summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
14 daysdma-fence: use correct callback in dma_fence_timeline_name()André Draszik
dma_fence_timeline_name() is a wrapper around dma_fence_ops::get_timeline_name(). Since the blamed commit below, it calls an incorrect callback. Update it to restore functionality by calling the intended callback. Fixes: 62918542b7bf ("dma-fence: Fix sparse warnings due __rcu annotations") Cc: <stable@vger.kernel.org> # v7.1+ [tursulin: added cc stable] Signed-off-by: André Draszik <andre.draszik@linaro.org> Reviewed-by: Philipp Stanner <phasta@kernel.org> Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net> Link: https://lore.kernel.org/r/20260618-linux-drm_crtc_fix-v1-1-801f29c9853d@linaro.org
14 daysxfs: fix AGFL extent count calculation in xrep_agfl_filljiazhenyuan
In xrep_agfl_fill(), the call to xagb_bitmap_set() passes 'agbno - 1' as the length argument. However, xagb_bitmap_set() expects a length (number of blocks), not an end block number. Passing 'agbno - 1' causes used_extents to record an incorrect range. Fix this by calculating the correct length as 'agbno - start', which represents the actual number of blocks filled into the AGFL. Signed-off-by: jiazhenyuan <jiazhenyuan@uniontech.com> Fixes: 014ad53732d2ba ("xfs: use per-AG bitmaps to reap unused AG metadata blocks during repair") Reviewed-by: "Darrick J. Wong" <djwong@kernel.org> Signed-off-by: Carlos Maiolino <cem@kernel.org>
14 daysxfs: simplify the failure path in xfs_buf_alloc_vmallocChristoph Hellwig
Look at the __GFP_NORETRY flag set for readahead so that we don't have to pass both the gfp_t and the flags in. Signed-off-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com> Signed-off-by: Carlos Maiolino <cem@kernel.org>
14 daysxfs: fix incorrect use of gfp flags in xfs_buf_alloc_backing_memChristoph Hellwig
xfs_buf_alloc_backing_mem currently has two issues with how the GFP_ flags are set: - when aiming for a large folio allocation, the gfp mask is adjusted to try less hard, but these flags then persist for the vmalloc allocation, which is bogus. - the __GFP_NOFAIL for small allocations is also applied when readahead force __GFP_NORETRY which doesn't make any sense. Fix this by only applying __GFP_NOFAIL when __GFP_NORETRY is not set, and by reordering the code so that the large folio gfp adjustments are performed locally just for that allocation. Fixes: 94c78cfa3bd1 ("xfs: convert buffer cache to use high order folios") Signed-off-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com> Signed-off-by: Carlos Maiolino <cem@kernel.org>
14 daysxfs: lift setting __GFP_NOFAIL from xfs_buf_alloc_kmem to the callerChristoph Hellwig
The current __GFP_NOFAIL setting is wrong in some cases. Prepare for fixing that by giving control to the caller. Signed-off-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com> Signed-off-by: Carlos Maiolino <cem@kernel.org>
14 daysxfs: split up xfs_buf_alloc_backing_memChristoph Hellwig
Split out helpers for folio and vmalloc allocations to prepare for a bug fix. Signed-off-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com> Signed-off-by: Carlos Maiolino <cem@kernel.org>
14 daysMerge tag 'v7.2-rc1' of ↵Bartosz Golaszewski
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux into gpio/for-current Linux 7.2-rc1
2026-06-28Linux 7.2-rc1v7.2-rc1Linus Torvalds
2026-06-28Merge tag 'ntb-7.2' of https://github.com/jonmason/ntbLinus Torvalds
Pull NTB updates from Jon Mason: "An EPF bug fix to prevent an invalid unmap during device removal, along with documentation fixes and minor AMD driver cleanups" * tag 'ntb-7.2' of https://github.com/jonmason/ntb: ntb: amd: Use named initializer for pci_device_id::driver_data NTB: fix kernel-doc warnings in ntb.h NTB: epf: Avoid pci_iounmap() with offset when PEER_SPAD and CONFIG share BAR ntb_hw_amd: Fix incorrect debug message in link disable path
2026-06-28Merge tag 'input-for-v7.2-rc0-2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input Pull more input updates from Dmitry Torokhov: - Updates to Synaptics RMI4 driver to fix potential OOB accesses in F30 and F3A keymap handling - A workaround in Synaptics RMI4 to tolerate buggy firmware on some touchpads (e.g. ThinkPad T14 Gen 1) that report incomplete register descriptor structures, preventing probe failures - A revert of an incorrect register descriptor address calculation in Synaptics RMI4 driver - A fix for a regression in HP GSC PS/2 (gscps2) driver where the receive buffer write index was not advanced, leaving keyboard and mouse unusable. * tag 'input-for-v7.2-rc0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: Input: gscps2 - advance receive buffer write index Input: rmi4 - tolerate short register descriptor structure Revert "Input: rmi4 - fix register descriptor address calculation" Input: synaptics-rmi4 - bound the F30 keymap to the GPIO/LED count Input: synaptics-rmi4 - bound the F3A keymap to the GPIO count
2026-06-28batman-adv: dat: ensure accessible eth_hdr proto fieldSven Eckelmann
When batadv_get_vid() accesses the proto field of the ethernet header, it is not checking if the data itself is accessible. The caller is responsible for it. But in contrast to other call sites, batadv_dat_get_vid() and its caller didn't make sure this is true. This could have caused an out-of-bounds access. Cc: stable@vger.kernel.org Reported-by: Sashiko <sashiko-bot@kernel.org> Fixes: be1db4f6615b ("batman-adv: make the Distributed ARP Table vlan aware") Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-28batman-adv: bla: reacquire gw address after skb reallocSven Eckelmann
The pskb_may_pull() called by batadv_bla_is_backbone_gw() could reallocate the buffer behind the skb. Variables which were pointing to the old buffer need to be reassigned to avoid an use-after-free. Cc: stable@vger.kernel.org Fixes: 9e794b6bf4a2 ("batman-adv: drop unicast packets from other backbone gw") Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-28batman-adv: dat: acquire ARP hw source only after skb reallocSven Eckelmann
The pskb_may_pull() called by batadv_get_vid() could reallocate the buffer behind the skb. Variables which were pointing to the old buffer need to be reassigned to avoid an use-after-free. Cc: stable@vger.kernel.org Fixes: b61ec31c8575 ("batman-adv: Snoop DHCPACKs for DAT") Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-28batman-adv: gw: acquire ethernet header only after skb reallocSven Eckelmann
The pskb_may_pull() called by batadv_get_vid() could reallocate the buffer behind the skb. Variables which were pointing to the old buffer need to be reassigned to avoid an use-after-free. Cc: stable@vger.kernel.org Fixes: 6c413b1c22a2 ("batman-adv: send every DHCP packet as bat-unicast") Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-28batman-adv: access unicast_ttvn skb->data only after skb reallocSven Eckelmann
The pskb_may_pull() called by batadv_get_vid() could reallocate the buffer behind the skb. Variables which were pointing to the old buffer need to be reassigned to avoid an use-after-free. This was done correctly for the ethernet header but missed for the unicast_packet pointer. Cc: stable@vger.kernel.org Reported-by: Sashiko <sashiko-bot@kernel.org> Fixes: c018ad3de61a ("batman-adv: add the VLAN ID attribute to the TT entry") Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-28batman-adv: retrieve ethhdr after potential skb realloc on RXSven Eckelmann
pskb_may_pull() in batadv_interface_rx() could reallocate the buffer behind the skb. Variables which were pointing to the old buffer need to be reassigned to avoid an use-after-free. This was done correctly for the VLAN header but missed for the ethernet header which is later used for the TT and AP isolation handling. Cc: stable@vger.kernel.org Reported-by: Sashiko <sashiko-bot@kernel.org> Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") Fixes: c78296665c3d ("batman-adv: Check skb size before using encapsulated ETH+VLAN header") Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-27net: airoha: dma map xmit frags with skb_frag_dma_map()Lorenzo Bianconi
Map xmit skb fragments using skb_frag_dma_map() instead of dma_map_single(skb_frag_address()). skb_frag_address() relies on page_address() to obtain a kernel virtual address, which is not guaranteed to work for all page types (e.g. highmem pages or user-pinned pages from MSG_ZEROCOPY). skb_frag_dma_map() maps the fragment directly via its struct page and offset through dma_map_page(), avoiding the need for a kernel virtual address entirely. Introduce an enum airoha_dma_map_type to track how each queue entry was mapped (single vs page), so that the matching unmap function is called on completion and in error paths. Fixes: 23020f049327 ("net: airoha: Introduce ethernet support for EN7581 SoC") Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Reviewed-by: Harshitha Ramamurthy <hramamurthy@google.com> Link: https://patch.msgid.link/20260625-airoha-eth-skb_frag_dma_map-v1-1-31d9e460aae6@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-27net: dsa: Fix skb ownership in taggersLinus Walleij
The tag_8021q.c tagger calls vlan_insert_tag() in dsa_8021q_xmit(). vlan_insert_tag() will consume the skb with kfree_skb() on failure and return NULL. When NULL is returned as error code to ->xmit() in dsa_user_xmit() it will free the same skb again leading to a double-free. The idea of dsa_user_xmit() and dsa_switch_rcv() dropping the skb they held before the call to ->xmit() and ->rcv() is conceptually wrong: the pattern elsewhere in the networking code is that consumers drop their skb:s on failure. Modify the ->xmit() and ->rcv() call sites to not drop the SKB if the taggers return NULL from any of these calls. Move those drops into the taggers so every callback error path that retains ownership consumes the skb before returning NULL. Keep the existing helper ownership rules: VLAN insertion helpers already free on failure (this is the case in tag_8021q.c), while deferred transmit paths either transfer the skb reference to worker context or hold a worker reference with skb_get() and drop the caller's reference. For SJA1105 meta RX, transfer the buffered stampable skb under the meta lock and return NULL while the skb is waiting for its meta frame: the skb is not dropped in this case. NOTICE: Backporting patches to taggers (e.g. for stable kernels) after this point cannot be mechanical or they will introduce double kfree_skb(). Reported-by: Sashiko AI Review <sashiko-bot@kernel.org> Closes: https://lore.kernel.org/r/20260610153952.1685895-1-kuba@kernel.org/ Suggested-by: Jakub Kicinski <kuba@kernel.org> Acked-by: David Yang <mmyangfl@gmail.com> # yt921x Acked-by: Kurt Kanzenbach <kurt@linutronix.de> # hellcreek Reviewed-by: Wei Fang <wei.fang@nxp.com> # netc Signed-off-by: Linus Walleij <linusw@kernel.org> Link: https://patch.msgid.link/20260625-dsa-fix-free-skb-v5-1-b5931e4cbdb0@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-27sctp: add INIT verification after cookie unpackingXin Long
In SCTP handshake, the INIT chunk is initially processed by the server and embedded into the cookie carried in INIT-ACK. The client then returns this cookie via COOKIE-ECHO, where the server unpacks it and reconstructs the original INIT chunk. When cookie authentication is enabled, the cookie contents are protected against tampering, so reusing the unpacked INIT without re-verification is safe. However, when cookie authentication is disabled, the reconstructed INIT can no longer be trusted. In this case, the INIT must be explicitly validated after unpacking to avoid processing potentially tampered data. Add sctp_verify_init() checks after cookie unpacking in COOKIE-ECHO processing paths (sctp_sf_do_5_1D_ce() and sctp_sf_do_5_2_4_dupcook()) when cookie_auth_enable is disabled. On failure, the new association is freed and the packet is discarded. Also tighten cookie validation in sctp_unpack_cookie() by verifying the embedded chunk type is SCTP_CID_INIT before treating it as an INIT chunk. Finally, update sctp_verify_init() to validate parameter bounds using the actual embedded INIT length instead of chunk->chunk_end, since the INIT stored in COOKIE-ECHO may not span the entire chunk buffer. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Xin Long <lucien.xin@gmail.com> Link: https://patch.msgid.link/ebcbbac574815b0850f371b4bdb02f2e602b94d3.1782341592.git.lucien.xin@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-27netpoll: fix a use-after-free on shutdown pathBreno Leitao
There is a use-after-free error on netpoll, which is clearly detected by KASAN. BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0x3b/0x80 Read of size 1 at addr ... by task kworker/9:1 Workqueue: events queue_process Call Trace: skb_dequeue+0x1e/0xb0 queue_process+0x2c/0x600 process_scheduled_works+0x4b6/0x850 worker_thread+0x414/0x5a0 Allocated by task 242: __netpoll_setup+0x201/0x4a0 netpoll_setup+0x249/0x550 enabled_store+0x32f/0x380 Freed by task 0: kfree+0x1b7/0x540 rcu_core+0x3f8/0x7a0 The problem happens when there is a pending TX worker running in parallel with the cleanup path. This is what happens on netpoll shutdown path: 1) __netpoll_cleanup() is called 2) set dev->npinfo to NULL 3) call_rcu() with rcu_cleanup_netpoll_info() 3.1) rcu_cleanup_netpoll_info() tries to cancel all workers with cancel_delayed_work(), but doesn't wait for the worker to finish 4) and kfree(npinfo); Because 3.1) doesn't really cancel the work, as the comment says "we can't call cancel_delayed_work_sync here, as we are in softirq", the TX worker can run after 4). Tl;DR: queue_process() is not an RCU reader, it reaches npinfo through the work item via container_of(). Use disable_delayed_work_sync() to ensure the worker is completely stopped and prevent any future re-arming attempts. Once npinfo is set to NULL, senders will bail out and not queue new work. The disable flag ensures any in-flight re-arming attempts also fail silently. In the future, we can do the cleanup inline here without needing the npinfo->rcu rcu_head, but that is net-next material. Cc: stable@vger.kernel.org Fixes: 38e6bc185d95 ("netpoll: make __netpoll_cleanup non-block") Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com> Signed-off-by: Breno Leitao <leitao@debian.org> Link: https://patch.msgid.link/20260625-netpoll_rcu_fix-v2-1-0748ffac1e98@debian.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-27sctp: fix SCTP_RESET_STREAMS stream list length limitYousef Alhouseen
SCTP_RESET_STREAMS carries a flexible array of u16 stream IDs, but the optlen clamps treat USHRT_MAX as a byte count and then multiply sizeof(__u16) by the fixed header size. That caps the copied and validated option buffer at about 64 KiB, which rejects valid requests containing more than about half of the u16 stream ID range. Use struct_size_t() for the maximum struct sctp_reset_streams layout instead, so the bound matches the flexible array described by srs_number_streams. Fixes: 5960cefab9df ("sctp: add a ceiling to optlen in some sockopts") Acked-by: Xin Long <lucien.xin@gmail.com> Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com> Link: https://patch.msgid.link/20260625142354.2600-1-alhouseenyousef@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-27net: enetc: check the number of BDs needed for xdp_frameWei Fang
The size of xdp_redirect_arr array is ENETC_MAX_SKB_FRAGS. However, the number of fragments contained in xdp_frame may be greater than or equal to ENETC_MAX_SKB_FRAGS, which will cause the access to xdp_redirect_arr to be out of bounds. Fixes: 9d2b68cc108d ("net: enetc: add support for XDP_REDIRECT") Signed-off-by: Wei Fang <wei.fang@nxp.com> Link: https://patch.msgid.link/20260626073244.2168214-1-wei.fang@oss.nxp.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-27MAINTAINERS: Update Marvell octeontx2 driver maintainersRatheesh Kannoth
Update the maintainer entries for the Marvell OcteonTX (RVU) drivers to reflect recent organizational changes. Signed-off-by: Ratheesh Kannoth <rkannoth@marvell.com> Link: https://patch.msgid.link/20260626044819.3004811-1-rkannoth@marvell.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-27Merge tag 'pwm/for-7.2-rc1-2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/ukleinek/linux Pull pwm fixes from Uwe Kleine-König: "Two more fixes that I managed to put into the public branch merged into next before my first pull request but missed to include them in it. The first change is a relevant change that fixes misconfigurations due to a variable overflow. The second is only cosmetic but very obviously an improvement" * tag 'pwm/for-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ukleinek/linux: pwm: rzg2l-gpt: Add missing newlines to dev_err_probe() messages pwm: rzg2l-gpt: Fix period_ticks type from u32 to u64
2026-06-27Merge tag 'fbdev-for-7.2-rc1-2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev Pull more fbdev updates from Helge Deller: "Fixes for generic fbdev & fbcon code for the handling of modelists and preventing a potential NULL ptr dereference in the console code. Fix missed cleanups in the error path of various fbdev drivers. And Uwe Kleine-König contributed a cleanup patch to use named initializers in the vga16fb driver" * tag 'fbdev-for-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev: fbdev: Fix fb_new_modelist to prevent null-ptr-deref in fb_videomode_to_var fbcon: fix NULL pointer dereference for a console without vc_data fbdev: fix use-after-free in store_modes() fbdev: viafb: return an error when DMA copy times out fbdev: goldfishfb: fail pan display on base-update timeout fbdev: fbcon: fix out-of-bounds read in err_out of fbcon_do_set_font() fbdev: pm2fb: unwind WC setup on probe failure fbdev: vga16fb: Drop unused assignment of platform_device_id driver data
2026-06-27Merge tag 'sound-fix-7.2-rc1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "A collection of small bug fixes accumulated over the last week. Most are device-specific fixes while there are a few core fixes as well. Here are the highlights: ALSA Core: - A fix for an uninitialised heap leak in ALSA sequencer core - A fix for error handling/resource leak in compress-offload API USB-audio: - A teardown-ordering fix in USB MIDI 2.0 to prevent use-after-free - Bounds and length checks for packet data in Native Instruments caiaq / Traktor Kontrol input parsers - Avoidance of expensive kobject path lookups in DualSense controller matches - Robustness/memory leak fixes for Qualcomm USB offload driver - Focusrite Control Protocol (FCP) NULL-pointer dereference fix and a new device quirk (ISA C8X) - Device-specific quirks for Yamaha CDS3000 and SC13A HD-Audio: - A bunch of quirks and mute/mic-mute LED fixups for various laptops (Acer, Clevo, Lenovo, HP) ASoC & SoundWire: - Avoid failing card registration if the device_link creation fails - A workaround for SoundWire randconfig build failures by making helper functions static inline - Corrected MCLK reference validation for CS530x codecs - Clean up of untested, problematic guard() macro replacements in Rockchip SAI driver - Fix for eDMA maxburst misalignment with channel count in Freescale ASRC - Miscellaneous hardware-specific fixes (qcom, rt5650, tlv320aic3x, tas2781/3) Others: - Bounds and length checks for packet data in Apple iSight" * tag 'sound-fix-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (46 commits) ALSA: FCP: Fix NULL pointer dereference in interface lookup ALSA: hda/realtek: Update Acer Nitro ANV15-41 quirk to enable mute LED ASoC: fsl_asrc_dma: fix eDMA maxburst misalignment with channel count ASoC: codecs: pcm512x: only print info once on no sclk ASoC: tas2781: Update default register address to TAS2563 ALSA: firewire: isight: bound the sample count to the packet payload ALSA: usb-audio: qcom: Free QMI handle ALSA: hda: Add Lenovo Legion 7i 16IAX7 17AA3874 quirk ALSA: usb-audio: avoid kobject path lookup in DualSense match ALSA: hda/realtek: Add quirk for Acer Nitro ANV15-41 ASoC: soc-core: Don't fail if device_link could not be created ASoC: rockchip: rockchip_sai: #include <linux/platform_device.h> explicitly ALSA: seq: Fix uninitialised heap leak in snd_seq_event_dup() ASoC: rt5575: Use __le32 for SPI burst write address ASoC: tas2783: Update loaded firmware names to linux-firmware 20260519 ASoC: SDCA: Validate written enum value in ge_put_enum_double() ASoC: realtek: Add back local call to sdw_show_ping_status() ASoC: ti: Add back local call to sdw_show_ping_status() ASoC: max98373: Add back local call to sdw_show_ping_status() ASoC: es9356: Add back local call to sdw_show_ping_status() ...
2026-06-27Merge tag 'i2c-fixes-7.2-rc1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/andi.shyti/linux Pull i2c fixes from Andi Shyti: - i801: fix error path in smbus transfer - mpc: fix timeout calculation * tag 'i2c-fixes-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/andi.shyti/linux: i2c: i801: fix hardware state machine corruption in error path i2c: mpc: Fix timeout calculations
2026-06-27Merge tag 'rtc-7.2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux Pull RTC updates from Alexandre Belloni: "Most of the work and improvements are for features of the m41t93. The ds1307 also gets support for OSF (Oscillator Stop Flag) for new variants. The pcap driver is being removed as the Motorola EZX support was removed a while ago. Subsystem: - add rtc_read_next_alarm() to read next expiring timer Drivers: - ds1307: handle OSF for ds1337/ds1339/ds3231, add clock provider for ds1307, fix wday for rx8130 - m41t93: DT support, alarm, clock provider, watchdog support - mv: add suspend/resume support for wakeup - pcap: remove driver - renesas-rtca3: many fixes" * tag 'rtc-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux: (36 commits) rtc: ds1307: update reference to removed CONFIG_RTC_DRV_DS1307_HWMON platform/x86: amd-pmc: Fix S0i3 wakeup with alarmtimer rtc: s35390a: fix typo in comment rtc: cmos: unregister HPET IRQ handler on probe failure rtc: ds1307: Fix off-by-one issue with wday for rx8130 dt-bindings: rtc: ds1307: Add epson,rx8901 rtc: bq32000: add delay between RTC reads rtc: m41t93: Add watchdog support rtc: m41t93: Add square wave clock provider support rtc: m41t93: Add alarm support rtc: m41t93: migrate to regmap api for register access rtc: m41t93: add device tree support dt-bindings: rtc: Add ST m41t93 rtc: ds1307: add support for clock provider in ds1307 rtc: mv: add suspend/resume support for wakeup rtc: aspeed: add AST2700 compatible dt-bindings: rtc: add ASPEED AST2700 compatible rtc: interface: fix typos in rtc_handle_legacy_irq() documentation rtc: msc313: fix NULL deref in shared IRQ handler at probe rtc: remove unused pcap driver ...
2026-06-27Merge tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/linuxLinus Torvalds
Pull fscrypt fixes from Eric Biggers: - Fix a bug where in a specific edge case, file contents en/decryption could be done with the wrong data unit size - Fix the data structure used for keeping track of users that have added an fscrypt key to be a simple list instead of a 'struct key' keyring This fixes issues such as a lockdep report found by syzbot and possible unintended interactions with the keyctl() system calls * tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/linux: fscrypt: Replace mk_users keyring with simple list fscrypt: Fix key setup in edge case with multiple data unit sizes
2026-06-26Input: gscps2 - advance receive buffer write indexXu Rao
Commit 44f920069911 ("Input: gscps2 - use guard notation when acquiring spinlock") moved the receive loop into gscps2_read_data() and gscps2_report_data(). While moving the code, it preserved the writes to buffer[ps2port->append], but omitted the following producer index update from the original loop: ps2port->append = (ps2port->append + 1) & BUFFER_SIZE; As a result, append never advances. Since gscps2_report_data() only reports bytes while act != append, the receive buffer always appears empty and no keyboard or mouse data reaches the serio core. Restore the omitted index update. Fixes: 44f920069911 ("Input: gscps2 - use guard notation when acquiring spinlock") Cc: stable@vger.kernel.org # 6.13+ Signed-off-by: Xu Rao <raoxu@uniontech.com> Link: https://patch.msgid.link/460B5655BA580C60+20260624094739.850306-1-raoxu@uniontech.com Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
2026-06-26Input: rmi4 - tolerate short register descriptor structureDmitry Torokhov
Some touchpads (e.g. ThinkPad T14 Gen 1) have buggy firmware that reports a register descriptor structure size that is too small for the number of registers it claims to have in the presence map. The remaining bytes in the structure are 0, which with the new strict bounds checking causes the parser to fail with -EIO, aborting the device probe. Tolerate such short reads by dropping the remaining (unparseable or 0-size) registers from the list instead of failing the probe, preventing the driver from trying to use them. Fixes: 0adb483fbf2d ("Input: rmi4 - refactor register descriptor parsing") Reported-by: Barry K. Nathan <barryn@pobox.com> Tested-by: Barry K. Nathan <barryn@pobox.com> Cc: stable@vger.kernel.org Assisted-by: Antigravity:gemini-3.5-flash Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
2026-06-26Revert "Input: rmi4 - fix register descriptor address calculation"Dmitry Torokhov
The register descriptor presence register is a packet register, which means its bytes share a single RMI address. It does not occupy consecutive addresses, and the register structure that follows it is located at the next RMI address (presence_address + 1), not (presence_address + presence_size). Revert the incorrect address calculation introduced in commit a98518e72439. Reported-by: "Barry K. Nathan" <barryn@pobox.com> Tested-by: "Barry K. Nathan" <barryn@pobox.com> Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
2026-06-26ntb: amd: Use named initializer for pci_device_id::driver_dataUwe Kleine-König (The Capable Hub)
The current list initialisation depends on the well hidden two zeros in the PCI_VDEVICE macro. Instead use a named initialisation that is more robust and easier to understand. Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com> Reviewed-by: Dave Jiang <dave.jiang@intel.com> Signed-off-by: Jon Mason <jdmason@kudzu.us>
2026-06-26NTB: fix kernel-doc warnings in ntb.hRandy Dunlap
Correct a function name and function parameter name to avoid kernel-doc warnings: Warning: include/linux/ntb.h:575 expecting prototype for ntb_default_port_count(). Prototype was for ntb_default_peer_port_count() instead Warning: include/linux/ntb.h:590 function parameter 'pidx' not described in 'ntb_default_peer_port_number' Signed-off-by: Randy Dunlap <rdunlap@infradead.org> Acked-by: Dave Jiang <dave.jiang@intel.com> Signed-off-by: Jon Mason <jdmason@kudzu.us>
2026-06-26NTB: epf: Avoid pci_iounmap() with offset when PEER_SPAD and CONFIG share BARKoichiro Den
When BAR_PEER_SPAD and BAR_CONFIG share one PCI BAR, the module teardown path ends up calling pci_iounmap() on the same iomem with some offset, which is unnecessary and triggers a kernel warning like the following: Trying to vunmap() nonexistent vm area (0000000069a5ffe8) WARNING: mm/vmalloc.c:3470 at vunmap+0x58/0x68, CPU#5: modprobe/2937 [...] Call trace: vunmap+0x58/0x68 (P) iounmap+0x34/0x48 pci_iounmap+0x2c/0x40 ntb_epf_pci_remove+0x44/0x80 [ntb_hw_epf] pci_device_remove+0x48/0xf8 device_remove+0x50/0x88 device_release_driver_internal+0x1c8/0x228 driver_detach+0x50/0xb0 bus_remove_driver+0x74/0x100 driver_unregister+0x34/0x68 pci_unregister_driver+0x34/0xa0 ntb_epf_pci_driver_exit+0x14/0xfe0 [ntb_hw_epf] [...] Fix it by unmapping only when PEER_SPAD and CONFIG use difference bars. Cc: stable@vger.kernel.org Fixes: e75d5ae8ab88 ("NTB: epf: Allow more flexibility in the memory BAR map method") Reviewed-by: Frank Li <Frank.Li@nxp.com> Signed-off-by: Koichiro Den <den@valinux.co.jp> Reviewed-by: Dave Jiang <dave.jiang@intel.com> Signed-off-by: Jon Mason <jdmason@kudzu.us>
2026-06-26ntb_hw_amd: Fix incorrect debug message in link disable pathAlok Tiwari
amd_ntb_link_disable() prints "Enabling Link" which is misleading. Update the message to reflect that the link is being disabled. Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com> Reviewed-by: Dave Jiang <dave.jiang@intel.com> Signed-off-by: Jon Mason <jdmason@kudzu.us>
2026-06-26Merge branch ↵Jakub Kicinski
'net-sched-finish-the-qdisc_dequeue_peeked-conversion-taprio-multiq' Bryam Vargas says: ==================== net/sched: finish the qdisc_dequeue_peeked conversion (taprio, multiq) Commit 77be155cba4e added peek emulation: a non-work-conserving qdisc's ->peek dequeues one skb and stashes it in the child's gso_skb. A parent that peeks such a child must then take the packet with qdisc_dequeue_peeked(), not a direct ->dequeue(), or the stashed skb is bypassed and the child's qlen/backlog desync. sch_red and sch_sfb were just fixed for this; taprio and multiq still take the direct path. With a qfq child the desync re-enters qfq_dequeue on an emptied aggregate list and dereferences NULL, panicking from softirq on ordinary egress. taprio reaches it on its own (root-only software path, all gates open); multiq reaches it when a peeking parent such as tbf wraps it over a non-work-conserving grandchild. Both need only CAP_NET_ADMIN. Confirmed under KASAN: the unpatched arm panics, the patched arm is clean, and a work-conserving-child control is clean. The reproducers and splats for both are below; the per-patch changes are one line each. taprio reproducer (self-triggering, no parent qdisc needed): ip link add dummy0 numtxqueues 4 type dummy; ip link set dummy0 up ip addr add 10.10.11.10/24 dev dummy0 tc qdisc add dev dummy0 root handle 1: taprio num_tc 2 \ map 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 queues 1@0 1@1 \ base-time 9000000000000000000 sched-entry S 03 200000 flags 0x0 clockid CLOCK_TAI tc qdisc replace dev dummy0 parent 1:1 handle 3: qfq tc class add dev dummy0 classid 3:1 parent 3: qfq maxpkt 512 weight 1 tc filter add dev dummy0 parent 3: protocol ip prio 1 matchall classid 3:1 ping -c1 10.10.11.99 -I dummy0 [ 903.769174] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000009: 0000 [#1] SMP KASAN NOPTI [ 903.769953] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f] [ 903.770456] CPU: 7 UID: 0 PID: 16162 Comm: ping Not tainted 7.1.0-rc5 #1 PREEMPT(lazy) [ 903.771725] RIP: 0010:qfq_dequeue+0x362/0x1580 [sch_qfq] [ 903.777452] Call Trace: [ 903.778311] taprio_dequeue_from_txq+0x383/0x680 [sch_taprio] [ 903.778685] taprio_dequeue_tc_priority+0x19a/0x330 [sch_taprio] [ 903.779645] taprio_dequeue+0xa6/0x330 [sch_taprio] [ 903.780299] __qdisc_run+0x16c/0x1890 [ 903.780854] __dev_queue_xmit+0x1ece/0x3390 [ 903.784109] ip_finish_output2+0x571/0x1da0 [ 903.785996] ip_output+0x26c/0x4d0 [ 903.789572] ping_v4_sendmsg+0xd22/0x12b0 [ 903.796118] __x64_sys_sendto+0xe0/0x1c0 [ 903.796612] do_syscall_64+0xee/0x590 [ 903.818669] Kernel panic - not syncing: Fatal exception in interrupt multiq reproducer (needs a peeking parent over a stashing child; tbf values chosen to force it to throttle): ip link add dummy0 numtxqueues 2 type dummy; ip link set dummy0 up ip addr add 10.10.11.10/24 dev dummy0 tc qdisc add dev dummy0 root handle 1: tbf rate 88bit burst 1661b \ peakrate 2257333 minburst 1024 limit 7b tc qdisc add dev dummy0 parent 1: handle 2: multiq for b in 1 2; do # qfq on every band tc qdisc add dev dummy0 parent 2:$b handle 3$b: qfq tc class add dev dummy0 classid 3$b:1 parent 3$b: qfq maxpkt 512 weight 1 tc filter add dev dummy0 parent 3$b: protocol ip prio 1 matchall classid 3$b:1 done ping -c12 10.10.11.99 -I dummy0 [ 1066.385097] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000009: 0000 [#1] SMP KASAN NOPTI [ 1066.386385] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f] [ 1066.387227] CPU: 1 UID: 0 PID: 5357 Comm: ping Not tainted 7.1.0-rc5 #1 PREEMPT(lazy) [ 1066.389183] RIP: 0010:qfq_dequeue+0x362/0x1580 [sch_qfq] [ 1066.396316] Call Trace: [ 1066.396768] multiq_dequeue+0x163/0x360 [sch_multiq] [ 1066.397885] tbf_dequeue+0x6b9/0xf17 [sch_tbf] [ 1066.398269] __qdisc_run+0x16c/0x1890 [ 1066.399315] __dev_queue_xmit+0x1ece/0x3390 [ 1066.403276] ip_finish_output2+0x571/0x1da0 [ 1066.404818] ip_output+0x26c/0x4d0 [ 1066.408620] ping_v4_sendmsg+0xd22/0x12b0 [ 1066.415264] __x64_sys_sendto+0xe0/0x1c0 [ 1066.416251] do_syscall_64+0xee/0x590 [ 1066.441210] Kernel panic - not syncing: Fatal exception in interrupt ==================== Link: https://patch.msgid.link/20260625-b4-disp-31bcb279-v1-0-85c40b83c529@proton.me Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-26net/sched: sch_multiq: Replace direct dequeue call with peek and ↵Bryam Vargas
qdisc_dequeue_peeked multiq_dequeue() takes a packet from a band's child with a direct ->dequeue() call after multiq_peek() peeked it. When the child is non-work-conserving the peek stashes the skb in the child's gso_skb, so the direct dequeue returns a different skb and orphans the stash, desyncing the child's qlen/backlog. With a qfq child reached through a peeking parent (e.g. tbf) this re-enters the child on an emptied list and dereferences NULL, panicking the kernel from softirq on ordinary egress. Take the packet through qdisc_dequeue_peeked(), as sch_prio already does and as sch_red and sch_sfb were just fixed to do. The helper is a no-op when the child has no stash, so a work-conserving child is unaffected. Fixes: 77be155cba4e ("pkt_sched: Add peek emulation for non-work-conserving qdiscs.") Cc: stable@vger.kernel.org Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me> Reviewed-by: Victor Nogueira <victor@mojatatu.com> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com> Link: https://patch.msgid.link/20260625-b4-disp-31bcb279-v1-2-85c40b83c529@proton.me Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-26net/sched: sch_taprio: Replace direct dequeue call with peek and ↵Bryam Vargas
qdisc_dequeue_peeked When taprio's software path peeks a non-work-conserving child qdisc, the child stashes the peeked skb in its gso_skb; taprio_dequeue_from_txq() then takes the packet with a direct child ->dequeue() call, which ignores that stash, orphans the peeked skb and desyncs the child's qlen/backlog. With a qfq child this re-enters the child on an emptied list and dereferences NULL, panicking the kernel from softirq on ordinary egress. Take the packet through qdisc_dequeue_peeked(), as sch_red and sch_sfb now do. The helper returns the child's stashed skb first and is a no-op when there is none, so a work-conserving child is unaffected and the gated path now consumes the skb whose length was charged to the budget. Fixes: 5a781ccbd19e ("tc: Add support for configuring the taprio scheduler") Cc: stable@vger.kernel.org Cc: Vladimir Oltean <vladimir.oltean@nxp.com> Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me> Reviewed-by: Victor Nogueira <victor@mojatatu.com> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com> Link: https://patch.msgid.link/20260625-b4-disp-31bcb279-v1-1-85c40b83c529@proton.me Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-26qede: fix out-of-bounds check for cqe->len_list[]Matvey Kovalev
Move index check before element access. Fixes: 896f1a2493b5 ("net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()") Signed-off-by: Matvey Kovalev <matvey.kovalev@ispras.ru> Link: https://patch.msgid.link/20260623144602.3521-1-matvey.kovalev@ispras.ru Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-26seg6: validate SRH length before reading fixed fieldsNuoqi Gui
seg6_validate_srh() reads fixed SRH fields such as srh->type and srh->hdrlen before checking that the supplied length covers the fixed struct ipv6_sr_hdr fields. The BPF SEG6 encap path reaches this with a BPF program-supplied pointer and length: bpf_lwt_push_encap() and the SEG6 local BPF END_B6 and END_B6_ENCAP actions call bpf_push_seg6_encap(), which forwards the length to seg6_validate_srh() with no minimum-size guard. A 2-byte SEG6 encap header can therefore make the validator read srh->type at offset 2 beyond the caller-supplied buffer. Reject lengths shorter than the fixed SRH at the top of seg6_validate_srh(), before any field is read. This fixes the BPF helper path and keeps the common validator robust. Fixes: fe94cc290f53 ("bpf: Add IPv6 Segment Routing helpers") Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn> Reviewed-by: Andrea Mayer <andrea.mayer@uniroma2.it> Link: https://patch.msgid.link/20260623-f01-17-seg6-srh-len-v2-1-2edc40e9e3e1@mails.tsinghua.edu.cn Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-26net: pse-pd: scope pse_control regulator handle to kref lifetimeCorey Leavitt
__pse_control_release() drops psec->ps via devm_regulator_put(), which only succeeds if the devres entry added by the matching devm_regulator_get_exclusive() is still present on pcdev->dev at the time the pse_control's kref hits zero. That assumption does not hold when the controller is unbound while a pse_control still has consumers: pcdev->dev's devres list is released LIFO, so every per-attach regulator-GET devres runs (and regulator_put()s the underlying regulator) before pse_controller_unregister() itself is invoked. Any later pse_control_put() from that unbind path then reads psec->ps as a dangling pointer inside devm_regulator_put() and WARNs at drivers/regulator/devres.c:232 (devres_release() fails to find the already-released match). The pse_control's consumer handle is logically scoped to the pse_control's refcount, not to pcdev->dev's devres lifetime. Switch to the plain regulator_get_exclusive() / regulator_put() pair so the regulator put in __pse_control_release() no longer depends on the controller's devres still being present. No change to the regulator-framework-visible refcount or lifetime of the underlying regulator: a single get paired with a single put. The existing devm_regulator_register() for the per-PI rails is unchanged (those ARE correctly scoped to the controller's lifetime). This addresses only the regulator handle. The same unbind-while-held scenario also leaves __pse_control_release() reading psec->pcdev->pi[] and psec->pcdev->owner after pse_controller_unregister() has freed pcdev->pi, because the controller does not drain its outstanding pse_control references on unregister. That wider pse_control vs pcdev lifetime problem pre-dates this change and is addressed by the PSE controller notifier series, which drains phydev->psec on PSE_UNREGISTERED before pcdev->pi is freed. Link: https://lore.kernel.org/netdev/20260620112440.1734404-1-github@szelinsky.de/ Fixes: d83e13761d5b ("net: pse-pd: Use regulator framework within PSE framework") Signed-off-by: Corey Leavitt <corey@leavitt.info> Acked-by: Kory Maincent <kory.maincent@bootlin.com> Signed-off-by: Carlo Szelinsky <github@szelinsky.de> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20260624204017.2752934-1-github@szelinsky.de Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-26net: liquidio: fix BAR resource leak on PF number failureHaoxiang Li
If cn23xx_get_pf_num() fails, the function returns without unmapping either BAR. Unmap both BARs before returning from the error path. Found by manual code review. Fixes: 0c45d7fe12c7 ("liquidio: fix use of pf in pass-through mode in a virtual machine") Cc: stable@vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com> Reviewed-by: Larysa Zaremba <larysa.zaremba@intel.com> Link: https://patch.msgid.link/20260624064013.2809570-1-haoxiang_li2024@163.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-26net: ipa: fix SMEM state handle leaks in SMP2P initHaoxiang Li
ipa_smp2p_init() acquires two Qualcomm SMEM state handles with qcom_smem_state_get(). However, neither the init error paths nor ipa_smp2p_exit() release them. Release both handles with qcom_smem_state_put() in the init error paths and in ipa_smp2p_exit(). Fixes: 530f9216a953 ("soc: qcom: ipa: AP/modem communications") Cc: stable@vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com> Reviewed-by: Larysa Zaremba <larysa.zaremba@intel.com> Reviewed-by: Alex Elder <elder@riscstar.com> Link: https://patch.msgid.link/20260624065955.2822765-1-haoxiang_li2024@163.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-26Merge tag 'drm-fixes-2026-06-27' of https://gitlab.freedesktop.org/drm/kernelLinus Torvalds
Pull drm fixes from Dave Airlie: "These are just the fixes from our fixes branch, all pretty small and scattered. sysfb: - drm/sysfb truncation and alignment fixes edid: - fix edid OOB read in tile parsing - increase displayid topology id to correct size nouveau: - fix error handling paths in nouveau amdxdna: - get_bo_info fix ivpu: - fix leak when error handling in ivpu" * tag 'drm-fixes-2026-06-27' of https://gitlab.freedesktop.org/drm/kernel: drm/sysfb: Avoid truncating maximum stride drm/sysfb: Return errno code from drm_sysfb_get_visible_size() drm/sysfb: Avoid possible truncation with calculating visible size drm/sysfb: Do not page-align visible size of the framebuffer drm/edid: fix OOB read in drm_parse_tiled_block() drm/nouveau: fix reversed error cleanup order in ucopy functions drm/nouveau/acr: fix missing nvkm_done() in error path of nvkm_acr_oneinit() accel/amdxdna: Use caller client for debug BO sync drm/displayid: fix Tiled Display Topology ID size accel/ivpu: fix HWS command queue leak on registration failure
2026-06-26Merge tag 'drm-next-2026-06-27' of https://gitlab.freedesktop.org/drm/kernelLinus Torvalds
Pull drm merge window fixes from Dave Airlie: "This is the merge window fixes from our next tree, i915/xe and amdgpu make up all of it. I've got a separate fixes pull from our fixes branch arriving after this. i915: - Fix corrupted display output on GLK, #16209 - Add missing Spectre mitigation for parallel submit IOCTL - MTL+ fix for DP resume - clear CRTC blobs after dropping refs - fix sharpness filter on DP MST xe: - Set TTM beneficial order to 9 in Xe - Several error path cleanups - Fix TDR for unstarted jobs on kernel queues - Several TLB invalidation fixes related to suspending LR queues - Some small RAS fixes - Multi-queue suspend fix for LR queues - Revert inclusion of NVL_S firmware amdgpu: - devcoredump fixes - SMU15 fix - Various irq put/get imbalance cleanup fixes - 8K panel fix - DCN3.5 fix - lockdep fix - Cleaner shader sysfs IB overflow fix - Async flip fixes - GET_MAPPING_INFO fix - CP_GFX_SHADOW fix - Ctx pstate handling fix - GTT bo move handling fixes - Old UVD BO placement fixes - GC9 mode2 reset fix - IH6.1 version fix - Soft IH ring fix amdkfd: - Fix doorbell/mmio double unpin on free - CRIU fixes - SMI event fixes - Sysfs teardown fix - Various boundary checking fixes - Various error checking fixes - SVM fix" * tag 'drm-next-2026-06-27' of https://gitlab.freedesktop.org/drm/kernel: (52 commits) drm/i915/cdclk: Fix up CDCLK_FREQ_DECIMAL without a full PLL re-enable drm/i915/gem: Add missing nospec on parallel submit slot drm/amdgpu: Use system unbound workqueue for soft IH ring amdgpu/ih6.1: Fix minor version drm/amdkfd: Use exclusive bounds for SVM split alignment checks drm/amdgpu/gfx9: Fix Ring and IB test fail after mode2 drm/amdgpu/uvd: Fix forcing MSG, FB BOs into VCPU segment when it isn't at 0 (v2) drm/amdgpu/uvd: Place VCPU BO only in VRAM for UVD 4.x and older drm/amdgpu: Fix amdgpu_bo_move() when old_mem and new_mem are both GTT drm/amdgpu: Respect placement requirements in amdgpu_gtt_mgr functions drm/amdgpu: Fix context pstate override handling drm/amdkfd: Use memdup_array_user to copy data from/to user space at kfd ioctls drm/amdkfd: check find_first_zero_bit before __set_bit on kfd->doorbell_bitmap drm/amdkfd: Let driver decide buffer size at AMDKFD_IOC_GET_DMABUF_INFO ioctl drm/amdgpu: fix recursive ww_mutex acquire in amdgpu_devcoredump_format drm/amdgpu: convert amdgpu_vm_lock_by_pasid() to drm_exec drm/amdgpu: Don't use UTS_RELEASE directly drm/amdkfd: Fix NULL deref during sysfs teardown drm/amdgpu: validate CP_GFX_SHADOW chunk size in CS pass1 drm/amdgpu: check amdgpu_vm_bo_find() result in GET_MAPPING_INFO ...
2026-06-26Merge tag 'ceph-for-7.2-rc1' of https://github.com/ceph/ceph-clientLinus Torvalds
Pull ceph updates from Ilya Dryomov: "This adds support for manual client session reset in CephFS, allowing operators to get out of tricky livelock situations involving caps and file locks without evicting the problematic client instance on the MDS side or rebooting the client node both of which can be disruptive" * tag 'ceph-for-7.2-rc1' of https://github.com/ceph/ceph-client: ceph: add manual reset debugfs control and tracepoints ceph: add client reset state machine and session teardown ceph: add diagnostic timeout loop to wait_caps_flush() ceph: harden send_mds_reconnect and handle active-MDS peer reset ceph: use proper endian conversion for flock_len in reconnect ceph: convert inode flags to named bit positions and atomic bitops rbd: switch to dynamic root device
2026-06-26Merge tag 'gfs2-for-7.2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2 Pull gfs2 updates from Andreas Gruenbacher: - fix page poisoning not handled correctly when growing files - quota initialization / destruction fixes: sleeping under a bitlock in PREEMPT_RT, broken quota_init error recovery, missing RCU synchronization * tag 'gfs2-for-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2: gfs2: page poisoning fix gfs2: Remove unused fallocate_chunk argument gfs2: fix use-after-free in gfs2_qd_dealloc gfs2: move quota_init qc iterator increment gfs2: fix quota init duplicate scan
2026-06-26Merge tag 'thermal-7.2-rc1-2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull thermal control fixes from Rafael Wysocki: "These fix a failure path in an Intel thermal driver and prevent thermal testing module code from being executed after it has been freed: - Fix dangling resources on thermal_throttle_online() failure in the Intel thermal_throttle driver (Ricardo Neri) - Eliminate a possibility of running thermal testing module code after that module has been removed (Rafael Wysocki)" * tag 'thermal-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: thermal: testing: zone: Flush work items during cleanup thermal: intel: Fix dangling resources on thermal_throttle_online() failure
2026-06-26Merge tag 'pm-7.2-rc1-2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fixes from Rafael Wysocki: "These fix the schedutil cpufreq governor and drop a bogus warning from the cpuidle core: - Remove a misguided warning along with an inaccurate comment next to it from the cpuidle core (Rafael Wysocki) - Clear need_freq_update as appropriate in the .adjust_perf() path of the schedutil cpufreq governor to avoid calling cpufreq_driver_adjust_perf() unnecessarily on every scheduler utilization update (Zhongqiu Han)" * tag 'pm-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: cpuidle: Allow exit latency to exceed target residency cpufreq: schedutil: Fix uncleared need_freq_update on the .adjust_perf() path