Commit Graph

1446698 Commits (227abb780c68687d6800cf9eafaff0cbeca4bf45)

Author SHA1 Message Date
Linus Torvalds 227abb780c Input updates for v7.1-rc5
- updates to Elan I2C touchpad driver to handle a new IC type and to
   validate size of supplied firmware to prevent OOB access
 
 - updates to Xpad controller driver to recognize ASUS ROG RAIKIRI II and
   "Nova 2 Lite" from GameSir controllers as well as a fix to prevent a
   potential OOB access when handling "Share" button
 
 - an update to Synaptics touchpad driver to use RMI mode for touchpad in
   Thinkpad E490
 
 - updates to Atmel MXT driver adding checks to prevent potential OOB
   accesses
 
 - a fix to IMS PCU driver to free correct amount of memory when
   tearing it down
 
 - a fixup to the recent change to Atlas buttons driver
 
 - a small cleanup in fm801-fp for PCI IDs table initialisation

Merge tag 'input-for-v7.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input

Pull input fixes from Dmitry Torokhov:

 - updates to Elan I2C touchpad driver to handle a new IC type and to
   validate size of supplied firmware to prevent OOB access

 - updates to Xpad controller driver to recognize ASUS ROG RAIKIRI II
   and "Nova 2 Lite" from GameSir controllers as well as a fix to
   prevent a potential OOB access when handling "Share" button

 - an update to Synaptics touchpad driver to use RMI mode for touchpad
   in Thinkpad E490

 - updates to Atmel MXT driver adding checks to prevent potential OOB
   accesses

 - a fix to IMS PCU driver to free correct amount of memory when tearing
   it down

 - a fixup to the recent change to Atlas buttons driver

 - a small cleanup in fm801-fp for PCI IDs table initialisation

* tag 'input-for-v7.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free()
  Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490
  Input: atlas - check ACPI_COMPANION() against NULL
  Input: atmel_mxt_ts - check mem_size before calculating config memory size
  Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem
  Input: fm801-gp - simplify initialisation of pci_device_id array
  Input: xpad - add "Nova 2 Lite" from GameSir
  Input: xpad - add support for ASUS ROG RAIKIRI II
  Input: elan_i2c - validate firmware size before use
  Input: xpad - fix out-of-bounds access for Share button
  Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size
  Input: elan_i2c - increase device reset wait timeout after update FW
  Input: elan_i2c - add ic type 0x19
2026-05-31 08:27:18 -07:00
Linus Torvalds 174914ea55 two client fixes

Merge tag 'v7.1-rc6-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6

Pull smb client fixes from Steve French:

 - fix uninitialized variable in smb2_writev_callback()

 - detect short folioq copy in cifs_copy_folioq_to_iter()

* tag 'v7.1-rc6-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
  smb: client: fix uninitialized variable in smb2_writev_callback
  smb: client: detect short folioq copy in cifs_copy_folioq_to_iter()
2026-05-30 17:05:58 -07:00
Linus Torvalds 9d87d0fc8c liveupdate: kho: two regression fixes
* fix order calculation for kho_unpreserve_pages() to make sure that
   the order calculation in kho_unpreserve_pages() matches the order
   calculation in kho_preserve_pages().
 * fix math in calculation of KHO_TREE_MAX_DEPTH to make it work with 16KB
   pages.

Merge tag 'liveupdate-fixes-2026-05-30' of git://git.kernel.org/pub/scm/linux/kernel/git/liveupdate/linux

Pull liveupdate fixes from Mike Rapoport:
 "Two kexec handover regression fixes:

   - fix order calculation for kho_unpreserve_pages() to make sure
     that the order calculation in kho_unpreserve_pages() matches the
     order calculation in kho_preserve_pages().

   - fix math in calculation of KHO_TREE_MAX_DEPTH to make it work with
     16KB pages"

* tag 'liveupdate-fixes-2026-05-30' of git://git.kernel.org/pub/scm/linux/kernel/git/liveupdate/linux:
  kho: fix order calculation for kho_unpreserve_pages()
  kho: fix KHO_TREE_MAX_DEPTH for non-4KB page sizes
2026-05-30 15:39:47 -07:00
Linus Torvalds a29c0b0caf memblock: fix regression from memblock_free_late() refactoring
After refactoring of memblock_free_late() and free_init_pages() it became
 possible to call memblock_free() after memblock init data was discarded.
 
 Make sure memblock_free() does not touch memblock.reserved unless it is
 called early enough or when ARCH_KEEP_MEMBLOCK is enabled.

Merge tag 'fixes-2026-05-30' of git://git.kernel.org/pub/scm/linux/kernel/git/rppt/memblock

Pull memblock fix from Mike Rapoport:
 "Fix regression from memblock_free_late() refactoring

  After refactoring of memblock_free_late() and free_init_pages() it
  became possible to call memblock_free() after memblock init data was
  discarded.

  Make sure memblock_free() does not touch memblock.reserved unless it
  is called early enough or when ARCH_KEEP_MEMBLOCK is enabled"

* tag 'fixes-2026-05-30' of git://git.kernel.org/pub/scm/linux/kernel/git/rppt/memblock:
  memblock: don't touch memblock arrays when memblock_free() is called late
2026-05-30 15:37:05 -07:00
Linus Torvalds 670b77dfeb USB and Thunderbolt fixes for 7.1-rc6
Here is a set of USB fixes and new device ids for 7.1-rc6.  Nothing
 major in here, just lots of tiny fixes for reported issues found by
 users and some older patches found by some scanning tools.  Included in
 here are:
   - typec fixes found by fuzzers that have decided to finally look at
     that device interaction path (i.e. before a driver is bound to a
     device).
   - typec fixes for issues found by users
   - thunderbolt driver fixes for reported problems
   - cdns3 driver fixes
   - dwc3 driver fixes
   - new device quirks added
   - usb serial driver fixes for broken devices
   - other small driver fixes
 
 All of these have been in linux-next for over a week with no reported
 issues.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Merge tag 'usb-7.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb

Pull USB and Thunderbolt fixes from Greg KH:
 "Here is a set of USB fixes and new device ids for 7.1-rc6. Nothing
  major in here, just lots of tiny fixes for reported issues found by
  users and some older patches found by some scanning tools. Included in
  here are:

   - typec fixes found by fuzzers that have decided to finally look at
     that device interaction path (i.e. before a driver is bound to a
     device)

   - typec fixes for issues found by users

   - thunderbolt driver fixes for reported problems

   - cdns3 driver fixes

   - dwc3 driver fixes

   - new device quirks added

   - usb serial driver fixes for broken devices

   - other small driver fixes

  All of these have been in linux-next for over a week with no reported
  issues"

* tag 'usb-7.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (54 commits)
  USB: serial: cypress_m8: validate interrupt packet headers
  USB: serial: safe_serial: fix memory corruption with small endpoint
  USB: serial: omninet: fix memory corruption with small endpoint
  USB: serial: mxuport: fix memory corruption with small endpoint
  USB: serial: cypress_m8: fix memory corruption with small endpoint
  USB: cdc-acm: Fix bit overlap and move quirk definitions to header
  usb: dwc2: Fix use after free in debug code
  usb: chipidea: core: convert ci_role_switch to local variable
  usb: gadget: f_fs: serialize DMABUF cancel against request completion
  usb: gadget: f_fs: copy only received bytes on short ep0 read
  usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports
  dt-bindings: usb: Fix EIC7700 USB reset's issue
  usbip: vudc: Fix use after free bug in vudc_remove due to race condition
  dt-bindings: usb: ti,omap4-musb: Drop duplicate 'usb-phy' property constraints
  usb: storage: Add quirks for PNY Elite Portable SSD
  USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers
  usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize
  usb: usbtmc: check URB actual_length for interrupt-IN notifications
  xhci: tegra: Fix ghost USB device on dual-role port unplug
  usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind
  ...
2026-05-30 08:37:45 -07:00
Linus Torvalds 495fb8dd7f TTY/Serial driver fixes for 7.1-rc6
Here are some small serial driver fixes for 7.1-rc6.  Included in here
 are:
   - mips serial driver fixes to resolve some long-standing issues with
     how they interacted with the console.  That's the "majority" of the
     changes in this merge request
   - sh-sci driver regression fix
   - 8250 driver regression fixes
   - other small serial driver fixes for reported problems.
 
 All of these have been in linux-next for over a week with no reported
 issues.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Merge tag 'tty-7.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty

Pull tty/serial driver fixes from Greg KH:
 "Here are some small serial driver fixes for 7.1-rc6. Included in here
  are:

   - mips serial driver fixes to resolve some long-standing issues with
     how they interacted with the console. That's the "majority" of the
     changes in this merge request

   - sh-sci driver regression fix

   - 8250 driver regression fixes

   - other small serial driver fixes for reported problems.

  All of these have been in linux-next for over a week with no reported
  issues"

* tag 'tty-7.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
  serial: dz: Enable modular build
  serial: zs: Convert to use a platform device
  serial: dz: Convert to use a platform device
  serial: zs: Switch to using channel reset
  serial: zs: Fix bootconsole handover lockup
  serial: dz: Fix bootconsole handover lockup
  serial: dz: Fix bootconsole message clobbering at chip reset
  serial: 8250_dw: dispatch SysRq character in dw8250_handle_irq()
  serial: 8250: dispatch SysRq character in serial8250_handle_irq()
  serial: core: introduce guard(uart_port_lock_check_sysrq_irqsave)
  tty: serial: samsung: Remove redundant port lock acquisition in rx helpers
  serial: altera_jtaguart: handle uart_add_one_port() failures
  serial: qcom_geni: fix kfifo underflow when flush precedes DMA completion IRQ
  serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma
  tty: add missing tty_driver include to tty_port.h
  serial: qcom-geni: fix UART_RX_PAR_EN bit position
  serial: sh-sci: fix memory region release in error path
  tty: serial: pch_uart: add check for dma_alloc_coherent()
  serial: zs: Fix swapped RI/DSR modem line transition counting
2026-05-30 08:34:03 -07:00
Linus Torvalds 2544785177 Char/Misc/IIO fixes for 7.1-rc6
Here are some small char/misc/iio driver fixes for 7.1-rc6.  Included in
 here are:
   - lots of small IIO driver fixes for reported problems.
   - Android binder bugfixes for reported issues.
   - small comedi test driver fixes
   - counter driver fix
   - parport driver fix (people still use this?)
   - rpi driver fix
   - uio driver fix
 
 All of these have been in linux-next for over a week with no reported
 problems.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Merge tag 'char-misc-7.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc

Pull char/misc/iio fixes from Greg KH:
 "Here are some small char/misc/iio driver fixes for 7.1-rc6. Included
  in here are:

   - lots of small IIO driver fixes for reported problems.

   - Android binder bugfixes for reported issues.

   - small comedi test driver fixes

   - counter driver fix

   - parport driver fix (people still use this?)

   - rpi driver fix

   - uio driver fix

  All of these have been in linux-next for over a week with no reported
  problems"

* tag 'char-misc-7.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (41 commits)
  Revert "gpib: cb7210: Fix region leak when request_irq fails"
  misc: rp1: Send IACK on IRQ activate to fix kdump/kexec
  gpib: cb7210: Fix region leak when request_irq fails
  parport: Fix race between port and client registration
  uio: uio_pci_generic_sva: fix double free of devm_kzalloc() memory
  rust_binder: Avoid holding lock when dropping delivered_death
  rust_binder: avoid calling pending_oneway_finished() on TF_UPDATE_TXN
  comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest()
  comedi: comedi_test: Fix limiting of convert_arg in waveform_ai_cmdtest()
  iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw
  iio: gyro: itg3200: fix i2c read into the wrong stack location
  iio: dac: ad5686: fix powerdown control on dual-channel devices
  iio: dac: ad5686: acquire lock when doing powerdown control
  iio: temperature: tsys01: fix broken PROM checksum validation
  iio: dac: ad3530r: Fix AD3531/AD3531R powerdown mode strings
  iio: buffer: hw-consumer: fix use-after-free in error path
  iio: dac: ad5686: fix input raw value check
  iio: dac: ad5686: fix ref bit initialization for single-channel parts
  iio: ssp_sensors: cancel delayed work_refresh on remove
  iio: adc: meson-saradc: fix calibration buffer leak on error
  ...
2026-05-30 08:30:12 -07:00
Greg Kroah-Hartman 05d5d79440 Revert "gpib: cb7210: Fix region leak when request_irq fails"
This reverts commit 2eae90a457.

Turns out not to be correct.

Link: https://lore.kernel.org/r/PpNUbGhrvT8I_KayoDvQYI2PYjmMw1QEkuVBDZz2PwBsVVgPkBXJarc2mBM0IhiH3AQG0GtgqEsDRXNj3yUKEDBaZa25u73pAjvcE6vfRsg=@protonmail.com
Reported-by: Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com>
Cc: Mark Brown <broonie@kernel.org>
Cc: Hongling Zeng <zhongling0719@126.com>
Cc: Hongling Zeng <zenghongling@kylinos.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-05-30 12:25:36 +02:00
Linus Torvalds 1246c246d9 three ksmbd server fixes

Merge tag 'v7.1-rc6-ksmbd-server-fixes' of git://git.samba.org/ksmbd

Pull smb server fixes from Steve French:

 - security fix for FSCTL_SET_SPARSE

 - fix leak in ksmbd_query_inode_status()

 - fix OOB read in smb_check_perm_dacl()

* tag 'v7.1-rc6-ksmbd-server-fixes' of git://git.samba.org/ksmbd:
  ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE
  ksmbd: release ksmbd_inode ref via ksmbd_inode_put on lookup paths
  ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops
2026-05-29 21:50:56 -07:00
Linus Torvalds 2765233a48 drm fixes for 7.1-rc6
dumb-buffer:
 - prevent overflows in dumb-buffer creation
 
 dma-buf:
 - fix UAF in dma_buf_fd() tracepoint
 
 gem:
 - fix for the fix for the fix for the change handle ioctl
 
 i915:
 - Fix potential UAF in TTM object purge
 - Use polling when irqs are unavailable
 - Fix HDR pre-CSC LUT programming loop
 - Block DC states on vblank enable when Panel Replay supported
 - Use DC_OFF wake reference to block DC6 on vblank enable
 
 xe:
 - Restore IDLEDLY register on engine reset
 
 amdgpu:
 - GEM_OP warning fix
 - GEM_OP locking fix
 - Userq fixes
 - DCN 2.1 refclk fix
 - SI fix
 - HMM fixes
 
 amdkfd:
 - svm_range_set_attr locking fix
 - CRIU restore fix
 - KFD debugger fix
 
 amdxdna:
 - require IOMMU on AIE2
 
 hyperv:
 - improve protocol validation
 
 ivpu:
 - test write offset in debugfs
 
 rocket:
 - fix UAF in bo creation

Merge tag 'drm-fixes-2026-05-30' of https://gitlab.freedesktop.org/drm/kernel

Pull drm fixes from Dave Airlie:
 "Regular pull, doesn't seem too insane or AI owned, couple of UAF fixes
  and another repair for an earlier fix, mostly amdgpu and i915 display
  with xe/i915 accel, and misc core/driver fixes.

  It might be a bit bigger than usual at this stage, but I'm not seeing
  anything too scary here.

  dumb-buffer:
   - prevent overflows in dumb-buffer creation

  dma-buf:
   - fix UAF in dma_buf_fd() tracepoint

  gem:
   - fix for the fix for the fix for the change handle ioctl

  i915:
   - Fix potential UAF in TTM object purge
   - Use polling when irqs are unavailable
   - Fix HDR pre-CSC LUT programming loop
   - Block DC states on vblank enable when Panel Replay supported
   - Use DC_OFF wake reference to block DC6 on vblank enable

  xe:
   - Restore IDLEDLY register on engine reset

  amdgpu:
   - GEM_OP warning fix
   - GEM_OP locking fix
   - Userq fixes
   - DCN 2.1 refclk fix
   - SI fix
   - HMM fixes

  amdkfd:
   - svm_range_set_attr locking fix
   - CRIU restore fix
   - KFD debugger fix

  amdxdna:
   - require IOMMU on AIE2

  hyperv:
   - improve protocol validation

  ivpu:
   - test write offset in debugfs

  rocket:
   - fix UAF in bo creation"

* tag 'drm-fixes-2026-05-30' of https://gitlab.freedesktop.org/drm/kernel: (33 commits)
  drm/gem: fix race between change_handle and handle_delete
  drm: prevent integer overflows in dumb buffer creation helpers
  dma-buf: fix UAF in dma_buf_fd() tracepoint
  drm/amdgpu: fix calling VM invalidation in amdgpu_hmm_invalidate_gfx
  drm/amdgpu: fix amdgpu_hmm_range_get_pages
  drm/amdgpu/userq: use array instead of list for userq_vas
  drm/amdgpu/userq: move mqd_destroy to later stage to keep core obj valid
  drm/amdkfd: fix a vulnerability of integer overflow in kfd debugger
  drm/amdgpu/userq: remove amdgpu_userq_create/destroy_object wrapper
  drm/amd/pm/si: Disregard vblank time when no displays are connected
  drm/amdkfd: Check for pdd drm file first in CRIU restore path
  drm/amdgpu: fix potential overflow in fs_info.debugfs_name
  drm/amdgpu/userq: make sure queue is valid in the hang_detect_work
  drm/amdgpu/userq: reserve root bo without interruption
  drm/amdgpu/userq: add amdgpu_bo_unpin when amdgpu_ttm_alloc_gart fails
  drm/amdgpu: simplify return value in amdgpu_userq_get_doorbell_index
  drm/amdkfd: fix NULL pointer bug in svm_range_set_attr
  drm/amd/display: Write REFCLK to 48MHz on DCN21
  drm/amdgpu/userq: Fix the mutex_init cleanup for fence_drv_lock
  drm/amdgpu/userq: Fix doorbell object cleanup of queue
  ...
2026-05-29 19:08:20 -07:00
Linus Torvalds f5e5d3509b spi: Updates for v7.1
One substantive fix here, fixing corruption of the maximum frequency for
 spi-mem operations which caused users to remember what should have been
 a temporarily modified maximum frequency as the standard going forward,
 potentially causing instability when the modification raised rather than
 lowered the frequency.
 
 We also have a trivial patch which just documents the correct way to
 describe the Qualcomm IPQ5210 SNAND controller in the DT, there are no
 code changes.

Merge tag 'spi-fix-v7.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi

Pull spi fixes from Mark Brown:
 "One substantive fix here, fixing corruption of the maximum frequency
  for spi-mem operations which caused users to remember what should have
  been a temporarily modified maximum frequency as the standard going
  forward, potentially causing instability when the modification raised
  rather than lowered the frequency.

  We also have a trivial patch which just documents the correct way to
  describe the Qualcomm IPQ5210 SNAND controller in the DT, there are no
  code changes"

* tag 'spi-fix-v7.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
  spi: spi-mem: avoid mutating op template in spi_mem_supports_op()
  spi: dt-bindings: spi-qpic-snand: Add ipq5210 compatible
2026-05-29 18:07:37 -07:00
Linus Torvalds 230ff934f7 regmap: Fix for v7.1
Some other fixing in an API user turned up the fact that we weren't
 correctly applying cache only mode to volatile registers in
 regmap_update_bits(), causing us to try to access hardware that was
 powered off or otherwise not in a state to accept I/O.  This fix returns
 an error instead, avoiding more serious consequences.

Merge tag 'regmap-fix-v7.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap

Pull regmap fix from Mark Brown:
 "Some other fixing in an API user turned up the fact that we weren't
  correctly applying cache only mode to volatile registers in
  regmap_update_bits(), causing us to try to access hardware that was
  powered off or otherwise not in a state to accept I/O. This fix
  returns an error instead, avoiding more serious consequences"

* tag 'regmap-fix-v7.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap:
  regmap: reject volatile update_bits() in cache-only mode
2026-05-29 16:39:56 -07:00
Linus Torvalds f3be0c984e Quick follow up, nothing super urgent here. Main reason I'm sending
this out is because the IPsec and Bluetooth PRs did not make it
 yesterday. I don't want to have to send you all of this + whatever
 comes next week, for rc7. The fixes under "Previous releases -
 regressions" are for real user-reported regressions from v7.0.
 
 Previous releases - regressions:
 
  - Revert "ipv6: preserve insertion order for same-scope addresses"
 
  - xfrm: move policy_bydst RCU sync, a fix which added a sync RCU
    on netns exit got backported to stable and was causing serious
    accumulation of dying netns's for real workloads
 
  - pcs-mtk-lynxi: fix bpi-r3 serdes configuration
 
 Previous releases - always broken:
 
  - usual grab bag of race, locking and leak fixes for Bluetooth
 
  - handful of page handling fixes for IPsec
 
 Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Merge tag 'net-7.1-rc6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

Pull more networking fixes from Jakub Kicinski:
 "Quick follow up, nothing super urgent here. Main reason I'm sending
  this out is because the IPsec and Bluetooth PRs did not make it
  yesterday. I don't want to have to send you all of this + whatever
  comes next week, for rc7. The fixes under "Previous releases -
  regressions" are for real user-reported regressions from v7.0.

  Previous releases - regressions:

   - Revert "ipv6: preserve insertion order for same-scope addresses"

   - xfrm: move policy_bydst RCU sync, a fix which added a sync RCU on
     netns exit got backported to stable and was causing serious
     accumulation of dying netns's for real workloads

   - pcs-mtk-lynxi: fix bpi-r3 serdes configuration

  Previous releases - always broken:

   - usual grab bag of race, locking and leak fixes for Bluetooth

   - handful of page handling fixes for IPsec"

* tag 'net-7.1-rc6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (36 commits)
  wireguard: send: append trailer after expanding head
  Revert "ipv6: preserve insertion order for same-scope addresses"
  net: skbuff: fix pskb_carve leaking zcopy pages
  ipv6: fix possible infinite loop in fib6_select_path()
  ipv6: fix possible infinite loop in rt6_fill_node()
  bpf: sockmap: fix tail fragment offset in bpf_msg_push_data
  vsock/virtio: bind uarg before filling zerocopy skb
  Revert "esp: fix page frag reference leak on skb_to_sgvec failure"
  net: pcs: pcs-mtk-lynxi: fix bpi-r3 serdes configuration
  sctp: fix race between sctp_wait_for_connect and peeloff
  net: mana: Skip redundant detach on already-detached port
  net: mana: Add NULL guards in teardown path to prevent panic on attach failure
  Bluetooth: hci_sync: Reset device counters in hci_dev_close_sync()
  Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close
  Bluetooth: hci_core: Rework hci_dev_do_reset() to use hci_sync functions
  Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock
  Bluetooth: ISO: fix UAF in iso_recv_frame
  Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp
  Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success
  Bluetooth: hci_qca: Use 100 ms SSR delay for rampatch and NVM loading
  ...
2026-05-29 15:46:40 -07:00
Linus Torvalds 77590cacab Clang build fixes for 7.1 #2
- Account for recently implemented -Wattribute-alias in clang by
   disabling it in the same places it is disabled for GCC.
 
 Signed-off-by: Nathan Chancellor <nathan@kernel.org>

Merge tag 'clang-fixes-7.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/nathan/linux

Pull clang build fix from Nathan Chancellor:
 "A small fix to disable -Wattribute-alias for clang in the few places
  it is already disabled for GCC, now that tip of tree clang has
  implemented -Wattribute-alias as GCC has"

* tag 'clang-fixes-7.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/nathan/linux:
  Disable -Wattribute-alias for clang-23 and newer
2026-05-29 15:17:53 -07:00
Zhenghang Xiao 7164d78559 drm/gem: fix race between change_handle and handle_delete
drm_gem_change_handle_ioctl leaves the old handle live in the IDR
during the window between spin_unlock(table_lock) and the final
spin_lock(table_lock). A concurrent drm_gem_handle_delete on the old
handle succeeds in this window, decrements handle_count to 0, and frees
the GEM object while the new handle's IDR entry still references it.

NULL the old handle's IDR entry before dropping table_lock so that any
concurrent GEM_CLOSE on the old handle sees NULL and returns -EINVAL.
Restore the old entry on the prime-bookkeeping error path.

Fixes: 5e28b7b944 ("drm: Set old handle to NULL before prime swap in change_handle")
Signed-off-by: Zhenghang Xiao <kipreyyy@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patch.msgid.link/20260526085313.26791-1-kipreyyy@gmail.com
2026-05-30 07:01:39 +10:00
Linus Torvalds d0ee290071 Arm:
- Restore CONFIG_PKVM_DISABLE_STAGE2_ON_PANIC to its former glory by
   making sure the config symbol is correctly spelled out in the code
 
 - Don't reset the AArch32 view of the PMU counters to zero when the
   guest is writing to them
 
 - Fix an assorted collection of memory leaks in the newly added tracing
   code
 
 - Fix the capping of ZCR_EL2 which could be used in an unsanitised way
   by an L2 guest
 
 x86:
 
 - Include the kernel's linux/mman.h in KVM selftests to ensure MADV_COLLAPSE
   is defined, as older libc versions may not provide it.
 
 - Include execinfo.h if and only if KVM selftests are building against glibc,
   and provide a test_dump_stack() for non-glibc builds.
 
 - Silence an annoying RCU splat on (even non-KVM-related) panics.  The splat
   is technically legit, but in practice not an issue.  To have a race, you
   would need to unload the KVM modules at exactly the time a panic happens;
   and speaking of incredibly rare races, taking the locks risks introducing
   a deadlock if the module unload code took the lock on a CPU that has been
   halted.  Which seems possibly more likely than the RCU grace period issue,
   so just shut it up.  This code used to be in KVM but is now outside it;
   but the x86 maintainers haven't picked it up, so here we are.
 
 - Rate-limit global clock updates once again (but without delayed work), as
   KVM was subtly relying on the old rate-limiting for NPT correction to guard
   against "update storms" when running without a master clock on systems with
   overcommitted CPUs.
 
 - Fix a brown paper bag goof where KVM checked if ERAPS is "dirty" instead of
   marking it dirty when emulating INVPCID.
 
 - Flush the TLB when transitioning from xAVIC => x2AVIC to ensure the CPU TLB
   doesn't contain AVIC-tagged entries for the APIC base GPA.
 
 - The top 10 commits fix buffer overflow (and potential TOC/TOU) flaws in the
   page state change protocol for encrypted VMs.  AI models find it quite
   easily given it was reported three times, but aren't as good at writing
   a comprehensive fix.  There's more to clean up in the area, which will
   come in 7.2.

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull kvm fixes from Paolo Bonzini:
 "arm64:

   - Restore CONFIG_PKVM_DISABLE_STAGE2_ON_PANIC to its former glory by
     making sure the config symbol is correctly spelled out in the code

   - Don't reset the AArch32 view of the PMU counters to zero when the
     guest is writing to them

   - Fix an assorted collection of memory leaks in the newly added
     tracing code

   - Fix the capping of ZCR_EL2 which could be used in an unsanitised
     way by an L2 guest

  x86:

   - Include the kernel's linux/mman.h in KVM selftests to ensure
     MADV_COLLAPSE is defined, as older libc versions may not provide
     it.

   - Include execinfo.h if and only if KVM selftests are building
     against glibc, and provide a test_dump_stack() for non-glibc
     builds.

   - Silence an annoying RCU splat on (even non-KVM-related) panics.

     The splat is technically legit, but in practice not an issue. To
     have a race, you would need to unload the KVM modules at exactly
     the time a panic happens; and speaking of incredibly rare races,
     taking the locks risks introducing a deadlock if the module unload
     code took the lock on a CPU that has been halted. Which seems
     possibly more likely than the RCU grace period issue, so just shut
     it up. This code used to be in KVM but is now outside it; but the
     x86 maintainers haven't picked it up, so here we are.

   - Rate-limit global clock updates once again (but without delayed
     work), as KVM was subtly relying on the old rate-limiting for NPT
     correction to guard against "update storms" when running without a
     master clock on systems with overcommitted CPUs.

   - Fix a brown paper bag goof where KVM checked if ERAPS is "dirty"
     instead of marking it dirty when emulating INVPCID.

   - Flush the TLB when transitioning from xAVIC => x2AVIC to ensure the
     CPU TLB doesn't contain AVIC-tagged entries for the APIC base GPA.

   - The top 10 commits fix buffer overflow (and potential TOC/TOU)
     flaws in the page state change protocol for encrypted VMs. AI
     models find it quite easily given it was reported three times, but
     aren't as good at writing a comprehensive fix. There's more to
     clean up in the area, which will come in 7.2"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (22 commits)
  KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer
  KVM: SEV: Check PSC request indices against the actual size of the buffer
  KVM: SEV: Don't explicitly pass PSC buffer to snp_begin_psc()
  KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0
  KVM: SEV: Compute the correct max length of the in-GHCB scratch area
  KVM: SEV: Use the size of the PSC header as the minimum size for PSC requests
  KVM: SEV: Ignore Port I/O requests of length '0'
  KVM: SEV: Reject MMIO requests larger than 8 bytes with GHCB v2+
  KVM: SEV: Ignore MMIO requests of length '0'
  KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use
  KVM: arm64: Correctly cap ZCR_EL2 provided by a guest hypervisor
  KVM: arm64: Fix memory leak in hyp_trace_unload()
  KVM: arm64: Fix rollback in hyp_trace_buffer_share_hyp()
  KVM: arm64: Fix meta-page unsharing in pKVM hyp tracing
  KVM: arm64: PMU: Preserve AArch32 counter low bits
  KVM: SVM: Flush the current TLB when transitioning from xAVIC => x2AVIC
  KVM: x86: Fix ERAPS RAP clear on INVPCID single-context invalidation
  KVM: arm64: Fix CONFIG_PKVM_DISABLE_STAGE2_ON_PANIC
  KVM: selftests: Guard execinfo.h inclusion for non-glibc builds
  KVM: x86: Rate-limit global clock updates on vCPU load
  ...
2026-05-29 13:47:55 -07:00
Dave Airlie 6e40c93789 Short summary of fixes pull:
amdxdna:
 - require IOMMU on AIE2
 
 dumb-buffer:
 - prevent overflows in dumb-buffer creation
 
 dma-buf:
 - fix UAF in dma_buf_fd() tracepoint
 
 hyperv:
 - improve protocol validation
 
 ivpu:
 - test write offset in debugfs
 
 rocket:
 - fix UAF in bo creation

Merge tag 'drm-misc-fixes-2026-05-29' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes

Short summary of fixes pull:

amdxdna:
- require IOMMU on AIE2

dumb-buffer:
- prevent overflows in dumb-buffer creation

dma-buf:
- fix UAF in dma_buf_fd() tracepoint

hyperv:
- improve protocol validation

ivpu:
- test write offset in debugfs

rocket:
- fix UAF in bo creation

Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patch.msgid.link/20260529070009.GA313534@linux.fritz.box
2026-05-30 06:40:28 +10:00
Jakub Kicinski 78ef59e7a6 Merge branch 'wireguard-fixes-for-7-1-rc6'
Jason A. Donenfeld says:

====================
WireGuard fixes for 7.1-rc6

Please find one small patch, fixing the order of adding padding onto a
packet, to ensure padding bytes get zeroed properly.
====================

Link: https://patch.msgid.link/20260529173134.3080773-1-Jason@zx2c4.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-29 13:01:31 -07:00
Jason A. Donenfeld f75e3eb08f wireguard: send: append trailer after expanding head
With how this is currently written, we add the trailer, zero it out, and
then add the header space on. If that header space requires a
reallocation + copy, the zeros in the trailer aren't copied, because the
skb len hasn't actually been expanded yet to cover that. Instead, add the
padding at the end of the process rather than at the beginning.

Fixes: e7096c131e ("net: WireGuard secure network tunnel")
Cc: stable@vger.kernel.org
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Link: https://patch.msgid.link/20260529173134.3080773-2-Jason@zx2c4.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-29 13:01:27 -07:00
Fernando Fernandez Mancera 072aa0f5c3 Revert "ipv6: preserve insertion order for same-scope addresses"
Chris Adams reported that preserving insertion order for same-scope
addresses is causing SSH connections to be dropped after stopping a VM
while running NetworkManager.

NetworkManager caches the IPv6 address configuration. When an RA arrives,
it determines the list of addresses to configure and checks if the
addresses are already in the right order in the kernel. If they aren't,
NetworkManager removes and re-adds them to achieve the desired order.

As the order changes, NetworkManager is confused and reconfigures the
addresses on every update. In addition, this would also affect cloud
tooling that relies on IPv6 address order to identify primary and
secondary addresses.

This reverts commit cb3de96eea.

Fixes: cb3de96eea ("ipv6: preserve insertion order for same-scope addresses")
Reported-by: Chris Adams <linux@cmadams.net>
Closes: https://lore.kernel.org/netdev/20260521135310.GC977@cmadams.net/
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Link: https://patch.msgid.link/20260529112357.5079-1-fmancera@suse.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-29 13:00:54 -07:00
Jakub Kicinski c84ff04def ipsec-2026-05-29

Merge tag 'ipsec-2026-05-29' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec

Steffen Klassert says:

====================
pull request (net): ipsec 2026-05-29

1) xfrm: route MIGRATE notifications to caller's netns
   Thread the caller's netns through km_migrate() so that
   MIGRATE notifications go to the issuing netns, fixing both the
   init_net listener leak and MOBIKE notifications inside
   non-init netns. From Maoyi Xie.

2) xfrm: ipcomp: Free destination pages on acomp errors
   Move the out_free_req label up so that allocated destination
   pages are released on decompression errors, not only on success.
   From Herbert Xu.

3) xfrm: Check for underflow in xfrm_state_mtu
   Reject configurations that cause xfrm_state_mtu() to underflow,
   preventing a negative TFCPAD value from becoming a memset size
   that triggers an out-of-bounds write of several terabytes.
   From David Ahern.

4) xfrm: ah: use skb_to_full_sk in async output callbacks
   Convert the possibly-incomplete skb->sk to a full socket pointer
   in async AH callbacks so that a request_sock or timewait_sock
   never reaches xfrm_output_resume() downstream consumers.
   From Michael Bommarito.

5) Add and revert: esp: fix page frag reference leak on skb_to_sgvec failure
   The patch does not fix the issue completely.

6) xfrm: esp: restore combined single-frag length gate
   Check the aligned post-trailer combined length against a page limit
   in the fast path, preventing skb_page_frag_refill() from falling
   back to a page too small for the destination scatterlist.
   From Jingguo Tan.

7) xfrm: iptfs: reset runtime state when cloning SAs
   Reinitialise the clone's mode_data runtime objects before
   publishing it, preventing queued skbs from being freed with
   list state copied from the original SA when migration fails.
   From Shaomin Chen.

8) xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit
   Flush policy tables and drain the workqueue in a .pre_exit handler
   so that cleanup_net() pays one RCU grace period per batch instead
   of one per namespace, fixing stalls at high CLONE_NEWNET rates.
   From Usama Arif.

9) xfrm: input: hold netns during deferred transport reinjection
   Take a netns reference when queueing deferred transport reinjection
   work and drop it after the callback completes, keeping the skb->cb
   net pointer valid until the deferred work runs.
   From Zhengchuan Liang.

* tag 'ipsec-2026-05-29' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec:
  Revert "esp: fix page frag reference leak on skb_to_sgvec failure"
  xfrm: input: hold netns during deferred transport reinjection
  xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit
  xfrm: iptfs: reset runtime state when cloning SAs
  xfrm: esp: restore combined single-frag length gate
  esp: fix page frag reference leak on skb_to_sgvec failure
  xfrm: ah: use skb_to_full_sk in async output callbacks
  xfrm: Check for underflow in xfrm_state_mtu
  xfrm: ipcomp: Free destination pages on acomp errors
  xfrm: route MIGRATE notifications to caller's netns
====================

Link: https://patch.msgid.link/20260529092648.3878973-1-steffen.klassert@secunet.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-29 12:57:23 -07:00
Pavel Begunkov ff6e798c2e net: skbuff: fix pskb_carve leaking zcopy pages
When SKBFL_MANAGED_FRAG_REFS is set, frag pages are not refcounted but
their lifetime is controlled by the attached ubuf_info. To make a copy
of the skb_shared_info, we either should clear the flag and reference
the frags, or keep the flag and have frags unreferenced.

pskb_carve_inside_header() and pskb_carve_inside_nonlinear() don't
follow the rule and thus can leak page references. Let's clear
SKBFL_MANAGED_FRAG_REFS from the original skb to fix it. It's the
simplest way to address it, but there are more performant ways to do
that if it ever becomes a problem.

Link: https://lore.kernel.org/all/20260523085809.26331-1-nvminh232@clc.fitus.edu.vn/
Fixes: 753f1ca4e1 ("net: introduce managed frags infrastructure")
Reported-by: Minh Nguyen <minhnguyen.080505@gmail.com>
Reported-by: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/1e2086aa69217d7f9c8da3d38f5be7160f1b4cd1.1779993185.git.asml.silence@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-29 12:55:27 -07:00
Jiayuan Chen 9c7da87c2d ipv6: fix possible infinite loop in fib6_select_path()
Found while auditing the same pattern Sashiko reported in
rt6_fill_node() [1]. Apply the same fix as
commit f8d8ce1b51 ("ipv6: fix possible infinite loop in fib6_info_uses_dev()").

Writers holding tb6_lock can list_del_rcu(&first->fib6_siblings)
without waiting for RCU readers; first->fib6_siblings.next then
still points into the old ring and this softirq-side walker never
reaches &first->fib6_siblings as its terminator. fib6_purge_rt()
always WRITE_ONCE()s first->fib6_nsiblings to 0 before
list_del_rcu(), so an inside-loop check is a reliable detach signal.

[1] https://sashiko.dev/#/patchset/20260526020227.4857-1-jiayuan.chen%40linux.dev

Fixes: d9ccb18f83 ("ipv6: Fix soft lockups in fib6_select_path under high next hop churn")
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260527053133.180695-2-jiayuan.chen@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-29 12:41:00 -07:00
Jiayuan Chen 9f72412bcf ipv6: fix possible infinite loop in rt6_fill_node()
Sashiko reported this issue [1]. Apply the same fix as
commit f8d8ce1b51 ("ipv6: fix possible infinite loop in fib6_info_uses_dev()").

Writers holding tb6_lock can list_del_rcu(&rt->fib6_siblings)
without waiting for RCU readers; rt->fib6_siblings.next then still
points into the old ring and this softirq-side walker never reaches
&rt->fib6_siblings, causing a CPU stall. fib6_del_route() always
WRITE_ONCE()s rt->fib6_nsiblings to 0 before list_del_rcu(), so an
inside-loop check is a reliable detach signal.

[1] https://sashiko.dev/#/patchset/20260526020227.4857-1-jiayuan.chen%40linux.dev

Fixes: d9ccb18f83 ("ipv6: Fix soft lockups in fib6_select_path under high next hop churn")
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260527053133.180695-1-jiayuan.chen@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-29 12:40:05 -07:00
Yuqi Xu f72eed9b84 bpf: sockmap: fix tail fragment offset in bpf_msg_push_data
When bpf_msg_push_data() inserts data in the middle of a scatterlist
entry, it splits the original entry into a left fragment and a right
fragment.

The right fragment offset is page-local, but the code advances it with
`start`, which is the message-global insertion point. For inserts into a
non-first SG entry, this over-advances the offset and leaves the split
layout inconsistent.

Advance the right fragment offset by the fragment-local delta,
`start - offset`, which matches the length removed from the front of the
original entry.

Fixes: 6fff607e2f ("bpf: sk_msg program helper bpf_msg_push_data")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Yuqi Xu <xuyq21@lenovo.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Link: https://patch.msgid.link/8b129d10566aa3eb43f61a8f9757bcf51707d324.1779636774.git.xuyq21@lenovo.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-29 12:38:35 -07:00
Jingguo Tan 1e584c304c vsock/virtio: bind uarg before filling zerocopy skb
virtio_transport_send_pkt_info() allocates or reuses the zerocopy uarg
before entering the send loop, but virtio_transport_alloc_skb() still
fills the skb before it inherits that uarg. When fixed-buffer vectored
zerocopy hits MAX_SKB_FRAGS, io_sg_from_iter() may partially attach
managed frags and return -EMSGSIZE. The rollback path calls kfree_skb()
to free an skb that carries SKBFL_MANAGED_FRAG_REFS but no uarg, so
skb_release_data() falls through to ordinary frag unref.

Pass the uarg into virtio_transport_alloc_skb() and bind it immediately
before virtio_transport_fill_skb(). This keeps control or no-payload skbs
untouched while ensuring success and rollback share one lifetime rule.

Fixes: 581512a6dc ("vsock/virtio: MSG_ZEROCOPY flag support")
Signed-off-by: Lin Ma <malin89@huawei.com>
Signed-off-by: Rongzhen Cui <cuirongzhen@huawei.com>
Signed-off-by: Jingguo Tan <tanjingguo@huawei.com>
Acked-by: Arseniy Krasnov <avkrasnov@salutedevices.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/20260527023301.1075581-1-malin89@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-29 12:38:00 -07:00
Paolo Bonzini 713074d53b Merge commit 'kvm-psc-for-7.1' into HEAD 2026-05-29 20:25:59 +02:00
Sean Christopherson c8cc238093 KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer
Use READ_ONCE() when reading entries/indices from the guest-accessible
Page State Change buffer to defend against TOCTOU bugs.

Don't bother with READ_ONCE()/WRITE_ONCE() for cases where KVM is writing
(and not consuming the result!), as the guest isn't supposed to touch the
buffer while it's being processed.  I.e. using READ_ONCE() is all about
protecting against misbehaving guests.

Fixes: 9b54e248d2 ("KVM: SEV: Add support to handle Page State Change VMGEXIT")
Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260501202250.2115252-11-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2026-05-29 20:25:29 +02:00
Sean Christopherson 121d88de56 KVM: SEV: Check PSC request indices against the actual size of the buffer
When processing Page State Change (PSC) requests, validate the PSC buffer
against the effective size of the scratch area, which could be less than
the maximum size if the guest provided a pointer that isn't exactly at the
start of the GHCB shared buffer.

Fixes: 9b54e248d2 ("KVM: SEV: Add support to handle Page State Change VMGEXIT")
Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Michael Roth <michael.roth@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260501202250.2115252-10-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2026-05-29 20:25:29 +02:00
Sean Christopherson ebe4b2dc9c KVM: SEV: Don't explicitly pass PSC buffer to snp_begin_psc()
Stop explicitly passing the PSC buffer to snp_begin_psc(): it *must*
be the scratch area.  This will allow fixing a variety of bugs without
further complicating the code.

No functional change intended.

Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Michael Roth <michael.roth@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260501202250.2115252-9-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2026-05-29 20:25:28 +02:00
Sean Christopherson f185e05dce KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0
Now that all paths in KVM properly validate the length needed for the
scratch area, and are guaranteed to pass in a non-zero length, WARN if KVM
attempts to configure the scratch area with min_len==0 to guard against
future bugs.

Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Michael Roth <michael.roth@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260501202250.2115252-8-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2026-05-29 20:25:28 +02:00
Sean Christopherson 5867d7e202 KVM: SEV: Compute the correct max length of the in-GHCB scratch area
When setting the length of the GHCB scratch area, and the area is in the
GHCB shared buffer, set the effective length of the scratch area to the max
possible size given the start of the guest-provided pointer, and the end of
the shared buffer.

The code was "fine" when first introduced, as KVM doesn't consult the
length of the buffer when emulating MMIO, because the passed in @len always
specifies the *max* size required.  But for PSC requests, the incoming @len
is just the minimum length (to process the header), and KVM needs to know
the full size of the scratch area to avoid buffer overflows (spoiler alert).

Opportunistically rename @len => @min_len to better reflect its role.

Fixes: 9b54e248d2 ("KVM: SEV: Add support to handle Page State Change VMGEXIT")
Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Michael Roth <michael.roth@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260501202250.2115252-7-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2026-05-29 20:25:28 +02:00
Sean Christopherson 2be54670bd KVM: SEV: Use the size of the PSC header as the minimum size for PSC requests
When handling a Page State Change (PSC) #VMGEXIT use the size of the PSC
header as the minimum size for the scratch area.  Per the GHCB spec, PSC
requests do NOT provide the length, i.e. using control->exit_info_2 for the
length is completely made up behavior.  The existing code "works", e.g.
even though Linux-as-a-guest always passes '0', because KVM doesn't do
anything with the length when the request is in the GHCB's shared buffer.

Use the header as the min length.  Once the header is retrieved, KVM can
use the specified indices to compute the full size of the request.

Fixes: 9b54e248d2 ("KVM: SEV: Add support to handle Page State Change VMGEXIT")
Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Michael Roth <michael.roth@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260501202250.2115252-6-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2026-05-29 20:25:28 +02:00
Sean Christopherson 3988bd2723 KVM: SEV: Ignore Port I/O requests of length '0'
Explicitly ignore Port I/O requests of length '0' (or count '0'), so that
setting up the software scratch area (and other code) doesn't have to
worry about underflowing the length, and to allow for WARNing on trying
to configure the scratch area with len==0.

Fixes: 291bd20d5d ("KVM: SVM: Add initial support for a VMGEXIT VMEXIT")
Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260501202250.2115252-5-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2026-05-29 20:25:28 +02:00
Sean Christopherson dcf1b2d4b0 KVM: SEV: Reject MMIO requests larger than 8 bytes with GHCB v2+
When using GHCB v2+, reject MMIO requests that are larger than 8 bytes.
Per the GHCB spec:

  SW_EXITINFO2 must be less than or equal to 0x7fffffff for version 1 and
  less than or equal to 0x8 for all other versions.

Fixes: 4af663c2f6 ("KVM: SEV: Allow per-guest configuration of GHCB protocol version")
Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260501202250.2115252-4-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2026-05-29 20:25:28 +02:00
Sean Christopherson 1aa8a6dc7d KVM: SEV: Ignore MMIO requests of length '0'
Explicitly ignore MMIO requests of length '0', so that setting up the
software scratch area (and other code) doesn't have to worry about
underflowing the length, and to allow for special casing '0' in the
future.

Fixes: 8f423a80d2 ("KVM: SVM: Support MMIO for an SEV-ES guest")
Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260501202250.2115252-3-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2026-05-29 20:25:28 +02:00
Michael Roth db3f2195d2 KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use
As per the GHCB spec, when using GHCB v2+ require the software scratch area
to reside in the GHCB's shared buffer.  Note, things like Page State Change
(PSC) requests _rely_ on this behavior, as the guest can't provide a length
when making the request, i.e. the size of the guest payload is bounded by
the size of the shared buffer.

Failure to force usage of the GHCB, and a slew of other flaws, lets a
malicious SNP guest corrupt host kernel heap memory, and leak host heap
layout information.

setup_vmgexit_scratch() allocates a buffer via kvzalloc(exit_info_2),
where exit_info_2 is guest-controlled. With exit_info_2=24, this yields
a 24-byte allocation in kmalloc-cg-32 (32-byte slab objects). The buffer
holds an 8-byte psc_hdr followed by 8-byte psc_entry structs, so only
entries[0] and entries[1] are in-bounds.

snp_begin_psc() validates end_entry against VMGEXIT_PSC_MAX_COUNT (253)
but NOT against the actual buffer size:

      idx_end = hdr->end_entry;

      if (idx_end >= VMGEXIT_PSC_MAX_COUNT) {   // checks 253, not buffer
          snp_complete_psc(svm, ...);
          return 1;
      }

      for (idx = idx_start; idx <= idx_end; idx++) {
          entry_start = entries[idx];           // OOB when idx >= 2

The guest sets end_entry=10+, causing the host to iterate entries[2+]
which are OOB into adjacent slab objects. For each OOB entry:

  - The host reads 8 bytes (OOB READ / info leak oracle)
  - If the data passes PSC validation, __snp_complete_one_psc() writes
    cur_page = 1 or 512 into the entry (OOB WRITE, sev.c:3806)
  - If validation fails, the error response reveals whether adjacent
    memory is zero vs non-zero (information disclosure to guest)

The guest controls allocation size (exit_info_2), entry range
(cur_entry/end_entry), and can fire unlimited VMGEXITs to repeatedly
hit different slab positions.

By exploiting the variety of bugs, a malicious SEV-SNP guest can:
    - OOB read adjacent kmalloc-cg-32 objects (heap layout disclosure)
    - OOB write cur_page bits into adjacent objects (heap corruption)
    - Trigger use-after-free conditions across VMGEXITs

E.g. with KASAN enabled, a single insmod of the PoC guest module
produces 73 KASAN reports:

    BUG: KASAN: slab-out-of-bounds in snp_begin_psc+0x126/0x890
    Read of size 8 at addr ffff888219ffb5e0 by task qemu-system-x86/2199

    BUG: KASAN: slab-out-of-bounds in snp_begin_psc+0x468/0x890
    Write of size 8 at addr ffff888351566648 by task qemu-system-x86/2199

    The buggy address belongs to the object at ffff888XXXXXXXXX
     which belongs to the cache kmalloc-cg-32 of size 32
    The buggy address is located N bytes to the right of
     allocated 32-byte region [ffff888XXXXXXXXX, ffff888XXXXXXXXX)

  Breakdown:
    62 slab-out-of-bounds (reads + writes past allocation)
     7 slab-use-after-free
     4 use-after-free

All credit to Stan for the wonderful description and reproducer!

Reported-by: Stan Shaw <shawstan96@gmail.com>
Cc: Michael Roth <michael.roth@amd.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Peter Gonda <pgonda@google.com>
Cc: Jacky Li <jackyli@google.com>
Fixes: 4af663c2f6 ("KVM: SEV: Allow per-guest configuration of GHCB protocol version")
Cc: stable@vger.kernel.org
Signed-off-by: Michael Roth <michael.roth@amd.com>
[sean: write changelog]
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260501202250.2115252-2-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2026-05-29 20:25:28 +02:00
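The bounds rule described in this changelog and in the "Check PSC request indices against the actual size of the buffer" commit above, as an added user-space C model; it is not code from the kernel or from these commits. The struct field layout, the helper names and the 24-byte sample request are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PSC_MAX_COUNT 253u /* VMGEXIT_PSC_MAX_COUNT as quoted in the changelog */

/* The changelog gives the sizes (8-byte header, 8-byte entries) and the
 * cur_entry/end_entry names; the field layout below is an assumption. */
struct psc_hdr   { uint16_t cur_entry; uint16_t end_entry; uint32_t reserved; };
struct psc_entry { uint64_t raw; };

enum psc_status { PSC_OK, PSC_TOO_SHORT, PSC_BAD_RANGE, PSC_PAST_BUFFER };

/* Bytes usable between a guest-chosen offset and the end of the shared buffer. */
size_t scratch_effective_len(size_t shared_size, size_t offset)
{
    return offset < shared_size ? shared_size - offset : 0;
}

/* The pre-fix predicate: end_entry is compared only to the protocol maximum. */
int legacy_accepts(uint16_t end_entry)
{
    return end_entry < PSC_MAX_COUNT;
}

/* Hardened check: copy the header once, then bound the indices by the number
 * of entries that really fit in the len bytes backing the request. */
enum psc_status psc_validate(const uint8_t *scratch, size_t len,
                             uint16_t *first, uint16_t *last)
{
    struct psc_hdr hdr;
    size_t capacity;

    if (len < sizeof(hdr))
        return PSC_TOO_SHORT;
    /* Snapshot of guest-writable memory; user-space stand-in for READ_ONCE(). */
    memcpy(&hdr, scratch, sizeof(hdr));
    capacity = (len - sizeof(hdr)) / sizeof(struct psc_entry);

    if (hdr.cur_entry > hdr.end_entry || hdr.end_entry >= PSC_MAX_COUNT)
        return PSC_BAD_RANGE;
    if (hdr.end_entry >= capacity)
        return PSC_PAST_BUFFER;
    *first = hdr.cur_entry;
    *last = hdr.end_entry;
    return PSC_OK;
}

/* Walk only validated entries; returns the entry count or -status. */
int psc_walk(const uint8_t *scratch, size_t len)
{
    uint16_t first, last;
    enum psc_status st = psc_validate(scratch, len, &first, &last);
    int visited = 0;

    if (st != PSC_OK)
        return -(int)st;
    for (uint32_t idx = first; idx <= last; idx++) {
        struct psc_entry e;

        memcpy(&e, scratch + sizeof(struct psc_hdr) + idx * sizeof(e), sizeof(e));
        (void)e.raw; /* a real handler would decode the entry here */
        visited++;
    }
    return visited;
}

/* Constructed sample input: write a header into a request buffer. */
void psc_build(uint8_t *buf, uint16_t cur, uint16_t end)
{
    struct psc_hdr hdr = { cur, end, 0 };

    memcpy(buf, &hdr, sizeof(hdr));
}

int main(void)
{
    uint8_t req[24] = { 0 }; /* constructed: header plus two entries */

    psc_build(req, 0, 10);
    printf("end_entry=10 legacy=%d hardened=%d\n",
           legacy_accepts(10), psc_walk(req, sizeof(req)));
    psc_build(req, 0, 1);
    printf("end_entry=1  hardened=%d\n", psc_walk(req, sizeof(req)));
    return 0;
}
```

The 24-byte request with end_entry=10 passes the protocol-maximum check but is rejected once the index is compared with the two entries the buffer actually holds.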
Linus Torvalds 9215e74f22 block-7.1-20260529

Merge tag 'block-7.1-20260529' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux

Pull block fix from Jens Axboe:
 "Just a single fix for the block side, making a slight tweak to a fix
  from this cycle"

* tag 'block-7.1-20260529' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux:
  blk-mq: reinsert cached request to the list
2026-05-29 10:41:07 -07:00
Linus Torvalds 80169db922 io_uring-7.1-20260529

Merge tag 'io_uring-7.1-20260529' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux

Pull io_uring fix from Jens Axboe:
 "Just a single fix for a regression introduced in this cycle, where
  we should ensure the node is visible before the entry is added to
  the tctx list"

* tag 'io_uring-7.1-20260529' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux:
  io_uring/tctx: set ->io_uring before publishing the tctx node
2026-05-29 10:36:57 -07:00
Paolo Bonzini 5ff17b1958 KVM/arm64 fixes for 7.1, take #4
- Restore CONFIG_PKVM_DISABLE_STAGE2_ON_PANIC to its former glory by
   making sure the config symbol is correctly spelled out in the code
 
 - Don't reset the AArch32 view of the PMU counters to zero when the
   guest is writing to them
 
 - Fix an assorted collection of memory leaks in the newly added tracing
   code
 
 - Fix the capping of ZCR_EL2 which could be used in an unsanitised way
   by an L2 guest

Merge tag 'kvmarm-fixes-7.1-4' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEAD

KVM/arm64 fixes for 7.1, take #4

- Restore CONFIG_PKVM_DISABLE_STAGE2_ON_PANIC to its former glory by
  making sure the config symbol is correctly spelled out in the code

- Don't reset the AArch32 view of the PMU counters to zero when the
  guest is writing to them

- Fix an assorted collection of memory leaks in the newly added tracing
  code

- Fix the capping of ZCR_EL2 which could be used in an unsanitised way
  by an L2 guest
2026-05-29 19:30:56 +02:00
Paolo Bonzini b397897016 KVM x86 fixes for 7.1-rcN
- Include the kernel's linux/mman.h in KVM selftests to ensure MADV_COLLAPSE
    is defined, as older libc versions may not provide it.
 
  - Include execinfo.h if and only if KVM selftests are building against glibc,
    and provide a test_dump_stack() for non-glibc builds.
 
  - Fudge around an RCU splat in the emergency reboot code that is technically
    a legitimate flaw, but in practice is a non-issue and fixing the flaw, e.g.
    by adding locking, would incur meaningful risk, i.e. do more harm than good.
 
  - Rate-limit global clock updates once again (but without delayed work), as
    KVM was subtly relying on the old rate-limiting for NPT correction to guard
    against "update storms" when running without a master clock on systems with
    overcommitted CPUs.
 
  - Fix a brown paper bag goof where KVM checked if ERAPS is "dirty" instead of
    marking it dirty when emulating INVPCID.
 
  - Flush the TLB when transitioning from xAVIC => x2AVIC to ensure the CPU TLB
    doesn't contain AVIC-tagged entries for the APIC base GPA.

Merge tag 'kvm-x86-fixes-7.1-rc6' of https://github.com/kvm-x86/linux into HEAD

KVM x86 fixes for 7.1-rcN

 - Include the kernel's linux/mman.h in KVM selftests to ensure MADV_COLLAPSE
   is defined, as older libc versions may not provide it.

 - Include execinfo.h if and only if KVM selftests are building against glibc,
   and provide a test_dump_stack() for non-glibc builds.

 - Fudge around an RCU splat in the emergency reboot code that is technically
   a legitimate flaw, but in practice is a non-issue and fixing the flaw, e.g.
   by adding locking, would incur meaningful risk, i.e. do more harm than good.

 - Rate-limit global clock updates once again (but without delayed work), as
   KVM was subtly relying on the old rate-limiting for NPT correction to guard
   against "update storms" when running without a master clock on systems with
   overcommitted CPUs.

 - Fix a brown paper bag goof where KVM checked if ERAPS is "dirty" instead of
   marking it dirty when emulating INVPCID.

 - Flush the TLB when transitioning from xAVIC => x2AVIC to ensure the CPU TLB
   doesn't contain AVIC-tagged entries for the APIC base GPA.
2026-05-29 19:28:16 +02:00
Linus Torvalds 3101173200 cxl fixes for v7.1-rc6
cxl/test: Update mock dev array before calling platform_device_add()

Merge tag 'cxl-fixes-7.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl

Pull Compute Express Link (CXL) fixes from Dave Jiang:

 - cxl/test: update mock dev array before calling platform_device_add()

* tag 'cxl-fixes-7.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl:
  cxl/test: Update mock dev array before calling platform_device_add()
2026-05-29 10:04:09 -07:00
Linus Torvalds b0ab604210 IOMMU Fixes for Linux v7.1-rc5
Including:
 
 	- Fix compile warning with gcc-16.1
 
 	- Intel VT-d: Simplify calculate_psi_aligned_address()
 
 	- MAINTAINERS updates

Merge tag 'iommu-fixes-v7.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/iommu/linux

Pull iommu fixes from Joerg Roedel:

 - Fix compile warning with gcc-16.1

 - Intel VT-d: Simplify calculate_psi_aligned_address()

 - MAINTAINERS updates

* tag 'iommu-fixes-v7.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/iommu/linux:
  MAINTAINERS: Add my employer to my entries
  MAINTAINERS: Add Vasant Hegde to reviewers of AMD IOMMU
  iommu, debugobjects: avoid gcc-16.1 section mismatch warnings
  iommu/vt-d: Simplify calculate_psi_aligned_address()
2026-05-29 09:25:58 -07:00
Linus Torvalds 7b55445960 sound fixes for 7.1-rc6
A collection of recent small fixes and quirks.
 We still see a bit more changes than wished, but most of them are
 device-specific ones that are pretty safe to apply, while a core fix
 is a typical UAF fix for PCM core that was recently caught by fuzzer;
 so overall nothing looks really worrisome.
 
 * Core:
 - Fix a UAF in PCM OSS proc interface
 
 * HD-audio:
 - Fix memory leaks in CS35L56 driver
 - Various device-specific quirks for Realtek and CS420x codecs
 
 * USB-audio:
 - Quirk for TAE1160 USB Audio
 - Fix for Scarlett2 Gen4 direct monitor gain
 
 * ASoC:
 - Fixes for QCom q6asm-dai, Intel bytcht_es8316, and simple-mux codec
 
 * FireWire:
 - Fix for Motu DSP event queue protection

Merge tag 'sound-7.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "A collection of recent small fixes and quirks.

  We still see a bit more changes than wished, but most of them are
  device-specific ones that are pretty safe to apply, while a core fix
  is a typical UAF fix for PCM core that was recently caught by fuzzer;
  so overall nothing looks really worrisome.

  Core:
   - Fix a UAF in PCM OSS proc interface

  HD-audio:
   - Fix memory leaks in CS35L56 driver
   - Various device-specific quirks for Realtek and CS420x codecs

  USB-audio:
   - Quirk for TAE1160 USB Audio
   - Fix for Scarlett2 Gen4 direct monitor gain

  ASoC:
   - Fixes for QCom q6asm-dai, Intel bytcht_es8316, and simple-mux codec

  FireWire:
   - Fix for Motu DSP event queue protection"

* tag 'sound-7.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ASoC: codecs: simple-mux: Fix enum control bounds check
  ALSA: usb-audio: Add iface reset and delay quirk for TAE1160 USB Audio
  ALSA: hda/cs420x: Add CS4208 fixup for iMac16,1
  ALSA: hda/realtek: add quirk for HP Dragonfly Folio G3 2-in-1
  ALSA: hda/realtek: Fix speaker output on ASUS ROG Strix G615LP
  ASoC: qcom: q6asm-dai: use pointer type with kzalloc_obj()
  ASoC: qcom: q6asm-dai: remove unnecessary braces
  ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params
  ASoC: qcom: q6asm-dai: close stream only when running
  ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks
  ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors
  ALSA: hda/realtek: Limit mic boost on Positivo DN140
  ALSA: scarlett2: Fix 2i2 Gen 4 direct monitor gain on firmware 2417
  ALSA: pcm: oss: Fix setup list UAF on proc write error
  ALSA: hda: cs35l56: Fix system name string leaks
  ALSA: hda/realtek: Add HDA_CODEC_QUIRK for Lenovo Yoga Slim 7 14AGP11
  ALSA: hda/realtek: Fix incorrect comment for ALC299_FIXUP_PREDATOR_SPK
  ALSA: firewire-motu: Protect register DSP event queue positions
2026-05-29 08:55:41 -07:00
Linus Torvalds e6f4f084ec hid-for-linus-2026052801

Merge tag 'hid-for-linus-2026052801' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid

Pull HID fixes from Benjamin Tissoires:

 - buffer overflow fix for lenovo (Kean) and wacom (Lee Jones) drivers

 - segfaults prevention in lenovo-go driver when used with an emulated
   device (Louis Clinckx)

 - cleanup of resources in u2fzero (Myeonghun Pak)

 - a quirk for a USB mouse and a cleanup in hid.h (hlleng and Liu Kai)

* tag 'hid-for-linus-2026052801' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid:
  HID: wacom: Fix OOB write in wacom_hid_set_device_mode()
  HID: lenovo-go: drop dead NULL check on to_usb_interface()
  HID: lenovo-go: reject non-USB transports in probe
  HID: lenovo: Fix buffer over-read and unaligned access in X12 Tab raw_event handler
  HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse
  HID: remove duplicate hid_warn_ratelimited definition
  HID: u2fzero: free allocated URB on probe errors
2026-05-29 08:51:46 -07:00
Mark Brown 8372633074 KVM: arm64: Correctly cap ZCR_EL2 provided by a guest hypervisor
ZCR_EL2 can be updated by a VHE guest hypervisor either using ZCR_EL2
(which traps) or ZCR_EL1 (which does not trap). KVM handles both in
different ways:

- on ZCR_EL2 trap, ZCR_EL2.LEN is immediately capped at the VM's own
  VL limit. This has the potential to break existing SW that relies
  on the full LEN field to be stateful.

- on ZCR_EL1 access, we do absolutely nothing.

On restoring the SVE context for an L2 guest, we directly restore the
guest hypervisor's view of ZCR_EL2 into the physical ZCR_EL2. If the
guest's view of the register was updated using the ZCR_EL2 accessor,
the value has already been sanitised (with the caveat mentioned above).

But if the guest used ZCR_EL1, the raw value is written into the HW,
and the L2 guest can now access VLs that it shouldn't.

Fix all the above by moving the VL capping to the restore points,
ensuring that:

- the HW is always programmed with a capped value, irrespective of
  the accessor being used,

- the ZCR_EL2.LEN field is always completely stateful, irrespective
  of the accessor being used.

Additionally, move ZCR_EL2 to be a sanitised register, ensuring that
only the LEN field is actually stateful. This requires some creative
construction of the RES0 mask, as the sysreg generation script does
not yet generate RAZ/WI fields.

Fixes: b3d29a8230 ("KVM: arm64: nv: Handle ZCR_EL2 traps")
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260529-kvm-arm64-fix-zcr-len-nv-v2-1-86cad51992bd@kernel.org
[maz: rewrote commit message, tidy up access_zcr_el2()]
Signed-off-by: Marc Zyngier <maz@kernel.org>
2026-05-29 10:04:00 +01:00
Steffen Klassert 6851161feb Revert "esp: fix page frag reference leak on skb_to_sgvec failure"
This reverts commit 2982e599ff.

The patch does not fully fix the issue and the Author does
not match the 'Signed-off-by:' tag, so revert it for now.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2026-05-29 10:23:25 +02:00
Rajat Gupta 5ab62dd368 drm: prevent integer overflows in dumb buffer creation helpers
Fix integer overflow issues in the dumb buffer creation path:

1. drm_mode_create_dumb() does not bound width, height, or bpp
   before passing them to driver callbacks.  Downstream helpers
   (e.g. drm_gem_dma_dumb_create_internal) perform pitch/size
   alignment in u32 arithmetic that can overflow for extreme
   values.  Add hard limits: width and height < 8192, bpp <= 32.
   No legitimate software rendering use case exceeds these.

2. drm_mode_align_dumb() uses roundup(pitch, hw_pitch_align)
   without checking for overflow.  If pitch is near U32_MAX,
   roundup() wraps to a small value, making subsequent
   check_mul_overflow() pass with a much smaller pitch than
   intended.  Add an overflow check after roundup.

3. drm_mode_align_dumb() uses ALIGN(size, hw_size_align) which
   only works correctly for power-of-two alignment values.
   Replace with roundup() which works for any alignment.

Suggested-by: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
2026-05-29 08:30:47 +02:00
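The arithmetic pitfalls named in the commit message above (roundup() wrapping near U32_MAX, and ALIGN() being correct only for power-of-two alignments), as an added user-space C example that is not the kernel's code. The function names are hypothetical stand-ins, `__builtin_mul_overflow` stands in for check_mul_overflow(), and the limits are the ones quoted in the message.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Limits quoted in the commit message: width and height < 8192, bpp <= 32. */
#define DUMB_MAX_DIM 8192u
#define DUMB_MAX_BPP 32u

/* User-space stand-in for the kernel's roundup(), in u32 arithmetic. */
static uint32_t roundup_u32(uint32_t x, uint32_t y)
{
	return ((x + (y - 1)) / y) * y;	/* x + (y - 1) can wrap past U32_MAX */
}

/* Stand-in for ALIGN(): the mask trick is only valid for power-of-two a. */
static uint32_t align_mask_u32(uint32_t x, uint32_t a)
{
	return (x + (a - 1)) & ~(a - 1);
}

/* roundup() plus a post-check: a wrapped result is always below x. */
static bool roundup_u32_checked(uint32_t x, uint32_t y, uint32_t *out)
{
	uint32_t r = y ? roundup_u32(x, y) : 0;

	if (y == 0 || r < x)
		return false;
	*out = r;
	return true;
}

/* Hypothetical helper: bound the inputs first, then check every step. */
static bool dumb_size_checked(uint32_t width, uint32_t height, uint32_t bpp,
			      uint32_t pitch_align, uint32_t size_align,
			      uint32_t *pitch_out, uint32_t *size_out)
{
	uint32_t pitch, size;

	if (!width || !height || !bpp || width >= DUMB_MAX_DIM ||
	    height >= DUMB_MAX_DIM || bpp > DUMB_MAX_BPP)
		return false;
	pitch = (width * bpp + 7) / 8;	/* cannot wrap once the limits hold */
	if (!roundup_u32_checked(pitch, pitch_align, &pitch))
		return false;
	/* GCC/Clang builtin, standing in for check_mul_overflow() */
	if (__builtin_mul_overflow(pitch, height, &size))
		return false;
	if (!roundup_u32_checked(size, size_align, &size))
		return false;
	*pitch_out = pitch;
	*size_out = size;
	return true;
}

int main(void)
{
	uint32_t p = 0, s = 0;
	bool ok = dumb_size_checked(1920, 1080, 32, 64, 4096, &p, &s);

	printf("roundup(0xfffffff0, 64) = %u\n", roundup_u32(0xfffffff0u, 64));
	printf("ALIGN(100, 24) = %u, roundup(100, 24) = %u\n",
	       align_mask_u32(100, 24), roundup_u32(100, 24));
	printf("1920x1080@32: ok=%d pitch=%u size=%u\n", ok, p, s);
	return 0;
}
```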
Dave Airlie e81d3b59f7 amd-drm-fixes-7.1-2026-05-28:
amdgpu:
 - GEM_OP warning fix
 - GEM_OP locking fix
 - Userq fixes
 - DCN 2.1 refclk fix
 - SI fix
 - HMM fixes
 
 amdkfd:
 - svm_range_set_attr locking fix
 - CRIU restore fix
 - KFD debugger fix

Merge tag 'amd-drm-fixes-7.1-2026-05-28' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes

amd-drm-fixes-7.1-2026-05-28:

amdgpu:
- GEM_OP warning fix
- GEM_OP locking fix
- Userq fixes
- DCN 2.1 refclk fix
- SI fix
- HMM fixes

amdkfd:
- svm_range_set_attr locking fix
- CRIU restore fix
- KFD debugger fix

Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Alex Deucher <alexander.deucher@amd.com>
Link: https://patch.msgid.link/20260528211843.893681-1-alexander.deucher@amd.com
2026-05-29 11:55:26 +10:00
Dave Airlie 4ab97280e8 - Restore IDLEDLY register on engine reset (Bala)

Merge tag 'drm-xe-fixes-2026-05-28' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes

- Restore IDLEDLY register on engine reset (Bala)

Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Rodrigo Vivi <rodrigo.vivi@intel.com>
Link: https://patch.msgid.link/ahhBUt8fDqjB-mQq@intel.com
2026-05-29 11:28:58 +10:00