| Age | Commit message (Collapse) | Author |
|
Pull bpf fixes from Kumar Kartikeya Dwivedi:
- Fix a UAF in socket clone early bailout paths (Matt Bobrowski)
- Reject unhashed UDP sockets on sockmap update to prevent refcount
leaks (Michal Luczaj)
- Account for receive queue data in FIONREAD on sockmap sockets without
a verdict program (Mattia Meleleo)
- Reject negative constant offsets for verifier buffer pointers (Sun
Jian)
- Fix for tracing of kfuncs with implicit arguments (Ihor Solodrai)
* tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
selftests/bpf: Cover tracing implicit kfunc args
bpf: Fix tracing of kfuncs with implicit args
selftests/bpf: Cover negative buffer pointer offsets
bpf: Reject negative const offsets for buffer pointers
selftests/bpf: Test FIONREAD on a sockmap socket without a verdict program
bpf, sockmap: Account for receive queue in FIONREAD without a verdict program
selftests/bpf: Fail unbound UDP on sockmap update
selftests/bpf: Adapt sockmap update error handling
bpf, sockmap: Reject unhashed UDP sockets on sockmap update
selftests/bpf: Ensure UDP sockets are bound
bpf: Fix UAF in sock clone early bailouts
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
Pull networking fixes from Paolo Abeni:
"Including fixes from Wireless, IPsec, Netfilter and Bluetooth.
Current release - new code bugs:
- netfilter: flowtable: use correct direction to set up tunnel route
Previous releases - regressions:
- wifi:
- mac80211:
- free AP_VLAN bc_buf SKBs outside IRQ lock
- defer link RX stats percpu free to RCU
- fix double free on alloc failure
- cfg80211: convert pmsr_free_wk to wiphy_work to fix deadlock
- ipv4: free fib_alias with kfree_rcu() on insert error path
- sched: act_tunnel_key: Defer dst_release to RCU callback
- xfrm: fix sk_dst_cache double-free in xfrm_user_policy()
- bluetooth: fix locking in unpair_device/disconnect_sync
- can: add locking for raw flags bitfield
- openvswitch: reject oversized nested action attrs
- eth:
- bnxt_en: handle partially initialized auxiliary devices
- ppp: defer channel free to an RCU grace period to fix UAF
Previous releases - always broken:
- netfilter: xt_nat: reject unsupported target families
- wifi:
- brcmfmac: fix heap overflow on a short auth frame
- cfg80211: add missing FTM API validation
- xfrm:
- reject optional IPTFS templates in outbound policies
- policy: preallocate inexact bins before xfrm_hash_rebuild reinsert
- bluetooth: revalidate LOAD_CONN_PARAM queued update
- can: fix lockless bound/ifindex race and silent RX_SETUP failure
- eth: mlx5: free mlx5_st_idx_data on final dealloc"
* tag 'net-7.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (108 commits)
mpls: fix NULL deref in mpls_valid_fib_dump_req() on CONFIG_INET=n
llc: fix SAP refcount leak when creating incoming sockets
selftests: netconsole: only restore MAC when it changed on resume
bnxt_en: Handle partially initialized auxiliary devices
sctp: fix auth_hmacs array size in struct sctp_cookie
net/sched: act_tunnel_key: Defer dst_release to RCU callback
dpll: fix NULL pointer dereference in dpll_msg_add_pin_ref_sync()
tcp: fix TIME_WAIT socket reference leak on PSP policy failure
net/mlx5: free mlx5_st_idx_data on final dealloc
can: isotp: serialize TX state transitions under so->rx_lock
can: isotp: fix use-after-free race with concurrent NETDEV_UNREGISTER
can: isotp: use unconditional synchronize_rcu() in isotp_release()
can: bcm: track a single source interface for ANYDEV timeout/throttle ops
can: bcm: fix data race on rx_stamp/rx_ifindex in bcm_rx_handler()
can: bcm: fix stale rx/tx ops after device removal
can: bcm: add missing device refcount for CAN filter removal
can: bcm: validate frame length in bcm_rx_setup() for RTR replies
can: bcm: extend bcm_tx_lock usage for data and timer updates
can: bcm: add missing rcu list annotations and operations
can: bcm: fix CAN frame rx/tx statistics
...
|
|
The "mac" bind mode reactivation downs the interface, restores the saved
MAC and renames it to trigger a target resume. This assumes the recreated
interface comes back with a different MAC, which is true under
MACAddressPolicy=none (as on the Netdev CI) but not when MACs are
persistent. In the persistent case netconsole resumes the target on its
own, and the down/restore/rename flow instead drops it and fails the test.
Guard the block on the MAC having actually changed so the test passes
under both policies.
Fixes: 6ecc08329bab ("selftests: netconsole: validate target resume")
Reported-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Closes: https://lore.kernel.org/netdev/f398373e-2cb4-4649-a491-9763df94d98b@kernel.org/
Signed-off-by: Andre Carvalho <asantostc@gmail.com>
Tested-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Reviewed-by: Breno Leitao <leitao@debian.org>
Link: https://patch.msgid.link/20260710-netcons-mac-reload-v1-1-3fb1bcc70b4a@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
|
|
KF_IMPLICIT_ARGS kfuncs have a BPF-call prototype and a real kernel
target prototype. Add a tracing selftest that attaches fentry and fexit
programs to bpf_kfunc_implicit_arg(), runs a syscall BPF program that
calls it, and checks that the tracing context exposes both the explicit
argument and the implicit prog aux pointer.
Co-developed-by: Ihor Solodrai <ihor.solodrai@linux.dev>
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Signed-off-by: Ihor Solodrai <ihor.solodrai@linux.dev>
Link: https://patch.msgid.link/20260713235223.1639022-3-ihor.solodrai@linux.dev
Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux
Pull landlock fix from Mickaël Salaün:
"This fixes TCP Fast Open support, specific test environments, and doc
warnings"
* tag 'landlock-7.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux:
selftests/landlock: Skip scoped_signal subtest with MSG_OOB if not available
selftests/landlock: Fix screwed up pointers in the scoped_signal_test
landlock: Update formatting
landlock: Fix kernel-doc for the nested quiet layer flag
selftests/landlock: Add test for TCP fast open
landlock: Fix TCP Fast Open connection bypass
|
|
Pull kvm fixes from Paolo Bonzini:
"arm64:
- Fix an accounting buglet when reclaiming pages from a protected
guest
- Fix a bunch of architectural compliance issues when injecting a
synthesised exception, most of which were missing the PSTATE.IL bit
indicating a 32bit-wide instruction
- Another set of fixes addressing issues with translation of
VNCR_EL2, including corner cases where the guest point that
register at a RO page...
- Don't warn when trapping accesses to ZCR_EL2 from an L2 guest, as
that's not unexpected at all
- Address a bunch of races with LPI migration vs LPIs being disabled
- Fix a total howler of a bug combining FEAT_MOPS and NV, resulting
in exception returning in the wrong place...
- Move locking for kvm_io_bus_get_dev() into the caller, ensuring
race-free checks that the returned object is of the correct type
- Fix initialisation of the page-table walk level when relaxing
permissions
- Correctly update the XN attribute when relaxing permissions
- Fix the sign extension of loads from emulated MMIO regions
- Assorted collection of fixes for pKVM's FFA proxy, together with a
couple of FFA driver adjustments
- Coerce Fuad Tabba into a reviewer role, and may his Inbox catch
fire!
s390:
- more gmap KVM memory management fixes
- PCI passthru fixes
x86:
- Fix a bug where KVM will trigger a UAF if updating IOMMU IRTEs
fails when registering an IRQ-bypass producer
- Ignore pending PV EOI instead of BUG()ing the host if the feature
was disabled by the guest
- Fix nVMX bugs where KVM would run L1 with an L1-controlled CR3
after a failed "late" consistency check when KVM is NOT using EPT
- Disallow intra-host migration/mirroring of SNP VMs as KVM doesn't
yet support moving/mirroring SNP state
- Fix a TOCTOU bug in KVM's handling of the "trusted" CPUID for TDX
guests
- Fix a NULL pointer deref in trace_kvm_inj_exception() where a
change to the core infrastructure missed KVM's unique (ab)use of
__print_symbolic()
- Put vmcs12 pages if nested VM-Enter fails due to invalid guest
state
- Fix TLB conflicts between two VMs if one of them VM is run on a CPU
before and after it is hotplugged"
* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (48 commits)
KVM: SVM: Bump asid_generation on CPU online to avoid ASID collision after hotplug
KVM: nVMX: Put vmcs12 pages if nested VM-Enter fails due to invalid guest state
KVM: x86: Fix null pointer deref due to dummy array in trace_kvm_inj_exception()
KVM: TDX: Reject concurrent change to CPUID entry count
KVM: selftests: Verify SNP VMs are rejected from migration and mirroring
KVM: SEV: Do not allow intra-host migration/mirroring of SNP VMs
KVM: s390: pci: Fix handling of AIF enable without AISB
KVM: s390: Improve kvm_s390_vm_stop_migration()
KVM: s390: Fix dat_crste_walk_range() early return
KVM: s390: vsie: Avoid potential deadlock with real spaces
KVM: s390: pci: Fix GISC refcount leak on AIF enable failure
KVM: nVMX: Don't use vmcs01.GUEST_CR3 to snapshot L1's CR3 when EPT is disabled
KVM: nVMX: Move vTPR vs. TPR Threshold consistency check into "normal" checks
KVM: x86: Ignore pending PV EOI if the vCPU has since disabled PV EOIs
KVM: x86: Nullify irqfd->producer if updating IRTE for bypass fails
KVM: arm64: Fix propagation of TLBI level in kvm_pgtable_stage2_relax_perms()
firmware: arm_ffa: Fix Endpoint Memory Access Descriptor offset calculation
firmware: arm_ffa: Fix out-of-bound writes in ffa_setup_and_transmit()
KVM: arm64: Zero out the stack initialized data in the FFA handler
KVM: arm64: Ensure FFA ranges are page aligned
...
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
Pull kselftest fixes from Shuah Khan:
- Fix ftrace reading enabled_func test in add_remove_fprobe_module test
- Fix tracing trigger-hist-poll.tc to use sched_process_exit
* tag 'linux_kselftest-fixes-7.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
selftests/tracing: Have trigger-hist-poll.tc use sched_process_exit
selftests/ftrace: Fix reading enabled_functions in add_remove_fprobe_module test
|
|
KVM x86 fixes for 7.2-rcN
- Fix a bug where KVM will trigger a UAF if updating IOMMU IRTEs fails when
registering an IRQ-bypass producer.
- Ignore pending PV EOI instead of BUG()ing the host if the feature was
disabled by the guest.
- Fix nVMX bugs where KVM would run L1 with an L1-controlled CR3 after a
failed "late" consistency check when KVM is NOT using EPT.
- Disallow intra-host migration/mirroring of SNP VMs as KVM doesn't yet
support moving/mirroring SNP state.
- Fix a TOCTOU bug in KVM's handling of the "trusted" CPUID for TDX guests.
- Fix a NULL pointer deref in trace_kvm_inj_exception() where a change to the
core infrastructure missed KVM's unique (ab)use of __print_symbolic().
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEAD
KVM/arm64 fixes for 7.2, take #2
- Move locking for kvm_io_bus_get_dev() into the caller, ensuring
race-free checks that the returned object is of the correct type
- Fix initialisation of the page-table walk level when relaxing
permissions
- Correctly update the XN attribute when relaxing permissions
- Fix the sign extension of loads from emulated MMIO regions
- Assorted collection of fixes for pKVM's FFA proxy, together with a
couple of FFA driver adjustments
|
|
Add verifier coverage for constant negative offsets on PTR_TO_TP_BUFFER
and PTR_TO_BUF pointers. Both programs adjust the buffer pointer by -8
and access it at offset zero, so the negative effective start must be
rejected at load time.
Switch the raw tracepoint writable attach checks from nbd_send_request
to bpf_testmod_test_writable_bare_tp, avoiding a dependency on the NBD
tracepoint. Keep the existing past-end case and add a case with a
negative var_off compensated by a positive instruction offset. The
effective start remains non-negative, so the program loads, but its
access end exceeds the writable context size and
bpf_raw_tracepoint_open() must return -EINVAL.
Cc: stable@vger.kernel.org # 5.2.0
Signed-off-by: Sun Jian <sun.jian.kdev@gmail.com>
Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Link: https://patch.msgid.link/20260714093846.18159-3-sun.jian.kdev@gmail.com
Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
|
|
Add a test validating that FIONREAD on a TCP socket in a sockmap
without a verdict program reports data pending in sk_receive_queue.
Signed-off-by: Mattia Meleleo <mattia.meleleo@coralogix.com>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Link: https://lore.kernel.org/bpf/20260708-fionread-no-verdict-v3-2-b4ee31b3af53@coralogix.com
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
|
|
sockmap now rejects unbound UDP sockets. Adjust test_maps. While at it,
check socket()'s return value.
This effectively reverts commit c39aa2159974 ("bpf, selftests: Fix
test_maps now that sockmap supports UDP").
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
Link: https://lore.kernel.org/bpf/20260707-sockmap-lookup-udp-leak-v4-4-f878346f27ab@rbox.co
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
|
|
Update sockmap_listen to accommodate the recent change in sockmap that
rejects unbound UDP sockets.
TCP: Reject unbound and bound (unless established or listening).
UDP: Accept only bound sockets.
While at it, migrate to ASSERT_* and enforce reverse xmas tree.
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
Link: https://lore.kernel.org/bpf/20260707-sockmap-lookup-udp-leak-v4-3-f878346f27ab@rbox.co
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
|
|
Update sockmap_basic tests to bind sockets before they are used. This
accommodates the recent change in sockmap that rejects unbound UDP sockets.
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
Link: https://lore.kernel.org/bpf/20260707-sockmap-lookup-udp-leak-v4-1-f878346f27ab@rbox.co
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"A collection of small fixes. All are device-specific fixes (including
regression fixes) or quirks accumulated since the last update. Some
highlights:
USB-audio:
- Fix per-channel volume imbalance regression for sticky mixers
- Validate input packet length in caiaq driver
- Quirks for iBasso DC-Elite, Musical Fidelity M6s DAC, and Redragon
H510-PRO Wireless headset
HD-audio:
- Fix a long-standing bug of cached processing coefficient verbs
- Make cs35l56 driver failing with missing firmware
- Fix cirrus codec Kconfig dependency, update MAINTAINERS
- Remove unneeded mic bias threshold override on Conexant
- Realtek codec quirks for ASUS ROG Ally X (headphone & mic), Dell
QCM1255, Legion Pro 7, HP/Victus laptops, Framework, and TongFang
laptops
ASoC:
- Add Eliza audio support on Qualcomm sc8280xp/sm8250 SoCs
- Fix SDCA linker error with ACP on AMD
- A few fixes for AMD ACP PCI driver
- Add TAS2783 support on AMD ACP 7.0 platforms
- Reset RT712-SDCA codec to fix silent headphone issue
- Soft reset S/PDIF datapath on Meson AIU FIFO
- Jack report fix for cs42l43
- TAS2562 shutdown GPIO clearing fix
- Sidecar amps quirk for Lenovo laptop in SOF SDW driver
Misc:
- Drop redundant mod_devicetable.h includes from FireWire drivers
- Fix memory leak and format mismatch in mixer kselftest"
* tag 'sound-7.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (36 commits)
ALSA: usb-audio: Add delay quirk for iBasso DC-Elite
ALSA: hda: conexant: Remove mic bias threshold override
ALSA: hda/realtek: Fix speakers on Legion Pro 7 16ARX8H with codec SSID 17aa:38a7
ALSA: hda/realtek: Fix speakers on MECHREVO WUJIE Series
ALSA: hda: cs35l56: Fail if wmfw file is missing
ALSA: usb-audio: Skip DSD quirk for Musical Fidelity M6s DAC
ALSA: hda: MAINTAINERS: Fix missing cirrus* file reference
ALSA: hda/cirrus_scodec: Make Kconfig visible if KUNIT
ALSA: hda/realtek: Add quirk for TongFang X6xx45xU
ALSA: hda/realtek - Fixed Headphone noise issue for Dell QCM1255
ASoC: tas2562: fix deprecated 'shut-down' GPIO always cleared after lookup
ASoC: cs42l43: Correct report for forced microphone jack
ASoC: qcom: sc8280xp: Add support for Eliza
ASoC: dt-bindings: qcom,sm8250: Add Eliza sound card
ASoC: dt-bindings: qcom: Add Eliza LPASS macro codecs
ALSA: hda/realtek: Add mic mute LED quirk for HP Laptop 15-fd0xxx
ALSA: hda/realtek - Add quirk for HP Victus 15-fa0xxx (MB 8A50)
ALSA: usb-audio: Add quirk for Redragon H510-PRO Wireless headset
ASoC: amd: ps: replace bitwise OR with logical OR in IRQ return check
ASoC: amd: ps: fix wrong ACP version string in pci_request_regions()
...
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/tj/sched_ext
Pull sched_ext fixes from Tejun Heo:
- Lifecycle fixes for the new sub-scheduler support: two
use-after-frees and an enable-failure path that left a
half-initialized sub-scheduler linked.
- Two dispatch-path locking bugs: a spurious scheduler abort from a
migration race, and a lockdep splat from stale runqueue-lock
tracking.
- Callback and task-state fixes: stale scheduler-owned state on a task
leaving SCX, a weight callback running after disable, and a bogus
warning on core-scheduling forced idle.
- On nohz_full, finite-slice tasks could miss the tick that expires
their slice. Enable it when such a task is picked, with a selftest.
- Smaller fixes: userspace CPU-mask helpers, ratelimited deprecation
warnings, docs and a sparse annotation.
* tag 'sched_ext-for-7.2-rc3-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/sched_ext:
sched_ext: Skip ops.set_weight() for disabled tasks
tools/sched_ext: scx - Fix cmask_subset(), cmask_equal() and cmask_weight()
sched_ext: Fix premature ops->priv publication in scx_alloc_and_add_sched()
sched_ext: Record an error on errno-only sub-enable failure
selftests/sched_ext: Verify nohz_full tick behavior
sched_ext: Enable tick for finite slices on nohz_full
sched_ext: Preserve rq tracking across local DSQ dispatch
sched_ext: Documentation: Fix ops table header reference
sched_ext: Don't warn on core-sched forced idle in put_prev_task_scx()
sched_ext: Pin parent scx_sched across a child sub-scheduler's lifetime
sched_ext: Annotate ksyncs with __rcu in alloc/free_kick_syncs()
sched_ext: Check remote rq eligibility under task's rq lock
sched_ext: Reset dsq_vtime and slice when a task leaves SCX
sched_ext: Avoid flooding the log with deprecation warnings
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
Pull RTLA fixes from Steven Rostedt:
- Fix missing unistd include
A missing #include <unistd.h> broke build on uclibc systems.
Add the include to fix it.
- Fix missing tools/lib/ctype.c dependency
RTLA links tools/lib/string.c as a dependency of libsubcmd, some of
its functions require _ctype. Link tools/lib/ctype.c as well, to fix
build without GCC LTO.
* tag 'trace-tools-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
rtla: Also link in ctype.c
rtla: Fix missing unistd include
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
Pull USB fixes from Greg KH:
"Here are a number of small USB driver fixes for many reported issues.
Included in here are:
- usb serial driver corruption and use-after-free fixes
- usb gadget rndis bugfixes for malicious/buggy host connections
- typec driver fixes for a load of different tiny reported issues
- typec mux driver revert for a broken patch in -rc1
- usb gadget driver fixes for many different reported problems
- new usb device quirks added
- usbip tool fixes and some core usbip fixes as well
- dwc3 driver fixes for minor issues
- xhci driver fixes for reported problems
- lots of other tiny usb driver fixes for many tiny issues
All of these have been in linux-next with no reported issues"
* tag 'usb-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (56 commits)
USB: core: ratelimit cabling message
usb: misc: usbio: fix disconnect UAF in client teardown
Revert "usb: typec: mux: avoid duplicated mux switches"
USB: chaoskey: Fix slab-use-after-free in chaoskey_release()
usb: ucsi: huawei_gaokun: move typec_altmode off stack
usb: typec: tcpci_rt1711h: unregister TCPCI port with devres
usb: typec: tcpm: Fix VDM type for Enter Mode commands
usb: typec: ucsi: cancel pending work on system suspend
usb: typec: class: drop PD lookup reference
usb: typec: ps883x: Fix DP+USB3 configuration
usb: xhci: Fix sleep in atomic context in xhci_free_streams()
xhci: sideband: fix ring sg table pages leak
usb: gadget: udc: Fix use-after-free in gadget_match_driver
usb: dwc3: run gadget disconnect from sleepable suspend context
usb: sl811-hcd: disable controller wakeup on remove
usb: typec: anx7411: use devm_pm_runtime_enable()
usb: dwc3: fix dwc3_readl() and dwc3_writel() calls in dwc3_ulpi_setup()
USB: misc: uss720: unregister parport on probe failure
usb: gadget: function: rndis: add length check for header
usb: gadget: function: rndis: add length check to response query
...
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux
Pull RISC-V fixes from Paul Walmsley:
"The most notable change involves the rseq kselftest common Makefile
(as it is not RISC-V-specific). The basic approach in the patch
appears similar to one used in the KVM and S390 selftests (grep for
LINUX_TOOL_ARCH_INCLUDE and SUBARCH), and the rseq kselftests pass a
quick build test on x86 after this.
- Avoid a null pointer deference in machine_kexec_prepare() that the
IMA subsystem can trigger
- Bypass libc in part of the ptrace_v_not_enabled kselftest to avoid
noise from child atfork handlers that libc might run
- Include Kconfig support for UltraRISC SoCs, already referenced by
some device drivers; and enable it in our defconfig
- Fix the build of the rseq kselftest for RISC-V by borrowing a
technique from the KVM and S390 kselftests that includes
arch-specific header files from tools/arch/<arch>/include
- Fix some memory leaks in the RISC-V vector ptrace kselftests
- Clean up some DT bindings and hwprobe documentation"
* tag 'riscv-for-linus-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
selftests/riscv: ptrace: Fix memory leak of regset_data in vector tests
selftests/rseq: Fix a building error for riscv arch
riscv: defconfig: enable ARCH_ULTRARISC
riscv: add UltraRISC SoC family Kconfig support
riscv: hwprobe.rst: Document EXT_ZICFISS and EXT_ZICFILP
riscv: hwprobe.rst: Make indentation consistent
dt-bindings: riscv: sort multi-letter Z extensions alphanumerically
selftests: riscv: Bypass libc in inactive vector ptrace test
riscv: Prevent NULL pointer dereference in machine_kexec_prepare()
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
Pull tracing fixes from Steven Rostedt:
- Free field in error path of synthetic event parse
In __create_synth_event() the field was allocated but was not freed
in the error path
- Fix ring_buffer_event_length() on 8 byte aligned architectures
On architectures with CONFIG_HAVE_64BIT_ALIGNED_ACCESS set to y, the
ring_buffer_event_length() may return the wrong size. This is because
archs with that config set will always use the "big event meta
header" as that is 8 bytes keeping the payload 8 bytes aligned, even
when a 4 byte header could hold the size of the event
But ring_buffer_event_length() doesn't take this into account and
only subtracts 4 bytes for the meta header in the length when it
should have subtracted 8 bytes
- Have osnoise wait for a full rcu synchronization on unregister
osnoise_unregister_instance() used to call synchronize_rcu() before
freeing its copy of the instance but was switched to kfree_rcu(). The
osniose tracer has code that traverses the instances that it uses,
and inst is just a pointer to that instance. By using kfree_rcu()
instead of synchronize_rcu(), the instance that the inst pointer is
pointing to can be freed while the osnoise code is still referencing
it
That is, a rmdir on an instance first unregisters the tracer. When
the unregister finishes, the rmdir expects that the tracer is
finished with the instance that it is using. By putting back the
synchronize_rcu() in osnoise_unregister_instance() the unregistering
of osnoise will now return when all the users of the instance have
finished
- Remove an unused setting of "ret" in tracing_set_tracer()
- Fix ring_buffer_read_page() copying events
The commit that changed ring_buffer_read_page() to show dropped
events from the buffer itself, split the "commit" variable between
the commit value (with flags) and "size" that holds the size of the
sub-buffer. A cut and paste error changed the test of the reading
from checking the size of the buffer to the size of the event causing
reads to only read one event at a time
- Make tracepoint_printk a static variable
When the tracing sysctl knobs were move from sysctl.c to trace.c, the
variable tracepoint_printk no longer needed to be global. Make it
static
- Fix some typos
- Fix NULL pointer dereference in func_set_flag()
The flags update of the function tracer first checks if the value of
the flag is the same and exits if they are, and then it checks if the
current tracer is the function tracer and exits if it isn't. The
problem is that these checks need to be in a reversed order, as if
the tracer isn't the function tracer, then the flag being checked may
not exist. Reverse the order of these checks
- Fix ufs core trace events to not dereference a pointer in TP_printk()
The TP_printk() part of the TRACE_EVENT() macro is called when the
user reads the "trace" file. This can be seconds, minutes, hours,
days, weeks, and even months after the data was recorded into the
ring buffer. Thus, saving a pointer to an object into the ring buffer
and then dereferencing it from TP_printk() can cause harm as the
object the pointer is pointing to may no longer exist
Fix all the trace events in ufs core to save the device name in the
ring buffer instead of dereferencing the device descriptor from
TP_printk()
- Prevent out-of-bound reads in glob matching of trace events
The filter logic of events allows simple glob logic to add wild cards
to filter on strings. But some events have fields that may not have a
terminating 'nul' character. This may cause the glob matching to go
beyond the string. Change the logic to always pass in the length of
the field that is being matched
- Add no-rcu-check version of trace_##event##_enabled()
The trace_##event##_enabled() usually wraps trace events to do extra
work that is only needed when the trace event is enabled. But this
can hide events that are placed in locations where RCU is not
watching, and can make lockdep not see these bugs when the event is
not enabled
The trace_##event##_enabled() was updated to always test to make sure
RCU is watching to catch locations that may call events without RCU
being active
This caused a false positive for the irq_disabled() and related
events. As that use trace_irq_disabled_enabled() to force RCU to be
watching when the event is enabled via the ct_irq_enter() function,
calls the event, and then calls ct_irq_exit() to put RCU back to its
original state
The trace_irq_disabled_enabled() should not trigger a warning when
RCU is not watching because the code within its block handles the
case properly. Make a __trace_##event##_enabled() version for this
event to use that doesn't check RCU is watching as it handles the
case when it isn't
- Fix use-after-free in user_event_mm_dup()
When the enabler is removed from the link list, it is freed
immediately. But it is protected via RCU and needs to be freed after
an RCU grace period. Use queue_rcu_work() so that the event_mutex can
also be taken as user_event_put() takes the mutex on the last
reference is released
- Free type string in error path of parse_synth_field()
There's an error path in parse_synth_field() where the allocated type
string is not freed
- Add selftest that tests deferred event teardown
- Fix leak in error path of trace_remote_alloc_buffer()
If page allocation fails, the desc->nr_cpus is not incremented for
the current CPU and the allocations done for it are not freed
- Fix allocation length in trace_remote_alloc_buffer()
The logic to calculate the struct_len was doing a double count and
setting the value too large. Calculate the size upfront to fix the
error and simplify the logic
- Fix sparse CPU masks in ring_buffer_desc()
If there are sparse CPUs (gaps in the numbering), the
ring_buffer_desc() will fail as it tests the CPU number against the
number of CPUs that are used
* tag 'trace-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
ring-buffer: Allow sparse CPU masks in ring_buffer_desc()
tracing/remotes: Fix struct_len in trace_remote_alloc_buffer()
tracing/remotes: Fix leak in trace_remote_alloc_buffer() error path
selftests/user_events: Wait for deferred event teardown after unregister
tracing/synthetic: Free type string on error path
tracing/user_events: Fix use-after-free in user_event_mm_dup()
tracing: Add a no-rcu-check version of trace_##event##_enabled()
tracing: Prevent out-of-bounds read in glob matching
ufs: core: tracing: Do not dereference pointers in TP_printk()
tracing: Fix NULL pointer dereference in func_set_flag()
samples: ftrace: Fix typos in benchmark comment
tracing: Make tracepoint_printk static as not exported
ring-buffer: Fix ring_buffer_read_page() copying only one event per page
tracing: Remove unused ret assignment in tracing_set_tracer()
tracing/osnoise: Call synchronize_rcu() when unregistering
ring-buffer: Fix event length with forced 8-byte alignment
tracing/synthetic: Free pending field on error path
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
Pull arm64 fixes from Will Deacon:
- Fix crash when using SMT hotplug on ACPI systems in conjunction with
maxcpus=
- Fix 30% kswapd performance regression introduced by C1-Pro SME
erratum workaround
- Fix TLB over-invalidation regression during memory hotplug
- Fix incorrect encoding of FEAT_BWE2 value in ID_AA64DFR2_EL1.BWE
- Typo fixes in the arm64 selftests
* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
selftests/arm64: fix spelling errors in comments
arm64/sysreg: Fix BWE field encoding in ID_AA64DFR2_EL1
arm64/mm: Optimize TLB flush in unmap_hotplug_[pmd|pud]_range()
arm64: Avoid eager DVMSync reclaim batches with C1-Pro SME erratum
cpu/hotplug: Fix NULL kobject warning in cpuhp_smt_enable()
arm64: smp: Fix hot-unplug tearing by forcing unregistration
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux
Pull gpio fixes from Bartosz Golaszewski:
- provide the missing .get_direction() callback in gpio-palmas
- fix interrupt handling in gpio-dwapb
- add a GPIO self-test program binary to .gitignore
- fix a resource leak in gpio-mvebu
- make the GPIO sharing heuristic more adaptable
* tag 'gpio-fixes-for-v7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux:
gpio: mvebu: free generic chips on unbind
selftests: gpio: add gpio-cdev-uaf to .gitignore
gpio: dwapb: Mask interrupts at hardware initialization
gpio: dwapb: Defer clock gating until noirq
gpio: shared: make the voting mechanism adaptable
gpios: palmas: add .get_direction() op
|
|
Currently trigger-hist-poll.tc uses sched_process_free to test the polling
of the histogram file. The way it does that is to run sleep, then execute
the poll.c code that polls on the sched_process_free for up to 4 seconds
to test that when sleep triggers the sched_process_free trace event, it
will update the histogram and wake the poll.c code up.
The issue is that sched_process_free trace event is called by
delayed_put_task_struct() which is called after a RCU grace period has
ended. If CONFIG_RCU_LAZY is enabled, RCU callbacks are batched together
and do not execute right away. This causes the delayed_put_task_struct()
to be called after the poll.c function finishes and it will report an
error that it did not wake up on the event. That's because the event
didn't trigger during its wait time.
Use sched_process_exit instead, which is called when a process exits and
doesn't depend on RCU callbacks that may be delayed.
Link: https://lore.kernel.org/r/20260708163436.058cc3df@gandalf.local.home
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
|
|
The add_remove_fprobe_module test checks the number of functions added to
the enabled_functions file to make sure that the functions added or
removed is as expected. The issue is that it expects this file to be empty
on start up.
Now that systemd uses BPF that attaches to functions via ftrace, this file
is not empty in several systems:
# cat /sys/kernel/tracing/enabled_functions
bpf_lsm_file_open (1) R D M tramp: ftrace_regs_caller+0x0/0x61 (call_direct_funcs+0x0/0x50)
direct(jmp)-->bpf_trampoline_6442529439+0x0/0xe9
Change the test to read the number of lines in enabled_functions at the
start of the test and subtract that from the value of the count for the
checks within the test.
Link: https://lore.kernel.org/r/20260708153239.055d56dd@gandalf.local.home
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
|
|
Migration and mirroring of SEV-SNP VMs are not supported yet.
Add two selftests that verify KVM rejects intra-host migration and
mirroring when the source VM is an SNP VM, so the restriction stays enforced
until proper SNP state transfer is implemented.
Signed-off-by: Atish Patra <atishp@meta.com>
Link: https://patch.msgid.link/20260602-sev_snp_fixes-v3-2-24bfd3ae047c@meta.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
|
|
The regset_data buffer allocated with calloc() in the parent process
of several vector ptrace tests is never freed before returning,
causing memory leaks in:
- ptrace_v_not_enabled
- ptrace_v_early_debug
- ptrace_v_syscall_clobbering
- v_csr_invalid/ptrace_v_invalid_values
- v_csr_valid/ptrace_v_valid_values
Add free(regset_data) before kill(pid, SIGKILL) to release the
allocated buffer.
Signed-off-by: Wang Yan <wangyan01@kylinos.cn>
Reviewed-by: Sergey Matyukevich <geomatsi@gmail.com>
Link: https://patch.msgid.link/20260710083437.489648-1-wangyan01@kylinos.cn
[pjw@kernel.org: Fixed Sergey's E-mail address]
Signed-off-by: Paul Walmsley <pjw@kernel.org>
|
|
Add a nft_flowtable.sh regression test for the bridge direct-xmit plus
IPIP/IP6IP6 underlay configuration that reproduces the reachable
DIRECT+tunnel tuple combination exercised by the flowtable fix.
The test reuses the existing bridge and tunnel topology, installs flow
rules for the tunnel egress and bridge reply path, verifies IPv4 and
IPv6 forwarding, and checks the flowtable counters after the transfer.
Signed-off-by: Zhengyang Chen <chzhengyang2023@lzu.edu.cn>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
MSG_OOB might be disabled in the kernel for unix sockets (by not
selecting CONFIG_AF_UNIX_OOB), and in this case the related tests
of the scoped_signal_test are currently failing. Add a runtime
probe using socketpair() to detect MSG_OOB support and skip the
test gracefully if it is unavailable.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Link: https://patch.msgid.link/20260710081642.405916-1-thuth@redhat.com
Cc: stable@vger.kernel.org
Fixes: f34e9ce5f479 ("selftests/landlock: Test signal created by out-of-bound message")
Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
|
The scoped_signal_test uses pthread_join(..., (void **)&ret)) in
a couple of places, i.e. the return value of the thread is stored
in the shape of a "void *" into the memory location of &ret.
Pointers are 64-bit on modern computers, but the ret variable is
declared as a simple "enum thread_return" which is only 32 bits.
So the pthread_join() will overflow the ret variable by 4 byte.
The problem is very visible on big endian systems like s390x
where the test is failing: The least significant byte that carries
the return code of the thread is not written into the ret variable
here, but somewhere else in the stack frame, so the comparison
for the right return code is failing here.
Fix it by getting rid of the enum and defining the THREAD_* constants
and "ret" variables as proper "void *" pointers. This way we can
also get rid of some ugly (void *) castings in a couple of spots.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Link: https://patch.msgid.link/20260709164340.339656-1-thuth@redhat.com
Cc: stable@vger.kernel.org
Fixes: c8994965013e ("selftests/landlock: Test signal scoping for threads")
[mic: Add clang-format markups]
Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
|
Enforce that TCP Fast Open is controlled by
LANDLOCK_ACCESS_NET_CONNECT_TCP. Semantics of connect() and
sendmsg(MSG_FASTOPEN) should be identical from Landlock's perspective.
Also enforce error code consistency, since UDP sockets ignore the
MSG_FASTOPEN flag while Unix sockets reject it.
Signed-off-by: Matthieu Buffet <matthieu@buffet.re>
Link: https://patch.msgid.link/20260701214628.33319-2-matthieu@buffet.re
Cc: stable@vger.kernel.org
[mic: Fix formatting]
Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
|
cmask_equal(), cmask_weight() and cmask_subset() bounded their word walks
with CMASK_NR_WORDS(nr_cids), which pads by one word and can't tell the last
word in use without @base. The walks could thus cover a slack word past the
active range, which cmask_reframe() leaves non-zero: a stale bit there gave
cmask_equal() a spurious mismatch, cmask_weight() an inflated count, and
cmask_subset() a spurious violation. cmask_subset() could also read
@b->bits[] one word past its allocation (within the arena's fault-recovered
range, so harmless), and deviated from the kernel scx_cmask_subset() by
failing any @a range that doesn't nest inside @b's even when the overhanging
bits are all clear.
Bound the cmask_equal() and cmask_weight() walks by the words the range
actually spans, with early returns for empty ranges. Rewrite cmask_subset()
to match the kernel semantics: scan @a's overhangs for set bits with
cmask_next_set() and walk the words of the range intersection.
cmask_subset() moves below cmask_next_set(), which it now uses. Padding bits
don't need masking as every cmask helper keeps them clear.
Fixes: a58e6b79b432 ("sched_ext: Add cmask, a base-windowed bitmap over cid space")
Signed-off-by: Tejun Heo <tj@kernel.org>
Reviewed-by: Andrea Righi <arighi@nvidia.com>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
Pull networking fixes from Paolo Abeni:
"Including fixes from netfilter, Bluetooth and batman-adv.
Current release - regressions:
- bluetooth: fix using chan->conn as indication to no remote netdev
Current release - new code bugs:
- netfilter: cap to maximum number of expectation per master on
updates
Previous releases - regressions:
- bluetooth:
- fix UAF of hci_conn_params in add_device_complete
- fix null ptr deref in hci_abort_conn()
- igmp: remove multicast group from hash table on device destruction
- batman-adv: prevent TVLV OOB check overflow
- eth: mlx5/mlx5e:
- fix off-by-one in single-FDB error rollback
- skip peer flow cleanup when LAG seq is unavailable
- fix crashes in dynamic per-channel stats and HV VHCA agent
- eth: mana: Sync page pool RX frags for CPU
Previous releases - always broken:
- netfilter:
- mark malformed IPv6 extension headers for hotdrop
- terminate table name before find_table_lock()
- ipvs: use parsed transport offset in TCP state lookup
- sched: act_pedit: fix TOCTOU heap OOB write in tc offload
- ethtool: rss: fix hfunc and input_xfrm parsing on big endian
- ipv4/ipv6: fix UAF and memory leak in IGMP/MLD
- tls: consume empty data records in tls_sw_read_sock()
- eth:
- octeontx2-af: fix VF bringup affecting PF promiscuous state
- gue: validate REMCSUM private option length"
* tag 'net-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (94 commits)
macsec: don't read an unset MAC header in macsec_encrypt()
dibs: loopback: validate offset and size in move_data()
octeontx2-af: fix VF bringup affecting PF promiscuous state
ethtool: rss: Fix hfunc and input_xfrm parsing on big endian
net/mlx5: Fix L3 tunnel entropy refcount leak
net: macb: drop in-flight Tx SKBs on close
net: mana: Sync page pool RX frags for CPU
net: mana: Validate the packet length reported by the NIC
selftests/net: fix EVP_MD_CTX leak in tcp_mmap
ipvs: ensure inner headers in ICMP errors are in headroom
ipvs: use parsed transport offset in SCTP state lookup
ipvs: use parsed transport offset in TCP state lookup
ipvs: pass parsed transport offset to state handlers
netfilter: handle unreadable frags
netfilter: flowtable: support IPIP tunnel with direct xmit
netfilter: flowtable: IPIP tunnel hardware offload is not yet support
netfilter: flowtable: use dst in this direction when pushing IPIP header
netfilter: ipset: allocate the proper memory for the generic hash structure
netfilter: ipset: cleanup the add/del backlog when resize failed
netfilter: ipset: exclude gc when resize is in progress
...
|
|
In tcp_mmap.c, both child_thread() and main() allocate an EVP_MD_CTX
via EVP_MD_CTX_new() when integrity checking is enabled, but neither
function releases the context. child_thread() misses the free in its
common cleanup block, and main() returns without freeing the context.
This results in a SHA256 context leak on every run that uses the
‑i (integrity) option. Add the missing EVP_MD_CTX_free() calls to
the appropriate cleanup paths to fix the leak.
Fixes: 5c5945dc695c ("selftests/net: Add SHA256 computation over data sent in tcp_mmap")
Signed-off-by: Wang Yan <wangyan01@kylinos.cn>
Link: https://patch.msgid.link/20260702025949.442523-1-wangyan01@kylinos.cn
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
|
|
Finite-slice EXT tasks need the periodic scheduler tick to expire their
slices even when nohz_full is enabled.
Add a regression test that selects a nohz_full CPU and exercises both
infinite-to-finite and finite-to-finite slice transitions across an idle
interval. For each finite task, verify that its ops.tick() callback is
invoked.
Skip the test when an allowed nohz_full CPU and a separate housekeeping
CPU are not available.
Signed-off-by: Andrea Righi <arighi@nvidia.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
|
|
RISC-V rseq selftests include asm/fence.h from tools/arch/riscv,
but the rseq Makefile only adds tools/include in the CFLAGS, this
results in the building failure both for native and cross build:
In file included from rseq.h:131,
from rseq.c:37:
rseq-riscv.h:11:10: fatal error: asm/fence.h: No such file or directory
To fix it, add the matching tools/arch/$(ARCH)/include path in the
CFLAGS and derive ARCH from SUBARCH for standalone native builds where
ARCH is not set.
Fixes: c92786e179e0 ("KVM: riscv: selftests: Use the existing RISCV_FENCE macro in `rseq-riscv.h`")
Cc: stable@vger.kernel.org
Signed-off-by: Hui Wang <hui.wang@canonical.com>
Link: https://patch.msgid.link/20260707082348.36896-1-hui.wang@canonical.com
Signed-off-by: Paul Walmsley <pjw@kernel.org>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid
Pull HID fixes from Jiri Kosina:
- OOB, UAF, NULL-deref fixes in core and picolcd, logitech, letsketch,
appleir and multitouch drivers (Georgiy Osokin, HyeongJun An, Lee
Jones, Manish Khadka, Maoyi Xie and Trung Nguyen)
- fix for integer wraparound (and corresponding regression selftest) in
hid-bpf (Yiyang Chen)
* tag 'hid-for-linus-2026070801' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid:
selftests/hid: multitouch: test a large ContactCountMaximum
HID: multitouch: fix out-of-bounds bit access on mt_io_flags
selftests/hid: Cover hid_bpf_get_data() size overflow
selftests/hid: Load only requested struct_ops maps
HID: bpf: Fix hid_bpf_get_data() range check
HID: lg-g15: cancel pending work on remove to fix a use-after-free
HID: logitech-dj: Fix maxfield check in DJ short report validation
HID: core: Fix OOB read in hid_get_report for numbered reports
HID: picolcd: prevent NULL pointer dereference in picolcd_send_and_wait()
HID: appleir: fix UAF on pending key_up_timer in remove()
HID: letsketch: fix UAF on inrange_timer at driver unbind
|
|
Unregistering a user event now defers the drop of the enabler's event
reference (and the freeing of the enabler) past an RCU grace period. As a
result DIAG_IOCSDEL can transiently fail with -EBUSY while that last
reference is still being dropped, where it previously succeeded
immediately.
Two tests assumed the delete takes effect the instant the unregister
returns:
- abi_test "flags" deletes the event right after disabling it.
- perf_test's fixture teardown clear() deletes __test_event before the
next test registers the same name; a stale event makes the following
registration fail with -EADDRINUSE.
Retry the delete until it succeeds (or the event is already gone) with a
bounded wait, matching the existing wait_for_delete() idiom in the same
suite, so the tests are robust to the deferred teardown.
Link: https://patch.msgid.link/20260707180240.2887081-1-michael.bommarito@gmail.com
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
|
|
USB devices running at SuperSpeedPlus report "10000" or "20000" in
their sysfs speed attribute. usbip currently maps only "5000" to
USB_SPEED_SUPER, so a SuperSpeedPlus device is imported as
USB_SPEED_UNKNOWN.
The attach request is then rejected by vhci_hcd:
vhci_hcd: Failed attach request for unsupported USB speed: UNKNOWN
Map the SuperSpeedPlus sysfs speed values to USB_SPEED_SUPER_PLUS, use
the SuperSpeed VHCI hub for SuperSpeedPlus devices, and recognize the
gadget current_speed string used by the kernel.
Fixes: b2316645ca5e ("usb: show speed "10000" in sysfs for USB 3.1 SuperSpeedPlus devices")
Cc: stable <stable@kernel.org>
Signed-off-by: Yichong Chen <chenyichong@uniontech.com>
Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
Link: https://patch.msgid.link/00C828F338E43447+20260617020613.199086-1-chenyichong@uniontech.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
rtla started to only link parts of the tools library. It now misses the
ctype information used by all the related string operations. Just add
another single file to make it build again.
Signed-off-by: Bastian Blank <waldi@debian.org>
Fixes: 48209d763c22 ("rtla: Add libsubcmd dependency")
Link: https://lore.kernel.org/r/ako2S4mzIqWwYuas@steamhammer.waldi.eu.org
[ remove duplicated spaces in commit message ]
Signed-off-by: Tomas Glozar <tglozar@redhat.com>
|
|
Commit c7f92042d3f3 ("selftests: gpio: Add gpio-cdev-uaf tests") added
the gpio-cdev-uaf binary to TEST_GEN_PROGS_EXTENDED but never added it
to .gitignore. Building it with:
make -C tools/testing/selftests/gpio TARGETS=gpio
leaves gpio-cdev-uaf as an untracked file.
Fixes: c7f92042d3f3 ("selftests: gpio: Add gpio-cdev-uaf tests")
Signed-off-by: Cihan Karadag <cihan.cihan@gmail.com>
Reviewed-by: Tzung-Bi Shih <tzungbi@kernel.org>
Link: https://patch.msgid.link/20260707235707.1349969-1-cihan.cihan@gmail.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
|
|
The ptrace_v_not_enabled test expects the child to reach its ebreak
before it has used the vector extension. That is not guaranteed when
using fork(), because libc may run child atfork handlers before
returning to the test code. In those cases PTRACE_GETREGSET for
NT_RISCV_VECTOR then succeeds instead of returning ENODATA for
inactive vector state.
Use the raw clone syscall with SIGCHLD to keep fork-like semantics
while bypassing libc's fork wrapper and atfork handler chain.
Cc: Andy Chiu <tchiu@tenstorrent.com>
Assisted-by: Claude:claude-sonnet-4-6
Signed-off-by: Andrew Jones <andrew.jones@oss.qualcomm.com>
Link: https://patch.msgid.link/20260707153827.175245-1-andrew.jones@oss.qualcomm.com
Signed-off-by: Paul Walmsley <pjw@kernel.org>
|
|
Pull header inclusion fix for firewire drivers
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Compiling RTLA 7.1.x with GCC 16 and uClibc as standard library fails
with these errors:
src/common.c: In function ‘set_signals’:
src/common.c:40:17: error: implicit declaration of function ‘alarm’ [-Wimplicit-function-declaration]
40 | alarm(params->duration);
| ^~~~~
src/common.c: In function ‘common_apply_config’:
src/common.c:187:44: error: implicit declaration of function ‘getpid’; did you mean ‘getpt’? [-Wimplicit-function-declaration]
187 | retval = sched_setaffinity(getpid(), sizeof(params->hk_cpu_set),
| ^~~~~~
| getpt
In file included from src/common.c:9:
src/common.c: In function ‘run_tool’:
src/common.c:262:19: error: implicit declaration of function ‘sysconf’; did you mean ‘sscanf’? [-Wimplicit-function-declaration]
262 | nr_cpus = get_nprocs_conf();
| ^~~~~~~~~~~~~~~
src/common.c:262:19: error: ‘_SC_NPROCESSORS_CONF’ undeclared (first use in this function)
262 | nr_cpus = get_nprocs_conf();
| ^~~~~~~~~~~~~~~
src/common.c:262:19: note: each undeclared identifier is reported only once for each function it appears in
src/common.c:370:17: error: implicit declaration of function ‘sleep’ [-Wimplicit-function-declaration]
370 | sleep(1);
| ^~~~~
Restore the missing unistd.h include.
Fixes: 115b06a00875 ("tools/rtla: Consolidate nr_cpus usage across all tools")
Signed-off-by: Andreas Ziegler <br025@umbiko.net>
Link: https://lore.kernel.org/r/20260624033342.129970-1-br025@umbiko.net
[ capital letter in patch subject, remove EOL after Fixes ]
Signed-off-by: Tomas Glozar <tglozar@redhat.com>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Pull misc fixes from Andrew Morton:
"20 hotfixes. 17 are for MM. 12 are cc:stable and the remaining 8
address post-7.1 issues or aren't considered suitable for backporting.
Two patches from SJ addresses a couple of quite old DAMON issues. And
two patches from Yichong Chen fixes tools/virtio build issues. The
remaining patches are singletons"
* tag 'mm-hotfixes-stable-2026-07-06-17-49' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm:
tools/include: include stdint.h for SIZE_MAX in overflow.h
tools/virtio: add missing compat definitions for vhost_net_test
mm: do file ownership checks with the proper mount idmap
samples/damon/mtier: fail early if address range parameters are invalid
mm: a second pagecache maintainer
mm/damon: add a kernel-doc comment for damon_ctx->rnd_state
mm/damon: add a kernel-doc comment for damon_ctx->probes
mailmap: add entries for Radu Rendec
selftests/mm: hmm-tests: include linux/mman.h to access MADV_COLLAPSE
selftests/mm: pagemap_ioctl: use the correct page size for transact_test()
fs/proc: fix KPF_KSM reported for all anonymous pages
mm: page_ext: add count limit to page_ext_iter_next to prevent invalid PFN access
mm/damon/ops-common: handle extreme intervals in damon_hot_score()
MAINTAINERS: add Lance as an rmap reviewer
mm/compaction: handle free_pages_prepare() properly in compaction_free()
mm/damon/sysfs-schemes: put stats for scheme_add_dirs() internal error
mm/damon/sysfs-schemes: fix dir put orders in access_pattern_add_dirs()
mm: shrinker: fix NULL pointer dereference in debugfs
mm: shrinker: fix shrinker_info teardown race with expansion
selftests/mm: fix ksft_process_madv.sh test category
|
|
Add a test for sign-extending MMIO loads (LDRSB, LDRSH, LDRSW) into Xt
and Wt destinations, with and without the sign bit set. The host supplies
the MMIO data and checks the guest register holds the sign-extended value.
Repeat the loads big-endian on a mixed-endian implementation. Issue those
at EL0: SCTLR_EL1.EE would make an EL1 load big-endian but also walk the
little-endian page tables big-endian, whereas SCTLR_EL1.E0E selects only
EL0 data endianness and leaves the walk little-endian.
Signed-off-by: Fuad Tabba <fuad.tabba@linux.dev>
Link: https://patch.msgid.link/20260706115522.954913-3-fuad.tabba@linux.dev
Signed-off-by: Marc Zyngier <maz@kernel.org>
|
|
loopy_wait() expects millisecond timestamps. However, Ubuntu Resolute
can use uutils date, where `date -u +%s%3N` returns seconds plus full
nanoseconds instead of a 3-digit millisecond field. This makes
busywait expire too early and can make vlan_bridge_binding.sh read a
stale operstate.
Fixes: 25ae948b4478 ("selftests/net: add lib.sh")
Cc: stable@vger.kernel.org # 6.8+
Link: https://github.com/uutils/coreutils/issues/11658
Signed-off-by: Nirmoy Das <nirmoyd@nvidia.com>
Link: https://patch.msgid.link/20260630165157.3814871-1-nirmoyd@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
|
|
In the ctl_value_index_valid() function, when validating 64-bit integer
controls (SND_CTL_ELEM_TYPE_INTEGER64), the error message for maximum
value validation has two bugs:
1. Uses snd_ctl_elem_info_get_max() instead of the 64-bit variant
snd_ctl_elem_info_get_max64()
2. Uses %ld format specifier instead of %lld for long long type
This is inconsistent with the minimum value validation (line 335-339)
which correctly uses get_min64() and %lld. The mismatch can cause:
- Incorrect maximum values being reported on some architectures
- Undefined behavior due to format specifier mismatch
- Potential crashes when printing the error message
Fix by using snd_ctl_elem_info_get_max64() and %lld format specifier
to match the data type and be consistent with the minimum value check.
Signed-off-by: Malaya Kumar Rout <malayarout91@gmail.com>
Link: https://patch.msgid.link/20260705171038.171966-1-malayarout91@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull perf events fixes from Ingo Molnar:
- Fix a perf_event_attr::remove_on_exec bug for group events
(Taeyang Lee)
- Fix uprobes CALL emulation interaction with shadow stacks, and
add a testcase for this (David Windsor)
- Fix uprobes unregister bug (Jiri Olsa)
* tag 'perf-urgent-2026-07-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
uprobes/x86: Use proper mm_struct in __in_uprobe_trampoline
selftests/x86: Add shadow stack uprobe CALL test
x86/uprobes: Keep shadow stack in sync for emulated CALLs
perf/core: Detach event groups during remove_on_exec
|
|
In find_controls(), card_data is allocated with malloc() but when
snd_ctl_open_lconf() fails, the code jumps to next_card without
freeing the allocated memory. This results in a memory leak for
each card where snd_ctl_open_lconf() fails.
Add free(card_data) before goto next_card to ensure proper cleanup
of the allocated memory in the error path.
Fixes: 5aaf9efffc57 ("kselftest: alsa: Add simplistic test for ALSA mixer controls kselftest")
Signed-off-by: Malaya Kumar Rout <malayarout91@gmail.com>
Link: https://patch.msgid.link/20260704105736.94874-1-malayarout91@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
Pull vfs fixes from Christian Brauner:
- netfs:
- fix the decision when to disallow write-streaming with fscache in
use, handling of asynchronous cache object creation, a double fput
in cachefiles, clearing S_KERNEL_FILE without the inode lock held,
page extraction bugs in the iov_iter helpers (a potential
underflow, a missing allocation failure check, a memory leak, and
a folio offset miscalculation), writeback error and ENOMEM
handling, DIO write retry for filesystems without a
->prepare_write() method, and the replacement of the wb_lock mutex
with a bit lock plus writethrough collection offload so that
multiple asynchronous writebacks don't interfere with each other.
- Fix the barriering when walking the netfs subrequest list during
retries as it was possible to see a subrequest that was just added
by the application thread.
- iomap:
- Change iomap to submit read bios after each extent instead of
building them up across extents. The old behavior was considered
problematic for a while and now caused an actual erofs bug.
- Guard the ioend io_size EOF trim in iomap against underflow when a
concurrent truncate moves EOF below the start of the ioend,
wrapping io_size to a huge value.
- overlayfs
- Fix a stale overlayfs comment about the locking order.
- Store the linked-in upper dentry instead of the disconnected
O_TMPFILE dentry during overlayfs tmpfile copy-up. With a FUSE or
virtiofs upper layer ->d_revalidate() would try to look up "/" in
the workdir and fail, causing persistent ESTALE errors that broke
dpkg and apt.
- vfs-bpf:
Have the bpf_real_data_inode() kfunc take a struct file instead of a
dentry so it is usable from the bprm_check_security, mmap_file, and
file_mprotect hooks, and rename it from bpf_real_inode() to make the
data-inode semantics explicit. The kfunc landed this cycle so the
change is safe.
- afs:
NULL pointer dereferences in the callback service and in
afs_get_tree(), several memory and refcount leaks, missing locking
around the dynamic root inode numbers and premature cell exposure
through /afs, a netns destruction hang caused by a misplaced
increment of net->cells_outstanding, a bulk lookup malfunction caused
by the dir_emit() API change, inode (re)initialisation issues, and
assorted smaller fixes to error codes, seqlock handling, and debug
output.
- vfs:
Refuse O_TMPFILE creation with an unmapped fsuid or fsgid and add a
selftest for it.
- vboxsf:
Add Jori Koolstra as vboxsf maintainer, taking over from Hans de
Goede.
- dio:
Release the pages attached to a short atomic dio bio; the REQ_ATOMIC
size check error path leaked them.
- procfs:
Only bump the parent directory link count when registering
directories in procfs. Registering regular files inflated the count
and leaked a link on every create and remove cycle.
- minix:
Avoid an unsigned overflow in the minix bitmap block count
calculation that let crafted images with huge inode or zone counts
pass superblock validation and crash the kernel during mount.
- cachefiles:
Fix a double unlock in the cachefiles nomem_d_alloc error path left
over from the start_creating() conversion.
- fat:
Stop fat from reading directory entries past the 0x00
end-of-directory marker. If the trailing on-disk slots aren't
zero-filled the driver surfaced arbitrary garbage as directory
entries.
- freexvfs:
Don't BUG() on unknown typed-extent types in freevxfs, reachable via
ioctl(FIBMAP) on a crafted image; fail with an I/O error instead.
- orangefs:
Keep the readdir entry size 64-bit in orangefs fill_from_part().
Truncating it to __u32 bypassed the bounds check and led to
out-of-bounds reads triggerable by the userspace client.
- xfs:
Fix the error unwind in xfs_open_devices() which released the rt
device file twice and left dangling buftarg pointers behind that were
freed again when the failed mount was torn down.
- exec:
Fix an off-by-one in the comment documenting the maximum binfmt
rewrite depth in exec_binprm(). The code allows five rewrites, not
four; restricting the code would break userspace so the comment is
fixed instead.
- file handles:
Reject detached mounts in capable_wrt_mount(). A detached mount can
be dissolved concurrently, leaving a NULL mount namespace that
open_by_handle_at() would dereference.
* tag 'vfs-7.2-rc2.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: (57 commits)
netfs: Fix barriering when walking subrequest list
iomap: submit read bio after each extent
fuse: call fuse_send_readpages explicitly from fuse_readahead
iomap: consolidate bio submission
fhandle: reject detached mounts in capable_wrt_mount()
netfs: Fix DIO write retry for filesystems without a ->prepare_write()
netfs: Fix folio state after ENOMEM whilst under writeback iteration
netfs: Fix writeback error handling
netfs: Fix writethrough to use collection offload
netfs: Replace wb_lock with a bit lock for asynchronicity
netfs: Fix kdoc warning
scatterlist: Fix offset in folio calc in extract_xarray_to_sg()
iov_iter: Remove unused variable in kunit_iov_iter.c
iov_iter: Fix a memory leak in iov_iter_extract_user_pages()
iov_iter: Fix missing alloc fail check in iov_iter_extract_bvec_pages()
iov_iter: Fix potential underflow in iov_iter_extract_xarray_pages()
cachefiles: Fix file burial to take lock when unsetting S_KERNEL_FILE
cachefiles: Fix double fput
netfs: Fix netfs_create_write_req() to handle async cache object creation
netfs: Fix decision whether to disallow write-streaming due to fscache use
...
|