]> git.ipfire.org Git - thirdparty/linux.git/log
thirdparty/linux.git
13 days agoperf bpf: Fix up build failure due to change of btf_vlen() return type
Mark Brown [Wed, 17 Jun 2026 13:00:38 +0000 (14:00 +0100)] 
perf bpf: Fix up build failure due to change of btf_vlen() return type

Fix:

util/btf.c: In function '__btf_type__find_member_by_name':
util/btf.c:19:43: error: comparison of integer expressions of different signedness: 'int' and '__u32' {aka 'unsigned int'} [-Werror=sign-compare]
   19 |         for (i = 0, m = btf_members(t); i < btf_vlen(t); i++, m++) {
      |                                           ^

builtin-trace.c: In function 'syscall_arg__strtoul_btf_enum':
builtin-trace.c:967:27: error: comparison of integer expressions of different signedness: 'int' and '__u32' {aka 'unsigned int'} [-Werror=sign-compare]
  967 |         for (int i = 0; i < btf_vlen(bt); ++i, ++be) {
      |                           ^

by making the variable the same type as the function.

Committer note:

Add an extra hunk from Alan Maguire, fixing btf_enum_scnprintf().

Reviewed-by: Alan Maguire <alan.maguire@oracle.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
13 days agoMerge tag 'tty-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
Linus Torvalds [Mon, 22 Jun 2026 18:51:49 +0000 (11:51 -0700)] 
Merge tag 'tty-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty

Pull tty / serial driver updates from Greg KH:
 "Here is the big set of TTY and Serial driver updates for 7.2-rc1.

  Overall we end up removing more code than added, due to an obsolete
  synclink_gt driver being removed from the tree, always a nice thing to
  see happen.

  Other than that driver removal, major things included in here are:

   - max310x serial driver updates and fixes

   - 8250 driver updates and rework in places to make it more "modern"

   - dts file updates

   - serial driver core tweaks and updates

   - vt code cleanups

   - vc_screen crash fixes

   - other minor driver updates and cleanups

  All of these have been in linux-next for well over a week with no
  reported issues"

* tag 'tty-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: (49 commits)
  serial: 8250_pci: Don't specify conflicting values to pci_device_id members
  vc_screen: fix null-ptr-deref in vcs_notifier() during concurrent vcs_write
  serial: qcom_geni: Fix RX DMA stall when SE_DMA_RX_LEN_IN is zero
  vt: merge ucs_is_zero_width()/ucs_is_double_width() into ucs_get_width()
  serial: 8250: fix possible ISR soft lockup
  dt-bindings: serial: rs485: remove deprecated .txt binding stub
  serial: qcom-geni: trace: Add tracepoint support for Qualcomm GENI serial
  tty: serial: Use named initializers for arrays of i2c_device_data
  serial: 8250_dw: remove clock-notifier infrastructure
  serial: 8250_dw: unregister 8250 port if clk_notifier_register() fails
  amba/serial: amba-pl011: Bring back zx29 UART support
  serial: 8250: Add support for console flow control
  serial: 8250: Check LSR timeout on console flow control
  serial: 8250: Set cons_flow on port registration
  tty: serial: 8250: protect against NULL uart->port.dev in register
  arm64: dts: add support for A9 based Amlogic BY401
  dt-bindings: arm: amlogic: add A311Y3 support
  serial: max310x: fix compile errors if CONFIG_SPI_MASTER is disabled
  serial: qcom-geni: Avoid probing debug console UART without console support
  serial: max310x: add comments for PLL limits
  ...

13 days agoMerge tag 'nf-26-06-21' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf
Jakub Kicinski [Mon, 22 Jun 2026 17:33:38 +0000 (10:33 -0700)] 
Merge tag 'nf-26-06-21' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net. This batches
fixes for real crashes with trivial/correctness fixes. There is too
a rework of the conntrack expectation timeout strategy to deal with
a possible race when removing an expectation.

1) Fix the incorrect flowtable timeout extension for entries in
   hw offload, from Adrian Bente. This is correcting a defect in
   the functionality, no crash.

2) Hold reference to device under the fake dst in br_netfilter,
   from Haoze Xie. This is fixing a possible UaF if the device
   is removed while packet is sitting in nfqueue.

3) Reject template conntrack in xt_cluster, otherwise access to
   uninitialize conntrack fields are possible leading to WARN_ON
   due to unset layer 3 protocol. From Wyatt Feng.

4) Make sure the IPv6 tunnel header is in the linear skb data
   area before pulling. While at it remove incomplete NEXTHDR_DEST
   support. From Lorenzo Bianconi. This possibly leading to crash
   if IPv4 header is not in the linear area.

5) Use test_bit_acquire in ipset hash set to avoid reordering
   of subsequent memory access. This is addressing a LLM related
   report, no crash has been observed. From Jozsef Kadlecsik.

6) Use test_bit_acquire in ipset bitmap set too, for the same
   reason as in the previous patch, from Jozsef Kadlecsik.

7) Call kfree_rcu() after rcu_assign_pointer() to address a
   possible UaF if kfree_rcu() runs inmediately, which to my
   understanding never happens. Never observed in practise,
   reported by LLM. Also from Jozsef Kadlecsik.

8) Use disable_delayed_work_sync() instead cancel_delayed_work_sync()
   to avoid that ipset GC handler re-queues work as reported by LLM.
   From Jozsef Kadlecsik. This is for correctness.

9) Restore the check in nft_payload for exceeding payloda offset
    over 2^16. From Florian Westphal. This fixes a silent truncation,
    not a big deal, but better be assertive and reject it.

10) Validate NFT_META_BRI_IIFHWADDR can only run from bridge
    prerouting. From Florian Westphal. Harmless but it could allow
    to read bytes from skb->cb.

11) Zero out destination hardware address during the flowtable
    path setup, also from Florian. This is a correctness fix, LLM
    points that possible infoleak can happen but topology to achieve
    it is not clear.

12) Skip IPv4 options if present when building the IPV4 reject reply.
    Otherwise bytes in the IPv4 options header can be sent back to
    origin where the ICMP header is being expected. Again from
    Florian Westphal.

13) Replace timer API for expectation by GC worker approach. This
    is implicitly fixing a race between nf_ct_remove_expectations()
    which might fail to remove the expectation due to timer_del()
    returning false because timer has expired and callback is
    being run concurrently. This fix is addressing a crash that has
    been already reported with a reproducer.

14) Check if br_vlan_get_pvid_rcu() fails, otherwise possible stack
    infoleak of 4-bytes. From Florian Westphal.

* tag 'nf-26-06-21' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
  netfilter: nft_meta_bridge: fix NFT_META_BRI_IIFPVID stack leak
  netfilter: nf_conntrack_expect: use conntrack GC to reap expectations
  netfilter: nf_reject: skip iphdr options when looking for icmp header
  netfilter: nft_flow_offload: zero device address for non-ether case
  netfilter: nft_meta_bridge: add validate callback for get operations
  netfilter: nft_payload: reject offsets exceeding 65535 bytes
  netfilter: ipset: make sure gc is properly stopped
  netfilter: ipset: fix order of kfree_rcu() and rcu_assign_pointer()
  netfilter: ipset: Don't use test_bit() in lockless RCU readers in bitmap types
  netfilter: ipset: Don't use test_bit() in lockless RCU readers in hash types
  netfilter: flowtable: fix and simplify IP6IP6 tunnel handling
  netfilter: xt_cluster: reject template conntracks in hash match
  netfilter: nf_queue: pin bridge device while NFQUEUE holds fake dst
  netfilter: flowtable: fix offloaded ct timeout never being extended
====================

Link: https://patch.msgid.link/20260620222738.112506-1-pablo@netfilter.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
13 days agoASoC: cs530x: Fix expected MCLK rates for CS5302/4/8
Ahmad Fatoum [Wed, 17 Jun 2026 14:47:53 +0000 (16:47 +0200)] 
ASoC: cs530x: Fix expected MCLK rates for CS5302/4/8

When this driver was first added, it accepted rates of 24.56 MHz and
22.572 MHz for the MCLK when PLL bypass is enabled.

These rates seem to have no basis in the datasheets and were thus replaced
with 45.1584 MHz and 49.152 MHz, respectively, in commit e7ab858390f2
("ASoC: cs530x: Correct MCLK reference frequency values").

While the new rates are indeed correct for the CS4xxx ICs[0][1][2][3],
they are incorrect for the CS530x ICs the driver was originally written to
support as the MCLK frequencies are halved there[4][5][6].

Fix this by checking against the correct type-appropriate rates.

While at it, drop the CS530X_SYSCLK_REF_* macros. They arguably confuse
more than they help, especially as they are not applicable to the
cs5302/4/8.

[0]: https://statics.cirrus.com/pubs/proDatasheet/CS4282P_DS1318F1.pdf
[1]: https://statics.cirrus.com/pubs/proDatasheet/CS4302P_DS1315F1.pdf
[2]: https://statics.cirrus.com/pubs/proDatasheet/CS4304P_DS1316F1.pdf
[3]: https://statics.cirrus.com/pubs/proDatasheet/CS4308P_DS1317F1.pdf
[4]: https://statics.cirrus.com/pubs/proDatasheet/CS5302P_DS1312F1.pdf
[5]: https://statics.cirrus.com/pubs/proDatasheet/CS5304P_DS1313F1.pdf
[6]: https://statics.cirrus.com/pubs/proDatasheet/CS5308P_DS1314F1.pdf

Fixes: 2884c29152c0 ("ASoC: cs530x: Support for cs530x ADCs")
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://patch.msgid.link/20260617-cs530x-mclk-v1-1-0215b5f1a0a4@pengutronix.de
Signed-off-by: Mark Brown <broonie@kernel.org>
13 days agoMerge tag 'i2c-7.2-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/andi.shyti...
Linus Torvalds [Mon, 22 Jun 2026 16:30:31 +0000 (09:30 -0700)] 
Merge tag 'i2c-7.2-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/andi.shyti/linux

Pull more i2c updates from Andi Shyti:
 "Cleanups:
   - generic cleanups in qcom, qcom-cci and pxa, plus core cleanups in
     algo-bit and atr

  Fixes:
   - davinci: clean up cpufreq notifier on probe failure
   - imx-lpi2c: suspend the adapter while hardware is powered down
   - ls2x-v2: return IRQ_HANDLED after servicing error interrupts
   - stm32f7: fix timing calculation accuracy

  DT bindings:
   - microchip: permit resets
   - i2c-mux-pinctrl: update maintainer entry
   - i2c-mux-reg: convert bindings to DT schema"

* tag 'i2c-7.2-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/andi.shyti/linux:
  i2c: pxa: Use named initializers for the platform_device_id array
  i2c: imx-lpi2c: mark I2C adapter when hardware is powered down
  i2c: stm32f7: truncate clock period instead of rounding it
  dt-bindings: i2c: microchip,corei2c: permit resets
  i2c: qcom: Unify user-visible "Qualcomm" name
  i2c: ls2x-v2: return IRQ_HANDLED after servicing an error
  i2c: atr: annotate i2c_atr_adap_desc->aliases with __counted_by_ptr
  i2c: algo: bit: use str_plural helper in bit_xfer
  dt-bindings: i2c: i2c-mux-pinctrl: change maintainer
  dt-bindings: i2c: convert i2c-mux-reg to DT schema
  i2c: davinci: Unregister cpufreq notifier on probe failure
  i2c: qcom-cci: Remove overcautious disable_irq() calls
  i2c: qcom-cci: Move cci_init() under cci_reset() function
  i2c: qcom-cci: Do not check return value of cci_init()

13 days agoMerge tag 'i3c/for-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/i3c/linux
Linus Torvalds [Mon, 22 Jun 2026 16:24:22 +0000 (09:24 -0700)] 
Merge tag 'i3c/for-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/i3c/linux

Pull i3c updates from Alexandre Belloni:
 "This cycle, there was a lot of work around the mipi-i3c-hci driver
  that also led to improvements of the core. We also have support for a
  new SoC, the Microchip SAMA7D65. And of course, there are small fixes
  for the other controller drivers.

  Subsystem:
   - introduce dynamic address reconciliation after DAA
   - add preliminary API for hub support
   - fixes for dev_nack_retry_count handling
   - move hot-join support in the core instead of open coding in
     different drivers

  Drivers:
   - mipi-i3c-hci-pci: DMA abort, recovery and related improvements,
     hot-join support, Microchip SAMA7D65 support, fix possible race in
     IBI handling
   - dw-i3c-master: fix IBI count register selection for versalnet
   - svc: interrupt handling fixes for NPCM845"

* tag 'i3c/for-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/i3c/linux: (45 commits)
  i3c: mipi-i3c-hci: Use named initializers for platform_device_id's .driver_data
  i3c: master: Use unsigned int for dev_nack_retry_count consistently
  i3c: master: Add missing runtime PM get in dev_nack_retry_count_store()
  i3c: master: Update dev_nack_retry_count under maintenance lock
  i3c: master: Expose the APIs to support I3C hub
  i3c: master: rename i3c_master_reattach_i3c_dev() to *_locked
  i3c: mipi-i3c-hci: add microchip sama7d65 SoC compatible with the required quirk
  dt-bindings: i3c: mipi-i3c-hci: add Microchip SAMA7D65 compatible
  i3c: Consistently define pci_device_ids using named initializers
  i3c: master: Reconcile dynamic addresses after DAA
  i3c: master: Move DAA API functions after i3c_master_add_i3c_dev_locked()
  i3c: master: Make i3c_master_add_i3c_dev_locked() return void
  i3c: mipi-i3c-hci: Tolerate i3c_master_add_i3c_dev_locked() failures in DAA
  i3c: master: Prevent reuse of dynamic address on device add failure
  i3c: mipi-i3c-hci: Ignore DISEC failures when disabling IBIs
  i3c: mipi-i3c-hci: Fix race in i3c_hci_addr_to_dev()
  i3c: mipi-i3c-hci: Add Hot-Join support
  i3c: master: Export i3c_master_enec_disec_locked()
  i3c: master: Defer new-device registration out of DAA caller context
  i3c: dw: Drop redundant Hot-Join cancel_work_sync() in shutdown
  ...

13 days agoirqchip/imgpdc: Fix resource leak, add missing chained handler cleanup on remove
Qingshuang Fu [Thu, 18 Jun 2026 02:13:52 +0000 (10:13 +0800)] 
irqchip/imgpdc: Fix resource leak, add missing chained handler cleanup on remove

The driver allocates domain generic chips using
irq_alloc_domain_generic_chips() during probe and sets up chained
handlers using irq_set_chained_handler_and_data(). However, on driver
removal, the generic chips are not freed and the chained handlers are
not removed.

The generic chips remain on the global gc_list and may later be accessed by
generic interrupt chip suspend, resume, or shutdown callbacks after the
driver has been removed, potentially resulting in a use-after-free and
kernel crash.

The chained handlers that were installed in probe for peripheral and
syswake interrupts are also left dangling, which can lead to spurious
interrupts accessing freed memory.

Fix these issues by:

  - Setting IRQ_DOMAIN_FLAG_DESTROY_GC flag in domain->flags, so the
    core code automatically removes generic chips when irq_domain_remove()
    is called

  - Clearing all chained handlers with NULL in pdc_intc_remove()

Fixes: b6ef9161e43a ("irq-imgpdc: add ImgTec PDC irqchip driver")
Signed-off-by: Qingshuang Fu <fuqingshuang@kylinos.cn>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260618021352.661773-1-fffsqian@163.com
13 days agosched_ext: Move sources under kernel/sched/ext/
Tejun Heo [Mon, 22 Jun 2026 15:32:54 +0000 (05:32 -1000)] 
sched_ext: Move sources under kernel/sched/ext/

The sched_ext sources had grown to ten ext* files directly under
kernel/sched/. Move them into a new kernel/sched/ext/ subdirectory and drop
the now-redundant ext_ prefix. ext.c/h keep their names.

  kernel/sched/ext.{c,h}       -> kernel/sched/ext/ext.{c,h}
  kernel/sched/ext_internal.h  -> kernel/sched/ext/internal.h
  kernel/sched/ext_types.h     -> kernel/sched/ext/types.h
  kernel/sched/ext_idle.{c,h}  -> kernel/sched/ext/idle.{c,h}
  kernel/sched/ext_cid.{c,h}   -> kernel/sched/ext/cid.{c,h}
  kernel/sched/ext_arena.{c,h} -> kernel/sched/ext/arena.{c,h}

The include paths in build_policy.c and sched.h, the MAINTAINERS glob, and a
few documentation and comment references are updated to match. No code or
symbol changes.

Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Reviewed-by: Andrea Righi <arighi@nvidia.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
13 days agoMerge tag 'slab-for-7.2-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/vbabk...
Linus Torvalds [Mon, 22 Jun 2026 15:28:48 +0000 (08:28 -0700)] 
Merge tag 'slab-for-7.2-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slab

Pull more slab updates from Vlastimil Babka:

 - Introduce and wire up a new alloc_flags parameter for modifying
   slab-specific behavior without adding or reusing gfp flags. Also
   introduce slab_alloc_context to keep function parameter bloat in
   check. Both are similar to what the page allocator does.
   kmalloc_flags() exposes alloc_flags for mm-internal users.

     - SLAB_ALLOC_NOLOCK flag is used to implement kmalloc_nolock()
       behavior without relying on lack of __GFP_RECLAIM, which caused
       false positives with workarounds like fd3634312a04 ("debugobject:
       Make it work with deferred page initialization - again").

     - SLAB_ALLOC_NO_RECURSE replaces __GFP_NO_OBJ_EXT, which could have
       been removed, but pending memory allocation profiling changes in
       mm tree have grown a new user - there is however a work ongoing
       to replace that too, so __GFP_NO_OBJ_EXT should eventually be
       removed. (Vlastimil Babka)

 - Add kmem_buckets_alloc_track_caller() with a user to be added in the
   net tree (Pedro Falcato)

 - Fixes for kernel-doc and slabinfo (Randy Dunlap, Yichong Chen)

* tag 'slab-for-7.2-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slab:
  tools/mm/slabinfo: fix total_objects attribute name
  slab: recognize @GFP parameter as optional in kernel-doc
  mm/slab: add a node-track-caller variant for kmem buckets allocation
  mm/slab: replace __GFP_NO_OBJ_EXT with SLAB_ALLOC_NO_RECURSE for sheaves
  mm/slab: remove __GFP_NO_OBJ_EXT usage from alloc_slab_obj_exts()
  mm/slab: introduce kmalloc_flags()
  mm/slab: allow __GFP_NOMEMALLOC and __GFP_NOWARN for kmalloc_nolock()
  mm/slab: pass slab_alloc_context to __do_kmalloc_node()
  mm/slab: allow kmem_cache_alloc_bulk() with any gfp flags
  mm/slab: replace slab_alloc_node() parameters with slab_alloc_context
  mm/slab: pass alloc_flags through slab_post_alloc_hook() chain
  mm/slab: pass alloc_flags to new slab allocation
  mm/slab: add alloc_flags to slab_alloc_context
  mm/slab: replace struct partial_context with slab_alloc_context
  mm/slab: introduce alloc_flags and SLAB_ALLOC_NOLOCK
  mm/slab: introduce slab_alloc_context
  mm/slab: stop inlining __slab_alloc_node()
  mm/slab: do not init any kfence objects on allocation

13 days agoMerge tag 'hyperv-next-signed-20260621' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Mon, 22 Jun 2026 15:06:13 +0000 (08:06 -0700)] 
Merge tag 'hyperv-next-signed-20260621' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux

Pull hyperv updates from Wei Liu:

 - Use wakeup mailbox to boot APs in Hyper-V VTL2 TDX guests (Yunhong
   Jiang, Ricardo Neri)

 - Move the Hyper-V IOMMU to its own subdirectory (Mukesh Rathor)

 - Cosmetic changes to mshv and balloon driver (Junrui Luo, Markus
   Elfring)

* tag 'hyperv-next-signed-20260621' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux:
  mshv: add bounds check on vp_index in mshv_intercept_isr()
  hv_balloon: Simplify data output in hv_balloon_debug_show()
  x86/hyperv: Cosmetic changes in irqdomain.c for readability
  iommu/hyperv: Create hyperv subdirectory under drivers/iommu
  x86/hyperv/vtl: Use the wakeup mailbox to boot secondary CPUs
  x86/hyperv/vtl: Mark the wakeup mailbox page as private
  x86/acpi: Add a helper to get the address of the wakeup mailbox
  x86/hyperv/vtl: Setup the 64-bit trampoline for TDX guests
  x86/realmode: Make the location of the trampoline configurable
  x86/hyperv/vtl: Set real_mode_header in hv_vtl_init_platform()
  x86/dt: Parse the Wakeup Mailbox for Intel processors
  dt-bindings: reserved-memory: Wakeup Mailbox for Intel processors
  x86/acpi: Add functions to setup and access the wakeup mailbox
  x86/topology: Add missing struct declaration and attribute dependency

13 days agoMerge tag 's390-7.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
Linus Torvalds [Mon, 22 Jun 2026 14:43:48 +0000 (07:43 -0700)] 
Merge tag 's390-7.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux

Pull more s390 updates from Alexander Gordeev:

 - consolidate s390 idle time accounting by moving all CPU time tracking
   to the architecture backend and eliminate the mix of architecture-
   specific and common code accounting

 - Add missing EXPORT_SYMBOL_GPL() to kcpustat_field_idle() and
   kcpustat_field_iowait() functions

 - Finalize ptep_get() conversion by replacing direct page table entry
   dereferencing with proper accessors (ptep_get(), pmdp_get(), etc.)

 - Explicitly check the buffer length in PKEY_VERIFYPROTK ioctl and
   pkey_pckmo implementations and fail if the length is exceeded

* tag 's390-7.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
  s390/pkey: Check length in pkey_pckmo handler implementation
  s390/pkey: Check length in PKEY_VERIFYPROTK ioctl
  s390/idle: Add missing EXPORT_SYMBOL_GPL()
  s390/mm: Complete ptep_get() conversion
  s390/idle: Remove idle time and count sysfs files
  s390/idle: Provide arch specific kcpustat_field_idle()/kcpustat_field_iowait()
  s390/irq/idle: Use stcke instead of stckf for time stamps
  s390/timex: Move union tod_clock type to separate header

13 days agodebugobjects: Plug race against a concurrent OOM disable
Thomas Gleixner [Sun, 21 Jun 2026 14:47:44 +0000 (16:47 +0200)] 
debugobjects: Plug race against a concurrent OOM disable

syzbot reported a puzzling splat:

   WARNING: kernel/time/hrtimer.c:443 at stub_timer+0xa/0x20

stub_timer() is installed as timer callback function in
hrtimer_fixup_assert_init(), which is invoked when
debug_object_assert_init() can't find a shadow object. In that case debug
objects emits a warning about it before invoking the fixup.

Though the provided console log lacks this warning and instead has the
following a few seconds before the splat:

     ODEBUG: Out of memory. ODEBUG disabled

So the object was looked up in debug_object_assert_init() and the lookup
failed due a concurrent out of memory situation which disabled debug
objects and freed the shadow objects:

debug_object_assert_init()
        if (!debug_objects_enabled)
         return;                         obj = alloc();
                 if (!obj) {
// Out of memory
                                                 debug_objects_enabled = false;
                                                        free_objects();
        obj = lookup_or_alloc();

        // The lookup failed because the other side
        // removed the objects, so this returns
        // an error code as the object in question
        // is not statically initialized

if (!IS_ERR_OR_NULL(obj))
         return;
        if (!obj) {
         debug_oom();
                return;
        }

        print(...)
           if (!debug_objects_enabled)
                return;

        fixup(...)

The debug object splat is skipped because debug_objects_enabled is false,
but the fixup callback is invoked unconditionally, which makes the timer
disfunctional.

This is only a problem in debug_object_assert_init() and
debug_object_activate() as both have to handle statically initialized
objects and therefore must handle the error pointer return case
gracefully. All other places only handle the found/not found case and the
NULL pointer return is a signal for OOM. Otherwise they get a valid shadow
object.

Plug the hole by checking whether debug objects are still enabled before
invoking the print and fixup function in those two places.

Fixes: b84d435cc228 ("debugobjects: Extend to assert that an object is initialized")
Reported-by: syzbot+5e8dda76ca21dae314b6@syzkaller.appspotmail.com
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/874iiwlzlb.ffs@fw13
13 days agotime: Fix off-by-one in compat settimeofday() usec validation
Wang Yan [Mon, 22 Jun 2026 10:33:48 +0000 (18:33 +0800)] 
time: Fix off-by-one in compat settimeofday() usec validation

The compat version of settimeofday() uses '>' instead of '>=' when
validating tv_usec against USEC_PER_SEC, allowing the value 1000000 to pass
the check. After the subsequent conversion to nanoseconds (tv_nsec *=
NSEC_PER_USEC), this results in tv_nsec == NSEC_PER_SEC, which violates the
timespec invariant that tv_nsec must be strictly less than NSEC_PER_SEC.

The native settimeofday() was already fixed in commit ce4abda5e126 ("time:
Fix off-by-one in settimeofday() usec validation"), but the compat
counterpart was missed.

Fix it by using '>=' to reject tv_usec values outside the valid range [0,
USEC_PER_SEC - 1].

Fixes: 5e0fb1b57bea ("y2038: time: avoid timespec usage in settimeofday()")
Signed-off-by: Wang Yan <wangyan01@kylinos.cn>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260622103348.120255-1-wangyan01@kylinos.cn
13 days agoALSA: hda/realtek: Fix noisy mic for Clevo V6xxAW
Aaron Erhardt [Tue, 19 May 2026 15:49:48 +0000 (17:49 +0200)] 
ALSA: hda/realtek: Fix noisy mic for Clevo V6xxAW

Add a PCI quirk to reduce the volume of the internal microphone to prevent
extremely noisy signal.

Signed-off-by: Aaron Erhardt <aer@tuxedocomputers.com>
Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260519155047.106096-1-wse@tuxedocomputers.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
13 days agoerofs: handle 48-bit blocks_hi for compressed inodes
Zhan Xusheng [Mon, 22 Jun 2026 08:11:36 +0000 (16:11 +0800)] 
erofs: handle 48-bit blocks_hi for compressed inodes

Combine i_nb.blocks_hi with i_u.blocks_lo when computing
inode->i_blocks for compressed inodes, mirroring the startblk_hi
handling for unencoded inodes a few lines above.  Also evaluate
the shift in u64 to avoid truncation.

Fixes: efb2aef569b3 ("erofs: add encoded extent on-disk definition")
Fixes: 1d191b4ca51d ("erofs: implement encoded extent metadata")
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
13 days agodrm/sysfb: Avoid truncating maximum stride
Thomas Zimmermann [Thu, 18 Jun 2026 08:42:00 +0000 (10:42 +0200)] 
drm/sysfb: Avoid truncating maximum stride

Passing a maximum as 64-bit type to drm_sysfb_get_validated_int0()
can truncate the value to 32 bits. Use drm_sysfb_get_validated_size0(),
which uses 64-bit arithmetics. Then test the returned stride against
the limits of int to avoid truncations in the returned value. A valid
stride is in the range of [1, INT_MAX] inclusive.

Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Reported-by: Sashiko <sashiko-bot@kernel.org>
Closes: https://lore.kernel.org/dri-devel/20260617114016.5A5991F000E9@smtp.kernel.org/
Fixes: 32ae90c66fb6 ("drm/sysfb: Add efidrm for EFI displays")
Fixes: a84eb6abe2b6 ("drm/sysfb: Add vesadrm for VESA displays")
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: Javier Martinez Canillas <javierm@redhat.com>
Cc: dri-devel@lists.freedesktop.org
Cc: <stable@vger.kernel.org> # v6.16+
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
Link: https://patch.msgid.link/20260618084327.46567-5-tzimmermann@suse.de
13 days agodrm/sysfb: Return errno code from drm_sysfb_get_visible_size()
Thomas Zimmermann [Thu, 18 Jun 2026 08:41:59 +0000 (10:41 +0200)] 
drm/sysfb: Return errno code from drm_sysfb_get_visible_size()

Change the return type of drm_sysfb_get_visible_size() to s64 so
that it returns a possible errno code from _get_validated_size0().
Fix callers to handle the errno code.

The currently returned unsigned type converts an errno code to a
very large size value, which drivers interpret as visible size of
the system framebuffer. Later efforts to reserve the framebuffer
resource fail.

The bug has been present since efidrm and vesadrm got merged. It
was then part of each driver.

Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Fixes: 32ae90c66fb6 ("drm/sysfb: Add efidrm for EFI displays")
Fixes: a84eb6abe2b6 ("drm/sysfb: Add vesadrm for VESA displays")
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: Javier Martinez Canillas <javierm@redhat.com>
Cc: dri-devel@lists.freedesktop.org
Cc: <stable@vger.kernel.org> # v6.16+
Link: https://patch.msgid.link/20260618084327.46567-4-tzimmermann@suse.de
13 days agodrm/sysfb: Avoid possible truncation with calculating visible size
Thomas Zimmermann [Thu, 18 Jun 2026 08:41:58 +0000 (10:41 +0200)] 
drm/sysfb: Avoid possible truncation with calculating visible size

Calculating the visible size of the system framebuffer can result in
truncation of the result. The calculation uses 32-bit arithmetics,
which can overflow if the values for height and stride are large. Fix
the issue by multiplying with mul_u32_u32().

Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Fixes: 32ae90c66fb6 ("drm/sysfb: Add efidrm for EFI displays")
Fixes: a84eb6abe2b6 ("drm/sysfb: Add vesadrm for VESA displays")
Reported-by: Sashiko <sashiko-bot@kernel.org>
Closes: https://lore.kernel.org/dri-devel/20260617114027.1F2A71F000E9@smtp.kernel.org/
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: Javier Martinez Canillas <javierm@redhat.com>
Cc: dri-devel@lists.freedesktop.org
Cc: <stable@vger.kernel.org> # v6.16+
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
Link: https://patch.msgid.link/20260618084327.46567-3-tzimmermann@suse.de
13 days agodrm/sysfb: Do not page-align visible size of the framebuffer
Thomas Zimmermann [Thu, 18 Jun 2026 08:41:57 +0000 (10:41 +0200)] 
drm/sysfb: Do not page-align visible size of the framebuffer

Only return the actually visible size of the system framebuffer in
drm_sysfb_get_visible_size_si(). Drivers use this size value for
reserving access to framebuffer memory. Increasing the value can
make later attempts to do so fail.

Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Fixes: 32ae90c66fb6 ("drm/sysfb: Add efidrm for EFI displays")
Fixes: a84eb6abe2b6 ("drm/sysfb: Add vesadrm for VESA displays")
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: Javier Martinez Canillas <javierm@redhat.com>
Cc: dri-devel@lists.freedesktop.org
Cc: <stable@vger.kernel.org> # v6.16+
Link: https://patch.msgid.link/20260618084327.46567-2-tzimmermann@suse.de
13 days agoALSA: hda/realtek: Add LED fixup for HP EliteBook 6 G2i Laptops
Dirk Su [Mon, 22 Jun 2026 07:20:04 +0000 (15:20 +0800)] 
ALSA: hda/realtek: Add LED fixup for HP EliteBook 6 G2i Laptops

The HP EliteBook 6 G2i laptops requires specific LED control method
ALC236_FIXUP_HP_GPIO_LED to work

Signed-off-by: Dirk Su <dirk.su@canonical.com>
Link: https://patch.msgid.link/20260622072019.56351-1-dirk.su@canonical.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
13 days agoALSA: hda/realtek: Add quirk for Lenovo Yoga 7 16IAP7
Chris Aherin [Mon, 22 Jun 2026 00:12:10 +0000 (19:12 -0500)] 
ALSA: hda/realtek: Add quirk for Lenovo Yoga 7 16IAP7

The Yoga 7 16IAP7 (board LNVNB161216, codec SSID 17aa:386a) has pin
complex 0x17 (bass speakers) wrongly reported as unconnected, causing
only one of four speaker pins (0x14) to be configured and resulting in
mono/tinny audio.

SOF corrupts the PCI subsystem ID to 17aa:0000, preventing SND_PCI_QUIRK
from matching. HDA_CODEC_QUIRK is used instead, which matches against
codec->core.subsystem_id read directly from the HDA codec register and
unaffected by the SOF bug.

Applies ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN, the same fixup used for
the Yoga 7 14IAL7, which corrects pin 0x17's default configuration and
enables both speaker pairs.

Signed-off-by: Chris Aherin <chrisaherin@gmail.com>
Link: https://patch.msgid.link/20260622001210.20553-1-chrisaherin@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
13 days agodrm/edid: fix OOB read in drm_parse_tiled_block()
Xiang Mei [Mon, 15 Jun 2026 18:47:37 +0000 (11:47 -0700)] 
drm/edid: fix OOB read in drm_parse_tiled_block()

drm_parse_tiled_block() casts the DisplayID block to a
struct displayid_tiled_block and reads the full fixed layout up to
tile->topology_id[7] without checking block->num_bytes. The DisplayID
iterator only validates the declared payload length, so a crafted EDID
can advertise a tiled-display block (tag DATA_BLOCK_TILED_DISPLAY, or
DATA_BLOCK_2_TILED_DISPLAY_TOPOLOGY for v2.0) with a small num_bytes at
the end of a DisplayID extension. The read then runs past the end of the
exact-sized kmemdup()'d EDID allocation, a heap out-of-bounds read.

Reject blocks shorter than the spec's 22-byte tiled payload before
reading the fixed struct, as drm_parse_vesa_mso_data() already does.

  BUG: KASAN: slab-out-of-bounds in drm_edid_connector_update
  Read of size 2 at addr ffff888010077700 by task exploit/147
   dump_stack_lvl (lib/dump_stack.c:94 ...)
   print_report (mm/kasan/report.c:378 ...)
   kasan_report (mm/kasan/report.c:595)
   drm_edid_connector_update (drivers/gpu/drm/drm_edid.c:7581)
   bochs_connector_helper_get_modes (drivers/gpu/drm/tiny/bochs.c:574)
   drm_helper_probe_single_connector_modes (drivers/gpu/drm/drm_probe_helper.c:426)
   status_store (drivers/gpu/drm/drm_sysfs.c:219)
   ...
   vfs_write (fs/read_write.c:595 fs/read_write.c:688)
   ksys_write (fs/read_write.c:740)

Fixes: 40d9b043a89e ("drm/connector: store tile information from displayid (v3)")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Reviewed-by: Jani Nikula <jani.nikula@intel.com>
Link: https://patch.msgid.link/20260615184737.899892-1-xmei5@asu.edu
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
13 days agogpio: tb10x: fix struct tb10x_gpio kernel-doc
Igor Putko [Thu, 18 Jun 2026 15:56:24 +0000 (18:56 +0300)] 
gpio: tb10x: fix struct tb10x_gpio kernel-doc

Fix build warning by adding the missing structure name and
description to the kernel-doc comment block.

Signed-off-by: Igor Putko <igorpetindev@gmail.com>
Link: https://patch.msgid.link/20260618155626.18751-2-igorpetindev@gmail.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
13 days agogpiolib: initialize return value in gpiochip_set_multiple()
Ruoyu Wang [Sat, 20 Jun 2026 15:53:19 +0000 (23:53 +0800)] 
gpiolib: initialize return value in gpiochip_set_multiple()

gpiochip_set_multiple() falls back to setting lines one by one when the
chip does not provide set_multiple(). If the fallback path receives an
empty mask, the loop is skipped and ret is returned without being
initialized.

Initialize ret to 0 so an empty mask is treated as a successful no-op.

Fixes: 9b407312755f ("gpiolib: rework the wrapper around gpio_chip::set_multiple()")
Signed-off-by: Ruoyu Wang <ruoyuw560@gmail.com>
Acked-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Link: https://patch.msgid.link/20260620155319.79994-1-ruoyuw560@gmail.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
13 days agopower: sequencing: fix ABBA deadlock in pwrseq_device_unregister()
Bartosz Golaszewski [Thu, 18 Jun 2026 08:45:12 +0000 (10:45 +0200)] 
power: sequencing: fix ABBA deadlock in pwrseq_device_unregister()

The pwrseq core takes three locks in consistent order everywhere:

  pwrseq_sem -> pwrseq->rw_lock -> pwrseq->state_lock

pwrseq_get() -> pwrseq_match_device() takes pwrseq_sem for reading, then
rw_lock for reading. pwrseq_power_on()/pwrseq_power_off() take rw_lock
for reading and then state_lock.

pwrseq_device_unregister() is the only exception, it takes: state_lock,
then rw_lock for writing and finally pwrseq_sem for writing. This created
two potential ABBA deadlock situations that sashiko pointed out.

  - pwrseq_power_on/off() take rw_lock for reading then state_lock, while
    pwrseq_unregister() takes state_lock then rw_lock for writing
  - pwrseq_get() takes pwrseq_sem for reading then rw_lock for reading,
    while pwrseq_unregister() takes rw_lock for writing then pwrseq_sem
    for writing

Reorder the unregister path to taking pwrseq_sem for writing -> rw_lock
for writing and drop the state_lock entirely. This is safe as
enable_count is only ever written under rw_lock held for read (via
pwrseq_unit_enable()/disable(), reached only from pwrseq_power_on/off()),
so holding rw_lock for writing already excludes every other writer and
reader and the active-users WARN() stays race-free without state_lock.

Fixes: 249ebf3f65f8 ("power: sequencing: implement the pwrseq core")
Closes: https://sashiko.dev/#/patchset/20260616151049.1705503-1-vulab%40iscas.ac.cn
Link: https://patch.msgid.link/20260618-pwrseq-abba-deadlock-v1-1-943a3fd81c06@oss.qualcomm.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
13 days agopower: sequencing: pcie-m2: Sort PCI device IDs in ascending order
Wei Deng [Wed, 17 Jun 2026 14:30:55 +0000 (20:00 +0530)] 
power: sequencing: pcie-m2: Sort PCI device IDs in ascending order

Sort the entries in pwrseq_m2_pci_ids[] by device ID in ascending order:
0x1103 (WCN6855) before 0x1107 (WCN7850).

Fixes: 2abcfdd91e6a ("power: sequencing: pcie-m2: Add PCI ID 0x1103 for WCN6855 Bluetooth")
Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Wei Deng <wei.deng@oss.qualcomm.com>
Link: https://patch.msgid.link/20260617143055.820096-1-wei.deng@oss.qualcomm.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
13 days agopwrseq: core: fix use-after-free in pwrseq_debugfs_seq_next()
Wentao Liang [Tue, 16 Jun 2026 15:10:49 +0000 (15:10 +0000)] 
pwrseq: core: fix use-after-free in pwrseq_debugfs_seq_next()

pwrseq_debugfs_seq_next() declares 'next' with __free(put_device),
which causes put_device() to be called on the returned pointer when
the variable goes out of scope.  This results in a use-after-free
since the seq_file framework receives a pointer whose reference has
already been dropped.

Simply removing __free(put_device) would fix the UAF but would leak
the reference acquired by bus_find_next_device(), as stop() only
calls up_read(&pwrseq_sem) and never releases the device reference.

Fix this by making the reference counting consistent across all
seq_file callbacks, matching the standard pattern used by PCI and
SCSI:

- start(): use get_device() so it returns a referenced pointer.
- next(): explicitly put_device(curr) to release the previous
  device's reference (no NULL check needed - the seq_file framework
  only calls next() while the previous return was non-NULL).
- stop(): put_device(data) to release the last iterated device's
  reference, with a NULL guard since stop() may be called with NULL
  when start() returned NULL or next() reached end-of-sequence.

Cc: stable@vger.kernel.org
Fixes: 249ebf3f65f8 ("power: sequencing: implement the pwrseq core")
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20260616151049.1705503-1-vulab@iscas.ac.cn
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
2 weeks agoMerge tag 'bpf-next-7.2' into loongarch-next
Huacai Chen [Mon, 22 Jun 2026 03:29:06 +0000 (11:29 +0800)] 
Merge tag 'bpf-next-7.2' into loongarch-next

LoongArch architecture changes for 7.2 need the bpf changes to add new
features, so merge 'bpf-next-7.2' to create a base.

2 weeks agoerofs: remove fscache backend entirely
Gao Xiang [Mon, 22 Jun 2026 01:36:22 +0000 (09:36 +0800)] 
erofs: remove fscache backend entirely

EROFS over fscache was introduced to provide image lazy pulling
functionality. After the feature landed, the fscache subsystem made
netfs a new hard dependency, which is unexpected for a local filesystem
and has an kernel-defined caching hierarchy which could be inflexible
compared to the fanotify pre-content hooks. Therefore, this feature has
been deprecated for almost two years.

As EROFS file-backed mounts and fanotify pre-content hooks both upstream
for a while and already providing equivalent functionality (erofs-utils
has supported fanotify pre-content hooks), let's remove the fscache
backend now.

The main application of this feature is Nydus [1], and they plan to move
to use fanotify pre-content hooks in the near future too.

I hope this patch can be merged into Linux 7.2, which is also motivated
by newly found implementation issues [2][3] that are not worth
investigating given the deprecation and limited development resources.
The associated fscache/cachefiles cleanup patch will follow separately
through the vfs tree (netfs) later: it seems fine since the codebase is
isolated by CONFIG_CACHEFILES_ONDEMAND.

[1] https://github.com/dragonflyoss/nydus/blob/v2.1.0/docs/nydus-fscache.md
[2] https://github.com/dragonflyoss/nydus/pull/1824
[3] https://lore.kernel.org/r/20260619135800.1594811-1-michael.bommarito@gmail.com

Acked-by: Jingbo Xu <jefflexu@linux.alibaba.com>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
2 weeks agoMerge branch 'fix-effective-prog-array-indexing-with-bpf_f_preorder'
Alexei Starovoitov [Mon, 22 Jun 2026 01:10:04 +0000 (18:10 -0700)] 
Merge branch 'fix-effective-prog-array-indexing-with-bpf_f_preorder'

Amery Hung says:

====================
Fix effective prog array indexing with BPF_F_PREORDER

This patchset fixes a cgroup effective-array indexing bug where
replace_effective_prog() and purge_effective_progs() used a linear hlist
position that doesn't match the array layout when BPF_F_PREORDER
programs are present, corrupting the array on link update and risking a
use-after-free in the detach fallback. It computes the slot via a shared
effective_prog_pos() helper and adds a cgroup_preorder selftest.

Changelog

v1 -> v2:
 - Also fix purge_effective_progs(), in addition to
   replace_effective_prog() (Sashiko).
 - selftest: Set err on bpf_link_create() failure so the failure is
   reported to the caller (Sashiko).
====================

Link: https://patch.msgid.link/20260619063520.2690547-1-ameryhung@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2 weeks agoselftests/bpf: Test cgroup link replace with BPF_F_PREORDER
Amery Hung [Fri, 19 Jun 2026 06:35:20 +0000 (23:35 -0700)] 
selftests/bpf: Test cgroup link replace with BPF_F_PREORDER

Add a cgroup_preorder case that attaches a normal and a BPF_F_PREORDER
program to a cgroup (effective order [2, 1]), then replaces the normal
link's program via bpf_link_update() and checks the effective order
becomes [2, 3] — i.e. only the non-preorder slot changes. Without the
replace_effective_prog() fix the array is corrupted and the order is
wrong.

Signed-off-by: Amery Hung <ameryhung@gmail.com>
Acked-by: Yonghong Song <yonghong.song@linux.dev>
Link: https://lore.kernel.org/r/20260619063520.2690547-3-ameryhung@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2 weeks agobpf: Fix effective prog array index with BPF_F_PREORDER
Amery Hung [Fri, 19 Jun 2026 06:35:19 +0000 (23:35 -0700)] 
bpf: Fix effective prog array index with BPF_F_PREORDER

replace_effective_prog() and purge_effective_progs() located the slot in
the effective array by walking the program hlist and counting entries
linearly. That count does not match the array layout: compute_effective_
progs() places BPF_F_PREORDER programs at the front (ancestor cgroup
first, attach order within a cgroup) and the rest after them (descendant
cgroup first). So when a preorder program is present, the linear hlist
position no longer equals the program's index in the effective array.

For replace_effective_prog() (bpf_link_update()) this overwrote the
wrong slot, corrupting the effective order. For purge_effective_progs(),
it could dummy out a slot belonging to a different program and leave the
detached program in the array while bpf_prog_put() drops its reference,
i.e. a use-after-free.

Fix both by replaying compute_effective_progs()'s placement (including
the per-cgroup preorder reversal) in a shared effective_prog_pos()
helper. Identify the entry by its struct bpf_prog_list pointer rather
than by (prog, link) value, so the lookup resolves to exactly the
attachment the syscall selected even when the same bpf_prog is attached
to several cgroups in the hierarchy.

Fixes: 4b82b181a26c ("bpf: Allow pre-ordering for bpf cgroup progs")
Signed-off-by: Amery Hung <ameryhung@gmail.com>
Acked-by: Yonghong Song <yonghong.song@linux.dev>
Link: https://lore.kernel.org/r/20260619063520.2690547-2-ameryhung@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2 weeks agobpf: Fix BPF_PROG_ASSOC_STRUCT_OPS last field check
Thiébaud Weksteen [Thu, 18 Jun 2026 04:09:33 +0000 (14:09 +1000)] 
bpf: Fix BPF_PROG_ASSOC_STRUCT_OPS last field check

When struct prog_assoc_struct_ops was added,
BPF_PROG_ASSOC_STRUCT_OPS_LAST_FIELD referenced prog_fd instead of the
actual last field, flags.

Fixes: b5709f6d26d6 ("bpf: Support associating BPF program with struct_ops")
Signed-off-by: Thiébaud Weksteen <tweek@google.com>
Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
Acked-by: Yonghong Song <yonghong.song@linux.dev>
Link: https://lore.kernel.org/r/20260618040934.4113938-1-tweek@google.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2 weeks agobpf: zero-initialize the fib lookup flow struct
Avinash Duduskar [Wed, 17 Jun 2026 22:47:19 +0000 (04:17 +0530)] 
bpf: zero-initialize the fib lookup flow struct

bpf_ipv4_fib_lookup() and bpf_ipv6_fib_lookup() build the flow key on
the stack with a bare "struct flowi4 fl4;" / "struct flowi6 fl6;" and
fill it field by field, but never set flowi4_l3mdev / flowi6_l3mdev.

On the non-DIRECT path the lookup goes through the fib rules whenever the
netns has custom rules, which a VRF installs:

bpf_ipv4_fib_lookup() -> fib_lookup() -> __fib_lookup()
  -> l3mdev_update_flow()   reads !fl->flowi_l3mdev
  -> fib_rules_lookup() -> fib_rule_match()
       -> l3mdev_fib_rule_match()   uses fl->flowi_l3mdev

l3mdev_update_flow() resolves the l3mdev master from the ingress device
only while the field is still zero. Left at a nonzero stack value the
resolution is skipped, and l3mdev_fib_rule_match() then tests that value
as an ifindex, so the VRF master is not resolved and the rule fails to
match: an ingress enslaved to a VRF can fail to select its table. FIB
rules matching on an L3 master device (l3mdev_fib_rule_iif_match()/
_oif_match()) read the same value, so an "ip rule iif/oif <vrf>"
mismatches the same way.

Zero-initialize the whole flow struct rather than adding one more
field assignment, so any flowi field added later is covered too.
ip_route_input_slow() likewise zeroes the field before its input lookup.

CONFIG_INIT_STACK_ALL_ZERO masks this by default, but it depends on
compiler support (CC_HAS_AUTO_VAR_INIT_ZERO), so INIT_STACK_NONE builds,
including older toolchains that fall back to it, are exposed. Built with
INIT_STACK_ALL_PATTERN, a plain bpf_fib_lookup (no VLAN, no DIRECT) over a
VRF slave whose destination is routed only in the VRF table returns
BPF_FIB_LKUP_RET_NOT_FWDED, and resolves with this patch. On the default
config the lookup succeeds either way, so ordinary testing does not catch
the bug.

Fixes: 40867d74c374 ("net: Add l3mdev index to flow struct and avoid oif reset for port devices")
Signed-off-by: Avinash Duduskar <avinash.duduskar@gmail.com>
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Link: https://lore.kernel.org/r/20260617224719.1428599-1-avinash.duduskar@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2 weeks agobpftool: Fix vmlinux BTF leak in cgroup commands
Yichong Chen [Wed, 17 Jun 2026 09:01:17 +0000 (17:01 +0800)] 
bpftool: Fix vmlinux BTF leak in cgroup commands

bpftool cgroup show and tree call libbpf_find_kernel_btf() to
resolve attach_btf names, but never release the returned BTF object.

For cgroup tree, do_show_tree_fn() is called once for each cgroup
visited by nftw(). When more than one cgroup has attached programs,
each callback overwrites btf_vmlinux with a new object and loses the
previous allocation.

Load vmlinux BTF only once during a tree walk and release it when
cgroup show or tree completes. Reset btf_vmlinux_id at the same time
so batch mode starts with clean state.

Fixes: 596f5fb2ea2a ("bpftool: implement cgroup tree for BPF_LSM_CGROUP")
Signed-off-by: Yichong Chen <chenyichong@uniontech.com>
Reviewed-by: Quentin Monnet <qmo@kernel.org>
Link: https://lore.kernel.org/r/24357C69B4405079+20260617090117.280222-1-chenyichong@uniontech.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2 weeks agobpf: Add missing access_ok call to copy_user_syms
Jiri Olsa [Tue, 16 Jun 2026 08:30:56 +0000 (10:30 +0200)] 
bpf: Add missing access_ok call to copy_user_syms

As reported by sashiko we use __get_user without prior access_ok call on the
user space pointer. Adding the missing call for the whole pointer array.

Plus removing the err check in the error path, because it's not needed and
also we can return -ENOMEM directly from the first kvmalloc_array fail path.

Cc: stable@vger.kernel.org
[1] https://lore.kernel.org/bpf/20260611115503.AC16D1F00893@smtp.kernel.org/
Fixes: 0236fec57a15 ("bpf: Resolve symbols with ftrace_lookup_symbols for kprobe multi link")
Reported-by: Sashiko <sashiko-bot@kernel.org>
Closes: https://lore.kernel.org/bpf/20260611115503.AC16D1F00893@smtp.kernel.org/
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Link: https://lore.kernel.org/r/20260616083056.405652-1-jolsa@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2 weeks agobpf: Allow type tag BTF records to succeed other modifier records
Emil Tsalapatis [Tue, 16 Jun 2026 06:14:54 +0000 (02:14 -0400)] 
bpf: Allow type tag BTF records to succeed other modifier records

llvm commit [1] allowed attaching type tag records to modifier BTF
records. This is useful for using typedefs that encompass a base type
and a type tag, e.g.:

typedef struct rbtree __arena rbtree_t;

Modify btf_check_type_tags() so that it allows this sequence of records.
The function now only checks for record loops in BTF modifier record
chains. Rename to btf_check_modifier_chain_length to reflect this.

Also expand the BTF modifier traversal code to take into account that
type record can be interleaved with other modifier records. In effect
this means traversing all modifiers to collect the type tags.

Also modify existing selftests to now accept modifier records (const,
typedef) that point to type tag records.

[1] https://github.com/llvm/llvm-project/pull/203089

Signed-off-by: Emil Tsalapatis <emil@etsalapatis.com>
Link: https://lore.kernel.org/r/20260616061454.7869-1-emil@etsalapatis.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2 weeks agobpf: Emit verbose message when prog-specific btf_struct_access rejects a write
Alexei Starovoitov [Mon, 15 Jun 2026 23:21:46 +0000 (16:21 -0700)] 
bpf: Emit verbose message when prog-specific btf_struct_access rejects a write

When BPF_WRITE goes through a PTR_TO_BTF_ID register, check_ptr_to_btf_access()
delegates to env->ops->btf_struct_access(). Most implementations
(bpf_scx_btf_struct_access, tc_cls_act_btf_struct_access, etc.) return
-EACCES for disallowed fields without logging anything, so the verifier
rejects the program with an empty message. For example a scx program doing

  1: R1=trusted_ptr_task_struct()
  ...
  4: (7b) *(u64 *)(r1 +0) = r2
  verification time 83 usec
  the program is rejected

leaves the user guessing which field is off-limits.
Emit verbose message.

Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Acked-by: Yonghong Song <yonghong.song@linux.dev>
Link: https://lore.kernel.org/r/20260615232146.5491-1-alexei.starovoitov@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2 weeks agobpf: Fix build_id caching in stack_map_get_build_id_offset()
Ihor Solodrai [Mon, 15 Jun 2026 19:55:36 +0000 (12:55 -0700)] 
bpf: Fix build_id caching in stack_map_get_build_id_offset()

This patch is a follow up to recent implementation of
stack_map_get_build_id_offset_sleepable() [1].

stack_map_get_build_id_offset() and its sleepable variant each cached
only the last successfully resolved VMA, with separate bookkeeping in
each function. A run of IPs in a VMA with no usable build ID will
repeat the lookup for every frame: find_vma() in the non-sleepable
path, a VMA lock and a blocking build_id_parse_file() in the sleepable.

Factor the per-call cache into a shared struct stack_map_build_id_cache
with two independent slots [2][3], used by both functions:

  * resolved   - last VMA that produced a build ID (file, build_id and
                 range), reused to skip the lookup and the parse;
  * unresolved - last VMA with no usable build ID (range only), reused to
                 emit a raw IP without another lookup or parse.

Keeping the slots independent means a build-ID-less VMA no longer evicts
the last resolved build ID, so a trace alternating between a binary and a
region without one stops re-resolving the binary on every return.

The shared lookup tests [vm_start, vm_end), matching the sleepable path;
the non-sleepable path previously reused a build ID for ip == vm_end
(range_in_vma() is inclusive) and now re-resolves it correctly.

[1] https://lore.kernel.org/bpf/20260525223948.1920986-1-ihor.solodrai@linux.dev/
[2] https://lore.kernel.org/bpf/CAEf4Bza2fRDGhLQoPE-EzM7F34xaEJfi5Exmxb-iWVUN3F06=g@mail.gmail.com/
[3] https://lore.kernel.org/bpf/CAEf4BzZXJFr=1iiVx937ht=4PYQkQHg=eFk810zhMDzXQG3ihw@mail.gmail.com/

Suggested-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Ihor Solodrai <ihor.solodrai@linux.dev>
Link: https://lore.kernel.org/r/20260615195536.1065107-1-ihor.solodrai@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2 weeks agobpf: Fix partial copy of non-linear test_run output
Sun Jian [Wed, 17 Jun 2026 09:35:56 +0000 (17:35 +0800)] 
bpf: Fix partial copy of non-linear test_run output

For non-linear test_run output, bpf_test_finish() derives the linear
data copy length from copy_size - frag_size. This only matches the
linear data length when copy_size is the full packet size.

When userspace provides a short data_out buffer, copy_size is clamped to
that buffer size. If copy_size is smaller than frag_size, the computed
length becomes negative and bpf_test_finish() returns -ENOSPC before
copying the packet prefix or updating data_size_out.

Compute the linear data length from the packet layout instead, and clamp
the linear copy length to copy_size. This preserves the expected
partial-copy semantics: return -ENOSPC, copy the packet prefix that fits
in data_out, and report the full packet length through data_size_out.

Fixes: 7855e0db150ad ("bpf: test_run: add xdp_shared_info pointer in bpf_test_finish signature")
Signed-off-by: Sun Jian <sun.jian.kdev@gmail.com>
Acked-by: Paul Chaignon <paul.chaignon@gmail.com>
Link: https://lore.kernel.org/r/20260617093557.63880-2-sun.jian.kdev@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2 weeks agoMerge branch 'bpf-fix-stack-slot-index-for-spectre-v4-nospec-checks'
Alexei Starovoitov [Mon, 22 Jun 2026 00:51:58 +0000 (17:51 -0700)] 
Merge branch 'bpf-fix-stack-slot-index-for-spectre-v4-nospec-checks'

Nuoqi Gui says:

====================
bpf: Fix stack slot index for Spectre v4 nospec checks

check_stack_write_fixed_off() uses one byte-indexing scheme when checking
whether a fixed-offset stack write needs Spectre v4 sanitization, and another
scheme when recording the write into slot_type[].

For sub-8-byte writes this can make the sanitization check look at bytes that
are not overwritten by the write. A zeroed lower half-slot followed by a write
to the upper half-slot can therefore miss the nospec barrier for the second
write.

Use the same stack-byte index for the sanitization check and the slot update,
and add a focused verifier selftest that expects both half-slot writes to emit
nospec through the unprivileged loader lane.

Bounded impact: this fixes verifier/JIT Spectre v4 mitigation emission for a
fixed-offset stack-write corner case. No architectural verifier memory-safety
bypass, exploit chain, CVE, embargo, or security escalation is claimed.

Fixes: 2039f26f3aca ("bpf: Fix leakage due to insufficient speculative store bypass mitigation")
Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
---
Changes in v3:
- selftests/bpf: drop the stray space in the __xlated_unpriv stack-store
  expectations ("(r10 - 4)"/"(r10 - 8)" -> "(r10 -4)"/"(r10 -8)")
- Link to v2: https://lore.kernel.org/bpf/20260618-f01-11-stack-nospec-slot-index-v2-0-ede9495359b6@mails.tsinghua.edu.cn/

Changes in v2:
- drop __caps_unpriv(CAP_BPF) from the selftest
- fix selftest style
- use Fixes: 2039f26f3aca per review
- Link to v1: https://lore.kernel.org/bpf/20260617-f01-11-stack-nospec-slot-index-v1-0-e3a080b0cd7e@mails.tsinghua.edu.cn/
====================

Link: https://patch.msgid.link/20260618-f01-11-stack-nospec-slot-index-v3-0-780297041721@mails.tsinghua.edu.cn
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2 weeks agoselftests/bpf: Cover stack nospec slot indexing
Nuoqi Gui [Wed, 17 Jun 2026 17:50:27 +0000 (01:50 +0800)] 
selftests/bpf: Cover stack nospec slot indexing

Add a verifier test for the fixed-offset stack write case where two 4-byte
stores initialize opposite halves of the same stack slot.

The test runs through the unprivileged loader lane and expects both
half-slot writes to emit nospec in the translated program.

Acked-by: Luis Gerhorst <luis.gerhorst@fau.de>
Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
Link: https://lore.kernel.org/r/20260618-f01-11-stack-nospec-slot-index-v3-2-780297041721@mails.tsinghua.edu.cn
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2 weeks agobpf: Fix stack slot index in nospec checks
Nuoqi Gui [Wed, 17 Jun 2026 17:50:26 +0000 (01:50 +0800)] 
bpf: Fix stack slot index in nospec checks

check_stack_write_fixed_off() computes the byte slot for a fixed-offset
stack write as -off - 1, and records each written byte in slot_type[] with
(slot - i) % BPF_REG_SIZE.

The Spectre v4 sanitization pre-check uses slot_type[i] instead. For a
4-byte write at fp-8 after the lower half of fp-8 has been zeroed, the
pre-check scans bytes 0..3 and sees STACK_ZERO while the actual write updates
bytes 7..4. That can leave the second half-slot write without nospec_result
even though the bytes being overwritten still require sanitization.

Use the same slot index in the sanitization pre-check that the write path uses
when updating slot_type[].

Fixes: 2039f26f3aca ("bpf: Fix leakage due to insufficient speculative store bypass mitigation")
Acked-by: Luis Gerhorst <luis.gerhorst@fau.de>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
Link: https://lore.kernel.org/r/20260618-f01-11-stack-nospec-slot-index-v3-1-780297041721@mails.tsinghua.edu.cn
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2 weeks agortc: Use named initializers for platform_device_id arrays
Uwe Kleine-König (The Capable Hub) [Thu, 28 May 2026 06:48:12 +0000 (08:48 +0200)] 
rtc: Use named initializers for platform_device_id arrays

Named initializers are better readable and more robust to changes of the
struct definition. This robustness is relevant for a planned change to
struct platform_device_id replacing .driver_data by an anonymous union.

While touching these arrays unify spacing and usage of commas.

Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
Reviewed-by: Matti Vaittinen <mazziesaccount@gmail.com>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Acked-by: Karel Balej <balejk@matfyz.cz> # for Marvell 88PM886
Link: https://patch.msgid.link/d14b9076b2c7703708bcc5cc35f339cd97fc10cd.1779950275.git.u.kleine-koenig@baylibre.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2 weeks agortc: ab8500: Simplify driver_data handling
Uwe Kleine-König (The Capable Hub) [Thu, 28 May 2026 06:48:11 +0000 (08:48 +0200)] 
rtc: ab8500: Simplify driver_data handling

Instead of hiding the rtc ops for the only supported device behind an
abstraction for multi-device support, hardcode the used ops which gets rid
of the need to call platform_get_device_id and two casts.

Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Link: https://patch.msgid.link/a909d3c59d00756130ac16051ceedbec0ce9cec7.1779950275.git.u.kleine-koenig@baylibre.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2 weeks agortc: Drop unused assignment of platform_device_id driver data
Uwe Kleine-König (The Capable Hub) [Thu, 28 May 2026 06:48:10 +0000 (08:48 +0200)] 
rtc: Drop unused assignment of platform_device_id driver data

The two drivers explicitly set the .driver_data member of struct
platform_device_id to zero without relying on that value. Drop this
unused assignments.

While touching these array unify spacing, usage of commas and use named
initializers for .name.

Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
Reviewed-by: Tzung-Bi Shih <tzungbi@kernel.org>
Link: https://patch.msgid.link/9ec7a174605a17dd19c011ee2253de28d09b02bd.1779950275.git.u.kleine-koenig@baylibre.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2 weeks agortc: Use named initializers for arrays of i2c_device_data
Uwe Kleine-König (The Capable Hub) [Fri, 15 May 2026 15:47:20 +0000 (17:47 +0200)] 
rtc: Use named initializers for arrays of i2c_device_data

While being less compact, using named initializers allows to more easily
see which members of the structs are assigned which value without having
to lookup the declaration of the struct. And it's also more robust
against changes to the struct definition.

The mentioned robustness is relevant for a planned change to struct
i2c_device_id that replaces .driver_data by an anonymous union.

While touching all these arrays, unify usage of whitespace and commas.

This patch doesn't modify the compiled arrays, only their representation
in source form benefits. The former was confirmed with x86 and arm64
builds.

Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
Reviewed-by: Tóth János <gomba007@gmail.com>
Link: https://patch.msgid.link/20260515154720.406128-2-u.kleine-koenig@baylibre.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2 weeks agortc: ds1307: handle oscillator stop flag for ds1337/ds1339/ds3231
Ronan Dalton [Fri, 8 May 2026 03:24:49 +0000 (15:24 +1200)] 
rtc: ds1307: handle oscillator stop flag for ds1337/ds1339/ds3231

Prior to commit 48458654659c ("rtc: ds1307: remove clear of oscillator
stop flag (OSF) in probe"), the oscillator stop flag (OSF) bit was
checked during device probe for the ds1337, ds1339, ds1341, and ds3231
chips; if it was set, it would be cleared and a warning would be logged
saying "SET TIME!". Since that commit, the OSF bit is no longer cleared,
but the warning is still printed.

Directly following that commit, there was no way to get rid of this
warning because nothing cleared the OSF bit on these chips.

The commit associated with the previous commit, 523923cfd5d6 ("rtc:
ds1307: handle oscillator stop flag (OSF) for ds1341"), made proper use
of the OSF when getting and setting the time in the RTC. However, the
other RTC variants ds1337, ds1339 and ds3231 didn't have a corresponding
change made.

Given that the OSF bit is no longer cleared at probe time when it is
set, the remaining three chips should have the same handling as the
ds1341 chip has for the OSF bit.

Fix the issue on the ds1337, ds1339 and ds3231 chips by applying the
same logic as the ds1341 has to these chips.

Note that any devices brought up between the first referenced commit and
this one may begin mistrusting the time reported by the RTC until it is
set again, if the bit was never explicitly cleared.

Note that only the ds1339 was tested with this change, but the
datasheets for the other chips contain essentially identical
descriptions of the OSF bit so the same change should work.

Signed-off-by: Ronan Dalton <ronan.dalton@alliedtelesis.co.nz>
Cc: linux-rtc@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
Cc: Tyler Hicks <code@tyhicks.com>
Cc: Sasha Levin <sashal@kernel.org>
Cc: Meagan Lloyd <meaganlloyd@linux.microsoft.com>
Cc: Rodolfo Giometti <giometti@enneenne.com>
Cc: Chris Packham <chris.packham@alliedtelesis.co.nz>
Fixes: 48458654659c ("rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe")
Reviewed-by: Meagan Lloyd <meaganlloyd@linux.microsoft.com>
Reviewed-by: Tyler Hicks <code@tyhicks.com>
Link: https://patch.msgid.link/20260508032518.3696705-2-ronan.dalton@alliedtelesis.co.nz
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2 weeks agortc: mpfs: fix counter upload completion condition
Conor Dooley [Wed, 13 May 2026 17:55:55 +0000 (18:55 +0100)] 
rtc: mpfs: fix counter upload completion condition

The condition that needs to be checked for upload completion is the
UPLOAD bit in the completion register going low. The original iterations
of this driver used a do-while and this was converted to a
read_poll_timeout() during upstreaming without the condition being
inverted as it should have been.

I suspect that this went unnoticed until now because a) the first read
was done when the bit was still set, immediately completing the
read_poll_timeout() and b) because the RTC doesn't hold time when power
is removed from the SoC reducing its utility (I for one keep it
disabled). If my first suspicion was true when the driver was
upstreamed, it's not true any longer though, hence the detection of the
problem.

Fixes: 0b31d703598dc ("rtc: Add driver for Microchip PolarFire SoC")
CC: stable@vger.kernel.org
Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
Tested-by: Valentina Fernandez <valentina.fernandezalanis@microchip.com>
Link: https://patch.msgid.link/20260513-panhandle-ashy-70c6abf84d59@spud
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2 weeks agortc: abx80x: fix the RTC_VL_CLR clearing all status flags
Antoni Pokusinski [Wed, 15 Apr 2026 16:06:11 +0000 (18:06 +0200)] 
rtc: abx80x: fix the RTC_VL_CLR clearing all status flags

The RTC_VL_CLR ioctl intends to clear only the battery low flag (BLF),
however the current implementation writes 0 to the status register,
clearing all status bits.

Fix this by writing back the masked status value so that only BLF is
cleared, preserving other status flags.

Fixes: ffe1c5a2d427 ("rtc: abx80x: Implement RTC_VL_READ,CLR ioctls")
Signed-off-by: Antoni Pokusinski <apokusinski01@gmail.com>
Link: https://patch.msgid.link/20260415160610.127155-2-apokusinski01@gmail.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2 weeks agortc: renesas-rtca3: Factor out year decoding helper
Lad Prabhakar [Tue, 2 Jun 2026 19:25:59 +0000 (20:25 +0100)] 
rtc: renesas-rtca3: Factor out year decoding helper

The logic to decode the year value from the hardware registers is
duplicated in both rtca3_read_time() and rtca3_read_alarm().

Introduce a helper rtca3_decode_year() to centralize this conversion.

Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Reviewed-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Tested-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com> # on RZ/G3S
Link: https://patch.msgid.link/20260602192559.1791344-6-prabhakar.mahadev-lad.rj@bp.renesas.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2 weeks agortc: renesas-rtca3: Fix typo in rtca3_ppb_per_cycle documentation
Lad Prabhakar [Tue, 2 Jun 2026 19:25:58 +0000 (20:25 +0100)] 
rtc: renesas-rtca3: Fix typo in rtca3_ppb_per_cycle documentation

Correct a typo in the kernel-doc comment for struct
rtca3_ppb_per_cycle by fixing "adjutment" to "adjustment".

Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Reviewed-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Tested-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com> # on RZ/G3S
Link: https://patch.msgid.link/20260602192559.1791344-5-prabhakar.mahadev-lad.rj@bp.renesas.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2 weeks agortc: renesas-rtca3: Fix incorrect error message for reset assert
Lad Prabhakar [Tue, 2 Jun 2026 19:25:57 +0000 (20:25 +0100)] 
rtc: renesas-rtca3: Fix incorrect error message for reset assert

Update the message to "assert reset" to accurately reflect the
operation being performed.

Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Reviewed-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Tested-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com> # on RZ/G3S
Link: https://patch.msgid.link/20260602192559.1791344-4-prabhakar.mahadev-lad.rj@bp.renesas.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2 weeks agortc: renesas-rtca3: Check RADJ poll result during initial setup
Lad Prabhakar [Tue, 2 Jun 2026 19:25:56 +0000 (20:25 +0100)] 
rtc: renesas-rtca3: Check RADJ poll result during initial setup

In rtca3_initial_setup(), the driver clears the RTCA3_RADJ register and
waits for it to reach zero using readb_poll_timeout(). Check the return
value of readb_poll_timeout() and propagate the error if the poll fails.

Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Reviewed-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Tested-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com> # on RZ/G3S
Link: https://patch.msgid.link/20260602192559.1791344-3-prabhakar.mahadev-lad.rj@bp.renesas.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2 weeks agortc: renesas-rtca3: Fix PIE clear polling condition in alarm setup error path
Lad Prabhakar [Tue, 2 Jun 2026 19:25:55 +0000 (20:25 +0100)] 
rtc: renesas-rtca3: Fix PIE clear polling condition in alarm setup error path

In rtca3_set_alarm(), the setup_failed path attempts to disable the
Periodic Interrupt Enable (PIE) bit and wait until it is cleared.
However, the polling condition passed to readb_poll_timeout_atomic()
uses an incorrect expression:

    !(tmp & ~RTCA3_RCR1_PIE)

As ~RTCA3_RCR1_PIE evaluates to a mask of all bits except PIE, the
condition effectively waits for all non-PIE bits to become zero, which
is unrelated to the intended operation and is unlikely to ever be true.
This causes the poll to time out unnecessarily.

Fix the condition to check for the PIE bit itself being cleared:

    !(tmp & RTCA3_RCR1_PIE)

This correctly waits until PIE is deasserted after being cleared.

Fixes: d4488377609e3 ("rtc: renesas-rtca3: Add driver for RTCA-3 available on Renesas RZ/G3S SoC")
Cc: stable@vger.kernel.org
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Reviewed-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Tested-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com> # on RZ/G3S
Link: https://patch.msgid.link/20260602192559.1791344-2-prabhakar.mahadev-lad.rj@bp.renesas.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2 weeks agodt-bindings: rtc: epson,rx6110: Convert to DT Schema
Udaya Kiran Challa [Thu, 14 May 2026 17:33:32 +0000 (23:03 +0530)] 
dt-bindings: rtc: epson,rx6110: Convert to DT Schema

Convert the Epson RX6110 Real Time Clock devicetree binding
from the legacy text format to DT schema.

Signed-off-by: Udaya Kiran Challa <challauday369@gmail.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Link: https://patch.msgid.link/20260514173851.25088-1-challauday369@gmail.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2 weeks agoMerge tag 'amd-drm-fixes-7.2-2026-06-19' of https://gitlab.freedesktop.org/agd5f...
Dave Airlie [Sun, 21 Jun 2026 23:03:36 +0000 (09:03 +1000)] 
Merge tag 'amd-drm-fixes-7.2-2026-06-19' of https://gitlab.freedesktop.org/agd5f/linux into drm-next

amd-drm-fixes-7.2-2026-06-19:

amdgpu:
- devcoredump fixes
- SMU15 fix
- Various irq put/get imbalance cleanup fixes
- 8K panel fix
- DCN3.5 fix
- lockdep fix
- Cleaner shader sysfs IB overflow fix
- Async flip fixes
- GET_MAPPING_INFO fix
- CP_GFX_SHADOW fix
- Ctx pstate handling fix
- GTT bo move handling fixes
- Old UVD BO placement fixes
- GC9 mode2 reset fix
- IH6.1 version fix
- Soft IH ring fix

amdkfd:
- Fix doorbell/mmio double unpin on free
- CRIU fixes
- SMI event fixes
- Sysfs teardown fix
- Various boundary checking fixes
- Various error checking fixes
- SVM fix

radeon:
- r100_copy_blit fix for large BOs

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Alex Deucher <alexander.deucher@amd.com>
Link: https://patch.msgid.link/20260619152610.776982-1-alexander.deucher@amd.com
2 weeks agoMerge tag 'drm-xe-next-fixes-2026-06-17' of https://gitlab.freedesktop.org/drm/xe...
Dave Airlie [Sun, 21 Jun 2026 22:57:17 +0000 (08:57 +1000)] 
Merge tag 'drm-xe-next-fixes-2026-06-17' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-next

- Set TTM beneficial order to 9 in Xe
- Several error path cleanups
- Fix TDR for unstarted jobs on kernel queues
- Several TLB invalidation fixes related to suspending LR queues
- Some small RAS fixes
- Multi-queue suspend fix for LR queues
- Revert inclusion of NVL_S firmware

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Matthew Brost <matthew.brost@intel.com>
Link: https://patch.msgid.link/ajLy2brwvOZEFNNN@gsse-cloud1.jf.intel.com
2 weeks agoMerge tag 'drm-intel-next-fixes-2026-06-17' of https://gitlab.freedesktop.org/drm...
Dave Airlie [Sun, 21 Jun 2026 22:52:33 +0000 (08:52 +1000)] 
Merge tag 'drm-intel-next-fixes-2026-06-17' of https://gitlab.freedesktop.org/drm/i915/kernel into drm-next

Only a few simple display fixes around DP MST, CRTC color
state, and PLL sequencing.

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Rodrigo Vivi <rodrigo.vivi@intel.com>
Link: https://patch.msgid.link/ajJxbrt3a_USBecY@intel.com
2 weeks agoerofs: simplify RCU read critical sections
Gao Xiang [Fri, 19 Jun 2026 08:34:03 +0000 (16:34 +0800)] 
erofs: simplify RCU read critical sections

 - use scoped_guard() for RCU read critical section in
   z_erofs_decompress_kickoff();

 - simplify the RCU critical section loop in
   z_erofs_pcluster_begin().

Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
2 weeks agoerofs: add sparse support to pcluster layout
Gao Xiang [Sun, 21 Jun 2026 19:44:14 +0000 (03:44 +0800)] 
erofs: add sparse support to pcluster layout

Although zeros can be compressed transparently on EROFS using fixed-size
output compression so that it is never prioritized in the Android use
cases, indicating entire pclusters as holes is still useful to preserve
holes in the sparse datasets; otherwise overlayfs will allocate more
space when copying up, and SEEK_HOLE won't report any hole.

This patch introduces two ways to mark a pcluster as a hole:

 - A new Z_EROFS_LI_HOLE compatible flag (bit 14) in the HEAD lcluster
   advise field for non-compact (full) indexes;

 - A 0-block CBLKCNT value on the first NONHEAD lcluster.

The hole tag is preferred for maximum compatibility since pre-existing
kernels that do not understand Z_EROFS_LI_HOLE will decompress at the
stored blkaddr (the same blkaddr will be shared among all sparse
pclusters).  Only the 0-block CBLKCNT approach also works for compact
indexes, but it is limited to big pclusters and new kernels.

Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
2 weeks agodpaa2-switch: do not accept VLAN uppers while bridged
Ioana Ciornei [Thu, 18 Jun 2026 09:28:12 +0000 (12:28 +0300)] 
dpaa2-switch: do not accept VLAN uppers while bridged

The dpaa2-switch driver does not support VLAN uppers while its ports are
bridged. This scenario tried to be prevented by rejecting a bridge join
while VLAN uppers exist but the reverse order was still possible.

This patches adds a check so that the dpaa2-switch also does not accept
VLAN uppers while bridged.

Fixes: f48298d3fbfa ("staging: dpaa2-switch: move the driver out of staging")
Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Link: https://patch.msgid.link/20260618092813.432535-2-ioana.ciornei@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2 weeks agoipv6: ioam: fix type confusion of dst_entry
Jiayuan Chen [Thu, 18 Jun 2026 10:43:35 +0000 (18:43 +0800)] 
ipv6: ioam: fix type confusion of dst_entry

IOAM uses a dummy dst_entry(null_dst) to mark that the destination should
not be changed after the transformation. This dst is stored in the IOAM lwt
state and may be passed to dst_cache_set_ip6().

However, the IPv6 dst cache path eventually calls rt6_get_cookie(), which
treats the dst_entry as part of a struct rt6_info. Since the null_dst was
embedded directly as a struct dst_entry in struct ioam6_lwt, this resulted
in an invalid cast and rt6_get_cookie() reading fields from the wrong
object.

In practice, the wrong cookie is not used while dst->obsolete is zero, but
rt6_get_cookie() may also access per-cpu value when rt->sernum is
zero. In this case, rt->sernum aliases ioam6_lwt::cache::reset_ts, which
can become zero, making this a potential invalid pointer access.

Fix this by embedding a full struct rt6_info for the dummy IPv6 route and
passing its dst member to the dst APIs.

Fixes: 47ce7c854563 ("net: ipv6: ioam6: fix double reallocation")
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Reviewed-by: Justin Iurman <justin.iurman@gmail.com>
Link: https://patch.msgid.link/20260618104336.48934-1-jiayuan.chen@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2 weeks agoMerge branch 'ipv4-ipv6-account-for-fraggap-on-paged-allocation-paths'
Jakub Kicinski [Sun, 21 Jun 2026 22:24:52 +0000 (15:24 -0700)] 
Merge branch 'ipv4-ipv6-account-for-fraggap-on-paged-allocation-paths'

Wongi Lee says:

====================
ipv4/ipv6: account for fraggap on paged allocation paths

Fix fraggap accounting in the paged-allocation paths of IPv4 and IPv6.

The IPv6 patch is the v4 update of the previously posted patch. The IPv4
patch handles the same code pattern (by Ido).

v3: https://lore.kernel.org/aiq3f7UZGFp0F3MV@DESKTOP-19IMU7U.localdomain
v2: https://lore.kernel.org/aigx83czv+UJZA0d@DESKTOP-19IMU7U.localdomain
v1: https://lore.kernel.org/aibiIYMAwUErTw5U@DESKTOP-19IMU7U.localdomain
====================

Link: https://patch.msgid.link/ajFQn6yh43eDeQm9@DESKTOP-19IMU7U.localdomain
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2 weeks agoipv6: account for fraggap on the paged allocation path
Wongi Lee [Tue, 16 Jun 2026 13:46:17 +0000 (22:46 +0900)] 
ipv6: account for fraggap on the paged allocation path

In __ip6_append_data(), when the paged-allocation branch is taken
(MSG_MORE / NETIF_F_SG / large fraglen), alloclen and pagedlen are
computed as

alloclen = fragheaderlen + transhdrlen;
pagedlen = datalen - transhdrlen;

datalen already includes fraggap (datalen = length + fraggap). When
fraggap is non-zero, this is not the first skb and transhdrlen is zero.
The fraggap bytes carried over from the previous skb are copied just past
the fragment headers in the new skb's linear area. The linear area is
therefore undersized by fraggap bytes while pagedlen is overstated by the
same amount, and the copy writes past skb->end into the trailing
skb_shared_info.

An unprivileged user can trigger this via a UDPv6 socket using
MSG_MORE together with MSG_SPLICE_PAGES.

The bad accounting was introduced by commit 773ba4fe9104 ("ipv6:
avoid partial copy for zc"). Before commit ce650a166335 ("udp6: Fix
__ip6_append_data()'s handling of MSG_SPLICE_PAGES"), the negative
copy value caused -EINVAL to be returned. That later commit allowed
MSG_SPLICE_PAGES to proceed in this case, making the corruption
triggerable.

The non-paged branch sets alloclen to fraglen, which already accounts
for fraggap because datalen does. Bring the paged branch in line by
adding fraggap to alloclen and subtracting it from pagedlen.

After this adjustment, copy no longer collapses to -fraggap on the
paged path, so remove the stale comment describing that old arithmetic.
Since a negative copy is no longer expected for a valid MSG_SPLICE_PAGES
case, remove the MSG_SPLICE_PAGES exception from the negative copy check.

Fixes: 773ba4fe9104 ("ipv6: avoid partial copy for zc")
Signed-off-by: Jungwoo Lee <jwlee2217@gmail.com>
Signed-off-by: Wongi Lee <qw3rtyp0@gmail.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/ajFTqRljatR17fFy@DESKTOP-19IMU7U.localdomain
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2 weeks agoipv4: account for fraggap on the paged allocation path
Wongi Lee [Tue, 16 Jun 2026 13:38:29 +0000 (22:38 +0900)] 
ipv4: account for fraggap on the paged allocation path

In __ip_append_data(), when the paged-allocation branch is taken,
alloclen and pagedlen are computed as

alloclen = fragheaderlen + transhdrlen;
pagedlen = datalen - transhdrlen;

datalen already includes fraggap, but the fraggap bytes carried over
from the previous skb are copied into the new skb's linear area at
offset transhdrlen by the subsequent skb_copy_and_csum_bits(). The
linear area is therefore undersized by fraggap bytes while pagedlen is
overstated by the same amount.

The non-paged branch sets alloclen to fraglen, which already accounts
for fraggap because datalen does. Bring the paged branch in line by
adding fraggap to alloclen and subtracting it from pagedlen.

After this adjustment, copy no longer collapses to -fraggap on the
paged path, so remove the stale comment describing that old arithmetic.

Fixes: 8eb77cc73977 ("ipv4: avoid partial copy for zc")
Signed-off-by: Jungwoo Lee <jwlee2217@gmail.com>
Signed-off-by: Wongi Lee <qw3rtyp0@gmail.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/ajFR1eLAIs42TN3g@DESKTOP-19IMU7U.localdomain
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2 weeks agoselftests/tc-testing: Add DualPI2 GSO backlog accounting test
Xingquan Liu [Fri, 19 Jun 2026 15:13:48 +0000 (11:13 -0400)] 
selftests/tc-testing: Add DualPI2 GSO backlog accounting test

Add a regression test for DualPI2 GSO backlog accounting when it is
used as a child qdisc of QFQ.

The test sends one UDP GSO datagram through a QFQ class with DualPI2 as
the leaf qdisc. DualPI2 splits the skb into two segments. After the
traffic drains, both QFQ and DualPI2 must report zero backlog and zero
qlen.

On kernels with the broken accounting, QFQ can keep a stale non-zero
qlen after all real packets have been dequeued.

Signed-off-by: Xingquan Liu <b1n@b1n.io>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Victor Nogueira <victor@mojatatu.com>
Link: https://patch.msgid.link/20260619151447.223640-2-b1n@b1n.io
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2 weeks agonet/sched: dualpi2: fix GSO backlog accounting
Xingquan Liu [Fri, 19 Jun 2026 15:13:47 +0000 (11:13 -0400)] 
net/sched: dualpi2: fix GSO backlog accounting

When DualPI2 splits a GSO skb into N segments, it propagates N
additional packets to its parent before returning NET_XMIT_SUCCESS.
The parent then accounts for the original skb once more, leaving its
qlen one larger than the number of packets actually queued.

With QFQ as the parent, after all real packets are dequeued, QFQ still
has a non-zero qlen while its in-service aggregate has no active
classes. qfq_choose_next_agg() returns NULL and qfq_dequeue() passes
the result to qfq_peek_skb(), causing a NULL pointer dereference.

Follow the same pattern used by tbf_segment() and taprio: count only
successfully queued segments, propagate the difference between the
original skb and those segments, and return NET_XMIT_SUCCESS whenever
at least one segment was queued.

Fixes: 8f9516daedd6 ("sched: Add enqueue/dequeue of dualpi2 qdisc")
Cc: stable@vger.kernel.org
Signed-off-by: Xingquan Liu <b1n@b1n.io>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Victor Nogueira <victor@mojatatu.com>
Link: https://patch.msgid.link/20260619151447.223640-1-b1n@b1n.io
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2 weeks agoipv6: ndisc: fix NULL deref in accept_untracked_na()
Weiming Shi [Wed, 17 Jun 2026 06:55:13 +0000 (14:55 +0800)] 
ipv6: ndisc: fix NULL deref in accept_untracked_na()

accept_untracked_na() re-fetches the inet6_dev with __in6_dev_get(dev)
and dereferences idev->cnf.accept_untracked_na without a NULL check,
even though its only caller ndisc_recv_na() already fetched and
NULL-checked idev for the same device.

Both reads of dev->ip6_ptr run in the same RCU read-side critical
section, but a concurrent addrconf_ifdown() can clear dev->ip6_ptr
between them: lowering the MTU below IPV6_MIN_MTU calls addrconf_ifdown()
without the synchronize_net() that orders the unregister path, so the
re-fetch returns NULL and oopses:

 BUG: KASAN: null-ptr-deref in ndisc_recv_na (net/ipv6/ndisc.c:974)
 Read of size 4 at addr 0000000000000364
 Call Trace:
  <IRQ>
  ndisc_recv_na (net/ipv6/ndisc.c:974)
  icmpv6_rcv (net/ipv6/icmp.c:1193)
  ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:479)
  ip6_input_finish (net/ipv6/ip6_input.c:534)
  ip6_input (net/ipv6/ip6_input.c:545)
  ip6_mc_input (net/ipv6/ip6_input.c:635)
  ipv6_rcv (net/ipv6/ip6_input.c:351)
  </IRQ>

It is reachable by an unprivileged user via a network namespace.

Pass the caller's already validated idev instead of re-fetching it; the
idev stays alive for the whole RCU critical section, so it is safe even
after dev->ip6_ptr has been cleared.

Fixes: aaa5f515b16b ("net: ipv6: new accept_untracked_na option to accept na only if in-network")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Link: https://patch.msgid.link/20260617065512.2529757-2-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2 weeks agonet: sit: require CAP_NET_ADMIN in the device netns for changelink
Maoyi Xie [Thu, 18 Jun 2026 07:08:17 +0000 (15:08 +0800)] 
net: sit: require CAP_NET_ADMIN in the device netns for changelink

ipip6_changelink() operates on at most two netns, dev_net(dev) and the
tunnel link netns t->net. They differ once the device is created in or
moved to a netns other than the one the request runs in. The rtnl
changelink path checks CAP_NET_ADMIN only against dev_net(dev), so a
caller privileged there but not in t->net can rewrite a tunnel that
lives in t->net.

Gate ipip6_changelink() on rtnl_dev_link_net_capable() at its top,
before any attribute is parsed. sit was the one tunnel type not covered
by the recent series that added this check to the other changelink()
handlers.

Fixes: 5e6700b3bf98 ("sit: add support of x-netns")
Link: https://lore.kernel.org/netdev/20260612085941.3158249-1-maoyixie.tju@gmail.com/
Cc: stable@vger.kernel.org
Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
Reviewed-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260618070817.3378283-1-maoyixie.tju@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2 weeks agonet: airoha: Fix skb->priority underflow in airoha_dev_select_queue()
Wayen Yan [Sat, 20 Jun 2026 08:17:44 +0000 (16:17 +0800)] 
net: airoha: Fix skb->priority underflow in airoha_dev_select_queue()

In airoha_dev_select_queue(), the expression:

  queue = (skb->priority - 1) % AIROHA_NUM_QOS_QUEUES;

implicitly converts to unsigned arithmetic: when skb->priority is 0
(the default for unclassified traffic), (0u - 1u) wraps to UINT_MAX,
and UINT_MAX % 8 = 7, routing default best-effort packets to the
highest-priority QoS queue. This causes QoS inversion where the
majority of traffic on a PON gateway starves actual high-priority
flows (VoIP, gaming, etc.).

The "- 1" offset was a leftover from the ETS offload implementation
that has since been removed. The correct mapping is a direct modulo:

  queue = skb->priority % AIROHA_NUM_QOS_QUEUES;

This maps priority 0 → queue 0 (lowest), priority 7 → queue 7
(highest), with higher priorities wrapping around. This is the
standard Linux sk_prio → HW queue mapping used by other drivers.

Fixes: 2b288b81560b ("net: airoha: Introduce ndo_select_queue callback")
Link: https://lore.kernel.org/netdev/178185573207.2378135.3729126358670287878@gmail.com/
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Reviewed-by: Joe Damato <joe@dama.to>
Signed-off-by: Wayen Yan <win847@gmail.com>
Link: https://patch.msgid.link/178194366700.2485734.5368768965976693502@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2 weeks agonet/sched: act_ct: fix nf_connlabels leak on two error paths
Michael Bommarito [Wed, 17 Jun 2026 21:57:08 +0000 (17:57 -0400)] 
net/sched: act_ct: fix nf_connlabels leak on two error paths

tcf_ct_fill_params() calls nf_connlabels_get() (setting put_labels) when
TCA_CT_LABELS is present, but two later error sites use a bare return
instead of "goto err", skipping the err: nf_connlabels_put() cleanup.
They also precede the "p->put_labels = put_labels" assignment, so the
tcf_ct_params_free() fallback does not release the count either. Each
failed RTM_NEWACTION on these paths leaks one nf_connlabels reference:
net->ct.labels_used is incremented and never released. The action is
reachable with CAP_NET_ADMIN over the netns, i.e. from an unprivileged
user namespace on default-userns kernels.

Impact: an unprivileged user with CAP_NET_ADMIN over a network namespace
(e.g. via user namespaces) leaks one nf_connlabels reference per failed
RTM_NEWACTION on the two error paths; net->ct.labels_used is never
released.

The err: label is safe to reach from both sites: p->tmpl is still NULL
there (kzalloc'd, not yet assigned) and nf_ct_put(NULL) is a no-op, so
no inline release is needed.

Fixes: 70f06c115bcc ("sched: act_ct: switch to per-action label counting")
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260617215708.1115818-1-michael.bommarito@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2 weeks agonet: emac: Fix NULL pointer dereference in emac_probe
Rosen Penev [Thu, 18 Jun 2026 02:34:05 +0000 (19:34 -0700)] 
net: emac: Fix NULL pointer dereference in emac_probe

Move devm_request_irq() after devm_platform_ioremap_resource() so that
dev->emacp is mapped before the interrupt handler can fire.  An early
interrupt hitting emac_irq() would dereference the NULL dev->emacp and
crash.

Also remove redundant error message. devm_platform_ioremap_resource()
already returns an error message with dev_err_probe().

Fixes: dcc34ef7c834 ("net: ibm: emac: manage emac_irq with devm")
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20260618023405.415644-1-rosenp@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2 weeks agoMerge tag 'ieee802154-for-net-next-2026-06-20' of git://git.kernel.org/pub/scm/linux...
Jakub Kicinski [Sun, 21 Jun 2026 21:55:41 +0000 (14:55 -0700)] 
Merge tag 'ieee802154-for-net-next-2026-06-20' of git://git.kernel.org/pub/scm/linux/kernel/git/wpan/wpan-next

Stefan Schmidt says:

====================
pull-request: ieee802154-next 2026-06-20

An overdue pull request for ieee802154, catching up on all the AI found issues
at last.

Shitalkumar Gandhi fixed problems in the ca8210 driver for cases where we could
have a leak or a pointer truncation.

Robertus Diawan Chris made sure we do not overwrite the return code when
associating.

Michael Bommarito worked on properly gating our netlink API use in the llsec
security context.

Ivan Abramov cleaned up the netns cases as he did in other subsystems.

Doruk Tan Ozturk ensures we have the correct skn ready in cryptoo operation (to
avoid a  silent overwrite).

Aleksandr Nogikh fixed a kernel-infoleak detected by syzbot.

* tag 'ieee802154-for-net-next-2026-06-20' of git://git.kernel.org/pub/scm/linux/kernel/git/wpan/wpan-next:
  ieee802154: allow legacy LLSEC ADD/DEL ops to pass strict validation
  ieee802154: admin-gate legacy LLSEC dump operations
  mac802154: Prevent overwrite return code in mac802154_perform_association()
  ieee802154: fix kernel-infoleak in dgram_recvmsg()
  mac802154: llsec: add skb_cow_data() before in-place crypto
  ieee802154: ca8210: fix pointer truncation in kfifo on 64-bit
  ieee802154: ca8210: fix cas_ctl leak on spi_async failure
  ieee802154: Remove WARN_ON() in cfg802154_pernet_exit()
  ieee802154: Avoid calling WARN_ON() on -ENOMEM in cfg802154_switch_netns()
  ieee802154: Restore initial state on failed device_rename() in cfg802154_switch_netns()
====================

Link: https://patch.msgid.link/20260620174903.1010671-1-stefan@datenfreihafen.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2 weeks agoMerge tag 'batadv-net-pullrequest-20260619' of https://git.open-mesh.org/batadv
Jakub Kicinski [Sun, 21 Jun 2026 21:53:06 +0000 (14:53 -0700)] 
Merge tag 'batadv-net-pullrequest-20260619' of https://git.open-mesh.org/batadv

Simon Wunderlich says:

====================
Here are some batman-adv bugfixes, all by Sven Eckelmann:

- gw: don't deselect gateway with active hardif

- TTL fixes in bcast/mcast and fragmentation handling (4 patches)

- BATMAN V: prevent OGM aggregation on disabled hardif

- tp_meter: concurrency and range fixes, add cap to unacked list
  (4 patches)

- tt: fix unchecked VLAN ID in tt for local add and roam (2 patches)

- dat: check VLAN ID in the hash

- tvlv: enforce 2-byte alignment

- tvlv: avoid race of cifsnotfound handler state

* tag 'batadv-net-pullrequest-20260619' of https://git.open-mesh.org/batadv:
  batman-adv: tvlv: avoid race of cifsnotfound handler state
  batman-adv: tvlv: enforce 2-byte alignment
  batman-adv: dat: prevent false sharing between VLANs
  batman-adv: tt: track roam count per VID
  batman-adv: tt: don't merge change entries with different VIDs
  batman-adv: tp_meter: handle overlapping packets
  batman-adv: tp_meter: prevent parallel modifications of last_recv
  batman-adv: tp_meter: annotate last_recv_time access with READ/WRITE_ONCE
  batman-adv: tp_meter: restrict number of unacked list entries
  batman-adv: v: prevent OGM aggregation on disabled hardif
  batman-adv: frag: avoid underflow of TTL
  batman-adv: frag: ensure fragment is writable before modifying TTL
  batman-adv: fix (m|b)cast csum after decrementing TTL
  batman-adv: ensure bcast is writable before modifying TTL
  batman-adv: gw: don't deselect gateway with active hardif
====================

Link: https://patch.msgid.link/20260619070045.438101-1-sw@simonwunderlich.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2 weeks agoocteontx2-pf: mcs: Fix mcs resources free on PF shutdown
Geetha sowjanya [Tue, 16 Jun 2026 19:00:20 +0000 (00:30 +0530)] 
octeontx2-pf: mcs: Fix mcs resources free on PF shutdown

On PF shutdown, the current driver free mcs hardware
resources though mcs resources are not allocated to it.
This patch checks the mcs resources status and if resources
are allocated then only sends mailbox message to free them.

Fixes: c54ffc73601c ("octeontx2-pf: mcs: Introduce MACSEC hardware offloading")
Signed-off-by: Geetha sowjanya <gakula@marvell.com>
Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
Link: https://patch.msgid.link/1781636420-19816-3-git-send-email-sbhatta@marvell.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2 weeks agoocteontx2-pf: Clear stats of all resources when freeing resources
Subbaraya Sundeep [Tue, 16 Jun 2026 19:00:19 +0000 (00:30 +0530)] 
octeontx2-pf: Clear stats of all resources when freeing resources

When all MCS resources mapped to a PF are being freed then clear
stats of all those resources too.

Fixes: 815debbbf7b5 ("octeontx2-pf: mcs: Clear stats before freeing resource")
Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
Link: https://patch.msgid.link/1781636420-19816-2-git-send-email-sbhatta@marvell.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2 weeks agoocteontx2-af: mcs: Fix unsupported secy stats read
Geetha sowjanya [Tue, 16 Jun 2026 19:00:18 +0000 (00:30 +0530)] 
octeontx2-af: mcs: Fix unsupported secy stats read

Secy control stats counter doesn't exist for CNF10KB platform.
Skip reading this respective register for CNF10KB silicon while
fetching secy stats.

Fixes: 9312150af8da ("octeontx2-af: cn10k: mcs: Support for stats collection")
Signed-off-by: Geetha sowjanya <gakula@marvell.com>
Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
Link: https://patch.msgid.link/1781636420-19816-1-git-send-email-sbhatta@marvell.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2 weeks agoocteontx2-af: npc: cn20k: fix NPC defrag
Ratheesh Kannoth [Wed, 17 Jun 2026 10:21:49 +0000 (15:51 +0530)] 
octeontx2-af: npc: cn20k: fix NPC defrag

npc_defrag_alloc_free_slots() always passed NPC_MCAM_KEY_X2 into
__npc_subbank_alloc(), which must match sb->key_type, so defrag never
allocated replacement slots on X4 banks. Pass the subbank key type for
bank 0, and only extend the search into bank 1 for X2 (X4 MCAM indices
are confined to b0b..b0t).

Fixes: 645c6e3c1999 ("octeontx2-af: npc: cn20k: virtual index support")
Signed-off-by: Ratheesh Kannoth <rkannoth@marvell.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260617102149.1309913-1-rkannoth@marvell.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2 weeks agonet: ethernet: mtk_ppe: Fix rhashtable leak in mtk_ppe_init error paths
Wayen Yan [Wed, 17 Jun 2026 05:48:13 +0000 (13:48 +0800)] 
net: ethernet: mtk_ppe: Fix rhashtable leak in mtk_ppe_init error paths

In mtk_ppe_init(), when accounting is enabled, the error paths for
dmam_alloc_coherent(mib) and devm_kzalloc(acct) failures return NULL
directly, bypassing the err_free_l2_flows label that destroys the
rhashtable initialized earlier.

While this leak only occurs during probe (not runtime) and the leaked
memory is minimal (an empty rhash table), fixing it ensures proper
error path cleanup consistency.

Fix by changing the two return NULL statements to goto err_free_l2_flows.

Fixes: 603ea5e7ffa7 ("net: ethernet: mtk_eth_soc: fix memory leak in error path")
Signed-off-by: Wayen Yan <win847@gmail.com>
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/178167550101.2217645.14579307712717502425@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2 weeks agonet: dst_metadata: fix false-positive memcpy overflow in tun_dst_unclone
Ilya Maximets [Tue, 16 Jun 2026 10:03:29 +0000 (12:03 +0200)] 
net: dst_metadata: fix false-positive memcpy overflow in tun_dst_unclone

kmalloc_flex() in metadata_dst_alloc() sets __counted_by for the
structure to the options_len, which is then initialized to zero.
Later, we're initializing the structure by copying the tunnel info
together with the options, and this triggers a warning for a potential
memcpy overflow, since the compiler estimates that the options can't
fit into the structure, even though the memory for them is actually
allocated.

 memcpy: detected buffer overflow: 104 byte write of buffer size 96
 WARNING: CPU: X PID: Y at lib/string_helpers.c:1036 __fortify_report
  skb_tunnel_info_unclone+0x179/0x190
  geneve_xmit+0x7fe/0xe00

The issue is triggered when built with clang and source fortification.

Fix that by doing the copy in two stages: first - the main data with
the options_len, then the options.  This way the correct length should
be known at the time of the copy.

It would be better if the options_len never changed after allocation,
but the allocation code is a little separate from the initialization
and it would be awkward and potentially dangerous to return a struct
with options_len set to a non-zero value from the metadata_dst_alloc().

Another option would be to use ip_tunnel_info_opts_set(), but it is
doing too many unnecessary operations for the use case here.

Fixes: 69050f8d6d07 ("treewide: Replace kmalloc with kmalloc_obj for non-scalar types")
Reported-by: Johan Thomsen <write@ownrisk.dk>
Closes: https://lore.kernel.org/netdev/CAKv6aAM8_EWgXScnKmKYm_4SwGDVBK++dzfP+Y6msUXbp99QUw@mail.gmail.com/
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Link: https://patch.msgid.link/20260616100332.1308294-1-i.maximets@ovn.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2 weeks agotipc: fix use-after-free of the discoverer in tipc_disc_rcv()
Weiming Shi [Wed, 17 Jun 2026 13:57:45 +0000 (21:57 +0800)] 
tipc: fix use-after-free of the discoverer in tipc_disc_rcv()

bearer_disable() frees b->disc with tipc_disc_delete()'s plain kfree(),
but tipc_disc_rcv() still dereferences b->disc in RX softirq under
rcu_read_lock() (tipc_udp_recv -> tipc_rcv -> tipc_disc_rcv).

L2 bearers are safe thanks to the synchronize_net() in
tipc_disable_l2_media(), but the UDP bearer defers that call to the
cleanup_bearer() workqueue, so the discoverer is freed with no grace
period:

 BUG: KASAN: slab-use-after-free in tipc_disc_rcv (net/tipc/discover.c:149)
 Read of size 8 at addr ffff88802348b728 by task poc_tipc/184
 <IRQ>
  tipc_disc_rcv (net/tipc/discover.c:149)
  tipc_rcv (net/tipc/node.c:2126)
  tipc_udp_recv (net/tipc/udp_media.c:391)
  udp_rcv (net/ipv4/udp.c:2643)
  ip_local_deliver_finish (net/ipv4/ip_input.c:241)
 </IRQ>
 Freed by task 181:
  kfree (mm/slub.c:6565)
  bearer_disable (net/tipc/bearer.c:418)
  tipc_nl_bearer_disable (net/tipc/bearer.c:1001)

The bearer is freed with kfree_rcu(); free the discoverer the same way.
Add an rcu_head to struct tipc_discoverer and free it and its skb from an
RCU callback.

Because the RCU callback (tipc_disc_free_rcu) lives in module text, a
call_rcu() that is still pending when the tipc module is unloaded would
invoke a freed function. Add an rcu_barrier() to tipc_exit() after the
bearer subsystem has been torn down, so all pending discoverer callbacks
have run before the module text goes away.

Reachable from an unprivileged user namespace: the TIPCv2 genl family is
netnsok and its bearer commands have no GENL_ADMIN_PERM. Needs CONFIG_TIPC
and CONFIG_TIPC_MEDIA_UDP.

Fixes: 25b0b9c4e835 ("tipc: handle collisions of 32-bit node address hash values")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
Link: https://patch.msgid.link/20260617135744.3383175-3-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2 weeks agonet: marvell: prestera: initialize err in prestera_port_sfp_bind
Ruoyu Wang [Wed, 17 Jun 2026 19:32:28 +0000 (03:32 +0800)] 
net: marvell: prestera: initialize err in prestera_port_sfp_bind

prestera_port_sfp_bind() returns err after walking the ports node. If no
child node matches the port's front-panel id, err is never assigned.

Initialize err to 0 because absence of a matching optional port device
tree node is not an error. In that case no phylink is created and port
creation should continue with port->phy_link left NULL. Errors from
malformed matched nodes and phylink_create() still propagate.

Fixes: 52323ef75414 ("net: marvell: prestera: add phylink support")
Signed-off-by: Ruoyu Wang <ruoyuw560@gmail.com>
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Acked-by: Elad Nachman <enachman@marvell.com>
Link: https://patch.msgid.link/20260617193228.1653582-1-ruoyuw560@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2 weeks agolib: Add stale 'raid6' directory to .gitignore file
Linus Torvalds [Sun, 21 Jun 2026 21:09:49 +0000 (14:09 -0700)] 
lib: Add stale 'raid6' directory to .gitignore file

I keep having to do this, because people think they can just move
directories around and move the gitignore files around with them.

You really can't do that - the old generated files stay around for
others, and still need to be ignored in the old location.

So when moving gitignore entries around because you moved the files (or
when moving a whole gitignore file around because the directory it was
in moved), the old gitignore situation needs to be dealt with.

Yes, those files may have moved in *your* tree when you moved the
directory.  And yes, new repositories will never even have seen them.
But all those other developers that see the result of your move still
likely have a working tree with the old state, and the files that were
hidden from git by an old gitignore file do not suddenly become
relevant.

Fixes: 3626738bc714 ("raid6: move to lib/raid/")
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2 weeks agoMerge tag 'mm-nonmm-stable-2026-06-21-10-22' of git://git.kernel.org/pub/scm/linux...
Linus Torvalds [Sun, 21 Jun 2026 20:20:19 +0000 (13:20 -0700)] 
Merge tag 'mm-nonmm-stable-2026-06-21-10-22' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

Pull non-MM updates from Andrew Morton:

 - "taskstats: fix TGID dead-thread stat retention" (Yiyang Chen)

   Fix a taskstats TGID aggregation bug where fields added in the TGID
   query path were not preserved after thread exit, and adds a kselftest
   covering the regression.

 - "lib/tests: string_helpers: Slight improvements" (Andy Shevchenko)

   Improve lib/tests/string_helpers_kunit.c a little

 - "lib/base64: decode fixes" (Josh Law)

   Address minor issues in lib/base64.c

 - "selftests/filelock: Make output more kselftestish" (Mark Brown)

   Make the output from the ofdlocks test a bit easier for tooling to
   work with. Also ignore the generated file

 - "uaccess: unify inline vs outline copy_{from,to}_user() selection"
   (Yury Norov)

   Simplify the usercopy code by removing the selectability of inlining
   copy_{from,to}_user().

 - "ocfs2: validate inline xattr header consumers" (ZhengYuan Huang)

   Fix a number of possible issues in the ocfs2 xattr code

 - "lib and lib/cmdline enhancements" (Dmitry Antipov)

   Provide additional robustness checking in the cmdline handling code
   and its in-kernel testing and selftests

 - "cleanup the RAID6 P/Q library" (Christoph Hellwig)

   Clean up the RAID6 P/Q library to match the recent updates to the
   RAID 5 XOR library and other CRC/crypto libraries

 - "ocfs2: harden inode validators against forged metadata" (Michael
   Bommarito)

   Add three structural checks to OCFS2 dinode validation so malformed
   on-disk fields are rejected before ocfs2_populate_inode() copies them
   into the in-core inode

 - "lib/raid: replace __get_free_pages() call with kmalloc()" (Mike
   Rapoport)

   Clean up the lib/raid code by using kmalloc() in more places

* tag 'mm-nonmm-stable-2026-06-21-10-22' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: (108 commits)
  ocfs2: fix circular locking dependency in ocfs2_dio_end_io_write
  ocfs2: fix NULL h_transaction deref in ocfs2_assure_trans_credits
  lib: interval_tree_test: validate benchmark parameters
  ocfs2: avoid moving extents to occupied clusters
  treewide: fix transposed "sign" typos and update spelling.txt
  ocfs2: fix UBSAN array-index-out-of-bounds in ocfs2_sum_rightmost_rec
  fat: reject BPB volumes whose data area starts beyond total sectors
  selftests/uevent: increase __UEVENT_BUFFER_SIZE to avoid ENOBUFS on busy systems
  lib/test_firmware: allocate the configured into_buf size
  fs: efs: remove unneeded debug prints
  checkpatch: cuppress warnings when Reported-by: is followed by Link:
  MAINTAINERS: add Alexander as a kcov reviewer
  mailmap: update Alexander Sverdlin's Email addresses
  fs: fat: inode: replace sprintf() with scnprintf()
  ocfs2: fix out-of-bounds write in ocfs2_remove_refcount_extent
  ocfs2: fix race between ocfs2_control_install_private() and ocfs2_control_release()
  ocfs2/dlm: require a ref for locking_state debugfs open
  ocfs2: reject FITRIM ranges shorter than a cluster
  ocfs2: validate fast symlink target during inode read
  ocfs2: add journal NULL check in ocfs2_checkpoint_inode()
  ...

2 weeks agoMerge tag 'mtd/for-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux
Linus Torvalds [Sun, 21 Jun 2026 19:25:17 +0000 (12:25 -0700)] 
Merge tag 'mtd/for-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux

Pull mtd updates from Miquel Raynal:
 "NAND changes:

   - Extend SPI NAND continuous read to Winbond devices, which requires
     numerous changes in the spi-{mem,nand} layers such as the need for
     a secondary read operation template

   - Continuous reads in general have also been enhanced/fixed for
     avoiding potential issues at probe time and at block boundaries

  SPI NOR changes:

   - Big set of cleanups and improvements to the locking support.

     This series contains some cleanups and bug fixes for code and
     documentation around write protection. Then support is added for
     complement locking, which allows finer grained configuration of
     what is considered locked and unlocked. Then complement locking is
     enabled on a bunch of Winbond W25 flashes

   - Fix die erase support on Spansion flashes.

     Die erase is only supported on multi-die flashes, but the die erase
     opcode was set for all. When the opcode is set, it overrides the
     default chip erase opcode which should be used for single-die
     flashes. Only set the opcode on multi-die flashes. Also, the opcode
     was not set on multi-die s28hx-t flashes. Set it so they can use
     die-erase correctly

  General changes:

   - A few drivers and mappings have been removed following SoCs support
     removal

   - And again, there is the usual load of misc improvements and fixes"

* tag 'mtd/for-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux: (63 commits)
  mtd: cfi: Use common error handling code in two functions
  mtd: slram: simplify register_device() cleanup
  mtd: slram: remove failed entries from the device list
  mtd: rawnand: ndfc: use ioread32be/iowrite32be and allow COMPILE_TEST
  mtd: spi-nor: spansion: add die erase support in s28hx-t
  mtd: spi-nor: spansion: use die erase for multi-die devices only
  mtd: spi-nor: winbond: Add W25Q02NWxxIM CMP locking support
  mtd: spi-nor: winbond: Add W25Q01NWxxIM CMP locking support
  mtd: spi-nor: winbond: Add W25Q01NWxxIQ CMP locking support
  mtd: spi-nor: winbond: Add W25H02NWxxAM CMP locking support
  mtd: spi-nor: winbond: Add W25H01NWxxAM CMP locking support
  mtd: spi-nor: winbond: Add W25H512NWxxAM CMP locking support
  mtd: spi-nor: Add steps for testing locking with CMP
  mtd: spi-nor: swp: Add support for the complement feature
  mtd: spi-nor: Add steps for testing locking support
  mtd: maps: remove obsolete impa7 map driver
  mtd: maps: remove uclinux map driver
  mtd: maps: remove AMD Élan specific drivers
  mtd: inftlmount: convert printk(KERN_WARNING) to pr_warn
  mtd: Consistently define pci_device_ids
  ...

2 weeks agocpu: hotplug: Bound hotplug states sysfs output
Bradley Morgan [Fri, 19 Jun 2026 16:37:18 +0000 (16:37 +0000)] 
cpu: hotplug: Bound hotplug states sysfs output

states_show() adds CPU hotplug state names into a single sysfs buffer
using sprintf(). With enough registered states, this can write past the
end of the PAGE_SIZE buffer.

Use sysfs_emit_at() so output is bounded.

Fixes: 98f8cdce1db5 ("cpu/hotplug: Add sysfs state interface")
Signed-off-by: Bradley Morgan <include@grrlz.net>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260619163719.12103-2-include@grrlz.net
2 weeks agocpu: hotplug: Preserve per instance callback errors
Bradley Morgan [Fri, 19 Jun 2026 16:37:17 +0000 (16:37 +0000)] 
cpu: hotplug: Preserve per instance callback errors

cpuhp_invoke_callback() unwinds earlier callbacks for the same
hotplug state when one instance fails. The rollback path currently
reuses ret, so a successful rollback can hide the original error and
make the failed transition look successful.

Keep the rollback result separate from the original error.

Fixes: 724a86881d03 ("smp/hotplug: Callback vs state-machine consistency")
Signed-off-by: Bradley Morgan <include@grrlz.net>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260619163719.12103-1-include@grrlz.net
2 weeks agoRevert "mm: limit filemap_fault readahead to VMA boundaries"
Lorenzo Stoakes [Fri, 19 Jun 2026 11:28:51 +0000 (12:28 +0100)] 
Revert "mm: limit filemap_fault readahead to VMA boundaries"

This reverts commit 7b32f64bc512b40b268776c5ac4d354b325b3197.

This patch caused a significant performance regression, so revert it, and
we can determine whether the approach is sensible or not moving forwards,
and if so how to avoid this.

There was a merge conflict with commit de97ae6222c1 ("mm/readahead: no
PG_readahead on EOF"), care was taken to ensure that the revert retained
the behaviour of this patch and cleanly reverts commit 7b32f64bc512 ("mm:
limit filemap_fault readahead to VMA boundaries") only.

Link: https://lore.kernel.org/20260619112852.104213-1-ljs@kernel.org
Fixes: 7b32f64bc512 ("mm: limit filemap_fault readahead to VMA boundaries")
Signed-off-by: Lorenzo Stoakes <ljs@kernel.org>
Reported-by: kernel test robot <oliver.sang@intel.com>
Closes: https://lore.kernel.org/oe-lkp/202606181547.617a6967-lkp@intel.com
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Reviewed-by: Pedro Falcato <pfalcato@suse.de>
Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Jan Kara <jack@suse.cz>
Cc: Kalesh Singh <kaleshsingh@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2 weeks agomm/vmscan: pass NULL to trace vmscan node reclaim
Ben Dooks [Tue, 16 Jun 2026 09:59:06 +0000 (10:59 +0100)] 
mm/vmscan: pass NULL to trace vmscan node reclaim

The tracepoint for node relcaims takes a `struct mem_cgroup *`
as the third argument, so pass NULL instead of 0 to fix warning
about using an integer as a pointer.

Fixes the following warnings:

mm/vmscan.c:6753:66: warning: Using plain integer as NULL pointer
mm/vmscan.c:6757:58: warning: Using plain integer as NULL pointer
mm/vmscan.c:7818:60: warning: Using plain integer as NULL pointer

Link: https://lore.kernel.org/20260616095906.210016-1-ben.dooks@codethink.co.uk
Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2 weeks agomm: use mapping_mapped to simplify the code
Huang Shijie [Fri, 12 Jun 2026 07:30:32 +0000 (15:30 +0800)] 
mm: use mapping_mapped to simplify the code

Use mapping_mapped() to simplify the code, make the code tidy and clean.

Link: https://lore.kernel.org/20260612073032.33228-1-huangsj@hygon.cn
Signed-off-by: Huang Shijie <huangsj@hygon.cn>
Reviewed-by: Pedro Falcato <pfalcato@suse.de>
Reviewed-by: Lorenzo Stoakes <ljs@kernel.org>
Reviewed-by: Muchun Song <muchun.song@linux.dev>
Reviewed-by: Oscar Salvador (SUSE) <osalvador@kernel.org>
Cc: David Hildenbrand <david@kernel.org>
Cc: Liam R. Howlett <liam@infradead.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2 weeks agoselftests/mm: fix exclusive_cow test fork() handling
Aboorva Devarajan [Thu, 11 Jun 2026 03:41:02 +0000 (09:11 +0530)] 
selftests/mm: fix exclusive_cow test fork() handling

The test ignores the return value of fork(), so both the parent and the
(newly created) child run the COW verification loops and then call
hmm_buffer_free() before returning into the kselftest harness, which
_exit()s each side.  This duplicated teardown sequence has been observed
to manifest as a SIGSEGV in the test child, e.g.:

  hmm-tests[360141]: segfault (11) at 0 nip 10006964 lr 1000ac3c code 1
  in hmm-tests[6964,10000000+30000]

Fix this by adopting the same fork()-then-wait pattern already used by the
nearby anon_write_child / anon_write_child_shared tests in this file: the
child performs the COW verification and then _exit(0)s so it does not run
the test teardown, while the parent independently verifies COW, waits for
the child, and only then frees the buffer.

Link: https://lore.kernel.org/20260611034102.1030738-4-aboorvad@linux.ibm.com
Fixes: b659baea75469 ("mm: selftests for exclusive device memory")
Signed-off-by: Aboorva Devarajan <aboorvad@linux.ibm.com>
Cc: Alex Sierra <alex.sierra@amd.com>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: Balbir Singh <balbirs@nvidia.com>
Cc: David Hildenbrand <david@kernel.org>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Leon Romanovsky <leon@kernel.org>
Cc: Liam R. Howlett <liam@infradead.org>
Cc: Lorenzo Stoakes <ljs@kernel.org>
Cc: Matthew Brost <matthew.brost@intel.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Ralph Campbell <rcampbell@nvidia.com>
Cc: Sayali Patil <sayalip@linux.ibm.com>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2 weeks agoselftests/mm: remove hardcoded THP sizing assumptions in hmm tests
Sayali Patil [Thu, 11 Jun 2026 03:41:01 +0000 (09:11 +0530)] 
selftests/mm: remove hardcoded THP sizing assumptions in hmm tests

migrate_partial_unmap_fault() and migrate_remap_fault() use hardcoded
offsets based on a 2MB PMD size.  Similarly, benchmark_thp_migration()
assumes a fixed 2MB THP size when generating test buffer sizes.

Derive offsets and test sizes from the runtime PMD page size returned by
read_pmd_pagesize().  If unavailable, fall back to TWOMEG.  This allows
the tests to adapt correctly on systems where PMD-sized THP differs from
2MB.  Also replace the fixed 1MB unmap size with a PMD-relative value
derived from the runtime PMD size.

On systems with larger PMD sizes, computed test buffer sizes can exceed
INT_MAX.  Skip such test cases to avoid overflow.

Link: https://lore.kernel.org/20260611034102.1030738-3-aboorvad@linux.ibm.com
Fixes: 24c2c5b8ffbd ("selftests/mm/hmm-tests: partial unmap, mremap and anon_write tests")
Fixes: 271a7b2e3c13 ("selftests/mm/hmm-tests: new throughput tests including THP")
Signed-off-by: Sayali Patil <sayalip@linux.ibm.com>
Signed-off-by: Aboorva Devarajan <aboorvad@linux.ibm.com>
Acked-by: Balbir Singh <balbirs@nvidia.com>
Cc: Alex Sierra <alex.sierra@amd.com>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: David Hildenbrand <david@kernel.org>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Leon Romanovsky <leon@kernel.org>
Cc: Liam R. Howlett <liam@infradead.org>
Cc: Lorenzo Stoakes <ljs@kernel.org>
Cc: Matthew Brost <matthew.brost@intel.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Ralph Campbell <rcampbell@nvidia.com>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2 weeks agoselftests/mm: allow PUD-level entries in compound testcase of hmm tests
Sayali Patil [Thu, 11 Jun 2026 03:41:00 +0000 (09:11 +0530)] 
selftests/mm: allow PUD-level entries in compound testcase of hmm tests

Patch series "selftests/mm: assorted fixes for hmm-tests", v3.

This series fixes a few issues in hmm-tests that show up when page-size
and huge-page configuration differ from the hardcoded assumptions the
tests were written for (PMD/THP sizing, default hugepage size, and related
cases).

It also includes a fix to exclusive_cow: the test ignored the return value
of fork(), so both parent and child ran the same teardown path.

This patch (of 3):

The HMM compound testcase currently assumes only PMD-level mappings and
fails on systems where default_hugepagesz=1G is set, because the region is
then reported by the device at PUD level.

Determine the mapping level (PMD or PUD) the device reports for the first
page of the range and require every page to match that level exactly via
ASSERT_EQ().  This accepts PUD-level mappings while preserving the
expected/observed protection values printed on failure, and rejects a
fragmented mapping that mixes PMD- and PUD-level entries within the same
range (which a per-page OR check would have let pass).

Link: https://lore.kernel.org/20260611034102.1030738-1-aboorvad@linux.ibm.com
Link: https://lore.kernel.org/20260611034102.1030738-2-aboorvad@linux.ibm.com
Fixes: e478425bec93 ("mm/hmm: add tests for hmm_pfn_to_map_order()")
Signed-off-by: Sayali Patil <sayalip@linux.ibm.com>
Co-developed-by: Aboorva Devarajan <aboorvad@linux.ibm.com>
Signed-off-by: Aboorva Devarajan <aboorvad@linux.ibm.com>
Cc: Alex Sierra <alex.sierra@amd.com>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: Balbir Singh <balbirs@nvidia.com>
Cc: David Hildenbrand <david@kernel.org>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Leon Romanovsky <leon@kernel.org>
Cc: Liam R. Howlett <liam@infradead.org>
Cc: Lorenzo Stoakes <ljs@kernel.org>
Cc: Matthew Brost <matthew.brost@intel.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Ralph Campbell <rcampbell@nvidia.com>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2 weeks agomm/gup_test: reject wrapped user ranges
Samuel Moelius [Tue, 9 Jun 2026 00:48:15 +0000 (00:48 +0000)] 
mm/gup_test: reject wrapped user ranges

gup_test accepts an address and size from the debugfs ioctl and repeatedly
compares against addr + size.  If that addition wraps, the loop can be
skipped and the ioctl returns success with size rewritten to zero.

Compute the end address once with overflow checking and use that checked
end for the loop bounds.

Assisted-by: Codex:gpt-5.5-cyber-preview
Link: https://lore.kernel.org/20260609004814.1240586.6294d614ac80.gup-test-range-end-wrap@trailofbits.com
Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Peter Xu <peterx@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2 weeks agomm/page_frag: reject invalid CPUs in page_frag_test
Samuel Moelius [Fri, 5 Jun 2026 18:41:52 +0000 (18:41 +0000)] 
mm/page_frag: reject invalid CPUs in page_frag_test

The page_frag selftest module accepts test_push_cpu and test_pop_cpu as
signed module parameters, then validates them by passing them directly to
cpu_active().

That validation is itself unsafe for negative or out-of-range CPU numbers.
For example, test_push_cpu=-1 is converted to a very large unsigned CPU
number before cpu_active() reaches cpumask_test_cpu(), which trips the
cpumask range check with CONFIG_DEBUG_PER_CPU_MAPS enabled.

Reject CPU values outside [0, nr_cpu_ids) before asking whether the CPU is
active.

Assisted-by: Codex:gpt-5.5-cyber-preview
Link: https://lore.kernel.org/20260605184157.2490353-1-sam.moelius@trailofbits.com
Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
Cc: David Hildenbrand <david@kernel.org>
Cc: Liam R. Howlett <liam@infradead.org>
Cc: Lorenzo Stoakes <ljs@kernel.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2 weeks agomm/damon/core: always put unsuccessfully committed target pids
SeongJae Park [Fri, 5 Jun 2026 01:38:48 +0000 (18:38 -0700)] 
mm/damon/core: always put unsuccessfully committed target pids

damon_commit_target() puts and gets the destination and the source target
pids.  It puts the destination target pid because it will be overwritten
by the source target pid.  It gets the source pid because the caller is
supposed to eventually put the pids.  In more detail, the caller will call
damon_destroy_ctx() after damon_commit_ctx() to destroy the entire source
context.  And in this case, [f]vaddr operation set's cleanup_target()
callback will put the pids.

The commit operation is made at the context level.  The operation can fail
in multiple places including in the middle and after the targets commit
operations.  For any such failures, immediately the error is returned to
the damon_commit_ctx() caller.  If some or all of the source target pids
were committed to the destination during the unsuccessful context commit
attempt, those pids should be put twice.

The source context will do the put operations using the above explained
routine.  However, let's suppose the destination context was not
originally using [f]vaddr operation set and the commit failed before the
ops of the source context is committed.  The destination does not have the
cleanup_target() ops callback, so it cannot put the pids via the
damon_destroy_ctx().

As a result, the pids are leaked.  The issue in the real world would be
not very common.  The commit feature is for changing parameters of running
DAMON context while inheriting internal status like the monitoring
results.  The monitoring results of a physical address range ain't have
things that are beneficial to be inherited to a virtual address ranges
monitoring.  So the problem-causing DAMON control would be not very common
in the real world.  That said, it is a supported feature.  And
damon_commit_target() failure due to memory allocation is relatively
realistic [1] if there are a huge number of target regions.

Fix by putting the pids in the commit operation in case of the failures.

The issue was discovered [2] by Sashiko.

Link: https://lore.kernel.org/20260605013849.83750-1-sj@kernel.org
Link: https://lore.kernel.org/20260603112306.58490-1-akinobu.mita@gmail.com
Link: https://lore.kernel.org/20260320020056.835-1-sj@kernel.org
Fixes: 83dc7bbaecae ("mm/damon/sysfs: use damon_commit_ctx()")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: <stable@vger.kernel.org> # 6.11.x
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2 weeks agomm: page_isolation: avoid unsafe folio reads while scanning compound pages
Kaitao Cheng [Tue, 2 Jun 2026 13:07:55 +0000 (21:07 +0800)] 
mm: page_isolation: avoid unsafe folio reads while scanning compound pages

page_is_unmovable() can inspect compound pages without holding a folio
reference or any lock.  The folio can therefore be freed, split or reused
while the scanner is still looking at it.

The existing HugeTLB handling already avoids folio_hstate() for this
reason, but it still derives the hstate from folio_size() and later
derives the scan step from folio_nr_pages() and folio_page_idx().  These
helpers rely on the folio still being a valid folio head.  If the folio
changed concurrently, the scanner can read inconsistent folio metadata and
compute a wrong step.  In the worst case, folio_nr_pages() can return 1
for what used to be a tail page and the subtraction from folio_page_idx()
can underflow.

There is a similar issue for non-Hugetlb compound pages: folio_test_lru()
expects a valid folio.  If the previously observed head page has been
reused as a tail page of another compound page, the folio flag checks can
trigger VM_BUG_ON_PGFLAGS().

Read the compound order once with compound_order(), reject obviously bogus
orders, and derive the hstate and scan step from that order instead of
querying folio size information again.  Also use PageLRU(page), which is
safe for the page being scanned, instead of folio_test_lru() on a
potentially stale folio pointer.

Treat an unknown HugeTLB hstate as unmovable so the scanner does not try
to skip over an unstable HugeTLB folio.

Link: https://lore.kernel.org/20260602130755.38794-1-kaitao.cheng@linux.dev
Fixes: a0a9f2180b90 ("mm: page_isolation: avoid calling folio_hstate() without hugetlb_lock")
Signed-off-by: Kaitao Cheng <chengkaitao@kylinos.cn>
Reviewed-by: Zi Yan <ziy@nvidia.com>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Acked-by: Oscar Salvador (SUSE) <osalvador@kernel.org>
Cc: Brendan Jackman <jackmanb@google.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Liu Shixin <liushixin2@huawei.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2 weeks agomm/shrinker: do not hold RCU lock in shrinker_debugfs_count_show()
Shakeel Butt [Wed, 10 Jun 2026 23:20:48 +0000 (16:20 -0700)] 
mm/shrinker: do not hold RCU lock in shrinker_debugfs_count_show()

Reading the debugfs "count" file of a memcg-aware shrinker can sleep
inside an RCU read-side critical section:

  BUG: sleeping function called from invalid context at kernel/cgroup/rstat.c:421
  RCU nest depth: 1, expected: 0
   css_rstat_flush
   mem_cgroup_flush_stats
   zswap_shrinker_count
   shrinker_debugfs_count_show

shrinker_debugfs_count_show() invokes the ->count_objects() callback under
rcu_read_lock().  The zswap callback flushes memcg stats via
css_rstat_flush(), which may sleep, so it must not run under RCU.

The RCU lock is not needed here.  mem_cgroup_iter() takes RCU internally
and returns a memcg holding a css reference (dropped on the next iteration
or by mem_cgroup_iter_break()), so the memcg stays alive without it.  The
shrinker is kept alive by the open debugfs file: shrinker_free() removes
the debugfs entries via debugfs_remove_recursive(), which waits for
in-flight readers to drain, before call_rcu(..., shrinker_free_rcu_cb).
The sibling "scan" handler already invokes the sleeping ->scan_objects()
callback with no RCU section.

Drop the rcu_read_lock()/rcu_read_unlock().

Link: https://lore.kernel.org/20260610232048.62930-1-shakeel.butt@linux.dev
Fixes: 5035ebc644ae ("mm: shrinkers: introduce debugfs interface for memory shrinkers")
Signed-off-by: Shakeel Butt <shakeel.butt@linux.dev>
Reported-by: Zenghui Yu <zenghui.yu@linux.dev>
Closes: https://lore.kernel.org/all/c052a064-cddb-494f-a0d8-f8a10b4b1c4d@linux.dev/
Suggested-by: Nhat Pham <nphamcs@gmail.com>
Reviewed-by: SeongJae Park <sj@kernel.org>
Reviewed-by: Qi Zheng <qi.zheng@linux.dev>
Tested-by: Zenghui Yu (Huawei) <zenghui.yu@linux.dev>
Reviewed-by: Nhat Pham <nphamcs@gmail.com>
Acked-by: Muchun Song <muchun.song@linux.dev>
Reviewed-by: Roman Gushchin <roman.gushchin@linux.dev>
Cc: Dave Chinner <david@fromorbit.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2 weeks agoselftests: mm: fix and speedup "droppable" test
David Hildenbrand (Arm) [Thu, 11 Jun 2026 10:01:55 +0000 (12:01 +0200)] 
selftests: mm: fix and speedup "droppable" test

The droppable test currently relies on creating memory pressure in a child
process to trigger dropping the droppable pages.

That not only takes a long time on some machines (allocating and filling
all that memory), on large machines this will not work as we hardcode the
area size to 134217728 bytes.

...  further, we rely on timeouts to detect that memory was not dropped,
which is really suboptimal.

Instead, let's just use MADV_PAGEOUT on a 2 MiB region.  MADV_PAGEOUT
works with droppable memory even without swap.

There is the low chance of MADV_PAGEOUT failing to drop a page because of
speculative references.  We'll wait 1s and retry 10 times to rule that
unlikely case out as best as we can.

On a machine without swap:

$ ./droppable
TAP version 13
1..1
ok 1 madvise(MADV_PAGEOUT) behavior
# Totals: pass:1 fail:0 xfail:0 xpass:0 skip:0 error:0

Link: https://lore.kernel.org/20260611-droppable_test-v1-1-b6a73d99f658@kernel.org
Fixes: 9651fcedf7b9 ("mm: add MAP_DROPPABLE for designating always lazily freeable mappings")
Signed-off-by: David Hildenbrand (Arm) <david@kernel.org>
Reported-by: Aishwarya TCV <Aishwarya.TCV@arm.com>
Tested-by: Sarthak Sharma <sarthak.sharma@arm.com>
Tested-by: Lance Yang <lance.yang@linux.dev>
Reviewed-by: Dev Jain <dev.jain@arm.com>
Reviewed-by: SeongJae Park <sj@kernel.org>
Tested-by: Lorenzo Stoakes <ljs@kernel.org>
Reviewed-by: Lorenzo Stoakes <ljs@kernel.org>
Reviewed-by: Jason A. Donenfeld <Jason@zx2c4.com>
Cc: Anthony Yznaga <anthony.yznaga@oracle.com>
Cc: Liam R. Howlett <liam@infradead.org>
Cc: Mark Brown <broonie@kernel.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>