WireGuard for the Linux kernel https://git.zx2c4.com/wireguard-linux/atom/lib?h=stable 2026-05-26T20:37:26Z 2026-05-26T20:37:26Z Linus Torvalds torvalds@linux-foundation.org 2026-05-26T20:37:26Z urn:sha1:e909cedf6800ef493063f18a089f3632817a8c2d Pull kunit fix from Shuah Khan: "Fix a use-after-free in kunit debugfs when using kunit.filter when the executor frees dynamically allocated resources after running boot-time tests. This resulted in fatal hardware exception due to invalidation of capability flags on the reclaimed memory on some architectures such as CHERI RISC-V that support the feature, and silent memory corruption on others. The fix for this couples the lifetime of the filtered suite memory allocation to the lifetime of the kunit subsystem and its associated VFS nodes. Ownership of the boot-time suite_set is now transferred to a global tracker ('kunit_boot_suites'), and the memory is cleanly released in kunit_exit() during module teardown" * tag 'linux_kselftest-kunit-fixes-7.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest: kunit: fix use-after-free in debugfs when using kunit.filter 2026-05-24T17:48:55Z Linus Torvalds torvalds@linux-foundation.org 2026-05-24T17:48:55Z urn:sha1:ee651da6d3e1e3c57d22dd6f03850af980b7cd10 Pull debugobjects fix from Ingo Molnar:: - Fix debugobjects regression on -rt kernels: don't fill the pool (which uses a coarse lock) if ->pi_blocked_on, because that messes up the priority inheritance of callers * tag 'core-urgent-2026-05-24' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: debugobjects: Do not fill_pool() if pi_blocked_on 2026-05-21T16:45:49Z Florian Schmaus florian.schmaus@codasip.com 2026-05-07T08:48:54Z urn:sha1:fb6988b83b4cafe8db63999c1ddff1b7c66d2ff5 When the kernel is booted with a kunit filter (e.g., kunit.filter="speed!=slow"), the kunit executor dynamically allocates copies of the filtered test suites using kmalloc/kmemdup. During the initial boot execution, kunit_debugfs_create_suite() creates debugfs files (such as /sys/kernel/debug/kunit/<suite>/run) and permanently stores a pointer to the dynamically allocated suite in the inode's i_private field. Previously, the executor freed this dynamically allocated suite_set immediately after executing the boot-time tests. Because the debugfs nodes were not destroyed, any subsequent interaction with the debugfs `run` file from userspace triggered a use-after-free (UAF). On systems with architectural capabilities, like CHERI RISC-V, this resulted in an immediate fatal hardware exception due to the invalidation of the capability tags on the reclaimed memory. On other architectures, it resulted in silent memory corruption. Fix this UAF by properly coupling the lifetime of the filtered suite memory allocation to the lifetime of the kunit subsystem and its associated VFS nodes. Ownership of the boot-time suite_set is now transferred to a global tracker ('kunit_boot_suites'), and the memory is cleanly released in kunit_exit() during module teardown. Link: https://lore.kernel.org/r/20260507084854.233984-1-florian.schmaus@codasip.com Fixes: e2219db280e3 ("kunit: add debugfs /sys/kernel/debug/kunit/<suite>/results display") Signed-off-by: Florian Schmaus <florian.schmaus@codasip.com> Reviewed-by: Martin Kaiser <martin@kaiser.cx> Reviewed-by: David Gow <david@davidgow.net> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org> 2026-05-19T14:49:33Z Linus Torvalds torvalds@linux-foundation.org 2026-05-19T14:49:33Z urn:sha1:c6e99c10fd9855082568cbd71bb2cc5dc90eda53 Pull misc fixes from Andrew Morton: "14 hotfixes. 9 are for MM. 10 are cc:stable and the remainder are for post-7.1 issues or aren't deemed suitable for backporting. There's a two-patch MAINTAINERS series from Mike Rapoport which updates us for the new KEXEC/KDUMP/crash/LUO/etc arrangements. And another two-patch series from Muchun Song to fix a couple of memory-hotplug issues. Otherwise singletons, please see the changelogs for details" * tag 'mm-hotfixes-stable-2026-05-18-21-07' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: mm/memory: fix spurious warning when unmapping device-private/exclusive pages mm: fix __vm_normal_page() to handle missing support for pmd_special()/pud_special() drivers/base/memory: fix memory block reference leak in poison accounting mm/memory_hotplug: fix memory block reference leak on remove lib: kunit_iov_iter: fix test fail on powerpc mm/page_alloc: fix initialization of tags of the huge zero folio with init_on_free MAINTAINERS: add kexec@ list to LIVE UPDATE ENTRY MAINTAINERS: add tree for KDUMP and KEXEC selftests/mm: run_vmtests.sh: fix destructive tests invocation scripts/gdb: slab: update field names of struct kmem_cache scripts/gdb: mm: cast untyped symbols in x86_page_ops mm/damon: fix damos_stat tracepoint format for sz_applied mm/damon/sysfs-schemes: call missing mem_cgroup_iter_break() mm/migrate_device: fix spinlock leak in migrate_vma_insert_huge_pmd_page 2026-05-18T08:56:36Z Helen Koike koike@igalia.com 2026-05-11T21:53:05Z urn:sha1:5f41161059fd0f1bbf18c90f3180e38cc45a14eb On RT enabled kernels, fill_pool() ends up calling rtlock_lock(), which asserts if current::pi_blocked_on is set, because a task can obviously only block on one lock as otherwise the priority inheritenace chain gets corrupted. Prevent this by expanding the conditional to take current::pi_blocked_on into account. Fixes: 4bedcc28469a ("debugobjects: Make them PREEMPT_RT aware") Reported-by: syzbot+b8ca586b9fc235f0c0df@syzkaller.appspotmail.com Signed-off-by: Helen Koike <koike@igalia.com> Signed-off-by: Thomas Gleixner <tglx@kernel.org> Link: https://patch.msgid.link/20260511215359.3351259-1-koike@igalia.com Closes: https://syzkaller.appspot.com/bug?extid=b8ca586b9fc235f0c0df 2026-05-17T18:07:09Z Linus Torvalds torvalds@linux-foundation.org 2026-05-17T18:07:09Z urn:sha1:46cd5b22e58805b5651dfc732cd23615e940ac8d Pull timer fix from Ingo Molnar: - Fix potential garbage reads in the vDSO gettimeofday code (Thomas Weißschuh) * tag 'timers-urgent-2026-05-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: vdso/gettimeofday: Reload sequence counter after switch to time page in do_aux() 2026-05-15T17:38:37Z Linus Torvalds torvalds@linux-foundation.org 2026-05-15T17:38:37Z urn:sha1:fd6b56615696c2addca7b43c862b21a9a386c116 Pull crypto fixes from Herbert Xu: - Fix potential dead-lock in rhashtable when used by xattr - Avoid calling kvfree on atomic path in rhashtable * tag 'v7.1-p4' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: rhashtable: Add bucket_table_free_atomic() helper mm/slab: Add kvfree_atomic() helper rhashtable: drop ht->mutex in rhashtable_free_and_destroy() 2026-05-14T10:30:53Z Thomas Weißschuh thomas.weissschuh@linutronix.de 2026-04-22T09:42:32Z urn:sha1:602d60ebae0f10bfbc7ba90eee026fdbd0203df3 After switching to the real data pages, the sequence counter needs to be reloaded from there. The code using vdso_read_begin_timens() assumed this worked by 'continue' jumping to the *beginning* of the do-while retry loop. However the 'continue' jumps to the *end* of said loop, evaluating the exit condition. If the data page has a sequence counter of '1' it will match the one from the time namespace page and prematurely exit the retry loop. This would result in garbage returned to the caller. Reload the sequence counter after switching the pages by using an inner while loop again, which will loop at most once. The loop generates slightly better code than an explicit reload through 'seq = vdso_read_begin()'. Fixes: ed78b7b2c5ae ("vdso/gettimeofday: Add a helper to read the sequence lock of a time namespace aware clock") Reported-by: Ricardo Ribalda <ribalda@chromium.org> Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de> Signed-off-by: Thomas Gleixner <tglx@kernel.org> Tested-by: Ricardo Ribalda <ribalda@chromium.org> Reviewed-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org> Link: https://patch.msgid.link/20260422-vdso-aux-timens-loop-v1-1-e2dd8c7164cc@linutronix.de Closes: https://lore.kernel.org/lkml/CANiDSCsOy0P1if-gJZqOM5pTJ0RDcwVfru1B7KFbTOEMqjPKJw@mail.gmail.com/ 2026-05-14T00:40:02Z Christian A. Ehrhardt lk@c--e.de 2026-04-21T07:07:07Z urn:sha1:efdadbc180e53fe257a6e85f6bc706cb58088653 Increase buffer size to accommodate machines with 64K PAGE_SIZE. Link: https://lore.kernel.org/20260421070707.992873-1-lk@c--e.de Fixes: 0913b7554726 ("lib: kunit_iov_iter: add tests for extract_iter_to_sg") Signed-off-by: Christian A. Ehrhardt <lk@c--e.de> Reported-by: David Gow <davidgow@google.com> Closes: https://lore.kernel.org/34a81ec2-af84-465d-9b5e-7bb5bf01680f@davidgow.net Tested-by: David Gow <davidgow@google.com> Tested-by: Josh Law <joshlaw48@gmail.com> Reviewed-by: Josh Law <joshlaw48@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> 2026-05-12T17:18:02Z Linus Torvalds torvalds@linux-foundation.org 2026-05-12T17:18:02Z urn:sha1:1d5dcaa3bd65f2e8c9baa14a393d3a2dc5db7524 Pull probes fixes from Masami Hiramatsu: - kprobes: skip non-symbol addresses in kprobe_add_ksym_blacklist() Since the ftrace adds its NOPs at .kprobes.text section (which stores an array), a wrong entry is added when loading a module which uses "__kprobes" attribute. To solve this, add "notrace" to __kprobes functions - test_kprobes: clear kprobes between test runs Clear all kprobes in the test program after running a test set, because Kunit test can run several times - fprobe: Fix unregister_fprobe() to wait for RCU grace period Since the fprobe data structure is removed with hlist_del_rcu(), it should wait for the RCU grace period. If the caller waits for RCU, we can use the async variant (e.g. eBPF) * tag 'probes-fixes-v7.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: fprobe: Fix unregister_fprobe() to wait for RCU grace period test_kprobes: clear kprobes between test runs kprobes: skip non-symbol addresses in kprobe_add_ksym_blacklist()