linux.git/include/uapi/linux, branch master Linux kernel source tree Merge tag 'net-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-06-25T19:25:36+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-25T19:25:36+00:00 805185b7c7a1069e407b6f7b3bc98e44d415f484 Pull networking fixes from Jakub Kicinski: "Including fixes from netfilter and IPsec. Current release - regressions: - do not acquire dev->tx_global_lock in netdev_watchdog_up() - ethtool: keep rtnl_lock for ops using ethtool_op_get_link() - fix deadlock in nested UP notifier events Current release - new code bugs: - eth: - cn20k: fix subbank free list indexing for search order - airoha: fix BQL underflow in shared QDMA TX ring Previous releases - regressions: - netfilter: - flowtable: fix offloaded ct timeout never being extended - nf_conncount: prevent connlimit drops for early confirmed ct Previous releases - always broken: - require CAP_NET_ADMIN in the originating netns when modifying cross-netns devices - report NAPI thread PID in the caller's pid namespace - mac802154: fix dirty frag in in-place crypto for IOT radios - sctp: hold socket lock when dumping endpoints in sctp_diag, avoid an overflow - eth: gve: fix header buffer corruption with header-split and HW-GRO - af_key: initialize alg_key_len for IPComp states, prevent OOB read" * tag 'net-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (213 commits) selftests: bonding: add a test for VLAN propagation over a bonded real device vlan: defer real device state propagation to netdev_work net: add the driver-facing netdev_work scheduling API net: turn the rx_mode work into a generic netdev_work facility net: ethtool: keep rtnl_lock for ops using ethtool_op_get_link() rxrpc: Fix rxrpc_rotate_tx_rotate() to check there's something to rotate rxrpc: Fix leak of released call in recvmsg(MSG_PEEK) rxrpc: Fix socket notification race rxrpc: Fix potential infinite loop in rxrpc_recvmsg() rxrpc: Fix oob challenge leak in cleanup after notification failure rxrpc: Fix the reception of a reply packet before data transmission afs: Fix uncancelled rxrpc OOB message handler afs: Fix further netns teardown to cancel the preallocation charger rxrpc: Fix double unlock in rxrpc_recvmsg() rxrpc: Fix leak of connection from OOB challenge rxrpc: Fix ACKALL packet handling net: hns3: differentiate autoneg default values between copper and fiber net: hns3: fix permanent link down deadlock after reset net: hns3: refactor MAC autoneg and speed configuration net: hns3: unify copper port ksettings configuration path ... 
Pull networking fixes from Jakub Kicinski:
 "Including fixes from netfilter and IPsec.

  Current release - regressions:

   - do not acquire dev->tx_global_lock in netdev_watchdog_up()

   - ethtool: keep rtnl_lock for ops using ethtool_op_get_link()

   - fix deadlock in nested UP notifier events

  Current release - new code bugs:

   - eth:
      - cn20k: fix subbank free list indexing for search order
      - airoha: fix BQL underflow in shared QDMA TX ring

  Previous releases - regressions:

   - netfilter:
     - flowtable: fix offloaded ct timeout never being extended
     - nf_conncount: prevent connlimit drops for early confirmed ct

  Previous releases - always broken:

   - require CAP_NET_ADMIN in the originating netns when modifying
     cross-netns devices

   - report NAPI thread PID in the caller's pid namespace

   - mac802154: fix dirty frag in in-place crypto for IOT radios

   - sctp: hold socket lock when dumping endpoints in sctp_diag, avoid
     an overflow

   - eth: gve: fix header buffer corruption with header-split and HW-GRO

   - af_key: initialize alg_key_len for IPComp states, prevent OOB read"

* tag 'net-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (213 commits)
  selftests: bonding: add a test for VLAN propagation over a bonded real device
  vlan: defer real device state propagation to netdev_work
  net: add the driver-facing netdev_work scheduling API
  net: turn the rx_mode work into a generic netdev_work facility
  net: ethtool: keep rtnl_lock for ops using ethtool_op_get_link()
  rxrpc: Fix rxrpc_rotate_tx_rotate() to check there's something to rotate
  rxrpc: Fix leak of released call in recvmsg(MSG_PEEK)
  rxrpc: Fix socket notification race
  rxrpc: Fix potential infinite loop in rxrpc_recvmsg()
  rxrpc: Fix oob challenge leak in cleanup after notification failure
  rxrpc: Fix the reception of a reply packet before data transmission
  afs: Fix uncancelled rxrpc OOB message handler
  afs: Fix further netns teardown to cancel the preallocation charger
  rxrpc: Fix double unlock in rxrpc_recvmsg()
  rxrpc: Fix leak of connection from OOB challenge
  rxrpc: Fix ACKALL packet handling
  net: hns3: differentiate autoneg default values between copper and fiber
  net: hns3: fix permanent link down deadlock after reset
  net: hns3: refactor MAC autoneg and speed configuration
  net: hns3: unify copper port ksettings configuration path
  ...
Merge tag 'input-for-v7.2-rc0' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2026-06-24T18:16:06+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-24T18:16:06+00:00 e1611017870fa1582b5ff9ec0edc09542318daa6 Pull input updates from Dmitry Torokhov: - A new driver for Wacom W9000-series penabled touchscreens - Updates to STM FTS driver adding support for reset line and preparing the driver for STMFTS5 support - Updates to RMI4 and IMS PCU drivers hardening the code - Support for half-duplex mode restored in ADS7846 driver - Updates to driver's device_id tables to use named initializers - Removal of no longer used PCAP keys and touchscreen drivers (support for the ezx series of phones was removed in 2022) - Removal of xilinx_ps2 driver which is no longer used either - Updates to userio to allow setting up additional serio port characteristics (such as id, extra and proto) - Assorted hardening and cleanup fixes for other drivers * tag 'input-for-v7.2-rc0' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: (72 commits) Input: mms114 - fix touch indexing for MMS134S and MMS136 Input: elan_i2c - prevent division by zero and arithmetic underflow Input: stop force-feedback timer when unregistering input devices Input: iforce - bound the device-reported force-feedback effect index Input: goodix - clamp the device-reported contact count Input: mms114 - reject an oversized device packet size Input: touchwin - reset the packet index on every complete packet Input: rmi4 - update formatting in F12 Input: rmi4 - propagate proper error code in F12 sensor tuning Input: rmi4 - simplify size calculations in F12 Input: rmi4 - use sizeof(*ptr) and idiomatic checks in f12 allocators Input: rmi4 - use devm_kmalloc for F12 data packet buffer Input: rmi4 - use flexible array member for IRQ masks in F12 Input: rmi4 - use unaligned access helpers in F12 Input: rmi4 - change reg_size type to u32 Input: rmi4 - refactor F12 probe function Input: rmi4 - use kzalloc_flex() for struct rmi_function Input: rmi4 - refactor function allocation and registration Input: rmi4 - use local presence map in rmi_read_register_desc() Input: rmi4 - fix limit in rmi_register_desc_has_subpacket() ... 
Pull input updates from Dmitry Torokhov:

 - A new driver for Wacom W9000-series penabled touchscreens

 - Updates to STM FTS driver adding support for reset line and preparing
   the driver for STMFTS5 support

 - Updates to RMI4 and IMS PCU drivers hardening the code

 - Support for half-duplex mode restored in ADS7846 driver

 - Updates to driver's device_id tables to use named initializers

 - Removal of no longer used PCAP keys and touchscreen drivers (support
   for the ezx series of phones was removed in 2022)

 - Removal of xilinx_ps2 driver which is no longer used either

 - Updates to userio to allow setting up additional serio port
   characteristics (such as id, extra and proto)

 - Assorted hardening and cleanup fixes for other drivers

* tag 'input-for-v7.2-rc0' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: (72 commits)
  Input: mms114 - fix touch indexing for MMS134S and MMS136
  Input: elan_i2c - prevent division by zero and arithmetic underflow
  Input: stop force-feedback timer when unregistering input devices
  Input: iforce - bound the device-reported force-feedback effect index
  Input: goodix - clamp the device-reported contact count
  Input: mms114 - reject an oversized device packet size
  Input: touchwin - reset the packet index on every complete packet
  Input: rmi4 - update formatting in F12
  Input: rmi4 - propagate proper error code in F12 sensor tuning
  Input: rmi4 - simplify size calculations in F12
  Input: rmi4 - use sizeof(*ptr) and idiomatic checks in f12 allocators
  Input: rmi4 - use devm_kmalloc for F12 data packet buffer
  Input: rmi4 - use flexible array member for IRQ masks in F12
  Input: rmi4 - use unaligned access helpers in F12
  Input: rmi4 - change reg_size type to u32
  Input: rmi4 - refactor F12 probe function
  Input: rmi4 - use kzalloc_flex() for struct rmi_function
  Input: rmi4 - refactor function allocation and registration
  Input: rmi4 - use local presence map in rmi_read_register_desc()
  Input: rmi4 - fix limit in rmi_register_desc_has_subpacket()
  ...
Merge tag 'char-misc-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc 2026-06-22T19:20:21+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-22T19:20:21+00:00 0000d9ccbcfa90411c88f70850501723389312b9 Pull misc driver updates from Greg KH: "Here is the big set of char, misc, iio, fpga, and other small driver subsystems changes for 7.2-rc1. Lots of little stuff in here, the majority being of course the IIO driver updates, as a list they are: - IIO driver updates and additions - GPIB driver bugfixes and cleanups - Android binder driver updates (rust and C version) - counter driver updates - MHI driver updates - mei driver updates - w1 driver updates - interconnect driver updates - Comedi driver fixes and updates - some obsolete char drivers removed (applicom and dtlk) - hwtracing driver updates - other tiny driver updates All of these have been in linux-next for a while with no reported issues" * tag 'char-misc-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (406 commits) w1: ds2482: Use named initializers for arrays of i2c_device_data firmware: stratix10-svc: Add support to query Arm Trusted Firmware (ATF) version firmware: stratix10-rsu: avoid blocking reboot_image sysfs when busy coresight: ultrasoc-smb: Fix OOB write in smb_sync_perf_buffer() iio: adc: nxp-sar-adc: harden buffer ISR against per-channel read failure iio: chemical: scd30: Replace manual locking with RAII locking iio: light: tsl2591: remove unneeded tsl2591_compatible_als_persist_cycle() iio: dac: ad5686: create bus ops struct iio: dac: ad5686: cleanup doc header of local structs iio: dac: ad5686: add control_sync() for single-channel devices iio: dac: ad5686: add helpers to handle powerdown masks iio: dac: ad5686: add of_match table to the spi driver iio: dac: ad5686: drop enum id iio: dac: ad5686: remove redundant register definition iio: dac: ad5686: refactor include headers iio: adc: ad4080: fix AD4880 chip ID iio: light: veml3328: add support for new device dt-bindings: iio: light: veml6030: add veml3328 fpga: microchip-spi: fix zero header_size OOB read in mpf_ops_parse_header() fpga: dfl-afu: validate DMA mapping length in afu_dma_map_region() ... 
Pull misc driver updates from Greg KH:
 "Here is the big set of char, misc, iio, fpga, and other small driver
  subsystems changes for 7.2-rc1.

  Lots of little stuff in here, the majority being of course the IIO
  driver updates, as a list they are:

   - IIO driver updates and additions

   - GPIB driver bugfixes and cleanups

   - Android binder driver updates (rust and C version)

   - counter driver updates

   - MHI driver updates

   - mei driver updates

   - w1 driver updates

   - interconnect driver updates

   - Comedi driver fixes and updates

   - some obsolete char drivers removed (applicom and dtlk)

   - hwtracing driver updates

   - other tiny driver updates

  All of these have been in linux-next for a while with no reported
  issues"

* tag 'char-misc-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (406 commits)
  w1: ds2482: Use named initializers for arrays of i2c_device_data
  firmware: stratix10-svc: Add support to query Arm Trusted Firmware (ATF) version
  firmware: stratix10-rsu: avoid blocking reboot_image sysfs when busy
  coresight: ultrasoc-smb: Fix OOB write in smb_sync_perf_buffer()
  iio: adc: nxp-sar-adc: harden buffer ISR against per-channel read failure
  iio: chemical: scd30: Replace manual locking with RAII locking
  iio: light: tsl2591: remove unneeded tsl2591_compatible_als_persist_cycle()
  iio: dac: ad5686: create bus ops struct
  iio: dac: ad5686: cleanup doc header of local structs
  iio: dac: ad5686: add control_sync() for single-channel devices
  iio: dac: ad5686: add helpers to handle powerdown masks
  iio: dac: ad5686: add of_match table to the spi driver
  iio: dac: ad5686: drop enum id
  iio: dac: ad5686: remove redundant register definition
  iio: dac: ad5686: refactor include headers
  iio: adc: ad4080: fix AD4880 chip ID
  iio: light: veml3328: add support for new device
  dt-bindings: iio: light: veml6030: add veml3328
  fpga: microchip-spi: fix zero header_size OOB read in mpf_ops_parse_header()
  fpga: dfl-afu: validate DMA mapping length in afu_dma_map_region()
  ...
Merge tag 'tty-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty 2026-06-22T18:51:49+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-22T18:51:49+00:00 8a500fd09385a13ba598cda651f2e4ac40bfa578 Pull tty / serial driver updates from Greg KH: "Here is the big set of TTY and Serial driver updates for 7.2-rc1. Overall we end up removing more code than added, due to an obsolete synclink_gt driver being removed from the tree, always a nice thing to see happen. Other than that driver removal, major things included in here are: - max310x serial driver updates and fixes - 8250 driver updates and rework in places to make it more "modern" - dts file updates - serial driver core tweaks and updates - vt code cleanups - vc_screen crash fixes - other minor driver updates and cleanups All of these have been in linux-next for well over a week with no reported issues" * tag 'tty-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: (49 commits) serial: 8250_pci: Don't specify conflicting values to pci_device_id members vc_screen: fix null-ptr-deref in vcs_notifier() during concurrent vcs_write serial: qcom_geni: Fix RX DMA stall when SE_DMA_RX_LEN_IN is zero vt: merge ucs_is_zero_width()/ucs_is_double_width() into ucs_get_width() serial: 8250: fix possible ISR soft lockup dt-bindings: serial: rs485: remove deprecated .txt binding stub serial: qcom-geni: trace: Add tracepoint support for Qualcomm GENI serial tty: serial: Use named initializers for arrays of i2c_device_data serial: 8250_dw: remove clock-notifier infrastructure serial: 8250_dw: unregister 8250 port if clk_notifier_register() fails amba/serial: amba-pl011: Bring back zx29 UART support serial: 8250: Add support for console flow control serial: 8250: Check LSR timeout on console flow control serial: 8250: Set cons_flow on port registration tty: serial: 8250: protect against NULL uart->port.dev in register arm64: dts: add support for A9 based Amlogic BY401 dt-bindings: arm: amlogic: add A311Y3 support serial: max310x: fix compile errors if CONFIG_SPI_MASTER is disabled serial: qcom-geni: Avoid probing debug console UART without console support serial: max310x: add comments for PLL limits ... 
Pull tty / serial driver updates from Greg KH:
 "Here is the big set of TTY and Serial driver updates for 7.2-rc1.

  Overall we end up removing more code than added, due to an obsolete
  synclink_gt driver being removed from the tree, always a nice thing to
  see happen.

  Other than that driver removal, major things included in here are:

   - max310x serial driver updates and fixes

   - 8250 driver updates and rework in places to make it more "modern"

   - dts file updates

   - serial driver core tweaks and updates

   - vt code cleanups

   - vc_screen crash fixes

   - other minor driver updates and cleanups

  All of these have been in linux-next for well over a week with no
  reported issues"

* tag 'tty-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: (49 commits)
  serial: 8250_pci: Don't specify conflicting values to pci_device_id members
  vc_screen: fix null-ptr-deref in vcs_notifier() during concurrent vcs_write
  serial: qcom_geni: Fix RX DMA stall when SE_DMA_RX_LEN_IN is zero
  vt: merge ucs_is_zero_width()/ucs_is_double_width() into ucs_get_width()
  serial: 8250: fix possible ISR soft lockup
  dt-bindings: serial: rs485: remove deprecated .txt binding stub
  serial: qcom-geni: trace: Add tracepoint support for Qualcomm GENI serial
  tty: serial: Use named initializers for arrays of i2c_device_data
  serial: 8250_dw: remove clock-notifier infrastructure
  serial: 8250_dw: unregister 8250 port if clk_notifier_register() fails
  amba/serial: amba-pl011: Bring back zx29 UART support
  serial: 8250: Add support for console flow control
  serial: 8250: Check LSR timeout on console flow control
  serial: 8250: Set cons_flow on port registration
  tty: serial: 8250: protect against NULL uart->port.dev in register
  arm64: dts: add support for A9 based Amlogic BY401
  dt-bindings: arm: amlogic: add A311Y3 support
  serial: max310x: fix compile errors if CONFIG_SPI_MASTER is disabled
  serial: qcom-geni: Avoid probing debug console UART without console support
  serial: max310x: add comments for PLL limits
  ...
Merge tag 'liveupdate-v7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/liveupdate/linux 2026-06-21T16:46:14+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-21T16:46:14+00:00 d639d9fa162aadec1ae9980c4dcf6e50bd2f8290 Pull liveupdate updates from Mike Rapoport: "Kexec Handover (KHO): - make memory preservation compatible with deferred initialization of the memory map Live Update Orchestrator (LUO): - add LIVEUPDATE_SESSION_GET_NAME ioctl and parameter verification for LIVEUPDATE_IOCTL_CREATE_SESSION ioctl - documentation updates for liveupdate=on command line option, systemd support and the current compatibility status - remove the fixed limits on the number of files that can be preserved within a single session, and the total number of sessions managed by the LUO Misc fixes: - reference count incoming File-Lifecycle-Bound (FLB) data so it cannot be freed while a subsystem is still using it - fixes for a TOCTOU race in luo_session_retrieve(), a use- after-free in the file finish and unpreserve paths, concurrent session mutations during reboot and serialization on preserve_context kexec - make sure ioctls for incoming LUO sessions are blocked for outgoing sessions and vice versa - make sure KHO scratch size is always aligned by CMA_MIN_ALIGNMENT_BYTES - fix memblock tests build issue introduced by KHO changes" * tag 'liveupdate-v7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/liveupdate/linux: (36 commits) liveupdate: Document that retrieve failure is permanent docs: memfd_preservation: fix rendering of ABI documentation selftests/liveupdate: Add stress-files kexec test selftests/liveupdate: Add stress-sessions kexec test selftests/liveupdate: Test session and file limit removal liveupdate: Remove limit on the number of files per session liveupdate: Remove limit on the number of sessions liveupdate: defer session block allocation and physical address setting kho: add support for linked-block serialization liveupdate: Extract luo_session_deserialize_one helper liveupdate: Extract luo_file_deserialize_one helper liveupdate: register luo_ser as KHO subtree liveupdate: centralize state management into struct luo_ser liveupdate: avoid mixing cleanup guards with goto in luo_session_retrieve_fd liveupdate: change file_set->count type to u64 for type safety liveupdate: Remove unused ser field from struct luo_session liveupdate: fix u-a-f in luo_file_unpreserve_files() and luo_file_finish() liveupdate: block session mutations during reboot liveupdate: fix TOCTOU race in luo_session_retrieve() liveupdate: skip serialization for context-preserving kexec ... 
Pull liveupdate updates from Mike Rapoport:
 "Kexec Handover (KHO):

   - make memory preservation compatible with deferred initialization
     of the memory map

  Live Update Orchestrator (LUO):

   - add LIVEUPDATE_SESSION_GET_NAME ioctl and parameter verification
     for LIVEUPDATE_IOCTL_CREATE_SESSION ioctl

   - documentation updates for liveupdate=on command line option,
     systemd support and the current compatibility status

   - remove the fixed limits on the number of files that can be
     preserved within a single session, and the total number of
     sessions managed by the LUO

  Misc fixes:

   - reference count incoming File-Lifecycle-Bound (FLB) data so
     it cannot be freed while a subsystem is still using it

   - fixes for a TOCTOU race in luo_session_retrieve(), a use-
     after-free in the file finish and unpreserve paths, concurrent
     session mutations during reboot and serialization on
     preserve_context kexec

   - make sure ioctls for incoming LUO sessions are blocked for
     outgoing sessions and vice versa

   - make sure KHO scratch size is always aligned by
     CMA_MIN_ALIGNMENT_BYTES

   - fix memblock tests build issue introduced by KHO changes"

* tag 'liveupdate-v7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/liveupdate/linux: (36 commits)
  liveupdate: Document that retrieve failure is permanent
  docs: memfd_preservation: fix rendering of ABI documentation
  selftests/liveupdate: Add stress-files kexec test
  selftests/liveupdate: Add stress-sessions kexec test
  selftests/liveupdate: Test session and file limit removal
  liveupdate: Remove limit on the number of files per session
  liveupdate: Remove limit on the number of sessions
  liveupdate: defer session block allocation and physical address setting
  kho: add support for linked-block serialization
  liveupdate: Extract luo_session_deserialize_one helper
  liveupdate: Extract luo_file_deserialize_one helper
  liveupdate: register luo_ser as KHO subtree
  liveupdate: centralize state management into struct luo_ser
  liveupdate: avoid mixing cleanup guards with goto in luo_session_retrieve_fd
  liveupdate: change file_set->count type to u64 for type safety
  liveupdate: Remove unused ser field from struct luo_session
  liveupdate: fix u-a-f in luo_file_unpreserve_files() and luo_file_finish()
  liveupdate: block session mutations during reboot
  liveupdate: fix TOCTOU race in luo_session_retrieve()
  liveupdate: skip serialization for context-preserving kexec
  ...
netfilter: nf_conntrack_expect: use conntrack GC to reap expectations 2026-06-20T22:18:27+00:00 Pablo Neira Ayuso pablo@netfilter.org 2026-06-18T11:56:38+00:00 b8b09dc2bf35a00d4e0556b5d6308c7b917ebda2 This patch replaces the timer API by GC worker approach for expectations, as it already happened in many other subsystems. Use the existing conntrack GC worker to iterate over the local list of expectations in the master conntrack to reap expired expectations. Check IPS_HELPER_BIT to run GC for expectations, set it on for nft_ct expectation which nevers sets it. Hold the expectation spinlock while iterating over the master conntrack expectation list to synchronize with nf_ct_remove_expectations(). This also performs runtime packet path garbage collection through the expectation insertion and lookup functions while walking over one of the chains of the global expectation hashtables. Unconfirmed conntrack entries are skipped since ct->ext can be reallocated and dying are skipped since those will be gone soon. Set on IPS_HELPER_BIT if the helper ct extension is added, then the new GC worker does not need to bump the ct refcount to check if the ct->ext helper is available. This removes the extra bump on the refcount for expectation timers, this allows to remove several nf_ct_expect_put() calls after the unlink, after this update only refcount remains at 1 while on the expectation hashes. This patch implicitly addresses a race with the existing timer API allowing an expectation to access a stale exp->master pointer which has been already released when expectation removal loses races with an expiring timer, ie. timer_del() reporting false. Add a new NF_CT_EXPECT_DEAD flag to reap this expectation via GC. This is needed by nf_conntrack_unexpect_related() which is called in error paths to invalidate newly created expectations that has been added into the hashes. These expectactions cannot be inmediately released as GC or nf_ct_remove_expectations() could race to make it. On expectation insert, the runtime GC reaps stale expectations before checking the expectation limit set by policy. Set current timestamp in nf_ct_expect_alloc(), then add the expectation policy timeout (or custom timeout specified added on top of this) to specify the expectation lifetime. Fixes: bffcaad9afdf ("netfilter: ctnetlink: ensure safe access to master conntrack") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
This patch replaces the timer API by GC worker approach for
expectations, as it already happened in many other subsystems.

Use the existing conntrack GC worker to iterate over the local list of
expectations in the master conntrack to reap expired expectations.
Check IPS_HELPER_BIT to run GC for expectations, set it on for nft_ct
expectation which nevers sets it. Hold the expectation spinlock while
iterating over the master conntrack expectation list to synchronize with
nf_ct_remove_expectations(). This also performs runtime packet path
garbage collection through the expectation insertion and lookup
functions while walking over one of the chains of the global expectation
hashtables. Unconfirmed conntrack entries are skipped since ct->ext can
be reallocated and dying are skipped since those will be gone soon.
Set on IPS_HELPER_BIT if the helper ct extension is added, then the new
GC worker does not need to bump the ct refcount to check if the ct->ext
helper is available.

This removes the extra bump on the refcount for expectation timers, this
allows to remove several nf_ct_expect_put() calls after the unlink,
after this update only refcount remains at 1 while on the expectation
hashes.

This patch implicitly addresses a race with the existing timer API
allowing an expectation to access a stale exp->master pointer which has
been already released when expectation removal loses races with an
expiring timer, ie. timer_del() reporting false.

Add a new NF_CT_EXPECT_DEAD flag to reap this expectation via GC. This
is needed by nf_conntrack_unexpect_related() which is called in error
paths to invalidate newly created expectations that has been added into
the hashes. These expectactions cannot be inmediately released as GC or
nf_ct_remove_expectations() could race to make it. On expectation
insert, the runtime GC reaps stale expectations before checking the
expectation limit set by policy.

Set current timestamp in nf_ct_expect_alloc(), then add the expectation
policy timeout (or custom timeout specified added on top of this) to
specify the expectation lifetime.

Fixes: bffcaad9afdf ("netfilter: ctnetlink: ensure safe access to master conntrack")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Merge tag 'landlock-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux 2026-06-19T19:20:25+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-19T19:20:25+00:00 5e2e14749c3d969e263a879db104db6e9f0eb484 Pull landlock updates from Mickaël Salaün: "This adds new Landlock access rights to control UDP bind and connect/send operations, and a new "quiet" feature to mute specific specific audit logs (and other future observability events). A few commits also fix Landlock issues" * tag 'landlock-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux: (24 commits) selftests/landlock: Add tests for invalid use of quiet flag selftests/landlock: Add tests for quiet flag with scope selftests/landlock: Add tests for quiet flag with net rules selftests/landlock: Add tests for quiet flag with fs rules selftests/landlock: Replace hard-coded 16 with a constant samples/landlock: Add quiet flag support to sandboxer landlock: Suppress logging when quiet flag is present landlock: Add API support and docs for the quiet flags landlock: Add a place for flags to layer rules landlock: Add documentation for UDP support samples/landlock: Add sandboxer UDP access control selftests/landlock: Add tests for UDP send selftests/landlock: Add tests for UDP bind/connect landlock: Add UDP send+connect access control landlock: Add UDP bind() access control landlock: Fix unmarked concurrent access to socket family selftests/landlock: Explicitly disable audit in teardowns selftests/landlock: Test SCOPE_SIGNAL on the SIGIO/fowner pgid path landlock: Fix LANDLOCK_SCOPE_SIGNAL bypass on the SIGIO path landlock: Demonstrate best-effort allowed_access filtering ... 
Pull landlock updates from Mickaël Salaün:
 "This adds new Landlock access rights to control UDP bind and
  connect/send operations, and a new "quiet" feature to mute specific
  specific audit logs (and other future observability events).

  A few commits also fix Landlock issues"

* tag 'landlock-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux: (24 commits)
  selftests/landlock: Add tests for invalid use of quiet flag
  selftests/landlock: Add tests for quiet flag with scope
  selftests/landlock: Add tests for quiet flag with net rules
  selftests/landlock: Add tests for quiet flag with fs rules
  selftests/landlock: Replace hard-coded 16 with a constant
  samples/landlock: Add quiet flag support to sandboxer
  landlock: Suppress logging when quiet flag is present
  landlock: Add API support and docs for the quiet flags
  landlock: Add a place for flags to layer rules
  landlock: Add documentation for UDP support
  samples/landlock: Add sandboxer UDP access control
  selftests/landlock: Add tests for UDP send
  selftests/landlock: Add tests for UDP bind/connect
  landlock: Add UDP send+connect access control
  landlock: Add UDP bind() access control
  landlock: Fix unmarked concurrent access to socket family
  selftests/landlock: Explicitly disable audit in teardowns
  selftests/landlock: Test SCOPE_SIGNAL on the SIGIO/fowner pgid path
  landlock: Fix LANDLOCK_SCOPE_SIGNAL bypass on the SIGIO path
  landlock: Demonstrate best-effort allowed_access filtering
  ...
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm 2026-06-19T15:56:49+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-19T15:56:49+00:00 c98d767b34574be82b74d77d02264a830ae1cadd Pull kvm updates from Paolo Bonzini: "arm64: This is a bit of an odd merge window on the KVM/arm64 front. There is absolutely no new feature in the pull request. It is purely fixes, because it is simply becoming too hard to review new stuff when so many AI-fuelled fixes hit the list. - Significant cleanup of the vgic-v5 PPI support which was merged in 7.1. This makes the code more maintainable, and squashes a couple of bugs in the meantime - Set of fixes for the handling of the MMU in an NV context, particularly VNCR-triggered faults. S1POE support is fixed as well - Large set of pKVM fixes, mostly addressing recurring issues around hypervisor tracking of donated pages in obscure cases where the donation could fail and leave things in a bizarre state - Fixes for the so-called "lazy vgic init", which resulted in sleeping operations in non-preemptible sections. This turned out to be far more invasive than initially expected.. - Reduce the overhead of L1/L2 context switch by not touching the FP registers - Fix the way non-implemented page sizes are dealt with when a guest insist on using them for S2 translation - The usual set of low-impact fixes and cleanups all over the map Loongarch: - On a request for lazy FPU load, load all FPU state that the VM supports instead of enabling only the part (FPU, LSX or LASX) that caused the FPU load request - Some enhancements about interrupt injection - Some bug fixes and other small changes RISC-V: - Batch G-stage TLB flushes for GPA range based page table updates - Convert HGEI line management to fully per-HART - Fix missing CSR dirty marking when FWFT state updated via ONE_REG - Fix stale FWFT feature exposure to Guest/VM - Speed up dirty logging write faults using MMU rwlock and atomic PTE updates using cmpxchg() for permission-only changes - Use flexible array for APLIC IRQ state - Use kvm_slot_dirty_track_enabled() for logging enable check on a memslot - Avoid skipping valid pages in kvm_riscv_gstage_wp_range() - Avoid skipping valid pages in kvm_riscv_gstage_unmap_range() - Use endian-specific __lelong for NACL shared memory S390: - KVM_PRE_FAULT_MEMORY support - Support for 2G hugepages - Support for the ASTFLEIE 2 facility - Support for fast inject using kvm_arch_set_irq_inatomic - Fix potential leak of uninitialized bytes - A few more misc gmap fixes x86: - Generic support for the more granular permissions allowed by EPT, namely "read" (which was previously usurping the U bit) and separate execution bits for kernel and userspace - Do not assume that all page tables start with U=1/W=1/NX=0 at the root, as AMD GMET needs to have U=0 at the root - Introduce common assembly macros for use within Intel and AMD vendor-specific vmentry code. This touches the SPEC_CTRL handling, which is now entirely done in assembly for Intel (by reusing the AMD code that already existed), and register save/restore which uses some macro magic to compute the offsets in the struct. Both of these are preparatory changes for upcoming APX support - Clean up KVM's register tracking and storage, primarily to prepare for APX support, which expands the maximum number of GPRs from 16 to 32 - Keep a single copy of the PDPTRs rather than two, since architecturally there is just one - Handle EXIT_FASTPATH_EXIT_USERSPACE in vendor code to ensure vendor code gets a chance to handle things like reaping the PML buffer - Update KVM's view of PV async enabling if and only if the MSR write fully succeeds - Fix a variety of issues where the emulator doesn't honor guest-debug state, and clean up related code along the way - Synthesize EPT Violation and #NPF "error code" bits when injecting faults into L1 that didn't originate in hardware (in which case the VMCS/VMCB doesn't hold relevant information) - Add support for virtualizing (well, emulating) AMD's flavor of CPL>0 CPUID faulting - Clean up the GPR APIs so that KVM's use of "raw" is consistent, and fix a variety of minor bugs along the way - Fix an OOB memory access due to not checking the VP ID when handling a Hyper-V PV TLB flush for L2 - Fix a bug in the mediated PMU's handling of fixed counters that allowed the guest to bypass the PMU event filter - Allow userspace to return EAGAIN when handling SNP and TDX hypercalls, so the KVM can forward a "retry" status code to the guest, and reserve all unused error codes for future usage - Overhaul the TDP MMU => S-EPT code to move as much S-EPT specific logic as possible into the TDX code, and to funnel (almost) all S-EPT updates into a single chokepoint. The motivation is largely to prepare for upcoming Dynamic PAMT support, but the cleanups are nice to have on their own - Plug a hole in shadow page table handling, where KVM fails to recursively zap nested EPT/NPT shadow page tables when the nested hypervisor tears down its own EPT/NPT page tables from the bottom up x86 (Intel): - Support for nested MBEC (Mode-Based Execute Control), see above in the generic section; also run with MBEC enabled even for non-nested mode - Use the kernel's "enum pg_level" in the TDX APIs instead of the TDX-Module's level definitions (which are 0-based) - Rework the TDX memory APIs to not require/assume that guest memory is backed by "struct page" (in prepartion for guest_memfd hugepage support) - Fix a largely benign bug where KVM TDX would incorrectly state it could emulate several x2APIC MSRs - Use the "safe" WRMSR API when proxying LBR MSR writes as the to-be-written value is guest controlled and completely unvalidated x86 (AMD): - Support for nested GMET (Guest Mode Execution Trap), see above in the generic section; also run with GMET enabled even for non-nested mode - Fixes and minor cleanups to GHCB handling, on top of the earlier work already merged into 7.1-rc - Ensure KVM's copy of CR0 and CR3 are up-to-date prior to invoking fastpath handlers - Add support for virtualizing gPAT (KVM previously just used L1's PAT when running L2) - Fix goofs where KVM mishandles side effects (e.g. single-step and PMC updates) when emulating VMRUN - Fix a variety of bugs in AVIC's handling of x2APIC MSR interception, most notably where KVM didn't disable interception of IRR, ISR, and TMR regs - Add support for virtualizing Host-Only/Guest-Only bits in the mediated PMU - Don't advertise support for unusable VM types, and account for VM types that are disabled by firmware, e.g. to mitigate security vulnerabilities - Rewrite the SEV {en,de}crypt debug ioctls as they were riddle with bugs and unnecessarily complicated, and add comprehensive tests - Clean up and deduplicate the SEV page pinning code - Fix minor goofs related to writing back CPUID information after firmware rejects a CPUID page for an SNP vCPU Generic: - Rename invalidate_begin() to invalidate_start() throughout KVM to follow the kernel's nomenclature, e.g. for mmu_notifiers - Use guard() to cleanup up various KVM+VFIO flows - Minor cleanups guest_memfd: - Return -EEXIST instead of -EINVAL if userspace attempts to bind a gmem range to multiple memslots, and fix the test that was supposed to ensure KVM returns -EEXIST - Treat memslot binding offsets and sizes as unsigned values to fix a bug where KVM interprets a large "offset + size" as a negative value and allows a nonsensical offset - Use the inode number instead of the page offset for the NUMA interleaving index to fix a bug where the effective index would jump by two for consecutive pages (the caller also adds in the page offset) Selftests: - Randomize the dirty log test's delay when reaping the bitmap on the first pass, as always waiting only 1ms hid a KVM RISC-V bug as the test reaped the bitmap before KVM could build up enough state to hit the bug - A pile of one-off fixes and cleanups" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (326 commits) KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level KVM: x86: Fix shadow paging use-after-free due to unexpected role KVM: s390: Introducing kvm_arch_set_irq_inatomic fast inject KVM: s390: Enable adapter_indicators_set to use mapped pages KVM: s390: Add map/unmap ioctl and clean mappings post-guest riscv: kvm: Use endian-specific __lelong for NACL shared memory KVM: selftests: access_tracking_perf_test: bump number of NUMA nodes to 32 KVM: s390: vsie: Implement ASTFLEIE facility 2 KVM: s390: vsie: Refactor handle_stfle s390/sclp: Detect ASTFLEIE 2 facility KVM: s390: Minor refactor of base/ext facility lists KVM: x86/mmu: move pdptrs out of the MMU KVM: x86: check that kvm_handle_invpcid is only invoked with shadow paging KVM: nSVM: invalidate cached PDPTRs across nested NPT transitions KVM: nVMX: remove unnecessary code in prepare_vmcs02_rare KVM: x86: remove nested_mmu from mmu_is_nested() KVM: arm64: vgic-its: Make ABI commit helpers return void KVM: s390: Initialize KVM_S390_GET_CMMA_BITS memory LoongArch: KVM: Add missing slots_lock for device register/unregister LoongArch: KVM: Validate irqchip index in irqfd routing ... 
Pull kvm updates from Paolo Bonzini:
 "arm64:

     This is a bit of an odd merge window on the KVM/arm64 front. There
     is absolutely no new feature in the pull request. It is purely
     fixes, because it is simply becoming too hard to review new stuff
     when so many AI-fuelled fixes hit the list.

   - Significant cleanup of the vgic-v5 PPI support which was merged in
     7.1. This makes the code more maintainable, and squashes a couple
     of bugs in the meantime

   - Set of fixes for the handling of the MMU in an NV context,
     particularly VNCR-triggered faults. S1POE support is fixed as well

   - Large set of pKVM fixes, mostly addressing recurring issues around
     hypervisor tracking of donated pages in obscure cases where the
     donation could fail and leave things in a bizarre state

   - Fixes for the so-called "lazy vgic init", which resulted in
     sleeping operations in non-preemptible sections. This turned out to
     be far more invasive than initially expected..

   - Reduce the overhead of L1/L2 context switch by not touching the FP
     registers

   - Fix the way non-implemented page sizes are dealt with when a guest
     insist on using them for S2 translation

   - The usual set of low-impact fixes and cleanups all over the map

  Loongarch:

   - On a request for lazy FPU load, load all FPU state that the VM
     supports instead of enabling only the part (FPU, LSX or LASX) that
     caused the FPU load request

   - Some enhancements about interrupt injection

   - Some bug fixes and other small changes

  RISC-V:

   - Batch G-stage TLB flushes for GPA range based page table updates

   - Convert HGEI line management to fully per-HART

   - Fix missing CSR dirty marking when FWFT state updated via ONE_REG

   - Fix stale FWFT feature exposure to Guest/VM

   - Speed up dirty logging write faults using MMU rwlock and atomic PTE
     updates using cmpxchg() for permission-only changes

   - Use flexible array for APLIC IRQ state

   - Use kvm_slot_dirty_track_enabled() for logging enable check on a
     memslot

   - Avoid skipping valid pages in kvm_riscv_gstage_wp_range()

   - Avoid skipping valid pages in kvm_riscv_gstage_unmap_range()

   - Use endian-specific __lelong for NACL shared memory

  S390:

   - KVM_PRE_FAULT_MEMORY support

   - Support for 2G hugepages

   - Support for the ASTFLEIE 2 facility

   - Support for fast inject using kvm_arch_set_irq_inatomic

   - Fix potential leak of uninitialized bytes

   - A few more misc gmap fixes

  x86:

   - Generic support for the more granular permissions allowed by EPT,
     namely "read" (which was previously usurping the U bit) and
     separate execution bits for kernel and userspace

   - Do not assume that all page tables start with U=1/W=1/NX=0 at the
     root, as AMD GMET needs to have U=0 at the root

   - Introduce common assembly macros for use within Intel and AMD
     vendor-specific vmentry code. This touches the SPEC_CTRL handling,
     which is now entirely done in assembly for Intel (by reusing the
     AMD code that already existed), and register save/restore which
     uses some macro magic to compute the offsets in the struct. Both of
     these are preparatory changes for upcoming APX support

   - Clean up KVM's register tracking and storage, primarily to prepare
     for APX support, which expands the maximum number of GPRs from 16
     to 32

   - Keep a single copy of the PDPTRs rather than two, since
     architecturally there is just one

   - Handle EXIT_FASTPATH_EXIT_USERSPACE in vendor code to ensure vendor
     code gets a chance to handle things like reaping the PML buffer

   - Update KVM's view of PV async enabling if and only if the MSR write
     fully succeeds

   - Fix a variety of issues where the emulator doesn't honor
     guest-debug state, and clean up related code along the way

   - Synthesize EPT Violation and #NPF "error code" bits when injecting
     faults into L1 that didn't originate in hardware (in which case the
     VMCS/VMCB doesn't hold relevant information)

   - Add support for virtualizing (well, emulating) AMD's flavor of
     CPL>0 CPUID faulting

   - Clean up the GPR APIs so that KVM's use of "raw" is consistent, and
     fix a variety of minor bugs along the way

   - Fix an OOB memory access due to not checking the VP ID when
     handling a Hyper-V PV TLB flush for L2

   - Fix a bug in the mediated PMU's handling of fixed counters that
     allowed the guest to bypass the PMU event filter

   - Allow userspace to return EAGAIN when handling SNP and TDX
     hypercalls, so the KVM can forward a "retry" status code to the
     guest, and reserve all unused error codes for future usage

   - Overhaul the TDP MMU => S-EPT code to move as much S-EPT specific
     logic as possible into the TDX code, and to funnel (almost) all
     S-EPT updates into a single chokepoint. The motivation is largely
     to prepare for upcoming Dynamic PAMT support, but the cleanups are
     nice to have on their own

   - Plug a hole in shadow page table handling, where KVM fails to
     recursively zap nested EPT/NPT shadow page tables when the nested
     hypervisor tears down its own EPT/NPT page tables from the bottom
     up

  x86 (Intel):

   - Support for nested MBEC (Mode-Based Execute Control), see above in
     the generic section; also run with MBEC enabled even for non-nested
     mode

   - Use the kernel's "enum pg_level" in the TDX APIs instead of the
     TDX-Module's level definitions (which are 0-based)

   - Rework the TDX memory APIs to not require/assume that guest memory
     is backed by "struct page" (in prepartion for guest_memfd hugepage
     support)

   - Fix a largely benign bug where KVM TDX would incorrectly state it
     could emulate several x2APIC MSRs

   - Use the "safe" WRMSR API when proxying LBR MSR writes as the
     to-be-written value is guest controlled and completely unvalidated

  x86 (AMD):

   - Support for nested GMET (Guest Mode Execution Trap), see above in
     the generic section; also run with GMET enabled even for non-nested
     mode

   - Fixes and minor cleanups to GHCB handling, on top of the earlier
     work already merged into 7.1-rc

   - Ensure KVM's copy of CR0 and CR3 are up-to-date prior to invoking
     fastpath handlers

   - Add support for virtualizing gPAT (KVM previously just used L1's
     PAT when running L2)

   - Fix goofs where KVM mishandles side effects (e.g. single-step and
     PMC updates) when emulating VMRUN

   - Fix a variety of bugs in AVIC's handling of x2APIC MSR
     interception, most notably where KVM didn't disable interception of
     IRR, ISR, and TMR regs

   - Add support for virtualizing Host-Only/Guest-Only bits in the
     mediated PMU

   - Don't advertise support for unusable VM types, and account for VM
     types that are disabled by firmware, e.g. to mitigate security
     vulnerabilities

   - Rewrite the SEV {en,de}crypt debug ioctls as they were riddle with
     bugs and unnecessarily complicated, and add comprehensive tests

   - Clean up and deduplicate the SEV page pinning code

   - Fix minor goofs related to writing back CPUID information after
     firmware rejects a CPUID page for an SNP vCPU

  Generic:

   - Rename invalidate_begin() to invalidate_start() throughout KVM to
     follow the kernel's nomenclature, e.g. for mmu_notifiers

   - Use guard() to cleanup up various KVM+VFIO flows

   - Minor cleanups

  guest_memfd:

   - Return -EEXIST instead of -EINVAL if userspace attempts to bind a
     gmem range to multiple memslots, and fix the test that was supposed
     to ensure KVM returns -EEXIST

   - Treat memslot binding offsets and sizes as unsigned values to fix a
     bug where KVM interprets a large "offset + size" as a negative
     value and allows a nonsensical offset

   - Use the inode number instead of the page offset for the NUMA
     interleaving index to fix a bug where the effective index would
     jump by two for consecutive pages (the caller also adds in the page
     offset)

  Selftests:

   - Randomize the dirty log test's delay when reaping the bitmap on the
     first pass, as always waiting only 1ms hid a KVM RISC-V bug as the
     test reaped the bitmap before KVM could build up enough state to
     hit the bug

   - A pile of one-off fixes and cleanups"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (326 commits)
  KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level
  KVM: x86: Fix shadow paging use-after-free due to unexpected role
  KVM: s390: Introducing kvm_arch_set_irq_inatomic fast inject
  KVM: s390: Enable adapter_indicators_set to use mapped pages
  KVM: s390: Add map/unmap ioctl and clean mappings post-guest
  riscv: kvm: Use endian-specific __lelong for NACL shared memory
  KVM: selftests: access_tracking_perf_test: bump number of NUMA nodes to 32
  KVM: s390: vsie: Implement ASTFLEIE facility 2
  KVM: s390: vsie: Refactor handle_stfle
  s390/sclp: Detect ASTFLEIE 2 facility
  KVM: s390: Minor refactor of base/ext facility lists
  KVM: x86/mmu: move pdptrs out of the MMU
  KVM: x86: check that kvm_handle_invpcid is only invoked with shadow paging
  KVM: nSVM: invalidate cached PDPTRs across nested NPT transitions
  KVM: nVMX: remove unnecessary code in prepare_vmcs02_rare
  KVM: x86: remove nested_mmu from mmu_is_nested()
  KVM: arm64: vgic-its: Make ABI commit helpers return void
  KVM: s390: Initialize KVM_S390_GET_CMMA_BITS memory
  LoongArch: KVM: Add missing slots_lock for device register/unregister
  LoongArch: KVM: Validate irqchip index in irqfd routing
  ...
Merge tag 'media/v7.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media 2026-06-19T00:21:54+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-19T00:21:54+00:00 8c13415c8a4383447c21ec832b20b3b283f0e01a Pull media updates from Mauro Carvalho Chehab: - v4l2: - core: fix subdev sensor ownership - subdev: Allow accessing routes with STREAMS client capability - ctrls: Add validation for HEVC active reference counts and background detection control - common: Add YUV24 format info and has_alpha helper - vb2: Change vb2_read() and vb2_write() return types to ssize_t - i2c: cvs: Add driver of Intel Computer Vision Sensing Controller(CVS) - atmel-isc: remove deprecated driver - cec: Add CEC Latency Indication Protocol (LIP) support - imon: Add iMON VFD HID OEM v1.2 key mappings - AVMatrix: new HWS capture driver - isp4: new AMD capture driver - qcom: - iris: Add hierarchical coding, B-frame, and Long-Term Reference support for encoder - camss: Add SM6350 platform support - venus: Add SM6115 platform support - chips-media: wave5: Add support for Packed YUV422, CBP profile, and background detection - csi2rx: Add multistream support and 32 dma chans - Several cleanups and fixes * tag 'media/v7.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (394 commits) media: v4l2-fwnode: Fix subdev owner overwritten in v4l2_async_register_subdev_sensor() media: qcom: iris: vdec: allow GEN2 decoding into 10bit format media: qcom: iris: vdec: update find_format to handle 8bit and 10bit formats media: qcom: iris: vdec: update size and stride calculations for 10bit formats media: qcom: iris: gen2: add support for 10bit decoding media: qcom: iris: add QC10C & P010 buffer size calculations media: qcom: iris: add helpers for 8bit and 10bit formats media: qcom: iris: Fix FPS calculation and VPP FW overhead media: qcom: camss: vfe-340: Support for PIX client media: qcom: camss: vfe-340: Proper client handling media: qcom: camss: csid-340: Enable PIX interface routing media: qcom: camss: csid-340: Add port-to-interface mapping media: qcom: camss: csid-340: Switch to generic CSID_CFG/CTRL registers media: iris: Initialize HFI ops after firmware load in core init media: iris: drop struct iris_fmt media: iris: Add platform data for X1P42100 media: iris: Add hardware power on/off ops for X1P42100 media: iris: optimize COMV buffer allocation for VPU3x and VPU4x media: iris: add FPS calculation and VPP FW overhead in frequency formula media: qcom: iris: Simplify COMV size calculation ... 
Pull media updates from Mauro Carvalho Chehab:

 - v4l2:
     - core: fix subdev sensor ownership
     - subdev: Allow accessing routes with STREAMS client capability
     - ctrls: Add validation for HEVC active reference counts and
       background detection control
     - common: Add YUV24 format info and has_alpha helper

 - vb2: Change vb2_read() and vb2_write() return types to ssize_t

 - i2c: cvs: Add driver of Intel Computer Vision Sensing Controller(CVS)

 - atmel-isc: remove deprecated driver

 - cec: Add CEC Latency Indication Protocol (LIP) support

 - imon: Add iMON VFD HID OEM v1.2 key mappings

 - AVMatrix: new HWS capture driver

 - isp4: new AMD capture driver

 - qcom:
     - iris: Add hierarchical coding, B-frame, and Long-Term Reference
       support for encoder
     - camss: Add SM6350 platform support
     - venus: Add SM6115 platform support

 - chips-media: wave5: Add support for Packed YUV422, CBP profile, and
   background detection

 - csi2rx: Add multistream support and 32 dma chans

 - Several cleanups and fixes

* tag 'media/v7.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (394 commits)
  media: v4l2-fwnode: Fix subdev owner overwritten in v4l2_async_register_subdev_sensor()
  media: qcom: iris: vdec: allow GEN2 decoding into 10bit format
  media: qcom: iris: vdec: update find_format to handle 8bit and 10bit formats
  media: qcom: iris: vdec: update size and stride calculations for 10bit formats
  media: qcom: iris: gen2: add support for 10bit decoding
  media: qcom: iris: add QC10C & P010 buffer size calculations
  media: qcom: iris: add helpers for 8bit and 10bit formats
  media: qcom: iris: Fix FPS calculation and VPP FW overhead
  media: qcom: camss: vfe-340: Support for PIX client
  media: qcom: camss: vfe-340: Proper client handling
  media: qcom: camss: csid-340: Enable PIX interface routing
  media: qcom: camss: csid-340: Add port-to-interface mapping
  media: qcom: camss: csid-340: Switch to generic CSID_CFG/CTRL registers
  media: iris: Initialize HFI ops after firmware load in core init
  media: iris: drop struct iris_fmt
  media: iris: Add platform data for X1P42100
  media: iris: Add hardware power on/off ops for X1P42100
  media: iris: optimize COMV buffer allocation for VPU3x and VPU4x
  media: iris: add FPS calculation and VPP FW overhead in frequency formula
  media: qcom: iris: Simplify COMV size calculation
  ...
Merge tag 'nfsd-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux 2026-06-18T16:14:15+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-18T16:14:15+00:00 3dc7c001169d112b3e514cacff6c93091c57af9a Pull nfsd updates from Chuck Lever: "Jeff Layton wired up netlink upcalls for the auth.unix.ip and auth.unix.gid caches in SunRPC and the svc_export and nfsd.fh caches in NFSD. The new kernel-user API is more extensible and lays the groundwork for retiring the old pipe interface. The default NFS r/w block size rises to 4MB on hosts with at least 16GB of RAM, reducing per-RPC overhead on fast networks. Smaller machines keep their previously computed default, and the value remains tunable through /proc/fs/nfsd/max_block_size. Chuck Lever converted the server's RPCSEC GSS Kerberos code to the kernel's shared crypto/krb5 library. The conversion retires and removes SunRPC's bespoke implementation of Kerberos v5, but keeps RPCSEC GSS-API. Continuing the xdrgen migration that converted the NLMv4 server XDR layer in v7.1, Chuck Lever converted the NLM version 3 server-side XDR layer from hand-written C to xdrgen-generated code. As with the NLMv4 conversion in v7.1, the goals are improved memory safety, lower maintenance burden, and groundwork for generation of Rust code for this layer instead of C. Chuck Lever fixed an issue where lingering NFSv4 state pins a mounted file system after it is unexported. A new netlink-based mechanism can now release NLM locks and NFSv4 state by client address, by filesystem, and by export. Now an administrator can quiesce an export cleanly before unmounting it. The remaining patches are bug fixes, clean-ups, and minor optimizations, including a batch of memory-leak and use-after-free fixes in the ACL, lockd, and TLS handshake paths, many of them reported by Chris Mason. Sincere thanks to all contributors, reviewers, testers, and bug reporters who participated in the v7.2 NFSD development cycle" * tag 'nfsd-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux: (106 commits) svcrdma: wake sq waiters when the transport closes nfsd: reset write verifier on deferred writeback errors nfsd: avoid leaking pre-allocated openowner on unconfirmed retry race sunrpc: wait for in-flight TLS handshake callback when cancel loses race sunrpc: pin svc_xprt across the asynchronous TLS handshake callback nfsd: fix posix_acl leak on SETACL decode failure nfsd: fix posix_acl leak and ignored error in nfsd4_create_file nfsd: check get_user() return when reading princhashlen nfsd: fix inverted cp_ttl check in async copy reaper nfsd: fix dead ACL conflict guard in nfsd4_create NFSD: Fix SECINFO_NO_NAME decode error cleanup sunrpc: harden rq_procinfo lifecycle to prevent double-free SUNRPC: Return an error from xdr_buf_to_bvec() on overflow SUNRPC: Bound-check xdr_buf_to_bvec() stores before writing nfsd: release layout stid on setlease failure lockd: Avoid hashing uninitialized bytes in nlm4svc_lookup_file() lockd: Plug nlm_file refcount leak on cached nlm_do_fopen() failure lockd: Plug nlm_file leak when nlm_do_fopen() fails Revert "NFSD: Defer sub-object cleanup in export put callbacks" Revert "svcrdma: Use contiguous pages for RDMA Read sink buffers" ... 
Pull nfsd updates from Chuck Lever:
 "Jeff Layton wired up netlink upcalls for the auth.unix.ip and
  auth.unix.gid caches in SunRPC and the svc_export and nfsd.fh caches
  in NFSD. The new kernel-user API is more extensible and lays the
  groundwork for retiring the old pipe interface.

  The default NFS r/w block size rises to 4MB on hosts with at least
  16GB of RAM, reducing per-RPC overhead on fast networks. Smaller
  machines keep their previously computed default, and the value remains
  tunable through /proc/fs/nfsd/max_block_size.

  Chuck Lever converted the server's RPCSEC GSS Kerberos code to the
  kernel's shared crypto/krb5 library. The conversion retires and
  removes SunRPC's bespoke implementation of Kerberos v5, but keeps
  RPCSEC GSS-API.

  Continuing the xdrgen migration that converted the NLMv4 server XDR
  layer in v7.1, Chuck Lever converted the NLM version 3 server-side XDR
  layer from hand-written C to xdrgen-generated code. As with the NLMv4
  conversion in v7.1, the goals are improved memory safety, lower
  maintenance burden, and groundwork for generation of Rust code for
  this layer instead of C.

  Chuck Lever fixed an issue where lingering NFSv4 state pins a mounted
  file system after it is unexported. A new netlink-based mechanism can
  now release NLM locks and NFSv4 state by client address, by
  filesystem, and by export. Now an administrator can quiesce an export
  cleanly before unmounting it.

  The remaining patches are bug fixes, clean-ups, and minor
  optimizations, including a batch of memory-leak and use-after-free
  fixes in the ACL, lockd, and TLS handshake paths, many of them
  reported by Chris Mason. Sincere thanks to all contributors,
  reviewers, testers, and bug reporters who participated in the v7.2
  NFSD development cycle"

* tag 'nfsd-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux: (106 commits)
  svcrdma: wake sq waiters when the transport closes
  nfsd: reset write verifier on deferred writeback errors
  nfsd: avoid leaking pre-allocated openowner on unconfirmed retry race
  sunrpc: wait for in-flight TLS handshake callback when cancel loses race
  sunrpc: pin svc_xprt across the asynchronous TLS handshake callback
  nfsd: fix posix_acl leak on SETACL decode failure
  nfsd: fix posix_acl leak and ignored error in nfsd4_create_file
  nfsd: check get_user() return when reading princhashlen
  nfsd: fix inverted cp_ttl check in async copy reaper
  nfsd: fix dead ACL conflict guard in nfsd4_create
  NFSD: Fix SECINFO_NO_NAME decode error cleanup
  sunrpc: harden rq_procinfo lifecycle to prevent double-free
  SUNRPC: Return an error from xdr_buf_to_bvec() on overflow
  SUNRPC: Bound-check xdr_buf_to_bvec() stores before writing
  nfsd: release layout stid on setlease failure
  lockd: Avoid hashing uninitialized bytes in nlm4svc_lookup_file()
  lockd: Plug nlm_file refcount leak on cached nlm_do_fopen() failure
  lockd: Plug nlm_file leak when nlm_do_fopen() fails
  Revert "NFSD: Defer sub-object cleanup in export put callbacks"
  Revert "svcrdma: Use contiguous pages for RDMA Read sink buffers"
  ...