summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2026-06-18PCI: brcmstb: Protect root bus removal with rescan lockHans Zhang
Hold the pci_rescan_remove_lock lock while stopping and removing a root bus to avoid racing with concurrent rescan or hotplug operations triggered via sysfs. Such races may lead to use-after-free issues or system crashes. Signed-off-by: Hans Zhang <18255117159@163.com> Signed-off-by: Manivannan Sadhasivam <mani@kernel.org> [bhelgaas: commit log] Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Link: https://patch.msgid.link/20260521161822.132996-5-18255117159@163.com
2026-06-18PCI: altera: Protect root bus removal with rescan lockHans Zhang
Hold the pci_rescan_remove_lock lock while stopping and removing a root bus to avoid racing with concurrent rescan or hotplug operations triggered via sysfs. Such races may lead to use-after-free issues or system crashes. Signed-off-by: Hans Zhang <18255117159@163.com> Signed-off-by: Manivannan Sadhasivam <mani@kernel.org> [bhelgaas: commit log] Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Link: https://patch.msgid.link/20260521161822.132996-4-18255117159@163.com
2026-06-18Merge tag 'ext4_for_linus-7.2-rc1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 Pull ext4 updates from Ted Ts'o: - A major rework of the fast commit mechanism to avoid lock contention and deadlocks. We also export snapshot statistics in /proc/fs/ext4/*/fc_info - Performance optimization for directory hash computation by processing input in 4-byte chunks and removing function pointers, along with new KUnit tests for directory hash - Cleanups in JBD2 to remove special slabs and use kmalloc() instead - Various bug fixes, including: - Early validation of donor superblock in EXT4_IOC_MOVE_EXT to avoid cross-fs deadlock - Fix for a kernel BUG in ext4_write_inline_data_end under data=journal - Fix for a NULL dereference in jbd2_journal_dirty_metadata when handle is aborted - Fix for an underflow in JBD2 fast commit block initialization check - Fix for LOGFLUSH shutdown ordering to ensure ordered data writeback - Miscellaneous fixes for error path return values and KUnit assertions * tag 'ext4_for_linus-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4: ext4: validate donor file superblock early in EXT4_IOC_MOVE_EXT ext4: fix kernel BUG in ext4_write_inline_data_end ext4: fix ERR_PTR(0) in ext4_mkdir() jbd2: remove special jbd2 slabs ext4: remove mention of PageWriteback ext4: improve str2hashbuf by processing 4-byte chunks and removing function pointers ext4: add Kunit coverage for directory hash computation ext4: fast commit: export snapshot stats in fc_info ext4: fast commit: add lock_updates tracepoint ext4: fast commit: avoid i_data_sem by dropping ext4_map_blocks() in snapshots ext4: fast commit: avoid self-deadlock in inode snapshotting ext4: fast commit: avoid waiting for FC_COMMITTING ext4: lockdep: handle i_data_sem subclassing for special inodes ext4: fast commit: snapshot inode state before writing log jbd2: fix integer underflow in jbd2_journal_initialize_fast_commit() ext4: fix fast commit wait/wake bit mapping on 64-bit jbd2: check for aborted handle in jbd2_journal_dirty_metadata() ext4: Use %pe to print PTR_ERR() ext4: fix LOGFLUSH shutdown ordering to allow ordered-mode data writeback ext4: replace KUnit tests for memcmp() with KUNIT_ASSERT_MEMEQ()
2026-06-18Merge tag 'v7.2-rc-part1-ksmbd-fixes' of git://git.samba.org/ksmbdLinus Torvalds
Pull smb server updates from Steve French: - Use after free fixes - Out of bounds read fix - Add SMB compression support both at rest and over the wire: support decompression of compressed SMB2 requests, initially allow compressed SMB2 READ responses, and implement get/set compression operations for per-file compression state. - Credentials fixes: for various FSCTLs, setinfo, delete on close and for alternate data streams - Fix access checks and permission checks in DUPLICAT_EXTENTS and SET_ZERO_DATA fsctls, find_file_posix_info, FILE_LINK_INFORMATION and smb2_set_info_sec - Reject non valid session in compound request - Serialize QUERY_DIRECTORY - Prevent path traversal bypass by restricting caseless retry - Path lookup fix - Two minor cleanup fixes * tag 'v7.2-rc-part1-ksmbd-fixes' of git://git.samba.org/ksmbd: (31 commits) ksmbd: fix path resolution in ksmbd_vfs_kern_path_create ksmbd: use opener credentials for FSCTL mutations ksmbd: use opener credentials for ADS I/O ksmbd: require source read access for duplicate extents ksmbd: run set info with opener credentials ksmbd: use opener credentials for delete-on-close ksmbd: serialize QUERY_DIRECTORY requests per file ksmbd: add permission checks for FSCTL_DUPLICATE_EXTENTS_TO_FILE ksmbd: enforce FILE_READ_ATTRIBUTES on SMB_FIND_FILE_POSIX_INFORMATION ksmbd: reject non-VALID session in compound request branch ksmbd: compress SMB2 READ responses ksmbd: negotiate and decode SMB2 compression cifs: negotiate chained SMB2 compression capabilities smb: add common SMB2 compression transform helpers smb: move LZ77 compression into common code ksmbd: add per-handle permission check to FILE_LINK_INFORMATION ksmbd: add a permission check for FSCTL_SET_ZERO_DATA ksmbd: add a WRITE_DAC/WRITE_OWNER check to SMB2 SET_INFO SECURITY ksmbd: fix use-after-free of a deferred file_lock on SMB2_CLOSE then SMB2_CANCEL smb: server: remove code guarded by nonexistent config option ...
2026-06-18Merge tag 'v7.2-rc-part1-smb3-client-fixes' of ↵Linus Torvalds
git://git.samba.org/sfrench/cifs-2.6 Pull smb client updates from Steve French: - Three cleanup patches - Fix error return value in smb2_aead_req_alloc - Three compression fixes - Update i_blocks after write (fixes various xfstests) - Fix races in cifsd thread creation - Fix potential out of bounds read parsing security descriptors - Witness protocol fix - Fix umount bug - Mount fix - Fix cached directory entries on unlink/rmdir/rename * tag 'v7.2-rc-part1-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6: smb: client: Use more common code in SMB2_tcon() smb: client: Use more common error handling code in smb3_reconfigure() smb/client: Fix error code in smb2_aead_req_alloc() smb/client: clean up a type issue in cifs_xattr_get() smb/client: allow FS_IOC_SETFLAGS to clear compression smb/client: use writable handle for FS_IOC_SETFLAGS compression smb/client: always return a value for FS_IOC_GETFLAGS smb/client: update i_blocks after contiguous writes smb: client: fix races in cifsd thread creation cifs: validate full SID length in security descriptors smb: client: resolve SWN tcon from live registrations cifs: remove all cifs files before kill super smb: client: fix conflicting option validation for new mount API cifs: invalidate cfid on unlink/rename/rmdir
2026-06-18Merge tag 'nfsd-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linuxLinus Torvalds
Pull nfsd updates from Chuck Lever: "Jeff Layton wired up netlink upcalls for the auth.unix.ip and auth.unix.gid caches in SunRPC and the svc_export and nfsd.fh caches in NFSD. The new kernel-user API is more extensible and lays the groundwork for retiring the old pipe interface. The default NFS r/w block size rises to 4MB on hosts with at least 16GB of RAM, reducing per-RPC overhead on fast networks. Smaller machines keep their previously computed default, and the value remains tunable through /proc/fs/nfsd/max_block_size. Chuck Lever converted the server's RPCSEC GSS Kerberos code to the kernel's shared crypto/krb5 library. The conversion retires and removes SunRPC's bespoke implementation of Kerberos v5, but keeps RPCSEC GSS-API. Continuing the xdrgen migration that converted the NLMv4 server XDR layer in v7.1, Chuck Lever converted the NLM version 3 server-side XDR layer from hand-written C to xdrgen-generated code. As with the NLMv4 conversion in v7.1, the goals are improved memory safety, lower maintenance burden, and groundwork for generation of Rust code for this layer instead of C. Chuck Lever fixed an issue where lingering NFSv4 state pins a mounted file system after it is unexported. A new netlink-based mechanism can now release NLM locks and NFSv4 state by client address, by filesystem, and by export. Now an administrator can quiesce an export cleanly before unmounting it. The remaining patches are bug fixes, clean-ups, and minor optimizations, including a batch of memory-leak and use-after-free fixes in the ACL, lockd, and TLS handshake paths, many of them reported by Chris Mason. Sincere thanks to all contributors, reviewers, testers, and bug reporters who participated in the v7.2 NFSD development cycle" * tag 'nfsd-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux: (106 commits) svcrdma: wake sq waiters when the transport closes nfsd: reset write verifier on deferred writeback errors nfsd: avoid leaking pre-allocated openowner on unconfirmed retry race sunrpc: wait for in-flight TLS handshake callback when cancel loses race sunrpc: pin svc_xprt across the asynchronous TLS handshake callback nfsd: fix posix_acl leak on SETACL decode failure nfsd: fix posix_acl leak and ignored error in nfsd4_create_file nfsd: check get_user() return when reading princhashlen nfsd: fix inverted cp_ttl check in async copy reaper nfsd: fix dead ACL conflict guard in nfsd4_create NFSD: Fix SECINFO_NO_NAME decode error cleanup sunrpc: harden rq_procinfo lifecycle to prevent double-free SUNRPC: Return an error from xdr_buf_to_bvec() on overflow SUNRPC: Bound-check xdr_buf_to_bvec() stores before writing nfsd: release layout stid on setlease failure lockd: Avoid hashing uninitialized bytes in nlm4svc_lookup_file() lockd: Plug nlm_file refcount leak on cached nlm_do_fopen() failure lockd: Plug nlm_file leak when nlm_do_fopen() fails Revert "NFSD: Defer sub-object cleanup in export put callbacks" Revert "svcrdma: Use contiguous pages for RDMA Read sink buffers" ...
2026-06-18Merge tag 'fuse-update-7.2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse Pull fuse updates from Miklos Szeredi: - Fix lots of bugs, most from the late 6.x era, but some going back to 2.6.x - Add subsystems (io-uring, passthrough) and respective maintainers (Bernd, Joanne and Amir) - Separate transport and fs layers (Miklos) - Don't block on cat /dev/fuse (Joanne) - Perform some refactoring in fuse-uring (Joanne) - Don't use bounce-buffer for READDIR reply in virtio-fs (Matthew Ochs) - Clean up documentation (Randy) - Improve tracing (Amir) - Extend page cache invalidation after DIO (Cheng Ding) - Invalidate readdir cache on epoch change (Jun Wu) - Misc cleanups * tag 'fuse-update-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse: (81 commits) fuse-uring: clear ent->fuse_req in commit_fetch error path fuse-uring: use named constants for io-uring iovec indices fuse-uring: refactor setting up copy state for payload copying fuse-uring: use enum types for header copying fuse-uring: refactor io-uring header copying from ring fuse-uring: refactor io-uring header copying to ring fuse-uring: separate next request fetching from sending logic fuse: invalidate readdir cache on epoch bump virtio-fs: avoid double-free on failed queue setup fuse: invalidate page cache after DIO and async DIO writes fuse: set ff->flock only on success fuse: clean up interrupt reading fuse: remove stray newline in fuse_dev_do_read() fuse: use READ_ONCE in fuse_chan_num_background() fuse: dax: Move long delayed work on system_dfl_long_wq fuse: add fuse_request_sent tracepoint fuse: Add SPDX ID lines to some files fuse: use QSTR() instead of QSTR_INIT() in fuse_get_dentry fuse: convert page array allocation to kcalloc() fuse: use current creds for backing files ...
2026-06-18ALSA: emu10k1: Use common error handling code in snd_emu10k1_playback_open()Markus Elfring
Use an additional label so that a bit of exception handling can be better reused at the end of this function implementation. This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Link: https://patch.msgid.link/d709474d-62b0-4f7e-9011-a0f716b35383@web.de Signed-off-by: Takashi Iwai <tiwai@suse.de>
2026-06-18ALSA: usb-audio: Add quirk for YAMAHA CDS3000Jean-Louis Colaco
This quirk is identical to the one for the Yamaha Steinberg UR22, here applied to a CD player that also uses the Steinberg USB interface. This quirk is necessary to avoid sporadic "clic" noise when using the DAC of the player. Signed-off-by: Jean-Louis Colaco <jean-louis.colaco@orange.fr> Link: https://patch.msgid.link/20260618113202.8363-1-jean-louis.colaco@orange.fr Signed-off-by: Takashi Iwai <tiwai@suse.de>
2026-06-18PCI: iproc: Restore .map_irq() for the platform bus driverMark Tomlinson
Commit b64aa11eb2dd ("PCI: Set bridge map_irq and swizzle_irq to default functions") moved the assignment of default .map_irq() callback to devm_of_pci_bridge_init() and removed the initialization of 'iproc_pcie::map_irq' in platform bus driver. This led to the callback getting assigned the NULL pointer for platform bus driver, thereby breaking the INTx functionality, since 'iproc_pcie::map_irq' overrides the 'pci_host_bridge::map_irq' callback in iproc_pcie_setup(). This issue only affected the iproc platform bus driver as this driver relies on the default callback for non-PAXC controllers. iproc-brcm driver was already providing the custom mapping function, so it was unaffected. Restore the original (and intended) behaviour to use the default map_irq function by removing the local 'iproc_pcie::map_irq' pointer and directly assigning the 'pci_host_bridge::map_irq' callback in iproc-bcma driver. This ensures that the default 'map_irq' callback is used for platform bus driver and only iproc-brcm driver overrides it with a custom one. Fixes: b64aa11eb2dd ("PCI: Set bridge map_irq and swizzle_irq to default functions") Signed-off-by: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz> [mani: commit log] Signed-off-by: Manivannan Sadhasivam <mani@kernel.org> Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Acked-by: Ray Jui <ray.jui@broadcom.com> Link: https://patch.msgid.link/20260430021628.1343154-1-mark.tomlinson@alliedtelesis.co.nz
2026-06-18Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdmaLinus Torvalds
Pull rdma updates from Jason Gunthorpe: "Many AI driven bug fixes, and several big driver API cleanups - Driver bug fixes and minor cleanups in mlx5, hns, rxe, efa, siw, rtrs, mana, irdma, mlx4. Commonly error path flows, integer arithmetic overflows on unsafe data, out of bounds access, and use after free issues under races. - Second half of the new udata API for drivers focusing on uAPI response - bnxt_re supports more options for QP creation that will allow a dv path in rdma-core - Untangle the module dependencies so drivers don't link to ib_uverbs.ko as was originall intended - Provide a new way to handle umems with a consistent simplified uAPI and update several drivers to use it. This brings dmabuf support to more places and more drivers - Support for mlx5 rate limit and packet pacing for UD and UC - A batch of fixes for the new shared FRMR pools infrastructure" * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma: (148 commits) RDMA/irdma: Replace waitqueue and flag with completion RDMA/hns: Fix memory leak of bonding resources RDMA/rtrs-srv: Bound RDMA-Write length to chunk size in rdma_write_sg docs: infiniband: correct name of option to enable the ib_uverbs module RDMA/bnxt_re: Reject GET_TOGGLE_MEM when toggle page was not allocated RDMA/bnxt_re: Fail DBR related page allocation UAPIs if the feature is disabled RDMA/bnxt_re: Avoid repeated requests to allocate WC pages RDMA/bnxt_re: Proper rollback if the ioremap fails RDMA/bnxt_re: Add a max slot check for SQ RDMA/bnxt_re: Avoid displaying the kernel pointer RDMA/bnxt_re: Free CQ toggle page after firmware teardown RDMA/bnxt_re: Free SRQ toggle page after firmware teardown RDMA/bnxt_re: Initialize dpi variable to zero ABI: sysfs-class-infiniband: minor cleanup RDMA/mlx5: Release the HW‑provided UAR index rather than the SW one RDMA/mlx5: Fix undefined shift of user RQ WQE size RDMA/mlx5: Remove raw RSS QP restrack tracking RDMA/mlx5: Remove DCT restrack tracking RDMA/mlx5: Drop FRMR pool handle on UMR revoke failure RDMA/core: Add ib_frmr_pool_drop for unrecoverable handles ...
2026-06-18PCI: mvebu: Use fixed-width interrupt masks to avoid truncation in 64-bit buildsRosen Penev
Use u32-typed BIT and GENMASK helpers for PCIe interrupt register masks. This keeps inverted masks in the same width as the registers and avoids truncation warnings on 64-bit compile-test builds. Fixes below and similar warnings: drivers/pci/controller/pci-mvebu.c:316:21: error: implicit conversion from 'unsigned long' to 'u32' (aka 'unsigned int') changes value from 18446744069414584320 to 0 [-Werror,-Wconstant-conversion] mvebu_writel(port, ~PCIE_INT_ALL_MASK, PCIE_INT_UNMASK_OFF); Assisted-by: Codex:GPT-5.5 Signed-off-by: Rosen Penev <rosenp@gmail.com> Signed-off-by: Manivannan Sadhasivam <mani@kernel.org> Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Link: https://patch.msgid.link/20260526044016.1025613-1-rosenp@gmail.com
2026-06-18Merge tag 'ata-7.2-rc1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux Pull ata updates from Niklas Cassel: - Bump required Clang version to 23 (Marco), and add Clang context analysis annotations (Bart) - Use the ahci_nr_ports() helper in libahci (me) - Fail to probe the ahci driver if the BAR size is smaller than the required size to support CAP.NP (Number of Ports) (liyouhong) - Move EXPORT_SYMBOL_GPL(ahci_do_softreset) to be just below the function definition (Bart) - Make ata_scsi_scan_host() schedule hotplug work on the system_dfl_long_wq workqueue so that it can benefit from scheduler task placement (Marco) - Make ata_scsi_port_error_handler() schedule hotplug work on the system_dfl_long_wq workqueue, such that the work always uses the same workqueue (me) - Use devm_platform_get_and_ioremap_resource() in pata_arasan_cf driver (Rosen) - Fix ata_exec_internal() to only release and acquire the EH mutex if the calling function is the one holding the EH mutex (Bart) - Use hweight_long() to count the port_map bits (TanZheng) - Add COMPILE_TEST support for pata_ep93xx driver (Rosen) - Drop unused assignments from pata_isapnp driver (Uwe) - Extend existing JMicron PMP quirk to include JMicron JMS562 (Xu) - Drop unused assignments of pci_device_id driver data (Uwe) - Use named initializers for pci_device_id arrays (Uwe) * tag 'ata-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux: ata: Use named initializers for pci_device_id arrays ata: Drop unused assignments of pci_device_id driver data ata: libata-pmp: add JMicron JMS562 quirk ata: pata_isapnp: Drop unused assignments from pnp_device_id array ata: pata_ep93xx: add COMPILE_TEST support ata: pata_ep93xx: use unsigned long for data ata: pata_ep93xx: avoid asm on non ARM ata: Annotate functions in the issuing path with __must_hold() ata: libata: Pass ap parameter directly to functions in the issuing path ata: libata: Document when host->eh_mutex should be held ata: libata: Add an argument to ata_eh_reset() ata: ahci: use hweight_long() to count port_map bits ata: libata: Fix ata_exec_internal() ata: pata_arasan_cf: simplify ioremap ata: libata-eh: queue hotplug work on the system_dfl_long_wq workqueue ata: libata-scsi: Move long delayed work on system_dfl_long_wq ata: ahci: Move EXPORT_SYMBOL_GPL(ahci_do_softreset) ata: ahci: fail probe if BAR too small for claimed ports ata: libahci: use ahci_nr_ports() helper
2026-06-18Merge tag 'for-7.2/io_uring-epoll-20260616' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux Pull io_uring epoll update from Jens Axboe: "As discussed a few months ago, this pull request gets rid of allowing nested epoll notification contexts via io_uring. Nested contexts have been a source of issues on the epoll side, and there should not be a need to support them from io_uring. The epoll io_uring side exists mainly to facilitate a gradual migration from a notification based epoll setup to an io_uring ditto" * tag 'for-7.2/io_uring-epoll-20260616' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux: io_uring/epoll: disallow adding an epoll file to an epoll context io_uring/epoll: switch to using do_epoll_ctl_file() interface
2026-06-18ASoC: audio-graph-card2: Drop warning for manually selected DAI formatsAlvin Šipraga
Sometimes the DAI format must be specified in the audio-graph-card2 device tree, so emitting a warning can be misleading. Revert back to emitting no warning. A few examples where automatic format selection might not be applicable: - For DPCM, where the other side of the DAI link is not apparent, no proper selection can actually be made. This can lead to disagreeing formats. - Due to hardware peculiarities, some ostensibly supported formats might not work in practice. In either case, the only correct solution is for the sound card to set the format Link: https://lore.kernel.org/all/87ik7s36k2.wl-kuninori.morimoto.gx@renesas.com/ Signed-off-by: Alvin Šipraga <alvin.sipraga@analog.com> Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com> Link: https://patch.msgid.link/20260617145508.327213-1-alvin@pqrs.dk Signed-off-by: Mark Brown <broonie@kernel.org>
2026-06-18s390/idle: Add missing EXPORT_SYMBOL_GPL()Heiko Carstens
Uwe Kleine-König reported this build breakage caused by a recent commit which provides arch specific kcpustat_field_idle()/kcpustat_field_iowait() functions: ERROR: modpost: "arch_kcpustat_field_idle" [drivers/leds/trigger/ledtrig-activity.ko] undefined! ERROR: modpost: "arch_kcpustat_field_iowait" [drivers/leds/trigger/ledtrig-activity.ko] undefined! Fix this by adding the missing EXPORT_SYMBOL_GPL(). Fixes: 670e057744e0 ("s390/idle: Provide arch specific kcpustat_field_idle()/kcpustat_field_iowait()") Reported-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com> Closes: https://lore.kernel.org/r/ajKsG0JP6qTssQBX@monoceros Acked-by: Alexander Gordeev <agordeev@linux.ibm.com> Tested-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com> Signed-off-by: Heiko Carstens <hca@linux.ibm.com> Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
2026-06-18ALSA: usb-audio: qcom: clear opened when stream enable failsMichael Bommarito
On enable, subs->opened is set before the service_interval is validated; an invalid interval jumps to the response label without clearing it, so the substream is wedged at -EBUSY until a disable or disconnect. Clear subs->opened on the enable error path. Fixes: 326bbc348298a ("ALSA: usb-audio: qcom: Introduce QC USB SND offloading support") Assisted-by: Claude:claude-opus-4-8 Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com> Link: https://patch.msgid.link/20260618025126.1862954-3-michael.bommarito@gmail.com Signed-off-by: Takashi Iwai <tiwai@suse.de>
2026-06-18ALSA: usb-audio: qcom: reject stream disable with no active interfaceMichael Bommarito
handle_uaudio_stream_req() resolves an interface index with info_idx_from_ifnum(), which returns -EINVAL when no interface matches. The enable branch and the response: cleanup label both guard against a negative index, but the disable branch does not: it forms info = &uadev[pcm_card_num].info[info_idx] and dereferences it. uadev[].info is a pointer allocated only when a stream is first enabled, so a negative info_idx on the disable path is unsafe in two ways: - If the card was never enabled, .info is NULL and &info[-EINVAL] is a wild pointer; reading info->data_ep_pipe faults (kernel oops). - If the card was enabled at least once (.info allocated) and the disable names an interface that does not match, &info[-EINVAL] points before the allocation; info->data_ep_pipe / info->sync_ep_pipe are an out-of-bounds slab read and, when non-zero, an out-of-bounds 4-byte write (both pipe fields are cleared to 0). That is memory corruption, not just a NULL dereference. The request is reachable from unprivileged local userspace over AF_QIPCRTR. Reject a disable request with no resolved interface, matching the guard the enable path already has. Fixes: 326bbc348298a ("ALSA: usb-audio: qcom: Introduce QC USB SND offloading support") Assisted-by: Claude:claude-opus-4-8 Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com> Link: https://patch.msgid.link/20260618025126.1862954-2-michael.bommarito@gmail.com Signed-off-by: Takashi Iwai <tiwai@suse.de>
2026-06-18ALSA: hda/realtek: Add headset mic quirk for Acer S40-54Haowen Tu
Acer S40-54 with ALC256 does not restore headset mic detection properly after S4 resume. After resume, headset plug events may no longer update the headset mic state, leaving the headset microphone unavailable. The system uses subsystem ID 1025:161f. Applying the existing ALC256_FIXUP_ACER_MIC_NO_PRESENCE fixup restores headset mic detection on this machine. Add a machine-specific quirk for this system. Signed-off-by: Haowen Tu <tuhaowen@uniontech.com> Link: https://patch.msgid.link/20260618075431.1116988-1-tuhaowen@uniontech.com Signed-off-by: Takashi Iwai <tiwai@suse.de>
2026-06-18ALSA: caiaq: bound the length in the EP1 input parsersMaoyi Xie
snd_caiaq_input_read_erp() and snd_caiaq_input_read_io() can be reached from snd_usb_caiaq_input_dispatch(). They read fixed byte offsets from the reply buffer without checking the reported length. On a short reply they decode stale bytes left from a previous, longer report and feed them to the input layer. This is not an out-of-bounds access. Every offset is a compile-time driver constant. The largest is buf[21] in the Maschine ERP case. The EP1 transfer buffer ep1_in_buf is EP1_BUFSIZE (64) bytes, and the USB core caps actual_length at 64, so a short reply only reads in-bounds stale data. Acting on data the device did not send is still wrong, so bail out per usb_id case when the reply is shorter than the bytes that case consumes. read_erp: AK1 needs 2 bytes, Kore needs 16, Maschine needs 22. read_io: the Kore case needs 5 bytes (buf[4]) and the Traktor Kontrol X1 case needs 7 (buf[5]/buf[6]). The preceding key bit loop is already bounded by "i < len * 8" and is left untouched. snd_caiaq_input_read_analog() and snd_usb_caiaq_maschine_dispatch() are not changed. Their callers already floor the reply length. Suggested-by: Takashi Iwai <tiwai@suse.com> Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com> Link: https://patch.msgid.link/178176259547.3343534.6659489917322808916@maoyixie.com Signed-off-by: Takashi Iwai <tiwai@suse.de>
2026-06-18ALSA: caiaq: fix out-of-bounds read in the Traktor Kontrol S4 input parserMaoyi Xie
snd_usb_caiaq_tks4_dispatch() decodes the Traktor Kontrol S4 input stream in fixed 16-byte (TKS4_MSGBLOCK_SIZE) message blocks. On every iteration it advances buf and subtracts the block size while looping on "while (len)". len is urb->actual_length. That value is supplied by the device and is not guaranteed to be a multiple of 16. When a final short block leaves len between 1 and 15, the loop runs once more, reads up to buf[15], and then does "len -= TKS4_MSGBLOCK_SIZE". As len is unsigned this underflows to a huge value. The loop then keeps iterating and walking buf far past the end of the 512-byte ep4_in_buf, reading out of bounds until a bogus block id happens to be hit. Iterate only while a full message block is available. This stops the unsigned underflow and silently drops any trailing partial block, which carries no complete control value anyway. The sibling endpoint-4 parsers are not affected. The Traktor Kontrol X1 and Maschine arms in snd_usb_caiaq_ep4_reply_dispatch() floor urb->actual_length before dispatching. Fixes: 15c5ab607045 ("ALSA: snd-usb-caiaq: Add support for Traktor Kontrol S4") Cc: stable@vger.kernel.org Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com> Link: https://patch.msgid.link/178176259547.3343534.2724779296835237429@maoyixie.com Signed-off-by: Takashi Iwai <tiwai@suse.de>
2026-06-18ALSA: pcm: fix __le32 cast warning in snd_pcm_set_sync_per_cardBen Dooks
In snd_pcm_set_sync_per_card() the le32 value is written to an u32 instead of an __le32 pointer. Fix the following warning by fixing the type: sound/soc/soc-pcm.c:2166:9: warning: incorrect type in argument 7 (different base types) sound/soc/soc-pcm.c:2166:9: expected int sound/soc/soc-pcm.c:2166:9: got restricted snd_pcm_format_t Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk> Link: https://patch.msgid.link/20260617102943.893950-1-ben.dooks@codethink.co.uk Signed-off-by: Takashi Iwai <tiwai@suse.de>
2026-06-18i2c: pxa: Use named initializers for the platform_device_id arrayUwe Kleine-König (The Capable Hub)
Named initializers are better readable and more robust to changes of the struct definition. This robustness is relevant for a planned change to struct platform_device_id replacing .driver_data by an anonymous union. Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com> Signed-off-by: Andi Shyti <andi.shyti@kernel.org> Link: https://lore.kernel.org/r/827657abb02edb39bc90f7336194f614d383770e.1781688767.git.u.kleine-koenig@baylibre.com
2026-06-18tools/mm/slabinfo: fix total_objects attribute nameYichong Chen
SLUB exports the total_objects sysfs attribute, but slabinfo tries to read objects_total. As a result, the lookup fails and the field remains zero. Use the correct attribute name and rename the corresponding structure member to match. Fixes: 205ab99dd103 ("slub: Update statistics handling for variable order slabs") Signed-off-by: Yichong Chen <chenyichong@uniontech.com> Cc: <stable@vger.kernel.org> Reviewed-by: SeongJae Park <sj@kernel.org> Link: https://patch.msgid.link/96556748872BB47E+20260612071359.649946-1-chenyichong@uniontech.com Signed-off-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
2026-06-18slab: recognize @GFP parameter as optional in kernel-docRandy Dunlap
Since the @GFP parameter in kmalloc_obj() etc. is now optional, change the kernel-doc to indicate that it is optional. This avoids kernel-doc warnings: WARNING: include/linux/slab.h:1101 Excess function parameter 'GFP' description in 'kmalloc_obj' WARNING: include/linux/slab.h:1113 Excess function parameter 'GFP' description in 'kmalloc_objs' WARNING: include/linux/slab.h:1128 Excess function parameter 'GFP' description in 'kmalloc_flex' Fixes: e19e1b480ac7 ("add default_gfp() helper macro and use it in the new *alloc_obj() helpers") Signed-off-by: Randy Dunlap <rdunlap@infradead.org> Acked-by: Harry Yoo (Oracle) <harry@kernel.org> Link: https://patch.msgid.link/20260617163125.2716279-1-rdunlap@infradead.org Signed-off-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
2026-06-18mm/slab: add a node-track-caller variant for kmem buckets allocationPedro Falcato
This is required by users that want to use kmem buckets, but still desire specifying the NUMA node. Reviewed-by: Kees Cook <kees@kernel.org> Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org> Acked-by: Harry Yoo (Oracle) <harry@kernel.org> Signed-off-by: Pedro Falcato <pfalcato@suse.de> Link: https://patch.msgid.link/20260611124642.345400-2-pfalcato@suse.de Signed-off-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
2026-06-18mm/slab: replace __GFP_NO_OBJ_EXT with SLAB_ALLOC_NO_RECURSE for sheavesVlastimil Babka (SUSE)
Finish the switch away from __GFP_NO_OBJ_EXT by replacing it with SLAB_ALLOC_NO_RECURSE when allocating empty sheaves. Pass alloc_flags to [__]alloc_empty_sheaf(). Callers that can't be part of a recursive kmalloc() chain simply pass SLAB_ALLOC_DEFAULT. Use kmalloc_flags() instead of kzalloc() for allocating the sheaf. With that we can finalize the removal the __GFP_NO_OBJ_EXT handling from obj_ext allocations as well, leaving only SLAB_ALLOC_NO_RECURSE in place. This leaves __GFP_NO_OBJ_EXT with no users in slab, so stop allowing the flag in kmalloc_nolock(). Link: https://patch.msgid.link/20260610-slab_alloc_flags-v2-16-7190909db118@kernel.org Reviewed-by: Hao Li <hao.li@linux.dev> Reviewed-by: Harry Yoo (Oracle) <harry@kernel.org> Reviewed-by: Suren Baghdasaryan <surenb@google.com> Signed-off-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
2026-06-18mm/slab: remove __GFP_NO_OBJ_EXT usage from alloc_slab_obj_exts()Vlastimil Babka (SUSE)
__GFP_NO_OBJ_EXT has limited scope within the slab allocator itself and gfp flags are a scarce resource, unlike slab's alloc_flags. Introduce SLAB_ALLOC_NO_RECURSE alloc flag that has the same intent as __GFP_NO_OBJ_EXT but a more generic name, meaning that a kmalloc() family function should not recurse into another kmalloc*() for the purposes of allocating auxiliary structures (obj_ext arrays or sheaves). First, replace the __GFP_NO_OBJ_EXT for allocating obj_ext arrays in alloc_slab_obj_exts(). Make use of the newly added kmalloc_flags() function, where we can pass alloc_flags with SLAB_ALLOC_NO_RECURSE added. This will also pass through SLAB_ALLOC_NOLOCK so we don't need to special case kmalloc_nolock() anymore. Note that until now the kmalloc_nolock() ignored the incoming gfp flags and hardcoded __GFP_ZERO | __GFP_NO_OBJ_EXT. But it's correct to pass on the incoming gfp flags (only augmented with __GFP_ZERO), because if alloc_flags contain SLAB_ALLOC_NOLOCK, the incoming gfp flags have to be also compatible with it. However, we might have added __GFP_THISNODE for opportunistic slab allocation, as pointed out by Hao Li, and __GFP_COMP by allocate_slab() as pointed out by Shengming Hu. Solve this by adding both flags to OBJCGS_CLEAR_MASK as it makes sense to strip them anyway for non-kmalloc_nolock() allocations of sheaves or obj_ext arrays as well. To avoid recursion of sheaf -> obj_ext -> sheaf -> ... allocations at this patch, until the next patch converts sheaves to SLAB_ALLOC_NO_RECURSE, use both gfp and alloc_flags for obj_ext. The next patch will remove the gfp part. Link: https://patch.msgid.link/20260610-slab_alloc_flags-v2-15-7190909db118@kernel.org Reviewed-by: Harry Yoo (Oracle) <harry@kernel.org> Reviewed-by: Suren Baghdasaryan <surenb@google.com> Reviewed-by: Hao Li <hao.li@linux.dev> Signed-off-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
2026-06-18erofs: add folio order to trace_erofs_read_folioZhan Xusheng
erofs supports large folios for reads, but the actual folio order instantiated in the page cache may be lower due to allocation constraints such as memory fragmentation. trace_erofs_read_folio already receives the folio being read but currently records only its index. Add folio_order() to the tracepoint so that users can observe the realized folio order and verify the effectiveness of large folio reads. Also drop the uptodate field: read_folio() is only called for a non-uptodate folio, so it is always 0. Suggested-by: Gao Xiang <hsiangkao@linux.alibaba.com> Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com> Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com> Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
2026-06-18gpio: eic-sprd: use raw_spinlock_t in the irq startup pathRunyu Xiao
sprd_eic_irq_unmask() enables the GPIO IRQ and then updates controller state through sprd_eic_update(), which takes sprd_eic->lock with spin_lock_irqsave(). The callback can be reached from irq_startup() while setting up a requested IRQ. That path is not sleepable, but on PREEMPT_RT a regular spinlock_t becomes a sleeping lock. This issue was found by our static analysis tool and then manually reviewed against the current tree. The grounded PoC kept the request_threaded_irq() -> __setup_irq() -> irq_startup() -> sprd_eic_irq_unmask() -> sprd_eic_update() carrier and used the original spin_lock_irqsave(&sprd_eic->lock) edge. Lockdep reported: BUG: sleeping function called from invalid context hardirqs last disabled at ... __setup_irq.constprop.0 ... [vuln_msv] sprd_rt_spin_lock_irqsave+0x1c/0x30 [vuln_msv] sprd_eic_update.constprop.0+0x48/0x90 [vuln_msv] sprd_eic_irq_unmask.constprop.0+0x35/0x50 [vuln_msv] __setup_irq.constprop.0+0xd/0x30 [vuln_msv] Convert the Spreadtrum EIC controller lock to raw_spinlock_t. The locked section only serializes MMIO register updates and does not contain sleepable operations, so keeping it non-sleeping is appropriate for the irqchip callbacks. Fixes: 25518e024e3a ("gpio: Add Spreadtrum EIC driver support") Cc: stable@vger.kernel.org Signed-off-by: Runyu Xiao <runyu.xiao@seu.edu.cn> Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Link: https://patch.msgid.link/20260617154035.1199948-3-runyu.xiao@seu.edu.cn Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
2026-06-18gpio: sch: use raw_spinlock_t in the irq startup pathRunyu Xiao
sch_irq_unmask() enables the GPIO IRQ and then updates the controller state through sch_irq_mask_unmask(), which takes sch->lock with spin_lock_irqsave(). The callback can be reached from irq_startup() while setting up a requested IRQ. That path is not sleepable, but on PREEMPT_RT a regular spinlock_t becomes a sleeping lock. This issue was found by our static analysis tool and then manually reviewed against the current tree. The grounded PoC kept the request_threaded_irq() -> __setup_irq() -> irq_startup() -> sch_irq_unmask() -> sch_irq_mask_unmask() carrier and used the original spin_lock_irqsave(&sch->lock) edge. Lockdep reported: BUG: sleeping function called from invalid context hardirqs last disabled at ... __setup_irq.constprop.0 ... [vuln_msv] sch_rt_spin_lock_irqsave+0x1c/0x30 [vuln_msv] sch_irq_mask_unmask.constprop.0+0x31/0x70 [vuln_msv] __setup_irq.constprop.0+0xd/0x30 [vuln_msv] Convert the SCH controller lock to raw_spinlock_t. The same lock is also used by the GPIO direction and value callbacks, but those critical sections only update MMIO-backed GPIO registers and do not contain sleepable operations. Keeping this register lock non-sleeping is therefore appropriate for the irqchip callbacks and does not change the GPIO-side locking contract. Fixes: 7a81638485c1 ("gpio: sch: Add edge event support") Cc: stable@vger.kernel.org Signed-off-by: Runyu Xiao <runyu.xiao@seu.edu.cn> Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com> Link: https://patch.msgid.link/20260617154035.1199948-2-runyu.xiao@seu.edu.cn Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
2026-06-17sctp: hold socket lock when dumping endpoints in sctp_diagXin Long
SCTP_DIAG endpoint dumping was traversing endpoint address lists without holding lock_sock(), while those lists could change concurrently via socket operations (e.g., bindx changes). This creates a race where nla_reserve() counts addresses under RCU protection, but the subsequent copy may see fewer entries, potentially leaking uninitialized memory to userspace. Fix this by: - Taking a reference on each endpoint during hash traversal - Moving socket operations (lock_sock()) outside read_lock_bh() - Serializing address list access during dump - Reworking sctp_for_each_endpoint() to support restart-based traversal with (net, pos) tracking Also: - Add WARN_ON_ONCE() for inconsistent address counts - Fix idiag_states filtering for LISTEN vs association cases - Skip dumping endpoints being freed (ep->base.dead) - Move dump position tracking into iterator, removing cb->args[4] and its comment for sctp_ep_dump()., - Update the comment for cb->args[4] and remove the comment for unused cb->args[5] for sctp_sock_dump(). Note: traversal is restart-based and may re-scan buckets multiple times, but this is acceptable due to small bucket sizes and required to support sleeping-safe callbacks. This issue was reported by Nico Yip (@_cyeaa_) working with TrendAI Zero Day Initiative. Reported-by: Zero Day Initiative <zdi-disclosures@trendmicro.com> Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") Signed-off-by: Xin Long <lucien.xin@gmail.com> Link: https://patch.msgid.link/4c1b49ab87e0f7d552ebd8172b364b1994e913c9.1781552190.git.lucien.xin@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-17net: psample: fix info leak in PSAMPLE_ATTR_DATAJakub Kicinski
psample open codes nla_put() presumably to avoid wiping the data with 0s just to override it with packet data. This open coding is missing clearing the pad, however, each netlink attr is padded to 4B and data_len may not be divisible by 4B. Fixes: 6ae0a6286171 ("net: Introduce psample, a new genetlink channel for packet sampling") Reported-by: Weiming Shi <bestswngs@gmail.com> Reviewed-by: Jiri Pirko <jiri@nvidia.com> Link: https://patch.msgid.link/20260616003046.1099490-1-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-17net/mlx5: Remove broken and unused mlx5_query_mtppse()Li RongQing
mlx5_query_mtppse() reads the Event Trigger Pin (MTPPSE) register but reads the returned arm and mode values from the input buffer 'in' instead of the output buffer 'out', so it always returns the values that were written rather than the actual hardware state, making the query useless. The function has no in-tree callers. Remove it rather than fix it. Signed-off-by: Li RongQing <lirongqing@baidu.com> Reviewed-by: Gal Pressman <gal@nvidia.com> Link: https://patch.msgid.link/20260615140406.1828-1-lirongqing@baidu.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-17net: ipv4: bound TCP reordering sysctl writes and MTU probe sizesWyatt Feng
Reject invalid `net.ipv4.tcp_reordering` values before they reach TCP socket state. The sysctl is stored as an `int` but copied into the `u32` `tp->reordering` field for new sockets, so negative writes wrap to large values. With `tcp_mtu_probing=2`, the wrapped value can overflow the `tcp_mtu_probe()` size calculation and drive the MTU probing path into an out-of-bounds read. Route `tcp_reordering` writes through `proc_dointvec_minmax()` and require it to be at least 1. Also require `tcp_max_reordering` to be at least 1 so the configured maximum cannot become negative either. When registering the table for a non-init network namespace, relocate `extra2` pointers that refer into `init_net.ipv4` so the `tcp_reordering` upper bound follows that namespace's `tcp_max_reordering`. Harden `tcp_mtu_probe()` itself by computing `size_needed` as `u64`. This keeps the send queue and window checks from being bypassed through signed integer overflow. Fixes: 91cc17c0e5e5 ("[TCP]: MTUprobe: receiver window & data available checks fixed") Cc: stable@vger.kernel.org Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Zhengchuan Liang <zcliangcn@gmail.com> Reported-by: Xin Liu <bird@lzu.edu.cn> Suggested-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Wyatt Feng <bronzed_45_vested@icloud.com> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> Reviewed-by: Eric Dumazet <edumazet@google.com> Link: https://patch.msgid.link/1a5b7e1ef4d70fbad8c8ee0b82d8405f3c964a3d.1781395200.git.bronzed_45_vested@icloud.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-17net: ehea: unwind probe_port sysfs file on failurePengpeng Hou
ehea_create_device_sysfs() creates probe_port and then remove_port. If the second device_create_file() fails, the helper returns the error but leaves probe_port installed even though probe treats the sysfs setup as failed. Remove probe_port on the remove_port creation failure path so the helper leaves no partial sysfs state behind. Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn> Reviewed-by: Andrew Lunn <andrew@lunn.ch> Link: https://patch.msgid.link/20260615070033.43461-1-pengpeng@iscas.ac.cn Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-17octeontx2-af: npc: Log successful MCAM drop-on-non-hit install at debug levelRatheesh Kannoth
npc_install_mcam_drop_rule() used dev_err() after a successful rvu_mbox_handler_npc_mcam_write_entry() call, so normal installs appeared as errors in dmesg. Use dev_dbg() for the success path and keep dev_err() for real failures. Fixes: 3571fe07a090 ("octeontx2-af: Drop rules for NPC MCAM") Signed-off-by: Ratheesh Kannoth <rkannoth@marvell.com> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20260615033157.535237-1-rkannoth@marvell.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-17octeontx2-pf: Fix leak of SQ timestamp buffer on teardownRatheesh Kannoth
The send-queue timestamp ring is allocated with qmem_alloc() when timestamping is used, but otx2_free_sq_res() never freed sq->timestamps, leaking that memory across ifdown and device removal. Add the missing qmem_free() alongside the other SQ companion buffers. Fixes: c9c12d339d93 ("octeontx2-pf: Add support for PTP clock") Cc: Aleksey Makarov <amakarov@marvell.com> Signed-off-by: Ratheesh Kannoth <rkannoth@marvell.com> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20260615030704.504536-1-rkannoth@marvell.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-17selftests/ftrace: Fix trace_marker_raw test on 64K page kernelsTianchen Ding
On ARM64 kernels with 64K pages, the trace_marker_raw test fails because bash's printf builtin uses stdio buffering which splits output into multiple small write() calls to the tracefs file. Since each individual write is within TRACE_MARKER_MAX_SIZE (4096), they all succeed, causing the "too big" write test to incorrectly pass. Fix by writing through dd with iflag=fullblock to guarantee a single atomic write() syscall to trace_marker_raw. Link: https://lore.kernel.org/r/20260601023251.1916483-1-dtcccc@linux.alibaba.com Fixes: 37f46601383a ("selftests/tracing: Add basic test for trace_marker_raw file") Signed-off-by: Tianchen Ding <dtcccc@linux.alibaba.com> Reviewed-by: Steven Rostedt <rostedt@goodmis.org> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
2026-06-17netdev-genl: report NAPI thread PID in the caller's pid namespaceMaoyi Xie
netdev_nl_napi_fill_one() reports the NAPI kthread PID in NETDEV_A_NAPI_PID using task_pid_nr(), which returns the PID in the initial pid namespace. NETDEV_CMD_NAPI_GET does not have GENL_ADMIN_PERM and the netdev genl family is netnsok, so a caller in a child pid namespace can issue it. That caller then sees the kthread's global PID, even though the kthread is not visible in its pid namespace, where the value should be 0. Translate the PID through the caller's pid namespace, the same way commit 3799c2570982 ("io_uring/fdinfo: translate SqThread PID through caller's pid_ns") did for the io_uring SQPOLL thread. The doit and dumpit paths both run synchronously in the caller's context, so task_active_pid_ns(current) is the caller's pid namespace. Fixes: db4704f4e4df ("netdev-genl: Add PID for the NAPI thread") Cc: stable@vger.kernel.org Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com> Reviewed-by: Joe Damato <joe@dama.to> Reviewed-by: Samiullah Khawaja <skhawaja@google.com> Link: https://patch.msgid.link/20260615171736.1709318-1-maoyixie.tju@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-17net: ethernet: mtk_eth_soc: fix supported_interface set after phylink_createChristian Marangi
Everything configured in phylink_config it's assumed to be set before calling phylink_create() to permit correct parsing of all the different modes and capabilities. Commit 51cf06ddafc9 ("net: ethernet: mtk_eth_soc: add support for MT7988 internal 2.5G PHY") while introducing support for 2.5G phy for MT7988, probably due to an auto-rebase, placed the configuration of the INTERNAL interface mode for the supported_interfaces for phylink_config right after phylink_create() introducing a possible problem with supported interfaces parsing. While this doesn't currently create any problem/bug, move setting this bit before phylink_create() to prevent any possible regression in future code change in phylink core. Fixes: 51cf06ddafc9 ("net: ethernet: mtk_eth_soc: add support for MT7988 internal 2.5G PHY") Signed-off-by: Christian Marangi <ansuelsmth@gmail.com> Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com> Reviewed-by: Daniel Golle <daniel@makrotopia.org> Link: https://patch.msgid.link/20260615151106.15438-1-ansuelsmth@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-17Merge branch ↵Jakub Kicinski
'net-require-cap_net_admin-in-the-device-netns-for-tunnel-changelink' Maoyi Xie says: ==================== net: require CAP_NET_ADMIN in the device netns for tunnel changelink A tunnel changelink() operates on at most two netns, dev_net(dev) and the tunnel link netns t->net. They differ once the device is created in or moved to a netns other than the one the request runs in. The rtnl changelink path checks CAP_NET_ADMIN only against dev_net(dev), so a caller privileged there but not in the link netns can rewrite a tunnel that lives in the link netns. Commit 8b484efd5cb4 ("ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().") added the same check on the ioctl path. This series adds it on the RTM_NEWLINK path. Each changelink is gated at the top of the op, before any attribute is parsed, because the per-type parsers can update live tunnel fields first (for example ipgre_netlink_parms() sets t->collect_md). The check is skipped when the link netns is dev_net(dev), where the rtnl path already checked the cap. The check goes through a new helper, rtnl_dev_link_net_capable(), added in patch 1 next to rtnl_get_net_ns_capable() in net/core/rtnetlink.c. Tested on net/main. For every tunnel type in the series a migrated fake-root changelink is rejected with EPERM. For vti6 SIOCGETTUNNEL confirms the link netns hash is left unchanged. Legit non-migrated changelinks still succeed. v5: https://lore.kernel.org/20260611062814.2528793-1-maoyixie.tju@gmail.com v4: https://lore.kernel.org/20260609163110.1717419-1-maoyixie.tju@gmail.com v3: https://lore.kernel.org/20260604125055.3254652-1-maoyixie.tju@gmail.com v2: https://lore.kernel.org/20260601034148.1272080-1-maoyixie.tju@gmail.com v1: https://lore.kernel.org/20260527070824.2677331-1-maoyixie.tju@gmail.com ==================== Link: https://patch.msgid.link/20260612085941.3158249-1-maoyixie.tju@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-17xfrm: xfrm_interface: require CAP_NET_ADMIN in the device netns for changelinkMaoyi Xie
xfrmi_changelink() operates on at most two netns, dev_net(dev) and the interface link netns xi->net. They differ once the device is created in or moved to a netns other than the one the request runs in. The rtnl changelink path checks CAP_NET_ADMIN only against dev_net(dev), so a caller privileged there but not in xi->net can rewrite an interface that lives in xi->net. Gate xfrmi_changelink() on rtnl_dev_link_net_capable() at its top, before any attribute is parsed. Reported-by: Xiao Liang <shaw.leon@gmail.com> Closes: https://lore.kernel.org/netdev/CABAhCOSzP1vaThGV35_VnsRCb=87_CPjPVsTHbq905k8A+BuUg@mail.gmail.com/ Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces") Cc: stable@vger.kernel.org Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com> Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com> Link: https://patch.msgid.link/20260612085941.3158249-8-maoyixie.tju@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-17net: ip6_vti: require CAP_NET_ADMIN in the device netns for changelinkMaoyi Xie
vti6_changelink() operates on at most two netns, dev_net(dev) and the tunnel link netns t->net. They differ once the device is created in or moved to a netns other than the one the request runs in. The rtnl changelink path checks CAP_NET_ADMIN only against dev_net(dev), so a caller privileged there but not in t->net can rewrite a tunnel that lives in t->net. Gate vti6_changelink() on rtnl_dev_link_net_capable() at its top, before any attribute is parsed. Reported-by: Xiao Liang <shaw.leon@gmail.com> Closes: https://lore.kernel.org/netdev/CABAhCOSzP1vaThGV35_VnsRCb=87_CPjPVsTHbq905k8A+BuUg@mail.gmail.com/ Fixes: 61220ab34948 ("vti6: Enable namespace changing") Cc: stable@vger.kernel.org Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com> Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com> Link: https://patch.msgid.link/20260612085941.3158249-7-maoyixie.tju@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-17net: ip6_gre: require CAP_NET_ADMIN in the device netns for changelinkMaoyi Xie
ip6gre_changelink() and ip6erspan_changelink() operate on at most two netns, dev_net(dev) and the tunnel link netns t->net. They differ once the device is created in or moved to a netns other than the one the request runs in. The rtnl changelink path checks CAP_NET_ADMIN only against dev_net(dev), so a caller privileged there but not in t->net can rewrite a tunnel that lives in t->net. Gate both ops on rtnl_dev_link_net_capable() at their top, before any attribute is parsed. Reported-by: Xiao Liang <shaw.leon@gmail.com> Closes: https://lore.kernel.org/netdev/CABAhCOSzP1vaThGV35_VnsRCb=87_CPjPVsTHbq905k8A+BuUg@mail.gmail.com/ Fixes: 690afc165bb3 ("net: ip6_gre: fix moving ip6gre between namespaces") Cc: stable@vger.kernel.org Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com> Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com> Link: https://patch.msgid.link/20260612085941.3158249-6-maoyixie.tju@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-17net: ip6_tunnel: require CAP_NET_ADMIN in the device netns for changelinkMaoyi Xie
ip6_tnl_changelink() operates on at most two netns, dev_net(dev) and the tunnel link netns t->net. They differ once the device is created in or moved to a netns other than the one the request runs in. The rtnl changelink path checks CAP_NET_ADMIN only against dev_net(dev), so a caller privileged there but not in t->net can rewrite a tunnel that lives in t->net. Gate ip6_tnl_changelink() on rtnl_dev_link_net_capable() at its top, before any attribute is parsed. Reported-by: Xiao Liang <shaw.leon@gmail.com> Closes: https://lore.kernel.org/netdev/CABAhCOSzP1vaThGV35_VnsRCb=87_CPjPVsTHbq905k8A+BuUg@mail.gmail.com/ Fixes: 0bd8762824e7 ("ip6tnl: add x-netns support") Cc: stable@vger.kernel.org Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com> Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com> Link: https://patch.msgid.link/20260612085941.3158249-5-maoyixie.tju@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-17net: ip_vti: require CAP_NET_ADMIN in the device netns for changelinkMaoyi Xie
vti_changelink() operates on at most two netns, dev_net(dev) and the tunnel link netns t->net. They differ once the device is created in or moved to a netns other than the one the request runs in. The rtnl changelink path checks CAP_NET_ADMIN only against dev_net(dev), so a caller privileged there but not in t->net can rewrite a tunnel that lives in t->net. Gate vti_changelink() on rtnl_dev_link_net_capable() at its top, before any attribute is parsed. Reported-by: Xiao Liang <shaw.leon@gmail.com> Closes: https://lore.kernel.org/netdev/CABAhCOSzP1vaThGV35_VnsRCb=87_CPjPVsTHbq905k8A+BuUg@mail.gmail.com/ Fixes: 895de9a3488a ("vti4: Enable namespace changing") Cc: stable@vger.kernel.org Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com> Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com> Link: https://patch.msgid.link/20260612085941.3158249-4-maoyixie.tju@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-17net: ipip: require CAP_NET_ADMIN in the device netns for changelinkMaoyi Xie
ipip_changelink() operates on at most two netns, dev_net(dev) and the tunnel link netns t->net. They differ once the device is created in or moved to a netns other than the one the request runs in. The rtnl changelink path checks CAP_NET_ADMIN only against dev_net(dev), so a caller privileged there but not in t->net can rewrite a tunnel that lives in t->net. Gate ipip_changelink() on rtnl_dev_link_net_capable() at its top, before any attribute is parsed. Reported-by: Xiao Liang <shaw.leon@gmail.com> Closes: https://lore.kernel.org/netdev/CABAhCOSzP1vaThGV35_VnsRCb=87_CPjPVsTHbq905k8A+BuUg@mail.gmail.com/ Fixes: 6c742e714d8c ("ipip: add x-netns support") Cc: stable@vger.kernel.org Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com> Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com> Link: https://patch.msgid.link/20260612085941.3158249-3-maoyixie.tju@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-17net: ip_gre: require CAP_NET_ADMIN in the device netns for changelinkMaoyi Xie
A tunnel changelink() operates on at most two netns, dev_net(dev) and the tunnel link netns t->net. They differ once the device is created in or moved to a netns other than the one the request runs in. The rtnl changelink path checks CAP_NET_ADMIN only against dev_net(dev), so a caller privileged there but not in t->net can rewrite a tunnel that lives in t->net. Add rtnl_dev_link_net_capable() next to rtnl_get_net_ns_capable() in net/core/rtnetlink.c. It requires CAP_NET_ADMIN in the link netns and is skipped when the link netns is dev_net(dev), where the rtnl path already checked it. The other patches in this series use the same helper. Gate ipgre_changelink() and erspan_changelink() with it, at the top of the op before any attribute is parsed, because the parsers update live tunnel fields first. ipgre_netlink_parms() sets t->collect_md before ip_tunnel_changelink() runs. Commit 8b484efd5cb4 ("ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().") added the same check on the ioctl path. This adds it on RTM_NEWLINK. Reported-by: Xiao Liang <shaw.leon@gmail.com> Closes: https://lore.kernel.org/netdev/CABAhCOSzP1vaThGV35_VnsRCb=87_CPjPVsTHbq905k8A+BuUg@mail.gmail.com/ Fixes: b57708add314 ("gre: add x-netns support") Cc: stable@vger.kernel.org Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com> Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com> Link: https://patch.msgid.link/20260612085941.3158249-2-maoyixie.tju@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-17net: pse-pd: set user byte command SUB2 fieldRobert Marko
The Set User Byte to Save command has three subject bytes. The PD692x0 protocol guides defines SUB2 with value 0x4e, while SUB1 carries the NVM user byte. Template only initialized SUB and SUB1. Fill SUB2 explicitly so the command matches the documented layout. Signed-off-by: Robert Marko <robert.marko@sartura.hr> Acked-by: Kory Maincent <kory.maincent@bootlin.com> Link: https://patch.msgid.link/20260611102517.445549-1-robert.marko@sartura.hr Signed-off-by: Jakub Kicinski <kuba@kernel.org>