summaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2026-05-28uaccess: unify inline vs outline copy_{from,to}_user() selectionYury Norov
The kernel allows arches to select between inline and outline implementations of the copy_{from,to}_user() by defining individual INLINE_COPY_FROM_USER and INLINE_COPY_TO_USER, correspondingly. However, all arches enable or disable them always together. Without the real use-case for one helper being inlined while the other outlined, having independent controls is excessive and error prone. Switch the codebase to the single unified INLINE_COPY_USER control. Link: https://lore.kernel.org/20260425020857.356850-3-ynorov@nvidia.com Signed-off-by: Yury Norov <ynorov@nvidia.com> Tested-by: Alice Ryhl <aliceryhl@google.com> Cc: Arnd Bergmann <arnd@arndb.de> Cc: Christophe Leroy (CS GROUP) <chleroy@kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Randy Dunlap <rdunlap@infradead.org> Cc: Viktor Malik <vmalik@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-05-28lib/base64: fix copy-pasted @padding doc in base64_decode()Josh Law
The @padding kernel-doc for base64_decode() says "whether to append '=' padding characters", which was copy-pasted from base64_encode(). In the decode context, it controls whether the input is expected to include padding, not whether to append it. Link: https://lore.kernel.org/20260324223210.47676-3-objecting@objecting.org Signed-off-by: Josh Law <objecting@objecting.org> Reviewed-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-05-28lib/base64: validate before writing in decode tail pathJosh Law
Patch series "lib/base64: decode fixes", v2. Two small fixes for lib/base64.c: 1. base64_decode() writes a decoded byte to the output buffer before validating the input in the trailing-bytes path. Move the validity checks before any writes so dst is untouched on invalid input. 2. The @padding kernel-doc for base64_decode() was copy-pasted from base64_encode() and describes the wrong direction. This patch (of 2): The trailing-bytes path in base64_decode() writes a decoded byte to the output buffer before checking whether the input characters are valid. If the input is malformed, garbage is written to dst before the function returns -1. Move the validity checks before any writes so the output buffer is left untouched on invalid input. Link: https://lore.kernel.org/20260324223210.47676-1-objecting@objecting.org Link: https://lore.kernel.org/20260324223210.47676-2-objecting@objecting.org Fixes: 9c7d3cf94d33 ("lib/base64: rework encode/decode for speed and stricter validation") Signed-off-by: Josh Law <objecting@objecting.org> Reviewed-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-05-28lib/tests: string_helpers: don't use "proxy" headersAndy Shevchenko
Update header inclusions to follow IWYU (Include What You Use) principle. Link: https://lore.kernel.org/20260406193425.1534197-3-andriy.shevchenko@linux.intel.com Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Cc: Kees Cook <kees@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-05-28lib/tests: string_helpers: decouple unescape and escape casesAndy Shevchenko
Patch series "lib/tests: string_helpers: Slight improvements". Two ad-hoc patches to improve the test module. It was induced by another patch that poorly tried to add (existing) test cases and make me revisit string_helpers_kunit.c. This patch (of 2): Currently the escape and unescape test cases go in one step. Decouple them for the better granularity and understanding test coverage in the results. Link: https://lore.kernel.org/20260406193425.1534197-1-andriy.shevchenko@linux.intel.com Link: https://lore.kernel.org/20260406193425.1534197-2-andriy.shevchenko@linux.intel.com Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Cc: Kees Cook <kees@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-05-28treewide: fix indentation and whitespace in Kconfig filesAnand Moon
Clean up inconsistent indentation (mixing tabs and spaces) and remove extraneous whitespace in several Kconfig files across the tree. This is a purely cosmetic change to improve readability. Adjust indentation from spaces to tab (+optional two spaces) as in coding style with command like: $ sed -e 's/^ /\t/' -i */Kconfig Link: https://lore.kernel.org/20260407053945.14116-1-linux.amoon@gmail.com Signed-off-by: Anand Moon <linux.amoon@gmail.com> Reviewed-by: Jan Kara <jack@suse.cz> [fs] Reviewed-by: Liam R. Howlett <Liam.Howlett@oracle.com> [mm] Reviewed-by: Lorenzo Stoakes <ljs@kernel.org> [mm] Reviewed-by: Christian Brauner <brauner@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-05-28seq_buf: export seq_buf_putmem_hex() and add KUnit testsShuvam Pandey
The seq_buf KUnit suite does not exercise seq_buf_putmem_hex(). Add one test for the len > 8 chunking path and one overflow test where a later chunk no longer fits in the buffer. Export seq_buf_putmem_hex() as well so SEQ_BUF_KUNIT_TEST=m links cleanly. Without the export, modpost reports seq_buf_putmem_hex as undefined when seq_buf_kunit is built as a module. Link: https://lore.kernel.org/20260408202351.21829-1-shuvampandey1@gmail.com Signed-off-by: Shuvam Pandey <shuvampandey1@gmail.com> Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org> Cc: David Gow <david@davidgow.net> Cc: "Masami Hiramatsu (Google)" <mhiramat@kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-05-28lib/crc: arm: Enable arm64's NEON intrinsics implementation of crc64Ard Biesheuvel
Tweak the NEON intrinsics crc64 code written for arm64 so it can be built for 32-bit ARM as well. The only workaround needed is to provide alternatives for vmull_p64() and vmull_high_p64() on Clang, which only defines those when building for the AArch64 or arm64ec ISA. Use the same helpers for GCC too, to avoid doubling the size of the test/validation matrix. KUnit benchmark results (Cortex-A53 @ 1 Ghz) Before: # crc64_nvme_benchmark: len=1: 35 MB/s # crc64_nvme_benchmark: len=16: 78 MB/s # crc64_nvme_benchmark: len=64: 87 MB/s # crc64_nvme_benchmark: len=127: 88 MB/s # crc64_nvme_benchmark: len=128: 88 MB/s # crc64_nvme_benchmark: len=200: 89 MB/s # crc64_nvme_benchmark: len=256: 89 MB/s # crc64_nvme_benchmark: len=511: 89 MB/s # crc64_nvme_benchmark: len=512: 89 MB/s # crc64_nvme_benchmark: len=1024: 90 MB/s # crc64_nvme_benchmark: len=3173: 90 MB/s # crc64_nvme_benchmark: len=4096: 90 MB/s # crc64_nvme_benchmark: len=16384: 90 MB/s After: # crc64_nvme_benchmark: len=1: 32 MB/s # crc64_nvme_benchmark: len=16: 76 MB/s # crc64_nvme_benchmark: len=64: 71 MB/s # crc64_nvme_benchmark: len=127: 88 MB/s # crc64_nvme_benchmark: len=128: 618 MB/s # crc64_nvme_benchmark: len=200: 542 MB/s # crc64_nvme_benchmark: len=256: 920 MB/s # crc64_nvme_benchmark: len=511: 836 MB/s # crc64_nvme_benchmark: len=512: 1261 MB/s # crc64_nvme_benchmark: len=1024: 1531 MB/s # crc64_nvme_benchmark: len=3173: 1731 MB/s # crc64_nvme_benchmark: len=4096: 1851 MB/s # crc64_nvme_benchmark: len=16384: 1858 MB/s Don't bother with big-endian, as it doesn't work correctly on Clang, and is barely used these days. Note that ARM disables preemption and softirq processing when using kernel mode SIMD, so take care not to hog the CPU for too long. Signed-off-by: Ard Biesheuvel <ardb@kernel.org> Link: https://patch.msgid.link/20260422171655.3437334-15-ardb+git@google.com Signed-off-by: Eric Biggers <ebiggers@kernel.org>
2026-05-28lib/crc: Turn NEON intrinsics crc64 implementation into common codeArd Biesheuvel
Move and rename the CRC64 NEON intrinsics implementation source file and rename the function name to reflect that it is NEON code that can be shared. This will be wired up for 32-bit ARM in a subsequent patch. Signed-off-by: Ard Biesheuvel <ardb@kernel.org> Link: https://patch.msgid.link/20260422171655.3437334-14-ardb+git@google.com Signed-off-by: Eric Biggers <ebiggers@kernel.org>
2026-05-28xor/arm64: Use shared NEON intrinsics implementation from 32-bit ARMArd Biesheuvel
Tweak the arm64 code so that the pure NEON intrinsics implementation of XOR is shared between arm64 and ARM. While at it, rename the arm64 specific piece xor-eor3.c to reflect that only the version based on the EOR3 instruction is kept there. Signed-off-by: Ard Biesheuvel <ardb@kernel.org> Link: https://patch.msgid.link/20260422171655.3437334-13-ardb+git@google.com Signed-off-by: Eric Biggers <ebiggers@kernel.org>
2026-05-28xor/arm: Replace vectorized implementation with arm64's intrinsicsArd Biesheuvel
Drop the XOR implementation generated by the vectorizer: this has always been a bit of a hack, and now that arm64 has an intrinsics version that works on ARM too, let's use that instead. So copy the part of the arm64 code that can be shared (so not the EOR3 version). The arm64 code will be updated in a subsequent patch to share this implementation. Performance (QEMU mach-virt VM running on Synquacer [Cortex-A53 @ 1 GHz] Before: [ 3.519687] xor: measuring software checksum speed [ 3.521725] neon : 1660 MB/sec [ 3.524733] 32regs : 1105 MB/sec [ 3.527751] 8regs : 1098 MB/sec [ 3.529911] arm4regs : 1540 MB/sec After: [ 3.517654] xor: measuring software checksum speed [ 3.519454] neon : 1896 MB/sec [ 3.522499] 32regs : 1090 MB/sec [ 3.525560] 8regs : 1083 MB/sec [ 3.527700] arm4regs : 1556 MB/sec Signed-off-by: Ard Biesheuvel <ardb@kernel.org> Acked-by: Christoph Hellwig <hch@lst.de> Link: https://patch.msgid.link/20260422171655.3437334-12-ardb+git@google.com Signed-off-by: Eric Biggers <ebiggers@kernel.org>
2026-05-28lib/bitrev: Introduce GENERIC_BITREVERSEYury Norov
The generic bit reversal implementation is controlled by !HAVE_ARCH_BITREVERSE. This makes it difficult for architectures to provide a hardware-accelerated implementation while being able to fall back to the generic version if needed. This patch adds GENERIC_BITREVERSE, so bitreverse API is controlled by BITREVERSE, GENERIC_BITREVERSE and HAVE_ARCH_BITREVERSE options. The relationship between them is described as follows: - BITREVERSE is selected by user code; it's required to generate the API; - Architectures may select HAVE_ARCH_BITREVERSE and provide an arch implementation in arch/$(ARCH)/include/asm/bitrev.h. - if HAVE_ARCH_BITREVERSE isn't set, BITREVERSE selects GENERIC_BITREVERSE; - if GENERIC_BITREVERSE is set and HAVE_ARCH_BITREVERSE is not, the kernel provides generic implementation only, and wires bitrevXX() to it. - if HAVE_ARCH_BITREVERSE is set and GENERIC_BITREVERSE is not, the arch code provides __arch_bitrevXX(), and it is wired to bitrevXX(); - if both GENERIC_BITREVERSE and HAVE_ARCH_BITREVERSE are selected, the kernel generates generic___bitrev(), but wires bitrev() to the __arch_bitrev(). The last option allows architectures to use generic___bitrev() as a fallback option. Drivers and core code should never select GENERIC_BITREVERSE or HAVE_ARCH_BITREVERSE explicitly. Architectures that require generic bitreverse API as a fallback should explicitly enable GENERIC_BITREVERSE together with HAVE_ARCH_BITREVERSE. Signed-off-by: Yury Norov <ynorov@nvidia.com>
2026-05-28arch: select HAVE_ARCH_BITREVERSE conditionally on BITREVERSEYury Norov
Architectures may have bit reversal instructions, but if the API not needed, the corresponding option should not be selected because it may lead to generating the unneeded code. Signed-off-by: Yury Norov <ynorov@nvidia.com>
2026-05-28bitmap: drop bitmap_print_to_pagebuf()Yury Norov
Now that all users of bitmap_print_to_pagebuf() are switched to the alternatives, drop the function. Signed-off-by: Yury Norov <ynorov@nvidia.com>
2026-05-28compiler-context-analysis: Bump required Clang version to 23Marco Elver
Clang 23 introduces several major improvements: 1. Support for multiple arguments in the `guarded_by` and `pt_guarded_by` attributes [1]. This allows defining variables protected by multiple context locks, where read access requires holding at least one lock (shared or exclusive), and write access requires holding all of them exclusively. 2. Function pointer support [2]. We can now add attributes to function pointers just like we do on normal functions. 3. A fix to use arrays of locks [3]. Each index is now correctly treated as a separate lock instance. 4. A fix for implicit member access in attributes [4]. This allows to use __guarded_by(&foo->lock) correctly. Overall that makes it worthwhile bumping the compiler version instead of trying to make both Clang 22 and later work while supporting these new features. Signed-off-by: Marco Elver <elver@google.com> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Reviewed-by: Nathan Chancellor <nathan@kernel.org> Reviewed-by: Bart Van Assche <bvanassche@acm.org> Link: https://github.com/llvm/llvm-project/pull/186838 [1] Link: https://github.com/llvm/llvm-project/pull/191187 [2] Link: https://github.com/llvm/llvm-project/pull/148551 [3] Link: https://github.com/llvm/llvm-project/pull/194457 [4] Link: https://patch.msgid.link/20260515124426.2227783-1-elver@google.com
2026-05-28iommu, debugobjects: avoid gcc-16.1 section mismatch warningsArnd Bergmann
gcc-16 has gained some more advanced inter-procedual optimization techniques that enable it to inline the dummy_tlb_add_page() and dummy_tlb_flush() function pointers into a specialized version of __arm_v7s_unmap: WARNING: modpost: vmlinux: section mismatch in reference: __arm_v7s_unmap+0x2cc (section: .text) -> dummy_tlb_add_page (section: .init.text) ERROR: modpost: Section mismatches detected. >From what I can tell, the transformation is correct, as this is only called when __arm_v7s_unmap() is called from arm_v7s_do_selftests(), which is also __init. Since __arm_v7s_unmap() however is not __init, gcc cannot inline the inner function calls directly. In debug_objects_selftest(), the same thing happens. Both the caller and the leaf function are __init, but the IPA pulls it into a non-init one: WARNING: modpost: vmlinux: section mismatch in reference: lookup_object_or_alloc+0x7c (section: .text.lookup_object_or_alloc) -> is_static_object (section: .init.text) Marking the affected functions as not "__init" would reliably avoid this issue but is not a good solution because it removes an otherwise correct annotation. I tried marking the functions as 'noinline', but that ended up not covering all the affected configurations. With some more experimenting, I found that marking these functions as __attribute__((noipa)) is both logical and reliable. In order to keep the syntax readable, add a custom macro for this in include/linux/compiler_attributes.h next to other related macros and use it to annotate both files. Link: https://lore.kernel.org/all/abRB6g-48ZX6Yl2r@willie-the-truck/ Cc: Will Deacon <will@kernel.org> Cc: Thomas Gleixner <tglx@kernel.org> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Miguel Ojeda <ojeda@kernel.org> Cc: linux-kbuild@vger.kernel.org Cc: stable@vger.kernel.org Signed-off-by: Arnd Bergmann <arnd@arndb.de> Acked-by: Will Deacon <will@kernel.org> Acked-by: Thomas Gleixner <tglx@kernel.org> Acked-by: Miguel Ojeda <ojeda@kernel.org> Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
2026-05-26audit: use 'unsigned int' instead of 'unsigned'Ricardo Robaina
Address checkpatch.pl warning below, across the audit subsystem: WARNING: Prefer 'unsigned int' to bare use of 'unsigned' Minor cleanup, no functional changes. Signed-off-by: Ricardo Robaina <rrobaina@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
2026-05-26Merge tag 'linux_kselftest-kunit-fixes-7.1-rc6' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest Pull kunit fix from Shuah Khan: "Fix a use-after-free in kunit debugfs when using kunit.filter when the executor frees dynamically allocated resources after running boot-time tests. This resulted in fatal hardware exception due to invalidation of capability flags on the reclaimed memory on some architectures such as CHERI RISC-V that support the feature, and silent memory corruption on others. The fix for this couples the lifetime of the filtered suite memory allocation to the lifetime of the kunit subsystem and its associated VFS nodes. Ownership of the boot-time suite_set is now transferred to a global tracker ('kunit_boot_suites'), and the memory is cleanly released in kunit_exit() during module teardown" * tag 'linux_kselftest-kunit-fixes-7.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest: kunit: fix use-after-free in debugfs when using kunit.filter
2026-05-26kunit: provide kunit_platform_device_unregister()Bartosz Golaszewski
Tests may want to unregister a platform device as part of the test case logic. Using the regular platform_device_register() with kunit assertions may result in a platform device leak or otherwise requires cumbersome error handling. Provide a function that unregisters a kunit-managed platform device and drops the release action from the test's list. Reviewed-by: David Gow <david@davidgow.net> Reviewed-by: Linus Walleij <linusw@kernel.org> Link: https://patch.msgid.link/20260522-gpiolib-kunit-v3-2-b15fe6987430@oss.qualcomm.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
2026-05-26kunit: provide kunit_platform_device_register_full()Bartosz Golaszewski
Provide a kunit-managed variant of platform_device_register_full(). Reviewed-by: David Gow <david@davidgow.net> Reviewed-by: Linus Walleij <linusw@kernel.org> Link: https://patch.msgid.link/20260522-gpiolib-kunit-v3-1-b15fe6987430@oss.qualcomm.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
2026-05-26lib/vsprintf: Require exact hash_pointers mode matchesKaitao Cheng
hash_pointers= accepts a small set of mode strings, but the parser uses strncmp() with the length of each valid mode. That accepts values with trailing garbage, such as hash_pointers=autobots or hash_pointers=nevermind, as valid aliases for auto and never. Use strcmp() so that only the documented mode strings are accepted. Invalid values will continue to fall back to auto through the existing unknown-mode path. Signed-off-by: Kaitao Cheng <chengkaitao@kylinos.cn> Reviewed-by: Petr Mladek <pmladek@suse.com> Link: https://patch.msgid.link/20260519130117.48097-1-kaitao.cheng@linux.dev Signed-off-by: Petr Mladek <pmladek@suse.com>
2026-05-25Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf 7.1-rc5Alexei Starovoitov
Cross-merge BPF and other fixes after downstream PR. Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-05-24Merge tag 'core-urgent-2026-05-24' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull debugobjects fix from Ingo Molnar:: - Fix debugobjects regression on -rt kernels: don't fill the pool (which uses a coarse lock) if ->pi_blocked_on, because that messes up the priority inheritance of callers * tag 'core-urgent-2026-05-24' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: debugobjects: Do not fill_pool() if pi_blocked_on
2026-05-21seq_buf: Export seq_buf_putmem_hex() and add KUnit testsShuvam Pandey
The seq_buf KUnit suite does not exercise seq_buf_putmem_hex(). Add one test for the len > 8 chunking path and one overflow test where a later chunk no longer fits in the buffer. Export seq_buf_putmem_hex() as well so SEQ_BUF_KUNIT_TEST=m links cleanly. Without the export, modpost reports seq_buf_putmem_hex as undefined when seq_buf_kunit is built as a module. Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Masami Hiramatsu <mhiramat@kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Cc: David Gow <david@davidgow.net> Link: https://patch.msgid.link/20260408202351.21829-1-shuvampandey1@gmail.com Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org> Signed-off-by: Shuvam Pandey <shuvampandey1@gmail.com> Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
2026-05-21kunit: fix use-after-free in debugfs when using kunit.filterFlorian Schmaus
When the kernel is booted with a kunit filter (e.g., kunit.filter="speed!=slow"), the kunit executor dynamically allocates copies of the filtered test suites using kmalloc/kmemdup. During the initial boot execution, kunit_debugfs_create_suite() creates debugfs files (such as /sys/kernel/debug/kunit/<suite>/run) and permanently stores a pointer to the dynamically allocated suite in the inode's i_private field. Previously, the executor freed this dynamically allocated suite_set immediately after executing the boot-time tests. Because the debugfs nodes were not destroyed, any subsequent interaction with the debugfs `run` file from userspace triggered a use-after-free (UAF). On systems with architectural capabilities, like CHERI RISC-V, this resulted in an immediate fatal hardware exception due to the invalidation of the capability tags on the reclaimed memory. On other architectures, it resulted in silent memory corruption. Fix this UAF by properly coupling the lifetime of the filtered suite memory allocation to the lifetime of the kunit subsystem and its associated VFS nodes. Ownership of the boot-time suite_set is now transferred to a global tracker ('kunit_boot_suites'), and the memory is cleanly released in kunit_exit() during module teardown. Link: https://lore.kernel.org/r/20260507084854.233984-1-florian.schmaus@codasip.com Fixes: e2219db280e3 ("kunit: add debugfs /sys/kernel/debug/kunit/<suite>/results display") Signed-off-by: Florian Schmaus <florian.schmaus@codasip.com> Reviewed-by: Martin Kaiser <martin@kaiser.cx> Reviewed-by: David Gow <david@davidgow.net> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
2026-05-21vsprintf: Add test for restricted kernel pointersThomas Weißschuh
Fill out the tests for restricted kernel pointers, using the %pK format. Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de> Reviewed-by: Petr Mladek <pmladek@suse.com> Tested-by: Petr Mladek <pmladek@suse.com> Link: https://patch.msgid.link/20260504-restricted-pointers-kunit-test-v2-2-19e8b1c0fbeb@linutronix.de [pmladek@suse.com: Removed questionable ifdeffery.] Signed-off-by: Petr Mladek <pmladek@suse.com>
2026-05-21vsprintf: Only export no_hash_pointers to test moduleThomas Weißschuh
Aside from the printf test module, no module should ever use this symbol. Suggested-by: Petr Mladek <pmladek@suse.com> Link: https://lore.kernel.org/all/aWpwMyFEfpCNN297@pathway.suse.cz/ Suggested-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Link: https://lore.kernel.org/all/aW3em-KplLVofU5z@smile.fi.intel.com/ Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de> Reviewed-by: Petr Mladek <pmladek@suse.com> Tested-by: Petr Mladek <pmladek@suse.com> Link: https://patch.msgid.link/20260504-restricted-pointers-kunit-test-v2-1-19e8b1c0fbeb@linutronix.de [pmladek@suse.com: Removed questionable ifdeffery.] Signed-off-by: Petr Mladek <pmladek@suse.com>
2026-05-21iov_iter: use kmemdup_array for dup_iter to harden against overflowWang Haoran
While auditing the Linux 7.0-rc2 kernel, I identified a potential security vulnerability in the iov_iter framework's memory allocation logic. The dup_iter() function, which is exported via EXPORT_SYMBOL, currently uses kmemdup() with a raw multiplication to allocate the duplicate iovec array: new->iov = kmemdup(from->iov, nr_segs * sizeof(struct iovec), gfp); The hazard here is that dup_iter() relies on a primitive multiplication without any integrated overflow check. Since nr_segs is often derived from user-space input, this line is vulnerable to integer overflow (on 32-bit systems or via type narrowing), potentially leading to a small allocation followed by a large out-of-bounds memory copy. Furthermore, it allows for unbounded memory allocations, as the function lacks intrinsic knowledge of safe limits. On the 7.0-rc2 branch, several high-impact callchains still rely on this exported function: drivers/usb/gadget/function/f_fs.c: The ffs_epfile_read_iter() path demonstrates why relying on dup_iter() is dangerous: it performs allocation based on user input before verifying driver state. This confirms that dup_iter() must be hardened internally as it cannot assume pre-validated input. drivers/usb/gadget/legacy/inode.c: The ep_read_iter() path illustrates how dup_iter()’s lack of boundary awareness compounds resource risks. When combined with other allocations, it creates a multiplier effect for kernel memory pressure. This patch replaces kmemdup() with kmemdup_array(), which utilizes check_mul_overflow() to ensure the allocation size is calculated safely, hardening dup_iter() against malicious or malformed inputs from its callers Signed-off-by: Wang Haoran <haoranwangsec@gmail.com> Link: https://patch.msgid.link/20260413060655.1139141-1-haoranwangsec@gmail.com Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Christian Brauner <brauner@kernel.org>
2026-05-21vsprintf: Revert "add simple_strntoul"Andy Shevchenko
No users anymore and none should be in the first place. This reverts commit fcc155008a20fa31b01569e105250490750f0687. Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Link: https://patch.msgid.link/20260331070519.5974-6-ddiss@suse.de Acked-by: Petr Mladek <pmladek@suse.com> Reviewed-by: David Disseldorp <ddiss@suse.de> Signed-off-by: Christian Brauner <brauner@kernel.org>
2026-05-19Merge tag 'mm-hotfixes-stable-2026-05-18-21-07' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Pull misc fixes from Andrew Morton: "14 hotfixes. 9 are for MM. 10 are cc:stable and the remainder are for post-7.1 issues or aren't deemed suitable for backporting. There's a two-patch MAINTAINERS series from Mike Rapoport which updates us for the new KEXEC/KDUMP/crash/LUO/etc arrangements. And another two-patch series from Muchun Song to fix a couple of memory-hotplug issues. Otherwise singletons, please see the changelogs for details" * tag 'mm-hotfixes-stable-2026-05-18-21-07' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: mm/memory: fix spurious warning when unmapping device-private/exclusive pages mm: fix __vm_normal_page() to handle missing support for pmd_special()/pud_special() drivers/base/memory: fix memory block reference leak in poison accounting mm/memory_hotplug: fix memory block reference leak on remove lib: kunit_iov_iter: fix test fail on powerpc mm/page_alloc: fix initialization of tags of the huge zero folio with init_on_free MAINTAINERS: add kexec@ list to LIVE UPDATE ENTRY MAINTAINERS: add tree for KDUMP and KEXEC selftests/mm: run_vmtests.sh: fix destructive tests invocation scripts/gdb: slab: update field names of struct kmem_cache scripts/gdb: mm: cast untyped symbols in x86_page_ops mm/damon: fix damos_stat tracepoint format for sz_applied mm/damon/sysfs-schemes: call missing mem_cgroup_iter_break() mm/migrate_device: fix spinlock leak in migrate_vma_insert_huge_pmd_page
2026-05-18debugobjects: Do not fill_pool() if pi_blocked_onHelen Koike
On RT enabled kernels, fill_pool() ends up calling rtlock_lock(), which asserts if current::pi_blocked_on is set, because a task can obviously only block on one lock as otherwise the priority inheritenace chain gets corrupted. Prevent this by expanding the conditional to take current::pi_blocked_on into account. Fixes: 4bedcc28469a ("debugobjects: Make them PREEMPT_RT aware") Reported-by: syzbot+b8ca586b9fc235f0c0df@syzkaller.appspotmail.com Signed-off-by: Helen Koike <koike@igalia.com> Signed-off-by: Thomas Gleixner <tglx@kernel.org> Link: https://patch.msgid.link/20260511215359.3351259-1-koike@igalia.com Closes: https://syzkaller.appspot.com/bug?extid=b8ca586b9fc235f0c0df
2026-05-17Merge tag 'timers-urgent-2026-05-17' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull timer fix from Ingo Molnar: - Fix potential garbage reads in the vDSO gettimeofday code (Thomas Weißschuh) * tag 'timers-urgent-2026-05-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: vdso/gettimeofday: Reload sequence counter after switch to time page in do_aux()
2026-05-15Merge tag 'v7.1-p4' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto fixes from Herbert Xu: - Fix potential dead-lock in rhashtable when used by xattr - Avoid calling kvfree on atomic path in rhashtable * tag 'v7.1-p4' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: rhashtable: Add bucket_table_free_atomic() helper mm/slab: Add kvfree_atomic() helper rhashtable: drop ht->mutex in rhashtable_free_and_destroy()
2026-05-14kunit: Add backtrace suppression self-testsGuenter Roeck
Add unit tests to verify that warning backtrace suppression works. Tests cover both API forms: - Scoped: kunit_warning_suppress() with in-block count verification and post-block inactivity check. - Direct functions: kunit_start/end_suppress_warning() with sequential independent suppression blocks and per-block counts. Furthermore, tests verify incremental warning counting, that kunit_has_active_suppress_warning() transitions correctly around suppression boundaries, and that suppression active in the test kthread does not leak to a separate kthread. If backtrace suppression does _not_ work, the unit tests will likely trigger unsuppressed backtraces, which should actually help to get the affected architectures / platforms fixed. Link: https://lore.kernel.org/r/20260514-kunit_add_support-v11-2-b36a530a6d8f@redhat.com Tested-by: Linux Kernel Functional Testing <lkft@linaro.org> Acked-by: Dan Carpenter <dan.carpenter@linaro.org> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Alessandro Carminati <acarmina@redhat.com> Reviewed-by: David Gow <david@davidgow.net> Signed-off-by: Albert Esteve <aesteve@redhat.com> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
2026-05-14bug/kunit: Core support for suppressing warning backtracesAlessandro Carminati
Some unit tests intentionally trigger warning backtraces by passing bad parameters to kernel API functions. Such unit tests typically check the return value from such calls, not the existence of the warning backtrace. Such intentionally generated warning backtraces are neither desirable nor useful for a number of reasons: - They can result in overlooked real problems. - A warning that suddenly starts to show up in unit tests needs to be investigated and has to be marked to be ignored, for example by adjusting filter scripts. Such filters are ad hoc because there is no real standard format for warnings. On top of that, such filter scripts would require constant maintenance. Solve the problem by providing a means to suppress warning backtraces originating from the current kthread while executing test code. Since each KUnit test runs in its own kthread, this effectively scopes suppression to the test that enabled it. Limit changes to generic code to the absolute minimum. Implementation details: Suppression is integrated into the existing KUnit hooks infrastructure in test-bug.h, reusing the kunit_running static branch for zero overhead when no tests are running. Suppression is checked at three points in the warning path: - In warn_slowpath_fmt(), the check runs before any output, fully suppressing both message and backtrace. This covers architectures without __WARN_FLAGS. - In __warn_printk(), the check suppresses the warning message text. This covers architectures that define __WARN_FLAGS but not their own __WARN_printf (arm64, loongarch, parisc, powerpc, riscv, sh), where the message is printed before the trap enters __report_bug(). - In __report_bug(), the check runs before __warn() is called, suppressing the backtrace and stack dump. To avoid double-counting on architectures where both __warn_printk() and __report_bug() run for the same warning, kunit_is_suppressed_warning() takes a bool parameter: true to increment the suppression counter (used in warn_slowpath_fmt and __report_bug), false to check only (used in __warn_printk). The suppression state is dynamically allocated via kunit_kzalloc() and tied to the KUnit test lifecycle via kunit_add_action(), ensuring automatic cleanup at test exit. Writer-side access to the global suppression list is serialized with a spinlock; readers use RCU. Two API forms are provided: - kunit_warning_suppress(test) { ... }: scoped, uses __cleanup for automatic teardown on scope exit, kunit_add_action() as safety net for abnormal exits (e.g. kthread_exit from failed assertions). Suppression handle is only accessible inside the block. - kunit_start/end_suppress_warning(test): direct functions returning an explicit handle, for retaining the handle within the test, or for cross-function usage. Link: https://lore.kernel.org/r/20260514-kunit_add_support-v11-1-b36a530a6d8f@redhat.com Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Alessandro Carminati <acarmina@redhat.com> Reviewed-by: Kees Cook <kees@kernel.org> Reviewed-by: David Gow <david@davidgow.net> Signed-off-by: Albert Esteve <aesteve@redhat.com> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
2026-05-14vdso/gettimeofday: Reload sequence counter after switch to time page in do_aux()Thomas Weißschuh
After switching to the real data pages, the sequence counter needs to be reloaded from there. The code using vdso_read_begin_timens() assumed this worked by 'continue' jumping to the *beginning* of the do-while retry loop. However the 'continue' jumps to the *end* of said loop, evaluating the exit condition. If the data page has a sequence counter of '1' it will match the one from the time namespace page and prematurely exit the retry loop. This would result in garbage returned to the caller. Reload the sequence counter after switching the pages by using an inner while loop again, which will loop at most once. The loop generates slightly better code than an explicit reload through 'seq = vdso_read_begin()'. Fixes: ed78b7b2c5ae ("vdso/gettimeofday: Add a helper to read the sequence lock of a time namespace aware clock") Reported-by: Ricardo Ribalda <ribalda@chromium.org> Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de> Signed-off-by: Thomas Gleixner <tglx@kernel.org> Tested-by: Ricardo Ribalda <ribalda@chromium.org> Reviewed-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org> Link: https://patch.msgid.link/20260422-vdso-aux-timens-loop-v1-1-e2dd8c7164cc@linutronix.de Closes: https://lore.kernel.org/lkml/CANiDSCsOy0P1if-gJZqOM5pTJ0RDcwVfru1B7KFbTOEMqjPKJw@mail.gmail.com/
2026-05-13lib: kunit_iov_iter: fix test fail on powerpcChristian A. Ehrhardt
Increase buffer size to accommodate machines with 64K PAGE_SIZE. Link: https://lore.kernel.org/20260421070707.992873-1-lk@c--e.de Fixes: 0913b7554726 ("lib: kunit_iov_iter: add tests for extract_iter_to_sg") Signed-off-by: Christian A. Ehrhardt <lk@c--e.de> Reported-by: David Gow <davidgow@google.com> Closes: https://lore.kernel.org/34a81ec2-af84-465d-9b5e-7bb5bf01680f@davidgow.net Tested-by: David Gow <davidgow@google.com> Tested-by: Josh Law <joshlaw48@gmail.com> Reviewed-by: Josh Law <joshlaw48@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-05-13lib/string_helpers: annotate struct strarray with __counted_by_ptrThorsten Blum
Add the __counted_by_ptr() compiler attribute to 'array' to improve bounds checking via CONFIG_UBSAN_BOUNDS and CONFIG_FORTIFY_SOURCE. Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Link: https://patch.msgid.link/20260415122542.370926-6-thorsten.blum@linux.dev Signed-off-by: Kees Cook <kees@kernel.org>
2026-05-13lib/string_helpers: drop redundant allocation in kasprintf_strarrayThorsten Blum
kasprintf_strarray() returns an array of N strings and kfree_strarray() also frees N entries. However, kasprintf_strarray() currently allocates N+1 char pointers. Allocate exactly N pointers instead of N+1. Also update the kernel-doc for @n. Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Link: https://patch.msgid.link/20260415122542.370926-4-thorsten.blum@linux.dev Signed-off-by: Kees Cook <kees@kernel.org>
2026-05-12Merge tag 'probes-fixes-v7.1-rc3' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull probes fixes from Masami Hiramatsu: - kprobes: skip non-symbol addresses in kprobe_add_ksym_blacklist() Since the ftrace adds its NOPs at .kprobes.text section (which stores an array), a wrong entry is added when loading a module which uses "__kprobes" attribute. To solve this, add "notrace" to __kprobes functions - test_kprobes: clear kprobes between test runs Clear all kprobes in the test program after running a test set, because Kunit test can run several times - fprobe: Fix unregister_fprobe() to wait for RCU grace period Since the fprobe data structure is removed with hlist_del_rcu(), it should wait for the RCU grace period. If the caller waits for RCU, we can use the async variant (e.g. eBPF) * tag 'probes-fixes-v7.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: fprobe: Fix unregister_fprobe() to wait for RCU grace period test_kprobes: clear kprobes between test runs kprobes: skip non-symbol addresses in kprobe_add_ksym_blacklist()
2026-05-12rhashtable: give each instance its own lockdep classChristian Brauner
syzbot reported a possible circular locking dependency between &ht->mutex and fs_reclaim: CPU0 (kswapd0) CPU1 (kworker) -------------- -------------- fs_reclaim ht->mutex shmem_evict_inode rhashtable_rehash_alloc simple_xattrs_free bucket_table_alloc(GFP_KERNEL) rhashtable_free_and_destroy __kvmalloc_node mutex_lock(&ht->mutex) might_alloc -> fs_reclaim The two halves of the splat refer to two different events on &ht->mutex. The kswapd0 path is unambiguous: shmem_evict_inode at mm/shmem.c:1429 calls simple_xattrs_free(), which calls rhashtable_free_and_destroy() on the per-inode simple_xattrs rhashtable being torn down with the inode. The previously-recorded ht->mutex -> fs_reclaim edge comes from rht_deferred_worker -> rhashtable_rehash_alloc -> bucket_table_alloc(GFP_KERNEL) -> __kvmalloc_node -> might_alloc -> fs_reclaim. That stack stops at generic library code: there is no subsystem-specific frame above rht_deferred_worker, so the splat does not identify which rhashtable's worker recorded the edge -- only that some rhashtable in the system did. Whether or not that recording happened on the same simple_xattrs ht that is now being destroyed, the predicted deadlock cannot occur: rhashtable_free_and_destroy() does cancel_work_sync(&ht->run_work) before taking ht->mutex, so the deferred worker cannot be running on the instance being torn down. If the recording was on a different rhashtable instance, the two ht->mutex acquisitions are on distinct mutex objects and cannot deadlock either. Lockdep flags a cycle regardless because mutex_init(&ht->mutex) lives on a single source line in rhashtable_init_noprof(), so every ht->mutex in the kernel shares one static lockdep class. Lockdep matches by class, not by instance, and collapses all of these into one node. Lift the lockdep key out of rhashtable_init_noprof() and into the caller. The user-visible rhashtable_init_noprof() / rhltable_init_noprof() identifiers become macros that declare a per-call-site static lock_class_key. Link: https://patch.msgid.link/20260427-work-rhashtable-lockdep-v1-1-f69e8bd91cb2@kernel.org Fixes: c6307674ed82 ("mm: kvmalloc: add non-blocking support for vmalloc") Acked-by: Michal Hocko <mhocko@suse.com> Reported-by: syzbot+5af806780f38a5fe691f@syzkaller.appspotmail.com Closes: https://lore.kernel.org/69e798fe.050a0220.24bfd3.0032.GAE@google.com Signed-off-by: Christian Brauner <brauner@kernel.org>
2026-05-12bootconfig: move xbc_snprint_cmdline() to lib/bootconfig.cBreno Leitao
Move xbc_snprint_cmdline() from init/main.c to lib/bootconfig.c so the function (and its xbc_namebuf scratch buffer) becomes part of the shared parser library. tools/bootconfig already compiles lib/bootconfig.c directly, which lets a follow-up patch reuse the same renderer in the userspace tool to convert a bootconfig file into a flat cmdline string at build time. No functional change. Link: https://lore.kernel.org/all/20260508-bootconfig_using_tools-v1-1-1132219aa773@debian.org/ Signed-off-by: Breno Leitao <leitao@debian.org> Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
2026-05-11Merge tag 'linux_kselftest-kunit-fixes-7.1-rc4' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest Pull kunit fixes from Shuah Khan: "Fix to decouple KUNIT_DEBUGFS and KUNIT_ALL_TESTS options and fix KUNIT_DEBUGFS dependencies so it depends on DEBUG_FS without which it will not be useful" * tag 'linux_kselftest-kunit-fixes-7.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest: kunit: config: KUNIT_DEBUGFS should depend on DEBUG_FS kunit: config: Enable KUNIT_DEBUGFS by default
2026-05-11workqueue: forbid TEST_WORKQUEUE from being built-inBreno Leitao
The benchmark drives the workqueue's affinity_scope through sysfs by filp_open()'ing /sys/bus/workqueue/devices/bench_wq/affinity_scope. When CONFIG_TEST_WORKQUEUE=y, the module_init runs during kernel init before userspace has mounted sysfs, so every open returns -ENOENT and the benchmark loop spins emitting: test_workqueue: open /sys/bus/workqueue/devices/bench_wq/affinity_scope failed: -2 Mirror the TEST_BPF pattern and add "depends on m" so Kconfig will not let this be built into the kernel image, and document the reason in the help text. Fixes: 24b2e73f9700 ("workqueue: add test_workqueue benchmark module") Signed-off-by: Breno Leitao <leitao@debian.org> Signed-off-by: Tejun Heo <tj@kernel.org>
2026-05-10Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf 7.1-rc3Alexei Starovoitov
Cross-merge BPF and other fixes after downstream PR. Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-05-09lib/crypto: powerpc/md5: Drop powerpc optimized MD5 codeEric Biggers
MD5 is obsolete, is vulnerable to collision attacks, and is being replaced by SHA-256 in new systems. It doesn't make sense to continue to maintain architecture-optimized implementations of MD5. Effort should be spent on modern algorithms. Indeed, architecture-optimized MD5 code remains only for powerpc. It was already removed from mips and sparc, and it never existed for any other architecture (e.g. x86, arm, or arm64) in the first place. Earlier the decision was made to keep the powerpc MD5 code for a while anyway because of someone using it via AF_ALG via libkcapi-hasher (https://lore.kernel.org/r/f0d771d5-ed70-444c-957a-ad4c16f6c115@csgroup.eu/) However, with AF_ALG itself now being on its way out due to its continuous stream of security vulnerabilities (https://lore.kernel.org/r/20260430011544.31823-1-ebiggers@kernel.org/), it's also time to be a bit more forceful with nudging people towards userspace crypto code. It's always been the better solution anyway, and it's much more efficient if properly optimized code is used. Note that the md5-asm.S file contains no privileged instructions and could be run in userspace just fine. Thus, we now have two factors going against keeping the powerpc MD5 code. Different people might weigh these two factors differently, but I think the two of them together make the removal the clear choice. Let's remove it. Acked-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org> Acked-by: Ard Biesheuvel <ardb@kernel.org> Link: https://patch.msgid.link/20260506030005.9698-1-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org>
2026-05-08test_kprobes: clear kprobes between test runsMartin Kaiser
Running the kprobes sanity tests twice makes all tests fail and eventually crashes the kernel. [root@martin-riscv-1 ~]# echo 1 > /sys/kernel/debug/kunit/kprobes_test/run ... # Totals: pass:5 fail:0 skip:0 total:5 ok 1 kprobes_test [root@martin-riscv-1 ~]# echo 1 > /sys/kernel/debug/kunit/kprobes_test/run ... # test_kprobe: EXPECTATION FAILED at lib/tests/test_kprobes.c:64 Expected 0 == register_kprobe(&kp), but register_kprobe(&kp) == -22 (0xffffffffffffffea) ... Unable to handle kernel paging request ... The testsuite defines several kprobes and kretprobes as static variables that are preserved across test runs. After register_kprobe and unregister_kprobe, a kprobe contains some leftover data that must be cleared before the kprobe can be registered again. The tests are setting symbol_name to define the probe location. Address and flags must be cleared. The existing code clears some of the probes between subsequent tests, but not between two test runs. The leftover data from a previous test run makes the registrations fail in the next run. Move the cleanups for all kprobes into kprobes_test_init, this function is called before each single test (including the first test of a test run). Link: https://lore.kernel.org/all/20260507134615.1010905-1-martin@kaiser.cx/ Fixes: e44e81c5b90f ("kprobes: convert tests to kunit") Signed-off-by: Martin Kaiser <martin@kaiser.cx> Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
2026-05-05Merge tag 'fbdev-for-7.1-rc3' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev Pull fbdev fixes from Helge Deller: "Four small patches for fbdev, of which two are important: One fixes the bitmap font generation and the other prevents a possible use-after-free in udlfb: - Fix rotating fonts by 180 degrees (Thomas Zimmermann) - Drop duplicate include of linux/module.h in fb_defio (Chen Ni) - Add vm_ops in udlfb to prevent use-after-free (Rajat Gupta) - ipu-v3: clean up kernel-doc warnings (Randy Dunlap)" * tag 'fbdev-for-7.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev: fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free lib/fonts: Fix bit position when rotating by 180 degrees fbdev: defio: Remove duplicate include of linux/module.h fbdev: ipu-v3: clean up kernel-doc warnings
2026-05-05lib/vsprintf: Limit the returning size to INT_MAXMasami Hiramatsu (Google)
The return value of vsnprintf() and bstr_printf() can overflow INT_MAX and return a minus value. In the @size is checked input overflow, but it does not check the output, which is expected required size. This should never happen but it should be checked and limited. Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org> Reviewed-by: Petr Mladek <pmladek@suse.com> Link: https://patch.msgid.link/177452713020.197965.3164174544083829000.stgit@devnote2 Signed-off-by: Petr Mladek <pmladek@suse.com>
2026-05-05lib/vsprintf: Fix to check field_width and precisionMasami Hiramatsu (Google)
Check the field_width and presition correctly. Previously it depends on the bitfield conversion from int to check out-of-range error. However, commit 938df695e98d ("vsprintf: associate the format state with the format pointer") changed those fields to int. We need to check the out-of-range correctly without bitfield conversion. Fixes: 938df695e98d ("vsprintf: associate the format state with the format pointer") Reported-by: David Laight <david.laight.linux@gmail.com> Closes: https://lore.kernel.org/all/20260318151250.40fef0ab@pumpkin/ Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org> Reviewed-by: Petr Mladek <pmladek@suse.com> Link: https://patch.msgid.link/177452712047.197965.16376597502504928495.stgit@devnote2 Signed-off-by: Petr Mladek <pmladek@suse.com>