summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2026-06-19Merge tag 'strncpy-removal-v7.2-rc1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull strncpy removal from Kees Cook: - Remove the per-arch strncpy implementations in alpha, m68k, powerpc, x86, and xtensa - Remove strncpy API Over the last 6 years working on strncpy removal there were 362 commits by 70 contributors. Folks with more than 1 commit were: 211 Justin Stitt <justinstitt@google.com> 22 Xu Panda <xu.panda@zte.com.cn> 21 Kees Cook <kees@kernel.org> 17 Thorsten Blum <thorsten.blum@linux.dev> 12 Arnd Bergmann <arnd@arndb.de> 4 Pranav Tyagi <pranav.tyagi03@gmail.com> 4 Lee Jones <lee@kernel.org> 2 Steven Rostedt <rostedt@goodmis.org> 2 Sam Ravnborg <sam@ravnborg.org> 2 Marcelo Moreira <marcelomoreira1905@gmail.com> 2 Krzysztof Kozlowski <krzk@kernel.org> 2 Kalle Valo <kvalo@kernel.org> 2 Jaroslav Kysela <perex@perex.cz> 2 Daniel Thompson <danielt@kernel.org> 2 Andrew Lunn <andrew@lunn.ch> * tag 'strncpy-removal-v7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: string: Remove strncpy() from the kernel xtensa: Remove arch-specific strncpy() implementation x86: Remove arch-specific strncpy() implementation powerpc: Remove arch-specific strncpy() implementation m68k: Remove arch-specific strncpy() implementation alpha: Remove arch-specific strncpy() implementation
2026-06-19ieee802154: allow legacy LLSEC ADD/DEL ops to pass strict validationMichael Bommarito
The LLSEC ADD/DEL doit handlers under the legacy IEEE802154_NL family consume IEEE802154_ATTR_LLSEC_KEY_BYTES and IEEE802154_ATTR_LLSEC_KEY_USAGE_COMMANDS, both declared in net/ieee802154/nl_policy.c as bare length entries with no .type (defaulting to NLA_UNSPEC). Generic netlink strict validation rejects all NLA_UNSPEC attributes via validate_nla(), so every LLSEC_ADD_KEY, LLSEC_DEL_KEY, LLSEC_ADD_DEV, LLSEC_DEL_DEV, LLSEC_ADD_DEVKEY, LLSEC_DEL_DEVKEY, LLSEC_ADD_SECLEVEL, and LLSEC_DEL_SECLEVEL request fails at the dispatcher with "Unsupported attribute" before reaching the handler. The doit path has been silently dead since strict validation became the default for genl families that do not opt out. The dump path is unaffected because dump requests carry no LLSEC attributes to validate, which is why the LLSEC_LIST_KEY read remained reachable (patch 1/2). Introduce IEEE802154_OP_RELAXED() mirroring IEEE802154_OP() but with .validate = GENL_DONT_VALIDATE_STRICT, and use it for the eight legacy LLSEC mutate ops so admin-driven LLSEC configuration via the legacy interface works again. Fixes: 3e9c156e2c21 ("ieee802154: add netlink interfaces for llsec") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com> Link: https://lore.kernel.org/20260520141640.1149513-3-michael.bommarito@gmail.com Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
2026-06-19ieee802154: admin-gate legacy LLSEC dump operationsMichael Bommarito
In net/ieee802154/netlink.c, the legacy IEEE802154_NL family ops table builds the LLSEC dump entries (LLSEC_LIST_KEY, LLSEC_LIST_DEV, LLSEC_LIST_DEVKEY, LLSEC_LIST_SECLEVEL) with IEEE802154_DUMP() which sets no .flags, so generic netlink runs them ungated. The modern nl802154 family admin-gates the equivalent reads via NL802154_CMD_GET_SEC_KEY and friends with .flags = GENL_ADMIN_PERM. Any local uid that can open AF_NETLINK / NETLINK_GENERIC can resolve the "802.15.4 MAC" family and dump LLSEC_LIST_KEY on any wpan netdev that has an LLSEC key installed; the dump handler writes the raw 16-byte AES-128 key bytes (IEEE802154_ATTR_LLSEC_KEY_BYTES, copied verbatim from struct ieee802154_llsec_key.key) into the reply. Recovering the AES key compromises 802.15.4 LLSEC link confidentiality and authenticity, since LLSEC uses CCM* and the same key authenticates and encrypts frames. Impact: any local uid with no capabilities can read the raw 16-byte AES-128 LLSEC key from the kernel keytable on any wpan netdev that has an administrator-installed LLSEC key, by issuing an LLSEC_LIST_KEY dump on the legacy IEEE802154_NL generic-netlink family. Introduce IEEE802154_DUMP_PRIV() mirroring IEEE802154_DUMP() but setting .flags = GENL_ADMIN_PERM, and use it for the four LLSEC dump entries. LIST_PHY and LIST_IFACE retain IEEE802154_DUMP() because the modern nl802154 family exposes their equivalents to unprivileged readers by design (NL802154_CMD_GET_WPAN_PHY and NL802154_CMD_GET_INTERFACE carry "can be retrieved by unprivileged users" annotations). Fixes: 3e9c156e2c21 ("ieee802154: add netlink interfaces for llsec") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com> Link: https://lore.kernel.org/20260520141640.1149513-2-michael.bommarito@gmail.com Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
2026-06-19mac802154: Prevent overwrite return code in mac802154_perform_association()Robertus Diawan Chris
When assoc_status not equal to IEEE802154_ASSOCIATION_SUCCESSFUL, the return value assigned to either "-ERANGE" or "-EPERM" but this return value will be overwritten to 0 after exiting the conditional scope. So, jump to clear_assoc label to preserve the return value when assoc_status not equal to IEEE802154_ASSOCIATION_SUCCESSFUL. This is reported by Coverity Scan as "Unused value". Fixes: fefd19807fe9 ("mac802154: Handle associating") Signed-off-by: Robertus Diawan Chris <robertusdchris@gmail.com> Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com> Link: https://lore.kernel.org/20260602054133.470293-1-robertusdchris@gmail.com Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
2026-06-19ieee802154: fix kernel-infoleak in dgram_recvmsg()Aleksandr Nogikh
KMSAN reported a kernel-infoleak in move_addr_to_user(): BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:131 [inline] BUG: KMSAN: kernel-infoleak in _inline_copy_to_user include/linux/uaccess.h:205 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_user+0xcc/0x120 lib/usercopy.c:26 instrument_copy_to_user include/linux/instrumented.h:131 [inline] _inline_copy_to_user include/linux/uaccess.h:205 [inline] _copy_to_user+0xcc/0x120 lib/usercopy.c:26 copy_to_user include/linux/uaccess.h:236 [inline] move_addr_to_user+0x2e7/0x440 net/socket.c:302 ____sys_recvmsg+0x232/0x610 net/socket.c:2925 ... Uninit was stored to memory at: ieee802154_addr_to_sa include/net/ieee802154_netdev.h:369 [inline] dgram_recvmsg+0xa09/0xbe0 net/ieee802154/socket.c:739 The issue occurs because the `pan_id` field of `struct ieee802154_addr` is left uninitialized when the address mode is `IEEE802154_ADDR_NONE`. The execution flow is as follows: 1. `__ieee802154_rx_handle_packet()` declares a local `struct ieee802154_hdr hdr` on the stack. 2. `ieee802154_hdr_pull()` calls `ieee802154_hdr_get_addr()` to parse the source and destination addresses into this structure. 3. If the address mode is `IEEE802154_ADDR_NONE`, `ieee802154_hdr_get_addr()` previously only set the `mode` field, leaving the `pan_id` field containing uninitialized stack memory. 4. This uninitialized `pan_id` is later copied into a `struct sockaddr_ieee802154` in `dgram_recvmsg()` via `ieee802154_addr_to_sa()`. 5. Finally, `move_addr_to_user()` copies the socket address structure to user space, leaking the uninitialized bytes. Fix this by using `memset` to zero out the address structure in `ieee802154_hdr_get_addr()` when the mode is `IEEE802154_ADDR_NONE`. Fixes: 94b4f6c21cf5 ("ieee802154: add header structs with endiannes and operations") Assisted-by: Gemini:gemini-3.1-pro-preview Gemini:gemini-3-flash-preview syzbot Reported-by: syzbot+346474e3bf0b26bd3090@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=346474e3bf0b26bd3090 Link: https://syzkaller.appspot.com/ai_job?id=a507a109-d683-4a2c-bc03-93394f491b17 Signed-off-by: Aleksandr Nogikh <nogikh@google.com> Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com> Link: https://lore.kernel.org/62795fd9-fc0c-48eb-bb82-05ffc5a57104@mail.kernel.org Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
2026-06-19Merge tag 'exfat-for-7.2-rc1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/exfat Pull exfat updates from Namjae Jeon: - Convert exfat buffered and direct I/O to the iomap infrastructure - Add the supporting block mapping changes needed for that conversion, including multi-cluster allocation, byte-based cluster mapping helpers - Support SEEK_HOLE/SEEK_DATA and swapfile activation through iomap - Fix damaged upcase-table handling so a zero-sized table does not lead to an infinite loop - Fix a potential use-after-free in exfat_find_dir_entry() - Bound filename-entry advancement in exfat_find_dir_entry() - Preserve benign secondary entries during rename and move - Serialize truncate against in-flight direct I/O - Simplify exfat_lookup() - Replace unsafe arithmetic macros with static inline helpers * tag 'exfat-for-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/exfat: exfat: bound uniname advance in exfat_find_dir_entry() exfat: add swap_activate support exfat: preserve benign secondary entries during rename and move exfat: serialize truncate against in-flight DIO exfat: add support for SEEK_HOLE and SEEK_DATA in llseek exfat: add iomap direct I/O support exfat: add iomap buffered I/O support exfat: fix implicit declaration of brelse() exfat: add data_start_bytes and exfat_cluster_to_phys_bytes() helper exfat: add support for multi-cluster allocation exfat: add exfat_file_open() exfat: add balloc parameter to exfat_map_cluster() for iomap support exfat: replace unsafe macros with static inline functions exfat: simplify exfat_lookup() exfat: fix potential use-after-free in exfat_find_dir_entry() exfat: fix handling of damaged volume in exfat_create_upcase_table()
2026-06-19mac802154: llsec: add skb_cow_data() before in-place cryptoDoruk Tan Ozturk
llsec_do_encrypt_unauth(), llsec_do_encrypt_auth(), llsec_do_decrypt_unauth(), and llsec_do_decrypt_auth() all perform in-place cryptographic transformations on skb data. They build a scatterlist with sg_init_one() pointing into the skb's linear data area and then pass the same scatterlist as both src and dst to the crypto API (e.g. crypto_skcipher_encrypt/decrypt, crypto_aead_encrypt/decrypt). On the RX path, __ieee802154_rx_handle_packet() clones the received skb before handing it to each subscriber via ieee802154_subif_frame(). The cloned skb shares the same underlying data buffer via reference counting. When llsec_do_decrypt() subsequently modifies this shared buffer in place, it corrupts data that other clones -- potentially belonging to other sockets or subsystems -- still reference. On the TX path, similar data sharing can occur when an skb's head has been cloned (skb_cloned() returns true). The fix is to call skb_cow_data() before performing any in-place crypto operation. skb_cow_data() ensures that the skb's data area is not shared: if the skb head is cloned or the data spans multiple fragments, it copies the data into a private buffer that can be safely modified in place. This is the same pattern used by: - ESP (net/ipv4/esp4.c, net/ipv6/esp6.c) - MACsec (drivers/net/macsec.c) - WireGuard (drivers/net/wireguard/receive.c) - TIPC (net/tipc/crypto.c) Without this guard, in-place crypto on shared skb data leads to: - Silent data corruption of other skb clones - Use-after-free when the crypto API scatterwalk writes through a page that has already been freed by another clone's kfree_skb() - Kernel crashes under concurrent 802.15.4 traffic with security enabled (KASAN/KMSAN reports slab-use-after-free) Found by 0sec (https://0sec.ai) using automated source analysis. Fixes: 4c14a2fb5d14 ("mac802154: add llsec decryption method") Fixes: 03556e4d0dbb ("mac802154: add llsec encryption method") Cc: stable@vger.kernel.org Reported-by: Doruk Tan Ozturk <doruk@0sec.ai> Closes: https://lore.kernel.org/linux-wpan/20260525161806.96158-1-doruk@0sec.ai/ Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com> Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai> Closes: <link to your mail on lore> Link: https://lore.kernel.org/20260526183726.56100-1-doruk@0sec.ai Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
2026-06-19ieee802154: ca8210: fix pointer truncation in kfifo on 64-bitShitalkumar Gandhi
ca8210_test_int_driver_write() and ca8210_test_int_user_read() exchange a kmalloc'd buffer pointer through a struct kfifo, but pass a literal '4' as the byte count to kfifo_in()/kfifo_out(). This is correct on 32-bit (pointer = 4 bytes), but on 64-bit only the low 4 bytes of the 8-byte pointer are written into the FIFO. The reader then reads back 4 bytes into an 8-byte local pointer variable, leaving the upper 4 bytes uninitialized stack data. The first dereference of the reconstructed pointer (fifo_buffer[1]) accesses an arbitrary kernel address and generally results in an oops. Use sizeof(fifo_buffer) so the byte count matches pointer width on every architecture. The driver has no architecture restriction in Kconfig, so any 64-bit build with CONFIG_IEEE802154_CA8210_DEBUGFS=y is exposed. Issue has been latent since the driver was added in 2017 because it is most commonly deployed on 32-bit MCUs. Found via a custom Coccinelle semantic patch hunting for short-byte kfifo I/O on byte-mode kfifos used to shuttle pointers. Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver") Cc: stable@vger.kernel.org Signed-off-by: Shitalkumar Gandhi <shitalkumar.gandhi@cambiumnetworks.com> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://lore.kernel.org/20260520105750.30144-1-shitalkumar.gandhi@cambiumnetworks.com Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
2026-06-19Merge tag 'ntfs-for-7.2-rc1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/ntfs Pull ntfs updates from Namjae Jeon: - Harden handling of malformed on-disk metadata. This adds stricter validation for attributes, attribute lists, index roots and entries, EA entries, mapping pairs, and $LogFile restart areas. These changes fix several out-of-bounds access, integer overflow, and inconsistent metadata handling issues. - Prevent a writeback deadlock involving extent MFT records - Fix resource leaks in fill_super() failure paths and the name cache - Serialize volume label access and improving its error handling - Fix mapping-pairs decoding bounds and LCN overflow checks - Keep resident index root metadata consistent during resize - Fix the reported size of symbolic links - Avoid an unnecessary allocation for resident inline data - Add support for following and creating Windows native symbolic links. Relative links, absolute links, and junctions are handled, with new mount options controlling native symlink creation and absolute target translation. The existing WSL symlink behavior remains the default. - The unsupported quota code is removed, along with several smaller cleanups * tag 'ntfs-for-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/ntfs: (39 commits) docs/fs/ntfs: add mount options to support Windows native symbolic links ntfs: support creating Windows native symlinks ntfs: clean up target name conversion for WSL symlinks ntfs: add native_symlink mount option ntfs: support following Windows native symlink with absolute paths ntfs: support following Windows native symlink with relative paths ntfs: fix incorrect size of symbolic link ntfs: use direct pointer for inline data to avoid redundant allocation ntfs: validate resident index root values on lookup ntfs: update index root allocated size before shrink ntfs: grow index root value before reparent header update ntfs: reject non-resident records for resident-only attributes ntfs: fix u16 truncation of restart-area length check ntfs: bound the attribute-list entry in ntfs_read_inode_mount() ntfs: bound the look-ahead attribute-list entry in ntfs_external_attr_find() ntfs: validate resident attribute lists and harden the validator ntfs: validate resident volume name values on lookup ntfs: reinit search context before volume information lookup ntfs: do not replace volume name after lookup errors ntfs: validate attribute values on lookup ...
2026-06-19ieee802154: ca8210: fix cas_ctl leak on spi_async failureShitalkumar Gandhi
ca8210_spi_transfer() allocates cas_ctl with kzalloc_obj(GFP_ATOMIC) and relies entirely on the SPI completion callback ca8210_spi_transfer_complete() to free it. The spi_async() API only invokes the completion callback on successful submission. On failure it returns a negative error code without ever queuing the callback, which leaves cas_ctl and its embedded spi_message and spi_transfer orphaned. Every kfree(cas_ctl) in the driver is inside the completion callback, so there is no other reclamation path. ca8210_spi_transfer() is called from ca8210_spi_exchange(), the interrupt handler ca8210_interrupt_handler(), and from the retry path inside the completion callback itself. The exchange and interrupt handler paths loop on -EBUSY, so under sustained SPI bus contention every retry iteration leaks a fresh cas_ctl (~600 bytes per occurrence). Fix it by freeing cas_ctl on the spi_async() error path. While here, correct the misleading error string: the function calls spi_async(), not spi_sync(). Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver") Cc: stable@vger.kernel.org Signed-off-by: Shitalkumar Gandhi <shitalkumar.gandhi@cambiumnetworks.com> Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com> Link: https://lore.kernel.org/20260421073259.2259783-1-shitalkumar.gandhi@cambiumnetworks.com Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
2026-06-19sched/mmcid: Fix OOB clear_bit when CID is MM_CID_UNSET in fixup pathRik van Riel
In mm_cid_fixup_cpus_to_tasks(), when rq->curr has the target mm and mm_cid.active is set, the CID is checked with cid_in_transit() before setting the transition bit. In per-CPU mode a newly forked or exec'd task can be running with mm_cid.cid == MM_CID_UNSET because CIDs are assigned lazily on schedule-in. With cid_in_transit() the guard passes for MM_CID_UNSET (no transit bit), converts it to MM_CID_UNSET | MM_CID_TRANSIT and stores it back; later mm_cid_schedout() feeds this to clear_bit() with MM_CID_UNSET as the bit number, triggering an out-of-bounds write. Symptoms: this is genuine memory corruption, but a bounded out-of-bounds write, not an arbitrary one. MM_CID_UNSET is the fixed sentinel BIT(31), so once the bad value reaches mm_cid_schedout() the cid_from_transit_cid() strip leaves MM_CID_UNSET, which fails the "cid < max_cids" convergence test and falls into mm_drop_cid() -> clear_bit(MM_CID_UNSET, mm_cidmask(mm)). The cid bitmap is embedded in the mm_struct slab object (after cpu_bitmap and mm_cpus_allowed) and is only num_possible_cpus() bits wide, so clearing bit 31 is a deterministic OOB bit-clear at a fixed offset of 2^31 / 8 == 256 MiB past the bitmap base. The address is not attacker-influenced (fixed sentinel -> fixed offset) and the op only clears a single bit; what sits 256 MiB further along the direct map is whatever kernel object happens to live there, so this corrupts one bit of unpredictable kernel memory -- it is not an arbitrary-address or arbitrary-value write. It triggers only in per-CPU CID mode, when a CPU is running an active task of the target mm whose cid is still MM_CID_UNSET -- the fork()/execve() window before that task's next schedule-in assigns it a real CID -- and a per-CPU -> per-task fixup walks over it (the mode fallback driven by a thread exit, sched_mm_cid_exit(), or by the deferred max_cids recompute in mm_cid_work_fn()). In practice syzkaller surfaced it as a KASAN use-after-free reported in __schedule -> mm_cid_switch_to, where the offending clear_bit() is inlined via mm_cid_schedout() -> mm_drop_cid(). Guard the transition-bit assignment against MM_CID_UNSET, in addition to the existing cid_in_transit() check, so the bit is only set on a genuine task-owned CID. A CPU-owned (MM_CID_ONCPU) CID of a running active task is handled by the cid_on_cpu(pcp->cid) branch above and never reaches this path, so excluding MM_CID_UNSET (and the already-transitioning case) is sufficient. Fixes: fbd0e71dc370 ("sched/mmcid: Provide CID ownership mode fixup functions") Signed-off-by: Rik van Riel <riel@surriel.com> Signed-off-by: Thomas Gleixner <tglx@kernel.org> Assisted-by: Claude:claude-opus-4-8 syzkaller Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20260616203818.1516263-1-riel@surriel.com
2026-06-19ieee802154: Remove WARN_ON() in cfg802154_pernet_exit()Ivan Abramov
There's no need to call WARN_ON() in cfg802154_pernet_exit(), since every point of failure in cfg802154_switch_netns() is covered with WARN_ON(), so remove it. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 66e5c2672cd1 ("ieee802154: add netns support") Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com> Signed-off-by: Ivan Abramov <i.abramov@mt-integration.ru> Link: https://lore.kernel.org/20250403101935.991385-4-i.abramov@mt-integration.ru Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
2026-06-19ieee802154: Avoid calling WARN_ON() on -ENOMEM in cfg802154_switch_netns()Ivan Abramov
It's pointless to call WARN_ON() in case of an allocation failure in dev_change_net_namespace() and device_rename(), since it only leads to useless splats caused by deliberate fault injections, so avoid it. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 66e5c2672cd1 ("ieee802154: add netns support") Reported-by: syzbot+e0bd4e4815a910c0daa8@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/000000000000f4a1b7061f9421de@google.com/#t Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com> Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com> Signed-off-by: Ivan Abramov <i.abramov@mt-integration.ru> Link: https://lore.kernel.org/20250403101935.991385-3-i.abramov@mt-integration.ru Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
2026-06-19ieee802154: Restore initial state on failed device_rename() in ↵Ivan Abramov
cfg802154_switch_netns() Currently, the return value of device_rename() is not acted upon. To avoid an inconsistent state in case of failure, roll back the changes made before the device_rename() call. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 66e5c2672cd1 ("ieee802154: add netns support") Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com> Signed-off-by: Ivan Abramov <i.abramov@mt-integration.ru> Link: https://lore.kernel.org/20250403101935.991385-2-i.abramov@mt-integration.ru Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
2026-06-19Merge tag 'landlock-7.2-rc1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux Pull landlock updates from Mickaël Salaün: "This adds new Landlock access rights to control UDP bind and connect/send operations, and a new "quiet" feature to mute specific specific audit logs (and other future observability events). A few commits also fix Landlock issues" * tag 'landlock-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux: (24 commits) selftests/landlock: Add tests for invalid use of quiet flag selftests/landlock: Add tests for quiet flag with scope selftests/landlock: Add tests for quiet flag with net rules selftests/landlock: Add tests for quiet flag with fs rules selftests/landlock: Replace hard-coded 16 with a constant samples/landlock: Add quiet flag support to sandboxer landlock: Suppress logging when quiet flag is present landlock: Add API support and docs for the quiet flags landlock: Add a place for flags to layer rules landlock: Add documentation for UDP support samples/landlock: Add sandboxer UDP access control selftests/landlock: Add tests for UDP send selftests/landlock: Add tests for UDP bind/connect landlock: Add UDP send+connect access control landlock: Add UDP bind() access control landlock: Fix unmarked concurrent access to socket family selftests/landlock: Explicitly disable audit in teardowns selftests/landlock: Test SCOPE_SIGNAL on the SIGIO/fowner pgid path landlock: Fix LANDLOCK_SCOPE_SIGNAL bypass on the SIGIO path landlock: Demonstrate best-effort allowed_access filtering ...
2026-06-19Merge tag 'for-next-keys-7.2-rc1-2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd Pull keys update from Jarkko Sakkinen: "This contains only bug fixes" * tag 'for-next-keys-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd: keys: keyctl_pkey: replace BUG with return -EOPNOTSUPP keys: request_key: replace BUG with return -EINVAL keys: Pin request_key_auth payload in instantiate paths keys: prevent slab cache merging for key_jar keys: Replace strcpy(derived_buf, "AUTH_KEY") with strscpy(..., HASH_SIZE) KEYS: Use acquire when reading state in keyring search keys/trusted_keys: mark 'migratable' as __ro_after_init keys: use kmalloc_flex in user_preparse KEYS: trusted: Debugging as a feature KEYS: encrypted: Remove unnecessary selection of CRYPTO_RNG KEYS: fix overflow in keyctl_pkey_params_get_2()
2026-06-19ACPI: IPMI: Fix inverted interface check in ipmi_bmc_gone()Xu Rao
Before commit a1a69b297e47 ("ACPI / IPMI: Fix race caused by the unprotected ACPI IPMI user"), ipmi_bmc_gone() skipped entries whose interface number did not match the SMI being removed, then killed the matching entry: if (ipmi_device->ipmi_ifnum != iface) continue; __ipmi_dev_kill(ipmi_device); That commit folded the removal block into the existing non-match test while converting the object lifetime handling, but left the comparison unchanged. The old != meant "continue past this entry"; after the refactor it meant "kill this entry". As a result, a single ACPI IPMI interface is never removed when its SMI disappears. If multiple interfaces are tracked, the first interface whose number differs from iface is removed instead, while the interface that actually disappeared remains on driver_data.ipmi_devices. The stale entry is not marked dead and can continue to be selected for ACPI IPMI transactions. It can also prevent the same ACPI handle from being registered again. Change the comparison to == so ipmi_bmc_gone() removes exactly the interface reported as gone by the SMI watcher. This restores the pre-a1a69b297e47 behavior and is the correct interface matching logic. Fixes: a1a69b297e47 ("ACPI / IPMI: Fix race caused by the unprotected ACPI IPMI user") Signed-off-by: Xu Rao <raoxu@uniontech.com> Link: https://patch.msgid.link/B486593E06E6F6E0+20260616093621.1039943-1-raoxu@uniontech.com Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2026-06-19Merge tag 'integrity-v7.2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity Pull IMA updates from Mimi Zohar: - Introduce IMA and EVM post-quantum ML-DSA signature support ML-DSA signature support for IMA and EVM is limited to sigv3 signatures, which calculates and verifies a hash of a compact structure containing the file data/metadata hash, hash type, and hash algorithm. IMA and EVM still calculate the file data/metadata hashes respectively. - Introduce support for removing IMA measurement list records stored in kernel memory The IMA measurement list can grow large depending on policy, but removing records breaks remote attestation, unless they are safely preserved and made available for attestation requests. Until environments are prepared to preserve the measurement records, a new CONFIG_IMA_STAGING Kconfig option is introduced to guard against deletion. Several approaches for removing measurement list records were evaluated but rejected due to filesystem constraints, the introduction of a new critical data record, and locking concerns. Two methods are being upstreamed: staged deletion with confirmation, and staged deletion of N records without confirmation. Both methods minimize the period during which new measurements are blocked from being appended to the measurement list by staging the measurement list. A comparison of the two methods is included in the documentation. - Some code cleanup, and a couple of bug fixes * tag 'integrity-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: doc: security: Add documentation of exporting and deleting IMA measurements ima: Support staging and deleting N measurements records ima: Add support for flushing the hash table when staging measurements ima: Add support for staging measurements with prompt ima: Introduce ima_dump_measurement() ima: Use snprintf() in create_securityfs_measurement_lists ima: Mediate open/release method of the measurements list ima: Introduce _ima_measurements_start() and _ima_measurements_next() ima: Introduce per binary measurements list type binary_runtime_size value ima: Introduce per binary measurements list type ima_num_records counter ima: Replace static htable queue with dynamically allocated array ima: Remove ima_h_table structure evm: terminate and bound the evm_xattrs read buffer integrity: Add support for sigv3 verification using ML-DSA keys integrity: Refactor asymmetric_verify for reusability integrity: Check that algo parameter is within valid range integrity: Check for NULL returned by asymmetric_key_public_key ima: return error early if file xattr cannot be changed ima: Fix sigv3 signature handling for EVM_IMA_XATTR_DIGSIG
2026-06-19ACPI: resource: Amend kernel-doc styleAndy Shevchenko
The functions are referred as func() in the kernel-doc. The % (percent) character makes the rendering for constants as described in the respective documentation. Amend all these. Fixes: 8e345c991c8c ("ACPI: Centralized processing of ACPI device resources") Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Link: https://patch.msgid.link/20260617090555.2648709-1-andriy.shevchenko@linux.intel.com Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2026-06-19ACPI: sysfs: Fix path of module parameters in commentsZenghui Yu
The correct path of module parameters should be /sys/module/acpi/parameters/xxx. Fix them. Signed-off-by: Zenghui Yu <zenghui.yu@linux.dev> Link: https://patch.msgid.link/20260611142518.77343-1-zenghui.yu@linux.dev Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2026-06-19thermal: intel: Fix dangling resources on thermal_throttle_online() failureRicardo Neri
The function thermal_throttle_add_dev() may fail and abort a CPU hotplug online operation. Since the failure occurs within the online callback, thermal_throttle_online(), the CPU hotplug framework does not invoke the corresponding offline callback. As a result, the hardware and software resources set up during the failed operation are not torn down. Since only thermal_throttle_add_dev() can fail, call it before setting up the rest of the resources. Fixes: f6656208f04e ("x86/mce/therm_throt: Optimize notifications of thermal throttle") Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com> Link: https://patch.msgid.link/20260613-rneri-directed-therm-intr-v3-1-3a26d1e47fc8@linux.intel.com Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2026-06-19Merge tag 'mm-stable-2026-06-18-09-26' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Pull MM updates from Andrew Morton: - "selftests/mm: clean up build output and verbosity" (Li Wang) Remove some noise from the MM selftests build - "mm: Free contiguous order-0 pages efficiently" (Ryan Roberts) Speed up the freeing of a batch of 0-order pages by first scanning them for coalescing opportunities. This is applicable to vfree() and to the releasing of frozen pages - "mm/damon: introduce DAMOS failed region quota charge ratio" (SeongJae Park) Address a DAMOS usability issue: The DAMOS quota often exhausts prematurely because it charges for all memory attempted, causing slow and inconsistent performance when actions fail on unreclaimable memory. To fix this, a new feature lets users set a smaller, flexible quota charge ratio (via a numerator and denominator) for failed regions. Since failed actions cause less overhead, reducing their quota cost ensures more predictable and efficient DAMOS processing - "selftests/cgroup: improve zswap tests robustness and support large page sizes" (Li Wang) Fix various spurious failures and improves the overall robustness of the cgroup zswap selftests - "fix MAP_DROPPABLE not supported errno" (Anthony Yznaga) Fix an issue in the mlock selftests on arm32 - "mm: huge_memory: clean up defrag sysfs with shared" (Breno Leitao) Some maintenance work in the huge_memory code - "treewide: fixup gfp_t printks" (Brendan Jackman) Use the special vprintf() gfp_t conversion in various places - "mm: Fix vmemmap optimization accounting and initialization" (Muchun Song) Fix several bugs in the vmemmap optimization, mainly around incorrect page accounting and memmap initialization in the DAX and memory hotplug paths. It also fixes pageblock migratetype initialization and struct page initialization for ZONE_DEVICE compound pages - "mm/damon: repost non-hotfix reviewed patches in damon/next tree" A sprinkle of unrelated minor bugfixes for DAMON - "mm: remove page_mapped()" (David Hildenbrand) Remove this function from the tree, replacing it with folio_mapped() - "mm/damon: let DAMON be paused and resumed" (SeongJae Park) Allow DAMON to be paused and resumed without losing its current state - "kasan: hw_tags: Disable tagging for stack and page-tables" (Muhammad Usama Anjum) Simplify and speed up kasan by removing its ineffective tagging of stacks and page tables - "mm/damon/reclaim,lru_sort: monitor all system rams by default" (SeongJae Park) Simplify deployment on diverse hardware like NUMA systems by updating DAMON_RECLAIM and DAMON_LRU_SORT to automatically monitor the physical address range covering all System RAM areas by default, replacing the overly restrictive behavior that only targeted the single largest memory block to save on negligible overhead - "mm/damon/sysfs: document filters/ directory as deprecated" (SeongJae Park) Update some DAMON docs - "mm: use spinlock guards for zone lock" (Dmitry Ilvokhin) Switch zone->lock handling over to using the guard() mechanisms - "mm/filemap: tighten mmap_miss hit accounting" (fujunjie) Fix a flaw where the mmap_miss counter over-credited page cache hits during fault-arounds and page-fault retries. This results in significant reduction of redundant synchronous mmap readahead I/O, drastically cutting down execution time and gigabytes read for sparse random or strided memory access workloads - "selftests/cgroup: Fix false positive failures in test_percpu_basic" (Li Wang) Fix a couple of false-positives in the cgroup kmem selftests - "mm/damon/reclaim: support monitoring intervals auto-tuning" (SeongJae Park) Add a new parameter to DAMON permitting DAMON_RECLAIM to automatically tune DAMON's sampling and aggregation intervals - "mm/damon/stat: add kdamond_pid parameter" (SeongJae Park) Change DAMON_STAT to provide the pid of its kdamond - "mm/kmemleak: dedupe verbose scan output" (Breno Leitao) Remove large amounts of duplicated backtraces from the verbose-mode kmemleak output - "mm: remove CONFIG_HAVE_BOOTMEM_INFO_NODE (Part 1)" (David Hildenbrand) Reduce our use of CONFIG_HAVE_BOOTMEM_INFO_NODE, with a view to removing it entirely in a later series - "mm/damon: validate min_region_size to be power of 2" (Liew Rui Yan) Prevent users from passing a non-power-of-2 value of `addr_unit', as this later results in undesirable behavior - "mm: document read_pages and simplify usage" (Frederick Mayle) - "tools/mm/page-types: Fix misc bugs" (Ye Liu) Fix three issues in tools/mm/page-types.c - "mm: misc cleanups from __GFP_UNMAPPED series" (Brendan Jackman) Implement several cleanups in the page allocator and related code - "mm, swap: swap table phase IV: unify allocation" (Kairui Song) Unify the allocation and charging of anon and shmem swap in folios, provides better synchronization, consolidates the metadata management, hence dropping the static array and map, and improves performance - "mm/damon: introduce data attributes monitoring" (SeongJae Park( Extend DAMON to monitor general data attributes other than accesses - "mm/vmalloc: free unused pages on vrealloc() shrink" (Shivam Kalra) Implement the TODO in vrealloc() to unmap and free unused pages when shrinking across a page boundary - "mm/damon: documentation and comment fixes" (niecheng) - "remove mmap_action success, error hooks" (Lorenzo Stoakes) Eliminate custom hooks from mmap_action by removing the problematic success_hook which allowed drivers to improperly access uninitialized VMAs. It replaces the error_hook with a simple error-code field and updates the memory char driver accordingly - "mm/damon: minor improvements for code readability and tests" (SeongJae Park) - "mm/damon: fix macro arguments and clarify quota goals doc" (Maksym Shcherba) - "userfaultfd: merge fs/userfaultfd.c into mm/userfaultfd.c" (Mike Rapoport) - "mm/mglru: improve reclaim loop and dirty folio" (Kairui Song and others) Clean up and slightly improves MGLRU's reclaim loop and dirty writeback handling. Large performance improvements are measured - "use vma locks for proc/pid/{smaps|numa_maps} reads" (Suren Baghdasaryan) Use per-vma locks when reading /proc/pid/smaps and numa_maps similar to reduce contention on central mmap_lock - "refactors thpsize_shmem_enabled_store() and thpsize_shmem_enabled_show()" (Ran Xiaokai) Some cleanup work in the THP code - "selftests/memfd: fix compilation warnings" (Konstantin Khorenko) Fix a few build glitches in the memfd selftest code. - "memcg: shrink obj_stock_pcp and cache multiple objcgs" (Shakeel Butt) Resolve a 68% performance regression caused by NUMA-node cache thrashing around struct obj_stock_pcp by shrinking its existing fields and expanding it into a multi-slot array that caches up to five obj_cgroup pointers per CPU, allowing per-node variants of the same memcg to coexist within a single 64-byte cache line. - "zram: writeback fixes" (Sergey Senozhatsky) address a couple of unrelated zram writeback issues - "mm: switch THP shrinker to list_lru" (Johannes Weiner) Resolve NUMA-awareness issues and streamlines callsite interaction by refactoring and extending the list_lru API to completely replace the complex, open-coded deferred split queue for Transparent Huge Pages - "mm: improve large folio readahead for exec memory" (Usama Arif) Improve large-folio readahead on systems like 64K-page arm64 by preventing the mmap_miss check from permanently disabling target-oriented VM_EXEC readahead, and by generalizing the force_thp_readahead gate to support mappings with any usefully large maximum folio order under the cache cap. - "userfaultfd/pagemap: pre-existing fixes" (Kiryl Shutsemau) Fix a bunch of minor issues in the userfaultfd/pagemap, all of which were flagged by Sashiko review of proposed new material - "mm/sparse-vmemmap: Provide generic vmemmap_set_pmd() and vmemmap_check_pmd()" (Muchun Song) Provide generic versions of these two functions so the four arch-specific implementations can be removed. - "mm/swap, PM: hibernate: fix swapoff race in uswsusp by pinning swap device" (Youngjun Park) Address a uswsusp-vs-swapoff race and reduces the swap device reference taking/releasing frequency. - "mm/hmm: A fix and a selftest" (Dev Jain) * tag 'mm-stable-2026-06-18-09-26' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: (321 commits) selftests/mm/hmm-tests: test pagemap reads of PMD device-private entries fs/proc/task_mmu: do not warn on seeing non-migration pmd entry lib/test_hmm: check alloc_page_vma() return value and handle OOM mm/compaction: cap compact_gap() at COMPACT_CLUSTER_MAX mm/swap: remove redundant swap device reference in alloc/free mm/swap, PM: hibernate: fix swapoff race in uswsusp by pinning swap device mm/filemap: use folio_next_index() for start vmalloc: fix NULL pointer dereference in is_vm_area_hugepages() sparc/mm: drop vmemmap_check_pmd helper and use generic code loongarch/mm: drop vmemmap_check_pmd helper and use generic code riscv/mm: drop vmemmap_pmd helpers and use generic code arm64/mm: drop vmemmap_pmd helpers and use generic code mm/sparse-vmemmap: provide generic vmemmap_set_pmd() and vmemmap_check_pmd() rust: page: mark Page::nid as inline userfaultfd: build __VMA_UFFD_FLAGS from config-gated masks userfaultfd: gate must_wait writability check on pte_present() mm/huge_memory: preserve pmd_swp_uffd_wp on device-private PMD downgrade fs/proc/task_mmu: fix hugetlb self-deadlock in pagemap_scan_pte_hole() fs/proc/task_mmu: use huge_page_size() in pagemap_scan_hugetlb_entry() fs/proc/task_mmu: fix make_uffd_wp_huge_pte() prot-update race ...
2026-06-19regulator: pca9450: Correct default t_off_deb for PCA9451A/PCA9452Joy Zou
The PMIC PCA9451A and PCA9452 have a default power-off debounce time of 2ms according to their datasheet, while PCA9450A and PCA9450BC use 120us. Add default_t_off_deb field to struct pca9450 to support per-variant default configuration when the device tree property is not specified. Datasheet reference links: - PCA9451A Rev.2.1: https://www.nxp.com/docs/en/data-sheet/PCA9451A.pdf - PCA9452 Rev.1.0: https://www.nxp.com/docs/en/data-sheet/PCA9452.pdf Signed-off-by: Joy Zou <joy.zou@nxp.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260618-b4-regulator-opt-v1-1-c43b1f62aaf6@oss.nxp.com Signed-off-by: Mark Brown <broonie@kernel.org>
2026-06-19spi: dw: Add support for snps,dwc-ssi-2.00aChanghuang Liang
Add a new compatible entry "snps,dwc-ssi-2.00a" for the Synopsys DesignWare SSI controller version 2.00a. This variant uses the same initialization routine as snps,dwc-ssi-1.01a (dw_spi_hssi_init). Signed-off-by: Changhuang Liang <changhuang.liang@starfivetech.com> Link: https://patch.msgid.link/20260619143443.22267-3-changhuang.liang@starfivetech.com Signed-off-by: Mark Brown <broonie@kernel.org>
2026-06-19spi: dt-bindings: snps,dw-apb-ssi: Add starfive,jhb100-spiChanghuang Liang
Add a new compatible string "starfive,jhb100-spi" for the StarFive JHB100 SPI, it based on the Synopsys DesignWare SSI version 2.00a, uses snps,dwc-ssi-2.00a as the primary fallback and snps,dwc-ssi-1.01a as the secondary fallback. Signed-off-by: Changhuang Liang <changhuang.liang@starfivetech.com> Acked-by: Conor Dooley <conor.dooley@microchip.com> Link: https://patch.msgid.link/20260619143443.22267-2-changhuang.liang@starfivetech.com Signed-off-by: Mark Brown <broonie@kernel.org>
2026-06-19arm64/hw_breakpoint: reject unaligned watchpoints that would truncate BASBreno Leitao
hw_breakpoint_arch_parse() positions the BAS bit pattern in hw->ctrl.len with offset = hw->address & alignment_mask; /* 0..7 */ hw->ctrl.len <<= offset; ctrl.len is an 8-bit bitfield (struct arch_hw_breakpoint_ctrl::len is u32 :8), so the shift silently drops any bits past bit 7. For non-compat AArch64 watchpoints the offset is unbounded relative to ctrl.len: a perf_event_open(PERF_TYPE_BREAKPOINT) caller asking for HW_BREAKPOINT_W with bp_addr=page+1 and bp_len=HW_BREAKPOINT_LEN_8 ends up with 0xff << 1 = 0x1fe, stored as 0xfe. The kernel programs WCR.BAS=0xfe and the hardware watches bytes [1..7] instead of the requested [1..8] -- the eighth byte is silently dropped. The syscall still returns success, leaving userspace to discover the gap by empirical probing. The same class affects HW_BREAKPOINT_LEN_{2,4} when offset pushes the high BAS bit past bit 7 (e.g. LEN_4 with offset=5 yields 0xe0 instead of 0x1e0). No memory-safety impact -- the value is masked into 8 bits before encoding -- but debuggers and perf users observe missed events on bytes they thought they were watching. The AArch32 branch immediately above already rejects unrepresentable (offset, len) combinations via an explicit switch. Mirror that for the non-compat branch by checking that the shifted pattern fits in the BAS field, returning -EINVAL when it does not. GDB and similar debuggers are unaffected by the stricter check. aarch64_linux_set_debug_regs() already treats EINVAL on NT_ARM_HW_WATCH as a downgrade signal: it clears kernel_supports_any_contiguous_range, calls aarch64_downgrade_regs() to round the BAS up to a legacy 0x01/03/0f/ff mask with an aligned base, and retries -- the same fallback path that PR-20207 introduced. The new -EINVAL is therefore reachable only from a raw perf_event_open() that pairs an unaligned base with an oversized bp_len, which is precisely the bug. Reproducer: struct perf_event_attr a = { .type = PERF_TYPE_BREAKPOINT, .size = sizeof(a), .bp_type = HW_BREAKPOINT_W, .bp_addr = (uintptr_t)(buf + 1), .bp_len = HW_BREAKPOINT_LEN_8, .exclude_kernel = 1, .exclude_hv = 1, }; int fd = perf_event_open(&a, 0, -1, -1, 0); /* before this fix: succeeds, watches 7 bytes (buf+1..buf+7) */ /* after this fix: fails with EINVAL */ Fixes: b08fb180bb88 ("arm64: Allow hw watchpoint at varied offset from base address") Signed-off-by: Breno Leitao <leitao@debian.org> Signed-off-by: Will Deacon <will@kernel.org>
2026-06-19Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvmLinus Torvalds
Pull kvm updates from Paolo Bonzini: "arm64: This is a bit of an odd merge window on the KVM/arm64 front. There is absolutely no new feature in the pull request. It is purely fixes, because it is simply becoming too hard to review new stuff when so many AI-fuelled fixes hit the list. - Significant cleanup of the vgic-v5 PPI support which was merged in 7.1. This makes the code more maintainable, and squashes a couple of bugs in the meantime - Set of fixes for the handling of the MMU in an NV context, particularly VNCR-triggered faults. S1POE support is fixed as well - Large set of pKVM fixes, mostly addressing recurring issues around hypervisor tracking of donated pages in obscure cases where the donation could fail and leave things in a bizarre state - Fixes for the so-called "lazy vgic init", which resulted in sleeping operations in non-preemptible sections. This turned out to be far more invasive than initially expected.. - Reduce the overhead of L1/L2 context switch by not touching the FP registers - Fix the way non-implemented page sizes are dealt with when a guest insist on using them for S2 translation - The usual set of low-impact fixes and cleanups all over the map Loongarch: - On a request for lazy FPU load, load all FPU state that the VM supports instead of enabling only the part (FPU, LSX or LASX) that caused the FPU load request - Some enhancements about interrupt injection - Some bug fixes and other small changes RISC-V: - Batch G-stage TLB flushes for GPA range based page table updates - Convert HGEI line management to fully per-HART - Fix missing CSR dirty marking when FWFT state updated via ONE_REG - Fix stale FWFT feature exposure to Guest/VM - Speed up dirty logging write faults using MMU rwlock and atomic PTE updates using cmpxchg() for permission-only changes - Use flexible array for APLIC IRQ state - Use kvm_slot_dirty_track_enabled() for logging enable check on a memslot - Avoid skipping valid pages in kvm_riscv_gstage_wp_range() - Avoid skipping valid pages in kvm_riscv_gstage_unmap_range() - Use endian-specific __lelong for NACL shared memory S390: - KVM_PRE_FAULT_MEMORY support - Support for 2G hugepages - Support for the ASTFLEIE 2 facility - Support for fast inject using kvm_arch_set_irq_inatomic - Fix potential leak of uninitialized bytes - A few more misc gmap fixes x86: - Generic support for the more granular permissions allowed by EPT, namely "read" (which was previously usurping the U bit) and separate execution bits for kernel and userspace - Do not assume that all page tables start with U=1/W=1/NX=0 at the root, as AMD GMET needs to have U=0 at the root - Introduce common assembly macros for use within Intel and AMD vendor-specific vmentry code. This touches the SPEC_CTRL handling, which is now entirely done in assembly for Intel (by reusing the AMD code that already existed), and register save/restore which uses some macro magic to compute the offsets in the struct. Both of these are preparatory changes for upcoming APX support - Clean up KVM's register tracking and storage, primarily to prepare for APX support, which expands the maximum number of GPRs from 16 to 32 - Keep a single copy of the PDPTRs rather than two, since architecturally there is just one - Handle EXIT_FASTPATH_EXIT_USERSPACE in vendor code to ensure vendor code gets a chance to handle things like reaping the PML buffer - Update KVM's view of PV async enabling if and only if the MSR write fully succeeds - Fix a variety of issues where the emulator doesn't honor guest-debug state, and clean up related code along the way - Synthesize EPT Violation and #NPF "error code" bits when injecting faults into L1 that didn't originate in hardware (in which case the VMCS/VMCB doesn't hold relevant information) - Add support for virtualizing (well, emulating) AMD's flavor of CPL>0 CPUID faulting - Clean up the GPR APIs so that KVM's use of "raw" is consistent, and fix a variety of minor bugs along the way - Fix an OOB memory access due to not checking the VP ID when handling a Hyper-V PV TLB flush for L2 - Fix a bug in the mediated PMU's handling of fixed counters that allowed the guest to bypass the PMU event filter - Allow userspace to return EAGAIN when handling SNP and TDX hypercalls, so the KVM can forward a "retry" status code to the guest, and reserve all unused error codes for future usage - Overhaul the TDP MMU => S-EPT code to move as much S-EPT specific logic as possible into the TDX code, and to funnel (almost) all S-EPT updates into a single chokepoint. The motivation is largely to prepare for upcoming Dynamic PAMT support, but the cleanups are nice to have on their own - Plug a hole in shadow page table handling, where KVM fails to recursively zap nested EPT/NPT shadow page tables when the nested hypervisor tears down its own EPT/NPT page tables from the bottom up x86 (Intel): - Support for nested MBEC (Mode-Based Execute Control), see above in the generic section; also run with MBEC enabled even for non-nested mode - Use the kernel's "enum pg_level" in the TDX APIs instead of the TDX-Module's level definitions (which are 0-based) - Rework the TDX memory APIs to not require/assume that guest memory is backed by "struct page" (in prepartion for guest_memfd hugepage support) - Fix a largely benign bug where KVM TDX would incorrectly state it could emulate several x2APIC MSRs - Use the "safe" WRMSR API when proxying LBR MSR writes as the to-be-written value is guest controlled and completely unvalidated x86 (AMD): - Support for nested GMET (Guest Mode Execution Trap), see above in the generic section; also run with GMET enabled even for non-nested mode - Fixes and minor cleanups to GHCB handling, on top of the earlier work already merged into 7.1-rc - Ensure KVM's copy of CR0 and CR3 are up-to-date prior to invoking fastpath handlers - Add support for virtualizing gPAT (KVM previously just used L1's PAT when running L2) - Fix goofs where KVM mishandles side effects (e.g. single-step and PMC updates) when emulating VMRUN - Fix a variety of bugs in AVIC's handling of x2APIC MSR interception, most notably where KVM didn't disable interception of IRR, ISR, and TMR regs - Add support for virtualizing Host-Only/Guest-Only bits in the mediated PMU - Don't advertise support for unusable VM types, and account for VM types that are disabled by firmware, e.g. to mitigate security vulnerabilities - Rewrite the SEV {en,de}crypt debug ioctls as they were riddle with bugs and unnecessarily complicated, and add comprehensive tests - Clean up and deduplicate the SEV page pinning code - Fix minor goofs related to writing back CPUID information after firmware rejects a CPUID page for an SNP vCPU Generic: - Rename invalidate_begin() to invalidate_start() throughout KVM to follow the kernel's nomenclature, e.g. for mmu_notifiers - Use guard() to cleanup up various KVM+VFIO flows - Minor cleanups guest_memfd: - Return -EEXIST instead of -EINVAL if userspace attempts to bind a gmem range to multiple memslots, and fix the test that was supposed to ensure KVM returns -EEXIST - Treat memslot binding offsets and sizes as unsigned values to fix a bug where KVM interprets a large "offset + size" as a negative value and allows a nonsensical offset - Use the inode number instead of the page offset for the NUMA interleaving index to fix a bug where the effective index would jump by two for consecutive pages (the caller also adds in the page offset) Selftests: - Randomize the dirty log test's delay when reaping the bitmap on the first pass, as always waiting only 1ms hid a KVM RISC-V bug as the test reaped the bitmap before KVM could build up enough state to hit the bug - A pile of one-off fixes and cleanups" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (326 commits) KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level KVM: x86: Fix shadow paging use-after-free due to unexpected role KVM: s390: Introducing kvm_arch_set_irq_inatomic fast inject KVM: s390: Enable adapter_indicators_set to use mapped pages KVM: s390: Add map/unmap ioctl and clean mappings post-guest riscv: kvm: Use endian-specific __lelong for NACL shared memory KVM: selftests: access_tracking_perf_test: bump number of NUMA nodes to 32 KVM: s390: vsie: Implement ASTFLEIE facility 2 KVM: s390: vsie: Refactor handle_stfle s390/sclp: Detect ASTFLEIE 2 facility KVM: s390: Minor refactor of base/ext facility lists KVM: x86/mmu: move pdptrs out of the MMU KVM: x86: check that kvm_handle_invpcid is only invoked with shadow paging KVM: nSVM: invalidate cached PDPTRs across nested NPT transitions KVM: nVMX: remove unnecessary code in prepare_vmcs02_rare KVM: x86: remove nested_mmu from mmu_is_nested() KVM: arm64: vgic-its: Make ABI commit helpers return void KVM: s390: Initialize KVM_S390_GET_CMMA_BITS memory LoongArch: KVM: Add missing slots_lock for device register/unregister LoongArch: KVM: Validate irqchip index in irqfd routing ...
2026-06-19Merge tag 'mips_7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linuxLinus Torvalds
Pull MIPS updates from Thomas Bogendoerfer: - use software nodes for GPIO code - cleanups and fixes * tag 'mips_7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux: (41 commits) mips: select legacy gpiolib interfaces where used MIPS: lib: Remove '.hidden' for local symbols MIPS: VDSO: Avoid including .got in dynamic segment MIPS: smp: report dying CPU to RCU in stop_this_cpu() MIPS: kernel: proc: Delete unnecessary braces in show_cpuinfo() MIPS: kernel: proc: Use seq_putc() calls in show_cpuinfo() mips: sched: Fix CPUMASK_OFFSTACK memory corruption MIPS: mm: Fix out-of-bounds write in maar_res_walk() MIPS: ath79: reduce ARCH_DMA_MINALIGN mips: dts: ar9132: fix wdt node name mips: Remove remaining defconfig references to the pktcdvd driver MIPS: mm: remove comment referring to removed CONFIG_MIPS_CMP MIPS: alchemy: db1300: switch to static device properties MIPS: alchemy: gpr: switch to static device properties MIPS: alchemy: db1000: use nodes attached to GPIO chips in properties MIPS: alchemy: mtx1: attach software nodes to GPIO chips MIPS: alchemy: provide visible function prototypes to board files MIPS: alchemy: platform: add missing include MIPS: ip22-gio: do not export device release function MIPS: ip22-gio: switch to dynamic root device ...
2026-06-19Merge tag 'powerpc-7.2-1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc updates from Madhavan Srinivasan: - Enable GENERIC_ENTRY feature - Add missing property in DTS for mpc83xx platform - Enable building of DTB based on platfrom Kconfig - Add powerpc64 JIT support for timed may_goto - Add timeout to RTAS busy-wait loops - Simplify cpumask api usage for cpuinfo display - implement get_direction() in cpm1 (8xx platform) - MAINTAINERS file update for power VMX AES entries - Fixes to handle preempt count - Restore KUAP registers on syscall restart exit - define MIN_RMA in bytes rather than MB - misc fixes and cleanups Thanks to Aboorva Devarajan, Adriano Vero, Amit Machhiwal, Anushree Mathur, Bartosz Golaszewski, Christophe Leroy (CS GROUP), David Gow, Jinjie Ruan, J. Neuschäfer, Linus Walleij, Mahesh Salgaonkar, Mukesh Kumar Chaurasiya (IBM), Ritesh Harjani (IBM), Saket Kumar Bhaskar, Samir M, Sayali Patil, Shirisha G, Shivang Upadhyay, Shrikanth Hegde, Sourabh Jain, Thorsten Blum, Venkat Rao Bagalkote, and Yury Norov. * tag 'powerpc-7.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: (32 commits) powerpc/fadump: define MIN_RMA in bytes rather than MB powerpc: Restore KUAP registers on syscall restart exit powerpc/kexec: fix double get_cpu() imbalance in kexec_prepare_cpus powerpc/powernv: fix preempt count leak in pnv_kexec_wait_secondaries_down powerpc/perf: fix preempt count underflow in fsl_emb_pmu_del powerpc/boot: Allow text relocations for pseries wrapper with binutils 2.46+ powerpc: Simplify access_ok() powerpc/entry: Disable interrupts before irqentry_exit powerpc/8xx: implement get_direction() in cpm1 powerpc/pseries/lparcfg: Replace deprecated strcpy in parse_system_parameter_string powerpc: Fix indentation and replace typedef with struct name powerpc/rtas: Replace one-element array with flexible array member powerpc: use sysfs_emit{_at} in sysfs show functions MAINTAINERS: powerpc: update VMX AES entries ppc/fadump: invoke kmsg_dump in fadump panic path powerpc/xive: Add warning if target CPU not found powerpc/perf: Use cpumask_intersects api for checking disable path powerpc: Simplify cpumask api usage for cpuinfo display powerpc: Use cpumask_next_wrap instead powerpc/fadump: Add timeout to RTAS busy-wait loops ...
2026-06-19arm64: static_call: include asm/insns.hArnd Bergmann
I came a cross a missing declaration in a randconfig build: arch/arm64/kernel/static_call.c:16:5: error: call to undeclared function 'aarch64_insn_adrp_get_offset'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration] 16 | aarch64_insn_adrp_get_offset(le32_to_cpup(tramp + 4)) + | ^ Include the header that contains this definition explicitly, rather than relying on it to come indirectly through another header. Fixes: 54ac9ff8f119 ("arm64: Use static call trampolines when kCFI is enabled") Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Will Deacon <will@kernel.org>
2026-06-19s390/pkey: Check length in pkey_pckmo handler implementationHolger Dengler
Explicitly check the length of the target buffer in the pkey_pckmo implementation of the key_to_protkey() handler function. The handler function fails, if the generated output data exceeds the length of the provided target buffer. Cc: stable@vger.kernel.org Fixes: 8fcc231ce3be ("s390/pkey: Introduce pkey base with handler registry and handler modules") Reported-by: Christian Borntraeger <borntraeger@linux.ibm.com> Reviewed-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Holger Dengler <dengler@linux.ibm.com> Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
2026-06-19s390/pkey: Check length in PKEY_VERIFYPROTK ioctlHolger Dengler
Explicitly check the buffer length request structure provided by user-space and fail, if it exceeds the buffer size. Cc: stable@vger.kernel.org Fixes: 8fcc231ce3be ("s390/pkey: Introduce pkey base with handler registry and handler modules") Reported-by: Christian Borntraeger <borntraeger@linux.ibm.com> Reviewed-by: Harald Freudenberger <freude@linux.ibm.com> Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com> Signed-off-by: Holger Dengler <dengler@linux.ibm.com> Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
2026-06-19netfilter: flowtable: fix and simplify IP6IP6 tunnel handlingLorenzo Bianconi
Fix nf_flow_ip6_tunnel_proto() to use pskb_may_pull() instead of skb_header_pointer() to ensure the outer IPv6 header is in the skb headroom, which is required for subsequent packet processing. Move ctx->offset update inside the IPPROTO_IPV6 conditional block since it should only be adjusted when an IP6IP6 tunnel is actually detected. Simplify the rx path by removing ipv6_skip_exthdr() and checking ip6h->nexthdr directly, as the flowtable fast path only handles simple IP6IP6 encapsulation without extension headers. Drop the tunnel encapsulation limit destination option support from the tx path to match, since the rx path no longer handles extension headers. Remove the encap_limit parameter from nf_flow_offload_ipv6_forward(), nf_flow_tunnel_ip6ip6_push() and nf_flow_tunnel_v6_push(), along with the ipv6_tel_txoption struct and related headroom/MTU adjustments. Fixes: d98103575dcdd ("netfilter: flowtable: Add IP6IP6 rx sw acceleration") Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-19netfilter: xt_cluster: reject template conntracks in hash matchWyatt Feng
xt_cluster_mt() treats any non-NULL nf_ct_get() result as a fully initialized conntrack and passes it to xt_cluster_hash(). This causes a state confusion bug when the raw table CT target attaches a template conntrack to skb->_nfct before normal conntrack processing. Templates carry IPS_TEMPLATE status but do not have a valid tuple for hashing yet, so xt_cluster_hash() can hit its WARN_ON() path on the zeroed l3num field. Reject template conntracks before hashing them. This matches existing netfilter handling for template objects and avoids hashing incomplete conntrack state. Fixes: 0269ea493734 ("netfilter: xtables: add cluster match") Cc: stable@vger.kernel.org Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Yifan Wu <yifanwucs@gmail.com> Reported-by: Juefei Pu <tomapufckgml@gmail.com> Reported-by: Zhengchuan Liang <zcliangcn@gmail.com> Reported-by: Xin Liu <bird@lzu.edu.cn> Assisted-by: Codex:GPT-5.4 Signed-off-by: Wyatt Feng <bronzed_45_vested@icloud.com> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-19netfilter: nf_queue: pin bridge device while NFQUEUE holds fake dstHaoze Xie
The br_netfilter fake rtable is embedded in struct net_bridge and is attached to bridged packets with skb_dst_set_noref(). If such a packet is queued to NFQUEUE, __nf_queue() upgrades that fake dst with skb_dst_force(). At that point the queued skb can hold a real dst reference after bridge teardown has started. The problem is not that every bridged packet needs its own dst reference. The problem is that NFQUEUE can keep the bridge private fake dst alive after unregister begins. Fix this by keeping the bridge fake dst model unchanged and pinning the bridge master device only while the packet sits in NFQUEUE. Record the bridge device in nf_queue_entry when the queued skb carries a bridge fake dst, take a device reference for the queue lifetime, and drop it when the queue entry is freed. Also make sure queued entries are reaped when that bridge device goes down, and drop the redundant nf_bridge_info_exists() test from the fake dst detection. This keeps netdev_priv(br->dev) alive until verdict completion, so the embedded fake rtable and its metrics backing storage cannot be freed out from under dst_release(). It also avoids the constant refcount bump and avoids using ipv4-specific dst helpers for IPv6 bridge traffic. Fixes: 34666d467cbf ("netfilter: bridge: move br_netfilter out of the core") Cc: stable@kernel.org Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Yifan Wu <yifanwucs@gmail.com> Reported-by: Juefei Pu <tomapufckgml@gmail.com> Reported-by: Xin Liu <bird@lzu.edu.cn> Signed-off-by: Haoze Xie <royenheart@gmail.com> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-19perf: Fix addr_filter_ranges lifetimePeter Zijlstra
Lee Jia Jie reported that since event::addr_filter_ranges is used under RCU, it should be RCU freed. Reported-by: Lee Jia Jie <jiajie.lee@starlabs.sg> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
2026-06-19netfilter: flowtable: fix offloaded ct timeout never being extendedAdrian Bente
OpenWrt has recently migrated many platforms to kernel 6.18. On the MediaTek platform, which supports hardware network offloading, WiFi connections accelerated via the WED path were observed to drop after roughly 300 seconds. After several debugging sessions, assisted by the Claude LLM, the problem was narrowed down as follows: nf_flow_table_extend_ct_timeout() extends ct->timeout for offloaded flows using: cmpxchg(&ct->timeout, expires, new_timeout); 'expires' comes from nf_ct_expires(ct) and is a relative value, while ct->timeout holds an absolute timestamp. The two are never equal, so the cmpxchg always fails and the timeout is never extended. This goes unnoticed for most flows, but a long-lived hardware (WED) offloaded flow on MediaTek MT7986 eventually has ct->timeout decay to zero, the conntrack entry is reaped and the connection breaks. Open-code the relative value from a single READ_ONCE(ct->timeout) snapshot and compare against that same absolute snapshot in the cmpxchg, so the timeout extension actually takes effect while the datapath remains authoritative if it updates ct->timeout concurrently. Fixes: 03428ca5cee9 ("netfilter: conntrack: rework offload nf_conn timeout extension logic") Cc: stable@vger.kernel.org Suggested-by: Florian Westphal <fw@strlen.de> Signed-off-by: Adrian Bente <adibente@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-19x86/platform/geode: reference the real node of the cs5535 GPIO controllerBartosz Golaszewski
GPIO software node lookup should rely exclusively on matching the addresses of the referenced firmware nodes. Commit e5d527be7e69 ("gpio: swnode: don't use the swnode's name as the key for GPIO lookup") tried to enforce this but had to be reverted: it broke existing users who abuse the software node mechanism by creating "dummy" software nodes named after the device they want to get GPIOs from, without ever attaching them to the actual GPIO devices. Those users rely on GPIOLIB matching the label of the GPIO controller against the name of the software node rather than on a real firmware node link. Un-reverting e5d527be7e69 therefore requires converting all such users to real firmware node lookup. The geode board setup is one of them: it references the cs5535 GPIO controller through a locally-defined dummy node named "cs5535-gpio". The cs5535 MFD driver now exports the software node associated with its GPIO controller cell as cs5535_gpio_swnode. Use it as the target of the GPIO software node references in geode-common.c instead of the dummy node, so the lookup resolves by firmware node address. As the referenced node must exist at lookup time, make the cs5535 driver built-in for all boards selecting GEODE_COMMON (depend on GPIO_CS5535=y). The node is exported in the "CS5535" namespace, so import it in this module. Acked-by: Borislav Petkov (AMD) <bp@alien8.de> Link: https://patch.msgid.link/20260611-cs5535-swnode-v3-1-2b0c517c0c03@oss.qualcomm.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
2026-06-19Merge commit '6beaec3aee9852438b89e4d7891caf5e84d45851' of ↵Bartosz Golaszewski
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux into gpio/for-current This pulls in the merge commit for MFD updates for v7.2. The PR contains a build-time dependency of one of the GPIO commits that will follow.
2026-06-19ALSA: hda/realtek: Enable mute LED on HP EliteBook 840 G6Ramcharan Rajpurohit
The HP EliteBook 840 G6 (PCI SSID 103c:854d) has an ALC215 codec whose mic-mute and audio-mute LEDs are wired to the same GPIOs as the already supported EliteBook 830 G6 and 840 G7. Without a matching quirk the LEDs are never registered, so the front-panel mic-mute LED stays permanently lit and does not track the mute state. Apply ALC285_FIXUP_HP_GPIO_LED, mirroring the sibling EliteBook entries. With this fixup the codec registers an "hda::micmute" LED class device and the LED correctly follows the capture-mute state. This was verified on the affected machine by forcing the same fixup at runtime via snd_sof_intel_hda_generic.hda_model=103c:8548, which made the LED work as expected. Signed-off-by: Ramcharan Rajpurohit <b23ci1032@iitj.ac.in> Link: https://patch.msgid.link/20260619062435.26256-1-b23ci1032@iitj.ac.in Signed-off-by: Takashi Iwai <tiwai@suse.de>
2026-06-19ALSA: usb-audio: Kill MIDI 2.0 URBs before freeing endpointsCen Zhang
MIDI 2.0 input URBs are started during snd_usb_midi_v2_create(). A later setup failure can still jump to snd_usb_midi_v2_free(), which currently frees each endpoint and its coherent URB buffers without first stopping the submitted URBs. A completion can then dereference the embedded URB context and endpoint state after they have been freed, or try to resubmit from the stale endpoint. This was observed as a KASAN slab-use-after-free in input_urb_complete(). The buggy scenario involves two paths, with each column showing the order within that path: probe error path: USB completion path: 1. start_input_streams() submits 1. The HCD still owns a input URBs. submitted input URB. 2. A later setup helper returns 2. input_urb_complete() runs an error. with urb->context in ep. 3. snd_usb_midi_v2_free() frees 3. The completion reads ep endpoint storage and URB buffers. state and can requeue URBs. Make the endpoint destructor follow the same teardown ordering used for disconnect when the endpoint has not already been disconnected: publish ep->disconnected, kill the URBs synchronously, and drain the endpoint before freeing URB buffers and endpoint storage. The guard avoids repeating the stop sequence after the normal snd_usb_midi_v2_disconnect_all() path, while still synchronizing the direct MIDI 2.0 create-error free path. Validation reproduced this kernel report: BUG: KASAN: slab-use-after-free in input_urb_complete+0x37/0x1b0 Workqueue: usb_hub_wq hub_event RIP: 0010:_raw_spin_unlock_irq+0x2e/0x50 Read of size 8 Call trace: dump_stack_lvl+0x77/0xb0 print_report+0xce/0x5f0 input_urb_complete+0x37/0x1b0 (sound/usb/midi2.c:186) srso_alias_return_thunk+0x5/0xfbef5 __virt_addr_valid+0x19f/0x330 kasan_report+0xe0/0x110 __usb_hcd_giveback_urb+0x112/0x1d0 dummy_timer+0xaaa/0x19a0 lock_is_held_type+0x9a/0x110 __lock_acquire+0x467/0x28b0 mark_held_locks+0x40/0x70 _raw_spin_unlock_irqrestore+0x44/0x60 lockdep_hardirqs_on_prepare+0xbb/0x1a0 __hrtimer_run_queues+0x101/0x520 hrtimer_run_softirq+0xd0/0x130 handle_softirqs+0x15b/0x670 __irq_exit_rcu+0xd0/0x170 irq_exit_rcu+0xe/0x20 sysvec_apic_timer_interrupt+0x6c/0x80 asm_sysvec_apic_timer_interrupt+0x1a/0x20 Fixes: d9c99876868c ("ALSA: usb-audio: Create UMP blocks from USB MIDI GTBs") Assisted-by: Codex:gpt-5.5 Signed-off-by: Cen Zhang <zzzccc427@gmail.com> Link: https://patch.msgid.link/20260618170010.191433-1-zzzccc427@gmail.com Signed-off-by: Takashi Iwai <tiwai@suse.de>
2026-06-19rust: Kbuild: set frame-pointer llvm module flag for CONFIG_FRAME_POINTERAlice Ryhl
Due to a rustc bug, the -Cforce-frame-pointers=y flag only emits the frame-pointer annotation for functions, but not for the module. This means that functions generated by the LLVM backend such as 'asan.module_ctor' do not receive the frame-pointer annotation. This is likely to lead to broken backtraces and may also cause issues with ftrace if these features are used with functions generated by the LLVM backend. Thus, use -Zllvm_module_flag to work around this rustc bug if using a rustc without the fix. [ The fix [1] has landed for Rust 1.98.0 (expected release on 2026-08-20). - Miguel ] Cc: stable@vger.kernel.org # 6.12.y and later (flag not available in pinned Rust in older LTSs). Fixes: 2f7ab1267dc9 ("Kbuild: add Rust support") Link: https://github.com/rust-lang/rust/pull/156980 [1] Signed-off-by: Alice Ryhl <aliceryhl@google.com> Link: https://patch.msgid.link/20260616-frame-ptr-fix-v1-1-dc6b29a631d9@google.com [ - Adjusted Cc: stable@ as discussed. - Added comment with link to the PR, similar to what we did in commit ac35b5580ace ("rust: arm64: set uwtable llvm module flag for CONFIG_UNWIND_TABLES"). - Miguel ] Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
2026-06-19rust: doctest: fix incorrect pattern in replacementGary Guo
The `-> Result<(), impl core::fmt::Debug>` string is generated by rustdoc and by adding "::" into the string it no longer finds anything, making the line useless. Remove the "::" in the pattern. Omit it in the replacement too, for consistency with upstream rustdoc. Fixes: de7cd3e4d638 ("rust: use absolute paths in macros referencing core and kernel") Signed-off-by: Gary Guo <gary@garyguo.net> Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20260616132559.2245814-1-gary@kernel.org [ Added link in code comment to `rustdoc`'s 1.87 PR that fully qualified it for context. Improved comments for consistency. Reworded to drop changelog and to fix typo. - Miguel ] Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
2026-06-18Merge tag 'riscv-for-linus-7.2-mw1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux Pull RISC-V updates from Paul Walmsley: - Prevent get_free_mem_region() from returning regions that are unmappable in certain circumstances by defining DIRECT_MAP_PHYSMEM_END for RISC-V - Fix an early boot problem with kexec_file when the amount of installed physical memory installed on the system exceeds the direct map size, which is possible in certain RISC-V virtual memory modes - Unconditionally sfence.vma in the new vmalloc area handling code in the page fault handler, since even the presence of Svvptc doesn't guarantee that the CPU won't immediately fault again after the exception handler completes and subsequently crash - Fix ftrace_graph_ret_addr() to use the correct task pointer (aligning with what other architectures do) - Fix the misaligned access performance checking code in cases when performance is specified on the kernel command line and when CPUs have been brought offline and back online - Get rid of a bogus address offset in the non-frame-pointer version of walk_stackframe(), aligning it with the frame pointer-based code - Fix a RISC-V kfence issue causing bogus use-after-free warnings - Add ARCH_HAS_CC_CAN_LINK for RISC-V, which needs different compiler command line flags than other architectures - Implement _THIS_IP_ using RISC-V-specific assembly, which seems to be less brittle (from a compiler point of view) than taking the address of a label - Reduce kernel startup overhead by defining HAVE_BUILDTIME_MCOUNT_SORT, since arch/riscv meets all the requirements - Patch the CFI vDSO during alternatives processing, not only the standard vDSO - Fix a potential memory leak in the cacheinfo code - Clean up kernel/setup.c:add_resource() to pass along the return value from insert_resource() and to improve the display of resource ranges - Clean up our purgatory.[ch] by aligning our purgatory() prototype to what's in arch/x86, and by cleaning up verify_sha256_digest() - Clean up cpu_is_stopped() to align its function a little more closely to its name - Replace some unbounded string function usage in get_early_cmdline() and the ptdump code with strscpy() - Replace sprintf() with sysfs_emit() in cpu_show_ghostwrite() for safer bounds checking - Standardize how compiler output flags are specified in the RISC-V kselftests, aligning them with what other architectures do - Use the Linux-generic cmp_int() macro in place of an open-coded "cmp_3way()" macro in kernel/module-sections.c - Panic early in boot if IRQ handler stacks can't be allocated rather than pretending to continue normally - Add support for Eswin SoCs in the RISC-V defconfig - Remove some unnecessary conditionals in sbi_hsm_hart_{start,stop}() - Clean up some Kconfig infelicities found by Kconfirm - Replace an open-coded version of min() in the kexec_elf code with the standard min() function * tag 'riscv-for-linus-7.2-mw1' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux: (36 commits) riscv: traps_misaligned: Avoid redundant unaligned access speed probe riscv: misaligned: Fix fast_unaligned_access_speed_key init riscv: also select ARCH_KEEP_MEMBLOCK if kexec is selected riscv: alternative: Also patch the CFI vDSO riscv: alternative: Pass vDSO start as parameter to apply_vdso_alternatives() riscv: alternative: Use IS_ENABLED() over ifdeffery for apply_vdso_alternatives() riscv: vdso: Always declare vdso_start symbols riscv: kexec: use min to simplify riscv_kexec_elf_load riscv: panic if IRQ handler stacks cannot be allocated riscv: mm: Unconditionally sfence.vma for spurious fault riscv: mm: Use the bitmap API for new_valid_map_cpus riscv: mm: Rename new_vmalloc into new_valid_map_cpus riscv: kfence: Call mark_new_valid_map() for kfence_unprotect() riscv: mm: Extract helper mark_new_valid_map() riscv: stacktrace: Remove bogus -0x4 offset in non-FP walk_stackframe riscv: cacheinfo: Fix node reference leak in populate_cache_leaves riscv: kexec_file: Constrain segment placement to direct map riscv: mm: Define DIRECT_MAP_PHYSMEM_END riscv: defconfig: Enable Eswin SoCs riscv: cpu_ops_sbi: No need to be bothered to check ret.error ...
2026-06-18Merge tag 'trace-ring-buffer-v7.2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull ring-buffer updates from Steven Rostedt - Do not invalidate entire buffer for invalid sub-buffers For the persistent ring buffer, if one sub-buffer is found to be invalid, it invalidates the entire per CPU ring buffer. This can lose a lot of valuable data if there's some corruption with the writes to the buffer not syncing properly on a hard crash. Instead, if a sub-buffer is found to be invalid, simply zero it out and mark it for "missed events". When the persistent ring buffer is read and a sub-buffer that was cleared due to being invalid on boot up is discovered, the output will show "[LOST EVENTS]" to let the user know that events were missing at that location. Displaying the events from valid buffers can still be useful. - Add a test to be able to test corrupted sub-buffers If a persistent ring buffer is created as "ptraingtest" and the new config that adds the test is enabled, when a panic happens, the kernel will randomly corrupt one of the per CPU ring buffers. On boot up, the sub-buffers with the corruption should be cleared and flagged. When reading this buffer, the missed events should should [LOST EVENTS]. - Add commit number in the sub-buffer meta debug info The commit is used to know the content of a meta page. Add it to the buffer_meta file that is shown for each per CPU buffer. - Clean up the persistent ring buffer validation code Add some helper functions and make variable names more consistent. * tag 'trace-ring-buffer-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: ring-buffer: Better comment the use of RB_MISSED_EVENTS ring-buffer: Show persistent buffer dropped events in trace_pipe file ring-buffer: Show persistent buffer dropped events in trace file ring-buffer: Have dropped subbuffers be persistent across reboots ring-buffer: Cleanup buffer_data_page related code ring-buffer: Cleanup persistent ring buffer validation ring-buffer: Show commit numbers in buffer_meta file ring-buffer: Add persistent ring buffer invalid-page inject test ring-buffer: Skip invalid sub-buffers when rewinding persistent ring buffer ring-buffer: Skip invalid sub-buffers when validating persistent ring buffer
2026-06-18Merge tag 'trace-v7.2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull tracing updates from Steven Rostedt: - Remove a redundant IS_ERR() check trace_pipe_open() already checks for IS_ERR() and does it again in the return path. Remove the return check. - Export seq_buf_putmem_hex() to allow kunit tests against them To add Kunit tests on seq_buf_putmem_hex(), it needs to be exported. - Replace strcat() and strcpy() with seq_buf() logic The code for synthetic events uses a series of strcat() and strcpy() which can be error prone. Replace them with seq_buf() logic that does all the necessary bound checking. - Add a lockdep rcu_is_watching() to trace_##event##_enabled() call The trace_##event##_enabled() is a static branch that is true if the "event" is enabled. But this can hide bugs if this logic is in a location where RCU is disabled and not "watching". It would only trigger if lockdep is enabled and the event is enabled. Add a "rcu_is_watching()" warning if lockdep is enabled in that helper function to trigger regardless if the event is enabled or not. - Remove the local variable in the trace_printk() macro For name space integrity, remove the _______STR variable in the trace_printk() macro for using the sizeof() macro directly. - Use guard()s for the trace_recursion_record.c file - Fix typo in a comment of eventfs_callback() kerneldoc - Use trace_call__##event() in events within trace_##event##_enabled() A couple of events are called within an if block guarded by trace_##event##_enabled(). That is a static key that is only enabled when the event is enabled. The trace_call_##event() calls the tracepoint code directly without adding a redundant static key for that check. - Allow perf to read synthetic events Currently, perf does not have the ability to enable a synthetic event. If it does, it will either cause a kernel warning or error with "No such device". Synthetic events are not much different than kprobes and perf can handle fine with a few modifications. - Replace printk(KERN_WARNING ...) with pr_warn() - Replace krealloc() on an array with krealloc_array() - Fix README file path name for synthetic events - Change tracing_map tracing_map_array to use a flexible array Instead of allocating a separate pointer to hold the pages field of tracing_map_array, allocate the pages field as a flexible array when allocating the structure. - Fold trace_iterator_increment() into trace_find_next_entry_inc() The function trace_iterator_increment() was only used by trace_find_next_entry_inc(). It's not big enough to be a helper function for one user. Fold it into its caller. - Make field_var_str field a flexible array of hist_elt_data Instead of allocating a separate pointer for the field_var_str array of the hist_elt_data structure, allocate it as a flexible array when allocating the structure. - Disable KCOV for trace_irqsoff.c Like trace_preemptirq.c, trace_irqsoff.c has code that will crash when KCOV is enabled on ARM. The irqsoff tracing can be called on ARM because the irqsoff tracing code can be run from early interrupt code and produce coverage unrelated to syscall inputs. - Fix warning in __unregister_ftrace_function() called by perf Perf calls unregister_ftrace_function() without checking if its ftrace_ops has already been unregistered. There's an error path where on clean up it will unregister the ftrace_ops even if it wasn't registered and causes a warning. * tag 'trace-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: perf/ftrace: Fix WARNING in __unregister_ftrace_function tracing: Disable KCOV instrumentation for trace_irqsoff.o tracing: Turn hist_elt_data field_var_str into a flexible array tracing: Move trace_iterator_increment() into trace_find_next_entry_inc() tracing: Simplify pages allocation for tracing_map logic tracing: Fix README path for synthetic_events tracing: Use krealloc_array() for trace option array growth tracing/branch: Use pr_warn() instead of printk(KERN_WARNING) tracing: Allow perf to read synthetic events HID: Use trace_call__##name() at guarded tracepoint call sites cpufreq: amd-pstate: Use trace_call__##name() at guarded tracepoint call site tracefs: Fix typo in a comment of eventfs_callback() kerneldoc tracing: Switch trace_recursion_record.c code over to use guard() tracing: Remove local variable for argument detection from trace_printk() tracepoint: Add lockdep rcu_is_watching() check to trace_##name##_enabled() tracing: Bound synthetic-field strings with seq_buf seq_buf: Export seq_buf_putmem_hex() and add KUnit tests tracing: Remove redundant IS_ERR() check in trace_pipe_open()
2026-06-18eth: fbnic: take netif_addr_lock_bh() around rx mode address programmingDaniel Zahka
When __fbnic_set_rx_mode() is called from contexts other than .ndo_set_rx_mode_async(), the uc and mc addr lists are accessed without the addr lock that __hw_addr_sync_dev() and __hw_addr_unsync_dev() require. Wrap these unprotected accesses with netif_addr_lock_bh(). fbnic_clear_rx_mode() has similar issues. Fixes: eb690ef8d1c2 ("eth: fbnic: Add L2 address programming") Signed-off-by: Daniel Zahka <daniel.zahka@gmail.com> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20260617-linux-fbnic-hwaddr-v1-1-3f9f5dee7f99@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-18tipc: fix slab-use-after-free Read in tipc_aead_decrypt_doneDoruk Tan Ozturk
tipc_aead_decrypt() goes straight from tipc_bearer_hold(b) to crypto_aead_decrypt(req) without taking a reference on the netns, unlike the encrypt path. When crypto_aead_decrypt() is offloaded asynchronously (e.g. the SIMD aead wrapper queuing to cryptd), the cryptd worker runs tipc_aead_decrypt_done() later. If the bearer's netns is torn down in the meantime, cleanup_net() -> tipc_exit_net() -> tipc_crypto_stop() frees the per-netns tipc_crypto, and the completion then reads it: tipc_aead_decrypt_done() dereferences aead->crypto->stats and aead->crypto->net, and tipc_crypto_rcv_complete() dereferences aead->crypto->aead[] and the node table -- reading freed memory. Decoded KASAN splat (v7.1-rc7, CONFIG_KASAN_INLINE + TIPC + TIPC_CRYPTO): BUG: KASAN: slab-use-after-free in tipc_aead_decrypt_done (net/tipc/crypto.c:999) Read of size 8 at addr ffff8881056258a8 by task kworker/u16:2/51 Workqueue: events_unbound Call Trace: tipc_aead_decrypt_done (net/tipc/crypto.c:999) process_one_work (kernel/workqueue.c:3314) worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478) kthread (kernel/kthread.c:436) ret_from_fork (arch/x86/kernel/process.c:158) ret_from_fork_asm (arch/x86/entry/entry_64.S:245) Allocated by task 169: __kasan_kmalloc (mm/kasan/common.c:398 mm/kasan/common.c:415) tipc_crypto_start (net/tipc/crypto.c:1502) tipc_init_net (net/tipc/core.c:72) ops_init (net/core/net_namespace.c:137) setup_net (net/core/net_namespace.c:446) copy_net_ns (net/core/net_namespace.c:579) create_new_namespaces (kernel/nsproxy.c:132) __x64_sys_unshare (kernel/fork.c:3316) do_syscall_64 (arch/x86/entry/syscall_64.c:63) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121) Freed by task 8: kfree (mm/slub.c:6566) tipc_exit_net (net/tipc/core.c:119) cleanup_net (net/core/net_namespace.c:704) process_one_work (kernel/workqueue.c:3314) kthread (kernel/kthread.c:436) This is the same class of bug that commit e279024617134 ("net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done") fixed for the encrypt side. The encrypt path takes maybe_get_net(aead->crypto->net) before crypto_aead_encrypt() and drops it with put_net() on the synchronous return paths and in tipc_aead_encrypt_done(); the -EINPROGRESS/-EBUSY return keeps the reference for the async callback to release. The decrypt path was left without the equivalent guard. Mirror the encrypt-side fix on the decrypt path: take a net reference before crypto_aead_decrypt() (failing with -ENODEV and the matching bearer put if it cannot be acquired), keep it across the -EINPROGRESS/-EBUSY async return, and drop it with put_net() on the synchronous success/error return and at the end of tipc_aead_decrypt_done(). Reproduced under KASAN on v7.1-rc7: a UDP bearer with a cluster key is flooded with crafted encrypted frames from an unknown peer (driving the cluster-key decrypt path) while the bearer's netns is repeatedly torn down. The completion must run asynchronously to outlive tipc_crypto_stop(); on x86 the stock aesni gcm(aes) now decrypts synchronously, so the async path was exercised via cryptd offload. The unguarded aead->crypto dereference in tipc_aead_decrypt_done() is the unpatched upstream path; tipc_aead_decrypt() still lacks maybe_get_net(aead->crypto->net), so the completion can outlive the free on any config where crypto_aead_decrypt() goes async. Found by 0sec automated security-research tooling (https://0sec.ai). Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication") Cc: stable@vger.kernel.org Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai> Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com> Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20260617075818.37431-1-doruk@0sec.ai Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-18net: rds: check cmsg_len before reading rds_rdma_args in size passMichael Bommarito
rds_rm_size() handles RDS_CMSG_RDMA_ARGS after only CMSG_OK() and then calls rds_rdma_extra_size(), which reads args->local_vec_addr and args->nr_local without first checking that cmsg_len covers struct rds_rdma_args. The other two RDS_CMSG_RDMA_ARGS consumers already guard this: rds_rdma_bytes() in rds_sendmsg() and rds_cmsg_rdma_args() in rds_cmsg_send() both reject cmsg_len < CMSG_LEN(sizeof(struct rds_rdma_args)). Add the same check to rds_rm_size() so all three RDMA args passes are consistent. This is a consistency and hardening change with no behavioral effect for well-formed senders and no reachable bug today: rds_rdma_bytes() runs before rds_rm_size() in rds_sendmsg() and already rejects a short RDS_CMSG_RDMA_ARGS, so the size pass is not reached with an undersized cmsg. But rds_rm_size() reads the args independently of that earlier pass, and nothing in rds_rm_size() itself records or enforces the precondition, so a reader or a future refactor of the size pass cannot tell the cmsg has already been length-checked. Applying the same cmsg_len guard in all three RDS_CMSG_RDMA_ARGS consumers keeps that invariant local to each and robust to reordering. Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com> Reviewed-by: Allison Henderson <achender@kernel.org> Link: https://patch.msgid.link/20260617023146.2780077-1-michael.bommarito@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-18selftests: net: fix file owner for broadcast_ether_dst testRoss Porter
Ensure the output file is always owned by root (even if tcpdump was compiled with `--with-user`), by passing the `-Z root` argument when invoking it. Cc: stable@vger.kernel.org Reported-by: Edoardo Canepa <edoardo.canepa@canonical.com> Closes: https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/2129815 Fixes: bf59028ea8d4 ("selftests: net: add test for destination in broadcast packets") Suggested-by: Edoardo Canepa <edoardo.canepa@canonical.com> Tested-by: Ross Porter <ross.porter@canonical.com> Signed-off-by: Ross Porter <ross.porter@canonical.com> Link: https://patch.msgid.link/20260617061039.79717-2-ross.porter@canonical.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>