summaryrefslogtreecommitdiff
path: root/tools/testing/selftests
AgeCommit message (Collapse)Author
3 daysMerge tag 'riscv-for-linus-7.2-rc3' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux Pull RISC-V fixes from Paul Walmsley: "The most notable change involves the rseq kselftest common Makefile (as it is not RISC-V-specific). The basic approach in the patch appears similar to one used in the KVM and S390 selftests (grep for LINUX_TOOL_ARCH_INCLUDE and SUBARCH), and the rseq kselftests pass a quick build test on x86 after this. - Avoid a null pointer deference in machine_kexec_prepare() that the IMA subsystem can trigger - Bypass libc in part of the ptrace_v_not_enabled kselftest to avoid noise from child atfork handlers that libc might run - Include Kconfig support for UltraRISC SoCs, already referenced by some device drivers; and enable it in our defconfig - Fix the build of the rseq kselftest for RISC-V by borrowing a technique from the KVM and S390 kselftests that includes arch-specific header files from tools/arch/<arch>/include - Fix some memory leaks in the RISC-V vector ptrace kselftests - Clean up some DT bindings and hwprobe documentation" * tag 'riscv-for-linus-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux: selftests/riscv: ptrace: Fix memory leak of regset_data in vector tests selftests/rseq: Fix a building error for riscv arch riscv: defconfig: enable ARCH_ULTRARISC riscv: add UltraRISC SoC family Kconfig support riscv: hwprobe.rst: Document EXT_ZICFISS and EXT_ZICFILP riscv: hwprobe.rst: Make indentation consistent dt-bindings: riscv: sort multi-letter Z extensions alphanumerically selftests: riscv: Bypass libc in inactive vector ptrace test riscv: Prevent NULL pointer dereference in machine_kexec_prepare()
3 daysMerge tag 'trace-v7.2-rc2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull tracing fixes from Steven Rostedt: - Free field in error path of synthetic event parse In __create_synth_event() the field was allocated but was not freed in the error path - Fix ring_buffer_event_length() on 8 byte aligned architectures On architectures with CONFIG_HAVE_64BIT_ALIGNED_ACCESS set to y, the ring_buffer_event_length() may return the wrong size. This is because archs with that config set will always use the "big event meta header" as that is 8 bytes keeping the payload 8 bytes aligned, even when a 4 byte header could hold the size of the event But ring_buffer_event_length() doesn't take this into account and only subtracts 4 bytes for the meta header in the length when it should have subtracted 8 bytes - Have osnoise wait for a full rcu synchronization on unregister osnoise_unregister_instance() used to call synchronize_rcu() before freeing its copy of the instance but was switched to kfree_rcu(). The osniose tracer has code that traverses the instances that it uses, and inst is just a pointer to that instance. By using kfree_rcu() instead of synchronize_rcu(), the instance that the inst pointer is pointing to can be freed while the osnoise code is still referencing it That is, a rmdir on an instance first unregisters the tracer. When the unregister finishes, the rmdir expects that the tracer is finished with the instance that it is using. By putting back the synchronize_rcu() in osnoise_unregister_instance() the unregistering of osnoise will now return when all the users of the instance have finished - Remove an unused setting of "ret" in tracing_set_tracer() - Fix ring_buffer_read_page() copying events The commit that changed ring_buffer_read_page() to show dropped events from the buffer itself, split the "commit" variable between the commit value (with flags) and "size" that holds the size of the sub-buffer. A cut and paste error changed the test of the reading from checking the size of the buffer to the size of the event causing reads to only read one event at a time - Make tracepoint_printk a static variable When the tracing sysctl knobs were move from sysctl.c to trace.c, the variable tracepoint_printk no longer needed to be global. Make it static - Fix some typos - Fix NULL pointer dereference in func_set_flag() The flags update of the function tracer first checks if the value of the flag is the same and exits if they are, and then it checks if the current tracer is the function tracer and exits if it isn't. The problem is that these checks need to be in a reversed order, as if the tracer isn't the function tracer, then the flag being checked may not exist. Reverse the order of these checks - Fix ufs core trace events to not dereference a pointer in TP_printk() The TP_printk() part of the TRACE_EVENT() macro is called when the user reads the "trace" file. This can be seconds, minutes, hours, days, weeks, and even months after the data was recorded into the ring buffer. Thus, saving a pointer to an object into the ring buffer and then dereferencing it from TP_printk() can cause harm as the object the pointer is pointing to may no longer exist Fix all the trace events in ufs core to save the device name in the ring buffer instead of dereferencing the device descriptor from TP_printk() - Prevent out-of-bound reads in glob matching of trace events The filter logic of events allows simple glob logic to add wild cards to filter on strings. But some events have fields that may not have a terminating 'nul' character. This may cause the glob matching to go beyond the string. Change the logic to always pass in the length of the field that is being matched - Add no-rcu-check version of trace_##event##_enabled() The trace_##event##_enabled() usually wraps trace events to do extra work that is only needed when the trace event is enabled. But this can hide events that are placed in locations where RCU is not watching, and can make lockdep not see these bugs when the event is not enabled The trace_##event##_enabled() was updated to always test to make sure RCU is watching to catch locations that may call events without RCU being active This caused a false positive for the irq_disabled() and related events. As that use trace_irq_disabled_enabled() to force RCU to be watching when the event is enabled via the ct_irq_enter() function, calls the event, and then calls ct_irq_exit() to put RCU back to its original state The trace_irq_disabled_enabled() should not trigger a warning when RCU is not watching because the code within its block handles the case properly. Make a __trace_##event##_enabled() version for this event to use that doesn't check RCU is watching as it handles the case when it isn't - Fix use-after-free in user_event_mm_dup() When the enabler is removed from the link list, it is freed immediately. But it is protected via RCU and needs to be freed after an RCU grace period. Use queue_rcu_work() so that the event_mutex can also be taken as user_event_put() takes the mutex on the last reference is released - Free type string in error path of parse_synth_field() There's an error path in parse_synth_field() where the allocated type string is not freed - Add selftest that tests deferred event teardown - Fix leak in error path of trace_remote_alloc_buffer() If page allocation fails, the desc->nr_cpus is not incremented for the current CPU and the allocations done for it are not freed - Fix allocation length in trace_remote_alloc_buffer() The logic to calculate the struct_len was doing a double count and setting the value too large. Calculate the size upfront to fix the error and simplify the logic - Fix sparse CPU masks in ring_buffer_desc() If there are sparse CPUs (gaps in the numbering), the ring_buffer_desc() will fail as it tests the CPU number against the number of CPUs that are used * tag 'trace-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: ring-buffer: Allow sparse CPU masks in ring_buffer_desc() tracing/remotes: Fix struct_len in trace_remote_alloc_buffer() tracing/remotes: Fix leak in trace_remote_alloc_buffer() error path selftests/user_events: Wait for deferred event teardown after unregister tracing/synthetic: Free type string on error path tracing/user_events: Fix use-after-free in user_event_mm_dup() tracing: Add a no-rcu-check version of trace_##event##_enabled() tracing: Prevent out-of-bounds read in glob matching ufs: core: tracing: Do not dereference pointers in TP_printk() tracing: Fix NULL pointer dereference in func_set_flag() samples: ftrace: Fix typos in benchmark comment tracing: Make tracepoint_printk static as not exported ring-buffer: Fix ring_buffer_read_page() copying only one event per page tracing: Remove unused ret assignment in tracing_set_tracer() tracing/osnoise: Call synchronize_rcu() when unregistering ring-buffer: Fix event length with forced 8-byte alignment tracing/synthetic: Free pending field on error path
5 daysMerge tag 'arm64-fixes' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fixes from Will Deacon: - Fix crash when using SMT hotplug on ACPI systems in conjunction with maxcpus= - Fix 30% kswapd performance regression introduced by C1-Pro SME erratum workaround - Fix TLB over-invalidation regression during memory hotplug - Fix incorrect encoding of FEAT_BWE2 value in ID_AA64DFR2_EL1.BWE - Typo fixes in the arm64 selftests * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: selftests/arm64: fix spelling errors in comments arm64/sysreg: Fix BWE field encoding in ID_AA64DFR2_EL1 arm64/mm: Optimize TLB flush in unmap_hotplug_[pmd|pud]_range() arm64: Avoid eager DVMSync reclaim batches with C1-Pro SME erratum cpu/hotplug: Fix NULL kobject warning in cpuhp_smt_enable() arm64: smp: Fix hot-unplug tearing by forcing unregistration
5 daysMerge tag 'gpio-fixes-for-v7.2-rc3' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux Pull gpio fixes from Bartosz Golaszewski: - provide the missing .get_direction() callback in gpio-palmas - fix interrupt handling in gpio-dwapb - add a GPIO self-test program binary to .gitignore - fix a resource leak in gpio-mvebu - make the GPIO sharing heuristic more adaptable * tag 'gpio-fixes-for-v7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux: gpio: mvebu: free generic chips on unbind selftests: gpio: add gpio-cdev-uaf to .gitignore gpio: dwapb: Mask interrupts at hardware initialization gpio: dwapb: Defer clock gating until noirq gpio: shared: make the voting mechanism adaptable gpios: palmas: add .get_direction() op
5 daysselftests/riscv: ptrace: Fix memory leak of regset_data in vector testsWang Yan
The regset_data buffer allocated with calloc() in the parent process of several vector ptrace tests is never freed before returning, causing memory leaks in: - ptrace_v_not_enabled - ptrace_v_early_debug - ptrace_v_syscall_clobbering - v_csr_invalid/ptrace_v_invalid_values - v_csr_valid/ptrace_v_valid_values Add free(regset_data) before kill(pid, SIGKILL) to release the allocated buffer. Signed-off-by: Wang Yan <wangyan01@kylinos.cn> Reviewed-by: Sergey Matyukevich <geomatsi@gmail.com> Link: https://patch.msgid.link/20260710083437.489648-1-wangyan01@kylinos.cn [pjw@kernel.org: Fixed Sergey's E-mail address] Signed-off-by: Paul Walmsley <pjw@kernel.org>
6 daysMerge tag 'net-7.2-rc3' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Paolo Abeni: "Including fixes from netfilter, Bluetooth and batman-adv. Current release - regressions: - bluetooth: fix using chan->conn as indication to no remote netdev Current release - new code bugs: - netfilter: cap to maximum number of expectation per master on updates Previous releases - regressions: - bluetooth: - fix UAF of hci_conn_params in add_device_complete - fix null ptr deref in hci_abort_conn() - igmp: remove multicast group from hash table on device destruction - batman-adv: prevent TVLV OOB check overflow - eth: mlx5/mlx5e: - fix off-by-one in single-FDB error rollback - skip peer flow cleanup when LAG seq is unavailable - fix crashes in dynamic per-channel stats and HV VHCA agent - eth: mana: Sync page pool RX frags for CPU Previous releases - always broken: - netfilter: - mark malformed IPv6 extension headers for hotdrop - terminate table name before find_table_lock() - ipvs: use parsed transport offset in TCP state lookup - sched: act_pedit: fix TOCTOU heap OOB write in tc offload - ethtool: rss: fix hfunc and input_xfrm parsing on big endian - ipv4/ipv6: fix UAF and memory leak in IGMP/MLD - tls: consume empty data records in tls_sw_read_sock() - eth: - octeontx2-af: fix VF bringup affecting PF promiscuous state - gue: validate REMCSUM private option length" * tag 'net-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (94 commits) macsec: don't read an unset MAC header in macsec_encrypt() dibs: loopback: validate offset and size in move_data() octeontx2-af: fix VF bringup affecting PF promiscuous state ethtool: rss: Fix hfunc and input_xfrm parsing on big endian net/mlx5: Fix L3 tunnel entropy refcount leak net: macb: drop in-flight Tx SKBs on close net: mana: Sync page pool RX frags for CPU net: mana: Validate the packet length reported by the NIC selftests/net: fix EVP_MD_CTX leak in tcp_mmap ipvs: ensure inner headers in ICMP errors are in headroom ipvs: use parsed transport offset in SCTP state lookup ipvs: use parsed transport offset in TCP state lookup ipvs: pass parsed transport offset to state handlers netfilter: handle unreadable frags netfilter: flowtable: support IPIP tunnel with direct xmit netfilter: flowtable: IPIP tunnel hardware offload is not yet support netfilter: flowtable: use dst in this direction when pushing IPIP header netfilter: ipset: allocate the proper memory for the generic hash structure netfilter: ipset: cleanup the add/del backlog when resize failed netfilter: ipset: exclude gc when resize is in progress ...
6 daysselftests/net: fix EVP_MD_CTX leak in tcp_mmapWang Yan
In tcp_mmap.c, both child_thread() and main() allocate an EVP_MD_CTX via EVP_MD_CTX_new() when integrity checking is enabled, but neither function releases the context. child_thread() misses the free in its common cleanup block, and main() returns without freeing the context. This results in a SHA256 context leak on every run that uses the ‑i (integrity) option. Add the missing EVP_MD_CTX_free() calls to the appropriate cleanup paths to fix the leak. Fixes: 5c5945dc695c ("selftests/net: Add SHA256 computation over data sent in tcp_mmap") Signed-off-by: Wang Yan <wangyan01@kylinos.cn> Link: https://patch.msgid.link/20260702025949.442523-1-wangyan01@kylinos.cn Signed-off-by: Paolo Abeni <pabeni@redhat.com>
7 daysselftests/rseq: Fix a building error for riscv archHui Wang
RISC-V rseq selftests include asm/fence.h from tools/arch/riscv, but the rseq Makefile only adds tools/include in the CFLAGS, this results in the building failure both for native and cross build: In file included from rseq.h:131, from rseq.c:37: rseq-riscv.h:11:10: fatal error: asm/fence.h: No such file or directory To fix it, add the matching tools/arch/$(ARCH)/include path in the CFLAGS and derive ARCH from SUBARCH for standalone native builds where ARCH is not set. Fixes: c92786e179e0 ("KVM: riscv: selftests: Use the existing RISCV_FENCE macro in `rseq-riscv.h`") Cc: stable@vger.kernel.org Signed-off-by: Hui Wang <hui.wang@canonical.com> Link: https://patch.msgid.link/20260707082348.36896-1-hui.wang@canonical.com Signed-off-by: Paul Walmsley <pjw@kernel.org>
7 daysMerge tag 'hid-for-linus-2026070801' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid Pull HID fixes from Jiri Kosina: - OOB, UAF, NULL-deref fixes in core and picolcd, logitech, letsketch, appleir and multitouch drivers (Georgiy Osokin, HyeongJun An, Lee Jones, Manish Khadka, Maoyi Xie and Trung Nguyen) - fix for integer wraparound (and corresponding regression selftest) in hid-bpf (Yiyang Chen) * tag 'hid-for-linus-2026070801' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid: selftests/hid: multitouch: test a large ContactCountMaximum HID: multitouch: fix out-of-bounds bit access on mt_io_flags selftests/hid: Cover hid_bpf_get_data() size overflow selftests/hid: Load only requested struct_ops maps HID: bpf: Fix hid_bpf_get_data() range check HID: lg-g15: cancel pending work on remove to fix a use-after-free HID: logitech-dj: Fix maxfield check in DJ short report validation HID: core: Fix OOB read in hid_get_report for numbered reports HID: picolcd: prevent NULL pointer dereference in picolcd_send_and_wait() HID: appleir: fix UAF on pending key_up_timer in remove() HID: letsketch: fix UAF on inrange_timer at driver unbind
7 daysselftests/user_events: Wait for deferred event teardown after unregisterMichael Bommarito
Unregistering a user event now defers the drop of the enabler's event reference (and the freeing of the enabler) past an RCU grace period. As a result DIAG_IOCSDEL can transiently fail with -EBUSY while that last reference is still being dropped, where it previously succeeded immediately. Two tests assumed the delete takes effect the instant the unregister returns: - abi_test "flags" deletes the event right after disabling it. - perf_test's fixture teardown clear() deletes __test_event before the next test registers the same name; a stale event makes the following registration fail with -EADDRINUSE. Retry the delete until it succeeds (or the event is already gone) with a bounded wait, matching the existing wait_for_delete() idiom in the same suite, so the tests are robust to the deferred teardown. Link: https://patch.msgid.link/20260707180240.2887081-1-michael.bommarito@gmail.com Assisted-by: Claude:claude-opus-4-8 Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com> Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
7 daysselftests: gpio: add gpio-cdev-uaf to .gitignoreCihan Karadag
Commit c7f92042d3f3 ("selftests: gpio: Add gpio-cdev-uaf tests") added the gpio-cdev-uaf binary to TEST_GEN_PROGS_EXTENDED but never added it to .gitignore. Building it with: make -C tools/testing/selftests/gpio TARGETS=gpio leaves gpio-cdev-uaf as an untracked file. Fixes: c7f92042d3f3 ("selftests: gpio: Add gpio-cdev-uaf tests") Signed-off-by: Cihan Karadag <cihan.cihan@gmail.com> Reviewed-by: Tzung-Bi Shih <tzungbi@kernel.org> Link: https://patch.msgid.link/20260707235707.1349969-1-cihan.cihan@gmail.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
7 daysselftests: riscv: Bypass libc in inactive vector ptrace testAndrew Jones
The ptrace_v_not_enabled test expects the child to reach its ebreak before it has used the vector extension. That is not guaranteed when using fork(), because libc may run child atfork handlers before returning to the test code. In those cases PTRACE_GETREGSET for NT_RISCV_VECTOR then succeeds instead of returning ENODATA for inactive vector state. Use the raw clone syscall with SIGCHLD to keep fork-like semantics while bypassing libc's fork wrapper and atfork handler chain. Cc: Andy Chiu <tchiu@tenstorrent.com> Assisted-by: Claude:claude-sonnet-4-6 Signed-off-by: Andrew Jones <andrew.jones@oss.qualcomm.com> Link: https://patch.msgid.link/20260707153827.175245-1-andrew.jones@oss.qualcomm.com Signed-off-by: Paul Walmsley <pjw@kernel.org>
8 daysMerge tag 'mm-hotfixes-stable-2026-07-06-17-49' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Pull misc fixes from Andrew Morton: "20 hotfixes. 17 are for MM. 12 are cc:stable and the remaining 8 address post-7.1 issues or aren't considered suitable for backporting. Two patches from SJ addresses a couple of quite old DAMON issues. And two patches from Yichong Chen fixes tools/virtio build issues. The remaining patches are singletons" * tag 'mm-hotfixes-stable-2026-07-06-17-49' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: tools/include: include stdint.h for SIZE_MAX in overflow.h tools/virtio: add missing compat definitions for vhost_net_test mm: do file ownership checks with the proper mount idmap samples/damon/mtier: fail early if address range parameters are invalid mm: a second pagecache maintainer mm/damon: add a kernel-doc comment for damon_ctx->rnd_state mm/damon: add a kernel-doc comment for damon_ctx->probes mailmap: add entries for Radu Rendec selftests/mm: hmm-tests: include linux/mman.h to access MADV_COLLAPSE selftests/mm: pagemap_ioctl: use the correct page size for transact_test() fs/proc: fix KPF_KSM reported for all anonymous pages mm: page_ext: add count limit to page_ext_iter_next to prevent invalid PFN access mm/damon/ops-common: handle extreme intervals in damon_hot_score() MAINTAINERS: add Lance as an rmap reviewer mm/compaction: handle free_pages_prepare() properly in compaction_free() mm/damon/sysfs-schemes: put stats for scheme_add_dirs() internal error mm/damon/sysfs-schemes: fix dir put orders in access_pattern_add_dirs() mm: shrinker: fix NULL pointer dereference in debugfs mm: shrinker: fix shrinker_info teardown race with expansion selftests/mm: fix ksft_process_madv.sh test category
9 daysselftests: net: make busywait timeout clock portableNirmoy Das
loopy_wait() expects millisecond timestamps. However, Ubuntu Resolute can use uutils date, where `date -u +%s%3N` returns seconds plus full nanoseconds instead of a 3-digit millisecond field. This makes busywait expire too early and can make vlan_bridge_binding.sh read a stale operstate. Fixes: 25ae948b4478 ("selftests/net: add lib.sh") Cc: stable@vger.kernel.org # 6.8+ Link: https://github.com/uutils/coreutils/issues/11658 Signed-off-by: Nirmoy Das <nirmoyd@nvidia.com> Link: https://patch.msgid.link/20260630165157.3814871-1-nirmoyd@nvidia.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>
10 daysMerge tag 'perf-urgent-2026-07-05' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull perf events fixes from Ingo Molnar: - Fix a perf_event_attr::remove_on_exec bug for group events (Taeyang Lee) - Fix uprobes CALL emulation interaction with shadow stacks, and add a testcase for this (David Windsor) - Fix uprobes unregister bug (Jiri Olsa) * tag 'perf-urgent-2026-07-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: uprobes/x86: Use proper mm_struct in __in_uprobe_trampoline selftests/x86: Add shadow stack uprobe CALL test x86/uprobes: Keep shadow stack in sync for emulated CALLs perf/core: Detach event groups during remove_on_exec
12 daysMerge tag 'vfs-7.2-rc2.fixes' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull vfs fixes from Christian Brauner: - netfs: - fix the decision when to disallow write-streaming with fscache in use, handling of asynchronous cache object creation, a double fput in cachefiles, clearing S_KERNEL_FILE without the inode lock held, page extraction bugs in the iov_iter helpers (a potential underflow, a missing allocation failure check, a memory leak, and a folio offset miscalculation), writeback error and ENOMEM handling, DIO write retry for filesystems without a ->prepare_write() method, and the replacement of the wb_lock mutex with a bit lock plus writethrough collection offload so that multiple asynchronous writebacks don't interfere with each other. - Fix the barriering when walking the netfs subrequest list during retries as it was possible to see a subrequest that was just added by the application thread. - iomap: - Change iomap to submit read bios after each extent instead of building them up across extents. The old behavior was considered problematic for a while and now caused an actual erofs bug. - Guard the ioend io_size EOF trim in iomap against underflow when a concurrent truncate moves EOF below the start of the ioend, wrapping io_size to a huge value. - overlayfs - Fix a stale overlayfs comment about the locking order. - Store the linked-in upper dentry instead of the disconnected O_TMPFILE dentry during overlayfs tmpfile copy-up. With a FUSE or virtiofs upper layer ->d_revalidate() would try to look up "/" in the workdir and fail, causing persistent ESTALE errors that broke dpkg and apt. - vfs-bpf: Have the bpf_real_data_inode() kfunc take a struct file instead of a dentry so it is usable from the bprm_check_security, mmap_file, and file_mprotect hooks, and rename it from bpf_real_inode() to make the data-inode semantics explicit. The kfunc landed this cycle so the change is safe. - afs: NULL pointer dereferences in the callback service and in afs_get_tree(), several memory and refcount leaks, missing locking around the dynamic root inode numbers and premature cell exposure through /afs, a netns destruction hang caused by a misplaced increment of net->cells_outstanding, a bulk lookup malfunction caused by the dir_emit() API change, inode (re)initialisation issues, and assorted smaller fixes to error codes, seqlock handling, and debug output. - vfs: Refuse O_TMPFILE creation with an unmapped fsuid or fsgid and add a selftest for it. - vboxsf: Add Jori Koolstra as vboxsf maintainer, taking over from Hans de Goede. - dio: Release the pages attached to a short atomic dio bio; the REQ_ATOMIC size check error path leaked them. - procfs: Only bump the parent directory link count when registering directories in procfs. Registering regular files inflated the count and leaked a link on every create and remove cycle. - minix: Avoid an unsigned overflow in the minix bitmap block count calculation that let crafted images with huge inode or zone counts pass superblock validation and crash the kernel during mount. - cachefiles: Fix a double unlock in the cachefiles nomem_d_alloc error path left over from the start_creating() conversion. - fat: Stop fat from reading directory entries past the 0x00 end-of-directory marker. If the trailing on-disk slots aren't zero-filled the driver surfaced arbitrary garbage as directory entries. - freexvfs: Don't BUG() on unknown typed-extent types in freevxfs, reachable via ioctl(FIBMAP) on a crafted image; fail with an I/O error instead. - orangefs: Keep the readdir entry size 64-bit in orangefs fill_from_part(). Truncating it to __u32 bypassed the bounds check and led to out-of-bounds reads triggerable by the userspace client. - xfs: Fix the error unwind in xfs_open_devices() which released the rt device file twice and left dangling buftarg pointers behind that were freed again when the failed mount was torn down. - exec: Fix an off-by-one in the comment documenting the maximum binfmt rewrite depth in exec_binprm(). The code allows five rewrites, not four; restricting the code would break userspace so the comment is fixed instead. - file handles: Reject detached mounts in capable_wrt_mount(). A detached mount can be dissolved concurrently, leaving a NULL mount namespace that open_by_handle_at() would dereference. * tag 'vfs-7.2-rc2.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: (57 commits) netfs: Fix barriering when walking subrequest list iomap: submit read bio after each extent fuse: call fuse_send_readpages explicitly from fuse_readahead iomap: consolidate bio submission fhandle: reject detached mounts in capable_wrt_mount() netfs: Fix DIO write retry for filesystems without a ->prepare_write() netfs: Fix folio state after ENOMEM whilst under writeback iteration netfs: Fix writeback error handling netfs: Fix writethrough to use collection offload netfs: Replace wb_lock with a bit lock for asynchronicity netfs: Fix kdoc warning scatterlist: Fix offset in folio calc in extract_xarray_to_sg() iov_iter: Remove unused variable in kunit_iov_iter.c iov_iter: Fix a memory leak in iov_iter_extract_user_pages() iov_iter: Fix missing alloc fail check in iov_iter_extract_bvec_pages() iov_iter: Fix potential underflow in iov_iter_extract_xarray_pages() cachefiles: Fix file burial to take lock when unsetting S_KERNEL_FILE cachefiles: Fix double fput netfs: Fix netfs_create_write_req() to handle async cache object creation netfs: Fix decision whether to disallow write-streaming due to fscache use ...
12 daysMerge tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpfLinus Torvalds
Pull BPF fixes from Daniel Borkmann: - Initialize task local storage before fork bails out to free the task (Jann Horn) - Fix insn_aux_data leak on verifier error path (KaFai Wan) - Reject BPF inode storage map creation when BPF LSM is uninitialized (Matt Bobrowski) - Mask pseudo pointer values in verifier logs when pointer leaks are not allowed (Nuoqi Gui) - Harden BPF JIT against spraying via IBPB flush (Pawan Gupta) - Reject a skb-modifying SK_SKB stream parser since the latter is only meant to measure the next message (Sechang Lim) - Fix bpf_refcount_acquire to reject refcounted allocation arguments with a non-zero fixed offset (Yiyang Chen) * tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf: bpf: Prefer dirty packs for eBPF allocations bpf: Prefer packs that won't trigger an IBPB flush on allocation bpf: Skip redundant IBPB in pack allocator bpf: Restrict JIT predictor flush to cBPF x86/bugs: Enable IBPB flush on BPF JIT allocation bpf: Support for hardening against JIT spraying bpf: Reject BPF_MAP_TYPE_INODE_STORAGE creation if BPF LSM is uninitialized bpf,fork: wipe ->bpf_storage before bailouts that access it bpf: Fix insn_aux_data leak on verifier err_free_env path selftests/bpf: Cover pseudo-BTF ksym log masking bpf: Mask pseudo pointer values in verifier logs selftests/bpf: Cover refcount acquire node offsets bpf: Reject offset refcount acquire arguments selftests/bpf: test rejection of a packet-modifying SK_SKB stream parser bpf, sockmap: reject a packet-modifying SK_SKB stream parser selftests/bpf: don't modify the skb in the strparser parser prog
12 daysMerge tag 'vfio-v7.2-rc2' of https://github.com/awilliam/linux-vfioLinus Torvalds
Pull VFIO fixes from Alex Williamson: "Mostly straightforward fixes here, inconsistent runtime PM handling due to global device policies, bitfield races, unwind path gaps, teardown ordering, and a misplaced library flag. - Fix racy bitfield updates in vfio-pci-core and the mlx5 vfio-pci variant driver with a binary split between setup/release and runtime modified flags. These were noted across several Sashiko reviews as pre-existing issues (Alex Williamson) - Fix runtime PM inconsistency where the vfio-pci driver module_init could modify the idle PM policy of existing devices through globals managed in vfio-pci-core, leading to unbalanced runtime PM operations (Alex Williamson) - Restore mutability of writable vfio-pci module options by further pulling policy globals out of vfio-pci-core, to instead be latched per device at device init. Provide visibility of the per device latched values through debugfs (Alex Williamson) - Fix missing VGA arbiter uninit callback in unwind path (Alex Williamson) - Reorder device debugfs removal before device_del() to avoid gap where debugfs is available with stale devres pointers (Alex Williamson) - Move UUID library linking flag from vfio selftest Makefile into libvfio.mk to avoid exposing such dependencies when linking with KVM selftests (Sean Christopherson)" * tag 'vfio-v7.2-rc2' of https://github.com/awilliam/linux-vfio: vfio: selftests: Add luuid to libvfio.mk's list of libraries, not to the Makefile vfio/pci: Expose latched module parameter policy in debugfs vfio: Remove device debugfs before releasing devres vfio/pci: Latch all module parameters per device vfio/mlx5: Fix racy bitfields and tighten struct layout vfio/pci: Fix racy bitfields and tighten struct layout vfio/pci: Release the VGA arbiter client on register_device() failure vfio/pci: Latch disable_idle_d3 per device
13 daysMerge tag 'net-7.2-rc2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Paolo Abeni: "Including fixes from netfilter and batman-adv. Current release - new code bugs: - netfilter: cthelper: cap to maximum number of expectation per master Previous releases - regressions: - netpoll: fix a use-after-free on shutdown path - tcp: restore RCU grace period in tcp_ao_destroy_sock - ipv6: fix NULL deref in fib6_walk_continiue() on multi-batch dump - batman-adv: dat: ensure accessible eth_hdr proto field - eth: - virtio_net: disable cb when NAPI is busy-polled - lan743x: Initialize eth_syslock spinlock before use Previous releases - always broken: - netfilter: - nft_set_pipapo: don't leak bad clone into future transaction - sched: - sch_teql: Introduce slaves_lock to avoid race condition and UAF - replace direct dequeue call with peek and qdisc_dequeue_peeked - sctp: add INIT verification after cookie unpacking - tipc: fix out-of-bounds read in broadcast Gap ACK blocks - seg6: validate SRH length before reading fixed fields - eth: - mlx5e: fix use-after-free of metadata_dst on RX SC delete - enetc: check the number of BDs needed for xdp_frame - fbnic: don't cache shinfo across skb realloc" * tag 'net-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (58 commits) net/mlx5: HWS, fix matcher leak on resize target setup failure net/sched: hhf: clear heavy-hitter state on reset net/sched: dualpi2: clear stale classification on filter miss net/sched: act_bpf: use rcu_dereference_bh() to read the filter selftests: drv-net: tso: don't touch dangerous feature bits cxgb4: Fix decode strings dump for T6 adapters virtio_net: disable cb when NAPI is busy-polled sctp: fix addr_wq_timer race in sctp_free_addr_wq() selftests: net: bump default cmd() timeout to 20 seconds bridge: stp: Fix a potential use-after-free when deleting a bridge net/sched: sch_teql: Introduce slaves_lock to avoid race condition and UAF net: gianfar: dispose irq mappings on probe failure and device removal net: lan743x: Initialize eth_syslock spinlock before use net: libwx: fix VMDQ mask for 1-queue mode net: airoha: fix max receive size configuration fsl/fman: Free init resources on KeyGen failure in fman_init() netfilter: nftables: restrict checkum update offset netfilter: nftables: restrict linklayer and network header writes netfilter: nfnetlink_queue: restrict writes to network header netfilter: nft_fib: reject fib expression on the netdev egress hook ...
13 daysselftests/x86: Add shadow stack uprobe CALL testDavid Windsor
Add coverage for entry uprobes installed on CALL instructions while user shadow stack is enabled. The test puts an entry uprobe on a helper whose first instruction is a relative CALL, then verifies that the call/return sequence completes without SIGSEGV. This catches regressions where x86 uprobe CALL emulation updates the regular user stack but leaves the CET shadow stack stale. Signed-off-by: David Windsor <dwindsor@gmail.com> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Link: https://patch.msgid.link/b957039191118c5eba97d01d80c494b859f115a6.1782777969.git.dwindsor@gmail.com
13 daysselftests/arm64: fix spelling errors in commentsWang Yan
Fix two spelling mistakes in arm64 selftest comments: - "whcih" -> "which" (arm64/gcs/libc-gcs.c) - "resutls" -> "results" (arm64/pauth/pac.c) Signed-off-by: Wang Yan <wangyan01@kylinos.cn> Signed-off-by: Will Deacon <will@kernel.org>
13 daysselftests/mm: hmm-tests: include linux/mman.h to access MADV_COLLAPSEZenghui Yu
The following compilation error occurs with an old version of glibc due to a recent commit adding MADV_COLLAPSE testing: [root@localhost mm]# getconf GNU_LIBC_VERSION glibc 2.34 [root@localhost mm]# make CC hmm-tests hmm-tests.c: In function 'hmm_migrate_anon_huge_fault': hmm-tests.c:2355:27: error: 'MADV_COLLAPSE' undeclared (first use in this function); did you mean 'MADV_COLD'? 2355 | ret = madvise(map, size, MADV_COLLAPSE); | ^~~~~~~~~~~~~ | MADV_COLD hmm-tests.c:2355:27: note: each undeclared identifier is reported only once for each function it appears in make: *** [../lib.mk:225: /root/code/linux/tools/testing/selftests/mm/hmm-tests] Error 1 Include linux/mman.h (which provides the definition of MADV_COLLAPSE) to fix the build error. Link: https://lore.kernel.org/20260628143111.36863-1-zenghui.yu@linux.dev Fixes: e3d8707358ea ("selftests/mm/hmm-tests: test pagemap reads of PMD device-private entries") Signed-off-by: Zenghui Yu <zenghui.yu@linux.dev> Reviewed-by: Lorenzo Stoakes <ljs@kernel.org> Reviewed-by: Dev Jain <dev.jain@arm.com> Cc: David Hildenbrand <david@kernel.org> Cc: Jason Gunthorpe <jgg@ziepe.ca> Cc: Leon Romanovsky <leon@kernel.org> Cc: Liam R. Howlett <liam@infradead.org> Cc: Michal Hocko <mhocko@suse.com> Cc: Mike Rapoport <rppt@kernel.org> Cc: Shuah Khan <shuah@kernel.org> Cc: Suren Baghdasaryan <surenb@google.com> Cc: Vlastimil Babka <vbabka@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
13 daysselftests/mm: pagemap_ioctl: use the correct page size for transact_test()Zenghui Yu
There are several places in transact_test() where we use the hardcoded 0x1000 (4k) as page size, which is not always correct for architectures supporting multiple page sizes. Switch to use the correct page size. Otherwise ./ksft_pagemap.sh on a 16k-page-size arm64 box fails with $ ./ksft_pagemap.sh [...] # ok 96 mprotect_tests Both pages written after remap and mprotect # ok 97 mprotect_tests Clear and make the pages written # Bail out! ioctl failed # # Planned tests != run tests (117 != 97) # # Totals: pass:97 fail:0 xfail:0 xpass:0 skip:0 error:0 # [FAIL] not ok 1 pagemap_ioctl # exit=1 # SUMMARY: PASS=0 SKIP=0 FAIL=1 1..1 Link: https://lore.kernel.org/20260628101118.35861-1-zenghui.yu@linux.dev Fixes: 46fd75d4a3c9 ("selftests: mm: add pagemap ioctl tests") Signed-off-by: Zenghui Yu <zenghui.yu@linux.dev> Cc: Muhammad Usama Anjum <usama.anjum@arm.com> Cc: David Hildenbrand <david@kernel.org> Cc: Liam R. Howlett <liam@infradead.org> Cc: Lorenzo Stoakes <ljs@kernel.org> Cc: Michal Hocko <mhocko@suse.com> Cc: Mike Rapoport <rppt@kernel.org> Cc: Shuah Khan <shuah@kernel.org> Cc: Suren Baghdasaryan <surenb@google.com> Cc: Vlastimil Babka <vbabka@kernel.org> Cc: Zenghui Yu <zenghui.yu@linux.dev> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
13 daysselftests/mm: fix ksft_process_madv.sh test categorySarthak Sharma
ksft_process_madv.sh currently runs run_vmtests.sh with the mmap category. Update it to run the process_madv category, since ksft_mmap.sh already runs the mmap category tests. This avoids running mmap tests twice and ensures that process_madv tests are run through the kselftest harness. Link: https://lore.kernel.org/20260608103224.344101-1-sarthak.sharma@arm.com Fixes: 6ce964c02f1c ("selftests/mm: have the harness run each test category separately") Signed-off-by: Sarthak Sharma <sarthak.sharma@arm.com> Reviewed-by: Mark Brown <broonie@kernel.org> Reviewed-by: Dev Jain <dev.jain@arm.com> Acked-by: David Hildenbrand (Arm) <david@kernel.org> Cc: Liam R. Howlett <liam@infradead.org> Cc: Lorenzo Stoakes <ljs@kernel.org> Cc: Mark Brown <broonie@kernel.org> Cc: Michal Hocko <mhocko@suse.com> Cc: Mike Rapoport <rppt@kernel.org> Cc: Shuah Khan <shuah@kernel.org> Cc: Suren Baghdasaryan <surenb@google.com> Cc: Vlastimil Babka <vbabka@kernel.org> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
14 daysselftests/hid: multitouch: test a large ContactCountMaximumTrung Nguyen
Add a regression test for the out-of-bounds bit operations on struct mt_device.mt_io_flags. A HID multitouch device can advertise a ContactCountMaximum far larger than the number of contacts a single report describes, up to 255. The driver used to keep the per-slot active state in the bits of a single unsigned long and index set_bit()/clear_bit() by the slot number, so such a device drove those operations out of bounds. The sticky-fingers release timer made it fatal: mt_release_contacts() cleared one bit per slot and overwrote the adjacent members of struct mt_device. The new device advertises a ContactCountMaximum of 250 while exposing only a few finger collections (a large contact count cannot be expressed with one finger collection per contact within the HID descriptor size limit). The test sends a single contact and lets the 100ms sticky-fingers timer release it. A kernel without the fix panics in mt_release_contacts(); a fixed kernel reports the release cleanly. Signed-off-by: Trung Nguyen <trungnh@cystack.net> Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
14 daysselftests/filesystems: test O_TMPFILE creation on idmapped mountsChristian Brauner
Add a regression test for the fsuidgid_has_mapping() check in vfs_tmpfile(). It idmaps a detached tmpfs mount so that the caller-visible id range [0, 10000) maps onto the on-disk range [10000, 20000) and checks that: - a caller whose fsuid/fsgid fall outside that range cannot create an O_TMPFILE through the mount and gets -EOVERFLOW instead of an inode owned by (uid_t)-1; - a mapped caller can create an O_TMPFILE, link it into the namespace, and the ownership round-trips through the mount idmap: it is reported as 0 through the mount and stored as 10000 on the underlying tmpfs. The test runs entirely as root and uses setfsuid()/setfsgid() to become the unmapped caller, so it needs no helper user. The layer directory is world-writable so that an unmapped caller still clears the directory permission check and reaches the fsuidgid_has_mapping() test. Link: https://patch.msgid.link/20260615-work-idmapped-tmpfile-v1-2-754a94d81f83@kernel.org Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
2026-07-01selftests/hid: Cover hid_bpf_get_data() size overflowYiyang Chen
Add a HID-BPF regression check for hid_bpf_get_data() requests whose size would overflow when added to the offset. The new rdesc fixup callback asks for offset 2 and size ~0ULL, then records whether the helper returns NULL. A vulnerable kernel returns a non-NULL pointer because the runtime check wraps the addition. A fixed kernel rejects the request. The callback records the helper result without dereferencing any returned pointer. The callback reports the helper result through BSS and returns 0 intentionally. hid_rdesc_fixup return values are consumed as report descriptor fixup results, so a positive test-result value would be interpreted as a replacement report descriptor size. Also add KHDR_INCLUDES to the HID selftest build so hid_bpf.c sees the current kernel UAPI HID definitions on systems whose installed headers do not provide enum hid_report_type. Fixes: 658ee5a64fcf ("HID: bpf: allocate data memory for device_event BPF programs") Signed-off-by: Yiyang Chen <chenyy23@mails.tsinghua.edu.cn> Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
2026-07-01selftests/hid: Load only requested struct_ops mapsYiyang Chen
The HID selftest skeleton contains several struct_ops maps, but each test usually wants to load only the programs named by that test. load_programs() disabled auto-attach for all maps, but left struct_ops autocreate enabled. libbpf can enable autoload for programs referenced by autocreated struct_ops maps, so an unrelated program can be loaded and fail even when the current test does not use it. Disable autocreate for all struct_ops maps by default, then re-enable it only for the maps selected by the test before loading the skeleton. Signed-off-by: Yiyang Chen <chenyy23@mails.tsinghua.edu.cn> Fixes: f64c1a459339 ("selftests/hid: disable struct_ops auto-attach") Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
2026-06-30selftests: drv-net: tso: don't touch dangerous feature bitsJakub Kicinski
query_nic_features() detects which offloads depend on tx-gso-partial by enabling everything, turning tx-gso-partial off, and seeing which active features drop out. Enabling all hw features is dangerous: we may end up enabling rx-fcs and loopback for example. For the ice driver we end up getting into problems with feature dependencies so the cleanup isn't successful either, and the test exits with rx-fcs and loopback enabled. Scope the feature probing just to segmentation bits. Fixes: 266b835e5e84 ("selftests: drv-net: tso: enable test cases based on hw_features") Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com> Reviewed-by: Daniel Zahka <daniel.zahka@gmail.com> Link: https://patch.msgid.link/20260629233923.2151144-1-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-30selftests: net: bump default cmd() timeout to 20 secondsJakub Kicinski
We always used 5 sec as the default command timeout. But soon after it was introduced, David effectively made us ignore the timeout (it was passed to process.communicate() as the wrong argument). Gal recently fixed that, but turns out the 5 sec is not enough for a lot of tests and setups. The fix caused regressions. In particular running reconfig commands (e.g. XDP attach) on mlx5 with 32 rings and 9k MTU, on a heavily-debug-enabled kernel takes more than 5 sec. The XDP installation command will time out after 5 sec but since the sleeps in the kernel are non interruptible the command finishes anyway, leaving the XDP program attached, but with non-zero exit code. defer()ed cleanups are not installed, breaking the environment for subsequent tests. Since "install XDP" is a pretty normal command a "point fix" does not seem appropriate. 32 rings is a fairly reasonable config, too, so we should just increase the timeout to 20 sec. There's no real reason behind the value of 20. Fixes: 1cf270424218 ("net: selftest: add test for netdev netlink queue-get API") Fixes: f0bd19316663 ("selftests: net: fix timeout passed as positional argument to communicate()") Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com> Acked-by: Breno Leitao <leitao@debian.org> Reviewed-by: Nimrod Oren <noren@nvidia.com> Link: https://patch.msgid.link/20260629233348.2145841-1-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-30vfio: selftests: Add luuid to libvfio.mk's list of libraries, not to the ↵Sean Christopherson
Makefile Link to the uuid library as part of libvfio.mk instead of as only linking it via VFIO selftests' Makefile, as the whole point of providing libvfio.mk is to allow linking the VFIO library functionality into KVM selftests, without KVM selftests having to know the gory details or duplicate code. Cc: Raghavendra Rao Ananta <rananta@google.com> Cc: David Matlack <dmatlack@google.com> Cc: Vipin Sharma <vipinsh@google.com> Cc: Alex Williamson <alex@shazbot.org> Fixes: e65f1bf8a2db ("vfio: selftests: Extend container/iommufd setup for passing vf_token") Signed-off-by: Sean Christopherson <seanjc@google.com> Reviewed-by: David Matlack <dmatlack@google.com> Link: https://lore.kernel.org/r/20260630212805.474418-1-seanjc@google.com Signed-off-by: Alex Williamson <alex@shazbot.org>
2026-06-26Merge tag 'loongarch-7.2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson Pull LoongArch updates from Huacai Chen: - Add THREAD_INFO_IN_TASK implementation - Add build salt to the vDSO - Add some BPF JIT inline helpers - Update DTS for I2C clocks and clock-frequency - Some bug fixes and other small changes * tag 'loongarch-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson: selftests/bpf: Test jited inline of bpf_get_smp_processor_id() for LoongArch selftests/bpf: Test jited inline of bpf_get_current_task() for LoongArch selftests/bpf: Add __arch_loongarch to limit test cases for LoongArch selftests/bpf: Add get_preempt_count() support for LoongArch LoongArch: dts: Add i2c clocks and clock-frequency properties to LS2K2000 LoongArch: dts: Add i2c clocks and clock-frequency properties to LS2K1000 LoongArch: dts: Add i2c clocks and clock-frequency properties to LS2K0500 LoongArch: BPF: Inline bpf_get_smp_processor_id() helper LoongArch: BPF: Inline bpf_get_current_task/_btf() helpers LoongArch: BPF: Fix off-by-one error in tail call LoongArch: BPF: Fix outdated tail call comments LoongArch: Add build salt to the vDSO LoongArch: Fix nr passing in set_direct_map_valid_noflush() LoongArch: Fix missing dirty page tracking in {pte,pmd}_wrprotect() LoongArch: Move struct kimage forward declaration before use LoongArch: Report dying CPU to RCU in stop_this_cpu() LoongArch: Add PIO for early access before ACPI PCI root register LoongArch: Add THREAD_INFO_IN_TASK implementation
2026-06-25selftests/bpf: Cover pseudo-BTF ksym log maskingNuoqi Gui
Add verifier_unpriv coverage for a raw socket-filter load of the bpf_prog_active typed ksym. The test verifies that the unprivileged load remains accepted and that the verbose verifier log prints the ldimm64 immediate as 0x0 instead of exposing a nonzero kernel address. Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn> Link: https://lore.kernel.org/r/20260623-f01-13-pseudo-btf-id-cap-bpf-v2-2-a190ebb8f3e2@mails.tsinghua.edu.cn Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Eduard Zingerman <eddyz87@gmail.com>
2026-06-25selftests/bpf: Cover refcount acquire node offsetsYiyang Chen
Add regression coverage for bpf_refcount_acquire() on graph-node-derived pointers. The rejected case passes a popped list node pointer directly to bpf_refcount_acquire(), which must fail because the pointer carries a non-zero fixed offset. Signed-off-by: Yiyang Chen <chenyy23@mails.tsinghua.edu.cn> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Acked-by: Yonghong Song <yonghong.song@linux.dev> Link: https://lore.kernel.org/r/bf2a2033ced272106292de4465b8ef3fb991c912.1782192383.git.chenyy23@mails.tsinghua.edu.cn Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-25selftests/bpf: test rejection of a packet-modifying SK_SKB stream parserSechang Lim
Verify that attaching an SK_SKB stream parser that can modify the packet is rejected, while a read-only parser still attaches. Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev> Signed-off-by: Sechang Lim <rhkrqnwk98@gmail.com> Link: https://lore.kernel.org/r/20260620024423.4141004-4-rhkrqnwk98@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-25selftests/bpf: don't modify the skb in the strparser parser progSechang Lim
sockmap_parse_prog.c is attached as an SK_SKB stream parser and modifies the skb: it calls bpf_skb_pull_data() and writes a byte into the packet. A stream parser runs on strparser's message head and must not modify it. A resize frees the frag_list segments strparser still tracks, leading to a use-after-free. Make the parser read-only. It only needs to return the message length, which keeps it attaching once packet-modifying parsers are rejected. Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev> Signed-off-by: Sechang Lim <rhkrqnwk98@gmail.com> Link: https://lore.kernel.org/r/20260620024423.4141004-2-rhkrqnwk98@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-25Merge tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpfLinus Torvalds
Pull bpf fixes from Alexei Starovoitov: - Fix effective prog array index with BPF_F_PREORDER (Amery Hung) - Zero-initialize the fib lookup flow struct (Avinash Duduskar) - Disable xfrm_decode_session hook attachment (Bradley Morgan) - Allow type tag BTF records to succeed other modifier records (Emil Tsalapatis) - Fix build_id caching in stack_map_get_build_id_offset() (Ihor Solodrai) - Add missing access_ok call to copy_user_syms (Jiri Olsa) - Fix stack slot index in nospec checks (Nuoqi Gui) - Preserve pointer spill metadata during half-slot cleanup (Nuoqi Gui) - Fix partial copy of non-linear test_run output (Sun Jian) - Fix BPF_PROG_ASSOC_STRUCT_OPS last field check (Thiébaud Weksteen) - Reset register bounds before narrowing retval range (Tristan Madani) - Fix vmlinux BTF leak in bpftool cgroup commands (Yichong Chen) - Guard error writes in conntrack kfuncs (Yiyang Chen) * tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf: bpf: Disable xfrm_decode_session hook attachment selftests/bpf: Add test for stale bounds on LSM retval context load bpf: Reset register bounds before narrowing retval range in check_mem_access() selftests/bpf: Cover small conntrack opts error writes bpf: Guard conntrack opts error writes selftests/bpf: Cover half-slot cleanup of pointer spills bpf: Preserve pointer spill metadata during half-slot cleanup selftests/bpf: Test cgroup link replace with BPF_F_PREORDER bpf: Fix effective prog array index with BPF_F_PREORDER bpf: Fix BPF_PROG_ASSOC_STRUCT_OPS last field check bpf: zero-initialize the fib lookup flow struct bpftool: Fix vmlinux BTF leak in cgroup commands bpf: Add missing access_ok call to copy_user_syms bpf: Allow type tag BTF records to succeed other modifier records bpf: Emit verbose message when prog-specific btf_struct_access rejects a write bpf: Fix build_id caching in stack_map_get_build_id_offset() bpf: Fix partial copy of non-linear test_run output selftests/bpf: Cover stack nospec slot indexing bpf: Fix stack slot index in nospec checks
2026-06-25Merge tag 'net-7.2-rc1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Jakub Kicinski: "Including fixes from netfilter and IPsec. Current release - regressions: - do not acquire dev->tx_global_lock in netdev_watchdog_up() - ethtool: keep rtnl_lock for ops using ethtool_op_get_link() - fix deadlock in nested UP notifier events Current release - new code bugs: - eth: - cn20k: fix subbank free list indexing for search order - airoha: fix BQL underflow in shared QDMA TX ring Previous releases - regressions: - netfilter: - flowtable: fix offloaded ct timeout never being extended - nf_conncount: prevent connlimit drops for early confirmed ct Previous releases - always broken: - require CAP_NET_ADMIN in the originating netns when modifying cross-netns devices - report NAPI thread PID in the caller's pid namespace - mac802154: fix dirty frag in in-place crypto for IOT radios - sctp: hold socket lock when dumping endpoints in sctp_diag, avoid an overflow - eth: gve: fix header buffer corruption with header-split and HW-GRO - af_key: initialize alg_key_len for IPComp states, prevent OOB read" * tag 'net-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (213 commits) selftests: bonding: add a test for VLAN propagation over a bonded real device vlan: defer real device state propagation to netdev_work net: add the driver-facing netdev_work scheduling API net: turn the rx_mode work into a generic netdev_work facility net: ethtool: keep rtnl_lock for ops using ethtool_op_get_link() rxrpc: Fix rxrpc_rotate_tx_rotate() to check there's something to rotate rxrpc: Fix leak of released call in recvmsg(MSG_PEEK) rxrpc: Fix socket notification race rxrpc: Fix potential infinite loop in rxrpc_recvmsg() rxrpc: Fix oob challenge leak in cleanup after notification failure rxrpc: Fix the reception of a reply packet before data transmission afs: Fix uncancelled rxrpc OOB message handler afs: Fix further netns teardown to cancel the preallocation charger rxrpc: Fix double unlock in rxrpc_recvmsg() rxrpc: Fix leak of connection from OOB challenge rxrpc: Fix ACKALL packet handling net: hns3: differentiate autoneg default values between copper and fiber net: hns3: fix permanent link down deadlock after reset net: hns3: refactor MAC autoneg and speed configuration net: hns3: unify copper port ksettings configuration path ...
2026-06-25Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvmLinus Torvalds
Pull kvm fixes from Paolo Bonzini: "s390: - Fix S390_USER_OPEREXEC so it can now be enabled regardless of other unrelated capabilities - Fix handling of the _PAGE_UNUSED pte bit that could lead to guest memory corruption in some scenarios - A bunch of misc gmap fixes (locking, behaviour under memory pressure) - Fix CMMA dirty tracking x86: - Tidy up some WARN_ON() and BUG_ON(), replacing them with WARN_ON_ONCE() or KVM_BUG_ON(). All of these have obviously never triggered, or somebody would have been annoyed earlier, but still... - Fix missing interrupt due to stale CR8 intercept - Add a statistic that can come in handy to debug leaks as well as the vulnerability to a class of recently-discovered issues - Do not ask arch/x86/kernel to export default_cpu_present_to_apicid() just for KVM" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (22 commits) x86/apic: KVM: Use cpu_physical_id() to get APIC ID of running vCPU for AVIC KVM: x86/mmu: Expose number of shadow MMU shadow pages as a stat KVM: x86: Unconditionally recompute CR8 intercept on PPR update KVM: VMX: Grab vmcs12 on CR8 interception update iff vCPU is in guest mode KVM: x86: WARN (once) if RTC pending EOI tracking goes off the rails KVM: x86: WARN and fail kvm_set_irq() if a PIC or I/O APIC vector is invalid KVM: x86: Bug the VM, not the kernel, if the ISR count {under,over}flows KVM: x86/mmu: Bug the VM, not the host kernel, if KVM write-protects upper SPTEs KVM: x86: Replace BUG_ON() with WARN_ON_ONCE() on "bad" nested GPA translation KVM: Replace guest-triggerable BUG_ON() in ioeventfd datamatch with get_unaligned() KVM: s390: Return failure in case of failure in kvm_s390_set_cmma_bits() KVM: s390: selftests: Fix cmma selftest KVM: s390: Fix cmma dirty tracking KVM: s390: Fix locking in kvm_s390_set_mem_control() KVM: s390: Fix handle_{sske,pfmf} under memory pressure KVM: s390: Fix code typo in gmap_protect_asce_top_level() KVM: s390: Do not set special large pages dirty KVM: s390: Fix dat_peek_cmma() overflow s390/mm: Fix handling of _PAGE_UNUSED pte bit KVM: s390: Fix typo in UCONTROL documentation ...
2026-06-25selftests: bonding: add a test for VLAN propagation over a bonded real deviceJakub Kicinski
Add a regression test for the VLAN notifier handling that the netdev_work deferral fixed. A VLAN's real device propagates its UP/DOWN, MTU and feature changes onto the VLANs stacked on top of it. This used to be done synchronously from the real device's notifier and deadlocked when the real device was brought up while enslaved to a bond (instance lock held across NETDEV_UP) and the VLAN on top was itself a bond member: the synchronous propagation re-entered the stack and took the same instance lock again. The test covers both halves: - that the deferred UP/DOWN, MTU and feature propagation actually lands on the VLAN (link state and MTU use an ops-locked dummy, i.e. the deferral path; features use veth, which exports vlan_features to inherit), and - that the deadlock-prone topology - a VLAN on a dummy, with the VLAN and the dummy each enslaved to a different bond - can be built without hanging. Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com> Acked-by: Stanislav Fomichev <sdf@fomichev.me> Link: https://patch.msgid.link/20260624182018.2445732-5-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-25selftests: tls: size splice_short pipe by page sizeNirmoy Das
splice_short grows its pipe with (MAX_FRAGS + 1) * 0x1000 so it can queue one short vmsplice() buffer for each fragment before draining the pipe. That assumes 4K pipe buffers. On 64K-page kernels the request is rounded to 262144 bytes, which provides only four pipe buffers. The fifth one-byte vmsplice() blocks in pipe_wait_writable and the test times out before it reaches the TLS path. Request enough bytes for the same number of pipe buffers using the runtime page size, and assert that the kernel granted at least that much. If an unprivileged run cannot raise the pipe above the system pipe-max-size limit, skip the test because it cannot exercise the intended path. Fixes: 3667e9b442b9 ("selftests: tls: add test for short splice due to full skmsg") Signed-off-by: Nirmoy Das <nirmoyd@nvidia.com> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20260624134416.3235403-1-nirmoyd@nvidia.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-25selftests/bpf: Test jited inline of bpf_get_smp_processor_id() for LoongArchTiezhu Yang
Add the testcase for the jited inline of bpf_get_smp_processor_id(), only for LoongArch currently. Here is the test result on LoongArch: $ sudo ./test_progs -t verifier_jit_inline #604/1 verifier_jit_inline/inline_bpf_get_current_task:OK #604/2 verifier_jit_inline/inline_bpf_get_smp_processor_id:OK #604 verifier_jit_inline:OK Summary: 1/2 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
2026-06-25selftests/bpf: Test jited inline of bpf_get_current_task() for LoongArchTiezhu Yang
Add the jited inline instruction of bpf_get_current_task() for LoongArch to pass the test case. Before: $ sudo ./test_progs -t verifier_jit_inline #604/1 verifier_jit_inline/inline_bpf_get_current_task:SKIP #604 verifier_jit_inline:SKIP Summary: 1/0 PASSED, 1 SKIPPED, 0 FAILED After: $ sudo ./test_progs -t verifier_jit_inline #604/1 verifier_jit_inline/inline_bpf_get_current_task:OK #604 verifier_jit_inline:OK Summary: 1/1 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
2026-06-25selftests/bpf: Add __arch_loongarch to limit test cases for LoongArchTiezhu Yang
Make it possible to limit certain tests to LoongArch, just like it is already done for x86_64, arm64, riscv64, and s390x. This is a follow up patch of: commit ee7fe84468b1 ("selftests/bpf: __arch_* macro to limit test cases to specific archs") commit 1e4e6b9e260d ("selftests/bpf: Add __arch_s390x macro") Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
2026-06-25selftests/bpf: Add get_preempt_count() support for LoongArchTiezhu Yang
There is no LoongArch support for get_preempt_count() currently and its fallback path always returns 0, just add it so that bpf_in_interrupt(), bpf_in_nmi(), bpf_in_hardirq(), bpf_in_serving_softirq(), bpf_in_task() work for LoongArch as well. The latest kernels select CONFIG_THREAD_INFO_IN_TASK, it can just read preempt_count from the thread_info which is embedded within task_struct. With this patch, "./test_progs -t exe_ctx" passes on LoongArch. Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
2026-06-24Merge tag 'nf-26-06-23' of ↵Jakub Kicinski
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for net: 1) Add a workaround to avoid a possible crash if nf_nat and nft_chain_nat are compiled built-in and nf_nat fails to register, allowing nft_chain_nat to access the incorrect pernetns area. This is crash specific of all built-in compilation. From Matias Krause. 2) Revisit conncount GC optimization for confirmed conntracks, skip GC round if IPS_ASSURED is set on. This is addressing an issue for corner case use case scenario involving locally generated traffic. No crash, just a functionality fix. From Fernando F. Mancera. 3) Validate iph->ihl in flowtable IPIP tunnel support, from Lorenzo Bianconi. This a sanity check to bounces back malformed IPIP packets to classic forwarding path. 4) Kdoc fixes for x_tables.h, from Randy Dunlap. 5) Use info->options so nft_synproxy_tcp_options() stays on the same local snapshot, otherwise eval path can observe inconsistent mix of mss and timestamps. From Runyu Xiao. 6) Add conntrack_sctp_collision.sh to cover for SCTP INIT collisions. From Yi Chen. 7) Do not allow NFPROTO_UNSPEC targets if family is NFPROTO_BRIDGE in nft_compat. This allows to use non-sense targets such as xt_nat leading to crash. From Florian Westphal. 8) Add a selftest queueing from bridge family. From Florian Westphal. 9) Do not allow to reset a conntrack helper via ctnetlink. This feature antedates the creation of the conntrack-tools, and it is not used I don't have a usecase for it, I prefer to remove than fixing it. 10) Add deprecation warning for IPv4 only conntrack helpers for PPTP and IRC. From Florian Westphal. 11) Store the master tuple in the expectation object and use it, otherwise SLAB_TYPESAFE_RCU rules allow to display incorrect master tuple information through ctnetlink. 12) Run expectation eviction when inserting an expectation with no helper, this is a fix for the nft_ct custom expectation support. 13) Fix nft_ct custom expectation timeouts, userspace provides a timeout in milliseconds but kernel assumes this comes in seconds. From Florian Westphal. 14) Cap maximum number of expectations per class to 255 expectations per master conntrack at helper registration. This is a fix to restrict the maximum number of expectations per master conntrack which can be a issue for the new lazy GC expectation approach. * tag 'nf-26-06-23' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: netfilter: nf_conntrack_helper: cap maximum number of expectation at helper registration netfilter: nft_ct: expectation timeouts are passed in milliseconds netfilter: nf_conntrack_expect: run expectation eviction with no helper netfilter: nf_conntrack_expect: store master_tuple in expectation netfilter: conntrack: add deprecation warnings for irc and pptp trackers netfilter: ctnetlink: do not allow to reset helper on existing conntrack selftests: nft_queue.sh: add a bridge queue test netfilter: nft_compat: ebtables emulation must reject non-bridge targets selftests: netfilter: conntrack_sctp_collision.sh: Introduce SCTP INIT collision test netfilter: nft_synproxy: stop bypassing the priv->info snapshot netfilter: x_tables.h: fix all kernel-doc warnings netfilter: flowtable: Validate iph->ihl in nf_flow_ip4_tunnel_proto() netfilter: nf_conncount: prevent connlimit drops for early confirmed ct netfilter: nf_nat: avoid invalid nat_net pointer use on failed nf_nat_init() ==================== Link: https://patch.msgid.link/20260623221548.701545-1-pablo@netfilter.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-24Merge tag 'kvm-s390-next-7.2-2' of ↵Paolo Bonzini
https://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux into HEAD * Fix S390_USER_OPEREXEC so it can now be enabled regardless of other unrelated capabilities * Fix handling of the _PAGE_UNUSED pte bit that could lead to guest memory corruption in some scenarios * A bunch of misc gmap fixes (locking, behaviour under memory pressure) * Fix CMMA dirty tracking
2026-06-24KVM: s390: selftests: Fix cmma selftestClaudio Imbrenda
The existing cmma selftest depended on the host allocating page tables for all present memslots. Since the gmap rewrite, memory that is not accessed by the guest might not have page tables allocated yet. This caused the test to fail due to a mismatch in the assertion. Fix by having the guest access also the second half of the test memslot, thus guaranteeing that its page tables are present. Fixes: e38c884df921 ("KVM: s390: Switch to new gmap") Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com> Message-ID: <20260623153331.233784-9-imbrenda@linux.ibm.com>
2026-06-24KVM: s390: selftests: Extended user_operexec testsEric Farman
There is a possibility that the user_operexec capability only works if facility bit 74 is enabled. This is now fixed, but add a selftest to demonstrate that. Signed-off-by: Eric Farman <farman@linux.ibm.com> Acked-by: Janosch Frank <frankja@linux.ibm.com> Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com> Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com> Message-ID: <20260507200836.3500368-3-farman@linux.ibm.com>
2026-06-23selftests/bpf: Add LWT encap tests for skb metadataJakub Sitnicki
Test that an LWT encapsulation does not silently corrupt XDP metadata sitting in the skb headroom. Exercise all three LWT dispatch paths: - BPF LWT xmit prog reserves headroom on the LWT .xmit redirect, - mpls pushes an MPLS label on the LWT .xmit redirect, - seg6 in encap mode runs on the LWT .input redirect, - ioam6 encap inserts an IOAM Hop-by-Hop option on LWT .output redirect. Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com> Link: https://patch.msgid.link/20260619-bpf-lwt-drop-skb-metadata-v3-2-71d6a33ab76b@cloudflare.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>