linux.git/drivers, branch v7.1-rc4 Linux kernel source tree virt: sev-guest: Do not use host-controlled page order in cleanup path 2026-05-17T18:45:07+00:00 Carlos López clopez@suse.de 2026-05-12T10:00:41+00:00 23e6a1ca04ae44806439a5a446e62e4d42e80bb4 When issuing an extended guest request (SVM_VMGEXIT_EXT_GUEST_REQUEST), get_ext_report() allocates a buffer to retrieve a certificate blob from the host, keeping track of its size in report_req->certs_len. However, the host may return SNP_GUEST_VMM_ERR_INVALID_LEN, indicating an invalid buffer size, as well as the expected length of such buffer. get_ext_report() subsequently updates report_req->certs_len with the host-controlled value, and cleans up the buffer by computing a page order from such value. This is incorrect, as the host-provided length may not match the page order of the original allocation, potentially resulting in corruption in the page allocator. Fix this by using alloc_pages_exact() instead, and reusing @npages to compute the size passed to free_pages_exact(). For consistency, also use @npages to compute the size when allocating the pages, even though this last change has no functional effect. Fixes: 3e385c0d6ce8 ("virt: sev-guest: Move SNP Guest Request data pages handling under snp_cmd_mutex") Signed-off-by: Carlos López <clopez@suse.de> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Tested-by: Michael Roth <michael.roth@amd.com> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
When issuing an extended guest request (SVM_VMGEXIT_EXT_GUEST_REQUEST),
get_ext_report() allocates a buffer to retrieve a certificate blob from the
host, keeping track of its size in report_req->certs_len.

However, the host may return SNP_GUEST_VMM_ERR_INVALID_LEN, indicating
an invalid buffer size, as well as the expected length of such buffer.
get_ext_report() subsequently updates report_req->certs_len with the
host-controlled value, and cleans up the buffer by computing a page order
from such value. This is incorrect, as the host-provided length may not
match the page order of the original allocation, potentially resulting
in corruption in the page allocator.

Fix this by using alloc_pages_exact() instead, and reusing @npages to
compute the size passed to free_pages_exact(). For consistency, also
use @npages to compute the size when allocating the pages, even though
this last change has no functional effect.

Fixes: 3e385c0d6ce8 ("virt: sev-guest: Move SNP Guest Request data pages handling under snp_cmd_mutex")
Signed-off-by: Carlos López <clopez@suse.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Tested-by: Michael Roth <michael.roth@amd.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Merge tag 'irq-urgent-2026-05-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2026-05-17T17:34:15+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-05-17T17:34:15+00:00 ec296ebf6d6dffef27ab1f01b7fd8bdd9d097a4f Pull IRQ fixes from Ingo Molnar: - Fix use-after-free in irq_work_single() on PREEMPT_RT (Jiayuan Chen) - Don't call add_interrupt_randomness() for NMIs in handle_percpu_devid_irq() (Mark Rutland) - Remove unused function in the ath79-cpu irqchip driver causing LKP CI build warnings (Rosen Penev) - Fix IRQ allocation/teardown leakage regressions in the GICv5 irqchip driver (Sascha Bischoff) - Fix an IRQ trigger type regression in the Meson S4 SoC irqchip driver (Xianwei Zhao) - Fix CPU offlining regression in the RiscV IMSIC irqchip driver (Yong-Xuan Wang) * tag 'irq-urgent-2026-05-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT irqchip/riscv-imsic: Clear interrupt move state during CPU offlining irqchip/meson-gpio: Use the correct register in meson_s4_gpio_irq_set_type() irqchip/ath79-cpu: Remove unused function genirq/chip: Don't call add_interrupt_randomness() for NMIs irqchip/gic-v5: Allocate ITS parent LPIs as a range irqchip/gic-v5: Support range allocation for LPIs irqchip/gic-v5: Move LPI allocation into the LPI domain 
Pull IRQ fixes from Ingo Molnar:

 - Fix use-after-free in irq_work_single() on PREEMPT_RT (Jiayuan Chen)

 - Don't call add_interrupt_randomness() for NMIs in
   handle_percpu_devid_irq() (Mark Rutland)

 - Remove unused function in the ath79-cpu irqchip driver causing LKP
   CI build warnings (Rosen Penev)

 - Fix IRQ allocation/teardown leakage regressions in the GICv5 irqchip
   driver (Sascha Bischoff)

 - Fix an IRQ trigger type regression in the Meson S4 SoC irqchip driver
   (Xianwei Zhao)

 - Fix CPU offlining regression in the RiscV IMSIC irqchip driver
   (Yong-Xuan Wang)

* tag 'irq-urgent-2026-05-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT
  irqchip/riscv-imsic: Clear interrupt move state during CPU offlining
  irqchip/meson-gpio: Use the correct register in meson_s4_gpio_irq_set_type()
  irqchip/ath79-cpu: Remove unused function
  genirq/chip: Don't call add_interrupt_randomness() for NMIs
  irqchip/gic-v5: Allocate ITS parent LPIs as a range
  irqchip/gic-v5: Support range allocation for LPIs
  irqchip/gic-v5: Move LPI allocation into the LPI domain
Merge tag 'hwmon-for-v7.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging 2026-05-17T16:23:28+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-05-17T16:23:28+00:00 1405a07192a3c5420c5fd7437f7945ebe1e71ad7 Pull hwmon fixes from Guenter Roeck: - asus_atk0110, acpi_power_meter: Add missing NULL pointer checks - lm90: Fix locking and UAF issues - sy7636a: Fix sysfs attribute name in documentation * tag 'hwmon-for-v7.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: hwmon: (lm90) Add lock protection to lm90_alert hwmon: (lm90) Stop work before releasing hwmon device docs: hwmon: sy7636a: fix temperature sysfs attribute name hwmon: (asus_atk0110) Check ACPI_COMPANION() against NULL hwmon: (acpi_power_meter) Check ACPI_COMPANION() against NULL 
Pull hwmon fixes from Guenter Roeck:

 - asus_atk0110, acpi_power_meter: Add missing NULL pointer checks

 - lm90: Fix locking and UAF issues

 - sy7636a: Fix sysfs attribute name in documentation

* tag 'hwmon-for-v7.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
  hwmon: (lm90) Add lock protection to lm90_alert
  hwmon: (lm90) Stop work before releasing hwmon device
  docs: hwmon: sy7636a: fix temperature sysfs attribute name
  hwmon: (asus_atk0110) Check ACPI_COMPANION() against NULL
  hwmon: (acpi_power_meter) Check ACPI_COMPANION() against NULL
hwmon: (lm90) Add lock protection to lm90_alert 2026-05-16T15:10:33+00:00 Guenter Roeck linux@roeck-us.net 2026-05-14T21:41:00+00:00 873e919e3101063a7a75989510ccfc125a4391cf Sashiko reports: lm90_alert() executes in the smbus alert context and calls lm90_update_confreg() to disable the hardware alert line, without acquiring hwmon_lock. Concurrently, sysfs write operations (such as lm90_write_convrate) hold the hwmon_lock, temporarily modify data->config, and then restore it. If an alert interrupt occurs concurrently with a sysfs write, the sysfs path will overwrite the alert handler's modifications to data->config and the hardware register. This unintentionally re-enables the hardware alert line while the alarm is still active, causing an interrupt storm. Add the missing lock to lm90_alert() to solve the problem. Fixes: 7a1d220ccb0cc ("hwmon: (lm90) Introduce function to update configuration register") Reported-by: Sashiko <sashiko-bot@kernel.org> Signed-off-by: Guenter Roeck <linux@roeck-us.net> 
Sashiko reports:

lm90_alert() executes in the smbus alert context and calls
lm90_update_confreg() to disable the hardware alert line, without
acquiring hwmon_lock.

Concurrently, sysfs write operations (such as lm90_write_convrate) hold
the hwmon_lock, temporarily modify data->config, and then restore it.

If an alert interrupt occurs concurrently with a sysfs write, the sysfs
path will overwrite the alert handler's modifications to data->config
and the hardware register.

This unintentionally re-enables the hardware alert line while the alarm is
still active, causing an interrupt storm.

Add the missing lock to lm90_alert() to solve the problem.

Fixes: 7a1d220ccb0cc ("hwmon: (lm90) Introduce function to update configuration register")
Reported-by: Sashiko <sashiko-bot@kernel.org>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
hwmon: (lm90) Stop work before releasing hwmon device 2026-05-16T15:09:55+00:00 Guenter Roeck linux@roeck-us.net 2026-05-14T21:31:49+00:00 b09a45601094c7f4ec4db8090b825fa61e169d93 Sashiko reports: In lm90_probe(), the devm action to cancel the alert_work and report_work (lm90_restore_conf) is registered in lm90_init_client() before devm_hwmon_device_register_with_info() is called. Because devm executes cleanup actions in reverse order during module unbind or probe failure, the hwmon device is unregistered and freed first. If lm90_alert_work() or lm90_report_alarms() runs in the window between the hwmon device being freed and the delayed works being cancelled, lm90_update_alarms() will dereference the freed data->hwmon_dev here. Fix the problem by canceling the workers separately after registering the hwmon device and before registering the interrupt handler. This ensures that the workers are canceled after interrupts are disabled and before the hwmon device is released. Add "shutdown" flag to indicate that device shutdown is in progress to prevent workers from being re-armed. Fixes: f6d0775119fb9 ("hwmon: (lm90) Rework alarm/status handling") Reported-by: Sashiko <sashiko-bot@kernel.org> Signed-off-by: Guenter Roeck <linux@roeck-us.net> 
Sashiko reports:

In lm90_probe(), the devm action to cancel the alert_work and report_work
(lm90_restore_conf) is registered in lm90_init_client() before
devm_hwmon_device_register_with_info() is called.

Because devm executes cleanup actions in reverse order during module
unbind or probe failure, the hwmon device is unregistered and freed first.

If lm90_alert_work() or lm90_report_alarms() runs in the window between
the hwmon device being freed and the delayed works being cancelled,
lm90_update_alarms() will dereference the freed data->hwmon_dev here.

Fix the problem by canceling the workers separately after registering
the hwmon device and before registering the interrupt handler. This ensures
that the workers are canceled after interrupts are disabled and before
the hwmon device is released. Add "shutdown" flag to indicate that device
shutdown is in progress to prevent workers from being re-armed.

Fixes: f6d0775119fb9 ("hwmon: (lm90) Rework alarm/status handling")
Reported-by: Sashiko <sashiko-bot@kernel.org>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Merge tag 'drm-fixes-2026-05-16' of https://gitlab.freedesktop.org/drm/kernel 2026-05-16T00:00:45+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-05-16T00:00:45+00:00 6916d5703ddf9a38f1f6c2cc793381a24ee914c6 Pull drm fixes from Dave Airlie: "Weekly fixes pull, small and all over fixes, mostly xe and amdgpu, with some ttm and a core fix for the handle change pain. core: - fix for the fix for the handle change race ttm: - avoid infinite loop in swap out - avoid infinite loop in BO shrinking - convert -EAGAIN from dmem_cgroup_try_charge to -ENOSPC bridge: - imx8qxp-pxl2dpi: avoid ERR_PTR with device_node cleanup i915: - Skip __i915_request_skip() for already signaled requests - Fix VSC dynamic range signaling for RGB formats [dp] xe: - Madvise fix around purgeability tracking - Restore engine mask for specific blitter style - Couple UAF fixes - Drop unused ggtt_balloon field amdgpu: - Userq fixes - DCN 3.2 fix - RAS fix - GC 12 fix gma500: - oaktrail_lvds: fix i2c handling loongson: - use managed cleanup for connector polling panfrost: - handle results from reservation locking correctly qaic: - check for integer overflows in mmap logic rocket: - handle results from reservation locking correctly" * tag 'drm-fixes-2026-05-16' of https://gitlab.freedesktop.org/drm/kernel: (26 commits) drm: Replace old pointer to new idr drm/loongson: Use managed KMS polling drm/ttm: Fix ttm_bo_shrink() infinite LRU walk on backup failure drm/ttm: Convert -EAGAIN from dmem_cgroup_try_charge to -ENOSPC drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init drm/gma500/oaktrail_lvds: fix hang on init failure drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup drm/xe: Drop unused ggtt_balloon field accel/qaic: Add overflow check to remap_pfn_range during mmap drm/i915/dp: Fix VSC dynamic range signaling for RGB formats drm/i915: skip __i915_request_skip() for already signaled requests drm/bridge: imx8qxp-pxl2dpi: avoid ERR_PTR with device_node cleanup drm/amdgpu/gfx_v12_0: set gfx.rs64_enable from PFP header on GFX12 drm/amd/ras: Fix CPER ring debugfs read overflow drm/amd/display: Wrap DCN32 phantom-plane allocation in DC_RUN_WITH_PREEMPTION_ENABLED drm/amdgpu: fix userq hang detection and reset drm/amdgpu: remove almost all calls to amdgpu_userq_detect_and_reset_queues drm/amdgpu: rework amdgpu_userq_signal_ioctl v3 drm/amdgpu: remove deadlocks from amdgpu_userq_pre_reset drm/xe/dma-buf: fix UAF with retry loop ... 
Pull drm fixes from Dave Airlie:
 "Weekly fixes pull, small and all over fixes, mostly xe and amdgpu,
  with some ttm and a core fix for the handle change pain.

  core:
   - fix for the fix for the handle change race

  ttm:
   - avoid infinite loop in swap out
   - avoid infinite loop in BO shrinking
   - convert -EAGAIN from dmem_cgroup_try_charge to -ENOSPC

  bridge:
   - imx8qxp-pxl2dpi: avoid ERR_PTR with device_node cleanup

  i915:
   - Skip __i915_request_skip() for already signaled requests
   - Fix VSC dynamic range signaling for RGB formats [dp]

  xe:
   - Madvise fix around purgeability tracking
   - Restore engine mask for specific blitter style
   - Couple UAF fixes
   - Drop unused ggtt_balloon field

  amdgpu:
   - Userq fixes
   - DCN 3.2 fix
   - RAS fix
   - GC 12 fix

  gma500:
   - oaktrail_lvds: fix i2c handling

  loongson:
   - use managed cleanup for connector polling

  panfrost:
   - handle results from reservation locking correctly

  qaic:
   - check for integer overflows in mmap logic

  rocket:
   - handle results from reservation locking correctly"

* tag 'drm-fixes-2026-05-16' of https://gitlab.freedesktop.org/drm/kernel: (26 commits)
  drm: Replace old pointer to new idr
  drm/loongson: Use managed KMS polling
  drm/ttm: Fix ttm_bo_shrink() infinite LRU walk on backup failure
  drm/ttm: Convert -EAGAIN from dmem_cgroup_try_charge to -ENOSPC
  drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init
  drm/gma500/oaktrail_lvds: fix hang on init failure
  drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup
  drm/xe: Drop unused ggtt_balloon field
  accel/qaic: Add overflow check to remap_pfn_range during mmap
  drm/i915/dp: Fix VSC dynamic range signaling for RGB formats
  drm/i915: skip __i915_request_skip() for already signaled requests
  drm/bridge: imx8qxp-pxl2dpi: avoid ERR_PTR with device_node cleanup
  drm/amdgpu/gfx_v12_0: set gfx.rs64_enable from PFP header on GFX12
  drm/amd/ras: Fix CPER ring debugfs read overflow
  drm/amd/display: Wrap DCN32 phantom-plane allocation in DC_RUN_WITH_PREEMPTION_ENABLED
  drm/amdgpu: fix userq hang detection and reset
  drm/amdgpu: remove almost all calls to amdgpu_userq_detect_and_reset_queues
  drm/amdgpu: rework amdgpu_userq_signal_ioctl v3
  drm/amdgpu: remove deadlocks from amdgpu_userq_pre_reset
  drm/xe/dma-buf: fix UAF with retry loop
  ...
drm: Replace old pointer to new idr 2026-05-15T23:32:43+00:00 Edward Adam Davis eadavis@qq.com 2026-05-13T04:30:50+00:00 dc366607c41c45fd0ae6f3db090f31dd611b644a Commit 5e28b7b94408 introduced a logical error by failing to replace the newly generated IDR pointer to old id's pointer at the correct location within the "change handle" logic; this resulted in the issue reported by syzbot [1]. Specifically, the new IDR object pointer is intended to replace the original id's pointer during the normal execution flow. Additionally, an unnecessary conditional check for the ret exit path has been removed. [1] !RB_EMPTY_ROOT(&prime_fpriv->dmabufs) WARNING: drivers/gpu/drm/drm_prime.c:224 at drm_prime_destroy_file_private+0x48/0x60 drivers/gpu/drm/drm_prime.c:224, CPU#0: syz.0.17/5833 Call Trace: drm_file_free.part.0+0x7e6/0xcc0 drivers/gpu/drm/drm_file.c:269 drm_file_free drivers/gpu/drm/drm_file.c:237 [inline] drm_close_helper.isra.0+0x186/0x200 drivers/gpu/drm/drm_file.c:290 drm_release+0x1ab/0x360 drivers/gpu/drm/drm_file.c:438 Fixes: 5e28b7b94408 ("drm: Set old handle to NULL before prime swap in change_handle") Reported-by: syzbot+d7c9eed171647e421013@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d7c9eed171647e421013 Cc: stable@vger.kernel.org Tested-by: syzbot+d7c9eed171647e421013@syzkaller.appspotmail.com Signed-off-by: Edward Adam Davis <eadavis@qq.com> Signed-off-by: Dave Airlie <airlied@redhat.com> Link: https://patch.msgid.link/tencent_C267296443AAA4567771176886DFF364A305@qq.com 
Commit 5e28b7b94408 introduced a logical error by failing to replace the
newly generated IDR pointer to old id's pointer at the correct location
within the "change handle" logic; this resulted in the issue reported by
syzbot [1].

Specifically, the new IDR object pointer is intended to replace the original
id's pointer during the normal execution flow.

Additionally, an unnecessary conditional check for the ret exit path has
been removed.

[1]
!RB_EMPTY_ROOT(&prime_fpriv->dmabufs)
WARNING: drivers/gpu/drm/drm_prime.c:224 at drm_prime_destroy_file_private+0x48/0x60 drivers/gpu/drm/drm_prime.c:224, CPU#0: syz.0.17/5833
Call Trace:
 drm_file_free.part.0+0x7e6/0xcc0 drivers/gpu/drm/drm_file.c:269
 drm_file_free drivers/gpu/drm/drm_file.c:237 [inline]
 drm_close_helper.isra.0+0x186/0x200 drivers/gpu/drm/drm_file.c:290
 drm_release+0x1ab/0x360 drivers/gpu/drm/drm_file.c:438

Fixes: 5e28b7b94408 ("drm: Set old handle to NULL before prime swap in change_handle")
Reported-by: syzbot+d7c9eed171647e421013@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d7c9eed171647e421013
Cc: stable@vger.kernel.org
Tested-by: syzbot+d7c9eed171647e421013@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patch.msgid.link/tencent_C267296443AAA4567771176886DFF364A305@qq.com
Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux 2026-05-15T22:40:25+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-05-15T22:40:25+00:00 36343a8ff328efd3eb5604e3567d63e6c7906deb Pull arm64 MPAM fixes from Catalin Marinas: - Fix NULL dereference and a false-positive warning when the driver probes hardware with surprising version numbers - Fix writing values to the wrong registers when probing cache-utilisation counters. Replace 'NRDY' probing with a version that is robust for platforms where the bit is writeable by both hardware and software * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm_mpam: Check whether the config array is allocated before destroying it arm_mpam: Fix false positive assert failure during mpam_disable() arm_mpam: Improve check for whether or not NRDY is hardware managed arm_mpam: Pretend that NRDY is always hardware managed arm_mpam: Fix monitor instance selection when checking for hardware NRDY 
Pull arm64 MPAM fixes from Catalin Marinas:

 - Fix NULL dereference and a false-positive warning when the driver
   probes hardware with surprising version numbers

 - Fix writing values to the wrong registers when probing
   cache-utilisation counters. Replace 'NRDY' probing with a version
   that is robust for platforms where the bit is writeable by both
   hardware and software

* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
  arm_mpam: Check whether the config array is allocated before destroying it
  arm_mpam: Fix false positive assert failure during mpam_disable()
  arm_mpam: Improve check for whether or not NRDY is hardware managed
  arm_mpam: Pretend that NRDY is always hardware managed
  arm_mpam: Fix monitor instance selection when checking for hardware NRDY
Merge tag 'iommu-fixes-v7.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/iommu/linux 2026-05-15T22:22:26+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-05-15T22:22:26+00:00 30e0ff6d6a83586486674c343db5e9d933bd92e0 Pull iommu fixes from Joerg Roedel: "This is probably the largest fixes pull-request ever sent for IOMMU. I partially blame it on AI code review which found some issues but there is also some rework in here to fix issues in the iommu parts of PCI device reset. AMD-Vi: - Add bounds checks to debugfs and table lookups Intel VT-d: - Apply an existing quirk for Q35 graphic device - Skip dev_pasid teardown for the blocked domain to avoid out-of-bounds access - Return early if dev_pasid is missing to prevent NULL dereference or UAF Core: - Fix bugs and corner cases in pci_dev_reset_iommu_prepare/done() - Fix various issues found by AI in iommupt code MAINTAINERS email address update for RISCV IOMMU" * tag 'iommu-fixes-v7.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/iommu/linux: MAINTAINERS: update Tomasz Jeznach's email address iommupt: Fix the end_index calculation in __map_range_leaf() iommupt: Check for missing PAGE_SIZE in the pgsize_bitmap iommu: Handle unmap error when iommu_debug is enabled iommu: Fix up map/unmap debugging for iommupt domains iommu: Fix loss of errno on map failure for classic ops iommu/vt-d: Avoid NULL pointer dereference or refcount corruption iommu/vt-d: Fix oops due to out of scope access iommu/vt-d: Disable DMAR for Intel Q35 IGFX iommu: Warn on premature unblock during DMA aliased sibling reset iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset iommu: Fix ATS invalidation timeouts during __iommu_remove_group_pasid() iommu: Fix nested pci_dev_reset_iommu_prepare/done() iommu: Fix pasid attach in pci_dev_reset_iommu_prepare/done() iommu: Replace per-group resetting_domain with per-gdev blocked flag iommu: Fix kdocs of pci_dev_reset_iommu_done() iommu: Fix NULL group->domain dereference in pci_dev_reset_iommu_done() iommu/amd: Bounds-check devid in __rlookup_amd_iommu() iommu/amd: Remove latent out-of-bounds access in IOMMU debugfs 
Pull iommu fixes from Joerg Roedel:
 "This is probably the largest fixes pull-request ever sent for IOMMU. I
  partially blame it on AI code review which found some issues but there
  is also some rework in here to fix issues in the iommu parts of PCI
  device reset.

  AMD-Vi:
   - Add bounds checks to debugfs and table lookups

  Intel VT-d:
   - Apply an existing quirk for Q35 graphic device
   - Skip dev_pasid teardown for the blocked domain to avoid
     out-of-bounds access
   - Return early if dev_pasid is missing to prevent NULL dereference
     or UAF

  Core:
   - Fix bugs and corner cases in pci_dev_reset_iommu_prepare/done()
   - Fix various issues found by AI in iommupt code

  MAINTAINERS email address update for RISCV IOMMU"

* tag 'iommu-fixes-v7.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/iommu/linux:
  MAINTAINERS: update Tomasz Jeznach's email address
  iommupt: Fix the end_index calculation in __map_range_leaf()
  iommupt: Check for missing PAGE_SIZE in the pgsize_bitmap
  iommu: Handle unmap error when iommu_debug is enabled
  iommu: Fix up map/unmap debugging for iommupt domains
  iommu: Fix loss of errno on map failure for classic ops
  iommu/vt-d: Avoid NULL pointer dereference or refcount corruption
  iommu/vt-d: Fix oops due to out of scope access
  iommu/vt-d: Disable DMAR for Intel Q35 IGFX
  iommu: Warn on premature unblock during DMA aliased sibling reset
  iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset
  iommu: Fix ATS invalidation timeouts during __iommu_remove_group_pasid()
  iommu: Fix nested pci_dev_reset_iommu_prepare/done()
  iommu: Fix pasid attach in pci_dev_reset_iommu_prepare/done()
  iommu: Replace per-group resetting_domain with per-gdev blocked flag
  iommu: Fix kdocs of pci_dev_reset_iommu_done()
  iommu: Fix NULL group->domain dereference in pci_dev_reset_iommu_done()
  iommu/amd: Bounds-check devid in __rlookup_amd_iommu()
  iommu/amd: Remove latent out-of-bounds access in IOMMU debugfs
Merge tag 'vfio-v7.1-rc4' of https://github.com/awilliam/linux-vfio 2026-05-15T22:13:02+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-05-15T22:13:02+00:00 3bf83e47b497d2630d2dcb408ec14ad95050cead Pull VFIO fixes from Alex Williamson: - Convert vfio-pci BAR resource requests and iomaps initialization from a lazy, on-demand model to an eager pre-allocation model to avoid races while preserving legacy error behavior. Fix unchecked barmap access in dma-buf export path (Matt Evans) - Introduce an implicit unsigned cast in converting vfio-pci device offsets to region indexes, closing a potential out-of-bounds access through the vfio_pci_ioeventfd() interface (Matt Evans) - Fix a dma-buf kref underflow and stuck wait_for_completion() when closing a previously revoked dma-buf (Alex Williamson) * tag 'vfio-v7.1-rc4' of https://github.com/awilliam/linux-vfio: vfio/pci: Check BAR resources before exporting a DMABUF vfio/pci: Set up BAR resources and maps in vfio_pci_core_enable() vfio/pci: Make VFIO_PCI_OFFSET_TO_INDEX() return unsigned vfio/pci: fix dma-buf kref underflow after revoke 
Pull VFIO fixes from Alex Williamson:

 - Convert vfio-pci BAR resource requests and iomaps initialization
   from a lazy, on-demand model to an eager pre-allocation model to
   avoid races while preserving legacy error behavior.  Fix unchecked
   barmap access in dma-buf export path (Matt Evans)

 - Introduce an implicit unsigned cast in converting vfio-pci device
   offsets to region indexes, closing a potential out-of-bounds
   access through the vfio_pci_ioeventfd() interface (Matt Evans)

 - Fix a dma-buf kref underflow and stuck wait_for_completion() when
   closing a previously revoked dma-buf (Alex Williamson)

* tag 'vfio-v7.1-rc4' of https://github.com/awilliam/linux-vfio:
  vfio/pci: Check BAR resources before exporting a DMABUF
  vfio/pci: Set up BAR resources and maps in vfio_pci_core_enable()
  vfio/pci: Make VFIO_PCI_OFFSET_TO_INDEX() return unsigned
  vfio/pci: fix dma-buf kref underflow after revoke