address post-7.1 issues or aren't considered suitable for backporting.
Thre's a 2 patch series "mm/damon/{reclaim,lru_sort}: handle ctx
allocation failures" from SeongJae Park which fixes a couple of DAMON
-ENOMEM bloopers. The rest are singletons - please see the individual
changelogs for details.
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQTTMBEPP41GrTpTJgfdBJ7gKXxAjgUCaieN5AAKCRDdBJ7gKXxA
jkN7AP9wXhRFOUq0EPeQxnlie7vgM/jiDuOoPAn7EUt9S7pqCwEApJnxEbMzXioD
Jx6MxoUqqa/d5wXb7u0MRgT76n9KOwk=
=hdKc
-----END PGP SIGNATURE-----
Merge tag 'mm-hotfixes-stable-2026-06-08-20-51' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Pull misc fixes from Andrew Morton:
"11 hotfixes. 9 are for MM. 8 are cc:stable and the remaining 3 address
post-7.1 issues or aren't considered suitable for backporting.
Thre's a two-patch series "mm/damon/{reclaim,lru_sort}: handle ctx
allocation failures" from SeongJae Park which fixes a couple of DAMON
-ENOMEM bloopers. The rest are singletons - please see the individual
changelogs for details"
* tag 'mm-hotfixes-stable-2026-06-08-20-51' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm:
mm/mincore: handle non-swap entries before !CONFIG_SWAP guard
arm64: mm: call pagetable dtor when freeing hot-removed page tables
mm/list_lru: drain before clearing xarray entry on reparent
mm/huge_memory: use correct flags for device private PMD entry
mm/damon/lru_sort: handle ctx allocation failure
mm/damon/reclaim: handle ctx allocation failure
zram: fix use-after-free in zram_bvec_write_partial()
MAINTAINERS: update Baoquan He's email address
tools headers UAPI: sync linux/taskstats.h for procacct.c
mm/cma_sysfs: skip inactive CMA areas in sysfs
ipc/shm: serialize orphan cleanup with shm_nattch updates
Several significant bug fixes of pre-existing issues:
- Missing validation on ucap fd types passed from userspace
- Missing validation of HW DMA space vs userpace expected sizes in EFA
queue setup
- DMA corruption when using DMA block sizes >= 4G when setting up MRs in
all drivers
- Missing validation of CPU IDs when setting up dma handles
- Missing validation of IB_MR_REREG_ACCESS when changing writability of a
MR
- Missing validation of received message/packet size in ISER and SRP
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQRRRCHOFoQz/8F5bUaFwuHvBreFYQUCaib4qwAKCRCFwuHvBreF
YRPNAP0TslA/smVGQcGPVHHtLl3b5n47NSE+pwNXFlWUp8yO5AD/T1VmGSRbjbc+
5eqr/1yMqGha1sHBY8XFEbqJKIPFOQY=
=CmEv
-----END PGP SIGNATURE-----
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma
Pull rdma fixes from Jason Gunthorpe:
"Several significant bug fixes of pre-existing issues:
- Missing validation on ucap fd types passed from userspace
- Missing validation of HW DMA space vs userpace expected sizes in
EFA queue setup
- DMA corruption when using DMA block sizes >= 4G when setting up MRs
in all drivers
- Missing validation of CPU IDs when setting up dma handles
- Missing validation of IB_MR_REREG_ACCESS when changing writability
of a MR
- Missing validation of received message/packet size in ISER and SRP"
* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
RDMA/srp: bound SRP_RSP sense copy by the received length
IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN
RDMA: During rereg_mr ensure that REREG_ACCESS is compatible
RDMA/core: Validate cpu_id against nr_cpu_ids in DMAH alloc
RDMA/umem: Fix truncation for block sizes >= 4G
RDMA/efa: Validate SQ ring size against max LLQ size
RDMA/core: Validate the passed in fops for ib_get_ucaps()
srp_process_rsp() copies sense data from rsp->data + resp_data_len,
where resp_data_len is the full 32-bit value supplied by the SRP target
and is never checked against the number of bytes actually received
(wc->byte_len). The copy length is bounded to SCSI_SENSE_BUFFERSIZE, so
at most 96 bytes are copied, but the source offset is not bounded.
A malicious or compromised SRP target on the InfiniBand/RoCE fabric that
the initiator has logged into can return an SRP_RSP with
SRP_RSP_FLAG_SNSVALID set and a large resp_data_len. The receive buffer
is allocated at the target-chosen max_ti_iu_len, so the source of the
sense copy lands past the bytes actually received; with resp_data_len
near 0xFFFFFFFF it is gigabytes past the buffer and the read faults.
Copy the sense data only if it has not been truncated, that is, only if
the response header, the response data, and the sense region fit within
the bytes actually received; otherwise drop the sense and log. The
in-tree iSER and NVMe-RDMA receive paths already bound their parse by
wc->byte_len; this brings ib_srp into line with them.
Fixes: aef9ec39c4 ("IB: Add SCSI RDMA Protocol (SRP) initiator")
Link: https://patch.msgid.link/r/20260602220457.2542840-1-michael.bommarito@gmail.com
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
In drivers/infiniband/ulp/isert/ib_isert.c, isert_login_recv_done()
computes the login request payload length as wc->byte_len minus
ISER_HEADERS_LEN with no lower bound, and login_req_len is a signed int.
A remote iSER initiator can post a login Send work request carrying
fewer than ISER_HEADERS_LEN (76) bytes, so the subtraction underflows
and login_req_len becomes negative.
isert_rx_login_req() then reads that negative length back into a signed
int, takes size = min(rx_buflen, MAX_KEY_VALUE_PAIRS), and because the
min() is signed it keeps the negative value; the value is then passed as
the memcpy() length and sign-extended to a multi-gigabyte size_t. The
copy into the 8192-byte login->req_buf runs far out of bounds and
faults, crashing the target node. The login phase precedes iSCSI
authentication, so no credentials are required to reach this path.
Reject any login PDU shorter than ISER_HEADERS_LEN before the
subtraction, mirroring the existing early return on a failed work
completion, so login_req_len can never go negative. The upper bound was
already safe: a posted login buffer cannot deliver more than
ISER_RX_PAYLOAD_SIZE, so the difference stays at or below
MAX_KEY_VALUE_PAIRS and the existing min() clamps it; only the missing
lower bound needs to be added.
Fixes: b8d26b3be8 ("iser-target: Add iSCSI Extensions for RDMA (iSER) target driver")
Link: https://patch.msgid.link/r/20260602194642.2273217-1-michael.bommarito@gmail.com
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
If IB_MR_REREG_ACCESS changes from RO to RW then the umem has to be
re-evaluated to ensure it is properly pinned as RW. Since the umem is
hidden inside each driver's mr struct add a ib_umem_check_rereg() function
that each driver has to call before processing IB_MR_REREG_ACCESS.
mlx4 has to retain its duplicate ib_access_writable check because it
implements IB_MR_REREG_ACCESS | IB_MR_REREG_TRANS by changing both items
in place sequentially while the MR is live, so it will continue to not
support this combination.
Cc: stable@vger.kernel.org
Fixes: b40656aa7d ("RDMA/umem: remove FOLL_FORCE usage")
Link: https://patch.msgid.link/r/0-v1-06fb1a2d6cf5+107-rereg_access_jgg@nvidia.com
Reported-by: Philip Tsukerman <philiptsukerman@gmail.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
-----BEGIN PGP SIGNATURE-----
iQFHBAABCgAxFiEEIbPD0id6easf0xsudhRwX5BBoF4FAmomTIwTHHdlaS5saXVA
a2VybmVsLm9yZwAKCRB2FHBfkEGgXqyECADL9eYwEkfwQDB+CmyemmINo/wvOfGu
u6husKyGqs3eBe7sPtERarHtN8UlQMGLMVd2CR8QqtD+P9yZjSnNX54ljtweEdIr
eAijVHEFmw1e1Lo/lGOv8eldNP3FuUGopz6rkfuQ2S+6xZ9MHIYda5MCZ3I0rbOe
Mq+aB17Qhvqp+O4+zfk5wDh9OJ1Wa5c0U0xfKx51SX4qf1KDL7AUIz0Cyy7P8h5q
u7MDYFaE4U9d8M5GbRQUGyHr6W0YQuMMUW5Ip04OsQXRKyMR5W20dFtiwoqI4UbF
loWUakk4RkC9tEMs6WeLSvqrLgKqbqfDOScYB8OPEUlh5CRMhYp7uhkA
=fcaL
-----END PGP SIGNATURE-----
Merge tag 'hyperv-fixes-signed-20260607' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux
Pull hyperv fixes from Wei Liu:
- MSHV driver fixes from various people (Anirudh Rayabharam, Can Peng,
Dexuan Cui, Michael Kelley, Jork Loeser, Wei Liu)
- Hyper-V user space tools fixes (Thorsten Blum)
- Allow VMBus to be unloaded after frame buffer is flushed (Michael
Kelley)
* tag 'hyperv-fixes-signed-20260607' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux:
mshv: support 1G hugepages by passing them as 2M-aligned chunks
Drivers: hv: vmbus: Improve the logic of reserving fb_mmio on Gen2 VMs
mshv: use kmalloc_array in mshv_root_scheduler_init
mshv: Add conditional VMBus dependency
hyperv: Clean up and fix the guest ID comment in hvgdk.h
drm/hyperv: During panic do VMBus unload after frame buffer is flushed
Drivers: hv: vmbus: Provide option to skip VMBus unload on panic
mshv: unmap debugfs stats pages on kexec
mshv: clean up SynIC state on kexec for L1VH
mshv: limit SynIC management to MSHV-owned resources
hv: utils: replace deprecated strcpy with strscpy in kvp_register
hv: utils: handle and propagate errors in kvp_register
mshv: add a missing padding field
- Add more AMD Zen6 models (Pratik Vishwakarma)
- Avoid confusing bootup message by the Intel resctl enumeration
code when running on certain AMD systems (Tony Luck)
Signed-off-by: Ingo Molnar <mingo@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQJFBAABCgAvFiEEBpT5eoXrXCwVQwEKEnMQ0APhK1gFAmok/S0RHG1pbmdvQGtl
cm5lbC5vcmcACgkQEnMQ0APhK1iOHw//Q2lG+XKJAG5wPgvkyp7EcQDgerj22LQS
ybapgg4u0scz4+24yt1vbzSRdvp+wTowSpviw7IH3rbemhWTkB7WZisjaKwPiPzo
gSYC3EtdcJvhaC2jqyhx1JSeR8I+d2U+tzE3OeOOxTvgOK4m3cvZhCsQIttPaO7I
DPW3ctqDYQc8/T4UQWMEyOhsKEGSplxrk8AdvzSG2QP+OOZ0gDBMh2s5ywREjSMq
OFf/tW6QdZm0CuxIYMV1PsdsYFZPI+v8MEtfGyjNw+NmkUEO/VYqQ80J0UC0rbbt
6MUT32vyLkDz0JN+IWW9YQn4OccuFfI+IZStmuZJr9jOFICpMogmIW77oobwN9ai
QeEXEvqvazmVlqMukzaDSlr42yV5nknr6bF+mlTbGIMUkCV2w40OkciyeI30LzNm
cCs/KsJeGb384ArsqH7+5coTHILvacAN9LWjf5E96APCp/2mzXwWT1bMvr7VM7Q/
65C1scpoQ5KgIewf+nijWOn+5FEN6cKVPgW1y06GpI55KDUUGIMgSyb+V5pwwVNa
fRa3qPbASopfyCni/mxPnNqSDVodFks9pDqSrg0WvmQLDdlaAzfwPf5l4F47YNGr
CmnZ7GJb00SZC/M9Pkecy0zXBZv+dfiwjiVnXBDjqYwIC1wOnlj4JTeVuaC7cFuu
688Dr2YMEEk=
=PMk2
-----END PGP SIGNATURE-----
Merge tag 'x86-urgent-2026-06-07' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull x86 fixes from Ingo Molnar:
- Add more AMD Zen6 models (Pratik Vishwakarma)
- Avoid confusing bootup message by the Intel resctl enumeration
code when running on certain AMD systems (Tony Luck)
* tag 'x86-urgent-2026-06-07' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86/resctrl: Only check Intel systems for SNC
x86/CPU/AMD: Add more Zen6 models
- Fix the arch_inlined_clockevent_set_next_coupled() prototype
in the !CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST case
(Naveen Kumar Chaudhary)
- Fix an off-by-1 bug in the sys_settimeofday() usecs validation
code (Naveen Kumar Chaudhary)
- Mark vdso_k_*_data pointers as __ro_after_init
(Thomas Weißschuh)
- Fix livelock race in tmigr_handle_remote_up()
(Amit Matityahu)
Signed-off-by: Ingo Molnar <mingo@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQJFBAABCgAvFiEEBpT5eoXrXCwVQwEKEnMQ0APhK1gFAmok/CQRHG1pbmdvQGtl
cm5lbC5vcmcACgkQEnMQ0APhK1hpFw//US/OxvhU9WBdRsaULcezejwAkq+bUMHe
hrmGtdHSztO+6SsSMaRei9IaJz3YsZCNOYX2bMO3TwMBTtFBAmq5NVGWT6tYcnam
uHpH7qkt8n2HAsRHprBKzyM4Vo9ecYqVKXwd/lLyZyhs04q6iqmu8A99tIHb4e4C
tsNFxWJfhT+bjR/gwvU7uGSkQ1FUqlVNeRtN939/sPlXsRLKBOCHXTSnZ4JOTfL0
+QLae7LemYDxMT9M4fej3fJjoDGNQM0gb7K7FkOjwOHB8tHw2NJ9lRnD5MMh/oFx
Mq2BDfEQMum+LHjS3A/QhiymQQzbghnb6CVf4ae/hcBEdC7athoxJ1AzRDoqsD/N
EfFMaFVEaD3IZkNvU1u4BYDjQpNnnoK/TnYxa5fDoSD/VjVTknlr7gbfkUsJpwR5
cZ4EPk/zmilOJ8xWYlCJi9NHGMc+zsWT3FNdsOXiBt/GGOcu3lTQr8sjHBjm5cFi
coCbokGi6TRj9PA//oEds2JWTYIqXMADte7bleC0qmTfWPsJSHKECn+uOnUOyvg+
rlI8pRIo8uWo20MPjpwF+P4Dc5XGiR3TpvJ8iuXJvQNObItAjfBnJxbgo5fAM13d
VxfzZV2F++6ua/hsd8luAuMcdrFILTaiOEuXT9uyOPoMoBtORE+0CEQKTOgU0Z4e
rvoO+R992e8=
=Sp9X
-----END PGP SIGNATURE-----
Merge tag 'timers-urgent-2026-06-07' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull timer fixes from Ingo Molnar:
- Fix the arch_inlined_clockevent_set_next_coupled() prototype in the
!CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST case (Naveen Kumar Chaudhary)
- Fix an off-by-1 bug in the sys_settimeofday() usecs validation code
(Naveen Kumar Chaudhary)
- Mark vdso_k_*_data pointers as __ro_after_init (Thomas Weißschuh)
- Fix livelock race in tmigr_handle_remote_up() (Amit Matityahu)
* tag 'timers-urgent-2026-06-07' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
timers/migration: Fix livelock in tmigr_handle_remote_up()
vdso/datastore: Mark vdso_k_*_data pointers as __ro_after_init
time: Fix off-by-one in settimeofday() usec validation
clockevents: Fix duplicate type specifier in stub function parameter
- Fix a NULL pointer dereference bug in the FUTEX_CMP_REQUEUE_PI
code (Ji'an Zhou)
- Fix a NULL pointer dereference bug in the rtmutex code
(Davidlohr Bueso)
Signed-off-by: Ingo Molnar <mingo@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQJFBAABCgAvFiEEBpT5eoXrXCwVQwEKEnMQ0APhK1gFAmok97sRHG1pbmdvQGtl
cm5lbC5vcmcACgkQEnMQ0APhK1hq8A//YmVZmkJVV/5AFYZTJEHQmTpHYR4oyIKE
7u0glsuWfgO+m70RQLQK6FHFC8LRUVmn692fbTrXRb3sEmQvZwpvLjy0JfM2HgFm
Sv/1C0KKGQOE6UVcMIaiJIr+/uNXz6iC1zlln5rbdJOWfQdobNENTC1QDnzUPsWp
810up6kwkG/fgivaemsL29JH7HM5y7dWg8x9RmRmzRMsAVuX2NNeZWr3UVSB1ThA
n9DGR7rhZa2MSb0lDgmzEPn1mn3/8wvMDEaore9qAgXqwQ6wIxKc+9YQoi/CcpH3
Ar7/gsDXpgy1CS5qtwYBajFgwEhqLwtrN90bR4nW7CKFrFxRLZz/G7kS/iV2vjWd
CtlBYMINTNhXA2omuIaTSykt76Y44iV9tul/+m7XCTDocl2gKU/SYSn6+MoEnW+G
Nu3m8clJHQc5SavDJJL/LvIceemeiBUvOwRHYS6jrNcnaUbdwqXrRDYJNYVTIpYX
bdI3moWI25q8nC+rOSXDO9FxY+znJ5ZOEvd/j2W8nl2d7Io+NcJdC6Ec/vKsjIzq
3dORTAevrrqNi37VVRum2ht4QnFXRverFGrpLmgGHbufsBeFCQ7p4n6ovj2AjIg2
jpzwGrkDNZKnjFQrUi5vh70bKkrDlijLGvPGvTfu/7Ah7EYFqTLzNszor8B3XIkd
7eIAsWVGbIk=
=a6/Z
-----END PGP SIGNATURE-----
Merge tag 'locking-urgent-2026-06-07' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull locking fixes from Ingo Molnar:
- Fix a NULL pointer dereference bug in the FUTEX_CMP_REQUEUE_PI
code (Ji'an Zhou)
- Fix a NULL pointer dereference bug in the rtmutex code (Davidlohr
Bueso)
* tag 'locking-urgent-2026-06-07' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
locking/rtmutex: Skip remove_waiter() when waiter is not enqueued
futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock
Arnd's randconfig testing turned up a missing selection of
CONFIG_IRQ_DOMAIN which was causing build breaks.
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAmolTPsACgkQJNaLcl1U
h9Bl/Qf8Dnbw3XoVw2UwJShpXGwPy5QJm0DTDcWOsiiRBge1qLpef+N+7oVf8yxJ
O+03DLHEfTe27YU49M76TIzpYakLvR0QVMK5Zg01ffQOCXT1CMTOR6KFeEaP1AOE
Fm2LU50IrQtor4WtuWxVzOu/jBZkli2l+0qeElJwsReWCigBFC6crx+wtSxc9YI4
U1H/iEcH+Yu2syLHMH0uAa+2OFsgVQEdz2wZn0unkkB9JcqjCB/dtNntrqxsGLX1
Xq3Xs/KhHMpOS6+zaPHR8qgzf3q2znsnUfW4gitKGHaQwP9o9JxKfNMm47H8eFAm
8XqW+ktte4lazvfvpwZKSJ04AVy1aA==
=AwZI
-----END PGP SIGNATURE-----
Merge tag 'regulator-fix-v7.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator
Pull regulator fix from Mark Brown:
"Arnd's randconfig testing turned up a missing selection of
CONFIG_IRQ_DOMAIN which was causing build breaks"
* tag 'regulator-fix-v7.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
regulator: mt6363: select CONFIG_IRQ_DOMAIN
- two quirks for atkbd to deal with laptops that can not handle
"deactivate" command on the keyboard PS/2 port.
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQST2eWILY88ieB2DOtAj56VGEWXnAUCaiT7xAAKCRBAj56VGEWX
nIomAQDJ9sUO/BpoilRA48fsZr+BMOBmnAvtm6MlpnWkrJKFwAD8D7SmCEwY+blM
cmBR5dHgGzb5PD1smow4kGTW7HV20wA=
=9ZkJ
-----END PGP SIGNATURE-----
Merge tag 'input-for-v7.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
Pull input fixes from Dmitry Torokhov:
- two quirks for atkbd to deal with laptops that can not handle
"deactivate" command on the keyboard PS/2 port
* tag 'input-for-v7.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
Input: atkbd - skip deactivate for HONOR BCC-N's internal keyboard
Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK)
After commit 0652a3daa7 ("tracing: Fix CFI violation in probestub
being called by tprobes"), there are many build errors when building
ARCH=arm multi_v7_defconfig + CONFIG_CFI=y like:
In file included from drivers/base/devres.c:17:
In file included from drivers/base/trace.h:16:
In file included from include/linux/tracepoint.h:23:
include/linux/cfi.h:44:6: error: call to undeclared function 'get_kernel_nofault'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
44 | if (get_kernel_nofault(hash, func - cfi_get_offset()))
| ^
1 error generated.
get_kernel_nofault() is called in the generic version of
cfi_get_func_hash() but nothing ensures uaccess.h is always included for
a proper expansion and prototype. Include uaccess.h in cfi.h to clear
up the errors.
Cc: stable@vger.kernel.org
Fixes: 0652a3daa7 ("tracing: Fix CFI violation in probestub being called by tprobes")
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
It's getting calmer, but we cam up with still a handful small fixes,
including two core fixes. All look sane and safe.
* Core:
- Fix wait queue list corruption in snd_pcm_drain() on linked streams
- Fix UMP event stack overread in seq dummy driver
* USB-audio:
- Add quirk for AB13X USB Audio
- Fix the regression with sticky mixer volumes in 7.1-rc
* ASoC:
- Fix 32-slot TDM breakage on Freescale SAI
- Varioud DMI quirks for AMD ACP
-----BEGIN PGP SIGNATURE-----
iQJCBAABCAAsFiEEIXTw5fNLNI7mMiVaLtJE4w1nLE8FAmokRfcOHHRpd2FpQHN1
c2UuZGUACgkQLtJE4w1nLE9uuw/9Fjp6ZQOfGXWzrn4UFiCPE2mzVNbclSIYIIUI
iPRAM7+66Rj5IjPaY/a+csAjRAAodqYoTtZgA8rFfjpv4T4nEUbSfEFWnV252vzM
JAHZxq4uuxEqUoy7iXPp4k3k9MzEY7AlOYm2F+3CY9cSwn3hwedD03Uq+2qzupmK
GrVbYhsJD672rFWM9wmGS4hxarEbXjdtxXJ0i9m10/ydJ8bafURcAO62/74ly/JC
YpF4EJpM1oYlDXrsDvWz226MTiu1o/NuIWU5cHEHeMejX5HXKpdR54mVcR9T/CO4
KCw2M2nddn92zInm4yRM05MS2dvlcVxixITTclnRS6bFi0N53wWuX2B1UHYiI+Ko
aKM9Ph3GCaWP+4LwEXM0qG5AscRmpJ5aDx22SLB0ObdjjA4boYIrkLSQeocyWrP3
9JucaBD36IEYfwbYN4rK1iEBktzoPzTR57GGqVav0+B4b6D688mlgGjo4WtFowc1
F7AFrwmVozbKyAkq2gqF/6ufIrEY8RB+bRr41MtaG89gu6EiEyNE7V52Jg0WDr7L
yw/XtZtN4H2t2TO+0hKTV0sLR1HPC/PoCNb5ayHq/8jpcKJ8uC0KfyxVsgpaC0AZ
3CmtQ4J3hWAFx0Hrl0YKH33taQyAD9M/iOa8WV068YoaxamrkmC3wpIV6C86wL8C
FbUW4Uk=
=HHlm
-----END PGP SIGNATURE-----
Merge tag 'sound-7.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"It's getting calmer, but we still came up with a handful of small
fixes, including two core fixes. All look sane and safe.
Core:
- Fix wait queue list corruption in snd_pcm_drain() on linked streams
- Fix UMP event stack overread in seq dummy driver
USB-audio:
- Add quirk for AB13X USB Audio
- Fix the regression with sticky mixer volumes in 7.1-rc
ASoC:
- Fix 32-slot TDM breakage on Freescale SAI
- Varioud DMI quirks for AMD ACP"
* tag 'sound-7.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ALSA: seq: dummy: fix UMP event stack overread
ALSA: usb-audio: Add iface reset and delay quirk for AB13X USB Audio
ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams
ASoC: amd: acp70: add standalone RT721 SoundWire machine
ASoC: amd: yc: Add MSI Raider A18 HX A9WJG to quirk table
ASoC: fsl_sai: Fix 32 slots TDM broken by integer shift UB in xMR write
ASoC: amd: yc: Enable internal mic on MSI Bravo 17 C7VF
ASoC: amd: acp: Add DMI quirk for Lenovo Yoga Pro 7 15ASH11
ALSA: usb-audio: Set the value of potential sticky mixers to maximum
Toolchain and infrastructure:
- Fix 'rustc-option' (the Makefile one) when cross-compiling that leads
to build or boot failures in certain configs.
- Work around a Rust compiler bug (already fixed for Rust 1.98.0) thats
lead to boot failures in certain configs due to missing 'uwtable'
LLVM module flags.
- Support a Rust compiler change (starting with Rust 1.98.0) in the
unstable target specification JSON files.
- Forbid Rust + arm + KASAN configs, which do not build.
'kernel' crate:
- Fix NOMMU build by adding a missing helper.
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEPjU5OPd5QIZ9jqqOGXyLc2htIW0FAmokBWQACgkQGXyLc2ht
IW02uw//a6zLSwQh3c6wevbyfogCtFXA9zfEmS0VIgaFQ7rtBIMPGCIujXrg7mtM
uc0ZKg27dUyZQfrsKufjkP7ziQbwNaVowuR1/EVeFkF3bWH6BsaJic0/ewFAqbET
lua0IORlqIjxgCCYW4y93NdzzUAwM1ClENzxWsNBd1HdY0t3ZZqpySie6q2sbjws
MVr49Ghne5Q+HOeAgL3vK0ZblPx0Ujd+NcCBDVTzfliwNziGnVW5cS4QKdcYpEdc
nHIHUCpkV2oBivalLSXHPiZBVKRRRq8cNL0iS+6fZdukDER87HJ81EPESfndQFen
xdU5Qj7VHbr/PRR56P6dUpFdqcKCY3/HyoTBbr3GVGnH6pz0hs2605YoMsJI3Js8
IBkVNIAm2P3ud+oTDdA9+2vW/mBFCunfIdogqVPqb5DrPzjSl5uCgAOgX4J2yLLF
FfytH8kSqplLDdCuFq6bFNdZMgEK9qzZR99OqChh2N4xBxFeTuF1Ng+OPGJRSOxz
vlLXCav/j92ckoocqPzMG0V5AjxnrdRfql6lYZqrw7D6lrmMzwJuO7SaXiX+OkL4
hn6GB9FgWX+D6kKHotoMa51UjaDvCHOm3c2K/ROLQ5uuidFsK/585cQDg72/sq+3
nvAAjleYK9VESnlJ8h5BJWdgdWY5CRW/wwh3rprcc1gfXz1jtkA=
=7GFy
-----END PGP SIGNATURE-----
Merge tag 'rust-fixes-7.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ojeda/linux
Pull Rust fixes from Miguel Ojeda:
"Toolchain and infrastructure:
- Fix 'rustc-option' (the Makefile one) when cross-compiling that
leads to build or boot failures in certain configs
- Work around a Rust compiler bug (already fixed for Rust 1.98.0)
thats lead to boot failures in certain configs due to missing
'uwtable' LLVM module flags
- Support a Rust compiler change (starting with Rust 1.98.0) in the
unstable target specification JSON files
- Forbid Rust + arm + KASAN configs, which do not build
'kernel' crate:
- Fix NOMMU build by adding a missing helper"
* tag 'rust-fixes-7.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ojeda/linux:
rust: x86: support Rust >= 1.98.0 target spec
rust: arm64: set uwtable llvm module flag for CONFIG_UNWIND_TABLES
rust: helpers: add is_vmalloc_addr wrapper for NOMMU builds
rust: kasan/kbuild: fix rustc-option when cross-compiling
ARM: Do not select HAVE_RUST when KASAN is enabled
Please consider pulling these changes from the signed vfs-7.1-rc7.fixes tag.
Thanks!
Christian
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQRAhzRXHqcMeLMyaSiRxhvAZXjcogUCaiQb2wAKCRCRxhvAZXjc
ol4fAP46Ta2gcT8uzJRHaXo3HMWJYY02dK1pXQ4zZDdiQMMSTgEAuaj/mOvx0VeX
prloV/t7TBri6GAiWeE7Wu54d9rJZQ4=
=clMX
-----END PGP SIGNATURE-----
Merge tag 'vfs-7.1-rc7.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
Pull vfs fixes from Christian Brauner:
- Fix error handling in ovl_cache_get()
- Tighten access checks for exited tasks in pidfd_getfd()
- Fix selftests leak in __wait_for_test()
- Limit FUSE_NOTIFY_RETRIEVE to uptodate folios
- Reject fuse_notify() pagecache ops on directories
- Clear JOBCTL_PENDING_MASK for caller in zap_other_threads()
- Fix failure to unlock in nfsd4_create_file()
- Fix pointer arithmetic in qnx6 directory iteration
- Fix UAF due to unlocked ->mnt_ns read in may_decode_fh()
- Avoid potential null folio->mapping deref during iomap error
reporting
* tag 'vfs-7.1-rc7.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs:
iomap: avoid potential null folio->mapping deref during error reporting
fhandle: fix UAF due to unlocked ->mnt_ns read in may_decode_fh()
fs/qnx6: fix pointer arithmetic in directory iteration
VFS: fix possible failure to unlock in nfsd4_create_file()
signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()
fuse: reject fuse_notify() pagecache ops on directories
fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios
selftests: harness: fix pidfd leak in __wait_for_test
pidfd: refuse access to tasks that have started exiting harder
ovl: keep err zero after successful ovl_cache_get()
core:
- disable the gem change handle ioctl for security reasons
(plan to fix it on list later with proper test coverage)
dumb-buffer:
- remove strict limits on buffer geometry
amdgpu:
- BT.2020 fix for DCE
- DC bounds checking fixes
- SDMA 7.1 fix
- UserQ fixes
- SI fix
- SMU 13 fixes
- SMU 14 fixes
- GC 12.1 fix
- Userptr fix
- GC 10.1 fix
- GART fix for non-4K pages
amdkfd:
- UAF race fix
- Fix a potential NULL pointer dereference
- GC 11 buffer overflow fix for SDMA
xe:
- Revert removing support for unpublished NVL-S GuC
- Suspend fixes related to multi-queue
i915:
- Fix color blob reference handling in intel_plane_state
- Revert "drm/i915/backlight: Remove try_vesa_interface"
ethosu:
- reject unsupported NPU_OP_RESIZE
- fix index of IFM region
- fix weight index
- fix overflows in DMA-size calculations
- reject DMA commands with uninitialized length
- fix OOB write in ethosu_gem_cmdstream_copy_and_validate
imx:
- fix kernel-doc warnings
ivpu:
- add overflow checks in firmware handling and get_info_ioctl
v3d:
- wait for pending L2T flush before cleaning caches
- fix leak of vaddr
- skip CSD when it has zeroed workgroups
- fix ref counting in performance monitoring
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEEKbZHaGwW9KfbeusDHTzWXnEhr4FAmojVuUACgkQDHTzWXnE
hr4uYxAAlYQS0NuQoNrXkLG/4jIwD8aG+83bnUWCEYn59Qurk7ojH4frwDSkxSi/
Klqzk1zdbsIC6LOjI1gevhBY1Z1ASgzBAr7G44lpofeGI7zdxiSAZ6lEu9ClUVLI
I6dO73xLtGve5/0pgTrxsSz5p8ZKJhLSHhBf0oCyaKxGEsrirWR3ofV5RqWMy4HS
+Y/wouBG69pe8B3OK8SZhXQhJxvhnws6i8p4+pMSAhfICIsMh5aTLsNEwRxdIGzh
xXaOsE+mrhWOd6vmwK4qX4HprSocNTJyoRW7hkIFeWLwn0ZIJAmKwgWxmMAgebBe
RRHB5dBAm0Krn3RDc1od8dqwZ6YxWRDi1rROJmV93u+qKoYdAIoxpofTW6eB4p4q
lphLjTM0EQvreF4XShydMPWta5tiEYIUFL4OWf1eUR8C9Ejd0G8CeKZpDT/gLwWO
lxozV9+EZdLAkaGLoBxeghCZPBlsmkYWZ8M++8jLaJQWx1QeCSBCulMEyDEO2MN6
4kM+awVZJ3Ou28Pjux23jSXxRgzRC/Bk373MEijX9FnB2lEYmgFDs9+kMNX1dmsj
BcRi8+XSoUh9m1PoLuM+t+/Q+0neUdIfAX/6hqwbWp3knXtM7lQmUpgSo1hcpmop
vMIbWZT3/ZjoFrwJSv1HuvYzpiF7YTCzv/BpVZU938FLMyBcOlk=
=mrV8
-----END PGP SIGNATURE-----
Merge tag 'drm-fixes-2026-06-06' of https://gitlab.freedesktop.org/drm/kernel
Pull drm fixes from Dave Airlie:
"Weekly drm fixes, not contributing to things settling down
unfortunately. Lots of driver fixes for various bounds checks, leaks
and UAF type things, i915/xe probably the most sane, amdgpu has a mix
of fixes all over, then ethosu has lots of small fixes.
The problem of fixing thing in private has really hit us with the
change handle ioctl, and "Sima was right" and we should have disabled
the ioctl, since it was only introduced a couple of kernels ago and
failed to upstream it's tests in time.
The patch here fixes the problems Sima identified, but disables the
ioctl as well, with a list of known problems in it and a request for
proper tests to be written and upstreamed. It's a niche user ioctl
designed for CRIU with AMD ROCm, so I think it's fine to just disable
it.
Maybe this week will settle down.
core:
- disable the gem change handle ioctl for security reasons (plan to
fix it on list later with proper test coverage)
dumb-buffer:
- remove strict limits on buffer geometry
amdgpu:
- BT.2020 fix for DCE
- DC bounds checking fixes
- SDMA 7.1 fix
- UserQ fixes
- SI fix
- SMU 13 fixes
- SMU 14 fixes
- GC 12.1 fix
- Userptr fix
- GC 10.1 fix
- GART fix for non-4K pages
amdkfd:
- UAF race fix
- Fix a potential NULL pointer dereference
- GC 11 buffer overflow fix for SDMA
xe:
- Revert removing support for unpublished NVL-S GuC
- Suspend fixes related to multi-queue
i915:
- Fix color blob reference handling in intel_plane_state
- Revert "drm/i915/backlight: Remove try_vesa_interface"
ethosu:
- reject unsupported NPU_OP_RESIZE
- fix index of IFM region
- fix weight index
- fix overflows in DMA-size calculations
- reject DMA commands with uninitialized length
- fix OOB write in ethosu_gem_cmdstream_copy_and_validate
imx:
- fix kernel-doc warnings
ivpu:
- add overflow checks in firmware handling and get_info_ioctl
v3d:
- wait for pending L2T flush before cleaning caches
- fix leak of vaddr
- skip CSD when it has zeroed workgroups
- fix ref counting in performance monitoring"
* tag 'drm-fixes-2026-06-06' of https://gitlab.freedesktop.org/drm/kernel: (50 commits)
drm/gem: Try to fix change_handle ioctl, attempt 4
Revert "drm/i915/backlight: Remove try_vesa_interface"
accel/ethosu: fix OOB write in ethosu_gem_cmdstream_copy_and_validate()
accel/ethosu: reject DMA commands with uninitialized length
accel/ethosu: fix arithmetic issues in dma_length()
accel/ethosu: fix wrong weight index in NPU_SET_SCALE1_LENGTH on U85
accel/ethosu: reject NPU_OP_RESIZE commands from userspace
accel/ethosu: fix IFM region index out-of-bounds in command stream parser
drm/v3d: Fix global performance monitor reference counting
drm/xe/multi_queue: skip submit when primary queue is suspended
drm/xe: Clear pending_disable before signaling suspend fence
Revert "drm/xe: Skip exec queue schedule toggle if queue is idle during suspend"
drm/amd/pm: smu_v14_0_0: use SoftMin for gfxclk in set_soft_freq_limited_range
drm/amdgpu: Fix incorrect VRAM GART mappings on non-4K page size systems
drm/amdgpu/userq: move wptr_obj cleanup in mqd_destroy
drm/amdgpu: improve the userq seq BO free bit lookup
drm/amdgpu/userq: remove the vital queue unmap logging
drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11
drm/amdkfd: fix NULL dereference in get_queue_ids()
drm/amdgpu: set noretry=1 as default for GFX 10.1.x (Navi10/12/14)
...
[airlied: just added some comments on how to reenable]
On-list because the cat is out of the bag and we're clearly not good
enough to figure this out in private. The story thus far:
5e28b7b944 ("drm: Set old handle to NULL before prime swap in
change_handle") tried to fix a race condition between the gem_close and
gem_change_handle ioctls, but got a few things wrong:
- There's a confusion with the local variable handle, which is actually
the new handle, and so the two-stage trick was actually applied to the
wrong idr slot. 7164d78559 ("drm/gem: fix race between
change_handle and handle_delete") tried to fix that by adding yet
another code block, but forgot to add the error handling. Which meant
we now have two paths, both kinda wrong.
- dc366607c4 ("drm: Replace old pointer to new idr") tried to apply
another fix, but inconsistently, again because of the handle confusion
- this would be the right fix (kinda, somewhat, it's a mess) if we'd
do the two-stage approach for the new handle. Except that wasn't the
intent of the original fix.
We also didn't have an igt merged for the original ioctl, which is a big
no-go. This was attempted to address off-list in the original bugfix,
and amd QA people claimed the bug was fixed now. Very clearly that's not
the case. Here's my attempt to sort this out:
- Rename the local variable to new_handle, the old aliasing with
args->handle is just too dangerously confusing.
- Merge the gem obj lookup with the two-stage idr_replace so that we
avoid getting ourselves confused there.
- This means we don't have a surplus temporary reference anymore, only
an inherited from the idr. A concurrent gem_close on the new_handle
could steal that. Fix that with the same two-stage approach
create_tail uses. This is a bit overkill as documented in the comment,
but I also don't trust my ability to understand this all correctly, so
go with the established pattern we have from other ioctls instead for
maximum paranoia.
- Adjust error paths. I've tried to make the error and success paths
common, because they are identical except for which handle is removed
and on which we call idr_replace to (re)install the object again. But
that made things messier to read, so I've left it at the more verbose
version, which unfortunately hides the symmetry in the entire code
flow a bit.
- While at it, also replace the 7 space indent with 1 tab.
And finally, because I flat out don't trust my abilities here at all
anymore:
- Disable the ioctl until we have the igt situation and everything else
sorted out on-list and with full consensus.
v2:
Sashiko noticed that I didn't handle the error path for idr_replace
correctly, it must be checked with IS_ERR_OR_NULL like in
gem_handle_delete. So yeah, definitely should just the existing paths
1:1 because this is endless amounts of tricky.
Also add the Fixes: line for the original ioctl, I forgot that too.
Reported-by: DARKNAVY (@DarkNavyOrg) <vr@darknavy.com>
Signed-off-by: Simona Vetter <simona.vetter@ffwll.ch>
Fixes: dc366607c4 ("drm: Replace old pointer to new idr")
Cc: syzbot+d7c9eed171647e421013@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Cc: Edward Adam Davis <eadavis@qq.com>
Cc: Dave Airlie <airlied@redhat.com>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Maxime Ripard <mripard@kernel.org>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Fixes: 5e28b7b944 ("drm: Set old handle to NULL before prime swap in change_handle")
Cc: David Francis <David.Francis@amd.com>
Cc: Puttimet Thammasaeng <pwn8official@gmail.com>
Cc: Christian Koenig <Christian.Koenig@amd.com>
Fixes: 7164d78559 ("drm/gem: fix race between change_handle and handle_delete")
Cc: Zhenghang Xiao <kipreyyy@gmail.com>
Fixes: 5e28b7b944 ("drm: Set old handle to NULL before prime swap in change_handle")
Reviewed-by: David Francis <David.Francis@amd.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patch.msgid.link/20260604194437.1725314-1-simona.vetter@ffwll.ch
-----BEGIN PGP SIGNATURE-----
iQJEBAABCAAuFiEEwPw5LcreJtl1+l5K99NY+ylx4KYFAmojJQ0QHGF4Ym9lQGtl
cm5lbC5kawAKCRD301j7KXHgppGsD/0d9CxOz1SLooS0ufvmb0+Jm1d8tHe+NeNv
ALINBbvytrEppGNh4M+u25ZcWzevKHZTCIM9++nBNJOlTHLvP+E8dIdUuZvct2GU
y1jK28y/K9iM11MMAN2ey7OI8J20ABQGoCfXXwmBbqw3eM27gap74GpLwQ6vDG7E
xCnzS8M9R7MUxO2Y2ZfQkfgMUuViNMe3V9r4zz0Dgjn1Ao8cWduJ4BsZBN3sRMtA
D9EqU2kd4SscnwYSb8guPlshf3u0oY1GBTFozgUiqPw9bz6EAPk90ikr8gUgsWyk
UxgEWQLgIcwkpM+ym5kBGYcy4htA3bYM0XkYN5CaTzFg47roaQW9XVe+w14IAtKR
iSVpVGjDv/zZRJjDadN95GEXtVy5ZYZrIt2+2qwns9lTqGwAzHfVlnjNx2tqq4VS
LVhqgM6UzXHXun0CpBJVZ66j6kKjDyme8j0RjgZ/Gt2QhnrFIBfUiXjac5UgiZjp
+4s9VWdNViomho24lgxgtpGwRPXfdZjbl8LPS2O3tywOQOikUGBpVM7Nja82N/0b
mV2szmMl6nCu0wHfqQ54nP7maZa0TtLU6K1ozSd5spOrY5ZDsrleLiciRSCbNR2R
jRKEUsReZe7CZ/4h/atZws2/eVCpYh2PMnSFMb1w8v5gnQk94ryPd9KKYbK8dsGk
zU0OdJxJ2A==
=OdYU
-----END PGP SIGNATURE-----
Merge tag 'io_uring-7.1-20260605' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux
Pull io_uring fix from Jens Axboe:
"A single fix for a missing flag mask when multishot is used with
an incrementally consumed buffer ring, potentially leading to
application confusion because of lack of IORING_CQE_F_BUF_MORE
consistency"
* tag 'io_uring-7.1-20260605' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux:
io_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv retries
- Correctly drop the ITS translation cache reference when it actually
gets invalidated
- Take the SRCU lock for SW page table walks
- Restore POR_EL0 access to host EL0, avoiding POR_EL0 becoming
inaccessible from EL0 after running a guest
- Reassign nested_mmus array behind mmu_lock, ensuring that vcpu init
and MMU notifiers are mutually exclusive
- Correctly handle FEAT_XNX at stage-2
s390:
- More fixes for the new page table management and nested virtualization
x86:
- More fixes for GHCB issues
- Read start/end indices of page size change requests exactly one per vmexit
- Unmap and unpin the GHCB as needed on vCPU free
-----BEGIN PGP SIGNATURE-----
iQFIBAABCgAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmoi/4cUHHBib256aW5p
QHJlZGhhdC5jb20ACgkQv/vSX3jHroOhbQgAryMnK/ik3rzTO/FW6LlHzkQRMN/J
WUE/LB7X9DNynWb5MDfE4dDPrH+jxb8YHeX82vMs3vXi5FXqvdBUTR96O0p9PWuE
pvjiICmpIqYn63vCZiIh0UwvbvaF8ADGr6moCvUfzoxanvnhZBFCzFEDdrKTIw3B
RimdLJ61zEGc8Sjly8GIT8IB3bDmS/GqdKk61fAYGXsDf8QJ2dESuM4/+hed7Yyq
NbT6ar4mrMjZKD2tcPx9ZgrCnqCJFnXmir3EEU2OMxxdXgbpz3cf2YOmA1fwBoQ0
E9qjNybNwnYJnhBn94vZdPSxOADzTKjRmhJ7LSxpvaq3HaZg3ZG1/bshCg==
=tJp+
-----END PGP SIGNATURE-----
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
Pull kvm fixes from Paolo Bonzini:
"arm64:
- Correctly drop the ITS translation cache reference when it actually
gets invalidated
- Take the SRCU lock for SW page table walks
- Restore POR_EL0 access to host EL0, avoiding POR_EL0 becoming
inaccessible from EL0 after running a guest
- Reassign nested_mmus array behind mmu_lock, ensuring that vcpu init
and MMU notifiers are mutually exclusive
- Correctly handle FEAT_XNX at stage-2
s390:
- More fixes for the new page table management and nested
virtualization
x86:
- More fixes for GHCB issues:
- Read start/end indices of page size change requests exactly once
per vmexit
- Unmap and unpin the GHCB as needed on vCPU free"
* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (23 commits)
KVM: arm64: Correctly identify executable PTEs at stage-2
KVM: arm64: nv: Fix handling of XN[0] when !FEAT_XNX
KVM: arm64: Reassign nested_mmus array behind mmu_lock
KVM: arm64: Restore POR_EL0 access to host EL0
KVM: arm64: Take the SRCU lock for page table walks in fault injection and AT emulation
KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry
KVM: SEV: Unmap and unpin the GHCB as needed on vCPU free
KVM: SEV: Decouple the need to sync the GHCB SA from the need to free the SA
KVM: SEV: Move sev_free_vcpu() down below sev_es_unmap_ghcb()
KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying
KVM: SEV: Read start/end indices of PSC requests exactly once per #VMGEXIT
KVM: SEV: Add an anonymous "psc" struct to track current PSC metadata
KVM: SEV: Make it more obvious when KVM is writing back the current PSC index
KVM: s390: Remove ptep_zap_softleaf_entry()
KVM: s390: Fix possible reference leak in fault-in code
KVM: s390: Prevent memslots outside the ASCE range
KVM: s390: Lock pte when making page secure
KVM: s390: Fix fault-in code
KVM: s390: vsie: Fix rmap handling in _do_shadow_crste()
KVM: s390: Fix guest / virtual address confusion in _essa_clear_cbrl()
...
- tracing/probes: Point the error offset correctly for eprobe argument error
Fix the eprobe event parser to point error position correctly.
-----BEGIN PGP SIGNATURE-----
iQFPBAABCgA5FiEEh7BulGwFlgAOi5DV2/sHvwUrPxsFAmoi0xkbHG1hc2FtaS5o
aXJhbWF0c3VAZ21haWwuY29tAAoJENv7B78FKz8b5awIAL8sYmBb+0dZO9uPvAwS
Ar0IlPGd/lnfLNUF5nmin+fSyAr4TIqLIuKjHZ2MxFGxtyITzWQDbXIBT7Wan5vy
3adAJTVgby+jz2k+MvTU1hU1wBt4E4nGvJQJf9Ohk7NuqiUYSDjbkPa2yA3fGFFY
HGvvRlj0OF6eYbyiGIUTk5S4AYeBOFB6/qB9MbMTUHPXiM0LgzBVuR+Rimo1iFNO
wdqJ9atrj8r4hdvAQLPeKXAfhahhHXlviGVDjtgGa9Gt7jESPw8fDdh5PWKWr7Vy
6Mr/o/16V13bFx4zWRacSwgSFsJsZukDS+bdD5HnEGhb8AYZxOYvy79H6URT3S4e
rws=
=rQ/U
-----END PGP SIGNATURE-----
Merge tag 'probes-fixes-v7.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
Pull tracing/probes fix from Masami Hiramatsu:
"Fix the eprobe event parser to point error position correctly"
* tag 'probes-fixes-v7.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
tracing/probes: Point the error offset correctly for eprobe argument error
The err_repeated_inc test was added with an expected stderr fixture
that does not match the diagnostic printed by kconfig.
Running "make testconfig" currently fails in that test even though the
parser reports the duplicated include correctly:
[stderr]
Kconfig.inc1:4: error: repeated inclusion of Kconfig.inc3
Kconfig.inc2:3: note: location of first inclusion of Kconfig.inc3
The fixture expects "Repeated" and "Location" with capital letters, but
the diagnostic emitted by scripts/kconfig/util.c uses lowercase words.
Update the fixture to match the real message.
Fixes: 102d712ded ("kconfig: Error out on duplicated kconfig inclusion")
Signed-off-by: Zhou Yuhang <zhouyuhang@kylinos.cn>
Tested-by: Nicolas Schier <nsc@kernel.org>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Link: https://patch.msgid.link/20260520070800.2265479-1-zhouyuhang1010@163.com
Signed-off-by: Nicolas Schier <nsc@kernel.org>
- Correctly drop the ITS translation cache reference when it actually
gets invalidated
- Take the SRCU lock for SW page table walks
- Restore POR_EL0 access to host EL0, avoiding POR_EL0 becoming
inaccessible from EL0 after running a guest
- Reassign nested_mmus array behind mmu_lock, ensuring that vcpu init
and MMU notifiers are mutually exclusive
- Correctly handle FEAT_XNX at stage-2
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEn9UcU+C1Yxj9lZw9I9DQutE9ekMFAmoi9m8ACgkQI9DQutE9
ekMOqRAAwCXKfCTXWTbWVrzyPvkHHktQUnUANY262VxFmOzvIlxONu0zQK/Saagl
YMJ/nfLbwI4Cz2sLeBplxcyh8dVoc6EglDbB+d+7gXIJWVxA5ToM3yt1Yn+g4hpc
4LTIapANeIDlQ+Z8PyR2WdEdo9a89j9qs+goBgscjHF85N2Qh10G3wioeCGQVTYw
Z1woVhyx4VlcUOPWYS3Ws3yqbICousxe5zsKLXb2v5nybauBS7fjh7ACbX2pBlmi
X4Pip4vIyfv0hyq5rdvcb/m8pjXgXrrdaZ2pJpvm2ioa5MAQ1SvvHo+HDsOPuoCl
p0TlDARd9JpMZdNko5/3qmAmMlE2ap9Qqh7zaAlxt/THoI/0G/7NOaKBclGcp/nw
+KjDEFriws2Yeqce+Tl8pF0/MBCmNV61BVSa91xGG3pRdxThV/NCxD4oRWLCDMRJ
3UEAwNVV6FZW7rAbdzlG/spjmloMGPzWq4Mg+iu6BunfOBI6RlabHlRqhaU8SZ/O
dX82lzfCpouikgETSJNi7Ta/aCBDWLeuM01TuZ05RO5vCfTdB50SFlmXMRO5zjR0
tVCKg5roKkVd2D81g/kssehpGgOsiBqqiNK7LMYhxzEMC0aySobrtbbq6KT0RVez
fbQsrLvFFVGUAMp3k84s2BF+K7EXUh98GgqLerwbg2mp7UhqpW0=
=8bS2
-----END PGP SIGNATURE-----
Merge tag 'kvmarm-fixes-7.1-5' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEAD
KVM/arm64 fixes for 7.1, take #5
- Correctly drop the ITS translation cache reference when it actually
gets invalidated
- Take the SRCU lock for SW page table walks
- Restore POR_EL0 access to host EL0, avoiding POR_EL0 becoming
inaccessible from EL0 after running a guest
- Reassign nested_mmus array behind mmu_lock, ensuring that vcpu init
and MMU notifiers are mutually exclusive
- Correctly handle FEAT_XNX at stage-2
Bugfixes:
- Fix a use after free in nfs_write_completion
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQR8xgHcVzJNfOYElJo6EXfx2a6V0QUCaiLziAAKCRA6EXfx2a6V
0fX1AP0VI3hJgrOufhJZNFh5/yYTKNtuNIsVzObrbKDirhZjMwEAgQEXgXeB8tN4
IxCq3qi8eK600iLKqn7PwjAvHMrZiwY=
=qHOO
-----END PGP SIGNATURE-----
Merge tag 'nfs-for-7.1-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs
Pull NFS client fix from Trond Myklebust:
- Fix a use after free in nfs_write_completion
* tag 'nfs-for-7.1-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
NFS: write_completion: dereference loop-local req, not hdr->req
Signed-off-by: Carlos Maiolino <cem@kernel.org>
-----BEGIN PGP SIGNATURE-----
iJUEABMJAB0WIQSmtYVZ/MfVMGUq1GNcsMJ8RxYuYwUCaiKcdwAKCRBcsMJ8RxYu
Y4d+AX9CjmcF5yEZVe+7YCc0ktUUvm0EQwXmGDMCm8UzT1kcWVRDF2eIxu/cYKjo
a1AfN9gBgMA/yJNYWyUluSiF+vTD2y2iuCX08k2p/8qplUEuEINRjooEp6bgJ6bN
BYeFp1mXSw==
=Kpi8
-----END PGP SIGNATURE-----
Merge tag 'xfs-fixes-7.1-rc7' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
Pull xfs fixes from Carlos Maiolino:
"A collection of fixes mostly for the RT device, including a small
refactor that has no functional change"
* tag 'xfs-fixes-7.1-rc7' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
xfs: Remove mention of PageWriteback
xfs: abort mount if xfs_fs_reserve_ag_blocks fails
xfs: factor rtgroup geom write pointer reporting into a helper
xfs: drop the RTG reference later in xfs_ioc_rtgroup_geometry
xfs: fix rtgroup cleanup in CoW fork repair
xfs: fix error returns in CoW fork repair
xfs: fix overlapping extents returned for pNFS LAYOUTGET
xfs: fix use of uninitialized imap in xfs_fs_map_blocks error path
xfs: handle racing deletions in xfs_zone_gc_iter_irec
- Fix a UAF of sbi->sync_decompress when compressed I/Os
race with unmount
- Fix a regression introduced this development cycle that
incorrectly rejects multiple-algorithm images
-----BEGIN PGP SIGNATURE-----
iQJFBAABCgAvFiEEQ0A6bDUS9Y+83NPFUXZn5Zlu5qoFAmoiGEoRHHhpYW5nQGtl
cm5lbC5vcmcACgkQUXZn5Zlu5qrkCQ/9HTsNbR3k+xFvSd7wNtV3s2pKRX2ctEVn
KWiOk5ZNRWUWImL7a0gEwjGtkGPDg4yXWHQnm0hPO6bBqXOXoPuDomsSDC5EzvQ+
ID2dxkc+nJeg9MkiKEY3W78yTkOI8Xrn8ZYi02U30Vk0vzWiiEnJG9pKp6XTheAi
zRA2iqoiE00wTbAZCW3xqyHcw2djBRuaBYPYycHJCw3D+sVcnuVrLUeeFNKXsar1
p2FG+9tzPgMhMFJgTkiD7SA0dmRp4PoJsY1d1P1uuqBJ/PFWmWTbnCmNvUZUQFcR
d2rT0jxlW4oA+lzP/RT0lDmvR3howEy4F+gLlsh8jYO5RmtLyAv5gVzxqugN0Jc4
ZSRX6qgVYhsHe/DzbPIbZFjcWUNs7Q1gS6NwUhjlZ9r4CJ2Yh/n43koPWwJB/xTt
HmkSuaOatu5zDHvohlbX2AAoxALDs+fO9lu9C9cgCAx/dS01zdgUyCWYIH43+OAp
BveL+jmzdzLnMakCs3ImsrgTZXxqrmCe0HgsCVjqGsmDCk8y3CDmMhG1EYn0bOgA
OnbkGj2Q/MmXJbrgsogOgc6oIg+sFf1GzMiNFeUTm7nSHgmoqI2f+aTMz9qNmKZu
9XPvyzfPFF/0NPxF9c0e7bwiMyaZLXaHn1wG2eXbubSQbIxRBmnid8XiA/SaOHUq
kY6gkXUB+4k=
=CHHg
-----END PGP SIGNATURE-----
Merge tag 'erofs-for-7.1-rc7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs
Pull erofs fixes from Gao Xiang:
- Fix a UAF of sbi->sync_decompress when compressed I/Os
race with unmount
- Fix a regression introduced this development cycle that
incorrectly rejects multiple-algorithm images
* tag 'erofs-for-7.1-rc7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs:
erofs: fix EFSCORRUPTED on multi-algorithm images in z_erofs_map_sanity_check()
erofs: fix use-after-free on sbi->sync_decompress
-----BEGIN PGP SIGNATURE-----
iQGzBAABCgAdFiEE6fsu8pdIjtWE/DpLiiy9cAdyT1EFAmoh6iQACgkQiiy9cAdy
T1HZagv+PVKZ5Djru4YzKQH19sYHkiav7FLzwZZy+bTmGlApWci6m/7aBojZOeac
t5vaFURjrrGSAY5QQGjtr7rFgsQsQkU6AuSo8BnaGXRdzf9HoMkI0TI/OOGfuELX
BCD10yoX8m8SwnrXIPaqHoyfn0uhUHRZk8okWPtPzv19VZK3t84XkQjLjR+IYHwb
UZWhmGanjqw2yS5kTuWr6M3+POLnDqrdEzNj8R1ugcQ5aH/s1vfVEUi1vXKnGSBa
ZPldxXRUpbEUMwrk1PyXd4Hb/OKpQrAoj3kl6sBXLNvLHtiw4i8+NkpGDg00eXYE
xOqAdADNFpWx1lIJVJ845Enn5twaGM8y7KlXr+lEGfVU7iCKahs4d0RkjQON5aTo
1HTx+nov4cP0nojvnPONU0li576E66ryqWzpBqsfEN93ROi+x7snuT9vB6QCjGHH
lDv0UgsGF9TGWw2sBBQXhgYBXiFs2e1YSvdfT6KAd2x2SEJOIZ8yM6+ZNLzS1zTP
XGjnnZ7S
=7kge
-----END PGP SIGNATURE-----
Merge tag 'v7.1-rc7-ksmbd-server-fixes' of git://git.samba.org/ksmbd
Pull smb server fixes from Steve French:
- Fix use after free in SMB2_CANCEL
- Fix race in ksmbd_reopen_durable_fd
- Fix oplock and lease break potential NULL-dref
* tag 'v7.1-rc7-ksmbd-server-fixes' of git://git.samba.org/ksmbd:
ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL
ksmbd: fix durable reconnect double-bind race in ksmbd_reopen_durable_fd
ksmbd: fix NULL-deref of opinfo->conn in oplock/lease break notifiers
KVM invalidates the I-cache before installing an executable PTE on
implementations without DIC. Unfortunately, support for FEAT_XNX
broke this check as KVM_PTE_LEAF_ATTR_HI_S2_XN was expanded to a
bitfield.
Fix it by reusing kvm_pgtable_stage2_pte_prot() and testing the abstract
permission bits instead.
Fixes: 2608563b46 ("KVM: arm64: Add support for FEAT_XNX stage-2 permissions")
Reported-by: Sashiko (gemini/gemini-3.1-pro-preview)
Signed-off-by: Oliver Upton <oupton@kernel.org>
Reviewed-by: Wei-Lin Chang <weilin.chang@arm.com>
Link: https://patch.msgid.link/20260602165901.52800-3-oupton@kernel.org
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
XN has already been extracted from its bitfield position so using
FIELD_PREP() on the mask that clears XN[0] is completely broken, having
the effect of unconditionally granting execute permissions...
Fix the obvious mistake by manipulating the right bit.
Cc: stable@vger.kernel.org
Fixes: d93febe2ed ("KVM: arm64: nv: Forward FEAT_XNX permissions to the shadow stage-2")
Reviewed-by: Wei-Lin Chang <weilin.chang@arm.com>
Signed-off-by: Oliver Upton <oupton@kernel.org>
Link: https://patch.msgid.link/20260602165901.52800-2-oupton@kernel.org
Signed-off-by: Marc Zyngier <maz@kernel.org>
When a bundle recv retries inside io_recv_finish(), the merge logic OR
the saved cflags from the previous iteration with the cflags returned by
the new iteration:
cflags = req->cqe.flags | (cflags & CQE_F_MASK);
Bits listed in CQE_F_MASK are inherited from the new iteration, and all
other bits (notably IORING_CQE_F_BUFFER and the buffer ID) come from the
saved cflags. Before this change CQE_F_MASK covered only
IORING_CQE_F_SOCK_NONEMPTY and IORING_CQE_F_MORE.
When using provided buffer rings (IOU_PBUF_RING_INC) with incremental
mode, and bundle recv, io_kbuf_inc_commit() can leave the head ring
entry partially consumed, __io_put_kbufs() then sets
IORING_CQE_F_BUF_MORE on the returned cflags so userspace knows the
buffer ID will be reused for subsequent completions.
Because IORING_CQE_F_BUF_MORE was not in CQE_F_MASK, the merge above
silently dropped it whenever the final retry iteration partially
consumed the buffer, and the subsequent req->cqe.flags = cflags &
~CQE_F_MASK save would have left a stale IORING_CQE_F_BUF_MORE in the
carried-over cflags had one been present. Userspace would then
wrongfully advance it ring head past an entry the kernel still uses.
Add IORING_CQE_F_BUF_MORE to CQE_F_MASK so it is both inherited from the
new iteration into the user-visible CQE and stripped from the saved
cflags between iterations.
Cc: stable@vger.kernel.org
Signed-off-by: Clément Léger <cleger@meta.com>
Assisted-by: Claude:claude-opus-4.6
Fixes: ae98dbf43d ("io_uring/kbuf: add support for incremental buffer consumption")
Link: https://patch.msgid.link/20260604160715.2482972-1-cleger@meta.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the
MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which
can run at any time. kvm_vcpu_init_nested() reallocates the array and frees
the old buffer while holding only kvm->arch.config_lock, so such a walker
can reference the freed array.
Allocate the new array outside of mmu_lock, as the allocation can sleep.
Under the lock, copy the existing entries, fix up the back pointers and
reassign the array. Free the old buffer after dropping the lock, as
kvfree() can sleep as well.
Fixes: 4f128f8e1a ("KVM: arm64: nv: Support multiple nested Stage-2 mmu structures")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Reviewed-by: Oliver Upton <oupton@kernel.org>
Link: https://patch.msgid.link/aiKIVVeIr1aAB1yp@v4bel
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger,kernel.org
This reverts commit 40d2f58209.
Removing the try_vesa_interface gate caused a backlight regression on
panels whose VBT correctly reports INTEL_BACKLIGHT_DISPLAY_DDI and whose
PWM path is the actual backlight control, but whose DPCD optimistically
advertises DP_EDP_BACKLIGHT_AUX_ENABLE_CAP / _BRIGHTNESS_AUX_SET_CAP.
After the commit such panels silently bind to the VESA AUX backlight
funcs; AUX writes complete but the panel ignores them, leaving
brightness stuck (no-op backlight). Observed on at least KBL and TGL
eDP setups.
Signed-off-by: Suraj Kandpal <suraj.kandpal@intel.com>
Reviewed-by: Ankit Nautiyal <ankit.k.nautiyal@intel.com>
Link: https://patch.msgid.link/20260517024709.1016121-1-suraj.kandpal@intel.com
(cherry picked from commit f30fddb4402313aa5301a74d721638d343395269)
Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
walk_s1() and kvm_walk_nested_s2() expect to be called while holding
kvm->srcu to guard against memslot changes. While this is generally
the case, __kvm_at_s12() and __kvm_find_s1_desc_level() call into the
respective walkers without taking kvm->srcu.
Fix by acquiring kvm->srcu prior to the table walk in both instances.
Cc: stable@vger.kernel.org
Fixes: 50f77dc87f ("KVM: arm64: Populate level on S1PTW SEA injection")
Fixes: be04cebf3e ("KVM: arm64: nv: Add emulation of AT S12E{0,1}{R,W}")
Suggested-by: Oliver Upton <oupton@kernel.org>
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Reviewed-by: Oliver Upton <oupton@kernel.org>
Link: https://patch.msgid.link/aiAZfdeyanIvP8SD@v4bel
Signed-off-by: Marc Zyngier <maz@kernel.org>
vgic_its_invalidate_cache() walks the per-ITS translation cache with
xa_for_each() and drops the cache's reference on each entry with
vgic_put_irq(). It puts the iterated pointer, though, rather than the
value returned by xa_erase().
The function is called from contexts that do not exclude one another: the
ITS command handlers hold its_lock, the GITS_CTLR write path holds
cmd_lock, and the path that clears EnableLPIs in a redistributor's
GICR_CTLR holds neither. Two or more of them can drain the same cache
concurrently, and if each one observes the same entry, erases it and then
puts it, the single reference the cache holds on that entry is dropped
more than once. The entry can then be freed while an ITE still maps it.
xa_erase() is atomic and returns the previous entry, so put only the entry
that this context actually removed. The cache reference is then dropped
exactly once per entry even when the invalidations run concurrently, and
the behavior is unchanged when only one context runs.
Fixes: 8201d1028c ("KVM: arm64: vgic-its: Maintain a translation cache per ITS")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Reviewed-by: Oliver Upton <oupton@kernel.org>
Link: https://patch.msgid.link/ah2c5lu4JbUg7dj-@v4bel
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
topology_num_nodes_per_package() reports values greater than one on certain
AMD systems resulting in resctrl's Intel model specific SNC detection
printing the confusing message:
"CoD enabled system? Resctrl not supported"
Add a check for Intel systems before looking at the topology.
[ reinette: Add Closes tag, fix tag typos, rework changelog ]
Fixes: 59674fc9d0 ("x86/resctrl: Fix SNC detection")
Reported-by: Babu Moger <babu.moger@amd.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Tested-by: Babu Moger <babu.moger@amd.com>
Link: https://patch.msgid.link/9849330f45ac86344cc5ac54df2d313906d70bc4.1780634584.git.reinette.chatre@intel.com
Closes: https://lore.kernel.org/lkml/37ac0376-43a3-4283-a3d5-4d57b3bec578@amd.com/
The dummy sequencer port forwards events by copying an incoming
struct snd_seq_event into a stack temporary, rewriting source and
destination, and dispatching the temporary to subscribers. That legacy
event storage is smaller than struct snd_seq_ump_event.
When a UMP event reaches the dummy client, the copy leaves the UMP flag
set but only provides legacy-sized stack storage. The subscriber
delivery path then uses snd_seq_event_packet_size() and copies a
UMP-sized packet from that stack object, reading past the end of the
temporary.
Use the existing union __snd_seq_event storage and copy the packet size
reported for the incoming event before rewriting the common routing
fields. This preserves the full UMP packet for UMP events while keeping
legacy event handling unchanged.
Fixes: 32cb23a0f9 ("ALSA: seq: dummy: Allow UMP conversion")
Signed-off-by: Kyle Zeng <kylebot@openai.com>
Link: https://patch.msgid.link/20260605080204.32045-1-kylebot@openai.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The command stream parsing loop increments the index variable a second
time when a 64-bit command word is encountered (bit 14 set), but does
not re-check the loop bound before writing the second word:
for (i = 0; i < size / 4; i++) {
bocmds[i] = cmds[0];
if (cmd & 0x4000) {
i++;
bocmds[i] = cmds[1]; /* unchecked */
}
}
The buffer bocmds is backed by a DMA allocation of exactly size bytes
from drm_gem_dma_create(ddev, size), giving valid indices [0, size/4-1].
When i == size/4 - 1 on entry to an iteration and bit 14 of cmds[0] is
set, bocmds[size/4-1] is written in bounds, i is then incremented to
size/4, and bocmds[size/4] writes four bytes past the end of the
allocation.
Userspace controls both the buffer contents and the size argument via
the ioctl, making this a userspace-triggerable heap out-of-bounds write.
Fix by checking the incremented index against the buffer bound before
the second write and returning -EINVAL if the buffer is too small to
contain the extended command.
Fixes: 5a5e9c0228 ("accel: Add Arm Ethos-U NPU driver")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Link: https://patch.msgid.link/20260523190843.33977-1-meatuni001@gmail.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
cmd_state_init() initializes the command state with memset(0xff),
leaving dma->len at U64_MAX to signal missing setup. The only setter
is NPU_SET_DMA0_LEN; if userspace omits this command and issues
NPU_OP_DMA_START, dma->len remains U64_MAX.
In dma_length(), a positive stride added to U64_MAX wraps to a small
value. With size0 == 1, check_mul_overflow() does not trigger and
dma_length() returns 0 instead of U64_MAX. The caller's U64_MAX check
then passes, region_size[] stays 0, and the bounds check in
ethosu_job.c is bypassed, allowing hardware to execute DMA with stale
physical addresses.
Fix by checking for U64_MAX at the start of dma_length() before any
arithmetic, consistent with the sentinel value used throughout the
driver to detect uninitialized fields.
Fixes: 5a5e9c0228 ("accel: Add Arm Ethos-U NPU driver")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Link: https://patch.msgid.link/20260524130319.12747-1-meatuni001@gmail.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
dma_length() derives DMA region usage from command stream values and
updates region_size[]:
len = ((len + stride[0]) * size0 + stride[1]) * size1
region_size[region] = max(..., len + dma->offset)
Several arithmetic issues can corrupt the derived region size:
- signed stride values may underflow when added to len
- intermediate multiplications may overflow
- len + dma->offset may overflow during region_size updates
- dma_length() error returns were not validated by the caller
region_size[] is later used by ethosu_job.c to validate command stream
accesses against GEM buffer sizes. Arithmetic wraparound can therefore
under-report region usage and bypass the bounds validation.
Fix by validating signed additions, using overflow helpers for
multiplications and offset updates, and propagating dma_length()
failures to the caller.
Fixes: 5a5e9c0228 ("accel: Add Arm Ethos-U NPU driver")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Link: https://patch.msgid.link/20260524103710.47397-1-meatuni001@gmail.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
On non-U65 hardware (e.g. U85), opcode 0x4093 is NPU_SET_WEIGHT2_LENGTH.
The BASE handler for the same opcode correctly assigns to
st.weight[2].base, but the LENGTH handler mistakenly assigns cmds[1]
to st.weight[1].length instead of st.weight[2].length.
This leaves weight[2].length at its initialised sentinel value of
0xffffffff and corrupts weight[1].length with the user-supplied value,
breaking the software bounds-check state for both weight buffers on U85.
Fix the index to match the BASE handler.
Fixes: 5a5e9c0228 ("accel: Add Arm Ethos-U NPU driver")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Link: https://patch.msgid.link/20260523210840.92039-3-meatuni001@gmail.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
NPU_OP_RESIZE is a U85-only command that the driver does not yet
implement. The existing WARN_ON(1) placeholder fires unconditionally
whenever userspace submits this command via DRM_IOCTL_ETHOSU_GEM_CREATE,
causing unbounded kernel log spam.
If panic_on_warn is set the kernel panics, giving any unprivileged user
with access to the DRM device a trivial denial-of-service primitive.
Replace the WARN_ON(1) with an explicit -EINVAL return so the ioctl
rejects the command before it reaches hardware.
Fixes: 5a5e9c0228 ("accel: Add Arm Ethos-U NPU driver")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Link: https://patch.msgid.link/20260523210840.92039-2-meatuni001@gmail.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
NPU_SET_IFM_REGION extracts the region index with param & 0x7f, giving
a maximum value of 127. However region_size[] and output_region[] in
struct ethosu_validated_cmdstream_info are both sized to
NPU_BASEP_REGION_MAX (8), giving valid indices [0..7].
Every other region assignment in the same switch uses param & 0x7:
NPU_SET_OFM_REGION: st.ofm.region = param & 0x7;
NPU_SET_IFM2_REGION: st.ifm2.region = param & 0x7;
NPU_SET_WEIGHT_REGION: st.weight[0].region = param & 0x7;
NPU_SET_SCALE_REGION: st.scale[0].region = param & 0x7;
The 0x7f mask on IFM is inconsistent and appears to be a typo.
feat_matrix_length() and calc_sizes() use the region index directly
as an array subscript into the kzalloc'd info struct:
info->region_size[fm->region] = max(...);
A userspace caller supplying NPU_SET_IFM_REGION with param > 7 causes
a write up to 127*8 = 1016 bytes past the start of region_size[],
corrupting adjacent kernel heap data.
Fix by applying the same & 0x7 mask used by all other region
assignments.
Fixes: 5a5e9c0228 ("accel: Add Arm Ethos-U NPU driver")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Link: https://patch.msgid.link/20260523195159.55801-1-meatuni001@gmail.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Current release - fix to a fix:
- Bluetooth: MGMT: fix backward compatibility with bluetoothd
which adds stray bytes to MGMT_OP_ADD_EXT_ADV_DATA
Previous releases - regressions:
- af_unix: fix inq_len update inaccuracy on partial read
- eth: fec: fix pinctrl default state restore order on resume
- wifi: iwlwifi: mvm: don't support the reset handshake for old firmwares
- wifi: iwlwifi: pcie: simplify the resume flow if fast resume is
not used, work around NIC access failures
Previous releases - always broken:
- Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig
- sctp: fix a couple of bugs in COOKIE_ECHO processing
- sched: fix pedit partial COW leading to page cache corruption
- wifi: nl80211: reject oversized EMA RNR lists
- netfilter: conntrack_irc: fix possible out-of-bounds read
- netfilter: bridge: make ebt_snat ARP rewrite writable
- appletalk: zero-initialize aarp_entry to prevent heap info leak
- ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options
- mptcp: fix number of bugs reported by AI scans and discovered during
NVMe over MPTCP testing
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE6jPA+I1ugmIBA4hXMUZtbf5SIrsFAmohtisACgkQMUZtbf5S
Irs3Cw/+KafCtRro8w+HJav1cWfbzoJn/Iv/vLVKqPziFsmgdxDcIh/xl3duJDE2
uNwompsC0G40Cs45z901LjenFuvZ20FnJixYdpYKSGTudbRybxTzUdjUBHz+I5q2
nJ8YWNvemscmxxJehy6V+iOaNgVvR03ZUE/Zdt8iZ47ZcAiJ4HU4TDw35aJgUiB0
lImzJNU9imwV+1AWdIvaYbIatqX/+1qbpoNv3YVGskB/RSQDzjFcUiF4uueyet0f
LZrYXtrqMAWED9fnmoPDLvY+dkN+CSbH+PpjV1V5/hjO7ilpe4Vhb9EBngKSP9zr
ke1p5SnIlm12CtxatEeODdZfLGUcmwlxob2U6AFVHj9pp+Yiw/nw22Xi5zthh+WR
Az3Kim8g+rxu5ljpr5rhHLXBiSlYy0Xj3clVst8wzvWxf0ot3+hX9gCteM1Oj0+E
M/s8a6FwKhxA3HQEsi0TmQgkSUrzkbUe4fXteKxSDVnb91YAZd1woGB4AWkZFRTv
QohPrESf+4ldXI1udIpv8+x1SytlGLsrbd8knocq4Xc9XA6+ETkeg9gL4HWoGvVB
JSgygByyLzjqOD8/CapAPFguSE6AoFKN1RWmCh85cypbTOt5vZ0jfp1IowbHUjdL
d9oCPK9LlK3fqPNcyotB1vGUDU7c0gW8ZFTPC94k6RrU+RY2sJ0=
=zpoM
-----END PGP SIGNATURE-----
Merge tag 'net-7.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
Pull networking fixes from Jakub Kicinski:
"Including fixes from Netfilter, wireless and Bluetooth.
Current release - fix to a fix:
- Bluetooth: MGMT: fix backward compatibility with bluetoothd
which adds stray bytes to MGMT_OP_ADD_EXT_ADV_DATA
Previous releases - regressions:
- af_unix: fix inq_len update inaccuracy on partial read
- eth: fec: fix pinctrl default state restore order on resume
- wifi: iwlwifi:
- mvm: don't support the reset handshake for old firmwares
- pcie: simplify the resume flow if fast resume is not used,
work around NIC access failures
Previous releases - always broken:
- Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig
- sctp: fix a couple of bugs in COOKIE_ECHO processing
- sched: fix pedit partial COW leading to page cache corruption
- wifi: nl80211: reject oversized EMA RNR lists
- netfilter:
- conntrack_irc: fix possible out-of-bounds read
- bridge: make ebt_snat ARP rewrite writable
- appletalk: zero-initialize aarp_entry to prevent heap info leak
- ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options
- mptcp: fix number of bugs reported by AI scans and discovered
during NVMe over MPTCP testing"
* tag 'net-7.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (85 commits)
Reapply "bnxt_en: bring back rtnl_lock() in the bnxt_open() path"
udp: clear skb->dev before running a sockmap verdict
sctp: purge outqueue on stale COOKIE-ECHO handling
bonding: annotate data-races arcound churn variables
net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr
rtase: Avoid sleeping in get_stats64()
ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit()
ipv6: mcast: Fix use-after-free when processing MLD queries
selftests: net: add vxlan vnifilter notification test
vxlan: vnifilter: fix spurious notification on VNI update
vxlan: vnifilter: send notification on VNI add
rtase: Reset TX subqueue when clearing TX ring
octeontx2-af: npc: Fix CPT channel mask in npc_install_flow
dt-bindings: ethernet: eswin: fix hsp-sp-csr backward compatibility
sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing
net/sched: fix pedit partial COW leading to page cache corruption
vsock/vmci: fix sk_ack_backlog leak on failed handshake
net: bonding: fix NULL pointer dereference in bond_do_ioctl()
geneve: fix length used in GRO hint UDP checksum adjustment
net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown
...