<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/git/next/linux-next.git/include, branch fs-next</title>
<subtitle>The linux-next integration testing tree</subtitle>
<id>https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/atom?h=fs-next</id>
<link rel='self' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/atom?h=fs-next'/>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/'/>
<updated>2026-07-07T11:04:10+00:00</updated>
<entry>
<title>Merge branch 'vfs.all' of https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git</title>
<updated>2026-07-07T11:04:10+00:00</updated>
<author>
<name>Mark Brown</name>
<email>broonie@kernel.org</email>
</author>
<published>2026-07-07T11:04:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=facd9724cea049c963fd341f8725651173e9ce55'/>
<id>urn:sha1:facd9724cea049c963fd341f8725651173e9ce55</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Merge branch 'nfsd-next' of https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux</title>
<updated>2026-07-07T11:04:01+00:00</updated>
<author>
<name>Mark Brown</name>
<email>broonie@kernel.org</email>
</author>
<published>2026-07-07T11:04:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=17c8c485892416c2690339bdd7f7674158c0eacc'/>
<id>urn:sha1:17c8c485892416c2690339bdd7f7674158c0eacc</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Merge branch 'linux-next' of git://git.linux-nfs.org/projects/anna/linux-nfs.git</title>
<updated>2026-07-07T11:04:00+00:00</updated>
<author>
<name>Mark Brown</name>
<email>broonie@kernel.org</email>
</author>
<published>2026-07-07T11:04:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=33f2fdc1b6f8beac85e37f4eca72e8cbde8ce7c6'/>
<id>urn:sha1:33f2fdc1b6f8beac85e37f4eca72e8cbde8ce7c6</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Merge branch 'for-next' of https://git.kernel.org/pub/scm/fs/fscrypt/linux.git</title>
<updated>2026-07-07T10:44:14+00:00</updated>
<author>
<name>Mark Brown</name>
<email>broonie@kernel.org</email>
</author>
<published>2026-07-07T10:44:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=4d6e788be405e4e64434f45500d44abbf5aab59c'/>
<id>urn:sha1:4d6e788be405e4e64434f45500d44abbf5aab59c</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Merge tag 'mm-hotfixes-stable-2026-07-06-17-49' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm</title>
<updated>2026-07-07T01:51:36+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-07T01:51:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=0e35b9b6ec0ffcc5e23cbdec09f5c622ad532b53'/>
<id>urn:sha1:0e35b9b6ec0ffcc5e23cbdec09f5c622ad532b53</id>
<content type='text'>
Pull misc fixes from Andrew Morton:
 "20 hotfixes. 17 are for MM. 12 are cc:stable and the remaining 8
  address post-7.1 issues or aren't considered suitable for backporting.

  Two patches from SJ addresses a couple of quite old DAMON issues. And
  two patches from Yichong Chen fixes tools/virtio build issues. The
  remaining patches are singletons"

* tag 'mm-hotfixes-stable-2026-07-06-17-49' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm:
  tools/include: include stdint.h for SIZE_MAX in overflow.h
  tools/virtio: add missing compat definitions for vhost_net_test
  mm: do file ownership checks with the proper mount idmap
  samples/damon/mtier: fail early if address range parameters are invalid
  mm: a second pagecache maintainer
  mm/damon: add a kernel-doc comment for damon_ctx-&gt;rnd_state
  mm/damon: add a kernel-doc comment for damon_ctx-&gt;probes
  mailmap: add entries for Radu Rendec
  selftests/mm: hmm-tests: include linux/mman.h to access MADV_COLLAPSE
  selftests/mm: pagemap_ioctl: use the correct page size for transact_test()
  fs/proc: fix KPF_KSM reported for all anonymous pages
  mm: page_ext: add count limit to page_ext_iter_next to prevent invalid PFN access
  mm/damon/ops-common: handle extreme intervals in damon_hot_score()
  MAINTAINERS: add Lance as an rmap reviewer
  mm/compaction: handle free_pages_prepare() properly in compaction_free()
  mm/damon/sysfs-schemes: put stats for scheme_add_dirs() internal error
  mm/damon/sysfs-schemes: fix dir put orders in access_pattern_add_dirs()
  mm: shrinker: fix NULL pointer dereference in debugfs
  mm: shrinker: fix shrinker_info teardown race with expansion
  selftests/mm: fix ksft_process_madv.sh test category
</content>
</entry>
<entry>
<title>SUNRPC: pin upper rpc_clnt across the TLS connect_worker</title>
<updated>2026-07-06T19:18:08+00:00</updated>
<author>
<name>Chuck Lever</name>
<email>chuck.lever@oracle.com</email>
</author>
<published>2026-05-04T10:28:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=a08b2842b3fdf023ef0fac951a3bcf331cfcd578'/>
<id>urn:sha1:a08b2842b3fdf023ef0fac951a3bcf331cfcd578</id>
<content type='text'>
The TLS connect path has a use-after-free: nothing pins the
upper rpc_clnt across the delayed connect_worker. xs_connect()
stores task-&gt;tk_client in sock_xprt::clnt as a raw pointer
and queues the worker; for TLS-secured transports that worker
is xs_tcp_tls_setup_socket(), which reads several fields out
of the saved pointer (cl_timeout, cl_program, cl_prog,
cl_vers, cl_cred, cl_stats) to construct the args for the
inner handshake rpc_clnt.

The xprt does not reference the rpc_clnt; the rpc_clnt
references the xprt. xs_destroy() does cancel the
connect_worker, but it runs only when the xprt's refcount
drops to zero, which cannot happen until the rpc_clnt
releases its cl_xprt reference in rpc_free_client_work().
When a TLS handshake fails fatally (for example, an mTLS
mount whose client cert does not match the server), the
connecting task is woken with -EACCES and exits, the mount
caller invokes rpc_shutdown_client(), and the upper rpc_clnt
is freed before the queued connect_worker fires.
xs_tcp_tls_setup_socket() then dereferences the freed clnt,
producing the refcount_t underflow Michael Nemanov reported.

Take a reference on the upper rpc_clnt in xs_connect() for
TLS transports via a new rpc_hold_client() helper, and drop
it in the connect_worker's exit path with rpc_release_client().
The xprt_lock_connect() / xprt_unlock_connect() pairing
already serialises xs_connect() with xs_tcp_tls_setup_socket(),
so the take and release are balanced one-for-one.

The non-TLS connect worker (xs_tcp_setup_socket) never reads
sock_xprt::clnt, so leave that path alone and avoid the
clnt-holds-xprt-holds-clnt cycle that would otherwise prevent
xprt destruction.

Reported-by: Michael Nemanov &lt;michael.nemanov@vastdata.com&gt;
Closes: https://lore.kernel.org/linux-nfs/40e3d522-dfcf-4fc1-9c55-b5e81f1536d5@vastdata.com/
Fixes: 75eb6af7acdf ("SUNRPC: Add a TCP-with-TLS RPC transport class")
Signed-off-by: Chuck Lever &lt;chuck.lever@oracle.com&gt;
Tested-by: Michael Nemanov &lt;michael.nemanov@vastdata.com&gt;
Reviewed-by: Michael Nemanov &lt;michael.nemanov@vastdata.com&gt;
Signed-off-by: Anna Schumaker &lt;anna.schumaker@hammerspace.com&gt;
</content>
</entry>
<entry>
<title>lockd, nfsd: RCU-protect nlmsvc_ops dispatch</title>
<updated>2026-07-06T01:07:22+00:00</updated>
<author>
<name>Jeff Layton</name>
<email>jlayton@kernel.org</email>
</author>
<published>2026-06-11T20:00:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=a6635b861a56596cb1aea25b009c369406e5446d'/>
<id>urn:sha1:a6635b861a56596cb1aea25b009c369406e5446d</id>
<content type='text'>
nlmsvc_ops is published by nfsd_lockd_init() and cleared by
nfsd_lockd_shutdown() with plain stores, while lockd dereferences
it unguarded from dispatch sites in fs/lockd/svcsubs.c. The pointer
targets nfsd's .rodata and the fopen/fclose callbacks live in nfsd's
.text, so a stale load after rmmod nfsd results in either a NULL
deref or a module-text use-after-free.

Declare nlmsvc_ops as __rcu, publish via rcu_assign_pointer(), clear
via RCU_INIT_POINTER() + synchronize_rcu(). Add a struct module
*owner field to nlmsvc_binding and pin the module across indirect
calls with try_module_get/module_put. When the binding is torn down,
fall back to fput() to avoid leaking struct file references.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Jeff Layton &lt;jlayton@kernel.org&gt;
Link: https://patch.msgid.link/20260611-nfsd-testing-v2-16-5b90e276f2d9@kernel.org
Signed-off-by: Chuck Lever &lt;cel@kernel.org&gt;
</content>
</entry>
<entry>
<title>SUNRPC: Add svc_serv_maxthreads() to report the thread ceiling</title>
<updated>2026-07-06T01:07:22+00:00</updated>
<author>
<name>Chuck Lever</name>
<email>cel@kernel.org</email>
</author>
<published>2026-06-11T01:58:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=91a6b5f0b47e880ef63318739bca99622778cf42'/>
<id>urn:sha1:91a6b5f0b47e880ef63318739bca99622778cf42</id>
<content type='text'>
A pooled RPC service sizes its threads dynamically, growing and
shrinking each pool between its minimum and maximum bounds as load
varies.  The count of running threads therefore reflects recent
demand, not the service's capacity.  A consumer that sizes a data
structure against the concurrency the service can sustain -- NFSD's
NFSv4 session slot tables, for one -- needs that stable ceiling, and
computing it means summing sp_nrthrmax across every pool.

Add svc_serv_maxthreads() so the summation, and its dependence
on the layout of struct svc_serv and struct svc_pool, stays within
sunrpc. The read is lock-free: pool maxima change only when a service
is reconfigured, a path callers already serialize against startup and
shutdown, so a racing reader observes at worst a transient value. This
is acceptable for the sizing heuristics that will consume it.

nfsd_nrthreads() already sums sp_nrthrmax across pools by hand; convert
it to svc_serv_maxthreads(), giving the new export an in-tree consumer
and removing a copy of the dependence on svc_serv internals.

Reviewed-by: NeilBrown &lt;neil@brown.name&gt;
Reviewed-by: Jeff Layton &lt;jlayton@kernel.org&gt;
Reviewed-by: Benjamin Coddington &lt;bcodding@hammerspace.com&gt;
Link: https://patch.msgid.link/20260610-nfsd-slot-growth-clamp-v1-1-7b966700df0b@kernel.org
Signed-off-by: Chuck Lever &lt;cel@kernel.org&gt;
</content>
</entry>
<entry>
<title>SUNRPC: close backchannel before destroying callback service</title>
<updated>2026-07-06T01:07:22+00:00</updated>
<author>
<name>Chuck Lever</name>
<email>chuck.lever@oracle.com</email>
</author>
<published>2026-05-28T19:32:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=0814ee624c9e3efb33eb1c335cc4af718dafb79b'/>
<id>urn:sha1:0814ee624c9e3efb33eb1c335cc4af718dafb79b</id>
<content type='text'>
A backchannel receive can complete a request while the NFS callback
service is being torn down.  xprt_complete_bc_request() removes the
request from bc_pa_list, drops bc_alloc_count, marks the request in use,
and then asks xprt_enqueue_bc_request() to hand it to the callback
service.

If teardown has already cleared xprt-&gt;bc_serv, xprt_enqueue_bc_request()
currently returns without enqueueing or freeing the committed request.
The xprt_get() taken on entry is leaked as well.  If the producer wins
the race before bc_serv is cleared, it can also enqueue onto sv_cb_list
after nfs_callback_down() has stopped the callback threads, leaving the
request linked to a svc_serv that is about to be freed.

Close the producer side before callback threads are stopped.  Add
xprt_svc_shutdown_bc() to clear xprt-&gt;bc_serv under bc_pa_lock, and call
it on callback shutdown and callback-start failure before stopping the
service threads.  Requests that lose the NULL transition in
xprt_enqueue_bc_request() are released through the normal backchannel
free path after balancing bc_slot_count.  Finally, drain any remaining
sv_cb_list requests after the callback threads have stopped and before
svc_destroy() frees the service.

Fixes: 441244d4273a ("SUNRPC: cleanup common code in backchannel request")
Fixes: 9e9fdd0ad0fb ("NFSv4.1: protect destroying and nullifying bc_serv structure")
Cc: stable@vger.kernel.org
Signed-off-by: Chris Mason &lt;clm@meta.com&gt;
Reviewed-by: Jeff Layton &lt;jlayton@kernel.org&gt;
Link: https://patch.msgid.link/20260528-tier2-v1-6-d026a1415e0b@oracle.com
Signed-off-by: Chuck Lever &lt;chuck.lever@oracle.com&gt;
</content>
</entry>
<entry>
<title>svcrdma: Validate Read chunk positions at decode time</title>
<updated>2026-07-06T01:07:22+00:00</updated>
<author>
<name>Chuck Lever</name>
<email>chuck.lever@oracle.com</email>
</author>
<published>2026-05-26T13:36:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=3564d142507a5799845e9912e36a8d0380d1a625'/>
<id>urn:sha1:3564d142507a5799845e9912e36a8d0380d1a625</id>
<content type='text'>
Read chunk position and length validation is currently scattered
across three consumer functions: svc_rdma_read_data_item(),
svc_rdma_read_multiple_chunks(), and svc_rdma_read_call_chunk().
Each independently guards against the same class of unsigned
arithmetic underflow from untrusted wire values. Any new consumer
of the parsed Read chunk list must replicate these checks or risk
re-introducing the defects fixed by earlier patches in this series.

Add pcl_check_read_chunk_positions() to consolidate position and
length validation into a single post-decode pass, called from
svc_rdma_xdr_decode_req() after all three chunk lists have been
parsed and the inline body length is known. The pass verifies
three properties:

 - Each Read chunk's inline-body offset (its unreduced-stream
   position minus the cumulative length of preceding Read chunks)
   falls within the inline body length, or within the Call chunk
   length for interleaved reads.

 - Adjacent Read chunk positions do not overlap: cumulative read
   bytes at each transition do not exceed the next position.

 - Each chunk length does not exceed the receive context's page
   budget.

Malformed frames are rejected before reaching any consumer. The
existing consumer-side guards remain as defense in depth.

Acked-by: Jeff Layton &lt;jlayton@kernel.org&gt;
Link: https://patch.msgid.link/20260526-rpc-kernel-bugs-v1-6-e251306ccca9@oracle.com
Signed-off-by: Chuck Lever &lt;chuck.lever@oracle.com&gt;
</content>
</entry>
</feed>
