Huiwen He [Wed, 1 Jul 2026 15:21:57 +0000 (23:21 +0800)]
smb/server: map SET_INFO ENOSPC to disk full
FILE_ALLOCATION_INFORMATION can call vfs_fallocate(). If the allocation
cannot be satisfied, vfs_fallocate() returns -ENOSPC.
smb2_set_info() did not map -ENOSPC, so ksmbd returned a generic SMB error
and the client reported EIO instead of ENOSPC. This makes the ENOSPC step
in xfstests generic/213 fail.
Map -ENOSPC and -EFBIG to STATUS_DISK_FULL in the SET_INFO error path.
Tested with xfstests generic/213 on ksmbd.
Signed-off-by: Huiwen He <hehuiwen@kylinos.cn> Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
ksmbd: coalesce sub-15ms write time updates on close
Windows reports automatic write-time updates with a resolution of roughly
15 milliseconds. If a file is written and closed within that interval, a
close response requesting full information can report the write time from
the open rather than the filesystem's finer-grained mtime update.
ksmbd currently converts the filesystem mtime directly in SMB2 CLOSE, so
even a sub-millisecond write is visible to the client. This makes
smb2.timestamp_resolution.resolution1 fail because the immediate write
changes LastWriteTime.
Save the write time returned by SMB2 CREATE in the file handle. When CLOSE
requests post-query attributes, coalesce a positive mtime change smaller
than 15 milliseconds to that saved value. Larger changes remain visible,
including the test's write after a 20 millisecond delay.
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
ksmbd: fix multichannel binding and enforce channel limit
A signed multichannel SESSION_SETUP binding request can require multiple
authentication rounds. ksmbd excludes SESSION_SETUP from the signed
request check and tries to sign every binding response with the channel
signing key. The channel does not exist for
STATUS_MORE_PROCESSING_REQUIRED, so that response is sent unsigned.
Clients reject it with STATUS_ACCESS_DENIED.
The final channel signing key also needs the key exported by the binding
authentication context. Keep that key in the channel instead of
overwriting the established session key, and use the session signing key
for intermediate and failed binding responses. Retain the binding session
reference until an error response has been signed and sent.
Limit a session to 32 channels while holding the channel lock. Return
STATUS_INSUFFICIENT_RESOURCES for an additional binding, matching the
server limit expected by clients.
This fixes smb2.multichannel.generic.num_channels, which previously
failed the first binding with STATUS_ACCESS_DENIED and returned the same
status instead of STATUS_INSUFFICIENT_RESOURCES for channel 33.
Fixes: f5a544e3bab7 ("ksmbd: add support for SMB3 multichannel") Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
sid_to_id() currently treats the last subauthority of any owner or group
SID as a Unix uid or gid. For example, this maps Everyone (S-1-1-0) to
uid 0 and BUILTIN\Users (S-1-5-32-545) to gid 545.
When an SMB2 CREATE security descriptor contains those SIDs, ksmbd
attempts to change the newly created file to the bogus Unix ownership.
notify_change() then returns -EPERM, which makes smb2.create.aclfile fail
with NT_STATUS_SHARING_VIOLATION.
Validate the SID prefix before extracting its RID. Only server-domain
owner SIDs and S-1-22-2 Unix group SIDs have local ID representations.
Treat other valid Windows SIDs as unmapped so their original values can
still be preserved in the NT ACL xattr.
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
Peiyang He [Mon, 6 Jul 2026 04:00:15 +0000 (12:00 +0800)]
ntfs: fail attrlist updates when the superblock is inactive
generic_shutdown_super() clears SB_ACTIVE before evicting cached inodes.
If eviction selects the fake inode for a base inode's unnamed
$ATTRIBUTE_LIST attribute, ntfs_evict_big_inode() drops the fake inode's
reference on the base inode while the fake inode is still hashed and marked
I_FREEING.
That iput can synchronously write back the base inode. The writeback path
may update mapping pairs and call ntfs_attrlist_update(), which
unconditionally calls ntfs_attr_iget() for the same $ATTRIBUTE_LIST fake
inode. VFS then finds the I_FREEING inode and waits for eviction to finish,
but the current task is still inside that eviction path, causing a
self-deadlock in find_inode().
Fix this by mirroring the teardown guard used by __ntfs_write_inode():
once SB_ACTIVE has been cleared, do not try to iget the attribute-list
fake inode. Return -EIO so teardown aborts the update instead of waiting on
the inode it is evicting.
Reported-by: Peiyang He <peiyang_he@smail.nju.edu.cn> Closes: https://lore.kernel.org/all/AB8D5E603E6EA856+ae5f622a-dd3a-4e38-bdd2-42276ae0e1a8@smail.nju.edu.cn/ Fixes: 495e90fa3348 ("ntfs: update attrib operations") Cc: stable@vger.kernel.org Signed-off-by: Peiyang He <peiyang_he@smail.nju.edu.cn> Assisted-by: Codex:gpt-5.5 Reviewed-by: Hyunchul Lee <hyc.lee@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
ntfs: sanitize MFT references returned from ntfs_lookup_inode_by_name()
ntfs_lookup_inode_by_name() returns MFT references read from directory
index entries on disk. These values are untrusted, but the function can
currently return an error-marked MFT reference to its callers without
validating it.
Callers later decode lookup failures with MREF_ERR(). A crafted NTFS image
can set the MREF error bit while leaving the low bits as an arbitrary
value, causing callers to consume a bogus pseudo-errno instead of treating
the lookup result as corrupted on-disk metadata.
Fix this at the source by normalizing every error-marked MFT reference
returned from ntfs_lookup_inode_by_name() to ERR_MREF(-EIO). Apply this to
all four directory lookup return paths so every caller gets a validated
result without needing additional checks or an API change.
This keeps the sanitization in the common lookup helper, which is cleaner
than duplicating validation in each caller.
Peiyang He [Sun, 5 Jul 2026 11:14:09 +0000 (19:14 +0800)]
ntfs: fix hole runlist memory leak in insert range error path
ntfs_non_resident_attr_insert_range() allocates hole_rl before mapping the
whole runlist. If ntfs_attr_map_whole_runlist() fails, the error path drops
ni->runlist.lock and returns without freeing hole_rl. This leaks memory
of sizeof(*hole_rl) * 2 bytes.
Fix this memory leak by freeing hole_rl before returning from
that error path, matching the later error paths in the same function.
Fixes: 495e90fa3348 ("ntfs: update attrib operations") Cc: stable@vger.kernel.org Signed-off-by: Peiyang He <peiyang_he@smail.nju.edu.cn> Reviewed-by: Hyunchul Lee <hyc.lee@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
ntfs: avoid calling post_write_mst_fixup() for invalid index_block
ntfs_icx_ib_sync_write() calls post_write_mst_fixup() when ntfs_ib_write()
returns an error, intending to restore the buffer after a failed write.
However, ntfs_ib_write() returns an error immediately if
pre_write_mst_fixup() validation fails. The caller,
ntfs_icx_ib_sync_write(), interprets any error as a write failure
requiring rollback. It does not differentiate between I/O errors and
validation failures, and calls post_write_mst_fixup() anyway.
Since post_write_mst_fixup() assumes that the index_block contents is
correct, it doesn't perform the boundary checks, which results in
out-of-bounds memory access.
An attacker can craft a malicious NTFS image with:
- large index_block.usa_ofs offset, pointing outside the ntfs_record
- index_block.usa_count = 0, causing integer underflow
- or index_block.usa_count larger than actual number of sectors in the
ntfs_record, causing out-of-bounds access
KASAN reports describing the memory corruption:
==================================================================
BUG: KASAN: slab-out-of-bounds in post_write_mst_fixup+0x19c/0x1d0
Read of size 2 at addr ffff8881586c9018 by task p/9428
Call Trace:
<TASK>
dump_stack_lvl+0x100/0x190
print_report+0x139/0x4ad
? post_write_mst_fixup+0x19c/0x1d0
? __virt_addr_valid+0x262/0x500
? post_write_mst_fixup+0x19c/0x1d0
kasan_report+0xe4/0x1d0
? post_write_mst_fixup+0x19c/0x1d0
post_write_mst_fixup+0x19c/0x1d0
ntfs_icx_ib_sync_write+0x179/0x220
ntfs_inode_sync_filename+0x83d/0x1080
__ntfs_write_inode+0x1049/0x1480
ntfs_file_fsync+0x131/0x9b0
==================================================================
BUG: KASAN: slab-out-of-bounds in post_write_mst_fixup+0x1aa/0x1d0
Write of size 2 at addr ffff8881586c91fe by task p/9428
Call Trace:
<TASK>
dump_stack_lvl+0x100/0x190
print_report+0x139/0x4ad
? post_write_mst_fixup+0x1aa/0x1d0
? __virt_addr_valid+0x262/0x500
? post_write_mst_fixup+0x1aa/0x1d0
kasan_report+0xe4/0x1d0
? post_write_mst_fixup+0x1aa/0x1d0
post_write_mst_fixup+0x1aa/0x1d0
ntfs_icx_ib_sync_write+0x179/0x220
ntfs_inode_sync_filename+0x83d/0x1080
__ntfs_write_inode+0x1049/0x1480
ntfs_file_fsync+0x131/0x9b0
==================================================================
Let's move the post_write_mst_fixup() call to ntfs_ib_write().
The ntfs_ib_write() function calls pre_write_mst_fixup() at the beginning.
If the index_block contents is invalid, pre_write_mst_fixup() fails and
ntfs_ib_write() returns early without calling post_write_mst_fixup() on
bad index_block.
ntfs: fix WARN_ON for resident attribute in ntfs_map_runlist_nolock()
When ntfs_map_runlist_nolock() needs to look up the attribute extent
containing a target VCN (ctx_needs_reset == true), it calls
ntfs_attr_lookup() and then expects the result to be a non-resident
attribute, since only non-resident attributes have a mapping pairs
array to decompress.
A crafted NTFS image can place a resident attribute where a non-resident
one is expected, causing ntfs_attr_lookup() to succeed but return a
resident attribute record. Previously this was caught only by a
WARN_ON(), which does not stop execution. The code then falls through to
read a->data.non_resident.highest_vcn from what is actually a resident
attribute, accessing the wrong union member and corrupting the VCN range
check.
The caller path triggering this warning during mount is:
In this path ctx is NULL, so ntfs_map_runlist_nolock() allocates a
temporary search context internally and sets ctx_needs_reset = true.
The existing resident-attribute guard in the ctx != NULL branch already
returns -EIO silently for the same condition; make the ctx_needs_reset
path consistent by replacing the WARN_ON() with the same -EIO error
return.
This causes the crafted image to be rejected with a mount error instead
of triggering a kernel warning.
Hyunchul Lee [Thu, 2 Jul 2026 05:28:16 +0000 (14:28 +0900)]
ntfs: avoid self-deadlock during inode eviction
An attribute-list update performed while allocating clusters can drop the
last reference to the temporary attribute inode. Evicting that inode
drops its reference to the base inode and can invoke ntfs_drop_big_inode()
for the base inode from within the base inode's own writeback path.
If the base inode is unlinked, ntfs_drop_big_inode() calls
truncate_setsize(), which waits for the inode's folio writeback to
complete. The same writeback worker is responsible for completing that
writeback, so it waits for itself indefinitely.
Prevent this self-deadlock by grabbing a reference to the base inode at the
beginning of ntfs_writepages() and releasing it at the end of the function.
This defers eviction until all bios have been submitted, allowing the wait
for folio writeback to complete safely.
Fixes: b041ca562526 ("ntfs: update iomap and address space operations") Cc: stable@vger.kernel.org Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
ntfs: make system files immutable to prevent corruption
When a system file such as $Bitmap is exposed via show_sys_files and
written from userspace, the volume is corrupted and, because the cluster
allocator scans $Bitmap through the same inode's page cache, a write to
$Bitmap also deadlocks writeback against the folio it already holds locked.
These files are maintained by the driver itself and have no valid reason
to be written through the file interface. Mark base metadata files
(mft_no < FILE_first_user) as immutable during inode read so the VFS
rejects write, mmap, truncate and unlink with -EPERM. Directories are
skipped so the root and $Extend remain usable. Internal metadata updates
do not go through the VFS write path and are unaffected.
Eric Dumazet [Wed, 1 Jul 2026 12:23:29 +0000 (12:23 +0000)]
amt: fix size calculation in amt_get_size()
amt_get_size() incorrectly used sizeof(struct iphdr) for the sizes of
IFLA_AMT_DISCOVERY_IP, IFLA_AMT_REMOTE_IP, and IFLA_AMT_LOCAL_IP.
These attributes contain IPv4 addresses (__be32), not full IP headers.
Replace sizeof(struct iphdr) with sizeof(__be32) to avoid over-allocating
netlink message space.
Fixes: b9022b53adad ("amt: add control plane of amt interface") Signed-off-by: Eric Dumazet <edumazet@google.com> Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com> Link: https://patch.msgid.link/20260701122329.3562825-1-edumazet@google.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Xiang Mei [Tue, 30 Jun 2026 18:32:27 +0000 (11:32 -0700)]
net/smc: fix UAF in smc_cdc_rx_handler() by pinning the socket
smc_cdc_rx_handler() looks up the connection by token under the link
group's conns_lock, drops the lock, and then dereferences conn and the
smc_sock derived from it, ending in sock_hold(&smc->sk) inside
smc_cdc_msg_recv(). No reference is held across the lock release.
The only reference pinning the socket while the connection is
discoverable in the link group is taken in smc_lgr_register_conn()
(sock_hold) and dropped in __smc_lgr_unregister_conn() (sock_put), both
under conns_lock. Once the handler drops conns_lock, a concurrent
close() -> smc_release() -> smc_conn_free() -> smc_lgr_unregister_conn()
can drop that reference and free the smc_sock, so the handler's later
sock_hold() runs on freed memory:
WARNING: lib/refcount.c:25 at refcount_warn_saturate
Workqueue: rxe_wq do_work
refcount_warn_saturate (lib/refcount.c:25)
smc_cdc_msg_recv (net/smc/smc_cdc.c:430)
smc_cdc_rx_handler (net/smc/smc_cdc.c:502)
smc_wr_rx_tasklet_fn (net/smc/smc_wr.c:445)
tasklet_action_common (kernel/softirq.c:938)
handle_softirqs (kernel/softirq.c:622)
Kernel panic - not syncing: panic_on_warn set
Only SMC-R is affected. The SMC-D receive tasklet is stopped by
tasklet_kill(&conn->rx_tsklet) in smc_conn_free() before the connection
is unregistered, so it cannot run concurrently with the free.
Take the socket reference while still holding conns_lock, so the
registration reference can no longer be the last one, and drop it once
the handler is done.
Fixes: d7b0e37c1ac1 ("net/smc: restructure CDC message reception") Reported-by: Weiming Shi <bestswngs@gmail.com> Assisted-by: Claude:claude-opus-4-8 Signed-off-by: Xiang Mei <xmei5@asu.edu> Link: https://patch.msgid.link/20260630183227.2044998-1-xmei5@asu.edu Signed-off-by: Paolo Abeni <pabeni@redhat.com>
net/sched: act_pedit: fix TOCTOU heap OOB write in tc offload
There is a TOCTOU race condition in flower lockless approach between sizing
a flow_rule buffer and filling it.
zdi-disclosures@trendmicro.com reports:
The cls_flower classifier operates with TCF_PROTO_OPS_DOIT_UNLOCKED
(fl_change runs without RTNL), while RTM_NEWACTION holds RTNL, so the
independent locking domains make the race reachable in practice. KASAN
confirms:
BUG: KASAN: slab-out-of-bounds in tcf_pedit_offload_act_setup+0x81b/0x930
Write of size 4 at addr ffff888001f27520 by task poc-toctou/312
The buggy address is located 0 bytes to the right of
allocated 288-byte region [ffff888001f27400, ffff888001f27520)
(cache kmalloc-512)
Note: The result is a heap OOB write attacker-controlled content into the
adjacent slab object (requires CAP_NET_ADMIN).
The fix introduces reading tcfp_nkeys under act->tcfa_lock in all places
using a new tcf_pedit_nkeys_locked() which replaces the old tcf_pedit_nkeys().
Additionally we close the remaining TOCTOU window between the sizing read and
the fill reads by more careful accounting.
Rather than silently truncating the key count, which leads to incorrect
action semantics offloaded to hardware and secondary OOB writes if
the remaining capacity is zero or consumed by prior actions, we enforce
remaining capacity checks and return -ENOSPC if the required space exceeds
the remaining capacity.
Fixes: 71d0ed7079df ("net/act_pedit: Support using offset relative to the conventional network headers") Reported-by: zdi-disclosures@trendmicro.com Tested-by: Victor Nogueira <victor@mojatatu.com> Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com> Link: https://patch.msgid.link/20260701161912.125355-1-jhs@mojatatu.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Xiang Mei [Tue, 30 Jun 2026 17:41:09 +0000 (10:41 -0700)]
net: qualcomm: rmnet: validate MAP frame length before ingress parsing
When ingress deaggregation is disabled, rmnet_map_ingress_handler() passes
the skb straight to __rmnet_map_ingress_handler(), skipping the length
validation that rmnet_map_deaggregate() performs on the aggregated path.
The parser then dereferences the MAP header and csum header/trailer based on
the on-wire pkt_len without checking skb->len, so a short frame is read out
of bounds:
BUG: KASAN: slab-out-of-bounds in rmnet_map_checksum_downlink_packet
Read of size 1 at addr ffff88801118ed00 by task exploit/147
Call Trace:
...
rmnet_map_checksum_downlink_packet (drivers/net/ethernet/qualcomm/rmnet/rmnet_map_data.c:413)
__rmnet_map_ingress_handler (drivers/net/ethernet/qualcomm/rmnet/rmnet_handlers.c:96)
rmnet_rx_handler (drivers/net/ethernet/qualcomm/rmnet/rmnet_handlers.c:129)
__netif_receive_skb_core.constprop.0 (net/core/dev.c:6089)
netif_receive_skb (net/core/dev.c:6460)
tun_get_user (drivers/net/tun.c:1955)
tun_chr_write_iter (drivers/net/tun.c:2001)
vfs_write (fs/read_write.c:688)
ksys_write (fs/read_write.c:740)
do_syscall_64 (arch/x86/entry/syscall_64.c:94)
...
Factor that validation out of rmnet_map_deaggregate() into
rmnet_map_validate_packet_len() and run it on the no-aggregation path too.
The MAP header is bounds-checked first, since this path can receive a frame
shorter than the header.
Paolo Abeni [Mon, 6 Jul 2026 10:39:42 +0000 (12:39 +0200)]
Merge tag 'nf-26-07-03' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf
Florian Westphal says:
====================
netfilter: updates for net
The following patchset contains Netfilter fixes for *net*, all
for ancient problems. Patch 7 raised drive-by sashiko findings,
but those are not related to the change itself.
1) Rebuild the nf_nat_sip data pointer to prevent stale access after SKB
reallocation. Restrict UDP mangling to UDP streams to avoid TCP packet
corruption.
2) Prevent undefined behavior in xt_u32 caused by invalid shift counts.
From Wyatt Feng.
3) Use u64 variables to prevent incorrect comparisons on links exceeding
34 Gbps in xt_rateest. From Feng Wu.
4) Cap the number of expectations per master during nfnetlink_cthelper
updates. From Pablo Neira Ayuso.
5) Mark malformed IPv6 extension headers for hotdrop in ip6tables.
From Zhixing Chen.
6) Skip the end element of an open interval during the get command when its
closest match is the interval's start element. Also from Pablo Neira Ayuso.
7) Fix PMTU calculation for GUE/GRE tunnels in IPVS during ICMP fragmentation
error handling. Include additional tunnel header length when computing the
new MTU. From Yizhou Zhao.
8) Reset full ip_vs_seq structures in ip_vs_conn_new. Also from Yizhou Zhao.
9) Reject invalid shift parameters in xt_connmark. Also from Wyatt Feng.
netfilter pull request nf-26-07-03
* tag 'nf-26-07-03' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
netfilter: xt_connmark: reject invalid shift parameters
ipvs: reset full ip_vs_seq structs in ip_vs_conn_new
ipvs: fix PMTU for GUE/GRE tunnel ICMP errors
netfilter: nft_set_rbtree: get command skips end element with open interval
netfilter: ip6tables: mark malformed IPv6 extension headers for hotdrop
netfilter: nfnetlink_cthelper: cap to maximum number of expectation per master on updates
netfilter: xt_rateest: fix u64 truncation in xt_rateest_mt()
netfilter: xt_u32: reject invalid shift counts
netfilter: nf_nat_sip: reload possible stale data pointer
====================
Nirmoy Das [Tue, 30 Jun 2026 16:51:57 +0000 (09:51 -0700)]
selftests: net: make busywait timeout clock portable
loopy_wait() expects millisecond timestamps. However, Ubuntu Resolute
can use uutils date, where `date -u +%s%3N` returns seconds plus full
nanoseconds instead of a 3-digit millisecond field. This makes
busywait expire too early and can make vlan_bridge_binding.sh read a
stale operstate.
Shigeru Yoshida [Tue, 30 Jun 2026 16:46:20 +0000 (01:46 +0900)]
qede: fix off-by-one in BD ring consumption on build_skb failure
qede_rx_build_skb() and qede_tpa_rx_build_skb() do not check for a
NULL return from qede_build_skb(). When it returns NULL under memory
pressure, the functions still consume a BD from the ring before
returning NULL. The callers then recycle additional BDs, resulting in
one extra BD being consumed (off-by-one). This desynchronizes the BD
ring, which can corrupt DMA page reference counts and lead to SLUB
freelist corruption.
Commit 4e910dbe3650 ("qede: confirm skb is allocated before using")
added a NULL check inside qede_build_skb() to prevent a NULL pointer
dereference, but did not address the missing NULL checks in the
callers, making this off-by-one reachable.
Fix this by adding NULL checks for the return value of
qede_build_skb() in both qede_rx_build_skb() and
qede_tpa_rx_build_skb(), returning NULL immediately before any BD ring
manipulation.
Fixes: 8a8633978b84 ("qede: Add build_skb() support.") Signed-off-by: Shigeru Yoshida <syoshida@redhat.com> Reviewed-by: Jamie Bainbridge <jamie.bainbridge@gmail.com> Link: https://patch.msgid.link/20260630164623.3152625-1-syoshida@redhat.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Sven Eckelmann [Thu, 2 Jul 2026 17:32:40 +0000 (19:32 +0200)]
batman-adv: dat: fix tie-break for candidate selection
The original version of the candidate selection for DAT attempted to
compare both candidate and max_orig_node to identify which has the smaller
MAC address. This comparison is required as tie-break when a hash collision
happened.
But the used function returned 0 when the function was not equal and a
non-zero value when it was equal. As result, the actually selected
node was dependent on the order of entries in the orig_hash and not
actually on the mac addresses. The last originator in the hash collision
would always win.
To have a proper ordering, it must diff the actual MAC address bytes and
reject the candidate when the diff is not smaller than 0.
Sven Eckelmann [Fri, 3 Jul 2026 18:47:45 +0000 (20:47 +0200)]
batman-adv: mcast: avoid OOB read of num_dests header
Before the access to struct batadv_tvlv_mcast_tracker's num_dests, it is
attempted to check whether enough space is actually in the network header.
But instead of using offsetofend() to check for the whole size (2) which
must be accessible, offsetof() of is called. The latter is always returning
0. The comparison with the network header length will always return that
enough data is available - even when only 1 or 0 bytes are accessible.
Instead of using offsetofend(), use the more common check for the whole
header.
Cc: stable@vger.kernel.org Fixes: 07afe1ba288c ("batman-adv: mcast: implement multicast packet reception and forwarding") Signed-off-by: Sven Eckelmann <sven@narfation.org>
Sven Eckelmann [Fri, 3 Jul 2026 19:04:03 +0000 (21:04 +0200)]
batman-adv: frag: fix primary_if leak on failed linearization
If the skb has a frag_list, it must be linearized before it can be split
using skb_split(). But when this step failed, it must not only free the skb
but also take care of the reference to the already found primary_if.
Cc: stable@vger.kernel.org Reported-by: Sashiko <sashiko-bot@kernel.org> Fixes: a063f2fba3fa ("batman-adv: Don't skb_split skbuffs with frag_list") Signed-off-by: Sven Eckelmann <sven@narfation.org>
Sven Eckelmann [Fri, 3 Jul 2026 18:28:31 +0000 (20:28 +0200)]
batman-adv: frag: free unfragmentable packet
The caller of batadv_frag_send_packet() assume that the skb provided to the
function are always consumed. But the pre-check for an empty payload or the
zero fragment size returned an error without any further actions.
A failed pre-check must use the same error handling code as the rest of the
function.
Cc: stable@vger.kernel.org Fixes: ee75ed88879a ("batman-adv: Fragment and send skbs larger than mtu") Signed-off-by: Sven Eckelmann <sven@narfation.org>
Sven Eckelmann [Fri, 3 Jul 2026 20:27:13 +0000 (22:27 +0200)]
batman-adv: tt: prevent TVLV OOB check overflow
A TT unicast TVLV contains the number of VLANs stored in it. This number is
an u16 and gets multiplied by the size of the struct
batadv_tvlv_tt_vlan_data (8 bytes). The size can therefore overflow the u16
used to store the tt_vlan_len. All additional safety checks to prevent
out-of-bounds access of the TVLV buffer are invalid due to this overflow.
Using size_t prevents this overflow and ensures that the safety checks
compare against the actual buffer requirements.
Cc: stable@vger.kernel.org Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific") Signed-off-by: Sven Eckelmann <sven@narfation.org>
Sven Eckelmann [Thu, 2 Jul 2026 19:06:23 +0000 (21:06 +0200)]
batman-adv: tt: avoid request storms during pending request
batadv_send_tt_request() allocates a tt_req_node when none exists for the
destination originator node. This should prevent that a multiple TT
requests are send at the same time to an originator.
But if allocation of the send buffer failed, this request must be cleaned
up again. But indicator for such a failure is "ret == false". But the
actual implementation is checking for "ret == true".
The check must be inverted to not loose the information about the TT
request directly after it was attempted to be sent out. This should avoid
potential request storms.
Cc: stable@vger.kernel.org Fixes: 335fbe0f5d25 ("batman-adv: tvlv - convert tt query packet to use tvlv unicast packets") Signed-off-by: Sven Eckelmann <sven@narfation.org>
Sven Eckelmann [Sat, 4 Jul 2026 07:46:09 +0000 (09:46 +0200)]
batman-adv: clean untagged VLAN on netdev registration failure
When an mesh interface is registered, it creates an untagged struct
batadv_meshif_vlan on top of it via the NETDEV_REGISTER notifier. But in
this process, another receiver of this notification can veto the
registration. The netdev registration will be aborted because of this veto.
The register_netdevice() call will try to clean up the net_device using
unregister_netdevice_queue() - which only uses the .priv_destructor to
free private resources. In this situation, .dellink will not be called.
The cleanup of the untagged batadv_meshif_vlan must thefore be done in the
destructor to avoid a leak of this object.
Cc: stable@vger.kernel.org Fixes: 5d2c05b21337 ("batman-adv: add per VLAN interface attribute framework") Signed-off-by: Sven Eckelmann <sven@narfation.org>
Chuck Lever [Sat, 13 Jun 2026 22:16:33 +0000 (18:16 -0400)]
NFSD: Prevent post-shutdown use-after-free in NFSD_CMD_UNLOCK_FILESYSTEM
The NFSD_CMD_UNLOCK_FILESYSTEM netlink command runs
nfsd4_cancel_copy_by_sb() before nfsd_mutex is held and before
nn->nfsd_serv is confirmed set, the same pre-mutex ordering the procfs
unlock_filesystem path carried. Once nfsd has shut down,
nfs4_state_destroy_net() has freed nn->conf_id_hashtbl but left the
pointer intact, so the cancel helper iterates freed slab memory as an
array of struct list_head and then dereferences a bogus nfs4_client
when it takes clp->async_lock. A local administrator holding
CAP_SYS_ADMIN can reach this use-after-free by stopping the server and
then issuing the command.
Move the async COPY cancel into the nfsd_mutex section, after
nn->nfsd_serv is confirmed, so every NFSv4 state-table walker on this
path observes a running server. Async copies exist only while the
server runs, so gating the cancel on nn->nfsd_serv loses nothing.
Mehdi Hassan [Sat, 4 Jul 2026 02:35:06 +0000 (02:35 +0000)]
smb: client: refactor cifs_revalidate_mapping() to use clear_and_wake_up_bit()
In the `skip_invalidate:` path under `cifs_revalidate_mapping()`, the
sequence of calls:
clear_bit_unlock();
smp_mb__after_atomic();
wake_up_bit();
can be replaced exactly by `clear_and_wake_up_bit()`.
The `clear_and_wake_up_bit()` helper function was introduced in
'commit 8236b0ae31c83 ("bdi: wake up concurrent wb_shutdown()
callers.")' to replace equivalent instances of this sequence of
operations. This substitution has been applied in multiple subsystems.
Compile-tested with CONFIG_CIFS=y on x86_64, no new warnings present.
Merge tag 'x86-urgent-2026-07-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull x86 fix from Ingo Molnar:
- Prevent OOB access in the resctrl code while offlining
CPUs when Intel SNC (Sub-NUMA Clustering) is enabled
(Reinette Chatre)
* tag 'x86-urgent-2026-07-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86,fs/resctrl: Prevent out-of-bounds access while offlining CPU when SNC enabled
Merge tag 'perf-urgent-2026-07-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull perf events fixes from Ingo Molnar:
- Fix a perf_event_attr::remove_on_exec bug for group events
(Taeyang Lee)
- Fix uprobes CALL emulation interaction with shadow stacks, and
add a testcase for this (David Windsor)
- Fix uprobes unregister bug (Jiri Olsa)
* tag 'perf-urgent-2026-07-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
uprobes/x86: Use proper mm_struct in __in_uprobe_trampoline
selftests/x86: Add shadow stack uprobe CALL test
x86/uprobes: Keep shadow stack in sync for emulated CALLs
perf/core: Detach event groups during remove_on_exec
Merge tag 'locking-urgent-2026-07-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull futex fix from Ingo Molnar:
- Fix a futex-requeue deadlock detection regression (Thomas Gleixner)
* tag 'locking-urgent-2026-07-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
futex/requeue: Revert "Prevent NULL pointer dereference in remove_waiter() on self-deadlock""
Merge tag 'irq-urgent-2026-07-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull irq fixes from Ingo Molnar:
"Misc irqchip driver fixes:
- Fix a resource leak in the RISC-V imsic-early driver (Haoxiang Li)
- Fix an OF node reference leak in the ARM gic-v3-its driver (Yuho
Choi)
- Fix a dangling handler function on module removal bug in the
TS-4800 ARM board irqchip driver (Qingshuang Fu)"
* tag 'irq-urgent-2026-07-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
irqchip/ts4800: Fix missing chained handler cleanup on remove
irqchip/gic-v3-its: Fix OF node reference leak
irqchip/irq-riscv-imsic-early: Fix fwnode leak on state setup failure
Merge tag 'sound-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"A standard set of driver-specific fixes and quirks accumulated since
the merge window:
ASoC:
- SOF: Sanity check to prevent OOB reads
- rsnd: Fix clock leak and double-disable issues with PM
- tas675x: Misc fixes for register fields, etc
- lpass-va-macro: Correct codec version for Qualcomm SC7280
- amd-yc: DMIC quirk for Alienware m15 R7 AMD
Others:
- us144mkii: Fix a UAF on disconnect and anchor list corruption
- HD-audio: Realtek quirks for HP models"
* tag 'sound-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ASoC: rsnd: src: Add missing scu_supply clock to suspend/resume
Documentation: sound: tas675x: Fix temperature range and impedance documentation
ASoC: codecs: tas675x: Fix CHx temperature range register bit fields
ASoC: codecs: tas675x: use READ_ONCE for params to be used concurrently
ASoC: rsnd: adg: make rsnd_adg_clk_control() idempotent
ASoC: SOF: validate probe info element counts
ALSA: usx2y: us144mkii: fix work UAF on disconnect
ASoC: amd: yc: Add Alienware m15 R7 AMD to DMIC quirk table
ALSA: hda/realtek: Add quirk for HP Victus 16-e0xxx (88EE) to enable mute LED
MAINTAINERS: ASoC: SOF: add AMD reviewer for Sound Open Firmware
ASoC: codecs: lpass-va-macro: Fix LPASS Codec Version for SC7280
ALSA: us144mkii: capture_urb_complete: redundant usb_anchor_urb corrupts anchor list on each resubmission
Merge tag 'spi-fix-v7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi
Pull spi fixes from Mark Brown:
"A small set of fixes that came in since -rc1, we have one core fix for
shutting down target mode properly if the system suspends while it's
running plus a small set of fairly unremarkable device specific fixes.
There's also a couple of pure DT binding changes for Renesas SoCs, the
power domains one allows some SoCs to be correctly described with
existing code"
* tag 'spi-fix-v7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
spi: rzv2h-rspi: Fix DMA transfer error handling for signal interruption
spi: dt-bindings: snps,dw-apb-ssi: add 'power-domains' property
spi: dt-bindings: snps,dw-apb-ssi: drop superfluous RZ/N1 entry
spi: dw: use the correct error msg if request_irq() fails
spi: dw: fix first spi transfer with dma always fallback to PIO
spi: core: Abort active target transfer on controller suspend
spi: sh-msiof: abort transfers when reset times out
RDMA/irdma: Prevent overflows in memory contiguity checks
irdma_check_mem_contiguous() and irdma_check_mr_contiguous() verify that
PBL entries describe physically contiguous memory ranges.
Both functions calculate byte offsets using 32-bit operands. For example,
with 4 KiB pages, pg_size * pg_idx overflows 32-bit arithmetic when
pg_idx reaches 1048576. In the level-2 check, PBLE_PER_PAGE is 512, so
i * pg_size * PBLE_PER_PAGE overflows when i reaches 2048.
These values are reachable in the driver. For MRs, palloc->total_cnt
comes from iwmr->page_cnt, which is calculated by
ib_umem_num_dma_blocks(). The MR size is limited by IRDMA_MAX_MR_SIZE,
so a 4 GiB MR with 4 KiB pages can reach page_cnt of 1048576. PBLE
resources do not exclude this value either: for gen3, the limit is based
on avail_sds * MAX_PBLE_PER_SD, and MAX_PBLE_PER_SD is 0x40000, so 4 SDs
are enough for 1048576 PBLEs.
Cast one operand to u64 before the multiplications so that the offset
calculations are performed in 64-bit arithmetic.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
// Returns without action
if(!sighand)
return 0;
free_posix_timer();
This is "harmless" unless the deleted timer was armed and enqueued in
p->signal because on exec() a TGID targeted timer is inherited.
As sys_timer_delete() freed the underlying posix timer object
run_posix_cpu_timers() or any timerqueue related add/delete operations on
other timers will access the freed object's timerqueue node, which results
in an UAF.
There is a similar problem vs. posix_cpu_timer_set(). For regular posix
timers it just transiently returns -ESRCH to user space, but for the use
case in do_cpu_nanosleep() it's the same UAF just that the k_itimer is
allocated on the stack.
Also posix_cpu_timer_rearm() fails to rearm the timer, which means it stops
to expire.
While debating solutions Frederic pointed out another problem:
posix_cpu_timer_del(tmr)
__exit_signal(p)
posix_cpu_timers*_exit(p);
unhash_task(p);
p->sighand = NULL;
sh = lock_task_sighand(p)
sighand = p->sighand;
if (!sighand)
return NULL;
lock(sighand);
if (!sh)
WARN_ON_ONCE(timer_queued(tmr));
On weakly ordered architectures it is not guaranteed that
posix_cpu_timer_del() will observe the stores in posix_cpu_timers*_exit()
when p->sighand is observed as NULL, which means the WARN() can be a false
positive.
Solve these issues by:
1) Changing the store in __exit_signal() to smp_store_release().
2) Adding a smp_acquire__after_ctrl_dep() into the !sighand path
of lock_task_sighand().
3) Creating a helper function for looking up the task and locking sighand
which does not return when sighand == NULL. Instead it retries the
task lookup and only if that fails it gives up.
4) Using that helper in the three affected functions.
#1/#2 ensures that the reader side which observes sighand == NULL also
observes all preceeding stores, i.e. the stores in posix_cpu_timers*_exit()
and the ones in unhash_task().
#3 ensures that the above described non-leader exec() situation is handled
gracefully. When the task lookup returns the old leader, but sighand ==
NULL then it retries. In the non-leader exec() case the subsequent task
lookup will observe the new leader due to #1/#2. In normal exit() scenarios
the subsequent lookup fails.
When the task lookup fails, the function also checks whether the timer is
still enqueued and issues a warning if that's the case. Unfortunately there
is nothing which can be done about it, but as the task is already not
longer visible the timer should not be accessed anymore. This check also
requires memory ordering, which is not provided when the first lookup
fails. To achieve that the check is preceeded by a smp_rmb() which pairs
with the smp_wmb() in write_seqlock() in __exit_signal(). That ensures that
the stores in posix_cpu_timers*_exit() are visible.
The history of the non-leader exec() issue goes back to the early days of
posix CPU timers, which stored a pointer to the group leader task in the
timer. That obviously fails when a non-leader exec() switches the leader.
commit e0a70217107e ("posix-cpu-timers: workaround to suppress the problems
with mt exec") added a temporary workaround for that in 2010 which survived
about 10 years. The fix for the workaround changed the task pointer to a
pid pointer, but failed to see the subtle race described above. So the
Fixes tag picks that commit, which seems to be halfways accurate.
Thanks to Frederic Weissbecker, Oleg Nesterov and Peter Zijlstra for
review, feedback and suggestions and to Wongi and Jungwoo for the excellent
bug report and analysis!
Fixes: 55e8c8eb2c7b ("posix-cpu-timers: Store a reference to a pid not a task") Reported-by: Wongi Lee <qw3rtyp0@gmail.com> Reported-by: Jungwoo Lee <jwlee2217@gmail.com> Signed-off-by: Thomas Gleixner <tglx@kernel.org> Reviewed-by: Oleg Nesterov <oleg@redhat.com> Cc: stable@vger.kernel.org
net: microchip: vcap: fix races on the shared Super VCAP block
The VCAP instances on a chip are not independent, yet they are locked
independently. On sparx5 and lan969x the IS0 and IS2 instances are
backed by the same Super VCAP hardware block and share its cache and
command registers: every access drives the shared VCAP_SUPER_CTRL
register and moves data through the shared cache registers.
Accessing one instance therefore races with accessing another. The
per-instance admin->lock cannot prevent this, as each instance takes a
different lock.
The locking issue is mostly disguised by the fact that the core usage of
the vcap api runs under rtnl. However, the full rule dump in debugfs
decodes rules straight from hardware (a READ command followed by a cache
read) and runs outside rtnl, so it races a concurrent tc-flower rule
write to another Super VCAP instance.
Besides corrupting the dump, the read repopulates the shared cache
between the writers cache fill and its write command, so the writer
commits the wrong data and corrupts the hardware entry.
Introduce vcap_lock() and vcap_unlock() helpers and route every rule
lock site in the VCAP API and its debugfs code through them. Replace the
per-instance admin->lock with a single mutex in struct vcap_control that
serializes access to all instances. The helpers reach it through a new
admin->vctrl back-pointer, and the clients initialise and destroy the
control lock instead of a per-instance one.
No path holds more than one instance lock, so collapsing them onto a
single mutex cannot self-deadlock.
Shuangpeng Bai [Tue, 30 Jun 2026 19:48:56 +0000 (15:48 -0400)]
llc: fix SAP refcount leak in llc_ui_autobind()
llc_ui_autobind() opens a SAP after choosing a dynamic LSAP.
llc_sap_open() returns a reference owned by the caller, and
llc_sap_add_socket() takes a second reference for the socket's
membership in the SAP hash tables.
llc_ui_bind() drops the caller's reference after adding the socket,
but llc_ui_autobind() keeps it. When the socket is closed,
llc_sap_remove_socket() releases only the socket reference, leaving
the SAP on llc_sap_list with sk_count == 0.
This is user-visible because repeated autobind and close cycles can consume
all dynamic SAP values and make later autobinds fail with -EUSERS.
Drop the caller's reference after a successful autobind, matching
llc_ui_bind()'s ownership model.
iio: light: al3010: fix incorrect scale for the highest gain range
al3010_scales[] encodes the highest gain range as {0, 1187200}.
For IIO_VAL_INT_PLUS_MICRO, the fractional part must be less than 1000000, so the scale 1.1872 should instead be represented as
{ 1, 187200 }.
Since write_raw() compares the value from userspace against this
table, writing the advertised 1.1872 scale never matches the malformed
entry and returns -EINVAL. As a result, the highest gain range cannot
be selected. Reading the scale in that state also reports the malformed
value.
Andy Shevchenko [Tue, 19 May 2026 21:56:06 +0000 (23:56 +0200)]
iio: adc: nxp-sar-adc: Fix the delay calculation in nxp_sar_adc_wait_for()
The original code was using ndelay() twice. In one case the delay
is calculated as 1/3 of ADC clock and in the other as 80 ADC clocks.
But according to the comments in all cases it should be a multiplier
of the ADC clock, and not a fraction of it. Inadvertently
nxp_sar_adc_wait_for() takes the wrong case and spread it over
the code make it wrong in all places. Fix this by modifying a helper
to correctly use the multiplier.
Fixes: 7e5c0f97c66a ("iio: adc: nxp-sar-adc: Avoid division by zero") Fixes: 4434072a893e ("iio: adc: Add the NXP SAR ADC support for the s32g2/3 platforms") Reported-by: Sashiko <sashiko-bot@kernel.org> Closes: https://sashiko.dev/#/patchset/20260416090122.758990-1-andriy.shevchenko%40linux.intel.com Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Reviewed-by: Stepan Ionichev <sozdayvek@gmail.com> Acked-by: Daniel Lezcano <daniel.lezcano@oss.qualcomm.com> Cc: <Stable@vger.kernel.org> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Stepan Ionichev [Mon, 18 May 2026 09:43:11 +0000 (14:43 +0500)]
iio: light: tsl2591: return actual error from probe IRQ failure
When devm_request_threaded_irq() fails, probe logs the error and
then returns -EINVAL, dropping the real error code and breaking the
deferred-probe flow for -EPROBE_DEFER.
Return ret directly; the IRQ subsystem already prints on failure.
iio: imu: inv_icm42600: fix timestamping by limiting FIFO reading
Timestamps are made by measuring the chip clock using the watermark
interrupts. If we read more than watermark samples as done today, we
are reducing the period between interrupts and distort the time
measurement. Fix that by reading only watermark samples in the
interrupt case.
Fixes: 7f85e42a6c54 ("iio: imu: inv_icm42600: add buffer support in iio devices") Cc: stable@vger.kernel.org Signed-off-by: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Merge tag 's390-7.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
Pull s390 fixes from Vasily Gorbik:
- Fix PKEY_VERIFYPROTK ioctl key type handling by removing the generic
key-length based type check with its wrong bit-size calculation, and
leaving protected key verification to the pkey handler
- Fix monwriter buffer reuse by rejecting records that change the data
length, preventing out of bounds user copy into the kernel buffer
* tag 's390-7.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
s390/monwriter: Reject buffer reuse with different data length
pkey: Move keytype check from pkey api to handler
Merge tag 'mips-fixes_7.2_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux
Pull MIPS fixes from Thomas Bogendoerfer.
* tag 'mips-fixes_7.2_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux:
MIPS: configs: Enable the current Ingenic USB PHY symbol
MIPS: loongson64: add IRQ work based on self-IPI
MIPS: mm: Add check for highmem before removing memory block
mips: Add build salt to the vDSO
MIPS: DEC: Ensure RTC platform device deregistration upon failure
Merge tag 'v7.2-rc1-smb3-server-fixes' of git://git.samba.org/ksmbd
Pull smb server fixes from Steve French:
- Fix several use-after-free races in durable handle reconnect,
supersede, and oplock handling
- Avoid holding the inode oplock lock while waiting for a lease break
acknowledgement. This removes delays of up to 35 seconds when cifs.ko
closes a deferred handle in response to a lease break
- Fix malformed security descriptor handling, including an undersized
DACL allocation issue and an out-of-bounds ACE SID read
- Fix memory leaks in security descriptor and DOS attribute xattr
encoding/decoding error paths
- Fix outstanding SMB2 credit leaks on aborted requests and correct the
QUERY_INFO credit charge calculation
- Fix hard-link creation without replacement being incorrectly rejected
when the handle lacks DELETE access
- Avoid unnecessary zeroing of large SMB2 read buffers
- Add an oplock list lockdep annotation and update the documented
support status for durable handles and SMB3.1.1 compression
- Durable handle fixes to address ownership and lifetime races during
reconnect, session teardown, oplock handling, and superseding opens,
preventing stale session and file references from being used by
concurrent operations
* tag 'v7.2-rc1-smb3-server-fixes' of git://git.samba.org/ksmbd:
ksmbd: fix app-instance durable supersede session UAF
ksmbd: snapshot previous oplock state before durable checks
ksmbd: close superseded durable handles through refcount handoff
ksmbd: fix use-after-free of fp->owner.name in durable handle owner check
smb/server: do not require delete access for non-replacing links
ksmbd: don't hold ci->m_lock while waiting for a lease break ack
ksmbd: doc: update feature support status for durable handles and compression
ksmbd: annotate oplock list traversals under m_lock
ksmbd: fix outstanding credit leak on abort and error paths
ksmbd: fix credit charge calculation for SMB2 QUERY_INFO
ksmbd: avoid zeroing the read buffer in smb2_read()
ksmbd: validate num_subauth when copying ACE in set_ntacl_dacl
ksmbd: reject undersized DACLs before parsing ACEs
ksmbd: fix n.data memory leak in ksmbd_vfs_set_dos_attrib_xattr
ksmbd: Fix acl.sd_buf memory leak and invalid sd_size error handling
ksmbd: fix sd_ndr.data memory leak in ksmbd_vfs_set_sd_xattr
Merge tag 'drm-fixes-2026-07-04' of https://gitlab.freedesktop.org/drm/kernel
Pull drm fixes from Dave Airlie:
"Weekly fixes for drm. This is large for rc2 but it's just a lot of
small fixes across a bunch of drivers, xe, amdgpu as usual, plus some
sashiko-inspired fixes for panthor, and some dma-fence updates.
core:
- kernel doc fix
- include types.h in drm_ras.h
dma-fence:
- fix NULL ptr dereference
- use correct callback
- make dma_fence_dedup_array more robust
dp:
- handle torn down topology gracefully
- fix kernel doc
i915:
- Input validation fixes for BIOS and EDID
- Fix HDCP code buffer overflow and seq_num_v monotonic increase check
- Fix near-NULL deref in i915_active during GFP_ATOMIC exhaustion
xe:
- Wedge from the timeout handler only after releasing the queue
- Fix a NULL pointer dereference
- Remove redundant exec_queue_suspended
- RTP / OA whitelist fixes
- Return error on non-migratable faults requiring devmem
- Skip FORCE_WC and vm_bound check for external dma-bufs
- Hold notifier lock for write on inject test path
- Drop bogus static from finish in force_invalidate
- Fix double-free of managed BO in error path
- Don't attempt to process FAST_REQ or EVENT relays
- Fix NPD in bo_meminfo
- Prevent invalid cursor access for purged BOs
- Fix offset alignment for MERT WHITELST_OA_MERT_MMIO_TRG
amdxdna:
- fix device removal issues
- fix use after free in debug BO
imagination:
- fix double call to scheduler fini
- fix ioctl return values
- fix user array stride
virtio:
- handle EDIDs better
panthor:
- irq safe fence lock fix
- reset work fix
- fix invalid pointer
- fix iomem access in suspended state
- sched resume fix
- unplug suspend fix
- drop needless check
- eviction leak fix
- bail on group start/resume fix
- keep irqs masked
malidp:
- use clock bulk API
komeda:
- clock prepare fixes"
* tag 'drm-fixes-2026-07-04' of https://gitlab.freedesktop.org/drm/kernel: (105 commits)
drm/xe/oa: Fix offset alignment for MERT WHITELIST_OA_MERT_MMIO_TRG
drm/xe/pt: prevent invalid cursor access for purged BOs
drm/xe: fix NPD in bo_meminfo()
drm/xe/pf: Don't attempt to process FAST_REQ or EVENT relays
drm/xe/hw_engine: Fix double-free of managed BO in error path
drm/xe/userptr: Drop bogus static from finish in force_invalidate
drm/xe/userptr: Hold notifier_lock for write on inject test path
drm/xe/display: skip FORCE_WC and vm_bound check for external dma-bufs
drm/xe: Return error on non-migratable faults requiring devmem
drm/xe/rtp: Ensure locking/ref counting for OA whitelists
drm/xe/oa: (De-)whitelist OA registers on OA stream open/release
drm/xe/rtp: (De-)whitelist OA registers for all hwe's for a gt
drm/xe/rtp: Toggle 'deny' bit to (de-)whitelist OA regs
drm/xe/rtp: Save OA nonpriv registers to register save/restore lists
drm/xe/rtp: Generalize whitelist_apply_to_hwe
drm/xe/rtp: Keep track of non-OA nonpriv slots
drm/xe/rtp: Maintain OA whitelists separately
drm/xe/rtp: Fix build error with clang < 21 and non-const initializers
drm/imagination: Fix user array stride in pvr_set_uobj_array()
drm/imagination: Fix returned size for DRM_IOCTL_PVR_DEV_QUERY
...
Merge tag 'acpi-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
Pull ACPI support fixes from Rafael Wysocki:
"These fix a coding mistake in the ACPI TAD (Time and Alarm
Device) driver introduced by one of its previous updates and
get rid of the ugly #ifdef __KERNEL__ conditional compilation
in acpi_ut_safe_strncpy() by redefining that function as an
alias for strscpy_pad():
- Add a missing ACPI_TAD_AC_WAKE capability check omitted by mistake
to the ACPI TAD driver (Xu Rao)
- Define acpi_ut_safe_strncpy() as an alias for strscpy_pad()
which is viable because that function is only called from kernel
code (Rafael Wysocki)"
* tag 'acpi-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
ACPICA: Define acpi_ut_safe_strncpy() as strscpy_pad() alias
ACPI: TAD: Check AC wake capability before enabling wakeup
Merge tag 'riscv-for-linus-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux
Pull RISC-V fixes from Paul Walmsley:
- Fix a crash when a kretprobe reads from the stack
- Fix an issue with the build-time mcount sorter that broke ftrace
- Fix the rv32 IRQ stack frame padding to match the ABI
- Only defer IOMMU configuration during initialization. This avoids an
issue where IOMMU configuration could be indefinitely deferred
- Add the missing build salt to the vDSO
- Now that RISC-V systems with higher numbers of cores are starting to
become available, raise NR_CPUS for RISC-V to 256
- Clean up some warnings from sparse caused by the RISC-V-optimized
RAID6 code
- Clean up our __cpu_up() code with a few minor fixes
* tag 'riscv-for-linus-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
riscv: probes: save original sp in rethook trampoline
riscv: Fix 32-bit call_on_irq_stack() frame pointer ABI
scripts/sorttable: Handle RISC-V patchable ftrace entries
riscv: smp: use secs_to_jiffies in __cpu_up
ACPI: RIMT: Only defer the IOMMU configuration in init stage
riscv: Add build salt to the vDSO
raid6: fix raid6_recov_rvv symbol undeclared warning
raid6: fix riscv symbol undeclared warnigns
riscv: Raise default NR_CPUS for 64BIT to 256
Merge tag 'v7.2-rc1-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6
Pull smb client fixes from Steve French:
- Credit fix
- Fix alignment issue in parse_posix_ctxt
- SID parsing fix
* tag 'v7.2-rc1-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
cifs: Fix missing credit release on failure in cifs_issue_read()
cifs: update internal module version number
smb: client: use unaligned reads in parse_posix_ctxt()
smb: client: harden POSIX SID length parsing
Andreas Kempe [Thu, 2 Jul 2026 10:41:23 +0000 (10:41 +0000)]
iio: imu: st_lsm6dsx: deselect shub page before reading whoami
As part of driver initialization, e.g. st_lsm6dsx_init_shub() selects
the shub register page using st_lsm6dsx_set_page(). Selecting the shub
register page shadows the regular register space so whoami, among other
registers, is no longer accessible.
In applications where the IMU is permanently powered separately from the
processor, there is a window where a reset of the CPU leaves the IMU in
the shub register page. Once this occurs, any subsequent probe attempt
fails because of the register shadowing.
Using the ism330dlc, the error typically looks like
st_lsm6dsx_i2c 3-006a: unsupported whoami [10]
with the unknown whoami read from a reserved register in the shub page.
The reset register is also shadowed by the page select, preventing a
reset from recovering the chip.
Unconditionally clear the shub page before the whoami readout to ensure
normal register access and allow the initialization to proceed.
Place the fix in st_lsm6dsx_check_whoami() before the whoami check
because hw->settings, which st_lsm6dsx_set_page() relies on, is first
assigned in that function.
Placing the fix in a more logical place than the whoami check would
require a bigger restructuring of the code.
Fixes: c91c1c844ebd ("iio: imu: st_lsm6dsx: add i2c embedded controller support") Signed-off-by: Andreas Kempe <andreas.kempe@actia.se> Acked-by: Lorenzo Bianconi <lorenzo@kernel.org> Cc: <Stable@vger.kernel.org> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
====================
net/mlx5e: Fix crashes in dynamic per-channel stats and HV VHCA agent
Since per-channel stats were converted to be allocated and published
lazily at first channel open in commit fa691d0c9c08 ("net/mlx5e:
Allocate per-channel stats dynamically at first usage"),
priv->channel_stats[] and priv->stats_nch are filled in
incrementally during interface bring-up. This opened a window in
which the various stats readers - most of them reachable from
userspace via netlink/netdev stats queries - can race with
mlx5e_open_channel() on another CPU and observe partially
initialized state. The HV VHCA stats agent, which is created
before the channels are opened, hits related problems of its own.
Feng Liu [Tue, 30 Jun 2026 11:51:51 +0000 (14:51 +0300)]
net/mlx5e: Fix publication race for priv->channel_stats[]
mlx5e_channel_stats_alloc() publishes a new entry to
priv->channel_stats[] and then increments priv->stats_nch as a
publication token, but neither store carries any memory barrier:
priv->channel_stats[ix] = kvzalloc_node(...);
if (!priv->channel_stats[ix])
return -ENOMEM;
priv->stats_nch++;
Concurrent readers compute the loop bound from priv->stats_nch and
then dereference priv->channel_stats[i] using plain accesses, e.g.
for (i = 0; i < priv->stats_nch; i++) {
struct mlx5e_channel_stats *cs = priv->channel_stats[i];
... cs->rq.packets ...
}
On weakly-ordered architectures (ARM, PowerPC, RISC-V) the writes to
channel_stats[ix] and stats_nch may become visible to other CPUs out
of program order. A reader can observe stats_nch == N while still
seeing channel_stats[N-1] == NULL, leading to a NULL pointer
dereference in the channel_stats loop.
This has been observed in production on BlueField-3 DPUs (arm64),
where ovs-vswitchd queries netdev statistics over netlink during NIC
bringup, racing mlx5e_open_channel() -> mlx5e_channel_stats_alloc()
on another CPU:
Add mlx5e_stats_nch_write() and mlx5e_stats_nch_read() helpers in en.h
that wrap the smp_store_release()/smp_load_acquire() pair on stats_nch.
The release/acquire pair establishes the contract:
stats_nch == N => channel_stats[0..N-1] are visible and non-NULL.
Publish the stats_nch increment via mlx5e_stats_nch_write() in the
writer (mlx5e_channel_stats_alloc()), and read stats_nch via
mlx5e_stats_nch_read() in all readers: mlx5e RX/TX queue stats,
mlx5e_get_base_stats(), ethtool channels stats, IPoIB stats, the
sw_stats fold and the HV VHCA stats agent.
Fixes: fa691d0c9c08 ("net/mlx5e: Allocate per-channel stats dynamically at first usage") Signed-off-by: Feng Liu <feliu@nvidia.com> Reviewed-by: Eran Ben Elisha <eranbe@nvidia.com> Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com> Reviewed-by: Nimrod Oren <noren@nvidia.com> Signed-off-by: Tariq Toukan <tariqt@nvidia.com> Link: https://patch.msgid.link/20260630115151.729219-4-tariqt@nvidia.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>
mlx5e_hv_vhca_stats_create() registers the stats agent through
mlx5_hv_vhca_agent_create(). The helper publishes the agent in
hv_vhca->agents[type] under agents_lock and immediately schedules an
asynchronous control invalidation on the HV VHCA workqueue before
returning to mlx5e.
The asynchronous invalidation invokes the control agent's invalidate
callback, which reads the hypervisor control block and forwards the
command to mlx5e_hv_vhca_stats_control(). That callback may either:
- call cancel_delayed_work_sync(&priv->stats_agent.work), or
- call queue_delayed_work(priv->wq, &sagent->work, sagent->delay).
However, the delayed_work and priv->stats_agent.agent are only
initialized after mlx5_hv_vhca_agent_create() returns to mlx5e:
agent = mlx5_hv_vhca_agent_create(...); /* publish + invalidate */
...
priv->stats_agent.agent = agent; /* too late */
INIT_DELAYED_WORK(&priv->stats_agent.work, ...); /* too late */
If the asynchronous control path runs before the two assignments
above, it can:
- Operate on an uninitialized delayed_work whose timer.function is
NULL. queue_delayed_work() calls add_timer() unconditionally, so
when the timer expires the timer softirq invokes a NULL function
pointer.
- Re-initialize the timer later through INIT_DELAYED_WORK() while
the timer is already enqueued in the timer wheel, corrupting the
hlist (entry.pprev cleared while the previous bucket node still
points at this entry).
- When the worker eventually runs, mlx5e_hv_vhca_stats_work() reads
sagent->agent (NULL) and dereferences it inside
mlx5_hv_vhca_agent_write().
Fix this by:
- Initializing priv->stats_agent.work before invoking
mlx5_hv_vhca_agent_create(), so the work is always in a valid
state when the control callback observes it.
- Adding a struct mlx5_hv_vhca_agent **ctx_update out-parameter
to mlx5_hv_vhca_agent_create(). The helper writes the agent
pointer to *ctx_update before publishing into hv_vhca->agents[]
and triggering the agents_update flow, so any callback
subsequently invoked from that flow already sees a valid
priv->stats_agent.agent. This avoids having the control
callback participate in agent initialization.
While at it, access priv->stats_agent.agent with
READ_ONCE()/WRITE_ONCE() for the cross-CPU access with the worker, and
clear priv->stats_agent.buf on the agent_create() failure path.
Fixes: cef35af34d6d ("net/mlx5e: Add mlx5e HV VHCA stats agent") Signed-off-by: Feng Liu <feliu@nvidia.com> Reviewed-by: Eran Ben Elisha <eranbe@nvidia.com> Signed-off-by: Tariq Toukan <tariqt@nvidia.com> Link: https://patch.msgid.link/20260630115151.729219-3-tariqt@nvidia.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>
mlx5e_hv_vhca_stats_create() is called from mlx5e_nic_enable(),
before mlx5e_open(). At that point priv->stats_nch is still zero,
because it is only ever incremented in mlx5e_channel_stats_alloc(),
which is reached only from mlx5e_open_channel().
mlx5e_hv_vhca_stats_buf_size() therefore returns 0, and
kvzalloc(0, GFP_KERNEL) returns ZERO_SIZE_PTR ((void *)16) rather
than NULL. The "if (!buf)" guard does not catch this, and
mlx5e_hv_vhca_stats_create() completes "successfully" with
priv->stats_agent.buf set to ZERO_SIZE_PTR.
Once channels are opened (priv->stats_nch > 0) and the hypervisor
enables stats reporting, mlx5e_hv_vhca_stats_work() recomputes
buf_len using the new non-zero stats_nch and calls
memset(buf, 0, buf_len) on ZERO_SIZE_PTR, faulting at address 0x10.
Allocate the buffer based on priv->max_nch, which is set in
mlx5e_priv_init() and is the upper bound on stats_nch:
- Add a separate helper mlx5e_hv_vhca_stats_buf_max_size() that
returns sizeof(per_ring_stats) * max(max_nch, stats_nch), and
use it for the kvzalloc() in mlx5e_hv_vhca_stats_create().
- Keep mlx5e_hv_vhca_stats_buf_size() (which returns based on
stats_nch) for the worker's active payload size, so the wire
format (block->rings = stats_nch) and the amount of data filled
by mlx5e_hv_vhca_fill_stats() are unchanged.
The max(max_nch, stats_nch) guard handles the rare case where
mlx5e_attach_netdev() recomputes max_nch downward across a
detach/resume cycle while priv->stats_nch persists (mlx5e_detach_netdev
does not call mlx5e_priv_cleanup, so stats_nch is only reset when
the netdev is destroyed). Without the guard, the worker could compute
buf_len from stats_nch and overrun the smaller buffer allocated based
on the reduced max_nch.
Allocating a non-zero buffer also makes the kvzalloc() failure path in
mlx5e_hv_vhca_stats_create() reachable for the first time: it returns
early without (re)creating the agent. Clear
priv->stats_agent.{agent,buf} in mlx5e_hv_vhca_stats_destroy() after
freeing them, so that if a later create() bails out on this path, a
subsequent teardown does not double-free the stale agent/buffer left
from a previous enable/disable cycle.
This mirrors the existing mlx5e pattern of preallocating arrays of
size max_nch (e.g. priv->channel_stats) and lazily populating
entries up to stats_nch on demand.
Fixes: fa691d0c9c08 ("net/mlx5e: Allocate per-channel stats dynamically at first usage") Signed-off-by: Feng Liu <feliu@nvidia.com> Reviewed-by: Eran Ben Elisha <eranbe@nvidia.com> Signed-off-by: Tariq Toukan <tariqt@nvidia.com> Link: https://patch.msgid.link/20260630115151.729219-2-tariqt@nvidia.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Damon Ding [Tue, 23 Jun 2026 02:35:06 +0000 (10:35 +0800)]
drm/bridge: analogix_dp: Fix PE/VS value shift mismatch during link training
VS/PE values returned by drm_dp_get_adjust_request_voltage() and
drm_dp_get_adjust_request_pre_emphasis() are already encoded to their
native DPCD register bit positions. However, DPCD_VOLTAGE_SWING_SET /
DPCD_PRE_EMPHASIS_SET macros perform an extra internal shift. Feeding
the raw offset-bearing values directly leads to overlapping bitfields
and invalid lane training configuration, causing link training failures
and black screen.
Add right shift using DP_TRAIN_*_SHIFT constants to strip the DPCD bit
offsets before passing values to the SET macros and subsequent checks.
Apply this fix for both clock recovery and adjust training code paths.
Paolo Abeni [Fri, 3 Jul 2026 16:39:03 +0000 (18:39 +0200)]
Merge branch 'net-mlx5-lag-bug-fixes'
Tariq Toukan says:
====================
net/mlx5: LAG bug fixes
Three bug fixes by Shay in the mlx5 LAG subsystem.
Patch 1 fixes an off-by-one in the error rollback path of
mlx5_lag_create_single_fdb_filter(): the loop started from the
failed index i, potentially operating on uninitialized state or
double-tearing-down an entry that had already self-rolled-back.
The rollback should start from i - 1.
Patch 2 fixes a hang in mlx5_mpesw_work(): when
mlx5_lag_get_devcom_comp() returns NULL the function returned
early without calling complete(), blocking any caller waiting on
mpesww->comp indefinitely.
Patch 3 fixes a kernel crash during teardown when
mlx5_lag_get_dev_seq() returns an error because no device is
marked as master or the peer is no longer in the LAG. The peer
flow cleanup is now skipped instead of proceeding with a bad
pointer.
This series by Shay fixes three bugs in the mlx5 LAG subsystem.
Shay Drory [Tue, 30 Jun 2026 11:29:17 +0000 (14:29 +0300)]
net/mlx5e: TC, skip peer flow cleanup when LAG seq is unavailable
mlx5_lag_get_dev_seq() will return error when the peer isn't in the LAG
or when no device is marked as master. Result bad memory access and kernel
crash[1].
Hence, skip the peer when lookup fails.
Note: In case there are peer flows, they are cleaned before LAG cleared
the master mark.
Shay Drory [Tue, 30 Jun 2026 11:29:16 +0000 (14:29 +0300)]
net/mlx5: LAG, MPESW, Fix missing complete() on devcom error
mlx5_mpesw_work() returned without calling complete() when
mlx5_lag_get_devcom_comp() returned NULL. A caller that queued the
work and waited on mpesww->comp would block indefinitely.
Funnel the early-return path through a new "complete" label so the
waiter is always woken.
Fixes: b430c1b4f63b ("net/mlx5: Replace global mlx5_intf_lock with HCA devcom component lock") Signed-off-by: Shay Drory <shayd@nvidia.com> Reviewed-by: Mark Bloch <mbloch@nvidia.com> Signed-off-by: Tariq Toukan <tariqt@nvidia.com> Link: https://patch.msgid.link/20260630112917.698313-3-tariqt@nvidia.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Shay Drory [Tue, 30 Jun 2026 11:29:15 +0000 (14:29 +0300)]
net/mlx5: LAG, Fix off-by-one in single-FDB error rollback
On failure at index i, the reverse cleanup loop in
mlx5_lag_create_single_fdb() starts from i, so the failed index
itself is rolled back. That can operate on uninitialized state or
double-tear-down a rule the add_one path already self-rolled-back.
Start the rollback from i - 1 so only successfully-installed entries
are undone.
Fixes: ddbb5ddc43ad ("net/mlx5: LAG, Refactor lag logic") Signed-off-by: Shay Drory <shayd@nvidia.com> Reviewed-by: Mark Bloch <mbloch@nvidia.com> Signed-off-by: Tariq Toukan <tariqt@nvidia.com> Link: https://patch.msgid.link/20260630112917.698313-2-tariqt@nvidia.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Merge tag 'vfs-7.2-rc2.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
Pull vfs fixes from Christian Brauner:
- netfs:
- fix the decision when to disallow write-streaming with fscache in
use, handling of asynchronous cache object creation, a double fput
in cachefiles, clearing S_KERNEL_FILE without the inode lock held,
page extraction bugs in the iov_iter helpers (a potential
underflow, a missing allocation failure check, a memory leak, and
a folio offset miscalculation), writeback error and ENOMEM
handling, DIO write retry for filesystems without a
->prepare_write() method, and the replacement of the wb_lock mutex
with a bit lock plus writethrough collection offload so that
multiple asynchronous writebacks don't interfere with each other.
- Fix the barriering when walking the netfs subrequest list during
retries as it was possible to see a subrequest that was just added
by the application thread.
- iomap:
- Change iomap to submit read bios after each extent instead of
building them up across extents. The old behavior was considered
problematic for a while and now caused an actual erofs bug.
- Guard the ioend io_size EOF trim in iomap against underflow when a
concurrent truncate moves EOF below the start of the ioend,
wrapping io_size to a huge value.
- overlayfs
- Fix a stale overlayfs comment about the locking order.
- Store the linked-in upper dentry instead of the disconnected
O_TMPFILE dentry during overlayfs tmpfile copy-up. With a FUSE or
virtiofs upper layer ->d_revalidate() would try to look up "/" in
the workdir and fail, causing persistent ESTALE errors that broke
dpkg and apt.
- vfs-bpf:
Have the bpf_real_data_inode() kfunc take a struct file instead of a
dentry so it is usable from the bprm_check_security, mmap_file, and
file_mprotect hooks, and rename it from bpf_real_inode() to make the
data-inode semantics explicit. The kfunc landed this cycle so the
change is safe.
- afs:
NULL pointer dereferences in the callback service and in
afs_get_tree(), several memory and refcount leaks, missing locking
around the dynamic root inode numbers and premature cell exposure
through /afs, a netns destruction hang caused by a misplaced
increment of net->cells_outstanding, a bulk lookup malfunction caused
by the dir_emit() API change, inode (re)initialisation issues, and
assorted smaller fixes to error codes, seqlock handling, and debug
output.
- vfs:
Refuse O_TMPFILE creation with an unmapped fsuid or fsgid and add a
selftest for it.
- vboxsf:
Add Jori Koolstra as vboxsf maintainer, taking over from Hans de
Goede.
- dio:
Release the pages attached to a short atomic dio bio; the REQ_ATOMIC
size check error path leaked them.
- procfs:
Only bump the parent directory link count when registering
directories in procfs. Registering regular files inflated the count
and leaked a link on every create and remove cycle.
- minix:
Avoid an unsigned overflow in the minix bitmap block count
calculation that let crafted images with huge inode or zone counts
pass superblock validation and crash the kernel during mount.
- cachefiles:
Fix a double unlock in the cachefiles nomem_d_alloc error path left
over from the start_creating() conversion.
- fat:
Stop fat from reading directory entries past the 0x00
end-of-directory marker. If the trailing on-disk slots aren't
zero-filled the driver surfaced arbitrary garbage as directory
entries.
- freexvfs:
Don't BUG() on unknown typed-extent types in freevxfs, reachable via
ioctl(FIBMAP) on a crafted image; fail with an I/O error instead.
- orangefs:
Keep the readdir entry size 64-bit in orangefs fill_from_part().
Truncating it to __u32 bypassed the bounds check and led to
out-of-bounds reads triggerable by the userspace client.
- xfs:
Fix the error unwind in xfs_open_devices() which released the rt
device file twice and left dangling buftarg pointers behind that were
freed again when the failed mount was torn down.
- exec:
Fix an off-by-one in the comment documenting the maximum binfmt
rewrite depth in exec_binprm(). The code allows five rewrites, not
four; restricting the code would break userspace so the comment is
fixed instead.
- file handles:
Reject detached mounts in capable_wrt_mount(). A detached mount can
be dissolved concurrently, leaving a NULL mount namespace that
open_by_handle_at() would dereference.
* tag 'vfs-7.2-rc2.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: (57 commits)
netfs: Fix barriering when walking subrequest list
iomap: submit read bio after each extent
fuse: call fuse_send_readpages explicitly from fuse_readahead
iomap: consolidate bio submission
fhandle: reject detached mounts in capable_wrt_mount()
netfs: Fix DIO write retry for filesystems without a ->prepare_write()
netfs: Fix folio state after ENOMEM whilst under writeback iteration
netfs: Fix writeback error handling
netfs: Fix writethrough to use collection offload
netfs: Replace wb_lock with a bit lock for asynchronicity
netfs: Fix kdoc warning
scatterlist: Fix offset in folio calc in extract_xarray_to_sg()
iov_iter: Remove unused variable in kunit_iov_iter.c
iov_iter: Fix a memory leak in iov_iter_extract_user_pages()
iov_iter: Fix missing alloc fail check in iov_iter_extract_bvec_pages()
iov_iter: Fix potential underflow in iov_iter_extract_xarray_pages()
cachefiles: Fix file burial to take lock when unsetting S_KERNEL_FILE
cachefiles: Fix double fput
netfs: Fix netfs_create_write_req() to handle async cache object creation
netfs: Fix decision whether to disallow write-streaming due to fscache use
...
Merge tag 'xfs-fixes-7.2-rc2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
Pull xfs fixes from Carlos Maiolino:
"A collection of bugfixes and some small code refactoring"
* tag 'xfs-fixes-7.2-rc2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
xfs: simplify __xfs_buf_ioend
xfs: fix handling of synchronous errors in xfs_buf_submit
xfs: remove xfs_buf_ioend
xfs: improve the xfs_buf_ioend_fail calling convention
xfs: use null daddr for unset first bad log block
xfs: fix memory leak in xfs_dqinode_metadir_create()
xfs: release dquot buffer after dqflush failure
xfs: also mark the buffer stale on verifier failure in xfs_buf_submit
xfs: open code xfs_buf_ioend_fail in xfs_buf_submit
xfs: fix AGFL extent count calculation in xrep_agfl_fill
xfs: simplify the failure path in xfs_buf_alloc_vmalloc
xfs: fix incorrect use of gfp flags in xfs_buf_alloc_backing_mem
xfs: lift setting __GFP_NOFAIL from xfs_buf_alloc_kmem to the caller
xfs: split up xfs_buf_alloc_backing_mem
Merge tag 'for-linus-7.2a-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip
Pull xen fixes from Juergen Gross:
- rename function parameters and a comment related to
xen_exchange_memory() (Jan Beulich)
- replace __ASSEMBLY__ with __ASSEMBLER__ (Thomas Huth)
- add some sanity checking to the Xen pvcalls frontend driver (Michael
Bommarito)
- fix error handling in the Xen gntdev driver (Wentao Liang)
- fix several minor bugs in Xen related drivers (Yousef Alhouseen)
* tag 'for-linus-7.2a-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
x86/Xen: correct commentary and parameter naming of xen_exchange_memory()
xenbus: reject unterminated directory replies
xen/gntalloc: validate grant count before allocation
xen/gntalloc: make grant counters unsigned
xen/front-pgdir-shbuf: free grant reference head on errors
xen/gntdev: fix error handling in ioctl
xen: Replace __ASSEMBLY__ with __ASSEMBLER__ in header files
xen/pvcalls: bound backend response req_id before indexing rsp[]
Merge tag 'gpio-fixes-for-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux
Pull gpio fixes from Bartosz Golaszewski:
- check the return value of gpiochip_add_data() in gpio-mvebu and
gpio-htc-egpio
- avoid locking context issues with GPIO drivers using the shared GPIO
proxy by only allowing sleeping operations (atomic GPIO ops don't
really make sense in shared context anyway)
- with the above: restore non-sleeping GPIO access in pinctrl-meson
- fix return value on OOM in gpio-timberdale
- fix interrupt handling in gpio-mt7621
- support both A and B variants of NCT6126D in gpio-f7188x
* tag 'gpio-fixes-for-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux:
pinctrl: meson: restore non-sleeping GPIO access
gpio: timberdale: Return -ENOMEM on dynamic memory allocation in probe
gpio: mt7621: be sure IRQ domain is created before exposing GPIO chips
gpio: mt7621: more robust management of IRQ domain teardown
gpio: mt7621: avoid corruption of shared interrupt trigger state
gpio: shared-proxy: always serialize with a sleeping mutex
gpio-f7188x: Add support for NCT6126D version B
gpio: htc-egpio: use managed gpiochip registration
gpio: mvebu: fail probe if gpiochip registration fails
mac802154: remove interfaces with RCU list deletion
Queue wake, stop, and disable paths walk local->interfaces under RCU.
The bulk hardware teardown path removes entries with list_del(), so an
asynchronous transmit completion can follow a poisoned list node in
ieee802154_wake_queue().
Use list_del_rcu() as in the single-interface removal path. The following
unregister_netdevice() waits for in-flight RCU readers before freeing the
netdevice, so no separate grace-period wait is needed.
Jamal Hadi Salim [Tue, 30 Jun 2026 15:09:22 +0000 (11:09 -0400)]
net/sched: sch_teql: move rcu_read_lock()/spin_lock() from _bh variants
This is a followup based on sashiko comments [1] on commit e5b811fe7931
("net/sched: sch_teql: Introduce slaves_lock to avoid race condition and UAF")
Use plain rcu_read_lock()/spin_lock() in teql_master_xmit() instead of the
_bh variants, since ndo_start_xmit is already invoked with BH disabled
by the core stack and the _bh primitives can warn in_hardirq() when xmit
is reached through netpoll or a softirq xmit path with hard IRQs disabled.
Moves rcu_read_lock() after restart: label + adds rcu_read_unlock() before
goto restart (fixes the unbounded RCU hold across retries)
platform/x86: bitland-mifs-wmi: Fix NULL pointer dereference during suspend/resume
The driver registers two distinct WMI devices: a control device
(BITLAND_WMI_CONTROL) and an event device (BITLAND_WMI_EVENT). During
the probe phase, the event device handling path returns early before
initializing the platform profile device (data->pp_dev), leaving it
NULL.
However, the PM sleep operations are registered globally for the WMI
driver and are triggered for both devices. When entering suspend, the
event device invokes bitland_mifs_wmi_suspend(), which passes the
uninitialized data->pp_dev (NULL) into laptop_profile_get(). This leads
to a NULL pointer dereference inside dev_get_drvdata(), causing a
kernel Oops and halting the suspend sequence.
Fix this by adding a validity check for data->pp_dev in both the suspend
and resume callbacks, safely skipping profile operations for the event
device.
Fixes: dc1ec4fa86b2 ("platform/x86: bitland-mifs-wmi: Add new Bitland MIFS WMI driver") Reviewed-by: Armin Wolf <W_Armin@gmx.de> Signed-off-by: Mingyou Chen <qby140326@gmail.com> Reviewed-by: Armin Wolf <W_Armin@gmx.de> Link: https://patch.msgid.link/20260701120140.430659-1-qby140326@gmail.com Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Daniel Gibson [Fri, 26 Jun 2026 22:02:10 +0000 (00:02 +0200)]
platform/x86/amd/pmc: Avoid logging "(null)" for DMI values
dmi_get_system_info(...) can return NULL. Using that as %s arguments
of dev_info() would log "(null)" (as part of a message like
'... System Vendor: "(null)", Product Name: "(null)" ...'), which may
be confusing for users.
Use Elvis operator to print "(Unknown)" instead.
Fixes: 428b9fd2dce5 ("platform/x86/amd/pmc: Add delay_suspend module parameter") Reported-by: kernel test robot <lkp@intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202606251540.Nr2BtaNu-lkp@intel.com/ Suggested-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Signed-off-by: Daniel Gibson <daniel@gibson.sh> Link: https://patch.msgid.link/20260626220210.1761783-2-daniel@gibson.sh Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Revision 2 of the CONNMARK target accepts user-controlled shift
parameters and applies them to 32-bit mark values in
connmark_tg_shift().
A shift_bits value of 32 or more triggers an undefined-shift bug when
the rule is evaluated. Invalid shift_dir values are also accepted and
silently fall back to the left-shift path.
Reject invalid revision-2 shift parameters in connmark_tg_check() so
malformed rules fail at installation time, before they can reach the
packet path.
Fixes: 472a73e00757 ("netfilter: xt_conntrack: Support bit-shifting for CONNMARK & MARK targets.") Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Zhengchuan Liang <zcliangcn@gmail.com> Reported-by: Xin Liu <dstsmallbird@foxmail.com> Assisted-by: Codex:GPT-5.4 Signed-off-by: Wyatt Feng <bronzed_45_vested@icloud.com> Reviewed-by: Ren Wei <enjou1224z@gmail.com> Reviewed-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
ipvs: reset full ip_vs_seq structs in ip_vs_conn_new
Commit 9a05475cebdd ("ipvs: avoid kmem_cache_zalloc in
ip_vs_conn_new") changed ip_vs_conn_new() to allocate an ip_vs_conn
object with kmem_cache_alloc(). The function then initializes many
fields explicitly, but only resets in_seq.delta and out_seq.delta in the
two struct ip_vs_seq members.
That leaves init_seq and previous_delta uninitialized. This is normally
harmless while the corresponding IP_VS_CONN_F_IN_SEQ or
IP_VS_CONN_F_OUT_SEQ flag is clear. For connections learned from a sync
message, however, ip_vs_proc_conn() preserves those flags from
IP_VS_CONN_F_BACKUP_MASK and passes opt=NULL when the message omits
IPVS_OPT_SEQ_DATA. In that case the new connection can be hashed with
SEQ flags set but with the rest of in_seq/out_seq still containing stale
slab data.
When a packet for such a connection is later handled by an IPVS
application helper, vs_fix_seq() and vs_fix_ack_seq() use
previous_delta and init_seq to rewrite TCP sequence numbers. A malformed
sync message can therefore make forwarded packets carry stale slab bytes
in their TCP seq/ack numbers, and can also corrupt the forwarded TCP
flow.
Reset both struct ip_vs_seq members completely before publishing the
connection. This matches the existing "reset struct ip_vs_seq" comment
and keeps the sequence-adjustment gates inactive unless valid sequence
data is installed later.
Fixes: 9a05475cebdd ("ipvs: avoid kmem_cache_zalloc in ip_vs_conn_new") Cc: stable@vger.kernel.org Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn> Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn> Reported-by: Ao Wang <wangao@seu.edu.cn> Reported-by: Xuewei Feng <fengxw06@126.com> Reported-by: Qi Li <qli01@tsinghua.edu.cn> Reported-by: Ke Xu <xuke@tsinghua.edu.cn> Assisted-by: Claude-Code:GLM-5.2 Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn> Signed-off-by: Florian Westphal <fw@strlen.de>
When an ICMP Fragmentation Needed error is received for a tunneled IPVS
connection, ip_vs_in_icmp() recomputes the MTU that the original packet
can use by subtracting the tunnel overhead from the reported next-hop
MTU.
The current code always subtracts sizeof(struct iphdr), which is only
the IPIP overhead. For GUE and GRE tunnels, ipvs_udp_decap() and
ipvs_gre_decap() already compute the additional tunnel header length,
but that value is scoped to the decapsulation block and is lost before
the ICMP_FRAG_NEEDED handling. As a result, the ICMP error sent back to
the client advertises an MTU that is too large, so PMTUD can fail to
converge for GUE/GRE-tunneled real servers.
With a reported next-hop MTU of 1400, a GUE tunnel currently returns
1380 to the client. The correct value is 1368:
Hoist the tunnel header length into the main ip_vs_in_icmp() scope and
subtract sizeof(struct iphdr) + ulen in the Fragmentation Needed path.
The IPIP path keeps ulen as 0, so its existing 1400 - 20 = 1380 result
is unchanged.
Fixes: 508f744c0de3 ("ipvs: strip udp tunnel headers from icmp errors") Cc: stable@vger.kernel.org Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn> Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn> Reported-by: Ao Wang <wangao@seu.edu.cn> Reported-by: Xuewei Feng <fengxw06@126.com> Reported-by: Qi Li <qli01@tsinghua.edu.cn> Reported-by: Ke Xu <xuke@tsinghua.edu.cn> Assisted-by: Claude-Code:GLM-5.2 Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn> Acked-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Florian Westphal <fw@strlen.de>
netfilter: nft_set_rbtree: get command skips end element with open interval
The get command on intervals provide partial matches such as subranges
for usability reasons. However, an open interval has no closing end
element. If the closing element matches within the range of the open
internal, ie. its closest match is the start element of the open range,
then, return 0 but offer no matching element to userspace through
netlink as a special case. Userspace provides at least a matching start
element in this case and the closing end element matching the open
interal is ignored.
Another possibility is to report the matching start element of the open
interval for this end interval. However, this results in duplicated
matching being listed in userspace because userspace does not expect a
start element as response to a end element.
Fixes: 2aa34191f06f ("netfilter: nft_set_rbtree: use binary search array in get command") Reported-by: Melbin K Mathew <mlbnkm1@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
netfilter: ip6tables: mark malformed IPv6 extension headers for hotdrop
The ah, hbh and rt matches check that the fixed extension header is
present, then use the header length field to derive the advertised
extension header length for matching.
For the ah match, add the missing advertised-length check. For hbh
and rt, update the existing advertised-length checks. In all three
cases, set hotdrop to true before returning false when the advertised
extension header length exceeds the available skb data.
Returning false treats the packet as a rule mismatch. Set hotdrop to
true and drop malformed packets so they cannot bypass rules intended
to drop packets with these IPv6 extension headers.
netfilter: nfnetlink_cthelper: cap to maximum number of expectation per master on updates
Really cap it to NF_CT_EXPECT_MAX_CNT (255) on updates.
The commit ("netfilter: nfnetlink_cthelper: cap to maximum number of
expectation per master") only covers creation of helpers, not updates.
Fixes: 397c8300972f ("netfilter: nf_conntrack_helper: cap maximum number of expectation at helper registration") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
Feng Wu [Thu, 25 Jun 2026 08:44:25 +0000 (08:44 +0000)]
netfilter: xt_rateest: fix u64 truncation in xt_rateest_mt()
On links faster than ~34 Gbps, where byte rate may exceed 2^32-1
(~ 4.3 GBps), the comparison result becomes incorrect because the
truncated value no longer reflects the actual estimator rate.
Wyatt Feng [Sun, 28 Jun 2026 08:05:54 +0000 (16:05 +0800)]
netfilter: xt_u32: reject invalid shift counts
u32_match_it() executes rule-supplied shift operands on a 32-bit
value. A malformed u32 rule can provide a shift count of 32 or more,
triggering an undefined shift out-of-bounds during packet evaluation.
Validate XT_U32_LEFTSH and XT_U32_RIGHTSH operands in
u32_mt_checkentry() and reject malformed rules before they reach the
packet path.
If a cloned or fragmented SKB is reallocated by skb_ensure_writable(), the
old data buffer is freed. However, nf_nat_sip() fails to update *dptr to
point to the new buffer.
It also appears to use nf_nat_mangle_udp_packet() on what could be a TCP
packet, which would overwrite the sequence number with a checksum update.
------------------------------------------------------------------------
nf_conntrack_sip linerizes skbs, hence no fragmented skb can be seen.
But clones are possible, so rebuild dptr.
Disable nf_nat_mangle_udp_packet() branch for TCP streams.
It doesn't look like this can ever happen, else we should have received
bug reports about this, so just check the conntrack is UDP and drop
otherwise.
The calling conntrack_sip set ->forced_dport for SIP_HDR_VIA_UDP messages,
so I don't think this is ever expected to be true for a TCP stream.
Fixes: 7266507d8999 ("netfilter: nf_ct_sip: support Cisco 7941/7945 IP phones") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-sonnet-4-6 Signed-off-by: Florian Westphal <fw@strlen.de>
Alice Ryhl [Fri, 3 Jul 2026 11:25:12 +0000 (11:25 +0000)]
rust_binder: clear freeze listener on node removal
Generally userspace is supposed to explicitly clear freeze listeners
before they drop the refcount on the node ref to zero, but there's
nothing forcing that. Currently, in this scenario the freeze listener
remains in the freeze_listeners rbtree and in the remote node's freeze
listener list, even though the ref for which the listener is registered
is gone. This could potentially lead to a memory leak due to a refcount
cycle. Thus, remove the freeze listener in this scenario.
Rust binder resolved handle 0 to the context manager node, but it does not
reject the case where the caller owns the same node.
The C binder driver rejects transactions from the context-manager process
to handle 0 after resolving the target node. Match that behavior in Rust
Binder by rejecting handle 0 transactions when the resolved context-manager
node is owned by the calling process.
This applies to both synchronous and oneway transactions because both paths
resolve the target through Process::get_transaction_node().
Hyunwoo Kim [Sun, 31 May 2026 13:29:24 +0000 (22:29 +0900)]
rust_binder: use a u64 stride when cleaning up the offsets array
Allocation's Drop walks the offsets array (binder_size_t = u64 entries),
cleaning up the objects, but it used usize instead of u64 for both the
stride and the per-entry read.
On 64-bit kernels (usize == u64) this is harmless, but on 32-bit kernels
it walks the 8-byte entries in 4-byte steps, iterating an N-entry array
2N times, and reads the always-zero high word as offset 0, cleaning up
the object at offset 0 N extra times. As a result the referenced node or
handle ends up with a lower reference count than it actually has (a
refcount over-decrement), and binder's reference accounting is corrupted;
for example, the owner can be notified of a strong reference release
(BR_RELEASE) even though references still remain.
Change the stride to u64, and read each entry as a u64, narrowing it to
usize with try_into().
On 32-bit ARM, when this over-decrement would drive a count below zero,
the driver's existing refcount guard refuses it and fires:
rust_binder: Failure: refcount underflow!
Cc: stable <stable@kernel.org> Fixes: eafedbc7c050 ("rust_binder: add Rust Binder driver") Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com> Acked-by: Carlos Llamas <cmllamas@google.com> Reviewed-by: Alice Ryhl <aliceryhl@google.com> Link: https://patch.msgid.link/ahw3tFhLz9bMMJAO@v4bel Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Carlos Llamas [Fri, 19 Jun 2026 18:52:31 +0000 (18:52 +0000)]
binder: fix UAF in binder_free_transaction()
In binder_free_transaction(), the t->to_proc is read under the t->lock.
However, once the t->lock is dropped, the to_proc can die in parallel.
This leads to a use-after-free error when we attempt to acquire its
inner lock right afterwards:
==================================================================
BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x1a0
Write of size 4 at addr ffff00001125da70 by task B/672
To prevent this, pin the target thread (t->to_thread) to guarantee the
target process remains alive. Undelivered transactions without a target
thread are already safe, as the target process can only be the current
context in those paths.
Cc: stable <stable@kernel.org> Reported-by: Alice Ryhl <aliceryhl@google.com> Closes: https://lore.kernel.org/all/aikJKVuny_eOivwN@google.com/ Fixes: a370003cc301 ("binder: fix possible UAF when freeing buffer") Signed-off-by: Carlos Llamas <cmllamas@google.com> Reviewed-by: Alice Ryhl <aliceryhl@google.com> Link: https://patch.msgid.link/20260619185233.2194678-2-cmllamas@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Carlos Llamas [Fri, 19 Jun 2026 18:52:30 +0000 (18:52 +0000)]
binder: fix UAF in binder_thread_release()
When a thread exits, binder_thread_release() walks its transaction stack
to clear the t->from and t->to_proc that correspond with the exiting
thread. However, a process dying in parallel might attempt to kfree some
of these transactions. And if one of them has no associated t->to_proc,
the t->to_proc->inner_lock will not be acquired.
This means that transaction accesses in binder_thread_release() after
t->to_proc has been cleared might race with binder_free_transaction()
and cause a use-after-free error as reported by KASAN:
==================================================================
BUG: KASAN: slab-use-after-free in binder_thread_release+0x5d0/0x798
Write of size 8 at addr ffff000016627500 by task X/715
Allocated by task 717 on cpu 18 at 67.267803s:
__kasan_kmalloc+0xa0/0xbc
__kmalloc_cache_noprof+0x174/0x444
binder_transaction+0x554/0x8150
binder_thread_write+0xa30/0x4354
binder_ioctl+0x20f0/0x299c
[...]
Freed by task 202 on cpu 18 at 90.416221s:
__kasan_slab_free+0x58/0x80
kfree+0x1a0/0x4a4
binder_free_transaction+0x150/0x294
binder_send_failed_reply+0x398/0x6d8
binder_release_work+0x3e4/0x4ec
binder_deferred_func+0xbd8/0x104c
[...]
==================================================================
In order to avoid this, make sure that binder_free_transaction() reads
the t->to_proc under the transaction lock. This will serialize the
transaction release with the accesses in binder_thread_release(). Plus,
it matches the documented locking rules for @to_proc.
Cc: stable <stable@kernel.org> Fixes: 7a4408c6bd3e ("binder: make sure accesses to proc/thread are safe") Reviewed-by: Alice Ryhl <aliceryhl@google.com> Signed-off-by: Carlos Llamas <cmllamas@google.com> Link: https://patch.msgid.link/20260619185233.2194678-1-cmllamas@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Keshav Verma [Mon, 15 Jun 2026 21:17:43 +0000 (02:47 +0530)]
rust_binder: synchronize Rust Binder stats with freeze commands
Rust Binder stats use BC_COUNT and BR_COUNT to size the command and
return counters, and use event string tables when printing debug
statistics.
The Binder protocol includes freeze-related commands and return codes,
but the Rust Binder statistics code was not updated to cover them. As a
result, those commands and return codes are not accounted for or printed
by the stats debug output.
Update the counts and event string tables so these commands and return
codes are included in the debug statistics output.
Chris Mason [Wed, 3 Jun 2026 17:44:54 +0000 (10:44 -0700)]
binder: cache secctx size before release zeroes it
binder_transaction() bounds the scatter-gather buffer area with
sg_buf_end_offset and subtracts the aligned LSM context size because
the secctx is written at the tail of that area. The subtraction reads
lsmctx.len, but that field has already been cleared by the time the
line runs:
security_release_secctx() does memset(cp, 0, sizeof(*cp)), so lsmctx.len
reads back as 0 and the subtraction contributes nothing, leaving
sg_buf_end_offset too large by the aligned secctx size on every
transaction to a txn_security_ctx node.
Each BINDER_TYPE_PTR object then derives buf_left = sg_buf_end_offset -
sg_buf_offset as the sole upper bound on its copy, so the inflated end
offset lets the copy run into the bytes that already hold the secctx.
The aligned size must therefore be cached before release rather than
re-read from the now-cleared field. Fix by caching it in
lsmctx_aligned_size at function scope when it is first computed and
subtracting lsmctx_aligned_size instead of re-reading lsmctx.len after
release. Reuse the same value for the earlier buf_offset computation.
Fixes: 6fba89813ccf ("lsm: ensure the correct LSM context releaser") Cc: stable <stable@kernel.org> Assisted-by: kres:claude-opus-4-8 Signed-off-by: Chris Mason <clm@meta.com> Reviewed-by: Alice Ryhl <aliceryhl@google.com> Acked-by: Carlos Llamas <cmllamas@google.com> Link: https://patch.msgid.link/20260603174506.1957278-1-clm@meta.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
David Howells [Thu, 2 Jul 2026 08:23:02 +0000 (09:23 +0100)]
netfs: Fix barriering when walking subrequest list
Fix the barriering used when walking the subrequest list in retry as
there's a possibility of seeing a subreq that's just been added by the
application thread.
Merge tag 'usb-serial-7.2-rc2' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-linus
Johan writes:
USB serial fixes for 7.2-rc2
Here is a fix for an information leak in the keyspan_pda driver and
three fixes for digi_acceleport addressing stuck rx if a port is closed
while throttled, a hard lockup on disconnect and write buffer
corruption.
Included are also some new modem device ids.
All have been in linux-next for a few days with no reported issues.
* tag 'usb-serial-7.2-rc2' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial:
USB: serial: keyspan_pda: fix information leak
USB: serial: option: add Telit Cinterion FE990D50 compositions
USB: serial: digi_acceleport: fix broken rx after throttle
USB: serial: digi_acceleport: fix hard lockup on disconnect
USB: serial: digi_acceleport: fix write buffer corruption
GUE private flags can indicate that remote checksum offload metadata is
present. The private flags field itself is accounted for by
guehdr_flags_len(), but guehdr_priv_flags_len() currently returns 0 even
when GUE_PFLAG_REMCSUM is set.
This lets a packet with only the private flags field pass
validate_gue_flags(), after which gue_remcsum() and gue_gro_remcsum()
read the missing REMCSUM start/offset fields from the following bytes.
Account for GUE_PLEN_REMCSUM when GUE_PFLAG_REMCSUM is present so that
malformed packets are rejected during option validation.
Fixes: c1aa8347e73e ("gue: Protocol constants for remote checksum offload") Signed-off-by: Qihang <q.h.hack.winter@gmail.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Merge tag 'asoc-fix-v7.2-rc1' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
ASoC: Fixes for v7.2
A fairly standard set of driver specific fixes and quirks that have come
in since the merge window, plus a MAINTAINERS update. The tas675x
READ_ONCE change is probably not actually fixing issues properly but we
need a whole new approach to concurrency there and it came along with
some good fixes.
The result of this mixture of different and unrelated subsystem
details is that even when touching an obscure device id struct most of
the kernel needs to be recompiled. Given that each driver typically
only needs one or two of these structures, splitting into per
subsystem headers and only including what is really needed reduces the
amount of needed recompilation.
This split is implemented in the first commit and then after some
preparatory work in the following commits, the last two replace
includes of <linux/mod_devicetable.h> by the actually needed more
specific headers.
There are still a few instances left, but the ones with high impact
(that is in headers that are used a lot) and the easy ones (.c files)
are handled. These remaining includes will be addressed during the
next merge window"
* tag 'device-id-rework' of git://git.kernel.org/pub/scm/linux/kernel/git/ukleinek/linux:
Replace <linux/mod_devicetable.h> by more specific <linux/device-id/*.h> (c files)
Replace <linux/mod_devicetable.h> by more specific <linux/device-id/*.h> (headers)
parisc: #include <linux/compiler.h> for unlikely() in <asm/ptrace.h>
media: em28xx: Add include for struct usb_device_id
LoongArch: KVM: Add include defining struct cpu_feature
ALSA: hda/core: Add include defining struct hda_device_id
usb: dwc2: Add include defining struct pci_device_id
platform/x86: int3472: Add include defining struct dmi_system_id
platform/x86: x86-android-tablets: Add include defining struct dmi_system_id
i2c: Let i2c-core.h include <linux/i2c.h>
of: Explicitly include <linux/types.h> and <linux/err.h>
platform/x86: msi-ec: Ensure dmi_system_id is defined
usb: serial: Include <linux/usb.h> in <linux/usb/serial.h>
driver core: platform: Include header for struct platform_device_id
driver: core: Include headers for acpi_device_id and of_device_id for struct device_driver
media: ti: vpe: #include <linux/platform_device.h> explicitly
mod_devicetable.h: Split into per subsystem headers
Dawei Feng [Tue, 30 Jun 2026 07:16:25 +0000 (15:16 +0800)]
octeontx2-pf: fix SQB pointer leak on init failure
otx2_init_hw_resources() initializes SQ aura and pool resources before
several later setup steps. On failure, err_free_sq_ptrs only frees SQB
pages, leaving the per-SQ sqb_ptrs arrays behind.
Use otx2_free_sq_res() for the SQ unwind path and let it free sqb_ptrs
even when sq->sqe has not been allocated yet.
The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available. Manual inspection confirms that the bug is still
present in v7.1.1.
An x86_64 allyesconfig build showed no new warnings. As we do not have an
OcteonTX2 PF device and the corresponding AF mailbox setup to test with,
no runtime testing was able to be performed.
Xiang Mei [Tue, 30 Jun 2026 04:51:21 +0000 (21:51 -0700)]
net: usb: net1080: validate packet_len before pad-byte access in rx_fixup
For an even packet_len, net1080_rx_fixup() reads the pad byte at
skb->data[packet_len] before the skb->len != packet_len check further
down, and packet_len is only bounded against NC_MAX_PACKET. A malicious
NetChip 1080 device can send a short frame advertising a large even
packet_len (e.g. 0x4000), so the pad-byte read lands past the end of the
skb:
BUG: KASAN: slab-out-of-bounds in net1080_rx_fixup
Read of size 1 at addr ffff8880106c83c6 by task ksoftirqd/0/14
...
net1080_rx_fixup (drivers/net/usb/net1080.c:384)
usbnet_bh (drivers/net/usb/usbnet.c:1589)
process_one_work (kernel/workqueue.c:3322)
bh_worker (kernel/workqueue.c:3708)
tasklet_action (kernel/softirq.c:965)
handle_softirqs (kernel/softirq.c:622)
...
Reject the frame when packet_len >= skb->len before reading.
Fixes: 904813cd8a0b ("[PATCH] USB: usbnet (4/9) module for net1080 cables") Reported-by: Weiming Shi <bestswngs@gmail.com> Assisted-by: Claude:claude-opus-4-8 Signed-off-by: Xiang Mei <xmei5@asu.edu> Link: https://patch.msgid.link/20260630045121.1565324-1-xmei5@asu.edu Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Dmitry Torokhov [Tue, 30 Jun 2026 01:44:41 +0000 (18:44 -0700)]
Input: maple_keyb - set driver data before registering input device
Set maple driver data before calling input_register_device() to
ensure that it is available if the device is opened immediately and
the callback is triggered.
Dmitry Torokhov [Tue, 30 Jun 2026 05:49:15 +0000 (22:49 -0700)]
Input: maplecontrol - set driver data before registering input device
Set maple driver data before calling input_register_device() to
ensure that it is available if the device is opened immediately and
the callback is triggered.
Dmitry Torokhov [Tue, 30 Jun 2026 05:47:34 +0000 (22:47 -0700)]
Input: maplemouse - set driver data before registering input device
Set maple driver data before calling input_register_device() to
ensure that it is available if the device is opened immediately and
the callback is triggered.
Replace <linux/mod_devicetable.h> by more specific <linux/device-id/*.h> (c files)
Replace the #include of <linux/mod_devicetable.h> by the more specific
<linux/device-id/*.h> where applicable. For most cases the include
can be dropped completely, only a few drivers need one or two headers
added.
; some of them are widely used headers. To stop mixing up different and
unrelated driver( type)s let the subsystem headers only use the subset
of the recently split <linux/mod_devicetable.h> that are relevant for
them.
The fallout (I hope) is addressed in the previous commits that handle
sources relying on e.g. <linux/i2c.h> pulling in the full legacy header
and thus providing pci_device_id.
parisc: #include <linux/compiler.h> for unlikely() in <asm/ptrace.h>
Currently <linux/compiler.h> isn't included at all (not even
transitively) in <asm/ptrace.h>.
arch/parisc/kernel/asm-offsets.c just happens to include the following
chain of includes before <asm/ptrace.h>:
. That chain will be broken, because in one of the next commits
<asm/hardware.h> is changed to only include <linux/device-id/parisc.h>
instead of <linux/mod_devicetable.h>. So to ensure
arch/parisc/kernel/asm-offsets.c knows about unlikely() even after that
change, #include <linux/compiler.h> explicitly.