summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
13 daysbpf: Emit verbose message when prog-specific btf_struct_access rejects a writeAlexei Starovoitov
When BPF_WRITE goes through a PTR_TO_BTF_ID register, check_ptr_to_btf_access() delegates to env->ops->btf_struct_access(). Most implementations (bpf_scx_btf_struct_access, tc_cls_act_btf_struct_access, etc.) return -EACCES for disallowed fields without logging anything, so the verifier rejects the program with an empty message. For example a scx program doing 1: R1=trusted_ptr_task_struct() ... 4: (7b) *(u64 *)(r1 +0) = r2 verification time 83 usec the program is rejected leaves the user guessing which field is off-limits. Emit verbose message. Signed-off-by: Alexei Starovoitov <ast@kernel.org> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Acked-by: Yonghong Song <yonghong.song@linux.dev> Link: https://lore.kernel.org/r/20260615232146.5491-1-alexei.starovoitov@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
13 daysbpf: Fix build_id caching in stack_map_get_build_id_offset()Ihor Solodrai
This patch is a follow up to recent implementation of stack_map_get_build_id_offset_sleepable() [1]. stack_map_get_build_id_offset() and its sleepable variant each cached only the last successfully resolved VMA, with separate bookkeeping in each function. A run of IPs in a VMA with no usable build ID will repeat the lookup for every frame: find_vma() in the non-sleepable path, a VMA lock and a blocking build_id_parse_file() in the sleepable. Factor the per-call cache into a shared struct stack_map_build_id_cache with two independent slots [2][3], used by both functions: * resolved - last VMA that produced a build ID (file, build_id and range), reused to skip the lookup and the parse; * unresolved - last VMA with no usable build ID (range only), reused to emit a raw IP without another lookup or parse. Keeping the slots independent means a build-ID-less VMA no longer evicts the last resolved build ID, so a trace alternating between a binary and a region without one stops re-resolving the binary on every return. The shared lookup tests [vm_start, vm_end), matching the sleepable path; the non-sleepable path previously reused a build ID for ip == vm_end (range_in_vma() is inclusive) and now re-resolves it correctly. [1] https://lore.kernel.org/bpf/20260525223948.1920986-1-ihor.solodrai@linux.dev/ [2] https://lore.kernel.org/bpf/CAEf4Bza2fRDGhLQoPE-EzM7F34xaEJfi5Exmxb-iWVUN3F06=g@mail.gmail.com/ [3] https://lore.kernel.org/bpf/CAEf4BzZXJFr=1iiVx937ht=4PYQkQHg=eFk810zhMDzXQG3ihw@mail.gmail.com/ Suggested-by: Andrii Nakryiko <andrii@kernel.org> Signed-off-by: Ihor Solodrai <ihor.solodrai@linux.dev> Link: https://lore.kernel.org/r/20260615195536.1065107-1-ihor.solodrai@linux.dev Signed-off-by: Alexei Starovoitov <ast@kernel.org>
13 daysbpf: Fix partial copy of non-linear test_run outputSun Jian
For non-linear test_run output, bpf_test_finish() derives the linear data copy length from copy_size - frag_size. This only matches the linear data length when copy_size is the full packet size. When userspace provides a short data_out buffer, copy_size is clamped to that buffer size. If copy_size is smaller than frag_size, the computed length becomes negative and bpf_test_finish() returns -ENOSPC before copying the packet prefix or updating data_size_out. Compute the linear data length from the packet layout instead, and clamp the linear copy length to copy_size. This preserves the expected partial-copy semantics: return -ENOSPC, copy the packet prefix that fits in data_out, and report the full packet length through data_size_out. Fixes: 7855e0db150ad ("bpf: test_run: add xdp_shared_info pointer in bpf_test_finish signature") Signed-off-by: Sun Jian <sun.jian.kdev@gmail.com> Acked-by: Paul Chaignon <paul.chaignon@gmail.com> Link: https://lore.kernel.org/r/20260617093557.63880-2-sun.jian.kdev@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
13 daysMerge branch 'bpf-fix-stack-slot-index-for-spectre-v4-nospec-checks'Alexei Starovoitov
Nuoqi Gui says: ==================== bpf: Fix stack slot index for Spectre v4 nospec checks check_stack_write_fixed_off() uses one byte-indexing scheme when checking whether a fixed-offset stack write needs Spectre v4 sanitization, and another scheme when recording the write into slot_type[]. For sub-8-byte writes this can make the sanitization check look at bytes that are not overwritten by the write. A zeroed lower half-slot followed by a write to the upper half-slot can therefore miss the nospec barrier for the second write. Use the same stack-byte index for the sanitization check and the slot update, and add a focused verifier selftest that expects both half-slot writes to emit nospec through the unprivileged loader lane. Bounded impact: this fixes verifier/JIT Spectre v4 mitigation emission for a fixed-offset stack-write corner case. No architectural verifier memory-safety bypass, exploit chain, CVE, embargo, or security escalation is claimed. Fixes: 2039f26f3aca ("bpf: Fix leakage due to insufficient speculative store bypass mitigation") Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn> --- Changes in v3: - selftests/bpf: drop the stray space in the __xlated_unpriv stack-store expectations ("(r10 - 4)"/"(r10 - 8)" -> "(r10 -4)"/"(r10 -8)") - Link to v2: https://lore.kernel.org/bpf/20260618-f01-11-stack-nospec-slot-index-v2-0-ede9495359b6@mails.tsinghua.edu.cn/ Changes in v2: - drop __caps_unpriv(CAP_BPF) from the selftest - fix selftest style - use Fixes: 2039f26f3aca per review - Link to v1: https://lore.kernel.org/bpf/20260617-f01-11-stack-nospec-slot-index-v1-0-e3a080b0cd7e@mails.tsinghua.edu.cn/ ==================== Link: https://patch.msgid.link/20260618-f01-11-stack-nospec-slot-index-v3-0-780297041721@mails.tsinghua.edu.cn Signed-off-by: Alexei Starovoitov <ast@kernel.org>
13 daysselftests/bpf: Cover stack nospec slot indexingNuoqi Gui
Add a verifier test for the fixed-offset stack write case where two 4-byte stores initialize opposite halves of the same stack slot. The test runs through the unprivileged loader lane and expects both half-slot writes to emit nospec in the translated program. Acked-by: Luis Gerhorst <luis.gerhorst@fau.de> Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn> Link: https://lore.kernel.org/r/20260618-f01-11-stack-nospec-slot-index-v3-2-780297041721@mails.tsinghua.edu.cn Signed-off-by: Alexei Starovoitov <ast@kernel.org>
13 daysbpf: Fix stack slot index in nospec checksNuoqi Gui
check_stack_write_fixed_off() computes the byte slot for a fixed-offset stack write as -off - 1, and records each written byte in slot_type[] with (slot - i) % BPF_REG_SIZE. The Spectre v4 sanitization pre-check uses slot_type[i] instead. For a 4-byte write at fp-8 after the lower half of fp-8 has been zeroed, the pre-check scans bytes 0..3 and sees STACK_ZERO while the actual write updates bytes 7..4. That can leave the second half-slot write without nospec_result even though the bytes being overwritten still require sanitization. Use the same slot index in the sanitization pre-check that the write path uses when updating slot_type[]. Fixes: 2039f26f3aca ("bpf: Fix leakage due to insufficient speculative store bypass mitigation") Acked-by: Luis Gerhorst <luis.gerhorst@fau.de> Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn> Link: https://lore.kernel.org/r/20260618-f01-11-stack-nospec-slot-index-v3-1-780297041721@mails.tsinghua.edu.cn Signed-off-by: Alexei Starovoitov <ast@kernel.org>
13 daysrtc: Use named initializers for platform_device_id arraysUwe Kleine-König (The Capable Hub)
Named initializers are better readable and more robust to changes of the struct definition. This robustness is relevant for a planned change to struct platform_device_id replacing .driver_data by an anonymous union. While touching these arrays unify spacing and usage of commas. Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com> Reviewed-by: Matti Vaittinen <mazziesaccount@gmail.com> Reviewed-by: Linus Walleij <linusw@kernel.org> Acked-by: Karel Balej <balejk@matfyz.cz> # for Marvell 88PM886 Link: https://patch.msgid.link/d14b9076b2c7703708bcc5cc35f339cd97fc10cd.1779950275.git.u.kleine-koenig@baylibre.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
13 daysrtc: ab8500: Simplify driver_data handlingUwe Kleine-König (The Capable Hub)
Instead of hiding the rtc ops for the only supported device behind an abstraction for multi-device support, hardcode the used ops which gets rid of the need to call platform_get_device_id and two casts. Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com> Reviewed-by: Linus Walleij <linusw@kernel.org> Link: https://patch.msgid.link/a909d3c59d00756130ac16051ceedbec0ce9cec7.1779950275.git.u.kleine-koenig@baylibre.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
13 daysrtc: Drop unused assignment of platform_device_id driver dataUwe Kleine-König (The Capable Hub)
The two drivers explicitly set the .driver_data member of struct platform_device_id to zero without relying on that value. Drop this unused assignments. While touching these array unify spacing, usage of commas and use named initializers for .name. Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com> Reviewed-by: Tzung-Bi Shih <tzungbi@kernel.org> Link: https://patch.msgid.link/9ec7a174605a17dd19c011ee2253de28d09b02bd.1779950275.git.u.kleine-koenig@baylibre.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
13 daysrtc: Use named initializers for arrays of i2c_device_dataUwe Kleine-König (The Capable Hub)
While being less compact, using named initializers allows to more easily see which members of the structs are assigned which value without having to lookup the declaration of the struct. And it's also more robust against changes to the struct definition. The mentioned robustness is relevant for a planned change to struct i2c_device_id that replaces .driver_data by an anonymous union. While touching all these arrays, unify usage of whitespace and commas. This patch doesn't modify the compiled arrays, only their representation in source form benefits. The former was confirmed with x86 and arm64 builds. Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com> Reviewed-by: Tóth János <gomba007@gmail.com> Link: https://patch.msgid.link/20260515154720.406128-2-u.kleine-koenig@baylibre.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
13 daysrtc: ds1307: handle oscillator stop flag for ds1337/ds1339/ds3231Ronan Dalton
Prior to commit 48458654659c ("rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe"), the oscillator stop flag (OSF) bit was checked during device probe for the ds1337, ds1339, ds1341, and ds3231 chips; if it was set, it would be cleared and a warning would be logged saying "SET TIME!". Since that commit, the OSF bit is no longer cleared, but the warning is still printed. Directly following that commit, there was no way to get rid of this warning because nothing cleared the OSF bit on these chips. The commit associated with the previous commit, 523923cfd5d6 ("rtc: ds1307: handle oscillator stop flag (OSF) for ds1341"), made proper use of the OSF when getting and setting the time in the RTC. However, the other RTC variants ds1337, ds1339 and ds3231 didn't have a corresponding change made. Given that the OSF bit is no longer cleared at probe time when it is set, the remaining three chips should have the same handling as the ds1341 chip has for the OSF bit. Fix the issue on the ds1337, ds1339 and ds3231 chips by applying the same logic as the ds1341 has to these chips. Note that any devices brought up between the first referenced commit and this one may begin mistrusting the time reported by the RTC until it is set again, if the bit was never explicitly cleared. Note that only the ds1339 was tested with this change, but the datasheets for the other chips contain essentially identical descriptions of the OSF bit so the same change should work. Signed-off-by: Ronan Dalton <ronan.dalton@alliedtelesis.co.nz> Cc: linux-rtc@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: Alexandre Belloni <alexandre.belloni@bootlin.com> Cc: Tyler Hicks <code@tyhicks.com> Cc: Sasha Levin <sashal@kernel.org> Cc: Meagan Lloyd <meaganlloyd@linux.microsoft.com> Cc: Rodolfo Giometti <giometti@enneenne.com> Cc: Chris Packham <chris.packham@alliedtelesis.co.nz> Fixes: 48458654659c ("rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe") Reviewed-by: Meagan Lloyd <meaganlloyd@linux.microsoft.com> Reviewed-by: Tyler Hicks <code@tyhicks.com> Link: https://patch.msgid.link/20260508032518.3696705-2-ronan.dalton@alliedtelesis.co.nz Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
13 daysrtc: mpfs: fix counter upload completion conditionConor Dooley
The condition that needs to be checked for upload completion is the UPLOAD bit in the completion register going low. The original iterations of this driver used a do-while and this was converted to a read_poll_timeout() during upstreaming without the condition being inverted as it should have been. I suspect that this went unnoticed until now because a) the first read was done when the bit was still set, immediately completing the read_poll_timeout() and b) because the RTC doesn't hold time when power is removed from the SoC reducing its utility (I for one keep it disabled). If my first suspicion was true when the driver was upstreamed, it's not true any longer though, hence the detection of the problem. Fixes: 0b31d703598dc ("rtc: Add driver for Microchip PolarFire SoC") CC: stable@vger.kernel.org Signed-off-by: Conor Dooley <conor.dooley@microchip.com> Tested-by: Valentina Fernandez <valentina.fernandezalanis@microchip.com> Link: https://patch.msgid.link/20260513-panhandle-ashy-70c6abf84d59@spud Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
13 daysrtc: abx80x: fix the RTC_VL_CLR clearing all status flagsAntoni Pokusinski
The RTC_VL_CLR ioctl intends to clear only the battery low flag (BLF), however the current implementation writes 0 to the status register, clearing all status bits. Fix this by writing back the masked status value so that only BLF is cleared, preserving other status flags. Fixes: ffe1c5a2d427 ("rtc: abx80x: Implement RTC_VL_READ,CLR ioctls") Signed-off-by: Antoni Pokusinski <apokusinski01@gmail.com> Link: https://patch.msgid.link/20260415160610.127155-2-apokusinski01@gmail.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
13 daysrtc: renesas-rtca3: Factor out year decoding helperLad Prabhakar
The logic to decode the year value from the hardware registers is duplicated in both rtca3_read_time() and rtca3_read_alarm(). Introduce a helper rtca3_decode_year() to centralize this conversion. Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com> Reviewed-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com> Tested-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com> # on RZ/G3S Link: https://patch.msgid.link/20260602192559.1791344-6-prabhakar.mahadev-lad.rj@bp.renesas.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
13 daysrtc: renesas-rtca3: Fix typo in rtca3_ppb_per_cycle documentationLad Prabhakar
Correct a typo in the kernel-doc comment for struct rtca3_ppb_per_cycle by fixing "adjutment" to "adjustment". Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com> Reviewed-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com> Tested-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com> # on RZ/G3S Link: https://patch.msgid.link/20260602192559.1791344-5-prabhakar.mahadev-lad.rj@bp.renesas.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
13 daysrtc: renesas-rtca3: Fix incorrect error message for reset assertLad Prabhakar
Update the message to "assert reset" to accurately reflect the operation being performed. Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com> Reviewed-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com> Tested-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com> # on RZ/G3S Link: https://patch.msgid.link/20260602192559.1791344-4-prabhakar.mahadev-lad.rj@bp.renesas.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
13 daysrtc: renesas-rtca3: Check RADJ poll result during initial setupLad Prabhakar
In rtca3_initial_setup(), the driver clears the RTCA3_RADJ register and waits for it to reach zero using readb_poll_timeout(). Check the return value of readb_poll_timeout() and propagate the error if the poll fails. Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com> Reviewed-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com> Tested-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com> # on RZ/G3S Link: https://patch.msgid.link/20260602192559.1791344-3-prabhakar.mahadev-lad.rj@bp.renesas.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
13 daysrtc: renesas-rtca3: Fix PIE clear polling condition in alarm setup error pathLad Prabhakar
In rtca3_set_alarm(), the setup_failed path attempts to disable the Periodic Interrupt Enable (PIE) bit and wait until it is cleared. However, the polling condition passed to readb_poll_timeout_atomic() uses an incorrect expression: !(tmp & ~RTCA3_RCR1_PIE) As ~RTCA3_RCR1_PIE evaluates to a mask of all bits except PIE, the condition effectively waits for all non-PIE bits to become zero, which is unrelated to the intended operation and is unlikely to ever be true. This causes the poll to time out unnecessarily. Fix the condition to check for the PIE bit itself being cleared: !(tmp & RTCA3_RCR1_PIE) This correctly waits until PIE is deasserted after being cleared. Fixes: d4488377609e3 ("rtc: renesas-rtca3: Add driver for RTCA-3 available on Renesas RZ/G3S SoC") Cc: stable@vger.kernel.org Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com> Reviewed-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com> Tested-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com> # on RZ/G3S Link: https://patch.msgid.link/20260602192559.1791344-2-prabhakar.mahadev-lad.rj@bp.renesas.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
13 daysdt-bindings: rtc: epson,rx6110: Convert to DT SchemaUdaya Kiran Challa
Convert the Epson RX6110 Real Time Clock devicetree binding from the legacy text format to DT schema. Signed-off-by: Udaya Kiran Challa <challauday369@gmail.com> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Link: https://patch.msgid.link/20260514173851.25088-1-challauday369@gmail.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
13 daysMerge tag 'amd-drm-fixes-7.2-2026-06-19' of ↵Dave Airlie
https://gitlab.freedesktop.org/agd5f/linux into drm-next amd-drm-fixes-7.2-2026-06-19: amdgpu: - devcoredump fixes - SMU15 fix - Various irq put/get imbalance cleanup fixes - 8K panel fix - DCN3.5 fix - lockdep fix - Cleaner shader sysfs IB overflow fix - Async flip fixes - GET_MAPPING_INFO fix - CP_GFX_SHADOW fix - Ctx pstate handling fix - GTT bo move handling fixes - Old UVD BO placement fixes - GC9 mode2 reset fix - IH6.1 version fix - Soft IH ring fix amdkfd: - Fix doorbell/mmio double unpin on free - CRIU fixes - SMI event fixes - Sysfs teardown fix - Various boundary checking fixes - Various error checking fixes - SVM fix radeon: - r100_copy_blit fix for large BOs Signed-off-by: Dave Airlie <airlied@redhat.com> From: Alex Deucher <alexander.deucher@amd.com> Link: https://patch.msgid.link/20260619152610.776982-1-alexander.deucher@amd.com
13 daysMerge tag 'drm-xe-next-fixes-2026-06-17' of ↵Dave Airlie
https://gitlab.freedesktop.org/drm/xe/kernel into drm-next - Set TTM beneficial order to 9 in Xe - Several error path cleanups - Fix TDR for unstarted jobs on kernel queues - Several TLB invalidation fixes related to suspending LR queues - Some small RAS fixes - Multi-queue suspend fix for LR queues - Revert inclusion of NVL_S firmware Signed-off-by: Dave Airlie <airlied@redhat.com> From: Matthew Brost <matthew.brost@intel.com> Link: https://patch.msgid.link/ajLy2brwvOZEFNNN@gsse-cloud1.jf.intel.com
13 daysMerge tag 'drm-intel-next-fixes-2026-06-17' of ↵Dave Airlie
https://gitlab.freedesktop.org/drm/i915/kernel into drm-next Only a few simple display fixes around DP MST, CRTC color state, and PLL sequencing. Signed-off-by: Dave Airlie <airlied@redhat.com> From: Rodrigo Vivi <rodrigo.vivi@intel.com> Link: https://patch.msgid.link/ajJxbrt3a_USBecY@intel.com
13 dayserofs: simplify RCU read critical sectionsGao Xiang
- use scoped_guard() for RCU read critical section in z_erofs_decompress_kickoff(); - simplify the RCU critical section loop in z_erofs_pcluster_begin(). Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
13 dayserofs: add sparse support to pcluster layoutGao Xiang
Although zeros can be compressed transparently on EROFS using fixed-size output compression so that it is never prioritized in the Android use cases, indicating entire pclusters as holes is still useful to preserve holes in the sparse datasets; otherwise overlayfs will allocate more space when copying up, and SEEK_HOLE won't report any hole. This patch introduces two ways to mark a pcluster as a hole: - A new Z_EROFS_LI_HOLE compatible flag (bit 14) in the HEAD lcluster advise field for non-compact (full) indexes; - A 0-block CBLKCNT value on the first NONHEAD lcluster. The hole tag is preferred for maximum compatibility since pre-existing kernels that do not understand Z_EROFS_LI_HOLE will decompress at the stored blkaddr (the same blkaddr will be shared among all sparse pclusters). Only the 0-block CBLKCNT approach also works for compact indexes, but it is limited to big pclusters and new kernels. Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
13 daysdpaa2-switch: do not accept VLAN uppers while bridgedIoana Ciornei
The dpaa2-switch driver does not support VLAN uppers while its ports are bridged. This scenario tried to be prevented by rejecting a bridge join while VLAN uppers exist but the reverse order was still possible. This patches adds a check so that the dpaa2-switch also does not accept VLAN uppers while bridged. Fixes: f48298d3fbfa ("staging: dpaa2-switch: move the driver out of staging") Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com> Link: https://patch.msgid.link/20260618092813.432535-2-ioana.ciornei@nxp.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
13 daysipv6: ioam: fix type confusion of dst_entryJiayuan Chen
IOAM uses a dummy dst_entry(null_dst) to mark that the destination should not be changed after the transformation. This dst is stored in the IOAM lwt state and may be passed to dst_cache_set_ip6(). However, the IPv6 dst cache path eventually calls rt6_get_cookie(), which treats the dst_entry as part of a struct rt6_info. Since the null_dst was embedded directly as a struct dst_entry in struct ioam6_lwt, this resulted in an invalid cast and rt6_get_cookie() reading fields from the wrong object. In practice, the wrong cookie is not used while dst->obsolete is zero, but rt6_get_cookie() may also access per-cpu value when rt->sernum is zero. In this case, rt->sernum aliases ioam6_lwt::cache::reset_ts, which can become zero, making this a potential invalid pointer access. Fix this by embedding a full struct rt6_info for the dummy IPv6 route and passing its dst member to the dst APIs. Fixes: 47ce7c854563 ("net: ipv6: ioam6: fix double reallocation") Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev> Reviewed-by: Justin Iurman <justin.iurman@gmail.com> Link: https://patch.msgid.link/20260618104336.48934-1-jiayuan.chen@linux.dev Signed-off-by: Jakub Kicinski <kuba@kernel.org>
13 daysMerge branch 'ipv4-ipv6-account-for-fraggap-on-paged-allocation-paths'Jakub Kicinski
Wongi Lee says: ==================== ipv4/ipv6: account for fraggap on paged allocation paths Fix fraggap accounting in the paged-allocation paths of IPv4 and IPv6. The IPv6 patch is the v4 update of the previously posted patch. The IPv4 patch handles the same code pattern (by Ido). v3: https://lore.kernel.org/aiq3f7UZGFp0F3MV@DESKTOP-19IMU7U.localdomain v2: https://lore.kernel.org/aigx83czv+UJZA0d@DESKTOP-19IMU7U.localdomain v1: https://lore.kernel.org/aibiIYMAwUErTw5U@DESKTOP-19IMU7U.localdomain ==================== Link: https://patch.msgid.link/ajFQn6yh43eDeQm9@DESKTOP-19IMU7U.localdomain Signed-off-by: Jakub Kicinski <kuba@kernel.org>
13 daysipv6: account for fraggap on the paged allocation pathWongi Lee
In __ip6_append_data(), when the paged-allocation branch is taken (MSG_MORE / NETIF_F_SG / large fraglen), alloclen and pagedlen are computed as alloclen = fragheaderlen + transhdrlen; pagedlen = datalen - transhdrlen; datalen already includes fraggap (datalen = length + fraggap). When fraggap is non-zero, this is not the first skb and transhdrlen is zero. The fraggap bytes carried over from the previous skb are copied just past the fragment headers in the new skb's linear area. The linear area is therefore undersized by fraggap bytes while pagedlen is overstated by the same amount, and the copy writes past skb->end into the trailing skb_shared_info. An unprivileged user can trigger this via a UDPv6 socket using MSG_MORE together with MSG_SPLICE_PAGES. The bad accounting was introduced by commit 773ba4fe9104 ("ipv6: avoid partial copy for zc"). Before commit ce650a166335 ("udp6: Fix __ip6_append_data()'s handling of MSG_SPLICE_PAGES"), the negative copy value caused -EINVAL to be returned. That later commit allowed MSG_SPLICE_PAGES to proceed in this case, making the corruption triggerable. The non-paged branch sets alloclen to fraglen, which already accounts for fraggap because datalen does. Bring the paged branch in line by adding fraggap to alloclen and subtracting it from pagedlen. After this adjustment, copy no longer collapses to -fraggap on the paged path, so remove the stale comment describing that old arithmetic. Since a negative copy is no longer expected for a valid MSG_SPLICE_PAGES case, remove the MSG_SPLICE_PAGES exception from the negative copy check. Fixes: 773ba4fe9104 ("ipv6: avoid partial copy for zc") Signed-off-by: Jungwoo Lee <jwlee2217@gmail.com> Signed-off-by: Wongi Lee <qw3rtyp0@gmail.com> Reviewed-by: Ido Schimmel <idosch@nvidia.com> Link: https://patch.msgid.link/ajFTqRljatR17fFy@DESKTOP-19IMU7U.localdomain Signed-off-by: Jakub Kicinski <kuba@kernel.org>
13 daysipv4: account for fraggap on the paged allocation pathWongi Lee
In __ip_append_data(), when the paged-allocation branch is taken, alloclen and pagedlen are computed as alloclen = fragheaderlen + transhdrlen; pagedlen = datalen - transhdrlen; datalen already includes fraggap, but the fraggap bytes carried over from the previous skb are copied into the new skb's linear area at offset transhdrlen by the subsequent skb_copy_and_csum_bits(). The linear area is therefore undersized by fraggap bytes while pagedlen is overstated by the same amount. The non-paged branch sets alloclen to fraglen, which already accounts for fraggap because datalen does. Bring the paged branch in line by adding fraggap to alloclen and subtracting it from pagedlen. After this adjustment, copy no longer collapses to -fraggap on the paged path, so remove the stale comment describing that old arithmetic. Fixes: 8eb77cc73977 ("ipv4: avoid partial copy for zc") Signed-off-by: Jungwoo Lee <jwlee2217@gmail.com> Signed-off-by: Wongi Lee <qw3rtyp0@gmail.com> Reviewed-by: Ido Schimmel <idosch@nvidia.com> Link: https://patch.msgid.link/ajFR1eLAIs42TN3g@DESKTOP-19IMU7U.localdomain Signed-off-by: Jakub Kicinski <kuba@kernel.org>
13 daysselftests/tc-testing: Add DualPI2 GSO backlog accounting testXingquan Liu
Add a regression test for DualPI2 GSO backlog accounting when it is used as a child qdisc of QFQ. The test sends one UDP GSO datagram through a QFQ class with DualPI2 as the leaf qdisc. DualPI2 splits the skb into two segments. After the traffic drains, both QFQ and DualPI2 must report zero backlog and zero qlen. On kernels with the broken accounting, QFQ can keep a stale non-zero qlen after all real packets have been dequeued. Signed-off-by: Xingquan Liu <b1n@b1n.io> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com> Reviewed-by: Victor Nogueira <victor@mojatatu.com> Link: https://patch.msgid.link/20260619151447.223640-2-b1n@b1n.io Signed-off-by: Jakub Kicinski <kuba@kernel.org>
13 daysnet/sched: dualpi2: fix GSO backlog accountingXingquan Liu
When DualPI2 splits a GSO skb into N segments, it propagates N additional packets to its parent before returning NET_XMIT_SUCCESS. The parent then accounts for the original skb once more, leaving its qlen one larger than the number of packets actually queued. With QFQ as the parent, after all real packets are dequeued, QFQ still has a non-zero qlen while its in-service aggregate has no active classes. qfq_choose_next_agg() returns NULL and qfq_dequeue() passes the result to qfq_peek_skb(), causing a NULL pointer dereference. Follow the same pattern used by tbf_segment() and taprio: count only successfully queued segments, propagate the difference between the original skb and those segments, and return NET_XMIT_SUCCESS whenever at least one segment was queued. Fixes: 8f9516daedd6 ("sched: Add enqueue/dequeue of dualpi2 qdisc") Cc: stable@vger.kernel.org Signed-off-by: Xingquan Liu <b1n@b1n.io> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com> Reviewed-by: Victor Nogueira <victor@mojatatu.com> Link: https://patch.msgid.link/20260619151447.223640-1-b1n@b1n.io Signed-off-by: Jakub Kicinski <kuba@kernel.org>
13 daysipv6: ndisc: fix NULL deref in accept_untracked_na()Weiming Shi
accept_untracked_na() re-fetches the inet6_dev with __in6_dev_get(dev) and dereferences idev->cnf.accept_untracked_na without a NULL check, even though its only caller ndisc_recv_na() already fetched and NULL-checked idev for the same device. Both reads of dev->ip6_ptr run in the same RCU read-side critical section, but a concurrent addrconf_ifdown() can clear dev->ip6_ptr between them: lowering the MTU below IPV6_MIN_MTU calls addrconf_ifdown() without the synchronize_net() that orders the unregister path, so the re-fetch returns NULL and oopses: BUG: KASAN: null-ptr-deref in ndisc_recv_na (net/ipv6/ndisc.c:974) Read of size 4 at addr 0000000000000364 Call Trace: <IRQ> ndisc_recv_na (net/ipv6/ndisc.c:974) icmpv6_rcv (net/ipv6/icmp.c:1193) ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:479) ip6_input_finish (net/ipv6/ip6_input.c:534) ip6_input (net/ipv6/ip6_input.c:545) ip6_mc_input (net/ipv6/ip6_input.c:635) ipv6_rcv (net/ipv6/ip6_input.c:351) </IRQ> It is reachable by an unprivileged user via a network namespace. Pass the caller's already validated idev instead of re-fetching it; the idev stays alive for the whole RCU critical section, so it is safe even after dev->ip6_ptr has been cleared. Fixes: aaa5f515b16b ("net: ipv6: new accept_untracked_na option to accept na only if in-network") Reported-by: Xiang Mei <xmei5@asu.edu> Signed-off-by: Weiming Shi <bestswngs@gmail.com> Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev> Link: https://patch.msgid.link/20260617065512.2529757-2-bestswngs@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
14 daysnet: sit: require CAP_NET_ADMIN in the device netns for changelinkMaoyi Xie
ipip6_changelink() operates on at most two netns, dev_net(dev) and the tunnel link netns t->net. They differ once the device is created in or moved to a netns other than the one the request runs in. The rtnl changelink path checks CAP_NET_ADMIN only against dev_net(dev), so a caller privileged there but not in t->net can rewrite a tunnel that lives in t->net. Gate ipip6_changelink() on rtnl_dev_link_net_capable() at its top, before any attribute is parsed. sit was the one tunnel type not covered by the recent series that added this check to the other changelink() handlers. Fixes: 5e6700b3bf98 ("sit: add support of x-netns") Link: https://lore.kernel.org/netdev/20260612085941.3158249-1-maoyixie.tju@gmail.com/ Cc: stable@vger.kernel.org Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com> Reviewed-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com> Link: https://patch.msgid.link/20260618070817.3378283-1-maoyixie.tju@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
14 daysnet: airoha: Fix skb->priority underflow in airoha_dev_select_queue()Wayen Yan
In airoha_dev_select_queue(), the expression: queue = (skb->priority - 1) % AIROHA_NUM_QOS_QUEUES; implicitly converts to unsigned arithmetic: when skb->priority is 0 (the default for unclassified traffic), (0u - 1u) wraps to UINT_MAX, and UINT_MAX % 8 = 7, routing default best-effort packets to the highest-priority QoS queue. This causes QoS inversion where the majority of traffic on a PON gateway starves actual high-priority flows (VoIP, gaming, etc.). The "- 1" offset was a leftover from the ETS offload implementation that has since been removed. The correct mapping is a direct modulo: queue = skb->priority % AIROHA_NUM_QOS_QUEUES; This maps priority 0 → queue 0 (lowest), priority 7 → queue 7 (highest), with higher priorities wrapping around. This is the standard Linux sk_prio → HW queue mapping used by other drivers. Fixes: 2b288b81560b ("net: airoha: Introduce ndo_select_queue callback") Link: https://lore.kernel.org/netdev/178185573207.2378135.3729126358670287878@gmail.com/ Acked-by: Lorenzo Bianconi <lorenzo@kernel.org> Reviewed-by: Joe Damato <joe@dama.to> Signed-off-by: Wayen Yan <win847@gmail.com> Link: https://patch.msgid.link/178194366700.2485734.5368768965976693502@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
14 daysnet/sched: act_ct: fix nf_connlabels leak on two error pathsMichael Bommarito
tcf_ct_fill_params() calls nf_connlabels_get() (setting put_labels) when TCA_CT_LABELS is present, but two later error sites use a bare return instead of "goto err", skipping the err: nf_connlabels_put() cleanup. They also precede the "p->put_labels = put_labels" assignment, so the tcf_ct_params_free() fallback does not release the count either. Each failed RTM_NEWACTION on these paths leaks one nf_connlabels reference: net->ct.labels_used is incremented and never released. The action is reachable with CAP_NET_ADMIN over the netns, i.e. from an unprivileged user namespace on default-userns kernels. Impact: an unprivileged user with CAP_NET_ADMIN over a network namespace (e.g. via user namespaces) leaks one nf_connlabels reference per failed RTM_NEWACTION on the two error paths; net->ct.labels_used is never released. The err: label is safe to reach from both sites: p->tmpl is still NULL there (kzalloc'd, not yet assigned) and nf_ct_put(NULL) is a no-op, so no inline release is needed. Fixes: 70f06c115bcc ("sched: act_ct: switch to per-action label counting") Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com> Link: https://patch.msgid.link/20260617215708.1115818-1-michael.bommarito@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
14 daysnet: emac: Fix NULL pointer dereference in emac_probeRosen Penev
Move devm_request_irq() after devm_platform_ioremap_resource() so that dev->emacp is mapped before the interrupt handler can fire. An early interrupt hitting emac_irq() would dereference the NULL dev->emacp and crash. Also remove redundant error message. devm_platform_ioremap_resource() already returns an error message with dev_err_probe(). Fixes: dcc34ef7c834 ("net: ibm: emac: manage emac_irq with devm") Signed-off-by: Rosen Penev <rosenp@gmail.com> Reviewed-by: Andrew Lunn <andrew@lunn.ch> Link: https://patch.msgid.link/20260618023405.415644-1-rosenp@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
14 daysMerge tag 'ieee802154-for-net-next-2026-06-20' of ↵Jakub Kicinski
git://git.kernel.org/pub/scm/linux/kernel/git/wpan/wpan-next Stefan Schmidt says: ==================== pull-request: ieee802154-next 2026-06-20 An overdue pull request for ieee802154, catching up on all the AI found issues at last. Shitalkumar Gandhi fixed problems in the ca8210 driver for cases where we could have a leak or a pointer truncation. Robertus Diawan Chris made sure we do not overwrite the return code when associating. Michael Bommarito worked on properly gating our netlink API use in the llsec security context. Ivan Abramov cleaned up the netns cases as he did in other subsystems. Doruk Tan Ozturk ensures we have the correct skn ready in cryptoo operation (to avoid a silent overwrite). Aleksandr Nogikh fixed a kernel-infoleak detected by syzbot. * tag 'ieee802154-for-net-next-2026-06-20' of git://git.kernel.org/pub/scm/linux/kernel/git/wpan/wpan-next: ieee802154: allow legacy LLSEC ADD/DEL ops to pass strict validation ieee802154: admin-gate legacy LLSEC dump operations mac802154: Prevent overwrite return code in mac802154_perform_association() ieee802154: fix kernel-infoleak in dgram_recvmsg() mac802154: llsec: add skb_cow_data() before in-place crypto ieee802154: ca8210: fix pointer truncation in kfifo on 64-bit ieee802154: ca8210: fix cas_ctl leak on spi_async failure ieee802154: Remove WARN_ON() in cfg802154_pernet_exit() ieee802154: Avoid calling WARN_ON() on -ENOMEM in cfg802154_switch_netns() ieee802154: Restore initial state on failed device_rename() in cfg802154_switch_netns() ==================== Link: https://patch.msgid.link/20260620174903.1010671-1-stefan@datenfreihafen.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
14 daysMerge tag 'batadv-net-pullrequest-20260619' of https://git.open-mesh.org/batadvJakub Kicinski
Simon Wunderlich says: ==================== Here are some batman-adv bugfixes, all by Sven Eckelmann: - gw: don't deselect gateway with active hardif - TTL fixes in bcast/mcast and fragmentation handling (4 patches) - BATMAN V: prevent OGM aggregation on disabled hardif - tp_meter: concurrency and range fixes, add cap to unacked list (4 patches) - tt: fix unchecked VLAN ID in tt for local add and roam (2 patches) - dat: check VLAN ID in the hash - tvlv: enforce 2-byte alignment - tvlv: avoid race of cifsnotfound handler state * tag 'batadv-net-pullrequest-20260619' of https://git.open-mesh.org/batadv: batman-adv: tvlv: avoid race of cifsnotfound handler state batman-adv: tvlv: enforce 2-byte alignment batman-adv: dat: prevent false sharing between VLANs batman-adv: tt: track roam count per VID batman-adv: tt: don't merge change entries with different VIDs batman-adv: tp_meter: handle overlapping packets batman-adv: tp_meter: prevent parallel modifications of last_recv batman-adv: tp_meter: annotate last_recv_time access with READ/WRITE_ONCE batman-adv: tp_meter: restrict number of unacked list entries batman-adv: v: prevent OGM aggregation on disabled hardif batman-adv: frag: avoid underflow of TTL batman-adv: frag: ensure fragment is writable before modifying TTL batman-adv: fix (m|b)cast csum after decrementing TTL batman-adv: ensure bcast is writable before modifying TTL batman-adv: gw: don't deselect gateway with active hardif ==================== Link: https://patch.msgid.link/20260619070045.438101-1-sw@simonwunderlich.de Signed-off-by: Jakub Kicinski <kuba@kernel.org>
14 daysocteontx2-pf: mcs: Fix mcs resources free on PF shutdownGeetha sowjanya
On PF shutdown, the current driver free mcs hardware resources though mcs resources are not allocated to it. This patch checks the mcs resources status and if resources are allocated then only sends mailbox message to free them. Fixes: c54ffc73601c ("octeontx2-pf: mcs: Introduce MACSEC hardware offloading") Signed-off-by: Geetha sowjanya <gakula@marvell.com> Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com> Link: https://patch.msgid.link/1781636420-19816-3-git-send-email-sbhatta@marvell.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
14 daysocteontx2-pf: Clear stats of all resources when freeing resourcesSubbaraya Sundeep
When all MCS resources mapped to a PF are being freed then clear stats of all those resources too. Fixes: 815debbbf7b5 ("octeontx2-pf: mcs: Clear stats before freeing resource") Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com> Link: https://patch.msgid.link/1781636420-19816-2-git-send-email-sbhatta@marvell.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
14 daysocteontx2-af: mcs: Fix unsupported secy stats readGeetha sowjanya
Secy control stats counter doesn't exist for CNF10KB platform. Skip reading this respective register for CNF10KB silicon while fetching secy stats. Fixes: 9312150af8da ("octeontx2-af: cn10k: mcs: Support for stats collection") Signed-off-by: Geetha sowjanya <gakula@marvell.com> Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com> Link: https://patch.msgid.link/1781636420-19816-1-git-send-email-sbhatta@marvell.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
14 daysocteontx2-af: npc: cn20k: fix NPC defragRatheesh Kannoth
npc_defrag_alloc_free_slots() always passed NPC_MCAM_KEY_X2 into __npc_subbank_alloc(), which must match sb->key_type, so defrag never allocated replacement slots on X4 banks. Pass the subbank key type for bank 0, and only extend the search into bank 1 for X2 (X4 MCAM indices are confined to b0b..b0t). Fixes: 645c6e3c1999 ("octeontx2-af: npc: cn20k: virtual index support") Signed-off-by: Ratheesh Kannoth <rkannoth@marvell.com> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20260617102149.1309913-1-rkannoth@marvell.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
14 daysnet: ethernet: mtk_ppe: Fix rhashtable leak in mtk_ppe_init error pathsWayen Yan
In mtk_ppe_init(), when accounting is enabled, the error paths for dmam_alloc_coherent(mib) and devm_kzalloc(acct) failures return NULL directly, bypassing the err_free_l2_flows label that destroys the rhashtable initialized earlier. While this leak only occurs during probe (not runtime) and the leaked memory is minimal (an empty rhash table), fixing it ensures proper error path cleanup consistency. Fix by changing the two return NULL statements to goto err_free_l2_flows. Fixes: 603ea5e7ffa7 ("net: ethernet: mtk_eth_soc: fix memory leak in error path") Signed-off-by: Wayen Yan <win847@gmail.com> Acked-by: Lorenzo Bianconi <lorenzo@kernel.org> Link: https://patch.msgid.link/178167550101.2217645.14579307712717502425@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
14 daysnet: dst_metadata: fix false-positive memcpy overflow in tun_dst_uncloneIlya Maximets
kmalloc_flex() in metadata_dst_alloc() sets __counted_by for the structure to the options_len, which is then initialized to zero. Later, we're initializing the structure by copying the tunnel info together with the options, and this triggers a warning for a potential memcpy overflow, since the compiler estimates that the options can't fit into the structure, even though the memory for them is actually allocated. memcpy: detected buffer overflow: 104 byte write of buffer size 96 WARNING: CPU: X PID: Y at lib/string_helpers.c:1036 __fortify_report skb_tunnel_info_unclone+0x179/0x190 geneve_xmit+0x7fe/0xe00 The issue is triggered when built with clang and source fortification. Fix that by doing the copy in two stages: first - the main data with the options_len, then the options. This way the correct length should be known at the time of the copy. It would be better if the options_len never changed after allocation, but the allocation code is a little separate from the initialization and it would be awkward and potentially dangerous to return a struct with options_len set to a non-zero value from the metadata_dst_alloc(). Another option would be to use ip_tunnel_info_opts_set(), but it is doing too many unnecessary operations for the use case here. Fixes: 69050f8d6d07 ("treewide: Replace kmalloc with kmalloc_obj for non-scalar types") Reported-by: Johan Thomsen <write@ownrisk.dk> Closes: https://lore.kernel.org/netdev/CAKv6aAM8_EWgXScnKmKYm_4SwGDVBK++dzfP+Y6msUXbp99QUw@mail.gmail.com/ Signed-off-by: Ilya Maximets <i.maximets@ovn.org> Link: https://patch.msgid.link/20260616100332.1308294-1-i.maximets@ovn.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
14 daystipc: fix use-after-free of the discoverer in tipc_disc_rcv()Weiming Shi
bearer_disable() frees b->disc with tipc_disc_delete()'s plain kfree(), but tipc_disc_rcv() still dereferences b->disc in RX softirq under rcu_read_lock() (tipc_udp_recv -> tipc_rcv -> tipc_disc_rcv). L2 bearers are safe thanks to the synchronize_net() in tipc_disable_l2_media(), but the UDP bearer defers that call to the cleanup_bearer() workqueue, so the discoverer is freed with no grace period: BUG: KASAN: slab-use-after-free in tipc_disc_rcv (net/tipc/discover.c:149) Read of size 8 at addr ffff88802348b728 by task poc_tipc/184 <IRQ> tipc_disc_rcv (net/tipc/discover.c:149) tipc_rcv (net/tipc/node.c:2126) tipc_udp_recv (net/tipc/udp_media.c:391) udp_rcv (net/ipv4/udp.c:2643) ip_local_deliver_finish (net/ipv4/ip_input.c:241) </IRQ> Freed by task 181: kfree (mm/slub.c:6565) bearer_disable (net/tipc/bearer.c:418) tipc_nl_bearer_disable (net/tipc/bearer.c:1001) The bearer is freed with kfree_rcu(); free the discoverer the same way. Add an rcu_head to struct tipc_discoverer and free it and its skb from an RCU callback. Because the RCU callback (tipc_disc_free_rcu) lives in module text, a call_rcu() that is still pending when the tipc module is unloaded would invoke a freed function. Add an rcu_barrier() to tipc_exit() after the bearer subsystem has been torn down, so all pending discoverer callbacks have run before the module text goes away. Reachable from an unprivileged user namespace: the TIPCv2 genl family is netnsok and its bearer commands have no GENL_ADMIN_PERM. Needs CONFIG_TIPC and CONFIG_TIPC_MEDIA_UDP. Fixes: 25b0b9c4e835 ("tipc: handle collisions of 32-bit node address hash values") Reported-by: Xiang Mei <xmei5@asu.edu> Signed-off-by: Weiming Shi <bestswngs@gmail.com> Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech> Link: https://patch.msgid.link/20260617135744.3383175-3-bestswngs@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
14 daysnet: marvell: prestera: initialize err in prestera_port_sfp_bindRuoyu Wang
prestera_port_sfp_bind() returns err after walking the ports node. If no child node matches the port's front-panel id, err is never assigned. Initialize err to 0 because absence of a matching optional port device tree node is not an error. In that case no phylink is created and port creation should continue with port->phy_link left NULL. Errors from malformed matched nodes and phylink_create() still propagate. Fixes: 52323ef75414 ("net: marvell: prestera: add phylink support") Signed-off-by: Ruoyu Wang <ruoyuw560@gmail.com> Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com> Acked-by: Elad Nachman <enachman@marvell.com> Link: https://patch.msgid.link/20260617193228.1653582-1-ruoyuw560@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
14 dayslib: Add stale 'raid6' directory to .gitignore fileLinus Torvalds
I keep having to do this, because people think they can just move directories around and move the gitignore files around with them. You really can't do that - the old generated files stay around for others, and still need to be ignored in the old location. So when moving gitignore entries around because you moved the files (or when moving a whole gitignore file around because the directory it was in moved), the old gitignore situation needs to be dealt with. Yes, those files may have moved in *your* tree when you moved the directory. And yes, new repositories will never even have seen them. But all those other developers that see the result of your move still likely have a working tree with the old state, and the files that were hidden from git by an old gitignore file do not suddenly become relevant. Fixes: 3626738bc714 ("raid6: move to lib/raid/") Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 daysMerge tag 'mm-nonmm-stable-2026-06-21-10-22' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Pull non-MM updates from Andrew Morton: - "taskstats: fix TGID dead-thread stat retention" (Yiyang Chen) Fix a taskstats TGID aggregation bug where fields added in the TGID query path were not preserved after thread exit, and adds a kselftest covering the regression. - "lib/tests: string_helpers: Slight improvements" (Andy Shevchenko) Improve lib/tests/string_helpers_kunit.c a little - "lib/base64: decode fixes" (Josh Law) Address minor issues in lib/base64.c - "selftests/filelock: Make output more kselftestish" (Mark Brown) Make the output from the ofdlocks test a bit easier for tooling to work with. Also ignore the generated file - "uaccess: unify inline vs outline copy_{from,to}_user() selection" (Yury Norov) Simplify the usercopy code by removing the selectability of inlining copy_{from,to}_user(). - "ocfs2: validate inline xattr header consumers" (ZhengYuan Huang) Fix a number of possible issues in the ocfs2 xattr code - "lib and lib/cmdline enhancements" (Dmitry Antipov) Provide additional robustness checking in the cmdline handling code and its in-kernel testing and selftests - "cleanup the RAID6 P/Q library" (Christoph Hellwig) Clean up the RAID6 P/Q library to match the recent updates to the RAID 5 XOR library and other CRC/crypto libraries - "ocfs2: harden inode validators against forged metadata" (Michael Bommarito) Add three structural checks to OCFS2 dinode validation so malformed on-disk fields are rejected before ocfs2_populate_inode() copies them into the in-core inode - "lib/raid: replace __get_free_pages() call with kmalloc()" (Mike Rapoport) Clean up the lib/raid code by using kmalloc() in more places * tag 'mm-nonmm-stable-2026-06-21-10-22' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: (108 commits) ocfs2: fix circular locking dependency in ocfs2_dio_end_io_write ocfs2: fix NULL h_transaction deref in ocfs2_assure_trans_credits lib: interval_tree_test: validate benchmark parameters ocfs2: avoid moving extents to occupied clusters treewide: fix transposed "sign" typos and update spelling.txt ocfs2: fix UBSAN array-index-out-of-bounds in ocfs2_sum_rightmost_rec fat: reject BPB volumes whose data area starts beyond total sectors selftests/uevent: increase __UEVENT_BUFFER_SIZE to avoid ENOBUFS on busy systems lib/test_firmware: allocate the configured into_buf size fs: efs: remove unneeded debug prints checkpatch: cuppress warnings when Reported-by: is followed by Link: MAINTAINERS: add Alexander as a kcov reviewer mailmap: update Alexander Sverdlin's Email addresses fs: fat: inode: replace sprintf() with scnprintf() ocfs2: fix out-of-bounds write in ocfs2_remove_refcount_extent ocfs2: fix race between ocfs2_control_install_private() and ocfs2_control_release() ocfs2/dlm: require a ref for locking_state debugfs open ocfs2: reject FITRIM ranges shorter than a cluster ocfs2: validate fast symlink target during inode read ocfs2: add journal NULL check in ocfs2_checkpoint_inode() ...
14 daysMerge tag 'mtd/for-7.2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux Pull mtd updates from Miquel Raynal: "NAND changes: - Extend SPI NAND continuous read to Winbond devices, which requires numerous changes in the spi-{mem,nand} layers such as the need for a secondary read operation template - Continuous reads in general have also been enhanced/fixed for avoiding potential issues at probe time and at block boundaries SPI NOR changes: - Big set of cleanups and improvements to the locking support. This series contains some cleanups and bug fixes for code and documentation around write protection. Then support is added for complement locking, which allows finer grained configuration of what is considered locked and unlocked. Then complement locking is enabled on a bunch of Winbond W25 flashes - Fix die erase support on Spansion flashes. Die erase is only supported on multi-die flashes, but the die erase opcode was set for all. When the opcode is set, it overrides the default chip erase opcode which should be used for single-die flashes. Only set the opcode on multi-die flashes. Also, the opcode was not set on multi-die s28hx-t flashes. Set it so they can use die-erase correctly General changes: - A few drivers and mappings have been removed following SoCs support removal - And again, there is the usual load of misc improvements and fixes" * tag 'mtd/for-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux: (63 commits) mtd: cfi: Use common error handling code in two functions mtd: slram: simplify register_device() cleanup mtd: slram: remove failed entries from the device list mtd: rawnand: ndfc: use ioread32be/iowrite32be and allow COMPILE_TEST mtd: spi-nor: spansion: add die erase support in s28hx-t mtd: spi-nor: spansion: use die erase for multi-die devices only mtd: spi-nor: winbond: Add W25Q02NWxxIM CMP locking support mtd: spi-nor: winbond: Add W25Q01NWxxIM CMP locking support mtd: spi-nor: winbond: Add W25Q01NWxxIQ CMP locking support mtd: spi-nor: winbond: Add W25H02NWxxAM CMP locking support mtd: spi-nor: winbond: Add W25H01NWxxAM CMP locking support mtd: spi-nor: winbond: Add W25H512NWxxAM CMP locking support mtd: spi-nor: Add steps for testing locking with CMP mtd: spi-nor: swp: Add support for the complement feature mtd: spi-nor: Add steps for testing locking support mtd: maps: remove obsolete impa7 map driver mtd: maps: remove uclinux map driver mtd: maps: remove AMD Élan specific drivers mtd: inftlmount: convert printk(KERN_WARNING) to pr_warn mtd: Consistently define pci_device_ids ...
14 dayscpu: hotplug: Bound hotplug states sysfs outputBradley Morgan
states_show() adds CPU hotplug state names into a single sysfs buffer using sprintf(). With enough registered states, this can write past the end of the PAGE_SIZE buffer. Use sysfs_emit_at() so output is bounded. Fixes: 98f8cdce1db5 ("cpu/hotplug: Add sysfs state interface") Signed-off-by: Bradley Morgan <include@grrlz.net> Signed-off-by: Thomas Gleixner <tglx@kernel.org> Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20260619163719.12103-2-include@grrlz.net