aboutsummaryrefslogtreecommitdiffstatshomepage
AgeCommit message (Collapse)AuthorFilesLines
2026-05-23Merge tag 'for-linus-fwctl' of git://git.kernel.org/pub/scm/linux/kernel/git/fwctl/fwctlLinus Torvalds1-0/+3
Pull fwctl fix from Jason Gunthorpe: - Buffer overflow due to missing input validation in pds * tag 'for-linus-fwctl' of git://git.kernel.org/pub/scm/linux/kernel/git/fwctl/fwctl: fwctl: pds: Validate RPC input size before parsing
2026-05-23KVM: SVM: Disable AVIC IPI virtualization on Hygon Family 18h (erratum #1235)Tina Zhang1-5/+7
Hygon Family 18h CPUs are derived from AMD Family 17h (Zen1) silicon and share the same erratum #1235: hardware may read a stale IsRunning=1 bit during ICR write emulation and silently fail to generate an AVIC_IPI_FAILURE_TARGET_NOT_RUNNING VM-Exit on the sending vCPU. The absence of the VM-Exit causes KVM to miss the required wakeup of blocking target vCPUs, leading to hung vCPUs and unbounded delays in guest execution. Extend the existing AMD Family 17h erratum #1235 workaround to also cover Hygon Family 18h. With IPI virtualization disabled, KVM never sets IsRunning=1 in the Physical ID table, so every non-self IPI generates a VM-Exit and is correctly emulated. Fixes: 8de4a1c8164e ("KVM: SVM: Disable (x2)AVIC IPI virtualization if CPU has erratum #1235") Cc: <stable@vger.kernel.org> Signed-off-by: Tina Zhang <zhang_wei@open-hieco.net> Message-ID: <20260522040014.3380201-1-zhang_wei@open-hieco.net>
2026-05-23KVM: selftests: Verify that KVM returns the configured APIC cycle lengthSean Christopherson1-0/+4
Add checks in the APIC bus clock test to verify that querying KVM_CAP_X86_APIC_BUS_CYCLES_NS on the VM after changing the frequency returns the VM's actual APIC cycle length, not KVM's default. For giggles, verify that KVM still returns its default frequency for the system-scoped check. Signed-off-by: Sean Christopherson <seanjc@google.com> Message-ID: <20260522173526.3539407-3-seanjc@google.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2026-05-23KVM: x86: Return the VM's configured APIC bus frequency when queriedSean Christopherson1-1/+1
When KVM_CAP_X86_APIC_BUS_CYCLES_NS is queried on a specific VM, return the VM's configured APIC bus frequency, not KVM's default. Aside from the fact that returning the default frequency is blatantly wrong if userspace has changed the frequency, returning the configured frequency means userspace can blindly trust the result, e.g. when filling PV CPUID information that communicates the APIC bus frequency to the guest. Fixes: 6fef518594bc ("KVM: x86: Add a capability to configure bus frequency for APIC timer") Reported-by: David Woodhouse <dwmw2@infradead.org> Closes: https://lore.kernel.org/all/ab84153e33fbe7c25667f595c56b310d4d5a93ef.camel@infradead.org Signed-off-by: Sean Christopherson <seanjc@google.com> Message-ID: <20260522173526.3539407-2-seanjc@google.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2026-05-23KVM: selftests: elf: Include <endian.h> instead of <bits/endian.h>Hisam Mehboob1-1/+1
<bits/endian.h> is a glibc-internal header that explicitly states it should never be included directly: #error "Never use <bits/endian.h> directly; include <endian.h> instead." Replace it with the correct public header <endian.h> which works on all C libraries including musl. Building KVM selftests with musl-gcc fails with: lib/elf.c:10:10: fatal error: bits/endian.h: No such file or directory Fixes: 6089ae0bd5e1 ("kvm: selftests: add sync_regs_test") Signed-off-by: Hisam Mehboob <hisamshar@gmail.com> Message-ID: <20260409164020.1575176-4-hisamshar@gmail.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2026-05-23Merge tag 'kvm-riscv-fixes-7.1-1' of https://github.com/kvm-riscv/linux into HEADPaolo Bonzini4-10/+15
KVM/riscv fixes for 7.1, take #1 - Fix invalid HVA warning in steal-time recording - Return SBI_ERR_FAILURE to guest upon OOM in pmu_event_info() and pmu_snapshot_set_shmem() - Fix NULL pointer dereference in SBI v0.1 SEND_IPI handler - Fix sign extension of value for MMIO loads
2026-05-23Merge tag 'kvm-s390-master-7.1-2' of https://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux into HEADPaolo Bonzini343-2135/+6517
KVM: s390: some vSIE and UCONTROL fixes Fix some memory issues and some hangs in vSIE.
2026-05-23Merge tag 'kvmarm-fixes-7.1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEADPaolo Bonzini3-3/+14
KVM/arm64 fixes for 7.1, take #3 - Fix ITS EventID sanitisation when restoring an interrupt translation table. - Fix PPI memory leak when failing to initialise a vcpu. - Correctly return an error when the validation of a hypervisor trace descriptor fails, and limit this validation to protected mode only.
2026-05-22ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table()Eric Dumazet1-1/+1
ipv4_sysctl_exit_net() is currently freeing net->ipv4.sysctl_local_reserved_ports too soon. Only after unregister_net_sysctl_table() we can be sure no threads can possibly use the sysctls, including /proc/sys/net/ipv4/ip_local_reserved_ports. Fixes: 122ff243f5f1 ("ipv4: make ip_local_reserved_ports per netns") Reported-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Cong Wang <xiyou.wangcong@gmail.com> Reviewed-by: Jason Xing <kerneljasonxing@gmail.com> Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev> Link: https://patch.msgid.link/20260521122147.3584624-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-22vsock/virtio: fix skb overhead overflow on 32-bit buildsStefano Garzarella1-1/+1
On 32-bit architectures, both skb_queue_len() and SKB_TRUESIZE(0) evaluate to 32-bit values. The multiplication can overflow before being assigned to the u64 skb_overhead variable, making the skb overhead check ineffective. Cast skb_queue_len() to u64 so the multiplication is always performed in 64-bit arithmetic. This issue was reported by Sashiko while reviewing another patch. Fixes: 059b7dbd20a6 ("vsock/virtio: fix potential unbounded skb queue") Closes: https://sashiko.dev/#/patchset/20260518090656.134588-1-sgarzare%40redhat.com Cc: stable@vger.kernel.org Signed-off-by: Stefano Garzarella <sgarzare@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Link: https://patch.msgid.link/20260521124732.125771-1-sgarzare@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-22net/iucv: fix locking in .getsockoptBreno Leitao1-6/+14
Mirror iucv_sock_setsockopt() and wrap the whole switch in lock_sock()/release_sock(). The pre-existing SO_MSGLIMIT-only lock becomes redundant and is removed. Any AF_IUCV HIPER user can potentially crash the kernel by racing recvmsg() with getsockopt(SO_MSGSIZE): the SO_MSGSIZE arm dereferences iucv->hs_dev->mtu after iucv_sock_close() (called from the racing recvmsg()) has set hs_dev to NULL, producing a NULL pointer dereference oops. Suggested-by: Stanislav Fomichev <sdf.kernel@gmail.com> Fixes: 51363b8751a6 ("af_iucv: allow retrieval of maximum message size") Signed-off-by: Breno Leitao <leitao@debian.org> Reviewed-by: Alexandra Winter <wintera@linux.ibm.com> Tested-by: Alexandra Winter <wintera@linux.ibm.com> Link: https://patch.msgid.link/20260521-af_iucv_fix2-v1-1-f16b1c510aa9@debian.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-22net/smc: Do not re-initialize smc hashtablesAlexandra Winter1-2/+2
INIT_HLIST_HEAD(&smc_v*_hashinfo.ht) are called after smc_nl_init(), proto_register() and sock_register(). This can lead to smc_v*_hashinfo.ht being reset even though hash entries already exist and are being used, possibly resulting in a corrupted list. Remove unnecessary and dangerous re-initialisation of smc_v*_hashinfo.ht in smc_init(); it is implicitly initialised to zero anyhow. Add HLIST_HEAD_INIT to the definitions for clarity. Fixes: f16a7dd5cf27 ("smc: netlink interface for SMC sockets") Suggested-by: Halil Pasic <pasic@linux.ibm.com> Signed-off-by: Alexandra Winter <wintera@linux.ibm.com> Acked-by: Halil Pasic <pasic@linux.ibm.com> Reviewed-by: Mahanta Jambigi <mjambigi@linux.ibm.com> Link: https://patch.msgid.link/20260521145639.10317-1-wintera@linux.ibm.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-22Merge branch 'netlink-fixes-for-cross-namespace-nsid-reporting'Jakub Kicinski2-5/+67
Ilya Maximets says: ==================== netlink: fixes for cross-namespace nsid reporting While working on some new features for OVS and OVN we discovered that self-referential NSIDs get unintentionally allocated in the system as well as unexpectedly reported for local events on all-nsid listeners. More details in the patches. They change user-visible behavior, but the current behavior is arguably a bug, as it makes it hard to use all-nsid sockets without a decent amount of extra unrelated work of tracking when new NSIDs are allocated for your local namespace. Tests are added to check the expected behavior and YNL is extended to support all-nsid sockets in the tests. ==================== Link: https://patch.msgid.link/20260520172317.175168-1-i.maximets@ovn.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-22selftests: net: add a test case for nsid in all nsid notificationsIlya Maximets1-2/+59
The test subscribes to link events from all namespaces and makes sure that local events do not carry NSID in their ancillary data (even if there is a self-referential NSID allocated for the local namespace), and remote events do. Signed-off-by: Ilya Maximets <i.maximets@ovn.org> Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Link: https://patch.msgid.link/20260520172317.175168-5-i.maximets@ovn.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-22net: netlink: don't set nsid on local notificationsIlya Maximets1-3/+7
In most cases, notifications on sockets with NETLINK_LISTEN_ALL_NSID do not contain NSID in their ancillary data in case the event is local to the listener. However, when a self-referential NSID is allocated for a namespace, every local notification starts sending this ID to the user space. This is problematic, because the listener cannot tell if those notifications are local or not anymore without making extra requests to figure out if the provided NSID is local or not. The listener can also not figure out the local NSID beforehand as it can be allocated at any point in time by other processes, changing the structure of the future notifications for everyone. The value is practically not useful, since it's the namespace's own ID that the application has to obtain from other sources in order to figure out if it's the same or not. So, for the application it's just an extra busy work with no benefits. Moreover, applications that do not know about this quirk may be mishandling notifications with NSID set as notifications from remote namespaces. This is the case for ovs-vswitchd and the iproute2's 'ip monitor' that stops printing 'current' and starts printing the nsid number mid-session. Lack of clear documentation for this behavior is also not helping. A search though open-source projects doesn't reveal any projects that use NETNSA_NSID_NOT_ASSIGNED and rely on metadata to contain self-referential NSIDs (expected, since the value is not useful). Quite the opposite, as already mentioned, there are few applications that rely on NSID to not be present in local events. Since the value is not useful and actively harmful in some cases, let's not report it for local events, making the notifications more consistent. Also adding some blank lines for readability. Fixes: 59324cf35aba ("netlink: allow to listen "all" netns") Reported-by: Matteo Perin <matteo.perin@canonical.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org> Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Link: https://patch.msgid.link/20260520172317.175168-3-i.maximets@ovn.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-22net: netlink: fix sending unassigned nsid after assigned oneIlya Maximets1-0/+1
If the current skb is not shared, it is re-used directly for all the sockets subscribed to the notification. If we have remote all-nsid socket receiving a message first, then the 'nsid_is_set' will be set to 'true'. If the nsid is NOT_ASSIGNED for the next socket in the list, the 'nsid_is_set' will remain 'true' and the negative value is be delivered to the user space. All subsequent nsid values will be delivered as well, since there is no code path that sets the flag back to 'false'. Fix that by always dropping the flag to 'false' first. Fixes: 7212462fa6fd ("netlink: don't send unknown nsid") Signed-off-by: Ilya Maximets <i.maximets@ovn.org> Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Link: https://patch.msgid.link/20260520172317.175168-2-i.maximets@ovn.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-22Merge tag 'sched_ext-for-7.1-rc4-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/sched_extLinus Torvalds1-3/+36
Pull sched_ext fixes from Tejun Heo: - Spurious WARN in ops_dequeue() racing with concurrent dispatch - Self-deadlock between scheduler disable and a concurrent sub-sched enable * tag 'sched_ext-for-7.1-rc4-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/sched_ext: sched_ext: Fix spurious WARN on stale ops_state in ops_dequeue() sched_ext: Fix deadlock between scx_root_disable() and concurrent forks
2026-05-22Merge tag 'cgroup-for-7.1-rc4-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroupLinus Torvalds4-18/+28
Pull cgroup fixes from Tejun Heo: "Two rstat fixes: - Out-of-bounds access in the css_rstat_updated() BPF kfunc when called with an unchecked user-supplied cpu - Over-strict NMI guard after the recent switch to try_cmpxchg left sparc and ppc64 unable to queue rstat updates from NMI" * tag 'cgroup-for-7.1-rc4-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup: cgroup: rstat: relax NMI guard after switch to try_cmpxchg cgroup/rstat: validate cpu before css_rstat_cpu() access
2026-05-22Merge tag 'drm-fixes-2026-05-23' of https://gitlab.freedesktop.org/drm/kernelLinus Torvalds85-478/+733
Pull drm fixes from Dave Airlie: "Regular fixes pull, amdgpu/xe being the usual, with bonus msm content to bulk things out, otherwise it has the usual scattered changes, with amdxdna dropping a badly thought out userspace api. gem: - clean up LRU locking msm: - Core: - Fixed bindings for SM8650, SM8750 and Eliza - Don't use UTS_RELEASE directly - Fix typo in clock-names property - DPU: - Fixed CWB description on Kaanapali - Fixed scanline strides for YUV UBWC formats - Stopped DSI register dumping to access past the end of region - DSI: - Fix dumping unaligned regions - GPU: - Fix GMEM_BASE for a6xx gen3 - Fix userspace reachable crash on a2xx-a4xx - Fix sysprof_active for counter collection with IFPC enabled GPUs - Fix shrinker lockdep amdgpu: - Userq fixes - VPE fix - SMU 15 fix - Misc fixes - VCE fixes - DC bios parsing fixes - DC aux fix - Mode1 reset fix - RAS fixes amdkfd: - Misc fixes radeon: - CS parser fix xe: - SRIOV related fixes - Fix leak and double-free - Multi-cast register fixes - Multi-queue fix i915: - Fix joiner color pipeline selection [display] - Fix readback for target_rr in Adaptive Sync SDP [dp] - Apply Intel DPCD workaround when SDP on prior line used [psr] amdxdna: - remove mmap and export for ubuf bridge: - chipone-icn6211: managed bridge cleanup - lt66121: acquire reset GPIO - megachips: fix clean up on failed IRQ requests v3d: - fix UAF in error code paths - release GEM-object ref on free'd jobs virtio: - use uninterruptible resv locking in plane updates mediatek: - fix sparse warnings" * tag 'drm-fixes-2026-05-23' of https://gitlab.freedesktop.org/drm/kernel: (78 commits) drm/xe/oa: Fix exec_queue leak on width check in stream open drm/virtio: use uninterruptible resv lock for plane updates drm/amdgpu: fix handling in amdgpu_userq_create drm/radeon/evergreen_cs: Add missing NULL prefix check in surface check drm/amdgpu: userq_va_mapped should remain true once done drm/amdgpu: avoid integer overflow in VA range check drm/amd/ras: Fix UMC error address allocation leak drm/amdgpu: unmap all user mappings of framebuffer and doorbell before mode1 reset drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transfer_async drm/amd/display: Validate GPIO pin LUT table size before iterating drm/amd/display: Fix integer overflow in bios_get_image() drm/amdkfd: Check bounds for allocate_sdma_queue restore_sdma_id drm/amdgpu: use atomic operation to achieve lockless serialization drm/amdkfd: Check bounds on allocate_doorbell drm/amdgpu/vce3: Fix VCE 3 firmware size and offsets drm/amdgpu/vce2: Fix VCE 2 firmware size and offsets drm/amdgpu/vce1: Stop using amdgpu_vce_resume drm/amdgpu/vce1: Fix VCE 1 firmware size and offsets drm/amdgpu/vce1: Don't repeat GTT MGR node allocation drm/amdgpu/vce1: Check if VRAM address is lower than GART. ...
2026-05-22Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsiLinus Torvalds3-4/+14
Pull SCSI fixes from James Bottomley: "Small fixes, two in drivers and the remaining a sign conversion probem in sd with no user visible consequences (non-zero is error)" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: target: tcm_loop: Fix NULL ptr dereference scsi: isci: Fix use-after-free in device removal path scsi: sd: Fix return code handling in sd_spinup_disk()
2026-05-22Merge tag 'platform-drivers-x86-v7.1-4' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86Linus Torvalds30-63/+338
Pull x86 platform driver fixes from - Add ACPI_HANDLE()/ACPI_COMPANION() NULL checks (many drivers) to handle match overrides gracefully - asus-armoury: - Fix mini-LED mode get/set - Add support for FA401EA, FX607VU, G614FR, and GU605CP - bitland-mifs-wmi: - Add CONFIG_LEDS_CLASS dependency - hp-wmi: - Add thermal support for Omen 16-c0xxx (board 8902) - intel/vsec: - Fix enable_cnt imbalance due to PCIe error recovery - surface/aggregator_registry: - Remove battery & AC nodes on Surface Laptop 7 to avoid duplicated devices - uniwill-laptop: - Handle uninitialized and invalid charging threshold values - Accept charging threshold of 0 through power supply sysfs ABI and clamp it to 1 - Make 'force' parameter to work also when device descriptor is found - Do not enable charging limit despite the 'force' parameter to avoid permanent damage to battery * tag 'platform-drivers-x86-v7.1-4' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86: (35 commits) platform/x86: bitland-mifs-wmi: add CONFIG_LEDS_CLASS dependency platform/x86: wireless-hotkey: Check ACPI_COMPANION() against NULL platform/x86: toshiba_haps: Check ACPI_COMPANION() against NULL platform/x86: toshiba_bluetooth: Check ACPI_COMPANION() against NULL platform/x86: toshiba_acpi: Check ACPI_COMPANION() against NULL platform/x86: system76: Check ACPI_COMPANION() against NULL platform/x86: sony-laptop: Check ACPI_COMPANION() against NULL platform/x86: panasonic-laptop: Check ACPI_COMPANION() against NULL platform/x86: lg-laptop: Check ACPI_COMPANION() against NULL platform/x86: intel/smartconnect: Check ACPI_HANDLE() against NULL platform/x86: intel/rst: Check ACPI_COMPANION() against NULL platform/x86: fujitsu-tablet: Check ACPI_COMPANION() against NULL platform/x86: fujitsu: Check ACPI_COMPANION() against NULL platform/x86: eeepc-laptop: Check ACPI_COMPANION() against NULL platform/x86: dell/dell-rbtn: Check ACPI_COMPANION() against NULL platform/x86: asus-laptop: Check ACPI_COMPANION() against NULL platform/x86: acer-wireless: Check ACPI_COMPANION() against NULL platform/x86: asus-armoury: add support for GU605CP platform/x86: asus-armoury: add support for FA401EA platform/x86: asus-armoury: add support for G614FR ...
2026-05-23Merge tag 'drm-xe-fixes-2026-05-21' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixesDave Airlie11-34/+69
- SRIOV related fixes (Wajdeczko, Mohanram) - Fix leak and double-free (Lin) - Multi-cast register fixes (Gustavo) - Multi-queue fix (Niranjana) Signed-off-by: Dave Airlie <airlied@redhat.com> From: Rodrigo Vivi <rodrigo.vivi@intel.com> Link: https://patch.msgid.link/ag9rR5VwCdkA0lzI@intel.com
2026-05-22Merge tag 'phy-fixes-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phyLinus Torvalds10-65/+240
Pull phy fixes from Vinod Koul: - Big pile of Qualcomm DP/eDP config fixes and kaanapali PHY PLL lock failure fix - Apple typec switch/mux leak fix - Marvell incoorect register fix for mvebu utmi phy - Tegra per-pad calibration fix * tag 'phy-fixes-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy: phy: qcom: qmp-usbc: Fix out-of-bounds array access in dp swing config phy: apple: atc: Fix typec switch/mux leak on unbind phy: spacemit: Remove incorrect clk_disable() in spacemit_usb2phy_init() phy: eswin: Fix incorrect error check in probe() phy: qcom-qmp-ufs: Fix kaanapali PHY PLL lock failure after SM8650 G4 fix phy: exynos5-usbdrd: fix USB 2.0 HS PHY tuning values for Exynos7870 phy: tegra: xusb: Fix per-pad high-speed termination calibration phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register access phy: qcom: edp: Add PHY-specific LDO config for eDP low vdiff phy: qcom: edp: Fix AUX_CFG8 programming for DP mode phy: qcom: edp: Add SC7280/SC8180X swing/pre-emphasis tables phy: qcom: edp: Add eDP/DP mode switch support phy: qcom: edp: Unify generic DP/eDP swing and pre-emphasis tables
2026-05-22Merge tag 'spi-fix-v7.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spiLinus Torvalds6-2/+12
Pull spi fixes from Mark Brown: "Another batch of driver fixes from Johan fixing error handling paths, plus another from Felix. We also have a new device ID added in the DT bindings for SpacemiT K3" * tag 'spi-fix-v7.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi: spi: dt-bindings: fsl-qspi: support SpacemiT K3 spi: ti-qspi: fix use-after-free after DMA setup failure spi: sprd: fix error pointer deref after DMA setup failure spi: qup: fix error pointer deref after DMA setup failure spi: mtk-snfi: Fix resource leak in mtk_snand_read_page_cache() spi: ep93xx: fix error pointer deref after DMA setup failure
2026-05-22Merge tag 'regulator-fix-v7.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulatorLinus Torvalds2-41/+96
Pull regulator fixes from Mark Brown: "A couple of fixes here, one very minor Kconfig fix and a fix for a nasty issue with error reporting in the tps65219 driver" * tag 'regulator-fix-v7.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator: regulator: tps65219: fix irq_data.rdev not being assigned regulator: Kconfig: fix a typo in help
2026-05-22Merge tag 'pinctrl-v7.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrlLinus Torvalds10-30/+129
Pull pin control fixes from Linus Walleij: - Implement the GPIO .get_direction() callback in the Mediatek driver to rid dmesg warnings - Mark the Qualcomm IPQ4019 pins used as GPIO as using the GPIO pin function, so there is no conflict with orthogonal muxing - Fix incorrect settings of the "PUPD" (pull-up-pull-down) register during suspend/resume in the Renesas RZG2L - Fix the SMT register cache to be per-bank in the Renesas RZG2L - Fix the QDSS track clock and control pin group names in the Qualcomm Eliza driver - Fix a deadlock in the Amlogic driver, caused by playing around in sysfs - Fix some GPIO wakeup interrupt handling in Qualcomm QCS615. and a similar fix for the Qualcomm SM8150 - Allow parsing DTs without explicit function nodes in the Freescale i.MX1 driver - Enable the IRQ for the WACF2200 touchscreen using a DMI quirk * tag 'pinctrl-v7.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl: pinctrl-amd: enable IRQ for WACF2200 touchscreen on Lenovo Yoga 7 14AGP11 pinctrl: imx1: Allow parsing DT without function nodes pinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150 pinctrl: qcom: Fix GPIO to PDC wake irq map for qcs615 pinctrl: meson: amlogic-a4: fix deadlock issue pinctrl: qcom: eliza: Fix QDSS trace clock/control pingroup names pinctrl: renesas: rzg2l: Fix SMT register cache handling pinctrl: renesas: rzg2l: Fix incorrect PUPD register offset for high pins during suspend/resume pinctrl: qcom: ipq4019: mark gpio as a GPIO pin function pinctrl: mediatek: moore: implement gpio_chip::get_direction()
2026-05-22Merge tag 'gpio-fixes-for-v7.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linuxLinus Torvalds5-12/+38
Pull gpio fixes from Bartosz Golaszewski: - propagate the error code from regulator_enable() in resume path in gpio-pca953x - take the device lock when calling device_is_bound() in virtual GPIO drivers - fix software node leak in remove path in gpio-aggregator - fix a potential use-after-free in gpio-aggregator - harden the GPIO character device uAPI: check that line config attributes are correctly zeroed * tag 'gpio-fixes-for-v7.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux: gpio: virtuser: lock device when calling device_is_bound() gpio: aggregator: lock device when calling device_is_bound() gpio: sim: lock device when calling device_is_bound() gpio: aggregator: remove the software node when deactivating the aggregator gpio: aggregator: fix a potential use-after-free gpio: cdev: check if uAPI v2 config attributes are correctly zeroed gpio: pca953x: propagate regulator_enable() error from resume
2026-05-22Merge tag 'sound-7.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/soundLinus Torvalds37-259/+384
Pull sound fixes from Takashi Iwai: "As expected, we still continue receiving lots of small fixes. One major change is about HD-audio pending IRQ handling, but this would influence only on odd machines or slow VMs. There are a few other fixes for the core part, but most of them are not-too-serious UAF fixes, while the rest are mostly device-specific fixes and quirks. ALSA Core: - Fix for PCM silencing with bogus iov_iter - Fixes for past-the-end iterators in timer and seq - Serialization of UMP output teardown - Rate-limit ELD parsing errors HD-audio: - Fixes for IRQ work handling and SSID matching - Various Realtek quirks for HP and ASUS laptops, including LED fixes ASoC: - Intel: ACPI match table updates for PTL, NVL, and ARL platforms - Cirrus Logic: Fixes for cs-amp-lib and cs35l56 codecs - Various platform fixes for AMD, FSL SAI, TI OMAP, and Qualcomm - DT-binding fix for MediaTek Others: - USB ua101: Reject too-short USB descriptors - Scarlett2: Fix for flash writes - ASIHPI: Fix for potential OOB access - AMD SPI: Fix for bus number in ACPI probe MAINTAINERS: - Updates for SOF and TI maintainers" * tag 'sound-7.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (47 commits) ASoC: codecs: pcm512x: fix null-ptr dereference in pcm512x_overclock_xxx_put() ASoC: Intel: soc-acpi-intel-ptl-match: Remove unnecessary cs42l43 match ASoC: soc-acpi-intel-ptl-match: Make Chrome matches conditional ASoC: Intel: soc-acpi: Add entry for sof_es8336 in NVL match table. ASoC: Intel: sof_sdw: Add support for nvlrvp in NVL platform ASoC: cs-amp-lib: Fix typo in error message: write -> read ASoC: cs-amp-lib: Fix missing dput() after debugfs_lookup() ASoC: cs-amp-lib: Fix wrong sizeof() in _cs_amp_set_efi_calibration_data() ASoC: cs35l56: Fix flushing of IRQ work in cs35l56_sdw_remove() MAINTAINERS: ASoC: Intel/SOF: Remove Ranjani Sridharan as maintainer ALSA: seq: Serialize UMP output teardown with event_input ALSA: scarlett2: Allow flash writes ending at segment boundary ALSA: hda/realtek: Add LED quirk for HP ProBook 430 G6 ALSA: hda/intel: Make sure to cancel irq-pending work at closing PCM stream ALSA: hda: Move irq pending work into hda-intel stream ASoC: soc-utils: Add missing va_end in snd_soc_ret() ALSA: ua101: Reject too-short USB descriptors ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP 16 Piston OmniBook X ALSA: seq: avoid past-the-end iterator in snd_seq_create_port() ALSA: timer: avoid past-the-end iterator in snd_timer_dev_register() ...
2026-05-22Merge tag 'block-7.1-20260522' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linuxLinus Torvalds4-34/+47
Pull block fixes from Jens Axboe: - NVMe pull request via Keith: - Fix memory leak for peer-to-peer addresses - Fix dma map leaks on resource errors - Another bio integrity fix, fixing a recent regression - Fix for an issue with the request pre-allocation and caching when IO is queued, where if a bio split occurred and ended up blocking, the list could be corrupted * tag 'block-7.1-20260522' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux: block: avoid use-after-free in disk_free_zone_resources() blk-mq: pop cached request if it is usable nvme-pci: fix dma mapping leak on data setup error nvme-pci: fix dma_vecs leak on p2p memory bio-integrity-fs: pass data iter to bio_integrity_verify()
2026-05-22Merge tag 'io_uring-7.1-20260522' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linuxLinus Torvalds5-9/+35
Pull io_uring fixes from Jens Axboe: - Fix for an issue with IORING_OP_NOP and using injection results - Fix for an issue in IORING_OP_WAITID, where the info state was assumed cleared by the lower level syscall handler, but for some cases it is not. Just clear the data upfront, so that non-initialized data isn't copied back to userspace - Fix for a lockdep reported issue, where IORING_OP_BIND enters file create and hence hits mnt_want_write(), which creates a three part lockdep cycle between the super lock, io_uring's uring_lock, and the cred mutex - Fix a regression introduced in this cycle with how linked timeouts are deleted - Ensure that the ->opcode nospec indexing on the opcode issue side covers all the cases * tag 'io_uring-7.1-20260522' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux: io_uring/nop: pass all errors to userspace io_uring/timeout: splice timed out link in timeout handler io_uring: propagate array_index_nospec opcode into req->opcode io_uring/waitid: clear waitid info before copying it to userspace io_uring/net: punt IORING_OP_BIND async if it needs file create
2026-05-22vsock: keep poll shutdown state consistentZiyu Zhang4-28/+52
vsock_poll() reads vsk->peer_shutdown before taking the socket lock to set EPOLLHUP and EPOLLRDHUP, then reads it again after taking the lock to report EOF readability. A shutdown packet can update peer_shutdown while poll is waiting for the lock, so one poll invocation can report EOF readability without the corresponding HUP/RDHUP bits. For connectible sockets, take one peer_shutdown snapshot after lock_sock() and use it for all peer-shutdown-derived poll bits. For datagram sockets, which do not take lock_sock() in poll(), take one lockless READ_ONCE() snapshot and pair it with WRITE_ONCE() on the writer side. This keeps the peer-shutdown-derived bits internally consistent for each poll pass. Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") Signed-off-by: Ziyu Zhang <ziyuzhang201@gmail.com> Link: https://patch.msgid.link/20260519165636.62542-1-ziyuzhang201@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-22Merge tag 'v7.1-rc5-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6Linus Torvalds7-5/+29
Pull smb client fixes from Steve French: - Fix missing lock - Fix dentry in use after unmounting - cifs.upcall security fix - require CAP_NET_ADMIN for swn netlink - change allocation in DUP_CTX_STR to GFP_KERNEL - minor smbdirect debug fix - handle_read_data() folio fix * tag 'v7.1-rc5-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6: smb: client: change allocation requirements in DUP_CTX_STR macro smb: client: require net admin for CIFS SWN netlink smb: smbdirect: divide, not multiply, milliseconds by 1000 cifs: Fix busy dentry used after unmounting smb: client: use data_len for SMB2 READ encrypted folioq copy smb: client: reject userspace cifs.spnego descriptions smb: client: protect tc_count increment in smb2_find_smb_sess_tcon_unlocked()
2026-05-22Merge tag 'zonefs-7.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/zonefsLinus Torvalds1-1/+5
Pull zonefs fix from Damien Le Moal: - Avoid potential overflow when converting a zonefs file number string to an inode number (from Johannes) * tag 'zonefs-7.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/zonefs: zonefs: handle integer overflow in zonefs_fname_to_fno
2026-05-22tun: free page on build_skb failure in tun_xdp_one()Weiming Shi1-0/+1
When build_skb() fails in tun_xdp_one(), the function sets ret to -ENOMEM and jumps to the out label, which returns without freeing the page that vhost_net_build_xdp() allocated for the frame. As with the short-frame rejection path, tun_sendmsg() discards the per-buffer error and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page. Each build_skb() failure in a batch leaks one page-frag chunk. Free the page before taking the error path, matching the put_page() the other error exits of tun_xdp_one() already perform. Fixes: 043d222f93ab ("tuntap: accept an array of XDP buffs through sendmsg()") Reported-by: Xiang Mei <xmei5@asu.edu> Signed-off-by: Weiming Shi <bestswngs@gmail.com> Reviewed-by: Dongli Zhang <dongli.zhang@oracle.com> Reviewed-by: Willem de Bruijn <willemb@google.com> Link: https://patch.msgid.link/20260521163312.1479805-2-bestswngs@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-22tap: free page on error paths in tap_get_user_xdp()Weiming Shi1-0/+2
tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk. Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one(). Fixes: 0efac27791ee ("tap: accept an array of XDP buffs through sendmsg()") Fixes: ed7f2afdd0e0 ("tap: add missing verification for short frame") Reported-by: Xiang Mei <xmei5@asu.edu> Signed-off-by: Weiming Shi <bestswngs@gmail.com> Reviewed-by: Dongli Zhang <dongli.zhang@oracle.com> Reviewed-by: Willem de Bruijn <willemb@google.com> Link: https://patch.msgid.link/20260521163230.1478627-2-bestswngs@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-22tun: free page on short-frame rejection in tun_xdp_one()Weiming Shi1-1/+3
tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk. A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic. Free the page before returning -EINVAL, matching the XDP-program error path in the same function. Fixes: 049584807f1d ("tun: add missing verification for short frame") Reported-by: Xiang Mei <xmei5@asu.edu> Signed-off-by: Weiming Shi <bestswngs@gmail.com> Reviewed-by: Dongli Zhang <dongli.zhang@oracle.com> Reviewed-by: Willem de Bruijn <willemb@google.com> Link: https://patch.msgid.link/20260520160020.375349-2-bestswngs@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-22Merge tag 'pm-7.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pmLinus Torvalds6-40/+60
Pull power management fixes from Rafael Wysocki: "These fix maximum frequency computation in the intel_pstate driver for two processor models, update its documentation and fix issues related to the dynamic EPP support (added during the current development cycle) in the amd-pstate driver: - Fix maximum frequency computation in the intel_pstate driver for Raptor Lake-E and Bartlett Lake that are SMP platforms derived from hybrid ones (Rafael Wysocki, Henry Tseng) - Fix the description of asymmetric packing with SMT in the intel_pstate driver documentation (Ricardo Neri) - Fix multiple amd-pstate driver issues related to dynamic EPP support added recently, including making it opt-in only (K Prateek Nayak, Mario Limonciello)" * tag 'pm-7.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: cpufreq/amd-pstate: Drop Kconfig option for dynamic EPP cpufreq: intel_pstate: Use HYBRID_SCALING_FACTOR_ADL for Bartlett Lake cpufreq: intel_pstate: Use correct scaling factor on Raptor Lake-E Documentation: intel_pstate: Fix description of asymmetric packing with SMT cpufreq/amd-pstate-ut: Drop policy reference before driver switch cpufreq/amd-pstate: Use "epp_default_dc" as default when dynamic_epp is disabled cpufreq/amd-pstate: Reorder notifier unregistration and floor perf reset cpufreq/amd-pstate: Allow writes to dynamic_epp when state isn't modified cpufreq/amd-pstate: Return -ENOMEM on failure to allocate profile_name cpufreq/amd-pstate: Grab "amd_pstate_driver_lock" when toggling dynamic_epp
2026-05-22Merge tag 'acpi-7.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pmLinus Torvalds1-1/+3
Pull ACPI support fix from Rafael Wysocki: "Unbreak system wakeup on critical battery status in the ACPI battery driver inadvertently broken during the 7.0 development cycle" * tag 'acpi-7.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPI: battery: Fix system wakeup on critical battery status
2026-05-22block: avoid use-after-free in disk_free_zone_resources()Damien Le Moal1-4/+3
The function disk_update_zone_resources() may call disk_free_zone_resources() in case of error, and following this, blk_revalidate_disk_zones() will again calls disk_free_zone_resources() if disk_update_zone_resources() failed. If a zone worker thread is being used (which is the default for a rotational media zoned device), disk_free_zone_resources() will try to stop the zone worker thread twice because disk->zone_wplugs_worker is not reset to NULL when the worker thread is stopped the first time. In disk_free_zone_resources(), fix this by correctly clearing disk->zone_wplugs_worker to NULL when the worker thread is stopped. And while at it, since disk_free_zone_resources() is always called after a failed call to disk_update_zone_resources(), remove the unnecessary call to disk_free_zone_resources() in disk_update_zone_resources(). Fixes: 1365b6904fd0 ("block: allow submitting all zone writes from a single context") Signed-off-by: Damien Le Moal <dlemoal@kernel.org> Reviewed-by: Christoph Hellwig <hch@lst.de> Link: https://patch.msgid.link/20260522115622.588535-1-dlemoal@kernel.org Signed-off-by: Jens Axboe <axboe@kernel.dk>
2026-05-22Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linuxLinus Torvalds2-2/+3
Pull arm64 fixes from Catalin Marinas: - Handle probe on hinted conditional branch instructions. BC.cond instructions can be simulated in the same way as B.cond instructions, so extend the decode mask for B.cond to cover BC.cond - Flush the walk cache when unsharing PMD tables. Recent changes to huge_pmd_unshare() introduced mmu_gather::unshared_tables but the arm64 code was still treating the TLB flushing as only targeting leaf entries (TLBI VALE1IS). Fix it by using non-leaf-only instructions (TLBI VAE1IS) when tlb->unshared_tables is set * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64: tlb: Flush walk cache when unsharing PMD tables arm64: probes: Handle probes on hinted conditional branch instructions
2026-05-22Merge tag 's390-7.1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linuxLinus Torvalds5-26/+41
Pull s390 fixes from Alexander Gordeev: - Fix PAI NNPA mismatch between counting and recording, where sampling reports twice the value - Fix loss of PAI counter increments during recording on systems with many CPUs under heavy load, while counting is not affected - On some supported machines, CHSC cannot access memory outside the DMA zone, causing CHSC command failures. Restore GFP_DMA flag when allocating memory for CHSC control blocks - Align the numbering scheme for higher-level topology structures like socket, book, drawer with other hardware identifiers e.g. in sysfs, procfs and tools like lscpu * tag 's390-7.1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: s390/topology: Use zero-based numbering for containing entities s390/cio: Restore GFP_DMA for CHSC allocation s390/pai: Fix missing PAI counter increments under heavy load s390/pai: Disable duplicate read of kernel PAI counter value
2026-05-22Merge tag 'slab-for-7.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slabLinus Torvalds2-0/+3
Pull slab fix from Vlastimil Babka: - Stable fix for a missing cpus_read_lock in one of the cpu sheaves flushing paths (Qing Wang) * tag 'slab-for-7.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slab: mm/slub: hold cpus_read_lock around flush_rcu_sheaves_on_cache()
2026-05-22Merge tag 'dma-mapping-7.1-2026-05-22' of git://git.kernel.org/pub/scm/linux/kernel/git/mszyprowski/linuxLinus Torvalds3-7/+10
Pull dma-mapping fixes from Marek Szyprowski: "Two minor updates for the DMA-mapping code, mainly fixing some rare corner cases (Petr Tesarik, Jianpeng Chang)" * tag 'dma-mapping-7.1-2026-05-22' of git://git.kernel.org/pub/scm/linux/kernel/git/mszyprowski/linux: dma-mapping: move dma_map_resource() sanity check into debug code dma-direct: fix use of max_pfn
2026-05-22Merge tag 'trace-v7.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-traceLinus Torvalds2-8/+15
Pull tracing fixes from Steven Rostedt: - Avoid NULL return from hist_field_name() The function hist_field_name() is directly passed to a strcat() which does not handle "NULL" characters. Return a zero length string when size is greater than the limit. This is used only to output already created histograms and no field currently is greater than the limit. But it should still not return NULL. - Do not call map->ops->elt_free() on allocation failure When elt_alloc() fails, it should not call the map->ops->elt_free() function if it exists, as that function may not be able to handle the free on allocation failures. The ->elt_free() should only be called when elt_alloc() succeeds. * tag 'trace-v7.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: tracing: Do not call map->ops->elt_free() if elt_alloc() fails tracing: Avoid NULL return from hist_field_name() on truncation
2026-05-22platform/x86: bitland-mifs-wmi: add CONFIG_LEDS_CLASS dependencyArnd Bergmann1-0/+1
The newly added driver requires the LED classdev support and causes a link failure when that is disabled: x86_64-linux-ld: vmlinux.o: in function `bitland_mifs_wmi_probe': bitland-mifs-wmi.c:(.text+0xede02a): undefined reference to `devm_led_classdev_register_ext' Fixes: dc1ec4fa86b2 ("platform/x86: bitland-mifs-wmi: Add new Bitland MIFS WMI driver") Signed-off-by: Arnd Bergmann <arnd@arndb.de> Link: https://patch.msgid.link/20260519202804.1339581-1-arnd@kernel.org Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
2026-05-22netfilter: nf_tables: fix dst corruption in same register operationFernando Fernandez Mancera3-7/+31
For lshift and rshift, the shift operations are performed in a loop over 32-bit words. The loop calculates the shifted value and write it to dst, and then immediately reads from src to calculate the carry for the next iteration. Because src and dst could point to the same memory location, the carry is incorrectly calculated using the newly modified dst value instead of the original src value. Adding a temporary local variable to cache the original value before writing to dst and using it for the carry calculation solves the problem. In addition, partial overlap is rejected from control plane for all kind of operations including byteorder. This was tested with the following bytecode: table test_table ip flags 0 use 1 handle 1 ip test_table test_chain use 3 type filter hook input prio 0 policy accept packets 0 bytes 0 flags 1 ip test_table test_chain 2 [ immediate reg 1 0x44332211 0x88776655 ] [ bitwise reg 1 = ( reg 1 << 0x08000000 ) ] [ cmp eq reg 1 0x66443322 0x00887766 ] [ counter pkts 0 bytes 0 ] ip test_table test_chain 4 3 [ immediate reg 1 0x44332211 0x88776655 ] [ bitwise reg 1 = ( reg 1 << 0x08000000 ) ] [ cmp eq reg 1 0x55443322 0x00887766 ] [ counter pkts 21794 bytes 1917798 ] Fixes: 567d746b55bc ("netfilter: bitwise: add support for shifts.") Acked-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de> Signed-off-by: Florian Westphal <fw@strlen.de>
2026-05-22selftests: netfilter: add nft_fib_nexthop testJiayuan Chen2-0/+153
Functional coverage of nft_fib6_eval()'s nexthop enumeration over three route shapes: 1) single external nexthop (nhid) 2) external nexthop group (nhid -> group) 3) old-style multipath (nexthop ... nexthop ...) Each scenario places one nexthop on the input device (veth0). For (2) and (3) the matching nexthop is the second member, so the walk has to traverse beyond the primary nh. Two nft counters on prerouting verify the data path: one increments only when fib reports veth0 as the oif, the other counts "missing" results and must stay at zero. ./nft_fib_nexthop.sh PASS: single external nexthop (nhid -> veth0) PASS: nexthop group (dummy0 + veth0) PASS: old-style multipath (sibling on veth0) Suggested-by: Florian Westphal <fw@strlen.de> Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev> Signed-off-by: Florian Westphal <fw@strlen.de>
2026-05-22netfilter: nft_fib_ipv6: handle routes via external nexthopJiayuan Chen1-0/+16
fib6_info has a union: union { struct list_head fib6_siblings; struct list_head nh_list; }; Old-style multipath (ip -6 route add ... nexthop ... nexthop ...) uses fib6_siblings. External nexthop (ip -6 route add ... nhid N) uses nh_list, linked into &nh->f6i_list. nft_fib6_info_nh_uses_dev() blindly walks &rt->fib6_siblings, causing an OOB read past the struct nexthop slab when rt->nh is set: ================================================================== BUG: KASAN: slab-out-of-bounds in nft_fib6_eval+0x1362/0x16c0 Read of size 8 at addr ffff888103a099d0 by task ping/386 CPU: 2 UID: 0 PID: 386 Comm: ping Not tainted 7.1.0-rc3+ #251 PREEMPT Call Trace: <IRQ> dump_stack_lvl+0x76/0xa0 print_report+0xd1/0x5f0 kasan_report+0xe7/0x130 __asan_report_load8_noabort+0x14/0x30 nft_fib6_eval+0x1362/0x16c0 nft_do_chain+0x279/0x18c0 nft_do_chain_ipv6+0x1a8/0x230 nf_hook_slow+0xad/0x200 ipv6_rcv+0x152/0x380 __netif_receive_skb_one_core+0x118/0x1c0 ================================================================== Branch by route shape: when rt->nh is set, walk via nexthop_for_each_fib6_nh() (also covers nh groups, which the original code missed); otherwise walk fib6_siblings, guarded by READ_ONCE() of rt->fib6_nsiblings as required by commit 31d7d67ba127 ("ipv6: annotate data-races around rt->fib6_nsiblings"). Fixes: 1c32b24c234b ("netfilter: nft_fib_ipv6: switch to fib6_lookup") Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev> Signed-off-by: Florian Westphal <fw@strlen.de>
2026-05-22netfilter: nft_fib_ipv6: walk fib6_siblings under RCUJiayuan Chen1-1/+1
nft_fib6_info_nh_uses_dev() runs from nft_fib6_eval() in softirq under rcu_read_lock(). fib6_siblings is modified by writers that hold tb6_lock but do not wait for RCU readers, so the sibling walk should use list_for_each_entry_rcu(): it adds READ_ONCE() on the ->next pointer and lets CONFIG_PROVE_RCU_LIST validate the locking. No functional change for non-debug builds. Fixes: 1c32b24c234b ("netfilter: nft_fib_ipv6: switch to fib6_lookup") Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev> Signed-off-by: Florian Westphal <fw@strlen.de>
2026-05-22netfilter: ebtables: fix OOB read in compat_mtw_from_userFlorian Westphal1-0/+30
Luxiao Xu says: The function compat_mtw_from_user() converts ebtables extensions from 32-bit user structures to kernel native structures. However, it lacks proper validation of the user-supplied match_size/target_size. When certain extensions are processed, the kernel-side translation logic may perform memory accesses based on the extension's expected size. If the user provides a size smaller than what the extension requires, it results in an out-of-bounds read as reported by KASAN. This fix introduces a check to ensure match_size is at least as large as the extension's required compatsize. This covers matches, watchers, and targets, while maintaining compatibility with standard targets. AFAIU this is relevant for matches that need to go though match->compat_from_user() call. Those that use plain memcpy with the user-provided size are ok because the caller checks that size vs the start of the next rule entry offset (which itself is checked vs. total size copied from userspace). The ->compat_from_user() callbacks assume they can read compatsize bytes, so they need this extra check. Based on an earlier patch from Luxiao Xu. Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support") Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Yifan Wu <yifanwucs@gmail.com> Reported-by: Juefei Pu <tomapufckgml@gmail.com> Reported-by: Xin Liu <bird@lzu.edu.cn> Signed-off-by: Luxiao Xu <rakukuip@gmail.com> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de> Signed-off-by: Florian Westphal <fw@strlen.de>