rtmutex: Use waiter::task instead of current in remove_waiter()
remove_waiter() is used by the slowlock paths, but it is also used for
proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from
futex_requeue().
In the latter case waiter::task is not current, but remove_waiter()
operates on current for the dequeue operation. That results in several
problems:
1) the rbtree dequeue happens without waiter::task::pi_lock being held
2) the waiter task's pi_blocked_on state is not cleared, which leaves a
dangling pointer primed for UAF around.
3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter
task
Use waiter::task instead of current in all related operations in
remove_waiter() to cure those problems.
[ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the
changelog ]
Fixes: 8161239a8bcc ("rtmutex: Simplify PI algorithm and make highest prio task get lock") Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Yifan Wu <yifanwucs@gmail.com> Reported-by: Juefei Pu <tomapufckgml@gmail.com> Reported-by: Xin Liu <bird@lzu.edu.cn> Signed-off-by: Keenan Dong <keenanat2000@gmail.com> Signed-off-by: Thomas Gleixner <tglx@kernel.org> Cc: stable@vger.kernel.org
netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check
The nf_osf_ttl() function accessed skb->dev to perform a local interface
address lookup without verifying that the device pointer was valid.
Additionally, the implementation utilized an in_dev_for_each_ifa_rcu
loop to match the packet source address against local interface
addresses. It assumed that packets from the same subnet should not see a
decrement on the initial TTL. A packet might appear it is from the same
subnet but it actually isn't especially in modern environments with
containers and virtual switching.
Remove the device dereference and interface loop. Replace the logic with
a switch statement that evaluates the TTL according to the ttl_check.
Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match") Reported-by: Kito Xu (veritas501) <hxzene@gmail.com> Closes: https://lore.kernel.org/netfilter-devel/20260414074556.2512750-1-hxzene@gmail.com/ Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nfnetlink_osf: fix out-of-bounds read on option matching
In nf_osf_match(), the nf_osf_hdr_ctx structure is initialized once
and passed by reference to nf_osf_match_one() for each fingerprint
checked. During TCP option parsing, nf_osf_match_one() advances the
shared ctx->optp pointer.
If a fingerprint perfectly matches, the function returns early without
restoring ctx->optp to its initial state. If the user has configured
NF_OSF_LOGLEVEL_ALL, the loop continues to the next fingerprint.
However, because ctx->optp was not restored, the next call to
nf_osf_match_one() starts parsing from the end of the options buffer.
This causes subsequent matches to read garbage data and fail
immediately, making it impossible to log more than one match or logging
incorrect matches.
Instead of using a shared ctx->optp pointer, pass the context as a
constant pointer and use a local pointer (optp) for TCP option
traversal. This makes nf_osf_match_one() strictly stateless from the
caller's perspective, ensuring every fingerprint check starts at the
correct option offset.
Fixes: 1a6a0951fc00 ("netfilter: nfnetlink_osf: add missing fmatch check") Suggested-by: Florian Westphal <fw@strlen.de> Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ipvs: fix MTU check for GSO packets in tunnel mode
Currently, IPVS skips MTU checks for GSO packets by excluding them with
the !skb_is_gso(skb) condition. This creates problems when IPVS tunnel
mode encapsulates GSO packets with IPIP headers.
The issue manifests in two ways:
1. MTU violation after encapsulation:
When a GSO packet passes through IPVS tunnel mode, the original MTU
check is bypassed. After adding the IPIP tunnel header, the packet
size may exceed the outgoing interface MTU, leading to unexpected
fragmentation at the IP layer.
2. Fragmentation with problematic IP IDs:
When net.ipv4.vs.pmtu_disc=1 and a GSO packet with multiple segments
is fragmented after encapsulation, each segment gets a sequentially
incremented IP ID (0, 1, 2, ...). This happens because:
a) The GSO packet bypasses MTU check and gets encapsulated
b) At __ip_finish_output, the oversized GSO packet is split into
separate SKBs (one per segment), with IP IDs incrementing
c) Each SKB is then fragmented again based on the actual MTU
This sequential IP ID allocation differs from the expected behavior
and can cause issues with fragment reassembly and packet tracking.
Fix this by properly validating GSO packets using
skb_gso_validate_network_len(). This function correctly validates
whether the GSO segments will fit within the MTU after segmentation. If
validation fails, send an ICMP Fragmentation Needed message to enable
proper PMTU discovery.
"Historically this is not an issue, even for normal base hooks: the data
path doesn't use the original nf_hook_ops that are used to register the
callbacks.
However, in v5.14 I added the ability to dump the active netfilter
hooks from userspace.
This code will peek back into the nf_hook_ops that are available
at the tail of the pointer-array blob used by the datapath.
The nat hooks are special, because they are called indirectly from
the central nat dispatcher hook. They are currently invisible to
the nfnl hook dump subsystem though.
But once that changes the nat ops structures have to be deferred too."
Update nf_nat_register_fn() to deal with partial exposition of the hooks
from error path which can be also an issue for nfnetlink_hook.
Fixes: e2cf17d3774c ("netfilter: add new hook nfnl subsystem") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: xtables: restrict several matches to inet family
This is a partial revert of:
commit ab4f21e6fb1c ("netfilter: xtables: use NFPROTO_UNSPEC in more extensions")
to allow ipv4 and ipv6 only.
- xt_mac
- xt_owner
- xt_physdev
These extensions are not used by ebtables in userspace.
Moreover, xt_realm is only for ipv4, since dst->tclassid is ipv4
specific.
Fixes: ab4f21e6fb1c ("netfilter: xtables: use NFPROTO_UNSPEC in more extensions") Reported-by: "Kito Xu (veritas501)" <hxzene@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Xiang Mei [Tue, 14 Apr 2026 22:14:01 +0000 (15:14 -0700)]
netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
nf_osf_match_one() computes ctx->window % f->wss.val in the
OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A
CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a
subsequent matching TCP SYN divides by zero and panics the kernel.
Reject the bogus fingerprint in nfnl_osf_add_callback() above the
per-option for-loop. f->wss is per-fingerprint, not per-option, so
the check must run regardless of f->opt_num (including 0). Also
reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that
as "should not happen".
io_uring: fix iowq_limits data race in tctx node addition
__io_uring_add_tctx_node() reads ctx->int_flags and
ctx->iowq_limits[0..1] without holding ctx->uring_lock, while
io_register_iowq_max_workers() writes these same fields under the lock.
Mostly an application problem if you try and make these race, but let's
silence KCSAN by just grabbing the ->uring_lock around the operation.
This is a slow path operation anyway, and ->uring_lock will be grabbed
by submission right after anyway.
Fixes: 2e480058ddc2 ("io-wq: provide a way to limit max number of workers") Signed-off-by: Jens Axboe <axboe@kernel.dk>
Rick Edgecombe [Thu, 9 Apr 2026 18:43:30 +0000 (11:43 -0700)]
x86/shstk: Prevent deadlock during shstk sigreturn
During sigreturn the shadow stack signal frame is popped. The kernel does
this by reading the shadow stack using normal read accesses. When it can't
assume the memory is shadow stack, it takes extra steps to makes sure it is
reading actual shadow stack memory and not other normal readable memory. It
does this by holding the mmap read lock while doing the access and checking
the flags of the VMA.
Unfortunately that is not safe. If the read of the shadow stack sigframe
hits a page fault, the fault handler will try to recursively grab another
mmap read lock. This normally works ok, but if a writer on another CPU is
also waiting, the second read lock could fail and cause a deadlock.
Fix this by not holding mmap lock during the read access to userspace.
Instead use mmap_lock_speculate_...() to watch for changes between dropping
mmap lock and the userspace access. Retry if anything grabbed an mmap write
lock in between and could have changed the VMA.
These mmap_lock_speculate_...() helpers use mm::mm_lock_seq, which is only
available when PER_VMA_LOCK is configured. So make X86_USER_SHADOW_STACK
depend on it. On x86, PER_VMA_LOCK is a default configuration for SMP
kernels. So drop support for the other configs under the assumption that
the !SMP shadow stack user base does not exist.
Currently there is a check that skips the lookup work when the SSP can be
assumed to be on a shadow stack. While reorganizing the function, remove
the optimization to make the tricky code flows more common, such that
issues like this cannot escape detection for so long.
Fixes: 7fad2a432cd3 ("x86/shstk: Check that signal frame is shadow stack mem") Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com> Signed-off-by: Thomas Gleixner <tglx@kernel.org> Reviewed-by: Dave Hansen <dave.hansen@intel.com> Reviewed-by: Thomas Gleixner <tglx@kernel.org> Cc: stable@vger.kernel.org
in io_wq_put_and_exit(), which can be triggered with memory allocation
fault injection. Ensure that the io_wq is marked as exiting to silence
this warning trigger.
drm/nouveau: fix u32 overflow in pushbuf reloc bounds check
nouveau_gem_pushbuf_reloc_apply() validates each relocation with
if (r->reloc_bo_offset + 4 > nvbo->bo.base.size)
but reloc_bo_offset is __u32 (uapi/drm/nouveau_drm.h) and the integer
literal 4 promotes to unsigned int, so the addition is performed in 32
bits and wraps before the comparison against the size_t bo size.
Cast to u64 so the addition happens in 64-bit arithmetic.
Cc: Lyude Paul <lyude@redhat.com> Cc: Danilo Krummrich <dakr@kernel.org> Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com> Cc: Maxime Ripard <mripard@kernel.org> Cc: Thomas Zimmermann <tzimmermann@suse.de> Cc: David Airlie <airlied@gmail.com> Cc: Simona Vetter <simona@ffwll.ch> Reported-by: Anthropic Cc: stable <stable@kernel.org> Assisted-by: gkh_clanker_t1000 Fixes: a1606a9596e5 ("drm/nouveau: new gem pushbuf interface, bump to 0.0.16") Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Add Fixes: tag. - Danilo ] Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Steven Rostedt [Mon, 20 Apr 2026 18:24:26 +0000 (14:24 -0400)]
ktest: Fix the month in the name of the failure directory
The Perl localtime() function returns the month starting at 0 not 1. This
caused the date produced to create the directory for saving files of a
failed run to have the month off by one.
Cc: stable@vger.kernel.org Cc: John 'Warthog9' Hawley <warthog9@kernel.org> Link: https://patch.msgid.link/20260420142426.33ad0293@fedora Fixes: 7faafbd69639b ("ktest: Add open and close console and start stop monitor") Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Merge tag 'platform-drivers-x86-v7.1-1' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86
Pull x86 platform driver updates from Ilpo Järvinen:
"asus-wmi:
- Retain battery charge threshold during boot which avoids
unsolicited change to 100%. Return -ENODATA when the limit
is not yet known
- Improve screenpad power/brightness handling consistency
- Fix screenpad brightness range
bitland-mifs-wmi:
- Add driver for Bitland laptops (supports platform profile,
hwmon, kbd backlight, gpu mode, hotkeys, and fan boost)
dell_rbu:
- Fix using uninitialized value in sysfs write function
dell-wmi-sysman:
- Respect destination length when constructing enum strings
hp-wmi:
- Propagate fan setting apply failures and log an error
- Fix sysfs write vs work handler cancel_delayed_work_sync() deadlock
- Correct keepalive schedule_delayed_work() to mod_delayed_work()
- Fix u8 underflows in GPU delta calculation
- Use mutex to protect fan pwm/mode
- Ignore kbd backlight and FnLock key events that are handled by FW
- Fix fan table parsing (use correct field)
- Add support for Omen 14-fb0xxx, 16-n0xxx, 16-wf1xxx, and
Omen MAX 16-ak0xxxx
input: trackpoint & thinkpad_acpi:
- Enable doubletap by default and add sysfs enable/disable
int3472:
- Add support for GPIO type 0x02 (IR flood LED)
intel-speed-select: (updated to v1.26)
- Avoid using current base frequency as maximum
- Fix CPU extended family ID decoding
- Fix exit code
- Improve error reporting
intel/vsec:
- Refactor to support ACPI-enumerated PMT endpoints.
pcengines-apuv2:
- Attach software node to the gpiochip
uniwill:
- Refactor hwmon to smaller parts to accomodate HW diversity
- Support USB-C power/performance priority switch through sysfs
- Add another XMG Fusion 15 (L19) DMI vendor
- Enable fine-grained features to device lineup mapping
wmi:
- Perform output size check within WMI core to allow simpler WMI
drivers
misc:
- acpi_driver -> platform driver conversions (a large number of
changes from Rafael J. Wysocki)
- cleanups / refactoring / improvements"
* tag 'platform-drivers-x86-v7.1-1' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86: (106 commits)
platform/x86: hp-wmi: Add support for Omen 16-wf1xxx (8C77)
platform/x86: hp-wmi: Add support for Omen 16-n0xxx (8A44)
platform/x86: hp-wmi: Add support for OMEN MAX 16-ak0xxx (8D87)
platform/x86: hp-wmi: fix fan table parsing
platform/x86: hp-wmi: add Omen 14-fb0xxx (board 8C58) support
platform/wmi: Replace .no_notify_data with .min_event_size
platform/wmi: Extend wmidev_query_block() to reject undersized data
platform/wmi: Extend wmidev_invoke_method() to reject undersized data
platform/wmi: Prepare to reject undersized unmarshalling results
platform/wmi: Convert drivers to use wmidev_invoke_procedure()
platform/wmi: Add wmidev_invoke_procedure()
platform/x86: int3472: Add support for GPIO type 0x02 (IR flood LED)
platform/x86: int3472: Parameterize LED con_id in registration
platform/x86: int3472: Rename pled to led in LED registration code
platform/x86: int3472: Use local variable for LED struct access
platform/x86: thinkpad_acpi: remove obsolete TODO comment
platform/x86: dell-wmi-sysman: bound enumeration string aggregation
platform/x86: hp-wmi: Ignore backlight and FnLock events
platform/x86: uniwill-laptop: Fix signedness bug
platform/x86: dell_rbu: avoid uninit value usage in packet_size_write()
...
Merge tag 'backlight-next-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/backlight
Pull backlight updates from Lee Jones:
"Apple Backlight:
- Convert the Apple Backlight ACPI driver to a proper platform
driver, aligning with current ACPI binding practices
Skyworks SKY81452:
- Check the return value of `devm_gpiod_get_optional()`
to properly handle GPIO acquisition errors"
* tag 'backlight-next-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/backlight:
backlight: apple_bl: Convert to a platform driver
backlight: sky81452-backlight: Check return value of devm_gpiod_get_optional() in sky81452_bl_parse_dt()
net: mctp: fix don't require received header reserved bits to be zero
From the MCTP Base specification (DSP0236 v1.2.1), the first byte of
the MCTP header contains a 4 bit reserved field, and 4 bit version.
On our current receive path, we require those 4 reserved bits to be
zero, but the 9500-8i card is non-conformant, and may set these
reserved bits.
DSP0236 states that the reserved bits must be written as zero, and
ignored when read. While the device might not conform to the former,
we should accept these message to conform to the latter.
Relax our check on the MCTP version byte to allow non-zero bits in the
reserved field.
David Carlier [Fri, 17 Apr 2026 05:54:08 +0000 (06:54 +0100)]
gtp: disable BH before calling udp_tunnel_xmit_skb()
gtp_genl_send_echo_req() runs as a generic netlink doit handler in
process context with BH not disabled. It calls udp_tunnel_xmit_skb(),
which eventually invokes iptunnel_xmit() — that uses __this_cpu_inc/dec
on softnet_data.xmit.recursion to track the tunnel xmit recursion level.
Without local_bh_disable(), the task may migrate between
dev_xmit_recursion_inc() and dev_xmit_recursion_dec(), breaking the
per-CPU counter pairing. The result is stale or negative recursion
levels that can later produce false-positive
SKB_DROP_REASON_RECURSION_LIMIT drops on either CPU.
The other udp_tunnel_xmit_skb() call sites in gtp.c are unaffected:
the data path runs under ndo_start_xmit and the echo response handlers
run from the UDP encap rx softirq, both with BH already disabled.
Fix it by disabling BH around the udp_tunnel_xmit_skb() call, mirroring
commit 2cd7e6971fc2 ("sctp: disable BH before calling
udp_tunnel_xmit_skb()").
Fixes: 6f1a9140ecda ("net: add xmit recursion limit to tunnel xmit functions") Cc: stable@vger.kernel.org Signed-off-by: David Carlier <devnexen@gmail.com> Link: https://patch.msgid.link/20260417055408.4667-1-devnexen@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Dexuan Cui [Thu, 16 Apr 2026 19:14:33 +0000 (12:14 -0700)]
hv_sock: Report EOF instead of -EIO for FIN
Commit f0c5827d07cb unluckily causes a regression for the FIN packet,
and the final read syscall gets an error rather than 0.
Ideally, we would want to fix hvs_channel_readable_payload() so that it
could return 0 in the FIN scenario, but it's not good for the hv_sock
driver to use the VMBus ringbuffer's cached priv_read_index, which is
internal data in the VMBus driver.
Fix the regression in hv_sock by returning 0 rather than -EIO.
Fixes: f0c5827d07cb ("hv_sock: Return the readable bytes in hvs_stream_has_data()") Cc: stable@vger.kernel.org Reported-by: Ben Hillis <Ben.Hillis@microsoft.com> Reported-by: Mitchell Levy <levymitchell0@gmail.com> Signed-off-by: Dexuan Cui <decui@microsoft.com> Acked-by: Stefano Garzarella <sgarzare@redhat.com> Link: https://patch.msgid.link/20260416191433.840637-1-decui@microsoft.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Merge tag 'leds-next-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/leds
Pull LED updates from Lee Jones:
Core:
- Implement fallback to software node name for LED names
- Fix formatting issues in `led-core.c` reported by checkpatch.pl
- Make `led_remove_lookup()` NULL-aware
- Switch from `class_find_device_by_of_node()` to
`class_find_device_by_fwnode()`
- Drop the unneeded dependency on `OF_GPIO` from `LEDS_NETXBIG`
in Kconfig
Kinetic KTD2692:
- Make the `ktd2692_timing` variable static to resolve a
sparse warning
LGM SSO:
- Fix a typo in the `GET_SRC_OFFSET` macro
- Remove a duplicate assignment of `priv->mmap` in
`intel_sso_led_probe()`
Multicolor:
- Fix a signedness error by changing the `intensity_value` type
to `unsigned int`
Qualcomm LPG:
- Prevent array overflow when selecting high-resolution values
Spreadtrum SC2731:
- Add a compatible string for the SC2730 PMIC LED controller
TI LM3642:
- Use `guard(mutex)` to simplify locking and avoid manual
`mutex_unlock()` calls
TI LP5569:
- Use `sysfs_emit()` instead of `sprintf()` for sysfs outputs
TI LP5860:
- Add the `enable-gpios` property for the `VIO_EN` pin"
TI LP8860:
- Do not unconditionally program the EEPROM on probe
- Hold the mutex lock for the entirety of the EEPROM programming
process
- Return directly from `lp8860_init()` instead of using empty `goto`
statements
- Use a single regmap table and an access table instead of separate
maps for normal and EEPROM registers
- Remove an unused read of the `STATUS` register during EEPROM
programming
TTY Trigger:
- Prefer `IS_ERR_OR_NULL()` over manual NULL checks"
* tag 'leds-next-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/leds:
leds: class: Make led_remove_lookup() NULL-aware
leds: led-class: Switch to using class_find_device_by_fwnode()
leds: Kconfig: Drop unneeded dependency on OF_GPIO
leds: lm3642: Use guard to simplify locking
leds: core: Fix formatting issues
leds: core: Implement fallback to software node name for LED names
leds: lgm-sso: Fix typo in macro for src offset
dt-bindings: leds: lp5860: add enable-gpio
leds: Prefer IS_ERR_OR_NULL over manual NULL check
dt-bindings: leds: sc2731: Add compatible for SC2730
leds: lp8860: Do not always program EEPROM on probe
leds: lp8860: Remove unused read of STATUS register
leds: lp8860: Hold lock for all of EEPROM programming
leds: lp8860: Return directly from lp8860_init
leds: lp8860: Use a single regmap table
leds: lgm-sso: Remove duplicate assignments for priv->mmap
leds: qcom-lpg: Check for array overflow when selecting the high resolution
leds: ktd2692: Make ktd2692_timing variable static
leds: lp5569: Use sysfs_emit instead of sprintf()
leds: multicolor: Change intensity_value to unsigned int
Lorenzo Bianconi [Thu, 16 Apr 2026 10:30:12 +0000 (12:30 +0200)]
net: airoha: Fix possible TX queue stall in airoha_qdma_tx_napi_poll()
Since multiple net_device TX queues can share the same hw QDMA TX queue,
there is no guarantee we have inflight packets queued in hw belonging to a
net_device TX queue stopped in the xmit path because hw QDMA TX queue
can be full. In this corner case the net_device TX queue will never be
re-activated. In order to avoid any potential net_device TX queue stall,
we need to wake all the net_device TX queues feeding the same hw QDMA TX
queue in airoha_qdma_tx_napi_poll routine.
Weiming Shi [Thu, 16 Apr 2026 02:46:54 +0000 (19:46 -0700)]
openvswitch: cap upcall PID array size and pre-size vport replies
The vport netlink reply helpers allocate a fixed-size skb with
nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID
array via ovs_vport_get_upcall_portids(). Since
ovs_vport_set_upcall_portids() accepts any non-zero multiple of
sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID
array large enough to overflow the reply buffer, causing nla_put() to
fail with -EMSGSIZE and hitting BUG_ON(err < 0). On systems with
unprivileged user namespaces enabled (e.g., Ubuntu default), this is
reachable via unshare -Urn since OVS vport mutation operations use
GENL_UNS_ADMIN_PERM.
Reject attempts to set more PIDs than nr_cpu_ids in
ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply
size in ovs_vport_cmd_msg_size() based on that bound, similar to the
existing ovs_dp_cmd_msg_size(). nr_cpu_ids matches the cap already
used by the per-CPU dispatch configuration on the datapath side
(ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the
two sides stay consistent.
Fixes: 5cd667b0a456 ("openvswitch: Allow each vport to have an array of 'port_id's.") Reported-by: Xiang Mei <xmei5@asu.edu> Assisted-by: Claude:claude-opus-4-6 Signed-off-by: Weiming Shi <bestswngs@gmail.com> Reviewed-by: Ilya Maximets <i.maximets@ovn.org> Link: https://patch.msgid.link/20260416024653.153456-2-bestswngs@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
net/mlx5: Fix HCA caps leak on notifier init failure
mlx5_mdev_init() allocates HCA caps via mlx5_hca_caps_alloc() before
calling mlx5_notifiers_init(). If notifier initialization fails, the
error path jumps to err_hca_caps and skips mlx5_hca_caps_free(), leaking
allocated caps.
Add a dedicated unwind label for notifier-init failure that frees HCA
caps before continuing the existing cleanup sequence.
Qingfang Deng [Wed, 15 Apr 2026 02:24:51 +0000 (10:24 +0800)]
pppoe: drop PFC frames
RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT
RECOMMENDED for PPPoE. In practice, pppd does not support negotiating
PFC for PPPoE sessions, and the current PPPoE driver assumes an
uncompressed (2-byte) protocol field. However, the generic PPP layer
function ppp_input() is not aware of the negotiation result, and still
accepts PFC frames.
If a peer with a broken implementation or an attacker sends a frame with
a compressed (1-byte) protocol field, the subsequent PPP payload is
shifted by one byte. This causes the network header to be 4-byte
misaligned, which may trigger unaligned access exceptions on some
architectures.
To reduce the attack surface, drop PPPoE PFC frames. Introduce
ppp_skb_is_compressed_proto() helper function to be used in both
ppp_generic.c and pppoe.c to avoid open-coding.
Fixes: 7fb1b8ca8fa1 ("ppp: Move PFC decompression to PPP generic layer") Signed-off-by: Qingfang Deng <qingfang.deng@linux.dev> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20260415022456.141758-2-qingfang.deng@linux.dev Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Qingfang Deng [Wed, 15 Apr 2026 02:24:50 +0000 (10:24 +0800)]
flow_dissector: do not dissect PPPoE PFC frames
RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT
RECOMMENDED for PPPoE. In practice, pppd does not support negotiating
PFC for PPPoE sessions, and the flow dissector driver has assumed an
uncompressed frame until the blamed commit.
During the review process of that commit [1], support for PFC is
suggested. However, having a compressed (1-byte) protocol field means
the subsequent PPP payload is shifted by one byte, causing 4-byte
misalignment for the network header and an unaligned access exception
on some architectures.
The exception can be reproduced by sending a PPPoE PFC frame to an
ethernet interface of a MIPS board, with RPS enabled, even if no PPPoE
session is active on that interface:
Merge tag 'mfd-next-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd
Pull MFD updates from Lee Jones:
"Core:
- Add a resource-managed version of alloc_workqueue()
(`devm_alloc_workqueue()`)
- Preserve the Open Firmware (OF) node when an ACPI handle
is present
Apple SMC:
- Wire up the Apple SMC power driver by adding a new MFD cell
Atmel HLCDC:
- Fetch the LVDS PLL clock as a fallback if the generic sys_clk
is unavailable
Broadcom BCM2835 PM:
- Add support for the BCM2712 power management device
- Introduce a hardware type identifier to distinguish SoC variants
Congatec CGBC, KEMPLD, RSMU, Si476x:
- Fix various kernel-doc warnings and correct struct member names
DLN2:
- Drop redundant USB device references and switch to managed
resource allocations
- Update bare 'unsigned' types to 'unsigned int'
ENE KB3930:
- Use the of_device_is_system_power_controller() wrapper
EZX PCAP:
- Avoid rescheduling after destroying the workqueue by switching
to a device-managed workqueue
- Drop redundant memory allocation error messages
- Return directly instead of using empty goto statements
Freescale i.MX25 TSADC:
- Convert devicetree bindings from TXT to YAML format
Freescale MC13xxx:
- Fix a memory leak in subdevice platform data allocation by
using devm_kmemdup()
Intel LPC ICH:
- Expose a software node for the GPIO controller cell to fix
GPIO lookups
Intel LPSS:
- Add PCI IDs for the Intel Nova Lake-H platform
Maxim MAX77620:
- Convert devicetree bindings from TXT to YAML format
- Document an optional I2C address for the MAX77663 RTC device
Maxim MAX77705:
- Make the max77705_pm_ops variable static to resolve a
sparse warning
MediaTek MT6397:
- Correct the hardware CIDs for the MT6328, MT6331, and MT6332
PMICs to allow proper driver binding
ROHM BD71828:
- Enable system wakeup via the power button
ROHM BD72720:
- Add a new compatible string for the ROHM BD73900 PMIC
SpacemiT P1:
- Drop the deprecated "vin-supply" property from the devicetree
bindings
- Add individual regulator supply properties to match actual
hardware topology
STMicroelectronics STPMIC1:
- Attempt system shutdown a second time to handle transient I2C
communication failures
Viperboard:
- Drop redundant USB device references"
* tag 'mfd-next-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd: (28 commits)
mfd: core: Preserve OF node when ACPI handle is present
mfd: ene-kb3930: Use of_device_is_system_power_controller() wrapper
mfd: intel-lpss: Add Intel Nova Lake-H PCI IDs
dt-bindings: mfd: max77620: Document optional RTC address for MAX77663
dt-bindings: mfd: max77620: Convert to DT schema
mfd: ezx-pcap: Avoid rescheduling after destroying workqueue
mfd: ezx-pcap: Return directly instead of empty gotos
mfd: ezx-pcap: Drop memory allocation error message
mfd: bcm2835-pm: Add BCM2712 PM device support
mfd: bcm2835-pm: Introduce SoC-specific type identifier
dt-bindings: mfd: bd72720: Add ROHM BD73900
mfd: si476x: Fix kernel-doc warnings
mfd: rsmu: Remove a empty kernel-doc line
mfd: kempld: Fix kernel-doc struct member names
mfd: congatec: Fix kernel-doc struct member names
dt-bindings: mfd: Convert fsl-imx25-tsadc.txt to yaml format
mfd: viperboard: Drop redundant device reference
mfd: dln2: Switch to managed resources and fix bare unsigned types
mfd: macsmc: Wire up Apple SMC power driver
mfd: mt6397: Properly fix CID of MT6328, MT6331 and MT6332
...
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma
Pull rdma updates from Jason Gunthorpe:
"The usual collection of driver changes, more core infrastructure
updates that typical this cycle:
- Minor cleanups and kernel-doc fixes in bnxt_re, hns, rdmavt, efa,
ocrdma, erdma, rtrs, hfi1, ionic, and pvrdma
- New udata validation framework and driver updates
- Modernize CQ creation interface in mlx4 and mlx5, manage CQ umem in
core
- Promote UMEM to a core component, split out DMA block iterator
logic
- Introduce FRMR pools with aging, statistics, pinned handles, and
netlink control and use it in mlx5
- Add PCIe TLP emulation support in mlx5
- Extend umem to work with revocable pinned dmabuf's and use it in
irdma
- More net namespace improvements for rxe
- GEN4 hardware support in irdma
- First steps to MW and UC support in mana_ib
- Support for CQ umem and doorbells in bnxt_re
- Drop opa_vnic driver from hfi1
Fixes:
- IB/core zero dmac neighbor resolution race
- GID table memory free
- rxe pad/ICRC validation and r_key async errors
- mlx4 external umem for CQ
- umem DMA attributes on unmap
- mana_ib RX steering on RSS QP destroy"
* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma: (116 commits)
RDMA/core: Fix user CQ creation for drivers without create_cq
RDMA/ionic: bound node_desc sysfs read with %.64s
IB/core: Fix zero dmac race in neighbor resolution
RDMA/mana_ib: Support memory windows
RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
RDMA/core: Prefer NLA_NUL_STRING
RDMA/core: Fix memory free for GID table
RDMA/hns: Remove the duplicate calls to ib_copy_validate_udata_in()
RDMA: Remove redundant = {} for udata req structs
RDMA/irdma: Add missing comp_mask check in alloc_ucontext
RDMA/hns: Add missing comp_mask check in create_qp
RDMA/mlx5: Pull comp_mask validation into ib_copy_validate_udata_in_cm()
RDMA: Use ib_copy_validate_udata_in_cm() for zero comp_mask
RDMA/hns: Use ib_copy_validate_udata_in()
RDMA/mlx4: Use ib_copy_validate_udata_in() for QP
RDMA/mlx4: Use ib_copy_validate_udata_in()
RDMA/mlx5: Use ib_copy_validate_udata_in() for MW
RDMA/mlx5: Use ib_copy_validate_udata_in() for SRQ
RDMA/pvrdma: Use ib_copy_validate_udata_in() for srq
RDMA: Use ib_copy_validate_udata_in() for implicit full structs
...
Merge tag 'ntfs3_for_7.1' of https://github.com/Paragon-Software-Group/linux-ntfs3
Pull ntfs3 updates from Konstantin Komarov:
"New:
- reject inodes with zero non-DOS link count
- return folios from ntfs_lock_new_page()
- subset of W=1 warnings for stricter checks
- work around -Wmaybe-uninitialized warnings
- buffer boundary checks to run_unpack()
- terminate the cached volume label after UTF-8 conversion
Fixes:
- check return value of indx_find to avoid infinite loop
- prevent uninitialized lcn caused by zero len
- increase CLIENT_REC name field size to prevent buffer overflow
- missing run load for vcn0 in attr_data_get_block_locked()
- memory leak in indx_create_allocate()
- OOB write in attr_wof_frame_info()
- mount failure on volumes with fragmented MFT bitmap
- integer overflow in run_unpack() volume boundary check
- validate rec->used in journal-replay file record check
Updates:
- resolve compare function in public index APIs
- $LXDEV xattr lookup
- potential double iput on d_make_root() failure
- initialize err in ni_allocate_da_blocks_locked()
- correct the pre_alloc condition in attr_allocate_clusters()"
* tag 'ntfs3_for_7.1' of https://github.com/Paragon-Software-Group/linux-ntfs3:
fs/ntfs3: fix Smatch warnings
fs/ntfs3: validate rec->used in journal-replay file record check
fs/ntfs3: terminate the cached volume label after UTF-8 conversion
fs/ntfs3: fix potential double iput on d_make_root() failure
ntfs3: fix integer overflow in run_unpack() volume boundary check
ntfs3: add buffer boundary checks to run_unpack()
ntfs3: fix mount failure on volumes with fragmented MFT bitmap
fs/ntfs3: fix $LXDEV xattr lookup
ntfs3: fix OOB write in attr_wof_frame_info()
ntfs3: fix memory leak in indx_create_allocate()
ntfs3: work around false-postive -Wmaybe-uninitialized warnings
fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()
fs/ntfs3: increase CLIENT_REC name field size
fs/ntfs3: prevent uninitialized lcn caused by zero len
fs/ntfs3: add a subset of W=1 warnings for stricter checks
fs/ntfs3: return folios from ntfs_lock_new_page()
fs/ntfs3: resolve compare function in public index APIs
ntfs3: reject inodes with zero non-DOS link count
Merge tag 'ecryptfs-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs
Pull eCryptfs updates from Tyler Hicks:
- avoid unnecessary eCryptfs inode timestamp truncation by re-using the
lower filesystem's time granularity
- various small code cleanups
- reorganize the setattr hook inode resizing to improve style and
readability, remove an unnecessary memory allocation when shrinking,
and to support an upcoming rework of the VFS interfaces involved in
truncation
* tag 'ecryptfs-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs:
ecryptfs: keep the lower iattr contained in truncate_upper
ecryptfs: factor out a ecryptfs_iattr_to_lower helper
ecryptfs: merge ecryptfs_inode_newsize_ok into truncate_upper
ecryptfs: combine the two ATTR_SIZE blocks in ecryptfs_setattr
ecryptfs: use ZERO_PAGE instead of allocating zeroed memory in truncate_upper
ecryptfs: streamline truncate_upper
ecryptfs: cleanup ecryptfs_setattr
ecryptfs: Drop TODO comment in ecryptfs_derive_iv
ecryptfs: Fix typo in ecryptfs_derive_iv function comment
ecryptfs: Log function name only once in decode_and_decrypt_filename
ecryptfs: Remove redundant if checks in encrypt_and_encode_filename
ecryptfs: Fix tag number in encrypt_filename() error message
ecryptfs: Use struct_size to improve process_response + send_miscdev
ecryptfs: Replace memcpy + manual NUL termination with strscpy
ecryptfs: Set s_time_gran to get correct time granularity
Merge tag 'nfsd-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux
Pull nfsd updates from Chuck Lever:
- filehandle signing to defend against filehandle-guessing attacks
(Benjamin Coddington)
The server now appends a SipHash-2-4 MAC to each filehandle when
the new "sign_fh" export option is enabled. NFSD then verifies
filehandles received from clients against the expected MAC;
mismatches return NFS error STALE
- convert the entire NLMv4 server-side XDR layer from hand-written C to
xdrgen-generated code, spanning roughly thirty patches (Chuck Lever)
XDR functions are generally boilerplate code and are easy to get
wrong. The goals of this conversion are improved memory safety, lower
maintenance burden, and groundwork for eventual Rust code generation
for these functions.
- improve pNFS block/SCSI layout robustness with two related changes
(Dai Ngo)
SCSI persistent reservation fencing is now tracked per client and
per device via an xarray, to avoid both redundant preempt operations
on devices already fenced and a potential NFSD deadlock when all nfsd
threads are waiting for a layout return.
- scalability and infrastructure improvements
Sincere thanks to all contributors, reviewers, testers, and bug
reporters who participated in the v7.1 NFSD development cycle.
* tag 'nfsd-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux: (83 commits)
NFSD: Docs: clean up pnfs server timeout docs
nfsd: fix comment typo in nfsxdr
nfsd: fix comment typo in nfs3xdr
NFSD: convert callback RPC program to per-net namespace
NFSD: use per-operation statidx for callback procedures
svcrdma: Use contiguous pages for RDMA Read sink buffers
SUNRPC: Add svc_rqst_page_release() helper
SUNRPC: xdr.h: fix all kernel-doc warnings
svcrdma: Factor out WR chain linking into helper
svcrdma: Add Write chunk WRs to the RPC's Send WR chain
svcrdma: Clean up use of rdma->sc_pd->device
svcrdma: Clean up use of rdma->sc_pd->device in Receive paths
svcrdma: Add fair queuing for Send Queue access
SUNRPC: Optimize rq_respages allocation in svc_alloc_arg
SUNRPC: Track consumed rq_pages entries
svcrdma: preserve rq_next_page in svc_rdma_save_io_pages
SUNRPC: Handle NULL entries in svc_rqst_release_pages
SUNRPC: Allocate a separate Reply page array
SUNRPC: Tighten bounds checking in svc_rqst_replace_page
NFSD: Sign filehandles
...
Mark Brown [Mon, 20 Apr 2026 17:40:07 +0000 (18:40 +0100)]
ASoC: Correct bug parsing DisCo booleans
Charles Keepax <ckeepax@opensource.cirrus.com> says:
MIPI DisCo uses the unfortunate convention of allowing boolean
properties to be present but having a zero value. Opposed to the
normal convention of simply not specifying the property. Fix an
issue in the SDCA code where mipi-sdca-control-deferrable is not
parsed correctly.
However, we also have some shipping ACPIs where these properties
are not specified correctly. Update the MBQ regmap to attempt defers
albeit with a warning in the case where a control attempts to defer
but is not marked at such. There is little down side to this as if
defer is genuinely not supported then the control will just return
the same error again.
Charles Keepax [Mon, 13 Apr 2026 12:46:21 +0000 (13:46 +0100)]
ASoC: SDCA: Fix reading of mipi-sdca-control-deferrable
The discussion in [1] highlighted that the SDCA code shouldn't be using
fwnode_property_read_bool() for DisCo controls, as the spec allows setting
the value to zero meaning the property should not be used. Correct a
small bug in the SDCA code that will mark such controls as deferrable.
Charles Keepax [Mon, 13 Apr 2026 12:46:20 +0000 (13:46 +0100)]
regmap: sdw-mbq: Allow defers on undeferrable controls
It is a fairly common DisCo issue to have the deferrability of controls
marked incorrectly and Windows seems very permissive in this regard. As
there isn't really any down side to trying a defer even if the control
isn't deferrable, allow this but add a warning message.
Juan reported that the patch didn't work as expected at the later
check, failing to create PCM capture devices that has worked
beforehand. Drop the change again for addressing the regression,
and we'll continue developing a proper fix later.
Reported-by: Juan Pablo Fuentealba Bizama <jpfuentealbabizama@gmail.com> Closes: https://lore.kernel.org/20260417150748.6684-1-jpfuentealbabizama@gmail.com Signed-off-by: Takashi Iwai <tiwai@suse.de>
snd_als4000_capture_trigger() updates chip->mode under mixer_lock,
while snd_als4000_set_rate() and snd_als4000_playback_trigger()
serialize the same rate-lock state with reg_lock.
The PCM core serializes callbacks only per acted-on substream, or for an
explicitly linked group, so unlinked playback and capture streams can
run concurrently.
That leaves two races on ALS4000 rate-lock state:
- playback and capture trigger callbacks can concurrently update
chip->mode and lose one of the SB_RATE_LOCK bits
- snd_als4000_set_rate() can observe chip->mode without the capture
lock bit set and reprogram the shared sample rate while capture is
being started
Fix this by taking reg_lock as the outer lock in
snd_als4000_capture_trigger() and nesting mixer_lock only for the CR1E
write. This keeps chip->mode serialized with the rest of the ALS4000
rate-lock users while preserving the existing CR1E programming
sequence.
ALSA: core: Fix potential data race at fasync handling
In snd_fasync_work_fn(), which is the offload work for traversing and
processing the pending fasync list, the call of kill_fasync() is done
outside the snd_fasync_lock for avoiding deadlocks. The problem is
that its the references of fasync->on, fasync->signal and fasync->poll
are done there also outside the lock. Since these may be modified by
snd_kill_fasync() call concurrently from other process, inconsistent
values might be passed to kill_fasync(). Although there shouldn't be
critical UAF, it's still better to be addressed.
This patch moves the kill_fasync() argument evaluations inside the
snd_fasync_lock for avoiding the data races above. The handling in
fasync->on flag is optimized in the loop to skip directly.
Also, for more clarity, snd_fasync_free() takes the lock and unlink
the pending entry more directly instead of clearing fasync->on flag.
ALSA: hda/tas2781: Fix sound abnormal issue on some SPI device
In the SPI driver probe, the chip ID must be set to TAS2781. Without this
initialization, calibration data fails to load correctly, causing audio
abnormalities on some devices.
And update the register bulk read API to handle the distinct requirements
of SPI and I2C devices.
Fixes: 05ac3846ffe5 ("ALSA: hda/tas2781: A workaround solution to lower-vol issue among lower calibrated-impedance micro-speaker on TAS2781") Signed-off-by: Baojun Xu <baojun.xu@ti.com> Link: https://patch.msgid.link/20260418055030.765-1-baojun.xu@ti.com Signed-off-by: Takashi Iwai <tiwai@suse.de>
Merge tag 'apple-soc-fixes-7.0' of https://git.kernel.org/pub/scm/linux/kernel/git/sven/linux into soc/late2
Apple SoC fixes for 7.0
Two commits without any functional changes that arrived just before the
merge window opened:
- Update Sasha's email address in all dt-bindings, MAINTAINERS and add
him to mailmap
- Fix a typo in spi1-nvram.dtsi
Documentation/process: maintainer-soc: Document purpose of defconfigs
Common mistake in commit messages of patches on mailing list adding
CONFIG options to arm/multi_v7 or arm64/defconfig is saying what that
patch is doing, e.g. "Enable driver foo". That is obvious from the diff
part, thus explaining it does not bring any value. What brings value is
to understand why "driver foo" should be in a shared, upstream
defconfig, especially considering that distros have their own defconfigs
and we do not care about non-upstream trees.
Documentation/process: maintainer-soc: Trim from trivial ask-DT
It is obvious that one can ask DT maintainers of something, just like
one can ask anyone, so just drop the sentence. Concise documents with
rules have bigger chances of actually being read by people.
The netgear r8000 dts file limits the bus range for the first host
bridge to exclude bus 0, but the two devices on the first bus are
explicitly assigned to bus 0, causing a build time warning:
/home/arnd/arm-soc/arch/arm/boot/dts/broadcom/bcm4709-netgear-r8000.dts:142.3-27: Warning (pci_device_bus_num): /axi@18000000/pcie@13000/pcie@0/pcie@0,0/pcie@1,0:bus-range: PCI bus number 0 out of range, expected (1 - 255)
/home/arnd/arm-soc/arch/arm/boot/dts/broadcom/bcm4709-netgear-r8000.dts:142.3-27: Warning (pci_device_bus_num): /axi@18000000/pcie@13000/pcie@0/pcie@0,0/pcie@2,0:bus-range: PCI bus number 0 out of range, expected (1 - 255)
As Rosen mentioned, the bus-range property was a mistake, so just
remove it and keep the reg values pointing to bus 0, which is
allowed by the default bus range of the SoC.
* arm/fixes:
arm64: dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT
reset: amlogic: t7: Fix null reset ops
arm64: dts: imx8mp-data-modul-edm-sbc: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-ultra-mach-sbc: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-sr-som: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-nitrogen-som: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-aristainetos3a-som-v1: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-edm-g: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-navqp: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-debix-som-a: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT
dt-bindings: arm64: add Marvell 7k COMe boards
Yongbang Shi [Thu, 19 Mar 2026 13:11:32 +0000 (21:11 +0800)]
MAINTAINERS: split hisilicon maintenance and add Yongbang Shi for hibmc-drm matainers
To improve maintainability, split the maintainer information for the hibmc and
kirin drivers under the drivers/gpu/drm/hisilicon directory.
drivers/gpu/drm/hisilicon/hibmc driver has almost completed feature development
based on the new generation HiSilicon BMC chip. It was co-developed by
Yongbang Shi, Baihan Li and Lin He. Going forward, this module will be
maintained by Yongbang Shi.
Signed-off-by: Yongbang Shi <shiyongbang@huawei.com> Acked-by: Tao Tian <tiantao6@hisilicon.com> Acked-by: Xinliang Liu <xinliang.liu@linaro.org> Acked-by: Thomas Zimmermann <tzimmermann@suse.de> Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de> Link: https://patch.msgid.link/20260319131132.722033-1-shiyongbang@huawei.com
Merge branch 'for-next/c1-pro-erratum-4193714' into for-next/core
* for-next/c1-pro-erratum-4193714:
: Work around C1-Pro erratum 4193714 (CVE-2026-0995)
arm64: errata: Work around early CME DVMSync acknowledgement
arm64: cputype: Add C1-Pro definitions
arm64: tlb: Pass the corresponding mm to __tlbi_sync_s1ish()
arm64: tlb: Introduce __tlbi_sync_s1ish_{kernel,batch}() for TLB maintenance
Merge branches 'for-next/misc' and 'for-next/mpam' into for-next/core
* for-next/misc:
: Miscellaneous cleanups/fixes
virt: arm-cca-guest: fix error check for RSI_INCOMPLETE
arm64/hwcap: Include kernel-hwcap.h in list of generated files
* for-next/mpam:
: Fix an unmount->remount problem with the CDP emulation, uninitialised
: variable and checker warnings
arm_mpam: resctrl: Make resctrl_mon_ctx_waiters static
arm_mpam: resctrl: Fix the check for no monitor components found
arm_mpam: resctrl: Fix MBA CDP alloc_capable handling on unmount
Mark Brown [Mon, 20 Apr 2026 11:39:35 +0000 (12:39 +0100)]
spi: fix explicit controller deregistration
Johan Hovold <johan@kernel.org> says:
Turns out we have a few drivers that get the tear down ordering wrong
also when not using device managed registration (cf. [1] and [2]).
Fix this to avoid issues like system errors due to unclocked accesses,
NULL-pointer dereferences, hangs or failed I/O during during
deregistration (e.g. when powering down devices).
Johan Hovold [Tue, 14 Apr 2026 13:43:15 +0000 (15:43 +0200)]
spi: mpc52xx: fix use-after-free on unbind
The state machine work is scheduled by the interrupt handler and
therefore needs to be cancelled after disabling interrupts to avoid a
potential use-after-free.
Fixes: 984836621aad ("spi: mpc52xx: Add cancel_work_sync before module remove") Cc: stable@vger.kernel.org Cc: Pei Xiao <xiaopei01@kylinos.cn> Signed-off-by: Johan Hovold <johan@kernel.org> Link: https://patch.msgid.link/20260414134319.978196-5-johan@kernel.org Signed-off-by: Mark Brown <broonie@kernel.org>
Make sure to deregister the controller before dropping the reference
count that allows new operations to start to allow SPI drivers to do I/O
during deregistration.
Fixes: 7446284023e8 ("spi: cadence-quadspi: Implement refcount to handle unbind during busy") Cc: stable@vger.kernel.org # 6.17 Cc: Khairul Anuar Romli <khairul.anuar.romli@altera.com> Signed-off-by: Johan Hovold <johan@kernel.org> Link: https://patch.msgid.link/20260414134319.978196-3-johan@kernel.org Signed-off-by: Mark Brown <broonie@kernel.org>
Billy Tsai [Wed, 15 Apr 2026 10:24:42 +0000 (18:24 +0800)]
gpio: aspeed: fix AST2700 debounce selector bit definitions
The AST2700 datasheet defines reg_debounce_sel1 as the low bit and
reg_debounce_sel2 as the high bit. The current driver uses the AST2600
mapping instead, where sel1 is the high bit and sel2 is the low bit.
As a result, the debounce selector bits are programmed in reverse on
AST2700. Swap the G7 sel1/sel2 bit definitions so the driver matches the
hardware definition.
Jonas Karlman [Thu, 16 Apr 2026 15:49:28 +0000 (15:49 +0000)]
gpio: rockchip: Fix GPIO regression after conversion to dynamic base allocation
The commit c8079f83e0bf ("gpio: rockchip: convert to dynamic GPIO base
allocation") broke GPIO on devices using device trees which don't set
the gpio-ranges property, something only Rockchip RK35xx SoC DTs do.
On a Rockchip RK3399 device something like following is now observed:
[ 0.082771] rockchip-gpio ff720000.gpio: probed /pinctrl/gpio@ff720000
[ 0.083531] rockchip-gpio ff730000.gpio: probed /pinctrl/gpio@ff730000
[ 0.084110] rockchip-gpio ff780000.gpio: probed /pinctrl/gpio@ff780000
[ 0.084746] rockchip-gpio ff788000.gpio: probed /pinctrl/gpio@ff788000
[ 0.085389] rockchip-gpio ff790000.gpio: probed /pinctrl/gpio@ff790000
--
[ 0.212208] rockchip-pinctrl pinctrl: pin 637 is not registered so it cannot be requested
[ 0.212271] rockchip-pinctrl pinctrl: error -EINVAL: pin-637 (gpio3:637)
[ 0.212344] leds-gpio leds: error -EINVAL: Failed to get GPIO '/leds/led-0'
[ 0.212389] leds-gpio leds: probe with driver leds-gpio failed with error -22
--
[ 0.607545] rockchip-pinctrl pinctrl: pin 519 is not registered so it cannot be requested
[ 0.608775] rockchip-pinctrl pinctrl: error -EINVAL: pin-519 (gpio0:519)
[ 0.610003] dwmmc_rockchip fe320000.mmc: probe with driver dwmmc_rockchip failed with error -22
--
[ 0.805882] rockchip-pinctrl pinctrl: pin 547 is not registered so it cannot be requested
[ 0.806672] rockchip-pinctrl pinctrl: error -EINVAL: pin-547 (gpio1:547)
[ 0.807301] reg-fixed-voltage regulator-vbus-typec: error -EINVAL: can't get GPIO
[ 0.807307] rockchip-pinctrl pinctrl: pin 602 is not registered so it cannot be requested
[ 0.807970] reg-fixed-voltage regulator-vbus-typec: probe with driver reg-fixed-voltage failed with error -22
[ 0.808692] rockchip-pinctrl pinctrl: error -EINVAL: pin-602 (gpio2:602)
[ 0.810279] reg-fixed-voltage regulator-vcc3v3-pcie: error -EINVAL: can't get GPIO
[ 0.810284] rockchip-pinctrl pinctrl: pin 665 is not registered so it cannot be requested
[ 0.810299] rockchip-pinctrl pinctrl: error -EINVAL: pin-665 (gpio4:665)
[ 0.810960] reg-fixed-voltage regulator-vcc3v3-pcie: probe with driver reg-fixed-voltage failed with error -22
[ 0.811679] reg-fixed-voltage regulator-vcc5v0-host: error -EINVAL: can't get GPIO
[ 0.813943] reg-fixed-voltage regulator-vcc5v0-host: probe with driver reg-fixed-voltage failed with error -22
--
[ 0.867788] rockchip-pinctrl pinctrl: pin 522 is not registered so it cannot be requested
[ 0.868537] rockchip-pinctrl pinctrl: error -EINVAL: pin-522 (gpio0:522)
[ 0.869166] pwrseq_simple sdio-pwrseq: error -EINVAL: reset GPIOs not ready
[ 0.869798] pwrseq_simple sdio-pwrseq: probe with driver pwrseq_simple failed with error -22
--
[ 0.940365] rockchip-pinctrl pinctrl: pin 623 is not registered so it cannot be requested
[ 0.941084] rockchip-pinctrl pinctrl: error -EINVAL: pin-623 (gpio3:623)
[ 0.941823] rk_gmac-dwmac fe300000.ethernet: error -EINVAL: Cannot register the MDIO bus
[ 0.942542] rk_gmac-dwmac fe300000.ethernet: error -EINVAL: MDIO bus (id: 0) registration failed
[ 0.943772] rk_gmac-dwmac fe300000.ethernet: probe with driver rk_gmac-dwmac failed with error -22
Restore GPIO to a working state on devices using older Rockchip SoCs
and/or DTs not having the gpio-ranges property set by restoring prior
use of bank->pin_base as the pin_offset value.
Also change to use bank->nr_pins as the npins value to align and prevent
a possible future breakage if gc->ngpio is ever changed to match the 32
GPIOs each controller theoretically can handle.
Fixes: c8079f83e0bf ("gpio: rockchip: convert to dynamic GPIO base allocation") Signed-off-by: Jonas Karlman <jonas@kwiboo.se> Reviewed-by: Linus Walleij <linusw@kernel.org> Acked-by: Heiko Stuebner <heiko@sntech.de> Link: https://patch.msgid.link/20260416154928.2103388-1-jonas@kwiboo.se Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
krb5enc_dispatch_decrypt() sets req->base.complete as the skcipher
callback, which is the caller's own completion handler. When the
skcipher completes asynchronously, this signals "done" to the caller
without executing krb5enc_dispatch_decrypt_hash(), completely bypassing
the integrity verification (hash check).
Compare with the encrypt path which correctly uses
krb5enc_encrypt_done as an intermediate callback to chain into the
hash computation on async completion.
Fix by adding krb5enc_decrypt_done as an intermediate callback that
chains into krb5enc_dispatch_decrypt_hash() upon async skcipher
completion, matching the encrypt path's callback pattern.
Also fix EBUSY/EINPROGRESS handling throughout: remove
krb5enc_request_complete() which incorrectly swallowed EINPROGRESS
notifications that must be passed up to callers waiting on backlogged
requests, and add missing EBUSY checks in krb5enc_encrypt_ahash_done
for the dispatch_encrypt return value.
Fixes: d1775a177f7f ("crypto: Add 'krb5enc' hash and cipher AEAD algorithm") Signed-off-by: Dudu Lu <phx0fer@gmail.com>
Unset MAY_BACKLOG on the async completion path so the user won't
see back-to-back EINPROGRESS notifications.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Douya Le [Sun, 19 Apr 2026 08:52:59 +0000 (16:52 +0800)]
crypto: algif_aead - snapshot IV for async AEAD requests
AF_ALG AEAD AIO requests currently use the socket-wide IV buffer during
request processing. For async requests, later socket activity can
update that shared state before the original request has fully
completed, which can lead to inconsistent IV handling.
Snapshot the IV into per-request storage when preparing the AEAD
request, so in-flight operations no longer depend on mutable socket
state.
Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management") Cc: stable@kernel.org Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Yifan Wu <yifanwucs@gmail.com> Reported-by: Juefei Pu <tomapufckgml@gmail.com> Reported-by: Xin Liu <bird@lzu.edu.cn> Co-developed-by: Luxing Yin <tr0jan@lzu.edu.cn> Signed-off-by: Luxing Yin <tr0jan@lzu.edu.cn> Tested-by: Yucheng Lu <kanolyc@gmail.com> Signed-off-by: Douya Le <ldy3087146292@gmail.com> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Input: edt-ft5x06 - fix use-after-free in debugfs teardown
The commit 68743c500c6e ("Input: edt-ft5x06 - use per-client debugfs
directory") removed the manual debugfs teardown, relying on the I2C core
to handle it. However, this creates a window where debugfs files are
still accessible after edt_ft5x06_ts_teardown_debugfs() frees
tsdata->raw_buffer.
To prevent a use-after-free, protect the freeing of raw_buffer with the
device mutex and set raw_buffer to NULL. The debugfs read function
already checks if raw_buffer is NULL under the same mutex, so this
safely avoids the use-after-free.
drm/v3d: Reject empty multisync extension to prevent infinite loop
v3d_get_extensions() walks a userspace-provided singly-linked list of
ioctl extensions without any bound on the chain length. A local user
can craft a self-referential extension (ext->next == &ext) with zero
in_sync_count and out_sync_count, which bypasses the existing duplicate-
extension guard:
if (se->in_sync_count || se->out_sync_count)
return -EINVAL;
The guard never fires because v3d_get_multisync_post_deps() returns
immediately when count is zero, leaving both fields at zero on every
iteration. The result is an infinite loop in kernel context, blocking
the calling thread and pegging a CPU core indefinitely.
Fix this by rejecting a multisync extension where both in_sync_count
and out_sync_count are zero in v3d_get_multisync_submit_deps(). An
empty multisync carries no synchronization information and serves no
useful purpose, so returning -EINVAL for such an extension is the
correct defense against this attack vector.
Igor Korotin [Thu, 9 Apr 2026 18:41:00 +0000 (19:41 +0100)]
MAINTAINERS: add Rust I2C tree and update Igor Korotin's email
Add a git tree entry for Rust I2C development and update the e-mail
address. The tree will be used to collect patches and provide a basis
for integration and testing, including linux-next.
Signed-off-by: Igor Korotin <igor.korotin@linux.dev> Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Merge tag 'mm-hotfixes-stable-2026-04-19-00-14' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Pull MM fixes from Andrew Morton:
"7 hotfixes. 6 are cc:stable and all are for MM. Please see the
individual changelogs for details"
* tag 'mm-hotfixes-stable-2026-04-19-00-14' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm:
mm/damon/core: disallow non-power of two min_region_sz on damon_start()
mm/vmalloc: take vmap_purge_lock in shrinker
mm: call ->free_folio() directly in folio_unmap_invalidate()
mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()
mm/zone_device: do not touch device folio after calling ->folio_free()
mm/damon/core: disallow time-quota setting zero esz
mm/mempolicy: fix weighted interleave auto sysfs name
Merge tag 'driver-core-7.1-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/driver-core/driver-core
Pull driver core fixes from Danilo Krummrich:
- Prevent a device from being probed before device_add() has finished
initializing it; gate probe with a "ready_to_probe" device flag to
avoid races with concurrent driver_register() calls
- Fix a kernel-doc warning for DEV_FLAG_COUNT introduced by the above
- Return -ENOTCONN from software_node_get_reference_args() when a
referenced software node is known but not yet registered, allowing
callers to defer probe
- In sysfs_group_attrs_change_owner(), also check is_visible_const();
missed when the const variant was introduced
* tag 'driver-core-7.1-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/driver-core/driver-core:
driver core: Add kernel-doc for DEV_FLAG_COUNT enum value
sysfs: attribute_group: Respect is_visible_const() when changing owner
software node: return -ENOTCONN when referenced swnode is not registered yet
driver core: Don't let a device probe until it's ready
Merge tag 'staging-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
Pull staging driver updates from Greg KH:
"Here is the "big" set of staging driver changes for 7.1-rc1.
Nothing major in here at all, just lots of little cleanups for the
staging drivers, driven by new developers getting their feet wet in
kernel development. "Largest" thing in here is the change of some of
the octeon variable types into proper kernel ones.
Full details are in the shortlog.
All of these have been in linux-next for a while with no reported
issues"
* tag 'staging-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: (154 commits)
staging: rtl8723bs: remove redundant & parentheses
staging: most: dim2: replace BUG_ON() in poison_channel()
staging: most: dim2: replace BUG_ON() in enqueue()
staging: most: dim2: replace BUG_ON() in configure_channel()
staging: most: dim2: replace BUG_ON() in service_done_flag()
staging: most: dim2: replace BUG_ON() in try_start_dim_transfer()
staging: rtl8723bs: remove unused RTL8188E antenna selection macros
staging: rtl8723bs: remove redundant blank lines in basic_types.h
staging: rtl8723bs: wrap complex macros with parentheses
staging: rtl8723bs: remove unused WRITEEF/READEF byte macros
staging: rtl8723bs: rename camelCase variable
staging: greybus: audio: fix error message for BTN_3 button
staging: rtl8723bs: rename variables to snake_case
staging: rtl8723bs: fix spelling in comment
staging: rtl8723bs: cleanup return in sdio_init()
staging: rtl8723bs: use direct returns in sdio_dvobj_init()
staging: rtl8723bs: remove unused arg at odm_interface.h
greybus: raw: fix use-after-free if write is called after disconnect
greybus: raw: fix use-after-free on cdev close
staging: rtl8723bs: fix logical continuations in xmit_linux.c
...
Merge tag 'usb-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
Pull USB / Thunderbolt updates from Greg KH:
"Here is the big set of USB and Thunderbolt changes for 7.1-rc1.
Lots of little things in here, nothing major, just constant
improvements, updates, and new features. Highlights are:
- new USB power supply driver support.
These changes did touch outside of drivers/usb/ but got acks from
the relevant mantainers for them.
- dts file updates and conversions
- string function conversions into "safer" ones
- new device quirks
- xhci driver updates
- usb gadget driver minor fixes
- typec driver additions and updates
- small number of thunderbolt driver changes
- dwc3 driver updates and additions of new hardware support
- other minor driver updates
All of these have been in the linux-next tree for a while with no
reported issues"
* tag 'usb-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (176 commits)
usb: dwc3: starfive: Add JHB100 USB 2.0 DRD controller
dt-bindings: usb: dwc3: add support for StarFive JHB100
dt-bindings: usb: atmel,at91sam9rl-udc: convert to DT schema
dt-bindings: usb: atmel,at91rm9200-udc: convert to DT schema
dt-bindings: usb: generic-ehci: fix schema structure and add at91sam9g45 constraints
dt-bindings: usb: generic-ohci: add AT91RM9200 OHCI binding support
arm: dts: at91: remove unused #address-cells/#size-cells from sam9x60 udc node
drivers/usb/host: Fix spelling error 'seperate' -> 'separate'
usbip: tools: add hint when no exported devices are found
USB: serial: iuu_phoenix: fix iuutool author name
usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()
usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()
usb: gadget: f_hid: Add missing error code
usb: typec: cros_ec_ucsi: Load driver from OF and ACPI definitions
dt-bindings: chrome: Add cros-ec-ucsi compatibility to typec binding
USB: of: Simplify with scoped for each OF child loop
usbip: validate number_of_packets in usbip_pack_ret_submit()
usb: gadget: renesas_usb3: validate endpoint index in standard request handlers
usb: core: config: reverse the size check of the SSP isoc endpoint descriptor
usb: typec: ucsi: Set usb mode on partner change
...
Merge tag 'tty-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
Pull tty/serial updates from Greg KH:
"Here is the set of tty and serial driver changes for 7.1-rc1.
Not much here this cycle, biggest thing is the removal of an old
driver that never got any actual hardware support (esp32), and the
second try to moving the tty ports to their own workqueues (first try
was in 7.0-rc1 but was reverted due to problems)
Otherwise it's just a small set of driver updates and some vt modifier
key enhancements.
All have been in linux-next for a while with no reported issues"
* tag 'tty-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: (35 commits)
tty: serial: ip22zilog: Fix section mispatch warning
hvc/xen: Check console connection flag
serial: sh-sci: Add support for RZ/G3L RSCI
dt-bindings: serial: renesas,rsci: Document RZ/G3L SoC
tty: atmel_serial: update outdated reference to atmel_tasklet_func()
serial: xilinx_uartps: Drop unused include
serial: qcom-geni: drop stray newline format specifier
serial: 8250: loongson: Enable building on MIPS Loongson64
dt-bindings: serial: 8250: Add Loongson 3A4000 uart compatible
serial: 8250_fintek: Add support for F81214E
tty: tty_port: add workqueue to flip TTY buffer
vt: support ITU-T T.416 color subparameters
serial: qcom-geni: Fix RTS behavior with flow control
tty: serial: imx: keep dma request disabled before dma transfer setup
tty: serial: 8250: Add SystemBase Multi I/O cards
serial: pic32_uart: allow driver to be compiled on all architectures with COMPILE_TEST
serial: tegra: remove Kconfig dependency on APB DMA controller
dt-bindings: serial: amlogic,meson-uart: Add compatible string for A9
dt-bindings: serial: atmel,at91-usart: add microchip,lan9691-usart
serial: auart: check clk_enable() return in console write
...
Merge tag 'mm-stable-2026-04-18-02-14' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Pull more MM updates from Andrew Morton:
- "Eliminate Dying Memory Cgroup" (Qi Zheng and Muchun Song)
Address the longstanding "dying memcg problem". A situation wherein a
no-longer-used memory control group will hang around for an extended
period pointlessly consuming memory
- "fix unexpected type conversions and potential overflows" (Qi Zheng)
Fix a couple of potential 32-bit/64-bit issues which were identified
during review of the "Eliminate Dying Memory Cgroup" series
- "kho: history: track previous kernel version and kexec boot count"
(Breno Leitao)
Use Kexec Handover (KHO) to pass the previous kernel's version string
and the number of kexec reboots since the last cold boot to the next
kernel, and print it at boot time
- "MAINTAINERS: update KHO and LIVE UPDATE entries" (Pratyush Yadav)
Document upcoming changes in the maintenance of KHO, LUO, memfd_luo,
kexec, crash, kdump and probably other kexec-based things - they are
being moved out of mm.git and into a new git tree
* tag 'mm-stable-2026-04-18-02-14' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: (121 commits)
MAINTAINERS: add page cache reviewer
mm/vmscan: avoid false-positive -Wuninitialized warning
MAINTAINERS: update Dave's kdump reviewer email address
MAINTAINERS: drop include/linux/liveupdate from LIVE UPDATE
MAINTAINERS: drop include/linux/kho/abi/ from KHO
MAINTAINERS: update KHO and LIVE UPDATE maintainers
MAINTAINERS: update kexec/kdump maintainers entries
mm/migrate_device: remove dead migration entry check in migrate_vma_collect_huge_pmd()
selftests: mm: skip charge_reserved_hugetlb without killall
userfaultfd: allow registration of ranges below mmap_min_addr
mm/vmstat: fix vmstat_shepherd double-scheduling vmstat_update
mm/hugetlb: fix early boot crash on parameters without '=' separator
zram: reject unrecognized type= values in recompress_store()
docs: proc: document ProtectionKey in smaps
mm/mprotect: special-case small folios when applying permissions
mm/mprotect: move softleaf code out of the main function
mm: remove '!root_reclaim' checking in should_abort_scan()
mm/sparse: fix comment for section map alignment
mm/page_io: use sio->len for PSWPIN accounting in sio_read_complete()
selftests/mm: transhuge_stress: skip the test when thp not available
...
SeongJae Park [Sat, 11 Apr 2026 21:36:36 +0000 (14:36 -0700)]
mm/damon/core: disallow non-power of two min_region_sz on damon_start()
Commit d8f867fa0825 ("mm/damon: add damon_ctx->min_sz_region") introduced
a bug that allows unaligned DAMON region address ranges. Commit c80f46ac228b ("mm/damon/core: disallow non-power of two min_region_sz")
fixed it, but only for damon_commit_ctx() use case. Still, DAMON sysfs
interface can emit non-power of two min_region_sz via damon_start(). Fix
the path by adding the is_power_of_2() check on damon_start().
decay_va_pool_node() can be invoked concurrently from two paths:
__purge_vmap_area_lazy() when pools are being purged, and the shrinker via
vmap_node_shrink_scan().
However, decay_va_pool_node() is not safe to run concurrently, and the
shrinker path currently lacks serialization, leading to races and possible
leaks.
Protect decay_va_pool_node() by taking vmap_purge_lock in the shrinker
path to ensure serialization with purge users.
Link: https://lore.kernel.org/20260413192646.14683-1-urezki@gmail.com Fixes: 7679ba6b36db ("mm: vmalloc: add a shrinker to drain vmap pools") Signed-off-by: Uladzislau Rezki (Sony) <urezki@gmail.com> Reviewed-by: Baoquan He <baoquan.he@linux.dev> Cc: chenyichong <chenyichong@uniontech.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
mm: call ->free_folio() directly in folio_unmap_invalidate()
We can only call filemap_free_folio() if we have a reference to (or hold a
lock on) the mapping. Otherwise, we've already removed the folio from the
mapping so it no longer pins the mapping and the mapping can be removed,
causing a use-after-free when accessing mapping->a_ops.
Follow the same pattern as __remove_mapping() and load the free_folio
function pointer before dropping the lock on the mapping. That lets us
make filemap_free_folio() static as this was the only caller outside
filemap.c.
Link: https://lore.kernel.org/20260413184314.3419945-1-willy@infradead.org Fixes: fb7d3bc41493 ("mm/filemap: drop streaming/uncached pages when writeback completes") Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org> Reported-by: Google Big Sleep <big-sleep-vuln-reports+bigsleep-501448199@google.com> Cc: Jens Axboe <axboe@kernel.dk> Cc: Jan Kara <jack@suse.cz> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()
cgwb_release_workfn() calls css_put(wb->blkcg_css) and then later accesses
wb->blkcg_css again via blkcg_unpin_online(). If css_put() drops the last
reference, the blkcg can be freed asynchronously (css_free_rwork_fn ->
blkcg_css_free -> kfree) before blkcg_unpin_online() dereferences the
pointer to access blkcg->online_pin, resulting in a use-after-free:
BUG: KASAN: slab-use-after-free in blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)
Write of size 4 at addr ff11000117aa6160 by task kworker/71:1/531
Workqueue: cgwb_release cgwb_release_workfn
Call Trace:
<TASK>
blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)
cgwb_release_workfn (mm/backing-dev.c:629)
process_scheduled_works (kernel/workqueue.c:3278 kernel/workqueue.c:3385)
** Stack based on commit 66672af7a095 ("Add linux-next specific files
for 20260410")
I am seeing this crash sporadically in Meta fleet across multiple kernel
versions. A full reproducer is available at:
https://github.com/leitao/debug/blob/main/reproducers/repro_blkcg_uaf.sh
(The race window is narrow. To make it easily reproducible, inject a
msleep(100) between css_put() and blkcg_unpin_online() in
cgwb_release_workfn(). With that delay and a KASAN-enabled kernel, the
reproducer triggers the splat reliably in less than a second.)
Fix this by moving blkcg_unpin_online() before css_put(), so the
cgwb's CSS reference keeps the blkcg alive while blkcg_unpin_online()
accesses it.
Link: https://lore.kernel.org/20260413-blkcg-v1-1-35b72622d16c@debian.org Fixes: 59b57717fff8 ("blkcg: delay blkg destruction until after writeback has finished") Signed-off-by: Breno Leitao <leitao@debian.org> Reviewed-by: Dennis Zhou <dennis@kernel.org> Reviewed-by: Shakeel Butt <shakeel.butt@linux.dev> Cc: David Hildenbrand <david@kernel.org> Cc: Jens Axboe <axboe@kernel.dk> Cc: Johannes Weiner <hannes@cmpxchg.org> Cc: Josef Bacik <josef@toxicpanda.com> Cc: JP Kobryn <inwardvessel@gmail.com> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: Lorenzo Stoakes (Oracle) <ljs@kernel.org> Cc: Martin KaFai Lau <martin.lau@linux.dev> Cc: Michal Hocko <mhocko@suse.com> Cc: Mike Rapoport <rppt@kernel.org> Cc: Suren Baghdasaryan <surenb@google.com> Cc: Tejun Heo <tj@kernel.org> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Matthew Brost [Fri, 10 Apr 2026 23:03:46 +0000 (16:03 -0700)]
mm/zone_device: do not touch device folio after calling ->folio_free()
The contents of a device folio can immediately change after calling
->folio_free(), as the folio may be reallocated by a driver with a
different order. Instead of touching the folio again to extract the
pgmap, use the local stack variable when calling percpu_ref_put_many().
Link: https://lore.kernel.org/20260410230346.4009855-1-matthew.brost@intel.com Fixes: d245f9b4ab80 ("mm/zone_device: support large zone device private folios") Signed-off-by: Matthew Brost <matthew.brost@intel.com> Reviewed-by: Balbir Singh <balbirs@nvidia.com> Reviewed-by: Vishal Moola <vishal.moola@gmail.com> Reviewed-by: Alistair Popple <apopple@nvidia.com> Cc: David Hildenbrand <david@kernel.org> Cc: Oscar Salvador <osalvador@suse.de> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
SeongJae Park [Tue, 7 Apr 2026 00:31:52 +0000 (17:31 -0700)]
mm/damon/core: disallow time-quota setting zero esz
When the throughput of a DAMOS scheme is very slow, DAMOS time quota can
make the effective size quota smaller than damon_ctx->min_region_sz. In
the case, damos_apply_scheme() will skip applying the action, because the
action is tried at region level, which requires >=min_region_sz size.
That is, the quota is effectively exceeded for the quota charge window.
Because no action will be applied, the total_charged_sz and
total_charged_ns are also not updated. damos_set_effective_quota() will
try to update the effective size quota before starting the next charge
window. However, because the total_charged_sz and total_charged_ns have
not updated, the throughput and effective size quota are also not changed.
Since effective size quota can only be decreased, other effective size
quota update factors including DAMOS quota goals and size quota cannot
make any change, either.
As a result, the scheme is unexpectedly deactivated until the user notices
and mitigates the situation. The users can mitigate this situation by
changing the time quota online or re-install the scheme. While the
mitigation is somewhat straightforward, finding the situation would be
challenging, because DAMON is not providing good observabilities for that.
Even if such observability is provided, doing the additional monitoring
and the mitigation is somewhat cumbersome and not aligned to the intention
of the time quota. The time quota was intended to help reduce the user's
administration overhead.
Fix the problem by setting time quota-modified effective size quota be at
least min_region_sz always.
mm/mempolicy: fix weighted interleave auto sysfs name
The __ATTR macro is a utility that makes defining kobj_attributes easier
by stringfying the name, verifying the mode, and setting the show/store
fields in a single initializer. It takes a raw token as the first value,
rather than a string, so that __ATTR family macros like __ATTR_RW can
token-paste it for inferring the _show / _store function names.
Commit e341f9c3c841 ("mm/mempolicy: Weighted Interleave Auto-tuning") used
the __ATTR macro to define the "auto" sysfs for weighted interleave. A
few months later, commit 2fb6915fa22d ("compiler_types.h: add "auto" as a
macro for "__auto_type"") introduced a #define macro which expanded auto
into __auto_type.
This led to the "auto" token passed into __ATTR to be expanded out into
__auto_type, and the sysfs entry to be displayed as __auto_type as well.
Expand out the __ATTR macro and directly pass a string "auto" instead of
the raw token 'auto' to prevent it from being expanded out. Also bypass
the VERIFY_OCTAL_PERMISSIONS check by triple checking that 0664 is indeed
the intended permissions for this sysfs file.
Before:
$ ls /sys/kernel/mm/mempolicy/weighted_interleave
__auto_type node0
After:
$ ls /sys/kernel/mm/mempolicy/weighted_interleave/
auto node0
Link: https://lore.kernel.org/20260407141415.3080960-1-joshua.hahnjy@gmail.com Fixes: 2fb6915fa22d ("compiler_types.h: add "auto" as a macro for "__auto_type"") Signed-off-by: Joshua Hahn <joshua.hahnjy@gmail.com> Reviewed-by: Gregory Price <gourry@gourry.net> Reviewed-by: Rakie Kim <rakie.kim@sk.com> Acked-by: David Hildenbrand (Arm) <david@kernel.org> Acked-by: Zi Yan <ziy@nvidia.com> Cc: Alistair Popple <apopple@nvidia.com> Cc: Byungchul Park <byungchul@sk.com> Cc: "Huang, Ying" <ying.huang@linux.alibaba.com> Cc: Matthew Brost <matthew.brost@intel.com> Cc: Rakie Kim <rakie.kim@sk.com> Cc: Ying Huang <ying.huang@linux.alibaba.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Eric Biggers [Sat, 18 Apr 2026 19:21:38 +0000 (12:21 -0700)]
lib/crypto: docs: Add rst documentation to Documentation/crypto/
Add a documentation file Documentation/crypto/libcrypto.rst which
provides a high-level overview of lib/crypto/.
Also add several sub-pages which include the kernel-doc for the
algorithms that have it. This makes the existing, quite extensive
kernel-doc start being included in the HTML and PDF documentation.
Note that the intent is very much *not* that everyone has to read these
Documentation/ files. The library is intended to be straightforward and
use familiar conventions; generally it should be possible to dive right
into the kernel-doc. You shouldn't need to read a lot of documentation
to just call `sha256()`, for example, or to run the unit tests if you're
already familiar with KUnit. (This differs from the traditional crypto
API which has a larger barrier to entry.)
Nevertheless, this seems worth adding. Hopefully it is useful and makes
LWN no longer consider the library to be "meticulously undocumented".
Eric Biggers [Sat, 18 Apr 2026 19:21:37 +0000 (12:21 -0700)]
docs: kdoc: Expand 'at_least' when creating parameter list
sphinx doesn't know that the kernel headers do:
#define at_least static
Do this replacement before declarations are passed to it.
This prevents errors like the following from appearing once the
lib/crypto/ kernel-doc is wired up to the sphinx build:
linux/Documentation/crypto/libcrypto:128: ./include/crypto/sha2.h:773: WARNING: Error in declarator or parameters
Error in declarator or parameters
Invalid C declaration: Expected ']' in end of array operator. [error at 59]
void sha512_final (struct sha512_ctx *ctx, u8 out[at_least SHA512_DIGEST_SIZE])
Acked-by: Jonathan Corbet <corbet@lwn.net> Reviewed-by: Ard Biesheuvel <ardb@kernel.org> Acked-by: Randy Dunlap <rdunlap@infradead.org> Tested-by: Randy Dunlap <rdunlap@infradead.org> Link: https://lore.kernel.org/r/20260418192138.15556-2-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Merge tag 'pinctrl-v7.1-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
Pull pin control updates from Linus Walleij:
"Core changes:
- Perform basic checks on pin config properties so as not to allow
directly contradictory settings such as setting a pin to more than
one bias or drive mode
- Introduce pinctrl_gpio_get_config() handling in the core for SCMI
GPIO using pin control
New drivers:
- GPIO-by-pin control driver (also appearing in the GPIO pull
request) fulfilling a promise on a comment from Grant Likely many
years ago: "can't GPIO just be a front-end for pin control?" it
turns out it can, if and only if you design something new from
scratch, such as SCMI
- Broadcom BCM7038 as a pinctrl-single delegate
- Mobileye EyeQ6Lplus OLB pin controller
- Qualcomm Eliza and Hawi families TLMM pin controllers
- Qualcomm SDM670 and Milos family LPASS LPI pin controllers
- Qualcomm IPQ5210 pin controller
- Realtek RTD1625 pin controller support
- Rockchip RV1103B pin controller support
- Texas Instruments AM62L as a pinctrl-single delegate
Improvements:
- Set config implementation for the Spacemit K1 pin controller"
* tag 'pinctrl-v7.1-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl: (84 commits)
pinctrl: qcom: Add Hawi pinctrl driver
dt-bindings: pinctrl: qcom: Describe Hawi TLMM block
dt-bindings: pinctrl: pinctrl-max77620: convert to DT schema
pinctrl: single: Add bcm7038-padconf compatible matching
dt-bindings: pinctrl: pinctrl-single: Add brcm,bcm7038-padconf
dt-bindings: pinctrl: apple,pinctrl: Add t8122 compatible
pinctrl: qcom: sdm670-lpass-lpi: label variables as static
pinctrl: sophgo: pinctrl-sg2044: Fix wrong module description
pinctrl: sophgo: pinctrl-sg2042: Fix wrong module description
pinctrl: qcom: add sdm670 lpi tlmm
dt-bindings: pinctrl: qcom: Add SDM670 LPASS LPI pinctrl
dt-bindings: qcom: lpass-lpi-common: add reserved GPIOs property
pinctrl: qcom: Introduce IPQ5210 TLMM driver
dt-bindings: pinctrl: qcom: add IPQ5210 pinctrl
pinctrl: qcom: Drop redundant intr_target_reg on modern SoCs
pinctrl: qcom: eliza: Fix interrupt target bit
pinctrl: core: Don't use "proxy" headers
pinctrl: amd: Support new ACPI ID AMDI0033
pinctrl: renesas: rzg2l: Drop superfluous blank line
pinctrl: renesas: rzg2l: Fix save/restore of {IOLH,IEN,PUPD,SMT} registers
...
David Carlier [Sat, 18 Apr 2026 19:17:37 +0000 (20:17 +0100)]
eventfs: Hold eventfs_mutex and SRCU when remount walks events
Commit 340f0c7067a9 ("eventfs: Update all the eventfs_inodes from the
events descriptor") had eventfs_set_attrs() recurse through ei->children
on remount. The walk only holds the rcu_read_lock() taken by
tracefs_apply_options() over tracefs_inodes, which is wrong:
- list_for_each_entry over ei->children races with the list_del_rcu()
in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as d2603279c7d6.
- eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...).
rcu_read_lock() does not extend an SRCU grace period, so ti->private
can be reclaimed under the walk.
- The writes to ei->attr race with eventfs_set_attr(), which holds
eventfs_mutex.
Reproducer:
while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done &
while :; do
echo "p:kp submit_bio" > /sys/kernel/tracing/kprobe_events
echo > /sys/kernel/tracing/kprobe_events
done
Wrap the events portion of tracefs_apply_options() in
eventfs_remount_lock()/_unlock() that take eventfs_mutex and
srcu_read_lock(&eventfs_srcu). eventfs_set_attrs() doesn't sleep so the
nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract.
Comment in tracefs_drop_inode() said "RCU cycle" -- it is SRCU.
Fixes: 340f0c7067a9 ("eventfs: Update all the eventfs_inodes from the events descriptor") Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20260418191737.10289-1-devnexen@gmail.com Signed-off-by: David Carlier <devnexen@gmail.com> Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
David Carlier [Sat, 18 Apr 2026 15:22:50 +0000 (16:22 +0100)]
eventfs: Use list_add_tail_rcu() for SRCU-protected children list
Commit d2603279c7d6 ("eventfs: Use list_del_rcu() for SRCU protected
list variable") converted the removal side to pair with the
list_for_each_entry_srcu() walker in eventfs_iterate(). The insertion
in eventfs_create_dir() was left as a plain list_add_tail(), which on
weakly-ordered architectures can expose a new entry to the SRCU reader
before its list pointers and fields are observable.
Use list_add_tail_rcu() so the publication pairs with the existing
list_del_rcu() and list_for_each_entry_srcu().
Fixes: 43aa6f97c2d0 ("eventfs: Get rid of dentry pointers without refcounts") Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20260418152251.199343-1-devnexen@gmail.com Signed-off-by: David Carlier <devnexen@gmail.com> Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks
sctp_getsockopt_peer_auth_chunks() checks that the caller's optval
buffer is large enough for the peer AUTH chunk list with
if (len < num_chunks)
return -EINVAL;
but then writes num_chunks bytes to p->gauth_chunks, which lives
at offset offsetof(struct sctp_authchunks, gauth_chunks) == 8
inside optval. The check is missing the sizeof(struct
sctp_authchunks) = 8-byte header. When the caller supplies
len == num_chunks (for any num_chunks > 0) the test passes but
copy_to_user() writes sizeof(struct sctp_authchunks) = 8 bytes
past the declared buffer.
The sibling function sctp_getsockopt_local_auth_chunks() at the
next line already has the correct check:
if (len < sizeof(struct sctp_authchunks) + num_chunks)
return -EINVAL;
Align the peer variant with its sibling.
Reproducer confirms on v7.0-13-generic: an unprivileged userspace
caller that opens a loopback SCTP association with AUTH enabled,
queries num_chunks with a short optval, then issues the real
getsockopt with len == num_chunks and sentinel bytes painted past
the buffer observes those sentinel bytes overwritten with the
peer's AUTH chunk type. The bytes written are under the peer's
control but land in the caller's own userspace; this is not a
kernel memory corruption, but it is a kernel-side contract
violation that can silently corrupt adjacent userspace data.
Fixes: 65b07e5d0d09 ("[SCTP]: API updates to suport SCTP-AUTH extensions.") Assisted-by: Claude:claude-opus-4-6 Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com> Acked-by: Xin Long <lucien.xin@gmail.com> Link: https://patch.msgid.link/20260416031903.1447072-1-michael.bommarito@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Marek Vasut [Wed, 15 Apr 2026 23:09:45 +0000 (01:09 +0200)]
net: ks8851: Avoid excess softirq scheduling
The code injects a packet into netif_rx() repeatedly, which will add
it to its internal NAPI and schedule a softirq, and process it. It is
more efficient to queue multiple packets and process them all at the
local_bh_enable() time.
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Fixes: e0863634bf9f ("net: ks8851: Queue RX packets in IRQ handler instead of disabling BHs") Cc: stable@vger.kernel.org Signed-off-by: Marek Vasut <marex@nabladev.com> Link: https://patch.msgid.link/20260415231020.455298-2-marex@nabladev.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
projects / thirdparty / kernel / stable.git / log
