<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/lib, branch master</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>Merge tag 'riscv-for-linus-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux</title>
<updated>2026-07-04T01:07:24+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-04T01:07:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=590cae7152cab2dd954b8db20522769e1c62deec'/>
<id>590cae7152cab2dd954b8db20522769e1c62deec</id>
<content type='text'>
Pull RISC-V fixes from Paul Walmsley:

 - Fix a crash when a kretprobe reads from the stack

 - Fix an issue with the build-time mcount sorter that broke ftrace

 - Fix the rv32 IRQ stack frame padding to match the ABI

 - Only defer IOMMU configuration during initialization. This avoids an
   issue where IOMMU configuration could be indefinitely deferred

 - Add the missing build salt to the vDSO

 - Now that RISC-V systems with higher numbers of cores are starting to
   become available, raise NR_CPUS for RISC-V to 256

 - Clean up some warnings from sparse caused by the RISC-V-optimized
   RAID6 code

 - Clean up our __cpu_up() code with a few minor fixes

* tag 'riscv-for-linus-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
  riscv: probes: save original sp in rethook trampoline
  riscv: Fix 32-bit call_on_irq_stack() frame pointer ABI
  scripts/sorttable: Handle RISC-V patchable ftrace entries
  riscv: smp: use secs_to_jiffies in __cpu_up
  ACPI: RIMT: Only defer the IOMMU configuration in init stage
  riscv: Add build salt to the vDSO
  raid6: fix raid6_recov_rvv symbol undeclared warning
  raid6: fix riscv symbol undeclared warnigns
  riscv: Raise default NR_CPUS for 64BIT to 256
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull RISC-V fixes from Paul Walmsley:

 - Fix a crash when a kretprobe reads from the stack

 - Fix an issue with the build-time mcount sorter that broke ftrace

 - Fix the rv32 IRQ stack frame padding to match the ABI

 - Only defer IOMMU configuration during initialization. This avoids an
   issue where IOMMU configuration could be indefinitely deferred

 - Add the missing build salt to the vDSO

 - Now that RISC-V systems with higher numbers of cores are starting to
   become available, raise NR_CPUS for RISC-V to 256

 - Clean up some warnings from sparse caused by the RISC-V-optimized
   RAID6 code

 - Clean up our __cpu_up() code with a few minor fixes

* tag 'riscv-for-linus-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
  riscv: probes: save original sp in rethook trampoline
  riscv: Fix 32-bit call_on_irq_stack() frame pointer ABI
  scripts/sorttable: Handle RISC-V patchable ftrace entries
  riscv: smp: use secs_to_jiffies in __cpu_up
  ACPI: RIMT: Only defer the IOMMU configuration in init stage
  riscv: Add build salt to the vDSO
  raid6: fix raid6_recov_rvv symbol undeclared warning
  raid6: fix riscv symbol undeclared warnigns
  riscv: Raise default NR_CPUS for 64BIT to 256
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'vfs-7.2-rc2.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs</title>
<updated>2026-07-03T15:48:05+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-03T15:48:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=71dfdfb0209b43dfd6f494f84f5548e4cfd18cb5'/>
<id>71dfdfb0209b43dfd6f494f84f5548e4cfd18cb5</id>
<content type='text'>
Pull vfs fixes from Christian Brauner:

 - netfs:

    - fix the decision when to disallow write-streaming with fscache in
      use, handling of asynchronous cache object creation, a double fput
      in cachefiles, clearing S_KERNEL_FILE without the inode lock held,
      page extraction bugs in the iov_iter helpers (a potential
      underflow, a missing allocation failure check, a memory leak, and
      a folio offset miscalculation), writeback error and ENOMEM
      handling, DIO write retry for filesystems without a
      -&gt;prepare_write() method, and the replacement of the wb_lock mutex
      with a bit lock plus writethrough collection offload so that
      multiple asynchronous writebacks don't interfere with each other.

    - Fix the barriering when walking the netfs subrequest list during
      retries as it was possible to see a subrequest that was just added
      by the application thread.

 - iomap:

    - Change iomap to submit read bios after each extent instead of
      building them up across extents. The old behavior was considered
      problematic for a while and now caused an actual erofs bug.

    - Guard the ioend io_size EOF trim in iomap against underflow when a
      concurrent truncate moves EOF below the start of the ioend,
      wrapping io_size to a huge value.

 - overlayfs

    - Fix a stale overlayfs comment about the locking order.

    - Store the linked-in upper dentry instead of the disconnected
      O_TMPFILE dentry during overlayfs tmpfile copy-up. With a FUSE or
      virtiofs upper layer -&gt;d_revalidate() would try to look up "/" in
      the workdir and fail, causing persistent ESTALE errors that broke
      dpkg and apt.

 - vfs-bpf:

   Have the bpf_real_data_inode() kfunc take a struct file instead of a
   dentry so it is usable from the bprm_check_security, mmap_file, and
   file_mprotect hooks, and rename it from bpf_real_inode() to make the
   data-inode semantics explicit. The kfunc landed this cycle so the
   change is safe.

 - afs:

   NULL pointer dereferences in the callback service and in
   afs_get_tree(), several memory and refcount leaks, missing locking
   around the dynamic root inode numbers and premature cell exposure
   through /afs, a netns destruction hang caused by a misplaced
   increment of net-&gt;cells_outstanding, a bulk lookup malfunction caused
   by the dir_emit() API change, inode (re)initialisation issues, and
   assorted smaller fixes to error codes, seqlock handling, and debug
   output.

 - vfs:

   Refuse O_TMPFILE creation with an unmapped fsuid or fsgid and add a
   selftest for it.

 - vboxsf:

   Add Jori Koolstra as vboxsf maintainer, taking over from Hans de
   Goede.

 - dio:

   Release the pages attached to a short atomic dio bio; the REQ_ATOMIC
   size check error path leaked them.

 - procfs:

   Only bump the parent directory link count when registering
   directories in procfs. Registering regular files inflated the count
   and leaked a link on every create and remove cycle.

 - minix:

   Avoid an unsigned overflow in the minix bitmap block count
   calculation that let crafted images with huge inode or zone counts
   pass superblock validation and crash the kernel during mount.

 - cachefiles:

   Fix a double unlock in the cachefiles nomem_d_alloc error path left
   over from the start_creating() conversion.

 - fat:

   Stop fat from reading directory entries past the 0x00
   end-of-directory marker. If the trailing on-disk slots aren't
   zero-filled the driver surfaced arbitrary garbage as directory
   entries.

 - freexvfs:

   Don't BUG() on unknown typed-extent types in freevxfs, reachable via
   ioctl(FIBMAP) on a crafted image; fail with an I/O error instead.

 - orangefs:

   Keep the readdir entry size 64-bit in orangefs fill_from_part().
   Truncating it to __u32 bypassed the bounds check and led to
   out-of-bounds reads triggerable by the userspace client.

 - xfs:

   Fix the error unwind in xfs_open_devices() which released the rt
   device file twice and left dangling buftarg pointers behind that were
   freed again when the failed mount was torn down.

 - exec:

   Fix an off-by-one in the comment documenting the maximum binfmt
   rewrite depth in exec_binprm(). The code allows five rewrites, not
   four; restricting the code would break userspace so the comment is
   fixed instead.

 - file handles:

   Reject detached mounts in capable_wrt_mount(). A detached mount can
   be dissolved concurrently, leaving a NULL mount namespace that
   open_by_handle_at() would dereference.

* tag 'vfs-7.2-rc2.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: (57 commits)
  netfs: Fix barriering when walking subrequest list
  iomap: submit read bio after each extent
  fuse: call fuse_send_readpages explicitly from fuse_readahead
  iomap: consolidate bio submission
  fhandle: reject detached mounts in capable_wrt_mount()
  netfs: Fix DIO write retry for filesystems without a -&gt;prepare_write()
  netfs: Fix folio state after ENOMEM whilst under writeback iteration
  netfs: Fix writeback error handling
  netfs: Fix writethrough to use collection offload
  netfs: Replace wb_lock with a bit lock for asynchronicity
  netfs: Fix kdoc warning
  scatterlist: Fix offset in folio calc in extract_xarray_to_sg()
  iov_iter: Remove unused variable in kunit_iov_iter.c
  iov_iter: Fix a memory leak in iov_iter_extract_user_pages()
  iov_iter: Fix missing alloc fail check in iov_iter_extract_bvec_pages()
  iov_iter: Fix potential underflow in iov_iter_extract_xarray_pages()
  cachefiles: Fix file burial to take lock when unsetting S_KERNEL_FILE
  cachefiles: Fix double fput
  netfs: Fix netfs_create_write_req() to handle async cache object creation
  netfs: Fix decision whether to disallow write-streaming due to fscache use
  ...
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull vfs fixes from Christian Brauner:

 - netfs:

    - fix the decision when to disallow write-streaming with fscache in
      use, handling of asynchronous cache object creation, a double fput
      in cachefiles, clearing S_KERNEL_FILE without the inode lock held,
      page extraction bugs in the iov_iter helpers (a potential
      underflow, a missing allocation failure check, a memory leak, and
      a folio offset miscalculation), writeback error and ENOMEM
      handling, DIO write retry for filesystems without a
      -&gt;prepare_write() method, and the replacement of the wb_lock mutex
      with a bit lock plus writethrough collection offload so that
      multiple asynchronous writebacks don't interfere with each other.

    - Fix the barriering when walking the netfs subrequest list during
      retries as it was possible to see a subrequest that was just added
      by the application thread.

 - iomap:

    - Change iomap to submit read bios after each extent instead of
      building them up across extents. The old behavior was considered
      problematic for a while and now caused an actual erofs bug.

    - Guard the ioend io_size EOF trim in iomap against underflow when a
      concurrent truncate moves EOF below the start of the ioend,
      wrapping io_size to a huge value.

 - overlayfs

    - Fix a stale overlayfs comment about the locking order.

    - Store the linked-in upper dentry instead of the disconnected
      O_TMPFILE dentry during overlayfs tmpfile copy-up. With a FUSE or
      virtiofs upper layer -&gt;d_revalidate() would try to look up "/" in
      the workdir and fail, causing persistent ESTALE errors that broke
      dpkg and apt.

 - vfs-bpf:

   Have the bpf_real_data_inode() kfunc take a struct file instead of a
   dentry so it is usable from the bprm_check_security, mmap_file, and
   file_mprotect hooks, and rename it from bpf_real_inode() to make the
   data-inode semantics explicit. The kfunc landed this cycle so the
   change is safe.

 - afs:

   NULL pointer dereferences in the callback service and in
   afs_get_tree(), several memory and refcount leaks, missing locking
   around the dynamic root inode numbers and premature cell exposure
   through /afs, a netns destruction hang caused by a misplaced
   increment of net-&gt;cells_outstanding, a bulk lookup malfunction caused
   by the dir_emit() API change, inode (re)initialisation issues, and
   assorted smaller fixes to error codes, seqlock handling, and debug
   output.

 - vfs:

   Refuse O_TMPFILE creation with an unmapped fsuid or fsgid and add a
   selftest for it.

 - vboxsf:

   Add Jori Koolstra as vboxsf maintainer, taking over from Hans de
   Goede.

 - dio:

   Release the pages attached to a short atomic dio bio; the REQ_ATOMIC
   size check error path leaked them.

 - procfs:

   Only bump the parent directory link count when registering
   directories in procfs. Registering regular files inflated the count
   and leaked a link on every create and remove cycle.

 - minix:

   Avoid an unsigned overflow in the minix bitmap block count
   calculation that let crafted images with huge inode or zone counts
   pass superblock validation and crash the kernel during mount.

 - cachefiles:

   Fix a double unlock in the cachefiles nomem_d_alloc error path left
   over from the start_creating() conversion.

 - fat:

   Stop fat from reading directory entries past the 0x00
   end-of-directory marker. If the trailing on-disk slots aren't
   zero-filled the driver surfaced arbitrary garbage as directory
   entries.

 - freexvfs:

   Don't BUG() on unknown typed-extent types in freevxfs, reachable via
   ioctl(FIBMAP) on a crafted image; fail with an I/O error instead.

 - orangefs:

   Keep the readdir entry size 64-bit in orangefs fill_from_part().
   Truncating it to __u32 bypassed the bounds check and led to
   out-of-bounds reads triggerable by the userspace client.

 - xfs:

   Fix the error unwind in xfs_open_devices() which released the rt
   device file twice and left dangling buftarg pointers behind that were
   freed again when the failed mount was torn down.

 - exec:

   Fix an off-by-one in the comment documenting the maximum binfmt
   rewrite depth in exec_binprm(). The code allows five rewrites, not
   four; restricting the code would break userspace so the comment is
   fixed instead.

 - file handles:

   Reject detached mounts in capable_wrt_mount(). A detached mount can
   be dissolved concurrently, leaving a NULL mount namespace that
   open_by_handle_at() would dereference.

* tag 'vfs-7.2-rc2.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: (57 commits)
  netfs: Fix barriering when walking subrequest list
  iomap: submit read bio after each extent
  fuse: call fuse_send_readpages explicitly from fuse_readahead
  iomap: consolidate bio submission
  fhandle: reject detached mounts in capable_wrt_mount()
  netfs: Fix DIO write retry for filesystems without a -&gt;prepare_write()
  netfs: Fix folio state after ENOMEM whilst under writeback iteration
  netfs: Fix writeback error handling
  netfs: Fix writethrough to use collection offload
  netfs: Replace wb_lock with a bit lock for asynchronicity
  netfs: Fix kdoc warning
  scatterlist: Fix offset in folio calc in extract_xarray_to_sg()
  iov_iter: Remove unused variable in kunit_iov_iter.c
  iov_iter: Fix a memory leak in iov_iter_extract_user_pages()
  iov_iter: Fix missing alloc fail check in iov_iter_extract_bvec_pages()
  iov_iter: Fix potential underflow in iov_iter_extract_xarray_pages()
  cachefiles: Fix file burial to take lock when unsetting S_KERNEL_FILE
  cachefiles: Fix double fput
  netfs: Fix netfs_create_write_req() to handle async cache object creation
  netfs: Fix decision whether to disallow write-streaming due to fscache use
  ...
</pre>
</div>
</content>
</entry>
<entry>
<title>scatterlist: Fix offset in folio calc in extract_xarray_to_sg()</title>
<updated>2026-07-01T13:26:29+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2026-06-25T14:06:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2bcd3ab3728752425ff5ab1e4be1698eba13d0d8'/>
<id>2bcd3ab3728752425ff5ab1e4be1698eba13d0d8</id>
<content type='text'>
Fix the calculation of the offset in the folio being extracted in
extract_xarray_to_sg().

Note that in the near future, ITER_XARRAY should be removed.

Fixes: f5f82cd18732 ("Move netfs_extract_iter_to_sg() to lib/scatterlist.c")
Link: https://sashiko.dev/#/patchset/20260608145432.681865-1-dhowells%40redhat.com
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Link: https://patch.msgid.link/20260625140640.3116900-10-dhowells@redhat.com
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
cc: Paulo Alcantara &lt;pc@manguebit.org&gt;
cc: Matthew Wilcox &lt;willy@infradead.org&gt;
cc: Christoph Hellwig &lt;hch@infradead.org&gt;
cc: Jens Axboe &lt;axboe@kernel.dk&gt;
cc: Mike Marshall &lt;hubcap@omnibond.com&gt;
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fix the calculation of the offset in the folio being extracted in
extract_xarray_to_sg().

Note that in the near future, ITER_XARRAY should be removed.

Fixes: f5f82cd18732 ("Move netfs_extract_iter_to_sg() to lib/scatterlist.c")
Link: https://sashiko.dev/#/patchset/20260608145432.681865-1-dhowells%40redhat.com
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Link: https://patch.msgid.link/20260625140640.3116900-10-dhowells@redhat.com
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
cc: Paulo Alcantara &lt;pc@manguebit.org&gt;
cc: Matthew Wilcox &lt;willy@infradead.org&gt;
cc: Christoph Hellwig &lt;hch@infradead.org&gt;
cc: Jens Axboe &lt;axboe@kernel.dk&gt;
cc: Mike Marshall &lt;hubcap@omnibond.com&gt;
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iov_iter: Remove unused variable in kunit_iov_iter.c</title>
<updated>2026-07-01T13:26:29+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2026-06-25T14:06:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0442e23a5f72c74ba18882e4a2eed305c687009d'/>
<id>0442e23a5f72c74ba18882e4a2eed305c687009d</id>
<content type='text'>
Remove the no longer used variable 'b' from iov_kunit_copy_to_bvec().  The
variable is initialised and incremented, but nothing now makes use of the
value.

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Link: https://patch.msgid.link/20260625140640.3116900-9-dhowells@redhat.com
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
cc: Ming Lei &lt;ming.lei@redhat.com&gt;
cc: Paulo Alcantara &lt;pc@manguebit.org&gt;
cc: Matthew Wilcox &lt;willy@infradead.org&gt;
cc: Christoph Hellwig &lt;hch@infradead.org&gt;
cc: Jens Axboe &lt;axboe@kernel.dk&gt;
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Remove the no longer used variable 'b' from iov_kunit_copy_to_bvec().  The
variable is initialised and incremented, but nothing now makes use of the
value.

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Link: https://patch.msgid.link/20260625140640.3116900-9-dhowells@redhat.com
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
cc: Ming Lei &lt;ming.lei@redhat.com&gt;
cc: Paulo Alcantara &lt;pc@manguebit.org&gt;
cc: Matthew Wilcox &lt;willy@infradead.org&gt;
cc: Christoph Hellwig &lt;hch@infradead.org&gt;
cc: Jens Axboe &lt;axboe@kernel.dk&gt;
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iov_iter: Fix a memory leak in iov_iter_extract_user_pages()</title>
<updated>2026-07-01T13:26:29+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2026-06-25T14:06:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=72698020e15db16fc141e191b460bc335263b0ad'/>
<id>72698020e15db16fc141e191b460bc335263b0ad</id>
<content type='text'>
There's a potential memory leak in callers of iov_iter_extract_user_pages()
whereby if a pages array is allocated in function, it isn't freed before
returning of an error or 0.

Now, it's not a leak per se in iov_iter_extract_user_pages() as, if an
array is allocated, it's returned through *pages, so it's incumbent on the
caller to free it.  However, not all callers do.

Fix this by freeing the table and clearing *pages before returning an error
or 0.  Note that iov_iter_extract_pages() and its subfunctions are allowed
to return 0 without returning an array (for instance if the iterator count
is 0).

Fixes: 7d58fe731028 ("iov_iter: Add a function to extract a page list from an iterator")
Closes: https://sashiko.dev/#/patchset/20260616100821.2062304-1-dhowells%40redhat.com
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Link: https://patch.msgid.link/20260625140640.3116900-8-dhowells@redhat.com
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
cc: Paulo Alcantara &lt;pc@manguebit.org&gt;
cc: Matthew Wilcox &lt;willy@infradead.org&gt;
cc: Christoph Hellwig &lt;hch@infradead.org&gt;
cc: Jens Axboe &lt;axboe@kernel.dk&gt;
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
There's a potential memory leak in callers of iov_iter_extract_user_pages()
whereby if a pages array is allocated in function, it isn't freed before
returning of an error or 0.

Now, it's not a leak per se in iov_iter_extract_user_pages() as, if an
array is allocated, it's returned through *pages, so it's incumbent on the
caller to free it.  However, not all callers do.

Fix this by freeing the table and clearing *pages before returning an error
or 0.  Note that iov_iter_extract_pages() and its subfunctions are allowed
to return 0 without returning an array (for instance if the iterator count
is 0).

Fixes: 7d58fe731028 ("iov_iter: Add a function to extract a page list from an iterator")
Closes: https://sashiko.dev/#/patchset/20260616100821.2062304-1-dhowells%40redhat.com
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Link: https://patch.msgid.link/20260625140640.3116900-8-dhowells@redhat.com
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
cc: Paulo Alcantara &lt;pc@manguebit.org&gt;
cc: Matthew Wilcox &lt;willy@infradead.org&gt;
cc: Christoph Hellwig &lt;hch@infradead.org&gt;
cc: Jens Axboe &lt;axboe@kernel.dk&gt;
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iov_iter: Fix missing alloc fail check in iov_iter_extract_bvec_pages()</title>
<updated>2026-07-01T13:26:28+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2026-06-25T14:06:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=70531f4f3a143f81baf549da7f59a24a9f87a65c'/>
<id>70531f4f3a143f81baf549da7f59a24a9f87a65c</id>
<content type='text'>
Fix iov_iter_extract_bvec_pages() to check if want_pages_array() fails and,
if so, return -ENOMEM appropriately.

Fixes: e4e535bff2bc ("iov_iter: don't require contiguous pages in iov_iter_extract_bvec_pages")
Link: https://sashiko.dev/#/patchset/20260608145432.681865-1-dhowells%40redhat.com
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Link: https://patch.msgid.link/20260625140640.3116900-7-dhowells@redhat.com
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
cc: Ming Lei &lt;ming.lei@redhat.com&gt;
cc: Paulo Alcantara &lt;pc@manguebit.org&gt;
cc: Matthew Wilcox &lt;willy@infradead.org&gt;
cc: Christoph Hellwig &lt;hch@infradead.org&gt;
cc: Jens Axboe &lt;axboe@kernel.dk&gt;
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fix iov_iter_extract_bvec_pages() to check if want_pages_array() fails and,
if so, return -ENOMEM appropriately.

Fixes: e4e535bff2bc ("iov_iter: don't require contiguous pages in iov_iter_extract_bvec_pages")
Link: https://sashiko.dev/#/patchset/20260608145432.681865-1-dhowells%40redhat.com
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Link: https://patch.msgid.link/20260625140640.3116900-7-dhowells@redhat.com
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
cc: Ming Lei &lt;ming.lei@redhat.com&gt;
cc: Paulo Alcantara &lt;pc@manguebit.org&gt;
cc: Matthew Wilcox &lt;willy@infradead.org&gt;
cc: Christoph Hellwig &lt;hch@infradead.org&gt;
cc: Jens Axboe &lt;axboe@kernel.dk&gt;
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iov_iter: Fix potential underflow in iov_iter_extract_xarray_pages()</title>
<updated>2026-07-01T13:26:28+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2026-06-25T14:06:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=55f4bb9373ca4a521f3b0119366db92715a39b81'/>
<id>55f4bb9373ca4a521f3b0119366db92715a39b81</id>
<content type='text'>
In iov_iter_extract_xarray_pages(), if no pages are extracted because
there's a hole (or something otherwise unextractable) in the xarray, then
the calculation of maxsize at the end can go wrong if the starting offset
is not zero.

Fix this by returning 0 in such a case and freeing the page array if
allocated here rather than being passed in.

Note that in the near future, ITER_XARRAY should be removed.

Fixes: 7d58fe731028 ("iov_iter: Add a function to extract a page list from an iterator")
Link: https://sashiko.dev/#/patchset/20260608145432.681865-1-dhowells%40redhat.com
Link: https://sashiko.dev/#/patchset/20260616100821.2062304-1-dhowells%40redhat.com
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Link: https://patch.msgid.link/20260625140640.3116900-6-dhowells@redhat.com
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
cc: Paulo Alcantara &lt;pc@manguebit.org&gt;
cc: Matthew Wilcox &lt;willy@infradead.org&gt;
cc: Christoph Hellwig &lt;hch@infradead.org&gt;
cc: Jens Axboe &lt;axboe@kernel.dk&gt;
cc: Mike Marshall &lt;hubcap@omnibond.com&gt;
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In iov_iter_extract_xarray_pages(), if no pages are extracted because
there's a hole (or something otherwise unextractable) in the xarray, then
the calculation of maxsize at the end can go wrong if the starting offset
is not zero.

Fix this by returning 0 in such a case and freeing the page array if
allocated here rather than being passed in.

Note that in the near future, ITER_XARRAY should be removed.

Fixes: 7d58fe731028 ("iov_iter: Add a function to extract a page list from an iterator")
Link: https://sashiko.dev/#/patchset/20260608145432.681865-1-dhowells%40redhat.com
Link: https://sashiko.dev/#/patchset/20260616100821.2062304-1-dhowells%40redhat.com
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Link: https://patch.msgid.link/20260625140640.3116900-6-dhowells@redhat.com
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
cc: Paulo Alcantara &lt;pc@manguebit.org&gt;
cc: Matthew Wilcox &lt;willy@infradead.org&gt;
cc: Christoph Hellwig &lt;hch@infradead.org&gt;
cc: Jens Axboe &lt;axboe@kernel.dk&gt;
cc: Mike Marshall &lt;hubcap@omnibond.com&gt;
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>bootconfig: fix NULL-pointer arithmetic in xbc_snprint_cmdline()</title>
<updated>2026-06-30T23:08:27+00:00</updated>
<author>
<name>Breno Leitao</name>
<email>leitao@debian.org</email>
</author>
<published>2026-06-26T12:50:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=dec4d8118c179b3d12bca7e609054c6011c4f2ce'/>
<id>dec4d8118c179b3d12bca7e609054c6011c4f2ce</id>
<content type='text'>
xbc_snprint_cmdline() is meant to be called twice: first with
buf=NULL, size=0 to probe the rendered length, then with a real
buffer to fill it (the standard snprintf() two-pass pattern). The
probe call makes the function compute "buf + size" (NULL + 0) and,
on every iteration, advance "buf += ret" from that NULL base and
pass the result back into snprintf().

Pointer arithmetic on a NULL pointer is undefined behavior. It is
harmless in the in-kernel callers today, but the follow-up patches
run this same code in the userspace tools/bootconfig parser at kernel
build time, where host UBSan / FORTIFY_SOURCE abort the build.

Track a running written length (size_t) instead of mutating @buf, and
only form "buf + len" when @buf is non-NULL. snprintf(NULL, 0, ...)
is itself well defined and returns the would-be length, so the
two-pass "probe then fill" usage returns identical byte counts.

Link: https://lore.kernel.org/all/20260626-bootconfig_using_tools-v7-1-24ab72139c29@debian.org/

Fixes: 51887d03aca1 ("bootconfig: init: Allow admin to use bootconfig for kernel command line")
Cc: stable@vger.kernel.org
Signed-off-by: Breno Leitao &lt;leitao@debian.org&gt;
Signed-off-by: Masami Hiramatsu (Google) &lt;mhiramat@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
xbc_snprint_cmdline() is meant to be called twice: first with
buf=NULL, size=0 to probe the rendered length, then with a real
buffer to fill it (the standard snprintf() two-pass pattern). The
probe call makes the function compute "buf + size" (NULL + 0) and,
on every iteration, advance "buf += ret" from that NULL base and
pass the result back into snprintf().

Pointer arithmetic on a NULL pointer is undefined behavior. It is
harmless in the in-kernel callers today, but the follow-up patches
run this same code in the userspace tools/bootconfig parser at kernel
build time, where host UBSan / FORTIFY_SOURCE abort the build.

Track a running written length (size_t) instead of mutating @buf, and
only form "buf + len" when @buf is non-NULL. snprintf(NULL, 0, ...)
is itself well defined and returns the would-be length, so the
two-pass "probe then fill" usage returns identical byte counts.

Link: https://lore.kernel.org/all/20260626-bootconfig_using_tools-v7-1-24ab72139c29@debian.org/

Fixes: 51887d03aca1 ("bootconfig: init: Allow admin to use bootconfig for kernel command line")
Cc: stable@vger.kernel.org
Signed-off-by: Breno Leitao &lt;leitao@debian.org&gt;
Signed-off-by: Masami Hiramatsu (Google) &lt;mhiramat@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>raid6: fix raid6_recov_rvv symbol undeclared warning</title>
<updated>2026-06-25T17:51:32+00:00</updated>
<author>
<name>Ben Dooks</name>
<email>ben.dooks@codethink.co.uk</email>
</author>
<published>2026-06-22T13:55:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5c5dea43f6354e8dbd13bcb7e478f85593e19d90'/>
<id>5c5dea43f6354e8dbd13bcb7e478f85593e19d90</id>
<content type='text'>
The riscv recov_rvv.c should have included pq_arch.h for
the definition of raid6_recov_rvv. Add the include to
fix the following sparse warning:

lib/raid/raid6/riscv/recov_rvv.c:218:32: warning: symbol 'raid6_recov_rvv' was not declared. Should it be static?

Signed-off-by: Ben Dooks &lt;ben.dooks@codethink.co.uk&gt;
Reviewed-by: Nam Cao &lt;namcao@linutronix.de&gt;
Link: https://patch.msgid.link/20260622135535.481534-1-ben.dooks@codethink.co.uk
Signed-off-by: Paul Walmsley &lt;pjw@kernel.org&gt;</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The riscv recov_rvv.c should have included pq_arch.h for
the definition of raid6_recov_rvv. Add the include to
fix the following sparse warning:

lib/raid/raid6/riscv/recov_rvv.c:218:32: warning: symbol 'raid6_recov_rvv' was not declared. Should it be static?

Signed-off-by: Ben Dooks &lt;ben.dooks@codethink.co.uk&gt;
Reviewed-by: Nam Cao &lt;namcao@linutronix.de&gt;
Link: https://patch.msgid.link/20260622135535.481534-1-ben.dooks@codethink.co.uk
Signed-off-by: Paul Walmsley &lt;pjw@kernel.org&gt;</pre>
</div>
</content>
</entry>
<entry>
<title>raid6: fix riscv symbol undeclared warnigns</title>
<updated>2026-06-25T17:47:39+00:00</updated>
<author>
<name>Ben Dooks</name>
<email>ben.dooks@codethink.co.uk</email>
</author>
<published>2026-06-22T13:52:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=625ee71c3283dd322856060f9f4d344e2edc3c14'/>
<id>625ee71c3283dd322856060f9f4d344e2edc3c14</id>
<content type='text'>
The riscv rvv.c file is missing the include of pq_arch.h
which defines all the exported functions. Include this
to remove the following sparse warnings:

lib/raid/raid6/riscv/rvv.c:1225:1: warning: symbol 'raid6_rvvx1' was not declared. Should it be static?
lib/raid/raid6/riscv/rvv.c:1226:1: warning: symbol 'raid6_rvvx2' was not declared. Should it be static?
lib/raid/raid6/riscv/rvv.c:1227:1: warning: symbol 'raid6_rvvx4' was not declared. Should it be static?
lib/raid/raid6/riscv/rvv.c:1228:1: warning: symbol 'raid6_rvvx8' was not declared. Should it be static?

Signed-off-by: Ben Dooks &lt;ben.dooks@codethink.co.uk&gt;
Reviewed-by: Nam Cao &lt;namcao@linutronix.de&gt;
Link: https://patch.msgid.link/20260622135207.480540-1-ben.dooks@codethink.co.uk
Signed-off-by: Paul Walmsley &lt;pjw@kernel.org&gt;</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The riscv rvv.c file is missing the include of pq_arch.h
which defines all the exported functions. Include this
to remove the following sparse warnings:

lib/raid/raid6/riscv/rvv.c:1225:1: warning: symbol 'raid6_rvvx1' was not declared. Should it be static?
lib/raid/raid6/riscv/rvv.c:1226:1: warning: symbol 'raid6_rvvx2' was not declared. Should it be static?
lib/raid/raid6/riscv/rvv.c:1227:1: warning: symbol 'raid6_rvvx4' was not declared. Should it be static?
lib/raid/raid6/riscv/rvv.c:1228:1: warning: symbol 'raid6_rvvx8' was not declared. Should it be static?

Signed-off-by: Ben Dooks &lt;ben.dooks@codethink.co.uk&gt;
Reviewed-by: Nam Cao &lt;namcao@linutronix.de&gt;
Link: https://patch.msgid.link/20260622135207.480540-1-ben.dooks@codethink.co.uk
Signed-off-by: Paul Walmsley &lt;pjw@kernel.org&gt;</pre>
</div>
</content>
</entry>
</feed>
