summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2026-06-15Merge tag 'core-rseq-2026-06-13' of ↵Linus Torvalds
gitolite.kernel.org:pub/scm/linux/kernel/git/tip/tip Pull rseq update from Thomas Gleixner: "A trivial update for RSEQ selftests to provide the config fragments which contain the config options required to actually run the tests" * tag 'core-rseq-2026-06-13' of gitolite.kernel.org:pub/scm/linux/kernel/git/tip/tip: selftests/rseq: Add config fragment
2026-06-15x86/ioperm: Prevent NULL dereference on theoretical missing IO bitmapLi RongQing
Outside the IOPL emulation path, the IO bitmap is always expected to be allocated when TIF_IO_BITMAP is set. The paranoid WARN_ON_ONCE() handles the case where the flag and the pointer got out of sync. In this theoretical scenario, which presumes some other bug in the code that triggers the WARN_ON_ONCe(), return early, instead of continuing and dereferencing a NULL pointer. [ mingo: Clarified the changelog. ] Signed-off-by: Li RongQing <lirongqing@baidu.com> Signed-off-by: Ingo Molnar <mingo@kernel.org> Reviewed-by: Sohil Mehta <sohil.mehta@intel.com> Cc: H. Peter Anvin <hpa@zytor.com> Link: https://patch.msgid.link/20260615070115.4720-1-lirongqing@baidu.com
2026-06-15ALSA: hda/realtek: Add CS35L41 I2C quirk for ASUS UM3405GAColton Jones
The ASUS Zenbook 14 UM3405GA uses a Realtek ALC294 codec with two Cirrus Logic CS35L41 speaker amplifiers exposed through the CSC3551 ACPI device. The machine reports the Realtek subsystem ID 1043:19f4. Without a PCI quirk, the codec falls back to generic pin matching and the internal speakers remain silent even though PCM playback completes. Add the UM3405GA subsystem ID and reuse the same ASUS I2C headset-mic fixup used by the closely related UM3406HA. That fixup configures the headset microphone pin and chains to CS35L41 I2C speaker-amp binding. Signed-off-by: Colton Jones <cjones1308@pm.me> Link: https://patch.msgid.link/20260615033619.7-1-cjones1308@pm.me Signed-off-by: Takashi Iwai <tiwai@suse.de>
2026-06-15Merge branch 'for-linus' into for-nextTakashi Iwai
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2026-06-15selftests/bpf: Work around llvm stack overflow in crypto progsAlexei Starovoitov
clang 23 fails to build crypto_bench.c and crypto_sanity.c with "BPF stack limit exceeded". The progs fill a 408-byte bpf_crypto_params on the stack and pass it to bpf_crypto_ctx_create(). clang 23 copies the byte-aligned cipher/key globals into it one byte at a time through the stack, and keeps more than one copy of the struct around. Together that blows the 512-byte limit. Align the source arrays to 8 bytes so the copy is word-wise, and move params off the stack into a static .bss var. static keeps it out of the skeleton, where bpf_crypto_params is an incomplete type. Either change alone is not enough. Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-15Merge tag 'driver-core-7.2-rc1' of ↵Linus Torvalds
gitolite.kernel.org:pub/scm/linux/kernel/git/driver-core/driver-core Pull driver core updates from Danilo Krummrich: "Deferred probe: - Fix race where deferred probe timeout work could be permanently canceled by using mod_delayed_work() - Fix missing jiffies conversion in deferred_probe_extend_timeout() - Guard timeout extension with delayed_work_pending() to prevent premature firing - Use system_percpu_wq instead of the deprecated system_wq - Update deferred_probe_timeout documentation device: - Replace direct struct device bitfield access (can_match, dma_iommu, dma_skip_sync, dma_ops_bypass, state_synced, dma_coherent, of_node_reused, offline, offline_disabled) with flag-based accessors using bit operations - Reject devices with unregistered buses - Delete unused DEVICE_ATTR_PREALLOC() - Add low-level device attribute macros with const show/store callbacks, allowing device attributes to reside in read-only memory - Move core device attributes to read-only memory - Constify group array pointers in driver_add_groups() / driver_remove_groups(), struct bus_type, and struct device_driver device property: - Fix fwnode reference leak in fwnode_graph_get_endpoint_by_id() - Initialize all fields of fwnode_handle in fwnode_init() - Provide swnode_get()/swnode_put() wrappers around kobject_get/put() - Allow passing struct software_node_ref_args pointers directly to PROPERTY_ENTRY_REF() driver_override: - Migrate amba, cdx, vmbus, and rpmsg to the generic driver_override infrastructure, fixing a UAF from unsynchronized access to driver_override in bus match() callbacks - Remove the now-unused driver_set_override() firmware loader: - Fix recursive lock deadlock in device_cache_fw_images() when async work falls back to synchronous execution - Fix device reference leak in firmware_upload_register() platform: - Pass KBUILD_MODNAME through the platform driver registration macro to create module symlinks in sysfs for built-in drivers; move module_kset initialization to a pure_initcall and tegra cbb registration to core_initcall to ensure correct ordering - Pass THIS_MODULE implicitly through a coresight_init_driver() macro sysfs: - Upgrade OOB write detection in sysfs_kf_seq_show() from printk to WARN - Add return value clamping to sysfs_kf_read() Rust: - ACPI: Fix missing match data for PRP0001 by exporting acpi_of_match_device() - Auxiliary: Replace drvdata() with dedicated registration data on auxiliary_device. drvdata() exposed the driver's bus device private data beyond the driver's own scope, creating ordering constraints and forcing the data to outlive all registrations that access it. Registration data is instead scoped structurally to the Registration object, making lifecycle ordering enforced by construction rather than convention. - Rust-native device driver lifetimes (HRT): Allow Rust device drivers to carry a lifetime parameter on their bus device private data, tied to the device binding scope -- the interval during which a bus device is bound to a driver. Device resources like pci::Bar<'a> and IoMem<'a> can be stored directly in the driver's bus device private data with a lifetime bounded by the binding scope, so the compiler enforces at build time that they do not outlive the binding. This removes Devres indirection from every access site and eliminates try_access() failure paths in destructors. Bus driver traits use a Generic Associated Type (GAT) Data<'bound> to introduce the lifetime on the private data, rather than parameterizing the Driver trait itself. Auxiliary registration data, where the lifetime is not introduced by a trait callback but must be threaded through Registration, uses the ForLt trait (a type-level abstraction for types generic over a lifetime). Misc: - Fix DT overlayed devices not probing by reverting the broken treewide overlay fix and re-running fw_devlink consumer pickup when an overlay is applied to a bound device - Use root_device_register() for faux bus root device; add sanity check for failed bus init - Fix dev_has_sync_state() data race with READ_ONCE() and move it to base.h - Avoid spurious device_links warning when removing a device while its supplier is unbinding - Switch ISA bus to dynamic root device - Fix suspicious RCU usage in kernfs_put() - Remove devcoredump exit callback - Constify devfreq_event_class" * tag 'driver-core-7.2-rc1' of gitolite.kernel.org:pub/scm/linux/kernel/git/driver-core/driver-core: (81 commits) software node: allow passing reference args to PROPERTY_ENTRY_REF() driver core: platform: set mod_name in driver registration coresight: pass THIS_MODULE implicitly through a macro kernel: param: initialize module_kset in a pure_initcall soc/tegra: cbb: Move driver registration from pure_initcall to core_initcall firmware_loader: Fix recursive lock in device_cache_fw_images() driver core: Use system_percpu_wq instead of system_wq driver core: remove driver_set_override() rpmsg: use generic driver_override infrastructure Drivers: hv: vmbus: use generic driver_override infrastructure cdx: use generic driver_override infrastructure amba: use generic driver_override infrastructure rust: devres: add 'static bound to Devres<T> samples: rust: rust_driver_auxiliary: showcase lifetime-bound registration data rust: auxiliary: generalize Registration over ForLt rust: types: add `ForLt` trait for higher-ranked lifetime support gpu: nova-core: separate driver type from driver data samples: rust: rust_driver_pci: use HRT lifetime for Bar rust: io: make IoMem and ExclusiveIoMem lifetime-parameterized rust: pci: make Bar lifetime-parameterized ...
2026-06-15accel/ivpu: fix HWS command queue leak on registration failureKarol Wachowski
A command queue is considered valid and usable by the driver only when it has a doorbell ID assigned (db_id != 0), meaning both the FW cmdq creation and doorbell registration completed successfully. However, when either ivpu_register_db() or set_context_sched_properties() fails after ivpu_hws_cmdq_init() has already created the cmdq in FW, the command queue is left registered in FW while the driver treats it as uninitialized (db_id remains 0). On the next submission attempt the driver tries to register the same cmdq again, which fails because FW already has an entry for it. Fix by calling ivpu_jsm_hws_destroy_cmdq() on error paths to properly unwind FW state and allow subsequent registration attempts to succeed. Fixes: 465a3914b254 ("accel/ivpu: Add API for command queue create/destroy/submit") Reviewed-by: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com> Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com> Link: https://patch.msgid.link/20260611055140.948684-1-karol.wachowski@linux.intel.com
2026-06-15Merge tag 'pm-7.2-rc1' of ↵Linus Torvalds
gitolite.kernel.org:pub/scm/linux/kernel/git/rafael/linux-pm Pull power management updates from Rafael Wysocki: "Over a half of the changes here are cpufreq updates that include core modifications, fixes of the old-style governors, new hardware support in drivers, assorded driver fixes and cleanups, and the removal of one driver (AMD Elan SC4*). Apart from that, the intel_idle driver will now be able to avoid exposing redundant C-states if PC6 is disabled and there are new sysctl knobs for device suspend/resume watchdog timeouts, hibernation gets built-in LZ4 support for image compression and there is the usual collection of assorted fixes and cleanups. Specifics: - Fix a race between cpufreq suspend and CPU hotplug during system shutdown (Tianxiang Chen) - Avoid redundant target() calls for unchanged limits and fix a typo in a comment in the cpufreq core (Viresh Kumar) - Fix concurrency issues related to sysfs attributes access that affect cpufreq governors using the common governor code (Zhongqiu Han) - Simplify frequency limit handling in the conservative cpufreq governor (Lifeng Zheng) - Fix descriptions of the conservative governor freq_step tunable and the ondemand governor sampling_down_factor tunable in the cpufreq documentation (Pengjie Zhang) - Fix use-after-free and double free during _OSC evaluation in the PCC cpufreq driver (Yuho Choi) - Rework the handling of policy min and max frequency values in the cpufreq core to allow drivers to specify special initial values for the scaling_min_freq and scaling_max_freq sysfs attributes (Pierre Gondois) - Add cpufreq scaling support for Qualcomm Shikra SoC (Taniya Das, Imran Shaik). - Improve the warning message on HWP-disabled hybrid processors printed by the intel_pstate driver and sync policy->cur during CPU offline in it (Yohei Kojima, Fushuai Wang) - Drop cpufreq support for AMD Elan SC4* (Sean Young) - Minor fixes for cpufreq drivers (Krzysztof Kozlowski, Akashdeep Kaur, Hans Zhang, Guangshuo Li, Xueqin Luo) - Clean up dead dependencies on X86 in the cpufreq Kconfig (Julian Braha) - Allow the intel_idle driver to avoid exposing C-states that are redundant when PC6 is disabled (Artem Bityutskiy) - Fix memory leak and a potential race in the OPP core (Abdun Nihaal, Di Shen) - Mark Rust OPP methods as inline (Nicolás Antinori) - Fix misc device registration failure path in the PM QoS core (Yuho Choi) - Add sysctl interface for DPM watchdog timeouts (Tzung-Bi Shih) - Use complete() instead of complete_all() in device_pm_sleep_init() to avoid a false-positive warning from lockdep_assert_RT_in_threaded_ctx() when CONFIG_PROVE_RAW_LOCK_NESTING is enabled (Jiakai Xu) - Use a flexible array for CRC uncompressed buffers during hibernation image saving (Rosen Penev) - Make the LZ4 algorithm available for hibernation compression (l1rox3) - Move the preallocate_image() call during hibernation after the "prepare" phase of the "freeze" transition (Matthew Leach) - Fix a memory leak in rapl_add_package_cpuslocked() in the intel_rapl power capping driver and use sysfs_emit() in cpumask_show() in that driver (Sumeet Pawnikar, Yury Norov) - Fix ValueError when parsing incomplete device properties in the pm-graph utility (Gongwei Li)" * tag 'pm-7.2-rc1' of gitolite.kernel.org:pub/scm/linux/kernel/git/rafael/linux-pm: (40 commits) PM: dpm_watchdog: Add sysctl interface for DPM watchdog timeouts PM: QoS: Fix misc device registration unwind cpufreq: Use policy->min/max init as QoS request cpufreq: Remove driver default policy->min/max init cpufreq: Set default policy->min/max values for all drivers cpufreq: Extract cpufreq_policy_init_qos() function cpufreq: Documentation: fix conservative governor freq_step description cpufreq: ti: Add EPROBE_DEFER for K3 SoCs cpufreq: qcom: Add cpufreq scaling support for Qualcomm Shikra SoC dt-bindings: cpufreq: Document Qualcomm Shikra SoC EPSS powercap: intel_rapl: Use sysfs_emit() in cpumask_show() cpufreq: governor: Fix stale prev_cpu_nice spike when enabling ignore_nice_load cpufreq: governor: Fix data races on per-CPU idle/nice baselines PM: hibernate: Use flexible array for CRC uncompressed buffers powercap: intel_rapl: Fix memory leak in rapl_add_package_cpuslocked() PM: hibernate: make LZ4 available for hibernation compression PM: sleep: Use complete() in device_pm_sleep_init() opp: rust: mark OPP methods as inline cpufreq: intel_pstate: Improve warning message on HWP-disabled hybrid CPUs cpufreq: elanfreq: Drop support for AMD Elan SC4* ...
2026-06-15Merge tag 'thermal-7.2-rc1' of ↵Linus Torvalds
gitolite.kernel.org:pub/scm/linux/kernel/git/rafael/linux-pm Pull thermal control updates from Rafael Wysocki: "These add new hardware support (i.MX93 TMU, Amlogic T7, Intel Arrow Lake, QCom Nord, Shikra and Hawi), fix issues in a number of places in the thermal control core and drivers, clean up code and refactor it in preparation for future changes: - Rework the initialization and cleanup of thermal class cooling devices to separate DT-based cooling device registration and cooling device registration without DT (Daniel Lezcano, Ovidiu Panait) - Update the cooling device DT bindings to support 3-cell cooling device representation, where the additional cell holds an ID to select a cooling mechanism for devices that offer multiple cooling mechanisms, and adjust the cooling device registration code accordingly (Gaurav Kohli, Daniel Lezcano) - Remove dead code from two functions in the thermal core and simplify the unregistration of thermal governors (Rafael Wysocki) - Fix critical temperature attribute removal handling in the generic thermal zone hwmon support code and rework that code to register a separate hwmon class device for each thermal zone (instead of using one hwmon class device for all thermal zones of the same type) to address thermal zone removal deadlocks (Rafael Wysocki) - Use attribute groups for adding temperature attributes to hwmon class devices associated with thermal zones (Rafael Wysocki) - Pass WQ_UNBOUND when allocating the thermal workqueue (Marco Crivellari) - Fix potential shift overflow in ptc_mmio_write() and improve error handling in proc_thermal_ptc_add() in the int340x thermal control driver (Aravind Anilraj) - Use sysfs_emit() for cpumask printing in the Intel powerclamp thermal driver (Yury Norov) - Add Arrow Lake CPU models to the intel_tcc_cooling driver (Srinivas Pandruvada) - Add QCom Nord, Shikra and Hawi temperature sensor DT bindings (Deepti Jaggi, Gaurav Kohli, Dipa Ramesh Mantre) - Use devm_add_action_or_reset() for clock disable on the NVidia soctherm and switch it to devm cooling device registration version (Daniel Lezcano) - Add the Amlogic T7 thermal sensor along with thermal calibration data read from SMC calls (Ronald Claveau) - Fix atomic temperature read in the QCom tsens driver to comply with hardware documentation (Priyansh Jain) - Add SpacemiT K1 thermal sensor support (Shuwei Wu) - Add i.MX93 temperature sensor support and filter out the invalid temperature (Jacky Bai) - Enable by default the TMU (Thermal Monitoring Unit) on Exynos platform (Krzysztof Kozlowski) - Rework interrupt initialization in the Tsens driver and add the optional wakeup source (Priyansh Jain) - Fix typo in a comment in the TSens QCom driver (Jinseok Kim) - Fix trailing whitespace and repeated word in the OF code, remove quoted string splitting across lines from the iMX7 driver, and remove a stray space from the thermal_trip_of_attr() macro definition (Mayur Kumar) - Update the thermal testing facility code to avoid NULL pointer dereferences by rejecting missing command arguments and replace sscanf() with kstrtoint() or kstrtoul() in that code (Ovidiu Panait, Samuel Moelius)" * tag 'thermal-7.2-rc1' of gitolite.kernel.org:pub/scm/linux/kernel/git/rafael/linux-pm: (54 commits) thermal: sysfs: Replace sscanf() with kstrtoul() thermal: testing: Replace sscanf() with kstrtoint() thermal: testing: reject missing command arguments thermal: intel: intel_tcc_cooling: Add Arrow Lake CPU models thermal/drivers/qcom/tsens: Disable wakeup interrupt setup on automotive targets thermal/drivers/qcom/tsens: Switch wake IRQ handling to PM callbacks thermal/core: Fix missing stub for devm_thermal_cooling_device_register dt-bindings: thermal: cooling-devices: Update support for 3 cells cooling device thermal/of: Support cooling device ID in cooling-spec thermal/of: Pass cdev_id and introduce devm registration helper thermal/of: Add cooling device ID support thermal/of: Rename the devm_thermal_of_cooling_device_register() function thermal/core: Make cooling device OF node conditional on CONFIG_THERMAL_OF thermal/of: Move cooling device OF helpers out of thermal core hwmon: Use non-OF thermal cooling device registration API thermal/core: Add devm_thermal_cooling_device_register() thermal/core: Introduce non-OF thermal_cooling_device_register() thermal/drivers/samsung: Enable TMU by default thermal/driver/qoriq: Workaround unexpected temperature readings from tmu thermal/drivers/qoriq: Add i.MX93 tmu support ...
2026-06-15Merge tag 'acpi-7.2-rc1' of ↵Linus Torvalds
gitolite.kernel.org:pub/scm/linux/kernel/git/rafael/linux-pm Pull ACPI support updates from Rafael Wysocki: "These update the ACPICA code in the kernel to upstream version 20260408, introduce support for devres-based management of ACPI notify handlers and update some core ACPI device drivers on top of that (which includes some fixes and cleanups), add _DEP support for PCI/CXL roots and Intel CVS devices, fix a couple of assorted issues and clean up code: - Fix multiple issues related to probe, removal and missing NVDIMM device notifications in the ACPI NFIT driver (Rafael Wysocki) - Add support for devres-based management of ACPI notify handlers to the ACPI core (Rafael Wysocki) - Switch multiple core ACPI device drivers (including the ACPI PAD, ACPI video bus, ACPI HED, ACPI thermal zone, ACPI AC, ACPI battery, and ACPI NFIT drivers) over to using devres-based resource management during probe (Rafael Wysocki) - Replace mutex_lock/unlock() with guard()/scoped_guard() in the ACPI PMIC driver (Maxwell Doose) - Fix message kref handling in the dead device path of the ACPI IPMI address space handler (Yuho Choi) - Use sysfs_emit() in idlecpus_show() in the ACPI processor aggregator device (PAD) driver (Yury Norov) - Clean up device_id_scheme initialization in the ACPI video bus driver (Jean-Ralph Aviles) - Clean up lid handling in the ACPI button driver and acpi_button_probe(), reorganize installing and removing event handlers in that driver and switch it over to using devres-based resource management during probe (Rafael Wysocki) - Add support for the Legacy Virtual Register (LVR) field in I2C serial bus resource descriptors to ACPICA (Akhil R) - Fix multiple issues related to bounds checks, input validation, use-after-free, and integer overflow checks in the AML interpreter in ACPICA (ikaros) - Update the copyright year to 2026 in ACPICA files and make minor changes related to ACPI 6.6 support (Pawel Chmielewski) - Remove spurious precision from format used to dump parse trees in ACPICA (David Laight) - Add modern standby DSM GUIDs to ACPICA header files (Daniel Schaefer) - Fix FADT 32/64X length mismatch warning in ACPICA (Abdelkader Boudih) - Update D3hot/cold device power states definitions in ACPICA header files (Aymeric Wibo) - Fix NULL pointer dereference in acpi_ns_custom_package() (Weiming Shi) - Update ACPICA version to 20260408 (Saket Dumbre) - Add cpuidle driver check in acpi_processor_register_idle_driver() to avoid evaluating _CST unnecessarily (Tony W Wang-oc) - Suppress UBSAN warning caused by field misuse during PCC-based register access in the ACPI CPPC library (Jeremy Linton) - Add support for CPPC v4 to the ACPI CPPC library (Sumit Gupta) - Update the ACPI device enumeration code to honor _DEP for ACPI0016 PCI/CXL host bridges and make the ACPI PCI root driver clear _DEP dependencies for PCI roots that have become operational (Chen Pei)" * tag 'acpi-7.2-rc1' of gitolite.kernel.org:pub/scm/linux/kernel/git/rafael/linux-pm: (74 commits) ACPI: processor: Add cpuidle driver check in acpi_processor_register_idle_driver() ACPI: IPMI: Fix message kref handling on dead device ACPI: CPPC: Suppress UBSAN warning caused by field misuse ACPI: scan: Honor _DEP for Intel CVS devices ACPI: NFIT: core: Fix possible deadlock and missing notifications ACPI: NFIT: core: Eliminate redundant local variable ACPI: NFIT: core: Fix acpi_nfit_init() error cleanup ACPI: NFIT: core: Fix possible NULL pointer dereference ACPI: bus: Clean up devm_acpi_install_notify_handler() ACPI: button: Switch over to devres-based resource management ACPI: button: Reorganize installing and removing event handlers ACPI: button: Use string literals for generating netlink messages ACPI: button: Clean up adding and removing lid procfs interface ACPI: button: Merge two switch () statements in acpi_button_probe() ACPI: button: Drop redundant variable from acpi_button_probe() ACPI: button: Rework device verification during probe ACPI: CPPC: Add support for CPPC v4 ACPI: PAD: Use sysfs_emit() in idlecpus_show() ACPI: scan: Honor _DEP for ACPI0016 PCI/CXL host bridge ACPI: PCI: Clear _DEP dependencies after PCI root bridge attach ...
2026-06-15Merge tag 'nolibc-20260614-for-7.2-1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/nolibc/linux-nolibc Pull nolibc updates from Thomas Weißschuh: - New architectures: OpenRISC and 32-bit parisc - New library functionality: alloca(), assert(), creat() and ftruncate() - Automatic large file support - Proper 64-bit system call argument passing on x32 and MIPS N32 - Cleanups of the testmatrix - Various bugfixes and cleanups * tag 'nolibc-20260614-for-7.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/nolibc/linux-nolibc: (37 commits) selftests/nolibc: test against -Wwrite-strings selftests/nolibc: use mutable buffer for execve() argv string tools/nolibc: cast default values of program_invocation_name tools/nolibc: add ftruncate() tools/nolibc: add a helper to split a 64-bit argument into 32-bit halves selftests/nolibc: enable CONFIG_TMPFS for sparc32 tools/nolibc: stackprotector: Avoid stalling program startup if crng is not init yet tools/nolibc: getopt: Fix potential out of bounds access selftests/nolibc: test open mode handling tools/nolibc: always pass mode to open syscall tools/nolibc: split open mode handling into a macro tools/nolibc: split implicit open flags into a macro tools/nolibc: add support for 32-bit parisc selftests/nolibc: avoid function pointer comparisons tools/nolibc: add support for OpenRISC / or1k selftests/nolibc: use vmlinux for MIPS tests selftests/nolibc: trim IMAGE mappings selftests/nolibc: trim DEFCONFIG mappings selftests/nolibc: trim QEMU_ARCH mappings selftests/nolibc: use QEMU_ARCH for QEMU_ARCH_USER ...
2026-06-14Merge branch 'bpf-skmsg-some-fixes-for-skmsg'Alexei Starovoitov
Jiayuan Chen says: ==================== bpf, skmsg: some fixes for skmsg All fixes are from previous patches sent by Weiming Shi, Zhang Cen, Kuniyuki and Sechang Lim, which have already been reviewed by me and John and Jakub. https://lore.kernel.org/bpf/20260610081218.506709-2-rhkrqnwk98@gmail.com/ https://lore.kernel.org/bpf/20260520102715.3033936-1-rollkingzzc@gmail.com/ https://lore.kernel.org/bpf/20260424191602.1522411-3-bestswngs@gmail.com/ https://lore.kernel.org/bpf/20260423155807.1245644-2-bestswngs@gmail.com/ https://lore.kernel.org/bpf/20260221233234.3814768-4-kuniyu@google.com/ The automated reviewer (sashiko) may still flag a few other potential issues on top of this series. After looking into them, they are either already covered by the patches here, are the BPF program's own responsibility (e.g. initializing the payload it pushes) and intentionally left out, or only reachable under very narrow conditions that require a specially crafted BPF program and an unusual sk_msg ring state, so they are not practical to trigger and are left out of this series. I'm collecting these fixes together because the same problems have been re-sent many times in slightly different forms, and I hope this series can be prioritized for merging so the duplicates can finally settle. With so many AI-generated patches floating around for these spots, leaving them unmerged just keeps wasting maintainer review cycles on the same issues. v3->v4: Carry Kuniyuki Iwashima's reviewed-by tag. Drop the __GFP_ZERO patch; initializing the pushed payload is the BPF program's responsibility, not the kernel's (per maintainer feedback). https://lore.kernel.org/bpf/20260612130919.299124-1-jiayuan.chen@linux.dev/ v2->v3: Target to bpf-next and carry Emil's reviewed-by tag. Reverse xmas tree style is used suggested by Cong. (not all code match reverse xmas tree due to variable dependency) v1->v2: fix problem when fix the conflict. ==================== Link: https://patch.msgid.link/20260615021959.140010-1-jiayuan.chen@linux.dev Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14selftests/bpf: add test for bpf_msg_pop_data() overflowSechang Lim
Add a test in sockmap_basic.c that calls bpf_msg_pop_data() with a length close to U32_MAX, which overflows the start + len bounds check. The sk_msg program records the return value over a sendmsg and the test checks that the call is rejected with -EINVAL. Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Cc: Jiayuan Chen <jiayuan.chen@linux.dev> Signed-off-by: Sechang Lim <rhkrqnwk98@gmail.com> Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev> Link: https://lore.kernel.org/r/20260615021959.140010-7-jiayuan.chen@linux.dev Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14bpf, sockmap: fix integer overflow in bpf_msg_pop_data() bounds checkSechang Lim
start and len are u32, so u64 last = start + len; evaluates start + len in 32-bit and wraps before storing it in last. The bounds check if (start >= offset + l || last > msg->sg.size) return -EINVAL; can then be passed with an out-of-range start/len, after which the pop loop runs off the end of the scatterlist and sk_msg_shift_left() calls put_page() on the empty msg->sg.end slot: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] RIP: 0010:sk_msg_shift_left net/core/filter.c:2957 [inline] RIP: 0010:____bpf_msg_pop_data net/core/filter.c:3103 [inline] RIP: 0010:bpf_msg_pop_data+0x753/0x1a10 net/core/filter.c:2984 Call Trace: <TASK> bpf_prog_4cc92c278f4d5d56+0x1b1/0x1e8 bpf_prog_run_pin_on_cpu+0x107/0x320 include/linux/filter.h:746 sk_psock_msg_verdict+0x357/0x7f0 net/core/skmsg.c:934 tcp_bpf_send_verdict net/ipv4/tcp_bpf.c:420 [inline] tcp_bpf_sendmsg+0x766/0x1ae0 net/ipv4/tcp_bpf.c:583 __sock_sendmsg+0x153/0x1c0 net/socket.c:802 __sys_sendto+0x326/0x430 net/socket.c:2265 __x64_sys_sendto+0xe3/0x100 net/socket.c:2268 do_syscall_64+0x14c/0x480 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Widen the addition with a (u64) cast so the bound is evaluated in 64-bit and a len near U32_MAX no longer wraps below msg->sg.size. While here, change pop from int to u32. It counts bytes against the unsigned scatterlist lengths and can never be negative, so the signed type only invites sign-confusion in the pop loop. Fixes: 7246d8ed4dcc ("bpf: helper to pop data from messages") Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com> Signed-off-by: Sechang Lim <rhkrqnwk98@gmail.com> Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev> Link: https://lore.kernel.org/r/20260615021959.140010-6-jiayuan.chen@linux.dev Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14sockmap: Fix use-after-free in udp_bpf_recvmsg()Kuniyuki Iwashima
syzbot reported use-after-free of struct sk_msg in sk_msg_recvmsg(). [0] sk_msg_recvmsg() peeks sk_msg from psock->ingress_msg under a lock, but its processing is lockless. Thus, sk_msg_recvmsg() must be serialised by callers, otherwise multiple threads could touch the same sk_msg. For example, TCP uses lock_sock(), and AF_UNIX uses unix_sk(sk)->iolock. Initially, udp_bpf_recvmsg() had used lock_sock(), but the cited commit removed it. Let's serialise sk_msg_recvmsg() with lock_sock() in udp_bpf_recvmsg(). Note that holding spin_lock_bh(&sk->sk_receive_queue.lock) is not an option due to copy_page_to_iter() in sk_msg_recvmsg(). [0]: BUG: KASAN: slab-use-after-free in sk_msg_recvmsg+0xb54/0xc30 net/core/skmsg.c:428 Read of size 4 at addr ffff88814cdcf000 by task syz.0.24/6020 CPU: 1 UID: 0 PID: 6020 Comm: syz.0.24 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026 Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xba/0x230 mm/kasan/report.c:482 kasan_report+0x117/0x150 mm/kasan/report.c:595 sk_msg_recvmsg+0xb54/0xc30 net/core/skmsg.c:428 udp_bpf_recvmsg+0x4bd/0xe00 net/ipv4/udp_bpf.c:84 inet_recvmsg+0x260/0x270 net/ipv4/af_inet.c:891 sock_recvmsg_nosec net/socket.c:1078 [inline] sock_recvmsg+0x1a8/0x270 net/socket.c:1100 ____sys_recvmsg+0x1e6/0x4a0 net/socket.c:2812 ___sys_recvmsg+0x215/0x590 net/socket.c:2854 do_recvmmsg+0x334/0x800 net/socket.c:2949 __sys_recvmmsg net/socket.c:3023 [inline] __do_sys_recvmmsg net/socket.c:3046 [inline] __se_sys_recvmmsg net/socket.c:3039 [inline] __x64_sys_recvmmsg+0x198/0x250 net/socket.c:3039 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb319f9aeb9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fb31ad97028 EFLAGS: 00000246 ORIG_RAX: 000000000000012b RAX: ffffffffffffffda RBX: 00007fb31a216090 RCX: 00007fb319f9aeb9 RDX: 0000000000000001 RSI: 0000200000000400 RDI: 0000000000000004 RBP: 00007fb31a008c1f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000040000021 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fb31a216128 R14: 00007fb31a216090 R15: 00007ffe21dd0a98 </TASK> Allocated by task 6019: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 poison_kmalloc_redzone mm/kasan/common.c:398 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415 kasan_kmalloc include/linux/kasan.h:263 [inline] __kmalloc_cache_noprof+0x3d1/0x6e0 mm/slub.c:5780 kmalloc_noprof include/linux/slab.h:957 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] alloc_sk_msg net/core/skmsg.c:510 [inline] sk_psock_skb_ingress_self+0x60/0x350 net/core/skmsg.c:612 sk_psock_verdict_apply net/core/skmsg.c:1038 [inline] sk_psock_verdict_recv+0x7d9/0x8d0 net/core/skmsg.c:1236 udp_read_skb+0x73e/0x7e0 net/ipv4/udp.c:2045 sk_psock_verdict_data_ready+0x12d/0x550 net/core/skmsg.c:1257 __udp_enqueue_schedule_skb+0xc54/0x10b0 net/ipv4/udp.c:1789 __udp_queue_rcv_skb net/ipv4/udp.c:2346 [inline] udp_queue_rcv_one_skb+0xac5/0x19c0 net/ipv4/udp.c:2475 __udp4_lib_mcast_deliver+0xc06/0xcf0 net/ipv4/udp.c:2585 __udp4_lib_rcv+0x10f6/0x2620 net/ipv4/udp.c:2724 ip_protocol_deliver_rcu+0x282/0x440 net/ipv4/ip_input.c:207 ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:241 NF_HOOK+0x336/0x3c0 include/linux/netfilter.h:318 dst_input include/net/dst.h:474 [inline] ip_sublist_rcv_finish+0x221/0x2a0 net/ipv4/ip_input.c:584 ip_list_rcv_finish net/ipv4/ip_input.c:628 [inline] ip_sublist_rcv+0x5c6/0xa70 net/ipv4/ip_input.c:644 ip_list_rcv+0x3f1/0x450 net/ipv4/ip_input.c:678 __netif_receive_skb_list_ptype net/core/dev.c:6195 [inline] __netif_receive_skb_list_core+0x7e5/0x810 net/core/dev.c:6242 __netif_receive_skb_list net/core/dev.c:6294 [inline] netif_receive_skb_list_internal+0x995/0xcf0 net/core/dev.c:6385 netif_receive_skb_list+0x54/0x410 net/core/dev.c:6437 xdp_recv_frames net/bpf/test_run.c:269 [inline] xdp_test_run_batch net/bpf/test_run.c:350 [inline] bpf_test_run_xdp_live+0x1946/0x1cf0 net/bpf/test_run.c:379 bpf_prog_test_run_xdp+0x81c/0x1160 net/bpf/test_run.c:1396 bpf_prog_test_run+0x2c7/0x340 kernel/bpf/syscall.c:4703 __sys_bpf+0x5cb/0x920 kernel/bpf/syscall.c:6182 __do_sys_bpf kernel/bpf/syscall.c:6274 [inline] __se_sys_bpf kernel/bpf/syscall.c:6272 [inline] __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6272 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 6021: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:253 [inline] __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285 kasan_slab_free include/linux/kasan.h:235 [inline] slab_free_hook mm/slub.c:2540 [inline] slab_free mm/slub.c:6674 [inline] kfree+0x1be/0x650 mm/slub.c:6882 kfree_sk_msg include/linux/skmsg.h:385 [inline] sk_msg_recvmsg+0xaa8/0xc30 net/core/skmsg.c:483 udp_bpf_recvmsg+0x4bd/0xe00 net/ipv4/udp_bpf.c:84 inet_recvmsg+0x260/0x270 net/ipv4/af_inet.c:891 sock_recvmsg_nosec net/socket.c:1078 [inline] sock_recvmsg+0x1a8/0x270 net/socket.c:1100 ____sys_recvmsg+0x1e6/0x4a0 net/socket.c:2812 ___sys_recvmsg+0x215/0x590 net/socket.c:2854 do_recvmmsg+0x334/0x800 net/socket.c:2949 __sys_recvmmsg net/socket.c:3023 [inline] __do_sys_recvmmsg net/socket.c:3046 [inline] __se_sys_recvmmsg net/socket.c:3039 [inline] __x64_sys_recvmmsg+0x198/0x250 net/socket.c:3039 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fixes: 9f2470fbc4cb ("skmsg: Improve udp_bpf_recvmsg() accuracy") Reported-by: syzbot+9307c991a6d07ce6e6d8@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/69922ac9.a70a0220.2c38d7.00e0.GAE@google.com/ Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev> Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com> Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev> Link: https://lore.kernel.org/r/20260615021959.140010-5-jiayuan.chen@linux.dev Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14bpf, sockmap: keep sk_msg copy state in syncZhang Cen
SK_MSG uses msg->sg.copy as per-scatterlist-entry provenance. Entries with this bit set are copied before data/data_end are exposed to SK_MSG BPF programs for direct packet access. bpf_msg_pull_data(), bpf_msg_push_data(), and bpf_msg_pop_data() rewrite the sk_msg scatterlist ring by collapsing, splitting, and shifting entries. These operations move msg->sg.data[] entries, but the parallel copy bitmap can be left behind on the old slot. A copied entry can then return to msg->sg.start with its copy bit clear and be exposed as directly writable packet data. This corruption path requires an attached SK_MSG BPF program that calls the mutating helpers; ordinary sockmap/TLS traffic that never runs push/pop/pull helper sequences is not affected. Keep msg->sg.copy synchronized with scatterlist entry moves, preserve the copy bit when an entry is split, clear it when a helper replaces an entry with a private page, and clear slots vacated by pull-data compaction. Fixes: 015632bb30da ("bpf: sk_msg program helper bpf_sk_msg_pull_data") Fixes: 6fff607e2f14 ("bpf: sk_msg program helper bpf_msg_push_data") Fixes: 7246d8ed4dcc ("bpf: helper to pop data from messages") Cc: stable@vger.kernel.org Co-developed-by: Han Guidong <2045gemini@gmail.com> Reviewed-by: John Fastabend <john.fastabend@gmail.com> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com> Signed-off-by: Han Guidong <2045gemini@gmail.com> Signed-off-by: Zhang Cen <rollkingzzc@gmail.com> Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev> Link: https://lore.kernel.org/r/20260615021959.140010-4-jiayuan.chen@linux.dev Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14bpf, sockmap: Fix wrong rsge offset in bpf_msg_push_data()Weiming Shi
When bpf_msg_push_data() splits a scatterlist element into head and tail, the tail's page offset is advanced by `start` (absolute message byte offset) instead of `start - offset` (byte position within the element). This makes rsge.offset overshoot by `offset` bytes, pointing to the wrong location within the page or beyond its boundary. Consumers of the corrupted entry either silently read wrong data or trigger an out-of-bounds access. BUG: KASAN: slab-use-after-free in bpf_msg_pull_data (net/core/filter.c:2728) Read of size 32752 at addr ffff8881042f0010 by task poc/130 Call Trace: __asan_memcpy (mm/kasan/shadow.c:105) bpf_msg_pull_data (net/core/filter.c:2728) bpf_prog_run_pin_on_cpu (include/linux/bpf.h:1402) sk_psock_msg_verdict (net/core/skmsg.c:934) tcp_bpf_send_verdict (net/ipv4/tcp_bpf.c:421) sock_sendmsg_nosec (net/socket.c:727) Fixes: 6fff607e2f14 ("bpf: sk_msg program helper bpf_msg_push_data") Reported-by: Xiang Mei <xmei5@asu.edu> Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com> Signed-off-by: Weiming Shi <bestswngs@gmail.com> Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev> Link: https://lore.kernel.org/r/20260615021959.140010-3-jiayuan.chen@linux.dev Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14bpf, sockmap: reject overflowing copy + len in bpf_msg_push_data()Weiming Shi
When the scatterlist ring is full or nearly full, bpf_msg_push_data() enters a copy fallback path and computes copy + len for the page allocation size. Since len comes from BPF with arg3_type = ARG_ANYTHING and both are u32, a crafted len can wrap the sum to a small value, causing an undersized allocation followed by an out-of-bounds memcpy. BUG: unable to handle page fault for address: ffffed104089a402 Oops: Oops: 0000 [#1] SMP KASAN NOPTI Call Trace: __asan_memcpy (mm/kasan/shadow.c:105) bpf_msg_push_data (net/core/filter.c:2852 net/core/filter.c:2788) bpf_prog_9ed8b5711920a7d7+0x2e/0x36 sk_psock_msg_verdict (net/core/skmsg.c:934) tcp_bpf_sendmsg (net/ipv4/tcp_bpf.c:421 net/ipv4/tcp_bpf.c:584) __sys_sendto (net/socket.c:2206) do_syscall_64 (arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Add an overflow check before the allocation. Link: https://lore.kernel.org/all/20260424155913.A19FDC19425@smtp.kernel.org Fixes: 6fff607e2f14 ("bpf: sk_msg program helper bpf_msg_push_data") Tested-by: Xiang Mei <xmei5@asu.edu> Tested-by: Xinyu Ma <mmmxny@gmail.com> Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com> Signed-off-by: Weiming Shi <bestswngs@gmail.com> Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev> Link: https://lore.kernel.org/r/20260615021959.140010-2-jiayuan.chen@linux.dev Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14selftsets/bpf: Retry map update on helper_fill_hashmap()Gabriele Monaco
helper_fill_hashmap() is used also on parallel and stress map tests. Those are consistently failing with ENOMEM on kernels built with PREEMPT_RT if preallocation is disabled. The failure is transient and only called by the memory cache refill running in a preemptible irq_work, which can easily stall in case of contention. Use a retriable update in those cases to handle transient ENOMEM and make the test more stable also on PREEMPT_RT. Also fix the sign of the value printed in case of error (strerror() expects a positive errno while updates return it negative). Signed-off-by: Gabriele Monaco <gmonaco@redhat.com> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Link: https://lore.kernel.org/r/20260611150704.95133-1-gmonaco@redhat.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-15Merge tag 'rust-7.2' of gitolite.kernel.org:pub/scm/linux/kernel/git/ojeda/linuxLinus Torvalds
Pull Rust updates from Miguel Ojeda: "This one is big due to the vendoring of the `zerocopy` library, which allows us to replace a bunch of `unsafe` code dealing with conversions between byte sequences and other types with safe alternatives. More details on that below (and in its merge commit). Toolchain and infrastructure: - Introduce support for the 'zerocopy' library [1][2]: Fast, safe, compile error. Pick two. Zerocopy makes zero-cost memory manipulation effortless. We write `unsafe` so you don't have to. It essentially provides derivable traits (e.g. 'FromBytes') and macros (e.g. 'transmute!') for safely converting between byte sequences and other types. Having such support allows us to remove some 'unsafe' code. It is among the most downloaded Rust crates and it is also used by the Rust compiler itself. It is licensed under "BSD-2-Clause OR Apache-2.0 OR MIT". The crates are imported essentially as-is (only +2/-3 lines needed to be adapted), plus SPDX identifiers. Upstream has since added the SPDX identifiers as well as one of the tweaks at my request, thus reducing our future diffs on updates -- I keep the details in one of our usual live lists [3]. In total, it is about ~39k lines added, ~32k without counting 'benches/' which are just for documentation purposes. The series includes a few Kbuild and rust-analyzer improvements and an example patch using it in Nova, removing one 'unsafe impl'. I checked that the codegen of an isolated example function (similar to the Nova patch on top) is essentially identical. It also turns out that (for that particular case) the 'zerocopy' version, even with 'debug-assertions' enabled, has no remaining panics, unlike a few in the current code (since the compiler can prove the remaining 'ub_checks' statically). So their "fast, safe" does indeed check out -- at least in that case. - Support AutoFDO. This allows Rust code to be profiled and optimized based on the profile. Tested with Rust Binder: ~13% slower without AutoFDO in the binderAddInts benchmark (using an app-launch benchmark for the profile). - Support Software Tag-Based KASAN. In addition, fix KASAN Kconfig by requiring Clang. - Add Kconfig options for each existing Rust KUnit test suite, such as 'CONFIG_RUST_BITMAP_KUNIT_TEST'. They are placed within a new menu, 'CONFIG_RUST_KUNIT_TESTS', in the new 'rust/kernel/Kconfig.test' file. - Support the upcoming Rust 1.98.0 release (expected 2026-08-20): lint cleanups and an unstable flag rename. - Disable 'rustdoc' documentation inlining for all prelude items, which bloats the generated documentation. - Ignore (in Git) and clean (in Kbuild) the (rarely) 'rustc'-generated '*.long-type-*.txt' files. 'kernel' crate: - Add new 'bitfield' module with the 'bitfield!' macro (extracted from the existing 'register!' one), which declares integer types that are split into distinct bit fields of arbitrary length. Each field is a 'Bounded' of the appropriate bit width (ensuring values are properly validated and avoiding implicit data loss) and gets several generated getters and setters (infallible, 'const' and fallible) as well as associated constants ('_MASK', '_SHIFT' and '_RANGE'). It also supports fields that can be converted from/to custom types, either fallibly ('?=>') or infallibly ('=>'). For instance: bitfield! { struct Rgb(u16) { 15:11 blue; 10:5 green; 4:0 red; } } // Compile-time checks. let color = Rgb::zeroed().with_const_green::<0x1f>(); assert_eq!(color.green(), 0x1f); assert_eq!(color.into_raw(), 0x1f << Rgb::GREEN_SHIFT); Add as well documentation and a test suite for it, as usual; and update the 'register!' macro to use it. It will be maintained by Alexandre Courbot (with Yury Norov as reviewer) under a new 'MAINTAINERS' entry: 'RUST [BITFIELD]'. - 'ptr' module: rework index projection syntax into keyworded syntax and introduce panicking variant. The keyword syntax ('build:', 'try:', 'panic:') is more explicit and paves the way of perhaps adding more flavors in the future, e.g. an 'unsafe' index projection. For instance, projections now look like this: fn f(p: *const [u8; 32]) -> Result { // Ok, within bounds, checked at build time. project!(p, [build: 1]); // Build error. project!(p, [build: 128]); // `OutOfBound` runtime error (convertible to `ERANGE`). project!(p, [try: 128]); // Runtime panic. project!(p, [panic: 128]); Ok(()) } Update as well the users, which now look like e.g. // Pointer to the first entry of the GSP message queue. let data = project!(self.0.as_ptr(), .gspq.msgq.data[build: 0]); - 'build_assert' module: make the module the home of its macros instead of rendering them twice. - 'sync' module: add 'UniqueArc::as_ptr()' associated function. - 'alloc' module: - Fix the 'Vec::reserve()' doctest to properly account for the existing vector length in the capacity assertion. - Fix an incorrect operator in the 'Vec::extend_with()' 'SAFETY' comment; add a doc test demonstrating basic usage and the zero-length case. - Clean imports across several modules to follow the "kernel vertical" import style in order to minimize conflicts. 'pin-init' crate: - User visible changes: - Do not generate 'non_snake_case' warnings for identifiers that are syntactically just users of a field name. This would allow all '#[allow(non_snake_case)]' in nova-core to be removed, which Gary will send to the nova tree next cycle. - Filter non-cfg attributes out properly in derived structs. This improves pin-init compatibility with other derive macros. - Insert projection types' where clause properly. - Other changes: - Bump MSRV to 1.82, plus associated cleanups. - Overhaul how init slots are projected. The new approach is easier to justify with safety comments. - Mark more functions as inline, which should help mitigate the super-long symbol name issue due to lack of inlining. rust-analyzer: - Support '--envs' for passing env vars for crates like 'zerocopy'. 'MAINTAINERS': - Add the following reviewers to the 'RUST' entry: - Daniel Almeida - Tamir Duberstein - Alexandre Courbot - Onur Özkan They have been involved in the Rust for Linux project for about 7 collective years and bring expertise across several domains, which will be very useful to have around in the future. Thanks everyone for stepping up! And some other fixes, cleanups and improvements" Link: https://github.com/google/zerocopy [1] Link: https://docs.rs/zerocopy [2] Link: https://github.com/Rust-for-Linux/linux/issues/1239 [3] * tag 'rust-7.2' of gitolite.kernel.org:pub/scm/linux/kernel/git/ojeda/linux: (86 commits) MAINTAINERS: add Onur Özkan as Rust reviewer MAINTAINERS: add Alexandre Courbot as Rust reviewer MAINTAINERS: add Tamir Duberstein as Rust reviewer MAINTAINERS: add Daniel Almeida as Rust reviewer kbuild: rust: clean `zerocopy-derive` in `mrproper` rust: make `build_assert` module the home of related macros rust: str: clean unused import for Rust >= 1.98 rust: str: use the "kernel vertical" imports style rust: aref: use the "kernel vertical" imports style rust: page: use the "kernel vertical" imports style gpu: nova-core: firmware: parse `FalconUCodeDescV2` via `zerocopy` rust: prelude: add `zerocopy{,_derive}::FromBytes` rust: zerocopy-derive: enable support in kbuild rust: zerocopy-derive: add `README.md` rust: zerocopy-derive: avoid generating non-ASCII identifiers rust: zerocopy-derive: add SPDX License Identifiers rust: zerocopy-derive: import crate rust: zerocopy: enable support in kbuild rust: zerocopy: add `README.md` rust: zerocopy: remove float `Display` support ...
2026-06-15Merge tag 'rcu.release.v7.2' of ↵Linus Torvalds
gitolite.kernel.org:pub/scm/linux/kernel/git/rcu/linux Pull RCU updates from Uladzislau Rezki: "Torture test updates: - Improve kvm-series.sh script by adding examples in its header comment - Lazy RCU is more fully tested now by replacing call_rcu_hurry() with call_rcu() and doing rcu_barrier() to motivate lazy callbacks during a stutter pause - Add more synonyms for the "--do-normal" group of torture.sh command-line arguments Misc changes: - Reduce stack usage of nocb_gp_wait() to address frame size warning when built with CONFIG_UBSAN_ALIGNMENT - The synchronize_rcu() call can detect the flood and latches a normal/default path temporary switching to wait_rcu_gp() path - Document using rcu_access_pointer() to fetch the old pointer for lockless cmpxchg() updates - Simplify some RCU code using clamp_val() - Fix a kerneldoc header comment typo in srcu_down_read_fast()" * tag 'rcu.release.v7.2' of gitolite.kernel.org:pub/scm/linux/kernel/git/rcu/linux: rcu/nocb: reduce stack usage in nocb_gp_wait() rcu-tasks: Fix possible boot-time tests failed for the call_rcu_tasks() rcu: Latch normal synchronize_rcu() path on flood rcu: Document rcu_access_pointer() feeding into cmpxchg() rcu: Simplify param_set_next_fqs_jiffies() by applying clamp_val() rcu: Simplify rcu_do_batch() by applying clamp() checkpatch: Undeprecate rcu_read_lock_trace() and rcu_read_unlock_trace() srcu: Fix kerneldoc header comment typo in srcu_down_read_fast() torture: Allow "norm" abbreviation for "normal" torture: Improve kvm-series.sh header comment torture: Add torture_sched_set_normal() for user-specified nice values rcutorture: Fully test lazy RCU
2026-06-15Merge tag 'kcsan-20260612-v7.2-rc1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/melver/linux Pull KCSAN update from Marco Elver: - Silence -Wmaybe-uninitialized when calling __kcsan_check_access() * tag 'kcsan-20260612-v7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/melver/linux: kcsan: Silence -Wmaybe-uninitialized when calling __kcsan_check_access()
2026-06-14selftests/bpf: Add test for sleepable lsm_cgroup rejectionDavid Windsor
Confirm the verifier rejects loading a sleepable BPF_LSM_CGROUP program, as introduced in commit 5b038319be44 ("bpf: Reject sleepable BPF_LSM_CGROUP programs at load time"). Signed-off-by: David Windsor <dwindsor@gmail.com> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Link: https://lore.kernel.org/r/20260611143549.703914-1-dwindsor@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14udf: fix nls leak on udf_fill_super() failureAl Viro
On all failure exits that go to error_out there we have already moved the nls reference from uopt->nls_map to sbi->s_nls_map, leaving NULL behind. Fixes: c4e89cc674ac ("udf: convert to new mount API") Acked-by: Jan Kara <jack@suse.cz> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2026-06-14Merge remote-tracking branches 'ras/edac-drivers' and 'ras/edac-misc' into ↵Borislav Petkov (AMD)
edac-updates * ras/edac-drivers: (21 commits) EDAC: Consistently define pci_device_ids using named initializers EDAC/igen6: Add Intel Nova Lake-H SoC support EDAC/igen6: Make registers for detecting IBECC configurable EDAC/imh: Add RRL support for Intel Diamond Rapids server EDAC/{skx_common,i10nm}: Prepare RRL for sub-channel granularity EDAC/skx_common: Add SubChannel support to ADXL decode EDAC/{skx_common,i10nm}: Move RRL handling to common code EDAC/{skx_common,i10nm}: Introduce rrl_ctrl_mode EDAC/{skx_common,i10nm}: Rename rrl_mode to rrl_source_type EDAC/{skx_common,skx,i10nm}: Split skx_set_decode() EDAC/{skx_common,i10nm,imh}: Move MC register access helpers to skx_common EDAC/{skx_common,skx}: Fix UBSAN shift-out-of-bounds in skx_get_dimm_info EDAC/igen6: Add one Intel Panther Lake-H SoC support EDAC/igen6: Fix memory topology parsing for Panther Lake-H SoCs EDAC/igen6: Fix call trace due to missing release() EDAC/sb_edac: fix grammar in sb_decode_ddr3 warning EDAC/i5400: disable error reporting at teardown and refactor helper EDAC/i5100: disable error reporting at teardown and create helper EDAC/i5000: disable error reporting at teardown and refactor helper EDAC/i7300: disable error reporting if init fails and refactor helper ... * ras/edac-misc: RAS/AMD/ATL: Drop malformed default N from Kconfig Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
2026-06-14apparmor: fix label can not be immediately before a declarationJohn Johansen
Fix error reported by kernel test robot security/apparmor/policy.c:1381:2: error: a label can only be part of a statement and a declaration is not a statement All errors (new ones prefixed by >>): security/apparmor/policy.c: In function 'aa_replace_profiles': >> security/apparmor/policy.c:1381:2: error: a label can only be part of a statement and a declaration is not a statement ssize_t udata_sz = udata->size; ^~~~~ Reported-by: kernel test robot <lkp@intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202606150525.npax8WiH-lkp@intel.com/ Fixes: 7b42f95813dc9 ("apparmor: fix potential UAF in aa_replace_profiles") Signed-off-by: John Johansen <john.johansen@canonical.com>
2026-06-14Merge branch 'bpf-fix-bpf_get-setsockopt-to-tos-for-ipv4-mapped-ipv6-socket'Alexei Starovoitov
Leon Hwang says: ==================== bpf: Fix bpf_get/setsockopt to tos for ipv4-mapped ipv6 socket When TCP over IPv4 via INET6 API, sk->sk_family is AF_INET6, but it is a v4 pkt. inet_csk(sk)->icsk_af_ops is ipv6_mapped and use ip_queue_xmit. The tos sockopt does not work for bpf [get,set]sockopt() helpers. Changelog: v3 -> v4: * Add 'sk->sk_type != SOCK_RAW && !ipv6_only_sock(sk)' check. * Re-implement test with LLM assistance. * v3: https://lore.kernel.org/all/20240914103226.71109-1-zhoufeng.zf@bytedance.com/ v2->v3: * Use sk_is_inet() helper. (Eric Dumazet) * https://lore.kernel.org/bpf/CANn89i+9GmBLCdgsfH=WWe-tyFYpiO27wONyxaxiU6aOBC6G8g@mail.gmail.com/T/ v1->v2: * Fix compilation error. (kernel test robot) * https://lore.kernel.org/bpf/202408152058.YXAnhLgZ-lkp@intel.com/T/ ==================== Link: https://patch.msgid.link/20260613162443.60515-1-leon.hwang@linux.dev Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14selftests/bpf: Add test to verify the fix for bpf_setsockopt() helperLeon Hwang
Verify the fix by: 1. Attach cgroup sockops prog. 2. Build a tcp connection using ipv4 addr in ipv6 socket. 3. Verify the return value of bpf_setsockopt() helper. Assisted-by: Codex:gpt-5.5-xhigh Signed-off-by: Leon Hwang <leon.hwang@linux.dev> Link: https://lore.kernel.org/r/20260613162443.60515-3-leon.hwang@linux.dev Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14bpf: Fix bpf_get/setsockopt to tos for ipv4-mapped ipv6 socketLeon Hwang
When TCP over IPv4 via INET6 API, bpf_get/setsockopt with ipv4 will fail, because sk->sk_family is AF_INET6. With ipv6 will success, not take effect, because inet_csk(sk)->icsk_af_ops is ipv6_mapped and use ip_queue_xmit, inet_sk(sk)->tos. To relax this restriction, allow getting/setting tos for those possible ipv4-mapped ipv6 sockets. Fixes: ee7f1e1302f5 ("bpf: Change bpf_setsockopt(SOL_IP) to reuse do_ip_setsockopt()") Signed-off-by: Feng Zhou <zhoufeng.zf@bytedance.com> Signed-off-by: Leon Hwang <leon.hwang@linux.dev> Link: https://lore.kernel.org/r/20260613162443.60515-2-leon.hwang@linux.dev Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14Merge branch 'tools-build-bpf-append-extra_cflags-and-host_extracflags'Alexei Starovoitov
Leo Yan says: ==================== tools build: bpf: Append EXTRA_CFLAGS and HOST_EXTRACFLAGS Append EXTRA_CFLAGS and HOST_EXTRACFLAGS to the BPF build. This mitigates an issue introduced in GCC 15, where a {0} initializer does not guarantee zeroing the entire union [1]. The common changes under tools to support EXTRA_CFLAGS and HOST_EXTRACFLAGS are sent separately [2]. As suggested, BPF patches would be picked up via the bpf tree, so this series only includes BPF related changes. Verification on bpf-ci (with tools changes [2]: https://github.com/kernel-patches/bpf/actions/runs/26815163486 [1] https://gcc.gnu.org/gcc-15/changes.html [2] https://lore.kernel.org/all/20260602-tools_build_fix_zero_init-v7-0-631baf679fe7@arm.com/ Signed-off-by: Leo Yan <leo.yan@arm.com> --- Changes in v2: - Used strscpy() instead in patch 06 (Ihor). - Added prefix "bpf-next" in subject (Alexei). - Added patch 01 to pass host cflags to bootstrap libbpf. - Added patch 08 to avoid static LLVM linking for cross build. - Link to v1: https://lore.kernel.org/r/20260323-tools_build_fix_zero_init_bpf_only-v1-0-d1cfad2f4cd1@arm.com ==================== Link: https://patch.msgid.link/20260602-tools_build_fix_zero_init_bpf_only-v2-0-c76e5250ea1c@arm.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14selftests/bpf: Avoid static LLVM linking for cross buildsLeo Yan
The BPF selftests prefer static LLVM linking, which works for native builds but can break cross builds. Its --link-static output may include host-only libraries that are unavailable for the cross compilation, causing link failures. Avoid static LLVM linking for cross builds and use shared LLVM libraries instead. Native builds keep the existing behavior. Signed-off-by: Leo Yan <leo.yan@arm.com> Link: https://lore.kernel.org/r/20260602-tools_build_fix_zero_init_bpf_only-v2-8-c76e5250ea1c@arm.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14selftests/bpf: Use common CFLAGS for urandom_readLeo Yan
The urandom_read helper and its shared library are built with $(CLANG) directly rather than through the normal selftest $(CC) rules. The CFLAGS variable can contain specific flags only for $(CC) but might be imcompatible for $(CLANG) and those flags are not necessarily valid for the clang-only urandom_read build. Split the BPF selftest local flags into COMMON_CFLAGS and append them to CFLAGS for the normal build path. Use COMMON_CFLAGS directly for urandom_read and liburandom_read.so, while still filtering out -static as before. Signed-off-by: Leo Yan <leo.yan@arm.com> Link: https://lore.kernel.org/r/20260602-tools_build_fix_zero_init_bpf_only-v2-7-c76e5250ea1c@arm.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14selftests/bpf: Initialize operation name before useLeo Yan
ASAN reports stack-buffer-overflow due to the uninitialized op_name. Initialize it to fix the issue. Fixes: 054b6c7866c7 ("selftests/bpf: Add verifier log tests for BPF_BTF_LOAD command") Signed-off-by: Leo Yan <leo.yan@arm.com> Acked-by: Ihor Solodrai <ihor.solodrai@linux.dev> Link: https://lore.kernel.org/r/20260602-tools_build_fix_zero_init_bpf_only-v2-6-c76e5250ea1c@arm.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14tools/bpf: build: Append extra cflagsLeo Yan
Append EXTRA_CFLAGS to CFLAGS so that additional flags can be applied to the compiler. Signed-off-by: Leo Yan <leo.yan@arm.com> Acked-by: Ihor Solodrai <ihor.solodrai@linux.dev> Link: https://lore.kernel.org/r/20260602-tools_build_fix_zero_init_bpf_only-v2-5-c76e5250ea1c@arm.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14libbpf: Initialize CFLAGS before including Makefile.includeLeo Yan
tools/scripts/Makefile.include may expand EXTRA_CFLAGS in a future change. This could alter the initialization of CFLAGS, as the default options "-g -O2" would never be set once EXTRA_CFLAGS is expanded. Prepare for this by moving the CFLAGS initialization before including tools/scripts/Makefile.include, so it is not affected by the extended EXTRA_CFLAGS. Append EXTRA_CFLAGS to CFLAGS only after including Makefile.include and place it last so that the extra flags propagate properly and can override the default options. tools/scripts/Makefile.include already appends $(CLANG_CROSS_FLAGS) to CFLAGS, the Makefile appends $(CLANG_CROSS_FLAGS) again, remove the redundant append. Signed-off-by: Leo Yan <leo.yan@arm.com> Acked-by: Ihor Solodrai <ihor.solodrai@linux.dev> Link: https://lore.kernel.org/r/20260602-tools_build_fix_zero_init_bpf_only-v2-4-c76e5250ea1c@arm.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14bpftool: Append extra host flagsLeo Yan
Append HOST_EXTRACFLAGS to HOST_CFLAGS so that additional flags can be applied to the host compiler. Acked-by: Quentin Monnet <qmo@kernel.org> Signed-off-by: Leo Yan <leo.yan@arm.com> Link: https://lore.kernel.org/r/20260602-tools_build_fix_zero_init_bpf_only-v2-3-c76e5250ea1c@arm.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14bpftool: Avoid adding EXTRA_CFLAGS to HOST_CFLAGSLeo Yan
Prepare for future changes where EXTRA_CFLAGS may include flags not applicable to the host compiler. Move the HOST_CFLAGS assignment before appending EXTRA_CFLAGS to CFLAGS so that HOST_CFLAGS does not inherit flags from EXTRA_CFLAGS. Acked-by: Quentin Monnet <qmo@kernel.org> Signed-off-by: Leo Yan <leo.yan@arm.com> Link: https://lore.kernel.org/r/20260602-tools_build_fix_zero_init_bpf_only-v2-2-c76e5250ea1c@arm.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14bpftool: Pass host flags to bootstrap libbpfLeo Yan
bpftool builds a bootstrap libbpf with HOSTCC, but the libbpf submake can still inherit target build flags through CFLAGS. This can break cross builds when host objects are compiled with target-only options. Since HOST_CFLAGS contains warning options that are not suitable for building libbpf, use LIBBPF_BOOTSTRAP_CFLAGS with the warning options removed to build the bootstrap libbpf. Clear EXTRA_CFLAGS so target extra flags are not mixed into the host bootstrap libbpf build. Signed-off-by: Leo Yan <leo.yan@arm.com> Acked-by: Quentin Monnet <qmo@kernel.org> Link: https://lore.kernel.org/r/20260602-tools_build_fix_zero_init_bpf_only-v2-1-c76e5250ea1c@arm.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14selftests/bpf: correct CONFIG_PPC64 macro name in commentEthan Nelson-Moore
A comment in tools/testing/selftests/bpf/progs/test_fill_link_info.c incorrectly refers to CONFIG_PPC6 instead of CONFIG_PPC64. Correct it. Discovered while searching for CONFIG_* symbols referenced in code but not defined in any Kconfig file. Signed-off-by: Ethan Nelson-Moore <enelsonmoore@gmail.com> Link: https://lore.kernel.org/r/20260610044023.225820-1-enelsonmoore@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14Merge branch 'bpf-allow-uprobe_multi-binary-specified-by-file-descriptor'Alexei Starovoitov
Jiri Olsa says: ==================== bpf: Allow uprobe_multi binary specified by file descriptor Add ability to open uprobe_multi link on top of binary identified by file descriptor. This allows us to avoid the race where the binary is replaced between path resolution and attachment, ensuring we monitor the intended binary. v1: https://lore.kernel.org/bpf/20260609104244.588321-1-jolsa@kernel.org/T/#m0275d5f39805c57dc8fd3308c640237dc7aec4db v2: https://lore.kernel.org/bpf/20260610143627.804790-1-jolsa@kernel.org/T/#m153e18fa426140fdcc773cc97b10e006531656c0 v3 changes: - guard t_user acesss with access_ok [sashiko] v2 changes: - move path retrieval in separate function so CLASS(..) is not used in function with goto-based cleanup [sashiko] - force zero path_fd in case BPF_F_UPROBE_MULTI_PATH_FD is not set [sashiko] - add space around | in bpf_uprobe_multi_link_attach [Alexei] ==================== Link: https://patch.msgid.link/20260611114230.950379-1-jolsa@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14selftests/bpf: Fix typo in verify_umulti_link_infoJiri Olsa
We verify info.uprobe_multi.flags against wrong kprobe-multi flag (BPF_F_KPROBE_MULTI_RETURN). It's the same value as the correct flag (BPF_F_UPROBE_MULTI_RETURN), so there's not functional change. Fixes: 147c69307bcf ("selftests/bpf: Add link_info test for uprobe_multi link") Signed-off-by: Jiri Olsa <jolsa@kernel.org> Link: https://lore.kernel.org/r/20260611114230.950379-8-jolsa@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14selftests/bpf: Add uprobe_multi path_fd fail testsJiri Olsa
Adding tests to attach_api_fails suite to make sure we fail wrong setup for path_fd usage. Signed-off-by: Jiri Olsa <jolsa@kernel.org> Link: https://lore.kernel.org/r/20260611114230.950379-7-jolsa@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14selftests/bpf: Add uprobe_multi path_fd testJiri Olsa
Add a uprobe_multi link API selftest that opens /proc/self/exe and passes the resulting descriptor through opts.uprobe_multi.path_fd with BPF_F_UPROBE_MULTI_PATH_FD set. Assisted-by: Codex:GPT-5.4 Signed-off-by: Jiri Olsa <jolsa@kernel.org> Link: https://lore.kernel.org/r/20260611114230.950379-6-jolsa@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14libbpf: Add path_fd to struct bpf_link_create_optsJiri Olsa
Adding the path_fd field to struct bpf_link_create_opts and passing it through kernel attr interface. Assisted-by: Codex:GPT-5.4 Signed-off-by: Jiri Olsa <jolsa@kernel.org> Link: https://lore.kernel.org/r/20260611114230.950379-5-jolsa@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14bpf: Add support to specify uprobe_multi target via file descriptorJiri Olsa
Allow uprobe_multi link to identify the target binary by an already opened file descriptor. Adding new BPF_F_UPROBE_MULTI_PATH_FD flag and the path_fd field for the attr.link_create.uprobe_multi struct. When the flag is set, we resolve the target from path_fd, without the flag, we keep the existing string path behavior. I don't see a use case for supporting O_PATH file descriptors, because we need to read the binary first to get probes offsets, so I'm using the CLASS(fd, f), which fails for O_PATH fds. Assisted-by: Codex:GPT-5.4 Signed-off-by: Jiri Olsa <jolsa@kernel.org> Link: https://lore.kernel.org/r/20260611114230.950379-4-jolsa@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14bpf: Use user_path_at for path resolution in uprobe_multiJiri Olsa
Resolve the uprobe_multi user path with user_path_at() instead of copying the string with strndup_user() and passing it to kern_path(). This removes the temporary allocation and keeps the lookup logic in one helper. Signed-off-by: Jiri Olsa <jolsa@kernel.org> Link: https://lore.kernel.org/r/20260611114230.950379-3-jolsa@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14bpf: Guard __get_user acesss with access_ok for uprobe_multi dataJiri Olsa
As reported by sashiko [1] we need to use access_ok to check the user space data bounds before we use __get-user to get it. [1] https://lore.kernel.org/bpf/20260610145235.CB1441F00893@smtp.kernel.org/ Fixes: 0b779b61f651 ("bpf: Add cookies support for uprobe_multi link") Fixes: 89ae89f53d20 ("bpf: Add multi uprobe link") Signed-off-by: Jiri Olsa <jolsa@kernel.org> Link: https://lore.kernel.org/r/20260611114230.950379-2-jolsa@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-15Merge tag 'for-linus-7.2-rc1-tag' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip Pull xen updates from Juergen Gross: - Several small cleanups of various Xen related drivers (xen/platform-pci, xen-balloon, xenbus, xen/mcelog) - Cleanup for Xen PV-mode related code (includes dropping the Xen debugfs code) - Drop the additional lazy mmu mode tracking done by Xen specific code * tag 'for-linus-7.2-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip: xen/xenbus: Replace strcpy() with memcpy() x86/xen: Replace generic lazy tracking with cpu specific one x86/xen: Get rid of last XEN_LAZY_MMU uses mm: Refactor lazy_mmu_mode_pause() and lazy_mmu_mode_resume() x86/xen: Change interface of xen_mc_issue() x86/xen: Drop lazy mode from trace entries x86/xen: Remove Xen debugfs support x86/xen: Cleanup Xen related trace points x86/xen: Guard PV-only stuff in xen-ops.h with CONFIG_XEN_PV xen: balloon: Replace sprintf() with sysfs_emit() xen/mcelog: mark g_physinfo, ncpus and xen_mce_chrdev_device as __ro_after_init xen: constify xsd_errors array xen/platform-pci: Simplify initialization of pci_device_id array
2026-06-15Merge tag 'kbuild-7.2-1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/kbuild/linux Pull Kbuild / Kconfig updates from Nathan Chancellor: "Kbuild: - Remove broken module linking exclusion for BTF - Add documentation around how offset header files work - Include unstripped vDSO libraries in pacman packages - Bump minimum version of LLVM for building the kernel to 17.0.1 and clean up unnecessary workarounds - Use a context manager in run-clang-tools - Add dist macro value if present to release tag for RPM packages - Detect and report truncated buf_printf() output in modpost - Add __llvm_covfun and __llvm_covmap to section whitelist in modpost - Support Clang's distributed ThinLTO mode - Remove architecture specific configurations for AutoFDO and Propeller to ease individual architecture maintenance Kconfig: - Add kconfig-sym-check target to look for dangling Kconfig symbol references and invalid tristate literal values - Harden against potential NULL pointer dereference - Fix typo in Kconfig test comment" * tag 'kbuild-7.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/kbuild/linux: (31 commits) kconfig: tests: fix typo in comment kconfig: Remove the architecture specific config for Propeller kconfig: Remove the architecture specific config for AutoFDO modpost: Add __llvm_covfun and __llvm_covmap to section_white_list kconfig: add kconfig-sym-check static checker kbuild: Remove unnecessary 'T' modifier in cmd_ar_builtin_fixup kbuild: distributed build support for Clang ThinLTO kbuild: move vmlinux.a build rule to scripts/Makefile.vmlinux_a scripts: modpost: detect and report truncated buf_printf() output kbuild: rpm-pkg: append %{?dist} macro to Release tag run-clang-tools: run multiprocessing.Pool as context manager compiler-clang.h: Drop explicit version number from "all" diagnostic macro compiler-clang.h: Remove __cleanup -Wunused-variable workaround kbuild: Remove check for broken scoping with clang < 17 in CC_HAS_ASM_GOTO_OUTPUT x86/entry/vdso32: Remove conditional omission of '.cfi_offset eflags' x86/module: Revert "Deal with GOT based stack cookie load on Clang < 17" x86/build: Drop unnecessary '-ffreestanding' addition to KBUILD_CFLAGS scripts/Makefile.warn: Drop -Wformat handling for clang < 16 riscv: Drop tautological condition from TOOLCHAIN_NEEDS_OLD_ISA_SPEC riscv: Remove tautological condition from selection of ARCH_SUPPORTS_CFI ...
2026-06-14arm64: mm: Remove misleading pte_none() comment from ptep_try_set()Tejun Heo
This comment was thoughtlessly copied from the x86 version and doesn't apply to arm64. Remove it. Reported-by: Will Deacon <will@kernel.org> Signed-off-by: Tejun Heo <tj@kernel.org> Link: https://lore.kernel.org/r/20260614210209.2371030-1-tj@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org>