linux.git/Documentation/userspace-api, branch v7.2-rc1 Linux kernel source tree Merge tag 'char-misc-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc 2026-06-22T19:20:21+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-22T19:20:21+00:00 0000d9ccbcfa90411c88f70850501723389312b9 Pull misc driver updates from Greg KH: "Here is the big set of char, misc, iio, fpga, and other small driver subsystems changes for 7.2-rc1. Lots of little stuff in here, the majority being of course the IIO driver updates, as a list they are: - IIO driver updates and additions - GPIB driver bugfixes and cleanups - Android binder driver updates (rust and C version) - counter driver updates - MHI driver updates - mei driver updates - w1 driver updates - interconnect driver updates - Comedi driver fixes and updates - some obsolete char drivers removed (applicom and dtlk) - hwtracing driver updates - other tiny driver updates All of these have been in linux-next for a while with no reported issues" * tag 'char-misc-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (406 commits) w1: ds2482: Use named initializers for arrays of i2c_device_data firmware: stratix10-svc: Add support to query Arm Trusted Firmware (ATF) version firmware: stratix10-rsu: avoid blocking reboot_image sysfs when busy coresight: ultrasoc-smb: Fix OOB write in smb_sync_perf_buffer() iio: adc: nxp-sar-adc: harden buffer ISR against per-channel read failure iio: chemical: scd30: Replace manual locking with RAII locking iio: light: tsl2591: remove unneeded tsl2591_compatible_als_persist_cycle() iio: dac: ad5686: create bus ops struct iio: dac: ad5686: cleanup doc header of local structs iio: dac: ad5686: add control_sync() for single-channel devices iio: dac: ad5686: add helpers to handle powerdown masks iio: dac: ad5686: add of_match table to the spi driver iio: dac: ad5686: drop enum id iio: dac: ad5686: remove redundant register definition iio: dac: ad5686: refactor include headers iio: adc: ad4080: fix AD4880 chip ID iio: light: veml3328: add support for new device dt-bindings: iio: light: veml6030: add veml3328 fpga: microchip-spi: fix zero header_size OOB read in mpf_ops_parse_header() fpga: dfl-afu: validate DMA mapping length in afu_dma_map_region() ... 
Pull misc driver updates from Greg KH:
 "Here is the big set of char, misc, iio, fpga, and other small driver
  subsystems changes for 7.2-rc1.

  Lots of little stuff in here, the majority being of course the IIO
  driver updates, as a list they are:

   - IIO driver updates and additions

   - GPIB driver bugfixes and cleanups

   - Android binder driver updates (rust and C version)

   - counter driver updates

   - MHI driver updates

   - mei driver updates

   - w1 driver updates

   - interconnect driver updates

   - Comedi driver fixes and updates

   - some obsolete char drivers removed (applicom and dtlk)

   - hwtracing driver updates

   - other tiny driver updates

  All of these have been in linux-next for a while with no reported
  issues"

* tag 'char-misc-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (406 commits)
  w1: ds2482: Use named initializers for arrays of i2c_device_data
  firmware: stratix10-svc: Add support to query Arm Trusted Firmware (ATF) version
  firmware: stratix10-rsu: avoid blocking reboot_image sysfs when busy
  coresight: ultrasoc-smb: Fix OOB write in smb_sync_perf_buffer()
  iio: adc: nxp-sar-adc: harden buffer ISR against per-channel read failure
  iio: chemical: scd30: Replace manual locking with RAII locking
  iio: light: tsl2591: remove unneeded tsl2591_compatible_als_persist_cycle()
  iio: dac: ad5686: create bus ops struct
  iio: dac: ad5686: cleanup doc header of local structs
  iio: dac: ad5686: add control_sync() for single-channel devices
  iio: dac: ad5686: add helpers to handle powerdown masks
  iio: dac: ad5686: add of_match table to the spi driver
  iio: dac: ad5686: drop enum id
  iio: dac: ad5686: remove redundant register definition
  iio: dac: ad5686: refactor include headers
  iio: adc: ad4080: fix AD4880 chip ID
  iio: light: veml3328: add support for new device
  dt-bindings: iio: light: veml6030: add veml3328
  fpga: microchip-spi: fix zero header_size OOB read in mpf_ops_parse_header()
  fpga: dfl-afu: validate DMA mapping length in afu_dma_map_region()
  ...
Merge tag 'tty-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty 2026-06-22T18:51:49+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-22T18:51:49+00:00 8a500fd09385a13ba598cda651f2e4ac40bfa578 Pull tty / serial driver updates from Greg KH: "Here is the big set of TTY and Serial driver updates for 7.2-rc1. Overall we end up removing more code than added, due to an obsolete synclink_gt driver being removed from the tree, always a nice thing to see happen. Other than that driver removal, major things included in here are: - max310x serial driver updates and fixes - 8250 driver updates and rework in places to make it more "modern" - dts file updates - serial driver core tweaks and updates - vt code cleanups - vc_screen crash fixes - other minor driver updates and cleanups All of these have been in linux-next for well over a week with no reported issues" * tag 'tty-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: (49 commits) serial: 8250_pci: Don't specify conflicting values to pci_device_id members vc_screen: fix null-ptr-deref in vcs_notifier() during concurrent vcs_write serial: qcom_geni: Fix RX DMA stall when SE_DMA_RX_LEN_IN is zero vt: merge ucs_is_zero_width()/ucs_is_double_width() into ucs_get_width() serial: 8250: fix possible ISR soft lockup dt-bindings: serial: rs485: remove deprecated .txt binding stub serial: qcom-geni: trace: Add tracepoint support for Qualcomm GENI serial tty: serial: Use named initializers for arrays of i2c_device_data serial: 8250_dw: remove clock-notifier infrastructure serial: 8250_dw: unregister 8250 port if clk_notifier_register() fails amba/serial: amba-pl011: Bring back zx29 UART support serial: 8250: Add support for console flow control serial: 8250: Check LSR timeout on console flow control serial: 8250: Set cons_flow on port registration tty: serial: 8250: protect against NULL uart->port.dev in register arm64: dts: add support for A9 based Amlogic BY401 dt-bindings: arm: amlogic: add A311Y3 support serial: max310x: fix compile errors if CONFIG_SPI_MASTER is disabled serial: qcom-geni: Avoid probing debug console UART without console support serial: max310x: add comments for PLL limits ... 
Pull tty / serial driver updates from Greg KH:
 "Here is the big set of TTY and Serial driver updates for 7.2-rc1.

  Overall we end up removing more code than added, due to an obsolete
  synclink_gt driver being removed from the tree, always a nice thing to
  see happen.

  Other than that driver removal, major things included in here are:

   - max310x serial driver updates and fixes

   - 8250 driver updates and rework in places to make it more "modern"

   - dts file updates

   - serial driver core tweaks and updates

   - vt code cleanups

   - vc_screen crash fixes

   - other minor driver updates and cleanups

  All of these have been in linux-next for well over a week with no
  reported issues"

* tag 'tty-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: (49 commits)
  serial: 8250_pci: Don't specify conflicting values to pci_device_id members
  vc_screen: fix null-ptr-deref in vcs_notifier() during concurrent vcs_write
  serial: qcom_geni: Fix RX DMA stall when SE_DMA_RX_LEN_IN is zero
  vt: merge ucs_is_zero_width()/ucs_is_double_width() into ucs_get_width()
  serial: 8250: fix possible ISR soft lockup
  dt-bindings: serial: rs485: remove deprecated .txt binding stub
  serial: qcom-geni: trace: Add tracepoint support for Qualcomm GENI serial
  tty: serial: Use named initializers for arrays of i2c_device_data
  serial: 8250_dw: remove clock-notifier infrastructure
  serial: 8250_dw: unregister 8250 port if clk_notifier_register() fails
  amba/serial: amba-pl011: Bring back zx29 UART support
  serial: 8250: Add support for console flow control
  serial: 8250: Check LSR timeout on console flow control
  serial: 8250: Set cons_flow on port registration
  tty: serial: 8250: protect against NULL uart->port.dev in register
  arm64: dts: add support for A9 based Amlogic BY401
  dt-bindings: arm: amlogic: add A311Y3 support
  serial: max310x: fix compile errors if CONFIG_SPI_MASTER is disabled
  serial: qcom-geni: Avoid probing debug console UART without console support
  serial: max310x: add comments for PLL limits
  ...
Merge tag 'liveupdate-v7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/liveupdate/linux 2026-06-21T16:46:14+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-21T16:46:14+00:00 d639d9fa162aadec1ae9980c4dcf6e50bd2f8290 Pull liveupdate updates from Mike Rapoport: "Kexec Handover (KHO): - make memory preservation compatible with deferred initialization of the memory map Live Update Orchestrator (LUO): - add LIVEUPDATE_SESSION_GET_NAME ioctl and parameter verification for LIVEUPDATE_IOCTL_CREATE_SESSION ioctl - documentation updates for liveupdate=on command line option, systemd support and the current compatibility status - remove the fixed limits on the number of files that can be preserved within a single session, and the total number of sessions managed by the LUO Misc fixes: - reference count incoming File-Lifecycle-Bound (FLB) data so it cannot be freed while a subsystem is still using it - fixes for a TOCTOU race in luo_session_retrieve(), a use- after-free in the file finish and unpreserve paths, concurrent session mutations during reboot and serialization on preserve_context kexec - make sure ioctls for incoming LUO sessions are blocked for outgoing sessions and vice versa - make sure KHO scratch size is always aligned by CMA_MIN_ALIGNMENT_BYTES - fix memblock tests build issue introduced by KHO changes" * tag 'liveupdate-v7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/liveupdate/linux: (36 commits) liveupdate: Document that retrieve failure is permanent docs: memfd_preservation: fix rendering of ABI documentation selftests/liveupdate: Add stress-files kexec test selftests/liveupdate: Add stress-sessions kexec test selftests/liveupdate: Test session and file limit removal liveupdate: Remove limit on the number of files per session liveupdate: Remove limit on the number of sessions liveupdate: defer session block allocation and physical address setting kho: add support for linked-block serialization liveupdate: Extract luo_session_deserialize_one helper liveupdate: Extract luo_file_deserialize_one helper liveupdate: register luo_ser as KHO subtree liveupdate: centralize state management into struct luo_ser liveupdate: avoid mixing cleanup guards with goto in luo_session_retrieve_fd liveupdate: change file_set->count type to u64 for type safety liveupdate: Remove unused ser field from struct luo_session liveupdate: fix u-a-f in luo_file_unpreserve_files() and luo_file_finish() liveupdate: block session mutations during reboot liveupdate: fix TOCTOU race in luo_session_retrieve() liveupdate: skip serialization for context-preserving kexec ... 
Pull liveupdate updates from Mike Rapoport:
 "Kexec Handover (KHO):

   - make memory preservation compatible with deferred initialization
     of the memory map

  Live Update Orchestrator (LUO):

   - add LIVEUPDATE_SESSION_GET_NAME ioctl and parameter verification
     for LIVEUPDATE_IOCTL_CREATE_SESSION ioctl

   - documentation updates for liveupdate=on command line option,
     systemd support and the current compatibility status

   - remove the fixed limits on the number of files that can be
     preserved within a single session, and the total number of
     sessions managed by the LUO

  Misc fixes:

   - reference count incoming File-Lifecycle-Bound (FLB) data so
     it cannot be freed while a subsystem is still using it

   - fixes for a TOCTOU race in luo_session_retrieve(), a use-
     after-free in the file finish and unpreserve paths, concurrent
     session mutations during reboot and serialization on
     preserve_context kexec

   - make sure ioctls for incoming LUO sessions are blocked for
     outgoing sessions and vice versa

   - make sure KHO scratch size is always aligned by
     CMA_MIN_ALIGNMENT_BYTES

   - fix memblock tests build issue introduced by KHO changes"

* tag 'liveupdate-v7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/liveupdate/linux: (36 commits)
  liveupdate: Document that retrieve failure is permanent
  docs: memfd_preservation: fix rendering of ABI documentation
  selftests/liveupdate: Add stress-files kexec test
  selftests/liveupdate: Add stress-sessions kexec test
  selftests/liveupdate: Test session and file limit removal
  liveupdate: Remove limit on the number of files per session
  liveupdate: Remove limit on the number of sessions
  liveupdate: defer session block allocation and physical address setting
  kho: add support for linked-block serialization
  liveupdate: Extract luo_session_deserialize_one helper
  liveupdate: Extract luo_file_deserialize_one helper
  liveupdate: register luo_ser as KHO subtree
  liveupdate: centralize state management into struct luo_ser
  liveupdate: avoid mixing cleanup guards with goto in luo_session_retrieve_fd
  liveupdate: change file_set->count type to u64 for type safety
  liveupdate: Remove unused ser field from struct luo_session
  liveupdate: fix u-a-f in luo_file_unpreserve_files() and luo_file_finish()
  liveupdate: block session mutations during reboot
  liveupdate: fix TOCTOU race in luo_session_retrieve()
  liveupdate: skip serialization for context-preserving kexec
  ...
Merge tag 'landlock-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux 2026-06-19T19:20:25+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-19T19:20:25+00:00 5e2e14749c3d969e263a879db104db6e9f0eb484 Pull landlock updates from Mickaël Salaün: "This adds new Landlock access rights to control UDP bind and connect/send operations, and a new "quiet" feature to mute specific specific audit logs (and other future observability events). A few commits also fix Landlock issues" * tag 'landlock-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux: (24 commits) selftests/landlock: Add tests for invalid use of quiet flag selftests/landlock: Add tests for quiet flag with scope selftests/landlock: Add tests for quiet flag with net rules selftests/landlock: Add tests for quiet flag with fs rules selftests/landlock: Replace hard-coded 16 with a constant samples/landlock: Add quiet flag support to sandboxer landlock: Suppress logging when quiet flag is present landlock: Add API support and docs for the quiet flags landlock: Add a place for flags to layer rules landlock: Add documentation for UDP support samples/landlock: Add sandboxer UDP access control selftests/landlock: Add tests for UDP send selftests/landlock: Add tests for UDP bind/connect landlock: Add UDP send+connect access control landlock: Add UDP bind() access control landlock: Fix unmarked concurrent access to socket family selftests/landlock: Explicitly disable audit in teardowns selftests/landlock: Test SCOPE_SIGNAL on the SIGIO/fowner pgid path landlock: Fix LANDLOCK_SCOPE_SIGNAL bypass on the SIGIO path landlock: Demonstrate best-effort allowed_access filtering ... 
Pull landlock updates from Mickaël Salaün:
 "This adds new Landlock access rights to control UDP bind and
  connect/send operations, and a new "quiet" feature to mute specific
  specific audit logs (and other future observability events).

  A few commits also fix Landlock issues"

* tag 'landlock-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux: (24 commits)
  selftests/landlock: Add tests for invalid use of quiet flag
  selftests/landlock: Add tests for quiet flag with scope
  selftests/landlock: Add tests for quiet flag with net rules
  selftests/landlock: Add tests for quiet flag with fs rules
  selftests/landlock: Replace hard-coded 16 with a constant
  samples/landlock: Add quiet flag support to sandboxer
  landlock: Suppress logging when quiet flag is present
  landlock: Add API support and docs for the quiet flags
  landlock: Add a place for flags to layer rules
  landlock: Add documentation for UDP support
  samples/landlock: Add sandboxer UDP access control
  selftests/landlock: Add tests for UDP send
  selftests/landlock: Add tests for UDP bind/connect
  landlock: Add UDP send+connect access control
  landlock: Add UDP bind() access control
  landlock: Fix unmarked concurrent access to socket family
  selftests/landlock: Explicitly disable audit in teardowns
  selftests/landlock: Test SCOPE_SIGNAL on the SIGIO/fowner pgid path
  landlock: Fix LANDLOCK_SCOPE_SIGNAL bypass on the SIGIO path
  landlock: Demonstrate best-effort allowed_access filtering
  ...
Merge tag 'media/v7.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media 2026-06-19T00:21:54+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-19T00:21:54+00:00 8c13415c8a4383447c21ec832b20b3b283f0e01a Pull media updates from Mauro Carvalho Chehab: - v4l2: - core: fix subdev sensor ownership - subdev: Allow accessing routes with STREAMS client capability - ctrls: Add validation for HEVC active reference counts and background detection control - common: Add YUV24 format info and has_alpha helper - vb2: Change vb2_read() and vb2_write() return types to ssize_t - i2c: cvs: Add driver of Intel Computer Vision Sensing Controller(CVS) - atmel-isc: remove deprecated driver - cec: Add CEC Latency Indication Protocol (LIP) support - imon: Add iMON VFD HID OEM v1.2 key mappings - AVMatrix: new HWS capture driver - isp4: new AMD capture driver - qcom: - iris: Add hierarchical coding, B-frame, and Long-Term Reference support for encoder - camss: Add SM6350 platform support - venus: Add SM6115 platform support - chips-media: wave5: Add support for Packed YUV422, CBP profile, and background detection - csi2rx: Add multistream support and 32 dma chans - Several cleanups and fixes * tag 'media/v7.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (394 commits) media: v4l2-fwnode: Fix subdev owner overwritten in v4l2_async_register_subdev_sensor() media: qcom: iris: vdec: allow GEN2 decoding into 10bit format media: qcom: iris: vdec: update find_format to handle 8bit and 10bit formats media: qcom: iris: vdec: update size and stride calculations for 10bit formats media: qcom: iris: gen2: add support for 10bit decoding media: qcom: iris: add QC10C & P010 buffer size calculations media: qcom: iris: add helpers for 8bit and 10bit formats media: qcom: iris: Fix FPS calculation and VPP FW overhead media: qcom: camss: vfe-340: Support for PIX client media: qcom: camss: vfe-340: Proper client handling media: qcom: camss: csid-340: Enable PIX interface routing media: qcom: camss: csid-340: Add port-to-interface mapping media: qcom: camss: csid-340: Switch to generic CSID_CFG/CTRL registers media: iris: Initialize HFI ops after firmware load in core init media: iris: drop struct iris_fmt media: iris: Add platform data for X1P42100 media: iris: Add hardware power on/off ops for X1P42100 media: iris: optimize COMV buffer allocation for VPU3x and VPU4x media: iris: add FPS calculation and VPP FW overhead in frequency formula media: qcom: iris: Simplify COMV size calculation ... 
Pull media updates from Mauro Carvalho Chehab:

 - v4l2:
     - core: fix subdev sensor ownership
     - subdev: Allow accessing routes with STREAMS client capability
     - ctrls: Add validation for HEVC active reference counts and
       background detection control
     - common: Add YUV24 format info and has_alpha helper

 - vb2: Change vb2_read() and vb2_write() return types to ssize_t

 - i2c: cvs: Add driver of Intel Computer Vision Sensing Controller(CVS)

 - atmel-isc: remove deprecated driver

 - cec: Add CEC Latency Indication Protocol (LIP) support

 - imon: Add iMON VFD HID OEM v1.2 key mappings

 - AVMatrix: new HWS capture driver

 - isp4: new AMD capture driver

 - qcom:
     - iris: Add hierarchical coding, B-frame, and Long-Term Reference
       support for encoder
     - camss: Add SM6350 platform support
     - venus: Add SM6115 platform support

 - chips-media: wave5: Add support for Packed YUV422, CBP profile, and
   background detection

 - csi2rx: Add multistream support and 32 dma chans

 - Several cleanups and fixes

* tag 'media/v7.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (394 commits)
  media: v4l2-fwnode: Fix subdev owner overwritten in v4l2_async_register_subdev_sensor()
  media: qcom: iris: vdec: allow GEN2 decoding into 10bit format
  media: qcom: iris: vdec: update find_format to handle 8bit and 10bit formats
  media: qcom: iris: vdec: update size and stride calculations for 10bit formats
  media: qcom: iris: gen2: add support for 10bit decoding
  media: qcom: iris: add QC10C & P010 buffer size calculations
  media: qcom: iris: add helpers for 8bit and 10bit formats
  media: qcom: iris: Fix FPS calculation and VPP FW overhead
  media: qcom: camss: vfe-340: Support for PIX client
  media: qcom: camss: vfe-340: Proper client handling
  media: qcom: camss: csid-340: Enable PIX interface routing
  media: qcom: camss: csid-340: Add port-to-interface mapping
  media: qcom: camss: csid-340: Switch to generic CSID_CFG/CTRL registers
  media: iris: Initialize HFI ops after firmware load in core init
  media: iris: drop struct iris_fmt
  media: iris: Add platform data for X1P42100
  media: iris: Add hardware power on/off ops for X1P42100
  media: iris: optimize COMV buffer allocation for VPU3x and VPU4x
  media: iris: add FPS calculation and VPP FW overhead in frequency formula
  media: qcom: iris: Simplify COMV size calculation
  ...
Merge tag 'net-next-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2026-06-17T07:17:00+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-17T07:17:00+00:00 b85966adbf5de0668a815c6e3527f87e0c387fb4 Pull networking updates from Jakub Kicinski: "Core & protocols: - Work on removing rtnl_lock protection throughout the stack continues. In this chapter: - don't use rtnl_lock for IPv6 multicast routing configuration - don't take rtnl_lock in ethtool for modern drivers - prepare Qdisc dump callbacks for rtnl_lock removal - Support dumping just ifindex + name of all interfaces, under RCU. It's a common operation for Netlink CLI tools (when translating names to ifindexes) and previously required full rtnl_lock. - Support dumping qdiscs and page pools for a specific netdev. Even tho user space wants a dump of all netdevs, most of the time, the OOO programming model results in repeating the dump for each netdev. Which, in absence of a cache, leads to a O(n^2) behavior. - Flush nexthops once on multi-nexthop removal (e.g. when device goes down), another O(n^2) -> O(n) improvement. - Rehash locally generated traffic to a different nexthop on retransmit timeout. - Honor oif when choosing nexthop for locally generated IPv6 traffic. - Convert TCP Auth Option to crypto library, and drop non-RFC algos. - Increase subflow limits in MPTCP to 64 and endpoint limit to 256. - Support MPTCP signaling of IPv6 address + port (ADD_ADDR). We need to selectively skip reporting of the standard TCP Timestamp option, because they won't fit into the header space together (12 + 30 > 40). - Support using bridge neighbor suppression, Duplicate Address Detection, Gratuitous ARP and unsolicited NA forwarding - in EVPN deployments, e.g. VXLAN fabrics (IPv4 and IPv6). - Improve link state reporting for upper netdevs (e.g. macvlan) over tunnel devices (again, mostly for EVPN deployments). - Support binding GENEVE tunnels to a local address. - Speed up UDP tunnel destruction (remove one synchronize_rcu()). - Support exponential field encoding in multicast (IGMPv3 and MLDv2). - Support attaching PSP crypto offload to containers (veth, netkit). - Add a new IPSec Netlink message XFRM_MSG_MIGRATE_STATE that allows migrating individual IPsec SAs independently of their policies. The existing XFRM_MSG_MIGRATE is tightly coupled to policy+SA migration, lacks SPI for unique SA identification, and cannot express reqid changes or migrate Transport mode selectors. The new interface identifies the SA via SPI and mark, supports reqid changes, address family changes, encap removal, and uses an atomic create+install flow under x->lock to prevent SN/IV reuse during AEAD SA migration. - Implement GRO/GSO support for PPPoE. - Convert sockopt callbacks in a number of protocols to iov_iter. Cross-tree stuff: - Remove support for Crypto TFM cloning (unblocked after the TCP Auth Option rework). This feature regressed performance for all crypto API users, since it changed crypto transformation objects into reference-counted objects. - Add FCrypt-PCBC implementation to rxrpc and remove it from the global crypto API as obsolete and insecure. Wireless: - Major rework of station bandwidth handling, fixing issues with lower capability than AP. - Cleanups for EMLSR spec issues (drafts differed). - More Neighbor Awareness Networking (Wi-Fi Aware) work (multicast, schedule improvements, multi-station etc.) - Some Ultra High Reliability (UHR) / IEEE 802.11bn (D1.4) work (e.g. non-primary channel access, UHR DBE support). - Fine Timing Measurement ranging (i.e. distance measurement) APIs. Netfilter: - Use per-rule hash initval in nf_conncount. This avoids unnecessary lock contention with short keys (e.g. conntrack zones) in different namespaces. - Various safety improvements, both in packet parsing and object lifetimes. Notably add refcounts to conntrack timeout policy. Deletions: - Remove TLS + sockmap integration. TLS wants to pin user pages to avoid a copy, and sockmap wants to write to the input stream. More work on this integration is clearly needed, and we can't find any users (original author admitted that they never deployed it). - Remove support for TLS offload with TCP Offload Engine (the far more common opportunistic offload is retained). The locking looks unfixable (driver sleeps under TCP spin locks) and people from the vendor that added this are AWOL. - Remove more ATM code, trying to leave behind only what PPPoATM needs, AAL5 and br2684 with permanent circuits. - Remove AppleTalk. Let it join hamradio in our out of tree protocol graveyard, I mean, repository. - Disable 32-bit x_tables compatibility (32bit binaries on 64bit kernel) interface in user namespaces. To be deleted completely, soon. - Remove 5/10 MHz support from cfg80211/mac80211. Drivers: - Software: - Support DEVMEM/DMABUF Tx over NETMEM_TX_NO_DMA devices (netkit) - bonding: add knob to strictly follow 802.3ad for link state - New drivers: - Alibaba Elastic Ethernet Adaptor (cloud vNIC). - NXP NETC switch within i.MX94. - DPLL: - Add operational state to pins (implement in zl3073x). - Add generic DPLL type, for daisy-chaining DPLLs (implement in ice). - Ethernet high-speed NICs: - Huawei (hinic3): - enhance tc flow offload support with queue selection, tunnels - nVidia/Mellanox: - avoid over-copying payload to the skb's linear part (up to 60% win for LRO on slow CPUs like ARM64 V2) - expose more per-queue stats over the standard API - support additional, unprivileged PFs in the DPU configuration - support Socket Direct (multi-PF) with switchdev offloads - add a pool / frag allocator for DMA mapped buffers for control objects, save memory on systems with 64kB page size - take advantage of the ability to dynamically change RSS table size, even when table is configured by the user - increase the max RSS table size for even traffic distribution - Ethernet NICs: - Marvell/Aquantia: - AQC113 PTP support - Realtek USB (r8152): - support 10Gbit Link Speeds and Energy-Efficient Ethernet (EEE) - support firmware loaded (for RTL8157/RTL8159) - support for the RTL8159 - Intel (ixgbe): - support Energy-Efficient Ethernet (EEE) on E610 devices - Ethernet switches: - Airoha: - support multiple netdevs on a single GDM block / port - Marvell (mv88e6xxx): - support SERDES of mv88e6321 - Microchip (ksz8/9): - rework the driver callbacks to remove one indirection layer - Motorcomm (yt921x): - support port rate policing - support TBF qdisc offload - support ACL/flower offload - nVidia/Mellanox: - expose per-PG rx_discards - Realtek: - rtl8365mb: bridge offloading and VLAN support - Ethernet PHYs: - Airoha: - support Airoha AN8801R Gigabit PHYs. - Micrel: - implement 3 low-loss cable tunables - Realtek: - support MDI swapping for RTL8226-CG - support MDIO for RTL931x - Qualcomm: - at803x: Rx and Tx clock management for IPQ5018 PHY - Motorcomm: - support YT8522 100M RMII PHY - set drive strength in YT8531s RGMII - TI: - dp83822: add optional external PHY clock - Bluetooth: - hci_sync: add support for HCI_LE_Set_Host_Feature [v2] - SMP: use AES-CMAC library API - Intel: - support Product level reset - support smart trigger dump - Mediatek: - add event filter to filter specific event - Realtek: - fix RTL8761B/BU broken LE extended scan - WiFi: - Broadcom (b43): - new support for a 11n device - MediaTek (mt76): - support mt7927 - mt792x: broken usb transport detection - mt7921: regulatory improvements - Qualcomm (ath9k): - GPIO interface improvements - Qualcomm (ath12k): - WDS support - replace dynamic memory allocation in WMI Rx path - thermal throttling/cooling device support - 6 GHz incumbent interference detection - channel 177 in 5 GHz - Realtek (rt89): - RTL8922AU support - USB 3 mode switch for performance - better monitor radiotap support - RTL8922DE preparations" * tag 'net-next-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next: (1778 commits) ipv4: fib_rule: Move fib4_rules_exit() to ->exit(). net: serialize netif_running() check in enqueue_to_backlog() net: skmsg: preserve sg.copy across SG transforms appletalk: move the protocol out of tree appletalk: stop storing per-interface state in struct net_device selftests/bpf: test that TLS crypto is rejected on a sockmap socket selftests/bpf: drop the unused kTLS program from test_sockmap selftests/bpf: remove sockmap + ktls tests tls: remove dead sockmap (psock) handling from the SW path tls: reject the combination of TLS and sockmap atm: remove orphaned uAPI for deleted drivers, protocols and SVCs atm: remove unused ATM PHY operations atm: remove the unused pre_send and send_bh device operations atm: remove the unused change_qos device operation atm: remove SVC socket support and the signaling daemon interface atm: remove the local ATM (NSAP) address registry atm: remove dead SONET PHY ioctls atm: remove the unused send_oam / push_oam callbacks atm: remove AAL3/4 transport support net: dsa: sja1105: fix lastused timestamp in flower stats ... 
Pull networking updates from Jakub Kicinski:
 "Core & protocols:

   - Work on removing rtnl_lock protection throughout the stack
     continues. In this chapter:
       - don't use rtnl_lock for IPv6 multicast routing configuration
       - don't take rtnl_lock in ethtool for modern drivers
       - prepare Qdisc dump callbacks for rtnl_lock removal

   - Support dumping just ifindex + name of all interfaces, under RCU.
     It's a common operation for Netlink CLI tools (when translating
     names to ifindexes) and previously required full rtnl_lock.

   - Support dumping qdiscs and page pools for a specific netdev. Even
     tho user space wants a dump of all netdevs, most of the time, the
     OOO programming model results in repeating the dump for each
     netdev. Which, in absence of a cache, leads to a O(n^2) behavior.

   - Flush nexthops once on multi-nexthop removal (e.g. when device goes
     down), another O(n^2) -> O(n) improvement.

   - Rehash locally generated traffic to a different nexthop on
     retransmit timeout.

   - Honor oif when choosing nexthop for locally generated IPv6 traffic.

   - Convert TCP Auth Option to crypto library, and drop non-RFC algos.

   - Increase subflow limits in MPTCP to 64 and endpoint limit to 256.

   - Support MPTCP signaling of IPv6 address + port (ADD_ADDR). We need
     to selectively skip reporting of the standard TCP Timestamp option,
     because they won't fit into the header space together (12 + 30 >
     40).

   - Support using bridge neighbor suppression, Duplicate Address
     Detection, Gratuitous ARP and unsolicited NA forwarding - in EVPN
     deployments, e.g. VXLAN fabrics (IPv4 and IPv6).

   - Improve link state reporting for upper netdevs (e.g. macvlan) over
     tunnel devices (again, mostly for EVPN deployments).

   - Support binding GENEVE tunnels to a local address.

   - Speed up UDP tunnel destruction (remove one synchronize_rcu()).

   - Support exponential field encoding in multicast (IGMPv3 and MLDv2).

   - Support attaching PSP crypto offload to containers (veth, netkit).

   - Add a new IPSec Netlink message XFRM_MSG_MIGRATE_STATE that allows
     migrating individual IPsec SAs independently of their policies.

     The existing XFRM_MSG_MIGRATE is tightly coupled to policy+SA
     migration, lacks SPI for unique SA identification, and cannot
     express reqid changes or migrate Transport mode selectors.

     The new interface identifies the SA via SPI and mark, supports
     reqid changes, address family changes, encap removal, and uses an
     atomic create+install flow under x->lock to prevent SN/IV reuse
     during AEAD SA migration.

   - Implement GRO/GSO support for PPPoE.

   - Convert sockopt callbacks in a number of protocols to iov_iter.

  Cross-tree stuff:

   - Remove support for Crypto TFM cloning (unblocked after the TCP Auth
     Option rework). This feature regressed performance for all crypto
     API users, since it changed crypto transformation objects into
     reference-counted objects.

   - Add FCrypt-PCBC implementation to rxrpc and remove it from the
     global crypto API as obsolete and insecure.

  Wireless:

   - Major rework of station bandwidth handling, fixing issues with
     lower capability than AP.

   - Cleanups for EMLSR spec issues (drafts differed).

   - More Neighbor Awareness Networking (Wi-Fi Aware) work (multicast,
     schedule improvements, multi-station etc.)

   - Some Ultra High Reliability (UHR) / IEEE 802.11bn (D1.4) work
     (e.g. non-primary channel access, UHR DBE support).

   - Fine Timing Measurement ranging (i.e. distance measurement) APIs.

  Netfilter:

   - Use per-rule hash initval in nf_conncount. This avoids unnecessary
     lock contention with short keys (e.g. conntrack zones) in different
     namespaces.

   - Various safety improvements, both in packet parsing and object
     lifetimes. Notably add refcounts to conntrack timeout policy.

  Deletions:

   - Remove TLS + sockmap integration. TLS wants to pin user pages to
     avoid a copy, and sockmap wants to write to the input stream. More
     work on this integration is clearly needed, and we can't find any
     users (original author admitted that they never deployed it).

   - Remove support for TLS offload with TCP Offload Engine (the far
     more common opportunistic offload is retained). The locking looks
     unfixable (driver sleeps under TCP spin locks) and people from the
     vendor that added this are AWOL.

   - Remove more ATM code, trying to leave behind only what PPPoATM
     needs, AAL5 and br2684 with permanent circuits.

   - Remove AppleTalk. Let it join hamradio in our out of tree protocol
     graveyard, I mean, repository.

   - Disable 32-bit x_tables compatibility (32bit binaries on 64bit
     kernel) interface in user namespaces. To be deleted completely,
     soon.

   - Remove 5/10 MHz support from cfg80211/mac80211.

  Drivers:

   - Software:
       - Support DEVMEM/DMABUF Tx over NETMEM_TX_NO_DMA devices (netkit)
       - bonding: add knob to strictly follow 802.3ad for link state

   - New drivers:
       - Alibaba Elastic Ethernet Adaptor (cloud vNIC).
       - NXP NETC switch within i.MX94.

   - DPLL:
       - Add operational state to pins (implement in zl3073x).
       - Add generic DPLL type, for daisy-chaining DPLLs (implement in ice).

   - Ethernet high-speed NICs:
       - Huawei (hinic3):
           - enhance tc flow offload support with queue selection,
             tunnels
       - nVidia/Mellanox:
           - avoid over-copying payload to the skb's linear part (up to
             60% win for LRO on slow CPUs like ARM64 V2)
           - expose more per-queue stats over the standard API
           - support additional, unprivileged PFs in the DPU
             configuration
           - support Socket Direct (multi-PF) with switchdev offloads
           - add a pool / frag allocator for DMA mapped buffers for
             control objects, save memory on systems with 64kB page size
           - take advantage of the ability to dynamically change RSS
             table size, even when table is configured by the user
           - increase the max RSS table size for even traffic
             distribution

   - Ethernet NICs:
       - Marvell/Aquantia:
           - AQC113 PTP support
       - Realtek USB (r8152):
           - support 10Gbit Link Speeds and Energy-Efficient Ethernet
             (EEE)
           - support firmware loaded (for RTL8157/RTL8159)
           - support for the RTL8159
       - Intel (ixgbe):
           - support Energy-Efficient Ethernet (EEE) on E610 devices

   - Ethernet switches:
       - Airoha:
           - support multiple netdevs on a single GDM block / port
       - Marvell (mv88e6xxx):
           - support SERDES of mv88e6321
       - Microchip (ksz8/9):
           - rework the driver callbacks to remove one indirection layer
       - Motorcomm (yt921x):
           - support port rate policing
           - support TBF qdisc offload
           - support ACL/flower offload
       - nVidia/Mellanox:
           - expose per-PG rx_discards
       - Realtek:
           - rtl8365mb: bridge offloading and VLAN support

   - Ethernet PHYs:
       - Airoha:
           - support Airoha AN8801R Gigabit PHYs.
       - Micrel:
           - implement 3 low-loss cable tunables
       - Realtek:
           - support MDI swapping for RTL8226-CG
           - support MDIO for RTL931x
       - Qualcomm:
           - at803x: Rx and Tx clock management for IPQ5018 PHY
       - Motorcomm:
           - support YT8522 100M RMII PHY
           - set drive strength in YT8531s RGMII
       - TI:
           - dp83822: add optional external PHY clock

   - Bluetooth:
       - hci_sync: add support for HCI_LE_Set_Host_Feature [v2]
       - SMP: use AES-CMAC library API
       - Intel:
           - support Product level reset
           - support smart trigger dump
       - Mediatek:
           - add event filter to filter specific event
       - Realtek:
           - fix RTL8761B/BU broken LE extended scan

   - WiFi:
       - Broadcom (b43):
           - new support for a 11n device
       - MediaTek (mt76):
           - support mt7927
           - mt792x: broken usb transport detection
           - mt7921: regulatory improvements
       - Qualcomm (ath9k):
           - GPIO interface improvements
       - Qualcomm (ath12k):
           - WDS support
           - replace dynamic memory allocation in WMI Rx path
           - thermal throttling/cooling device support
           - 6 GHz incumbent interference detection
           - channel 177 in 5 GHz
       - Realtek (rt89):
           - RTL8922AU support
           - USB 3 mode switch for performance
           - better monitor radiotap support
           - RTL8922DE preparations"

* tag 'net-next-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next: (1778 commits)
  ipv4: fib_rule: Move fib4_rules_exit() to ->exit().
  net: serialize netif_running() check in enqueue_to_backlog()
  net: skmsg: preserve sg.copy across SG transforms
  appletalk: move the protocol out of tree
  appletalk: stop storing per-interface state in struct net_device
  selftests/bpf: test that TLS crypto is rejected on a sockmap socket
  selftests/bpf: drop the unused kTLS program from test_sockmap
  selftests/bpf: remove sockmap + ktls tests
  tls: remove dead sockmap (psock) handling from the SW path
  tls: reject the combination of TLS and sockmap
  atm: remove orphaned uAPI for deleted drivers, protocols and SVCs
  atm: remove unused ATM PHY operations
  atm: remove the unused pre_send and send_bh device operations
  atm: remove the unused change_qos device operation
  atm: remove SVC socket support and the signaling daemon interface
  atm: remove the local ATM (NSAP) address registry
  atm: remove dead SONET PHY ioctls
  atm: remove the unused send_oam / push_oam callbacks
  atm: remove AAL3/4 transport support
  net: dsa: sja1105: fix lastused timestamp in flower stats
  ...
Merge tag 'v7.2-p1' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2026-06-16T03:31:23+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-16T03:31:23+00:00 0d8c1134936f1fb6678156ab4248ac740d274525 Pull crypto updates from Herbert Xu: "API: - Drop support for off-CPU cryptography in af_alg - Document that af_alg is *always* slower - Document the deprecation of af_alg - Remove zero-copy support from skcipher and aead in af_alg - Cap AEAD AD length to 0x80000000 in af_alg - Free default RNG on module exit Algorithms: - Fix vli multiplication carry overflow in ecc - Drop unused cipher_null crypto_alg - Remove unused variants of drbg - Use lib/crypto in drbg - Use memcpy_from/to_sglist in authencesn - Allow authenc(hmac(sha{256,384}),cts(cbc(aes))) in FIPS mode - Disallow RSA PKCS#1 SHA-1 sig algs in FIPS mode - Filter out async aead implementations at alloc in krb5 - Fix non-parallel fallback by rstoring callback in pcrypt - Validate poly1305 template argument in chacha20poly1305 Drivers: - Add sysfs PCI reset support to qat - Add KPT support for GEN6 devices to qat - Remove unused character device and ioctls from qat - Add support for hw access via SMCC to mtk - Remove prng support from crypto4xx - Remove prng support from hisi-trng - Remove prng support from sun4i-ss - Remove prng support from xilinx-trng - Remove loongson-rng - Remove exynos-rng Others: - Remove support for AIO on sockets" * tag 'v7.2-p1' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (196 commits) crypto: tegra - fix refcount leak in tegra_se_host1x_submit() crypto: rng - Free default RNG on module exit crypto: testmgr - allow authenc(hmac(sha{256,384}),cts(cbc(aes))) in FIPS mode hwrng: jh7110 - fix refcount leak in starfive_trng_read() crypto: atmel-ecc - drop dead code in atmel_ecdh_max_size crypto: cavium/cpt - fix DMA cleanup using wrong loop index crypto: marvell/octeontx - fix DMA cleanup using wrong loop index MAINTAINERS: make myself the maintainer of the Qualcomm QCE driver crypto: amcc - convert irq_of_parse_and_map to platform_get_irq crypto: sun4i-ss - Remove insecure and unused rng_alg hwrng: xilinx - Move xilinx-rng into drivers/char/hw_random/ crypto: xilinx-trng - Replace crypto_drbg_ctr_df() with HMAC-SHA512 crypto: xilinx-trng - Fix return value of xtrng_hwrng_trng_read() crypto: xilinx-trng - Remove crypto_rng interface crypto: exynos-rng - Remove exynos-rng driver hwrng: hisi-trng - Move hisi-trng into drivers/char/hw_random/ crypto: hisi-trng - Remove crypto_rng interface crypto: loongson - Remove broken and unused loongson-rng crypto: crypto4xx - Remove insecure and unused rng_alg crypto: qat - validate RSA CRT component lengths ... 
Pull crypto updates from Herbert Xu:
 "API:
   - Drop support for off-CPU cryptography in af_alg
   - Document that af_alg is *always* slower
   - Document the deprecation of af_alg
   - Remove zero-copy support from skcipher and aead in af_alg
   - Cap AEAD AD length to 0x80000000 in af_alg
   - Free default RNG on module exit

  Algorithms:
   - Fix vli multiplication carry overflow in ecc
   - Drop unused cipher_null crypto_alg
   - Remove unused variants of drbg
   - Use lib/crypto in drbg
   - Use memcpy_from/to_sglist in authencesn
   - Allow authenc(hmac(sha{256,384}),cts(cbc(aes))) in FIPS mode
   - Disallow RSA PKCS#1 SHA-1 sig algs in FIPS mode
   - Filter out async aead implementations at alloc in krb5
   - Fix non-parallel fallback by rstoring callback in pcrypt
   - Validate poly1305 template argument in chacha20poly1305

  Drivers:
   - Add sysfs PCI reset support to qat
   - Add KPT support for GEN6 devices to qat
   - Remove unused character device and ioctls from qat
   - Add support for hw access via SMCC to mtk
   - Remove prng support from crypto4xx
   - Remove prng support from hisi-trng
   - Remove prng support from sun4i-ss
   - Remove prng support from xilinx-trng
   - Remove loongson-rng
   - Remove exynos-rng

  Others:
   - Remove support for AIO on sockets"

* tag 'v7.2-p1' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (196 commits)
  crypto: tegra - fix refcount leak in tegra_se_host1x_submit()
  crypto: rng - Free default RNG on module exit
  crypto: testmgr - allow authenc(hmac(sha{256,384}),cts(cbc(aes))) in FIPS mode
  hwrng: jh7110 - fix refcount leak in starfive_trng_read()
  crypto: atmel-ecc - drop dead code in atmel_ecdh_max_size
  crypto: cavium/cpt - fix DMA cleanup using wrong loop index
  crypto: marvell/octeontx - fix DMA cleanup using wrong loop index
  MAINTAINERS: make myself the maintainer of the Qualcomm QCE driver
  crypto: amcc - convert irq_of_parse_and_map to platform_get_irq
  crypto: sun4i-ss - Remove insecure and unused rng_alg
  hwrng: xilinx - Move xilinx-rng into drivers/char/hw_random/
  crypto: xilinx-trng - Replace crypto_drbg_ctr_df() with HMAC-SHA512
  crypto: xilinx-trng - Fix return value of xtrng_hwrng_trng_read()
  crypto: xilinx-trng - Remove crypto_rng interface
  crypto: exynos-rng - Remove exynos-rng driver
  hwrng: hisi-trng - Move hisi-trng into drivers/char/hw_random/
  crypto: hisi-trng - Remove crypto_rng interface
  crypto: loongson - Remove broken and unused loongson-rng
  crypto: crypto4xx - Remove insecure and unused rng_alg
  crypto: qat - validate RSA CRT component lengths
  ...
landlock: Add API support and docs for the quiet flags 2026-06-14T18:17:19+00:00 Tingmao Wang m@maowtm.org 2026-06-12T01:48:48+00:00 29752205db5ff1793437b352c9e343b8e41fb184 Adds the UAPI for the quiet flags feature (but not the implementation yet). Even though currently LANDLOCK_ADD_RULE_QUIET only affects audit logging, in the future this can also be used as part of a supervisor mechanism, where it will also suppress denial notifications on a per-object basis. Thus the name is deliberately generic, as opposed to e.g. LANDLOCK_ADD_RULE_LOG_QUIET. According to pahole, even after adding the struct access_masks quiet_masks in struct landlock_hierarchy, the u32 log_* bitfield still only has a size of 2 bytes, so there's minimal wasted space. Assisted-by: GitHub-Copilot:claude-opus-4.8 Signed-off-by: Tingmao Wang <m@maowtm.org> [mic: Update date, fix comment formatting] Link: https://patch.msgid.link/031184748a8e74c0bb02f1fa13d7a3f10918c627.1781228815.git.m@maowtm.org Signed-off-by: Mickaël Salaün <mic@digikod.net> 
Adds the UAPI for the quiet flags feature (but not the implementation
yet).

Even though currently LANDLOCK_ADD_RULE_QUIET only affects audit
logging, in the future this can also be used as part of a supervisor
mechanism, where it will also suppress denial notifications on a
per-object basis.  Thus the name is deliberately generic, as opposed to
e.g. LANDLOCK_ADD_RULE_LOG_QUIET.

According to pahole, even after adding the struct access_masks
quiet_masks in struct landlock_hierarchy, the u32 log_* bitfield still
only has a size of 2 bytes, so there's minimal wasted space.

Assisted-by: GitHub-Copilot:claude-opus-4.8
Signed-off-by: Tingmao Wang <m@maowtm.org>
[mic: Update date, fix comment formatting]
Link: https://patch.msgid.link/031184748a8e74c0bb02f1fa13d7a3f10918c627.1781228815.git.m@maowtm.org
Signed-off-by: Mickaël Salaün <mic@digikod.net>
landlock: Add documentation for UDP support 2026-06-14T18:17:16+00:00 Matthieu Buffet matthieu@buffet.re 2026-06-11T16:21:06+00:00 299eccf996681273da0290f47db710de8d61c163 Add example of UDP usage, without detailing the two access right. Slightly change the example used in code blocks: build a ruleset for a DNS client, so that it uses both TCP and UDP. Test coverage for security/landlock is 91.3% of 2245 lines according to LLVM 22. Signed-off-by: Matthieu Buffet <matthieu@buffet.re> Link: https://patch.msgid.link/20260611162107.49278-7-matthieu@buffet.re [mic: Fix doc formatting, update audit doc, add test coverage] Signed-off-by: Mickaël Salaün <mic@digikod.net> 
Add example of UDP usage, without detailing the two access right.
Slightly change the example used in code blocks: build a ruleset for a
DNS client, so that it uses both TCP and UDP.

Test coverage for security/landlock is 91.3% of 2245 lines according to
LLVM 22.

Signed-off-by: Matthieu Buffet <matthieu@buffet.re>
Link: https://patch.msgid.link/20260611162107.49278-7-matthieu@buffet.re
[mic: Fix doc formatting, update audit doc, add test coverage]
Signed-off-by: Mickaël Salaün <mic@digikod.net>
landlock: Demonstrate best-effort allowed_access filtering 2026-06-13T21:14:59+00:00 Mickaël Salaün mic@digikod.net 2026-05-13T15:18:53+00:00 143c656e2588b60e69df4287131413dab93ff53c Landlock provides best-effort sandboxing across ABI versions: applications request the rights they need, and on older kernels the unsupported rights are silently dropped from handled_access_* by the documented compatibility switch. The recommended pattern for landlock_add_rule(2) calls is to mirror this filtering at the rule level, which wasn't explicitly described in the exemple. Show the pattern explicitly in the filesystem and network rule examples by masking each rule's allowed_access against the ruleset's handled_access_* and adding the rule only when at least one bit remains set. This makes the recommended best-effort pattern self-documenting. Reviewed-by: Günther Noack <gnoack3000@gmail.com> Link: https://patch.msgid.link/20260513151856.148423-1-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net> 
Landlock provides best-effort sandboxing across ABI versions:
applications request the rights they need, and on older kernels the
unsupported rights are silently dropped from handled_access_* by the
documented compatibility switch.  The recommended pattern for
landlock_add_rule(2) calls is to mirror this filtering at the rule
level, which wasn't explicitly described in the exemple.

Show the pattern explicitly in the filesystem and network rule examples
by masking each rule's allowed_access against the ruleset's
handled_access_* and adding the rule only when at least one bit remains
set.  This makes the recommended best-effort pattern self-documenting.

Reviewed-by: Günther Noack <gnoack3000@gmail.com>
Link: https://patch.msgid.link/20260513151856.148423-1-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>