<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/tools/testing, branch master</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>Merge tag 'vfs-7.2-rc2.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs</title>
<updated>2026-07-03T15:48:05+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-03T15:48:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=71dfdfb0209b43dfd6f494f84f5548e4cfd18cb5'/>
<id>71dfdfb0209b43dfd6f494f84f5548e4cfd18cb5</id>
<content type='text'>
Pull vfs fixes from Christian Brauner:

 - netfs:

    - fix the decision when to disallow write-streaming with fscache in
      use, handling of asynchronous cache object creation, a double fput
      in cachefiles, clearing S_KERNEL_FILE without the inode lock held,
      page extraction bugs in the iov_iter helpers (a potential
      underflow, a missing allocation failure check, a memory leak, and
      a folio offset miscalculation), writeback error and ENOMEM
      handling, DIO write retry for filesystems without a
      -&gt;prepare_write() method, and the replacement of the wb_lock mutex
      with a bit lock plus writethrough collection offload so that
      multiple asynchronous writebacks don't interfere with each other.

    - Fix the barriering when walking the netfs subrequest list during
      retries as it was possible to see a subrequest that was just added
      by the application thread.

 - iomap:

    - Change iomap to submit read bios after each extent instead of
      building them up across extents. The old behavior was considered
      problematic for a while and now caused an actual erofs bug.

    - Guard the ioend io_size EOF trim in iomap against underflow when a
      concurrent truncate moves EOF below the start of the ioend,
      wrapping io_size to a huge value.

 - overlayfs

    - Fix a stale overlayfs comment about the locking order.

    - Store the linked-in upper dentry instead of the disconnected
      O_TMPFILE dentry during overlayfs tmpfile copy-up. With a FUSE or
      virtiofs upper layer -&gt;d_revalidate() would try to look up "/" in
      the workdir and fail, causing persistent ESTALE errors that broke
      dpkg and apt.

 - vfs-bpf:

   Have the bpf_real_data_inode() kfunc take a struct file instead of a
   dentry so it is usable from the bprm_check_security, mmap_file, and
   file_mprotect hooks, and rename it from bpf_real_inode() to make the
   data-inode semantics explicit. The kfunc landed this cycle so the
   change is safe.

 - afs:

   NULL pointer dereferences in the callback service and in
   afs_get_tree(), several memory and refcount leaks, missing locking
   around the dynamic root inode numbers and premature cell exposure
   through /afs, a netns destruction hang caused by a misplaced
   increment of net-&gt;cells_outstanding, a bulk lookup malfunction caused
   by the dir_emit() API change, inode (re)initialisation issues, and
   assorted smaller fixes to error codes, seqlock handling, and debug
   output.

 - vfs:

   Refuse O_TMPFILE creation with an unmapped fsuid or fsgid and add a
   selftest for it.

 - vboxsf:

   Add Jori Koolstra as vboxsf maintainer, taking over from Hans de
   Goede.

 - dio:

   Release the pages attached to a short atomic dio bio; the REQ_ATOMIC
   size check error path leaked them.

 - procfs:

   Only bump the parent directory link count when registering
   directories in procfs. Registering regular files inflated the count
   and leaked a link on every create and remove cycle.

 - minix:

   Avoid an unsigned overflow in the minix bitmap block count
   calculation that let crafted images with huge inode or zone counts
   pass superblock validation and crash the kernel during mount.

 - cachefiles:

   Fix a double unlock in the cachefiles nomem_d_alloc error path left
   over from the start_creating() conversion.

 - fat:

   Stop fat from reading directory entries past the 0x00
   end-of-directory marker. If the trailing on-disk slots aren't
   zero-filled the driver surfaced arbitrary garbage as directory
   entries.

 - freexvfs:

   Don't BUG() on unknown typed-extent types in freevxfs, reachable via
   ioctl(FIBMAP) on a crafted image; fail with an I/O error instead.

 - orangefs:

   Keep the readdir entry size 64-bit in orangefs fill_from_part().
   Truncating it to __u32 bypassed the bounds check and led to
   out-of-bounds reads triggerable by the userspace client.

 - xfs:

   Fix the error unwind in xfs_open_devices() which released the rt
   device file twice and left dangling buftarg pointers behind that were
   freed again when the failed mount was torn down.

 - exec:

   Fix an off-by-one in the comment documenting the maximum binfmt
   rewrite depth in exec_binprm(). The code allows five rewrites, not
   four; restricting the code would break userspace so the comment is
   fixed instead.

 - file handles:

   Reject detached mounts in capable_wrt_mount(). A detached mount can
   be dissolved concurrently, leaving a NULL mount namespace that
   open_by_handle_at() would dereference.

* tag 'vfs-7.2-rc2.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: (57 commits)
  netfs: Fix barriering when walking subrequest list
  iomap: submit read bio after each extent
  fuse: call fuse_send_readpages explicitly from fuse_readahead
  iomap: consolidate bio submission
  fhandle: reject detached mounts in capable_wrt_mount()
  netfs: Fix DIO write retry for filesystems without a -&gt;prepare_write()
  netfs: Fix folio state after ENOMEM whilst under writeback iteration
  netfs: Fix writeback error handling
  netfs: Fix writethrough to use collection offload
  netfs: Replace wb_lock with a bit lock for asynchronicity
  netfs: Fix kdoc warning
  scatterlist: Fix offset in folio calc in extract_xarray_to_sg()
  iov_iter: Remove unused variable in kunit_iov_iter.c
  iov_iter: Fix a memory leak in iov_iter_extract_user_pages()
  iov_iter: Fix missing alloc fail check in iov_iter_extract_bvec_pages()
  iov_iter: Fix potential underflow in iov_iter_extract_xarray_pages()
  cachefiles: Fix file burial to take lock when unsetting S_KERNEL_FILE
  cachefiles: Fix double fput
  netfs: Fix netfs_create_write_req() to handle async cache object creation
  netfs: Fix decision whether to disallow write-streaming due to fscache use
  ...
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull vfs fixes from Christian Brauner:

 - netfs:

    - fix the decision when to disallow write-streaming with fscache in
      use, handling of asynchronous cache object creation, a double fput
      in cachefiles, clearing S_KERNEL_FILE without the inode lock held,
      page extraction bugs in the iov_iter helpers (a potential
      underflow, a missing allocation failure check, a memory leak, and
      a folio offset miscalculation), writeback error and ENOMEM
      handling, DIO write retry for filesystems without a
      -&gt;prepare_write() method, and the replacement of the wb_lock mutex
      with a bit lock plus writethrough collection offload so that
      multiple asynchronous writebacks don't interfere with each other.

    - Fix the barriering when walking the netfs subrequest list during
      retries as it was possible to see a subrequest that was just added
      by the application thread.

 - iomap:

    - Change iomap to submit read bios after each extent instead of
      building them up across extents. The old behavior was considered
      problematic for a while and now caused an actual erofs bug.

    - Guard the ioend io_size EOF trim in iomap against underflow when a
      concurrent truncate moves EOF below the start of the ioend,
      wrapping io_size to a huge value.

 - overlayfs

    - Fix a stale overlayfs comment about the locking order.

    - Store the linked-in upper dentry instead of the disconnected
      O_TMPFILE dentry during overlayfs tmpfile copy-up. With a FUSE or
      virtiofs upper layer -&gt;d_revalidate() would try to look up "/" in
      the workdir and fail, causing persistent ESTALE errors that broke
      dpkg and apt.

 - vfs-bpf:

   Have the bpf_real_data_inode() kfunc take a struct file instead of a
   dentry so it is usable from the bprm_check_security, mmap_file, and
   file_mprotect hooks, and rename it from bpf_real_inode() to make the
   data-inode semantics explicit. The kfunc landed this cycle so the
   change is safe.

 - afs:

   NULL pointer dereferences in the callback service and in
   afs_get_tree(), several memory and refcount leaks, missing locking
   around the dynamic root inode numbers and premature cell exposure
   through /afs, a netns destruction hang caused by a misplaced
   increment of net-&gt;cells_outstanding, a bulk lookup malfunction caused
   by the dir_emit() API change, inode (re)initialisation issues, and
   assorted smaller fixes to error codes, seqlock handling, and debug
   output.

 - vfs:

   Refuse O_TMPFILE creation with an unmapped fsuid or fsgid and add a
   selftest for it.

 - vboxsf:

   Add Jori Koolstra as vboxsf maintainer, taking over from Hans de
   Goede.

 - dio:

   Release the pages attached to a short atomic dio bio; the REQ_ATOMIC
   size check error path leaked them.

 - procfs:

   Only bump the parent directory link count when registering
   directories in procfs. Registering regular files inflated the count
   and leaked a link on every create and remove cycle.

 - minix:

   Avoid an unsigned overflow in the minix bitmap block count
   calculation that let crafted images with huge inode or zone counts
   pass superblock validation and crash the kernel during mount.

 - cachefiles:

   Fix a double unlock in the cachefiles nomem_d_alloc error path left
   over from the start_creating() conversion.

 - fat:

   Stop fat from reading directory entries past the 0x00
   end-of-directory marker. If the trailing on-disk slots aren't
   zero-filled the driver surfaced arbitrary garbage as directory
   entries.

 - freexvfs:

   Don't BUG() on unknown typed-extent types in freevxfs, reachable via
   ioctl(FIBMAP) on a crafted image; fail with an I/O error instead.

 - orangefs:

   Keep the readdir entry size 64-bit in orangefs fill_from_part().
   Truncating it to __u32 bypassed the bounds check and led to
   out-of-bounds reads triggerable by the userspace client.

 - xfs:

   Fix the error unwind in xfs_open_devices() which released the rt
   device file twice and left dangling buftarg pointers behind that were
   freed again when the failed mount was torn down.

 - exec:

   Fix an off-by-one in the comment documenting the maximum binfmt
   rewrite depth in exec_binprm(). The code allows five rewrites, not
   four; restricting the code would break userspace so the comment is
   fixed instead.

 - file handles:

   Reject detached mounts in capable_wrt_mount(). A detached mount can
   be dissolved concurrently, leaving a NULL mount namespace that
   open_by_handle_at() would dereference.

* tag 'vfs-7.2-rc2.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: (57 commits)
  netfs: Fix barriering when walking subrequest list
  iomap: submit read bio after each extent
  fuse: call fuse_send_readpages explicitly from fuse_readahead
  iomap: consolidate bio submission
  fhandle: reject detached mounts in capable_wrt_mount()
  netfs: Fix DIO write retry for filesystems without a -&gt;prepare_write()
  netfs: Fix folio state after ENOMEM whilst under writeback iteration
  netfs: Fix writeback error handling
  netfs: Fix writethrough to use collection offload
  netfs: Replace wb_lock with a bit lock for asynchronicity
  netfs: Fix kdoc warning
  scatterlist: Fix offset in folio calc in extract_xarray_to_sg()
  iov_iter: Remove unused variable in kunit_iov_iter.c
  iov_iter: Fix a memory leak in iov_iter_extract_user_pages()
  iov_iter: Fix missing alloc fail check in iov_iter_extract_bvec_pages()
  iov_iter: Fix potential underflow in iov_iter_extract_xarray_pages()
  cachefiles: Fix file burial to take lock when unsetting S_KERNEL_FILE
  cachefiles: Fix double fput
  netfs: Fix netfs_create_write_req() to handle async cache object creation
  netfs: Fix decision whether to disallow write-streaming due to fscache use
  ...
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'device-id-rework' of git://git.kernel.org/pub/scm/linux/kernel/git/ukleinek/linux</title>
<updated>2026-07-03T06:54:26+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-03T06:54:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=d2c9a99135da931377240942d44f3dea104cedb8'/>
<id>d2c9a99135da931377240942d44f3dea104cedb8</id>
<content type='text'>
Pull mod_devicetable.h header split from Uwe Kleine-König:
 "Split &lt;linux/mod_devicetable.h&gt; in per subsystem headers

  &lt;linux/mod_devicetable.h&gt; is included transitively in nearly every
  driver in an x86_64 allmodconfig build of v7.1:

      $ find drivers -name \*.o -not -name \*.mod.o | wc -l
      21330
      $ find drivers -name \*.o.cmd -not -name \*.mod.o.cmd | xargs grep -l mod_devicetable.h | wc -l
      17038

  The result of this mixture of different and unrelated subsystem
  details is that even when touching an obscure device id struct most of
  the kernel needs to be recompiled. Given that each driver typically
  only needs one or two of these structures, splitting into per
  subsystem headers and only including what is really needed reduces the
  amount of needed recompilation.

  This split is implemented in the first commit and then after some
  preparatory work in the following commits, the last two replace
  includes of &lt;linux/mod_devicetable.h&gt; by the actually needed more
  specific headers.

  There are still a few instances left, but the ones with high impact
  (that is in headers that are used a lot) and the easy ones (.c files)
  are handled. These remaining includes will be addressed during the
  next merge window"

* tag 'device-id-rework' of git://git.kernel.org/pub/scm/linux/kernel/git/ukleinek/linux:
  Replace &lt;linux/mod_devicetable.h&gt; by more specific &lt;linux/device-id/*.h&gt; (c files)
  Replace &lt;linux/mod_devicetable.h&gt; by more specific &lt;linux/device-id/*.h&gt; (headers)
  parisc: #include &lt;linux/compiler.h&gt; for unlikely() in &lt;asm/ptrace.h&gt;
  media: em28xx: Add include for struct usb_device_id
  LoongArch: KVM: Add include defining struct cpu_feature
  ALSA: hda/core: Add include defining struct hda_device_id
  usb: dwc2: Add include defining struct pci_device_id
  platform/x86: int3472: Add include defining struct dmi_system_id
  platform/x86: x86-android-tablets: Add include defining struct dmi_system_id
  i2c: Let i2c-core.h include &lt;linux/i2c.h&gt;
  of: Explicitly include &lt;linux/types.h&gt; and &lt;linux/err.h&gt;
  platform/x86: msi-ec: Ensure dmi_system_id is defined
  usb: serial: Include &lt;linux/usb.h&gt; in &lt;linux/usb/serial.h&gt;
  driver core: platform: Include header for struct platform_device_id
  driver: core: Include headers for acpi_device_id and of_device_id for struct device_driver
  media: ti: vpe: #include &lt;linux/platform_device.h&gt; explicitly
  mod_devicetable.h: Split into per subsystem headers
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull mod_devicetable.h header split from Uwe Kleine-König:
 "Split &lt;linux/mod_devicetable.h&gt; in per subsystem headers

  &lt;linux/mod_devicetable.h&gt; is included transitively in nearly every
  driver in an x86_64 allmodconfig build of v7.1:

      $ find drivers -name \*.o -not -name \*.mod.o | wc -l
      21330
      $ find drivers -name \*.o.cmd -not -name \*.mod.o.cmd | xargs grep -l mod_devicetable.h | wc -l
      17038

  The result of this mixture of different and unrelated subsystem
  details is that even when touching an obscure device id struct most of
  the kernel needs to be recompiled. Given that each driver typically
  only needs one or two of these structures, splitting into per
  subsystem headers and only including what is really needed reduces the
  amount of needed recompilation.

  This split is implemented in the first commit and then after some
  preparatory work in the following commits, the last two replace
  includes of &lt;linux/mod_devicetable.h&gt; by the actually needed more
  specific headers.

  There are still a few instances left, but the ones with high impact
  (that is in headers that are used a lot) and the easy ones (.c files)
  are handled. These remaining includes will be addressed during the
  next merge window"

* tag 'device-id-rework' of git://git.kernel.org/pub/scm/linux/kernel/git/ukleinek/linux:
  Replace &lt;linux/mod_devicetable.h&gt; by more specific &lt;linux/device-id/*.h&gt; (c files)
  Replace &lt;linux/mod_devicetable.h&gt; by more specific &lt;linux/device-id/*.h&gt; (headers)
  parisc: #include &lt;linux/compiler.h&gt; for unlikely() in &lt;asm/ptrace.h&gt;
  media: em28xx: Add include for struct usb_device_id
  LoongArch: KVM: Add include defining struct cpu_feature
  ALSA: hda/core: Add include defining struct hda_device_id
  usb: dwc2: Add include defining struct pci_device_id
  platform/x86: int3472: Add include defining struct dmi_system_id
  platform/x86: x86-android-tablets: Add include defining struct dmi_system_id
  i2c: Let i2c-core.h include &lt;linux/i2c.h&gt;
  of: Explicitly include &lt;linux/types.h&gt; and &lt;linux/err.h&gt;
  platform/x86: msi-ec: Ensure dmi_system_id is defined
  usb: serial: Include &lt;linux/usb.h&gt; in &lt;linux/usb/serial.h&gt;
  driver core: platform: Include header for struct platform_device_id
  driver: core: Include headers for acpi_device_id and of_device_id for struct device_driver
  media: ti: vpe: #include &lt;linux/platform_device.h&gt; explicitly
  mod_devicetable.h: Split into per subsystem headers
</pre>
</div>
</content>
</entry>
<entry>
<title>Replace &lt;linux/mod_devicetable.h&gt; by more specific &lt;linux/device-id/*.h&gt; (c files)</title>
<updated>2026-07-03T05:38:17+00:00</updated>
<author>
<name>Uwe Kleine-König (The Capable Hub)</name>
<email>u.kleine-koenig@baylibre.com</email>
</author>
<published>2026-06-30T09:24:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=995832b2cebe6969d1b42635db698803ee31294d'/>
<id>995832b2cebe6969d1b42635db698803ee31294d</id>
<content type='text'>
Replace the #include of &lt;linux/mod_devicetable.h&gt; by the more specific
&lt;linux/device-id/*.h&gt; where applicable. For most cases the include
can be dropped completely, only a few drivers need one or two headers
added.

Acked-by: Danilo Krummrich &lt;dakr@kernel.org&gt;
Acked-by: Takashi Sakamoto &lt;o-takashi@sakamocchi.jp&gt;
Acked-by: Bjorn Helgaas &lt;bhelgaas@google.com&gt;
Link: https://patch.msgid.link/1a3f2007c5c5dcf555c09a4035ce3ae8ef1b6c49.1782808461.git.u.kleine-koenig@baylibre.com
Signed-off-by: Uwe Kleine-König (The Capable Hub) &lt;u.kleine-koenig@baylibre.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Replace the #include of &lt;linux/mod_devicetable.h&gt; by the more specific
&lt;linux/device-id/*.h&gt; where applicable. For most cases the include
can be dropped completely, only a few drivers need one or two headers
added.

Acked-by: Danilo Krummrich &lt;dakr@kernel.org&gt;
Acked-by: Takashi Sakamoto &lt;o-takashi@sakamocchi.jp&gt;
Acked-by: Bjorn Helgaas &lt;bhelgaas@google.com&gt;
Link: https://patch.msgid.link/1a3f2007c5c5dcf555c09a4035ce3ae8ef1b6c49.1782808461.git.u.kleine-koenig@baylibre.com
Signed-off-by: Uwe Kleine-König (The Capable Hub) &lt;u.kleine-koenig@baylibre.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf</title>
<updated>2026-07-03T02:39:28+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-03T02:39:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=51512e22efe813d8223de27f6fd02a8a48ea2323'/>
<id>51512e22efe813d8223de27f6fd02a8a48ea2323</id>
<content type='text'>
Pull BPF fixes from Daniel Borkmann:

 - Initialize task local storage before fork bails out to free the task
   (Jann Horn)

 - Fix insn_aux_data leak on verifier error path (KaFai Wan)

 - Reject BPF inode storage map creation when BPF LSM is uninitialized
   (Matt Bobrowski)

 - Mask pseudo pointer values in verifier logs when pointer leaks are
   not allowed (Nuoqi Gui)

 - Harden BPF JIT against spraying via IBPB flush (Pawan Gupta)

 - Reject a skb-modifying SK_SKB stream parser since the latter is only
   meant to measure the next message (Sechang Lim)

 - Fix bpf_refcount_acquire to reject refcounted allocation arguments
   with a non-zero fixed offset (Yiyang Chen)

* tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
  bpf: Prefer dirty packs for eBPF allocations
  bpf: Prefer packs that won't trigger an IBPB flush on allocation
  bpf: Skip redundant IBPB in pack allocator
  bpf: Restrict JIT predictor flush to cBPF
  x86/bugs: Enable IBPB flush on BPF JIT allocation
  bpf: Support for hardening against JIT spraying
  bpf: Reject BPF_MAP_TYPE_INODE_STORAGE creation if BPF LSM is uninitialized
  bpf,fork: wipe -&gt;bpf_storage before bailouts that access it
  bpf: Fix insn_aux_data leak on verifier err_free_env path
  selftests/bpf: Cover pseudo-BTF ksym log masking
  bpf: Mask pseudo pointer values in verifier logs
  selftests/bpf: Cover refcount acquire node offsets
  bpf: Reject offset refcount acquire arguments
  selftests/bpf: test rejection of a packet-modifying SK_SKB stream parser
  bpf, sockmap: reject a packet-modifying SK_SKB stream parser
  selftests/bpf: don't modify the skb in the strparser parser prog
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull BPF fixes from Daniel Borkmann:

 - Initialize task local storage before fork bails out to free the task
   (Jann Horn)

 - Fix insn_aux_data leak on verifier error path (KaFai Wan)

 - Reject BPF inode storage map creation when BPF LSM is uninitialized
   (Matt Bobrowski)

 - Mask pseudo pointer values in verifier logs when pointer leaks are
   not allowed (Nuoqi Gui)

 - Harden BPF JIT against spraying via IBPB flush (Pawan Gupta)

 - Reject a skb-modifying SK_SKB stream parser since the latter is only
   meant to measure the next message (Sechang Lim)

 - Fix bpf_refcount_acquire to reject refcounted allocation arguments
   with a non-zero fixed offset (Yiyang Chen)

* tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
  bpf: Prefer dirty packs for eBPF allocations
  bpf: Prefer packs that won't trigger an IBPB flush on allocation
  bpf: Skip redundant IBPB in pack allocator
  bpf: Restrict JIT predictor flush to cBPF
  x86/bugs: Enable IBPB flush on BPF JIT allocation
  bpf: Support for hardening against JIT spraying
  bpf: Reject BPF_MAP_TYPE_INODE_STORAGE creation if BPF LSM is uninitialized
  bpf,fork: wipe -&gt;bpf_storage before bailouts that access it
  bpf: Fix insn_aux_data leak on verifier err_free_env path
  selftests/bpf: Cover pseudo-BTF ksym log masking
  bpf: Mask pseudo pointer values in verifier logs
  selftests/bpf: Cover refcount acquire node offsets
  bpf: Reject offset refcount acquire arguments
  selftests/bpf: test rejection of a packet-modifying SK_SKB stream parser
  bpf, sockmap: reject a packet-modifying SK_SKB stream parser
  selftests/bpf: don't modify the skb in the strparser parser prog
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'vfio-v7.2-rc2' of https://github.com/awilliam/linux-vfio</title>
<updated>2026-07-03T01:25:54+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-03T01:25:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=826eec5b5efd785dc87638a54d5ecc9f88e5afce'/>
<id>826eec5b5efd785dc87638a54d5ecc9f88e5afce</id>
<content type='text'>
Pull VFIO fixes from Alex Williamson:
 "Mostly straightforward fixes here, inconsistent runtime PM handling
  due to global device policies, bitfield races, unwind path gaps,
  teardown ordering, and a misplaced library flag.

   - Fix racy bitfield updates in vfio-pci-core and the mlx5 vfio-pci
     variant driver with a binary split between setup/release and
     runtime modified flags. These were noted across several Sashiko
     reviews as pre-existing issues (Alex Williamson)

   - Fix runtime PM inconsistency where the vfio-pci driver module_init
     could modify the idle PM policy of existing devices through globals
     managed in vfio-pci-core, leading to unbalanced runtime PM
     operations (Alex Williamson)

   - Restore mutability of writable vfio-pci module options by further
     pulling policy globals out of vfio-pci-core, to instead be latched
     per device at device init. Provide visibility of the per device
     latched values through debugfs (Alex Williamson)

   - Fix missing VGA arbiter uninit callback in unwind path (Alex
     Williamson)

   - Reorder device debugfs removal before device_del() to avoid gap
     where debugfs is available with stale devres pointers (Alex
     Williamson)

   - Move UUID library linking flag from vfio selftest Makefile into
     libvfio.mk to avoid exposing such dependencies when linking with
     KVM selftests (Sean Christopherson)"

* tag 'vfio-v7.2-rc2' of https://github.com/awilliam/linux-vfio:
  vfio: selftests: Add luuid to libvfio.mk's list of libraries, not to the Makefile
  vfio/pci: Expose latched module parameter policy in debugfs
  vfio: Remove device debugfs before releasing devres
  vfio/pci: Latch all module parameters per device
  vfio/mlx5: Fix racy bitfields and tighten struct layout
  vfio/pci: Fix racy bitfields and tighten struct layout
  vfio/pci: Release the VGA arbiter client on register_device() failure
  vfio/pci: Latch disable_idle_d3 per device
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull VFIO fixes from Alex Williamson:
 "Mostly straightforward fixes here, inconsistent runtime PM handling
  due to global device policies, bitfield races, unwind path gaps,
  teardown ordering, and a misplaced library flag.

   - Fix racy bitfield updates in vfio-pci-core and the mlx5 vfio-pci
     variant driver with a binary split between setup/release and
     runtime modified flags. These were noted across several Sashiko
     reviews as pre-existing issues (Alex Williamson)

   - Fix runtime PM inconsistency where the vfio-pci driver module_init
     could modify the idle PM policy of existing devices through globals
     managed in vfio-pci-core, leading to unbalanced runtime PM
     operations (Alex Williamson)

   - Restore mutability of writable vfio-pci module options by further
     pulling policy globals out of vfio-pci-core, to instead be latched
     per device at device init. Provide visibility of the per device
     latched values through debugfs (Alex Williamson)

   - Fix missing VGA arbiter uninit callback in unwind path (Alex
     Williamson)

   - Reorder device debugfs removal before device_del() to avoid gap
     where debugfs is available with stale devres pointers (Alex
     Williamson)

   - Move UUID library linking flag from vfio selftest Makefile into
     libvfio.mk to avoid exposing such dependencies when linking with
     KVM selftests (Sean Christopherson)"

* tag 'vfio-v7.2-rc2' of https://github.com/awilliam/linux-vfio:
  vfio: selftests: Add luuid to libvfio.mk's list of libraries, not to the Makefile
  vfio/pci: Expose latched module parameter policy in debugfs
  vfio: Remove device debugfs before releasing devres
  vfio/pci: Latch all module parameters per device
  vfio/mlx5: Fix racy bitfields and tighten struct layout
  vfio/pci: Fix racy bitfields and tighten struct layout
  vfio/pci: Release the VGA arbiter client on register_device() failure
  vfio/pci: Latch disable_idle_d3 per device
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'net-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net</title>
<updated>2026-07-02T16:01:12+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-02T16:01:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=87320be9f0d24fce67631b7eef919f0b79c3e45c'/>
<id>87320be9f0d24fce67631b7eef919f0b79c3e45c</id>
<content type='text'>
Pull networking fixes from Paolo Abeni:
 "Including fixes from netfilter and batman-adv.

  Current release - new code bugs:

   - netfilter: cthelper: cap to maximum number of expectation per master

  Previous releases - regressions:

   - netpoll: fix a use-after-free on shutdown path

   - tcp: restore RCU grace period in tcp_ao_destroy_sock

   - ipv6: fix NULL deref in fib6_walk_continiue() on multi-batch dump

   - batman-adv: dat: ensure accessible eth_hdr proto field

   - eth:
      - virtio_net: disable cb when NAPI is busy-polled
      - lan743x: Initialize eth_syslock spinlock before use

  Previous releases - always broken:

   - netfilter:
      - nft_set_pipapo: don't leak bad clone into future transaction

   - sched:
      - sch_teql: Introduce slaves_lock to avoid race condition and UAF
      - replace direct dequeue call with peek and qdisc_dequeue_peeked

   - sctp: add INIT verification after cookie unpacking

   - tipc: fix out-of-bounds read in broadcast Gap ACK blocks

   - seg6: validate SRH length before reading fixed fields

   - eth:
      - mlx5e: fix use-after-free of metadata_dst on RX SC delete
      - enetc: check the number of BDs needed for xdp_frame
      - fbnic: don't cache shinfo across skb realloc"

* tag 'net-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (58 commits)
  net/mlx5: HWS, fix matcher leak on resize target setup failure
  net/sched: hhf: clear heavy-hitter state on reset
  net/sched: dualpi2: clear stale classification on filter miss
  net/sched: act_bpf: use rcu_dereference_bh() to read the filter
  selftests: drv-net: tso: don't touch dangerous feature bits
  cxgb4: Fix decode strings dump for T6 adapters
  virtio_net: disable cb when NAPI is busy-polled
  sctp: fix addr_wq_timer race in sctp_free_addr_wq()
  selftests: net: bump default cmd() timeout to 20 seconds
  bridge: stp: Fix a potential use-after-free when deleting a bridge
  net/sched: sch_teql: Introduce slaves_lock to avoid race condition and UAF
  net: gianfar: dispose irq mappings on probe failure and device removal
  net: lan743x: Initialize eth_syslock spinlock before use
  net: libwx: fix VMDQ mask for 1-queue mode
  net: airoha: fix max receive size configuration
  fsl/fman: Free init resources on KeyGen failure in fman_init()
  netfilter: nftables: restrict checkum update offset
  netfilter: nftables: restrict linklayer and network header writes
  netfilter: nfnetlink_queue: restrict writes to network header
  netfilter: nft_fib: reject fib expression on the netdev egress hook
  ...
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull networking fixes from Paolo Abeni:
 "Including fixes from netfilter and batman-adv.

  Current release - new code bugs:

   - netfilter: cthelper: cap to maximum number of expectation per master

  Previous releases - regressions:

   - netpoll: fix a use-after-free on shutdown path

   - tcp: restore RCU grace period in tcp_ao_destroy_sock

   - ipv6: fix NULL deref in fib6_walk_continiue() on multi-batch dump

   - batman-adv: dat: ensure accessible eth_hdr proto field

   - eth:
      - virtio_net: disable cb when NAPI is busy-polled
      - lan743x: Initialize eth_syslock spinlock before use

  Previous releases - always broken:

   - netfilter:
      - nft_set_pipapo: don't leak bad clone into future transaction

   - sched:
      - sch_teql: Introduce slaves_lock to avoid race condition and UAF
      - replace direct dequeue call with peek and qdisc_dequeue_peeked

   - sctp: add INIT verification after cookie unpacking

   - tipc: fix out-of-bounds read in broadcast Gap ACK blocks

   - seg6: validate SRH length before reading fixed fields

   - eth:
      - mlx5e: fix use-after-free of metadata_dst on RX SC delete
      - enetc: check the number of BDs needed for xdp_frame
      - fbnic: don't cache shinfo across skb realloc"

* tag 'net-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (58 commits)
  net/mlx5: HWS, fix matcher leak on resize target setup failure
  net/sched: hhf: clear heavy-hitter state on reset
  net/sched: dualpi2: clear stale classification on filter miss
  net/sched: act_bpf: use rcu_dereference_bh() to read the filter
  selftests: drv-net: tso: don't touch dangerous feature bits
  cxgb4: Fix decode strings dump for T6 adapters
  virtio_net: disable cb when NAPI is busy-polled
  sctp: fix addr_wq_timer race in sctp_free_addr_wq()
  selftests: net: bump default cmd() timeout to 20 seconds
  bridge: stp: Fix a potential use-after-free when deleting a bridge
  net/sched: sch_teql: Introduce slaves_lock to avoid race condition and UAF
  net: gianfar: dispose irq mappings on probe failure and device removal
  net: lan743x: Initialize eth_syslock spinlock before use
  net: libwx: fix VMDQ mask for 1-queue mode
  net: airoha: fix max receive size configuration
  fsl/fman: Free init resources on KeyGen failure in fman_init()
  netfilter: nftables: restrict checkum update offset
  netfilter: nftables: restrict linklayer and network header writes
  netfilter: nfnetlink_queue: restrict writes to network header
  netfilter: nft_fib: reject fib expression on the netdev egress hook
  ...
</pre>
</div>
</content>
</entry>
<entry>
<title>selftests/filesystems: test O_TMPFILE creation on idmapped mounts</title>
<updated>2026-07-01T13:26:18+00:00</updated>
<author>
<name>Christian Brauner</name>
<email>brauner@kernel.org</email>
</author>
<published>2026-06-15T12:52:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=d943e68edc5cb98192d38e31373bb6b6a73230c6'/>
<id>d943e68edc5cb98192d38e31373bb6b6a73230c6</id>
<content type='text'>
Add a regression test for the fsuidgid_has_mapping() check in
vfs_tmpfile().  It idmaps a detached tmpfs mount so that the
caller-visible id range [0, 10000) maps onto the on-disk range
[10000, 20000) and checks that:

  - a caller whose fsuid/fsgid fall outside that range cannot create an
    O_TMPFILE through the mount and gets -EOVERFLOW instead of an inode
    owned by (uid_t)-1;

  - a mapped caller can create an O_TMPFILE, link it into the namespace,
    and the ownership round-trips through the mount idmap: it is reported
    as 0 through the mount and stored as 10000 on the underlying tmpfs.

The test runs entirely as root and uses setfsuid()/setfsgid() to become
the unmapped caller, so it needs no helper user.  The layer directory is
world-writable so that an unmapped caller still clears the directory
permission check and reaches the fsuidgid_has_mapping() test.

Link: https://patch.msgid.link/20260615-work-idmapped-tmpfile-v1-2-754a94d81f83@kernel.org
Reviewed-by: Jan Kara &lt;jack@suse.cz&gt;
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add a regression test for the fsuidgid_has_mapping() check in
vfs_tmpfile().  It idmaps a detached tmpfs mount so that the
caller-visible id range [0, 10000) maps onto the on-disk range
[10000, 20000) and checks that:

  - a caller whose fsuid/fsgid fall outside that range cannot create an
    O_TMPFILE through the mount and gets -EOVERFLOW instead of an inode
    owned by (uid_t)-1;

  - a mapped caller can create an O_TMPFILE, link it into the namespace,
    and the ownership round-trips through the mount idmap: it is reported
    as 0 through the mount and stored as 10000 on the underlying tmpfs.

The test runs entirely as root and uses setfsuid()/setfsgid() to become
the unmapped caller, so it needs no helper user.  The layer directory is
world-writable so that an unmapped caller still clears the directory
permission check and reaches the fsuidgid_has_mapping() test.

Link: https://patch.msgid.link/20260615-work-idmapped-tmpfile-v1-2-754a94d81f83@kernel.org
Reviewed-by: Jan Kara &lt;jack@suse.cz&gt;
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>selftests: drv-net: tso: don't touch dangerous feature bits</title>
<updated>2026-07-01T00:23:25+00:00</updated>
<author>
<name>Jakub Kicinski</name>
<email>kuba@kernel.org</email>
</author>
<published>2026-06-29T23:39:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=2f7f2e311106cb838d3f3fb6ef25effdb3f8e366'/>
<id>2f7f2e311106cb838d3f3fb6ef25effdb3f8e366</id>
<content type='text'>
query_nic_features() detects which offloads depend on tx-gso-partial
by enabling everything, turning tx-gso-partial off, and seeing which
active features drop out. Enabling all hw features is dangerous:
we may end up enabling rx-fcs and loopback for example. For the
ice driver we end up getting into problems with feature dependencies
so the cleanup isn't successful either, and the test exits with
rx-fcs and loopback enabled.

Scope the feature probing just to segmentation bits.

Fixes: 266b835e5e84 ("selftests: drv-net: tso: enable test cases based on hw_features")
Reviewed-by: Pavan Chebbi &lt;pavan.chebbi@broadcom.com&gt;
Reviewed-by: Daniel Zahka &lt;daniel.zahka@gmail.com&gt;
Link: https://patch.msgid.link/20260629233923.2151144-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
query_nic_features() detects which offloads depend on tx-gso-partial
by enabling everything, turning tx-gso-partial off, and seeing which
active features drop out. Enabling all hw features is dangerous:
we may end up enabling rx-fcs and loopback for example. For the
ice driver we end up getting into problems with feature dependencies
so the cleanup isn't successful either, and the test exits with
rx-fcs and loopback enabled.

Scope the feature probing just to segmentation bits.

Fixes: 266b835e5e84 ("selftests: drv-net: tso: enable test cases based on hw_features")
Reviewed-by: Pavan Chebbi &lt;pavan.chebbi@broadcom.com&gt;
Reviewed-by: Daniel Zahka &lt;daniel.zahka@gmail.com&gt;
Link: https://patch.msgid.link/20260629233923.2151144-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>selftests: net: bump default cmd() timeout to 20 seconds</title>
<updated>2026-06-30T23:54:37+00:00</updated>
<author>
<name>Jakub Kicinski</name>
<email>kuba@kernel.org</email>
</author>
<published>2026-06-29T23:33:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=57bb59ab6fa39128b733c71eaa0ab511109a0ea1'/>
<id>57bb59ab6fa39128b733c71eaa0ab511109a0ea1</id>
<content type='text'>
We always used 5 sec as the default command timeout. But soon after
it was introduced, David effectively made us ignore the timeout
(it was passed to process.communicate() as the wrong argument).
Gal recently fixed that, but turns out the 5 sec is not enough
for a lot of tests and setups. The fix caused regressions.

In particular running reconfig commands (e.g. XDP attach) on mlx5
with 32 rings and 9k MTU, on a heavily-debug-enabled kernel takes
more than 5 sec. The XDP installation command will time out after
5 sec but since the sleeps in the kernel are non interruptible
the command finishes anyway, leaving the XDP program attached,
but with non-zero exit code. defer()ed cleanups are not installed,
breaking the environment for subsequent tests.

Since "install XDP" is a pretty normal command a "point fix"
does not seem appropriate. 32 rings is a fairly reasonable
config, too, so we should just increase the timeout to 20 sec.

There's no real reason behind the value of 20.

Fixes: 1cf270424218 ("net: selftest: add test for netdev netlink queue-get API")
Fixes: f0bd19316663 ("selftests: net: fix timeout passed as positional argument to communicate()")
Reviewed-by: Pavan Chebbi &lt;pavan.chebbi@broadcom.com&gt;
Acked-by: Breno Leitao &lt;leitao@debian.org&gt;
Reviewed-by: Nimrod Oren &lt;noren@nvidia.com&gt;
Link: https://patch.msgid.link/20260629233348.2145841-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We always used 5 sec as the default command timeout. But soon after
it was introduced, David effectively made us ignore the timeout
(it was passed to process.communicate() as the wrong argument).
Gal recently fixed that, but turns out the 5 sec is not enough
for a lot of tests and setups. The fix caused regressions.

In particular running reconfig commands (e.g. XDP attach) on mlx5
with 32 rings and 9k MTU, on a heavily-debug-enabled kernel takes
more than 5 sec. The XDP installation command will time out after
5 sec but since the sleeps in the kernel are non interruptible
the command finishes anyway, leaving the XDP program attached,
but with non-zero exit code. defer()ed cleanups are not installed,
breaking the environment for subsequent tests.

Since "install XDP" is a pretty normal command a "point fix"
does not seem appropriate. 32 rings is a fairly reasonable
config, too, so we should just increase the timeout to 20 sec.

There's no real reason behind the value of 20.

Fixes: 1cf270424218 ("net: selftest: add test for netdev netlink queue-get API")
Fixes: f0bd19316663 ("selftests: net: fix timeout passed as positional argument to communicate()")
Reviewed-by: Pavan Chebbi &lt;pavan.chebbi@broadcom.com&gt;
Acked-by: Breno Leitao &lt;leitao@debian.org&gt;
Reviewed-by: Nimrod Oren &lt;noren@nvidia.com&gt;
Link: https://patch.msgid.link/20260629233348.2145841-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>vfio: selftests: Add luuid to libvfio.mk's list of libraries, not to the Makefile</title>
<updated>2026-06-30T21:50:55+00:00</updated>
<author>
<name>Sean Christopherson</name>
<email>seanjc@google.com</email>
</author>
<published>2026-06-30T21:28:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=e242e974e812e7a47e3088860c80d9492fac314f'/>
<id>e242e974e812e7a47e3088860c80d9492fac314f</id>
<content type='text'>
Link to the uuid library as part of libvfio.mk instead of as only linking
it via VFIO selftests' Makefile, as the whole point of providing libvfio.mk
is to allow linking the VFIO library functionality into KVM selftests,
without KVM selftests having to know the gory details or duplicate code.

Cc: Raghavendra Rao Ananta &lt;rananta@google.com&gt;
Cc: David Matlack &lt;dmatlack@google.com&gt;
Cc: Vipin Sharma &lt;vipinsh@google.com&gt;
Cc: Alex Williamson &lt;alex@shazbot.org&gt;
Fixes: e65f1bf8a2db ("vfio: selftests: Extend container/iommufd setup for passing vf_token")
Signed-off-by: Sean Christopherson &lt;seanjc@google.com&gt;
Reviewed-by: David Matlack &lt;dmatlack@google.com&gt;
Link: https://lore.kernel.org/r/20260630212805.474418-1-seanjc@google.com
Signed-off-by: Alex Williamson &lt;alex@shazbot.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Link to the uuid library as part of libvfio.mk instead of as only linking
it via VFIO selftests' Makefile, as the whole point of providing libvfio.mk
is to allow linking the VFIO library functionality into KVM selftests,
without KVM selftests having to know the gory details or duplicate code.

Cc: Raghavendra Rao Ananta &lt;rananta@google.com&gt;
Cc: David Matlack &lt;dmatlack@google.com&gt;
Cc: Vipin Sharma &lt;vipinsh@google.com&gt;
Cc: Alex Williamson &lt;alex@shazbot.org&gt;
Fixes: e65f1bf8a2db ("vfio: selftests: Extend container/iommufd setup for passing vf_token")
Signed-off-by: Sean Christopherson &lt;seanjc@google.com&gt;
Reviewed-by: David Matlack &lt;dmatlack@google.com&gt;
Link: https://lore.kernel.org/r/20260630212805.474418-1-seanjc@google.com
Signed-off-by: Alex Williamson &lt;alex@shazbot.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
