Linus Torvalds [Fri, 19 Jun 2026 15:56:49 +0000 (08:56 -0700)]
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
Pull kvm updates from Paolo Bonzini:
"arm64:
This is a bit of an odd merge window on the KVM/arm64 front. There
is absolutely no new feature in the pull request. It is purely
fixes, because it is simply becoming too hard to review new stuff
when so many AI-fuelled fixes hit the list.
- Significant cleanup of the vgic-v5 PPI support which was merged in
7.1. This makes the code more maintainable, and squashes a couple
of bugs in the meantime
- Set of fixes for the handling of the MMU in an NV context,
particularly VNCR-triggered faults. S1POE support is fixed as well
- Large set of pKVM fixes, mostly addressing recurring issues around
hypervisor tracking of donated pages in obscure cases where the
donation could fail and leave things in a bizarre state
- Fixes for the so-called "lazy vgic init", which resulted in
sleeping operations in non-preemptible sections. This turned out to
be far more invasive than initially expected..
- Reduce the overhead of L1/L2 context switch by not touching the FP
registers
- Fix the way non-implemented page sizes are dealt with when a guest
insist on using them for S2 translation
- The usual set of low-impact fixes and cleanups all over the map
Loongarch:
- On a request for lazy FPU load, load all FPU state that the VM
supports instead of enabling only the part (FPU, LSX or LASX) that
caused the FPU load request
- Some enhancements about interrupt injection
- Some bug fixes and other small changes
RISC-V:
- Batch G-stage TLB flushes for GPA range based page table updates
- Convert HGEI line management to fully per-HART
- Fix missing CSR dirty marking when FWFT state updated via ONE_REG
- Fix stale FWFT feature exposure to Guest/VM
- Speed up dirty logging write faults using MMU rwlock and atomic PTE
updates using cmpxchg() for permission-only changes
- Use flexible array for APLIC IRQ state
- Use kvm_slot_dirty_track_enabled() for logging enable check on a
memslot
- Avoid skipping valid pages in kvm_riscv_gstage_wp_range()
- Avoid skipping valid pages in kvm_riscv_gstage_unmap_range()
- Use endian-specific __lelong for NACL shared memory
S390:
- KVM_PRE_FAULT_MEMORY support
- Support for 2G hugepages
- Support for the ASTFLEIE 2 facility
- Support for fast inject using kvm_arch_set_irq_inatomic
- Fix potential leak of uninitialized bytes
- A few more misc gmap fixes
x86:
- Generic support for the more granular permissions allowed by EPT,
namely "read" (which was previously usurping the U bit) and
separate execution bits for kernel and userspace
- Do not assume that all page tables start with U=1/W=1/NX=0 at the
root, as AMD GMET needs to have U=0 at the root
- Introduce common assembly macros for use within Intel and AMD
vendor-specific vmentry code. This touches the SPEC_CTRL handling,
which is now entirely done in assembly for Intel (by reusing the
AMD code that already existed), and register save/restore which
uses some macro magic to compute the offsets in the struct. Both of
these are preparatory changes for upcoming APX support
- Clean up KVM's register tracking and storage, primarily to prepare
for APX support, which expands the maximum number of GPRs from 16
to 32
- Keep a single copy of the PDPTRs rather than two, since
architecturally there is just one
- Handle EXIT_FASTPATH_EXIT_USERSPACE in vendor code to ensure vendor
code gets a chance to handle things like reaping the PML buffer
- Update KVM's view of PV async enabling if and only if the MSR write
fully succeeds
- Fix a variety of issues where the emulator doesn't honor
guest-debug state, and clean up related code along the way
- Synthesize EPT Violation and #NPF "error code" bits when injecting
faults into L1 that didn't originate in hardware (in which case the
VMCS/VMCB doesn't hold relevant information)
- Add support for virtualizing (well, emulating) AMD's flavor of
CPL>0 CPUID faulting
- Clean up the GPR APIs so that KVM's use of "raw" is consistent, and
fix a variety of minor bugs along the way
- Fix an OOB memory access due to not checking the VP ID when
handling a Hyper-V PV TLB flush for L2
- Fix a bug in the mediated PMU's handling of fixed counters that
allowed the guest to bypass the PMU event filter
- Allow userspace to return EAGAIN when handling SNP and TDX
hypercalls, so the KVM can forward a "retry" status code to the
guest, and reserve all unused error codes for future usage
- Overhaul the TDP MMU => S-EPT code to move as much S-EPT specific
logic as possible into the TDX code, and to funnel (almost) all
S-EPT updates into a single chokepoint. The motivation is largely
to prepare for upcoming Dynamic PAMT support, but the cleanups are
nice to have on their own
- Plug a hole in shadow page table handling, where KVM fails to
recursively zap nested EPT/NPT shadow page tables when the nested
hypervisor tears down its own EPT/NPT page tables from the bottom
up
x86 (Intel):
- Support for nested MBEC (Mode-Based Execute Control), see above in
the generic section; also run with MBEC enabled even for non-nested
mode
- Use the kernel's "enum pg_level" in the TDX APIs instead of the
TDX-Module's level definitions (which are 0-based)
- Rework the TDX memory APIs to not require/assume that guest memory
is backed by "struct page" (in prepartion for guest_memfd hugepage
support)
- Fix a largely benign bug where KVM TDX would incorrectly state it
could emulate several x2APIC MSRs
- Use the "safe" WRMSR API when proxying LBR MSR writes as the
to-be-written value is guest controlled and completely unvalidated
x86 (AMD):
- Support for nested GMET (Guest Mode Execution Trap), see above in
the generic section; also run with GMET enabled even for non-nested
mode
- Fixes and minor cleanups to GHCB handling, on top of the earlier
work already merged into 7.1-rc
- Ensure KVM's copy of CR0 and CR3 are up-to-date prior to invoking
fastpath handlers
- Add support for virtualizing gPAT (KVM previously just used L1's
PAT when running L2)
- Fix goofs where KVM mishandles side effects (e.g. single-step and
PMC updates) when emulating VMRUN
- Fix a variety of bugs in AVIC's handling of x2APIC MSR
interception, most notably where KVM didn't disable interception of
IRR, ISR, and TMR regs
- Add support for virtualizing Host-Only/Guest-Only bits in the
mediated PMU
- Don't advertise support for unusable VM types, and account for VM
types that are disabled by firmware, e.g. to mitigate security
vulnerabilities
- Rewrite the SEV {en,de}crypt debug ioctls as they were riddle with
bugs and unnecessarily complicated, and add comprehensive tests
- Clean up and deduplicate the SEV page pinning code
- Fix minor goofs related to writing back CPUID information after
firmware rejects a CPUID page for an SNP vCPU
Generic:
- Rename invalidate_begin() to invalidate_start() throughout KVM to
follow the kernel's nomenclature, e.g. for mmu_notifiers
- Use guard() to cleanup up various KVM+VFIO flows
- Minor cleanups
guest_memfd:
- Return -EEXIST instead of -EINVAL if userspace attempts to bind a
gmem range to multiple memslots, and fix the test that was supposed
to ensure KVM returns -EEXIST
- Treat memslot binding offsets and sizes as unsigned values to fix a
bug where KVM interprets a large "offset + size" as a negative
value and allows a nonsensical offset
- Use the inode number instead of the page offset for the NUMA
interleaving index to fix a bug where the effective index would
jump by two for consecutive pages (the caller also adds in the page
offset)
Selftests:
- Randomize the dirty log test's delay when reaping the bitmap on the
first pass, as always waiting only 1ms hid a KVM RISC-V bug as the
test reaped the bitmap before KVM could build up enough state to
hit the bug
- A pile of one-off fixes and cleanups"
* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (326 commits)
KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level
KVM: x86: Fix shadow paging use-after-free due to unexpected role
KVM: s390: Introducing kvm_arch_set_irq_inatomic fast inject
KVM: s390: Enable adapter_indicators_set to use mapped pages
KVM: s390: Add map/unmap ioctl and clean mappings post-guest
riscv: kvm: Use endian-specific __lelong for NACL shared memory
KVM: selftests: access_tracking_perf_test: bump number of NUMA nodes to 32
KVM: s390: vsie: Implement ASTFLEIE facility 2
KVM: s390: vsie: Refactor handle_stfle
s390/sclp: Detect ASTFLEIE 2 facility
KVM: s390: Minor refactor of base/ext facility lists
KVM: x86/mmu: move pdptrs out of the MMU
KVM: x86: check that kvm_handle_invpcid is only invoked with shadow paging
KVM: nSVM: invalidate cached PDPTRs across nested NPT transitions
KVM: nVMX: remove unnecessary code in prepare_vmcs02_rare
KVM: x86: remove nested_mmu from mmu_is_nested()
KVM: arm64: vgic-its: Make ABI commit helpers return void
KVM: s390: Initialize KVM_S390_GET_CMMA_BITS memory
LoongArch: KVM: Add missing slots_lock for device register/unregister
LoongArch: KVM: Validate irqchip index in irqfd routing
...
Linus Torvalds [Fri, 19 Jun 2026 14:46:16 +0000 (07:46 -0700)]
Merge tag 'mips_7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux
Pull MIPS updates from Thomas Bogendoerfer:
- use software nodes for GPIO code
- cleanups and fixes
* tag 'mips_7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux: (41 commits)
mips: select legacy gpiolib interfaces where used
MIPS: lib: Remove '.hidden' for local symbols
MIPS: VDSO: Avoid including .got in dynamic segment
MIPS: smp: report dying CPU to RCU in stop_this_cpu()
MIPS: kernel: proc: Delete unnecessary braces in show_cpuinfo()
MIPS: kernel: proc: Use seq_putc() calls in show_cpuinfo()
mips: sched: Fix CPUMASK_OFFSTACK memory corruption
MIPS: mm: Fix out-of-bounds write in maar_res_walk()
MIPS: ath79: reduce ARCH_DMA_MINALIGN
mips: dts: ar9132: fix wdt node name
mips: Remove remaining defconfig references to the pktcdvd driver
MIPS: mm: remove comment referring to removed CONFIG_MIPS_CMP
MIPS: alchemy: db1300: switch to static device properties
MIPS: alchemy: gpr: switch to static device properties
MIPS: alchemy: db1000: use nodes attached to GPIO chips in properties
MIPS: alchemy: mtx1: attach software nodes to GPIO chips
MIPS: alchemy: provide visible function prototypes to board files
MIPS: alchemy: platform: add missing include
MIPS: ip22-gio: do not export device release function
MIPS: ip22-gio: switch to dynamic root device
...
Linus Torvalds [Fri, 19 Jun 2026 14:37:52 +0000 (07:37 -0700)]
Merge tag 'powerpc-7.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux
Pull powerpc updates from Madhavan Srinivasan:
- Enable GENERIC_ENTRY feature
- Add missing property in DTS for mpc83xx platform
- Enable building of DTB based on platfrom Kconfig
- Add powerpc64 JIT support for timed may_goto
- Add timeout to RTAS busy-wait loops
- Simplify cpumask api usage for cpuinfo display
- implement get_direction() in cpm1 (8xx platform)
- MAINTAINERS file update for power VMX AES entries
- Fixes to handle preempt count
- Restore KUAP registers on syscall restart exit
- define MIN_RMA in bytes rather than MB
- misc fixes and cleanups
Thanks to Aboorva Devarajan, Adriano Vero, Amit Machhiwal, Anushree
Mathur, Bartosz Golaszewski, Christophe Leroy (CS GROUP), David Gow,
Jinjie Ruan, J. Neuschäfer, Linus Walleij, Mahesh Salgaonkar, Mukesh
Kumar Chaurasiya (IBM), Ritesh Harjani (IBM), Saket Kumar Bhaskar,
Samir M, Sayali Patil, Shirisha G, Shivang Upadhyay, Shrikanth Hegde,
Sourabh Jain, Thorsten Blum, Venkat Rao Bagalkote, and Yury Norov.
* tag 'powerpc-7.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: (32 commits)
powerpc/fadump: define MIN_RMA in bytes rather than MB
powerpc: Restore KUAP registers on syscall restart exit
powerpc/kexec: fix double get_cpu() imbalance in kexec_prepare_cpus
powerpc/powernv: fix preempt count leak in pnv_kexec_wait_secondaries_down
powerpc/perf: fix preempt count underflow in fsl_emb_pmu_del
powerpc/boot: Allow text relocations for pseries wrapper with binutils 2.46+
powerpc: Simplify access_ok()
powerpc/entry: Disable interrupts before irqentry_exit
powerpc/8xx: implement get_direction() in cpm1
powerpc/pseries/lparcfg: Replace deprecated strcpy in parse_system_parameter_string
powerpc: Fix indentation and replace typedef with struct name
powerpc/rtas: Replace one-element array with flexible array member
powerpc: use sysfs_emit{_at} in sysfs show functions
MAINTAINERS: powerpc: update VMX AES entries
ppc/fadump: invoke kmsg_dump in fadump panic path
powerpc/xive: Add warning if target CPU not found
powerpc/perf: Use cpumask_intersects api for checking disable path
powerpc: Simplify cpumask api usage for cpuinfo display
powerpc: Use cpumask_next_wrap instead
powerpc/fadump: Add timeout to RTAS busy-wait loops
...
Arnd Bergmann [Thu, 11 Jun 2026 13:21:44 +0000 (15:21 +0200)]
arm64: static_call: include asm/insns.h
I came a cross a missing declaration in a randconfig build:
arch/arm64/kernel/static_call.c:16:5: error: call to undeclared function 'aarch64_insn_adrp_get_offset'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
16 | aarch64_insn_adrp_get_offset(le32_to_cpup(tramp + 4)) +
| ^
Include the header that contains this definition explicitly,
rather than relying on it to come indirectly through another
header.
Fixes: 54ac9ff8f119 ("arm64: Use static call trampolines when kCFI is enabled") Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Will Deacon <will@kernel.org>
Holger Dengler [Wed, 17 Jun 2026 17:06:39 +0000 (19:06 +0200)]
s390/pkey: Check length in pkey_pckmo handler implementation
Explicitly check the length of the target buffer in the pkey_pckmo
implementation of the key_to_protkey() handler function. The handler
function fails, if the generated output data exceeds the length of the
provided target buffer.
Cc: stable@vger.kernel.org Fixes: 8fcc231ce3be ("s390/pkey: Introduce pkey base with handler registry and handler modules") Reported-by: Christian Borntraeger <borntraeger@linux.ibm.com> Reviewed-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Holger Dengler <dengler@linux.ibm.com> Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Lorenzo Bianconi [Mon, 15 Jun 2026 09:18:25 +0000 (11:18 +0200)]
netfilter: flowtable: fix and simplify IP6IP6 tunnel handling
Fix nf_flow_ip6_tunnel_proto() to use pskb_may_pull() instead of
skb_header_pointer() to ensure the outer IPv6 header is in the skb
headroom, which is required for subsequent packet processing. Move
ctx->offset update inside the IPPROTO_IPV6 conditional block since it
should only be adjusted when an IP6IP6 tunnel is actually detected.
Simplify the rx path by removing ipv6_skip_exthdr() and checking
ip6h->nexthdr directly, as the flowtable fast path only handles simple
IP6IP6 encapsulation without extension headers.
Drop the tunnel encapsulation limit destination option support from the
tx path to match, since the rx path no longer handles extension headers.
Remove the encap_limit parameter from nf_flow_offload_ipv6_forward(),
nf_flow_tunnel_ip6ip6_push() and nf_flow_tunnel_v6_push(), along with
the ipv6_tel_txoption struct and related headroom/MTU adjustments.
Fixes: d98103575dcdd ("netfilter: flowtable: Add IP6IP6 rx sw acceleration") Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Wyatt Feng [Thu, 11 Jun 2026 07:21:42 +0000 (15:21 +0800)]
netfilter: xt_cluster: reject template conntracks in hash match
xt_cluster_mt() treats any non-NULL nf_ct_get() result as a fully
initialized conntrack and passes it to xt_cluster_hash().
This causes a state confusion bug when the raw table CT target attaches
a template conntrack to skb->_nfct before normal conntrack processing.
Templates carry IPS_TEMPLATE status but do not have a valid tuple for
hashing yet, so xt_cluster_hash() can hit its WARN_ON() path on the
zeroed l3num field.
Reject template conntracks before hashing them. This matches existing
netfilter handling for template objects and avoids hashing incomplete
conntrack state.
Haoze Xie [Mon, 8 Jun 2026 05:43:44 +0000 (13:43 +0800)]
netfilter: nf_queue: pin bridge device while NFQUEUE holds fake dst
The br_netfilter fake rtable is embedded in struct net_bridge and is
attached to bridged packets with skb_dst_set_noref(). If such a packet is
queued to NFQUEUE, __nf_queue() upgrades that fake dst with
skb_dst_force().
At that point the queued skb can hold a real dst reference after bridge
teardown has started. The problem is not that every bridged packet needs
its own dst reference. The problem is that NFQUEUE can keep the bridge
private fake dst alive after unregister begins.
Fix this by keeping the bridge fake dst model unchanged and pinning the
bridge master device only while the packet sits in NFQUEUE. Record the
bridge device in nf_queue_entry when the queued skb carries a bridge fake
dst, take a device reference for the queue lifetime, and drop it when the
queue entry is freed.
Also make sure queued entries are reaped when that bridge device goes
down, and drop the redundant nf_bridge_info_exists() test from the fake
dst detection.
This keeps netdev_priv(br->dev) alive until verdict completion, so the
embedded fake rtable and its metrics backing storage cannot be freed out
from under dst_release(). It also avoids the constant refcount bump and
avoids using ipv4-specific dst helpers for IPv6 bridge traffic.
Fixes: 34666d467cbf ("netfilter: bridge: move br_netfilter out of the core") Cc: stable@kernel.org Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Yifan Wu <yifanwucs@gmail.com> Reported-by: Juefei Pu <tomapufckgml@gmail.com> Reported-by: Xin Liu <bird@lzu.edu.cn> Signed-off-by: Haoze Xie <royenheart@gmail.com> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Adrian Bente [Thu, 28 May 2026 07:08:51 +0000 (10:08 +0300)]
netfilter: flowtable: fix offloaded ct timeout never being extended
OpenWrt has recently migrated many platforms to kernel 6.18. On the
MediaTek platform, which supports hardware network offloading, WiFi
connections accelerated via the WED path were observed to drop after
roughly 300 seconds.
After several debugging sessions, assisted by the Claude LLM, the
problem was narrowed down as follows:
nf_flow_table_extend_ct_timeout() extends ct->timeout for offloaded
flows using:
cmpxchg(&ct->timeout, expires, new_timeout);
'expires' comes from nf_ct_expires(ct) and is a relative value, while
ct->timeout holds an absolute timestamp. The two are never equal, so
the cmpxchg always fails and the timeout is never extended.
This goes unnoticed for most flows, but a long-lived hardware (WED)
offloaded flow on MediaTek MT7986 eventually has ct->timeout decay to
zero, the conntrack entry is reaped and the connection breaks.
Open-code the relative value from a single READ_ONCE(ct->timeout)
snapshot and compare against that same absolute snapshot in the
cmpxchg, so the timeout extension actually takes effect while the
datapath remains authoritative if it updates ct->timeout concurrently.
x86/platform/geode: reference the real node of the cs5535 GPIO controller
GPIO software node lookup should rely exclusively on matching the
addresses of the referenced firmware nodes. Commit e5d527be7e69 ("gpio:
swnode: don't use the swnode's name as the key for GPIO lookup") tried to
enforce this but had to be reverted: it broke existing users who abuse the
software node mechanism by creating "dummy" software nodes named after the
device they want to get GPIOs from, without ever attaching them to the
actual GPIO devices. Those users rely on GPIOLIB matching the label of the
GPIO controller against the name of the software node rather than on a real
firmware node link.
Un-reverting e5d527be7e69 therefore requires converting all such users to
real firmware node lookup. The geode board setup is one of them: it
references the cs5535 GPIO controller through a locally-defined dummy node
named "cs5535-gpio".
The cs5535 MFD driver now exports the software node associated with its
GPIO controller cell as cs5535_gpio_swnode. Use it as the target of the
GPIO software node references in geode-common.c instead of the dummy node,
so the lookup resolves by firmware node address. As the referenced node
must exist at lookup time, make the cs5535 driver built-in for all boards
selecting GEODE_COMMON (depend on GPIO_CS5535=y). The node is exported in
the "CS5535" namespace, so import it in this module.
ALSA: hda/realtek: Enable mute LED on HP EliteBook 840 G6
The HP EliteBook 840 G6 (PCI SSID 103c:854d) has an ALC215 codec whose
mic-mute and audio-mute LEDs are wired to the same GPIOs as the already
supported EliteBook 830 G6 and 840 G7. Without a matching quirk the LEDs
are never registered, so the front-panel mic-mute LED stays permanently
lit and does not track the mute state.
Apply ALC285_FIXUP_HP_GPIO_LED, mirroring the sibling EliteBook entries.
With this fixup the codec registers an "hda::micmute" LED class device and
the LED correctly follows the capture-mute state. This was verified on the
affected machine by forcing the same fixup at runtime via
snd_sof_intel_hda_generic.hda_model=103c:8548, which made the LED work as
expected.
Cen Zhang [Thu, 18 Jun 2026 17:00:10 +0000 (01:00 +0800)]
ALSA: usb-audio: Kill MIDI 2.0 URBs before freeing endpoints
MIDI 2.0 input URBs are started during snd_usb_midi_v2_create(). A
later setup failure can still jump to snd_usb_midi_v2_free(), which
currently frees each endpoint and its coherent URB buffers without first
stopping the submitted URBs. A completion can then dereference the
embedded URB context and endpoint state after they have been freed, or
try to resubmit from the stale endpoint.
This was observed as a KASAN slab-use-after-free in
input_urb_complete().
The buggy scenario involves two paths, with each column showing the order
within that path:
probe error path: USB completion path:
1. start_input_streams() submits 1. The HCD still owns a
input URBs. submitted input URB.
2. A later setup helper returns 2. input_urb_complete() runs
an error. with urb->context in ep.
3. snd_usb_midi_v2_free() frees 3. The completion reads ep
endpoint storage and URB buffers. state and can requeue URBs.
Make the endpoint destructor follow the same teardown ordering used for
disconnect when the endpoint has not already been disconnected: publish
ep->disconnected, kill the URBs synchronously, and drain the endpoint
before freeing URB buffers and endpoint storage. The guard avoids
repeating the stop sequence after the normal
snd_usb_midi_v2_disconnect_all() path, while still synchronizing the
direct MIDI 2.0 create-error free path.
Alice Ryhl [Tue, 16 Jun 2026 12:30:38 +0000 (12:30 +0000)]
rust: Kbuild: set frame-pointer llvm module flag for CONFIG_FRAME_POINTER
Due to a rustc bug, the -Cforce-frame-pointers=y flag only emits the
frame-pointer annotation for functions, but not for the module. This
means that functions generated by the LLVM backend such as
'asan.module_ctor' do not receive the frame-pointer annotation.
This is likely to lead to broken backtraces and may also cause issues
with ftrace if these features are used with functions generated by the
LLVM backend.
Thus, use -Zllvm_module_flag to work around this rustc bug if using a
rustc without the fix.
[ The fix [1] has landed for Rust 1.98.0 (expected release on
2026-08-20). - Miguel ]
- Added comment with link to the PR, similar to what we did in commit ac35b5580ace ("rust: arm64: set uwtable llvm module flag for
CONFIG_UNWIND_TABLES").
- Miguel ] Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Gary Guo [Tue, 16 Jun 2026 13:25:56 +0000 (14:25 +0100)]
rust: doctest: fix incorrect pattern in replacement
The `-> Result<(), impl core::fmt::Debug>` string is generated by rustdoc
and by adding "::" into the string it no longer finds anything, making
the line useless.
Remove the "::" in the pattern. Omit it in the replacement too, for
consistency with upstream rustdoc.
Fixes: de7cd3e4d638 ("rust: use absolute paths in macros referencing core and kernel") Signed-off-by: Gary Guo <gary@garyguo.net> Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20260616132559.2245814-1-gary@kernel.org
[ Added link in code comment to `rustdoc`'s 1.87 PR that fully qualified
it for context. Improved comments for consistency. Reworded to drop
changelog and to fix typo. - Miguel ] Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Linus Torvalds [Fri, 19 Jun 2026 04:55:24 +0000 (21:55 -0700)]
Merge tag 'riscv-for-linus-7.2-mw1' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux
Pull RISC-V updates from Paul Walmsley:
- Prevent get_free_mem_region() from returning regions that are
unmappable in certain circumstances by defining
DIRECT_MAP_PHYSMEM_END for RISC-V
- Fix an early boot problem with kexec_file when the amount of
installed physical memory installed on the system exceeds the direct
map size, which is possible in certain RISC-V virtual memory modes
- Unconditionally sfence.vma in the new vmalloc area handling code in
the page fault handler, since even the presence of Svvptc doesn't
guarantee that the CPU won't immediately fault again after the
exception handler completes and subsequently crash
- Fix ftrace_graph_ret_addr() to use the correct task pointer (aligning
with what other architectures do)
- Fix the misaligned access performance checking code in cases when
performance is specified on the kernel command line and when CPUs
have been brought offline and back online
- Get rid of a bogus address offset in the non-frame-pointer version of
walk_stackframe(), aligning it with the frame pointer-based code
- Fix a RISC-V kfence issue causing bogus use-after-free warnings
- Add ARCH_HAS_CC_CAN_LINK for RISC-V, which needs different compiler
command line flags than other architectures
- Implement _THIS_IP_ using RISC-V-specific assembly, which seems to be
less brittle (from a compiler point of view) than taking the address
of a label
- Reduce kernel startup overhead by defining
HAVE_BUILDTIME_MCOUNT_SORT, since arch/riscv meets all the
requirements
- Patch the CFI vDSO during alternatives processing, not only the
standard vDSO
- Fix a potential memory leak in the cacheinfo code
- Clean up kernel/setup.c:add_resource() to pass along the return value
from insert_resource() and to improve the display of resource ranges
- Clean up our purgatory.[ch] by aligning our purgatory() prototype to
what's in arch/x86, and by cleaning up verify_sha256_digest()
- Clean up cpu_is_stopped() to align its function a little more closely
to its name
- Replace some unbounded string function usage in get_early_cmdline()
and the ptdump code with strscpy()
- Replace sprintf() with sysfs_emit() in cpu_show_ghostwrite() for
safer bounds checking
- Standardize how compiler output flags are specified in the RISC-V
kselftests, aligning them with what other architectures do
- Use the Linux-generic cmp_int() macro in place of an open-coded
"cmp_3way()" macro in kernel/module-sections.c
- Panic early in boot if IRQ handler stacks can't be allocated rather
than pretending to continue normally
- Add support for Eswin SoCs in the RISC-V defconfig
- Remove some unnecessary conditionals in sbi_hsm_hart_{start,stop}()
- Clean up some Kconfig infelicities found by Kconfirm
- Replace an open-coded version of min() in the kexec_elf code with
the standard min() function
* tag 'riscv-for-linus-7.2-mw1' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux: (36 commits)
riscv: traps_misaligned: Avoid redundant unaligned access speed probe
riscv: misaligned: Fix fast_unaligned_access_speed_key init
riscv: also select ARCH_KEEP_MEMBLOCK if kexec is selected
riscv: alternative: Also patch the CFI vDSO
riscv: alternative: Pass vDSO start as parameter to apply_vdso_alternatives()
riscv: alternative: Use IS_ENABLED() over ifdeffery for apply_vdso_alternatives()
riscv: vdso: Always declare vdso_start symbols
riscv: kexec: use min to simplify riscv_kexec_elf_load
riscv: panic if IRQ handler stacks cannot be allocated
riscv: mm: Unconditionally sfence.vma for spurious fault
riscv: mm: Use the bitmap API for new_valid_map_cpus
riscv: mm: Rename new_vmalloc into new_valid_map_cpus
riscv: kfence: Call mark_new_valid_map() for kfence_unprotect()
riscv: mm: Extract helper mark_new_valid_map()
riscv: stacktrace: Remove bogus -0x4 offset in non-FP walk_stackframe
riscv: cacheinfo: Fix node reference leak in populate_cache_leaves
riscv: kexec_file: Constrain segment placement to direct map
riscv: mm: Define DIRECT_MAP_PHYSMEM_END
riscv: defconfig: Enable Eswin SoCs
riscv: cpu_ops_sbi: No need to be bothered to check ret.error
...
Linus Torvalds [Fri, 19 Jun 2026 04:23:22 +0000 (21:23 -0700)]
Merge tag 'trace-ring-buffer-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
Pull ring-buffer updates from Steven Rostedt
- Do not invalidate entire buffer for invalid sub-buffers
For the persistent ring buffer, if one sub-buffer is found to be
invalid, it invalidates the entire per CPU ring buffer. This can lose
a lot of valuable data if there's some corruption with the writes to
the buffer not syncing properly on a hard crash. Instead, if a
sub-buffer is found to be invalid, simply zero it out and mark it for
"missed events".
When the persistent ring buffer is read and a sub-buffer that was
cleared due to being invalid on boot up is discovered, the output
will show "[LOST EVENTS]" to let the user know that events were
missing at that location. Displaying the events from valid buffers
can still be useful.
- Add a test to be able to test corrupted sub-buffers
If a persistent ring buffer is created as "ptraingtest" and the new
config that adds the test is enabled, when a panic happens, the
kernel will randomly corrupt one of the per CPU ring buffers. On boot
up, the sub-buffers with the corruption should be cleared and
flagged. When reading this buffer, the missed events should should
[LOST EVENTS].
- Add commit number in the sub-buffer meta debug info
The commit is used to know the content of a meta page. Add it to the
buffer_meta file that is shown for each per CPU buffer.
- Clean up the persistent ring buffer validation code
Add some helper functions and make variable names more consistent.
* tag 'trace-ring-buffer-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
ring-buffer: Better comment the use of RB_MISSED_EVENTS
ring-buffer: Show persistent buffer dropped events in trace_pipe file
ring-buffer: Show persistent buffer dropped events in trace file
ring-buffer: Have dropped subbuffers be persistent across reboots
ring-buffer: Cleanup buffer_data_page related code
ring-buffer: Cleanup persistent ring buffer validation
ring-buffer: Show commit numbers in buffer_meta file
ring-buffer: Add persistent ring buffer invalid-page inject test
ring-buffer: Skip invalid sub-buffers when rewinding persistent ring buffer
ring-buffer: Skip invalid sub-buffers when validating persistent ring buffer
Linus Torvalds [Fri, 19 Jun 2026 03:53:00 +0000 (20:53 -0700)]
Merge tag 'trace-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
Pull tracing updates from Steven Rostedt:
- Remove a redundant IS_ERR() check
trace_pipe_open() already checks for IS_ERR() and does it again in
the return path. Remove the return check.
- Export seq_buf_putmem_hex() to allow kunit tests against them
To add Kunit tests on seq_buf_putmem_hex(), it needs to be exported.
- Replace strcat() and strcpy() with seq_buf() logic
The code for synthetic events uses a series of strcat() and strcpy()
which can be error prone. Replace them with seq_buf() logic that does
all the necessary bound checking.
- Add a lockdep rcu_is_watching() to trace_##event##_enabled() call
The trace_##event##_enabled() is a static branch that is true if the
"event" is enabled. But this can hide bugs if this logic is in a
location where RCU is disabled and not "watching". It would only
trigger if lockdep is enabled and the event is enabled.
Add a "rcu_is_watching()" warning if lockdep is enabled in that
helper function to trigger regardless if the event is enabled or not.
- Remove the local variable in the trace_printk() macro
For name space integrity, remove the _______STR variable in the
trace_printk() macro for using the sizeof() macro directly.
- Use guard()s for the trace_recursion_record.c file
- Fix typo in a comment of eventfs_callback() kerneldoc
- Use trace_call__##event() in events within trace_##event##_enabled()
A couple of events are called within an if block guarded by
trace_##event##_enabled(). That is a static key that is only enabled
when the event is enabled. The trace_call_##event() calls the
tracepoint code directly without adding a redundant static key for
that check.
- Allow perf to read synthetic events
Currently, perf does not have the ability to enable a synthetic
event. If it does, it will either cause a kernel warning or error
with "No such device". Synthetic events are not much different than
kprobes and perf can handle fine with a few modifications.
- Replace printk(KERN_WARNING ...) with pr_warn()
- Replace krealloc() on an array with krealloc_array()
- Fix README file path name for synthetic events
- Change tracing_map tracing_map_array to use a flexible array
Instead of allocating a separate pointer to hold the pages field of
tracing_map_array, allocate the pages field as a flexible array when
allocating the structure.
- Fold trace_iterator_increment() into trace_find_next_entry_inc()
The function trace_iterator_increment() was only used by
trace_find_next_entry_inc(). It's not big enough to be a helper
function for one user. Fold it into its caller.
- Make field_var_str field a flexible array of hist_elt_data
Instead of allocating a separate pointer for the field_var_str array
of the hist_elt_data structure, allocate it as a flexible array when
allocating the structure.
- Disable KCOV for trace_irqsoff.c
Like trace_preemptirq.c, trace_irqsoff.c has code that will crash
when KCOV is enabled on ARM. The irqsoff tracing can be called on ARM
because the irqsoff tracing code can be run from early interrupt code
and produce coverage unrelated to syscall inputs.
- Fix warning in __unregister_ftrace_function() called by perf
Perf calls unregister_ftrace_function() without checking if its
ftrace_ops has already been unregistered. There's an error path where
on clean up it will unregister the ftrace_ops even if it wasn't
registered and causes a warning.
* tag 'trace-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
perf/ftrace: Fix WARNING in __unregister_ftrace_function
tracing: Disable KCOV instrumentation for trace_irqsoff.o
tracing: Turn hist_elt_data field_var_str into a flexible array
tracing: Move trace_iterator_increment() into trace_find_next_entry_inc()
tracing: Simplify pages allocation for tracing_map logic
tracing: Fix README path for synthetic_events
tracing: Use krealloc_array() for trace option array growth
tracing/branch: Use pr_warn() instead of printk(KERN_WARNING)
tracing: Allow perf to read synthetic events
HID: Use trace_call__##name() at guarded tracepoint call sites
cpufreq: amd-pstate: Use trace_call__##name() at guarded tracepoint call site
tracefs: Fix typo in a comment of eventfs_callback() kerneldoc
tracing: Switch trace_recursion_record.c code over to use guard()
tracing: Remove local variable for argument detection from trace_printk()
tracepoint: Add lockdep rcu_is_watching() check to trace_##name##_enabled()
tracing: Bound synthetic-field strings with seq_buf
seq_buf: Export seq_buf_putmem_hex() and add KUnit tests
tracing: Remove redundant IS_ERR() check in trace_pipe_open()
Daniel Zahka [Wed, 17 Jun 2026 10:39:49 +0000 (03:39 -0700)]
eth: fbnic: take netif_addr_lock_bh() around rx mode address programming
When __fbnic_set_rx_mode() is called from contexts other than
.ndo_set_rx_mode_async(), the uc and mc addr lists are accessed
without the addr lock that __hw_addr_sync_dev() and
__hw_addr_unsync_dev() require. Wrap these unprotected accesses with
netif_addr_lock_bh(). fbnic_clear_rx_mode() has similar issues.
Doruk Tan Ozturk [Wed, 17 Jun 2026 07:58:18 +0000 (09:58 +0200)]
tipc: fix slab-use-after-free Read in tipc_aead_decrypt_done
tipc_aead_decrypt() goes straight from tipc_bearer_hold(b) to
crypto_aead_decrypt(req) without taking a reference on the netns, unlike
the encrypt path. When crypto_aead_decrypt() is offloaded asynchronously
(e.g. the SIMD aead wrapper queuing to cryptd), the cryptd worker runs
tipc_aead_decrypt_done() later. If the bearer's netns is torn down in the
meantime, cleanup_net() -> tipc_exit_net() -> tipc_crypto_stop() frees the
per-netns tipc_crypto, and the completion then reads it:
tipc_aead_decrypt_done() dereferences aead->crypto->stats and
aead->crypto->net, and tipc_crypto_rcv_complete() dereferences
aead->crypto->aead[] and the node table -- reading freed memory.
This is the same class of bug that commit e279024617134 ("net/tipc: fix
slab-use-after-free Read in tipc_aead_encrypt_done") fixed for the encrypt
side. The encrypt path takes maybe_get_net(aead->crypto->net) before
crypto_aead_encrypt() and drops it with put_net() on the synchronous
return paths and in tipc_aead_encrypt_done(); the -EINPROGRESS/-EBUSY
return keeps the reference for the async callback to release. The decrypt
path was left without the equivalent guard.
Mirror the encrypt-side fix on the decrypt path: take a net reference
before crypto_aead_decrypt() (failing with -ENODEV and the matching
bearer put if it cannot be acquired), keep it across the
-EINPROGRESS/-EBUSY async return, and drop it with put_net() on the
synchronous success/error return and at the end of
tipc_aead_decrypt_done().
Reproduced under KASAN on v7.1-rc7: a UDP bearer with a cluster key is
flooded with crafted encrypted frames from an unknown peer (driving the
cluster-key decrypt path) while the bearer's netns is repeatedly torn
down. The completion must run asynchronously to outlive
tipc_crypto_stop(); on x86 the stock aesni gcm(aes) now decrypts
synchronously, so the async path was exercised via cryptd offload. The
unguarded aead->crypto dereference in tipc_aead_decrypt_done() is the
unpatched upstream path; tipc_aead_decrypt() still lacks
maybe_get_net(aead->crypto->net), so the completion can outlive the free
on any config where crypto_aead_decrypt() goes async.
Found by 0sec automated security-research tooling (https://0sec.ai).
Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication") Cc: stable@vger.kernel.org Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai> Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com> Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20260617075818.37431-1-doruk@0sec.ai Signed-off-by: Jakub Kicinski <kuba@kernel.org>
net: rds: check cmsg_len before reading rds_rdma_args in size pass
rds_rm_size() handles RDS_CMSG_RDMA_ARGS after only CMSG_OK() and then
calls rds_rdma_extra_size(), which reads args->local_vec_addr and
args->nr_local without first checking that cmsg_len covers struct
rds_rdma_args. The other two RDS_CMSG_RDMA_ARGS consumers already guard
this: rds_rdma_bytes() in rds_sendmsg() and rds_cmsg_rdma_args() in
rds_cmsg_send() both reject cmsg_len < CMSG_LEN(sizeof(struct
rds_rdma_args)). Add the same check to rds_rm_size() so all three RDMA
args passes are consistent.
This is a consistency and hardening change with no behavioral effect for
well-formed senders and no reachable bug today: rds_rdma_bytes() runs
before rds_rm_size() in rds_sendmsg() and already rejects a short
RDS_CMSG_RDMA_ARGS, so the size pass is not reached with an undersized
cmsg. But rds_rm_size() reads the args independently of that earlier
pass, and nothing in rds_rm_size() itself records or enforces the
precondition, so a reader or a future refactor of the size pass cannot
tell the cmsg has already been length-checked. Applying the same
cmsg_len guard in all three RDS_CMSG_RDMA_ARGS consumers keeps that
invariant local to each and robust to reordering.
Rongguang Wei [Wed, 17 Jun 2026 09:28:54 +0000 (17:28 +0800)]
net: wangxun: don't advertise IFF_SUPP_NOFCS
Like commit a24162f18825("i40e: don't advertise IFF_SUPP_NOFCS"),
ngbe and txgbe also advertises IFF_SUPP_NOFCS and allowing users
to use the SO_NOFCS socket option. But the driver does not check
skb->no_fcs, so this option is silently ignored.
With this change, send() fails with -EPROTONOSUPPORT when AF_PACKET
socket is set SO_NOFCS option.
Ido Schimmel [Wed, 17 Jun 2026 10:43:23 +0000 (13:43 +0300)]
selftests: vlan_bridge_binding: Fix flaky operational state check
check_operstate() busy waits for up to one second for the operational
state to change to the expected state. This is not enough since carrier
loss events can be delayed by the kernel for up to one second (see
__linkwatch_run_queue()), leading to sporadic failures.
Fix by increasing the busy wait period to two seconds.
Fixes: dca12e9ab760 ("selftests: net: Add a VLAN bridge binding selftest") Reported-by: Jakub Kicinski <kuba@kernel.org> Closes: https://lore.kernel.org/netdev/20260616092733.3a31be4d@kernel.org/ Signed-off-by: Ido Schimmel <idosch@nvidia.com> Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org> Reviewed-by: Petr Machata <petrm@nvidia.com> Link: https://patch.msgid.link/20260617104323.1069457-1-idosch@nvidia.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Dawei Feng [Tue, 16 Jun 2026 14:24:24 +0000 (22:24 +0800)]
net: ena: clean up XDP TX queues when regular TX setup fails
create_queues_with_size_backoff() creates XDP TX queues before setting
up the regular TX path. If the subsequent allocation or creation of
regular TX queues fails, the error handling paths omit the teardown of the
XDP TX queues, leading to a resource leak.
Fix this by explicitly destroying the XDP TX queue subset at the two
missing failure points.
The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available. Manual inspection confirms that the bug is still
present in v7.1-rc7.
An x86_64 allyesconfig build showed no new warnings. As we do not have
an ENA device to test with, no runtime testing was able to be performed.
Fixes: 548c4940b9f1 ("net: ena: Implement XDP_TX action") Cc: stable@vger.kernel.org Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn> Reviewed-by: Arthur Kiyanovski <akiyano@amazon.com> Tested-by: Arthur Kiyanovski <akiyano@amazon.com> Link: https://patch.msgid.link/20260616142424.4005130-1-dawei.feng@seu.edu.cn Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Ankit Garg [Wed, 17 Jun 2026 01:32:08 +0000 (18:32 -0700)]
gve: fix header buffer corruption with header-split and HW-GRO
The DQO RX datapath programs a per-buffer-queue-descriptor
header_buf_addr at post time and reads the split header back at
completion time. Both the post and the read currently index the
header buffer by queue position rather than by the buffer's identity:
- post (gve_rx_post_buffers_dqo): header_buf_addr is computed from
bufq->tail
- read (gve_rx_dqo): the header is read from desc_idx (the completion
queue head index)
This relies on the buffer-queue index and the completion-queue index
being equal for the start of every packet, i.e. on the device consuming
posted buffers and returning completions in the exact same order. That
assumption does not hold once HW-GRO is enabled with multiple
flows: coalesced segments are accepted and completed in an order that
may differ from the order buffers were posted, and segments from
different flows may interleave.
That results in two problems:
1. Wrong header slot on read. Because the read offset is derived from
the completion index (desc_idx) while the device wrote the header to
the address programmed for the buffer's buf_id, the driver can copy
a header belonging to a different packet. This shows up as
throughput drop (about 30% drop and large numbers of TCP
retransmissions) with header-split and HW-GRO both enabled and many
streams.
2. Header buffer reused while still owned by the device. The driver
advances bufq->head by one per completion and re-posts buffers based
on that. Arrival of N RX completions only guarantees that at least N
RX buffer descriptors have been read by the device. It does not
guarantee that the device has relinquished the ownership of all the
buffers corresponding to those N descriptors. With out-of-order
completions (e.g. the completion for a packet copied into buffer N
arrives before the completion for a packet copied into buffer N-1),
the driver can re-post and overwrite a header buffer that the device
is still going to write into, corrupting the header of a packet
whose completion has not yet been processed.
Fix both issues by indexing the header buffer by buf_id on both the post
and read paths. Reading from buf_id's slot is therefore always correct
regardless of completion ordering (fixes problem 1).
Indexing by buf_id also ties each header slot to the lifetime of its
buffer state. A buffer state is only returned to the free/recycle lists
when its own completion (buf_id) is processed, so its header slot can
only be re-posted after the device is done with it. This makes header
slot reuse safe under out-of-order completions (fixes problem 2).
Allocate (gve_rx_alloc_hdr_bufs) and free (gve_rx_free_hdr_bufs) the
header buffers based on num_buf_states to match the buf_id indexing.
Cc: stable@vger.kernel.org Fixes: 5e37d8254e7f ("gve: Add header split data path") Signed-off-by: Ankit Garg <nktgrg@google.com> Reviewed-by: Praveen Kaligineedi <pkaligineedi@google.com> Reviewed-by: Jordan Rhee <jordanrhee@google.com> Reviewed-by: Harshitha Ramamurthy <hramamurthy@google.com> Signed-off-by: Joshua Washington <joshwash@google.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Link: https://patch.msgid.link/20260617013208.3781453-1-joshwash@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Maoyi Xie [Tue, 16 Jun 2026 17:38:41 +0000 (01:38 +0800)]
net: thunderbolt: Fix frags[] overflow by bounding frame_count
tbnet_poll() assembles a multi-frame ThunderboltIP packet into one skb. The
first frame goes into the skb linear area and every further frame is added as
a page fragment.
A packet of frame_count frames therefore ends up with frame_count - 1
fragments. tbnet_check_frame() only bounds the peer supplied frame_count to
TBNET_RING_SIZE / 4 (64), which is far above MAX_SKB_FRAGS (17 by default). A
peer that sends a packet of 19 or more small frames pushes nr_frags past
MAX_SKB_FRAGS, so skb_add_rx_frag() writes past skb_shinfo()->frags[] and
corrupts memory after the shared info.
Tighten the start of packet bound to MAX_SKB_FRAGS + 1 so a packet can never
produce more fragments than frags[] can hold. This matches the recent skb
frags overflow fixes in other receive paths, for example f0813bcd2d9d ("net:
wwan: t7xx: fix potential skb->frags overflow in RX path") and 600dc40554dc
("net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()").
Fixes: e69b6c02b4c3 ("net: Add support for networking over Thunderbolt cable") Cc: stable@vger.kernel.org Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com> Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com> Link: https://patch.msgid.link/178163152194.2486768.14724194232649760778@maoyixie.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Breno Leitao [Tue, 16 Jun 2026 16:09:52 +0000 (09:09 -0700)]
netconsole: don't drop the last byte of a full-sized message
nt->buf is exactly MAX_PRINT_CHUNK bytes, but scnprintf() reserves one
byte for its NUL terminator, so a non-fragmented payload of exactly
MAX_PRINT_CHUNK loses its last byte (emitted as a stray NUL in the
release path). Grow nt->buf to MAX_PRINT_CHUNK + 1 and bound the
scnprintf() calls with sizeof(nt->buf); the transmitted length stays
capped at MAX_PRINT_CHUNK.
Alternatively, nt->buf could be left at MAX_PRINT_CHUNK and the NUL byte
reserved by routing exactly-MAX_PRINT_CHUNK payloads to fragmentation
('len < MAX_PRINT_CHUNK'), at the cost of fragmenting those messages.
But it would look less sane, thus the current approach.
Yun Zhou [Tue, 16 Jun 2026 12:30:57 +0000 (20:30 +0800)]
flow_dissector: check device type before reading ETH_ADDRS
__skb_flow_dissect() unconditionally reads 12 bytes from eth_hdr(skb)
when FLOW_DISSECTOR_KEY_ETH_ADDRS is requested. This assumes the skb
has a valid Ethernet header at mac_header, which is not always the case.
The problem can be triggered by:
1. Creating a TUN device in L3 mode (IFF_TUN, hard_header_len=0)
2. Attaching a multiq qdisc with a flower filter matching on eth_src
3. Sending a packet through AF_PACKET
Since TUN in L3 mode has no link-layer header, mac_header points to
the L3 data area. The flow dissector reads 12 bytes of uninitialized
skb memory, which then propagates through fl_set_masked_key() and is
used as a rhashtable lookup key in __fl_lookup(), as reported by KMSAN.
Rejecting the filter in the control path (at tc filter add time) is
not feasible because TC filter blocks can be shared between arbitrary
devices -- a filter installed on an Ethernet device may later classify
packets on a headerless device through a shared block. The device
association is not fixed at filter creation time.
Fix this by gating the memcpy on dev->type == ARPHRD_ETHER, which
ensures only true Ethernet-framed packets have their addresses read.
This is more precise than the previous hard_header_len >= 12 check,
which would incorrectly pass for non-Ethernet link types like IPoIB
(ARPHRD_INFINIBAND, hard_header_len=24) and FDDI (hard_header_len=21)
whose L2 headers are not in Ethernet format. Additionally check
skb_mac_header_was_set() to guard against the pathological case where
mac_header is the unset sentinel (~0U), which would cause eth_hdr() to
return a wild pointer.
For the act_mirred redirect case (Ethernet packet redirected to a
non-Ethernet device sharing a TC block), zeroing the key is the correct
behavior: the packet is now being classified on the target device, where
Ethernet address matching is not semantically meaningful.
Note: on non-Ethernet devices, the zeroed key will match a filter
configured with all-zero MAC addresses. This is an improvement over the
previous behavior where uninitialized memory could randomly match any
filter.
Reported-by: syzbot+fa2f5b1fb06147be5e16@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=fa2f5b1fb06147be5e16 Fixes: 67a900cc0436 ("flow_dissector: introduce support for Ethernet addresses") Signed-off-by: Yun Zhou <yun.zhou@windriver.com> Link: https://patch.msgid.link/20260616123057.482154-1-yun.zhou@windriver.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Lukasz Raczylo [Tue, 16 Jun 2026 13:23:03 +0000 (15:23 +0200)]
net: macb: add TX stall timeout callback to recover from lost TSTART write
The MACB found in the Raspberry Pi RP1 suffers from sporadic stalls on
the TX queue.
While the exact root cause is not yet fully understood, it is likely
related to a hardware issue where a TSTART write to the NCR register
is missed, preventing the transmission from being kicked off.
Implement a timeout callback to handle TX queue stalls, triggering the
existing restart mechanism to recover.
Link: https://lore.kernel.org/all/20260514215459.36109-1-lukasz@raczylo.com/ Fixes: dc110d1b23564 ("net: cadence: macb: Add support for Raspberry Pi RP1 ethernet controller") Signed-off-by: Lukasz Raczylo <lukasz@raczylo.com> Co-developed-by: Steffen Jaeckel <sjaeckel@suse.de> Signed-off-by: Steffen Jaeckel <sjaeckel@suse.de> Co-developed-by: Andrea della Porta <andrea.porta@suse.com> Signed-off-by: Andrea della Porta <andrea.porta@suse.com> Reviewed-by: Nicolai Buchwitz <nb@tipi-net.de> Reviewed-by: Théo Lebrun <theo.lebrun@bootlin.com> Link: https://patch.msgid.link/468f480454a314303bac6a54780b153f689f2267.1781598350.git.andrea.porta@suse.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Wayen Yan [Tue, 16 Jun 2026 11:52:36 +0000 (19:52 +0800)]
net: airoha: fix foe_check_time allocation size
foe_check_time is declared as u16 pointer but was allocated with
only ppe_num_entries bytes instead of ppe_num_entries * sizeof(u16).
When airoha_ppe_foe_verify_entry() is called with hash >= ppe_num_entries/2,
it writes beyond the allocated buffer, causing heap buffer overflow and
potential kernel crash.
Fixes: 6d5b601d52a2 ("net: airoha: ppe: Dynamically allocate foe_check_time array in airoha_ppe struct") Signed-off-by: Wayen Yan <win847@gmail.com> Acked-by: Lorenzo Bianconi <lorenzo@kernel.org> Link: https://patch.msgid.link/178161119471.2163752.14373384830691569758@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Cosmin Ratiu [Tue, 16 Jun 2026 11:06:33 +0000 (14:06 +0300)]
devlink: Fix parent ref leak on tc-bw failure
When a node is created via rate-new with tc-bw and a parent node,
devlink_nl_rate_set() executes the sequence of ops. It bails out on the
first failure and doesn't rollback anything. For most things that is
fine (setting some numbers), but the parent set can leak if there's
another failure after that.
That is precisely what happens when parent setting isn't the last block
in the function. After the referenced "Fixes" commit, when tc-bw fails
to be set the function bails out after having set the parent and
incremented its refcount.
There are two callers:
- devlink_nl_rate_set_doit() is fine, it just reports the error.
- but devlink_nl_rate_new_doit() frees the newly created node and leaks
the parent refcnt.
Fix that by reordering the blocks so parent setting is last and adding a
comment explaining this so future modification preserve the ordering
(hopefully).
Fixes: 566e8f108fc7 ("devlink: Extend devlink rate API with traffic classes bandwidth management") Signed-off-by: Cosmin Ratiu <cratiu@nvidia.com> Reviewed-by: Carolina Jubran <cjubran@nvidia.com> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20260616110633.1449432-3-cratiu@nvidia.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Cosmin Ratiu [Tue, 16 Jun 2026 11:06:32 +0000 (14:06 +0300)]
devlink: Fix parent ref leak in devl_rate_node_create()
In the original commit the function bails out on kstrdup failure,
forgetting to decrement the refcnt of the parent.
Fix that by moving the parent refcnt setting after kstrdup.
Fixes: caba177d7f4d ("devlink: Enable creation of the devlink-rate nodes from the driver") Signed-off-by: Cosmin Ratiu <cratiu@nvidia.com> Reviewed-by: Carolina Jubran <cjubran@nvidia.com> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20260616110633.1449432-2-cratiu@nvidia.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Junrui Luo [Mon, 15 Jun 2026 15:04:27 +0000 (23:04 +0800)]
octeontx2-af: cn10k: restrict VF LMTLINE sharing to its own PF
rvu_mbox_handler_lmtst_tbl_setup() uses req->base_pcifunc as a direct
index into the LMT map table to read another function's LMTLINE
physical base address and copy it into the caller's own LMT map table
entry. The mailbox dispatcher authenticates req->hdr.pcifunc from the
IRQ source, but req->base_pcifunc is a separate payload field and is
not sanitized.
Reject the request with -EPERM when a VF caller's base_pcifunc is not a
valid function under its own PF. is_pf_func_valid() bounds the FUNC field
to the PF's configured VF count, keeping the computed index inside the
caller's own slot block.
Ruoyu Wang [Mon, 15 Jun 2026 12:50:42 +0000 (20:50 +0800)]
net: pch_gbe: handle TX skb allocation failure
pch_gbe_alloc_tx_buffers() allocates an skb for each TX descriptor and
then passes the returned pointer to skb_reserve(). If netdev_alloc_skb()
fails, skb_reserve() dereferences NULL.
Make pch_gbe_alloc_tx_buffers() return an error when an skb allocation
fails. On failure, let pch_gbe_alloc_tx_buffers() clean the partially
allocated TX ring before returning the error. While bringing the device
up, release the RX buffer pool through a shared cleanup helper before
unwinding the IRQ setup.
Cc: stable+noautosel@kernel.org # untested fix to unlikely error path Fixes: 77555ee72282 ("net: Add Gigabit Ethernet driver of Topcliff PCH") Signed-off-by: Ruoyu Wang <ruoyuw560@gmail.com> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20260615125043.3537046-1-ruoyuw560@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Wentao Guan [Tue, 16 Jun 2026 06:40:53 +0000 (14:40 +0800)]
net: llc: make empty have static storage duration
Make @empty have static storage duration (like net/sysctl_net.c does)
to avoid storing a bad pointer, and keep consistent with
__register_sysctl_table @table 'should not be free'd after registration'.
Note that this is _not_ a bug, since size is 0 the pointer will
never get deferenced.
Ioana Ciornei [Tue, 16 Jun 2026 10:54:30 +0000 (13:54 +0300)]
dpaa2-switch: fix VLAN upper check not rejecting bridge join
The blamed commit refactored the prechangeupper event handling but
failed to actually return an error in case
dpaa2_switch_prevent_bridging_with_8021q_upper() detected a 802.1q upper
on a port which tries to join a bridge. Fix this by returning err
instead of 0.
Xiang Mei [Tue, 16 Jun 2026 04:28:37 +0000 (21:28 -0700)]
virtio-net: fix len check in receive_big()
receive_big() bounds the device-announced length by
(big_packets_num_skbfrags + 1) * PAGE_SIZE. That is still too loose:
add_recvbuf_big() sets sg[1] to start at offset
sizeof(struct padded_vnet_hdr) into the first page, so the chain
actually carries hdr_len + (PAGE_SIZE - sizeof(padded_vnet_hdr)) +
big_packets_num_skbfrags * PAGE_SIZE bytes -- 20 bytes less than the
check allows for the common hdr_len == 12 case.
A malicious virtio backend can announce a len in that gap. page_to_skb()
then walks one frag past the page chain, storing a NULL page->private
into skb_shinfo()->frags[MAX_SKB_FRAGS], which is both an out-of-bounds
write past the static frag array and a NULL frag handed up the rx path.
Bound len by the size add_recvbuf_big() actually advertised.
Fixes: 0c716703965f ("virtio-net: fix received length check in big packets") Reported-by: Weiming Shi <bestswngs@gmail.com> Signed-off-by: Xiang Mei <xmei5@asu.edu> Reviewed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Bui Quang Minh <minhquangbui99@gmail.com> Link: https://patch.msgid.link/20260616042837.2249468-1-xmei5@asu.edu Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Zihan Xi [Sat, 13 Jun 2026 17:42:40 +0000 (01:42 +0800)]
selftests/tc-testing: act_ct: add TDC test for skb cb preservation across defrag
Add a tc-testing case that sends IPv4 fragments through act_ct on clsact
egress while a root prio qdisc is present on the transmit path.
The test verifies that packet processing and qdisc accounting continue
to work after conntrack defragmentation, covering tc_skb_cb preservation
across defragmentation.
Zihan Xi [Sat, 13 Jun 2026 17:42:39 +0000 (01:42 +0800)]
net/sched: act_ct: preserve tc_skb_cb across defragmentation
tcf_ct_handle_fragments() calls nf_ct_handle_fragments() without saving
and restoring skb->cb. The defrag helper clears IPCB/IP6CB, which aliases
the tc_skb_cb/qdisc_skb_cb control buffer. Fragmented traffic through
act_ct therefore loses qdisc metadata such as pkt_segs and can trigger
WARN_ON_ONCE() in qdisc_pkt_segs() when panic_on_warn is enabled.
Save and restore the full tc_skb_cb around nf_ct_handle_fragments(),
matching the pattern used by ovs_ct_handle_fragments().
Fixes: ec624fe740b4 ("net/sched: Extend qdisc control block with tc control block") Cc: stable@vger.kernel.org Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Yifan Wu <yifanwucs@gmail.com> Reported-by: Juefei Pu <tomapufckgml@gmail.com> Reported-by: Xin Liu <bird@lzu.edu.cn> Signed-off-by: Zihan Xi <xizh2024@lzu.edu.cn> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> Link: https://patch.msgid.link/510c51217fd7aaf29c6dc298bab8d643fe229b1c.1781358692.git.xizh2024@lzu.edu.cn Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Linus Torvalds [Fri, 19 Jun 2026 00:21:54 +0000 (17:21 -0700)]
Merge tag 'media/v7.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
Pull media updates from Mauro Carvalho Chehab:
- v4l2:
- core: fix subdev sensor ownership
- subdev: Allow accessing routes with STREAMS client capability
- ctrls: Add validation for HEVC active reference counts and
background detection control
- common: Add YUV24 format info and has_alpha helper
- vb2: Change vb2_read() and vb2_write() return types to ssize_t
Kees Cook [Mon, 23 Mar 2026 01:27:25 +0000 (01:27 +0000)]
string: Remove strncpy() from the kernel
strncpy() has been a persistent source of bugs due to its ambiguous
intended usage and frequently counter-intuitive semantics: it may not
NUL-terminate the destination, and it unconditionally zero-pads to the
full length, which isn't always needed. All former callers have been
migrated[1] to:
- strscpy() for NUL-terminated destinations
- strscpy_pad() for NUL-terminated destinations needing zero-padding
- strtomem_pad() for non-NUL-terminated fixed-width fields
- memcpy_and_pad() for bounded copies with explicit padding
- memcpy() for known-length copies
Remove the generic implementation, its declaration, the FORTIFY_SOURCE
wrapper, and associated tests.
Linus Torvalds [Thu, 18 Jun 2026 23:38:36 +0000 (16:38 -0700)]
Merge tag 'cxl-for-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl
Pull CXL updates from Dave Jiang:
"A collection of CXL fixes and changes, including an update to
MAINTAINERS to add Ming Li as a CXL subsystem reviewer.
There's also a series to introduce devm_cxl_probe_mem() core API in
order to pave the way for CXL type2 device drivers to setup and
retrieve CXL region resource during probe"
* tag 'cxl-for-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl: (26 commits)
cxl: Add dummy function for cxl_memdev_attach_region for !CONFIG_CXL_REGION
cxl/region: Introduce devm_cxl_probe_mem()
cxl/memdev: Introduce cxl_class_memdev_type
cxl/memdev: Pin parents for entire memdev lifetime
cxl/region: Resolve region deletion races
cxl/region: Block region delete during region creation
cxl/region: Fill first free targets[] slot during auto-discovery
cxl/region: Fix out-of-bounds access in cxl_cancel_auto_attach()
tools/testing/cxl: Resolve auto-region decoder targets like real HW
cxl: Align interleave decode/encode helpers with their callers
cxl/test: Add check after kzalloc() memory in alloc_mock_res()
cxl/test: Unregister cxl_acpi in cxl_test_init() error path
cxl/test: Zero out LSA backing memory to avoid leaking to user
cxl/test: Fix integer overflow in mock LSA bounds checks
cxl/test: Verify cmd->size_in before accessing payload
cxl/port: update reference to removed CONFIG_PROVE_CXL_LOCKING
cxl/region: Avoid variable shadowing in region attach paths
cxl: Fix CXL_HEADERLOG_SIZE to match RAS Capability size
cxl/pci: Convert PCIBIOS errors to errno on DVSEC config accesses
cxl/pci: Fix the incorrect check of pci_read_config_word() return
...
strncpy() has no remaining callers in the kernel[1]. Remove the
xtensa-specific inline assembly implementation and __HAVE_ARCH_STRNCPY
define, falling back to the generic version in lib/string.c.
strncpy() has no remaining callers in the kernel[1]. Remove the
x86-32-specific inline assembly implementation and __HAVE_ARCH_STRNCPY
define, falling back to the generic version in lib/string.c.
strncpy() has no remaining callers in the kernel[1]. Remove the
powerpc-specific assembly implementation from both the kernel
(arch/powerpc/lib/string.S) and the boot wrapper
(arch/powerpc/boot/string.S), along with the __HAVE_ARCH_STRNCPY
define and declaration, falling back to the generic version in
lib/string.c.
The boot wrapper's strncpy had no callers in arch/powerpc/boot/.
strncpy() has no remaining callers in the kernel[1]. Remove the
m68k-specific inline assembly implementation and __HAVE_ARCH_STRNCPY
define, falling back to the generic version in lib/string.c.
strncpy() has no remaining callers in the kernel[1]. Remove the
alpha-specific assembly implementation and __HAVE_ARCH_STRNCPY define,
falling back to the generic version in lib/string.c.
The __stxncpy helper (stxncpy.S/ev6-stxncpy.S) is retained as it is
still used by strncat.
Linus Torvalds [Thu, 18 Jun 2026 23:27:58 +0000 (16:27 -0700)]
Merge tag 'libnvdimm-for-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm
Pull nvdimm/dax updates from Alison Schofield:
- Fix a race condition and a couple of static analysis issues in BTT
- Use sysfs_emit() in preparation for removal of cpumap_print_to_pagebuf()
- Escalate a dev_dbg to dev_err in a resource conflict message
- MAINTAINER file updates
* tag 'libnvdimm-for-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
MAINTAINERS: nvdimm: Include maintainer profile
MAINTAINERS: Update address for Ira Weiny
MAINTAINERS: Add maintainer info for libnvdimm and DAX
nvdimm: Use sysfs_emit() for cpumask show callback
dax/bus: Upgrade resource conflict message to dev_err() in alloc_dax_region()
nvdimm/btt: Free arenas on btt_init() error paths
nvdimm/btt: Free arena sub-allocations on discover_arenas() error path
nvdimm/btt: Handle preemption in BTT lane acquisition
Linus Torvalds [Thu, 18 Jun 2026 23:18:33 +0000 (16:18 -0700)]
Merge tag 'pmdomain-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm
Pull pmdomain updates from Ulf Hansson:
"pmdomain core:
- Add OF helpers for parsing the power-domains-child-ids property
- Extend the power domain DT binding with power-domains-child-ids
- Switch to use the dynamic root device
pmdomain providers:
- arm: Add support for domain hierarchies to SCMI power domains
- qcom: Add power domains for the Shikra and Nord SoCs
- sunxi: Fix GPU support on Radxa Cubie A7Z by keeping power domain on"
* tag 'pmdomain-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm:
pmdomain: core: fix unused variable warning with !PM_GENERIC_DOMAINS_OF
pmdomain: core: fix early domain registration
pmdomain: mediatek: mfg: move __packed after struct name to fix kernel-doc
pmdomain: qcom: rpmpd: Add Shikra RPM Power Domains
pmdomain: qcom: rpmhpd: Add power domains for Nord SoC
dt-bindings: power: qcom,rpmpd: document the Shikra RPM Power Domains
pmdomain: sunxi: support power domain flags for pck600
pmdomain: core: switch to dynamic root device
pmdomain: qcom: Unify user-visible "Qualcomm" name
dt-bindings: power: qcom,rpmhpd: Add RPMh power domain for Nord SoC
dt-bindings: power: qcom,rpmhpd: Fix whitespace in RPMHPD defines
pmdomain: arm_scmi: add support for domain hierarchies
pmdomain: core: add support for power-domains-child-ids
dt-bindings: power: Add power-domains-child-ids property
A response-bearing attempt can return a replayable error and free its
response buffer. If SMB2_query_directory_init() fails before the next send,
cleanup retains the previous buffer type and frees that response again.
Reset response bookkeeping before each attempt to prevent the stale free.
Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set") Cc: stable@vger.kernel.org Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com> Signed-off-by: Steve French <stfrench@microsoft.com>
A response-bearing attempt can return a replayable error and free its
response buffer. If SMB2_notify_init() fails before the next send, cleanup
retains the previous buffer type and frees that response again.
Reset response bookkeeping before each attempt to prevent the stale free.
Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set") Cc: stable@vger.kernel.org Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com> Signed-off-by: Steve French <stfrench@microsoft.com>
A response-bearing attempt can return a replayable error and free its
response buffer. If SMB2_query_info_init() fails before the next send,
cleanup retains the previous buffer type and frees that response again.
Reset response bookkeeping before each attempt to prevent the stale free.
Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set") Cc: stable@vger.kernel.org Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com> Signed-off-by: Steve French <stfrench@microsoft.com>
smb: client: fix double-free in SMB2_close() replay
A response-bearing attempt can return a replayable error and free its
response buffer. If SMB2_close_init() fails before the next send, cleanup
retains the previous buffer type and frees that response again.
Reset response bookkeeping before each attempt to prevent the stale free.
Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set") Cc: stable@vger.kernel.org Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com> Signed-off-by: Steve French <stfrench@microsoft.com>
smb: client: fix double-free in SMB2_ioctl() replay
A response-bearing attempt can return a replayable error and free its
response buffer. If SMB2_ioctl_init() fails before the next send, cleanup
retains the previous buffer type and frees that response again.
Reset response bookkeeping before each attempt to prevent the stale free.
Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set") Cc: stable@vger.kernel.org Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com> Signed-off-by: Steve French <stfrench@microsoft.com>
smb: client: fix double-free in SMB2_open() replay
A response-bearing attempt can return a replayable error and free its
response buffer. If SMB2_open_init() fails before the next send, cleanup
retains the previous buffer type and frees that response again.
Reset response bookkeeping before each attempt to prevent the stale free.
Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set") Cc: stable@vger.kernel.org Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com> Signed-off-by: Steve French <stfrench@microsoft.com>
Zhao Zhang [Thu, 18 Jun 2026 15:28:05 +0000 (23:28 +0800)]
smb: client: fix double-free in SMB2_flush() replay
SMB2_flush() keeps its response buffer bookkeeping across replay
attempts. If a replayable flush response is received and the retry then
fails before cifs_send_recv() stores a replacement response, flush_exit
will free the stale response pointer a second time.
Reinitialize resp_buftype and rsp_iov at the top of the replay loop so
cleanup only acts on response state produced by the current attempt.
This fixes a double-free without changing replay handling for successful
requests.
Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set") Cc: stable@vger.kernel.org Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Zhengchuan Liang <zcliangcn@gmail.com> Reported-by: Xin Liu <bird@lzu.edu.cn> Assisted-by: Codex:GPT-5.4 Acked-by: Henrique Carvalho <henrique.carvalho@suse.com> Signed-off-by: Zhao Zhang <zzhan461@ucr.edu> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> Signed-off-by: Steve French <stfrench@microsoft.com>
Remove the reference to the obsolete kselftest wiki.
The kselftest wiki is marked obsolete and is no longer updated. The last
edit was in 2019, and the information is outdated, referring readers for
support to IRC networks that have not been used for years, and to kernel
versions that are no longer supported.
If there is any relevant information left in the wiki it needs to be
cleaned up and moved into the canonical kselftest documentation here.
Link: https://lore.kernel.org/r/20260115172817.7120-1-bacs@librecast.net Signed-off-by: Brett A C Sheffield <bacs@librecast.net> Acked-by: Bagas Sanjaya <bagasdotme@gmail.com> Acked-by: SeongJae Park <sj@kernel.org> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Linus Torvalds [Thu, 18 Jun 2026 22:03:21 +0000 (15:03 -0700)]
Merge tag 'pinctrl-v7.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
Pull pin control updates from Linus Walleij:
"Core changes:
- Add new generic callbacks to populate per-pin pin controllers
creating groups and functions from the device tree building out
pinctrl_generic_to_map() and move the Spacemit driver over to use
this
- Generic board-level pin control driver using the mux framework
New pin controller drivers:
- Amlogic (meson) A9 SoC
- Aspeed AST2700 SoC0 and SoC1
- nVidia Tegra264 and Tegra238
- Qualcomm Nord TLMM, Shikra TLMM, SM6350 LPASS LPI, and IPQ9650 TLMM
- Renesas RZ/G3L SoC
- UltraRISC DP1000
Improvements:
- Handle pull up/pull down properly in the Renesas RZG2L driver
- Fix up nVidia Tegra 234 DT bindings
- Fix up pin definitions in the Qualcomm Eliza driver
- Qualcomm PM8010 GPIO support in the PM8010
- Qualcomm SM6115 EGPIO support in the SM6115
- Switch Qualcomm LPASS LPI drivers to use runtime PM for power
management
- Clean up the Qualcomm Kconfig business a bit to include the
necessary drivers for each subarch
- Fix output glitch in the Amlogic (meson) A4 pin controller
- Move the Airoha driver from the Mediatek directory to its own
directory. It is too different from other Mediatek hardware
- A slew of fixes to the Airoha AN7581 and AN7583 drivers"
* tag 'pinctrl-v7.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl: (151 commits)
pinctrl: Export pinctrl_get_group_selector()
pinctrl: Match DT helper types
pinctrl: qcom: Register functions before enabling pinctrl
pinctrl: meson: amlogic-a4: use nolock get range
pinctrl: ultrarisc: Add UltraRISC DP1000 pinctrl driver
dt-bindings: pinctrl: Add UltraRISC DP1000 pinctrl controller
pinctrl: qcom: Remove unused macro definitions
pinctrl: tegra: PINCTRL_TEGRA264 should depend on ARCH_TEGRA
pinctrl: tegra: PINCTRL_TEGRA238 should depend on ARCH_TEGRA
pinctrl: tegra238: add missing AON pin groups
dt-bindings: pinctrl: tegra238: add missing AON pin groups
pinctrl: airoha: an7583: remove undefined groups from pcm_spi pin function
pinctrl: airoha: an7583: fix phy1_led1 pin function
pinctrl: airoha: an7583: add missed gpio22 pin group
pinctrl: airoha: an7583: fix gpio21 pin group
pinctrl: airoha: fix pwm pin function for an7581 and an7583
pinctrl: airoha: an7583: fix incorrect led mapping in phy4_led1 pin function
pinctrl: airoha: an7581: fix incorrect led mapping in phy4_led1 pin function
pinctrl: airoha: an7583: fix misprint in gpio19 pinconf
pinctrl: airoha: an7581: fix misprint in gpio19 pinconf
...
Linus Torvalds [Thu, 18 Jun 2026 21:55:20 +0000 (14:55 -0700)]
Merge tag 'backlight-next-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/backlight
Pull backlight updates from Lee Jones:
"New Support & Features:
- Maxim MAX25014: Add support for the Maxim MAX25014 4-channel
automotive grade backlight driver IC
Improvements & Fixes:
- Maintainers: Add the Congatec Board Controller backlight driver to
its corresponding entry
- Congatec Board Controller: Remove redundant X86 dependency from the
backlight driver
- Kinetic KTD2801: Enable BL_CORE_SUSPENDRESUME to ensure the chip is
powered off during suspend
Cleanups & Refactoring:
- Core: Use named initializers for i2c_device_id arrays to improve
readability and robustness
Device Tree Binding Updates:
- Maxim MAX25014: Add device tree bindings for the Maxim MAX25014
backlight controller"
* tag 'backlight-next-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/backlight:
backlight: Use named initializers for arrays of i2c_device_data
MAINTAINERS: Add cgbc backlight driver
backlight: cgbc: Remove redundant X86 dependency
backlight: Add max25014atg backlight
dt-bindings: backlight: Add max25014 support
backlight: ktd2801: Enable BL_CORE_SUSPENDRESUME
Linus Torvalds [Thu, 18 Jun 2026 21:45:08 +0000 (14:45 -0700)]
Merge tag 'leds-next-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/leds
Pull LED updates from Lee Jones:
"New Support & Features:
- Samsung S2MU005: Add support for the Samsung S2MU005 PMIC which
includes flash and RGB LED controllers
- Texas Instruments:
- LP5812: Add support for the TI LP5812 LED driver
- LP5860: Add support for the Texas Instruments LP5860 LED matrix
driver via SPI
Improvements & Fixes:
- Core:
- Adjust the brightness sysfs node documentation to clarify that
only decimal values are accepted
- Fix a race condition in the software blink logic when stopping
blinking and setting brightness simultaneously
- Introduce the `multi_max_intensity` sysfs attribute for
multicolor LEDs to support hardware-based global brightness
control
- Replace OF-based device lookup with firmware node equivalents
to support ACPI and software nodes
- Return `ENODATA` when reading brightness from
hardware-controlled LEDs
- Set the coherent DMA mask to zero for the Samsung PMIC device
to suppress unnecessary "DMA mask not set" messages
- ams OSRAM AS3668: Fix a Kconfig symbol name mismatch in the
Makefile that prevented the driver from being built
- BlinkM: Fix spelling and comment style issues in the driver
- DAC124S085: Declare the SPI command word as `__le16` to ensure
correct endianness and pass sparse checks
- GPIO Trigger: Use `GPIOD_FLAGS_BIT_NONEXCLUSIVE` to allow sharing
GPIOs between the LED trigger and other drivers
- NXP PCA9532: Fix an issue where the LED would stop blinking when
changing brightness to a non-zero value
- Qualcomm: Unify the user-visible company name to "Qualcomm" across
flash LED config options
- Qualcomm LPG: Optimize memory allocation by combining main
structure and channels into a single allocation using flexible
array members
- Texas Instruments
- LP5860: Add missing `CONFIG_OF` dependency to prevent build
warnings
- TPS6131x: Increase the overvoltage protection threshold to 6V
to avoid false triggers with 5V input supplies
- Userspace LEDs (uLEDs):
- Fix a potential buffer overread by using `strnchr()` for name
string validation
- Return `-EFAULT` on `copy_to_user()` failure to properly handle
read errors
Cleanups & Refactoring:
- Core:
- Convert various `i2c_device_id` arrays to use named
initializers for improved robustness and readability
- Multi-color: Fix incorrect `KernelVersion` and `Date` tags for
the `multi_max_intensity` ABI
- Broadcom BCM63138 / ChromeOS EC: Move `MODULE_DEVICE_TABLE`
declarations next to the ID tables for consistency
- LP5812: Fix a sysfs ABI reference in the documentation
- ST1202: Remove an unused legacy GPIO header include
Device Tree Binding Updates:
- Class: Document the keyboard backlight LED class naming
conventions, including a new scheme for zoned backlights
- Core: Dual-license the common LED bindings header under GPLv2
and BSD-2-Clause
- IR SPI LED: Add a new 30% duty-cycle value for the IR transmitter
used in Xiaomi Redmi Note 8
- Samsung S2M series:
- Document the flash LED device bindings for Samsung S2M series
PMICs
- Document the pattern behavior for Samsung S2M series PMIC RGB
- S2MU005: Add device tree bindings for the S2MU005 PMIC,
including its flash and RGB LED sub-devices
- TI LM3560: Document the TI LM3559 and LM3560 synchronous boost
flash drivers"
* tag 'leds-next-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/leds: (30 commits)
leds: tps6131x: Increase overvoltage protection threshold to 6V
leds: Fix sysfs ABI date
leds: Fix CONFIG_OF dependency for LEDS_LP5860_CORE
leds: uleds: Fix potential buffer overread
leds: Use named initializers for arrays of i2c_device_data
leds: uleds: Return -EFAULT on copy_to_user() failure
leds: core: Report ENODATA for brightness of hardware controlled LED
leds: class: Use firmware nodes for device lookup
Documentation: leds: Document pattern behavior of Samsung S2M series PMIC RGB LEDs
leds: rgb: Add support for Samsung S2M series PMIC RGB LED device
leds: flash: Add support for Samsung S2M series PMIC flash LED device
dt-bindings: leds: Document Samsung S2M series PMIC flash LED device
leds: core: Fix race condition for software blink
leds: Adjust documentation of brightness sysfs node
leds: dac124s085: Declare SPI command word as __le16
leds: Introduce the multi_max_intensity sysfs attribute
dt-bindings: leds: Document TI LM3560 Synchronous Boost Flash Driver
leds: bcm63138/cros_ec: Move MODULE_DEVICE_TABLE next to the table itself
leds: Add support for TI LP5860 LED driver chip
Documentation: leds: leds-class: Document keyboard backlight LED class naming
...
Linus Torvalds [Thu, 18 Jun 2026 21:26:29 +0000 (14:26 -0700)]
Merge tag 'mfd-next-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd
Pull MFD updates from Lee Jones:
"New Support & Features:
- Renesas RSMU: Add support for the IDT 8a34002 Clock Matrix
- Samsung S2MU005: Add support for the Samsung S2MU005 PMIC which
includes charger, MUIC, flash and RGB LED controllers
- SpacemiT P1: Add a reboot cell for the SpacemiT P1 chip
- Texas Instruments BQ25792: Add support for the TI BQ25792 charger
manager
Improvements & Fixes:
- Core: Unify the user-visible company name to "Qualcomm" across
various config options
- ChromeOS EC:
- Delay `dev_set_drvdata()` until the probe process has
successfully completed to avoid use-after-free issues
- Prevent adding `cros_ec_ucsi` as an MFD sub-device if it is
already defined in Device Tree or ACPI
- Cirrus Logic CS42L43: Add a sanity check for firmware size to
prevent out-of-bounds memory access during firmware loading
- Cirrus Logic CS5535: Associate the GPIO cell with a dedicated
software node to support board files requesting GPIOs
- Maxim MAX77620: Modernize poweroff handling by converting to the
sys-off API
- Qualcomm RPM: Add the missing QDSS clock resource for the MSM8960
SoC
- Renesas RSMU: Fix page register setup for the 8A3400x family by
correctly calculating the page address
- Renesas RZ/MTU3:
- Make the reset line optional to support newer SoC variants
(RZ/T2H, RZ/N2H)
- Modernize the driver by using device-managed APIs for reset
control and device addition
- Samsung Core: Set the coherent DMA mask to zero for the Samsung
PMIC device to suppress unnecessary "DMA mask not set" messages
- Silicon Motion SM501: Fix a reference leak on failed device
registration by properly dropping the platform device reference
- Texas Instruments:
- TPS65219: Make poweroff handler registration conditional on the
"system-power-controller" Device Tree property
- TPS6586x: Fix Device Tree node reference counting by manually
bumping the refcount for sub-devices
- TPS65910: Add return value checking for the dummy I2C transfer
used to work around silicon erratum SWCZ010
- TWL4030: Update board-specific checks to use Device Tree
compatibles instead of legacy machine IDs
Cleanups & Refactoring:
- Core: Consistently define `pci_device_id` arrays using named
initializers across various Intel and Silicon Motion drivers
- Maintainers: Shift maintenance of Samsung PMIC drivers to André
Draszik
- Maxim MAX77759: Improve code style by reformatting the IRQ table
and refining macro comments
- MEN MENF21BMC / Texas Instruments TWL: Correctly treat
`i2c_check_functionality()` as returning a boolean status
- Rohm BD72720: Drop the non-existent BUCK11 ID to improve code
clarity
- Silicon Labs Si476x: Fix various spelling mistakes in driver
comments
- Spreadtrum SC27xx: Transition to `devm_mfd_add_devices()` and
separate MFD cell tables for each PMIC model
- Timberdale: Move GPIO pin definitions into the driver and
transition to using a software node for the GPIO cell
- Wolfson WM8994: Remove dead legacy-GPIO code and its associated
`irq_gpio` member
Device Tree Binding Updates:
- Aspeed AST2x00: Document the AST2700 SCU0 and add support for its
SoC0/SoC1 pin controllers
- Hisilicon Hi655x: Convert the Hi655x PMIC binding from text format
to YAML DT schema
- Khadas MCU: Add a new compatible and fan-supply property for the
Khadas VIM4 MCU
- MediaTek MT6397: Add support for the MT6365 PMIC and document
regulator supplies for the MT6359 variant
- Qualcomm TCSR: Add compatibles for Nord and IPQ5210 TCSR blocks
- Renesas RZ/G3L: Revert the addition of the
`renesas,r9a08g046-lvds-cmn` compatible string due to documentation
errors
- Samsung S2MU005: Document the S2MU005 PMIC and its sub-devices
(charger, MUIC, flash and RGB LEDs)
- Spreadtrum SC2731: Include regulator bindings for the SC2730
variant
- STMPE: Fix the schema by marking 'compatible' and '#pwm-cells' as
required for the PWM subnode
- Texas Instruments BQ257xx: Expand the BQ25703A binding to include
the BQ25792 variant
Removals:
- Motorola EZX PCAP: Remove the unused and non-functional driver for
Motorola EZX phones"
* tag 'mfd-next-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd: (47 commits)
dt-bindings: mfd: syscon: Revert renesas,r9a08g046-lvds-cmn
dt-bindings: mfd: st,stmpe: Add missing properties for PWM subnode
mfd: rz-mtu3: Make reset optional
mfd: rz-mtu3: Store &pdev->dev in local variable
mfd: rz-mtu3: Use local variable for reset
mfd: rz-mtu3: Use device-managed APIs
dt-bindings: mfd: aspeed,ast2x00-scu: Support AST2700 SoC1 pinctrl
mfd: tps6586x: Fix OF node refcount
dt-bindings: mfd: sprd,sc2731: Include SC2730 regulator bindings
mfd: twl4030-power: Update checks for specific boards to use the DT
dt-bindings: mfd: qcom,tcsr: Document the IPQ5210 TCSR block
mfd: qcom_rpm: Add msm8960 QDSS clock resource
mfd: si476x-i2c: Fix spelling mistakes in comments
mfd: max77620: Convert poweroff support to sys-off API
mfd: dt-bindings: mt6397: Add regulator supplies
dt-bindings: mfd: mediatek: mt6397: Add MT6365 PMIC support
dt-bindings: mfd: mediatek: mt6397: Add rtc for MT6359
mfd: cs42l43: Sanity check firmware size
mfd: qcom: Unify user-visible "Qualcomm" name
mfd: cros_ec: Delay dev_set_drvdata() until probe success
...
Linus Torvalds [Thu, 18 Jun 2026 21:20:39 +0000 (14:20 -0700)]
Merge tag 'hid-for-linus-2026061601' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid
Pull HID updates from Jiri Kosina:
"Core:
- semantic cleanup fixes for 'hid_device_id::driver_data' (Pawel
Zalewski)
Multitouch:
- UX improvement fixes for Yoga Book 9 (Dave Carey)
Logitech:
- fix for high resolution scrolling for Logitech HID++ 2.0 devices
(Lauri Saurus)
CP2112:
- fix for cp2112 firmware-based speed configuration, if available
(Danny Kaehn)
Wacom:
- memory corruption and scheduling while atomic and error fixes and
error handling fixes (Jinmo Yang, Myeonghun Pak)
New device support:
- OneXPlayer (Derek J. Clark)
- HORI Wireless Switch Pad (Hector Zelaya)
- Rakk Dasig X (Karl Cayme)
And other assorted small fixes and device ID additions"
* tag 'hid-for-linus-2026061601' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid: (39 commits)
HID: hidpp: fix potential UAF in hidpp_connect_event()
HID: logitech-hidpp: sync wheel multiplier on wheel mode changes
HID: intel-thc-hid: intel-quickspi: reset touch IC on system resume
HID: uhid: convert to hid_safe_input_report()
HID: hid-goodix-spi: validate report size to prevent stack buffer overflow
HID: nintendo: add support for HORI Wireless Switch Pad
HID: multitouch: Honor ContactCount for Yoga Book 9 to suppress ghost contacts
HID: pidff: Use correct effect type in effect update
HID: wacom: stop hardware after post-start probe failures
HID: core: demote warning to debug level
HID: lenovo: Use KEY_PERFORMANCE capability for ThinkPad X12 Tab Gen 2
HID: lenovo: Add support for ThinkPad X13 Folio keyboard
HID: cp2112: Configure I2C bus speed from firmware
HID: cp2112: Add fwnode support
HID: hid-lenovo-go: cancel cfg_setup work in hid_go_cfg_remove()
HID: Input: Add battery list cleanup with devm action
HID: logitech-hidpp: remove excess kernel-doc member in hidpp_scroll_counter
HID: wacom: use cleanup.h for wacom_wac_queue_flush() buffer management
HID: wacom: use GFP_ATOMIC in wacom_wac_queue_flush()
HID: wacom: fix slab-out-of-bounds write in wacom_wac_queue_insert
...
Pengpeng Hou [Thu, 11 Jun 2026 06:00:00 +0000 (14:00 +0800)]
kconfig: add optional warnings for changed input values
When reading .config input, Kconfig stores user-provided values first
and then resolves the final value after applying dependencies, ranges,
and other constraints.
If the final value differs from the user input, Kconfig already tracks
that state internally, but it does not provide a focused diagnostic to
show which explicit inputs were adjusted. This is particularly confusing
for requested values that get forced down by unmet dependencies or
clamped by ranges.
Add an opt-in diagnostic controlled by KCONFIG_WARN_CHANGED_INPUT. Emit
the warnings from conf_write() and conf_write_defconfig() after value
resolution. Print the diagnostic to stderr directly, not through the
normal message callback, so it remains visible when conf is run with -s,
such as from make -s.
Keep the diagnostic out of the conf_message() formatting buffer so long
warning lists are not truncated, and mark processed symbols as written
before the SYMBOL_WRITE check so duplicate menu nodes cannot emit
duplicate warnings.
Document the new environment variable and add tests for olddefconfig,
savedefconfig, and the silent-conf path.
Rong Xu [Wed, 17 Jun 2026 22:46:23 +0000 (15:46 -0700)]
modpost: Ignore Clang LTO suffixes in symbol matching
When building the kernel with Clang ThinLTO enabled, the compiler
can mangle static variable names by appending suffixes such as
".llvm.<hash>" to prevent naming collisions across translation units.
This name mangling breaks the section mismatch whitelisting in modpost.
modpost relies on glob patterns (e.g., "*_ops" or "*_probe") to identify
safe references between permanent data and initialization code. Because
the LTO suffix modifies the end of the symbol name, legitimately
whitelisted structures fail the match, resulting in false positive
warnings.
For example, a static pernet_operations struct triggers the following:
Quang Nguyen [Thu, 18 Jun 2026 08:19:30 +0000 (09:19 +0100)]
spi: rpc-if: Use correct device for hardware reinitialization on resume
rpcif_spi_resume() currently passes the SPI controller device to
rpcif_hw_init(), but the function should be called with the RPC
interface device.
Retrieve the rpcif private data from the SPI controller and pass
rpc->dev instead. Also propagate the return value of rpcif_hw_init() so
that a failure during resume is properly reported rather than silently
ignored.
Fixes: ad4728740bd6 ("spi: rpc-if: Add resume support for RZ/G3E") Signed-off-by: Quang Nguyen <quang.nguyen.wx@renesas.com> Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com> Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be> Link: https://patch.msgid.link/20260618081932.172168-1-biju.das.jz@bp.renesas.com Signed-off-by: Mark Brown <broonie@kernel.org>
PCI: host-common: Request bus reassignment when not probe-only
pci_host_common_init() is used by several generic ECAM host drivers.
After PCI core changes around pci_flags and preserve_config, these hosts
no longer opted into full bus number reassignment the way they did
before, which broke enumeration of devices on a Marvell CN106XX board.
When PCI_PROBE_ONLY is not set, add PCI_REASSIGN_ALL_BUS so
pci_scan_bridge_extend() takes the reassignment path: bus numbers can be
assigned from firmware EA data (e.g. pci_ea_fixed_busnrs()). Skip the
flag in probe-only mode so existing assignments are not overridden.
Fixes: 7246a4520b4b ("PCI: Use preserve_config in place of pci_flags") Closes: https://lore.kernel.org/all/abkqm_LCd9zAM8cW@rkannoth-OptiPlex-7090/ Signed-off-by: Ratheesh Kannoth <rkannoth@marvell.com>
[mani: added stable tag] Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
[bhelgaas: add problem report link] Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Cc: stable@vger.kernel.org Cc: Vidya Sagar <vidyas@nvidia.com> Link: https://patch.msgid.link/20260414081730.3864372-1-rkannoth@marvell.com
Hans Zhang [Thu, 21 May 2026 16:18:20 +0000 (00:18 +0800)]
PCI: rockchip: Protect root bus removal with rescan lock
Hold the pci_rescan_remove_lock lock while stopping and removing a root bus
to avoid racing with concurrent rescan or hotplug operations triggered via
sysfs. Such races may lead to use-after-free issues or system crashes.
Hans Zhang [Thu, 21 May 2026 16:18:22 +0000 (00:18 +0800)]
PCI: plda: Protect root bus removal with rescan lock
Hold the pci_rescan_remove_lock lock while stopping and removing a root bus
to avoid racing with concurrent rescan or hotplug operations triggered via
sysfs. Such races may lead to use-after-free issues or system crashes.
Hans Zhang [Thu, 21 May 2026 16:18:19 +0000 (00:18 +0800)]
PCI: mediatek: Protect root bus removal with rescan lock
Hold the pci_rescan_remove_lock lock while stopping and removing a root bus
to avoid racing with concurrent rescan or hotplug operations triggered via
sysfs. Such races may lead to use-after-free issues or system crashes.
Hans Zhang [Thu, 21 May 2026 16:18:18 +0000 (00:18 +0800)]
PCI: iproc: Protect root bus removal with rescan lock
Hold the pci_rescan_remove_lock lock while stopping and removing a root bus
to avoid racing with concurrent rescan or hotplug operations triggered via
sysfs. Such races may lead to use-after-free issues or system crashes.
Hans Zhang [Thu, 21 May 2026 16:18:15 +0000 (00:18 +0800)]
PCI: dwc: Protect root bus removal with rescan lock
Hold the pci_rescan_remove_lock lock while stopping and removing a root bus
to avoid racing with concurrent rescan or hotplug operations triggered via
sysfs. Such races may lead to use-after-free issues or system crashes.
Hans Zhang [Thu, 21 May 2026 16:18:14 +0000 (00:18 +0800)]
PCI: cadence: Protect root bus removal with rescan lock
Hold the pci_rescan_remove_lock lock while stopping and removing a root bus
to avoid racing with concurrent rescan or hotplug operations triggered via
sysfs. Such races may lead to use-after-free issues or system crashes.
Hans Zhang [Thu, 21 May 2026 16:18:17 +0000 (00:18 +0800)]
PCI: brcmstb: Protect root bus removal with rescan lock
Hold the pci_rescan_remove_lock lock while stopping and removing a root bus
to avoid racing with concurrent rescan or hotplug operations triggered via
sysfs. Such races may lead to use-after-free issues or system crashes.
Hans Zhang [Thu, 21 May 2026 16:18:16 +0000 (00:18 +0800)]
PCI: altera: Protect root bus removal with rescan lock
Hold the pci_rescan_remove_lock lock while stopping and removing a root bus
to avoid racing with concurrent rescan or hotplug operations triggered via
sysfs. Such races may lead to use-after-free issues or system crashes.
Linus Torvalds [Thu, 18 Jun 2026 16:42:02 +0000 (09:42 -0700)]
Merge tag 'ext4_for_linus-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4
Pull ext4 updates from Ted Ts'o:
- A major rework of the fast commit mechanism to avoid lock contention
and deadlocks. We also export snapshot statistics in
/proc/fs/ext4/*/fc_info
- Performance optimization for directory hash computation by processing
input in 4-byte chunks and removing function pointers, along with new
KUnit tests for directory hash
- Cleanups in JBD2 to remove special slabs and use kmalloc() instead
- Various bug fixes, including:
- Early validation of donor superblock in EXT4_IOC_MOVE_EXT to
avoid cross-fs deadlock
- Fix for a kernel BUG in ext4_write_inline_data_end under
data=journal
- Fix for a NULL dereference in jbd2_journal_dirty_metadata when
handle is aborted
- Fix for an underflow in JBD2 fast commit block initialization
check
- Fix for LOGFLUSH shutdown ordering to ensure ordered data
writeback
- Miscellaneous fixes for error path return values and KUnit
assertions
* tag 'ext4_for_linus-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
ext4: validate donor file superblock early in EXT4_IOC_MOVE_EXT
ext4: fix kernel BUG in ext4_write_inline_data_end
ext4: fix ERR_PTR(0) in ext4_mkdir()
jbd2: remove special jbd2 slabs
ext4: remove mention of PageWriteback
ext4: improve str2hashbuf by processing 4-byte chunks and removing function pointers
ext4: add Kunit coverage for directory hash computation
ext4: fast commit: export snapshot stats in fc_info
ext4: fast commit: add lock_updates tracepoint
ext4: fast commit: avoid i_data_sem by dropping ext4_map_blocks() in snapshots
ext4: fast commit: avoid self-deadlock in inode snapshotting
ext4: fast commit: avoid waiting for FC_COMMITTING
ext4: lockdep: handle i_data_sem subclassing for special inodes
ext4: fast commit: snapshot inode state before writing log
jbd2: fix integer underflow in jbd2_journal_initialize_fast_commit()
ext4: fix fast commit wait/wake bit mapping on 64-bit
jbd2: check for aborted handle in jbd2_journal_dirty_metadata()
ext4: Use %pe to print PTR_ERR()
ext4: fix LOGFLUSH shutdown ordering to allow ordered-mode data writeback
ext4: replace KUnit tests for memcmp() with KUNIT_ASSERT_MEMEQ()
Linus Torvalds [Thu, 18 Jun 2026 16:21:50 +0000 (09:21 -0700)]
Merge tag 'v7.2-rc-part1-ksmbd-fixes' of git://git.samba.org/ksmbd
Pull smb server updates from Steve French:
- Use after free fixes
- Out of bounds read fix
- Add SMB compression support both at rest and over the wire: support
decompression of compressed SMB2 requests, initially allow compressed
SMB2 READ responses, and implement get/set compression operations for
per-file compression state.
- Credentials fixes: for various FSCTLs, setinfo, delete on close and
for alternate data streams
- Fix access checks and permission checks in DUPLICAT_EXTENTS and
SET_ZERO_DATA fsctls, find_file_posix_info, FILE_LINK_INFORMATION and
smb2_set_info_sec
- Reject non valid session in compound request
- Serialize QUERY_DIRECTORY
- Prevent path traversal bypass by restricting caseless retry
- Path lookup fix
- Two minor cleanup fixes
* tag 'v7.2-rc-part1-ksmbd-fixes' of git://git.samba.org/ksmbd: (31 commits)
ksmbd: fix path resolution in ksmbd_vfs_kern_path_create
ksmbd: use opener credentials for FSCTL mutations
ksmbd: use opener credentials for ADS I/O
ksmbd: require source read access for duplicate extents
ksmbd: run set info with opener credentials
ksmbd: use opener credentials for delete-on-close
ksmbd: serialize QUERY_DIRECTORY requests per file
ksmbd: add permission checks for FSCTL_DUPLICATE_EXTENTS_TO_FILE
ksmbd: enforce FILE_READ_ATTRIBUTES on SMB_FIND_FILE_POSIX_INFORMATION
ksmbd: reject non-VALID session in compound request branch
ksmbd: compress SMB2 READ responses
ksmbd: negotiate and decode SMB2 compression
cifs: negotiate chained SMB2 compression capabilities
smb: add common SMB2 compression transform helpers
smb: move LZ77 compression into common code
ksmbd: add per-handle permission check to FILE_LINK_INFORMATION
ksmbd: add a permission check for FSCTL_SET_ZERO_DATA
ksmbd: add a WRITE_DAC/WRITE_OWNER check to SMB2 SET_INFO SECURITY
ksmbd: fix use-after-free of a deferred file_lock on SMB2_CLOSE then SMB2_CANCEL
smb: server: remove code guarded by nonexistent config option
...
Linus Torvalds [Thu, 18 Jun 2026 16:18:00 +0000 (09:18 -0700)]
Merge tag 'v7.2-rc-part1-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6
Pull smb client updates from Steve French:
- Three cleanup patches
- Fix error return value in smb2_aead_req_alloc
- Three compression fixes
- Update i_blocks after write (fixes various xfstests)
- Fix races in cifsd thread creation
- Fix potential out of bounds read parsing security descriptors
- Witness protocol fix
- Fix umount bug
- Mount fix
- Fix cached directory entries on unlink/rmdir/rename
* tag 'v7.2-rc-part1-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
smb: client: Use more common code in SMB2_tcon()
smb: client: Use more common error handling code in smb3_reconfigure()
smb/client: Fix error code in smb2_aead_req_alloc()
smb/client: clean up a type issue in cifs_xattr_get()
smb/client: allow FS_IOC_SETFLAGS to clear compression
smb/client: use writable handle for FS_IOC_SETFLAGS compression
smb/client: always return a value for FS_IOC_GETFLAGS
smb/client: update i_blocks after contiguous writes
smb: client: fix races in cifsd thread creation
cifs: validate full SID length in security descriptors
smb: client: resolve SWN tcon from live registrations
cifs: remove all cifs files before kill super
smb: client: fix conflicting option validation for new mount API
cifs: invalidate cfid on unlink/rename/rmdir
Linus Torvalds [Thu, 18 Jun 2026 16:14:15 +0000 (09:14 -0700)]
Merge tag 'nfsd-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux
Pull nfsd updates from Chuck Lever:
"Jeff Layton wired up netlink upcalls for the auth.unix.ip and
auth.unix.gid caches in SunRPC and the svc_export and nfsd.fh caches
in NFSD. The new kernel-user API is more extensible and lays the
groundwork for retiring the old pipe interface.
The default NFS r/w block size rises to 4MB on hosts with at least
16GB of RAM, reducing per-RPC overhead on fast networks. Smaller
machines keep their previously computed default, and the value remains
tunable through /proc/fs/nfsd/max_block_size.
Chuck Lever converted the server's RPCSEC GSS Kerberos code to the
kernel's shared crypto/krb5 library. The conversion retires and
removes SunRPC's bespoke implementation of Kerberos v5, but keeps
RPCSEC GSS-API.
Continuing the xdrgen migration that converted the NLMv4 server XDR
layer in v7.1, Chuck Lever converted the NLM version 3 server-side XDR
layer from hand-written C to xdrgen-generated code. As with the NLMv4
conversion in v7.1, the goals are improved memory safety, lower
maintenance burden, and groundwork for generation of Rust code for
this layer instead of C.
Chuck Lever fixed an issue where lingering NFSv4 state pins a mounted
file system after it is unexported. A new netlink-based mechanism can
now release NLM locks and NFSv4 state by client address, by
filesystem, and by export. Now an administrator can quiesce an export
cleanly before unmounting it.
The remaining patches are bug fixes, clean-ups, and minor
optimizations, including a batch of memory-leak and use-after-free
fixes in the ACL, lockd, and TLS handshake paths, many of them
reported by Chris Mason. Sincere thanks to all contributors,
reviewers, testers, and bug reporters who participated in the v7.2
NFSD development cycle"
* tag 'nfsd-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux: (106 commits)
svcrdma: wake sq waiters when the transport closes
nfsd: reset write verifier on deferred writeback errors
nfsd: avoid leaking pre-allocated openowner on unconfirmed retry race
sunrpc: wait for in-flight TLS handshake callback when cancel loses race
sunrpc: pin svc_xprt across the asynchronous TLS handshake callback
nfsd: fix posix_acl leak on SETACL decode failure
nfsd: fix posix_acl leak and ignored error in nfsd4_create_file
nfsd: check get_user() return when reading princhashlen
nfsd: fix inverted cp_ttl check in async copy reaper
nfsd: fix dead ACL conflict guard in nfsd4_create
NFSD: Fix SECINFO_NO_NAME decode error cleanup
sunrpc: harden rq_procinfo lifecycle to prevent double-free
SUNRPC: Return an error from xdr_buf_to_bvec() on overflow
SUNRPC: Bound-check xdr_buf_to_bvec() stores before writing
nfsd: release layout stid on setlease failure
lockd: Avoid hashing uninitialized bytes in nlm4svc_lookup_file()
lockd: Plug nlm_file refcount leak on cached nlm_do_fopen() failure
lockd: Plug nlm_file leak when nlm_do_fopen() fails
Revert "NFSD: Defer sub-object cleanup in export put callbacks"
Revert "svcrdma: Use contiguous pages for RDMA Read sink buffers"
...
Linus Torvalds [Thu, 18 Jun 2026 15:50:52 +0000 (08:50 -0700)]
Merge tag 'fuse-update-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse
Pull fuse updates from Miklos Szeredi:
- Fix lots of bugs, most from the late 6.x era, but some going back
to 2.6.x
- Add subsystems (io-uring, passthrough) and respective maintainers
(Bernd, Joanne and Amir)
- Separate transport and fs layers (Miklos)
- Don't block on cat /dev/fuse (Joanne)
- Perform some refactoring in fuse-uring (Joanne)
- Don't use bounce-buffer for READDIR reply in virtio-fs (Matthew Ochs)
- Clean up documentation (Randy)
- Improve tracing (Amir)
- Extend page cache invalidation after DIO (Cheng Ding)
- Invalidate readdir cache on epoch change (Jun Wu)
- Misc cleanups
* tag 'fuse-update-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse: (81 commits)
fuse-uring: clear ent->fuse_req in commit_fetch error path
fuse-uring: use named constants for io-uring iovec indices
fuse-uring: refactor setting up copy state for payload copying
fuse-uring: use enum types for header copying
fuse-uring: refactor io-uring header copying from ring
fuse-uring: refactor io-uring header copying to ring
fuse-uring: separate next request fetching from sending logic
fuse: invalidate readdir cache on epoch bump
virtio-fs: avoid double-free on failed queue setup
fuse: invalidate page cache after DIO and async DIO writes
fuse: set ff->flock only on success
fuse: clean up interrupt reading
fuse: remove stray newline in fuse_dev_do_read()
fuse: use READ_ONCE in fuse_chan_num_background()
fuse: dax: Move long delayed work on system_dfl_long_wq
fuse: add fuse_request_sent tracepoint
fuse: Add SPDX ID lines to some files
fuse: use QSTR() instead of QSTR_INIT() in fuse_get_dentry
fuse: convert page array allocation to kcalloc()
fuse: use current creds for backing files
...
This quirk is identical to the one for the Yamaha Steinberg UR22, here
applied to a CD player that also uses the Steinberg USB interface.
This quirk is necessary to avoid sporadic "clic" noise when using the DAC
of the player.
Mark Tomlinson [Thu, 30 Apr 2026 02:16:28 +0000 (14:16 +1200)]
PCI: iproc: Restore .map_irq() for the platform bus driver
Commit b64aa11eb2dd ("PCI: Set bridge map_irq and swizzle_irq to default
functions") moved the assignment of default .map_irq() callback to
devm_of_pci_bridge_init() and removed the initialization of
'iproc_pcie::map_irq' in platform bus driver. This led to the callback
getting assigned the NULL pointer for platform bus driver, thereby breaking
the INTx functionality, since 'iproc_pcie::map_irq' overrides the
'pci_host_bridge::map_irq' callback in iproc_pcie_setup().
This issue only affected the iproc platform bus driver as this driver
relies on the default callback for non-PAXC controllers. iproc-brcm driver
was already providing the custom mapping function, so it was unaffected.
Restore the original (and intended) behaviour to use the default map_irq
function by removing the local 'iproc_pcie::map_irq' pointer and directly
assigning the 'pci_host_bridge::map_irq' callback in iproc-bcma driver.
This ensures that the default 'map_irq' callback is used for platform bus
driver and only iproc-brcm driver overrides it with a custom one.
Fixes: b64aa11eb2dd ("PCI: Set bridge map_irq and swizzle_irq to default functions") Signed-off-by: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
[mani: commit log] Signed-off-by: Manivannan Sadhasivam <mani@kernel.org> Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Acked-by: Ray Jui <ray.jui@broadcom.com> Link: https://patch.msgid.link/20260430021628.1343154-1-mark.tomlinson@alliedtelesis.co.nz
Linus Torvalds [Thu, 18 Jun 2026 15:16:21 +0000 (08:16 -0700)]
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma
Pull rdma updates from Jason Gunthorpe:
"Many AI driven bug fixes, and several big driver API cleanups
- Driver bug fixes and minor cleanups in mlx5, hns, rxe, efa, siw,
rtrs, mana, irdma, mlx4. Commonly error path flows, integer
arithmetic overflows on unsafe data, out of bounds access, and use
after free issues under races.
- Second half of the new udata API for drivers focusing on uAPI
response
- bnxt_re supports more options for QP creation that will allow a dv
path in rdma-core
- Untangle the module dependencies so drivers don't link to
ib_uverbs.ko as was originall intended
- Provide a new way to handle umems with a consistent simplified uAPI
and update several drivers to use it. This brings dmabuf support to
more places and more drivers
- Support for mlx5 rate limit and packet pacing for UD and UC
- A batch of fixes for the new shared FRMR pools infrastructure"
* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma: (148 commits)
RDMA/irdma: Replace waitqueue and flag with completion
RDMA/hns: Fix memory leak of bonding resources
RDMA/rtrs-srv: Bound RDMA-Write length to chunk size in rdma_write_sg
docs: infiniband: correct name of option to enable the ib_uverbs module
RDMA/bnxt_re: Reject GET_TOGGLE_MEM when toggle page was not allocated
RDMA/bnxt_re: Fail DBR related page allocation UAPIs if the feature is disabled
RDMA/bnxt_re: Avoid repeated requests to allocate WC pages
RDMA/bnxt_re: Proper rollback if the ioremap fails
RDMA/bnxt_re: Add a max slot check for SQ
RDMA/bnxt_re: Avoid displaying the kernel pointer
RDMA/bnxt_re: Free CQ toggle page after firmware teardown
RDMA/bnxt_re: Free SRQ toggle page after firmware teardown
RDMA/bnxt_re: Initialize dpi variable to zero
ABI: sysfs-class-infiniband: minor cleanup
RDMA/mlx5: Release the HW‑provided UAR index rather than the SW one
RDMA/mlx5: Fix undefined shift of user RQ WQE size
RDMA/mlx5: Remove raw RSS QP restrack tracking
RDMA/mlx5: Remove DCT restrack tracking
RDMA/mlx5: Drop FRMR pool handle on UMR revoke failure
RDMA/core: Add ib_frmr_pool_drop for unrecoverable handles
...
Rosen Penev [Tue, 26 May 2026 04:40:16 +0000 (21:40 -0700)]
PCI: mvebu: Use fixed-width interrupt masks to avoid truncation in 64-bit builds
Use u32-typed BIT and GENMASK helpers for PCIe interrupt register
masks. This keeps inverted masks in the same width as the registers
and avoids truncation warnings on 64-bit compile-test builds.
Fixes below and similar warnings:
drivers/pci/controller/pci-mvebu.c:316:21: error: implicit conversion from 'unsigned long' to 'u32' (aka 'unsigned int') changes value from 18446744069414584320 to 0 [-Werror,-Wconstant-conversion]
mvebu_writel(port, ~PCIE_INT_ALL_MASK, PCIE_INT_UNMASK_OFF);
Linus Torvalds [Thu, 18 Jun 2026 15:12:50 +0000 (08:12 -0700)]
Merge tag 'ata-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux
Pull ata updates from Niklas Cassel:
- Bump required Clang version to 23 (Marco), and add Clang context
analysis annotations (Bart)
- Use the ahci_nr_ports() helper in libahci (me)
- Fail to probe the ahci driver if the BAR size is smaller than the
required size to support CAP.NP (Number of Ports) (liyouhong)
- Move EXPORT_SYMBOL_GPL(ahci_do_softreset) to be just below the
function definition (Bart)
- Make ata_scsi_scan_host() schedule hotplug work on the
system_dfl_long_wq workqueue so that it can benefit from scheduler
task placement (Marco)
- Make ata_scsi_port_error_handler() schedule hotplug work on the
system_dfl_long_wq workqueue, such that the work always uses the same
workqueue (me)
- Use devm_platform_get_and_ioremap_resource() in pata_arasan_cf driver
(Rosen)
- Fix ata_exec_internal() to only release and acquire the EH mutex if
the calling function is the one holding the EH mutex (Bart)
- Use hweight_long() to count the port_map bits (TanZheng)
- Add COMPILE_TEST support for pata_ep93xx driver (Rosen)
- Drop unused assignments from pata_isapnp driver (Uwe)
- Extend existing JMicron PMP quirk to include JMicron JMS562 (Xu)
- Drop unused assignments of pci_device_id driver data (Uwe)
- Use named initializers for pci_device_id arrays (Uwe)
* tag 'ata-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux:
ata: Use named initializers for pci_device_id arrays
ata: Drop unused assignments of pci_device_id driver data
ata: libata-pmp: add JMicron JMS562 quirk
ata: pata_isapnp: Drop unused assignments from pnp_device_id array
ata: pata_ep93xx: add COMPILE_TEST support
ata: pata_ep93xx: use unsigned long for data
ata: pata_ep93xx: avoid asm on non ARM
ata: Annotate functions in the issuing path with __must_hold()
ata: libata: Pass ap parameter directly to functions in the issuing path
ata: libata: Document when host->eh_mutex should be held
ata: libata: Add an argument to ata_eh_reset()
ata: ahci: use hweight_long() to count port_map bits
ata: libata: Fix ata_exec_internal()
ata: pata_arasan_cf: simplify ioremap
ata: libata-eh: queue hotplug work on the system_dfl_long_wq workqueue
ata: libata-scsi: Move long delayed work on system_dfl_long_wq
ata: ahci: Move EXPORT_SYMBOL_GPL(ahci_do_softreset)
ata: ahci: fail probe if BAR too small for claimed ports
ata: libahci: use ahci_nr_ports() helper
Linus Torvalds [Thu, 18 Jun 2026 15:09:57 +0000 (08:09 -0700)]
Merge tag 'for-7.2/io_uring-epoll-20260616' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux
Pull io_uring epoll update from Jens Axboe:
"As discussed a few months ago, this pull request gets rid of allowing
nested epoll notification contexts via io_uring.
Nested contexts have been a source of issues on the epoll side, and
there should not be a need to support them from io_uring. The epoll
io_uring side exists mainly to facilitate a gradual migration from a
notification based epoll setup to an io_uring ditto"
* tag 'for-7.2/io_uring-epoll-20260616' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux:
io_uring/epoll: disallow adding an epoll file to an epoll context
io_uring/epoll: switch to using do_epoll_ctl_file() interface
Alvin Šipraga [Wed, 17 Jun 2026 14:55:08 +0000 (16:55 +0200)]
ASoC: audio-graph-card2: Drop warning for manually selected DAI formats
Sometimes the DAI format must be specified in the audio-graph-card2
device tree, so emitting a warning can be misleading. Revert back to
emitting no warning.
A few examples where automatic format selection might not be applicable:
- For DPCM, where the other side of the DAI link is not apparent, no
proper selection can actually be made. This can lead to disagreeing
formats.
- Due to hardware peculiarities, some ostensibly supported formats might
not work in practice.
In either case, the only correct solution is for the sound card to set
the format
Heiko Carstens [Wed, 17 Jun 2026 14:53:13 +0000 (16:53 +0200)]
s390/idle: Add missing EXPORT_SYMBOL_GPL()
Uwe Kleine-König reported this build breakage caused by a recent commit
which provides arch specific kcpustat_field_idle()/kcpustat_field_iowait()
functions:
ALSA: usb-audio: qcom: clear opened when stream enable fails
On enable, subs->opened is set before the service_interval is validated;
an invalid interval jumps to the response label without clearing it, so
the substream is wedged at -EBUSY until a disable or disconnect.
ALSA: usb-audio: qcom: reject stream disable with no active interface
handle_uaudio_stream_req() resolves an interface index with
info_idx_from_ifnum(), which returns -EINVAL when no interface matches.
The enable branch and the response: cleanup label both guard against a
negative index, but the disable branch does not: it forms
info = &uadev[pcm_card_num].info[info_idx] and dereferences it.
uadev[].info is a pointer allocated only when a stream is first enabled,
so a negative info_idx on the disable path is unsafe in two ways:
- If the card was never enabled, .info is NULL and &info[-EINVAL] is a
wild pointer; reading info->data_ep_pipe faults (kernel oops).
- If the card was enabled at least once (.info allocated) and the
disable names an interface that does not match, &info[-EINVAL] points
before the allocation; info->data_ep_pipe / info->sync_ep_pipe are an
out-of-bounds slab read and, when non-zero, an out-of-bounds 4-byte
write (both pipe fields are cleared to 0). That is memory corruption,
not just a NULL dereference.
The request is reachable from unprivileged local userspace over
AF_QIPCRTR. Reject a disable request with no resolved interface, matching
the guard the enable path already has.
Haowen Tu [Thu, 18 Jun 2026 07:54:31 +0000 (15:54 +0800)]
ALSA: hda/realtek: Add headset mic quirk for Acer S40-54
Acer S40-54 with ALC256 does not restore headset mic detection properly
after S4 resume. After resume, headset plug events may no longer update
the headset mic state, leaving the headset microphone unavailable.
The system uses subsystem ID 1025:161f. Applying the existing
ALC256_FIXUP_ACER_MIC_NO_PRESENCE fixup restores headset mic detection
on this machine.
Maoyi Xie [Thu, 18 Jun 2026 06:03:15 +0000 (14:03 +0800)]
ALSA: caiaq: bound the length in the EP1 input parsers
snd_caiaq_input_read_erp() and snd_caiaq_input_read_io() can be reached
from snd_usb_caiaq_input_dispatch(). They read fixed byte offsets from
the reply buffer without checking the reported length. On a short reply
they decode stale bytes left from a previous, longer report and feed them
to the input layer.
This is not an out-of-bounds access. Every offset is a compile-time
driver constant. The largest is buf[21] in the Maschine ERP case. The
EP1 transfer buffer ep1_in_buf is EP1_BUFSIZE (64) bytes, and the USB
core caps actual_length at 64, so a short reply only reads in-bounds
stale data. Acting on data the device did not send is still wrong, so
bail out per usb_id case when the reply is shorter than the bytes that
case consumes.
read_erp: AK1 needs 2 bytes, Kore needs 16, Maschine needs 22.
read_io: the Kore case needs 5 bytes (buf[4]) and the Traktor Kontrol
X1 case needs 7 (buf[5]/buf[6]). The preceding key bit loop
is already bounded by "i < len * 8" and is left untouched.
snd_caiaq_input_read_analog() and snd_usb_caiaq_maschine_dispatch() are
not changed. Their callers already floor the reply length.
Maoyi Xie [Thu, 18 Jun 2026 06:03:15 +0000 (14:03 +0800)]
ALSA: caiaq: fix out-of-bounds read in the Traktor Kontrol S4 input parser
snd_usb_caiaq_tks4_dispatch() decodes the Traktor Kontrol S4 input
stream in fixed 16-byte (TKS4_MSGBLOCK_SIZE) message blocks. On every
iteration it advances buf and subtracts the block size while looping on
"while (len)".
len is urb->actual_length. That value is supplied by the device and is
not guaranteed to be a multiple of 16. When a final short block leaves
len between 1 and 15, the loop runs once more, reads up to buf[15], and
then does "len -= TKS4_MSGBLOCK_SIZE". As len is unsigned this underflows
to a huge value. The loop then keeps iterating and walking buf far past
the end of the 512-byte ep4_in_buf, reading out of bounds until a bogus
block id happens to be hit.
Iterate only while a full message block is available. This stops the
unsigned underflow and silently drops any trailing partial block, which
carries no complete control value anyway.
The sibling endpoint-4 parsers are not affected. The Traktor Kontrol X1
and Maschine arms in snd_usb_caiaq_ep4_reply_dispatch() floor
urb->actual_length before dispatching.
Ben Dooks [Wed, 17 Jun 2026 10:29:43 +0000 (11:29 +0100)]
ALSA: pcm: fix __le32 cast warning in snd_pcm_set_sync_per_card
In snd_pcm_set_sync_per_card() the le32 value is written to an u32
instead of an __le32 pointer. Fix the following warning by fixing
the type:
sound/soc/soc-pcm.c:2166:9: warning: incorrect type in argument 7 (different base types)
sound/soc/soc-pcm.c:2166:9: expected int
sound/soc/soc-pcm.c:2166:9: got restricted snd_pcm_format_t
i2c: pxa: Use named initializers for the platform_device_id array
Named initializers are better readable and more robust to changes of the
struct definition. This robustness is relevant for a planned change to
struct platform_device_id replacing .driver_data by an anonymous union.