summaryrefslogtreecommitdiff
path: root/tools
AgeCommit message (Collapse)Author
2026-06-05perf mmap: Guard cpu__get_node() return in aio_bind()Arnaldo Carvalho de Melo
perf_mmap__aio_bind() passes the cpu__get_node() return value directly to an unsigned long variable (node_index). When cpu__get_node() returns -1 for an unknown CPU, the implicit int-to-unsigned-long conversion sign-extends it to ULONG_MAX. This causes bitmap_zalloc(ULONG_MAX + 1) which wraps to bitmap_zalloc(0), returning a zero-sized allocation. The subsequent __set_bit(ULONG_MAX, node_mask) then writes massively out of bounds. Check the return value in a signed temporary before assigning to node_index, and skip the NUMA binding when the node is unknown. Fixes: c44a8b44ca9f ("perf record: Bind the AIO user space buffers to nodes") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Cc: Alexey Budankov <alexey.budankov@linux.intel.com> Cc: Jiri Olsa <jolsa@kernel.org> Cc: Namhyung Kim <namhyung@kernel.org> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-05perf sched: Fix register_pid() overflow, strcpy, and BUG_ONArnaldo Carvalho de Melo
register_pid() has several issues when processing untrusted perf.data: 1. Integer overflow: (pid + 1) * sizeof(struct task_desc *) can wrap to a small value on 32-bit systems when pid is large (e.g. 0x40000000), causing realloc to return a tiny buffer followed by out-of-bounds writes in the initialization loop. 2. Heap buffer overflow: strcpy(task->comm, comm) copies the untrusted comm string into a fixed 20-byte COMM_LEN buffer with no length check. 3. BUG_ON on allocation failure: perf.data is untrusted input, so allocation failures should be handled gracefully rather than killing the process. 4. Realloc of sched->tasks assigned directly back, leaking the old pointer on failure; nr_tasks incremented before the realloc, leaving corrupted state on failure. Cap pid at PID_MAX_LIMIT (4194304, matching the kernel's maximum on 64-bit), replace strcpy with strlcpy, guard against NULL comm, replace BUG_ON with NULL returns using safe realloc patterns, and add NULL checks in callers that dereference the result. Fixes: ec156764d424 ("perf sched: Import schedbench.c") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Cc: Ingo Molnar <mingo@elte.hu> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-05perf sched: Cap max_cpu at MAX_CPUS in timehist sample processingArnaldo Carvalho de Melo
perf_timehist__process_sample() updates sched->max_cpu from the sample CPU without bounds checking. Later code uses max_cpu + 1 as an iteration count over arrays allocated with MAX_CPUS entries (curr_thread, cpu_last_switched). A recording with CPU IDs >= MAX_CPUS causes out-of-bounds array accesses. Also cap the env->nr_cpus_online initialization of max_cpu in perf_sched__timehist(), which could exceed MAX_CPUS on very large systems. Add bounds checks before both max_cpu updates, matching the pattern already used in map_switch_event(). Fixes: 49394a2a24c7 ("perf sched timehist: Introduce timehist command") Reviewed-by: David Ahern <dsahern@kernel.org> Reported-by: sashiko-bot <sashiko-bot@kernel.org> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-05Merge tag 'probes-fixes-v7.1-rc6' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull tracing/probes fix from Masami Hiramatsu: "Fix the eprobe event parser to point error position correctly" * tag 'probes-fixes-v7.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: tracing/probes: Point the error offset correctly for eprobe argument error
2026-06-05KVM: riscv: selftests: Split SBI FWFT into separate feature-specific sublistsYong-Xuan Wang
Divide the monolithic SBI FWFT (Firmware Features) register list into separate sublists, each testing a specific FWFT feature independently with proper dependency checking. Previously, all FWFT features were tested together in a single sublist. This caused issues because: 1. Not all FWFT features are available on all platforms 2. Some features depend on specific ISA extensions (e.g., pointer_masking requires Smnpm) 3. Tests would fail if any single feature was unavailable Add the feature-specific SBI FWFT sublists with the following improvements: - Add check_fwft_feature() helper to verify FWFT feature availability at runtime - Update filter_reg() to handle per-feature FWFT register filtering Signed-off-by: Yong-Xuan Wang <yongxuan.wang@sifive.com> Reviewed-by: Anup Patel <anup@brainfault.org> Link: https://lore.kernel.org/r/20260601-kvm-get_reg_list-v2-v5-5-415d08a2813b@sifive.com Signed-off-by: Anup Patel <anup@brainfault.org>
2026-06-05KVM: riscv: selftests: Refactor ISA and SBI extension sublist macrosYong-Xuan Wang
Refactor the get-reg-list test to use unified sublist macros for ISA and SBI extensions, eliminating code duplication and improving maintainability. Previously, each extension had its own hand-coded sublist definition (e.g., SUBLIST_ZICBOM, SUBLIST_AIA, etc.) and the config structures repeated the same pattern. This made the code verbose and error-prone. Signed-off-by: Yong-Xuan Wang <yongxuan.wang@sifive.com> Reviewed-by: Anup Patel <anup@brainfault.org> Link: https://lore.kernel.org/r/20260601-kvm-get_reg_list-v2-v5-4-415d08a2813b@sifive.com Signed-off-by: Anup Patel <anup@brainfault.org>
2026-06-05selftests/bpf: Add resizable hashmap to benchmarksMykyta Yatsenko
Support resizable hashmap in BPF map benchmarks. 1. LOOKUP (single producer, M events/sec) key | max | nr | htab | rhtab | ratio | delta ----+-----+-------+---------+---------+-------+------- 8 | 1K | 750 | 99.85 | 81.92 | 0.82x | -18 % 8 | 1K | 1K | 100.71 | 80.19 | 0.80x | -20 % 8 | 1M | 750K | 23.37 | 72.09 | 3.08x | +208 % 8 | 1M | 1M | 13.39 | 53.72 | 4.01x | +301 % 32 | 1K | 750 | 51.57 | 42.78 | 0.83x | -17 % 32 | 1K | 1K | 50.81 | 45.83 | 0.90x | -10 % 32 | 1M | 750K | 11.27 | 15.29 | 1.36x | +36 % 32 | 1M | 1M | 7.32 | 8.75 | 1.19x | +19 % 256 | 1K | 750 | 7.58 | 7.88 | 1.04x | +4 % 256 | 1K | 1K | 7.43 | 7.81 | 1.05x | +5 % 256 | 1M | 750K | 3.69 | 4.27 | 1.16x | +16 % 256 | 1M | 1M | 2.60 | 3.12 | 1.20x | +20 % Pattern: * Small map (1K): htab wins for 8 / 32 byte keys by 10-20% * Large map (1M): rhtab wins everywhere, up to 4x at high load factor with 8 byte keys. * Higher load factor amplifies rhtab's lead: rhtab grows the bucket array; htab stays at user-declared max. 2. FULL UPDATE (M events/sec per producer) htab per-producer: 20.33 22.02 19.27 23.61 24.18 23.17 21.07 mean 21.94 range 19.27 - 24.18 rhtab per-producer: 133.51 129.47 74.52 129.29 102.26 129.98 107.64 mean 115.24 range 74.52 - 133.51 speedup (mean): 5.25x (+425 %) In-place memcpy avoids the per-update alloc + RCU pointer swap that htab pays. 3. MEMORY value_size | htab ops/s | rhtab ops/s | htab mem | rhtab mem -----------+-------------+-------------+----------+---------- 32 B | 122.87 k/s | 133.04 k/s | 2.47 MiB | 2.49 MiB 4096 B | 64.43 k/s | 65.38 k/s | 6.74 MiB | 6.44 MiB rhtab/htab : +8 % ops, +0.8 % mem (32 B) +1 % ops, -4 % mem (4096 B) Throughput effectively tied SUMMARY * Small / well-fitting map: htab is faster (cache-friendly fixed bucket array), but only by ~10-20 %. * Large / high-load-factor map: rhtab is dramatically faster (1.2x to 4x) because rhashtable resizes to keep the load factor sane while htab stays stuck at user-declared max. * Update-heavy workloads: rhtab is ~5x faster per producer via in-place memcpy. * Memory benchmark: effectively on par. Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com> Link: https://lore.kernel.org/r/20260605-rhash-v7-12-5b8e05f8630d@meta.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-05bpftool: Add rhash map documentationMykyta Yatsenko
Make bpftool documentation aware of the resizable hash map. Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Link: https://lore.kernel.org/r/20260605-rhash-v7-11-5b8e05f8630d@meta.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-05selftests/bpf: Add BPF iterator tests for resizable hash mapMykyta Yatsenko
Test basic BPF iterator functionality for BPF_MAP_TYPE_RHASH, verifying all elements are visited. Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com> Link: https://lore.kernel.org/r/20260605-rhash-v7-10-5b8e05f8630d@meta.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-05selftests/bpf: Add basic tests for resizable hash mapMykyta Yatsenko
Test basic map operations (lookup, update, delete) for BPF_MAP_TYPE_RHASH including boundary conditions like duplicate key insertion and deletion of nonexistent keys. Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com> Link: https://lore.kernel.org/r/20260605-rhash-v7-9-5b8e05f8630d@meta.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-05libbpf: Support resizable hashtableMykyta Yatsenko
Add BPF_MAP_TYPE_RHASH to libbpf's map type name table and feature probing so that libbpf-based tools can create and identify resizable hash maps. Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Link: https://lore.kernel.org/r/20260605-rhash-v7-8-5b8e05f8630d@meta.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-05bpf: Implement resizable hashmap basic functionsMykyta Yatsenko
Use rhashtable_lookup_likely() for lookups, rhashtable_remove_fast() for deletes, and rhashtable_lookup_get_insert_fast() for inserts. Updates modify values in place under RCU rather than allocating a new element and swapping the pointer (as regular htab does). This trades read consistency for performance: concurrent readers may see partial updates. BPF_F_LOCK support and special-field handling (timers, kptrs, etc.) follow in a later commit. Initialize rhashtable with bpf_mem_alloc element cache. Require BPF_F_NO_PREALLOC. Limit max_entries to 2^31. Free elements via rhashtable_free_and_destroy(). Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com> Link: https://lore.kernel.org/r/20260605-rhash-v7-4-5b8e05f8630d@meta.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-05iommufd/selftest: Cover invalid read counts on vEVENTQ FDNicolin Chen
The vEVENTQ file descriptor must reject reads whose buffer cannot hold even one event record. Add selftest coverage that exercises both the empty-queue path (the upfront size check) and the non-empty path (the in-loop check that fires only after an event is fetched). For iommufd_veventq_fops_read(): - count == 0 and count < sizeof(header) on an empty vEVENTQ both return -EINVAL. - count == 0 and count == sizeof(header) on a non-empty vEVENTQ (event has trailing payload) both return -EINVAL. Link: https://patch.msgid.link/r/7bcd153d306f2cf04c094c728c0ebe146855072a.1780343944.git.nicolinc@nvidia.com Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Nicolin Chen <nicolinc@nvidia.com> Reviewed-by: Pranjal Shrivastava <praan@google.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
2026-06-04selftests: rds: report missing RDMA prereqs as XFAILAllison Henderson
Make the RDMA test return XFAIL rather than skip when RXE is not available, since the RDMA datapath is not run in netdev CI. Change the three RDMA-prerequisite checks in check_rdma_conf() and check_rdma_conf_enabled() to exit with KSFT_XFAIL (2) and tag their messages [XFAIL] instead of [SKIP]. Signed-off-by: Allison Henderson <achender@kernel.org> Link: https://patch.msgid.link/20260602050657.26389-5-achender@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04selftests: rds: support RDS built as loadable modulesAllison Henderson
Commit 92cc6708f4a2 ("selftests: rds: config: disable modules") set CONFIG_MODULES=n since run.sh required this kconfig. But disabling modules also forces every =m option to =n rather than =y, which can silently drop unrelated features. This patch removes CONFIG_MODULES=n from the rds selftest config and updates the check_*conf_enabled() routines to accept a config as either built-in (=y) or modular (=m). A new probe_module() function is added to load the backing module when a component is set to be modular (=m). config.sh no longer forces CONFIG_MODULES=n, so a user who follows the SKIP message to run config.sh does not silently end up with modules disabled again. rds.ko itself is auto-loaded on socket creation, and rds_rdma.ko is auto-loaded when SO_RDS_TRANSPORT is set with RDS_TRANS_IB, but the TCP transport (rds_tcp.ko) is not auto-loaded on the bind path, so the backing modules are loaded explicitly here. Signed-off-by: Allison Henderson <achender@kernel.org> Link: https://patch.msgid.link/20260602050657.26389-4-achender@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04selftests: rds: pin RDS sockets to their intended transportAllison Henderson
The RDS selftests create AF_RDS sockets but never selects a transport, so the transport is chosen implicitly based on network topology when the socket is bound. If underlying connection establishment fails, RDS can fall back to another transport (e.g. loopback) and the test still passes, silently bypassing the intended datapath it is meant to exercise. Set SO_RDS_TRANSPORT to the proper RDS_TRANS_IB or RDS_TRANS_TCP before they are bound, so the test fails loudly if the intended transport is unavailable rather than passing on a different path. Signed-off-by: Allison Henderson <achender@kernel.org> Link: https://patch.msgid.link/20260602050657.26389-3-achender@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04selftests: rds: Rename run.sh to rds_run.shAllison Henderson
This patch renames run.sh to rds_run.sh. This gives the test a self-describing name that appears in the netdev CI dashboard. Suggested-by: Matthieu Baerts <matttbe@kernel.org> Signed-off-by: Allison Henderson <achender@kernel.org> Link: https://patch.msgid.link/20260602050657.26389-2-achender@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04tools: ynl: try to avoid the very slow YAML loaderJakub Kicinski
Turns out Python YAML defaults to a pure Python loader for YAML files which is a lot slower than the C loader (using libyaml). Try to use the C one whenever possible. The avg time to run: $ tools/net/ynl/pyynl/cli.py --family tc --no-schema drops from 300+ ms to 115 ms with this change (40 samples). We could drop the load time further to 85 ms if we "compiled" the specs to JSON. Slightly tricky parts are that we don't currently install the specs at all on make install, so it's unclear where to put the conversion. Also JSON has questionable support for comments and we need an SPDX line. Reviewed-by: Jacob Keller <jacob.e.keller@intel.com> Reviewed-by: Nicolai Buchwitz <nb@tipi-net.de> Reviewed-by: Donald Hunter <donald.hunter@gmail.com> Link: https://patch.msgid.link/20260603210810.2636193-1-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/netJakub Kicinski
Cross-merge networking fixes after downstream PR (net-7.1-rc7). Silent conflicts: net/wireless/nl80211.c cb9959ab5f99 ("wifi: cfg80211: enforce HE/EHT cap/oper consistency") a384ae969902 ("wifi: cfg80211: move AP HT/VHT/... operation to beacon info") https://lore.kernel.org/aiGJDaHV4UlCexIQ@sirena.org.uk Conflicts: drivers/net/wireless/intel/iwlwifi/mld/ap.c a342c99cb70d ("wifi: iwlwifi: mld: honor BSS_CHANGED_BEACON_ENABLED") 9bf1b409afc7 ("wifi: iwlwifi: mld: send tx power constraints before link activation") https://lore.kernel.org/ah2bfedhV45ZxMO8@sirena.org.uk drivers/net/wireless/intel/iwlwifi/pcie/drv.c 093305d801fa ("wifi: iwlwifi: pcie: simplify the resume flow if fast resume is not used") e2323929a68a ("wifi: iwlwifi: pcie: add debug print for resume flow if powered off") https://lore.kernel.org/ah2bfedhV45ZxMO8@sirena.org.uk Adjacent changes: drivers/net/ethernet/airoha/airoha_eth.c b38cae85d1c4 ("net: airoha: Fix use-after-free in metadata dst teardown") ec6c391bcca7 ("net: airoha: Introduce airoha_gdm_dev struct") drivers/net/ethernet/microchip/lan743x_main.c 8173d22b211f ("net: lan743x: permit VLAN-tagged packets up to configured MTU") e3c6508a46f5 ("net: lan743x: avoid netdev-based logging before netdev registration") Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04perf sched: Fix thread reference leaks in timehist_get_thread()Arnaldo Carvalho de Melo
timehist_get_thread() acquires a thread reference via machine__findnew_thread() and an idle thread reference via get_idle_thread() (which calls thread__get()). Two error paths in the idle_hist block return NULL without releasing these references: - When get_idle_thread() fails, the thread reference leaks. - When thread__priv(idle) returns NULL, both idle and thread leak. Additionally, the idle thread reference acquired on the success path is never released, leaking a reference on every sample when --idle-hist is active. Add thread__put() calls on both error paths and release the idle reference after use on the success path. Fixes: 5d8f17fb5822 ("perf sched timehist: Add -I/--idle-hist option") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Cc: Namhyung Kim <namhyung@kernel.org> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-04perf tools: Add bounds check to cpu__get_node()Arnaldo Carvalho de Melo
cpu__get_node() accesses cpunode_map[cpu.cpu] without checking against max_cpu_num, the allocation size of cpunode_map. Callers such as builtin-kmem.c:evsel__process_alloc_event() pass sample->cpu from perf.data events, which may exceed the host's CPU count when analyzing cross-machine recordings. Add a bounds check against max_cpu_num before indexing, returning -1 for out-of-range values. This is a central fix that protects all callers. Fixes: 86895b480a2f ("perf stat: Add --per-node agregation support") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Cc: Jiri Olsa <jolsa@kernel.org> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-04perf tools: Guard remaining test_bit calls from OOB sample CPUArnaldo Carvalho de Melo
auxtrace.c:filter_cpu() and builtin-script.c:filter_cpu() call test_bit(cpu, cpu_bitmap) where cpu_bitmap is declared with MAX_NR_CPUS bits. When the CPU value from a perf.data event is corrupt or absent (e.g. negative or >= MAX_NR_CPUS), test_bit reads out of bounds. Add bounds checks before test_bit(): >= 0 for the int16_t cpu.cpu in auxtrace (which also covers the -1 sentinel), and < MAX_NR_CPUS for both sites. Matches the pattern applied in the previous series for builtin-annotate.c, builtin-diff.c, builtin-report.c, and builtin-sched.c. Fixes: 644e0840ad46 ("perf auxtrace: Add CPU filter support") Fixes: 5d67be97f890 ("perf report/annotate/script: Add option to specify a CPU range") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: Anton Blanchard <anton@samba.org> Cc: Jiri Olsa <jolsa@kernel.org> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-04selftests/memfd: remove unused variable 'sig' in fuse_testKonstantin Khorenko
fuse_test.c: In function 'sealing_thread_fn': fuse_test.c:165:13: warning: unused variable 'sig' [-Wunused-variable] 165 | int sig, r; | ^~~ Remove unused 'sig' to fix -Wunused-variable warning. Link: https://lore.kernel.org/20260524193732.48853-3-eva.kurchatova@virtuozzo.com Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com> Cc: Aristeu Rozanski <aris@redhat.com> Cc: Shuah Khan <shuah@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-06-04selftests/memfd: fix -Wmaybe-uninitialized warning in memfd_testKonstantin Khorenko
Patch series "selftests/memfd: fix compilation warnings". This patchset fixes warnings about unused but initialized variables, and unused dummy buffer passed to pwrite() syscall in the tests. This patch (of 2): memfd_test.c: In function 'mfd_fail_grow_write.part.0': memfd_test.c:685:13: warning: '<unknown>' may be used uninitialized [-Wmaybe-uninitialized] 685 | l = pwrite(fd, buf, mfd_def_size * 8, 0); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ pwrite() is declared with attribute 'access (read_only, 2, 3)', so GCC knows it reads from the buffer. malloc() returns uninitialized memory, hence the warning. Use calloc() to zero-initialize the buffer. The actual contents don't matter here since the test verifies that pwrite() fails on a sealed memfd. Link: https://lore.kernel.org/20260524193732.48853-1-eva.kurchatova@virtuozzo.com Link: https://lore.kernel.org/20260524193732.48853-2-eva.kurchatova@virtuozzo.com Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com> Signed-off-by: Eva Kurchatova <eva.kurchatova@virtuozzo.com> Cc: Aristeu Rozanski <aris@redhat.com> Cc: Shuah Khan <shuah@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-06-04selftests/proc: add /proc/pid/smaps tearing testsSuren Baghdasaryan
Add tearing tests for /proc/pid/smaps file. New tests reuse the same logic as with maps file but skipping all the data except for the VMA addresses, which are the only part relevant for the tearing tests. Skip PROCMAP_QUERY parts of the tests because smaps does not implement that ioctl. Link: https://lore.kernel.org/20260426062718.1238437-4-surenb@google.com Signed-off-by: Suren Baghdasaryan <surenb@google.com> Reviewed-by: Liam R. Howlett <liam@infradead.org> Cc: Jann Horn <jannh@google.com> Cc: Lorenzo Stoakes <ljs@kernel.org> Cc: Matthew Wilcox (Oracle) <willy@infradead.org> Cc: "Paul E . McKenney" <paulmck@kernel.org> Cc: Pedro Falcato <pfalcato@suse.de> Cc: Shuah Khan <shuah@kernel.org> Cc: Wei Yang <richard.weiyang@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-06-04selftests/proc: ensure the test is performed at the right page boundarySuren Baghdasaryan
When running tearing tests we need to ensure the pages we use include VMAs that were mapped by the child process for this test. Currently we always use the first two pages, checking VMAs at their boundaries and this works, however once we add tests for /proc/pid/smaps, the first two pages might not contain the VMAs that child modifies. Locate the page that contains the first VMA mapped by the child and use that and the next page for the test. Link: https://lore.kernel.org/20260426062718.1238437-3-surenb@google.com Signed-off-by: Suren Baghdasaryan <surenb@google.com> Reviewed-by: Liam R. Howlett <liam@infradead.org> Cc: Jann Horn <jannh@google.com> Cc: Lorenzo Stoakes <ljs@kernel.org> Cc: Matthew Wilcox (Oracle) <willy@infradead.org> Cc: "Paul E . McKenney" <paulmck@kernel.org> Cc: Pedro Falcato <pfalcato@suse.de> Cc: Shuah Khan <shuah@kernel.org> Cc: Wei Yang <richard.weiyang@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-06-04selftests/damon/sysfs.sh: test pause file existenceSeongJae Park
sysfs.sh DAMON selftest is not testing the existence of the 'pause' sysfs file. Add the test. Link: https://lore.kernel.org/20260522154026.80546-15-sj@kernel.org Signed-off-by: SeongJae Park <sj@kernel.org> Cc: Brendan Higgins <brendan.higgins@linux.dev> Cc: Shuah Khan <shuah@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-06-04selftests/damon/sysfs.sh: test addr_unit file existenceSeongJae Park
sysfs.sh DAMON selftest is not testing the existence of addr_unit sysfs file. Add the test. Link: https://lore.kernel.org/20260522154026.80546-14-sj@kernel.org Signed-off-by: SeongJae Park <sj@kernel.org> Cc: Brendan Higgins <brendan.higgins@linux.dev> Cc: Shuah Khan <shuah@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-06-04selftests/damon/sysfs.sh: test monitoring intervals goal dirSeongJae Park
sysfs.sh DAMON selftest is not testing monitoring intervals goal directory. Add the test. Link: https://lore.kernel.org/20260522154026.80546-13-sj@kernel.org Signed-off-by: SeongJae Park <sj@kernel.org> Cc: Brendan Higgins <brendan.higgins@linux.dev> Cc: Shuah Khan <shuah@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-06-04selftests/damon/sysfs.py: stop kdamonds before failingSeongJae Park
When an assertion is failed, sysfs.py DAMON selftest immediately exits the test program leaving the DAMON running behind. Many of the following tests need to start DAMON on their own. But because DAMON that was started by sysfs.py is still running, those start attempts fail, and the tests are failed or skipped. Update sysfs.py to stop DAMON before exiting the test program due to the assertion failure. Link: https://lore.kernel.org/20260522154026.80546-12-sj@kernel.org Signed-off-by: SeongJae Park <sj@kernel.org> Cc: Brendan Higgins <brendan.higgins@linux.dev> Cc: Shuah Khan <shuah@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-06-04mm/vma: eliminate mmap_action->error_hook, introduce error_overrideLorenzo Stoakes
Rather than providing a hook, simplify things by providing the ability to override mmap action errors. This allows us to more carefully validate the value provided and thus ensure only a valid error code is specified, and simplifies the interface. This way, we eliminate all hooks but mmap_prepare and allow only mmap actions to be specified (which core mm controls). This significantly improves robustness and eliminates any unnecessary code duplication in driver mmap hooks. We also update the /dev/mem logic (the only user) to use mmap_action->error_override instead. Link: https://lore.kernel.org/55d13f7d016b827c459946d46a56105635be111c.1780397980.git.ljs@kernel.org Signed-off-by: Lorenzo Stoakes <ljs@kernel.org> Acked-by: David Hildenbrand (Arm) <david@kernel.org> Cc: Arnd Bergmann <arnd@arndb.de> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Jann Horn <jannh@google.com> Cc: Liam R. Howlett <liam@infradead.org> Cc: Michal Hocko <mhocko@suse.com> Cc: Mike Rapoport <rppt@kernel.org> Cc: Pedro Falcato <pfalcato@suse.de> Cc: Suren Baghdasaryan <surenb@google.com> Cc: Vlastimil Babka <vbabka@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-06-04mm/vma: remove mmap_action->success_hookLorenzo Stoakes
This hook was introduced to work around code that seemed to absolutely require access to a VMA pointer upon mmap(). However, providing this hook leaves a backdoor to drivers getting access to the very thing mmap_prepare eliminates - a pointer to the VMA. Let's solve this contradiction by removing it. The key intended user was hugetlb, however it seems that the best course now is to avoid allowing all drivers the ability to work around mmap_prepare, and find a different solution there. Link: https://lore.kernel.org/f79434e6d30af6d92999be6b76e197f1847105fa.1780397980.git.ljs@kernel.org Signed-off-by: Lorenzo Stoakes <ljs@kernel.org> Acked-by: David Hildenbrand (Arm) <david@kernel.org> Cc: Arnd Bergmann <arnd@arndb.de> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Jann Horn <jannh@google.com> Cc: Liam R. Howlett <liam@infradead.org> Cc: Michal Hocko <mhocko@suse.com> Cc: Mike Rapoport <rppt@kernel.org> Cc: Pedro Falcato <pfalcato@suse.de> Cc: Suren Baghdasaryan <surenb@google.com> Cc: Vlastimil Babka <vbabka@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-06-04drivers/char/mem: eliminate unnecessary use of success_hookLorenzo Stoakes
Patch series "remove mmap_action success, error hooks", v3. The mmap_action->success_hook was a strange beast added to enable code which appeared to absolutely require access to a VMA pointer to work correctly. Primarily this was for hugetlb, however a different approach will be taken there, as clearly more work is required to figure out a sensible way of converting hugetlb to use mmap_prepare. The other user was the memory char driver, specifically /dev/zero which has the unusual property of explicitly setting file-backed VMAs anonymous. Providing the success hook was always foolish, as it allowed drivers a way to workaround the restriction that they should not access a pointer to a not-yet-correctly-initialised VMA - which defeats the purpose of the mmap_prepare work. We can achieve the same thing in memory char driver without needing the success hook, so this series removes that, then removes the success hook altogether. The error hook is also unnecessary - the motivation for this was for functions which need to override the error code when performing an mmap action in order to avoid breaking userspace. We can achieve this by just providing a field for the error code. Doing this means we don't have to worry about the hook doing anything odd. We also add a check to ensure the error code is in fact valid. Again the memory char driver is the only current user of this, so this series updates it to use that. After this change mmap_action has no custom hooks at all, which seems rather more cromulent than before. This patch (of 3): /dev/zero, uniquely, marks memory mapped there as anonymous. This is currently achieved using the mmap_action->success_hook. However this hook circumvents the abstraction of VMA initialisation so it's preferable to do things a different way. To achieve this, this patch firstly defaults the VMA descriptor's vm_ops field to the dummy VMA operations, which is what file-backed VMAs default this field to. That way, we can detect whether a driver sets this field to NULL in order to mark it anonymous. We then introduce vma_desc_set_anonymous() to do this explicitly, and invoke it in mmap_zero_prepare(). This way, any driver which does not explicitly set desc->vm_ops, retains the dummy vm_ops as they would previously. We also update set_vma_user_defined_fields() to make clear that we are either setting vma->vm_ops to what is provided by the driver (or defaulting to dummy_vm_ops if not set), or setting the VMA anonymous. This lays the groundwork for removing the success hook. Link: https://lore.kernel.org/cover.1780397980.git.ljs@kernel.org Link: https://lore.kernel.org/010579cca6787cf7bb057ab1f7228978b10601c8.1780397980.git.ljs@kernel.org Signed-off-by: Lorenzo Stoakes <ljs@kernel.org> Acked-by: David Hildenbrand (Arm) <david@kernel.org> Cc: Arnd Bergmann <arnd@arndb.de> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Jann Horn <jannh@google.com> Cc: Liam R. Howlett <liam@infradead.org> Cc: Michal Hocko <mhocko@suse.com> Cc: Mike Rapoport <rppt@kernel.org> Cc: Pedro Falcato <pfalcato@suse.de> Cc: Suren Baghdasaryan <surenb@google.com> Cc: Vlastimil Babka <vbabka@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-06-04selftests/mm/split_huge_page_test.c: close fd on write errorWei Yang
When create_pagecache_thp_and_fd() write returns error on /proc/sys/vm/dropcache, it just "goto err_out_unlink", which left fd still open. Use "goto err_out_close" to close the fd. Link: https://lore.kernel.org/20260520020336.28914-1-richard.weiyang@gmail.com Signed-off-by: Wei Yang <richard.weiyang@gmail.com> Reviewed-by: Dev Jain <dev.jain@arm.com> Reviewed-by: SeongJae Park <sj@kernel.org> Cc: Baolin Wang <baolin.wang@linux.alibaba.com> Cc: Barry Song <baohua@kernel.org> Cc: David Hildenbrand <david@kernel.org> Cc: Lance Yang <lance.yang@linux.dev> Cc: "Liam R. Howlett" <liam@infradead.org> Cc: Lorenzo Stoakes <ljs@kernel.org> Cc: Michal Hocko <mhocko@suse.com> Cc: Mike Rapoport <rppt@kernel.org> Cc: Nico Pache <npache@redhat.com> Cc: Ryan Roberts <ryan.roberts@arm.com> Cc: Shuah Khan <shuah@kernel.org> Cc: Suren Baghdasaryan <surenb@google.com> Cc: Vlastimil Babka <vbabka@kernel.org> Cc: Wei Yang <richard.weiyang@gmail.com> Cc: Zi Yan <ziy@nvidia.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-06-04Merge tag 'net-7.1-rc7' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Jakub Kicinski: "Including fixes from Netfilter, wireless and Bluetooth. Current release - fix to a fix: - Bluetooth: MGMT: fix backward compatibility with bluetoothd which adds stray bytes to MGMT_OP_ADD_EXT_ADV_DATA Previous releases - regressions: - af_unix: fix inq_len update inaccuracy on partial read - eth: fec: fix pinctrl default state restore order on resume - wifi: iwlwifi: - mvm: don't support the reset handshake for old firmwares - pcie: simplify the resume flow if fast resume is not used, work around NIC access failures Previous releases - always broken: - Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig - sctp: fix a couple of bugs in COOKIE_ECHO processing - sched: fix pedit partial COW leading to page cache corruption - wifi: nl80211: reject oversized EMA RNR lists - netfilter: - conntrack_irc: fix possible out-of-bounds read - bridge: make ebt_snat ARP rewrite writable - appletalk: zero-initialize aarp_entry to prevent heap info leak - ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options - mptcp: fix number of bugs reported by AI scans and discovered during NVMe over MPTCP testing" * tag 'net-7.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (85 commits) Reapply "bnxt_en: bring back rtnl_lock() in the bnxt_open() path" udp: clear skb->dev before running a sockmap verdict sctp: purge outqueue on stale COOKIE-ECHO handling bonding: annotate data-races arcound churn variables net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr rtase: Avoid sleeping in get_stats64() ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit() ipv6: mcast: Fix use-after-free when processing MLD queries selftests: net: add vxlan vnifilter notification test vxlan: vnifilter: fix spurious notification on VNI update vxlan: vnifilter: send notification on VNI add rtase: Reset TX subqueue when clearing TX ring octeontx2-af: npc: Fix CPT channel mask in npc_install_flow dt-bindings: ethernet: eswin: fix hsp-sp-csr backward compatibility sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing net/sched: fix pedit partial COW leading to page cache corruption vsock/vmci: fix sk_ack_backlog leak on failed handshake net: bonding: fix NULL pointer dereference in bond_do_ioctl() geneve: fix length used in GRO hint UDP checksum adjustment net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown ...
2026-06-04perf sched: Fix comp_cpus heap overflow with cross-machine recordingsArnaldo Carvalho de Melo
setup_map_cpus() allocates comp_cpus based on sysconf(_SC_NPROCESSORS_CONF), the host machine's CPU count. But map_switch_event() indexes comp_cpus using cpus_nr derived from bitmap_weight(comp_cpus_mask, MAX_CPUS), where comp_cpus_mask is declared as DECLARE_BITMAP(..., MAX_CPUS) with MAX_CPUS=4096. When analyzing a perf.data recording from a machine with more CPUs than the analysis host (e.g. 128-CPU server recording analyzed on an 8-CPU laptop), cpus_nr exceeds the allocation size, causing a heap buffer overflow. Also fix a type mismatch: comp_cpus is 'struct perf_cpu *' (2 bytes per element) but was allocated with sizeof(int) (4 bytes per element). Allocate comp_cpus with MAX_CPUS entries using the correct element size, matching the comp_cpus_mask bitmap bounds. Remove the sysconf(_SC_NPROCESSORS_CONF) initialization of max_cpu — its only consumer was the comp_cpus allocation, and max_cpu is dynamically updated from the recording's events during processing. Fix the non-compact path to use max_cpu.cpu + 1 as cpus_nr, converting from 0-based index to count — sysconf() returned a count which masked this off-by-one. Fixes: 99623c628f54 ("perf sched: Add compact display option") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Cc: Jiri Olsa <jolsa@kernel.org> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-04perf sched: Fix NULL dereference in latency_runtime_eventArnaldo Carvalho de Melo
latency_runtime_event() passes the return value of machine__findnew_thread() directly to thread_atoms_search() at line 1216, before checking for NULL at line 1220. thread_atoms_search() calls pid_cmp() which dereferences the thread pointer via thread__tid(), causing a NULL pointer dereference if the allocation fails. All other callers of thread_atoms_search() in this file (latency_switch_event, latency_wakeup_event, latency_migrate_task_event) correctly check for NULL first. Move the atoms assignment after the NULL check to match the pattern used by the other callers. Fixes: b91fc39f4ad7 ("perf machine: Protect the machine->threads with a rwlock") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-04perf sched: Fix thread reference leak in latency_switch_eventArnaldo Carvalho de Melo
In latency_switch_event(), after acquiring thread references for sched_out and sched_in via machine__findnew_thread(), the first add_sched_out_event() failure path does 'return -1', bypassing the out_put label that calls thread__put() on both references. The second and third add_sched_out_event() failures correctly use 'goto out_put'. Fix the first one to match. Fixes: b91fc39f4ad7 ("perf machine: Protect the machine->threads with a rwlock") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-04perf tools: Guard test_bit from out-of-bounds sample CPUArnaldo Carvalho de Melo
When PERF_SAMPLE_CPU is absent from a perf.data file, sample->cpu is initialized to (u32)-1 by evsel__parse_sample(). Five call sites pass this value directly to test_bit(sample->cpu, cpu_bitmap), reading massively out of bounds past the DECLARE_BITMAP(..., MAX_NR_CPUS) allocation of 4096 bits. Add a sample->cpu >= MAX_NR_CPUS guard before each test_bit() call, matching the existing safe pattern in builtin-kwork.c. This catches both the (u32)-1 sentinel and any corrupted CPU value exceeding the bitmap size. Fixes: 5d67be97f890 ("perf report/annotate/script: Add option to specify a CPU range") Cc: Anton Blanchard <anton@samba.org> Reported-by: sashiko-bot <sashiko-bot@kernel.org> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-04perf lock contention: Enable end-timestamp accounting for cgroup aggregationSuchit Karunakaran
update_lock_stat() handles lock contentions that start but never reach a contention_end event (e.g., locks still held when profiling stops), but previously treated LOCK_AGGR_CGROUP as a no-op due to missing cgroup context in userspace. Fix this by adding a cgroup_id field to struct tstamp_data, recording it at contention_begin using get_current_cgroup_id() when aggr_mode is LOCK_AGGR_CGROUP. Capturing it at contention_begin is semantically correct, the contention cost is incurred by the task that had to wait, not by whatever task happens to be running at contention_end. It is also preferable from a performance standpoint, as contention_end runs just before the task enters the critical section. Update contention_end to use pelem->cgroup_id instead of calling get_current_cgroup_id() dynamically, ensuring both complete and incomplete contention events attribute the wait time to the cgroup at wait-start time consistently. Reviewed-by: Namhyung Kim <namhyung@kernel.org> Signed-off-by: Suchit Karunakaran <suchitkarunakaran@gmail.com> Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> Cc: Ian Rogers <irogers@google.com> Cc: Ingo Molnar <mingo@redhat.com> Cc: James Clark <james.clark@linaro.org> Cc: Jiri Olsa <jolsa@kernel.org> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Tycho Andersen (AMD) <tycho@kernel.org> Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-04perf pmu: Recognize 'default_core' as a core PMU and document matchingIan Rogers
The is_pmu_core function checks if a PMU name corresponds to a core CPU PMU. However, it currently fails to recognize "default_core" as a core PMU. When "default_core" is used, the PMU scanning fallback in pmus.c scans the "other_pmus" list. This scan is slow and always misses because "default_core" is a core PMU, leading to unnecessary overhead. Update is_pmu_core to recognize "default_core" directly. Additionally, document the different matching approaches (exact name for x86/s390, sysfs-based cpus file check for ARM/hybrid) to clarify how core PMUs are classified. Also, explicitly treat "default_core" as `all_pmus` in `setup_metric_events()` to preserve the original metric resolution behavior for this pseudo-PMU. Assisted-by: Gemini-CLI:Google Gemini 3.1 Pro Signed-off-by: Ian Rogers <irogers@google.com> Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> Cc: Ingo Molnar <mingo@redhat.com> Cc: James Clark <james.clark@linaro.org> Cc: Jiri Olsa <jolsa@kernel.org> Cc: Namhyung Kim <namhyung@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-04perf data ctf: replace libbabeltrace with babeltrace2-ctf-writerMichael Jeanson
The 1.x branch of Babeltrace has been superseded by 2.x in 2020 and has been unmaintained since 2022, efforts have started to remove it from popular distributions. Babeltrace 2.x offers a very similar 'ctf-writer' library that can be used with minimal changes for the '--to-ctf' feature and has been packaged since Debian 11 and Fedora 32. This patch replaces the 'libbabeltrace' build feature with 'babeltrace2-ctf-writer' using pkgconfig detection, adjusts the naming of the public headers and applies minor API cleanups. There is no changes to the output ctf traces, the ctf-writer API still implements version 1.8 of the CTF specification that can be read by either Babeltrace 1 / 2 or any CTF compliant reader. Also remove some ifdefs in the cli option parsing to allow printing the helpful error message with '--to-ctf' when built without babeltrace2. Reviewed-by: Ian Rogers <irogers@google.com> Signed-off-by: Michael Jeanson <mjeanson@efficios.com> Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> Cc: Derek Foreman <derek.foreman@collabora.com> Cc: Ingo Molnar <mingo@redhat.com> Cc: James Clark <james.clark@linaro.org> Cc: Jiri Olsa <jolsa@kernel.org> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Cc: Namhyung Kim <namhyung@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-04perf lock contention: Allow 'mmap_lock' in -L/--lock-filterNamhyung Kim
The -L/--lock-filter option is to specify target locks by name or address. It's basically for global locks where name or address is known and fixed. But 'mmap_lock' is a per-process lock so it cannot be used for the -L option. $ sudo perf lock con -ab -L mmap_lock ignore unknown symbol: mmap_lock libbpf: map 'addr_filter': failed to create: -EINVAL libbpf: failed to load BPF skeleton 'lock_contention_bpf': -EINVAL Failed to load lock-contention BPF skeleton lock contention BPF setup failed However, it's still a common source of contention especially in a large process so we want to use it for the -L/--lock-filter option. As there is check_lock_type() to check mmap_lock at runtime, let's used it to filter mmap_locks as a special case. Of course, this only works with -b/--use-bpf option. $ sudo perf lock con -b -L mmap_lock -- perf bench mem mmap -f demand -t 2 # Running 'mem/mmap' benchmark: # function 'demand' (Demand loaded mmap()) # Copying 1MB bytes ... 2.679184 GB/sec/thread ( +- 1.78% ) contended total wait max wait avg wait type caller 1 15.22 us 15.22 us 15.22 us rwsem:W __vm_munmap+0x7e 1 7.72 us 7.72 us 7.72 us rwsem:R lock_mm_and_find_vma+0x97 Signed-off-by: Namhyung Kim <namhyung@kernel.org> Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: Ian Rogers <irogers@google.com> Cc: Ingo Molnar <mingo@kernel.org> Cc: James Clark <james.clark@linaro.org> Cc: Jiri Olsa <jolsa@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Suchit Karunakaran <suchitkarunakaran@gmail.com> Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-04selftests/bpf: ignore call depth accounting for retbleed in verifier testsAlexis Lothoré (eBPF Foundation)
When running the selftests on a retbleed-affected platform (eg: Skylake), with call depth accounting enabled (CONFIG_CALL_DEPTH_TRACKING=y) _and_ with retbleed=stuff, some verifier selftests fail to validate the jited instructions. For example: MATCHED SUBSTR: ' endbr64' MATCHED SUBSTR: ' nopl (%rax,%rax)' MATCHED SUBSTR: ' xorq %rax, %rax' MATCHED SUBSTR: ' pushq %rbp' MATCHED SUBSTR: ' movq %rsp, %rbp' MATCHED SUBSTR: ' endbr64' MATCHED SUBSTR: ' cmpq $0x21, %rax' MATCHED SUBSTR: ' ja L0' MATCHED SUBSTR: ' pushq %rax' MATCHED SUBSTR: ' movq %rsp, %rax' MATCHED SUBSTR: ' jmp L1' MATCHED SUBSTR: 'L0: pushq %rax' MATCHED SUBSTR: 'L1: pushq %rax' MATCHED SUBSTR: ' movq -0x10(%rbp), %rax' WRONG LINE REGEX: ' callq 0x{{.*}}' Those affected selftests allways fail on some call instruction: this failure is due to the JIT compiler emitting call depth accounting for retbleed mitigation (see x86_call_depth_emit_accounting calls in bpf_jit_comp.c), resulting in an additional instruction being inserted in front of every call instruction, similar to this one: sarq $0x5, %gs:-0x39882741(%rip) Fix those selftests by allowing them to ignore this possibly present call depth accounting instruction. Signed-off-by: Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Link: https://lore.kernel.org/r/20260528-fix_tests_for_retbleed_stuff-v1-1-c2022a1f3bee@bootlin.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-04selftests/bpf: Test signed loader error pathsDaniel Borkmann
The positive path for signed BPF loaders is covered today by the signed lskels (fentry_test, fexit_test, atomics). But the runtime metadata check the generated loader performs (libbpf gen_loader's emit_signature_match), the map content hash it relies on, the load-time signature, and the immutability invariants of its metadata map are not yet covered. Thus, add a new, extensive test suite which drives libbpf's gen_loader (bpf_object__gen_loader, gen_hash=true), the same machinery which bpftool uses for signed light skeletons, and exercise corner cases so that we can assert this in BPF CI: # LDLIBS=-static PKG_CONFIG='pkg-config --static' ./vmtest.sh -- ./test_progs -t signed_loader [...] [ 1.840842] clocksource: Switched to clocksource tsc #405/1 signed_loader/metadata_check_shape:OK #405/2 signed_loader/metadata_match:OK #405/3 signed_loader/metadata_sha_mismatch:OK #405/4 signed_loader/metadata_not_exclusive:OK #405/5 signed_loader/metadata_hash_not_computed:OK #405/6 signed_loader/signature_enforced:OK #405/7 signed_loader/signature_too_large:OK #405/8 signed_loader/signature_bad_keyring:OK #405/9 signed_loader/metadata_ctx_max_entries_ignored:OK #405/10 signed_loader/metadata_ctx_initial_value_ignored:OK #405/11 signed_loader/signature_authenticates_insns:OK #405/12 signed_loader/hash_requires_frozen:OK #405/13 signed_loader/no_update_after_freeze:OK #405/14 signed_loader/freeze_writable_mmap:OK #405/15 signed_loader/no_writable_mmap_frozen:OK #405/16 signed_loader/map_hash_matches_libbpf:OK #405/17 signed_loader/map_hash_multi_element:OK #405/18 signed_loader/map_hash_bad_size:OK #405/19 signed_loader/map_hash_unsupported_type:OK #405 signed_loader:OK Summary: 1/19 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/r/20260603211658.471212-2-daniel@iogearbox.net Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-04selftests/bpf: Cover exclusive map create-time validationDaniel Borkmann
map_excl exercises exclusive-map binding (allowed/denied), map-in-map and map iterator rejection. It does not cover the create-time validation of excl_prog_hash: the kernel only accepts a SHA-256-sized hash and requires the pointer and size to be consistent. Add map_excl_create_validation to check the rejected combinations: # LDLIBS=-static PKG_CONFIG='pkg-config --static' ./vmtest.sh -- ./test_progs -t map_excl [...] [ 1.780305] clocksource: Switched to clocksource tsc #215/1 map_excl/map_excl_allowed:OK #215/2 map_excl/map_excl_denied:OK #215/3 map_excl/map_excl_no_map_in_map:OK #215/4 map_excl/map_excl_no_map_iter:OK #215/5 map_excl/map_excl_create_validation:OK #215 map_excl:OK Summary: 1/5 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/r/20260603211658.471212-1-daniel@iogearbox.net Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-04selftests: net: add vxlan vnifilter notification testAndy Roulin
Add a selftest for VXLAN vnifilter netlink notifications that verifies RTM_NEWTUNNEL and RTM_DELTUNNEL are sent correctly when VNIs are added, deleted, or updated, and that no spurious notifications are sent when a VNI is re-added with the same attributes. Signed-off-by: Andy Roulin <aroulin@nvidia.com> Acked-by: Petr Machata <petrm@nvidia.com> Link: https://patch.msgid.link/20260602185138.253265-4-aroulin@nvidia.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04cxl/test: Fix __fortify_panicDan Williams
Fix a runtime assertion in setup_xor_mapping(). Fortify complains that it is potentially overflowing the xormaps array per __counted_by(nr_maps). Quiet the false positive by initializing @nr_maps earlier. memcpy: detected buffer overflow: 32 byte write of buffer size 0 WARNING: lib/string_helpers.c:1036 at __fortify_report+0x4d/0xa0, CPU#8: modprobe/2728 Call Trace: __fortify_panic+0xd/0xf setup_xor_mapping+0x6c/0xa0 [cxl_translate] [ dj: Fixed up @nr_entries to @nr_maps in commit log. ] Fixes: 06377c54a133 ("cxl/test: Add cxl_translate module for address translation testing") Signed-off-by: Dan Williams <djbw@kernel.org> Reviewed-by: Alison Schofield <alison.schofield@intel.com> Reviewed-by: Dave Jiang <dave.jiang@intel.com> Link: https://patch.msgid.link/20260519221204.1517773-3-djbw@kernel.org Signed-off-by: Dave Jiang <dave.jiang@intel.com>
2026-06-04cxl/test: Enforce PMD alignment for volatile mock regionsRichard Cheng
cxl_test allocates synthetic CFMWS HPA windows from a gen_pool with SZ_256M alignment. On arm64 with CONFIG_ARM64_64K_PAGES=y and CONFIG_PGTABLE_LEVELS=3, PMD_SIZE is 512M, so every CXL region carved from a volatile window inherits a non-PMD-aligned start, and cxl_dax_region_probe() -> alloc_dax_region() fails: """ cxl_dax_region dax_region1: probe with driver cxl_dax_region failed with error -12 """ Enforce that every volatile mock CFMWS is PMD-aligned in both start and size Reviewed-by: Dave Jiang <dave.jiang@intel.com> Acked-by: Kai-Heng Feng <kaihengf@nvidia.com> Signed-off-by: Richard Cheng <icheng@nvidia.com> Reviewed-by: Alison Schofield <alison.schofield@intel.com> Link: https://patch.msgid.link/20260527090332.30002-1-icheng@nvidia.com Signed-off-by: Dave Jiang <dave.jiang@intel.com>
2026-06-04verification/rvgen: Fix ltl2k writing True as a literalGabriele Monaco
The rvgen parser for LTL stores literal true values in the python representation (capitalised True), this doesn't build in C. The Literal class should already handle this case but ASTNode skips its strigification method and converts the value (true/false) directly. Fix by delegating ASTNode stringification to the Literal and Variable classes instead of bypassing them. Fixes: 97ffa4ce6ab32 ("verification/rvgen: Add support for linear temporal logic") Reviewed-by: Nam Cao <namcao@linutronix.de> Link: https://lore.kernel.org/r/20260514152055.229162-8-gmonaco@redhat.com Signed-off-by: Gabriele Monaco <gmonaco@redhat.com>