<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/include, branch v7.2-rc3</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>Merge tag 'char-misc-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc</title>
<updated>2026-07-12T19:37:28+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-12T19:37:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bffa972b3f66d28732f09d67db09711ac2f93ebe'/>
<id>bffa972b3f66d28732f09d67db09711ac2f93ebe</id>
<content type='text'>
Pull Android/IIO fixes from Greg KH:
 "Here is a set of bugfixes for 7.2-rc3 that resolve a bunch of reported
  issues in just the binder and iio codebases. Included in here are:

   - binder driver bugfixes for both the rust and c versions for
     reported problems

   - lots and lots of iio driver bugfixes for lots of reported issues
     (including a hid sensor driver bugfix)

  Full details are in the shortlog, all of these have been in linux-next
  with no reported issues"

* tag 'char-misc-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (36 commits)
  iio: event: Fix event FIFO reset race
  iio: imu: inv_icm42600: fix timestamp clock period by using lower value
  iio: light: al3010: fix incorrect scale for the highest gain range
  iio: adc: nxp-sar-adc: Fix the delay calculation in nxp_sar_adc_wait_for()
  iio: light: tsl2591: return actual error from probe IRQ failure
  iio: imu: inv_icm42600: fix timestamping by limiting FIFO reading
  iio: imu: st_lsm6dsx: deselect shub page before reading whoami
  rust_binder: clear freeze listener on node removal
  rust_binder: reject context manager self-transaction
  rust_binder: use a u64 stride when cleaning up the offsets array
  binder: fix UAF in binder_free_transaction()
  binder: fix UAF in binder_thread_release()
  rust_binder: synchronize Rust Binder stats with freeze commands
  binder: cache secctx size before release zeroes it
  rust_binder: fix BINDER_GET_EXTENDED_ERROR
  iio: adc: ad7779: add missing 'select IIO_TRIGGERED_BUFFER' to Kconfig
  iio: adc: ad4130: add missing `select IIO_TRIGGERED_BUFFER` to Kconfig
  iio: adc: ti-ads124s08: Return reset GPIO lookup errors
  iio: temperature: Build mlx90635 with CONFIG_MLX90635
  iio: light: al3320a: add missing REGMAP_I2C to Kconfig
  ...
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull Android/IIO fixes from Greg KH:
 "Here is a set of bugfixes for 7.2-rc3 that resolve a bunch of reported
  issues in just the binder and iio codebases. Included in here are:

   - binder driver bugfixes for both the rust and c versions for
     reported problems

   - lots and lots of iio driver bugfixes for lots of reported issues
     (including a hid sensor driver bugfix)

  Full details are in the shortlog, all of these have been in linux-next
  with no reported issues"

* tag 'char-misc-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (36 commits)
  iio: event: Fix event FIFO reset race
  iio: imu: inv_icm42600: fix timestamp clock period by using lower value
  iio: light: al3010: fix incorrect scale for the highest gain range
  iio: adc: nxp-sar-adc: Fix the delay calculation in nxp_sar_adc_wait_for()
  iio: light: tsl2591: return actual error from probe IRQ failure
  iio: imu: inv_icm42600: fix timestamping by limiting FIFO reading
  iio: imu: st_lsm6dsx: deselect shub page before reading whoami
  rust_binder: clear freeze listener on node removal
  rust_binder: reject context manager self-transaction
  rust_binder: use a u64 stride when cleaning up the offsets array
  binder: fix UAF in binder_free_transaction()
  binder: fix UAF in binder_thread_release()
  rust_binder: synchronize Rust Binder stats with freeze commands
  binder: cache secctx size before release zeroes it
  rust_binder: fix BINDER_GET_EXTENDED_ERROR
  iio: adc: ad7779: add missing 'select IIO_TRIGGERED_BUFFER' to Kconfig
  iio: adc: ad4130: add missing `select IIO_TRIGGERED_BUFFER` to Kconfig
  iio: adc: ti-ads124s08: Return reset GPIO lookup errors
  iio: temperature: Build mlx90635 with CONFIG_MLX90635
  iio: light: al3320a: add missing REGMAP_I2C to Kconfig
  ...
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'trace-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace</title>
<updated>2026-07-12T16:46:37+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-12T16:46:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6205562c5904ee23786239298299043876b1a977'/>
<id>6205562c5904ee23786239298299043876b1a977</id>
<content type='text'>
Pull tracing fixes from Steven Rostedt:

 - Free field in error path of synthetic event parse

   In __create_synth_event() the field was allocated but was not freed
   in the error path

 - Fix ring_buffer_event_length() on 8 byte aligned architectures

   On architectures with CONFIG_HAVE_64BIT_ALIGNED_ACCESS set to y, the
   ring_buffer_event_length() may return the wrong size. This is because
   archs with that config set will always use the "big event meta
   header" as that is 8 bytes keeping the payload 8 bytes aligned, even
   when a 4 byte header could hold the size of the event

   But ring_buffer_event_length() doesn't take this into account and
   only subtracts 4 bytes for the meta header in the length when it
   should have subtracted 8 bytes

 - Have osnoise wait for a full rcu synchronization on unregister

   osnoise_unregister_instance() used to call synchronize_rcu() before
   freeing its copy of the instance but was switched to kfree_rcu(). The
   osniose tracer has code that traverses the instances that it uses,
   and inst is just a pointer to that instance. By using kfree_rcu()
   instead of synchronize_rcu(), the instance that the inst pointer is
   pointing to can be freed while the osnoise code is still referencing
   it

   That is, a rmdir on an instance first unregisters the tracer. When
   the unregister finishes, the rmdir expects that the tracer is
   finished with the instance that it is using. By putting back the
   synchronize_rcu() in osnoise_unregister_instance() the unregistering
   of osnoise will now return when all the users of the instance have
   finished

 - Remove an unused setting of "ret" in tracing_set_tracer()

 - Fix ring_buffer_read_page() copying events

   The commit that changed ring_buffer_read_page() to show dropped
   events from the buffer itself, split the "commit" variable between
   the commit value (with flags) and "size" that holds the size of the
   sub-buffer. A cut and paste error changed the test of the reading
   from checking the size of the buffer to the size of the event causing
   reads to only read one event at a time

 - Make tracepoint_printk a static variable

   When the tracing sysctl knobs were move from sysctl.c to trace.c, the
   variable tracepoint_printk no longer needed to be global. Make it
   static

 - Fix some typos

 - Fix NULL pointer dereference in func_set_flag()

   The flags update of the function tracer first checks if the value of
   the flag is the same and exits if they are, and then it checks if the
   current tracer is the function tracer and exits if it isn't. The
   problem is that these checks need to be in a reversed order, as if
   the tracer isn't the function tracer, then the flag being checked may
   not exist. Reverse the order of these checks

 - Fix ufs core trace events to not dereference a pointer in TP_printk()

   The TP_printk() part of the TRACE_EVENT() macro is called when the
   user reads the "trace" file. This can be seconds, minutes, hours,
   days, weeks, and even months after the data was recorded into the
   ring buffer. Thus, saving a pointer to an object into the ring buffer
   and then dereferencing it from TP_printk() can cause harm as the
   object the pointer is pointing to may no longer exist

   Fix all the trace events in ufs core to save the device name in the
   ring buffer instead of dereferencing the device descriptor from
   TP_printk()

 - Prevent out-of-bound reads in glob matching of trace events

   The filter logic of events allows simple glob logic to add wild cards
   to filter on strings. But some events have fields that may not have a
   terminating 'nul' character. This may cause the glob matching to go
   beyond the string. Change the logic to always pass in the length of
   the field that is being matched

 - Add no-rcu-check version of trace_##event##_enabled()

   The trace_##event##_enabled() usually wraps trace events to do extra
   work that is only needed when the trace event is enabled. But this
   can hide events that are placed in locations where RCU is not
   watching, and can make lockdep not see these bugs when the event is
   not enabled

   The trace_##event##_enabled() was updated to always test to make sure
   RCU is watching to catch locations that may call events without RCU
   being active

   This caused a false positive for the irq_disabled() and related
   events. As that use trace_irq_disabled_enabled() to force RCU to be
   watching when the event is enabled via the ct_irq_enter() function,
   calls the event, and then calls ct_irq_exit() to put RCU back to its
   original state

   The trace_irq_disabled_enabled() should not trigger a warning when
   RCU is not watching because the code within its block handles the
   case properly. Make a __trace_##event##_enabled() version for this
   event to use that doesn't check RCU is watching as it handles the
   case when it isn't

 - Fix use-after-free in user_event_mm_dup()

   When the enabler is removed from the link list, it is freed
   immediately. But it is protected via RCU and needs to be freed after
   an RCU grace period. Use queue_rcu_work() so that the event_mutex can
   also be taken as user_event_put() takes the mutex on the last
   reference is released

 - Free type string in error path of parse_synth_field()

   There's an error path in parse_synth_field() where the allocated type
   string is not freed

 - Add selftest that tests deferred event teardown

 - Fix leak in error path of trace_remote_alloc_buffer()

   If page allocation fails, the desc-&gt;nr_cpus is not incremented for
   the current CPU and the allocations done for it are not freed

 - Fix allocation length in trace_remote_alloc_buffer()

   The logic to calculate the struct_len was doing a double count and
   setting the value too large. Calculate the size upfront to fix the
   error and simplify the logic

 - Fix sparse CPU masks in ring_buffer_desc()

   If there are sparse CPUs (gaps in the numbering), the
   ring_buffer_desc() will fail as it tests the CPU number against the
   number of CPUs that are used

* tag 'trace-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
  ring-buffer: Allow sparse CPU masks in ring_buffer_desc()
  tracing/remotes: Fix struct_len in trace_remote_alloc_buffer()
  tracing/remotes: Fix leak in trace_remote_alloc_buffer() error path
  selftests/user_events: Wait for deferred event teardown after unregister
  tracing/synthetic: Free type string on error path
  tracing/user_events: Fix use-after-free in user_event_mm_dup()
  tracing: Add a no-rcu-check version of trace_##event##_enabled()
  tracing: Prevent out-of-bounds read in glob matching
  ufs: core: tracing: Do not dereference pointers in TP_printk()
  tracing: Fix NULL pointer dereference in func_set_flag()
  samples: ftrace: Fix typos in benchmark comment
  tracing: Make tracepoint_printk static as not exported
  ring-buffer: Fix ring_buffer_read_page() copying only one event per page
  tracing: Remove unused ret assignment in tracing_set_tracer()
  tracing/osnoise: Call synchronize_rcu() when unregistering
  ring-buffer: Fix event length with forced 8-byte alignment
  tracing/synthetic: Free pending field on error path
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull tracing fixes from Steven Rostedt:

 - Free field in error path of synthetic event parse

   In __create_synth_event() the field was allocated but was not freed
   in the error path

 - Fix ring_buffer_event_length() on 8 byte aligned architectures

   On architectures with CONFIG_HAVE_64BIT_ALIGNED_ACCESS set to y, the
   ring_buffer_event_length() may return the wrong size. This is because
   archs with that config set will always use the "big event meta
   header" as that is 8 bytes keeping the payload 8 bytes aligned, even
   when a 4 byte header could hold the size of the event

   But ring_buffer_event_length() doesn't take this into account and
   only subtracts 4 bytes for the meta header in the length when it
   should have subtracted 8 bytes

 - Have osnoise wait for a full rcu synchronization on unregister

   osnoise_unregister_instance() used to call synchronize_rcu() before
   freeing its copy of the instance but was switched to kfree_rcu(). The
   osniose tracer has code that traverses the instances that it uses,
   and inst is just a pointer to that instance. By using kfree_rcu()
   instead of synchronize_rcu(), the instance that the inst pointer is
   pointing to can be freed while the osnoise code is still referencing
   it

   That is, a rmdir on an instance first unregisters the tracer. When
   the unregister finishes, the rmdir expects that the tracer is
   finished with the instance that it is using. By putting back the
   synchronize_rcu() in osnoise_unregister_instance() the unregistering
   of osnoise will now return when all the users of the instance have
   finished

 - Remove an unused setting of "ret" in tracing_set_tracer()

 - Fix ring_buffer_read_page() copying events

   The commit that changed ring_buffer_read_page() to show dropped
   events from the buffer itself, split the "commit" variable between
   the commit value (with flags) and "size" that holds the size of the
   sub-buffer. A cut and paste error changed the test of the reading
   from checking the size of the buffer to the size of the event causing
   reads to only read one event at a time

 - Make tracepoint_printk a static variable

   When the tracing sysctl knobs were move from sysctl.c to trace.c, the
   variable tracepoint_printk no longer needed to be global. Make it
   static

 - Fix some typos

 - Fix NULL pointer dereference in func_set_flag()

   The flags update of the function tracer first checks if the value of
   the flag is the same and exits if they are, and then it checks if the
   current tracer is the function tracer and exits if it isn't. The
   problem is that these checks need to be in a reversed order, as if
   the tracer isn't the function tracer, then the flag being checked may
   not exist. Reverse the order of these checks

 - Fix ufs core trace events to not dereference a pointer in TP_printk()

   The TP_printk() part of the TRACE_EVENT() macro is called when the
   user reads the "trace" file. This can be seconds, minutes, hours,
   days, weeks, and even months after the data was recorded into the
   ring buffer. Thus, saving a pointer to an object into the ring buffer
   and then dereferencing it from TP_printk() can cause harm as the
   object the pointer is pointing to may no longer exist

   Fix all the trace events in ufs core to save the device name in the
   ring buffer instead of dereferencing the device descriptor from
   TP_printk()

 - Prevent out-of-bound reads in glob matching of trace events

   The filter logic of events allows simple glob logic to add wild cards
   to filter on strings. But some events have fields that may not have a
   terminating 'nul' character. This may cause the glob matching to go
   beyond the string. Change the logic to always pass in the length of
   the field that is being matched

 - Add no-rcu-check version of trace_##event##_enabled()

   The trace_##event##_enabled() usually wraps trace events to do extra
   work that is only needed when the trace event is enabled. But this
   can hide events that are placed in locations where RCU is not
   watching, and can make lockdep not see these bugs when the event is
   not enabled

   The trace_##event##_enabled() was updated to always test to make sure
   RCU is watching to catch locations that may call events without RCU
   being active

   This caused a false positive for the irq_disabled() and related
   events. As that use trace_irq_disabled_enabled() to force RCU to be
   watching when the event is enabled via the ct_irq_enter() function,
   calls the event, and then calls ct_irq_exit() to put RCU back to its
   original state

   The trace_irq_disabled_enabled() should not trigger a warning when
   RCU is not watching because the code within its block handles the
   case properly. Make a __trace_##event##_enabled() version for this
   event to use that doesn't check RCU is watching as it handles the
   case when it isn't

 - Fix use-after-free in user_event_mm_dup()

   When the enabler is removed from the link list, it is freed
   immediately. But it is protected via RCU and needs to be freed after
   an RCU grace period. Use queue_rcu_work() so that the event_mutex can
   also be taken as user_event_put() takes the mutex on the last
   reference is released

 - Free type string in error path of parse_synth_field()

   There's an error path in parse_synth_field() where the allocated type
   string is not freed

 - Add selftest that tests deferred event teardown

 - Fix leak in error path of trace_remote_alloc_buffer()

   If page allocation fails, the desc-&gt;nr_cpus is not incremented for
   the current CPU and the allocations done for it are not freed

 - Fix allocation length in trace_remote_alloc_buffer()

   The logic to calculate the struct_len was doing a double count and
   setting the value too large. Calculate the size upfront to fix the
   error and simplify the logic

 - Fix sparse CPU masks in ring_buffer_desc()

   If there are sparse CPUs (gaps in the numbering), the
   ring_buffer_desc() will fail as it tests the CPU number against the
   number of CPUs that are used

* tag 'trace-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
  ring-buffer: Allow sparse CPU masks in ring_buffer_desc()
  tracing/remotes: Fix struct_len in trace_remote_alloc_buffer()
  tracing/remotes: Fix leak in trace_remote_alloc_buffer() error path
  selftests/user_events: Wait for deferred event teardown after unregister
  tracing/synthetic: Free type string on error path
  tracing/user_events: Fix use-after-free in user_event_mm_dup()
  tracing: Add a no-rcu-check version of trace_##event##_enabled()
  tracing: Prevent out-of-bounds read in glob matching
  ufs: core: tracing: Do not dereference pointers in TP_printk()
  tracing: Fix NULL pointer dereference in func_set_flag()
  samples: ftrace: Fix typos in benchmark comment
  tracing: Make tracepoint_printk static as not exported
  ring-buffer: Fix ring_buffer_read_page() copying only one event per page
  tracing: Remove unused ret assignment in tracing_set_tracer()
  tracing/osnoise: Call synchronize_rcu() when unregistering
  ring-buffer: Fix event length with forced 8-byte alignment
  tracing/synthetic: Free pending field on error path
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'nfs-for-7.2-2' of git://git.linux-nfs.org/projects/anna/linux-nfs</title>
<updated>2026-07-11T01:15:26+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-11T01:15:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=58d9f84279a86b1b24239107a3d1c4d8dccb41e6'/>
<id>58d9f84279a86b1b24239107a3d1c4d8dccb41e6</id>
<content type='text'>
Pull NFS client fixes from Anna Schumaker:

 - SUNRPC:
    - Release lower rpc_clnt if killed waiting for XPRT_LOCKED
    - Pin upper rpc_clnt across the TLS connect_worker

 - NFS:
    - Include MAY_WRITE in open permission mask for O_TRUNC
    - Charge unstable writes by request size, not folio size

* tag 'nfs-for-7.2-2' of git://git.linux-nfs.org/projects/anna/linux-nfs:
  NFS: Charge unstable writes by request size, not folio size
  NFSv4: include MAY_WRITE in open permission mask for O_TRUNC
  SUNRPC: pin upper rpc_clnt across the TLS connect_worker
  SUNRPC: release lower rpc_clnt if killed waiting for XPRT_LOCKED
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull NFS client fixes from Anna Schumaker:

 - SUNRPC:
    - Release lower rpc_clnt if killed waiting for XPRT_LOCKED
    - Pin upper rpc_clnt across the TLS connect_worker

 - NFS:
    - Include MAY_WRITE in open permission mask for O_TRUNC
    - Charge unstable writes by request size, not folio size

* tag 'nfs-for-7.2-2' of git://git.linux-nfs.org/projects/anna/linux-nfs:
  NFS: Charge unstable writes by request size, not folio size
  NFSv4: include MAY_WRITE in open permission mask for O_TRUNC
  SUNRPC: pin upper rpc_clnt across the TLS connect_worker
  SUNRPC: release lower rpc_clnt if killed waiting for XPRT_LOCKED
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'drm-fixes-2026-07-10' of https://gitlab.freedesktop.org/drm/kernel</title>
<updated>2026-07-10T15:53:32+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-10T15:53:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ba0b7c62cea942cd0afa35a3768a9f4874874b2f'/>
<id>ba0b7c62cea942cd0afa35a3768a9f4874874b2f</id>
<content type='text'>
Pull drm fixes from Dave Airlie:
 "Weekly fixes pull for drm, amdgpu, amdxdna, xe leading the way, some
  small core fixes and a nouveau stability fix along with some minor
  changes in other drivers.

  Seems to be a bit quiter than last week at least.

  fb-helper:
   - Sync on first active crtc in fb_dirty, rather than first crtc

  drm_exec:
   - Use direct label in drm_exec

  buddy:
   - Rework try_harder in the buddy allocator

  i915:
   - fix underrun on panthor lake
   - LT PHY SSC programming fix
   - fix some NULL derefs and leaks

  nouveau:
   - fix a vmm large/small page table update race

  xe:
   - Fix PTE index in xe_vm_populate_pgtable for chunked binds
   - Wait on external BO kernel fences in exec IOCTL
   - Remove duplicate include
   - Free madvise VMA array on L2 flush failure
   - Stub notifier_lock helpers when DRM_GPUSVM=n

  amdgpu:
   - PSP 15.0.9 update
   - SMU 15.0.9 update
   - VCN 5.3 fix
   - VI ASPM fix
   - Userq fix
   - lifetime fix for amdgpu_vm_get_task_info_pasid()
   - Gfx10 fix
   - SMU 14 fix

  amdkfd:
   - CRIU bounds checking fixes
   - secondary context id fix
   - Event bounds checking fix

  amdxdna:
   - Fix uaf in mmap failure path
   - A lot of deadlocks, access races and return value fixes

  analogix_dp:
   - Fix analogix_dp bitshifts during link training

  v3d:
   - Fix absent indirect bo handling

  imagination:
   - Make function static to solve compiler warning
   - Fix error checking"

* tag 'drm-fixes-2026-07-10' of https://gitlab.freedesktop.org/drm/kernel: (44 commits)
  nouveau/vmm: fix another SPT/LPT race
  drm/imagination: fix error checking of pvr_vm_context_lookup()
  drm/imagination: make pvr_fw_trace_init_mask_ops static
  gpu/buddy: bail out of try_harder when alignment cannot be honoured
  drm/xe/userptr: Stub notifier_lock helpers when DRM_GPUSVM=n
  drm/xe: free madvise VMA array on L2 flush failure
  drm/xe: remove duplicate &lt;kunit/test-bug.h&gt; include
  drm/xe: Wait on external BO kernel fences in exec IOCTL
  drm/xe: Fix PTE index in xe_vm_populate_pgtable() for chunked binds
  drm/fb-helper: Only consider active CRTCs for vblank sync
  drm/amdkfd: Check bounds on CRIU restore queue type and mqd size
  drm/amd/pm: fix smu14 power limit range calculation
  drm/amdkfd: Check bounds in allocate_event_notification_slot
  amdkfd: properly free secondary context id
  drm/amdkfd: Don't acquire buffers during CRIU queue restore
  drm/amdkfd: Check bounds on CRIU restore event id
  drm/gfx10: Program DB_RING_CONTROL
  drm/amdgpu: fix lifetime issue of amdgpu_vm_get_task_info_pasid()
  drm/amdgpu: trigger GPU recovery when userq destroy fails to unmap a hung queue
  drm/amd/amdgpu: disable ASPM on VI if pcie dpm is disabled
  ...
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull drm fixes from Dave Airlie:
 "Weekly fixes pull for drm, amdgpu, amdxdna, xe leading the way, some
  small core fixes and a nouveau stability fix along with some minor
  changes in other drivers.

  Seems to be a bit quiter than last week at least.

  fb-helper:
   - Sync on first active crtc in fb_dirty, rather than first crtc

  drm_exec:
   - Use direct label in drm_exec

  buddy:
   - Rework try_harder in the buddy allocator

  i915:
   - fix underrun on panthor lake
   - LT PHY SSC programming fix
   - fix some NULL derefs and leaks

  nouveau:
   - fix a vmm large/small page table update race

  xe:
   - Fix PTE index in xe_vm_populate_pgtable for chunked binds
   - Wait on external BO kernel fences in exec IOCTL
   - Remove duplicate include
   - Free madvise VMA array on L2 flush failure
   - Stub notifier_lock helpers when DRM_GPUSVM=n

  amdgpu:
   - PSP 15.0.9 update
   - SMU 15.0.9 update
   - VCN 5.3 fix
   - VI ASPM fix
   - Userq fix
   - lifetime fix for amdgpu_vm_get_task_info_pasid()
   - Gfx10 fix
   - SMU 14 fix

  amdkfd:
   - CRIU bounds checking fixes
   - secondary context id fix
   - Event bounds checking fix

  amdxdna:
   - Fix uaf in mmap failure path
   - A lot of deadlocks, access races and return value fixes

  analogix_dp:
   - Fix analogix_dp bitshifts during link training

  v3d:
   - Fix absent indirect bo handling

  imagination:
   - Make function static to solve compiler warning
   - Fix error checking"

* tag 'drm-fixes-2026-07-10' of https://gitlab.freedesktop.org/drm/kernel: (44 commits)
  nouveau/vmm: fix another SPT/LPT race
  drm/imagination: fix error checking of pvr_vm_context_lookup()
  drm/imagination: make pvr_fw_trace_init_mask_ops static
  gpu/buddy: bail out of try_harder when alignment cannot be honoured
  drm/xe/userptr: Stub notifier_lock helpers when DRM_GPUSVM=n
  drm/xe: free madvise VMA array on L2 flush failure
  drm/xe: remove duplicate &lt;kunit/test-bug.h&gt; include
  drm/xe: Wait on external BO kernel fences in exec IOCTL
  drm/xe: Fix PTE index in xe_vm_populate_pgtable() for chunked binds
  drm/fb-helper: Only consider active CRTCs for vblank sync
  drm/amdkfd: Check bounds on CRIU restore queue type and mqd size
  drm/amd/pm: fix smu14 power limit range calculation
  drm/amdkfd: Check bounds in allocate_event_notification_slot
  amdkfd: properly free secondary context id
  drm/amdkfd: Don't acquire buffers during CRIU queue restore
  drm/amdkfd: Check bounds on CRIU restore event id
  drm/gfx10: Program DB_RING_CONTROL
  drm/amdgpu: fix lifetime issue of amdgpu_vm_get_task_info_pasid()
  drm/amdgpu: trigger GPU recovery when userq destroy fails to unmap a hung queue
  drm/amd/amdgpu: disable ASPM on VI if pcie dpm is disabled
  ...
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'drm-misc-fixes-2026-07-09' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes</title>
<updated>2026-07-10T03:03:15+00:00</updated>
<author>
<name>Dave Airlie</name>
<email>airlied@redhat.com</email>
</author>
<published>2026-07-10T03:03:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7978a34fd6e4eae91db0741b553e7682288d022c'/>
<id>7978a34fd6e4eae91db0741b553e7682288d022c</id>
<content type='text'>
drm-misc-fixes for v7.2-rc3:
- Fix uaf in amdxdna mmap failure path.
- A lot of deadlocks, access races and return value fixes in amdxdna.
- Fix analogix_dp bitshifts during link training.
- Use direct label in drm_exec.
- Fix absent indirect bo handling in v3d.
- Sync on first active crtc in fb_dirty, rather than first crtc.
- Rework try_harder in the buddy allocator.
- Make imagination function static to solve compiler warning.
- Fix imagination error checking.

Signed-off-by: Dave Airlie &lt;airlied@redhat.com&gt;
From: Maarten Lankhorst &lt;maarten.lankhorst@linux.intel.com&gt;
Link: https://patch.msgid.link/71e5b48b-307f-47f5-8fd5-b60ea43e4196@linux.intel.com
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
drm-misc-fixes for v7.2-rc3:
- Fix uaf in amdxdna mmap failure path.
- A lot of deadlocks, access races and return value fixes in amdxdna.
- Fix analogix_dp bitshifts during link training.
- Use direct label in drm_exec.
- Fix absent indirect bo handling in v3d.
- Sync on first active crtc in fb_dirty, rather than first crtc.
- Rework try_harder in the buddy allocator.
- Make imagination function static to solve compiler warning.
- Fix imagination error checking.

Signed-off-by: Dave Airlie &lt;airlied@redhat.com&gt;
From: Maarten Lankhorst &lt;maarten.lankhorst@linux.intel.com&gt;
Link: https://patch.msgid.link/71e5b48b-307f-47f5-8fd5-b60ea43e4196@linux.intel.com
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'net-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net</title>
<updated>2026-07-09T15:26:51+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-09T15:26:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2c7c88a412aa6d09cd04b414211b4ef8553b5309'/>
<id>2c7c88a412aa6d09cd04b414211b4ef8553b5309</id>
<content type='text'>
Pull networking fixes from Paolo Abeni:
 "Including fixes from netfilter, Bluetooth and batman-adv.

  Current release - regressions:

   - bluetooth: fix using chan-&gt;conn as indication to no remote netdev

  Current release - new code bugs:

   - netfilter: cap to maximum number of expectation per master on
     updates

  Previous releases - regressions:

   - bluetooth:
      - fix UAF of hci_conn_params in add_device_complete
      - fix null ptr deref in hci_abort_conn()

   - igmp: remove multicast group from hash table on device destruction

   - batman-adv: prevent TVLV OOB check overflow

   - eth: mlx5/mlx5e:
      - fix off-by-one in single-FDB error rollback
      - skip peer flow cleanup when LAG seq is unavailable
      - fix crashes in dynamic per-channel stats and HV VHCA agent

   - eth: mana: Sync page pool RX frags for CPU

  Previous releases - always broken:

   - netfilter:
      - mark malformed IPv6 extension headers for hotdrop
      - terminate table name before find_table_lock()
      - ipvs: use parsed transport offset in TCP state lookup

   - sched: act_pedit: fix TOCTOU heap OOB write in tc offload

   - ethtool: rss: fix hfunc and input_xfrm parsing on big endian

   - ipv4/ipv6: fix UAF and memory leak in IGMP/MLD

   - tls: consume empty data records in tls_sw_read_sock()

   - eth:
      - octeontx2-af: fix VF bringup affecting PF promiscuous state
      - gue: validate REMCSUM private option length"

* tag 'net-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (94 commits)
  macsec: don't read an unset MAC header in macsec_encrypt()
  dibs: loopback: validate offset and size in move_data()
  octeontx2-af: fix VF bringup affecting PF promiscuous state
  ethtool: rss: Fix hfunc and input_xfrm parsing on big endian
  net/mlx5: Fix L3 tunnel entropy refcount leak
  net: macb: drop in-flight Tx SKBs on close
  net: mana: Sync page pool RX frags for CPU
  net: mana: Validate the packet length reported by the NIC
  selftests/net: fix EVP_MD_CTX leak in tcp_mmap
  ipvs: ensure inner headers in ICMP errors are in headroom
  ipvs: use parsed transport offset in SCTP state lookup
  ipvs: use parsed transport offset in TCP state lookup
  ipvs: pass parsed transport offset to state handlers
  netfilter: handle unreadable frags
  netfilter: flowtable: support IPIP tunnel with direct xmit
  netfilter: flowtable: IPIP tunnel hardware offload is not yet support
  netfilter: flowtable: use dst in this direction when pushing IPIP header
  netfilter: ipset: allocate the proper memory for the generic hash structure
  netfilter: ipset: cleanup the add/del backlog when resize failed
  netfilter: ipset: exclude gc when resize is in progress
  ...
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull networking fixes from Paolo Abeni:
 "Including fixes from netfilter, Bluetooth and batman-adv.

  Current release - regressions:

   - bluetooth: fix using chan-&gt;conn as indication to no remote netdev

  Current release - new code bugs:

   - netfilter: cap to maximum number of expectation per master on
     updates

  Previous releases - regressions:

   - bluetooth:
      - fix UAF of hci_conn_params in add_device_complete
      - fix null ptr deref in hci_abort_conn()

   - igmp: remove multicast group from hash table on device destruction

   - batman-adv: prevent TVLV OOB check overflow

   - eth: mlx5/mlx5e:
      - fix off-by-one in single-FDB error rollback
      - skip peer flow cleanup when LAG seq is unavailable
      - fix crashes in dynamic per-channel stats and HV VHCA agent

   - eth: mana: Sync page pool RX frags for CPU

  Previous releases - always broken:

   - netfilter:
      - mark malformed IPv6 extension headers for hotdrop
      - terminate table name before find_table_lock()
      - ipvs: use parsed transport offset in TCP state lookup

   - sched: act_pedit: fix TOCTOU heap OOB write in tc offload

   - ethtool: rss: fix hfunc and input_xfrm parsing on big endian

   - ipv4/ipv6: fix UAF and memory leak in IGMP/MLD

   - tls: consume empty data records in tls_sw_read_sock()

   - eth:
      - octeontx2-af: fix VF bringup affecting PF promiscuous state
      - gue: validate REMCSUM private option length"

* tag 'net-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (94 commits)
  macsec: don't read an unset MAC header in macsec_encrypt()
  dibs: loopback: validate offset and size in move_data()
  octeontx2-af: fix VF bringup affecting PF promiscuous state
  ethtool: rss: Fix hfunc and input_xfrm parsing on big endian
  net/mlx5: Fix L3 tunnel entropy refcount leak
  net: macb: drop in-flight Tx SKBs on close
  net: mana: Sync page pool RX frags for CPU
  net: mana: Validate the packet length reported by the NIC
  selftests/net: fix EVP_MD_CTX leak in tcp_mmap
  ipvs: ensure inner headers in ICMP errors are in headroom
  ipvs: use parsed transport offset in SCTP state lookup
  ipvs: use parsed transport offset in TCP state lookup
  ipvs: pass parsed transport offset to state handlers
  netfilter: handle unreadable frags
  netfilter: flowtable: support IPIP tunnel with direct xmit
  netfilter: flowtable: IPIP tunnel hardware offload is not yet support
  netfilter: flowtable: use dst in this direction when pushing IPIP header
  netfilter: ipset: allocate the proper memory for the generic hash structure
  netfilter: ipset: cleanup the add/del backlog when resize failed
  netfilter: ipset: exclude gc when resize is in progress
  ...
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'nf-26-07-08' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf</title>
<updated>2026-07-09T09:42:57+00:00</updated>
<author>
<name>Paolo Abeni</name>
<email>pabeni@redhat.com</email>
</author>
<published>2026-07-09T09:42:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=24c4c88259464d38b35c3fbaecb68675de64137d'/>
<id>24c4c88259464d38b35c3fbaecb68675de64137d</id>
<content type='text'>
Florian Westphal says:

====================
netfilter: updates for net

The following patchset contains Netfilter fixes for *net*.

Most of these are LLM fixes for old issues flagged by sashiko/LLMs.

Many of these trigger drive-by-findings in sashiko. In particular:

- many load/store tearing and missing memory barriers, races
  etc. in ipset, esp. with GC and resizing.
  Keeping the proposed patches spinning for yet-another-iteration
  keeps legit fixes back, so I prefer to add these now and follow
  up with other reports later.
- flowtable work queue still has possible races with teardown,
  but same rationale as with ipset: drive-by findings, not
  problems coming with the flowtable IPIP changeset in this PR.
- ever since unreadable frag skb support was added in 6.12, we can no
  longer do: BUG_ON(skb_copy_bits( ...): it will fire with such skbs.
  Mina Almasry is looking at similar patterns elsewhere in the stack.

1) Guard skb-&gt;mac_header adjustment after IPv6 defragmentation in
nf_conntrack_reasm.  From Xiang Mei.

2) NUL-terminate ebtables table names before calling find_table_lock() to
prevent stack-out-of-bounds reads.  Also from Xiang Mei.

3) Zero the ebtables chainstack array, else error unwind may free bogus
pointer when CPU mask is sparse.  All three issues date from 2.6 days.

4) Ensure ebtables module names are c-strings, same bug pattern as 2).
Bug added in 4.6.

5) Fix catchall element handling for inverted lookups in nft_lookup. Fold the
catchall lookup into ext before computing the match status.  Was like
this ever since catchall elements got introduced in 5.13.
From Tamaki Yanagawa.

6-9) ipset updates from Jozsef Kadlecsik:
- mark rcu protected areas correctly
- address gc and resize clash in the comment extension
- add/del backlog cleanup in the error path
- allocate right size for the generic hash structure

10-12): IPIP flowtable updates from Pablo Neira Ayuso:
 - Use the current direction's route when pushing IPIP headers
   Fix incorrect headroom and fragmentation offset calculations.
 - Avoid hardware offload for IPIP tunnels due to lack of driver support.
 - Support IPIP tunnels with direct xmit in netfilter flowtable.
   dst_cache and dst_cookie are moved outside the union to share route
   state across flows.  This is a followup to work done in 6.19 cycle.

13) Don't BUG() on skb_copy_bits error. Handle unreadable fragments by
either returning an error or restricting the copy operations to linear area,
This became an issue when unreable frag support was merged in 6.12.

14-16): IPVS updates from Yizhou Zhao:
 - Pass parsed transport offset to IPVS state handlers.
   update callback signatures.
 - use correct transport header offset on state lookp in TCP.
   As-is it was possible for ipv6 extension header data to be
   treated as L4 header.
 - same for SCTP.  This was also broken since 2.6 days.

17) Ensure inner IP headers in ICMP errors are in the skb headroom after
stripping outer headers. Add more checks for the length of inner headers.
This was broken since 3.7 days.
From Julian Anastasov.

netfilter pull request nf-26-07-08

* tag 'nf-26-07-08' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
  ipvs: ensure inner headers in ICMP errors are in headroom
  ipvs: use parsed transport offset in SCTP state lookup
  ipvs: use parsed transport offset in TCP state lookup
  ipvs: pass parsed transport offset to state handlers
  netfilter: handle unreadable frags
  netfilter: flowtable: support IPIP tunnel with direct xmit
  netfilter: flowtable: IPIP tunnel hardware offload is not yet support
  netfilter: flowtable: use dst in this direction when pushing IPIP header
  netfilter: ipset: allocate the proper memory for the generic hash structure
  netfilter: ipset: cleanup the add/del backlog when resize failed
  netfilter: ipset: exclude gc when resize is in progress
  netfilter: ipset: mark the rcu locked areas properly
  netfilter: nft_lookup: fix catchall element handling with inverted lookups
  netfilter: ebtables: module names must be null-terminated
  netfilter: ebtables: zero chainstack array
  netfilter: ebtables: terminate table name before find_table_lock()
  netfilter: nf_conntrack_reasm: guard mac_header adjustment after IPv6 defrag
====================

Link: https://patch.msgid.link/20260708140309.19633-1-fw@strlen.de
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Florian Westphal says:

====================
netfilter: updates for net

The following patchset contains Netfilter fixes for *net*.

Most of these are LLM fixes for old issues flagged by sashiko/LLMs.

Many of these trigger drive-by-findings in sashiko. In particular:

- many load/store tearing and missing memory barriers, races
  etc. in ipset, esp. with GC and resizing.
  Keeping the proposed patches spinning for yet-another-iteration
  keeps legit fixes back, so I prefer to add these now and follow
  up with other reports later.
- flowtable work queue still has possible races with teardown,
  but same rationale as with ipset: drive-by findings, not
  problems coming with the flowtable IPIP changeset in this PR.
- ever since unreadable frag skb support was added in 6.12, we can no
  longer do: BUG_ON(skb_copy_bits( ...): it will fire with such skbs.
  Mina Almasry is looking at similar patterns elsewhere in the stack.

1) Guard skb-&gt;mac_header adjustment after IPv6 defragmentation in
nf_conntrack_reasm.  From Xiang Mei.

2) NUL-terminate ebtables table names before calling find_table_lock() to
prevent stack-out-of-bounds reads.  Also from Xiang Mei.

3) Zero the ebtables chainstack array, else error unwind may free bogus
pointer when CPU mask is sparse.  All three issues date from 2.6 days.

4) Ensure ebtables module names are c-strings, same bug pattern as 2).
Bug added in 4.6.

5) Fix catchall element handling for inverted lookups in nft_lookup. Fold the
catchall lookup into ext before computing the match status.  Was like
this ever since catchall elements got introduced in 5.13.
From Tamaki Yanagawa.

6-9) ipset updates from Jozsef Kadlecsik:
- mark rcu protected areas correctly
- address gc and resize clash in the comment extension
- add/del backlog cleanup in the error path
- allocate right size for the generic hash structure

10-12): IPIP flowtable updates from Pablo Neira Ayuso:
 - Use the current direction's route when pushing IPIP headers
   Fix incorrect headroom and fragmentation offset calculations.
 - Avoid hardware offload for IPIP tunnels due to lack of driver support.
 - Support IPIP tunnels with direct xmit in netfilter flowtable.
   dst_cache and dst_cookie are moved outside the union to share route
   state across flows.  This is a followup to work done in 6.19 cycle.

13) Don't BUG() on skb_copy_bits error. Handle unreadable fragments by
either returning an error or restricting the copy operations to linear area,
This became an issue when unreable frag support was merged in 6.12.

14-16): IPVS updates from Yizhou Zhao:
 - Pass parsed transport offset to IPVS state handlers.
   update callback signatures.
 - use correct transport header offset on state lookp in TCP.
   As-is it was possible for ipv6 extension header data to be
   treated as L4 header.
 - same for SCTP.  This was also broken since 2.6 days.

17) Ensure inner IP headers in ICMP errors are in the skb headroom after
stripping outer headers. Add more checks for the length of inner headers.
This was broken since 3.7 days.
From Julian Anastasov.

netfilter pull request nf-26-07-08

* tag 'nf-26-07-08' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
  ipvs: ensure inner headers in ICMP errors are in headroom
  ipvs: use parsed transport offset in SCTP state lookup
  ipvs: use parsed transport offset in TCP state lookup
  ipvs: pass parsed transport offset to state handlers
  netfilter: handle unreadable frags
  netfilter: flowtable: support IPIP tunnel with direct xmit
  netfilter: flowtable: IPIP tunnel hardware offload is not yet support
  netfilter: flowtable: use dst in this direction when pushing IPIP header
  netfilter: ipset: allocate the proper memory for the generic hash structure
  netfilter: ipset: cleanup the add/del backlog when resize failed
  netfilter: ipset: exclude gc when resize is in progress
  netfilter: ipset: mark the rcu locked areas properly
  netfilter: nft_lookup: fix catchall element handling with inverted lookups
  netfilter: ebtables: module names must be null-terminated
  netfilter: ebtables: zero chainstack array
  netfilter: ebtables: terminate table name before find_table_lock()
  netfilter: nf_conntrack_reasm: guard mac_header adjustment after IPv6 defrag
====================

Link: https://patch.msgid.link/20260708140309.19633-1-fw@strlen.de
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: mana: Sync page pool RX frags for CPU</title>
<updated>2026-07-09T08:36:14+00:00</updated>
<author>
<name>Dexuan Cui</name>
<email>decui@microsoft.com</email>
</author>
<published>2026-07-02T04:12:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c72a0f09c57f92113df69f9b902d11c9e4b132f5'/>
<id>c72a0f09c57f92113df69f9b902d11c9e4b132f5</id>
<content type='text'>
MANA allocates RX buffers from page pool fragments when frag_count is
greater than 1. In that case the buffers remain DMA mapped by page pool
and the RX completion path does not call dma_unmap_single(). As a result,
the implicit sync-for-CPU normally performed by dma_unmap_single() is
missing before the packet data is passed to the networking stack.

This breaks RX on configurations which require explicit DMA syncing, for
example when booted with swiotlb=force.

Fix this by recording the page pool page and DMA sync offset when the RX
buffer is allocated, and syncing the received packet range for CPU access
before handing the RX buffer to the stack.

Fixes: 730ff06d3f5c ("net: mana: Use page pool fragments for RX buffers instead of full pages to improve memory efficiency.")
Cc: stable@vger.kernel.org
Reviewed-by: Haiyang Zhang &lt;haiyangz@microsoft.com&gt;
Signed-off-by: Dexuan Cui &lt;decui@microsoft.com&gt;
Link: https://patch.msgid.link/20260702041237.617719-3-decui@microsoft.com
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
MANA allocates RX buffers from page pool fragments when frag_count is
greater than 1. In that case the buffers remain DMA mapped by page pool
and the RX completion path does not call dma_unmap_single(). As a result,
the implicit sync-for-CPU normally performed by dma_unmap_single() is
missing before the packet data is passed to the networking stack.

This breaks RX on configurations which require explicit DMA syncing, for
example when booted with swiotlb=force.

Fix this by recording the page pool page and DMA sync offset when the RX
buffer is allocated, and syncing the received packet range for CPU access
before handing the RX buffer to the stack.

Fixes: 730ff06d3f5c ("net: mana: Use page pool fragments for RX buffers instead of full pages to improve memory efficiency.")
Cc: stable@vger.kernel.org
Reviewed-by: Haiyang Zhang &lt;haiyangz@microsoft.com&gt;
Signed-off-by: Dexuan Cui &lt;decui@microsoft.com&gt;
Link: https://patch.msgid.link/20260702041237.617719-3-decui@microsoft.com
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>SUNRPC: pin upper rpc_clnt across the TLS connect_worker</title>
<updated>2026-07-08T18:07:19+00:00</updated>
<author>
<name>Chuck Lever</name>
<email>chuck.lever@oracle.com</email>
</author>
<published>2026-05-04T10:28:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=46bc86c833956219bbfd246c1ffd832a479c5199'/>
<id>46bc86c833956219bbfd246c1ffd832a479c5199</id>
<content type='text'>
The TLS connect path has a use-after-free: nothing pins the
upper rpc_clnt across the delayed connect_worker. xs_connect()
stores task-&gt;tk_client in sock_xprt::clnt as a raw pointer
and queues the worker; for TLS-secured transports that worker
is xs_tcp_tls_setup_socket(), which reads several fields out
of the saved pointer (cl_timeout, cl_program, cl_prog,
cl_vers, cl_cred, cl_stats) to construct the args for the
inner handshake rpc_clnt.

The xprt does not reference the rpc_clnt; the rpc_clnt
references the xprt. xs_destroy() does cancel the
connect_worker, but it runs only when the xprt's refcount
drops to zero, which cannot happen until the rpc_clnt
releases its cl_xprt reference in rpc_free_client_work().
When a TLS handshake fails fatally (for example, an mTLS
mount whose client cert does not match the server), the
connecting task is woken with -EACCES and exits, the mount
caller invokes rpc_shutdown_client(), and the upper rpc_clnt
is freed before the queued connect_worker fires.
xs_tcp_tls_setup_socket() then dereferences the freed clnt,
producing the refcount_t underflow Michael Nemanov reported.

Take a reference on the upper rpc_clnt in xs_connect() for
TLS transports via a new rpc_hold_client() helper, and drop
it in the connect_worker's exit path with rpc_release_client().
The xprt_lock_connect() / xprt_unlock_connect() pairing
already serialises xs_connect() with xs_tcp_tls_setup_socket(),
so the take and release are balanced one-for-one.

The non-TLS connect worker (xs_tcp_setup_socket) never reads
sock_xprt::clnt, so leave that path alone and avoid the
clnt-holds-xprt-holds-clnt cycle that would otherwise prevent
xprt destruction.

Reported-by: Michael Nemanov &lt;michael.nemanov@vastdata.com&gt;
Closes: https://lore.kernel.org/linux-nfs/40e3d522-dfcf-4fc1-9c55-b5e81f1536d5@vastdata.com/
Fixes: 75eb6af7acdf ("SUNRPC: Add a TCP-with-TLS RPC transport class")
Signed-off-by: Chuck Lever &lt;chuck.lever@oracle.com&gt;
Tested-by: Michael Nemanov &lt;michael.nemanov@vastdata.com&gt;
Reviewed-by: Michael Nemanov &lt;michael.nemanov@vastdata.com&gt;
Signed-off-by: Anna Schumaker &lt;anna.schumaker@hammerspace.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The TLS connect path has a use-after-free: nothing pins the
upper rpc_clnt across the delayed connect_worker. xs_connect()
stores task-&gt;tk_client in sock_xprt::clnt as a raw pointer
and queues the worker; for TLS-secured transports that worker
is xs_tcp_tls_setup_socket(), which reads several fields out
of the saved pointer (cl_timeout, cl_program, cl_prog,
cl_vers, cl_cred, cl_stats) to construct the args for the
inner handshake rpc_clnt.

The xprt does not reference the rpc_clnt; the rpc_clnt
references the xprt. xs_destroy() does cancel the
connect_worker, but it runs only when the xprt's refcount
drops to zero, which cannot happen until the rpc_clnt
releases its cl_xprt reference in rpc_free_client_work().
When a TLS handshake fails fatally (for example, an mTLS
mount whose client cert does not match the server), the
connecting task is woken with -EACCES and exits, the mount
caller invokes rpc_shutdown_client(), and the upper rpc_clnt
is freed before the queued connect_worker fires.
xs_tcp_tls_setup_socket() then dereferences the freed clnt,
producing the refcount_t underflow Michael Nemanov reported.

Take a reference on the upper rpc_clnt in xs_connect() for
TLS transports via a new rpc_hold_client() helper, and drop
it in the connect_worker's exit path with rpc_release_client().
The xprt_lock_connect() / xprt_unlock_connect() pairing
already serialises xs_connect() with xs_tcp_tls_setup_socket(),
so the take and release are balanced one-for-one.

The non-TLS connect worker (xs_tcp_setup_socket) never reads
sock_xprt::clnt, so leave that path alone and avoid the
clnt-holds-xprt-holds-clnt cycle that would otherwise prevent
xprt destruction.

Reported-by: Michael Nemanov &lt;michael.nemanov@vastdata.com&gt;
Closes: https://lore.kernel.org/linux-nfs/40e3d522-dfcf-4fc1-9c55-b5e81f1536d5@vastdata.com/
Fixes: 75eb6af7acdf ("SUNRPC: Add a TCP-with-TLS RPC transport class")
Signed-off-by: Chuck Lever &lt;chuck.lever@oracle.com&gt;
Tested-by: Michael Nemanov &lt;michael.nemanov@vastdata.com&gt;
Reviewed-by: Michael Nemanov &lt;michael.nemanov@vastdata.com&gt;
Signed-off-by: Anna Schumaker &lt;anna.schumaker@hammerspace.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipvs: pass parsed transport offset to state handlers</title>
<updated>2026-07-08T13:33:44+00:00</updated>
<author>
<name>Yizhou Zhao</name>
<email>zhaoyz24@mails.tsinghua.edu.cn</email>
</author>
<published>2026-07-06T10:16:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bae7ce7bafb59e42dc0e0e2999fdd9d1cffe3866'/>
<id>bae7ce7bafb59e42dc0e0e2999fdd9d1cffe3866</id>
<content type='text'>
IPVS callers already parse the packet into struct ip_vs_iphdr before
updating connection state. For IPv6 this records the real
transport-header offset after extension headers in iph.len.

Pass this parsed transport offset through ip_vs_set_state() and the
protocol state_transition() callback so protocol handlers can use the
same packet context as scheduling and NAT handling. This patch only
changes the common callback plumbing and adapts the protocol callback
signatures; TCP and SCTP start using the value in follow-up patches.

Signed-off-by: Yizhou Zhao &lt;zhaoyz24@mails.tsinghua.edu.cn&gt;
Acked-by: Julian Anastasov &lt;ja@ssi.bg&gt;
Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
IPVS callers already parse the packet into struct ip_vs_iphdr before
updating connection state. For IPv6 this records the real
transport-header offset after extension headers in iph.len.

Pass this parsed transport offset through ip_vs_set_state() and the
protocol state_transition() callback so protocol handlers can use the
same packet context as scheduling and NAT handling. This patch only
changes the common callback plumbing and adapts the protocol callback
signatures; TCP and SCTP start using the value in follow-up patches.

Signed-off-by: Yizhou Zhao &lt;zhaoyz24@mails.tsinghua.edu.cn&gt;
Acked-by: Julian Anastasov &lt;ja@ssi.bg&gt;
Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
</pre>
</div>
</content>
</entry>
</feed>
