<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/lib, branch v7.2-rc3</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>tracing: Prevent out-of-bounds read in glob matching</title>
<updated>2026-07-07T14:42:28+00:00</updated>
<author>
<name>Huihui Huang</name>
<email>hhhuang@smu.edu.sg</email>
</author>
<published>2026-07-01T10:28:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0a6070839b1ef276d5b05bedfb787743e140fb17'/>
<id>0a6070839b1ef276d5b05bedfb787743e140fb17</id>
<content type='text'>
String event fields are not necessarily NUL-terminated, so the filter
predicate functions (filter_pred_string(), filter_pred_strloc() and
filter_pred_strrelloc()) pass the field length to the regex match
callbacks, and the length-aware matchers honour it.

regex_match_glob() was the exception: it ignored the length and called
glob_match(), which scans the string until it hits a NUL byte. Some
string fields are not NUL-terminated. One example is the dynamic char
array of the xfs_* namespace tracepoints, which is copied without a
trailing NUL. For such a field, glob matching reads past the end of
the event field, causing a KASAN slab-out-of-bounds read in
glob_match(), reached via regex_match_glob() and filter_match_preds()
from the xfs_lookup tracepoint.

Add a length-bounded glob_match_len() and use it from regex_match_glob()
so glob matching always stops at the field boundary. The matching loop
is factored into a shared helper so glob_match() keeps its behaviour.

Fixes: 60f1d5e3bac4 ("ftrace: Support full glob matching")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/da1aaf125fc3b63320b0c540fd6afa7c3d5b4f1a.1782836943.git.hhhuang@smu.edu.sg
Reported-by: Yuan Tan &lt;yuantan098@gmail.com&gt;
Reported-by: Yifan Wu &lt;yifanwucs@gmail.com&gt;
Reported-by: Juefei Pu &lt;tomapufckgml@gmail.com&gt;
Reported-by: Zhengchuan Liang &lt;zcliangcn@gmail.com&gt;
Reported-by: Xin Liu &lt;bird@lzu.edu.cn&gt;
Assisted-by: Codex:GPT-5.4
Signed-off-by: Huihui Huang &lt;hhhuang@smu.edu.sg&gt;
Signed-off-by: Ren Wei &lt;n05ec@lzu.edu.cn&gt;
Acked-by: Masami Hiramatsu (Google) &lt;mhiramat@kernel.org&gt;
Signed-off-by: Steven Rostedt &lt;rostedt@goodmis.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
String event fields are not necessarily NUL-terminated, so the filter
predicate functions (filter_pred_string(), filter_pred_strloc() and
filter_pred_strrelloc()) pass the field length to the regex match
callbacks, and the length-aware matchers honour it.

regex_match_glob() was the exception: it ignored the length and called
glob_match(), which scans the string until it hits a NUL byte. Some
string fields are not NUL-terminated. One example is the dynamic char
array of the xfs_* namespace tracepoints, which is copied without a
trailing NUL. For such a field, glob matching reads past the end of
the event field, causing a KASAN slab-out-of-bounds read in
glob_match(), reached via regex_match_glob() and filter_match_preds()
from the xfs_lookup tracepoint.

Add a length-bounded glob_match_len() and use it from regex_match_glob()
so glob matching always stops at the field boundary. The matching loop
is factored into a shared helper so glob_match() keeps its behaviour.

Fixes: 60f1d5e3bac4 ("ftrace: Support full glob matching")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/da1aaf125fc3b63320b0c540fd6afa7c3d5b4f1a.1782836943.git.hhhuang@smu.edu.sg
Reported-by: Yuan Tan &lt;yuantan098@gmail.com&gt;
Reported-by: Yifan Wu &lt;yifanwucs@gmail.com&gt;
Reported-by: Juefei Pu &lt;tomapufckgml@gmail.com&gt;
Reported-by: Zhengchuan Liang &lt;zcliangcn@gmail.com&gt;
Reported-by: Xin Liu &lt;bird@lzu.edu.cn&gt;
Assisted-by: Codex:GPT-5.4
Signed-off-by: Huihui Huang &lt;hhhuang@smu.edu.sg&gt;
Signed-off-by: Ren Wei &lt;n05ec@lzu.edu.cn&gt;
Acked-by: Masami Hiramatsu (Google) &lt;mhiramat@kernel.org&gt;
Signed-off-by: Steven Rostedt &lt;rostedt@goodmis.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'riscv-for-linus-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux</title>
<updated>2026-07-04T01:07:24+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-04T01:07:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=590cae7152cab2dd954b8db20522769e1c62deec'/>
<id>590cae7152cab2dd954b8db20522769e1c62deec</id>
<content type='text'>
Pull RISC-V fixes from Paul Walmsley:

 - Fix a crash when a kretprobe reads from the stack

 - Fix an issue with the build-time mcount sorter that broke ftrace

 - Fix the rv32 IRQ stack frame padding to match the ABI

 - Only defer IOMMU configuration during initialization. This avoids an
   issue where IOMMU configuration could be indefinitely deferred

 - Add the missing build salt to the vDSO

 - Now that RISC-V systems with higher numbers of cores are starting to
   become available, raise NR_CPUS for RISC-V to 256

 - Clean up some warnings from sparse caused by the RISC-V-optimized
   RAID6 code

 - Clean up our __cpu_up() code with a few minor fixes

* tag 'riscv-for-linus-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
  riscv: probes: save original sp in rethook trampoline
  riscv: Fix 32-bit call_on_irq_stack() frame pointer ABI
  scripts/sorttable: Handle RISC-V patchable ftrace entries
  riscv: smp: use secs_to_jiffies in __cpu_up
  ACPI: RIMT: Only defer the IOMMU configuration in init stage
  riscv: Add build salt to the vDSO
  raid6: fix raid6_recov_rvv symbol undeclared warning
  raid6: fix riscv symbol undeclared warnigns
  riscv: Raise default NR_CPUS for 64BIT to 256
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull RISC-V fixes from Paul Walmsley:

 - Fix a crash when a kretprobe reads from the stack

 - Fix an issue with the build-time mcount sorter that broke ftrace

 - Fix the rv32 IRQ stack frame padding to match the ABI

 - Only defer IOMMU configuration during initialization. This avoids an
   issue where IOMMU configuration could be indefinitely deferred

 - Add the missing build salt to the vDSO

 - Now that RISC-V systems with higher numbers of cores are starting to
   become available, raise NR_CPUS for RISC-V to 256

 - Clean up some warnings from sparse caused by the RISC-V-optimized
   RAID6 code

 - Clean up our __cpu_up() code with a few minor fixes

* tag 'riscv-for-linus-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
  riscv: probes: save original sp in rethook trampoline
  riscv: Fix 32-bit call_on_irq_stack() frame pointer ABI
  scripts/sorttable: Handle RISC-V patchable ftrace entries
  riscv: smp: use secs_to_jiffies in __cpu_up
  ACPI: RIMT: Only defer the IOMMU configuration in init stage
  riscv: Add build salt to the vDSO
  raid6: fix raid6_recov_rvv symbol undeclared warning
  raid6: fix riscv symbol undeclared warnigns
  riscv: Raise default NR_CPUS for 64BIT to 256
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'vfs-7.2-rc2.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs</title>
<updated>2026-07-03T15:48:05+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-03T15:48:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=71dfdfb0209b43dfd6f494f84f5548e4cfd18cb5'/>
<id>71dfdfb0209b43dfd6f494f84f5548e4cfd18cb5</id>
<content type='text'>
Pull vfs fixes from Christian Brauner:

 - netfs:

    - fix the decision when to disallow write-streaming with fscache in
      use, handling of asynchronous cache object creation, a double fput
      in cachefiles, clearing S_KERNEL_FILE without the inode lock held,
      page extraction bugs in the iov_iter helpers (a potential
      underflow, a missing allocation failure check, a memory leak, and
      a folio offset miscalculation), writeback error and ENOMEM
      handling, DIO write retry for filesystems without a
      -&gt;prepare_write() method, and the replacement of the wb_lock mutex
      with a bit lock plus writethrough collection offload so that
      multiple asynchronous writebacks don't interfere with each other.

    - Fix the barriering when walking the netfs subrequest list during
      retries as it was possible to see a subrequest that was just added
      by the application thread.

 - iomap:

    - Change iomap to submit read bios after each extent instead of
      building them up across extents. The old behavior was considered
      problematic for a while and now caused an actual erofs bug.

    - Guard the ioend io_size EOF trim in iomap against underflow when a
      concurrent truncate moves EOF below the start of the ioend,
      wrapping io_size to a huge value.

 - overlayfs

    - Fix a stale overlayfs comment about the locking order.

    - Store the linked-in upper dentry instead of the disconnected
      O_TMPFILE dentry during overlayfs tmpfile copy-up. With a FUSE or
      virtiofs upper layer -&gt;d_revalidate() would try to look up "/" in
      the workdir and fail, causing persistent ESTALE errors that broke
      dpkg and apt.

 - vfs-bpf:

   Have the bpf_real_data_inode() kfunc take a struct file instead of a
   dentry so it is usable from the bprm_check_security, mmap_file, and
   file_mprotect hooks, and rename it from bpf_real_inode() to make the
   data-inode semantics explicit. The kfunc landed this cycle so the
   change is safe.

 - afs:

   NULL pointer dereferences in the callback service and in
   afs_get_tree(), several memory and refcount leaks, missing locking
   around the dynamic root inode numbers and premature cell exposure
   through /afs, a netns destruction hang caused by a misplaced
   increment of net-&gt;cells_outstanding, a bulk lookup malfunction caused
   by the dir_emit() API change, inode (re)initialisation issues, and
   assorted smaller fixes to error codes, seqlock handling, and debug
   output.

 - vfs:

   Refuse O_TMPFILE creation with an unmapped fsuid or fsgid and add a
   selftest for it.

 - vboxsf:

   Add Jori Koolstra as vboxsf maintainer, taking over from Hans de
   Goede.

 - dio:

   Release the pages attached to a short atomic dio bio; the REQ_ATOMIC
   size check error path leaked them.

 - procfs:

   Only bump the parent directory link count when registering
   directories in procfs. Registering regular files inflated the count
   and leaked a link on every create and remove cycle.

 - minix:

   Avoid an unsigned overflow in the minix bitmap block count
   calculation that let crafted images with huge inode or zone counts
   pass superblock validation and crash the kernel during mount.

 - cachefiles:

   Fix a double unlock in the cachefiles nomem_d_alloc error path left
   over from the start_creating() conversion.

 - fat:

   Stop fat from reading directory entries past the 0x00
   end-of-directory marker. If the trailing on-disk slots aren't
   zero-filled the driver surfaced arbitrary garbage as directory
   entries.

 - freexvfs:

   Don't BUG() on unknown typed-extent types in freevxfs, reachable via
   ioctl(FIBMAP) on a crafted image; fail with an I/O error instead.

 - orangefs:

   Keep the readdir entry size 64-bit in orangefs fill_from_part().
   Truncating it to __u32 bypassed the bounds check and led to
   out-of-bounds reads triggerable by the userspace client.

 - xfs:

   Fix the error unwind in xfs_open_devices() which released the rt
   device file twice and left dangling buftarg pointers behind that were
   freed again when the failed mount was torn down.

 - exec:

   Fix an off-by-one in the comment documenting the maximum binfmt
   rewrite depth in exec_binprm(). The code allows five rewrites, not
   four; restricting the code would break userspace so the comment is
   fixed instead.

 - file handles:

   Reject detached mounts in capable_wrt_mount(). A detached mount can
   be dissolved concurrently, leaving a NULL mount namespace that
   open_by_handle_at() would dereference.

* tag 'vfs-7.2-rc2.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: (57 commits)
  netfs: Fix barriering when walking subrequest list
  iomap: submit read bio after each extent
  fuse: call fuse_send_readpages explicitly from fuse_readahead
  iomap: consolidate bio submission
  fhandle: reject detached mounts in capable_wrt_mount()
  netfs: Fix DIO write retry for filesystems without a -&gt;prepare_write()
  netfs: Fix folio state after ENOMEM whilst under writeback iteration
  netfs: Fix writeback error handling
  netfs: Fix writethrough to use collection offload
  netfs: Replace wb_lock with a bit lock for asynchronicity
  netfs: Fix kdoc warning
  scatterlist: Fix offset in folio calc in extract_xarray_to_sg()
  iov_iter: Remove unused variable in kunit_iov_iter.c
  iov_iter: Fix a memory leak in iov_iter_extract_user_pages()
  iov_iter: Fix missing alloc fail check in iov_iter_extract_bvec_pages()
  iov_iter: Fix potential underflow in iov_iter_extract_xarray_pages()
  cachefiles: Fix file burial to take lock when unsetting S_KERNEL_FILE
  cachefiles: Fix double fput
  netfs: Fix netfs_create_write_req() to handle async cache object creation
  netfs: Fix decision whether to disallow write-streaming due to fscache use
  ...
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull vfs fixes from Christian Brauner:

 - netfs:

    - fix the decision when to disallow write-streaming with fscache in
      use, handling of asynchronous cache object creation, a double fput
      in cachefiles, clearing S_KERNEL_FILE without the inode lock held,
      page extraction bugs in the iov_iter helpers (a potential
      underflow, a missing allocation failure check, a memory leak, and
      a folio offset miscalculation), writeback error and ENOMEM
      handling, DIO write retry for filesystems without a
      -&gt;prepare_write() method, and the replacement of the wb_lock mutex
      with a bit lock plus writethrough collection offload so that
      multiple asynchronous writebacks don't interfere with each other.

    - Fix the barriering when walking the netfs subrequest list during
      retries as it was possible to see a subrequest that was just added
      by the application thread.

 - iomap:

    - Change iomap to submit read bios after each extent instead of
      building them up across extents. The old behavior was considered
      problematic for a while and now caused an actual erofs bug.

    - Guard the ioend io_size EOF trim in iomap against underflow when a
      concurrent truncate moves EOF below the start of the ioend,
      wrapping io_size to a huge value.

 - overlayfs

    - Fix a stale overlayfs comment about the locking order.

    - Store the linked-in upper dentry instead of the disconnected
      O_TMPFILE dentry during overlayfs tmpfile copy-up. With a FUSE or
      virtiofs upper layer -&gt;d_revalidate() would try to look up "/" in
      the workdir and fail, causing persistent ESTALE errors that broke
      dpkg and apt.

 - vfs-bpf:

   Have the bpf_real_data_inode() kfunc take a struct file instead of a
   dentry so it is usable from the bprm_check_security, mmap_file, and
   file_mprotect hooks, and rename it from bpf_real_inode() to make the
   data-inode semantics explicit. The kfunc landed this cycle so the
   change is safe.

 - afs:

   NULL pointer dereferences in the callback service and in
   afs_get_tree(), several memory and refcount leaks, missing locking
   around the dynamic root inode numbers and premature cell exposure
   through /afs, a netns destruction hang caused by a misplaced
   increment of net-&gt;cells_outstanding, a bulk lookup malfunction caused
   by the dir_emit() API change, inode (re)initialisation issues, and
   assorted smaller fixes to error codes, seqlock handling, and debug
   output.

 - vfs:

   Refuse O_TMPFILE creation with an unmapped fsuid or fsgid and add a
   selftest for it.

 - vboxsf:

   Add Jori Koolstra as vboxsf maintainer, taking over from Hans de
   Goede.

 - dio:

   Release the pages attached to a short atomic dio bio; the REQ_ATOMIC
   size check error path leaked them.

 - procfs:

   Only bump the parent directory link count when registering
   directories in procfs. Registering regular files inflated the count
   and leaked a link on every create and remove cycle.

 - minix:

   Avoid an unsigned overflow in the minix bitmap block count
   calculation that let crafted images with huge inode or zone counts
   pass superblock validation and crash the kernel during mount.

 - cachefiles:

   Fix a double unlock in the cachefiles nomem_d_alloc error path left
   over from the start_creating() conversion.

 - fat:

   Stop fat from reading directory entries past the 0x00
   end-of-directory marker. If the trailing on-disk slots aren't
   zero-filled the driver surfaced arbitrary garbage as directory
   entries.

 - freexvfs:

   Don't BUG() on unknown typed-extent types in freevxfs, reachable via
   ioctl(FIBMAP) on a crafted image; fail with an I/O error instead.

 - orangefs:

   Keep the readdir entry size 64-bit in orangefs fill_from_part().
   Truncating it to __u32 bypassed the bounds check and led to
   out-of-bounds reads triggerable by the userspace client.

 - xfs:

   Fix the error unwind in xfs_open_devices() which released the rt
   device file twice and left dangling buftarg pointers behind that were
   freed again when the failed mount was torn down.

 - exec:

   Fix an off-by-one in the comment documenting the maximum binfmt
   rewrite depth in exec_binprm(). The code allows five rewrites, not
   four; restricting the code would break userspace so the comment is
   fixed instead.

 - file handles:

   Reject detached mounts in capable_wrt_mount(). A detached mount can
   be dissolved concurrently, leaving a NULL mount namespace that
   open_by_handle_at() would dereference.

* tag 'vfs-7.2-rc2.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: (57 commits)
  netfs: Fix barriering when walking subrequest list
  iomap: submit read bio after each extent
  fuse: call fuse_send_readpages explicitly from fuse_readahead
  iomap: consolidate bio submission
  fhandle: reject detached mounts in capable_wrt_mount()
  netfs: Fix DIO write retry for filesystems without a -&gt;prepare_write()
  netfs: Fix folio state after ENOMEM whilst under writeback iteration
  netfs: Fix writeback error handling
  netfs: Fix writethrough to use collection offload
  netfs: Replace wb_lock with a bit lock for asynchronicity
  netfs: Fix kdoc warning
  scatterlist: Fix offset in folio calc in extract_xarray_to_sg()
  iov_iter: Remove unused variable in kunit_iov_iter.c
  iov_iter: Fix a memory leak in iov_iter_extract_user_pages()
  iov_iter: Fix missing alloc fail check in iov_iter_extract_bvec_pages()
  iov_iter: Fix potential underflow in iov_iter_extract_xarray_pages()
  cachefiles: Fix file burial to take lock when unsetting S_KERNEL_FILE
  cachefiles: Fix double fput
  netfs: Fix netfs_create_write_req() to handle async cache object creation
  netfs: Fix decision whether to disallow write-streaming due to fscache use
  ...
</pre>
</div>
</content>
</entry>
<entry>
<title>scatterlist: Fix offset in folio calc in extract_xarray_to_sg()</title>
<updated>2026-07-01T13:26:29+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2026-06-25T14:06:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2bcd3ab3728752425ff5ab1e4be1698eba13d0d8'/>
<id>2bcd3ab3728752425ff5ab1e4be1698eba13d0d8</id>
<content type='text'>
Fix the calculation of the offset in the folio being extracted in
extract_xarray_to_sg().

Note that in the near future, ITER_XARRAY should be removed.

Fixes: f5f82cd18732 ("Move netfs_extract_iter_to_sg() to lib/scatterlist.c")
Link: https://sashiko.dev/#/patchset/20260608145432.681865-1-dhowells%40redhat.com
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Link: https://patch.msgid.link/20260625140640.3116900-10-dhowells@redhat.com
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
cc: Paulo Alcantara &lt;pc@manguebit.org&gt;
cc: Matthew Wilcox &lt;willy@infradead.org&gt;
cc: Christoph Hellwig &lt;hch@infradead.org&gt;
cc: Jens Axboe &lt;axboe@kernel.dk&gt;
cc: Mike Marshall &lt;hubcap@omnibond.com&gt;
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fix the calculation of the offset in the folio being extracted in
extract_xarray_to_sg().

Note that in the near future, ITER_XARRAY should be removed.

Fixes: f5f82cd18732 ("Move netfs_extract_iter_to_sg() to lib/scatterlist.c")
Link: https://sashiko.dev/#/patchset/20260608145432.681865-1-dhowells%40redhat.com
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Link: https://patch.msgid.link/20260625140640.3116900-10-dhowells@redhat.com
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
cc: Paulo Alcantara &lt;pc@manguebit.org&gt;
cc: Matthew Wilcox &lt;willy@infradead.org&gt;
cc: Christoph Hellwig &lt;hch@infradead.org&gt;
cc: Jens Axboe &lt;axboe@kernel.dk&gt;
cc: Mike Marshall &lt;hubcap@omnibond.com&gt;
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iov_iter: Remove unused variable in kunit_iov_iter.c</title>
<updated>2026-07-01T13:26:29+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2026-06-25T14:06:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0442e23a5f72c74ba18882e4a2eed305c687009d'/>
<id>0442e23a5f72c74ba18882e4a2eed305c687009d</id>
<content type='text'>
Remove the no longer used variable 'b' from iov_kunit_copy_to_bvec().  The
variable is initialised and incremented, but nothing now makes use of the
value.

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Link: https://patch.msgid.link/20260625140640.3116900-9-dhowells@redhat.com
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
cc: Ming Lei &lt;ming.lei@redhat.com&gt;
cc: Paulo Alcantara &lt;pc@manguebit.org&gt;
cc: Matthew Wilcox &lt;willy@infradead.org&gt;
cc: Christoph Hellwig &lt;hch@infradead.org&gt;
cc: Jens Axboe &lt;axboe@kernel.dk&gt;
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Remove the no longer used variable 'b' from iov_kunit_copy_to_bvec().  The
variable is initialised and incremented, but nothing now makes use of the
value.

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Link: https://patch.msgid.link/20260625140640.3116900-9-dhowells@redhat.com
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
cc: Ming Lei &lt;ming.lei@redhat.com&gt;
cc: Paulo Alcantara &lt;pc@manguebit.org&gt;
cc: Matthew Wilcox &lt;willy@infradead.org&gt;
cc: Christoph Hellwig &lt;hch@infradead.org&gt;
cc: Jens Axboe &lt;axboe@kernel.dk&gt;
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iov_iter: Fix a memory leak in iov_iter_extract_user_pages()</title>
<updated>2026-07-01T13:26:29+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2026-06-25T14:06:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=72698020e15db16fc141e191b460bc335263b0ad'/>
<id>72698020e15db16fc141e191b460bc335263b0ad</id>
<content type='text'>
There's a potential memory leak in callers of iov_iter_extract_user_pages()
whereby if a pages array is allocated in function, it isn't freed before
returning of an error or 0.

Now, it's not a leak per se in iov_iter_extract_user_pages() as, if an
array is allocated, it's returned through *pages, so it's incumbent on the
caller to free it.  However, not all callers do.

Fix this by freeing the table and clearing *pages before returning an error
or 0.  Note that iov_iter_extract_pages() and its subfunctions are allowed
to return 0 without returning an array (for instance if the iterator count
is 0).

Fixes: 7d58fe731028 ("iov_iter: Add a function to extract a page list from an iterator")
Closes: https://sashiko.dev/#/patchset/20260616100821.2062304-1-dhowells%40redhat.com
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Link: https://patch.msgid.link/20260625140640.3116900-8-dhowells@redhat.com
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
cc: Paulo Alcantara &lt;pc@manguebit.org&gt;
cc: Matthew Wilcox &lt;willy@infradead.org&gt;
cc: Christoph Hellwig &lt;hch@infradead.org&gt;
cc: Jens Axboe &lt;axboe@kernel.dk&gt;
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
There's a potential memory leak in callers of iov_iter_extract_user_pages()
whereby if a pages array is allocated in function, it isn't freed before
returning of an error or 0.

Now, it's not a leak per se in iov_iter_extract_user_pages() as, if an
array is allocated, it's returned through *pages, so it's incumbent on the
caller to free it.  However, not all callers do.

Fix this by freeing the table and clearing *pages before returning an error
or 0.  Note that iov_iter_extract_pages() and its subfunctions are allowed
to return 0 without returning an array (for instance if the iterator count
is 0).

Fixes: 7d58fe731028 ("iov_iter: Add a function to extract a page list from an iterator")
Closes: https://sashiko.dev/#/patchset/20260616100821.2062304-1-dhowells%40redhat.com
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Link: https://patch.msgid.link/20260625140640.3116900-8-dhowells@redhat.com
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
cc: Paulo Alcantara &lt;pc@manguebit.org&gt;
cc: Matthew Wilcox &lt;willy@infradead.org&gt;
cc: Christoph Hellwig &lt;hch@infradead.org&gt;
cc: Jens Axboe &lt;axboe@kernel.dk&gt;
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iov_iter: Fix missing alloc fail check in iov_iter_extract_bvec_pages()</title>
<updated>2026-07-01T13:26:28+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2026-06-25T14:06:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=70531f4f3a143f81baf549da7f59a24a9f87a65c'/>
<id>70531f4f3a143f81baf549da7f59a24a9f87a65c</id>
<content type='text'>
Fix iov_iter_extract_bvec_pages() to check if want_pages_array() fails and,
if so, return -ENOMEM appropriately.

Fixes: e4e535bff2bc ("iov_iter: don't require contiguous pages in iov_iter_extract_bvec_pages")
Link: https://sashiko.dev/#/patchset/20260608145432.681865-1-dhowells%40redhat.com
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Link: https://patch.msgid.link/20260625140640.3116900-7-dhowells@redhat.com
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
cc: Ming Lei &lt;ming.lei@redhat.com&gt;
cc: Paulo Alcantara &lt;pc@manguebit.org&gt;
cc: Matthew Wilcox &lt;willy@infradead.org&gt;
cc: Christoph Hellwig &lt;hch@infradead.org&gt;
cc: Jens Axboe &lt;axboe@kernel.dk&gt;
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fix iov_iter_extract_bvec_pages() to check if want_pages_array() fails and,
if so, return -ENOMEM appropriately.

Fixes: e4e535bff2bc ("iov_iter: don't require contiguous pages in iov_iter_extract_bvec_pages")
Link: https://sashiko.dev/#/patchset/20260608145432.681865-1-dhowells%40redhat.com
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Link: https://patch.msgid.link/20260625140640.3116900-7-dhowells@redhat.com
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
cc: Ming Lei &lt;ming.lei@redhat.com&gt;
cc: Paulo Alcantara &lt;pc@manguebit.org&gt;
cc: Matthew Wilcox &lt;willy@infradead.org&gt;
cc: Christoph Hellwig &lt;hch@infradead.org&gt;
cc: Jens Axboe &lt;axboe@kernel.dk&gt;
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iov_iter: Fix potential underflow in iov_iter_extract_xarray_pages()</title>
<updated>2026-07-01T13:26:28+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2026-06-25T14:06:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=55f4bb9373ca4a521f3b0119366db92715a39b81'/>
<id>55f4bb9373ca4a521f3b0119366db92715a39b81</id>
<content type='text'>
In iov_iter_extract_xarray_pages(), if no pages are extracted because
there's a hole (or something otherwise unextractable) in the xarray, then
the calculation of maxsize at the end can go wrong if the starting offset
is not zero.

Fix this by returning 0 in such a case and freeing the page array if
allocated here rather than being passed in.

Note that in the near future, ITER_XARRAY should be removed.

Fixes: 7d58fe731028 ("iov_iter: Add a function to extract a page list from an iterator")
Link: https://sashiko.dev/#/patchset/20260608145432.681865-1-dhowells%40redhat.com
Link: https://sashiko.dev/#/patchset/20260616100821.2062304-1-dhowells%40redhat.com
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Link: https://patch.msgid.link/20260625140640.3116900-6-dhowells@redhat.com
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
cc: Paulo Alcantara &lt;pc@manguebit.org&gt;
cc: Matthew Wilcox &lt;willy@infradead.org&gt;
cc: Christoph Hellwig &lt;hch@infradead.org&gt;
cc: Jens Axboe &lt;axboe@kernel.dk&gt;
cc: Mike Marshall &lt;hubcap@omnibond.com&gt;
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In iov_iter_extract_xarray_pages(), if no pages are extracted because
there's a hole (or something otherwise unextractable) in the xarray, then
the calculation of maxsize at the end can go wrong if the starting offset
is not zero.

Fix this by returning 0 in such a case and freeing the page array if
allocated here rather than being passed in.

Note that in the near future, ITER_XARRAY should be removed.

Fixes: 7d58fe731028 ("iov_iter: Add a function to extract a page list from an iterator")
Link: https://sashiko.dev/#/patchset/20260608145432.681865-1-dhowells%40redhat.com
Link: https://sashiko.dev/#/patchset/20260616100821.2062304-1-dhowells%40redhat.com
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Link: https://patch.msgid.link/20260625140640.3116900-6-dhowells@redhat.com
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
cc: Paulo Alcantara &lt;pc@manguebit.org&gt;
cc: Matthew Wilcox &lt;willy@infradead.org&gt;
cc: Christoph Hellwig &lt;hch@infradead.org&gt;
cc: Jens Axboe &lt;axboe@kernel.dk&gt;
cc: Mike Marshall &lt;hubcap@omnibond.com&gt;
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>bootconfig: fix NULL-pointer arithmetic in xbc_snprint_cmdline()</title>
<updated>2026-06-30T23:08:27+00:00</updated>
<author>
<name>Breno Leitao</name>
<email>leitao@debian.org</email>
</author>
<published>2026-06-26T12:50:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=dec4d8118c179b3d12bca7e609054c6011c4f2ce'/>
<id>dec4d8118c179b3d12bca7e609054c6011c4f2ce</id>
<content type='text'>
xbc_snprint_cmdline() is meant to be called twice: first with
buf=NULL, size=0 to probe the rendered length, then with a real
buffer to fill it (the standard snprintf() two-pass pattern). The
probe call makes the function compute "buf + size" (NULL + 0) and,
on every iteration, advance "buf += ret" from that NULL base and
pass the result back into snprintf().

Pointer arithmetic on a NULL pointer is undefined behavior. It is
harmless in the in-kernel callers today, but the follow-up patches
run this same code in the userspace tools/bootconfig parser at kernel
build time, where host UBSan / FORTIFY_SOURCE abort the build.

Track a running written length (size_t) instead of mutating @buf, and
only form "buf + len" when @buf is non-NULL. snprintf(NULL, 0, ...)
is itself well defined and returns the would-be length, so the
two-pass "probe then fill" usage returns identical byte counts.

Link: https://lore.kernel.org/all/20260626-bootconfig_using_tools-v7-1-24ab72139c29@debian.org/

Fixes: 51887d03aca1 ("bootconfig: init: Allow admin to use bootconfig for kernel command line")
Cc: stable@vger.kernel.org
Signed-off-by: Breno Leitao &lt;leitao@debian.org&gt;
Signed-off-by: Masami Hiramatsu (Google) &lt;mhiramat@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
xbc_snprint_cmdline() is meant to be called twice: first with
buf=NULL, size=0 to probe the rendered length, then with a real
buffer to fill it (the standard snprintf() two-pass pattern). The
probe call makes the function compute "buf + size" (NULL + 0) and,
on every iteration, advance "buf += ret" from that NULL base and
pass the result back into snprintf().

Pointer arithmetic on a NULL pointer is undefined behavior. It is
harmless in the in-kernel callers today, but the follow-up patches
run this same code in the userspace tools/bootconfig parser at kernel
build time, where host UBSan / FORTIFY_SOURCE abort the build.

Track a running written length (size_t) instead of mutating @buf, and
only form "buf + len" when @buf is non-NULL. snprintf(NULL, 0, ...)
is itself well defined and returns the would-be length, so the
two-pass "probe then fill" usage returns identical byte counts.

Link: https://lore.kernel.org/all/20260626-bootconfig_using_tools-v7-1-24ab72139c29@debian.org/

Fixes: 51887d03aca1 ("bootconfig: init: Allow admin to use bootconfig for kernel command line")
Cc: stable@vger.kernel.org
Signed-off-by: Breno Leitao &lt;leitao@debian.org&gt;
Signed-off-by: Masami Hiramatsu (Google) &lt;mhiramat@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>raid6: fix raid6_recov_rvv symbol undeclared warning</title>
<updated>2026-06-25T17:51:32+00:00</updated>
<author>
<name>Ben Dooks</name>
<email>ben.dooks@codethink.co.uk</email>
</author>
<published>2026-06-22T13:55:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5c5dea43f6354e8dbd13bcb7e478f85593e19d90'/>
<id>5c5dea43f6354e8dbd13bcb7e478f85593e19d90</id>
<content type='text'>
The riscv recov_rvv.c should have included pq_arch.h for
the definition of raid6_recov_rvv. Add the include to
fix the following sparse warning:

lib/raid/raid6/riscv/recov_rvv.c:218:32: warning: symbol 'raid6_recov_rvv' was not declared. Should it be static?

Signed-off-by: Ben Dooks &lt;ben.dooks@codethink.co.uk&gt;
Reviewed-by: Nam Cao &lt;namcao@linutronix.de&gt;
Link: https://patch.msgid.link/20260622135535.481534-1-ben.dooks@codethink.co.uk
Signed-off-by: Paul Walmsley &lt;pjw@kernel.org&gt;</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The riscv recov_rvv.c should have included pq_arch.h for
the definition of raid6_recov_rvv. Add the include to
fix the following sparse warning:

lib/raid/raid6/riscv/recov_rvv.c:218:32: warning: symbol 'raid6_recov_rvv' was not declared. Should it be static?

Signed-off-by: Ben Dooks &lt;ben.dooks@codethink.co.uk&gt;
Reviewed-by: Nam Cao &lt;namcao@linutronix.de&gt;
Link: https://patch.msgid.link/20260622135535.481534-1-ben.dooks@codethink.co.uk
Signed-off-by: Paul Walmsley &lt;pjw@kernel.org&gt;</pre>
</div>
</content>
</entry>
</feed>
