summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2026-06-26Merge tag 'ecryptfs-7.2-rc1-updates' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs Pull ecryptfs updates from Tyler Hicks: "No functional changes, just code cleanups: - replace kmalloc()/snprintf() with kasprintf() - simplify code flow by removing an unnecessary variable" * tag 'ecryptfs-7.2-rc1-updates' of git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs: ecryptfs: use kasprintf in ecryptfs_crypto_api_algify_cipher_name ecryptfs: remove redundant variable found_auth_tok
2026-06-26Merge tag 'v7.2-rc-part2-smb3-server-fixes' of git://git.samba.org/ksmbdLinus Torvalds
Pull smb server updates from Steve French: "This is mostly a correctness and compatibility update for ksmbd's SMB2/3 lease, oplock, durable handle, compound request, CREATE, rename, stream and share-mode handling. A large part of the series fixes cases found by smbtorture where ksmbd diverged from the SMB2/3 protocol requirements. The main changes are: - Rework SMB2 lease state handling so lease state is shared per ClientGuid/LeaseKey across opens, with better validation of lease create contexts, ACK handling, epochs, break-in-progress reporting, v2 lease notification routing, and chained lease breaks - Fix several oplock break corner cases, including ACK validation, timeout downgrade behavior, level-II break handling on unlink, share-conflict lease breaks, and read-control/stat-open behavior - Fix durable handle behavior around delete-on-close, stale reconnects, reconnect context parsing, oplock/lease break invalidation, and durable v2 AppInstanceId replacement - Fix compound request handling so related commands propagate failed statuses correctly, preserve response framing across chained errors, keep compound FIDs across READ/WRITE/FLUSH, and send interim STATUS_PENDING where clients expect cancellable compound I/O - Tighten CREATE and stream semantics, including create attribute validation, allocation size reporting, explicit create security descriptors, unnamed DATA stream handling, stream directory validation, and stream delete sharing against the base file - Fix rename and metadata behavior, including parent directory sharing checks, denying directory rename with open children, and preserving SMB ChangeTime across rename for open handles - Fix two important safety issues: a multichannel byte-range lock list owner race that could lead to use-after-free, and an NTLMv2 session key update before authentication proof validation - Fix a concurrent SMB2 NEGOTIATE preauth use-after-free, a UBSAN warning in compression capability parsing, a false hung-task warning in the durable handle scavenger, endian debug logging, Smatch indentation warnings, and kernel-doc warnings - Increase the default SMB3 transaction size from 1MB to 4MB to better match modern read/write negotiation and improve sequential I/O behavior" * tag 'v7.2-rc-part2-smb3-server-fixes' of git://git.samba.org/ksmbd: (50 commits) ksmbd: fix kernel-doc warnings in smb2_lease_break_noti() ksmbd: fix inconsistent indenting warnings ksmbd: validate NTLMv2 response before updating session key ksmbd: increase SMB3_DEFAULT_TRANS_SIZE from 1MB to 4MB ksmbd: fix UBSAN array-index-out-of-bounds in decode_compress_ctxt() ksmbd: sleep interruptibly in the durable handle scavenger ksmbd: start file id allocation at 1 ksmbd: treat read-control opens as stat opens only for leases ksmbd: validate :: stream type against directory create ksmbd: break conflicting-open leases only as far as needed ksmbd: break handle caching for share conflicts ksmbd: normalize ungrantable lease states ksmbd: return oplock protocol error for level II ack ksmbd: avoid level II oplock break notification on unlink ksmbd: downgrade oplock after break timeout ksmbd: apply create security descriptor first ksmbd: return requested create allocation size ksmbd: tighten create file attribute validation ksmbd: reject empty-attribute synchronize-only create ksmbd: honor stream delete sharing for base file ...
2026-06-26fbdev: Fix fb_new_modelist to prevent null-ptr-deref in fb_videomode_to_varIan Bridges
info->var, a framebuffer's current mode, is expected to have a matching entry in info->modelist. var_to_display() relies on this and treats a failed fb_match_mode() as "This should not happen". fb_set_var() keeps it true by adding the mode to the list on every change, and do_register_framebuffer() does the same at registration. store_modes() replaces the modelist from userspace. fb_new_modelist() validates the new modes but does not check that info->var still has a match. It relies on fbcon_new_modelist() to re-point consoles, but that only handles consoles mapped to the framebuffer. With fbcon unbound there are none, so info->var is left describing a mode that is no longer in the list. A later console takeover runs var_to_display(), where fb_match_mode() returns NULL and leaves fb_display[i].mode NULL. fbcon_switch() passes it to display_to_var(), and fb_videomode_to_var() dereferences the NULL mode. Keep the current mode in the list in fb_new_modelist(), the same way fb_set_var() does. Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-8 Signed-off-by: Ian Bridges <icb@fastmail.org> Signed-off-by: Helge Deller <deller@gmx.de>
2026-06-26fbcon: fix NULL pointer dereference for a console without vc_dataIan Bridges
fbcon_new_modelist() runs when a framebuffer's modelist changes. For each console mapped to it with fb_display[i].mode set, it reads vc_cons[i].d and passes the vc_num to fbcon_set_disp(). This assumes a console with a mode set has a vc_data, but it can be NULL. fbcon_set_disp() sets fb_display[i].mode before it checks vc_data, and fbcon_deinit() leaves the mode set after the vc_data is freed. fbcon_new_modelist() then dereferences the NULL vc_data. Keep fb_display[i].mode set only while the console has a vc_data. Check vc_data before setting the mode in fbcon_set_disp(), and clear the mode in fbcon_deinit(). The existing mode check in fbcon_new_modelist() then skips such consoles. Reported-by: syzbot+42525d636f430fd5d983@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=42525d636f430fd5d983 Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-8 Signed-off-by: Ian Bridges <icb@fastmail.org> Signed-off-by: Helge Deller <deller@gmx.de>
2026-06-26fbdev: fix use-after-free in store_modes()Ian Bridges
store_modes() replaces a framebuffer's modelist with modes from userspace. On success it frees the old modelist with fb_destroy_modelist(). Two fields still point into that freed list. One pointer is fb_display[i].mode, the mode a console is using. fbcon_new_modelist() moves these pointers to the new list. It only does so for consoles still mapped to the framebuffer. An unmapped console is skipped and keeps its stale pointer. Unbinding fbcon, for example, sets con2fb_map[i] to -1 but leaves fb_display[i].mode set. An FBIOPUT_VSCREENINFO ioctl with FB_ACTIVATE_INV_MODE later reaches fbcon_mode_deleted(). That function reads the stale fb_display[i].mode through fb_mode_is_equal(). The read is a use-after-free. The other pointer is fb_info->mode, the current mode. It is set through the mode sysfs attribute. store_modes() does not update fb_info->mode, so it is left pointing into the freed list. show_mode(), the attribute's read handler, dereferences the stale fb_info->mode through mode_string(). The read is a use-after-free. Clear both pointers before freeing the list. Commit a1f305893074 ("fbcon: Set fb_display[i]->mode to NULL when the mode is released") added the helper fbcon_delete_modelist(). It clears every fb_display[i].mode that points into a given list. So far it is called only from the unregister path. Call it from store_modes() too, and set fb_info->mode to NULL. Reported-by: syzbot+81c7c6b52649fd07299d@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=81c7c6b52649fd07299d Cc: stable@vger.kernel.org Link: https://lore.kernel.org/all/ajjoDhAi2y4ArSlz@dev/ Assisted-by: Claude:claude-opus-4-8 Signed-off-by: Ian Bridges <icb@fastmail.org> Signed-off-by: Helge Deller <deller@gmx.de>
2026-06-26gpio: htc-egpio: use managed gpiochip registrationPengpeng Hou
egpio_probe() registers each nested gpio_chip with gpiochip_add_data() but ignores the return value. If one registration fails, probe still returns success even though one of the chips was not published to gpiolib. Use devm_gpiochip_add_data() and fail probe if any chip registration fails. This lets devres unwind already registered chips and prevents the driver from publishing a partially initialized device. Fixes: a1635b8fe59d ("[ARM] 4947/1: htc-egpio, a driver for GPIO/IRQ expanders with fixed input/output pins") Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn> Link: https://patch.msgid.link/20260624131828.94139-1-pengpeng@iscas.ac.cn Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
2026-06-26gpio: mvebu: fail probe if gpiochip registration failsPengpeng Hou
mvebu_gpio_probe() registers the GPIO chip with devm_gpiochip_add_data() but ignores the return value. If registration fails, probe continues and leaves later code operating on a GPIO chip that was never published to gpiolib. Return the registration error so the device fails probe cleanly. Fixes: fefe7b092345 ("gpio: introduce gpio-mvebu driver for Marvell SoCs") Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn> Link: https://patch.msgid.link/20260624131645.86884-1-pengpeng@iscas.ac.cn Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
2026-06-26xfrm: fix stale skb->prev after async crypto steals a GSO segmentPetr Wozniak
skb_gso_segment() leaves the segment list head with ->prev pointing at the last segment, an invariant validate_xmit_skb_list() relies on when it sets its tail pointer (tail = skb->prev). When validate_xmit_xfrm() walks a GSO list and some segments are stolen by async crypto (->xmit() returns -EINPROGRESS), those segments are unlinked from the list but the head ->prev is never updated. If the last segment is the one stolen, the returned head still has ->prev pointing at it, even though it is now owned by the crypto engine and may be freed. validate_xmit_skb_list() later does tail->next = skb, writing through that stale pointer -- a use-after-free. Repoint skb->prev at the last retained segment before returning. Fixes: f53c723902d1 ("net: Add asynchronous callbacks for xfrm on layer 2.") Signed-off-by: Petr Wozniak <petr.wozniak@gmail.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2026-06-26xfrm: propagate -EINPROGRESS from validate_xmit_xfrm()Petr Wozniak
validate_xmit_xfrm() returns NULL both when a packet is dropped and when it is stolen by async crypto (-EINPROGRESS from ->xmit()). Callers cannot distinguish the two cases. f53c723902d1 ("net: Add asynchronous callbacks for xfrm on layer 2.") changed the semantics of a NULL return from "dropped" to "stolen or dropped", but __dev_queue_xmit() was not updated. On virtual/bridge interfaces (noqueue qdisc) __dev_queue_xmit() initialises rc=-ENOMEM and jumps to out: when skb is NULL, returning -ENOMEM to the caller even though the packet will be delivered correctly via xfrm_dev_resume(). Return ERR_PTR(-EINPROGRESS) from validate_xmit_xfrm() for the async case so callers can tell it apart from a real drop. Update __dev_queue_xmit() to handle ERR_PTR(-EINPROGRESS) from validate_xmit_skb() correctly. Update validate_xmit_skb_list() to use IS_ERR_OR_NULL() so that ERR_PTR(-EINPROGRESS) is not mistakenly added to the transmitted list. Fixes: f53c723902d1 ("net: Add asynchronous callbacks for xfrm on layer 2.") Suggested-by: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: Petr Wozniak <petr.wozniak@gmail.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2026-06-26ALSA: FCP: Fix NULL pointer dereference in interface lookupJiaming Zhang
A malformed USB device can provide a vendor-specific interface without any endpoint descriptors. fcp_find_fc_interface() currently selects the first vendor-specific interface and reads endpoint 0 from it, without checking whether the interface actually has any endpoints. When bNumEndpoints is zero, no endpoint array is allocated for the parsed alternate setting, so get_endpoint(..., 0) yields an invalid endpoint descriptor pointer. Dereferencing it through usb_endpoint_num() then triggers a NULL pointer dereference. Skip vendor-specific interfaces that do not have any endpoints. Fixes: 46757a3e7d50 ("ALSA: FCP: Add Focusrite Control Protocol driver") Reported-by: Jiaming Zhang <r772577952@gmail.com> Closes: https://lore.kernel.org/lkml/CANypQFb1EHj0xX8bA1WxSOSK-5xca6ZNKzOQcp12=s=puY7VFw@mail.gmail.com/ Signed-off-by: Jiaming Zhang <r772577952@gmail.com> Link: https://patch.msgid.link/20260625134933.425785-1-r772577952@gmail.com Signed-off-by: Takashi Iwai <tiwai@suse.de>
2026-06-26ALSA: hda/realtek: Update Acer Nitro ANV15-41 quirk to enable mute LEDOleg Kucheryavenko
The laptop has a microphone mute LED on the F4 key, but it was not taken in mind when the previous quirk was added in commit 00e44a68efef50f65b12854b41f098b4d50f10be ("ALSA: hda/realtek: Add quirk for Acer Nitro ANV15-41"). Replace ALC2XX_FIXUP_HEADSET_MIC with ALC245_FIXUP_ACER_MICMUTE_LED, which enables the LED and chains the previous quirk for the headset microphone. Fixes: 00e44a68efef ("ALSA: hda/realtek: Add quirk for Acer Nitro ANV15-41") Signed-off-by: Oleg Kucheryavenko <oleg.kucheryavenko2018@gmail.com> Link: https://patch.msgid.link/20260625134955.27465-1-oleg.kucheryavenko2018@gmail.com Signed-off-by: Takashi Iwai <tiwai@suse.de>
2026-06-26Merge tag 'asoc-fix-v7.2-merge-window' of ↵Takashi Iwai
https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus ASoC: Fixes for v7.2 We've got a good collection of device specific fix here, plus a couple of stand out things: - Richard fixed some special cases with the new device_link creation by more gracefully handling any errors during creation. - Charles did some light refactoring of the SoundWire interfaces to fix some persistent randconfig issues that people kept running into.
2026-06-25bpf: Fix insn_aux_data leak on verifier err_free_env pathKaFai Wan
When bpf_check() allocates env->insn_aux_data successfully but later fails to allocate env->succ, it jumps directly to err_free_env. The existing vfree(env->insn_aux_data) sits before the err_free_env label, so that direct jump bypasses it and leaks insn_aux_data. Move vfree(env->insn_aux_data) into err_free_env so all early and late exit paths release it consistently. Fixes: 2f69c5685427 ("bpf: make bpf_insn_successors to return a pointer") Signed-off-by: KaFai Wan <kafai.wan@linux.dev> Reviewed-by: Anton Protopopov <a.s.protopopov@gmail.com> Link: https://lore.kernel.org/r/20260624123536.114757-1-kafai.wan@linux.dev Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-25Merge branch 'bpf-mask-pseudo-pointer-values-in-verifier-logs'Alexei Starovoitov
Nuoqi Gui says: ==================== bpf: Mask pseudo pointer values in verifier logs Verifier log printing already hides ldimm64 immediates for map FD and map value pseudo sources when pointer leaks are not allowed. The same print path also sees rewritten immediates for BPF_PSEUDO_MAP_IDX, BPF_PSEUDO_MAP_IDX_VALUE, and BPF_PSEUDO_BTF_ID, but those sources were not included in the pointer classification. Extend the existing masking so all pointer-producing ldimm64 pseudo sources print as 0x0 when allow_ptr_leaks is false. Patch 1 extends the disassembler-side masking. Patch 2 adds verifier selftest coverage for pseudo-BTF ksym logs. Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn> Acked-by: Eduard Zingerman <eddyz87@gmail.com> --- Changes in v2: - Replace the CAP_BPF gate with verifier-log masking in print_bpf_insn(). - Also mask BPF_PSEUDO_MAP_IDX and BPF_PSEUDO_MAP_IDX_VALUE immediates. - Update selftests to check masked pseudo-BTF ksym logs. - Link to v1: https://patch.msgid.link/20260620-f01-13-pseudo-btf-id-cap-bpf-v1-0-f950f69fe60c@mails.tsinghua.edu.cn ==================== Link: https://patch.msgid.link/20260623-f01-13-pseudo-btf-id-cap-bpf-v2-0-a190ebb8f3e2@mails.tsinghua.edu.cn Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-25selftests/bpf: Cover pseudo-BTF ksym log maskingNuoqi Gui
Add verifier_unpriv coverage for a raw socket-filter load of the bpf_prog_active typed ksym. The test verifies that the unprivileged load remains accepted and that the verbose verifier log prints the ldimm64 immediate as 0x0 instead of exposing a nonzero kernel address. Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn> Link: https://lore.kernel.org/r/20260623-f01-13-pseudo-btf-id-cap-bpf-v2-2-a190ebb8f3e2@mails.tsinghua.edu.cn Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Eduard Zingerman <eddyz87@gmail.com>
2026-06-25bpf: Mask pseudo pointer values in verifier logsNuoqi Gui
print_bpf_insn() masks ldimm64 immediates for pointer-bearing pseudo sources when pointer leaks are not allowed, but the mask only covers BPF_PSEUDO_MAP_FD and BPF_PSEUDO_MAP_VALUE. BPF_PSEUDO_MAP_IDX, BPF_PSEUDO_MAP_IDX_VALUE, and BPF_PSEUDO_BTF_ID can also be resolved to kernel pointer values before the verifier log prints the instruction. Include them in the existing pointer classification so the log prints 0x0 instead of the rewritten address. Fixes: 4976b718c355 ("bpf: Introduce pseudo_btf_id") Fixes: 387544bfa291 ("bpf: Introduce fd_idx") Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn> Link: https://lore.kernel.org/r/20260623-f01-13-pseudo-btf-id-cap-bpf-v2-1-a190ebb8f3e2@mails.tsinghua.edu.cn Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Eduard Zingerman <eddyz87@gmail.com>
2026-06-25Merge branch 'bpf-reject-offset-refcount-acquire-arguments'Alexei Starovoitov
Yiyang Chen says: ==================== bpf: Reject offset refcount acquire arguments bpf_refcount_acquire() is modeled as returning a refcounted allocation base, but it currently accepts PTR_TO_BTF_ID | MEM_ALLOC arguments whose offset already points at an embedded graph node returned from a list or rbtree operation. At runtime the kfunc starts from the supplied pointer and adds the type's refcount offset. With a graph-node pointer, that starts from base + node_off, while the verifier treats the returned pointer as the allocation base. Reject non-zero fixed-offset arguments to keep the runtime operation and the verifier model aligned. Programs that pop graph nodes can still acquire a reference after normalizing the node pointer with container_of(). Patch 1 handles the zero fixed-offset requirement in the existing check_func_arg_reg_off() / __check_ptr_off_reg() path without consuming a bpf_type_flag bit. Patch 2 adds a rejected direct list-node case. Changes from v3: - Add Eduard's Acked-by to patch 1. - Drop the redundant rbtree selftest case; the list case exercises the same refcount-acquire fixed-offset rejection path. - Trim the selftest commit message and remove the selftest Fixes tag. Changes from v2: - Avoid adding a new bpf_type_flag bit. - Carry the refcount-acquire zero fixed-offset requirement with an internal check_func_arg_reg_off() parameter. Changes from v1: - Move zero fixed-offset enforcement into check_func_arg_reg_off() / __check_ptr_off_reg(), as suggested by Eduard. - Drop the positive container_of() selftest case. - Remove the stale bpf_obj_drop() after bpf_list_push_front(), since the pushed reference is consumed even when the verifier explores the error branch. - Rebase to bpf-next master a975094bf98c. v3: https://lore.kernel.org/bpf/cover.1781979133.git.chenyy23@mails.tsinghua.edu.cn/ v2: https://lore.kernel.org/bpf/cover.1781963957.git.chenyy23@mails.tsinghua.edu.cn/ v1: https://lore.kernel.org/bpf/cover.1781852308.git.chenyy23@mails.tsinghua.edu.cn/ ==================== Link: https://patch.msgid.link/cover.1782192383.git.chenyy23@mails.tsinghua.edu.cn Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-25selftests/bpf: Cover refcount acquire node offsetsYiyang Chen
Add regression coverage for bpf_refcount_acquire() on graph-node-derived pointers. The rejected case passes a popped list node pointer directly to bpf_refcount_acquire(), which must fail because the pointer carries a non-zero fixed offset. Signed-off-by: Yiyang Chen <chenyy23@mails.tsinghua.edu.cn> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Acked-by: Yonghong Song <yonghong.song@linux.dev> Link: https://lore.kernel.org/r/bf2a2033ced272106292de4465b8ef3fb991c912.1782192383.git.chenyy23@mails.tsinghua.edu.cn Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-25bpf: Reject offset refcount acquire argumentsYiyang Chen
bpf_refcount_acquire() increments the refcount at the caller-supplied pointer plus the refcount field offset, then returns the caller-supplied pointer unchanged. The verifier records the return value as a base pointer to the refcounted object. bpf_list_pop_front() and bpf_rbtree_remove() can return embedded graph-node pointers as PTR_TO_BTF_ID | MEM_ALLOC with a fixed offset equal to the node field offset. Passing such a pointer directly to bpf_refcount_acquire() currently passes the refcounted-kptr type check. That makes the runtime operation start from base + node_off while the verifier models the returned pointer as the object base. Require refcount-acquire arguments to have zero fixed offset by carrying the requirement through check_func_arg_reg_off() to __check_ptr_off_reg(). Programs can still acquire a refcount from a graph-node-derived pointer after normalizing it with container_of(). Fixes: 7c50b1cb76aca ("bpf: Add bpf_refcount_acquire kfunc") Signed-off-by: Yiyang Chen <chenyy23@mails.tsinghua.edu.cn> Acked-by: Eduard Zingerman <eddyz87@gmail.com> Acked-by: Yonghong Song <yonghong.song@linux.dev> Link: https://lore.kernel.org/r/2f894647f56f71838fdddeb97a3e057ed35ea92e.1782192383.git.chenyy23@mails.tsinghua.edu.cn Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-25Input: synaptics-rmi4 - bound the F30 keymap to the GPIO/LED countBryam Vargas
rmi_f30_map_gpios() allocates gpioled_key_map with min(gpioled_count, TRACKSTICK_RANGE_END) == at most 6 entries, but rmi_f30_attention() iterates the full f30->gpioled_count (device query register, range 0..31) and dereferences gpioled_key_map[i], and input->keycodemax is set to the full gpioled_count while input->keycode points at the 6-entry allocation. A device that reports gpioled_count > 6 with GPIO support enabled therefore causes an out-of-bounds read on the attention interrupt and out-of-bounds read/write through the EVIOCGKEYCODE/EVIOCSKEYCODE ioctls, which bound the index only against keycodemax. This is the same defect as the F3A handler, which was copied from F30. Size the keymap for the full gpioled_count; the mapping loop still assigns only the first min(gpioled_count, TRACKSTICK_RANGE_END) entries. Fixes: 3e64fcbdbd10 ("Input: synaptics-rmi4 - limit the range of what GPIOs are buttons") Cc: stable@vger.kernel.org Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me> Link: https://patch.msgid.link/20260614-b4-disp-818d6bda-v1-2-cf39a3615085@proton.me Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
2026-06-25Input: synaptics-rmi4 - bound the F3A keymap to the GPIO countBryam Vargas
rmi_f3a_initialize() takes the GPIO count from the device query register (f3a->gpio_count = buf & RMI_F3A_GPIO_COUNT, range 0..127). rmi_f3a_map_gpios() then allocates gpio_key_map with min(gpio_count, TRACKSTICK_RANGE_END) == at most 6 entries, but rmi_f3a_attention() iterates the full gpio_count and dereferences gpio_key_map[i], and input->keycodemax is set to the full gpio_count while input->keycode points at the 6-entry allocation. A device that reports gpio_count > 6 therefore causes an out-of-bounds read of gpio_key_map[] on every attention interrupt, and out-of-bounds accesses through the input core's default keymap ioctls: EVIOCGKEYCODE reads past the buffer (leaking adjacent slab memory to user space) and EVIOCSKEYCODE writes a caller-controlled value past it, for any process able to open the evdev node, since input_default_getkeycode() and input_default_setkeycode() only bound the index against keycodemax. Size the keymap for the full gpio_count. The mapping loop is unchanged: it still assigns only the first min(gpio_count, TRACKSTICK_RANGE_END) entries; the remaining slots stay KEY_RESERVED (devm_kcalloc zero-fills) and are skipped when reporting. Fixes: 9e4c596bfd00 ("Input: synaptics-rmi4 - add support for F3A") Cc: stable@vger.kernel.org Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me> Link: https://patch.msgid.link/20260614-b4-disp-818d6bda-v1-1-cf39a3615085@proton.me Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
2026-06-25Merge branch 'bpf-sockmap-reject-a-packet-modifying-sk_skb-stream-parser'Alexei Starovoitov
Sechang Lim says: ==================== bpf, sockmap: reject a packet-modifying SK_SKB stream parser A BPF_PROG_TYPE_SK_SKB stream parser runs on strparser's message head, which can chain skbs through frag_list. A parser that resizes the skb frees the frag_list segments that strparser still tracks through skb_nextp, leading to a use-after-free. A stream parser is only meant to measure the next message, not to modify the packet, so reject a packet-modifying parser at attach time. v5: - target bpf-next instead of bpf - add Reviewed-by tag (Jiayuan Chen) v4: - https://lore.kernel.org/all/20260619062959.3277612-1-rhkrqnwk98@gmail.com/ v3: - https://lore.kernel.org/all/20260618102718.2331468-1-rhkrqnwk98@gmail.com/ v2: - https://lore.kernel.org/all/20260612123553.2724240-1-rhkrqnwk98@gmail.com/ v1: - https://lore.kernel.org/all/20260609112316.3685738-1-rhkrqnwk98@gmail.com/ ==================== Link: https://patch.msgid.link/20260620024423.4141004-1-rhkrqnwk98@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-25selftests/bpf: test rejection of a packet-modifying SK_SKB stream parserSechang Lim
Verify that attaching an SK_SKB stream parser that can modify the packet is rejected, while a read-only parser still attaches. Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev> Signed-off-by: Sechang Lim <rhkrqnwk98@gmail.com> Link: https://lore.kernel.org/r/20260620024423.4141004-4-rhkrqnwk98@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-25bpf, sockmap: reject a packet-modifying SK_SKB stream parserSechang Lim
sk_psock_strp_parse() runs the BPF_PROG_TYPE_SK_SKB stream-parser program to find the length of the next message. strparser assembles a message out of several received skbs by chaining them onto the head's frag_list and recording where to append the next one in strp->skb_nextp: *strp->skb_nextp = skb; strp->skb_nextp = &skb->next; and then calls the parser on the head: len = (*strp->cb.parse_msg)(strp, head); The parser is only meant to inspect the skb, but the program may call bpf_skb_change_tail() -- or the sibling bpf_skb_pull_data(), bpf_skb_change_head(), bpf_skb_adjust_room(), all allowed for SK_SKB. Once the head carries a frag_list these go ... -> skb_ensure_writable -> pskb_may_pull -> __pskb_pull_tail and __pskb_pull_tail() frees the frag_list skbs that strparser still tracks through skb_nextp: while ((list = skb_shinfo(skb)->frag_list) != insp) { skb_shinfo(skb)->frag_list = list->next; consume_skb(list); } strp->skb_nextp now points into a freed sk_buff. The next segment of the same message arrives in __strp_recv(), which links it with *strp->skb_nextp = skb, an 8-byte write into the freed skb. The free and the write happen in different __strp_recv() calls, so the message has to span at least three segments before it triggers. BUG: KASAN: slab-use-after-free in __strp_recv+0x447/0xda0 Write of size 8 at addr ffff88810db86140 by task repro/349 Call Trace: <IRQ> __strp_recv+0x447/0xda0 __tcp_read_sock+0x13d/0x590 tcp_bpf_strp_read_sock+0x195/0x320 strp_data_ready+0x267/0x340 sk_psock_strp_data_ready+0x1ce/0x350 tcp_data_queue+0x1364/0x2fd0 tcp_rcv_established+0xe07/0x1640 [...] Allocated by task 349: skb_clone+0x17b/0x210 __strp_recv+0x2c3/0xda0 __tcp_read_sock+0x13d/0x590 [...] Freed by task 349: kmem_cache_free+0x150/0x570 __pskb_pull_tail+0x57b/0xc20 skb_ensure_writable+0x236/0x260 __bpf_skb_change_tail+0x1d4/0x590 sk_skb_change_tail+0x2a/0x40 bpf_prog_1b285dcd6c41373e+0x27/0x30 bpf_prog_run_pin_on_cpu+0xf3/0x260 sk_psock_strp_parse+0x118/0x1e0 __strp_recv+0x4f6/0xda0 [...] The same resize also leaves the head's length inconsistent with its frags, so a later __pskb_pull_tail() can instead hit the BUG_ON(skb_copy_bits(...)) in net/core/skbuff.c. A stream parser is only meant to measure the next message, not to modify the packet. Reject a parser whose program can change packet data (prog->aux->changes_pkt_data) at attach time. The check is shared by sock_map_prog_update() and sock_map_link_update_prog(), which between them cover prog attach, link create and link update. Verdict programs are unaffected and may still modify the skb. Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev> Signed-off-by: Sechang Lim <rhkrqnwk98@gmail.com> Link: https://lore.kernel.org/r/20260620024423.4141004-3-rhkrqnwk98@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-25selftests/bpf: don't modify the skb in the strparser parser progSechang Lim
sockmap_parse_prog.c is attached as an SK_SKB stream parser and modifies the skb: it calls bpf_skb_pull_data() and writes a byte into the packet. A stream parser runs on strparser's message head and must not modify it. A resize frees the frag_list segments strparser still tracks, leading to a use-after-free. Make the parser read-only. It only needs to return the message length, which keeps it attaching once packet-modifying parsers are rejected. Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev> Signed-off-by: Sechang Lim <rhkrqnwk98@gmail.com> Link: https://lore.kernel.org/r/20260620024423.4141004-2-rhkrqnwk98@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-25Merge tag 'v7.2-rc-part2-smb3-client-fixes' of ↵Linus Torvalds
git://git.samba.org/sfrench/cifs-2.6 Pull smb client fixes from Steve French: - fix potential double frees - fix potential memory leak in receiving compound response - querydir improvement - fix chown with smb311 posix extensions - ACL setting fixes - minor debug improvement and cleanup - add some missing protocol defines - sparse file fixes * tag 'v7.2-rc-part2-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6: cifs: define variable sized buffer for querydir responses smb/client: do not account EOF extension as allocation smb/client: preserve errors from smb2_set_sparse() smb: client: Fix next buffer leak in receive_encrypted_standard() smb/client: use %pe to print error pointer smb/client: name the default fallocate mode smb common: add missing AAPL defines smb/client: fix chown/chgrp with SMB3 POSIX Extensions smb/client: fix security flag calculation when setting security descriptors smb: client: refactor ACL setting control flow in id_mode_to_cifs_acl() smb: client: fix query directory replay double-free smb: client: fix change notify replay double-free smb: client: fix query_info() replay double-free smb: client: fix double-free in SMB2_close() replay smb: client: fix double-free in SMB2_ioctl() replay smb: client: fix double-free in SMB2_open() replay smb: client: fix double-free in SMB2_flush() replay
2026-06-26Merge tag 'drm-misc-fixes-2026-06-25' of ↵Dave Airlie
https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes drm-misc-fixes for v7.2: - drm/sysfb truncation and alignment fixes. - fix edid OOB read. - fix error handling paths in nouveau - amdxdna get_bo_info fix. - increase displayid topology id to correct size. - fix leak when error handling in ivpu. Signed-off-by: Dave Airlie <airlied@redhat.com> From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com> Link: https://patch.msgid.link/2d17f718-43f5-4772-9c04-a975c9ad4bc3@linux.intel.com
2026-06-26Merge tag 'drm-intel-next-fixes-2026-06-25-1' of ↵Dave Airlie
https://gitlab.freedesktop.org/drm/i915/kernel into drm-next - Fix corrupted display output on GLK, #16209 (Ville) - Add missing Spectre mitigation for parallel submit IOCTL (Joonas) Signed-off-by: Dave Airlie <airlied@redhat.com> From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com> Link: https://patch.msgid.link/ajzIhInnHnGCwMlu@jlahtine-mobl
2026-06-25Merge tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpfLinus Torvalds
Pull bpf fixes from Alexei Starovoitov: - Fix effective prog array index with BPF_F_PREORDER (Amery Hung) - Zero-initialize the fib lookup flow struct (Avinash Duduskar) - Disable xfrm_decode_session hook attachment (Bradley Morgan) - Allow type tag BTF records to succeed other modifier records (Emil Tsalapatis) - Fix build_id caching in stack_map_get_build_id_offset() (Ihor Solodrai) - Add missing access_ok call to copy_user_syms (Jiri Olsa) - Fix stack slot index in nospec checks (Nuoqi Gui) - Preserve pointer spill metadata during half-slot cleanup (Nuoqi Gui) - Fix partial copy of non-linear test_run output (Sun Jian) - Fix BPF_PROG_ASSOC_STRUCT_OPS last field check (Thiébaud Weksteen) - Reset register bounds before narrowing retval range (Tristan Madani) - Fix vmlinux BTF leak in bpftool cgroup commands (Yichong Chen) - Guard error writes in conntrack kfuncs (Yiyang Chen) * tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf: bpf: Disable xfrm_decode_session hook attachment selftests/bpf: Add test for stale bounds on LSM retval context load bpf: Reset register bounds before narrowing retval range in check_mem_access() selftests/bpf: Cover small conntrack opts error writes bpf: Guard conntrack opts error writes selftests/bpf: Cover half-slot cleanup of pointer spills bpf: Preserve pointer spill metadata during half-slot cleanup selftests/bpf: Test cgroup link replace with BPF_F_PREORDER bpf: Fix effective prog array index with BPF_F_PREORDER bpf: Fix BPF_PROG_ASSOC_STRUCT_OPS last field check bpf: zero-initialize the fib lookup flow struct bpftool: Fix vmlinux BTF leak in cgroup commands bpf: Add missing access_ok call to copy_user_syms bpf: Allow type tag BTF records to succeed other modifier records bpf: Emit verbose message when prog-specific btf_struct_access rejects a write bpf: Fix build_id caching in stack_map_get_build_id_offset() bpf: Fix partial copy of non-linear test_run output selftests/bpf: Cover stack nospec slot indexing bpf: Fix stack slot index in nospec checks
2026-06-25Merge tag 'clk-for-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux Pull clk updates from Stephen Boyd: "This is all clk driver updates. Mostly new SoC support for various Qualcomm chips and Canaan K230. Otherwise there's non-critical fixes and updates to clk data such as adding missing clks to existing drivers or marking clks critical. Nothing looks especially exciting" * tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux: (106 commits) clk: qcom: regmap-phy-mux: Rework the implementation clk: qcom: a53: Corrected frequency multiplier for 1152MHz clk: qcom: camcc-milos: Declare icc path dependency for CAMSS_TOP_GDSC clk: qcom: gdsc: Support enabling interconnect path for power domain dt-bindings: clock: qcom,milos-camcc: Document interconnect path interconnect: Add devm_of_icc_get_by_index() as exported API for users clk: qcom: camcc-x1p42100: Add support for camera clock controller clk: qcom: camcc-x1e80100: Add support for camera QDSS debug clocks clk: qcom: videocc-x1p42100: Add support for video clock controller dt-bindings: clock: qcom: Add X1P42100 camera clock controller dt-bindings: clock: qcom: Add X1P42100 video clock controller clk: keystone: sci-clk: fix application of sizeof to pointer clk: keystone: don't cache clock rate clk: spacemit: k3: Add PCIe DBI clock dt-bindings: soc: spacemit: k3: Add PCIe DBI clock IDs clk: spacemit: k3: Fix PCIe clock register offset clk: spacemit: k3: Switch to pll2_d6 as parent for PCIe clock clk: at91: keep securam node alive while mapping it clk: samsung: exynos990: Fix PERIC0/1 USI clock types clk: renesas: r9a08g045: Drop unused pm_domain header file ...
2026-06-25riscv: Fix 32-bit call_on_irq_stack() frame pointer ABISamuel Holland
call_on_irq_stack() uses struct member offsets to set up its link in the frame record list. On riscv32, struct stackframe is the wrong size to maintain stack pointer alignment, so STACKFRAME_SIZE_ON_STACK includes padding. However, the ABI requires the frame record to be placed immediately below the address stored in s0, so the padding must come before the struct members. Fix the layout by making STACKFRAME_FP and STACKFRAME_RA the negative offsets from s0, instead of the positive offsets from sp. Fixes: 82982fdd5133 ("riscv: Deduplicate IRQ stack switching") Signed-off-by: Samuel Holland <samuel.holland@sifive.com> Reviewed-by: Matthew Bystrin <dev.mbstr@gmail.com> Signed-off-by: Rui Qi <qirui.001@bytedance.com> Link: https://lore.kernel.org/all/20240530001733.1407654-2-samuel.holland@sifive.com/ Reviewed-by: Nam Cao <namcao@linutronix.de> Link: https://patch.msgid.link/20260624113148.3723541-1-qirui.001@bytedance.com [pjw@kernel.org: cleaned up the patch tags and added Matthew's Reviewed-by] Signed-off-by: Paul Walmsley <pjw@kernel.org>
2026-06-25Merge tag 'spmi-for-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/sboyd/spmi Pull SPMI updates from Stephen Boyd: "Support for Qualcomm PMIC arbiter v8.5 and Hawi along with a kernel doc cleanup and a kzalloc flex usage" * tag 'spmi-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sboyd/spmi: spmi: use kzalloc_flex in main allocation spmi: clean up kernel-doc in spmi.h spmi: spmi-pmic-arb: add support for PMIC arbiter v8.5 dt-bindings: spmi: glymur-spmi-pmic-arb: Add compatible for Qualcomm Hawi SoC
2026-06-25Merge tag 'trace-tools-7.2-2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull rtla fixes from Steven Rostedt: - Fix and cleanup .gitignore - Fix pgrep filter in get_workload_pids.sh Fix parsing of kernel thread names in get_workload_pids() helper function. On some systems pgrep matches kernel thread names including the brackets (e.g. "[osnoise/0]") and other systems brackets are not included. Fix the tests to handle both. * tag 'trace-tools-7.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: rtla/tests: Fix pgrep filter in get_workload_pids.sh rtla: Fix and clean up .gitignore
2026-06-25Merge tag 'net-7.2-rc1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Jakub Kicinski: "Including fixes from netfilter and IPsec. Current release - regressions: - do not acquire dev->tx_global_lock in netdev_watchdog_up() - ethtool: keep rtnl_lock for ops using ethtool_op_get_link() - fix deadlock in nested UP notifier events Current release - new code bugs: - eth: - cn20k: fix subbank free list indexing for search order - airoha: fix BQL underflow in shared QDMA TX ring Previous releases - regressions: - netfilter: - flowtable: fix offloaded ct timeout never being extended - nf_conncount: prevent connlimit drops for early confirmed ct Previous releases - always broken: - require CAP_NET_ADMIN in the originating netns when modifying cross-netns devices - report NAPI thread PID in the caller's pid namespace - mac802154: fix dirty frag in in-place crypto for IOT radios - sctp: hold socket lock when dumping endpoints in sctp_diag, avoid an overflow - eth: gve: fix header buffer corruption with header-split and HW-GRO - af_key: initialize alg_key_len for IPComp states, prevent OOB read" * tag 'net-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (213 commits) selftests: bonding: add a test for VLAN propagation over a bonded real device vlan: defer real device state propagation to netdev_work net: add the driver-facing netdev_work scheduling API net: turn the rx_mode work into a generic netdev_work facility net: ethtool: keep rtnl_lock for ops using ethtool_op_get_link() rxrpc: Fix rxrpc_rotate_tx_rotate() to check there's something to rotate rxrpc: Fix leak of released call in recvmsg(MSG_PEEK) rxrpc: Fix socket notification race rxrpc: Fix potential infinite loop in rxrpc_recvmsg() rxrpc: Fix oob challenge leak in cleanup after notification failure rxrpc: Fix the reception of a reply packet before data transmission afs: Fix uncancelled rxrpc OOB message handler afs: Fix further netns teardown to cancel the preallocation charger rxrpc: Fix double unlock in rxrpc_recvmsg() rxrpc: Fix leak of connection from OOB challenge rxrpc: Fix ACKALL packet handling net: hns3: differentiate autoneg default values between copper and fiber net: hns3: fix permanent link down deadlock after reset net: hns3: refactor MAC autoneg and speed configuration net: hns3: unify copper port ksettings configuration path ...
2026-06-25scripts/sorttable: Handle RISC-V patchable ftrace entriesWang Han
RISC-V uses -fpatchable-function-entry=8,4 when the compressed ISA is enabled and -fpatchable-function-entry=4,2 otherwise. In both cases, the patchable NOP area starts 8 bytes before the function symbol address. The __mcount_loc entries therefore point at the patchable NOP area associated with a function, while nm reports the function symbol at the entry address used for the function range check. After RISC-V selected HAVE_BUILDTIME_MCOUNT_SORT, sorttable started applying that range check at build time. Without allowing entries just before the reported function address, the mcount sorter treats valid RISC-V ftrace callsites as invalid weak-function entries and writes them back as zero. The resulting kernel boots with no ftrace entries, breaking dynamic ftrace and users such as livepatch. The failure is silent during the final link because zeroing weak-function entries is an expected sorttable operation. At boot, those zero entries are skipped by ftrace_process_locs(), so the only obvious symptom is that the vmlinux ftrace table has lost valid callsites and ftrace users cannot attach to them. CONFIG_FTRACE_SORT_STARTUP_TEST also reports the table as sorted in this state: it only checks that the __mcount_loc entries are in ascending order, which a fully zeroed table trivially satisfies. The original commit relied on this check and did not see the regression. On an affected RISC-V QEMU boot with both CONFIG_FTRACE_SORT_STARTUP_TEST and CONFIG_FTRACE_STARTUP_TEST enabled, the sort check still passes while ftrace reports zero usable entries and the early selftests fail: [ 0.000000] ftrace section at ffffffff8101da98 sorted properly [ 0.000000] ftrace: allocating 0 entries in 128 pages [ 0.054999] Testing tracer function: .. no entries found ..FAILED! [ 0.172407] tracer: function failed selftest, disabling [ 0.178186] Failed to init function_graph tracer, init returned -19 Handle RISC-V like arm64 for the function-range check and allow patchable entries up to 8 bytes before the function address. With this fix, a RISC-V QEMU smoke boot with ftrace startup tests shows the vmlinux ftrace table is populated and dynamic ftrace still works: [ 0.000000] ftrace: allocating 46749 entries in 184 pages [ 0.051115] Testing tracer function: PASSED [ 1.283782] Testing dynamic ftrace: PASSED [ 6.275456] Testing tracer function_graph: PASSED Fixes: 0ca1724b56af ("riscv: ftrace: select HAVE_BUILDTIME_MCOUNT_SORT") Suggested-by: Steven Rostedt (Google) <rostedt@goodmis.org> Reviewed-by: Steven Rostedt <rostedt@goodmis.org> Reviewed-by: Shuai Xue <xueshuai@linux.alibaba.com> Reviewed-by: Chen Pei <cp0613@linux.alibaba.com> Link: https://lore.kernel.org/all/20260527113028.4b21a5de@fedora/ Signed-off-by: Wang Han <wanghan@linux.alibaba.com> Reviewed-by: Martin Kaiser <martin@kaiser.cx> Link: https://patch.msgid.link/20260609063002.3943001-1-wanghan@linux.alibaba.com Signed-off-by: Paul Walmsley <pjw@kernel.org>
2026-06-25riscv: smp: use secs_to_jiffies in __cpu_upThorsten Blum
Use secs_to_jiffies() to simplify the code. Drop the redundant zero initialization while at it. Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Link: https://patch.msgid.link/20260611232537.467398-3-thorsten.blum@linux.dev Signed-off-by: Paul Walmsley <pjw@kernel.org>
2026-06-25ACPI: RIMT: Only defer the IOMMU configuration in init stageYicong Yang
The IOMMU configuration will be deferred if the IOMMU driver isn't probed by the time. Make this deferral only in the initialization stage with driver_deferred_probe_check_state(). Otherwise the devices depends on IOMMU will be deferred forever in case the IOMMU device probe failed or it doesn't appear in the ACPI namespace. Fixes: 8f7729552582 ("ACPI: RISC-V: Add support for RIMT") Signed-off-by: Yicong Yang <yang.yicong@picoheart.com> Link: https://patch.msgid.link/20260625094702.11558-1-yang.yicong@picoheart.com [pjw@kernel.org: added Fixes line] Signed-off-by: Paul Walmsley <pjw@kernel.org>
2026-06-25riscv: Add build salt to the vDSOBastian Blank
The vDSO needs to have a unique build id in a similar manner to the kernel and modules. Use the build salt macro. Signed-off-by: Bastian Blank <waldi@debian.org> Reviewed-by: Nam Cao <namcao@linutronix.de> Link: https://patch.msgid.link/ajQY7n0an0YwQ--j@steamhammer.waldi.eu.org Signed-off-by: Paul Walmsley <pjw@kernel.org>
2026-06-25raid6: fix raid6_recov_rvv symbol undeclared warningBen Dooks
The riscv recov_rvv.c should have included pq_arch.h for the definition of raid6_recov_rvv. Add the include to fix the following sparse warning: lib/raid/raid6/riscv/recov_rvv.c:218:32: warning: symbol 'raid6_recov_rvv' was not declared. Should it be static? Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk> Reviewed-by: Nam Cao <namcao@linutronix.de> Link: https://patch.msgid.link/20260622135535.481534-1-ben.dooks@codethink.co.uk Signed-off-by: Paul Walmsley <pjw@kernel.org>
2026-06-25raid6: fix riscv symbol undeclared warnignsBen Dooks
The riscv rvv.c file is missing the include of pq_arch.h which defines all the exported functions. Include this to remove the following sparse warnings: lib/raid/raid6/riscv/rvv.c:1225:1: warning: symbol 'raid6_rvvx1' was not declared. Should it be static? lib/raid/raid6/riscv/rvv.c:1226:1: warning: symbol 'raid6_rvvx2' was not declared. Should it be static? lib/raid/raid6/riscv/rvv.c:1227:1: warning: symbol 'raid6_rvvx4' was not declared. Should it be static? lib/raid/raid6/riscv/rvv.c:1228:1: warning: symbol 'raid6_rvvx8' was not declared. Should it be static? Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk> Reviewed-by: Nam Cao <namcao@linutronix.de> Link: https://patch.msgid.link/20260622135207.480540-1-ben.dooks@codethink.co.uk Signed-off-by: Paul Walmsley <pjw@kernel.org>
2026-06-25riscv: Raise default NR_CPUS for 64BIT to 256Vivian Wang
SpacemiT has already produced a 80-core RVA23 RISC-V server [1], and going further back, the dual-socket SG2042-based Sophgo Pisces has 128 cores (although that had some issues achieving mainline support). Therefore, an NR_CPUS of 64 is not enough. Raise default NR_CPUS to 256 for 64BIT (when !RISCV_SBI_V01, since very old firmware can't support more than 64 cores). The number was picked as a power of two that is at least double the known max. I believe this should be the right balance between not wasting too much memory and not having to touch this too often. Ubuntu has already been shipping NR_CPUS=512 for riscv64. We have also been testing NR_CPUS=256 internally at ISCAS and found negligible performance impact and no ill effects. Reported-by: Lufei Zheng <lufei.zheng@spacemit.com> Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140651 # [1] Suggested-by: Han Gao <gaohan@iscas.ac.cn> Signed-off-by: Vivian Wang <wangruikang@iscas.ac.cn> Link: https://patch.msgid.link/20260625-riscv-more-nr-cpus-v1-1-5da8c72b9269@iscas.ac.cn Signed-off-by: Paul Walmsley <pjw@kernel.org>
2026-06-25Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvmLinus Torvalds
Pull kvm fixes from Paolo Bonzini: "s390: - Fix S390_USER_OPEREXEC so it can now be enabled regardless of other unrelated capabilities - Fix handling of the _PAGE_UNUSED pte bit that could lead to guest memory corruption in some scenarios - A bunch of misc gmap fixes (locking, behaviour under memory pressure) - Fix CMMA dirty tracking x86: - Tidy up some WARN_ON() and BUG_ON(), replacing them with WARN_ON_ONCE() or KVM_BUG_ON(). All of these have obviously never triggered, or somebody would have been annoyed earlier, but still... - Fix missing interrupt due to stale CR8 intercept - Add a statistic that can come in handy to debug leaks as well as the vulnerability to a class of recently-discovered issues - Do not ask arch/x86/kernel to export default_cpu_present_to_apicid() just for KVM" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (22 commits) x86/apic: KVM: Use cpu_physical_id() to get APIC ID of running vCPU for AVIC KVM: x86/mmu: Expose number of shadow MMU shadow pages as a stat KVM: x86: Unconditionally recompute CR8 intercept on PPR update KVM: VMX: Grab vmcs12 on CR8 interception update iff vCPU is in guest mode KVM: x86: WARN (once) if RTC pending EOI tracking goes off the rails KVM: x86: WARN and fail kvm_set_irq() if a PIC or I/O APIC vector is invalid KVM: x86: Bug the VM, not the kernel, if the ISR count {under,over}flows KVM: x86/mmu: Bug the VM, not the host kernel, if KVM write-protects upper SPTEs KVM: x86: Replace BUG_ON() with WARN_ON_ONCE() on "bad" nested GPA translation KVM: Replace guest-triggerable BUG_ON() in ioeventfd datamatch with get_unaligned() KVM: s390: Return failure in case of failure in kvm_s390_set_cmma_bits() KVM: s390: selftests: Fix cmma selftest KVM: s390: Fix cmma dirty tracking KVM: s390: Fix locking in kvm_s390_set_mem_control() KVM: s390: Fix handle_{sske,pfmf} under memory pressure KVM: s390: Fix code typo in gmap_protect_asce_top_level() KVM: s390: Do not set special large pages dirty KVM: s390: Fix dat_peek_cmma() overflow s390/mm: Fix handling of _PAGE_UNUSED pte bit KVM: s390: Fix typo in UCONTROL documentation ...
2026-06-25Merge branch 'net-avoid-nested-up-notifier-events'Jakub Kicinski
Jakub Kicinski says: ==================== net: avoid nested UP notifier events syzbot reported that recent ethtool rework leads to deadlock on stacked devices. VLANs create nested notifications, confusing execution context. Bringing up dummy causes vlan to bring itself up as well. Which in turn causes bond to ask for link state - a call chain traveling in the opposite direction. bond (3) bond_update_speed_duplex(vlan) | ^ v vlan (2) UP(vlan) (4) vlan_ethtool_get_link_ksettings() | ^ v dummy (1) UP(dummy) (5) __ethtool_get_link_ksettings() We locked the instance lock of dummy at (1) and will will try to lock it again at (5) - which of course deadlocks. For non-nested notifications this is avoided because NETDEV_UP is always run ops-locked (so that bond asks for link using the netif_ API which assumes instance lock already held). The nesting, however, makes this problematic, we cannot carry the state of the whole chain back in the opposite direction. AFAICT vlan is the only driver which causes such issues. So let's try a localized fix of deferring vlan auto-open to a workqueue. ==================== Link: https://patch.msgid.link/20260624182018.2445732-1-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-25selftests: bonding: add a test for VLAN propagation over a bonded real deviceJakub Kicinski
Add a regression test for the VLAN notifier handling that the netdev_work deferral fixed. A VLAN's real device propagates its UP/DOWN, MTU and feature changes onto the VLANs stacked on top of it. This used to be done synchronously from the real device's notifier and deadlocked when the real device was brought up while enslaved to a bond (instance lock held across NETDEV_UP) and the VLAN on top was itself a bond member: the synchronous propagation re-entered the stack and took the same instance lock again. The test covers both halves: - that the deferred UP/DOWN, MTU and feature propagation actually lands on the VLAN (link state and MTU use an ops-locked dummy, i.e. the deferral path; features use veth, which exports vlan_features to inherit), and - that the deadlock-prone topology - a VLAN on a dummy, with the VLAN and the dummy each enslaved to a different bond - can be built without hanging. Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com> Acked-by: Stanislav Fomichev <sdf@fomichev.me> Link: https://patch.msgid.link/20260624182018.2445732-5-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-25vlan: defer real device state propagation to netdev_workJakub Kicinski
vlan_device_event() generates nested UP/DOWN, MTU and feature change events. It executes an event for the VLAN device directly from the notifier - while the locks of the lower device are held. This causes deadlocks, for example: bond (3) bond_update_speed_duplex(vlan) | ^ v vlan (2) UP(vlan) (4) vlan_ethtool_get_link_ksettings() | ^ v dummy (1) UP(dummy) (5) __ethtool_get_link_ksettings() The dummy device is ops locked, vlan creates a nested event (2), then bond wants to ask vlan for link state (3). bond uses the "I'm already holding the instance lock" flavor of API. But in this case the lock held refers to vlan itself. We hit vlan's link settings trampoline (4) and call __ethtool_get_link_ksettings() which tries to lock dummy. Deadlock. There's no clean way for us to tell the vlan_ethtool_get_link_ksettings() that the caller is already in lower device's critical section. Defer the propagation to the per-netdev work facility instead: the notifier only schedules netdev_work_sched(vlandev, VLAN_WORK_*), and ndo_work (vlan_dev_work) applies the change later. Hopefully nobody expects the VLAN state changes to be instantaneous. If someone does expect the changes to be instantaneous we will have to do the same thing Stan did for rx_mode and "strategically" place sync calls, to make sure such delayed works are executed after we drop the ops lock but before we drop rtnl_lock. Stan suggests that if we need that down the line we may consider reshaping the mechanism into "async notifications". AFAICT only vlan does this sort of netdev open chaining, so as a first try I think that sticking the complexity into the vlan code makes sense. One corner case is that we need to cancel the event if user explicitly changes the state before work could run. Consider the following operations with vlan0 on top of dummy0: ip link set dev dummy0 up # queues work to up vlan0 ip link set dev vlan0 down # user explicitly downs the vlan ndo_work # acts on the stale event Reported-by: syzbot+09da62a8b78959ceb8bb@syzkaller.appspotmail.com Reported-by: syzbot+cb67c392b0b8f0fd0fc1@syzkaller.appspotmail.com Reported-by: syzbot+9bb8bd77f3966641f298@syzkaller.appspotmail.com Fixes: 9f275c2e9020 ("net: ethtool: make sure __ethtool_get_link_ksettings() is ops-locked") Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com> Reviewed-by: Nicolai Buchwitz <nb@tipi-net.de> Acked-by: Stanislav Fomichev <sdf@fomichev.me> Link: https://patch.msgid.link/20260624182018.2445732-4-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-25net: add the driver-facing netdev_work scheduling APIJakub Kicinski
With an extra event mask we can easily extend the netdev work to also service driver-defined events. For advanced drivers this is probably not a perfect match, but it makes running deferred work easier in simple cases. Expose the netdev_work facility to drivers. Add helpers to schedule work and a dedicated ndo to perform the driver- -scheduled actions. Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com> Acked-by: Stanislav Fomichev <sdf@fomichev.me> Link: https://patch.msgid.link/20260624182018.2445732-3-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-25net: turn the rx_mode work into a generic netdev_work facilityJakub Kicinski
The rx_mode update runs from a workqueue: drivers have their ndo_set_rx_mode_async() callback executed by a single global work item under RTNL and ops lock. This is a useful pattern. Support multiple "events" that need to be serviced and make RX_MODE sync the first one. Call the events "core" because later on we will let drivers define and schedule their own. Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com> Acked-by: Stanislav Fomichev <sdf@fomichev.me> Link: https://patch.msgid.link/20260624182018.2445732-2-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-25net: ethtool: keep rtnl_lock for ops using ethtool_op_get_link()Jakub Kicinski
Breno reports following splats on mlx5: RTNL: assertion failed at net/core/dev.c (2241) WARNING: net/core/dev.c:2241 at netif_state_change+0xed/0x130, CPU#5: ethtool/1335 RIP: 0010:netif_state_change+0xf9/0x130 Call Trace: <TASK> __linkwatch_sync_dev+0xea/0x120 ethtool_op_get_link+0xe/0x20 __ethtool_get_link+0x26/0x40 linkstate_prepare_data+0x51/0x200 ethnl_default_doit+0x213/0x470 genl_family_rcv_msg_doit+0xdd/0x110 Looks like I missed ethtool_op_get_link() trying to sync linkwatch, which needs rtnl_lock. Not all drivers do this - bnxt doesn't, it just returns the link state, so add an opt-in bit. Reported-by: Breno Leitao <leitao@debian.org> Fixes: 45079e00133e ("net: ethtool: optionally skip rtnl_lock on Netlink path for GET ops") Acked-by: Stanislav Fomichev <sdf@fomichev.me> Reviewed-by: Breno Leitao <leitao@debian.org> Acked-by: Harshitha Ramamurthy <hramamurthy@google.com> Link: https://patch.msgid.link/20260624190439.2521219-1-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-25Merge branch 'rxrpc-miscellaneous-fixes'Jakub Kicinski
David Howells says: ==================== rxrpc: Miscellaneous fixes Here are some miscellaneous AF_RXRPC fixes for more stuff found by Sashiko[1][2]: (1) Fix ACKALL handling by adding two more call states to simplify when ACKs are valid. (2) Fix connection leak from AF_RXRPC recvmsg userspace OOB handling. (3) Fix double unlock in AF_RXRPC recvmsg userspace OOB handling. (4) Fix AFS preallocate charge to flush the waitqueue after unlistening the socket so that any charging thread that does manage to get started will be waited for before socket destruction. (5) Fix AFS OOB notify handling to cancel in-progress OOB notification handling and then to flush the workqueue it's on. (6) Fix handling of apparent reply reception before initial transmission starts in client call. (7) Fix OOB challenge leak in cleanup on notification failure. (8) Fix infinite loop in recvmsg if OOB packet available, but no calls. (9) Fix notify vs recvmsg race where notify thinks the call is already queued. (10) Fix MSG_PEEK call leak for calls with no content. (11) Fix rxrpc_rotate_tx_window() to check that there's something in the Tx buffer before attempting to rotate it. ==================== Link: https://patch.msgid.link/20260624163819.3017002-1-dhowells@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-25rxrpc: Fix rxrpc_rotate_tx_rotate() to check there's something to rotateDavid Howells
Fix rxrpc_rotate_tx_rotate() to check that there's something in the transmission buffer to be rotated before it attempts to rotate anything. Fixes: b341a0263b1b ("rxrpc: Implement progressive transmission queue struct") Link: https://sashiko.dev/#/patchset/20260618134802.2477777-1-dhowells%40redhat.com Signed-off-by: David Howells <dhowells@redhat.com> cc: Marc Dionne <marc.dionne@auristor.com> cc: Jeffrey Altman <jaltman@auristor.com> cc: Simon Horman <horms@kernel.org> cc: linux-afs@lists.infradead.org cc: stable@kernel.org Link: https://patch.msgid.link/20260624163819.3017002-12-dhowells@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>