MIPS: DEC: Ensure RTC platform device deregistration upon failure
Switch RTC platform device registration from platform_device_register()
to platform_add_devices() so as to make sure any failure will result in
automatic device unregistration.
Fixes: fae67ad43114 ("arch/mips/dec: switch DECstation systems to rtc-cmos") Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk> Acked-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de> Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
jiazhenyuan [Tue, 23 Jun 2026 02:41:53 +0000 (10:41 +0800)]
xfs: fix AGFL extent count calculation in xrep_agfl_fill
In xrep_agfl_fill(), the call to xagb_bitmap_set() passes
'agbno - 1' as the length argument. However, xagb_bitmap_set()
expects a length (number of blocks), not an end block number.
Passing 'agbno - 1' causes used_extents to record an incorrect
range.
Fix this by calculating the correct length as 'agbno - start',
which represents the actual number of blocks filled into the AGFL.
Signed-off-by: jiazhenyuan <jiazhenyuan@uniontech.com> Fixes: 014ad53732d2ba ("xfs: use per-AG bitmaps to reap unused AG metadata blocks during repair") Reviewed-by: "Darrick J. Wong" <djwong@kernel.org> Signed-off-by: Carlos Maiolino <cem@kernel.org>
xfs: fix incorrect use of gfp flags in xfs_buf_alloc_backing_mem
xfs_buf_alloc_backing_mem currently has two issues with how the GFP_
flags are set:
- when aiming for a large folio allocation, the gfp mask is adjusted
to try less hard, but these flags then persist for the vmalloc
allocation, which is bogus.
- the __GFP_NOFAIL for small allocations is also applied when readahead
force __GFP_NORETRY which doesn't make any sense.
Fix this by only applying __GFP_NOFAIL when __GFP_NORETRY is not set,
and by reordering the code so that the large folio gfp adjustments
are performed locally just for that allocation.
Fixes: 94c78cfa3bd1 ("xfs: convert buffer cache to use high order folios") Signed-off-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com> Signed-off-by: Carlos Maiolino <cem@kernel.org>
Linus Torvalds [Sun, 28 Jun 2026 14:46:12 +0000 (07:46 -0700)]
Merge tag 'ntb-7.2' of https://github.com/jonmason/ntb
Pull NTB updates from Jon Mason:
"An EPF bug fix to prevent an invalid unmap during device removal,
along with documentation fixes and minor AMD driver cleanups"
* tag 'ntb-7.2' of https://github.com/jonmason/ntb:
ntb: amd: Use named initializer for pci_device_id::driver_data
NTB: fix kernel-doc warnings in ntb.h
NTB: epf: Avoid pci_iounmap() with offset when PEER_SPAD and CONFIG share BAR
ntb_hw_amd: Fix incorrect debug message in link disable path
Linus Torvalds [Sun, 28 Jun 2026 11:40:05 +0000 (04:40 -0700)]
Merge tag 'input-for-v7.2-rc0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
Pull more input updates from Dmitry Torokhov:
- Updates to Synaptics RMI4 driver to fix potential OOB accesses in F30
and F3A keymap handling
- A workaround in Synaptics RMI4 to tolerate buggy firmware on some
touchpads (e.g. ThinkPad T14 Gen 1) that report incomplete register
descriptor structures, preventing probe failures
- A revert of an incorrect register descriptor address calculation in
Synaptics RMI4 driver
- A fix for a regression in HP GSC PS/2 (gscps2) driver where the
receive buffer write index was not advanced, leaving keyboard and
mouse unusable.
* tag 'input-for-v7.2-rc0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
Input: gscps2 - advance receive buffer write index
Input: rmi4 - tolerate short register descriptor structure
Revert "Input: rmi4 - fix register descriptor address calculation"
Input: synaptics-rmi4 - bound the F30 keymap to the GPIO/LED count
Input: synaptics-rmi4 - bound the F3A keymap to the GPIO count
Sven Eckelmann [Sun, 28 Jun 2026 08:37:07 +0000 (10:37 +0200)]
batman-adv: dat: ensure accessible eth_hdr proto field
When batadv_get_vid() accesses the proto field of the ethernet header, it
is not checking if the data itself is accessible. The caller is responsible
for it. But in contrast to other call sites, batadv_dat_get_vid() and its
caller didn't make sure this is true. This could have caused an
out-of-bounds access.
Cc: stable@vger.kernel.org Reported-by: Sashiko <sashiko-bot@kernel.org> Fixes: be1db4f6615b ("batman-adv: make the Distributed ARP Table vlan aware") Signed-off-by: Sven Eckelmann <sven@narfation.org>
Sven Eckelmann [Sun, 28 Jun 2026 06:45:41 +0000 (08:45 +0200)]
batman-adv: bla: reacquire gw address after skb realloc
The pskb_may_pull() called by batadv_bla_is_backbone_gw() could reallocate
the buffer behind the skb. Variables which were pointing to the old buffer
need to be reassigned to avoid an use-after-free.
Cc: stable@vger.kernel.org Fixes: 9e794b6bf4a2 ("batman-adv: drop unicast packets from other backbone gw") Signed-off-by: Sven Eckelmann <sven@narfation.org>
Sven Eckelmann [Sun, 28 Jun 2026 06:45:41 +0000 (08:45 +0200)]
batman-adv: dat: acquire ARP hw source only after skb realloc
The pskb_may_pull() called by batadv_get_vid() could reallocate the buffer
behind the skb. Variables which were pointing to the old buffer need to be
reassigned to avoid an use-after-free.
Cc: stable@vger.kernel.org Fixes: b61ec31c8575 ("batman-adv: Snoop DHCPACKs for DAT") Signed-off-by: Sven Eckelmann <sven@narfation.org>
Sven Eckelmann [Sun, 28 Jun 2026 06:45:41 +0000 (08:45 +0200)]
batman-adv: gw: acquire ethernet header only after skb realloc
The pskb_may_pull() called by batadv_get_vid() could reallocate the buffer
behind the skb. Variables which were pointing to the old buffer need to be
reassigned to avoid an use-after-free.
Cc: stable@vger.kernel.org Fixes: 6c413b1c22a2 ("batman-adv: send every DHCP packet as bat-unicast") Signed-off-by: Sven Eckelmann <sven@narfation.org>
Sven Eckelmann [Sun, 28 Jun 2026 06:35:35 +0000 (08:35 +0200)]
batman-adv: access unicast_ttvn skb->data only after skb realloc
The pskb_may_pull() called by batadv_get_vid() could reallocate the buffer
behind the skb. Variables which were pointing to the old buffer need to be
reassigned to avoid an use-after-free.
This was done correctly for the ethernet header but missed for the
unicast_packet pointer.
Cc: stable@vger.kernel.org Reported-by: Sashiko <sashiko-bot@kernel.org> Fixes: c018ad3de61a ("batman-adv: add the VLAN ID attribute to the TT entry") Signed-off-by: Sven Eckelmann <sven@narfation.org>
Sven Eckelmann [Sun, 28 Jun 2026 04:44:13 +0000 (06:44 +0200)]
batman-adv: retrieve ethhdr after potential skb realloc on RX
pskb_may_pull() in batadv_interface_rx() could reallocate the buffer behind
the skb. Variables which were pointing to the old buffer need to be
reassigned to avoid an use-after-free.
This was done correctly for the VLAN header but missed for the ethernet
header which is later used for the TT and AP isolation handling.
Cc: stable@vger.kernel.org Reported-by: Sashiko <sashiko-bot@kernel.org> Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") Fixes: c78296665c3d ("batman-adv: Check skb size before using encapsulated ETH+VLAN header") Signed-off-by: Sven Eckelmann <sven@narfation.org>
Lorenzo Bianconi [Thu, 25 Jun 2026 09:42:46 +0000 (11:42 +0200)]
net: airoha: dma map xmit frags with skb_frag_dma_map()
Map xmit skb fragments using skb_frag_dma_map() instead of
dma_map_single(skb_frag_address()). skb_frag_address() relies on
page_address() to obtain a kernel virtual address, which is not
guaranteed to work for all page types (e.g. highmem pages or
user-pinned pages from MSG_ZEROCOPY).
skb_frag_dma_map() maps the fragment directly via its struct page and
offset through dma_map_page(), avoiding the need for a kernel virtual
address entirely.
Introduce an enum airoha_dma_map_type to track how each queue entry was
mapped (single vs page), so that the matching unmap function is called
on completion and in error paths.
Linus Walleij [Thu, 25 Jun 2026 07:47:01 +0000 (09:47 +0200)]
net: dsa: Fix skb ownership in taggers
The tag_8021q.c tagger calls vlan_insert_tag() in dsa_8021q_xmit().
vlan_insert_tag() will consume the skb with kfree_skb() on failure
and return NULL.
When NULL is returned as error code to ->xmit() in dsa_user_xmit()
it will free the same skb again leading to a double-free.
The idea of dsa_user_xmit() and dsa_switch_rcv() dropping the skb
they held before the call to ->xmit() and ->rcv() is conceptually
wrong: the pattern elsewhere in the networking code is that consumers
drop their skb:s on failure.
Modify the ->xmit() and ->rcv() call sites to not drop the SKB if
the taggers return NULL from any of these calls. Move those drops into
the taggers so every callback error path that retains ownership consumes
the skb before returning NULL.
Keep the existing helper ownership rules: VLAN insertion helpers already
free on failure (this is the case in tag_8021q.c), while deferred
transmit paths either transfer the skb reference to worker context or
hold a worker reference with skb_get() and drop the caller's reference.
For SJA1105 meta RX, transfer the buffered stampable skb under the meta
lock and return NULL while the skb is waiting for its meta frame: the
skb is not dropped in this case.
NOTICE: Backporting patches to taggers (e.g. for stable kernels) after
this point cannot be mechanical or they will introduce double
kfree_skb().
Reported-by: Sashiko AI Review <sashiko-bot@kernel.org> Closes: https://lore.kernel.org/r/20260610153952.1685895-1-kuba@kernel.org/ Suggested-by: Jakub Kicinski <kuba@kernel.org> Acked-by: David Yang <mmyangfl@gmail.com> # yt921x Acked-by: Kurt Kanzenbach <kurt@linutronix.de> # hellcreek Reviewed-by: Wei Fang <wei.fang@nxp.com> # netc Signed-off-by: Linus Walleij <linusw@kernel.org> Link: https://patch.msgid.link/20260625-dsa-fix-free-skb-v5-1-b5931e4cbdb0@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Xin Long [Wed, 24 Jun 2026 22:53:12 +0000 (18:53 -0400)]
sctp: add INIT verification after cookie unpacking
In SCTP handshake, the INIT chunk is initially processed by the server
and embedded into the cookie carried in INIT-ACK. The client then
returns this cookie via COOKIE-ECHO, where the server unpacks it and
reconstructs the original INIT chunk.
When cookie authentication is enabled, the cookie contents are protected
against tampering, so reusing the unpacked INIT without re-verification
is safe.
However, when cookie authentication is disabled, the reconstructed INIT
can no longer be trusted. In this case, the INIT must be explicitly
validated after unpacking to avoid processing potentially tampered data.
Add sctp_verify_init() checks after cookie unpacking in COOKIE-ECHO
processing paths (sctp_sf_do_5_1D_ce() and sctp_sf_do_5_2_4_dupcook())
when cookie_auth_enable is disabled. On failure, the new association is
freed and the packet is discarded.
Also tighten cookie validation in sctp_unpack_cookie() by verifying the
embedded chunk type is SCTP_CID_INIT before treating it as an INIT
chunk.
Finally, update sctp_verify_init() to validate parameter bounds using
the actual embedded INIT length instead of chunk->chunk_end, since the
INIT stored in COOKIE-ECHO may not span the entire chunk buffer.
Breno Leitao [Thu, 25 Jun 2026 12:03:18 +0000 (05:03 -0700)]
netpoll: fix a use-after-free on shutdown path
There is a use-after-free error on netpoll, which is clearly detected by
KASAN.
BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0x3b/0x80
Read of size 1 at addr ... by task kworker/9:1
Workqueue: events queue_process
Call Trace:
skb_dequeue+0x1e/0xb0
queue_process+0x2c/0x600
process_scheduled_works+0x4b6/0x850
worker_thread+0x414/0x5a0
Allocated by task 242:
__netpoll_setup+0x201/0x4a0
netpoll_setup+0x249/0x550
enabled_store+0x32f/0x380
Freed by task 0:
kfree+0x1b7/0x540
rcu_core+0x3f8/0x7a0
The problem happens when there is a pending TX worker running in
parallel with the cleanup path.
This is what happens on netpoll shutdown path:
1) __netpoll_cleanup() is called
2) set dev->npinfo to NULL
3) call_rcu() with rcu_cleanup_netpoll_info()
3.1) rcu_cleanup_netpoll_info() tries to cancel all workers with
cancel_delayed_work(), but doesn't wait for the worker to finish
4) and kfree(npinfo);
Because 3.1) doesn't really cancel the work, as the comment says "we
can't call cancel_delayed_work_sync here, as we are in softirq", the TX
worker can run after 4).
Tl;DR: queue_process() is not an RCU reader, it reaches npinfo through
the work item via container_of().
Use disable_delayed_work_sync() to ensure the worker is completely
stopped and prevent any future re-arming attempts. Once npinfo is set
to NULL, senders will bail out and not queue new work. The disable flag
ensures any in-flight re-arming attempts also fail silently.
In the future, we can do the cleanup inline here without needing the
npinfo->rcu rcu_head, but that is net-next material.
Yousef Alhouseen [Thu, 25 Jun 2026 14:23:54 +0000 (16:23 +0200)]
sctp: fix SCTP_RESET_STREAMS stream list length limit
SCTP_RESET_STREAMS carries a flexible array of u16 stream IDs, but the
optlen clamps treat USHRT_MAX as a byte count and then multiply
sizeof(__u16) by the fixed header size.
That caps the copied and validated option buffer at about 64 KiB, which
rejects valid requests containing more than about half of the u16 stream
ID range.
Use struct_size_t() for the maximum struct sctp_reset_streams layout
instead, so the bound matches the flexible array described by
srs_number_streams.
Fixes: 5960cefab9df ("sctp: add a ceiling to optlen in some sockopts") Acked-by: Xin Long <lucien.xin@gmail.com> Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com> Link: https://patch.msgid.link/20260625142354.2600-1-alhouseenyousef@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Wei Fang [Fri, 26 Jun 2026 07:32:44 +0000 (15:32 +0800)]
net: enetc: check the number of BDs needed for xdp_frame
The size of xdp_redirect_arr array is ENETC_MAX_SKB_FRAGS. However, the
number of fragments contained in xdp_frame may be greater than or equal
to ENETC_MAX_SKB_FRAGS, which will cause the access to xdp_redirect_arr
to be out of bounds.
Linus Torvalds [Sat, 27 Jun 2026 20:48:12 +0000 (13:48 -0700)]
Merge tag 'pwm/for-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ukleinek/linux
Pull pwm fixes from Uwe Kleine-König:
"Two more fixes that I managed to put into the public branch merged
into next before my first pull request but missed to include them in
it.
The first change is a relevant change that fixes misconfigurations due
to a variable overflow. The second is only cosmetic but very obviously
an improvement"
* tag 'pwm/for-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ukleinek/linux:
pwm: rzg2l-gpt: Add missing newlines to dev_err_probe() messages
pwm: rzg2l-gpt: Fix period_ticks type from u32 to u64
Linus Torvalds [Sat, 27 Jun 2026 19:52:20 +0000 (12:52 -0700)]
Merge tag 'fbdev-for-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev
Pull more fbdev updates from Helge Deller:
"Fixes for generic fbdev & fbcon code for the handling of modelists
and preventing a potential NULL ptr dereference in the console code.
Fix missed cleanups in the error path of various fbdev drivers.
And Uwe Kleine-König contributed a cleanup patch to use named
initializers in the vga16fb driver"
* tag 'fbdev-for-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev:
fbdev: Fix fb_new_modelist to prevent null-ptr-deref in fb_videomode_to_var
fbcon: fix NULL pointer dereference for a console without vc_data
fbdev: fix use-after-free in store_modes()
fbdev: viafb: return an error when DMA copy times out
fbdev: goldfishfb: fail pan display on base-update timeout
fbdev: fbcon: fix out-of-bounds read in err_out of fbcon_do_set_font()
fbdev: pm2fb: unwind WC setup on probe failure
fbdev: vga16fb: Drop unused assignment of platform_device_id driver data
Linus Torvalds [Sat, 27 Jun 2026 19:15:23 +0000 (12:15 -0700)]
Merge tag 'sound-fix-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"A collection of small bug fixes accumulated over the last week.
Most are device-specific fixes while there are a few core fixes as
well.
Here are the highlights:
ALSA Core:
- A fix for an uninitialised heap leak in ALSA sequencer core
- A fix for error handling/resource leak in compress-offload API
USB-audio:
- A teardown-ordering fix in USB MIDI 2.0 to prevent use-after-free
- Bounds and length checks for packet data in Native Instruments
caiaq / Traktor Kontrol input parsers
- Avoidance of expensive kobject path lookups in DualSense controller
matches
- Robustness/memory leak fixes for Qualcomm USB offload driver
- Focusrite Control Protocol (FCP) NULL-pointer dereference fix and a
new device quirk (ISA C8X)
- Device-specific quirks for Yamaha CDS3000 and SC13A
HD-Audio:
- A bunch of quirks and mute/mic-mute LED fixups for various laptops
(Acer, Clevo, Lenovo, HP)
ASoC & SoundWire:
- Avoid failing card registration if the device_link creation fails
- A workaround for SoundWire randconfig build failures by making
helper functions static inline
- Corrected MCLK reference validation for CS530x codecs
- Clean up of untested, problematic guard() macro replacements in
Rockchip SAI driver
- Fix for eDMA maxburst misalignment with channel count in Freescale
ASRC
- Miscellaneous hardware-specific fixes (qcom, rt5650, tlv320aic3x,
tas2781/3)
Others:
- Bounds and length checks for packet data in Apple iSight"
* tag 'sound-fix-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (46 commits)
ALSA: FCP: Fix NULL pointer dereference in interface lookup
ALSA: hda/realtek: Update Acer Nitro ANV15-41 quirk to enable mute LED
ASoC: fsl_asrc_dma: fix eDMA maxburst misalignment with channel count
ASoC: codecs: pcm512x: only print info once on no sclk
ASoC: tas2781: Update default register address to TAS2563
ALSA: firewire: isight: bound the sample count to the packet payload
ALSA: usb-audio: qcom: Free QMI handle
ALSA: hda: Add Lenovo Legion 7i 16IAX7 17AA3874 quirk
ALSA: usb-audio: avoid kobject path lookup in DualSense match
ALSA: hda/realtek: Add quirk for Acer Nitro ANV15-41
ASoC: soc-core: Don't fail if device_link could not be created
ASoC: rockchip: rockchip_sai: #include <linux/platform_device.h> explicitly
ALSA: seq: Fix uninitialised heap leak in snd_seq_event_dup()
ASoC: rt5575: Use __le32 for SPI burst write address
ASoC: tas2783: Update loaded firmware names to linux-firmware 20260519
ASoC: SDCA: Validate written enum value in ge_put_enum_double()
ASoC: realtek: Add back local call to sdw_show_ping_status()
ASoC: ti: Add back local call to sdw_show_ping_status()
ASoC: max98373: Add back local call to sdw_show_ping_status()
ASoC: es9356: Add back local call to sdw_show_ping_status()
...
Linus Torvalds [Sat, 27 Jun 2026 18:33:30 +0000 (11:33 -0700)]
Merge tag 'i2c-fixes-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/andi.shyti/linux
Pull i2c fixes from Andi Shyti:
- i801: fix error path in smbus transfer
- mpc: fix timeout calculation
* tag 'i2c-fixes-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/andi.shyti/linux:
i2c: i801: fix hardware state machine corruption in error path
i2c: mpc: Fix timeout calculations
Linus Torvalds [Sat, 27 Jun 2026 16:20:16 +0000 (09:20 -0700)]
Merge tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/linux
Pull fscrypt fixes from Eric Biggers:
- Fix a bug where in a specific edge case, file contents en/decryption
could be done with the wrong data unit size
- Fix the data structure used for keeping track of users that have
added an fscrypt key to be a simple list instead of a 'struct key'
keyring
This fixes issues such as a lockdep report found by syzbot and
possible unintended interactions with the keyctl() system calls
* tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/linux:
fscrypt: Replace mk_users keyring with simple list
fscrypt: Fix key setup in edge case with multiple data unit sizes
Xu Rao [Wed, 24 Jun 2026 09:47:39 +0000 (17:47 +0800)]
Input: gscps2 - advance receive buffer write index
Commit 44f920069911 ("Input: gscps2 - use guard notation when
acquiring spinlock") moved the receive loop into gscps2_read_data()
and gscps2_report_data().
While moving the code, it preserved the writes to
buffer[ps2port->append], but omitted the following producer index
update from the original loop:
As a result, append never advances. Since gscps2_report_data() only
reports bytes while act != append, the receive buffer always appears
empty and no keyboard or mouse data reaches the serio core.
Dmitry Torokhov [Fri, 26 Jun 2026 23:33:21 +0000 (16:33 -0700)]
Input: rmi4 - tolerate short register descriptor structure
Some touchpads (e.g. ThinkPad T14 Gen 1) have buggy firmware that reports
a register descriptor structure size that is too small for the number of
registers it claims to have in the presence map. The remaining bytes in
the structure are 0, which with the new strict bounds checking causes the
parser to fail with -EIO, aborting the device probe.
Tolerate such short reads by dropping the remaining (unparseable or
0-size) registers from the list instead of failing the probe,
preventing the driver from trying to use them.
Fixes: 0adb483fbf2d ("Input: rmi4 - refactor register descriptor parsing") Reported-by: Barry K. Nathan <barryn@pobox.com> Tested-by: Barry K. Nathan <barryn@pobox.com> Cc: stable@vger.kernel.org Assisted-by: Antigravity:gemini-3.5-flash Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
The register descriptor presence register is a packet register, which
means its bytes share a single RMI address. It does not occupy
consecutive addresses, and the register structure that follows it
is located at the next RMI address (presence_address + 1), not
(presence_address + presence_size).
Revert the incorrect address calculation introduced in commit a98518e72439.
Reported-by: "Barry K. Nathan" <barryn@pobox.com> Tested-by: "Barry K. Nathan" <barryn@pobox.com> Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
ntb: amd: Use named initializer for pci_device_id::driver_data
The current list initialisation depends on the well hidden two zeros in
the PCI_VDEVICE macro. Instead use a named initialisation that is more
robust and easier to understand.
Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com> Reviewed-by: Dave Jiang <dave.jiang@intel.com> Signed-off-by: Jon Mason <jdmason@kudzu.us>
Randy Dunlap [Thu, 12 Mar 2026 05:14:15 +0000 (22:14 -0700)]
NTB: fix kernel-doc warnings in ntb.h
Correct a function name and function parameter name to avoid
kernel-doc warnings:
Warning: include/linux/ntb.h:575 expecting prototype for
ntb_default_port_count(). Prototype was for ntb_default_peer_port_count()
instead
Warning: include/linux/ntb.h:590 function parameter 'pidx' not
described in 'ntb_default_peer_port_number'
Signed-off-by: Randy Dunlap <rdunlap@infradead.org> Acked-by: Dave Jiang <dave.jiang@intel.com> Signed-off-by: Jon Mason <jdmason@kudzu.us>
Koichiro Den [Wed, 4 Mar 2026 02:05:27 +0000 (11:05 +0900)]
NTB: epf: Avoid pci_iounmap() with offset when PEER_SPAD and CONFIG share BAR
When BAR_PEER_SPAD and BAR_CONFIG share one PCI BAR, the module teardown
path ends up calling pci_iounmap() on the same iomem with some offset,
which is unnecessary and triggers a kernel warning like the following:
Trying to vunmap() nonexistent vm area (0000000069a5ffe8)
WARNING: mm/vmalloc.c:3470 at vunmap+0x58/0x68, CPU#5: modprobe/2937
[...]
Call trace:
vunmap+0x58/0x68 (P)
iounmap+0x34/0x48
pci_iounmap+0x2c/0x40
ntb_epf_pci_remove+0x44/0x80 [ntb_hw_epf]
pci_device_remove+0x48/0xf8
device_remove+0x50/0x88
device_release_driver_internal+0x1c8/0x228
driver_detach+0x50/0xb0
bus_remove_driver+0x74/0x100
driver_unregister+0x34/0x68
pci_unregister_driver+0x34/0xa0
ntb_epf_pci_driver_exit+0x14/0xfe0 [ntb_hw_epf]
[...]
Fix it by unmapping only when PEER_SPAD and CONFIG use difference bars.
Cc: stable@vger.kernel.org Fixes: e75d5ae8ab88 ("NTB: epf: Allow more flexibility in the memory BAR map method") Reviewed-by: Frank Li <Frank.Li@nxp.com> Signed-off-by: Koichiro Den <den@valinux.co.jp> Reviewed-by: Dave Jiang <dave.jiang@intel.com> Signed-off-by: Jon Mason <jdmason@kudzu.us>
====================
net/sched: finish the qdisc_dequeue_peeked conversion (taprio, multiq)
Commit 77be155cba4e added peek emulation: a non-work-conserving qdisc's
->peek dequeues one skb and stashes it in the child's gso_skb. A parent
that peeks such a child must then take the packet with
qdisc_dequeue_peeked(), not a direct ->dequeue(), or the stashed skb is
bypassed and the child's qlen/backlog desync. sch_red and sch_sfb were
just fixed for this; taprio and multiq still take the direct path.
With a qfq child the desync re-enters qfq_dequeue on an emptied aggregate
list and dereferences NULL, panicking from softirq on ordinary egress.
taprio reaches it on its own (root-only software path, all gates open);
multiq reaches it when a peeking parent such as tbf wraps it over a
non-work-conserving grandchild. Both need only CAP_NET_ADMIN.
Confirmed under KASAN: the unpatched arm panics, the patched arm is
clean, and a work-conserving-child control is clean. The reproducers and
splats for both are below; the per-patch changes are one line each.
taprio reproducer (self-triggering, no parent qdisc needed):
ip link add dummy0 numtxqueues 4 type dummy; ip link set dummy0 up
ip addr add 10.10.11.10/24 dev dummy0
tc qdisc add dev dummy0 root handle 1: taprio num_tc 2 \
map 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 queues 1@0 1@1 \
base-time 9000000000000000000 sched-entry S 03 200000 flags 0x0 clockid CLOCK_TAI
tc qdisc replace dev dummy0 parent 1:1 handle 3: qfq
tc class add dev dummy0 classid 3:1 parent 3: qfq maxpkt 512 weight 1
tc filter add dev dummy0 parent 3: protocol ip prio 1 matchall classid 3:1
ping -c1 10.10.11.99 -I dummy0
multiq reproducer (needs a peeking parent over a stashing child; tbf
values chosen to force it to throttle):
ip link add dummy0 numtxqueues 2 type dummy; ip link set dummy0 up
ip addr add 10.10.11.10/24 dev dummy0
tc qdisc add dev dummy0 root handle 1: tbf rate 88bit burst 1661b \
peakrate 2257333 minburst 1024 limit 7b
tc qdisc add dev dummy0 parent 1: handle 2: multiq
for b in 1 2; do # qfq on every band
tc qdisc add dev dummy0 parent 2:$b handle 3$b: qfq
tc class add dev dummy0 classid 3$b:1 parent 3$b: qfq maxpkt 512 weight 1
tc filter add dev dummy0 parent 3$b: protocol ip prio 1 matchall classid 3$b:1
done
ping -c12 10.10.11.99 -I dummy0
Bryam Vargas [Thu, 25 Jun 2026 09:51:20 +0000 (04:51 -0500)]
net/sched: sch_multiq: Replace direct dequeue call with peek and qdisc_dequeue_peeked
multiq_dequeue() takes a packet from a band's child with a direct
->dequeue() call after multiq_peek() peeked it. When the child is
non-work-conserving the peek stashes the skb in the child's gso_skb, so
the direct dequeue returns a different skb and orphans the stash,
desyncing the child's qlen/backlog. With a qfq child reached through a
peeking parent (e.g. tbf) this re-enters the child on an emptied list and
dereferences NULL, panicking the kernel from softirq on ordinary egress.
Take the packet through qdisc_dequeue_peeked(), as sch_prio already does
and as sch_red and sch_sfb were just fixed to do. The helper is a no-op
when the child has no stash, so a work-conserving child is unaffected.
Fixes: 77be155cba4e ("pkt_sched: Add peek emulation for non-work-conserving qdiscs.") Cc: stable@vger.kernel.org Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me> Reviewed-by: Victor Nogueira <victor@mojatatu.com> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com> Link: https://patch.msgid.link/20260625-b4-disp-31bcb279-v1-2-85c40b83c529@proton.me Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Bryam Vargas [Thu, 25 Jun 2026 09:51:19 +0000 (04:51 -0500)]
net/sched: sch_taprio: Replace direct dequeue call with peek and qdisc_dequeue_peeked
When taprio's software path peeks a non-work-conserving child qdisc, the
child stashes the peeked skb in its gso_skb; taprio_dequeue_from_txq()
then takes the packet with a direct child ->dequeue() call, which ignores
that stash, orphans the peeked skb and desyncs the child's qlen/backlog.
With a qfq child this re-enters the child on an emptied list and
dereferences NULL, panicking the kernel from softirq on ordinary egress.
Take the packet through qdisc_dequeue_peeked(), as sch_red and sch_sfb
now do. The helper returns the child's stashed skb first and is a no-op
when there is none, so a work-conserving child is unaffected and the
gated path now consumes the skb whose length was charged to the budget.
Fixes: 5a781ccbd19e ("tc: Add support for configuring the taprio scheduler") Cc: stable@vger.kernel.org Cc: Vladimir Oltean <vladimir.oltean@nxp.com> Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me> Reviewed-by: Victor Nogueira <victor@mojatatu.com> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com> Link: https://patch.msgid.link/20260625-b4-disp-31bcb279-v1-1-85c40b83c529@proton.me Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Nuoqi Gui [Tue, 23 Jun 2026 10:32:31 +0000 (18:32 +0800)]
seg6: validate SRH length before reading fixed fields
seg6_validate_srh() reads fixed SRH fields such as srh->type and
srh->hdrlen before checking that the supplied length covers the fixed
struct ipv6_sr_hdr fields.
The BPF SEG6 encap path reaches this with a BPF program-supplied pointer
and length: bpf_lwt_push_encap() and the SEG6 local BPF END_B6 and
END_B6_ENCAP actions call bpf_push_seg6_encap(), which forwards the
length to seg6_validate_srh() with no minimum-size guard. A 2-byte SEG6
encap header can therefore make the validator read srh->type at offset 2
beyond the caller-supplied buffer.
Reject lengths shorter than the fixed SRH at the top of
seg6_validate_srh(), before any field is read. This fixes the BPF helper
path and keeps the common validator robust.
Corey Leavitt [Wed, 24 Jun 2026 20:40:16 +0000 (22:40 +0200)]
net: pse-pd: scope pse_control regulator handle to kref lifetime
__pse_control_release() drops psec->ps via devm_regulator_put(), which
only succeeds if the devres entry added by the matching
devm_regulator_get_exclusive() is still present on pcdev->dev at the
time the pse_control's kref hits zero.
That assumption does not hold when the controller is unbound while a
pse_control still has consumers: pcdev->dev's devres list is released
LIFO, so every per-attach regulator-GET devres runs (and
regulator_put()s the underlying regulator) before
pse_controller_unregister() itself is invoked. Any later
pse_control_put() from that unbind path then reads psec->ps as a
dangling pointer inside devm_regulator_put() and WARNs at
drivers/regulator/devres.c:232 (devres_release() fails to find the
already-released match).
The pse_control's consumer handle is logically scoped to the
pse_control's refcount, not to pcdev->dev's devres lifetime. Switch to
the plain regulator_get_exclusive() / regulator_put() pair so the
regulator put in __pse_control_release() no longer depends on the
controller's devres still being present. No change to the
regulator-framework-visible refcount or lifetime of the underlying
regulator: a single get paired with a single put. The existing
devm_regulator_register() for the per-PI rails is unchanged (those ARE
correctly scoped to the controller's lifetime).
This addresses only the regulator handle. The same unbind-while-held
scenario also leaves __pse_control_release() reading psec->pcdev->pi[]
and psec->pcdev->owner after pse_controller_unregister() has freed
pcdev->pi, because the controller does not drain its outstanding
pse_control references on unregister. That wider pse_control vs
pcdev lifetime problem pre-dates this change and is addressed by the
PSE controller notifier series, which drains phydev->psec on
PSE_UNREGISTERED before pcdev->pi is freed.
Haoxiang Li [Wed, 24 Jun 2026 06:40:13 +0000 (14:40 +0800)]
net: liquidio: fix BAR resource leak on PF number failure
If cn23xx_get_pf_num() fails, the function returns without
unmapping either BAR. Unmap both BARs before returning from
the error path.
Found by manual code review.
Fixes: 0c45d7fe12c7 ("liquidio: fix use of pf in pass-through mode in a virtual machine") Cc: stable@vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com> Reviewed-by: Larysa Zaremba <larysa.zaremba@intel.com> Link: https://patch.msgid.link/20260624064013.2809570-1-haoxiang_li2024@163.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Haoxiang Li [Wed, 24 Jun 2026 06:59:55 +0000 (14:59 +0800)]
net: ipa: fix SMEM state handle leaks in SMP2P init
ipa_smp2p_init() acquires two Qualcomm SMEM state handles with
qcom_smem_state_get(). However, neither the init error paths
nor ipa_smp2p_exit() release them.
Release both handles with qcom_smem_state_put() in the init
error paths and in ipa_smp2p_exit().
Fixes: 530f9216a953 ("soc: qcom: ipa: AP/modem communications") Cc: stable@vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com> Reviewed-by: Larysa Zaremba <larysa.zaremba@intel.com> Reviewed-by: Alex Elder <elder@riscstar.com> Link: https://patch.msgid.link/20260624065955.2822765-1-haoxiang_li2024@163.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Linus Torvalds [Sat, 27 Jun 2026 00:03:48 +0000 (17:03 -0700)]
Merge tag 'drm-fixes-2026-06-27' of https://gitlab.freedesktop.org/drm/kernel
Pull drm fixes from Dave Airlie:
"These are just the fixes from our fixes branch, all pretty small and
scattered.
sysfb:
- drm/sysfb truncation and alignment fixes
edid:
- fix edid OOB read in tile parsing
- increase displayid topology id to correct size
nouveau:
- fix error handling paths in nouveau
amdxdna:
- get_bo_info fix
ivpu:
- fix leak when error handling in ivpu"
* tag 'drm-fixes-2026-06-27' of https://gitlab.freedesktop.org/drm/kernel:
drm/sysfb: Avoid truncating maximum stride
drm/sysfb: Return errno code from drm_sysfb_get_visible_size()
drm/sysfb: Avoid possible truncation with calculating visible size
drm/sysfb: Do not page-align visible size of the framebuffer
drm/edid: fix OOB read in drm_parse_tiled_block()
drm/nouveau: fix reversed error cleanup order in ucopy functions
drm/nouveau/acr: fix missing nvkm_done() in error path of nvkm_acr_oneinit()
accel/amdxdna: Use caller client for debug BO sync
drm/displayid: fix Tiled Display Topology ID size
accel/ivpu: fix HWS command queue leak on registration failure
Linus Torvalds [Fri, 26 Jun 2026 23:41:30 +0000 (16:41 -0700)]
Merge tag 'drm-next-2026-06-27' of https://gitlab.freedesktop.org/drm/kernel
Pull drm merge window fixes from Dave Airlie:
"This is the merge window fixes from our next tree, i915/xe and amdgpu
make up all of it.
I've got a separate fixes pull from our fixes branch arriving after
this.
i915:
- Fix corrupted display output on GLK, #16209
- Add missing Spectre mitigation for parallel submit IOCTL
- MTL+ fix for DP resume
- clear CRTC blobs after dropping refs
- fix sharpness filter on DP MST
xe:
- Set TTM beneficial order to 9 in Xe
- Several error path cleanups
- Fix TDR for unstarted jobs on kernel queues
- Several TLB invalidation fixes related to suspending LR queues
- Some small RAS fixes
- Multi-queue suspend fix for LR queues
- Revert inclusion of NVL_S firmware
* tag 'drm-next-2026-06-27' of https://gitlab.freedesktop.org/drm/kernel: (52 commits)
drm/i915/cdclk: Fix up CDCLK_FREQ_DECIMAL without a full PLL re-enable
drm/i915/gem: Add missing nospec on parallel submit slot
drm/amdgpu: Use system unbound workqueue for soft IH ring
amdgpu/ih6.1: Fix minor version
drm/amdkfd: Use exclusive bounds for SVM split alignment checks
drm/amdgpu/gfx9: Fix Ring and IB test fail after mode2
drm/amdgpu/uvd: Fix forcing MSG, FB BOs into VCPU segment when it isn't at 0 (v2)
drm/amdgpu/uvd: Place VCPU BO only in VRAM for UVD 4.x and older
drm/amdgpu: Fix amdgpu_bo_move() when old_mem and new_mem are both GTT
drm/amdgpu: Respect placement requirements in amdgpu_gtt_mgr functions
drm/amdgpu: Fix context pstate override handling
drm/amdkfd: Use memdup_array_user to copy data from/to user space at kfd ioctls
drm/amdkfd: check find_first_zero_bit before __set_bit on kfd->doorbell_bitmap
drm/amdkfd: Let driver decide buffer size at AMDKFD_IOC_GET_DMABUF_INFO ioctl
drm/amdgpu: fix recursive ww_mutex acquire in amdgpu_devcoredump_format
drm/amdgpu: convert amdgpu_vm_lock_by_pasid() to drm_exec
drm/amdgpu: Don't use UTS_RELEASE directly
drm/amdkfd: Fix NULL deref during sysfs teardown
drm/amdgpu: validate CP_GFX_SHADOW chunk size in CS pass1
drm/amdgpu: check amdgpu_vm_bo_find() result in GET_MAPPING_INFO
...
Linus Torvalds [Fri, 26 Jun 2026 23:15:53 +0000 (16:15 -0700)]
Merge tag 'ceph-for-7.2-rc1' of https://github.com/ceph/ceph-client
Pull ceph updates from Ilya Dryomov:
"This adds support for manual client session reset in CephFS, allowing
operators to get out of tricky livelock situations involving caps and
file locks without evicting the problematic client instance on the MDS
side or rebooting the client node both of which can be disruptive"
* tag 'ceph-for-7.2-rc1' of https://github.com/ceph/ceph-client:
ceph: add manual reset debugfs control and tracepoints
ceph: add client reset state machine and session teardown
ceph: add diagnostic timeout loop to wait_caps_flush()
ceph: harden send_mds_reconnect and handle active-MDS peer reset
ceph: use proper endian conversion for flock_len in reconnect
ceph: convert inode flags to named bit positions and atomic bitops
rbd: switch to dynamic root device
Linus Torvalds [Fri, 26 Jun 2026 20:24:59 +0000 (13:24 -0700)]
Merge tag 'thermal-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
Pull thermal control fixes from Rafael Wysocki:
"These fix a failure path in an Intel thermal driver and prevent
thermal testing module code from being executed after it has been
freed:
- Fix dangling resources on thermal_throttle_online() failure in the
Intel thermal_throttle driver (Ricardo Neri)
- Eliminate a possibility of running thermal testing module code
after that module has been removed (Rafael Wysocki)"
* tag 'thermal-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
thermal: testing: zone: Flush work items during cleanup
thermal: intel: Fix dangling resources on thermal_throttle_online() failure
Linus Torvalds [Fri, 26 Jun 2026 20:14:18 +0000 (13:14 -0700)]
Merge tag 'pm-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
Pull power management fixes from Rafael Wysocki:
"These fix the schedutil cpufreq governor and drop a bogus warning
from the cpuidle core:
- Remove a misguided warning along with an inaccurate comment
next to it from the cpuidle core (Rafael Wysocki)
- Clear need_freq_update as appropriate in the .adjust_perf()
path of the schedutil cpufreq governor to avoid calling
cpufreq_driver_adjust_perf() unnecessarily on every scheduler
utilization update (Zhongqiu Han)"
* tag 'pm-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
cpuidle: Allow exit latency to exceed target residency
cpufreq: schedutil: Fix uncleared need_freq_update on the .adjust_perf() path
Linus Torvalds [Fri, 26 Jun 2026 20:00:10 +0000 (13:00 -0700)]
Merge tag 'acpi-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
Pull ACPI support fixes and cleanups from Rafael Wysocki:
"These fix assorted issues and do cleanups in the ACPI support code,
which includes a fix for tools build breakage related to strncpy()
removal:
- Unbreak ACPICA tools builds after switching over to using
strscpy_pad() that is kernel-specific (Rafael Wysocki)
- Fix module parameter file paths in comments in the ACPI code
managing the general sysfs attributes (Zenghui Yu)
- Update kerneldoc comments in the ACPI resource management code to
follow the common style (Andy Shevchenko)
- Fix inverted interface check in ipmi_bmc_gone() that may cause ACPI
IPMI interfaces to be mishandled (Xu Rao)
- Add __cpuidle annotation to idle state management functions related
to ACPI _LPI to avoid trace-induced RCU warnings (Li RongQing)"
* tag 'acpi-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
ACPI: processor_idle: Mark LPI enter functions as __cpuidle
ACPICA: Unbreak tools build after switching over to strscpy_pad()
ACPI: IPMI: Fix inverted interface check in ipmi_bmc_gone()
ACPI: resource: Amend kernel-doc style
ACPI: sysfs: Fix path of module parameters in comments
Linus Torvalds [Fri, 26 Jun 2026 18:18:49 +0000 (11:18 -0700)]
Merge tag 'spi-fix-v7.2-merge-window' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi
Pull spi fixes from Mark Brown:
"A fairly unremarkable collection of fixes that came in over the
merge window, plus a new device ID for the DesignWare controller
in the StarFive JHB100 SoC.
There's a couple of core fixes included, one avoiding freeing an
empty resource in error handling cases and another which fixes a
NULL dereference which could be triggered by using an abnormal
device registration flow like driver_override"
* tag 'spi-fix-v7.2-merge-window' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
spi: imx: reconfigure for PIO when DMA cannot be started
spi: dw: Add support for snps,dwc-ssi-2.00a
spi: dt-bindings: snps,dw-apb-ssi: Add starfive,jhb100-spi
spi: rpc-if: Use correct device for hardware reinitialization on resume
spi: acpi: Free resource list at appropriate time
spi: dw: fix wrong BAUDR setting after resume
spi: uniphier: Fix completion initialization order before devm_request_irq()
spi: Add NULL check for spi_get_device_id() in spi_get_device_match_data()
Linus Torvalds [Fri, 26 Jun 2026 18:07:26 +0000 (11:07 -0700)]
Merge tag 'regulator-fix-v7.2-merge-window' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator
Pull regulator fixes from Mark Brown:
"A couple of unremarkable driver specific fixes that came in during the
merge window"
* tag 'regulator-fix-v7.2-merge-window' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
regulator: da9121: Use subvariant ids in the I2C table
regulator: pca9450: Correct default t_off_deb for PCA9451A/PCA9452
Linus Torvalds [Fri, 26 Jun 2026 17:47:26 +0000 (10:47 -0700)]
Merge tag 'regmap-fix-v7.2-merge-window' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap
Pull regmap fix from Mark Brown:
"Ensure that we don't overwrite the error code when cleaning up a
failed cache initialisation, helping people debug issues if they
do arise"
* tag 'regmap-fix-v7.2-merge-window' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap:
regcache: Do not overwrite error code when finalizing cache after error
Merge branches 'acpi-sysfs', 'acpi-resource', 'acpi-driver' and 'acpi-processor'
Merge an update of comments regarding the ACPI sysfs code, a kernel-doc
style fixup update of ACPI resource management, and ACPI IPMI driver
fix, and an ACPI processor driver fix for 7.2-rc1:
- Fix module parameter file paths in comments in the ACPI code managing
the general sysfs attributes (Zenghui Yu)
- Update kerneldoc comments in the ACPI resource management code to
follow the common style (Andy Shevchenko)
- Fix inverted interface check in ipmi_bmc_gone() which may cause ACPI
IPMI interfaces to be mishandled (Xu Rao)
- Add __cpuidle to idle state management functions related to ACPI _LPI
to avoid trace-induced RCU warnings (Li RongQing)
* acpi-sysfs:
ACPI: sysfs: Fix path of module parameters in comments
- Handle negative index in of_fwnode_get_reference_args()
* tag 'devicetree-fixes-for-7.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
dt-bindings: mfd: khadas,mcu: Drop type reference from "fan-supply"
dt-bindings: clock: renesas: div6: Use ZT/ZTR trace clock in R-Mobile APE6 example
regulator: dt-bindings: Add Unisoc SC2730 PMIC
dt-bindings: thermal: amlogic: Correct 'reg' in the example
dt-bindings: thermal: amlogic: Fix missing header in the example
of: Fix RST inline emphasis warnings in of_map_id() kernel-doc
of: property: Fix of_fwnode_get_reference_args() with negative index
Linus Torvalds [Fri, 26 Jun 2026 15:42:49 +0000 (08:42 -0700)]
Merge tag 'loongarch-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson
Pull LoongArch updates from Huacai Chen:
- Add THREAD_INFO_IN_TASK implementation
- Add build salt to the vDSO
- Add some BPF JIT inline helpers
- Update DTS for I2C clocks and clock-frequency
- Some bug fixes and other small changes
* tag 'loongarch-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson:
selftests/bpf: Test jited inline of bpf_get_smp_processor_id() for LoongArch
selftests/bpf: Test jited inline of bpf_get_current_task() for LoongArch
selftests/bpf: Add __arch_loongarch to limit test cases for LoongArch
selftests/bpf: Add get_preempt_count() support for LoongArch
LoongArch: dts: Add i2c clocks and clock-frequency properties to LS2K2000
LoongArch: dts: Add i2c clocks and clock-frequency properties to LS2K1000
LoongArch: dts: Add i2c clocks and clock-frequency properties to LS2K0500
LoongArch: BPF: Inline bpf_get_smp_processor_id() helper
LoongArch: BPF: Inline bpf_get_current_task/_btf() helpers
LoongArch: BPF: Fix off-by-one error in tail call
LoongArch: BPF: Fix outdated tail call comments
LoongArch: Add build salt to the vDSO
LoongArch: Fix nr passing in set_direct_map_valid_noflush()
LoongArch: Fix missing dirty page tracking in {pte,pmd}_wrprotect()
LoongArch: Move struct kimage forward declaration before use
LoongArch: Report dying CPU to RCU in stop_this_cpu()
LoongArch: Add PIO for early access before ACPI PCI root register
LoongArch: Add THREAD_INFO_IN_TASK implementation
Linus Torvalds [Fri, 26 Jun 2026 15:40:35 +0000 (08:40 -0700)]
Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
Pull arm64 fixes from Will Deacon:
"Small crop of arm64 fixes for -rc1. We've got a build fix for a new
randconfig permutation, a fix for a long-standing truncation issue
with hardware watchpoints and a KVM initialisation fix for the newly
merged remapping of the kernel data and bss sections:
- Fix randconfig build failure due to missing include of asm/insn.h
- Reject unaligned hardware watchpoints which were silently being
truncated
- Fix crash in KVM initialisation by deferring the read-only
remapping of the kernel data and bss sections"
* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
arm64: mm: Defer read-only remap of data/bss linear alias
arm64/hw_breakpoint: reject unaligned watchpoints that would truncate BAS
arm64: static_call: include asm/insns.h
Linus Torvalds [Fri, 26 Jun 2026 15:24:06 +0000 (08:24 -0700)]
Merge tag 'ecryptfs-7.2-rc1-updates' of git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs
Pull ecryptfs updates from Tyler Hicks:
"No functional changes, just code cleanups:
- replace kmalloc()/snprintf() with kasprintf()
- simplify code flow by removing an unnecessary variable"
* tag 'ecryptfs-7.2-rc1-updates' of git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs:
ecryptfs: use kasprintf in ecryptfs_crypto_api_algify_cipher_name
ecryptfs: remove redundant variable found_auth_tok
Linus Torvalds [Fri, 26 Jun 2026 15:17:42 +0000 (08:17 -0700)]
Merge tag 'v7.2-rc-part2-smb3-server-fixes' of git://git.samba.org/ksmbd
Pull smb server updates from Steve French:
"This is mostly a correctness and compatibility update for ksmbd's
SMB2/3 lease, oplock, durable handle, compound request, CREATE,
rename, stream and share-mode handling.
A large part of the series fixes cases found by smbtorture where ksmbd
diverged from the SMB2/3 protocol requirements.
The main changes are:
- Rework SMB2 lease state handling so lease state is shared per
ClientGuid/LeaseKey across opens, with better validation of lease
create contexts, ACK handling, epochs, break-in-progress reporting,
v2 lease notification routing, and chained lease breaks
- Fix several oplock break corner cases, including ACK validation,
timeout downgrade behavior, level-II break handling on unlink,
share-conflict lease breaks, and read-control/stat-open behavior
- Fix durable handle behavior around delete-on-close, stale
reconnects, reconnect context parsing, oplock/lease break
invalidation, and durable v2 AppInstanceId replacement
- Fix compound request handling so related commands propagate failed
statuses correctly, preserve response framing across chained
errors, keep compound FIDs across READ/WRITE/FLUSH, and send
interim STATUS_PENDING where clients expect cancellable compound
I/O
- Tighten CREATE and stream semantics, including create attribute
validation, allocation size reporting, explicit create security
descriptors, unnamed DATA stream handling, stream directory
validation, and stream delete sharing against the base file
- Fix rename and metadata behavior, including parent directory
sharing checks, denying directory rename with open children, and
preserving SMB ChangeTime across rename for open handles
- Fix two important safety issues: a multichannel byte-range lock
list owner race that could lead to use-after-free, and an NTLMv2
session key update before authentication proof validation
- Fix a concurrent SMB2 NEGOTIATE preauth use-after-free, a UBSAN
warning in compression capability parsing, a false hung-task
warning in the durable handle scavenger, endian debug logging,
Smatch indentation warnings, and kernel-doc warnings
- Increase the default SMB3 transaction size from 1MB to 4MB to
better match modern read/write negotiation and improve sequential
I/O behavior"
* tag 'v7.2-rc-part2-smb3-server-fixes' of git://git.samba.org/ksmbd: (50 commits)
ksmbd: fix kernel-doc warnings in smb2_lease_break_noti()
ksmbd: fix inconsistent indenting warnings
ksmbd: validate NTLMv2 response before updating session key
ksmbd: increase SMB3_DEFAULT_TRANS_SIZE from 1MB to 4MB
ksmbd: fix UBSAN array-index-out-of-bounds in decode_compress_ctxt()
ksmbd: sleep interruptibly in the durable handle scavenger
ksmbd: start file id allocation at 1
ksmbd: treat read-control opens as stat opens only for leases
ksmbd: validate :: stream type against directory create
ksmbd: break conflicting-open leases only as far as needed
ksmbd: break handle caching for share conflicts
ksmbd: normalize ungrantable lease states
ksmbd: return oplock protocol error for level II ack
ksmbd: avoid level II oplock break notification on unlink
ksmbd: downgrade oplock after break timeout
ksmbd: apply create security descriptor first
ksmbd: return requested create allocation size
ksmbd: tighten create file attribute validation
ksmbd: reject empty-attribute synchronize-only create
ksmbd: honor stream delete sharing for base file
...
Ian Bridges [Thu, 25 Jun 2026 04:13:12 +0000 (23:13 -0500)]
fbdev: Fix fb_new_modelist to prevent null-ptr-deref in fb_videomode_to_var
info->var, a framebuffer's current mode, is expected to have a matching
entry in info->modelist. var_to_display() relies on this and treats a
failed fb_match_mode() as "This should not happen". fb_set_var() keeps it
true by adding the mode to the list on every change, and
do_register_framebuffer() does the same at registration.
store_modes() replaces the modelist from userspace. fb_new_modelist()
validates the new modes but does not check that info->var still has a
match. It relies on fbcon_new_modelist() to re-point consoles, but that
only handles consoles mapped to the framebuffer. With fbcon unbound there
are none, so info->var is left describing a mode that is no longer in the
list.
A later console takeover runs var_to_display(), where fb_match_mode()
returns NULL and leaves fb_display[i].mode NULL. fbcon_switch() passes it
to display_to_var(), and fb_videomode_to_var() dereferences the NULL mode.
Keep the current mode in the list in fb_new_modelist(), the same way
fb_set_var() does.
Ian Bridges [Wed, 24 Jun 2026 21:11:36 +0000 (16:11 -0500)]
fbcon: fix NULL pointer dereference for a console without vc_data
fbcon_new_modelist() runs when a framebuffer's modelist changes. For each
console mapped to it with fb_display[i].mode set, it reads vc_cons[i].d and
passes the vc_num to fbcon_set_disp(). This assumes a console with a mode
set has a vc_data, but it can be NULL. fbcon_set_disp() sets
fb_display[i].mode before it checks vc_data, and fbcon_deinit() leaves the
mode set after the vc_data is freed. fbcon_new_modelist() then dereferences
the NULL vc_data.
Keep fb_display[i].mode set only while the console has a vc_data. Check
vc_data before setting the mode in fbcon_set_disp(), and clear the mode in
fbcon_deinit(). The existing mode check in fbcon_new_modelist() then skips
such consoles.
Ian Bridges [Fri, 26 Jun 2026 04:50:48 +0000 (23:50 -0500)]
fbdev: fix use-after-free in store_modes()
store_modes() replaces a framebuffer's modelist with modes from userspace.
On success it frees the old modelist with fb_destroy_modelist(). Two
fields still point into that freed list.
One pointer is fb_display[i].mode, the mode a console is using.
fbcon_new_modelist() moves these pointers to the new list. It only does so
for consoles still mapped to the framebuffer. An unmapped console is
skipped and keeps its stale pointer. Unbinding fbcon, for example, sets
con2fb_map[i] to -1 but leaves fb_display[i].mode set. An
FBIOPUT_VSCREENINFO ioctl with FB_ACTIVATE_INV_MODE later reaches
fbcon_mode_deleted(). That function reads the stale fb_display[i].mode
through fb_mode_is_equal(). The read is a use-after-free.
The other pointer is fb_info->mode, the current mode. It is set through
the mode sysfs attribute. store_modes() does not update fb_info->mode, so
it is left pointing into the freed list. show_mode(), the attribute's read
handler, dereferences the stale fb_info->mode through mode_string(). The
read is a use-after-free.
Clear both pointers before freeing the list. Commit a1f305893074 ("fbcon:
Set fb_display[i]->mode to NULL when the mode is released") added the
helper fbcon_delete_modelist(). It clears every fb_display[i].mode that
points into a given list. So far it is called only from the unregister
path. Call it from store_modes() too, and set fb_info->mode to NULL.
Pengpeng Hou [Wed, 24 Jun 2026 13:18:28 +0000 (21:18 +0800)]
gpio: htc-egpio: use managed gpiochip registration
egpio_probe() registers each nested gpio_chip with gpiochip_add_data()
but ignores the return value. If one registration fails, probe still
returns success even though one of the chips was not published to
gpiolib.
Use devm_gpiochip_add_data() and fail probe if any chip registration
fails. This lets devres unwind already registered chips and prevents
the driver from publishing a partially initialized device.
Fixes: a1635b8fe59d ("[ARM] 4947/1: htc-egpio, a driver for GPIO/IRQ expanders with fixed input/output pins") Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn> Link: https://patch.msgid.link/20260624131828.94139-1-pengpeng@iscas.ac.cn Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Pengpeng Hou [Wed, 24 Jun 2026 13:16:45 +0000 (21:16 +0800)]
gpio: mvebu: fail probe if gpiochip registration fails
mvebu_gpio_probe() registers the GPIO chip with
devm_gpiochip_add_data() but ignores the return value. If registration
fails, probe continues and leaves later code operating on a GPIO chip
that was never published to gpiolib.
Return the registration error so the device fails probe cleanly.
Jiaming Zhang [Thu, 25 Jun 2026 13:49:33 +0000 (21:49 +0800)]
ALSA: FCP: Fix NULL pointer dereference in interface lookup
A malformed USB device can provide a vendor-specific interface without
any endpoint descriptors. fcp_find_fc_interface() currently selects the
first vendor-specific interface and reads endpoint 0 from it, without
checking whether the interface actually has any endpoints.
When bNumEndpoints is zero, no endpoint array is allocated for the parsed
alternate setting, so get_endpoint(..., 0) yields an invalid endpoint
descriptor pointer. Dereferencing it through usb_endpoint_num() then
triggers a NULL pointer dereference.
Skip vendor-specific interfaces that do not have any endpoints.
ALSA: hda/realtek: Update Acer Nitro ANV15-41 quirk to enable mute LED
The laptop has a microphone mute LED on the F4 key, but it was not
taken in mind when the previous quirk was added
in commit 00e44a68efef50f65b12854b41f098b4d50f10be ("ALSA:
hda/realtek: Add quirk for Acer Nitro ANV15-41").
Replace ALC2XX_FIXUP_HEADSET_MIC with ALC245_FIXUP_ACER_MICMUTE_LED,
which enables the LED and chains the previous quirk for the headset
microphone.
Takashi Iwai [Fri, 26 Jun 2026 05:33:15 +0000 (07:33 +0200)]
Merge tag 'asoc-fix-v7.2-merge-window' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
ASoC: Fixes for v7.2
We've got a good collection of device specific fix here, plus a couple
of stand out things:
- Richard fixed some special cases with the new device_link creation
by more gracefully handling any errors during creation.
- Charles did some light refactoring of the SoundWire interfaces to
fix some persistent randconfig issues that people kept running into.
KaFai Wan [Wed, 24 Jun 2026 12:35:35 +0000 (20:35 +0800)]
bpf: Fix insn_aux_data leak on verifier err_free_env path
When bpf_check() allocates env->insn_aux_data successfully but later
fails to allocate env->succ, it jumps directly to err_free_env.
The existing vfree(env->insn_aux_data) sits before the err_free_env
label, so that direct jump bypasses it and leaks insn_aux_data.
Move vfree(env->insn_aux_data) into err_free_env so all early and late
exit paths release it consistently.
Fixes: 2f69c5685427 ("bpf: make bpf_insn_successors to return a pointer") Signed-off-by: KaFai Wan <kafai.wan@linux.dev> Reviewed-by: Anton Protopopov <a.s.protopopov@gmail.com> Link: https://lore.kernel.org/r/20260624123536.114757-1-kafai.wan@linux.dev Signed-off-by: Alexei Starovoitov <ast@kernel.org>
====================
bpf: Mask pseudo pointer values in verifier logs
Verifier log printing already hides ldimm64 immediates for map FD and
map value pseudo sources when pointer leaks are not allowed. The same
print path also sees rewritten immediates for BPF_PSEUDO_MAP_IDX,
BPF_PSEUDO_MAP_IDX_VALUE, and BPF_PSEUDO_BTF_ID, but those sources were
not included in the pointer classification.
Extend the existing masking so all pointer-producing ldimm64 pseudo
sources print as 0x0 when allow_ptr_leaks is false.
Patch 1 extends the disassembler-side masking.
Patch 2 adds verifier selftest coverage for pseudo-BTF ksym logs.
Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn> Acked-by: Eduard Zingerman <eddyz87@gmail.com>
---
Changes in v2:
- Replace the CAP_BPF gate with verifier-log masking in print_bpf_insn().
- Also mask BPF_PSEUDO_MAP_IDX and BPF_PSEUDO_MAP_IDX_VALUE immediates.
- Update selftests to check masked pseudo-BTF ksym logs.
- Link to v1: https://patch.msgid.link/20260620-f01-13-pseudo-btf-id-cap-bpf-v1-0-f950f69fe60c@mails.tsinghua.edu.cn
====================
Nuoqi Gui [Tue, 23 Jun 2026 10:43:39 +0000 (18:43 +0800)]
selftests/bpf: Cover pseudo-BTF ksym log masking
Add verifier_unpriv coverage for a raw socket-filter load of the
bpf_prog_active typed ksym. The test verifies that the unprivileged load
remains accepted and that the verbose verifier log prints the ldimm64
immediate as 0x0 instead of exposing a nonzero kernel address.
Nuoqi Gui [Tue, 23 Jun 2026 10:43:38 +0000 (18:43 +0800)]
bpf: Mask pseudo pointer values in verifier logs
print_bpf_insn() masks ldimm64 immediates for pointer-bearing pseudo
sources when pointer leaks are not allowed, but the mask only covers
BPF_PSEUDO_MAP_FD and BPF_PSEUDO_MAP_VALUE.
BPF_PSEUDO_MAP_IDX, BPF_PSEUDO_MAP_IDX_VALUE, and BPF_PSEUDO_BTF_ID can
also be resolved to kernel pointer values before the verifier log prints
the instruction. Include them in the existing pointer classification so
the log prints 0x0 instead of the rewritten address.
bpf_refcount_acquire() is modeled as returning a refcounted allocation
base, but it currently accepts PTR_TO_BTF_ID | MEM_ALLOC arguments whose
offset already points at an embedded graph node returned from a list or
rbtree operation.
At runtime the kfunc starts from the supplied pointer and adds the type's
refcount offset. With a graph-node pointer, that starts from base +
node_off, while the verifier treats the returned pointer as the allocation
base. Reject non-zero fixed-offset arguments to keep the runtime operation
and the verifier model aligned.
Programs that pop graph nodes can still acquire a reference after
normalizing the node pointer with container_of().
Patch 1 handles the zero fixed-offset requirement in the existing
check_func_arg_reg_off() / __check_ptr_off_reg() path without consuming a
bpf_type_flag bit.
Patch 2 adds a rejected direct list-node case.
Changes from v3:
- Add Eduard's Acked-by to patch 1.
- Drop the redundant rbtree selftest case; the list case exercises the same
refcount-acquire fixed-offset rejection path.
- Trim the selftest commit message and remove the selftest Fixes tag.
Changes from v2:
- Avoid adding a new bpf_type_flag bit.
- Carry the refcount-acquire zero fixed-offset requirement with an
internal check_func_arg_reg_off() parameter.
Changes from v1:
- Move zero fixed-offset enforcement into check_func_arg_reg_off() /
__check_ptr_off_reg(), as suggested by Eduard.
- Drop the positive container_of() selftest case.
- Remove the stale bpf_obj_drop() after bpf_list_push_front(), since the
pushed reference is consumed even when the verifier explores the error
branch.
- Rebase to bpf-next master a975094bf98c.
Add regression coverage for bpf_refcount_acquire() on graph-node-derived
pointers.
The rejected case passes a popped list node pointer directly to
bpf_refcount_acquire(), which must fail because the pointer carries a
non-zero fixed offset.
Yiyang Chen [Tue, 23 Jun 2026 06:11:09 +0000 (06:11 +0000)]
bpf: Reject offset refcount acquire arguments
bpf_refcount_acquire() increments the refcount at the caller-supplied
pointer plus the refcount field offset, then returns the caller-supplied
pointer unchanged.
The verifier records the return value as a base pointer to the refcounted
object.
bpf_list_pop_front() and bpf_rbtree_remove() can return embedded
graph-node pointers as PTR_TO_BTF_ID | MEM_ALLOC with a fixed offset equal
to the node field offset. Passing such a pointer directly to
bpf_refcount_acquire() currently passes the refcounted-kptr type check.
That makes the runtime operation start from base + node_off while the
verifier models the returned pointer as the object base.
Require refcount-acquire arguments to have zero fixed offset by carrying
the requirement through check_func_arg_reg_off() to __check_ptr_off_reg().
Programs can still acquire a refcount from a graph-node-derived pointer
after normalizing it with container_of().
Bryam Vargas [Sun, 14 Jun 2026 05:36:12 +0000 (00:36 -0500)]
Input: synaptics-rmi4 - bound the F30 keymap to the GPIO/LED count
rmi_f30_map_gpios() allocates gpioled_key_map with
min(gpioled_count, TRACKSTICK_RANGE_END) == at most 6 entries, but
rmi_f30_attention() iterates the full f30->gpioled_count (device query
register, range 0..31) and dereferences gpioled_key_map[i], and
input->keycodemax is set to the full gpioled_count while input->keycode
points at the 6-entry allocation.
A device that reports gpioled_count > 6 with GPIO support enabled
therefore causes an out-of-bounds read on the attention interrupt and
out-of-bounds read/write through the EVIOCGKEYCODE/EVIOCSKEYCODE ioctls,
which bound the index only against keycodemax. This is the same defect
as the F3A handler, which was copied from F30.
Size the keymap for the full gpioled_count; the mapping loop still
assigns only the first min(gpioled_count, TRACKSTICK_RANGE_END) entries.
Fixes: 3e64fcbdbd10 ("Input: synaptics-rmi4 - limit the range of what GPIOs are buttons") Cc: stable@vger.kernel.org Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me> Link: https://patch.msgid.link/20260614-b4-disp-818d6bda-v1-2-cf39a3615085@proton.me Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Bryam Vargas [Sun, 14 Jun 2026 05:36:11 +0000 (00:36 -0500)]
Input: synaptics-rmi4 - bound the F3A keymap to the GPIO count
rmi_f3a_initialize() takes the GPIO count from the device query register
(f3a->gpio_count = buf & RMI_F3A_GPIO_COUNT, range 0..127).
rmi_f3a_map_gpios() then allocates gpio_key_map with
min(gpio_count, TRACKSTICK_RANGE_END) == at most 6 entries, but
rmi_f3a_attention() iterates the full gpio_count and dereferences
gpio_key_map[i], and input->keycodemax is set to the full gpio_count
while input->keycode points at the 6-entry allocation.
A device that reports gpio_count > 6 therefore causes an out-of-bounds
read of gpio_key_map[] on every attention interrupt, and out-of-bounds
accesses through the input core's default keymap ioctls: EVIOCGKEYCODE
reads past the buffer (leaking adjacent slab memory to user space) and
EVIOCSKEYCODE writes a caller-controlled value past it, for any process
able to open the evdev node, since input_default_getkeycode() and
input_default_setkeycode() only bound the index against keycodemax.
Size the keymap for the full gpio_count. The mapping loop is unchanged:
it still assigns only the first min(gpio_count, TRACKSTICK_RANGE_END)
entries; the remaining slots stay KEY_RESERVED (devm_kcalloc zero-fills)
and are skipped when reporting.
====================
bpf, sockmap: reject a packet-modifying SK_SKB stream parser
A BPF_PROG_TYPE_SK_SKB stream parser runs on strparser's message head,
which can chain skbs through frag_list. A parser that resizes the skb
frees the frag_list segments that strparser still tracks through
skb_nextp, leading to a use-after-free.
A stream parser is only meant to measure the next message, not to modify
the packet, so reject a packet-modifying parser at attach time.
v5:
- target bpf-next instead of bpf
- add Reviewed-by tag (Jiayuan Chen)
Sechang Lim [Sat, 20 Jun 2026 02:44:17 +0000 (02:44 +0000)]
bpf, sockmap: reject a packet-modifying SK_SKB stream parser
sk_psock_strp_parse() runs the BPF_PROG_TYPE_SK_SKB stream-parser program
to find the length of the next message. strparser assembles a message out
of several received skbs by chaining them onto the head's frag_list and
recording where to append the next one in strp->skb_nextp:
The parser is only meant to inspect the skb, but the program may call
bpf_skb_change_tail() -- or the sibling bpf_skb_pull_data(),
bpf_skb_change_head(), bpf_skb_adjust_room(), all allowed for SK_SKB.
Once the head carries a frag_list these go
strp->skb_nextp now points into a freed sk_buff. The next segment of
the same message arrives in __strp_recv(), which links it with
*strp->skb_nextp = skb, an 8-byte write into the freed skb. The free
and the write happen in different __strp_recv() calls, so the message
has to span at least three segments before it triggers.
BUG: KASAN: slab-use-after-free in __strp_recv+0x447/0xda0
Write of size 8 at addr ffff88810db86140 by task repro/349
The same resize also leaves the head's length inconsistent with its
frags, so a later __pskb_pull_tail() can instead hit the
BUG_ON(skb_copy_bits(...)) in net/core/skbuff.c.
A stream parser is only meant to measure the next message, not to modify
the packet. Reject a parser whose program can change packet data
(prog->aux->changes_pkt_data) at attach time. The check is shared by
sock_map_prog_update() and sock_map_link_update_prog(), which between them
cover prog attach, link create and link update. Verdict programs are
unaffected and may still modify the skb.
Sechang Lim [Sat, 20 Jun 2026 02:44:16 +0000 (02:44 +0000)]
selftests/bpf: don't modify the skb in the strparser parser prog
sockmap_parse_prog.c is attached as an SK_SKB stream parser and modifies
the skb: it calls bpf_skb_pull_data() and writes a byte into the packet.
A stream parser runs on strparser's message head and must not modify it.
A resize frees the frag_list segments strparser still tracks, leading to
a use-after-free.
Make the parser read-only. It only needs to return the message length,
which keeps it attaching once packet-modifying parsers are rejected.
- Guard error writes in conntrack kfuncs (Yiyang Chen)
* tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
bpf: Disable xfrm_decode_session hook attachment
selftests/bpf: Add test for stale bounds on LSM retval context load
bpf: Reset register bounds before narrowing retval range in check_mem_access()
selftests/bpf: Cover small conntrack opts error writes
bpf: Guard conntrack opts error writes
selftests/bpf: Cover half-slot cleanup of pointer spills
bpf: Preserve pointer spill metadata during half-slot cleanup
selftests/bpf: Test cgroup link replace with BPF_F_PREORDER
bpf: Fix effective prog array index with BPF_F_PREORDER
bpf: Fix BPF_PROG_ASSOC_STRUCT_OPS last field check
bpf: zero-initialize the fib lookup flow struct
bpftool: Fix vmlinux BTF leak in cgroup commands
bpf: Add missing access_ok call to copy_user_syms
bpf: Allow type tag BTF records to succeed other modifier records
bpf: Emit verbose message when prog-specific btf_struct_access rejects a write
bpf: Fix build_id caching in stack_map_get_build_id_offset()
bpf: Fix partial copy of non-linear test_run output
selftests/bpf: Cover stack nospec slot indexing
bpf: Fix stack slot index in nospec checks
Linus Torvalds [Thu, 25 Jun 2026 19:48:57 +0000 (12:48 -0700)]
Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux
Pull clk updates from Stephen Boyd:
"This is all clk driver updates. Mostly new SoC support for various
Qualcomm chips and Canaan K230. Otherwise there's non-critical fixes
and updates to clk data such as adding missing clks to existing
drivers or marking clks critical. Nothing looks especially exciting"
* tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux: (106 commits)
clk: qcom: regmap-phy-mux: Rework the implementation
clk: qcom: a53: Corrected frequency multiplier for 1152MHz
clk: qcom: camcc-milos: Declare icc path dependency for CAMSS_TOP_GDSC
clk: qcom: gdsc: Support enabling interconnect path for power domain
dt-bindings: clock: qcom,milos-camcc: Document interconnect path
interconnect: Add devm_of_icc_get_by_index() as exported API for users
clk: qcom: camcc-x1p42100: Add support for camera clock controller
clk: qcom: camcc-x1e80100: Add support for camera QDSS debug clocks
clk: qcom: videocc-x1p42100: Add support for video clock controller
dt-bindings: clock: qcom: Add X1P42100 camera clock controller
dt-bindings: clock: qcom: Add X1P42100 video clock controller
clk: keystone: sci-clk: fix application of sizeof to pointer
clk: keystone: don't cache clock rate
clk: spacemit: k3: Add PCIe DBI clock
dt-bindings: soc: spacemit: k3: Add PCIe DBI clock IDs
clk: spacemit: k3: Fix PCIe clock register offset
clk: spacemit: k3: Switch to pll2_d6 as parent for PCIe clock
clk: at91: keep securam node alive while mapping it
clk: samsung: exynos990: Fix PERIC0/1 USI clock types
clk: renesas: r9a08g045: Drop unused pm_domain header file
...
Samuel Holland [Wed, 24 Jun 2026 11:31:48 +0000 (19:31 +0800)]
riscv: Fix 32-bit call_on_irq_stack() frame pointer ABI
call_on_irq_stack() uses struct member offsets to set up its link in the
frame record list. On riscv32, struct stackframe is the wrong size to
maintain stack pointer alignment, so STACKFRAME_SIZE_ON_STACK includes
padding. However, the ABI requires the frame record to be placed
immediately below the address stored in s0, so the padding must come
before the struct members.
Fix the layout by making STACKFRAME_FP and STACKFRAME_RA the negative
offsets from s0, instead of the positive offsets from sp.
Linus Torvalds [Thu, 25 Jun 2026 19:38:52 +0000 (12:38 -0700)]
Merge tag 'spmi-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sboyd/spmi
Pull SPMI updates from Stephen Boyd:
"Support for Qualcomm PMIC arbiter v8.5 and Hawi along with a
kernel doc cleanup and a kzalloc flex usage"
* tag 'spmi-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sboyd/spmi:
spmi: use kzalloc_flex in main allocation
spmi: clean up kernel-doc in spmi.h
spmi: spmi-pmic-arb: add support for PMIC arbiter v8.5
dt-bindings: spmi: glymur-spmi-pmic-arb: Add compatible for Qualcomm Hawi SoC
Linus Torvalds [Thu, 25 Jun 2026 19:33:15 +0000 (12:33 -0700)]
Merge tag 'trace-tools-7.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
Pull rtla fixes from Steven Rostedt:
- Fix and cleanup .gitignore
- Fix pgrep filter in get_workload_pids.sh
Fix parsing of kernel thread names in get_workload_pids() helper
function. On some systems pgrep matches kernel thread names including
the brackets (e.g. "[osnoise/0]") and other systems brackets are not
included. Fix the tests to handle both.
* tag 'trace-tools-7.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
rtla/tests: Fix pgrep filter in get_workload_pids.sh
rtla: Fix and clean up .gitignore
Linus Torvalds [Thu, 25 Jun 2026 19:25:36 +0000 (12:25 -0700)]
Merge tag 'net-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
Pull networking fixes from Jakub Kicinski:
"Including fixes from netfilter and IPsec.
Current release - regressions:
- do not acquire dev->tx_global_lock in netdev_watchdog_up()
- ethtool: keep rtnl_lock for ops using ethtool_op_get_link()
- fix deadlock in nested UP notifier events
Current release - new code bugs:
- eth:
- cn20k: fix subbank free list indexing for search order
- airoha: fix BQL underflow in shared QDMA TX ring
Previous releases - regressions:
- netfilter:
- flowtable: fix offloaded ct timeout never being extended
- nf_conncount: prevent connlimit drops for early confirmed ct
Previous releases - always broken:
- require CAP_NET_ADMIN in the originating netns when modifying
cross-netns devices
- report NAPI thread PID in the caller's pid namespace
- mac802154: fix dirty frag in in-place crypto for IOT radios
- sctp: hold socket lock when dumping endpoints in sctp_diag, avoid
an overflow
- eth: gve: fix header buffer corruption with header-split and HW-GRO
- af_key: initialize alg_key_len for IPComp states, prevent OOB read"
* tag 'net-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (213 commits)
selftests: bonding: add a test for VLAN propagation over a bonded real device
vlan: defer real device state propagation to netdev_work
net: add the driver-facing netdev_work scheduling API
net: turn the rx_mode work into a generic netdev_work facility
net: ethtool: keep rtnl_lock for ops using ethtool_op_get_link()
rxrpc: Fix rxrpc_rotate_tx_rotate() to check there's something to rotate
rxrpc: Fix leak of released call in recvmsg(MSG_PEEK)
rxrpc: Fix socket notification race
rxrpc: Fix potential infinite loop in rxrpc_recvmsg()
rxrpc: Fix oob challenge leak in cleanup after notification failure
rxrpc: Fix the reception of a reply packet before data transmission
afs: Fix uncancelled rxrpc OOB message handler
afs: Fix further netns teardown to cancel the preallocation charger
rxrpc: Fix double unlock in rxrpc_recvmsg()
rxrpc: Fix leak of connection from OOB challenge
rxrpc: Fix ACKALL packet handling
net: hns3: differentiate autoneg default values between copper and fiber
net: hns3: fix permanent link down deadlock after reset
net: hns3: refactor MAC autoneg and speed configuration
net: hns3: unify copper port ksettings configuration path
...
RISC-V uses -fpatchable-function-entry=8,4 when the compressed ISA is
enabled and -fpatchable-function-entry=4,2 otherwise. In both cases, the
patchable NOP area starts 8 bytes before the function symbol address.
The __mcount_loc entries therefore point at the patchable NOP area
associated with a function, while nm reports the function symbol at the
entry address used for the function range check.
After RISC-V selected HAVE_BUILDTIME_MCOUNT_SORT, sorttable started
applying that range check at build time. Without allowing entries just
before the reported function address, the mcount sorter treats valid
RISC-V ftrace callsites as invalid weak-function entries and writes
them back as zero. The resulting kernel boots with no ftrace entries,
breaking dynamic ftrace and users such as livepatch.
The failure is silent during the final link because zeroing weak-function
entries is an expected sorttable operation. At boot, those zero entries
are skipped by ftrace_process_locs(), so the only obvious symptom is that
the vmlinux ftrace table has lost valid callsites and ftrace users cannot
attach to them.
CONFIG_FTRACE_SORT_STARTUP_TEST also reports the table as sorted in this
state: it only checks that the __mcount_loc entries are in ascending
order, which a fully zeroed table trivially satisfies. The original
commit relied on this check and did not see the regression.
On an affected RISC-V QEMU boot with both CONFIG_FTRACE_SORT_STARTUP_TEST
and CONFIG_FTRACE_STARTUP_TEST enabled, the sort check still passes
while ftrace reports zero usable entries and the early selftests fail:
[ 0.000000] ftrace section at ffffffff8101da98 sorted properly
[ 0.000000] ftrace: allocating 0 entries in 128 pages
[ 0.054999] Testing tracer function: .. no entries found ..FAILED!
[ 0.172407] tracer: function failed selftest, disabling
[ 0.178186] Failed to init function_graph tracer, init returned -19
Handle RISC-V like arm64 for the function-range check and allow
patchable entries up to 8 bytes before the function address.
With this fix, a RISC-V QEMU smoke boot with ftrace startup tests shows
the vmlinux ftrace table is populated and dynamic ftrace still works:
Yicong Yang [Thu, 25 Jun 2026 09:47:02 +0000 (17:47 +0800)]
ACPI: RIMT: Only defer the IOMMU configuration in init stage
The IOMMU configuration will be deferred if the IOMMU driver
isn't probed by the time. Make this deferral only in the
initialization stage with driver_deferred_probe_check_state().
Otherwise the devices depends on IOMMU will be deferred forever
in case the IOMMU device probe failed or it doesn't appear in
the ACPI namespace.
Ben Dooks [Mon, 22 Jun 2026 13:52:07 +0000 (14:52 +0100)]
raid6: fix riscv symbol undeclared warnigns
The riscv rvv.c file is missing the include of pq_arch.h
which defines all the exported functions. Include this
to remove the following sparse warnings:
lib/raid/raid6/riscv/rvv.c:1225:1: warning: symbol 'raid6_rvvx1' was not declared. Should it be static?
lib/raid/raid6/riscv/rvv.c:1226:1: warning: symbol 'raid6_rvvx2' was not declared. Should it be static?
lib/raid/raid6/riscv/rvv.c:1227:1: warning: symbol 'raid6_rvvx4' was not declared. Should it be static?
lib/raid/raid6/riscv/rvv.c:1228:1: warning: symbol 'raid6_rvvx8' was not declared. Should it be static?