summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2026-06-15platform/x86/intel/pmc/ssram: Switch to static array with per-index probe stateDavid E. Box
Replace devm-allocated pmc_ssram_telems pointer with a fixed-size static array and introduce per-index probe state tracking. This prepares the driver for later per-device probe handling where tying the PMC tracking storage to one probed PCI device is no longer suitable. The previous single global device_probed flag cannot describe the state of individual PMC indices when multiple devices can be probed independently. Replace it with per-index state (UNPROBED, PROBING, PRESENT, ABSENT) and a staging cache that publishes discovered values only after probe completes. This avoids races between probe/unbind and concurrent readers. Use marked state accesses with release/acquire ordering to prevent compiler and CPU reordering issues across concurrent probe/unbind cycles. This patch was substantially rewritten in later revisions. Originally developed from earlier work by Xi Pardee. Signed-off-by: David E. Box <david.e.box@linux.intel.com> Assisted-by: Claude:claude-sonnet-4-5 Link: https://patch.msgid.link/a2cccf532bec04fcc370819890d936212bc1b14c.1781294741.git.david.e.box@linux.intel.com Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
2026-06-15platform/x86/intel/pmc/ssram: Refactor DEVID/PWRMBASE extraction into helperDavid E. Box
Move DEVID/PWRMBASE extraction into pmc_ssram_get_devid_pwrmbase(). This is a preparatory refactor to place functionality in a common helper for reuse by a subsequent patch. Additionally add missing bits.h include and define SSRAM_BASE_ADDR_MASK for the address extraction mask. Signed-off-by: David E. Box <david.e.box@linux.intel.com> Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Link: https://patch.msgid.link/75ca738c88729f37f286f342c1fe8ff86f7eafe7.1781294741.git.david.e.box@linux.intel.com Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
2026-06-15platform/x86/intel/pmc/ssram: Add PCI platform dataDavid E. Box
Add per-device platform data for SSRAM telemetry PCI IDs and route probe through a method selector driven by id->driver_data. This is a preparatory refactor for follow-on discovery methods while preserving current behavior: all supported IDs continue to use the PCI initialization path. Signed-off-by: David E. Box <david.e.box@linux.intel.com> Link: https://patch.msgid.link/1c6180097b20dbe1337828bf6d3667854d63583a.1781294741.git.david.e.box@linux.intel.com Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
2026-06-15platform/x86/intel/pmc/ssram: Rename probe and PCI ID table for consistencyDavid E. Box
Rename intel_pmc_ssram_telemetry_probe() to pmc_ssram_telemetry_probe() and intel_pmc_ssram_telemetry_pci_ids[] to pmc_ssram_telemetry_pci_ids[], updating the MODULE_DEVICE_TABLE() and pci_driver wiring accordingly. This aligns the symbol names with the driver filename and module name, reduces redundant intel_ prefixes, and improves readability. No functional behavior changes are intended. Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Signed-off-by: David E. Box <david.e.box@linux.intel.com> Link: https://patch.msgid.link/6d3935858214fdd0f530f9a7c08a387fa4e5e8cd.1781294741.git.david.e.box@linux.intel.com Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
2026-06-15platform/x86/intel/pmc: Add ACPI PWRM telemetry driver for Nova Lake SDavid E. Box
Add an ACPI-based PMC PWRM telemetry driver for Nova Lake S. The driver locates PMT discovery data in _DSD under the Intel VSEC UUID, parses it, and registers telemetry regions with the PMT/VSEC framework so PMC telemetry is exposed via existing PMT interfaces. Export pmc_parse_telem_dsd() and pmc_find_telem_guid() to support ACPI discovery in other PMC drivers (e.g., ssram_telemetry) without duplicating ACPI parsing logic. Also export acpi_disc_t typedef from core.h for callers to properly declare discovery table arrays. Selected by INTEL_PMC_CORE. Existing PCI functionality is preserved. Assisted-by: GitHub-Copilot:claude-opus-4.7 Signed-off-by: David E. Box <david.e.box@linux.intel.com> Link: https://patch.msgid.link/09b8211d8a5a79fa019ee2397137a6a43cf19430.1781294741.git.david.e.box@linux.intel.com Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
2026-06-15platform/x86/intel/pmc: Add PMC SSRAM Kconfig descriptionDavid E. Box
Add a proper description for the intel_pmc_ssram driver. Signed-off-by: David E. Box <david.e.box@linux.intel.com> Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Link: https://patch.msgid.link/bd7ba2f98450751af1de054dac0469acc1138513.1781294741.git.david.e.box@linux.intel.com Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
2026-06-15platform/x86/intel/pmt: Unify header fetch and add ACPI sourceDavid E. Box
Allow the PMT class to read discovery headers from either PCI MMIO or ACPI-provided entries, depending on the discovery source. The new source-aware fetch helper caches the canonical discovery header for both paths, capping PCI MMIO reads to the mapped resource size, while keeping the mapped PCI discovery table available for users such as crashlog. Split intel_pmt_populate_entry() into source-specific resolvers: - pmt_resolve_access_pci(): handles both ACCESS_LOCAL and ACCESS_BARID for PCI-backed devices and sets entry->pcidev. Same existing functionality. - pmt_resolve_access_acpi(): handles only ACCESS_BARID for ACPI-backed devices, rejecting ACCESS_LOCAL which has no valid semantics without a physical discovery resource. This maintains existing PCI behavior and makes no functional changes for PCI devices. Assisted-by: GitHub-Copilot:claude-opus-4.7 Signed-off-by: David E. Box <david.e.box@linux.intel.com> Link: https://patch.msgid.link/4b33b04ffaf0943b67d330f48b5d1dfcb6d1be5d.1781294741.git.david.e.box@linux.intel.com Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
2026-06-15platform/x86/intel/pmt: Cache the telemetry discovery headerDavid E. Box
pmt_telem_header_decode() only needs the discovery header dwords, but it currently decodes them by reading directly from entry->disc_table. Cache the discovery header in intel_pmt_entry when the device is created and have telemetry decode use the cached values instead of performing MMIO reads at decode time. The DVSEC discovery resource for a namespace is sized by its per-entry entry_size (in dwords), which can be less than the 4-dword cache (e.g. telemetry uses entry_size = 3, i.e. 12 bytes). Cap the memcpy_fromio() to resource_size(disc_res) so the new cache does not read past the mapped region. Any unread dwords stay zero from the zero-initialized allocation of the containing struct. This keeps the telemetry header decode path independent of how the discovery data is backed and avoids baking a direct MMIO assumption into the feature-specific decode logic. Assisted-by: GitHub-Copilot:claude-opus-4.7 Signed-off-by: David E. Box <david.e.box@linux.intel.com> Link: https://patch.msgid.link/f805e2ada52dc0661761cda7f692e76e6ea2d257.1781294741.git.david.e.box@linux.intel.com Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
2026-06-15platform/x86/intel/pmt: Pass discovery index instead of resourceDavid E. Box
Change PMT class code to pass a discovery index rather than a direct struct resource when creating entries. This allows the class to identify the discovery source generically without assuming PCI BAR resources. For PCI devices, the index still resolves to a resource in the intel_vsec_device. Other discovery sources, such as ACPI, can use the same index without needing a struct resource. Signed-off-by: David E. Box <david.e.box@linux.intel.com> Link: https://patch.msgid.link/8e785902c6a3ac1b5a9c3f0f65096553dc5acd4f.1781294741.git.david.e.box@linux.intel.com Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
2026-06-15platform/x86/intel/pmt/telemetry: Move overlap check to post-decode hookDavid E. Box
Update the telemetry namespace to use the new PMT class pre/post decode interface. The overlap check, which previously occurred during header decode, is now performed in the post-decode hook once header fields are populated. This preserves existing behavior while reusing the same header decode logic across PMT drivers. Signed-off-by: David E. Box <david.e.box@linux.intel.com> Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Link: https://patch.msgid.link/2f5e429a38e22eb45fcfaaca4e037fa395d4f199.1781294741.git.david.e.box@linux.intel.com Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
2026-06-15platform/x86/intel/pmt/crashlog: Split init into pre-decodeDavid E. Box
Refactor crashlog initialization to use the PMT namespace pre-decode hook: - Add pmt_crashlog_pre_decode() to parse type/version, select the crashlog_info, initialize the control mutex, and set entry->attr_grp. - Simplify pmt_crashlog_header_decode() to only read header fields from the discovery table. - Wire the namespace with .pmt_pre_decode = pmt_crashlog_pre_decode. This separates structural initialization from header parsing, aligning crashlog with the PMT class pre/post decode flow. Signed-off-by: David E. Box <david.e.box@linux.intel.com> Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Link: https://patch.msgid.link/ed8cda8456c97132cf2d2b4ff6a5cffb1ce3a666.1781294741.git.david.e.box@linux.intel.com Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
2026-06-15platform/x86/intel/pmt: Add pre/post decode hooks around header parsingDavid E. Box
Add optional pre- and post-decode callbacks to the PMT class so namespaces can perform setup and cleanup steps around header parsing. - Add pmt_pre_decode() and pmt_post_decode() to struct intel_pmt_namespace. - Update intel_pmt_dev_create() to invoke, in order: pre → header_decode() → post. - Keep the existing pmt_header_decode() callback unchanged. No functional changes. This adds flexibility for upcoming decoders while preserving current behavior. Signed-off-by: David E. Box <david.e.box@linux.intel.com> Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Link: https://patch.msgid.link/b178a341601ca694db99c3b738fe4ed9e0c2bede.1781294741.git.david.e.box@linux.intel.com Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
2026-06-15Merge tag 'pull-configfs-fixed' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull configfs updates from Al Viro: "A couple of fixes (UAF in configfs_lookup() and really old races introduced when lseek() on configfs directories stopped locking those directories; impact up to and including UAF). Fixes aside, the main result is that configfs is finally switched to tree-in-dcache machinery. It's *not* making use of recursive removal helpers yet, and it still does the bloody awful "build subtree in full sight of userland, with possibility of failure halfway through and need to unroll" that forces the locking model from hell; dealing with that is a separate patch series, once this one is out of the way. However, it is using DCACHE_PERSISTENT properly now. And apparmorfs is the sole remaining user of __simple_{unlink,rmdir}() at that point" * tag 'pull-configfs-fixed' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: create_default_group(): pass parent's dentry instead of config_group configfs_attach_group(): drop the unused parent_item argument configs_attach_item(): drop unused parent_item argument configfs_create(): lift parent timestamp updates into callers kill configfs_drop_dentry() configfs: mark pinned dentries persistent configfs: dentry refcount needs to be pinned only once switch configfs_detach_{group,item}() to passing dentry configfs_remove_dir(), detach_attrs(): switch to passing dentry populate_attrs(): move cleanup to the sole caller populate_group(): move cleanup on failure to the sole caller configfs_detach_rollback(): pass configfs_dirent instead of dentry configfs_do_depend_item(): pass configfs_dirent instead of dentry configfs_depend_prep(): pass configfs_dirent instead of dentry configfs_detach_prep(): pass configfs_dirent instead of dentry configfs_mkdir(): use take_dentry_name_snapshot() configfs: fix lockless traversals of ->s_children configfs_lookup(): don't leave ->s_dentry dangling on failure
2026-06-15Merge tag 'pull-d_add' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfsLinus Torvalds
Pull dentry d_add() cleanups from Al Viro: "This converts a bunch of unidiomatic uses of d_add() in ->lookup() instances to equivalent uses of d_splice_alias(), which is the normal mechanism for ->lookup()" * tag 'pull-d_add' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: gfs2: use d_splice_alias() for ->lookup() return value ntfs: use d_splice_alias() for ->lookup() return value simple_lookup(): use d_splice_alias() for ->lookup() return value ecryptfs: use d_splice_alias() for ->lookup() return value configfs_lookup(): switch to d_splice_alias() tracefs: use d_splice_alias() in ->lookup() instances
2026-06-15Merge tag 'pull-dcache' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull dcache updates from Al Viro: - d_alloc_parallel() API change (Neil's with my changes) - NORCU fixes - Reorganization and simplification of dentry eviction logic - Simplifying rcu_read_lock() scopes in fs/dcache.c - Secondary roots work - getting rid of NFS fake root dentries and dealing with remaining shrink_dcache_for_umount() and shrink_dentry_list() races - making cursors NORCU (surprisingly easy) * tag 'pull-dcache' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (22 commits) make cursors NORCU nfs: get rid of fake root dentries wind ->s_roots via ->d_sib instead of ->d_hash shrink_dentry_tree(): unify the calls of shrink_dentry_list() shrinking rcu_read_lock() scope in d_alloc_parallel() d_walk(): shrink rcu_read_lock() scope document dentry_kill() adjust calling conventions of lock_for_kill(), fold __dentry_kill() into dentry_kill() Document rcu_read_lock() use in select_collect2() Shift rcu_read_{,un}lock() inside fast_dput() simplify safety for lock_for_kill() slowpath fold lock_for_kill() and __dentry_kill() into common helper fold lock_for_kill() into shrink_kill() shrink_dentry_list(): start with removing from shrink list d_prune_aliases(): make sure to skip NORCU aliases kill d_dispose_if_unused() make to_shrink_list() return whether it has moved dentry to list select_collect(): ignore dentries on shrink lists if they have positive refcounts find_acceptable_alias(): skip NORCU aliases with zero refcount fix a race between d_find_any_alias() and final dput() of NORCU dentries ...
2026-06-15Merge tag 'vfs-7.2-rc1.procfs' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull procfs updates from Christian Brauner: - Revamp fs/filesystems.c The file was a mess with a hand-rolled linked list in desperate need of a cleanup. The filesystems list is now RCU-ified, /proc files can be marked permanent from outside fs/proc/, and the string emitted when reading /proc/filesystems is pre-generated and cached instead of pointer-chasing and printfing entry by entry on every read. The file is read frequently because libselinux reads it and is linked into numerous frequently used programs (even ones you would not suspect, like sed!). Scalability also improves since reference maintenance on open/close is bypassed. open+read+close cycle single-threaded (ops/s): before: 442732 after: 1063462 (+140%) open+read+close cycle with 20 processes (ops/s): before: 606177 after: 3300576 (+444%) A follow-up patch adds missing unlocks in some corner cases and tidies things up. - Relax the mount visibility check for subset=pid mounts When procfs is mounted with subset=pid, all static files become unavailable and only the dynamic pid information is accessible. In that case there is no point in imposing the full mount visibility restrictions on the mounter - everything that can be hidden in procfs is already inaccessible. These restrictions prevented procfs from being mounted inside rootless containers since almost all container implementations overmount parts of procfs to hide certain directories. As part of this /proc/self/net is only shown in subset=pid mounts for CAP_NET_ADMIN, reconfiguring subset=pid is rejected, the SB_I_USERNS_VISIBLE superblock flag is replaced with an FS_USERNS_MOUNT_RESTRICTED filesystem flag, fully visible mounts are recorded in a list, and the mount restrictions are finally documented. - Protect ptrace_may_access() with exec_update_lock in procfs Most uses of ptrace_may_access() in procfs should hold exec_update_lock to avoid TOCTOU issues with concurrent privileged execve() (like setuid binary execution). This fixes the easy cases - the owner and visibility checks and the FD link permission checks - with the gnarlier ones to follow later. * tag 'vfs-7.2-rc1.procfs' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: fs: fix ups and tidy ups to /proc/filesystems caching proc: protect ptrace_may_access() with exec_update_lock (FD links) proc: protect ptrace_may_access() with exec_update_lock (part 1) docs: proc: add documentation about mount restrictions proc: handle subset=pid separately in userns visibility checks proc: prevent reconfiguring subset=pid proc: subset=pid: Show /proc/self/net only for CAP_NET_ADMIN fs: cache the string generated by reading /proc/filesystems sysfs: remove trivial sysfs_get_tree() wrapper fs: RCU-ify filesystems list fs: move SB_I_USERNS_VISIBLE to FS_USERNS_MOUNT_RESTRICTED proc: allow to mark /proc files permanent outside of fs/proc/ namespace: record fully visible mounts in list
2026-06-15Merge tag 'vfs-7.2-rc1.misc' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull misc vfs updates from Christian Brauner: "Features: - Reduce pipe->mutex contention by pre-allocating pages outside the lock in anon_pipe_write(). anon_pipe_write() called alloc_page() once per page while holding pipe->mutex. The allocation can sleep doing direct reclaim and runs memcg charging, which extends the critical section and stalls any concurrent reader on the same mutex. Now up to 8 pages are pre-allocated before the mutex is taken, leftovers are recycled into the per-pipe tmp_page[] cache before unlock, and any remainder is released after unlock, keeping the allocator out of the critical section on both sides. On a writers x readers sweep with 64KB writes against a 1 MB pipe throughput improves 6-28% and average write latency drops 5-22%; under memory pressure - when the cost of holding the mutex across reclaim is highest - throughput improves 21-48% and latency drops 17-33%. The microbenchmark is added to selftests. - uaccess/sockptr: fix the ignored_trailing logic in copy_struct_to_user() to behave as documented and the usize check in copy_struct_from_sockptr() for user pointers, and add copy_struct_{from,to}_bounce_buffer() and copy_struct_to_sockptr() helpers for upcoming users (IPPROTO_SMBDIRECT, IPPROTO_QUIC). - bpf: add a sleepable bpf_real_inode() kfunc that resolves the real inode backing a dentry via d_real_inode(). On overlayfs the inode attached to the dentry doesn't carry the underlying device information; this is used by the filesystem restriction BPF program that was merged into systemd. - docs: add guidelines for submitting new filesystems, motivated by the maintenance burden abandoned and untestable filesystems impose on VFS developers, blocking infrastructure work like folio conversions and iomap migration. Fixes: - libfs: set SB_I_NOEXEC and SB_I_NODEV by default in init_pseudo() and drop the now-redundant assignments in callers. This began as a one-line dma-buf fix for a path_noexec() warning; a pseudo filesystem has no reason not to set SB_I_NOEXEC. All init_pseudo() callers were audited: the only visible effect is on dma-buf where SB_I_NOEXEC silences the warning. - Handle set_blocksize() failures in legacy filesystems (bfs, hpfs, qnx4, jfs, befs, affs, isofs, minix, ntfs3, omfs). Mounting a device with a sector size > PAGE_SIZE crashed roughly half of them; the rest had the same missing error handling pattern. Plus a follow-up releasing the superblock buffer_head when setting the minix v3 block size fails. - mount: honour SB_NOUSER in the new mount API. - fs/fcntl: fix a SOFTIRQ-unsafe lock order in fasync signaling by switching the process-group paths of send_sigio() and send_sigurg() from read_lock(&tasklist_lock) to RCU, matching the single-PID path. - vfs: add an FS_USERNS_DELEGATABLE flag and set it for NFS, fixing delegated NFS mounts (fsopen() in a container with the mount performed by a privileged daemon) that broke when non-init s_user_ns was tied to FS_USERNS_MOUNT. - selftests/namespaces: fix a hang in nsid_test where an unreaped grandchild kept the TAP pipe write-end open, a waitpid(-1) race in listns_efault_test, and a false FAIL on kernels without listns() where the tests should SKIP. - filelock: fix the break_lease() stub signature for CONFIG_FILE_LOCKING=n. - init/initramfs_test: wait for the async initramfs unpacking before running; the test and do_populate_rootfs() share the parser state. - fs/coredump: reduce redundant log noise in validate_coredump_safety(). - iomap: pass the correct length to fserror_report_io() in __iomap_write_begin(). - backing-file: fix the backing_file_open() kerneldoc. Cleanups: - initramfs: refactor the cpio hex header parsing to use hex2bin() instead of the hand-rolled simple_strntoul() which is reverted, and extend the initramfs KUnit tests to cover header fields with 0x prefixes. - Replace __get_free_pages() and friends with kmalloc()/kzalloc() across quota, proc, ocfs2/dlm, nilfs2, nfs, nfsd, libfs, jfs, jbd2, isofs, fuse, select, namespace, configfs, binfmt_misc, bfs, and the do_mounts init code - part of the larger work of replacing page allocator calls with kmalloc(). - Use clear_and_wake_up_bit() in unlock_buffer() and journal_end_buffer_io_sync() instead of open-coding the sequence. - Drop unused VFS exports: unexport drop_super_exclusive(), remove start_removing_user_path_at(), and fold __start_removing_path() into start_removing_path(). - fs/read_write: narrow the __kernel_write() export with EXPORT_SYMBOL_FOR_MODULES(). - vfs: uapi: retire octal and hex constants in favor of (1 << n) for the O_ flags. Finding a free bit for a new flag across the architectures was needlessly hard with the mixed bases. - dcache: add extra sanity checks of dead dentries in dentry_free() via a new DENTRY_WARN_ONCE() that also prints d_flags. - iov_iter: use kmemdup_array() in dup_iter() to harden the allocation against multiplication overflow. - fs/pipe: write to ->poll_usage only once. - vfs: remove an always-taken if-branch in find_next_fd(). - dcache: use kmalloc_flex() for struct external_name in __d_alloc(). - namei: use QSTR() instead of QSTR_INIT() in path_pts(). - sync_file_range: delete dead S_ISLNK code. - Comment fixes: retire a stale comment in fget_task_next() and fix assorted spelling mistakes" * tag 'vfs-7.2-rc1.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: (73 commits) backing-file: fix backing_file_open() kerneldoc parameter iomap: pass the correct len to fserror_report_io in __iomap_write_begin vfs: add FS_USERNS_DELEGATABLE flag and set it for NFS filelock: fix break_lease() stub signature for CONFIG_FILE_LOCKING=n vfs: uapi: retire octal and hex numbers in favor of (1 << n) for O_ flags bpf: add bpf_real_inode() kfunc fs/read_write: Do not export __kernel_write() to the entire world libfs: drop redundant SB_I_NOEXEC/SB_I_NODEV in init_pseudo() callers libfs: set SB_I_NOEXEC and SB_I_NODEV by default in init_pseudo() mount: honour SB_NOUSER in the new mount API fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling selftests/pipe: add pipe_bench microbenchmark fs/pipe: pre-allocate pages outside pipe->mutex in anon_pipe_write fs: retire stale comment in fget_task_next() fs: fix spelling mistakes in comment bfs: replace get_zeroed_page() with kzalloc() binfmt_misc: replace __get_free_page() with kmalloc() configfs: replace __get_free_pages() with kzalloc() fs/namespace: use __getname() to allocate mntpath buffer fs/select: replace __get_free_page() with kmalloc() ...
2026-06-15Merge tag 'vfs-7.2-rc1.xattr' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull simple_xattr updates from Christian Brauner: "This reworks the simple xattr api to make it more efficient and easier to use for all consumers. The simple_xattr hash table moves from the inode into a per-superblock cache, removing the per-inode overhead for the common case of few or no xattrs. The interface now passes struct simple_xattrs ** so lazy allocation is handled internally instead of by every caller, kernfs xattr operations on kernfs nodes shared between multiple superblocks are properly serialized, and tmpfs constructs "security.foo" xattr names with kasprintf() instead of kmalloc() plus two memcpy()s. A follow-up fix links kernfs nodes to their parent before the LSM init hook runs: with the per-sb cache kernfs_xattr_set() computes the cache via kernfs_root(kn), which faulted on a freshly allocated node when selinux_kernfs_init_security() called into it - reproducible as a NULL pointer dereference on the first cgroup mkdir on SELinux-enabled systems. On top of this bpffs gains support for trusted.* and security.* xattrs so that user space and BPF LSM programs can attach metadata - for example a content hash or a security label - to pinned objects and directories and inspect it uniformly like on other filesystems. The store is in-memory and non-persistent, living only for the lifetime of the mount like everything else in bpffs" * tag 'vfs-7.2-rc1.xattr' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: bpf: Add simple xattr support to bpffs kernfs: link kn to its parent before the LSM init hook simpe_xattr: use per-sb cache simple_xattr: change interface to pass struct simple_xattrs ** tmpfs: simplify constructing "security.foo" xattr names kernfs: fix xattr race condition with multiple superblocks
2026-06-15Merge tag 'vfs-7.2-rc1.iomap' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull iomap updates from Christian Brauner: - Add the vfs infrastructure required to implement fs-verity support for XFS with a post-EOF merkle tree: fsverity generates and stores a zero-block hash, and iomap learns to verify data on buffered reads, to handle fsverity during writeback via the new IOMAP_F_FSVERITY flag, and to write fsverity metadata through iomap_fsverity_write(). - Skip the memset of the iomap in iomap_iter() once the iteration is done. In high-IOPS scenarios (4k randread NVMe polling via io_uring) the pointless memset wasted memory write bandwidth; this improves IOPS by about 5% on ext4 and xfs. - Add balance_dirty_pages_ratelimited() to iomap_zero_iter(), aligning it with iomap_write_iter(). This prepares for the exFAT iomap conversion where zeroing beyond valid_size can trigger large-scale zeroing operations that caused memory pressure without throttling. - Remove the over-strict inline data boundary check. If a filesystem provides a valid inline_data pointer and length there is no reason to require that inline data must not cross a page boundary. - Don't make REQ_POLLED imply REQ_NOWAIT, matching the earlier equivalent block layer fix: there are valid cases to poll for I/O completion without REQ_NOWAIT, and REQ_NOWAIT for file system writes is currently not supported as writes aren't idempotent. - Introduce IOMAP_F_ZERO_TAIL for filesystems that maintain a separate valid data length (exFAT, NTFS). For a write starting at or beyond valid_size, __iomap_write_begin() now zeroes only the tail portion of the block while preserving valid data before it, instead of leaving stale data in the page cache. The flag is also added to the iomap trace event strings. * tag 'vfs-7.2-rc1.iomap' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: iomap: Add IOMAP_F_ZERO_TAIL flag to trace event strings iomap: introduce iomap_fsverity_write() for writing fsverity metadata iomap: teach iomap to read files with fsverity iomap: introduce IOMAP_F_FSVERITY and teach writeback to handle fsverity fsverity: generate and store zero-block hash iomap: introduce IOMAP_F_ZERO_TAIL flag iomap: don't make REQ_POLLED imply REQ_NOWAIT iomap: remove over-strict inline data boundary check iomap: add dirty page control to iomap_zero_iter iomap: avoid memset iomap when iter is done
2026-06-15Merge tag 'vfs-7.2-rc1.eventpoll' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull eventpoll updates from Christian Brauner: - eventpoll clarity refactor The recent eventpoll UAF fixes (a6dc643c6931 and follow-ups) depended on invariants in fs/eventpoll.c that were nowhere documented and had to be reverse-engineered from the code: the lifetime relationships between struct eventpoll, struct epitem, and struct file, the three removal paths coordinating via epi_fget() pins and ep->mtx, the ovflist sentinel-encoded scan state machine, the POLLFREE release/acquire handshake, and the loop / path check globals serialized by epnested_mutex. The fixes were correct but the next person to touch this code would hit the same learning curve. This series codifies those invariants in source and tightens the surrounding structure. No functional changes intended: - Documentation: a top-of-file overview with field-protection tables for struct eventpoll and struct epitem, a section gathering the loop-check / path-check globals next to their declarations, labelled comments on the two sides of the POLLFREE handshake, refreshed comments on epi_fget() and ep_remove_file(), and a docblock on ep_clear_and_put() that names its two-pass structure as load-bearing. - Mechanical renames: ep_refcount_dec_and_test() -> ep_put() to pair with ep_get(), attach_epitem() -> ep_attach_file() for ep_remove_file() symmetry, the unused depth argument dropped from epoll_mutex_lock(), and the CONFIG_KCMP block relocated next to CONFIG_COMPAT so the hot-path code is contiguous. - Helper extraction: ep_insert() splits into ep_alloc_epitem() and ep_register_epitem(), ep_clear_and_put()'s two passes become ep_drain_pollwaits() and ep_drain_tree() so the ordering invariant is enforced by the call sequence rather than convention, the per-event delivery loop body becomes ep_deliver_event(), and the ep->mtx + epnested_mutex acquisition dance lifts out of do_epoll_ctl() into ep_ctl_lock() / ep_ctl_unlock(). - Sentinel and predicate cleanup: the EP_UNACTIVE_PTR overload is hidden behind named helpers (ep_is_scanning, epi_on_ovflist, ...), epi->next is renamed to epi->ovflist_next, and the boolean predicates return bool. - The per-CTL_ADD scratch state (tfile_check_list, path_count[], inserting_into) moves from file-scope globals into a stack-allocated struct ep_ctl_ctx plumbed through the loop / path check chain. Two follow-up fixes are included: missing kernel-doc for the new @ctx parameters, and restoring the EP_UNACTIVE_PTR sentinel for ctx->tfile_check_list - replacing it with NULL termination broke ep_remove_file()'s "never listed" check for the list tail, causing a syzbot-reported use-after-free. - io_uring related epoll cleanups One of the nastier things about epoll is how it allows nesting contexts inside each other, leading to the necessity of loop detection and the issues that have come with that. There is no reason to support nesting on the io_uring side, so contain the damage and disallow nested contexts from there: eventpoll gains a file based control interface and struct epoll_filefd is renamed to epoll_key. The io_uring side proper goes on top of this through the block tree. - Fix epoll_wait() reporting false negatives ep_events_available() checks ep->rdllist and ep_is_scanning() without a lock and can race with a concurrent scan such that neither check sees the events, causing epoll_wait() with a zero timeout to wrongly report no events even though events are available. A sequence lock closes the race and a reproducer is added to the eventpoll selftests. * tag 'vfs-7.2-rc1.eventpoll' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: (25 commits) eventpoll: restore EP_UNACTIVE_PTR sentinel for ctx->tfile_check_list eventpoll: Fix epoll_wait() report false negative selftests/eventpoll: Add test for multiple waiters eventpoll: add missing kernel-doc for @ctx function parameters eventpoll: rename struct epoll_filefd to epoll_key eventpoll: add file based control interface eventpoll: export is_file_epoll() eventpoll: pass struct epoll_filefd through ep_find() and ep_insert() eventpoll: hoist CTL_ADD scratch state into struct ep_ctl_ctx eventpoll: use bool for predicate helpers eventpoll: rename epi->next and txlist for clarity eventpoll: wrap EP_UNACTIVE_PTR in typed sentinel helpers eventpoll: extract lock dance from do_epoll_ctl() into ep_ctl_lock() eventpoll: extract ep_deliver_event() from ep_send_events() eventpoll: split ep_clear_and_put() into drain helpers eventpoll: split ep_insert() into alloc + register stages eventpoll: relocate KCMP helpers near compat syscalls eventpoll: rename attach_epitem() to ep_attach_file() eventpoll: drop unused depth argument from epoll_mutex_lock() eventpoll: rename ep_refcount_dec_and_test() to ep_put() ...
2026-06-15Merge tag 'vfs-7.2-rc1.bh' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull buffer_head updates from Christian Brauner: "This removes b_end_io from struct buffer_head. Instead of setting bio->bi_end_io to end_bio_bh_io_sync() which then calls bh->b_end_io(), the new bh_submit() and __bh_submit() interfaces set bio->bi_end_io to the appropriate completion handler directly, replacing two indirect function calls in the completion path with one. It is also one fewer function pointer in the middle of a writable data structure that can be corrupted, it shrinks struct buffer_head from 104 to 96 bytes allowing roughly 7% more buffer_heads to be cached in the same amount of memory, and it removes some atomic operations as the buffer refcount is no longer incremented before calling the end_io handler. All in-tree users (fs/buffer.c itself, ext4, jbd2, ocfs2, gfs2, nilfs2, and md-bitmap) are converted, and submit_bh(), mark_buffer_async_write(), and end_buffer_write_sync() are removed" * tag 'vfs-7.2-rc1.bh' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: (34 commits) buffer: Remove end_buffer_write_sync() buffer: Change calling convention for end_buffer_read_sync() buffer: Remove b_end_io buffer: Remove submit_bh() md-bitmap: Convert read_file_page and write_file_page to bh_submit() nilfs2: Convert nilfs_mdt_submit_block to bh_submit() nilfs2: Convert nilfs_gccache_submit_read_data to bh_submit() nilfs2: Convert nilfs_btnode_submit_block to bh_submit() buffer: Remove mark_buffer_async_write() gfs2: Convert gfs2_aspace_write_folio to bh_submit() gfs2: Remove use of b_end_io in gfs2_meta_read_endio() gfs2: Convert gfs2_dir_readahead to bh_submit() gfs2: Convert gfs2_metapath_ra to bh_submit() ocfs2: Convert ocfs2_write_super_or_backup to bh_submit() ocfs2: Convert ocfs2_read_blocks to bh_submit() ocfs2: Convert ocfs2_read_block to bh_submit() ocfs2: Convert ocfs2_write_block to bh_submit() jbd2: Convert jbd2_write_superblock() to bh_submit() jbd2: Convert journal commit to bh_submit() ext4: Convert ext4_commit_super() to bh_submit() ...
2026-06-14drm/bridge: anx7625: Add WQ_PERCPU add to alloc_workqueueMarco Crivellari
This continues the effort to refactor workqueue APIs, which began with the introduction of new workqueues and a new alloc_workqueue flag in: commit 128ea9f6ccfb ("workqueue: Add system_percpu_wq and system_dfl_wq") commit 930c2ea566af ("workqueue: Add new WQ_PERCPU flag") The refactoring is going to alter the default behavior of alloc_workqueue() to be unbound by default. With the introduction of the WQ_PERCPU flag (equivalent to !WQ_UNBOUND), any alloc_workqueue() caller that doesn’t explicitly specify WQ_UNBOUND must now use WQ_PERCPU. For more details see the Link tag below. In order to keep alloc_workqueue() behavior identical, explicitly request WQ_PERCPU. Link: https://lore.kernel.org/all/20250221112003.1dSuoGyc@linutronix.de/ Suggested-by: Tejun Heo <tj@kernel.org> Signed-off-by: Marco Crivellari <marco.crivellari@suse.com> Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de> Signed-off-by: Tejun Heo <tj@kernel.org>
2026-06-14wifi: ath6kl: fix invalid workqueue flags in ath6kl_usb_create()wuyankun
ath6kl_usb_create() currently creates ath6kl_wq with flags set to 0: alloc_workqueue("ath6kl_wq", 0, 0) This triggers a runtime warning in __alloc_workqueue() because the queue is created with neither WQ_PERCPU nor WQ_UNBOUND set: workqueue: ath6kl_wq is using neither WQ_PERCPU or WQ_UNBOUND. Setting WQ_PERCPU. Set WQ_PERCPU explicitly to match the actual execution model and remove the warning during device probe. No functional change intended. Fixes: 21c05ca88a54 ("workqueue: Add warnings and ensure one among WQ_PERCPU or WQ_UNBOUND is present") Reported-by: syzbot+f80c62f371ba6a1e7d79@syzkaller.appspotmail.com Link: https://lore.kernel.org/all/6a289c01.39669fcc.33b062.00aa.GAE@google.com/T/ Signed-off-by: wuyankun <wuyankun@uniontech.com> Signed-off-by: Tejun Heo <tj@kernel.org>
2026-06-14btrfs: Drop WQ_PERCPU from ordered_flags in btrfs_init_workqueues()Nathan Chancellor
After commit 21c05ca88a54 ("workqueue: Add warnings and ensure one among WQ_PERCPU or WQ_UNBOUND is present"), there is a warning from the btrfs-qgroup-rescan workqueue at run time: workqueue: btrfs-qgroup-rescan uses both WQ_PERCPU and WQ_UNBOUND. Dropped WQ_PERCPU, keeping WQ_UNBOUND. WQ_PERCPU is included in ordered_flags after commit 69635d7f4b34 ("fs: WQ_PERCPU added to alloc_workqueue users") and WQ_UNBOUND is set in alloc_ordered_workqueue(), which btrfs_alloc_ordered_workqueue() calls. Drop WQ_PERCPU from ordered_flags, as alloc_ordered_workqueue() notes that only WQ_FREEZABLE and WQ_MEM_RECLAIM are meaningful. Fixes: 69635d7f4b34 ("fs: WQ_PERCPU added to alloc_workqueue users") Fixes: 21c05ca88a54 ("workqueue: Add warnings and ensure one among WQ_PERCPU or WQ_UNBOUND is present") Signed-off-by: Nathan Chancellor <nathan@kernel.org> Reviewed-by: Breno Leitao <leitao@debian.org> Acked-by: Marco Crivellari <marco.crivellari@suse.com> Acked-by: David Sterba <dsterba@suse.com> Signed-off-by: Tejun Heo <tj@kernel.org>
2026-06-15Merge tag 'vfs-7.2-rc1.writeback' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull vfs writeback updates from Christian Brauner: - Fix a race between cgroup_writeback_umount() and inode_switch_wbs() When a container exits, a race between cgroup_writeback_umount() and inode_switch_wbs()/cleanup_offline_cgwb() can trigger "VFS: Busy inodes after unmount" followed by a use-after-free on percpu counters. There is a window between inode_prepare_wbs_switch() returning true (having passed the SB_ACTIVE check and grabbed the inode) and the subsequent wb_queue_isw() call: if cgroup_writeback_umount() observes the global isw_nr_in_flight counter as non-zero but flush_workqueue() finds nothing queued yet, it returns early - leaving a held inode reference that blocks evict_inodes() and a later iput() that hits freed percpu counters. The race is closed by covering the window from inode_prepare_wbs_switch() through wb_queue_isw() with an RCU read-side critical section and synchronizing in the umount path. On top of that the now-dead rcu_barrier() left over from the queue_rcu_work() era is removed, and the global synchronize_rcu()/flush_workqueue() pair is replaced with a per-sb in-flight counter plus pin/unpin/drain helpers so umount no longer serializes against switch activity on unrelated superblocks. Under cgroup writeback churn on a 16 vCPU guest this takes umount latency from ~92-138ms p50 down to ~5-8ms p50 and the cumulative cost of cgroup_writeback_umount() from ~62ms to ~4us per call. The initial race fix is kept separate and minimal so it backports cleanly to stable trees that still queue switches via queue_rcu_work(). - Improve write performance with RWF_DONTCACHE Dirty DONTCACHE pages are now tracked per bdi_writeback so that the writeback flusher can be kicked in a targeted fashion for IOCB_DONTCACHE writes instead of relying on global writeback, and the PG_dropbehind flag is preserved when a folio is split. * tag 'vfs-7.2-rc1.writeback' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: mm: kick writeback flusher for IOCB_DONTCACHE with targeted dirty tracking mm: track DONTCACHE dirty pages per bdi_writeback mm: preserve PG_dropbehind flag during folio split writeback: use a per-sb counter to drain inode wb switches at umount writeback: drop now-unnecessary rcu_barrier() in cgroup_writeback_umount() writeback: fix race between cgroup_writeback_umount() and inode_switch_wbs()
2026-06-15Merge tag 'vfs-7.2-rc1.super' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull vfs superblock updates from Christian Brauner: "This retires sget(). CIFS plus the two ext4 KUnit tests (extents-test, mballoc-test) were the last in-tree callers, and all three convert cleanly to sget_fc(). That lets sget() and its prototype come out, taking ~60 lines that only existed to be kept in lockstep with sget_fc() on every publish-path change" * tag 'vfs-7.2-rc1.super' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: fs: retire sget() smb: client: convert cifs_smb3_do_mount() to sget_fc() ext4: convert mballoc KUnit test to sget_fc() ext4: convert extents KUnit test to sget_fc()
2026-06-15Merge tag 'vfs-7.2-rc1.openat2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull openat2 updates from Christian Brauner: "Features: - Add O_EMPTYPATH to openat(2)/openat2(2). To get an operable file descriptor from an O_PATH file descriptor it is possible to use openat(fd, ".", O_DIRECTORY) for directories, but other file types require going through open("/proc/<pid>/fd/<nr>") and thus depend on a functioning procfs. With O_EMPTYPATH an empty path string is accepted and LOOKUP_EMPTY is set at path resolution time, allowing to reopen the file behind the file descriptor directly. Selftests are included. - Add an OPENAT2_REGULAR flag for openat2(2) which refuses to open anything but regular files with the new EFTYPE error code. This implements the "ability to only open regular files" feature requested by userspace via uapi-group.org and protects services from being redirected to fifos, device nodes, and friends. All atomic_open implementations were audited for OPENAT2_REGULAR handling. Explicit checks were added to ceph, gfs2, nfs (v4), and cifs/smb - these are the filesystems whose atomic_open can encounter an existing non-regular file and would otherwise call finish_open() on it or return a misleading error code. The remaining implementations (9p, fuse, vboxsf, nfs v2/v3) only call finish_open() on freshly created files and use finish_no_open() for lookup hits, letting the VFS catch non-regular files via the do_open() safety net. Cleanups: - Migrate the openat2 selftests to the kselftest harness and move them under selftests/filesystems/. The tests were written in the early days of selftests' TAP support and the modern kselftest harness is much easier to follow and maintain. The contents of the tests are unchanged and the new emptypath tests are ported on top. - Make the LAST_XXX last-type constants private to fs/namei.c. The only user outside of fs/namei.c was ksmbd which only needs to know whether the last component is a regular one, so vfs_path_parent_lookup() now performs the LAST_NORM check internally. The ints are replaced with a dedicated enum last_type" * tag 'vfs-7.2-rc1.openat2' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: vfs: replace ints with enum last_type for LAST_XXX vfs: make LAST_XXX private to fs/namei.c selftests: openat2: port emptypath_test to kselftest harness kselftest/openat2: test for OPENAT2_REGULAR flag openat2: new OPENAT2_REGULAR flag support openat2: introduce EFTYPE error code selftest: add tests for O_EMPTYPATH vfs: add O_EMPTYPATH to openat(2)/openat2(2) selftests: openat2: migrate to kselftest harness selftests: openat2: switch from custom ARRAY_LEN to ARRAY_SIZE selftests: openat2: move helpers to header selftests: move openat2 tests to selftests/filesystems/
2026-06-15Merge tag 'kernel-7.2-rc1.misc' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull misc kernel updates from Christian Brauner: "Fixes - rhashtable: give each instance its own lockdep class syzbot reported a circular locking dependency between ht->mutex and fs_reclaim via the simple_xattrs rhashtable being torn down during inode eviction. The predicted deadlock cannot occur: rhashtable_free_and_destroy() cancels the deferred worker before taking ht->mutex and acquisitions on distinct rhashtables are on distinct mutexes. Lockdep flags a cycle anyway because every ht->mutex in the kernel shared the single static lockdep class from rhashtable_init_noprof(). The lockdep key is lifted to a per-call-site static key so every rhashtable instance gets its own class. - selftests/clone3: fix misuse of the libcap library interface in the cap_checkpoint_restore test and remove unused variables - selftests/pid_namespace: compute the pid_max test limits dynamically instead of hardcoding values below the kernel-enforced minimum of PIDS_PER_CPU_MIN * num_possible_cpus() which made the tests fail on machines with many possible CPUs - selftests: fix the Makefile TARGETS entry for nsfs which wasn't adjusted when the tests moved under filesystems/ Cleanups - ipc/sem.c: use unsigned int for nsops to match the declaration in syscalls.h" * tag 'kernel-7.2-rc1.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: selftests/clone3: remove unused variables selftests/clone3: fix libcap interface usage ipc/sem.c: use unsigned int for nsops selftests: Fix Makefile target for nsfs rhashtable: give each instance its own lockdep class selftests/pid_namespace: compute pid_max test limits dynamically
2026-06-15Merge tag 'kernel-7.2-rc1.task_exec_state' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull task_exec_state updates from Christian Brauner: "This introduces a new per-task task_exec_state structure and relocates the dumpable mode and the user namespace captured at execve() from mm_struct onto it. It stays attached to the task for its full lifetime. __ptrace_may_access() and several /proc owner and visibility checks need to consult two pieces of state for any observable task, including zombies that have already gone through exit_mm(): the dumpable mode and the user namespace captured at execve(). Both live on mm_struct today, which exit_mm() clears from the task long before the task is reaped. A reader that races with do_exit() observes task->mm == NULL and either fails the check or falls back to init_user_ns - which denies legitimate access to non-dumpable zombies that were running in a nested user namespace. mm_struct loses ->user_ns and the dumpability bits in ->flags. MMF_DUMPABLE_BITS is reserved so the MMF_DUMP_FILTER_* layout exposed via /proc/<pid>/coredump_filter stays stable. task->user_dumpable and its exit_mm() snapshot are removed. task_exec_state is the privilege domain established by an execve(). Within a thread group it is shared via refcount; across thread groups each task has its own: - CLONE_VM siblings (thread-group members, io_uring workers) refcount-share the parent's exec_state. - Non-CLONE_VM clones (fork(), vfork() without CLONE_VM) allocate a fresh exec_state inheriting the parent's dumpable mode and user_ns. - execve() in the child allocates a fresh instance and installs it under task_lock + exec_update_lock via task_exec_state_replace(). - Credential changes (setresuid, capset, ...) and prctl(PR_SET_DUMPABLE) update dumpability on the current task's exec_state, i.e., on the thread group's shared instance. On top of this exec_mmap() no longer tears down the old mm while holding exec_update_lock for writing and cred_guard_mutex. Neither lock is needed for that: exec_update_lock only exists to make the mm swap atomic with the later commit_creds() and all its readers operate on the new mm; none looks at the detached old mm. The cost was real: __mmput() runs exit_mmap() over the entire old address space and can block in exit_aio() waiting for in-flight AIO, so execve() of a large process blocked ptrace_attach() and every exec_update_lock reader for the duration of the teardown. The old mm is now stashed in bprm->old_mm and released from setup_new_exec() after both locks are dropped, with a backstop in free_bprm() for the error paths" * tag 'kernel-7.2-rc1.task_exec_state' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: exec: free the old mm outside the exec locks exec_state: relocate dumpable information ptrace: add ptracer_access_allowed() exec: introduce struct task_exec_state sched/coredump: introduce enum task_dumpable
2026-06-15Merge tag 'vfs-7.2-rc1.casefold' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull vfs casefolding updates from Christian Brauner: "This exposes the case folding behavior of local filesystems so that file servers - nfsd, ksmbd, and user space file servers - can report the actual behavior to clients instead of guessing. Filesystems report case-insensitive and case-nonpreserving behavior via new file_kattr flags in their fileattr_get implementations. fat, exfat, ntfs3, hfs, hfsplus, xfs, cifs, nfs, vboxsf, and isofs are wired up. Local filesystems that are not explicitly handled default to the usual POSIX behavior of case-sensitive and case-preserving. nfsd uses this to report case folding via NFSv3 PATHCONF and to implement the NFSv4 FATTR4_CASE_INSENSITIVE and FATTR4_CASE_PRESERVING attributes - both have been part of the NFS protocols for decades to support clients on non-POSIX systems - and ksmbd reports it via FS_ATTRIBUTE_INFORMATION. Exposing the information through the fileattr uapi covers user space file servers. The immediate motivation is interoperability: Windows NFS clients hard-require servers to report case-insensitivity for Win32 applications to work correctly, and a client that knows the server is case-insensitive can avoid issuing multiple LOOKUP/READDIR requests searching for case variants. The Linux NFS client already grew support for case-insensitive shares years ago in support of the Hammerspace NFS server - negative dentry caching must be disabled (a lookup for "FILE.TXT" failing must not cache a negative entry when "file.txt" exists) and directory change invalidation must drop cached case-folded name variants. Such servers often operate in multi-protocol environments where a single file service instance caters to both NFS and SMB clients, and nfsd needs to report case folding properly to participate as a first-class citizen there. A follow-up series brings fixes for the initial work: the nfsd case-info probe now uses kernel credentials, maps -ESTALE to NFS3ERR_STALE, and has its cost capped across READDIR entries; the nfs client avoids transiently zeroed case capability bits during the probe and skips the pathconf probe when neither field is consumed; the FS_CASEFOLD_FL semantics are clarified in the UAPI header; and the tools UAPI headers are synced" * tag 'vfs-7.2-rc1.casefold' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: (22 commits) nfsd: Cap case-folding probe cost across READDIR entries nfsd: Map -ESTALE from case probe to NFS3ERR_STALE nfsd: Use kernel credentials for case-info probe fs: Clarify FS_CASEFOLD_FL semantics in UAPI header nfs: Skip pathconf probe when neither field is consumed nfs: Avoid transient zeroed case capability bits during probe tools headers UAPI: Sync case-sensitivity flags from linux/fs.h ksmbd: Report filesystem case sensitivity via FS_ATTRIBUTE_INFORMATION nfsd: Implement NFSv4 FATTR4_CASE_INSENSITIVE and FATTR4_CASE_PRESERVING nfsd: Report export case-folding via NFSv3 PATHCONF isofs: Implement fileattr_get for case sensitivity vboxsf: Implement fileattr_get for case sensitivity nfs: Implement fileattr_get for case sensitivity cifs: Implement fileattr_get for case sensitivity xfs: Report case sensitivity in fileattr_get hfsplus: Report case sensitivity in fileattr_get hfs: Implement fileattr_get for case sensitivity ntfs3: Implement fileattr_get for case sensitivity exfat: Implement fileattr_get for case sensitivity fat: Implement fileattr_get for case sensitivity ...
2026-06-15Merge tag 'vfs-7.2-rc1.directory.delegations' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull vfs directory delegations from Christian Brauner: "This contains the VFS prerequisites for supporting directory delegations in nfsd via CB_NOTIFY callbacks. The filelock core gains support for ignoring delegation breaks for directory change events together with an inode_lease_ignore_mask() helper, and fsnotify gains fsnotify_modify_mark_mask() and a FSNOTIFY_EVENT_RENAME data type. With this in place nfsd can request delegations on directories and set up inotify watches to trigger sending CB_NOTIFY events to clients instead of having every directory change break the delegation. New tracepoints are added to fsnotify() and to the start of break_lease(), and trace_break_lease_block() is passed the currently blocking lease instead of the new one. A follow-up fix moves the LEASE_BREAK_* flags out of #ifdef CONFIG_FILE_LOCKING to fix the build for CONFIG_FILE_LOCKING=n configurations" * tag 'vfs-7.2-rc1.directory.delegations' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: filelock: move LEASE_BREAK_* flags out of #ifdef CONFIG_FILE_LOCKING fsnotify: add FSNOTIFY_EVENT_RENAME data type fsnotify: add fsnotify_modify_mark_mask() fsnotify: new tracepoint in fsnotify() filelock: add an inode_lease_ignore_mask helper filelock: add a tracepoint to start of break_lease() filelock: add support for ignoring deleg breaks for dir change events filelock: pass current blocking lease to trace_break_lease_block() rather than "new_fl"
2026-06-15Merge tag 'vfs-7.2-rc1.inode' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull vfs inode updates from Christian Brauner: "This extends the lockless ->i_count handling. iput() could already decrement any value greater than one locklessly but acquiring a reference always required taking inode->i_lock. Now acquiring a reference is lockless as long as the count was already at least 1, i.e., only the 0->1 and 1->0 transitions take the lock. This avoids the lock for the common cases of nfs calling into the inode hash and btrfs using igrab(). Cleanup-wise icount_read_once() is added to line up with inode_state_read_once() and the open-coded ->i_count loads across the tree are converted, and ihold() is relocated and tidied up. On top of that some stale lock ordering annotations are retired from the inode hash code: iunique() no longer takes the hash lock since the inode hash became RCU-searchable and s_inode_list_lock is no longer taken under the hash lock either" * tag 'vfs-7.2-rc1.inode' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: fs: retire stale lock ordering annotations from inode hash fs: allow lockless ->i_count bumps as long as it does not transition 0->1 fs: relocate and tidy up ihold() fs: add icount_read_once() and stop open-coding ->i_count loads
2026-06-15Merge tag 'vfs-7.2-rc1.exportfs' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull exportfs updates from Christian Brauner: "This cleans up the exportfs support for block-style layouts that provide direct block device access: the operations for layout-based block device access are split out of struct export_operations into a separate header, ->commit_blocks() no longer takes a struct iattr argument, and the way support for layout-based block device access is detected is reworked. nfsd's blocklayout code also stops honoring loca_time_modify. This is preparation for supporting export of more than a single device per file system" * tag 'vfs-7.2-rc1.exportfs' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: exportfs,nfsd: rework checking for layout-based block device access support exportfs: don't pass struct iattr to ->commit_blocks exportfs: split out the ops for layout-based block device access nfsd/blocklayout: always ignore loca_time_modify
2026-06-15Merge tag 'vfs-7.2-rc1.kfunc' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull bpf filesystem kfunc fix from Christian Brauner: "The bpf_set_dentry_xattr() and bpf_remove_dentry_xattr() kfuncs locked the inode of the supplied dentry without checking whether the dentry is negative. Passing a negative dentry (e.g., from security_inode_create) caused a NULL pointer dereference. Negative dentries now fail with EINVAL. The WARN_ON(!inode) in the bpf xattr permission helpers is dropped as well since it could be triggered the same way, amounting to a denial of service on systems with panic_on_warn enabled" * tag 'vfs-7.2-rc1.kfunc' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: bpf: fix crash in bpf_[set|remove]_dentry_xattr for negative dentries
2026-06-14Input: touchwin - reset the packet index on every complete packetBryam Vargas
tw_interrupt() accumulates each non-zero serial byte into a fixed three-byte buffer with a running index that is only reset once a full packet has been received *and* the device's two Y bytes agree: tw->data[tw->idx++] = data; if (tw->idx == TW_LENGTH && tw->data[1] == tw->data[2]) { ... tw->idx = 0; } The reset is gated on tw->data[1] == tw->data[2], a value the device controls. A malicious, malfunctioning or counterfeit Touchwindow peripheral can stream non-zero bytes whose 2nd and 3rd bytes differ: the index reaches TW_LENGTH without the equality holding, is never reset, and keeps growing, so tw->data[tw->idx++] walks off the end of the three-byte array and the rest of the heap-allocated struct tw, one attacker-chosen byte at a time -- an unbounded, device-driven heap out-of-bounds write. Reset the index on every completed packet and report an event only when the two Y bytes match, like the other serio touchscreen drivers do. Fixes: 11ea3173d5f2 ("Input: add driver for Touchwin serial touchscreens") Cc: stable@vger.kernel.org Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me> Link: https://patch.msgid.link/20260613-b4-disp-69921bfd-v1-1-82c036899959@proton.me Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
2026-06-14bpf: Raise maximum call chain depth to 16 framesAlexei Starovoitov
Bump MAX_CALL_FRAMES from 8 to 16 to allow deeper call chains that Rust-BPF requires and update selftests. Link: https://lore.kernel.org/r/20260613180755.29671-1-alexei.starovoitov@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14i3c: mipi-i3c-hci: add microchip sama7d65 SoC compatible with the required quirkManikandan Muralidharan
Add support for microchip sama7d65 SoC I3C HCI master only IP with additional clock support to enable bulk clock acquisition and apply the required quirks. Reviewed-by: Adrian Hunter <adrian.hunter@intel.com> Signed-off-by: Manikandan Muralidharan <manikandan.m@microchip.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260525092405.1514213-4-manikandan.m@microchip.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14dt-bindings: i3c: mipi-i3c-hci: add Microchip SAMA7D65 compatibleManikandan Muralidharan
Add the microchip,sama7d65-i3c-hci compatible string to the MIPI I3C HCI binding. The Microchip SAMA7D65 I3C controller is based on the MIPI HCI specification but requires two clocks, so add a conditional constraint when this compatible is present. Acked-by: Conor Dooley <conor.dooley@microchip.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Signed-off-by: Manikandan Muralidharan <manikandan.m@microchip.com> Link: https://patch.msgid.link/20260525092405.1514213-2-manikandan.m@microchip.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: Consistently define pci_device_ids using named initializersUwe Kleine-König (The Capable Hub)
The .driver_data member of the various struct pci_device_id arrays were initialized by list expressions. This isn't easily readable if you're not into PCI. Using named initializers is more explicit and thus easier to parse. This change doesn't introduce changes to the compiled pci_device_id arrays. Tested on x86 and arm64. Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com> Reviewed-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260504143324.2122737-2-u.kleine-koenig@baylibre.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14smb: client: Use more common code in SMB2_tcon()Markus Elfring
Use an additional label so that a bit of common code can be better reused at the end of this function implementation. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-14smb: client: Use more common error handling code in smb3_reconfigure()Markus Elfring
Use an additional label so that a bit of exception handling can be better reused at the end of this function implementation. This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-14smb/client: Fix error code in smb2_aead_req_alloc()Dan Carpenter
The "*num_sgs" variable is a u32 so "ERR_PTR(*num_sgs)" doesn't work. We would have to do something similar to the previous line where it's cast to int and then long. However, it's simpler to store the return in an int ret variable. This bug would eventually result in a crash when dereference the invalid error pointer. Fixes: d08089f649a0 ("cifs: Change the I/O paths to use an iterator rather than a page list") Cc: stable@kernel.org Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-14smb/client: clean up a type issue in cifs_xattr_get()Dan Carpenter
The cifs_xattr_get() function returns type int, not ssize_t so declare "rc" as int as well. This has no effect on runtime. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-14smb/client: allow FS_IOC_SETFLAGS to clear compressionHuiwen He
The CIFS FS_IOC_SETFLAGS path can set FS_COMPR_FL now, but it cannot clear it again. This can be reproduced on a share backed by a filesystem that supports compression, for example btrfs exported by Samba: [compress_share] vfs objects = btrfs $ touch test.bin $ chattr +c test.bin $ lsattr test.bin $ chattr -c test.bin The final chattr -c fails with EOPNOTSUPP, and leaves the remote object with the compressed attribute still set, because the client always sends FSCTL_SET_COMPRESSION with COMPRESSION_FORMAT_DEFAULT. That is correct for setting FS_COMPR_FL, but clearing FS_COMPR_FL requires sending COMPRESSION_FORMAT_NONE. Fix this by passing the requested compression state through the set_compression operation. The SMB1 and SMB2 helpers no longer hard-code COMPRESSION_FORMAT_DEFAULT. When FS_COMPR_FL is set, send COMPRESSION_FORMAT_DEFAULT. When it is cleared, send COMPRESSION_FORMAT_NONE. If the server accepts the request, update the cached FILE_ATTRIBUTE_COMPRESSED bit under i_lock so FS_IOC_GETFLAGS reports the new state. Signed-off-by: Huiwen He <hehuiwen@kylinos.cn> Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-14smb/client: use writable handle for FS_IOC_SETFLAGS compressionHuiwen He
Setting the compressed flag on a CIFS mount can fail with -EACCES: [compress_share] vfs objects = btrfs $ touch test.bin $ chattr +c test.bin chattr: Permission denied while setting flags on test.bin This can be reproduced against a Samba share backed by a filesystem that supports compression, such as btrfs. FS_IOC_SETFLAGS is issued on the file handle opened by userspace. chattr opens the target read-only before setting FS_COMPR_FL, so the SMB client currently sends FSCTL_SET_COMPRESSION on a handle that may not have FILE_WRITE_DATA access. Samba requires FILE_WRITE_DATA for FSCTL_SET_COMPRESSION and rejects the request. Use the current handle only if it already has FILE_WRITE_DATA. Otherwise try an existing writable handle for the inode. If none is available, open a temporary FILE_WRITE_DATA handle for the compression request. After FSCTL_SET_COMPRESSION succeeds, update the cached compressed attribute immediately, matching how smb2_set_sparse() updates FILE_ATTRIBUTE_SPARSE_FILE after a successful FSCTL_SET_SPARSE. Signed-off-by: Huiwen He <hehuiwen@kylinos.cn> Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-14smb/client: always return a value for FS_IOC_GETFLAGSHuiwen He
Currently, repeated lsattr calls on a regular CIFS file without the compressed attribute may show random flags: $ touch test.bin $ lsattr test.bin s-S-ia-A-EjI---------m test.bin $ lsattr test.bin ------d-cEjI---------m test.bin The lsattr reproducer depends on the previous contents of its userspace buffer, so it may not reproduce on every setup. A deterministic reproducer is to initialize the ioctl argument before FS_IOC_GETFLAGS on a file without the compressed attribute: int flags = 0x7fffffff; ioctl(fd, FS_IOC_GETFLAGS, &flags); On an affected kernel, flags remains 0x7fffffff. With the fix, it is set to 0. This happens because when the cached inode does not have the compressed bit set, the CIFS fallback path in FS_IOC_GETFLAGS returns success without calling put_user() to write the zero flags value into the user buffer. As a result, the caller observes stale contents from its own buffer. Fix this by always writing the visible flags value back to the user buffer before returning success, even when the value is zero. Fixes: 64a5cfa6db94 ("Allow setting per-file compression via SMB2/3") Signed-off-by: Huiwen He <hehuiwen@kylinos.cn> Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-14smb/client: update i_blocks after contiguous writesHuiwen He
When a lease allows CIFS to use cached inode attributes, getattr may return the locally cached attributes instead of revalidating them from the server. After local writes extend a file, the write path updates the file size, but i_blocks can remain based on the old allocation size. For example, while the file is still open after two contiguous writes, the local block count can remain smaller than the written range: after first write: st_size = 4096, st_blocks = 7 after second write: st_size = 12288, st_blocks = 21 after close: st_size = 12288, st_blocks = 24 This can make a fully written file look sparse: i_blocks * 512 < i_size and can cause swap activation to reject a valid write-created swapfile as having holes. This results in xfstests skipping swap-related tests on CIFS mounts: generic/472 [not run] swapfiles are not supported generic/494 [not run] swapfiles are not supported generic/497 [not run] swapfiles are not supported generic/569 [not run] swapfiles are not supported generic/636 [not run] swapfiles are not supported generic/643 [not run] swapfiles are not supported Update the local i_blocks estimate after successful writes, but only when the write starts at or before the currently known allocated range. This lets sequential writes grow i_blocks while avoiding treating write-past-EOF holes as allocated. Skip the local estimate for files that are already marked sparse, since their allocation needs to come from the server rather than from a contiguous-write estimate. Signed-off-by: Huiwen He <hehuiwen@kylinos.cn> Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-14smb: client: fix races in cifsd thread creationFredric Cover
The cifsd demultiplex thread can run and access tcp_ses before the parent thread has finished populating tcp_ses, which the worker thread accesses locklessly. Also, the kthread_run macro may start the thread before returning the thread pointer. Because the pointer is part of the structure that the thread can access, if the kernel is preempted after the thread is spawned, but before the thread pointer is populated and the thread attempts to exit, it will sleep, waiting for a SIGKILL signal. Fix this by moving creation of the thread to after all of tcp_ses'es fields are populated, and spawning the thread last, using a split kthread_create/wake_up_process logic. Signed-off-by: Fredric Cover <fredric.cover.lkernel@gmail.com> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-14cifs: validate full SID length in security descriptorsQihang
parse_sid() only verified that the fixed SID header fit in the returned security descriptor, but did not verify that the full SID body described by num_subauth was present. A malicious server can return a truncated owner or group SID whose header lies within the descriptor buffer while sub_auth[] extends past the end of the allocation, leading to an out-of-bounds read when the client later parses or copies that SID. Validate the full SID body in parse_sid(), centralize owner/group SID lookup and bounds checking in sid_from_sd(), and use that validation in parse_sec_desc(), build_sec_desc(), and copy_sec_desc() before sub_auth[] is accessed. Signed-off-by: Qihang <q.h.hack.winter@gmail.com> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-14smb: client: resolve SWN tcon from live registrationsMichael Bommarito
cifs_swn_notify() looks up a witness registration by id under cifs_swnreg_idr_mutex, drops the mutex, and then uses the registration's cached tcon pointer. That pointer is not a lifetime reference, and it is not a stable representative once cifs_get_swn_reg() lets multiple tcons for the same net/share name share one registration id. A same-share second mount can keep the cifs_swn_reg alive after the first tcon unregisters and is freed. The registration then still points at the freed first tcon, so taking tc_lock or incrementing tc_count through swnreg->tcon only moves the use-after-free earlier. Taking tc_lock while holding cifs_swnreg_idr_mutex also violates the documented CIFS lock order. Fix this by making the registration store only the stable witness identity: id, net name, share name, and notify flags. When a notify arrives, copy that identity under cifs_swnreg_idr_mutex, drop the mutex, then find and pin a live witness tcon that currently matches the net/share pair under the normal cifs_tcp_ses_lock -> tc_lock order. The notification path uses that pinned tcon directly and drops the reference when done. Registration and unregister messages now use the live tcon passed by the caller instead of a cached tcon in the registration. The final unregister send is folded into cifs_swn_unregister() while the registration is still protected by cifs_swnreg_idr_mutex. This removes the previous find/drop/reacquire raw-pointer window. The release path only removes the idr entry and frees the stable identity strings. This preserves the intended one-registration/many-tcon behavior: a registration id represents a net/share pair, and notify handling acts on a live representative selected at use time. It also preserves CLIENT_MOVE ordering for the representative tcon because the old-IP unregister is sent before cifs_swn_register() sends the new-IP register. Fixes: fed979a7e082 ("cifs: Set witness notification handler for messages from userspace daemon") Cc: stable@vger.kernel.org Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com> Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Steve French <stfrench@microsoft.com>