summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
14 hoursMerge tag 's390-7.2-3' of ↵HEADmasterLinus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux Pull s390 fixes from Vasily Gorbik: - Fix PKEY_VERIFYPROTK ioctl key type handling by removing the generic key-length based type check with its wrong bit-size calculation, and leaving protected key verification to the pkey handler - Fix monwriter buffer reuse by rejecting records that change the data length, preventing out of bounds user copy into the kernel buffer * tag 's390-7.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: s390/monwriter: Reject buffer reuse with different data length pkey: Move keytype check from pkey api to handler
14 hoursMerge tag 'mips-fixes_7.2_1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux Pull MIPS fixes from Thomas Bogendoerfer. * tag 'mips-fixes_7.2_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux: MIPS: configs: Enable the current Ingenic USB PHY symbol MIPS: loongson64: add IRQ work based on self-IPI MIPS: mm: Add check for highmem before removing memory block mips: Add build salt to the vDSO MIPS: DEC: Ensure RTC platform device deregistration upon failure
26 hoursMerge tag 'v7.2-rc1-smb3-server-fixes' of git://git.samba.org/ksmbdLinus Torvalds
Pull smb server fixes from Steve French: - Fix several use-after-free races in durable handle reconnect, supersede, and oplock handling - Avoid holding the inode oplock lock while waiting for a lease break acknowledgement. This removes delays of up to 35 seconds when cifs.ko closes a deferred handle in response to a lease break - Fix malformed security descriptor handling, including an undersized DACL allocation issue and an out-of-bounds ACE SID read - Fix memory leaks in security descriptor and DOS attribute xattr encoding/decoding error paths - Fix outstanding SMB2 credit leaks on aborted requests and correct the QUERY_INFO credit charge calculation - Fix hard-link creation without replacement being incorrectly rejected when the handle lacks DELETE access - Avoid unnecessary zeroing of large SMB2 read buffers - Add an oplock list lockdep annotation and update the documented support status for durable handles and SMB3.1.1 compression - Durable handle fixes to address ownership and lifetime races during reconnect, session teardown, oplock handling, and superseding opens, preventing stale session and file references from being used by concurrent operations * tag 'v7.2-rc1-smb3-server-fixes' of git://git.samba.org/ksmbd: ksmbd: fix app-instance durable supersede session UAF ksmbd: snapshot previous oplock state before durable checks ksmbd: close superseded durable handles through refcount handoff ksmbd: fix use-after-free of fp->owner.name in durable handle owner check smb/server: do not require delete access for non-replacing links ksmbd: don't hold ci->m_lock while waiting for a lease break ack ksmbd: doc: update feature support status for durable handles and compression ksmbd: annotate oplock list traversals under m_lock ksmbd: fix outstanding credit leak on abort and error paths ksmbd: fix credit charge calculation for SMB2 QUERY_INFO ksmbd: avoid zeroing the read buffer in smb2_read() ksmbd: validate num_subauth when copying ACE in set_ntacl_dacl ksmbd: reject undersized DACLs before parsing ACEs ksmbd: fix n.data memory leak in ksmbd_vfs_set_dos_attrib_xattr ksmbd: Fix acl.sd_buf memory leak and invalid sd_size error handling ksmbd: fix sd_ndr.data memory leak in ksmbd_vfs_set_sd_xattr
29 hoursMerge tag 'drm-fixes-2026-07-04' of https://gitlab.freedesktop.org/drm/kernelLinus Torvalds
Pull drm fixes from Dave Airlie: "Weekly fixes for drm. This is large for rc2 but it's just a lot of small fixes across a bunch of drivers, xe, amdgpu as usual, plus some sashiko-inspired fixes for panthor, and some dma-fence updates. core: - kernel doc fix - include types.h in drm_ras.h dma-fence: - fix NULL ptr dereference - use correct callback - make dma_fence_dedup_array more robust dp: - handle torn down topology gracefully - fix kernel doc i915: - Input validation fixes for BIOS and EDID - Fix HDCP code buffer overflow and seq_num_v monotonic increase check - Fix near-NULL deref in i915_active during GFP_ATOMIC exhaustion xe: - Wedge from the timeout handler only after releasing the queue - Fix a NULL pointer dereference - Remove redundant exec_queue_suspended - RTP / OA whitelist fixes - Return error on non-migratable faults requiring devmem - Skip FORCE_WC and vm_bound check for external dma-bufs - Hold notifier lock for write on inject test path - Drop bogus static from finish in force_invalidate - Fix double-free of managed BO in error path - Don't attempt to process FAST_REQ or EVENT relays - Fix NPD in bo_meminfo - Prevent invalid cursor access for purged BOs - Fix offset alignment for MERT WHITELST_OA_MERT_MMIO_TRG amdgpu: - Soc24 aborted suspend fix - Drop unecessary BUG() and BUG_ON() from error paths - SCPM fix - Power reporting fix - DCE HDR fix - UVD boundary checks - VCN boundary checks - VCE boundary checks - DCN 4.2 fixes - Large stack allocation fixes - Fix aperture mapping leak - UserQ fixes - Ignore_damage_clips fix - ACP fixes - DC boundary checks - GPUVM fixes - JPEG idle check fixes - Userptr fix - GC 11.7 updates - Non-4K page fix - SMU 13 fixes - DP alt mode fix amdkfd: - Boundary checks - CRIU fixes amdxdna: - fix device removal issues - fix use after free in debug BO imagination: - fix double call to scheduler fini - fix ioctl return values - fix user array stride virtio: - handle EDIDs better panthor: - irq safe fence lock fix - reset work fix - fix invalid pointer - fix iomem access in suspended state - sched resume fix - unplug suspend fix - drop needless check - eviction leak fix - bail on group start/resume fix - keep irqs masked malidp: - use clock bulk API komeda: - clock prepare fixes" * tag 'drm-fixes-2026-07-04' of https://gitlab.freedesktop.org/drm/kernel: (105 commits) drm/xe/oa: Fix offset alignment for MERT WHITELIST_OA_MERT_MMIO_TRG drm/xe/pt: prevent invalid cursor access for purged BOs drm/xe: fix NPD in bo_meminfo() drm/xe/pf: Don't attempt to process FAST_REQ or EVENT relays drm/xe/hw_engine: Fix double-free of managed BO in error path drm/xe/userptr: Drop bogus static from finish in force_invalidate drm/xe/userptr: Hold notifier_lock for write on inject test path drm/xe/display: skip FORCE_WC and vm_bound check for external dma-bufs drm/xe: Return error on non-migratable faults requiring devmem drm/xe/rtp: Ensure locking/ref counting for OA whitelists drm/xe/oa: (De-)whitelist OA registers on OA stream open/release drm/xe/rtp: (De-)whitelist OA registers for all hwe's for a gt drm/xe/rtp: Toggle 'deny' bit to (de-)whitelist OA regs drm/xe/rtp: Save OA nonpriv registers to register save/restore lists drm/xe/rtp: Generalize whitelist_apply_to_hwe drm/xe/rtp: Keep track of non-OA nonpriv slots drm/xe/rtp: Maintain OA whitelists separately drm/xe/rtp: Fix build error with clang < 21 and non-const initializers drm/imagination: Fix user array stride in pvr_set_uobj_array() drm/imagination: Fix returned size for DRM_IOCTL_PVR_DEV_QUERY ...
29 hoursMerge tag 'acpi-7.2-rc2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull ACPI support fixes from Rafael Wysocki: "These fix a coding mistake in the ACPI TAD (Time and Alarm Device) driver introduced by one of its previous updates and get rid of the ugly #ifdef __KERNEL__ conditional compilation in acpi_ut_safe_strncpy() by redefining that function as an alias for strscpy_pad(): - Add a missing ACPI_TAD_AC_WAKE capability check omitted by mistake to the ACPI TAD driver (Xu Rao) - Define acpi_ut_safe_strncpy() as an alias for strscpy_pad() which is viable because that function is only called from kernel code (Rafael Wysocki)" * tag 'acpi-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPICA: Define acpi_ut_safe_strncpy() as strscpy_pad() alias ACPI: TAD: Check AC wake capability before enabling wakeup
29 hoursMerge tag 'riscv-for-linus-7.2-rc2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux Pull RISC-V fixes from Paul Walmsley: - Fix a crash when a kretprobe reads from the stack - Fix an issue with the build-time mcount sorter that broke ftrace - Fix the rv32 IRQ stack frame padding to match the ABI - Only defer IOMMU configuration during initialization. This avoids an issue where IOMMU configuration could be indefinitely deferred - Add the missing build salt to the vDSO - Now that RISC-V systems with higher numbers of cores are starting to become available, raise NR_CPUS for RISC-V to 256 - Clean up some warnings from sparse caused by the RISC-V-optimized RAID6 code - Clean up our __cpu_up() code with a few minor fixes * tag 'riscv-for-linus-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux: riscv: probes: save original sp in rethook trampoline riscv: Fix 32-bit call_on_irq_stack() frame pointer ABI scripts/sorttable: Handle RISC-V patchable ftrace entries riscv: smp: use secs_to_jiffies in __cpu_up ACPI: RIMT: Only defer the IOMMU configuration in init stage riscv: Add build salt to the vDSO raid6: fix raid6_recov_rvv symbol undeclared warning raid6: fix riscv symbol undeclared warnigns riscv: Raise default NR_CPUS for 64BIT to 256
30 hoursMerge tag 'v7.2-rc1-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6Linus Torvalds
Pull smb client fixes from Steve French: - Credit fix - Fix alignment issue in parse_posix_ctxt - SID parsing fix * tag 'v7.2-rc1-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6: cifs: Fix missing credit release on failure in cifs_issue_read() cifs: update internal module version number smb: client: use unaligned reads in parse_posix_ctxt() smb: client: harden POSIX SID length parsing
36 hoursMerge branch 'acpi-tad'Rafael J. Wysocki
Merge an ACPI TAD (Time and Alarm Device) driver fix for 7.2-rc2. * acpi-tad: ACPI: TAD: Check AC wake capability before enabling wakeup
39 hoursMerge tag 'vfs-7.2-rc2.fixes' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull vfs fixes from Christian Brauner: - netfs: - fix the decision when to disallow write-streaming with fscache in use, handling of asynchronous cache object creation, a double fput in cachefiles, clearing S_KERNEL_FILE without the inode lock held, page extraction bugs in the iov_iter helpers (a potential underflow, a missing allocation failure check, a memory leak, and a folio offset miscalculation), writeback error and ENOMEM handling, DIO write retry for filesystems without a ->prepare_write() method, and the replacement of the wb_lock mutex with a bit lock plus writethrough collection offload so that multiple asynchronous writebacks don't interfere with each other. - Fix the barriering when walking the netfs subrequest list during retries as it was possible to see a subrequest that was just added by the application thread. - iomap: - Change iomap to submit read bios after each extent instead of building them up across extents. The old behavior was considered problematic for a while and now caused an actual erofs bug. - Guard the ioend io_size EOF trim in iomap against underflow when a concurrent truncate moves EOF below the start of the ioend, wrapping io_size to a huge value. - overlayfs - Fix a stale overlayfs comment about the locking order. - Store the linked-in upper dentry instead of the disconnected O_TMPFILE dentry during overlayfs tmpfile copy-up. With a FUSE or virtiofs upper layer ->d_revalidate() would try to look up "/" in the workdir and fail, causing persistent ESTALE errors that broke dpkg and apt. - vfs-bpf: Have the bpf_real_data_inode() kfunc take a struct file instead of a dentry so it is usable from the bprm_check_security, mmap_file, and file_mprotect hooks, and rename it from bpf_real_inode() to make the data-inode semantics explicit. The kfunc landed this cycle so the change is safe. - afs: NULL pointer dereferences in the callback service and in afs_get_tree(), several memory and refcount leaks, missing locking around the dynamic root inode numbers and premature cell exposure through /afs, a netns destruction hang caused by a misplaced increment of net->cells_outstanding, a bulk lookup malfunction caused by the dir_emit() API change, inode (re)initialisation issues, and assorted smaller fixes to error codes, seqlock handling, and debug output. - vfs: Refuse O_TMPFILE creation with an unmapped fsuid or fsgid and add a selftest for it. - vboxsf: Add Jori Koolstra as vboxsf maintainer, taking over from Hans de Goede. - dio: Release the pages attached to a short atomic dio bio; the REQ_ATOMIC size check error path leaked them. - procfs: Only bump the parent directory link count when registering directories in procfs. Registering regular files inflated the count and leaked a link on every create and remove cycle. - minix: Avoid an unsigned overflow in the minix bitmap block count calculation that let crafted images with huge inode or zone counts pass superblock validation and crash the kernel during mount. - cachefiles: Fix a double unlock in the cachefiles nomem_d_alloc error path left over from the start_creating() conversion. - fat: Stop fat from reading directory entries past the 0x00 end-of-directory marker. If the trailing on-disk slots aren't zero-filled the driver surfaced arbitrary garbage as directory entries. - freexvfs: Don't BUG() on unknown typed-extent types in freevxfs, reachable via ioctl(FIBMAP) on a crafted image; fail with an I/O error instead. - orangefs: Keep the readdir entry size 64-bit in orangefs fill_from_part(). Truncating it to __u32 bypassed the bounds check and led to out-of-bounds reads triggerable by the userspace client. - xfs: Fix the error unwind in xfs_open_devices() which released the rt device file twice and left dangling buftarg pointers behind that were freed again when the failed mount was torn down. - exec: Fix an off-by-one in the comment documenting the maximum binfmt rewrite depth in exec_binprm(). The code allows five rewrites, not four; restricting the code would break userspace so the comment is fixed instead. - file handles: Reject detached mounts in capable_wrt_mount(). A detached mount can be dissolved concurrently, leaving a NULL mount namespace that open_by_handle_at() would dereference. * tag 'vfs-7.2-rc2.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: (57 commits) netfs: Fix barriering when walking subrequest list iomap: submit read bio after each extent fuse: call fuse_send_readpages explicitly from fuse_readahead iomap: consolidate bio submission fhandle: reject detached mounts in capable_wrt_mount() netfs: Fix DIO write retry for filesystems without a ->prepare_write() netfs: Fix folio state after ENOMEM whilst under writeback iteration netfs: Fix writeback error handling netfs: Fix writethrough to use collection offload netfs: Replace wb_lock with a bit lock for asynchronicity netfs: Fix kdoc warning scatterlist: Fix offset in folio calc in extract_xarray_to_sg() iov_iter: Remove unused variable in kunit_iov_iter.c iov_iter: Fix a memory leak in iov_iter_extract_user_pages() iov_iter: Fix missing alloc fail check in iov_iter_extract_bvec_pages() iov_iter: Fix potential underflow in iov_iter_extract_xarray_pages() cachefiles: Fix file burial to take lock when unsetting S_KERNEL_FILE cachefiles: Fix double fput netfs: Fix netfs_create_write_req() to handle async cache object creation netfs: Fix decision whether to disallow write-streaming due to fscache use ...
39 hoursMerge tag 'xfs-fixes-7.2-rc2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linuxLinus Torvalds
Pull xfs fixes from Carlos Maiolino: "A collection of bugfixes and some small code refactoring" * tag 'xfs-fixes-7.2-rc2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux: xfs: simplify __xfs_buf_ioend xfs: fix handling of synchronous errors in xfs_buf_submit xfs: remove xfs_buf_ioend xfs: improve the xfs_buf_ioend_fail calling convention xfs: use null daddr for unset first bad log block xfs: fix memory leak in xfs_dqinode_metadir_create() xfs: release dquot buffer after dqflush failure xfs: also mark the buffer stale on verifier failure in xfs_buf_submit xfs: open code xfs_buf_ioend_fail in xfs_buf_submit xfs: fix AGFL extent count calculation in xrep_agfl_fill xfs: simplify the failure path in xfs_buf_alloc_vmalloc xfs: fix incorrect use of gfp flags in xfs_buf_alloc_backing_mem xfs: lift setting __GFP_NOFAIL from xfs_buf_alloc_kmem to the caller xfs: split up xfs_buf_alloc_backing_mem
39 hoursMerge tag 'for-linus-7.2a-rc2-tag' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip Pull xen fixes from Juergen Gross: - rename function parameters and a comment related to xen_exchange_memory() (Jan Beulich) - replace __ASSEMBLY__ with __ASSEMBLER__ (Thomas Huth) - add some sanity checking to the Xen pvcalls frontend driver (Michael Bommarito) - fix error handling in the Xen gntdev driver (Wentao Liang) - fix several minor bugs in Xen related drivers (Yousef Alhouseen) * tag 'for-linus-7.2a-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip: x86/Xen: correct commentary and parameter naming of xen_exchange_memory() xenbus: reject unterminated directory replies xen/gntalloc: validate grant count before allocation xen/gntalloc: make grant counters unsigned xen/front-pgdir-shbuf: free grant reference head on errors xen/gntdev: fix error handling in ioctl xen: Replace __ASSEMBLY__ with __ASSEMBLER__ in header files xen/pvcalls: bound backend response req_id before indexing rsp[]
39 hoursMerge tag 'gpio-fixes-for-v7.2-rc2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux Pull gpio fixes from Bartosz Golaszewski: - check the return value of gpiochip_add_data() in gpio-mvebu and gpio-htc-egpio - avoid locking context issues with GPIO drivers using the shared GPIO proxy by only allowing sleeping operations (atomic GPIO ops don't really make sense in shared context anyway) - with the above: restore non-sleeping GPIO access in pinctrl-meson - fix return value on OOM in gpio-timberdale - fix interrupt handling in gpio-mt7621 - support both A and B variants of NCT6126D in gpio-f7188x * tag 'gpio-fixes-for-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux: pinctrl: meson: restore non-sleeping GPIO access gpio: timberdale: Return -ENOMEM on dynamic memory allocation in probe gpio: mt7621: be sure IRQ domain is created before exposing GPIO chips gpio: mt7621: more robust management of IRQ domain teardown gpio: mt7621: avoid corruption of shared interrupt trigger state gpio: shared-proxy: always serialize with a sleeping mutex gpio-f7188x: Add support for NCT6126D version B gpio: htc-egpio: use managed gpiochip registration gpio: mvebu: fail probe if gpiochip registration fails
45 hoursnetfs: Fix barriering when walking subrequest listDavid Howells
Fix the barriering used when walking the subrequest list in retry as there's a possibility of seeing a subreq that's just been added by the application thread. Fixes: ee4cdf7ba857 ("netfs: Speed up buffered reading") Fixes: 288ace2f57c9 ("netfs: New writeback implementation") Link: https://sashiko.dev/#/patchset/20260608145432.681865-1-dhowells%40redhat.com Signed-off-by: David Howells <dhowells@redhat.com> Link: https://patch.msgid.link/138807.1782980582@warthog.procyon.org.uk Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org> cc: Paulo Alcantara <pc@manguebit.org> cc: netfs@lists.linux.dev cc: linux-fsdevel@vger.kernel.org Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
48 hoursMerge tag 'device-id-rework' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/ukleinek/linux Pull mod_devicetable.h header split from Uwe Kleine-König: "Split <linux/mod_devicetable.h> in per subsystem headers <linux/mod_devicetable.h> is included transitively in nearly every driver in an x86_64 allmodconfig build of v7.1: $ find drivers -name \*.o -not -name \*.mod.o | wc -l 21330 $ find drivers -name \*.o.cmd -not -name \*.mod.o.cmd | xargs grep -l mod_devicetable.h | wc -l 17038 The result of this mixture of different and unrelated subsystem details is that even when touching an obscure device id struct most of the kernel needs to be recompiled. Given that each driver typically only needs one or two of these structures, splitting into per subsystem headers and only including what is really needed reduces the amount of needed recompilation. This split is implemented in the first commit and then after some preparatory work in the following commits, the last two replace includes of <linux/mod_devicetable.h> by the actually needed more specific headers. There are still a few instances left, but the ones with high impact (that is in headers that are used a lot) and the easy ones (.c files) are handled. These remaining includes will be addressed during the next merge window" * tag 'device-id-rework' of git://git.kernel.org/pub/scm/linux/kernel/git/ukleinek/linux: Replace <linux/mod_devicetable.h> by more specific <linux/device-id/*.h> (c files) Replace <linux/mod_devicetable.h> by more specific <linux/device-id/*.h> (headers) parisc: #include <linux/compiler.h> for unlikely() in <asm/ptrace.h> media: em28xx: Add include for struct usb_device_id LoongArch: KVM: Add include defining struct cpu_feature ALSA: hda/core: Add include defining struct hda_device_id usb: dwc2: Add include defining struct pci_device_id platform/x86: int3472: Add include defining struct dmi_system_id platform/x86: x86-android-tablets: Add include defining struct dmi_system_id i2c: Let i2c-core.h include <linux/i2c.h> of: Explicitly include <linux/types.h> and <linux/err.h> platform/x86: msi-ec: Ensure dmi_system_id is defined usb: serial: Include <linux/usb.h> in <linux/usb/serial.h> driver core: platform: Include header for struct platform_device_id driver: core: Include headers for acpi_device_id and of_device_id for struct device_driver media: ti: vpe: #include <linux/platform_device.h> explicitly mod_devicetable.h: Split into per subsystem headers
2 daysMerge tag 'ata-7.2-rc2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux Pull ata fixes from Damien Le Moal: - Quirk the Phison PS3111-S11 SSD with NOLPM due to its defective link power management (Bryam) - Strengthen checks on a device concurrent positioning range information to make sure to reject any invalid report (Bryam) - Fix probe error handling in the pata_pxa and sata_gemini drivers (Myeonghun, Wentao) - Limit buffer size of replies from translated commands to what libata actually generated (Karuna) * tag 'ata-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux: ata: libata-scsi: limit simulated SCSI command copy to response length ata: pata_pxa: Fix DMA channel leak on probe error ata: sata_gemini: unwind clocks on IDE pinctrl errors ata: libata-core: Reject an invalid concurrent positioning ranges count ata: libata-core: Add NOLPM quirk for PNY CS900 1TB SSD
2 daysReplace <linux/mod_devicetable.h> by more specific <linux/device-id/*.h> (c ↵Uwe Kleine-König (The Capable Hub)
files) Replace the #include of <linux/mod_devicetable.h> by the more specific <linux/device-id/*.h> where applicable. For most cases the include can be dropped completely, only a few drivers need one or two headers added. Acked-by: Danilo Krummrich <dakr@kernel.org> Acked-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Acked-by: Bjorn Helgaas <bhelgaas@google.com> Link: https://patch.msgid.link/1a3f2007c5c5dcf555c09a4035ce3ae8ef1b6c49.1782808461.git.u.kleine-koenig@baylibre.com Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
2 daysReplace <linux/mod_devicetable.h> by more specific <linux/device-id/*.h> ↵Uwe Kleine-König (The Capable Hub)
(headers) <linux/mod_devicetable.h> is included in a many files: $ git grep '<linux/mod_devicetable.h>' ef0c9f75a195 | wc -l 1598 ; some of them are widely used headers. To stop mixing up different and unrelated driver( type)s let the subsystem headers only use the subset of the recently split <linux/mod_devicetable.h> that are relevant for them. The fallout (I hope) is addressed in the previous commits that handle sources relying on e.g. <linux/i2c.h> pulling in the full legacy header and thus providing pci_device_id. Acked-by: Danilo Krummrich <dakr@kernel.org> Acked-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Link: https://patch.msgid.link/199fe46b624ba07fb9bd3e0cd6ff13757932cb5f.1782808461.git.u.kleine-koenig@baylibre.com Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
2 daysparisc: #include <linux/compiler.h> for unlikely() in <asm/ptrace.h>Uwe Kleine-König (The Capable Hub)
Currently <linux/compiler.h> isn't included at all (not even transitively) in <asm/ptrace.h>. arch/parisc/kernel/asm-offsets.c just happens to include the following chain of includes before <asm/ptrace.h>: <linux/sched.h> -> <asm/processor.h> -> <asm/hardware.h> -> <linux/mod_devicetable.h> -> <linux/uuid.h> -> <linux/string.h> -> <linux/compiler.h> . That chain will be broken, because in one of the next commits <asm/hardware.h> is changed to only include <linux/device-id/parisc.h> instead of <linux/mod_devicetable.h>. So to ensure arch/parisc/kernel/asm-offsets.c knows about unlikely() even after that change, #include <linux/compiler.h> explicitly. Link: https://patch.msgid.link/0574a2b73363c3cbf21c55c27455c3cecfb33583.1782808461.git.u.kleine-koenig@baylibre.com Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
2 daysmedia: em28xx: Add include for struct usb_device_idUwe Kleine-König (The Capable Hub)
Traditionally <linux/mod_devicetable.h> was a header defining a plethora of structs, among them struct usb_device_id. This was split now with the objective that only the relevant bits are included. Currently <linux/mod_devicetable.h> is transitively included in drivers/media/usb/em28xx/em28xx.h via: drivers/media/usb/em28xx/em28xx.h -> <linux/i2c.h> -> <linux/acpi.h> -> <linux/device.h> -> <linux/device/driver.h> -> <linux/mod_devicetable.h To keep struct usb_device_id available once <linux/device/driver.h> stops including <linux/mod_devicetable.h>, include it the header providing that struct explictly. Acked-by: Danilo Krummrich <dakr@kernel.org> Acked-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Link: https://patch.msgid.link/e72de5b4b9f1aa77a3c19a5e698a195dfd81ae0b.1782808461.git.u.kleine-koenig@baylibre.com Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
2 daysLoongArch: KVM: Add include defining struct cpu_featureUwe Kleine-König (The Capable Hub)
Traditionally <linux/mod_devicetable.h> was a header defining a plethora of structs, among them struct cpu_features. This was split now with the objective that only the relevant bits are included. Currently <linux/mod_devicetable.h> is transitively included in arch/loongarch/kvm/main.c via: arch/loongarch/kvm/main.c -> <linux/kvm_host.h> -> <linux/entry-virt.h> -> <linux/resume_user_mode.h> -> <linux/memcontrol.h> -> <linux/cgroup.h> -> <linux/kernel_stat.h> -> <linux/interrupt.h> -> <linux/hardirq> -> <asm/hardirq.h> -> <linux/irq.h> -> <asm/irq.h> -> <linux/irqdomain.h> -> <linux/of.h> -> <linux/mod_devicetable.h> To keep struct cpu_features available once <linux/of.h> stops including <linux/mod_devicetable.h>, include it here explicitly. Acked-by: Danilo Krummrich <dakr@kernel.org> Reviewed-by: Bibo Mao <maobibo@loongson.cn> Acked-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Link: https://patch.msgid.link/052feec0e04ea8f5b2706a19a5b236679eed0aba.1782808461.git.u.kleine-koenig@baylibre.com Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
2 daysALSA: hda/core: Add include defining struct hda_device_idUwe Kleine-König (The Capable Hub)
Traditionally all *_device_id were defined in a single header <linux/mod_devicetable.h>. This was split now with the objective that only the relevant bits are included. So including <linux/pci.h> won't be enough to get a definition of (the unrelated to pci) struct hda_device_id. Add an explicit include for the header defining struct hda_device_id to keep working when <linux/pci.h> stops providing this defintion. Acked-by: Danilo Krummrich <dakr@kernel.org> Acked-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Reviewed-by: Takashi Iwai <tiwai@suse.de> Link: https://patch.msgid.link/376883bc5889d5cca01efb6f8d4e07a20158f2b8.1782808461.git.u.kleine-koenig@baylibre.com Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
2 daysusb: dwc2: Add include defining struct pci_device_idUwe Kleine-König (The Capable Hub)
Up to now <linux/acpi.h> includes <linux/mod_devicetable.h> that provides struct pci_device_id. However <linux/mod_devicetable.h> was split into per bus headers and <linux/acpi.h> will only include the acpi related one (and similar for other bus headers). As struct pci_device_id is used in drivers/usb/dwc2/core.h, add an include to ensure it's defined also after the includes in <linux/acpi.h> are tightened. Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Acked-by: Danilo Krummrich <dakr@kernel.org> Acked-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Link: https://patch.msgid.link/bddfcdfaf36d735c244e03efada6083ef98ebd51.1782808461.git.u.kleine-koenig@baylibre.com Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
2 daysplatform/x86: int3472: Add include defining struct dmi_system_idUwe Kleine-König (The Capable Hub)
Currently <linux/mod_devicetable.h> is included transitively in int3472.h via <linux/clk-provider.h> -> <linux/of.h> -> <linux/mod_devicetable.h> However these includes will be tightend such that only the bits relevant for of will be provided by <linux/of.h>. To ensure that dmi_system_id stays around, include the respective header explicitly. Acked-by: Danilo Krummrich <dakr@kernel.org> Acked-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Acked-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com> Link: https://patch.msgid.link/0ba52730f67dc995d9d896b81fa6a7320bf8cb4b.1782808461.git.u.kleine-koenig@baylibre.com Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
2 daysplatform/x86: x86-android-tablets: Add include defining struct dmi_system_idUwe Kleine-König (The Capable Hub)
Currently <linux/i2c.h> includes <linux/mod_devicetable.h> transitively which ensures that struct dmi_system_id is defined in drivers/platform/x86/x86-android-tablets/x86-android-tablets.h. However this include in <linux/i2c.h> will be replaced by one for i2c_device_id only. To ensure that dmi_system_id is available add the include for that explicitly. Acked-by: Danilo Krummrich <dakr@kernel.org> Acked-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Acked-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Link: https://patch.msgid.link/32928d9ee47cefc7dfc4c385c06bd5e598b0fca1.1782808461.git.u.kleine-koenig@baylibre.com Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
2 daysi2c: Let i2c-core.h include <linux/i2c.h>Uwe Kleine-König (The Capable Hub)
The subsystem private header i2c-core.h uses several symbols defined in <linux/i2c.h>, e.g. struct i2c_board_info and i2c_lock_bus()). This doesn't pose a problem in practise because all files including "i2c-core.h" also include <linux/i2c.h>. To make this more robust add an include statement for <linux/i2c.h> making the header self-contained. Acked-by: Danilo Krummrich <dakr@kernel.org> Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com> Acked-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Link: https://patch.msgid.link/46aa85ab3dc4e63bfb5bd8ff1fd212a3d0e31f58.1782808461.git.u.kleine-koenig@baylibre.com Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
2 daysof: Explicitly include <linux/types.h> and <linux/err.h>Uwe Kleine-König (The Capable Hub)
<linux/of_platform.h> uses resource_size_t and relies on the transitive include <linux/mod_devicetable.h> -> <linux/types.h>. It also uses error constants and thus relying on the include chain <linux/mod_devicetable.h> -> <linux/uuid.h> -> <linux/string.h> -> <linux/err.h>. With the plan to split <linux/mod_devicetable.h> per subsystem and then only letting of_platform.h include the of-specific bits (which don't require these two headers), add the needed includes explicitly to keep the header self-contained. Acked-by: Danilo Krummrich <dakr@kernel.org> Acked-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Link: https://patch.msgid.link/a730991bc8813cf70c2445064ea425291538f709.1782808461.git.u.kleine-koenig@baylibre.com Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
2 daysplatform/x86: msi-ec: Ensure dmi_system_id is definedUwe Kleine-König (The Capable Hub)
Currently <linux/acpi.h> includes <linux/mod_devicetable.h> and thus dmi_system_id is available for the driver. To disentangle includes <linux/acpi.h> will be changed to only include the header for acpi_device_id instead of the full <linux/mod_devicetable.h>. To prepare for that include the dedicated header for struct dmi_device_id. Acked-by: Danilo Krummrich <dakr@kernel.org> Acked-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Acked-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Link: https://patch.msgid.link/600c7ab3263dcb8cee39b43dbd313eba8abef376.1782808461.git.u.kleine-koenig@baylibre.com Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
2 daysusb: serial: Include <linux/usb.h> in <linux/usb/serial.h>Uwe Kleine-König (The Capable Hub)
All consumers of the latter also include the former, but without that struct usb_driver and struct usb_device_id (and maybe more) are not defined. Add an include for <linux/usb.h> to make the header self-contained. Acked-by: Danilo Krummrich <dakr@kernel.org> Acked-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Link: https://patch.msgid.link/82219ab65d16ee5bfe5a35d11bc938baac3fd3bc.1782808461.git.u.kleine-koenig@baylibre.com Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
2 daysdriver core: platform: Include header for struct platform_device_idUwe Kleine-König (The Capable Hub)
Platform drivers can define an array containing the supported device variants to be assigned to the struct platform_driver's .id_table. While a forward declaration of struct platform_device_id is technically enough to make the driver self-contained, it's reasonable to provide the (very lightweight) data type definition for that array in <linux/platform_device.h> to not add that burden to all platform drivers with an id-table. Note that currently <linux/device.h> transitively includes <linux/mod_devicetable.h> that provides struct platform_device_id. But that include is planned to be replaced by a tighter set of includes that only define the structures relevant for the stuff in <linux/device.h>. Acked-by: Danilo Krummrich <dakr@kernel.org> Acked-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Link: https://patch.msgid.link/4ca29592c9d1c6d528a65e05b80af7355f3c79c5.1782808461.git.u.kleine-koenig@baylibre.com Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
2 daysdriver: core: Include headers for acpi_device_id and of_device_id for struct ↵Uwe Kleine-König (The Capable Hub)
device_driver struct device_driver contains pointers of type struct of_device_id* and struct acpi_device_id* but doesn't ensure these are defined. To make the header self-contained add the (very lightweight) includes that contain the respective definitions. Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Acked-by: Danilo Krummrich <dakr@kernel.org> Acked-by: Rafael J. Wysocki (Intel) <rafael@kernel.org> Acked-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Link: https://patch.msgid.link/199ba71b4ac73f4b4d9f5d2be635c96eec73c70e.1782808461.git.u.kleine-koenig@baylibre.com Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
2 daysmedia: ti: vpe: #include <linux/platform_device.h> explicitlyUwe Kleine-König (The Capable Hub)
The driver uses several symbols and structs defined in that header. The header is currently included transitively via "vip.h" -> <media/v4l2-ctrls.h> -> <media/media-request.h> -> <media/media-device.h> -> <linux/platform_device.h> which seems to be on the lower end of the scale between random and reliable. Acked-by: Danilo Krummrich <dakr@kernel.org> Reviewed-by: Yemike Abhilash Chandra <y-abhilashchandra@ti.com> Acked-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Link: https://patch.msgid.link/9f2e0e001eec087f00ac2c5af2de2e8f6d0978c1.1782808461.git.u.kleine-koenig@baylibre.com Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
2 daysmod_devicetable.h: Split into per subsystem headersUwe Kleine-König (The Capable Hub)
<linux/mod_devicetable.h> is included transitively in nearly every driver in an x86_64 allmodconfig build of v7.1: $ find drivers -name \*.o -not -name \*.mod.o | wc -l 21330 $ find drivers -name \*.o.cmd -not -name \*.mod.o.cmd | xargs grep -l mod_devicetable.h | wc -l 17038 The result is that even when touching an obscure device id struct most of the kernel needs to be recompiled. Given that each driver typically only needs one or two of these structures, splitting into per subsystem headers and only including what is really needed reduces the amount of needed recompilation. Implement the first step and define each device id struct in a separate header (together with its associated #defines). <linux/mod_devicetable.h> is modified to include all the new headers to continue to provide the same symbols. Several headers currently include <linux/mod_devicetable.h>, those that are most lukrative to include only their subsystem headers only are: $ git -C source grep -l mod_devicetable.h include/linux | while read h; do echo -n "$h:"; find drivers -name \*.o.cmd -not -name \*.mod.o.cmd | xargs grep -l $h | wc -l; done | sort -t: -k2 -n -r | head include/linux/of.h:10897 include/linux/pci.h:7920 include/linux/acpi.h:7097 include/linux/i2c.h:5402 include/linux/spi/spi.h:1897 include/linux/dmi.h:1643 include/linux/usb.h:1222 include/linux/input.h:1205 include/linux/mdio.h:835 include/linux/phy.h:733 struct cpu_feature isn't really a device_id struct. That is kept in <linux/mod_devicetable.h> for now. Acked-by: Danilo Krummrich <dakr@kernel.org> Acked-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Acked-by: Geert Uytterhoeven <geert@linux-m68k.org> # zorro Link: https://patch.msgid.link/41400e323be8640702b906d04327e833c5bdaf4a.1782808461.git.u.kleine-koenig@baylibre.com [Drop "MOD" from the header guards] Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
2 daysata: libata-scsi: limit simulated SCSI command copy to response lengthKaruna Ramkumar
The function ata_scsi_rbuf_fill() is used to copy the response of emulated SCSI commands from ata_scsi_rbuf to the SCSI command's scatterlist. Currently, sg_copy_from_buffer() is called with the size argument set to ATA_SCSI_RBUF_SIZE (2048 bytes). Since ata_scsi_rbuf is zeroed out before the simulation actor is invoked, copying the full buffer size causes the remainder of the SCSI command's transfer buffer (beyond the actual response length 'len') to be overwritten with zeroes. This clobbers any pre-existing sentinel values or data in the caller's buffer tail, even though the correct residual count is reported via scsi_set_resid(). Fix this by passing the actual response length 'len' as the copy size to sg_copy_from_buffer(), ensuring that the tail of the caller's buffer remains untouched. Also, add a defensive check to ensure that the actor does not return a length exceeding the static buffer capacity. If this occurs, trigger a WARN_ON(), fail the command with an aborted command error, and return immediately without copying any data. The fix was tested by invoking an SCSI SG_IO INQUIRY on an ATA disk on vanilla build, and build with the fix. Confirmed that the input buffer's tail end remains unmodified with the fix. Fixes: 5251ae224d8d ("ata: libata-scsi: Return residual for emulated SCSI commands") Assisted-by: Antigravity:gemini-3.5-flash Signed-off-by: Karuna Ramkumar <rkaruna@google.com> Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
2 daysata: pata_pxa: Fix DMA channel leak on probe errorWentao Liang
When dmaengine_slave_config() fails, the DMA channel acquired by dma_request_chan() is not released before returning the error, leaking the channel reference. Fix by adding dma_release_channel() in the error path. The ata_host_activate() error path already correctly releases the DMA channel. Cc: stable@vger.kernel.org Fixes: 88622d80af82 ("ata: pata_pxa: dmaengine conversion") Signed-off-by: Wentao Liang <vulab@iscas.ac.cn> Reviewed-by: Niklas Cassel <cassel@kernel.org> Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
2 daysata: sata_gemini: unwind clocks on IDE pinctrl errorsMyeonghun Pak
gemini_sata_bridge_init() prepares and enables both SATA PCLKs, then disables them again while keeping the clocks prepared for later bridge start and stop operations. If gemini_setup_ide_pins() fails after that, gemini_sata_probe() returns directly and skips the existing out_unprep_clk unwind path. Route the IDE pinctrl failure through out_unprep_clk so the clocks prepared by gemini_sata_bridge_init() are unprepared before probe fails. Fixes: d872ced29d5f ("ata: sata_gemini: Introduce explicit IDE pin control") Co-developed-by: Ijae Kim <ae878000@gmail.com> Signed-off-by: Ijae Kim <ae878000@gmail.com> Signed-off-by: Myeonghun Pak <mhun512@gmail.com> Reviewed-by: Niklas Cassel <cassel@kernel.org> Reviewed-by: Linus Walleij <linusw@kernel.org> Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
2 daysata: libata-core: Reject an invalid concurrent positioning ranges countBryam Vargas
ata_dev_config_cpr() takes the number of range descriptors from buf[0] of the concurrent positioning ranges log (up to 255), which the device reports independently of the log size in the GPL directory. The count is then walked at a fixed 32-byte stride in two places with no bound: the log read here, and the INQUIRY VPD page B9h emitter, which writes one descriptor per range into the fixed 2048-byte ata_scsi_rbuf. A device reporting a count larger than its own log overflows the read buffer (up to 7704 bytes past a 512-byte slab), and a count above 62 overflows the response buffer on the emit side. Bound the count once, on probe, against both the log the device returned and the number of descriptors the VPD B9h response buffer can hold (ATA_DEV_MAX_CPR, derived from the rbuf size). Reject an out-of-range count with a warning; this keeps the emitter in bounds with no separate change there. Suggested-by: Damien Le Moal <dlemoal@kernel.org> Fixes: fe22e1c2f705 ("libata: support concurrent positioning ranges log") Fixes: c745dfc541e7 ("libata: fix reading concurrent positioning ranges log") Cc: stable@vger.kernel.org Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me> Reviewed-by: Niklas Cassel <cassel@kernel.org> Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
2 daysata: libata-core: Add NOLPM quirk for PNY CS900 1TB SSDBryam Vargas
The PNY CS900 1TB SSD (Phison PS3111-S11, DRAM-less) drops off the bus after entering Device-Initiated Slumber during idle. With the default med_power_with_dipm policy the link goes down (SStatus 1 SControl 300) and does not recover, forcing the filesystem read-only. Forcing max_performance keeps the link stable across prolonged idle. Add a NOLPM quirk so link power management is disabled for this drive specifically, leaving it intact for other devices on the host. Cc: stable@vger.kernel.org Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me> Reviewed-by: Niklas Cassel <cassel@kernel.org> Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
2 daysMerge tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpfLinus Torvalds
Pull BPF fixes from Daniel Borkmann: - Initialize task local storage before fork bails out to free the task (Jann Horn) - Fix insn_aux_data leak on verifier error path (KaFai Wan) - Reject BPF inode storage map creation when BPF LSM is uninitialized (Matt Bobrowski) - Mask pseudo pointer values in verifier logs when pointer leaks are not allowed (Nuoqi Gui) - Harden BPF JIT against spraying via IBPB flush (Pawan Gupta) - Reject a skb-modifying SK_SKB stream parser since the latter is only meant to measure the next message (Sechang Lim) - Fix bpf_refcount_acquire to reject refcounted allocation arguments with a non-zero fixed offset (Yiyang Chen) * tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf: bpf: Prefer dirty packs for eBPF allocations bpf: Prefer packs that won't trigger an IBPB flush on allocation bpf: Skip redundant IBPB in pack allocator bpf: Restrict JIT predictor flush to cBPF x86/bugs: Enable IBPB flush on BPF JIT allocation bpf: Support for hardening against JIT spraying bpf: Reject BPF_MAP_TYPE_INODE_STORAGE creation if BPF LSM is uninitialized bpf,fork: wipe ->bpf_storage before bailouts that access it bpf: Fix insn_aux_data leak on verifier err_free_env path selftests/bpf: Cover pseudo-BTF ksym log masking bpf: Mask pseudo pointer values in verifier logs selftests/bpf: Cover refcount acquire node offsets bpf: Reject offset refcount acquire arguments selftests/bpf: test rejection of a packet-modifying SK_SKB stream parser bpf, sockmap: reject a packet-modifying SK_SKB stream parser selftests/bpf: don't modify the skb in the strparser parser prog
2 daysMerge tag 'vfio-v7.2-rc2' of https://github.com/awilliam/linux-vfioLinus Torvalds
Pull VFIO fixes from Alex Williamson: "Mostly straightforward fixes here, inconsistent runtime PM handling due to global device policies, bitfield races, unwind path gaps, teardown ordering, and a misplaced library flag. - Fix racy bitfield updates in vfio-pci-core and the mlx5 vfio-pci variant driver with a binary split between setup/release and runtime modified flags. These were noted across several Sashiko reviews as pre-existing issues (Alex Williamson) - Fix runtime PM inconsistency where the vfio-pci driver module_init could modify the idle PM policy of existing devices through globals managed in vfio-pci-core, leading to unbalanced runtime PM operations (Alex Williamson) - Restore mutability of writable vfio-pci module options by further pulling policy globals out of vfio-pci-core, to instead be latched per device at device init. Provide visibility of the per device latched values through debugfs (Alex Williamson) - Fix missing VGA arbiter uninit callback in unwind path (Alex Williamson) - Reorder device debugfs removal before device_del() to avoid gap where debugfs is available with stale devres pointers (Alex Williamson) - Move UUID library linking flag from vfio selftest Makefile into libvfio.mk to avoid exposing such dependencies when linking with KVM selftests (Sean Christopherson)" * tag 'vfio-v7.2-rc2' of https://github.com/awilliam/linux-vfio: vfio: selftests: Add luuid to libvfio.mk's list of libraries, not to the Makefile vfio/pci: Expose latched module parameter policy in debugfs vfio: Remove device debugfs before releasing devres vfio/pci: Latch all module parameters per device vfio/mlx5: Fix racy bitfields and tighten struct layout vfio/pci: Fix racy bitfields and tighten struct layout vfio/pci: Release the VGA arbiter client on register_device() failure vfio/pci: Latch disable_idle_d3 per device
2 daysMerge tag 'drm-misc-fixes-2026-07-02' of ↵Dave Airlie
https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes drm-misc-fixes for v7.2-rc2: - Fix potential null pointer dereference in dma-buf. - Handle 0 in dma_fence_dedup_array. - Use the correct callback in dma_fence_timeline_name. - Fix device removal handling in amdxdna. - kernel-doc fixes. - Include header fix for drm_ras.h - Handle edids better in virtio. - Use the clk_bulk api for error handling in malidp. - More clk handling fixes for komeda. - panthor scheduler block fallout fixes. - panthor unplug fixes. - other panthor fixes. - Fix unnecessary WARN_ON in topology probe after teardown. - Add refcount to amdxdna job to fix use-after free. - Fix increasing args->size in ioctl's of drm/imagination. - Handle stride correctly in pvr_set_uobj_array. - Only call imagination's drm_sched_entity_fini once. Signed-off-by: Dave Airlie <airlied@redhat.com> From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com> Link: https://patch.msgid.link/786bdc92-0ce3-4c0f-9668-b0fa8a0047ea@linux.intel.com
2 daysMerge tag 'drm-xe-fixes-2026-07-02' of ↵Dave Airlie
https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes Driver Changes: - Wedge from the timeout handler only after releasing the queue (Rodrigo) - Fix a NULL pointer dereference (Francois) - Remove redundant exec_queue_suspended (Lu) - RTP / OA whitelist fixes (Ashutosh, Gustavo, Thomas) - Return error on non-migratable faults requiring devmem (Matt Brost) - Skip FORCE_WC and vm_bound check for external dma-bufs (Matt Auld) - Hold notifier lock for write on inject test path (Shuicheng) - Drop bogus static from finish in force_invalidate (Shuicheng) - Fix double-free of managed BO in error path (Shuicheng) - Don't attempt to process FAST_REQ or EVENT relays (Michal) - Fix NPD in bo_meminfo (Matthew Auld) - Prevent invalid cursor access for purged BOs (Matthew Auld) - Fix offset alignment for MERT WHITELST_OA_MERT_MMIO_TRG (Ashutosh) Signed-off-by: Dave Airlie <airlied@redhat.com> From: Thomas Hellstrom <thomas.hellstrom@linux.intel.com> Link: https://patch.msgid.link/akZ_UbrL94G4F2iA@fedora
2 daysMerge tag 'amd-drm-fixes-7.2-2026-07-02' of ↵Dave Airlie
https://gitlab.freedesktop.org/agd5f/linux into drm-fixes amd-drm-fixes-7.2-2026-07-02: amdgpu: - Soc24 aborted suspend fix - Drop unecessary BUG() and BUG_ON() from error paths - SCPM fix - Power reporting fix - DCE HDR fix - UVD boundary checks - VCN boundary checks - VCE boundary checks - DCN 4.2 fixes - Large stack allocation fixes - Fix aperture mapping leak - UserQ fixes - Ignore_damage_clips fix - ACP fixes - DC boundary checks - GPUVM fixes - JPEG idle check fixes - Userptr fix - GC 11.7 updates - Non-4K page fix - SMU 13 fixes - DP alt mode fix amdkfd: - Boundary checks - CRIU fixes Signed-off-by: Dave Airlie <airlied@redhat.com> From: Alex Deucher <alexander.deucher@amd.com> Link: https://patch.msgid.link/20260702143138.68463-1-alexander.deucher@amd.com
2 daysMerge tag 'drm-intel-fixes-2026-07-02' of ↵Dave Airlie
https://gitlab.freedesktop.org/drm/i915/kernel into drm-fixes - Input validation fixes for BIOS and EDID (Jani) - Fix HDCP code buffer overflow and seq_num_v monotonic increase check (Jani) - Fix near-NULL deref in i915_active during GFP_ATOMIC exhaustion (Joonas) Signed-off-by: Dave Airlie <airlied@redhat.com> From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com> Link: https://patch.msgid.link/akYLxDea3kEyHqJA@jlahtine-mobl
3 daysMerge tag 'net-7.2-rc2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Paolo Abeni: "Including fixes from netfilter and batman-adv. Current release - new code bugs: - netfilter: cthelper: cap to maximum number of expectation per master Previous releases - regressions: - netpoll: fix a use-after-free on shutdown path - tcp: restore RCU grace period in tcp_ao_destroy_sock - ipv6: fix NULL deref in fib6_walk_continiue() on multi-batch dump - batman-adv: dat: ensure accessible eth_hdr proto field - eth: - virtio_net: disable cb when NAPI is busy-polled - lan743x: Initialize eth_syslock spinlock before use Previous releases - always broken: - netfilter: - nft_set_pipapo: don't leak bad clone into future transaction - sched: - sch_teql: Introduce slaves_lock to avoid race condition and UAF - replace direct dequeue call with peek and qdisc_dequeue_peeked - sctp: add INIT verification after cookie unpacking - tipc: fix out-of-bounds read in broadcast Gap ACK blocks - seg6: validate SRH length before reading fixed fields - eth: - mlx5e: fix use-after-free of metadata_dst on RX SC delete - enetc: check the number of BDs needed for xdp_frame - fbnic: don't cache shinfo across skb realloc" * tag 'net-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (58 commits) net/mlx5: HWS, fix matcher leak on resize target setup failure net/sched: hhf: clear heavy-hitter state on reset net/sched: dualpi2: clear stale classification on filter miss net/sched: act_bpf: use rcu_dereference_bh() to read the filter selftests: drv-net: tso: don't touch dangerous feature bits cxgb4: Fix decode strings dump for T6 adapters virtio_net: disable cb when NAPI is busy-polled sctp: fix addr_wq_timer race in sctp_free_addr_wq() selftests: net: bump default cmd() timeout to 20 seconds bridge: stp: Fix a potential use-after-free when deleting a bridge net/sched: sch_teql: Introduce slaves_lock to avoid race condition and UAF net: gianfar: dispose irq mappings on probe failure and device removal net: lan743x: Initialize eth_syslock spinlock before use net: libwx: fix VMDQ mask for 1-queue mode net: airoha: fix max receive size configuration fsl/fman: Free init resources on KeyGen failure in fman_init() netfilter: nftables: restrict checkum update offset netfilter: nftables: restrict linklayer and network header writes netfilter: nfnetlink_queue: restrict writes to network header netfilter: nft_fib: reject fib expression on the netdev egress hook ...
3 daysMerge tag 'hwmon-for-v7.2-rc2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging Pull hwmon fixes from Guenter Roeck: - adm1275: Detect coefficient overflow, and prevent reading uninitialized stack - aspeed-g6-pwm-tach: Guard fan RPM calculation against divide-by-zero - asus_atk0110: Check package count before accessing element - ltc4283: fix malformed table docs build error - occ: Unregister sysfs devices outside occ lock to avoid lockdep warning - pmbus core: Fix passing events to regulator core, and honor vrm_version in pmbus_data2reg_vid() - w83627hf: Remove VID sysfs files on error and remove - w83793: remove vrm sysfs file on probe failure - Various: Add missing 'select REGMAP_I2C' to Kconfig * tag 'hwmon-for-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: hwmon: (aspeed-g6-pwm-tach) Guard fan RPM calculation against divide-by-zero hwmon: (pmbus) Fix passing events to regulator core hwmon: adm1275: Detect coefficient overflow hwmon: adm1275: Prevent reading uninitialized stack hwmon: (max6697) add missing 'select REGMAP_I2C' to Kconfig hwmon: (ltc2992) add missing 'select REGMAP_I2C' to Kconfig hwmon: (max1619) add missing 'select REGMAP' to Kconfig hwmon: (w83627hf) remove VID sysfs files on error and remove hwmon: (w83793) remove vrm sysfs file on probe failure hwmon: (asus_atk0110) Check package count before accessing element docs: hwmon: ltc4283: fix malformed table docs build error hwmon: (pmbus/core) honor vrm_version in pmbus_data2reg_vid() hwmon: (occ) unregister sysfs devices outside occ lock
3 daysMerge tag 'mfd-fixes-7.2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd Pull MFD fix from Lee Jones: - Add MFD mailing list to MAINTAINERS * tag 'mfd-fixes-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd: MAINTAINERS: Add a mailing list entry to MFD
3 dayss390/monwriter: Reject buffer reuse with different data lengthGerald Schaefer
When data buffers are reused, e.g. for interval sample records, the first record determines the data length, and the size of the buffer for user copy. Current monwriter code does not check if the data length was changed for subsequent records, which also would never happen for valid user programs. However, a malicious user could change the data length, resulting in out of bounds user copy to the kernel buffer, and memory corruption. By default, the monwriter misc device is created with root-only permissions, so practical impact is typically low. Fix this by checking for changed data length and rejecting such records. Cc: stable@vger.kernel.org Signed-off-by: Gerald Schaefer <gerald.schaefer@linux.ibm.com> Reviewed-by: Christian Borntraeger <borntraeger@linux.ibm.com> Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
3 dayscifs: Fix missing credit release on failure in cifs_issue_read()David Howells
Fix missing release of credits in the failure path in cifs_issue_read() lest retrying the subreq just overwrites the credits value. Fixes: 69c3c023af25 ("cifs: Implement netfslib hooks") Link: https://sashiko.dev/#/patchset/20260608145432.681865-1-dhowells%40redhat.com Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org> cc: linux-cifs@vger.kernel.org cc: netfs@lists.linux.dev cc: linux-fsdevel@vger.kernel.org Signed-off-by: Steve French <stfrench@microsoft.com>
3 daysdrm/xe/oa: Fix offset alignment for MERT WHITELIST_OA_MERT_MMIO_TRGAshutosh Dixit
'head' argument for WHITELIST_OA_MERT_MMIO_TRG was previously wrong (not multiple of 16). Fix this. Fixes: ec02e49f21bc ("drm/xe/rtp: Whitelist OAMERT MMIO trigger registers") Cc: stable@vger.kernel.org Reviewed-by: Umesh Nerlige Ramappa <umesh.nerlige.ramappa@intel.com> Signed-off-by: Ashutosh Dixit <ashutosh.dixit@intel.com> Link: https://patch.msgid.link/20260629172634.1100983-1-ashutosh.dixit@intel.com (cherry picked from commit f6c23e4589bdc69a5d2f79aed5c5bddd5d406cbe) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
3 daysdrm/xe/pt: prevent invalid cursor access for purged BOsMatthew Auld
During a page table walk for binding, xe_pt_stage_bind() explicitly skips initializing the xe_res_cursor for purged BOs, treating them similarly to NULL VMAs by only setting the cursor size. However, xe_pt_hugepte_possible() and xe_pt_scan_64K() did not check if the BO was purged before attempting to walk the cursor using xe_res_dma() and xe_res_next(). Because the cursor was left uninitialized for purged BOs, this falls through and triggers warnings like: WARNING: drivers/gpu/drm/xe/xe_res_cursor.h:274 at xe_res_next Fix this by explicitly checking if the BO is purged in both xe_pt_hugepte_possible() and xe_pt_scan_64K(), returning early just as we do for NULL VMAs, avoiding the invalid cursor accesses entirely. As a precaution, also zero-initialize the cursor in xe_pt_stage_bind() to ensure we don't pass garbage data into the page table walkers if we ever hit a similar edge case in the future. Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/work_items/8418 Fixes: ad9843aac91a ("drm/xe/madvise: Implement purgeable buffer object support") Assisted-by: Copilot:gemini-3.1-pro-preview Reported-by: Matthew Schwartz <matthew.schwartz@linux.dev> Signed-off-by: Matthew Auld <matthew.auld@intel.com> Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com> Cc: Matthew Brost <matthew.brost@intel.com> Cc: Arvind Yadav <arvind.yadav@intel.com> Reviewed-by: Matthew Brost <matthew.brost@intel.com> Tested-by: Matthew Schwartz <matthew.schwartz@linux.dev> Link: https://patch.msgid.link/20260625152054.450125-8-matthew.auld@intel.com (cherry picked from commit 4c7b9c6ece32440e5a435a92076d049450cd2d2e) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>