Merge tag 'x86-urgent-2026-07-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull x86 fix from Ingo Molnar:
- Prevent OOB access in the resctrl code while offlining
CPUs when Intel SNC (Sub-NUMA Clustering) is enabled
(Reinette Chatre)
* tag 'x86-urgent-2026-07-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86,fs/resctrl: Prevent out-of-bounds access while offlining CPU when SNC enabled
Merge tag 'perf-urgent-2026-07-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull perf events fixes from Ingo Molnar:
- Fix a perf_event_attr::remove_on_exec bug for group events
(Taeyang Lee)
- Fix uprobes CALL emulation interaction with shadow stacks, and
add a testcase for this (David Windsor)
- Fix uprobes unregister bug (Jiri Olsa)
* tag 'perf-urgent-2026-07-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
uprobes/x86: Use proper mm_struct in __in_uprobe_trampoline
selftests/x86: Add shadow stack uprobe CALL test
x86/uprobes: Keep shadow stack in sync for emulated CALLs
perf/core: Detach event groups during remove_on_exec
Merge tag 'locking-urgent-2026-07-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull futex fix from Ingo Molnar:
- Fix a futex-requeue deadlock detection regression (Thomas Gleixner)
* tag 'locking-urgent-2026-07-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
futex/requeue: Revert "Prevent NULL pointer dereference in remove_waiter() on self-deadlock""
Merge tag 'irq-urgent-2026-07-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull irq fixes from Ingo Molnar:
"Misc irqchip driver fixes:
- Fix a resource leak in the RISC-V imsic-early driver (Haoxiang Li)
- Fix an OF node reference leak in the ARM gic-v3-its driver (Yuho
Choi)
- Fix a dangling handler function on module removal bug in the
TS-4800 ARM board irqchip driver (Qingshuang Fu)"
* tag 'irq-urgent-2026-07-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
irqchip/ts4800: Fix missing chained handler cleanup on remove
irqchip/gic-v3-its: Fix OF node reference leak
irqchip/irq-riscv-imsic-early: Fix fwnode leak on state setup failure
Merge tag 'sound-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"A standard set of driver-specific fixes and quirks accumulated since
the merge window:
ASoC:
- SOF: Sanity check to prevent OOB reads
- rsnd: Fix clock leak and double-disable issues with PM
- tas675x: Misc fixes for register fields, etc
- lpass-va-macro: Correct codec version for Qualcomm SC7280
- amd-yc: DMIC quirk for Alienware m15 R7 AMD
Others:
- us144mkii: Fix a UAF on disconnect and anchor list corruption
- HD-audio: Realtek quirks for HP models"
* tag 'sound-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ASoC: rsnd: src: Add missing scu_supply clock to suspend/resume
Documentation: sound: tas675x: Fix temperature range and impedance documentation
ASoC: codecs: tas675x: Fix CHx temperature range register bit fields
ASoC: codecs: tas675x: use READ_ONCE for params to be used concurrently
ASoC: rsnd: adg: make rsnd_adg_clk_control() idempotent
ASoC: SOF: validate probe info element counts
ALSA: usx2y: us144mkii: fix work UAF on disconnect
ASoC: amd: yc: Add Alienware m15 R7 AMD to DMIC quirk table
ALSA: hda/realtek: Add quirk for HP Victus 16-e0xxx (88EE) to enable mute LED
MAINTAINERS: ASoC: SOF: add AMD reviewer for Sound Open Firmware
ASoC: codecs: lpass-va-macro: Fix LPASS Codec Version for SC7280
ALSA: us144mkii: capture_urb_complete: redundant usb_anchor_urb corrupts anchor list on each resubmission
Merge tag 'spi-fix-v7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi
Pull spi fixes from Mark Brown:
"A small set of fixes that came in since -rc1, we have one core fix for
shutting down target mode properly if the system suspends while it's
running plus a small set of fairly unremarkable device specific fixes.
There's also a couple of pure DT binding changes for Renesas SoCs, the
power domains one allows some SoCs to be correctly described with
existing code"
* tag 'spi-fix-v7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
spi: rzv2h-rspi: Fix DMA transfer error handling for signal interruption
spi: dt-bindings: snps,dw-apb-ssi: add 'power-domains' property
spi: dt-bindings: snps,dw-apb-ssi: drop superfluous RZ/N1 entry
spi: dw: use the correct error msg if request_irq() fails
spi: dw: fix first spi transfer with dma always fallback to PIO
spi: core: Abort active target transfer on controller suspend
spi: sh-msiof: abort transfers when reset times out
Merge tag 's390-7.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
Pull s390 fixes from Vasily Gorbik:
- Fix PKEY_VERIFYPROTK ioctl key type handling by removing the generic
key-length based type check with its wrong bit-size calculation, and
leaving protected key verification to the pkey handler
- Fix monwriter buffer reuse by rejecting records that change the data
length, preventing out of bounds user copy into the kernel buffer
* tag 's390-7.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
s390/monwriter: Reject buffer reuse with different data length
pkey: Move keytype check from pkey api to handler
Merge tag 'mips-fixes_7.2_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux
Pull MIPS fixes from Thomas Bogendoerfer.
* tag 'mips-fixes_7.2_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux:
MIPS: configs: Enable the current Ingenic USB PHY symbol
MIPS: loongson64: add IRQ work based on self-IPI
MIPS: mm: Add check for highmem before removing memory block
mips: Add build salt to the vDSO
MIPS: DEC: Ensure RTC platform device deregistration upon failure
Merge tag 'v7.2-rc1-smb3-server-fixes' of git://git.samba.org/ksmbd
Pull smb server fixes from Steve French:
- Fix several use-after-free races in durable handle reconnect,
supersede, and oplock handling
- Avoid holding the inode oplock lock while waiting for a lease break
acknowledgement. This removes delays of up to 35 seconds when cifs.ko
closes a deferred handle in response to a lease break
- Fix malformed security descriptor handling, including an undersized
DACL allocation issue and an out-of-bounds ACE SID read
- Fix memory leaks in security descriptor and DOS attribute xattr
encoding/decoding error paths
- Fix outstanding SMB2 credit leaks on aborted requests and correct the
QUERY_INFO credit charge calculation
- Fix hard-link creation without replacement being incorrectly rejected
when the handle lacks DELETE access
- Avoid unnecessary zeroing of large SMB2 read buffers
- Add an oplock list lockdep annotation and update the documented
support status for durable handles and SMB3.1.1 compression
- Durable handle fixes to address ownership and lifetime races during
reconnect, session teardown, oplock handling, and superseding opens,
preventing stale session and file references from being used by
concurrent operations
* tag 'v7.2-rc1-smb3-server-fixes' of git://git.samba.org/ksmbd:
ksmbd: fix app-instance durable supersede session UAF
ksmbd: snapshot previous oplock state before durable checks
ksmbd: close superseded durable handles through refcount handoff
ksmbd: fix use-after-free of fp->owner.name in durable handle owner check
smb/server: do not require delete access for non-replacing links
ksmbd: don't hold ci->m_lock while waiting for a lease break ack
ksmbd: doc: update feature support status for durable handles and compression
ksmbd: annotate oplock list traversals under m_lock
ksmbd: fix outstanding credit leak on abort and error paths
ksmbd: fix credit charge calculation for SMB2 QUERY_INFO
ksmbd: avoid zeroing the read buffer in smb2_read()
ksmbd: validate num_subauth when copying ACE in set_ntacl_dacl
ksmbd: reject undersized DACLs before parsing ACEs
ksmbd: fix n.data memory leak in ksmbd_vfs_set_dos_attrib_xattr
ksmbd: Fix acl.sd_buf memory leak and invalid sd_size error handling
ksmbd: fix sd_ndr.data memory leak in ksmbd_vfs_set_sd_xattr
Merge tag 'drm-fixes-2026-07-04' of https://gitlab.freedesktop.org/drm/kernel
Pull drm fixes from Dave Airlie:
"Weekly fixes for drm. This is large for rc2 but it's just a lot of
small fixes across a bunch of drivers, xe, amdgpu as usual, plus some
sashiko-inspired fixes for panthor, and some dma-fence updates.
core:
- kernel doc fix
- include types.h in drm_ras.h
dma-fence:
- fix NULL ptr dereference
- use correct callback
- make dma_fence_dedup_array more robust
dp:
- handle torn down topology gracefully
- fix kernel doc
i915:
- Input validation fixes for BIOS and EDID
- Fix HDCP code buffer overflow and seq_num_v monotonic increase check
- Fix near-NULL deref in i915_active during GFP_ATOMIC exhaustion
xe:
- Wedge from the timeout handler only after releasing the queue
- Fix a NULL pointer dereference
- Remove redundant exec_queue_suspended
- RTP / OA whitelist fixes
- Return error on non-migratable faults requiring devmem
- Skip FORCE_WC and vm_bound check for external dma-bufs
- Hold notifier lock for write on inject test path
- Drop bogus static from finish in force_invalidate
- Fix double-free of managed BO in error path
- Don't attempt to process FAST_REQ or EVENT relays
- Fix NPD in bo_meminfo
- Prevent invalid cursor access for purged BOs
- Fix offset alignment for MERT WHITELST_OA_MERT_MMIO_TRG
amdxdna:
- fix device removal issues
- fix use after free in debug BO
imagination:
- fix double call to scheduler fini
- fix ioctl return values
- fix user array stride
virtio:
- handle EDIDs better
panthor:
- irq safe fence lock fix
- reset work fix
- fix invalid pointer
- fix iomem access in suspended state
- sched resume fix
- unplug suspend fix
- drop needless check
- eviction leak fix
- bail on group start/resume fix
- keep irqs masked
malidp:
- use clock bulk API
komeda:
- clock prepare fixes"
* tag 'drm-fixes-2026-07-04' of https://gitlab.freedesktop.org/drm/kernel: (105 commits)
drm/xe/oa: Fix offset alignment for MERT WHITELIST_OA_MERT_MMIO_TRG
drm/xe/pt: prevent invalid cursor access for purged BOs
drm/xe: fix NPD in bo_meminfo()
drm/xe/pf: Don't attempt to process FAST_REQ or EVENT relays
drm/xe/hw_engine: Fix double-free of managed BO in error path
drm/xe/userptr: Drop bogus static from finish in force_invalidate
drm/xe/userptr: Hold notifier_lock for write on inject test path
drm/xe/display: skip FORCE_WC and vm_bound check for external dma-bufs
drm/xe: Return error on non-migratable faults requiring devmem
drm/xe/rtp: Ensure locking/ref counting for OA whitelists
drm/xe/oa: (De-)whitelist OA registers on OA stream open/release
drm/xe/rtp: (De-)whitelist OA registers for all hwe's for a gt
drm/xe/rtp: Toggle 'deny' bit to (de-)whitelist OA regs
drm/xe/rtp: Save OA nonpriv registers to register save/restore lists
drm/xe/rtp: Generalize whitelist_apply_to_hwe
drm/xe/rtp: Keep track of non-OA nonpriv slots
drm/xe/rtp: Maintain OA whitelists separately
drm/xe/rtp: Fix build error with clang < 21 and non-const initializers
drm/imagination: Fix user array stride in pvr_set_uobj_array()
drm/imagination: Fix returned size for DRM_IOCTL_PVR_DEV_QUERY
...
Merge tag 'acpi-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
Pull ACPI support fixes from Rafael Wysocki:
"These fix a coding mistake in the ACPI TAD (Time and Alarm
Device) driver introduced by one of its previous updates and
get rid of the ugly #ifdef __KERNEL__ conditional compilation
in acpi_ut_safe_strncpy() by redefining that function as an
alias for strscpy_pad():
- Add a missing ACPI_TAD_AC_WAKE capability check omitted by mistake
to the ACPI TAD driver (Xu Rao)
- Define acpi_ut_safe_strncpy() as an alias for strscpy_pad()
which is viable because that function is only called from kernel
code (Rafael Wysocki)"
* tag 'acpi-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
ACPICA: Define acpi_ut_safe_strncpy() as strscpy_pad() alias
ACPI: TAD: Check AC wake capability before enabling wakeup
Merge tag 'riscv-for-linus-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux
Pull RISC-V fixes from Paul Walmsley:
- Fix a crash when a kretprobe reads from the stack
- Fix an issue with the build-time mcount sorter that broke ftrace
- Fix the rv32 IRQ stack frame padding to match the ABI
- Only defer IOMMU configuration during initialization. This avoids an
issue where IOMMU configuration could be indefinitely deferred
- Add the missing build salt to the vDSO
- Now that RISC-V systems with higher numbers of cores are starting to
become available, raise NR_CPUS for RISC-V to 256
- Clean up some warnings from sparse caused by the RISC-V-optimized
RAID6 code
- Clean up our __cpu_up() code with a few minor fixes
* tag 'riscv-for-linus-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
riscv: probes: save original sp in rethook trampoline
riscv: Fix 32-bit call_on_irq_stack() frame pointer ABI
scripts/sorttable: Handle RISC-V patchable ftrace entries
riscv: smp: use secs_to_jiffies in __cpu_up
ACPI: RIMT: Only defer the IOMMU configuration in init stage
riscv: Add build salt to the vDSO
raid6: fix raid6_recov_rvv symbol undeclared warning
raid6: fix riscv symbol undeclared warnigns
riscv: Raise default NR_CPUS for 64BIT to 256
Merge tag 'v7.2-rc1-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6
Pull smb client fixes from Steve French:
- Credit fix
- Fix alignment issue in parse_posix_ctxt
- SID parsing fix
* tag 'v7.2-rc1-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
cifs: Fix missing credit release on failure in cifs_issue_read()
cifs: update internal module version number
smb: client: use unaligned reads in parse_posix_ctxt()
smb: client: harden POSIX SID length parsing
Merge tag 'vfs-7.2-rc2.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
Pull vfs fixes from Christian Brauner:
- netfs:
- fix the decision when to disallow write-streaming with fscache in
use, handling of asynchronous cache object creation, a double fput
in cachefiles, clearing S_KERNEL_FILE without the inode lock held,
page extraction bugs in the iov_iter helpers (a potential
underflow, a missing allocation failure check, a memory leak, and
a folio offset miscalculation), writeback error and ENOMEM
handling, DIO write retry for filesystems without a
->prepare_write() method, and the replacement of the wb_lock mutex
with a bit lock plus writethrough collection offload so that
multiple asynchronous writebacks don't interfere with each other.
- Fix the barriering when walking the netfs subrequest list during
retries as it was possible to see a subrequest that was just added
by the application thread.
- iomap:
- Change iomap to submit read bios after each extent instead of
building them up across extents. The old behavior was considered
problematic for a while and now caused an actual erofs bug.
- Guard the ioend io_size EOF trim in iomap against underflow when a
concurrent truncate moves EOF below the start of the ioend,
wrapping io_size to a huge value.
- overlayfs
- Fix a stale overlayfs comment about the locking order.
- Store the linked-in upper dentry instead of the disconnected
O_TMPFILE dentry during overlayfs tmpfile copy-up. With a FUSE or
virtiofs upper layer ->d_revalidate() would try to look up "/" in
the workdir and fail, causing persistent ESTALE errors that broke
dpkg and apt.
- vfs-bpf:
Have the bpf_real_data_inode() kfunc take a struct file instead of a
dentry so it is usable from the bprm_check_security, mmap_file, and
file_mprotect hooks, and rename it from bpf_real_inode() to make the
data-inode semantics explicit. The kfunc landed this cycle so the
change is safe.
- afs:
NULL pointer dereferences in the callback service and in
afs_get_tree(), several memory and refcount leaks, missing locking
around the dynamic root inode numbers and premature cell exposure
through /afs, a netns destruction hang caused by a misplaced
increment of net->cells_outstanding, a bulk lookup malfunction caused
by the dir_emit() API change, inode (re)initialisation issues, and
assorted smaller fixes to error codes, seqlock handling, and debug
output.
- vfs:
Refuse O_TMPFILE creation with an unmapped fsuid or fsgid and add a
selftest for it.
- vboxsf:
Add Jori Koolstra as vboxsf maintainer, taking over from Hans de
Goede.
- dio:
Release the pages attached to a short atomic dio bio; the REQ_ATOMIC
size check error path leaked them.
- procfs:
Only bump the parent directory link count when registering
directories in procfs. Registering regular files inflated the count
and leaked a link on every create and remove cycle.
- minix:
Avoid an unsigned overflow in the minix bitmap block count
calculation that let crafted images with huge inode or zone counts
pass superblock validation and crash the kernel during mount.
- cachefiles:
Fix a double unlock in the cachefiles nomem_d_alloc error path left
over from the start_creating() conversion.
- fat:
Stop fat from reading directory entries past the 0x00
end-of-directory marker. If the trailing on-disk slots aren't
zero-filled the driver surfaced arbitrary garbage as directory
entries.
- freexvfs:
Don't BUG() on unknown typed-extent types in freevxfs, reachable via
ioctl(FIBMAP) on a crafted image; fail with an I/O error instead.
- orangefs:
Keep the readdir entry size 64-bit in orangefs fill_from_part().
Truncating it to __u32 bypassed the bounds check and led to
out-of-bounds reads triggerable by the userspace client.
- xfs:
Fix the error unwind in xfs_open_devices() which released the rt
device file twice and left dangling buftarg pointers behind that were
freed again when the failed mount was torn down.
- exec:
Fix an off-by-one in the comment documenting the maximum binfmt
rewrite depth in exec_binprm(). The code allows five rewrites, not
four; restricting the code would break userspace so the comment is
fixed instead.
- file handles:
Reject detached mounts in capable_wrt_mount(). A detached mount can
be dissolved concurrently, leaving a NULL mount namespace that
open_by_handle_at() would dereference.
* tag 'vfs-7.2-rc2.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: (57 commits)
netfs: Fix barriering when walking subrequest list
iomap: submit read bio after each extent
fuse: call fuse_send_readpages explicitly from fuse_readahead
iomap: consolidate bio submission
fhandle: reject detached mounts in capable_wrt_mount()
netfs: Fix DIO write retry for filesystems without a ->prepare_write()
netfs: Fix folio state after ENOMEM whilst under writeback iteration
netfs: Fix writeback error handling
netfs: Fix writethrough to use collection offload
netfs: Replace wb_lock with a bit lock for asynchronicity
netfs: Fix kdoc warning
scatterlist: Fix offset in folio calc in extract_xarray_to_sg()
iov_iter: Remove unused variable in kunit_iov_iter.c
iov_iter: Fix a memory leak in iov_iter_extract_user_pages()
iov_iter: Fix missing alloc fail check in iov_iter_extract_bvec_pages()
iov_iter: Fix potential underflow in iov_iter_extract_xarray_pages()
cachefiles: Fix file burial to take lock when unsetting S_KERNEL_FILE
cachefiles: Fix double fput
netfs: Fix netfs_create_write_req() to handle async cache object creation
netfs: Fix decision whether to disallow write-streaming due to fscache use
...
Merge tag 'xfs-fixes-7.2-rc2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
Pull xfs fixes from Carlos Maiolino:
"A collection of bugfixes and some small code refactoring"
* tag 'xfs-fixes-7.2-rc2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
xfs: simplify __xfs_buf_ioend
xfs: fix handling of synchronous errors in xfs_buf_submit
xfs: remove xfs_buf_ioend
xfs: improve the xfs_buf_ioend_fail calling convention
xfs: use null daddr for unset first bad log block
xfs: fix memory leak in xfs_dqinode_metadir_create()
xfs: release dquot buffer after dqflush failure
xfs: also mark the buffer stale on verifier failure in xfs_buf_submit
xfs: open code xfs_buf_ioend_fail in xfs_buf_submit
xfs: fix AGFL extent count calculation in xrep_agfl_fill
xfs: simplify the failure path in xfs_buf_alloc_vmalloc
xfs: fix incorrect use of gfp flags in xfs_buf_alloc_backing_mem
xfs: lift setting __GFP_NOFAIL from xfs_buf_alloc_kmem to the caller
xfs: split up xfs_buf_alloc_backing_mem
Merge tag 'for-linus-7.2a-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip
Pull xen fixes from Juergen Gross:
- rename function parameters and a comment related to
xen_exchange_memory() (Jan Beulich)
- replace __ASSEMBLY__ with __ASSEMBLER__ (Thomas Huth)
- add some sanity checking to the Xen pvcalls frontend driver (Michael
Bommarito)
- fix error handling in the Xen gntdev driver (Wentao Liang)
- fix several minor bugs in Xen related drivers (Yousef Alhouseen)
* tag 'for-linus-7.2a-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
x86/Xen: correct commentary and parameter naming of xen_exchange_memory()
xenbus: reject unterminated directory replies
xen/gntalloc: validate grant count before allocation
xen/gntalloc: make grant counters unsigned
xen/front-pgdir-shbuf: free grant reference head on errors
xen/gntdev: fix error handling in ioctl
xen: Replace __ASSEMBLY__ with __ASSEMBLER__ in header files
xen/pvcalls: bound backend response req_id before indexing rsp[]
Merge tag 'gpio-fixes-for-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux
Pull gpio fixes from Bartosz Golaszewski:
- check the return value of gpiochip_add_data() in gpio-mvebu and
gpio-htc-egpio
- avoid locking context issues with GPIO drivers using the shared GPIO
proxy by only allowing sleeping operations (atomic GPIO ops don't
really make sense in shared context anyway)
- with the above: restore non-sleeping GPIO access in pinctrl-meson
- fix return value on OOM in gpio-timberdale
- fix interrupt handling in gpio-mt7621
- support both A and B variants of NCT6126D in gpio-f7188x
* tag 'gpio-fixes-for-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux:
pinctrl: meson: restore non-sleeping GPIO access
gpio: timberdale: Return -ENOMEM on dynamic memory allocation in probe
gpio: mt7621: be sure IRQ domain is created before exposing GPIO chips
gpio: mt7621: more robust management of IRQ domain teardown
gpio: mt7621: avoid corruption of shared interrupt trigger state
gpio: shared-proxy: always serialize with a sleeping mutex
gpio-f7188x: Add support for NCT6126D version B
gpio: htc-egpio: use managed gpiochip registration
gpio: mvebu: fail probe if gpiochip registration fails
David Howells [Thu, 2 Jul 2026 08:23:02 +0000 (09:23 +0100)]
netfs: Fix barriering when walking subrequest list
Fix the barriering used when walking the subrequest list in retry as
there's a possibility of seeing a subreq that's just been added by the
application thread.
Merge tag 'asoc-fix-v7.2-rc1' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
ASoC: Fixes for v7.2
A fairly standard set of driver specific fixes and quirks that have come
in since the merge window, plus a MAINTAINERS update. The tas675x
READ_ONCE change is probably not actually fixing issues properly but we
need a whole new approach to concurrency there and it came along with
some good fixes.
The result of this mixture of different and unrelated subsystem
details is that even when touching an obscure device id struct most of
the kernel needs to be recompiled. Given that each driver typically
only needs one or two of these structures, splitting into per
subsystem headers and only including what is really needed reduces the
amount of needed recompilation.
This split is implemented in the first commit and then after some
preparatory work in the following commits, the last two replace
includes of <linux/mod_devicetable.h> by the actually needed more
specific headers.
There are still a few instances left, but the ones with high impact
(that is in headers that are used a lot) and the easy ones (.c files)
are handled. These remaining includes will be addressed during the
next merge window"
* tag 'device-id-rework' of git://git.kernel.org/pub/scm/linux/kernel/git/ukleinek/linux:
Replace <linux/mod_devicetable.h> by more specific <linux/device-id/*.h> (c files)
Replace <linux/mod_devicetable.h> by more specific <linux/device-id/*.h> (headers)
parisc: #include <linux/compiler.h> for unlikely() in <asm/ptrace.h>
media: em28xx: Add include for struct usb_device_id
LoongArch: KVM: Add include defining struct cpu_feature
ALSA: hda/core: Add include defining struct hda_device_id
usb: dwc2: Add include defining struct pci_device_id
platform/x86: int3472: Add include defining struct dmi_system_id
platform/x86: x86-android-tablets: Add include defining struct dmi_system_id
i2c: Let i2c-core.h include <linux/i2c.h>
of: Explicitly include <linux/types.h> and <linux/err.h>
platform/x86: msi-ec: Ensure dmi_system_id is defined
usb: serial: Include <linux/usb.h> in <linux/usb/serial.h>
driver core: platform: Include header for struct platform_device_id
driver: core: Include headers for acpi_device_id and of_device_id for struct device_driver
media: ti: vpe: #include <linux/platform_device.h> explicitly
mod_devicetable.h: Split into per subsystem headers
Replace <linux/mod_devicetable.h> by more specific <linux/device-id/*.h> (c files)
Replace the #include of <linux/mod_devicetable.h> by the more specific
<linux/device-id/*.h> where applicable. For most cases the include
can be dropped completely, only a few drivers need one or two headers
added.
; some of them are widely used headers. To stop mixing up different and
unrelated driver( type)s let the subsystem headers only use the subset
of the recently split <linux/mod_devicetable.h> that are relevant for
them.
The fallout (I hope) is addressed in the previous commits that handle
sources relying on e.g. <linux/i2c.h> pulling in the full legacy header
and thus providing pci_device_id.
parisc: #include <linux/compiler.h> for unlikely() in <asm/ptrace.h>
Currently <linux/compiler.h> isn't included at all (not even
transitively) in <asm/ptrace.h>.
arch/parisc/kernel/asm-offsets.c just happens to include the following
chain of includes before <asm/ptrace.h>:
. That chain will be broken, because in one of the next commits
<asm/hardware.h> is changed to only include <linux/device-id/parisc.h>
instead of <linux/mod_devicetable.h>. So to ensure
arch/parisc/kernel/asm-offsets.c knows about unlikely() even after that
change, #include <linux/compiler.h> explicitly.
media: em28xx: Add include for struct usb_device_id
Traditionally <linux/mod_devicetable.h> was a header defining a plethora
of structs, among them struct usb_device_id. This was split now with the
objective that only the relevant bits are included.
Currently <linux/mod_devicetable.h> is transitively included in
drivers/media/usb/em28xx/em28xx.h via:
To keep struct usb_device_id available once <linux/device/driver.h>
stops including <linux/mod_devicetable.h>, include it the header
providing that struct explictly.
LoongArch: KVM: Add include defining struct cpu_feature
Traditionally <linux/mod_devicetable.h> was a header defining a plethora
of structs, among them struct cpu_features. This was split now with the
objective that only the relevant bits are included.
Currently <linux/mod_devicetable.h> is transitively included in
arch/loongarch/kvm/main.c via:
ALSA: hda/core: Add include defining struct hda_device_id
Traditionally all *_device_id were defined in a single header
<linux/mod_devicetable.h>. This was split now with the objective that
only the relevant bits are included. So including <linux/pci.h> won't be
enough to get a definition of (the unrelated to pci) struct
hda_device_id.
Add an explicit include for the header defining struct hda_device_id to
keep working when <linux/pci.h> stops providing this defintion.
usb: dwc2: Add include defining struct pci_device_id
Up to now <linux/acpi.h> includes <linux/mod_devicetable.h> that
provides struct pci_device_id. However <linux/mod_devicetable.h> was
split into per bus headers and <linux/acpi.h> will only include the acpi
related one (and similar for other bus headers).
As struct pci_device_id is used in drivers/usb/dwc2/core.h, add an
include to ensure it's defined also after the includes in <linux/acpi.h>
are tightened.
However these includes will be tightend such that only the bits relevant
for of will be provided by <linux/of.h>. To ensure that dmi_system_id
stays around, include the respective header explicitly.
platform/x86: x86-android-tablets: Add include defining struct dmi_system_id
Currently <linux/i2c.h> includes <linux/mod_devicetable.h> transitively
which ensures that struct dmi_system_id is defined in
drivers/platform/x86/x86-android-tablets/x86-android-tablets.h. However
this include in <linux/i2c.h> will be replaced by one for i2c_device_id
only. To ensure that dmi_system_id is available add the include for that
explicitly.
The subsystem private header i2c-core.h uses several symbols defined in
<linux/i2c.h>, e.g. struct i2c_board_info and i2c_lock_bus()). This
doesn't pose a problem in practise because all files including
"i2c-core.h" also include <linux/i2c.h>.
To make this more robust add an include statement for <linux/i2c.h>
making the header self-contained.
of: Explicitly include <linux/types.h> and <linux/err.h>
<linux/of_platform.h> uses resource_size_t and relies on the transitive
include <linux/mod_devicetable.h> -> <linux/types.h>. It also uses error
constants and thus relying on the include chain
<linux/mod_devicetable.h> -> <linux/uuid.h> -> <linux/string.h> ->
<linux/err.h>.
With the plan to split <linux/mod_devicetable.h> per subsystem and then
only letting of_platform.h include the of-specific bits (which don't
require these two headers), add the needed includes explicitly to keep
the header self-contained.
platform/x86: msi-ec: Ensure dmi_system_id is defined
Currently <linux/acpi.h> includes <linux/mod_devicetable.h> and thus
dmi_system_id is available for the driver. To disentangle includes
<linux/acpi.h> will be changed to only include the header for
acpi_device_id instead of the full <linux/mod_devicetable.h>. To prepare
for that include the dedicated header for struct dmi_device_id.
usb: serial: Include <linux/usb.h> in <linux/usb/serial.h>
All consumers of the latter also include the former, but without that
struct usb_driver and struct usb_device_id (and maybe more) are not
defined. Add an include for <linux/usb.h> to make the header
self-contained.
driver core: platform: Include header for struct platform_device_id
Platform drivers can define an array containing the supported device
variants to be assigned to the struct platform_driver's .id_table.
While a forward declaration of struct platform_device_id is technically
enough to make the driver self-contained, it's reasonable to provide the
(very lightweight) data type definition for that array in
<linux/platform_device.h> to not add that burden to all platform drivers
with an id-table.
Note that currently <linux/device.h> transitively includes
<linux/mod_devicetable.h> that provides struct platform_device_id. But
that include is planned to be replaced by a tighter set of includes that
only define the structures relevant for the stuff in <linux/device.h>.
driver: core: Include headers for acpi_device_id and of_device_id for struct device_driver
struct device_driver contains pointers of type struct of_device_id* and
struct acpi_device_id* but doesn't ensure these are defined. To make the
header self-contained add the (very lightweight) includes that contain
the respective definitions.
The result is that even when touching an obscure device id struct most
of the kernel needs to be recompiled. Given that each driver typically
only needs one or two of these structures, splitting into per subsystem
headers and only including what is really needed reduces the amount of
needed recompilation.
Implement the first step and define each device id struct in a separate
header (together with its associated #defines).
<linux/mod_devicetable.h> is modified to include all the new headers to
continue to provide the same symbols.
Several headers currently include <linux/mod_devicetable.h>, those that
are most lukrative to include only their subsystem headers only are:
ata: libata-scsi: limit simulated SCSI command copy to response length
The function ata_scsi_rbuf_fill() is used to copy the response of
emulated SCSI commands from ata_scsi_rbuf to the SCSI command's
scatterlist.
Currently, sg_copy_from_buffer() is called with the size argument
set to ATA_SCSI_RBUF_SIZE (2048 bytes). Since ata_scsi_rbuf is
zeroed out before the simulation actor is invoked, copying the
full buffer size causes the remainder of the SCSI command's
transfer buffer (beyond the actual response length 'len') to be
overwritten with zeroes. This clobbers any pre-existing sentinel
values or data in the caller's buffer tail, even though the
correct residual count is reported via scsi_set_resid().
Fix this by passing the actual response length 'len' as the copy
size to sg_copy_from_buffer(), ensuring that the tail of the
caller's buffer remains untouched. Also, add a defensive check
to ensure that the actor does not return a length exceeding the
static buffer capacity. If this occurs, trigger a WARN_ON(),
fail the command with an aborted command error, and return
immediately without copying any data.
The fix was tested by invoking an SCSI SG_IO INQUIRY on
an ATA disk on vanilla build, and build with the fix. Confirmed
that the input buffer's tail end remains unmodified with the fix.
Fixes: 5251ae224d8d ("ata: libata-scsi: Return residual for emulated SCSI commands") Assisted-by: Antigravity:gemini-3.5-flash Signed-off-by: Karuna Ramkumar <rkaruna@google.com> Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Wentao Liang [Thu, 25 Jun 2026 14:18:37 +0000 (22:18 +0800)]
ata: pata_pxa: Fix DMA channel leak on probe error
When dmaengine_slave_config() fails, the DMA channel acquired by
dma_request_chan() is not released before returning the error,
leaking the channel reference.
Fix by adding dma_release_channel() in the error path.
The ata_host_activate() error path already correctly releases the
DMA channel.
Myeonghun Pak [Fri, 26 Jun 2026 08:58:37 +0000 (17:58 +0900)]
ata: sata_gemini: unwind clocks on IDE pinctrl errors
gemini_sata_bridge_init() prepares and enables both SATA PCLKs, then
disables them again while keeping the clocks prepared for later bridge
start and stop operations. If gemini_setup_ide_pins() fails after that,
gemini_sata_probe() returns directly and skips the existing
out_unprep_clk unwind path.
Route the IDE pinctrl failure through out_unprep_clk so the clocks
prepared by gemini_sata_bridge_init() are unprepared before probe
fails.
Fixes: d872ced29d5f ("ata: sata_gemini: Introduce explicit IDE pin control") Co-developed-by: Ijae Kim <ae878000@gmail.com> Signed-off-by: Ijae Kim <ae878000@gmail.com> Signed-off-by: Myeonghun Pak <mhun512@gmail.com> Reviewed-by: Niklas Cassel <cassel@kernel.org> Reviewed-by: Linus Walleij <linusw@kernel.org> Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Bryam Vargas [Tue, 23 Jun 2026 03:23:45 +0000 (22:23 -0500)]
ata: libata-core: Reject an invalid concurrent positioning ranges count
ata_dev_config_cpr() takes the number of range descriptors from buf[0]
of the concurrent positioning ranges log (up to 255), which the device
reports independently of the log size in the GPL directory. The count is
then walked at a fixed 32-byte stride in two places with no bound: the
log read here, and the INQUIRY VPD page B9h emitter, which writes one
descriptor per range into the fixed 2048-byte ata_scsi_rbuf. A device
reporting a count larger than its own log overflows the read buffer (up
to 7704 bytes past a 512-byte slab), and a count above 62 overflows the
response buffer on the emit side.
Bound the count once, on probe, against both the log the device returned
and the number of descriptors the VPD B9h response buffer can hold
(ATA_DEV_MAX_CPR, derived from the rbuf size). Reject an out-of-range
count with a warning; this keeps the emitter in bounds with no separate
change there.
Suggested-by: Damien Le Moal <dlemoal@kernel.org> Fixes: fe22e1c2f705 ("libata: support concurrent positioning ranges log") Fixes: c745dfc541e7 ("libata: fix reading concurrent positioning ranges log") Cc: stable@vger.kernel.org Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me> Reviewed-by: Niklas Cassel <cassel@kernel.org> Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Bryam Vargas [Sat, 20 Jun 2026 02:54:02 +0000 (21:54 -0500)]
ata: libata-core: Add NOLPM quirk for PNY CS900 1TB SSD
The PNY CS900 1TB SSD (Phison PS3111-S11, DRAM-less) drops off the bus
after entering Device-Initiated Slumber during idle. With the default
med_power_with_dipm policy the link goes down (SStatus 1 SControl 300)
and does not recover, forcing the filesystem read-only. Forcing
max_performance keeps the link stable across prolonged idle.
Add a NOLPM quirk so link power management is disabled for this drive
specifically, leaving it intact for other devices on the host.
Cc: stable@vger.kernel.org Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me> Reviewed-by: Niklas Cassel <cassel@kernel.org> Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Merge tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
Pull BPF fixes from Daniel Borkmann:
- Initialize task local storage before fork bails out to free the task
(Jann Horn)
- Fix insn_aux_data leak on verifier error path (KaFai Wan)
- Reject BPF inode storage map creation when BPF LSM is uninitialized
(Matt Bobrowski)
- Mask pseudo pointer values in verifier logs when pointer leaks are
not allowed (Nuoqi Gui)
- Harden BPF JIT against spraying via IBPB flush (Pawan Gupta)
- Reject a skb-modifying SK_SKB stream parser since the latter is only
meant to measure the next message (Sechang Lim)
- Fix bpf_refcount_acquire to reject refcounted allocation arguments
with a non-zero fixed offset (Yiyang Chen)
* tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
bpf: Prefer dirty packs for eBPF allocations
bpf: Prefer packs that won't trigger an IBPB flush on allocation
bpf: Skip redundant IBPB in pack allocator
bpf: Restrict JIT predictor flush to cBPF
x86/bugs: Enable IBPB flush on BPF JIT allocation
bpf: Support for hardening against JIT spraying
bpf: Reject BPF_MAP_TYPE_INODE_STORAGE creation if BPF LSM is uninitialized
bpf,fork: wipe ->bpf_storage before bailouts that access it
bpf: Fix insn_aux_data leak on verifier err_free_env path
selftests/bpf: Cover pseudo-BTF ksym log masking
bpf: Mask pseudo pointer values in verifier logs
selftests/bpf: Cover refcount acquire node offsets
bpf: Reject offset refcount acquire arguments
selftests/bpf: test rejection of a packet-modifying SK_SKB stream parser
bpf, sockmap: reject a packet-modifying SK_SKB stream parser
selftests/bpf: don't modify the skb in the strparser parser prog
Merge tag 'vfio-v7.2-rc2' of https://github.com/awilliam/linux-vfio
Pull VFIO fixes from Alex Williamson:
"Mostly straightforward fixes here, inconsistent runtime PM handling
due to global device policies, bitfield races, unwind path gaps,
teardown ordering, and a misplaced library flag.
- Fix racy bitfield updates in vfio-pci-core and the mlx5 vfio-pci
variant driver with a binary split between setup/release and
runtime modified flags. These were noted across several Sashiko
reviews as pre-existing issues (Alex Williamson)
- Fix runtime PM inconsistency where the vfio-pci driver module_init
could modify the idle PM policy of existing devices through globals
managed in vfio-pci-core, leading to unbalanced runtime PM
operations (Alex Williamson)
- Restore mutability of writable vfio-pci module options by further
pulling policy globals out of vfio-pci-core, to instead be latched
per device at device init. Provide visibility of the per device
latched values through debugfs (Alex Williamson)
- Reorder device debugfs removal before device_del() to avoid gap
where debugfs is available with stale devres pointers (Alex
Williamson)
- Move UUID library linking flag from vfio selftest Makefile into
libvfio.mk to avoid exposing such dependencies when linking with
KVM selftests (Sean Christopherson)"
* tag 'vfio-v7.2-rc2' of https://github.com/awilliam/linux-vfio:
vfio: selftests: Add luuid to libvfio.mk's list of libraries, not to the Makefile
vfio/pci: Expose latched module parameter policy in debugfs
vfio: Remove device debugfs before releasing devres
vfio/pci: Latch all module parameters per device
vfio/mlx5: Fix racy bitfields and tighten struct layout
vfio/pci: Fix racy bitfields and tighten struct layout
vfio/pci: Release the VGA arbiter client on register_device() failure
vfio/pci: Latch disable_idle_d3 per device
Dave Airlie [Thu, 2 Jul 2026 22:53:09 +0000 (08:53 +1000)]
Merge tag 'drm-misc-fixes-2026-07-02' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes
drm-misc-fixes for v7.2-rc2:
- Fix potential null pointer dereference in dma-buf.
- Handle 0 in dma_fence_dedup_array.
- Use the correct callback in dma_fence_timeline_name.
- Fix device removal handling in amdxdna.
- kernel-doc fixes.
- Include header fix for drm_ras.h
- Handle edids better in virtio.
- Use the clk_bulk api for error handling in malidp.
- More clk handling fixes for komeda.
- panthor scheduler block fallout fixes.
- panthor unplug fixes.
- other panthor fixes.
- Fix unnecessary WARN_ON in topology probe after teardown.
- Add refcount to amdxdna job to fix use-after free.
- Fix increasing args->size in ioctl's of drm/imagination.
- Handle stride correctly in pvr_set_uobj_array.
- Only call imagination's drm_sched_entity_fini once.
Dave Airlie [Thu, 2 Jul 2026 22:43:58 +0000 (08:43 +1000)]
Merge tag 'drm-xe-fixes-2026-07-02' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes
Driver Changes:
- Wedge from the timeout handler only after releasing the queue (Rodrigo)
- Fix a NULL pointer dereference (Francois)
- Remove redundant exec_queue_suspended (Lu)
- RTP / OA whitelist fixes (Ashutosh, Gustavo, Thomas)
- Return error on non-migratable faults requiring devmem (Matt Brost)
- Skip FORCE_WC and vm_bound check for external dma-bufs (Matt Auld)
- Hold notifier lock for write on inject test path (Shuicheng)
- Drop bogus static from finish in force_invalidate (Shuicheng)
- Fix double-free of managed BO in error path (Shuicheng)
- Don't attempt to process FAST_REQ or EVENT relays (Michal)
- Fix NPD in bo_meminfo (Matthew Auld)
- Prevent invalid cursor access for purged BOs (Matthew Auld)
- Fix offset alignment for MERT WHITELST_OA_MERT_MMIO_TRG (Ashutosh)
futex/requeue: Revert "Prevent NULL pointer dereference in remove_waiter() on self-deadlock""
The commit cited below should not have been merged. It attemted to fix an
existing problem ansd thereby introduced new problems by keeping the
pi_state in state Q_REQUEUE_PI_IN_PROGRESS and leaking it.
Based on the commit description the intention was to handle the case
when task_blocks_on_rt_mutex() returns -EDEADLK and the following
remove_waiter() dereferences the NULL pointer in waiter->task.
That is already handled by Davidlohr in commit 40a25d59e85b3
("locking/rtmutex: Skip remove_waiter() when waiter is not enqueued") and
requires no further acting.
Revert the commit breaking the "waiter == owner" case again.
Fixes: 74e144274af39 ("futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock") Reported-by: Michael Bommarito <michael.bommarito@gmail.com> Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: Thomas Gleixner <tglx@kernel.org> Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20260701131150.0Ijhq4Dw@linutronix.de Closes: https://lore.kernel.org/all/20260629020049.2082397-1-michael.bommarito@gmail.com
John Madieu [Tue, 30 Jun 2026 17:53:29 +0000 (17:53 +0000)]
ASoC: rsnd: src: Add missing scu_supply clock to suspend/resume
scu_supply is enabled alongside scu and scu_x2 during normal SRC
operation, but rsnd_src_suspend() and rsnd_src_resume() only disable
and re-enable scu and scu_x2. The supply clock is left enabled across
a system suspend and its prepare/enable refcount becomes unbalanced
after a suspend/resume cycle.
Disable scu_supply in rsnd_src_suspend() and re-enable it in
rsnd_src_resume() so the SRC clocks are managed consistently across
system PM transitions.
Fixes: ef19ecf042b4 ("ASoC: rsnd: Add system suspend/resume support") Signed-off-by: John Madieu <john.madieu.xa@bp.renesas.com> Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com> Link: https://patch.msgid.link/20260630175329.4145703-1-john.madieu.xa@bp.renesas.com Signed-off-by: Mark Brown <broonie@kernel.org>
Merge tag 'net-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
Pull networking fixes from Paolo Abeni:
"Including fixes from netfilter and batman-adv.
Current release - new code bugs:
- netfilter: cthelper: cap to maximum number of expectation per master
Previous releases - regressions:
- netpoll: fix a use-after-free on shutdown path
- tcp: restore RCU grace period in tcp_ao_destroy_sock
- ipv6: fix NULL deref in fib6_walk_continiue() on multi-batch dump
- batman-adv: dat: ensure accessible eth_hdr proto field
- eth:
- virtio_net: disable cb when NAPI is busy-polled
- lan743x: Initialize eth_syslock spinlock before use
Previous releases - always broken:
- netfilter:
- nft_set_pipapo: don't leak bad clone into future transaction
- sched:
- sch_teql: Introduce slaves_lock to avoid race condition and UAF
- replace direct dequeue call with peek and qdisc_dequeue_peeked
- sctp: add INIT verification after cookie unpacking
- tipc: fix out-of-bounds read in broadcast Gap ACK blocks
- seg6: validate SRH length before reading fixed fields
- eth:
- mlx5e: fix use-after-free of metadata_dst on RX SC delete
- enetc: check the number of BDs needed for xdp_frame
- fbnic: don't cache shinfo across skb realloc"
* tag 'net-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (58 commits)
net/mlx5: HWS, fix matcher leak on resize target setup failure
net/sched: hhf: clear heavy-hitter state on reset
net/sched: dualpi2: clear stale classification on filter miss
net/sched: act_bpf: use rcu_dereference_bh() to read the filter
selftests: drv-net: tso: don't touch dangerous feature bits
cxgb4: Fix decode strings dump for T6 adapters
virtio_net: disable cb when NAPI is busy-polled
sctp: fix addr_wq_timer race in sctp_free_addr_wq()
selftests: net: bump default cmd() timeout to 20 seconds
bridge: stp: Fix a potential use-after-free when deleting a bridge
net/sched: sch_teql: Introduce slaves_lock to avoid race condition and UAF
net: gianfar: dispose irq mappings on probe failure and device removal
net: lan743x: Initialize eth_syslock spinlock before use
net: libwx: fix VMDQ mask for 1-queue mode
net: airoha: fix max receive size configuration
fsl/fman: Free init resources on KeyGen failure in fman_init()
netfilter: nftables: restrict checkum update offset
netfilter: nftables: restrict linklayer and network header writes
netfilter: nfnetlink_queue: restrict writes to network header
netfilter: nft_fib: reject fib expression on the netdev egress hook
...
Gerald Schaefer [Tue, 23 Jun 2026 17:44:06 +0000 (19:44 +0200)]
s390/monwriter: Reject buffer reuse with different data length
When data buffers are reused, e.g. for interval sample records, the
first record determines the data length, and the size of the buffer for
user copy. Current monwriter code does not check if the data length was
changed for subsequent records, which also would never happen for valid
user programs.
However, a malicious user could change the data length, resulting in out
of bounds user copy to the kernel buffer, and memory corruption. By
default, the monwriter misc device is created with root-only permissions,
so practical impact is typically low.
Fix this by checking for changed data length and rejecting such records.
Jiri Olsa [Wed, 1 Jul 2026 11:13:25 +0000 (13:13 +0200)]
uprobes/x86: Use proper mm_struct in __in_uprobe_trampoline
In the unregister path we use __in_uprobe_trampoline check with
current->mm for the VMA lookup, which is wrong, because we are
in the tracer context, not the traced process.
Add mm_struct pointer argument to __in_uprobe_trampoline and
changing related callers to pass proper mm_struct pointer.
Fixes: ba2bfc97b462 ("uprobes/x86: Add support to optimize uprobes") Reported-by: syzbot+61ce80689253f42e6d80@syzkaller.appspotmail.com Signed-off-by: Jiri Olsa <jolsa@kernel.org> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Reviewed-by: Oleg Nesterov <oleg@redhat.com> Acked-by: Andrii Nakryiko <andrii@kernel.org> Tested-by: syzbot+61ce80689253f42e6d80@syzkaller.appspotmail.com Link: https://patch.msgid.link/20260701111337.53943-2-jolsa@kernel.org
David Windsor [Tue, 30 Jun 2026 00:13:34 +0000 (20:13 -0400)]
selftests/x86: Add shadow stack uprobe CALL test
Add coverage for entry uprobes installed on CALL instructions while user
shadow stack is enabled. The test puts an entry uprobe on a helper whose
first instruction is a relative CALL, then verifies that the call/return
sequence completes without SIGSEGV.
This catches regressions where x86 uprobe CALL emulation updates the
regular user stack but leaves the CET shadow stack stale.
David Windsor [Tue, 30 Jun 2026 00:13:33 +0000 (20:13 -0400)]
x86/uprobes: Keep shadow stack in sync for emulated CALLs
Uprobe CALL emulation updates the normal user stack, but not the CET user
shadow stack. The subsequent RET then sees a stale shadow stack entry and
raises #CP.
Update the relative CALL emulation and XOL CALL fixup paths to keep the
shadow stack in sync.
Fixes: 488af8ea7131 ("x86/shstk: Wire in shadow stack interface") Signed-off-by: David Windsor <dwindsor@gmail.com> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Acked-by: Oleg Nesterov <oleg@redhat.com> Acked-by: Jiri Olsa <jolsa@kernel.org> Tested-by: Jiri Olsa <jolsa@kernel.org> Link: https://patch.msgid.link/8b5b1c7407b98f31664ad7b6a6faf20d2d4a6cad.1782777969.git.dwindsor@gmail.com
Taeyang Lee [Sun, 14 Jun 2026 14:22:18 +0000 (23:22 +0900)]
perf/core: Detach event groups during remove_on_exec
perf_event_remove_on_exec() removes events by calling
perf_event_exit_event(). For top-level events, this removes the event from
the context with DETACH_EXIT only.
This can leave inconsistent group state when a removed event is a group
leader and the group contains siblings without remove_on_exec. If the group
was active, the surviving siblings can remain active and attached to the
removed leader's sibling list, but are no longer represented by a valid
group leader on the PMU context active lists.
A later close of the removed leader uses DETACH_GROUP and can promote the
still-active siblings from this stale group state. The next schedule-in can
then add an already-linked active_list entry again, corrupting the PMU
context active list.
With DEBUG_LIST enabled, this is caught as a list_add double-add in
merge_sched_in().
Fix this by detaching group relationships when remove_on_exec removes an
event. This preserves the existing task-exit and revoke behavior, while
ensuring surviving siblings are ungrouped before the removed event leaves
the context.
Matthew Auld [Thu, 25 Jun 2026 15:20:58 +0000 (16:20 +0100)]
drm/xe/pt: prevent invalid cursor access for purged BOs
During a page table walk for binding, xe_pt_stage_bind() explicitly
skips initializing the xe_res_cursor for purged BOs, treating them
similarly to NULL VMAs by only setting the cursor size.
However, xe_pt_hugepte_possible() and xe_pt_scan_64K() did not check
if the BO was purged before attempting to walk the cursor using
xe_res_dma() and xe_res_next(). Because the cursor was left
uninitialized for purged BOs, this falls through and triggers
warnings like:
WARNING: drivers/gpu/drm/xe/xe_res_cursor.h:274 at xe_res_next
Fix this by explicitly checking if the BO is purged in both
xe_pt_hugepte_possible() and xe_pt_scan_64K(), returning early just
as we do for NULL VMAs, avoiding the invalid cursor accesses entirely.
As a precaution, also zero-initialize the cursor in xe_pt_stage_bind()
to ensure we don't pass garbage data into the page table walkers
if we ever hit a similar edge case in the future.
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/work_items/8418 Fixes: ad9843aac91a ("drm/xe/madvise: Implement purgeable buffer object support") Assisted-by: Copilot:gemini-3.1-pro-preview Reported-by: Matthew Schwartz <matthew.schwartz@linux.dev> Signed-off-by: Matthew Auld <matthew.auld@intel.com> Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com> Cc: Matthew Brost <matthew.brost@intel.com> Cc: Arvind Yadav <arvind.yadav@intel.com> Reviewed-by: Matthew Brost <matthew.brost@intel.com> Tested-by: Matthew Schwartz <matthew.schwartz@linux.dev> Link: https://patch.msgid.link/20260625152054.450125-8-matthew.auld@intel.com
(cherry picked from commit 4c7b9c6ece32440e5a435a92076d049450cd2d2e) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Matthew Auld [Thu, 25 Jun 2026 15:20:56 +0000 (16:20 +0100)]
drm/xe: fix NPD in bo_meminfo()
When a buffer object is purged, its ttm.resource is set to NULL via the
TTM pipeline gutting flow. However, the BO remains in the client's
object list until userspace explicitly closes the GEM handle. If memory
stats are queried during this time, accessing bo->ttm.resource->mem_type
will result in a NULL pointer dereference.
Fix this by safely skipping purged BOs in bo_meminfo, as they no longer
consume any memory.
User is getting NPD on device resume, and possible theory is that in
bo_move(), if we need to evict something to SYSTEM to save the CCS state,
but the BO is marked as dontneed, this won't trigger a move but will
nuke the pages, leaving us with a NULL bo resource. And the meminfo()
doesn't look ready to handle a NULL resource.
v2 (Sashiko):
- There could potentially be other cases where we might end up with a
NULL resource, so make this a general NULL check for now.
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/work_items/8419 Fixes: ad9843aac91a ("drm/xe/madvise: Implement purgeable buffer object support") Assisted-by: Copilot:gemini-3.1-pro-preview Reported-by: Matthew Schwartz <matthew.schwartz@linux.dev> Signed-off-by: Matthew Auld <matthew.auld@intel.com> Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com> Cc: Matthew Brost <matthew.brost@intel.com> Cc: Arvind Yadav <arvind.yadav@intel.com> Reviewed-by: Matthew Brost <matthew.brost@intel.com> Tested-by: Matthew Schwartz <matthew.schwartz@linux.dev> Link: https://patch.msgid.link/20260625152054.450125-6-matthew.auld@intel.com
(cherry picked from commit c9a8e7daa0afe3161111e27fd92176e608c7f186) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Michal Wajdeczko [Wed, 27 May 2026 18:37:35 +0000 (20:37 +0200)]
drm/xe/pf: Don't attempt to process FAST_REQ or EVENT relays
Currently defined VF/PF relay actions use regular REQUEST messages
only and the PF shouldn't attempt to handle FAST_REQUEST nor EVENT
messages as this would result in breaking the VFPF ABI protocol
and also might trigger an assert on the PF side.
Shuicheng Lin [Fri, 26 Jun 2026 21:06:31 +0000 (21:06 +0000)]
drm/xe/hw_engine: Fix double-free of managed BO in error path
The error path in hw_engine_init() explicitly frees a BO allocated
with xe_managed_bo_create_pin_map() via xe_bo_unpin_map_no_vm().
Since the managed BO already has a devm cleanup action registered,
this causes a double-free when devm unwinds during probe failure.
Remove the explicit free and let devm handle it, consistent with
all other xe_managed_bo_create_pin_map() callers.
Shuicheng Lin [Thu, 25 Jun 2026 22:44:52 +0000 (22:44 +0000)]
drm/xe/userptr: Drop bogus static from finish in force_invalidate
The local "finish" pointer in xe_vma_userptr_force_invalidate() is
unconditionally written before each read, so the static storage class
serves no purpose. Worse, it makes the variable a process-wide shared
slot: the function's per-VM asserts do not exclude concurrent callers
on different VMs, so two such callers can race on the slot and take
the wrong if (finish) branch.
The function is gated by CONFIG_DRM_XE_USERPTR_INVAL_INJECT
(developer/test option, default n), so production builds are
unaffected.
Drop the static.
Fixes: 18c4e536959e ("drm/xe/userptr: Convert invalidation to two-pass MMU notifier") Assisted-by: Claude:claude-opus-4.7 Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com> Cc: Matthew Brost <matthew.brost@intel.com> Reviewed-by: Matthew Brost <matthew.brost@intel.com> Reviewed-by: Zongyao Bai <zongyao.bai@intel.com> Link: https://patch.msgid.link/20260625224452.3243231-1-shuicheng.lin@intel.com Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
(cherry picked from commit ed382e3b07fae51a09d7290485bff0592f6b168b) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Shuicheng Lin [Thu, 25 Jun 2026 21:56:15 +0000 (21:56 +0000)]
drm/xe/userptr: Hold notifier_lock for write on inject test path
When CONFIG_DRM_XE_USERPTR_INVAL_INJECT=y, xe_pt_svm_userptr_pre_commit()
runs vma_check_userptr() with the svm notifier_lock taken for read. The
test injection causes vma_check_userptr() to call
xe_vma_userptr_force_invalidate(), which feeds into
xe_vma_userptr_do_inval() with drm_gpusvm_ctx.in_notifier=true. That
flag tells drm_gpusvm_unmap_pages() the caller already holds
notifier_lock for write and only asserts the mode. Because the caller
actually holds it for read, the assertion fires:
Acquire notifier_lock for write in pre-commit when the inject Kconfig
is enabled, via new helpers xe_pt_svm_userptr_notifier_lock()/_unlock().
Rename xe_svm_assert_held_read() to
xe_svm_assert_held_read_or_inject_write() so it asserts the correct
mode under each build configuration. Production builds
(CONFIG_DRM_XE_USERPTR_INVAL_INJECT=n) keep the existing read-mode
behavior bit-for-bit.
Fixes: 9e9787414882 ("drm/xe/userptr: replace xe_hmm with gpusvm") Assisted-by: Claude:claude-opus-4.7 Cc: Matthew Auld <matthew.auld@intel.com> Cc: Zongyao Bai <zongyao.bai@intel.com> Reviewed-by: Matthew Brost <matthew.brost@intel.com> Link: https://patch.msgid.link/20260625215615.3016892-1-shuicheng.lin@intel.com Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
(cherry picked from commit 80ccbd97ffee8ad2e73167d826fe7be548364365) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Matthew Auld [Fri, 12 Jun 2026 17:05:02 +0000 (18:05 +0100)]
drm/xe/display: skip FORCE_WC and vm_bound check for external dma-bufs
Currently, xe_display_bo_framebuffer_init() unconditionally attempts to
apply XE_BO_FLAG_FORCE_WC to the buffer and rejects the FB creation with
-EINVAL if the BO is already VM_BINDed.
However, for imported dma-bufs (ttm_bo_type_sg), this check doesn't seem
to make much sense since CPU caching policy is entirely controlled by
the exporter. Plus there is no place to set this flag, in the first
place. Also this is not rejected if not yet vm_binded, but that seems
arbitrary since setting or not setting FORCE_WC should a noop either
way, at this stage, and whether it is currently VM_BINDed makes no
difference.
Currently if we run an app and offload rendering to an external dGPU,
like NV or another xe device, the dma-buf passed back to the compositor
(igpu) will be an actual external import from xe pov, and it will be
missing FORCE_WC, and if the compositor side did a VM_BIND before
turning into it into an fb the whole thing gets rejected.
So it looks like we either need to reject outright, no matter what, or
this usecase is valid and we need to loosen the restriction for sg
buffers. Proposing here to loosen the restriction.
Matthew Brost [Wed, 17 Jun 2026 13:51:01 +0000 (06:51 -0700)]
drm/xe: Return error on non-migratable faults requiring devmem
Non-migratable faults that require devmem incorrectly jump to the 'out'
label, which squashes the error code intended to be returned to the
upper layers. Fix this by returning -EACCES instead.
Reported-by: Sashiko <sashiko-bot@kernel.org> Fixes: 4208fac3dce5 ("drm/xe: Add more SVM GT stats") Cc: stable@vger.kernel.org Signed-off-by: Matthew Brost <matthew.brost@intel.com> Reviewed-by: Francois Dugast <francois.dugast@intel.com> Link: https://patch.msgid.link/20260617135101.1245574-1-matthew.brost@intel.com
(cherry picked from commit c4508edb2c723de93717272488ea65b165637eac) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Ashutosh Dixit [Mon, 15 Jun 2026 22:42:27 +0000 (15:42 -0700)]
drm/xe/rtp: Ensure locking/ref counting for OA whitelists
Since multiple OA streams might be open in parallel on a gt, ensure that
proper locking is in place. Also ensure that OA registers are whitelisted
when the first OA stream is open and de-whitelisted after the last OA
stream is closed.
Ashutosh Dixit [Mon, 15 Jun 2026 22:42:26 +0000 (15:42 -0700)]
drm/xe/oa: (De-)whitelist OA registers on OA stream open/release
Whitelist OA registers on stream open and de-whitelist on stream
close/release. Whitelisting is only done when 'stream->sample' is
true. 'stream->sample' is only true when (a) xe_observation_paranoid is set
to false by system admin, or (b) the process is perfmon_capable(). This
therefore enforces the OA register whitelisting security requirements.
Ashutosh Dixit [Mon, 15 Jun 2026 22:42:25 +0000 (15:42 -0700)]
drm/xe/rtp: (De-)whitelist OA registers for all hwe's for a gt
Whitelist or de-whitelist OA registers for all hwe's on the gt on which the
OA stream is opened. This simplifies the case where an oa unit has 0
attached hwe's (but which monitors OA events on the associated GT).
Ashutosh Dixit [Mon, 15 Jun 2026 22:42:23 +0000 (15:42 -0700)]
drm/xe/rtp: Save OA nonpriv registers to register save/restore lists
Now we can save OA whitelisting nonpriv registers to register save/restore
lists. OA nonpriv registers are saved to both hwe->oa_sr as well as
hwe->reg_sr.
During probe, resume and gt-reset flows KMD will apply hwe->reg_sr,
ensuring OA registers are de-whitelisted after these events. For
engine-reset, hwe->reg_sr is registered with GuC and GuC will apply these
registers, ensuring OA registers are de-whitelisted after engine resets.
hwe->oa_sr is used for whitelisting or de-whitelisting OA registers during
OA operation, by toggling the 'deny' bit on oa stream open/close.
Ashutosh Dixit [Mon, 15 Jun 2026 22:42:21 +0000 (15:42 -0700)]
drm/xe/rtp: Keep track of non-OA nonpriv slots
In order to dynamically whitelist/dewhitelist OA registers on OA stream
open/close, we need to keep track of nonpriv slots occupied by non-OA
register whitelists.
Ashutosh Dixit [Mon, 15 Jun 2026 22:42:20 +0000 (15:42 -0700)]
drm/xe/rtp: Maintain OA whitelists separately
OA registers are dynamically whitelisted (and again dewhitelisted) on OA
stream open/close. Maintaining OA whitelists separately from non-OA
register whitlists simplifies this management of OA register
whitelisting/dewhitelisting.
drm/xe/rtp: Fix build error with clang < 21 and non-const initializers
Clang < 21 treats const-qualified compound literals at function scope as
having static storage duration, which requires all initializer elements
to be compile-time constants. When xe_hw_engine.c initializes a local
struct xe_rtp_table_sr using XE_RTP_TABLE_SR(), the compound literals in
XE_RTP_TABLE_SR end up containing runtime values (e.g. blit_cctl_val
derived from gt->mocs.uc_index), triggering:
xe_hw_engine.c:361: error: initializer element is not a compile-time constant
xe_hw_engine.c:416: error: initializer element is not a compile-time constant
ARRAY_SIZE() cannot be used as a replacement because it expands through
__must_be_array() -> __BUILD_BUG_ON_ZERO_MSG() -> _Static_assert inside
sizeof(struct{}), which clang < 21 also rejects in the same context.
Replace ARRAY_SIZE() with an open-coded sizeof(arr)/sizeof(elem) in
XE_RTP_TABLE_SR and XE_RTP_TABLE to avoid both issues.
Fixes: e23fafb8594e ("drm/xe/rtp: Add struct types for RTP tables") Cc: Matt Roper <matthew.d.roper@intel.com> Cc: Gustavo Sousa <gustavo.sousa@intel.com> Cc: Violet Monti <violet.monti@intel.com> Cc: Matthew Brost <matthew.brost@intel.com> Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com> Cc: Rodrigo Vivi <rodrigo.vivi@intel.com> Cc: Ashutosh Dixit <ashutosh.dixit@intel.com> Cc: intel-xe@lists.freedesktop.org Reported-by: Mark Brown <broonie@kernel.org> Closes: https://lore.kernel.org/intel-xe/bfb0dee8-b243-47ba-a89d-71472b0d51c5@sirena.org.uk/ Assisted-by: GitHub_Copilot:claude-sonnet-4.6 Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com> Reviewed-by: Gustavo Sousa <gustavo.sousa@intel.com> Link: https://patch.msgid.link/20260605093305.110598-1-thomas.hellstrom@linux.intel.com
(cherry picked from commit a57011eff45e7265dc42a7adad68b84605d8f828) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
drm/imagination: Fix user array stride in pvr_set_uobj_array()
pvr_set_uobj_array() copies an array of kernel objects to a userspace
array whose element size is described by out->stride. When out->stride
is different from the kernel object size, the slow path advances the
userspace pointer by the kernel object size and the kernel pointer by the
userspace stride.
This reverses the intended layout. For larger userspace strides, later
copies read from the wrong kernel addresses. For smaller userspace
strides, later copies are written at the wrong userspace offsets. The
padding clear is also done only for the first element instead of the
padding area for each element.
Advance the userspace pointer by out->stride and the kernel pointer by
obj_size, and clear per-element padding while the current userspace
pointer is still available.
Fixes: f99f5f3ea7ef ("drm/imagination: Add GPU ID parsing and firmware loading") Cc: stable@vger.kernel.org # v6.8+ Reviewed-by: Alessio Belle <alessio.belle@imgtec.com> Signed-off-by: Shuvam Pandey <shuvampandey1@gmail.com> Link: https://patch.msgid.link/6a456012.eb165e5c.113c2a.b71d@mx.google.com Signed-off-by: Alessio Belle <alessio.belle@imgtec.com>
drm/imagination: Fix returned size for DRM_IOCTL_PVR_DEV_QUERY
For a few subtypes of DRM_IOCTL_PVR_DEV_QUERY, driver was overriding
the returned size unconditionally. This would have resulted in
increase of reported size beyond the amount of data returned to
userspace when args->size < size of query structure.
Updated behaviour matches with the description of
drm_pvr_ioctl_dev_query_args.size and written byte length.
None of the structures of DRM_IOCTL_PVR_DEV_QUERY changed after addition,
so change will not break any compatibility with earlier version.
Fixes: f99f5f3ea7ef ("drm/imagination: Add GPU ID parsing and firmware loading") Fixes: ff5f643de0bf ("drm/imagination: Add GEM and VM related code") Signed-off-by: Brajesh Gupta <brajesh.gupta@imgtec.com> Reviewed-by: Alessio Belle <alessio.belle@imgtec.com> Link: https://patch.msgid.link/20260701-b4-b4-query-v2-1-a1b491387875@imgtec.com Signed-off-by: Alessio Belle <alessio.belle@imgtec.com>
Brajesh Gupta [Tue, 30 Jun 2026 15:40:07 +0000 (21:10 +0530)]
drm/imagination: Fix double call to drm_sched_entity_fini()
Call sequence of double call:
pvr_context_destroy
pvr_context_kill_queues
pvr_queue_kill
drm_sched_entity_destroy
drm_sched_entity_fini // here
pvr_context_put
kref_put(..., pvr_context_release)
pvr_context_destroy_queues
pvr_queue_destroy
drm_sched_entity_fini // here
Call to drm_sched_entity_destroy() from pvr_context_kill_queues() calls
drm_sched_entity_flush() + drm_sched_entity_fini().
drm_sched_entity_flush() ensures all pending jobs are completed and
drm_sched_entity_fini() ensures no further submission is allowed as
per expectation from pvr_context_kill_queues(). Double call to
drm_sched_entity_fini() is misuse of the API so keep call only in
pvr_context_create() failure path.
Stack trace for issue with addition of refcounting for DRM entity
stats in commit fd177135f0e6 ("drm/sched: Account entity GPU time"):
Paolo Abeni [Thu, 2 Jul 2026 08:34:05 +0000 (10:34 +0200)]
Merge tag 'batadv-net-pullrequest-20260630' of https://git.open-mesh.org/batadv
Simon Wunderlich says:
====================
Here are some batman-adv bugfix, all by Sven Eckelmann:
- fix pointers after potential skb reallocs (5 patches)
- dat: ensure accessible eth_hdr proto field
* tag 'batadv-net-pullrequest-20260630' of https://git.open-mesh.org/batadv:
batman-adv: dat: ensure accessible eth_hdr proto field
batman-adv: bla: reacquire gw address after skb realloc
batman-adv: dat: acquire ARP hw source only after skb realloc
batman-adv: gw: acquire ethernet header only after skb realloc
batman-adv: access unicast_ttvn skb->data only after skb realloc
batman-adv: retrieve ethhdr after potential skb realloc on RX
====================
Dawei Feng [Mon, 29 Jun 2026 06:40:49 +0000 (14:40 +0800)]
net/mlx5: HWS, fix matcher leak on resize target setup failure
hws_bwc_matcher_move() allocates a replacement matcher before setting it
as the resize target. If mlx5hws_matcher_resize_set_target() fails, the
replacement matcher is not attached anywhere and is leaked.
Fix the leak by destroying the replacement matcher before returning from
the resize-target failure path.
The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available. Manual inspection confirms that the bug is still
present in v7.1.1.
An x86_64 allyesconfig build showed no new warnings. As we do not have a
mlx5 HWS-capable device to test with, no runtime testing was able to be
performed.
Jan Beulich [Thu, 2 Jul 2026 06:11:22 +0000 (08:11 +0200)]
x86/Xen: correct commentary and parameter naming of xen_exchange_memory()
As documented in comments in struct xen_memory_exchange, the input to the
hypercall is a set of MFNs which are to be removed from the domain, plus a
set of PFNs where the newly allocated MFNs are to appear. Present comment
and parameter naming don't correctly reflect that.
Zihan Xi [Wed, 1 Jul 2026 10:23:21 +0000 (18:23 +0800)]
smb: client: use unaligned reads in parse_posix_ctxt()
The server controls create-context DataOffset, so the POSIX context data
pointer may be misaligned on strict-alignment architectures. Use
get_unaligned_le32() when reading nlink, reparse_tag, and mode.
Fixes: 69dda3059e7a ("cifs: add SMB2_open() arg to return POSIX data") Cc: stable@vger.kernel.org Signed-off-by: Zihan Xi <xizh2024@lzu.edu.cn> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> Signed-off-by: Steve French <stfrench@microsoft.com>
Zihan Xi [Sun, 28 Jun 2026 09:19:24 +0000 (17:19 +0800)]
smb: client: harden POSIX SID length parsing
posix_info_sid_size() reads sid[1] to obtain the subauthority count,
but its existing boundary check still accepts buffers with only one
remaining byte. Require two bytes before reading sid[1] so all client
paths that reuse the helper reject truncated POSIX SIDs safely.
Fixes: 349e13ad30b4 ("cifs: add smb2 POSIX info level") Cc: stable@vger.kernel.org Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Yifan Wu <yifanwucs@gmail.com> Reported-by: Juefei Pu <tomapufckgml@gmail.com> Reported-by: Xin Liu <bird@lzu.edu.cn> Assisted-by: Codex:gpt-5.4 Signed-off-by: Zihan Xi <xizh2024@lzu.edu.cn> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> Signed-off-by: Steve French <stfrench@microsoft.com>
Merge tag 'bootconfig-fixes-v7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
Pull bootconfig fix from Masami Hiramatsu:
- bootconfig: Fix NULL-pointer arithmetic
Fix undefined pointer arithmetic in xbc_snprint_cmdline() when
probing the buffer length with NULL and size 0. Track the written
length as a size_t instead to prevent build-time UBSan/FORTIFY_SOURCE
failures.
* tag 'bootconfig-fixes-v7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
bootconfig: fix NULL-pointer arithmetic in xbc_snprint_cmdline()
accel/amdxdna: Fix use-after-free in debug BO command handling
When a debug BO command completes, job->drv_cmd may already have been
freed. Accessing it from aie2_sched_drvcmd_resp_handler() can result in
a use-after-free and memory corruption.
Fix this by introducing reference counting for drv_cmd objects and
transferring ownership to the job while it is in flight. This ensures
that the command remains valid until the completion handler finishes
processing it.
Reinette Chatre [Tue, 9 Jun 2026 21:02:27 +0000 (14:02 -0700)]
x86,fs/resctrl: Prevent out-of-bounds access while offlining CPU when SNC enabled
The architecture updates the cpu_mask in a domain's header to track which
online CPUs are associated with the domain. When this mask becomes empty
the architecture initiates offline of the domain that includes calling
on resctrl fs to offline the domain. If it is a monitoring domain in
which LLC occupancy is tracked resctrl fs forces the limbo handler to
clear all busy RMID state associated with the domain.
The limbo handler always reads the current event value associated with a
busy RMID irrespective of it being checked as part of regular "is it still
busy" check or whether it will be forced released anyway. When reading an
RMID on a system with SNC enabled the "logical RMID" is converted to the
"physical RMID" and this conversion requires the NUMA node ID of the
resctrl monitoring domain that is in turn determined by querying the NUMA
node ID of any CPU belonging to the monitoring domain.
When the monitoring domain is going offline its cpu_mask is empty causing
the NUMA node ID query via cpu_to_node() to be done with "nr_cpu_ids" as
argument resulting in an out-of-bounds access.
Refactor the limbo handler to skip reading the RMID when the RMID will
just be forced to no longer be dirty in the domain anyway. Add a safety
check to the architecture's RMID reader to protect against this scenario.
Gustavo Sousa [Mon, 1 Jun 2026 20:09:47 +0000 (13:09 -0700)]
drm/xe/rtp: Add struct types for RTP tables
We currently have a mixture of styles for our RTP tables with respect of
how we define the number of entries:
* xe_rtp_process_to_sr() expects to receive the number of entries as
arguments;
* xe_rtp_process() expects the array to have a sentinel at the end of
the array;
* in xe_rtp_test.c, even though xe_rtp_process_to_sr() does not
require a sentinel value, we need to rely on that technique to be
able to count xe_rtp_entry_sr entries because simply using
ARRAY_SIZE() is not possible.
The style used by xe_rtp_process_to_sr() makes it hard to share the
tables with other compilation units (e.g. kunit tests), since the number
of entries is calculated with ARRAY_SIZE(), which is done at compile
time.
Since we use the size of the tables to create some bitmasks, using a
sentinel style doesn't seem great either.
A way to reconcile things into a single style is to have a struct type
that would hold the entries array and the number of entries. Since we
have xe_rtp_entry and xe_rtp_entry_sr, we would have one type for each.
The advantage of the proposed approach is that now we have a nice way to
share the tables directly to kunit tests with information about their
size.
v6:
- Removed sentinels that are not needed
v5:
- Removed added code from conflict resolution issues
v4:
- Removed conflicts with main branch
v3:
- No changes
v2:
- Add compatibility with new xe_rtp_table_sr format for
"bad-mcr-reg-forced-to-regular" and
"bad-regular-reg-forced-to-mcr"
Fixes: 828a8eaf37c3 ("drm/xe/oa: Add MMIO trigger support") Cc: stable@vger.kernel.org # v6.12+ Reviewed-by: Matt Roper <matthew.d.roper@intel.com> Signed-off-by: Gustavo Sousa <gustavo.sousa@intel.com> Signed-off-by: Violet Monti <violet.monti@intel.com> Link: https://patch.msgid.link/20260601200947.2032784-7-violet.monti@intel.com Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
(cherry picked from commit 5ff004fdc7377905f2fe5264b8829d35e14608b8) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Mark Brown [Wed, 1 Jul 2026 18:52:46 +0000 (19:52 +0100)]
ASoC: codecs: tas675x: misc bugfixes and minor changes
Sen Wang <sen@ti.com> says:
Few miscellaneous bug fixes after the initial merge of TAS675x driver, of
which includes:
- Adding READ_ONCE for all concurrent read params
- Corrected kcontrol bits for temperature range
- Corrected conversion notes in the driver documentation
Sen Wang [Tue, 30 Jun 2026 18:31:22 +0000 (13:31 -0500)]
Documentation: sound: tas675x: Fix temperature range and impedance documentation
Two corrections against the TRM (SLOU589A):
- Corrected channel temperature range
- Corrected conversion formula for global temperature
Fixes: ba46edca354e ("Documentation: sound: Add TAS675x codec mixer controls documentation") Signed-off-by: Sen Wang <sen@ti.com> Link: https://patch.msgid.link/20260630183126.2588322-4-sen@ti.com Signed-off-by: Mark Brown <broonie@kernel.org>
Sen Wang [Tue, 30 Jun 2026 18:31:20 +0000 (13:31 -0500)]
ASoC: codecs: tas675x: use READ_ONCE for params to be used concurrently
active_playback_dais and active_capture_dais are written atomically via
set_bit()/clear_bit() and can be read concurrently from the
fault_check_work delayed work handler.
fault_check_work already uses READ_ONCE; extend the same guard to all other
reads in tas675x_hw_params() and tas675x_mute_stream().
jpeg_v4_0_3_is_idle() initializes ret to false and then accumulates ring
idle status using &=. Since false & condition always remains false, the
function can never report the JPEG block as idle.
Initialize ret to true so the function returns true only when all JPEG
rings report RB_JOB_DONE.
Signed-off-by: Boyuan Zhang <boyuan.zhang@amd.com> Reviewed-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit e9df8e9d04e0593d17ddb069f3b7958991cd18c9) Cc: stable@vger.kernel.org
Signed-off-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com> Reviewed-by: Kent Russell <kent.russell@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 4623b958dd6da0f4c3026afdf330626a09ecb0f0) Cc: stable@vger.kernel.org