)]}' { "log": [ { "commit": "8a7f2bff2165e53595d1e91c160b340f978c0ab7", "tree": "6e262d82bedfd15931da17570ac2c044f59f9353", "parents": [ "c169a2a5fd9cfdb2ae93cf6d86be4d2a5e3d813c" ], "author": { "name": "Woojin Ji", "email": "random6.xyz@gmail.com", "time": "Wed Jun 03 09:33:39 2026 +0900" }, "committer": { "name": "Andrii Nakryiko", "email": "andrii@kernel.org", "time": "Wed Jun 03 15:30:23 2026 -0700" }, "message": "bpftool: Use libbpf error code for flow dissector query\n\nbpf_prog_query() returns a negative errno on failure.\nquery_flow_dissector() currently closes the namespace fd and then reads\nerrno to decide whether -EINVAL means that the running kernel does not\nsupport flow dissector queries.\n\nThat errno check controls behavior, not just diagnostics: -EINVAL is\nhandled as a non-fatal old-kernel case, while any other error makes bpftool\nnet fail.\n\nThe namespace fd is opened read-only, so close() is not expected to\ncommonly fail in normal use. Still, the BPF_PROG_QUERY error is already\navailable in err, and reading errno after an intervening close() is\nfragile. If close() does change errno, the compatibility branch may be\nbased on close()\u0027s error instead of the BPF_PROG_QUERY result.\n\nThis was reproduced with an LD_PRELOAD fault injector that forced\nBPF_PROG_QUERY for BPF_FLOW_DISSECTOR to fail with EINVAL and then\nforced close() on the netns fd to fail with EIO. The unpatched bpftool\nreported \"can\u0027t query prog: Input/output error\". With this change, the\nsame injected failure is handled as the intended non-fatal EINVAL\ncompatibility case.\n\nUse the libbpf-returned error code instead. Keep the existing errno reset\nin the non-fatal path to preserve batch mode behavior. The success path\nis unchanged.\n\nFixes: 7f0c57fec80f (\"bpftool: show flow_dissector attachment status\")\nSigned-off-by: Woojin Ji \u003crandom6.xyz@gmail.com\u003e\nSigned-off-by: Andrii Nakryiko \u003candrii@kernel.org\u003e\nAcked-by: Leon Hwang \u003cleon.hwang@linux.dev\u003e\nAcked-by: Yonghong Song \u003cyonghong.song@linux.dev\u003e\nAcked-by: Quentin Monnet \u003cqmo@kernel.org\u003e\nLink: https://lore.kernel.org/bpf/20260603003339.33791-1-random6.xyz@gmail.com\n\nAssisted-by: ChatGPT:gpt-5.5\n" }, { "commit": "c169a2a5fd9cfdb2ae93cf6d86be4d2a5e3d813c", "tree": "905d29c23e590d549827d46d40d29a1d1ade192b", "parents": [ "04de7bc1427255d920fae1ced6d4aeb5fdb2c6db" ], "author": { "name": "Amery Hung", "email": "ameryhung@gmail.com", "time": "Tue Jun 02 10:52:04 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Jun 02 12:02:08 2026 -0700" }, "message": "bpf: Silence unused-but-set-variable warning in bpf_for_each_reg_in_vstate_mask\n\nThe macro requires callers to pass a stack variable, but not all\ncallbacks use it. Add (void)__stack to suppress the clang W\u003d1 warning.\n\nSigned-off-by: Amery Hung \u003cameryhung@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260602175204.624401-1-ameryhung@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "04de7bc1427255d920fae1ced6d4aeb5fdb2c6db", "tree": "580d603b68b6ef69f51cdef50d7725abdb4cd6d8", "parents": [ "b93c55b4932dd7e32dca8cf34a3443cc87a02906", "8dedd34122d0950c6b69785db0fa740fdbbf5b2c" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Jun 02 09:46:52 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Jun 02 09:46:53 2026 -0700" }, "message": "Merge branch \u0027more-gen_loader-fixes-2\u0027\n\nDaniel Borkmann says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nMore gen_loader fixes #2\n\nAnother small follow-up from the sashiko findings about signed loaders.\nIn particular, closing the gap to reject exclusive maps in iterators.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260602133052.423725-1-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "8dedd34122d0950c6b69785db0fa740fdbbf5b2c", "tree": "580d603b68b6ef69f51cdef50d7725abdb4cd6d8", "parents": [ "082c412097716b93ff1365689fc4ddcd1ce8296f" ], "author": { "name": "Daniel Borkmann", "email": "daniel@iogearbox.net", "time": "Tue Jun 02 15:30:52 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Jun 02 09:46:52 2026 -0700" }, "message": "selftests/bpf: Test that exclusive maps are rejected as iter targets\n\nAdd a subtest to map_excl that creates an exclusive map and verifies a\nbpf_map_elem iterator cannot be attached to it, which would otherwise\nlet an unrelated program read and overwrite the map\u0027s contents through\nthe iterator\u0027s writable value buffer.\n\n # LDLIBS\u003d-static PKG_CONFIG\u003d\u0027pkg-config --static\u0027 ./vmtest.sh -- ./test_progs -t map_excl\n [...]\n ./test_progs -t map_excl\n [ 1.704382] bpf_testmod: loading out-of-tree module taints kernel.\n [ 1.706068] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel\n #215/1 map_excl/map_excl_allowed:OK\n #215/2 map_excl/map_excl_denied:OK\n #215/3 map_excl/map_excl_no_map_in_map:OK\n #215/4 map_excl/map_excl_no_map_iter:OK\n #215 map_excl:OK\n Summary: 1/4 PASSED, 0 SKIPPED, 0 FAILED\n\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nLink: https://lore.kernel.org/r/20260602133052.423725-5-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "082c412097716b93ff1365689fc4ddcd1ce8296f", "tree": "eed9f949a00e98b72f51be86cf85cf9fec3746b8", "parents": [ "7fef1796ec4d8c4cce70c374efafdbbc8d6d6cbc" ], "author": { "name": "Daniel Borkmann", "email": "daniel@iogearbox.net", "time": "Tue Jun 02 15:30:51 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Jun 02 09:46:52 2026 -0700" }, "message": "selftests/bpf: Keep verifier_map_ptr exercising ops pointer access\n\nsashiko complained that 38498c0ebacd (\"selftests/bpf: Adjust verifier_map_ptr\nfor the map\u0027s excl field\") would slightly decrease the test coverage given\nbefore the test was against the verifier rejecting the ops pointer. Recover\nthe old test with the right offsets and add the existing one as an additional\ntest case.\n\n # LDLIBS\u003d-static PKG_CONFIG\u003d\u0027pkg-config --static\u0027 ./vmtest.sh -- ./test_progs -t verifier_map_ptr\n [ 1.672932] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel\n #637/1 verifier_map_ptr/bpf_map_ptr: read with negative offset rejected:OK\n #637/2 verifier_map_ptr/bpf_map_ptr: read with negative offset rejected @unpriv:OK\n #637/3 verifier_map_ptr/bpf_map_ptr: write rejected:OK\n #637/4 verifier_map_ptr/bpf_map_ptr: write rejected @unpriv:OK\n #637/5 verifier_map_ptr/bpf_map_ptr: read non-existent field rejected:OK\n #637/6 verifier_map_ptr/bpf_map_ptr: read non-existent field rejected @unpriv:OK\n #637/7 verifier_map_ptr/bpf_map_ptr: read beyond excl field rejected:OK\n #637/8 verifier_map_ptr/bpf_map_ptr: read beyond excl field rejected @unpriv:OK\n #637/9 verifier_map_ptr/bpf_map_ptr: read ops field accepted:OK\n #637/10 verifier_map_ptr/bpf_map_ptr: read ops field accepted @unpriv:OK\n #637/11 verifier_map_ptr/bpf_map_ptr: r \u003d 0, map_ptr \u003d map_ptr + r:OK\n #637/12 verifier_map_ptr/bpf_map_ptr: r \u003d 0, map_ptr \u003d map_ptr + r @unpriv:OK\n #637/13 verifier_map_ptr/bpf_map_ptr: r \u003d 0, r \u003d r + map_ptr:OK\n #637/14 verifier_map_ptr/bpf_map_ptr: r \u003d 0, r \u003d r + map_ptr @unpriv:OK\n #637 verifier_map_ptr:OK\n [...]\n Summary: 2/20 PASSED, 0 SKIPPED, 0 FAILED\n\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nLink: https://lore.kernel.org/r/20260602133052.423725-4-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "7fef1796ec4d8c4cce70c374efafdbbc8d6d6cbc", "tree": "11c73a59914a000771826ee6fa54528263a5a089", "parents": [ "3c56ee343f9412d81918635c3e25e22a5dd6d87e" ], "author": { "name": "Daniel Borkmann", "email": "daniel@iogearbox.net", "time": "Tue Jun 02 15:30:50 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Jun 02 09:46:52 2026 -0700" }, "message": "libbpf: Guard add_data() against size overflow\n\nadd_data() computes size8 \u003d roundup(size, 8) and then hands size8 to\nrealloc_data_buf() before doing memcpy(gen-\u003edata_cur, data, size) with\nthe original size. A wrapped size8 passes through the realloc_data_buf()\nINT32_MAX check. Harden this against overflow, though not realistic to\nhappen in practice.\n\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nLink: https://lore.kernel.org/r/20260602133052.423725-3-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "3c56ee343f9412d81918635c3e25e22a5dd6d87e", "tree": "9d855e79a87d36fc56da2e5de097fd499d8b7959", "parents": [ "b93c55b4932dd7e32dca8cf34a3443cc87a02906" ], "author": { "name": "Daniel Borkmann", "email": "daniel@iogearbox.net", "time": "Tue Jun 02 15:30:49 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Jun 02 09:46:52 2026 -0700" }, "message": "bpf: Reject exclusive maps for bpf_map_elem iterators\n\nExclusive maps (aka excl_prog_hash) are meant to be reachable only\nfrom the single program whose hash matches. This is enforced by\ncheck_map_prog_compatibility() when the map is referenced from a\nprogram such as signed BPF loaders.\n\nA bpf_map_elem iterator, however, binds its target map at attach\ntime in bpf_iter_attach_map() instead of referencing it from the\nprogram, so the exclusivity check is never reached. On top of that,\nthe iterator exposes the map value as a writable buffer.\n\nFixes: baefdbdf6812 (\"bpf: Implement exclusive map creation\")\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nLink: https://lore.kernel.org/r/20260602133052.423725-2-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "b93c55b4932dd7e32dca8cf34a3443cc87a02906", "tree": "ae88270a095c411bdb6ec432ff61f95c00755d2f", "parents": [ "51321158a3657302c5e2e7892b7a5662f78d757a" ], "author": { "name": "Deepanshu Kartikey", "email": "kartikey406@gmail.com", "time": "Tue Jun 02 08:22:49 2026 +0530" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 21:07:06 2026 -0700" }, "message": "bpf: fix UAF by restoring RCU-delayed inode freeing in bpffs\n\ncommit 4f375ade6aa9 (\"bpf: Avoid RCU context warning when unpinning\nhtab with internal structs\") moved inode cleanup from -\u003efree_inode()\ninto -\u003edestroy_inode() to avoid sleeping in RCU context when calling\nbpf_any_put(). However this removed the RCU delay on freeing the\ninode itself and the cached symlink body (i_link), both of which\ncan be accessed by RCU pathwalk (pick_link, may_lookup etc.).\n\nThis causes a use-after-free when a concurrent unlinkat() drops the\nlast inode reference and destroy_inode() frees the inode immediately,\nwhile another task is still walking the path in RCU mode and reads\ninode-\u003ei_opflags (offset +2) inside current_time() -\u003e is_mgtime().\n\nKASAN reports:\n BUG: KASAN: slab-use-after-free in is_mgtime include/linux/fs.h:2313\n Read of size 2 at addr ffff8880407e4282 (offset +2 \u003d i_opflags)\n\nThe rules (per Al Viro):\n -\u003edestroy_inode() called immediately, can sleep, use for blocking\n cleanup e.g. bpf_any_put()\n -\u003efree_inode() called after RCU grace period, use for freeing\n inode and anything RCU-accessible e.g. i_link\n\nFix: split the two concerns properly:\n - keep bpf_any_put() in bpf_destroy_inode() since it is blocking\n and needs to run promptly\n - introduce bpf_free_inode() to handle kfree(i_link) and\n free_inode_nonrcu() with proper RCU delay, preventing the UAF\n\nFixes: 4f375ade6aa9 (\"bpf: Avoid RCU context warning when unpinning htab with internal structs\")\nReported-by: syzbot+36e50496c8ac4bcde3f9@syzkaller.appspotmail.com\nCloses: https://syzkaller.appspot.com/bug?extid\u003d36e50496c8ac4bcde3f9\nSuggested-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nLink: https://lore.kernel.org/all/20260423043906.GN3518998@ZenIV/\nLink: https://lore.kernel.org/all/20260602002607.110866-1-kartikey406@gmail.com/T/ [v1]\nSigned-off-by: Deepanshu Kartikey \u003ckartikey406@gmail.com\u003e\nAcked-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nLink: https://lore.kernel.org/r/20260602025249.113828-1-kartikey406@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "51321158a3657302c5e2e7892b7a5662f78d757a", "tree": "1dbd52aff1e72f07e0ac941296ad778bfc29ed1d", "parents": [ "b6aa0abf9fb92789598dbf0d1b8f30b8071badbe", "9fd5bf96ac4be2ec784598c818f672422182042c" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:42:34 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:42:34 2026 -0700" }, "message": "Merge branch \u0027minimize-annotations-for-arena-programs\u0027\n\nEmil Tsalapatis says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nMinimize annotations for arena programs\n\nBPF programs must currently include code to address two limitations\nof function signatures that include arena types. First, arena arguments\nmust be annotated with __arg_arena in the function signature in addition\nto __arena. Second, it is currently not allowed to return an arena pointer\nfrom a subprog, even though it is safe to do so. These limitations require\nextra annotations and typecasts respectively, and have proven sources of\nconfusion to programmers.\n\nThe patchset improves arena-related function signatures in two ways.\nFirst, it removes the need for __arg_arena in function signatures.\nSecond, it allows subprogs to directly return arena pointers to their\ncaller.\n\nTo do this we add a new type tag to the existing __arena annotation.\nThe annotation is currently an alias for __attribute__((address_space(1))),\nwhich is not discoverable from BTF alone and so cannot be used to\ndetermine whether a pointer variable is an arena pointer during\nverification. With the new type tag, we can determine whether\neither the arguments and or the return value of a function belong\nin an arena.\n\nWe test the new code by modifying libarena to take advantage of these\nrelaxed limitations.\n\nCHANGELOG\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nv2 -\u003e v3 (https://lore.kernel.org/bpf/20260530002259.4505-1-emil@etsalapatis.com/)\n\n- Added Acks by Eduard\n- Complete the __arg_arena removal by removing them from htab (Alexei)\n- Add a test in verifier_arena_globals1.c to confirm the new __arena attribute\nworks as expected in function argument and return types\n- Reject type tags on non-pointer types, currently only possible in handcrafted\n BTF (Eduard)\n- Undo inaccurate change on verifier comment (AI)\n- Fix error return value for invalid BTF return types during BTF parsing (Eduard)\n\nv1 -\u003e v2 (lore.kernel.org/bpf/20260527071457.4598-1-emil@etsalapatis.com/)\n\n- Rebased to fix conflict\n- Removed the typedef foo * foo_t typedefs. Those were necessary to avoid\nannotating each instance of the type with __arena. The new version of the\npatch instead removes typedefs and uses __arena everywhere directly (see\npatch 4/5 for more details).\n- Reorganized the patchset to frontload all kernel-side changes and place\nthe libarena changes at the end.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260602004120.17087-1-emil@etsalapatis.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "9fd5bf96ac4be2ec784598c818f672422182042c", "tree": "1dbd52aff1e72f07e0ac941296ad778bfc29ed1d", "parents": [ "367e6e4a8173d47b4c57181cdd9dcbfc291755f0" ], "author": { "name": "Emil Tsalapatis", "email": "emil@etsalapatis.com", "time": "Mon Jun 01 20:41:20 2026 -0400" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:42:34 2026 -0700" }, "message": "selftests/bpf: Add tests for the new type-tag based __arena identifier\n\nAdd selftests that combine the new type-based __arena identifier with\nthe volatile qualifier both in functions\u0027 arguments and return values.\nThis way we test both that they are recognized as arena arguments and\nthat they are not sensitive to the position they are placed in the type\ncompared to other qualifiers.\n\nSigned-off-by: Emil Tsalapatis \u003cemil@etsalapatis.com\u003e\nLink: https://lore.kernel.org/r/20260602004120.17087-7-emil@etsalapatis.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "367e6e4a8173d47b4c57181cdd9dcbfc291755f0", "tree": "2bab6626dbf6ea3c96ff4941911ba51158011ee3", "parents": [ "b9b23fe1761117f4a0109a25d16d337c900437ad" ], "author": { "name": "Emil Tsalapatis", "email": "emil@etsalapatis.com", "time": "Mon Jun 01 20:41:19 2026 -0400" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:42:33 2026 -0700" }, "message": "selftests/bpf: libarena: Directly return arena pointers from functions\n\nNow that the __arena annotation includes a BTF type tag, and the\nverifier can identify arena pointers at BTF loading time, return\narena pointers as their true type instead of casting to u64. Remove the\npreprocessor typecast wrappers used to hide this from the caller.\n\nAcked-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nSigned-off-by: Emil Tsalapatis \u003cemil@etsalapatis.com\u003e\nLink: https://lore.kernel.org/r/20260602004120.17087-6-emil@etsalapatis.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "b9b23fe1761117f4a0109a25d16d337c900437ad", "tree": "6598e3bde76bd7fb1ee38c389dd67d1ae5fd8bc8", "parents": [ "3e924e9272c80939677aa6902aced311c85fe48c" ], "author": { "name": "Emil Tsalapatis", "email": "emil@etsalapatis.com", "time": "Mon Jun 01 20:41:18 2026 -0400" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:42:33 2026 -0700" }, "message": "selftests/bpf: Remove __arg_arena from the codebase\n\nNow that BPF __arg_arena has been subsumed by __arena, remove\n__arg_arena from the codebase. This way the user has one fewer\nannotation to worry about.\n\nTo remove __arg_arena we remove the typedefs we were previously\nusing to minimize __arena annotations. This is because __arena\nnow also includes a BTF type tag, which is ignored for non-pointer\ntypes. As a result, we cannot capture the whole __arena annotation\ninside a typedef and need to directly annotate the pointer type when\ndeclaring the variable.\n\nThe extra verbosity is worth it because the use of the __arena tag\nis intuitive to the programmer and removes the __arg_arena tag that\nhas been a consistent source of confusion for users. The typedefs\ncan be reintroduced later (without __arg_arena) once compilers start\nsupporting BTF type tags for non-pointer types.\n\nAcked-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nSigned-off-by: Emil Tsalapatis \u003cemil@etsalapatis.com\u003e\nLink: https://lore.kernel.org/r/20260602004120.17087-5-emil@etsalapatis.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "3e924e9272c80939677aa6902aced311c85fe48c", "tree": "07acca4e2c827a181d46286257f5deb1a6759f3f", "parents": [ "5ab4bc67d818ba27388d64cb9c52cb0c3bdac254" ], "author": { "name": "Emil Tsalapatis", "email": "emil@etsalapatis.com", "time": "Mon Jun 01 20:41:17 2026 -0400" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:42:33 2026 -0700" }, "message": "bpf: Allow subprogs to return arena pointers\n\nBPF subprogs currently only return void or scalar values. However,\nit is also safe to return arena pointers between subprogs in the same\nBPF program: Arena pointers are guaranteed to be safe for both programs\nat any point. Expand the verifier to permit returning an arena pointer\nto the caller.\n\nThe main subprog is still not allowed to return an arena pointer because\narena pointers are internal to the BPF program, and the return values\npermitted for each main subprog depend on the program type anyway.\n\nAcked-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nSigned-off-by: Emil Tsalapatis \u003cemil@etsalapatis.com\u003e\nLink: https://lore.kernel.org/r/20260602004120.17087-4-emil@etsalapatis.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "5ab4bc67d818ba27388d64cb9c52cb0c3bdac254", "tree": "10ccf070fdfa6144a30e1e7ccad881e70793de97", "parents": [ "a0fa68d8ce759dbf6aaf19a043ddd77a2128c26c" ], "author": { "name": "Emil Tsalapatis", "email": "emil@etsalapatis.com", "time": "Mon Jun 01 20:41:16 2026 -0400" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:42:33 2026 -0700" }, "message": "verifier: parse BTF type tags for function arguments\n\nThe BTF parsing logic for function arguments goes through\nthe arguments\u0027 decl tags, but does not go into their type\ntags. Add type tag parsing for function arguments.\n\nAcked-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nSigned-off-by: Emil Tsalapatis \u003cemil@etsalapatis.com\u003e\nLink: https://lore.kernel.org/r/20260602004120.17087-3-emil@etsalapatis.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "a0fa68d8ce759dbf6aaf19a043ddd77a2128c26c", "tree": "a80fc1ef132f3f41c541e985003c381255e767ec", "parents": [ "b6aa0abf9fb92789598dbf0d1b8f30b8071badbe" ], "author": { "name": "Emil Tsalapatis", "email": "emil@etsalapatis.com", "time": "Mon Jun 01 20:41:15 2026 -0400" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:42:33 2026 -0700" }, "message": "selftests/bpf: libarena: Add \"arena\" BTF type tag to __arena qualifier\n\nThe arena qualifier currently designates its associated type\nas belonging to address space 1. This property affects code\ngeneration, but is not reflected in the BTF information of\nthe function.\n\nThis lack of information at the BTF level prevents us from\nreturning arena pointers from global subprograms. Subprogs\ncannot return any data structure more complex than a scalar,\nso pointers to structs are rejected as a return type. We\nhave no way of marking the return type as a pointer to an\narena, which is safe provided the two subprogs have the same\narena.\n\nExpand the __arena qualifier to also attach a BTF type tag\nto the type. This lets us determine whether a variable belongs\nto an arena from its type alone through BTF parsing.\n\nSigned-off-by: Emil Tsalapatis \u003cemil@etsalapatis.com\u003e\nLink: https://lore.kernel.org/r/20260602004120.17087-2-emil@etsalapatis.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "b6aa0abf9fb92789598dbf0d1b8f30b8071badbe", "tree": "3d71c582973062c1f3c756054412bdcdcaa35ec8", "parents": [ "3d781fffdc5dbb08bde8412c88e6f330ce7a4409", "32f725458a1ab5973c64e4636659ca2c0db42f48" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:36:41 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:36:41 2026 -0700" }, "message": "Merge branch \u0027more-gen_loader-fixes\u0027\n\nDaniel Borkmann says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nMore gen_loader fixes\n\nFollow-up fixes for the signed loader, includes also the recent\nsashiko findings.\n\nv1-\u003ev2:\n - Fixed up verifier_map_ptr selftest\n - Added patch 1/2/6/7 with a new map-in-map fix and a\n redundant hash_buf memcpy cleanup as well as selftests\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260601150248.394863-1-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "32f725458a1ab5973c64e4636659ca2c0db42f48", "tree": "3d71c582973062c1f3c756054412bdcdcaa35ec8", "parents": [ "38498c0ebacd54dbaac3513a548a13f1a8455c4e" ], "author": { "name": "Daniel Borkmann", "email": "daniel@iogearbox.net", "time": "Mon Jun 01 17:02:48 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:36:41 2026 -0700" }, "message": "selftests/bpf: Test that exclusive maps are rejected in map-in-map\n\nAdd a subtest to map_excl that verifies an exclusive map (created with\nexcl_prog_hash) cannot be used in a map-of-maps, covering both kernel\nenforcement points: i) the inner-map template at map-of-maps creation\nand, ii) the element inserted into an existing map-of-maps.\n\n # LDLIBS\u003d-static PKG_CONFIG\u003d\u0027pkg-config --static\u0027 ./vmtest.sh -- ./test_progs -t map_excl\n ./test_progs -t map_excl\n [ 1.728106] bpf_testmod: loading out-of-tree module taints kernel.\n [ 1.730473] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel\n #215/1 map_excl/map_excl_allowed:OK\n #215/2 map_excl/map_excl_denied:OK\n #215/3 map_excl/map_excl_no_map_in_map:OK\n #215 map_excl:OK\n Summary: 1/3 PASSED, 0 SKIPPED, 0 FAILED\n\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nLink: https://lore.kernel.org/r/20260601150248.394863-8-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "38498c0ebacd54dbaac3513a548a13f1a8455c4e", "tree": "a30871f4cebb916e26de445a456afb1d88d302b3", "parents": [ "60214435b365ecdd40b2f96d4e54564b5c927645" ], "author": { "name": "KP Singh", "email": "kpsingh@kernel.org", "time": "Mon Jun 01 17:02:47 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:36:40 2026 -0700" }, "message": "selftests/bpf: Adjust verifier_map_ptr for the map\u0027s excl field\n\nAdding the u32 excl field at offset 32 of struct bpf_map right after the\nsha[SHA256_DIGEST_SIZE] hash shifts the ops pointer from offset 32 to 40.\nTherefore, fix up the test case.\n\n # LDLIBS\u003d-static PKG_CONFIG\u003d\u0027pkg-config --static\u0027 ./vmtest.sh -- ./test_progs -t verifier_map_ptr\n [...]\n #637/1 verifier_map_ptr/bpf_map_ptr: read with negative offset rejected:OK\n #637/2 verifier_map_ptr/bpf_map_ptr: read with negative offset rejected @unpriv:OK\n #637/3 verifier_map_ptr/bpf_map_ptr: write rejected:OK\n #637/4 verifier_map_ptr/bpf_map_ptr: write rejected @unpriv:OK\n #637/5 verifier_map_ptr/bpf_map_ptr: read non-existent field rejected:OK\n #637/6 verifier_map_ptr/bpf_map_ptr: read non-existent field rejected @unpriv:OK\n #637/7 verifier_map_ptr/bpf_map_ptr: read ops field accepted:OK\n #637/8 verifier_map_ptr/bpf_map_ptr: read ops field accepted @unpriv:OK\n [...]\n Summary: 2/18 PASSED, 0 SKIPPED, 0 FAILED\n\nSigned-off-by: KP Singh \u003ckpsingh@kernel.org\u003e\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nLink: https://lore.kernel.org/r/20260601150248.394863-7-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "60214435b365ecdd40b2f96d4e54564b5c927645", "tree": "251bd434d4a43854d979ff2e7cd19f8ddcf5a46b", "parents": [ "61e084152328867fe2279cc790573aae39959cd5" ], "author": { "name": "Daniel Borkmann", "email": "daniel@iogearbox.net", "time": "Mon Jun 01 17:02:46 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:36:40 2026 -0700" }, "message": "libbpf: Skip max_entries override on signed loaders\n\nbpf_gen__map_create() lets the host-supplied loader ctx override a\nmap\u0027s max_entries at runtime (map_desc[idx].max_entries, when non-zero).\nThis is how the light skeleton sizes maps to the target machine, but\nit happens after emit_signature_match() and is covered by neither the\nsigned loader instructions nor the hashed blob.\n\nFor a signed loader this means an untrusted host can re-dimension the\nprogram\u0027s maps, outside what the signature attests to. Gate the override\non gen_hash so signed loaders use the signer-provided max_entries baked\ninto the blob.\n\nFixes: ea923080c145 (\"libbpf: Embed and verify the metadata hash in the loader\")\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nLink: https://lore.kernel.org/r/20260601150248.394863-6-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "61e084152328867fe2279cc790573aae39959cd5", "tree": "f8dee428074708463deafea1d5454f70ca7970b0", "parents": [ "0fb6c9ed6493b4af01be8bb0a384574eba7df636" ], "author": { "name": "Daniel Borkmann", "email": "daniel@iogearbox.net", "time": "Mon Jun 01 17:02:45 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:36:40 2026 -0700" }, "message": "libbpf: Skip initial_value override on signed loaders\n\nbpf_gen__map_update_elem() emits code that, when the host-supplied\nloader ctx provides a non-NULL map_desc[idx].initial_value, overwrites\nthe blob value with bytes read from the host (bpf_copy_from_user /\nbpf_probe_read_kernel) before the BPF_MAP_UPDATE_ELEM that populates\nthe program\u0027s .data/.rodata/.bss maps.\n\nThis override runs after emit_signature_match() has validated map-\u003esha[],\nand initial_value is part of neither the signed loader instructions nor\nthe hashed data blob. For a signed loader this lets an untrusted host\nsubstitute global-variable contents into a program whose code carries\na valid signature, thus weakening what the signature attests to.\n\nThe blob already contains the signer-provided value (added via add_data()\nand covered by the embedded, signed hash), so simply skip emitting the\noverride for signed loaders (gen_hash). Runtime initialization stays\navailable for the unsigned light-skeleton path as before. The jump\noffsets within the override block are internal to it, so guarding the\nwhole block leaves them unchanged.\n\nFixes: ea923080c145 (\"libbpf: Embed and verify the metadata hash in the loader\")\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nLink: https://lore.kernel.org/r/20260601150248.394863-5-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "0fb6c9ed6493b4af01be8bb0a384574eba7df636", "tree": "3299bd7e8bf0f030fb8b0f0f4b61f52f403c785a", "parents": [ "c48c3a7e7d5bed644208ed443d63bb6a6f411676" ], "author": { "name": "KP Singh", "email": "kpsingh@kernel.org", "time": "Mon Jun 01 17:02:44 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:36:40 2026 -0700" }, "message": "libbpf: Reject non-exclusive metadata maps in the signed loader\n\nThe loader verifies map-\u003esha against the metadata hash in its\ninstructions. map-\u003esha is calculated when BPF_OBJ_GET_INFO_BY_FD is\ncalled on the frozen map.\n\nWhile the map is frozen, the /signed loader/ must also ensure the map\nis exclusive, as, without exclusivity (which a hostile host could just\nomit when loading the loader), another BPF program with map access can\nmutate the contents afterwards, so the check passes on stale data.\n\nWith the extra check as part of the signed loader, it now refuses to\nmove on with map-\u003esha validation if the host set it up wrongly.\n\nFixes: fb2b0e290147 (\"libbpf: Update light skeleton for signing\")\nSigned-off-by: KP Singh \u003ckpsingh@kernel.org\u003e\nCo-developed-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nLink: https://lore.kernel.org/r/20260601150248.394863-4-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "c48c3a7e7d5bed644208ed443d63bb6a6f411676", "tree": "0adfdb88c4df321214e314ab1b9680aa794a8ccc", "parents": [ "9a3c3c49c333760c8944dadacbe114c1884546ef" ], "author": { "name": "Daniel Borkmann", "email": "daniel@iogearbox.net", "time": "Mon Jun 01 17:02:43 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:36:40 2026 -0700" }, "message": "bpf: Drop redundant hash_buf from map_get_hash operation\n\nbpf_map_get_info_by_fd() is the only caller of the -\u003emap_get_hash\nand always invokes it with hash_buf \u003d\u003d map-\u003esha and hash_buf_size\nof SHA256_DIGEST_SIZE. array_map_get_hash() in turn lets sha256()\nwrite the digest directly into that buffer (map-\u003esha) and then\nperforms a trailing memcpy(), which evaluates to memcpy(map-\u003esha,\nmap-\u003esha, 32): a redundant self-copy. The hash_buf_size argument\nwas never used at all. Simplify this a bit, no functional change.\n\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nLink: https://lore.kernel.org/r/20260601150248.394863-3-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "9a3c3c49c333760c8944dadacbe114c1884546ef", "tree": "4da3bc94edf07d39d83ecbde3e6f4f39c46bec91", "parents": [ "3d781fffdc5dbb08bde8412c88e6f330ce7a4409" ], "author": { "name": "Daniel Borkmann", "email": "daniel@iogearbox.net", "time": "Mon Jun 01 17:02:42 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:36:40 2026 -0700" }, "message": "bpf: Reject exclusive maps as inner maps in map-in-map\n\nAn exclusive map (created with excl_prog_hash) is bound to a single\nprogram by hash: check_map_prog_compatibility() refuses to load any\nprogram whose digest does not match map-\u003eexcl_prog_sha. That check\nonly runs for maps a program references directly, i.e. its used_maps.\nA map reached at runtime through a map-of-maps is never in used_maps,\nand bpf_map_meta_equal() does not consider excl_prog_sha, so an\nexclusive map can be inserted into a non-exclusive outer map and\nthen looked up and mutated by an unrelated program, bypassing the\nexclusivity guarantee.\n\nFor the signed loader this defeats the metadata map exclusivity check\nadded in the signed loader: the cached map-\u003esha[] is validated against\nthe signed hash while another program on a hostile host rewrites the\nfrozen map\u0027s contents through the outer map.\n\nFixes: baefdbdf6812 (\"bpf: Implement exclusive map creation\")\nReported-by: sashiko \u003csashiko@sashiko.dev\u003e\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nLink: https://lore.kernel.org/r/20260601150248.394863-2-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "3d781fffdc5dbb08bde8412c88e6f330ce7a4409", "tree": "4a526b3df34f6570ca148ddfccac003ca4f8c67b", "parents": [ "868d43cf8f970b456fd93334bee40f792cf27e4d", "60c7c3b880c8b3ad7fe025bb68b13bfbc440ceaf" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:31:42 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:31:43 2026 -0700" }, "message": "Merge branch \u0027refactor-verifier-object-relationship-tracking\u0027\n\nAmery Hung says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nRefactor verifier object relationship tracking\n\nHi all,\n\nThis patchset cleans up dynptr handling, refactors object relationship\ntracking in the verifier by introducing parent_id and folding ref_obj_id\ninto id, and fixes dynptr use-after-free bugs where file/skb dynptrs\nare not invalidated when the parent referenced object is freed.\n\n* Motivation *\n\nIn BPF qdisc programs, an skb can be freed through kfuncs. However,\nsince dynptr does not track the parent referenced object (e.g., skb),\nthe verifier does not invalidate the dynptr after the skb is freed,\nresulting in use-after-free. The same issue also affects file dynptr.\n\nThe figure below shows the current state of object tracking. The\nverifier tracks objects using three fields: id for nullness tracking,\nref_obj_id for lifetime tracking, and dynptr_id for tracking the parent\ndynptr of a slice (PTR_TO_MEM only). While dynptr_id links slices to\ntheir parent dynptr, there is no field that links a dynptr back to its\nparent skb. When the skb is freed via release_reference(ref_obj_id\u003d1),\nonly objects with ref_obj_id\u003d1 are invalidated. Since skb dynptr is\nnon-referenced (ref_obj_id\u003d0), the dynptr and its derived slices remain\naccessible.\n\nCurrent: object (id, ref_obj_id, dynptr_id)\n id \u003d unique id of the object (for nullness tracking)\n ref_obj_id \u003d id of the referenced object (for lifetime tracking)\n dynptr_id \u003d id of the parent dynptr (only for PTR_TO_MEM slices)\n\n skb (0,1,0)\n ^^\n ! No link from dynptr to skb !\n |+------------------------------+\n | bpf_dynptr_clone |\n dynptr A (2,0,0) dynptr C (4,0,0)\n ^ ^\n bpf_dynptr_slice | |\n | |\n slice B (3,0,2) slice D (5,0,4)\n\n* Why not simply use ref_obj_id to track the parent? *\n\nA natural first approach is to link dynptr to its parent by sharing\nthe parent\u0027s ref_obj_id and propagating it to slices. Now, releasing\nthe skb via release_reference(ref_obj_id\u003d1) correctly invalidates all\nderived objects.\n\nAttempted fix: share parent\u0027s ref_obj_id\n\n skb (0,1,0)\n ^^\n ||\n |+------------------------------+\n | bpf_dynptr_clone |\n dynptr A (2,1,0) dynptr C (4,1,0)\n ^ ^\n bpf_dynptr_slice | |\n | |\n slice B (3,1,2) slice D (5,1,4)\n\nHowever, this approach does not generalize to all dynptr types.\nReferenced dynptrs such as file dynptr acquire their own ref_obj_id to\ntrack the dynptr\u0027s lifetime. Since ref_obj_id is already used for the\ndynptr\u0027s own reference, it cannot also be used to point to the parent\nfile object. While it is possible to add specialized handling for\nindividual dynptr types [0], it adds complexity and does not generalize.\n\nAn alternative approach is to avoid introducing a new field and instead\nrepurpose ref_obj_id as parent_id by folding lifetime tracking into id\n[1]. In this design, each object is represented as (id, ref_obj_id)\nwhere id is used for both nullness and lifetime tracking, and ref_obj_id\ntracks the parent object\u0027s id.\n\nAttempted: object (id, ref_obj_id)\n id \u003d id of the object (for nullness and lifetime tracking)\n ref_obj_id \u003d id of the parent object\n \u0027 \u003d id is referenced\n\n skb (1\u0027,0)\n ^^\n ||\n bpf_dynptr_from_skb |+------------------------------+\n | bpf_dynptr_clone(A, C) |\n dynptr A (2,1\u0027) dynptr C (4,1\u0027)\n ^ ^\n bpf_dynptr_slice | |\n | |\n slice B (3,2) slice D (5,4)\n\nHowever, this design cannot express the relationship between referenced\nsocket pointers and their casted counterparts. After pointer casting,\nthe original and casted pointers need the same lifetime (same ref_obj_id\nin the current design) but different nullness (different id). The casted\npointer may be NULL even if the original is valid. With id serving as\nthe only field for both nullness and lifetime, and ref_obj_id repurposed\nas parent, there is no way to express \"different identity, same\nlifetime.\"\n\nReferenced socket pointer (expressed using current design):\n\n C \u003d ptr_casting_function(A)\n ptr A (1,1,0) ptr C (2,1,0)\n ^ ^\n | |\n ptr C may be NULL even if ptr A is valid\n but they have the same lifetime\n\n* New Design: parent_id with branch splitting and intermediate reference *\n\nThe patchset folds ref_obj_id into id and adds parent_id to\nbpf_reg_state (patch 5). A child object\u0027s parent_id points to the\nparent object\u0027s id. This replaces the PTR_TO_MEM-specific dynptr_id.\nWhether a register is referenced is determined by checking if its id\nappears in the reference array via reg_is_referenced() rather than\nreading a dedicated ref_obj_id field.\n\nPointer casting:\n\nThe challenge with pointer casting is that a cast result may be NULL\neven when the source is valid, requiring distinct identity but shared\nlifetime. This is solved using branch splitting: when a helper like\nbpf_sk_fullsock() is called with a referenced pointer, the verifier\npushes an explicit NULL branch and assigns the cast result the same id\nas the source. Since the cast may return NULL for a non-NULL input, the\nNULL case is explored as a separate verifier branch. This allows\nreleasing any of the original or cast pointers to invalidate all others,\nwhile avoiding the need for a separate tracking mechanism.\n\nReferenced dynptrs:\n\nThe challenge with referenced dynptrs is that clones of a referenced\ndynptr have the same lifetime but different identities. When a\nreferenced dynptr is overwritten, only slices derived from it will be\ninvalidated. To solve this, the verifier creates an intermediate\nreference. This reference serves as a shared lifetime anchor for the\ndynptr and all its clones. All clones share the same parent_id but get\nunique ids for independent slice tracking. Releasing a referenced dynptr\nreleases the intermediate reference, which in turn invalidates all\nclones and their derived slices. If the parent object is released while\nthe intermediate reference still exists, it is reported as a leaked\nreference.\n\nRelease cascading:\n\nWhen releasing an object, release_reference() performs a stack-based DFS\nto invalidate all descendants. It walks the object tree via parent_id\nlinks, invalidating registers and dynptr stack slots. Child references\nencountered during traversal are reported as leaked references.\n\nparent_id is also added to bpf_reference_state to enable intermediate\nreference. When acquiring a reference, a parent_id can be specified to\nlink the new reference to an existing one (e.g., file dynptr\u0027s\nintermediate reference has parent_id linking to the file\u0027s reference).\n\nFinal: object (id, parent_id)\n id \u003d unique id of the object (for nullness and lifetime\n tracking)\n parent_id \u003d id of the parent object (for object relationship\n tracking)\n I \u003d intermediate reference serving as lifetime anchor in\n acquired_refs\n \u0027 \u003d id is referenced (appears in reference array)\n\n skb (1\u0027,0)\n ^^\n ||\n bpf_dynptr_from_skb |+------------------------------+\n | bpf_dynptr_clone(A, C) |\n dynptr A (2,1\u0027) dynptr C (4,1\u0027)\n ^ ^\n bpf_dynptr_slice | |\n | |\n slice B (3,2) slice D (5,4)\n\n* Preserving reg-\u003eid after null-check *\n\nFor parent_id tracking to work, child objects need to refer to the\nparent\u0027s id. This requires two preparatory changes: assigning reg-\u003eid\nwhen reading referenced kptrs from program context (patch 3), and\npreserving reg-\u003eid of pointer objects after null-check (patch 4).\nPreviously, null-check would clear reg-\u003eid, making it impossible for\nchildren to reference the parent afterward. The latter causes a slight\nincrease in verified states for some programs. One selftest object\nsees +19 states (+5.01%). For Meta BPF objects, the increase is\nalso minor, with the largest being +34 states (+3.63%).\n\n* Object relationship in different scenarios (for reference) *\n\nThe figures below show how the final design handles all four\ncombinations of referenced/non-referenced dynptr with\nreferenced/non-referenced parent.\n\n(1) Non-referenced dynptr with referenced parent (e.g., skb in Qdisc):\n\n skb (1\u0027,0)\n ^^\n ||\n bpf_dynptr_from_skb |+------------------------------+\n | bpf_dynptr_clone(A, C) |\n dynptr A (2,1\u0027) dynptr C (4,1\u0027)\n\n dynptr A and C live independently\n\n(2) Non-referenced dynptr with non-referenced parent (e.g., skb in TC,\n always valid):\n\n bpf_dynptr_from_skb\n bpf_dynptr_clone(A, C)\n dynptr A (1,0) dynptr C (2,0)\n\n dynptr A and C live independently\n\n(3) Referenced dynptr with referenced parent:\n\n file (1\u0027,0)\n ^\n bpf_dynptr_from_file |\n I (2\u0027,1\u0027) \u003c-- intermediate reference\n ^^\n ||\n |+-------------------------------+\n | bpf_dynptr_clone(A, C) |\n dynptr A (3,2\u0027) dynptr C (4,2\u0027)\n\n dynptr A and C have the same lifetime\n\n Releasing either dynptr releases I, invalidating both.\n Releasing file (1\u0027) detects I as a leaked reference.\n\n(4) Referenced dynptr with non-referenced parent:\n\n bpf_ringbuf_reserve_dynptr\n I (1\u0027,0) \u003c-- intermediate reference\n ^^\n ||\n |+--------------------------------+\n | bpf_dynptr_clone(A, C) |\n dynptr A (2,1\u0027) dynptr C (3,1\u0027)\n\n dynptr A and C have the same lifetime\n\n[0] https://lore.kernel.org/bpf/20250414161443.1146103-2-memxor@gmail.com/\n[1] https://github.com/ameryhung/bpf/commits/obj_relationship_v2_no_parent_id/\n\nChangelog:\n\nv5 -\u003e v6\n - Squash \"bpf: Fold ref_obj_id into id and introduce virtual references\"\n (v5 patch 9) into \"bpf: Refactor object relationship tracking and\n fix dynptr UAF bug\" (now patch 5). ref_obj_id is removed in the same\n patch that introduces parent_id, eliminating the intermediate state\n where both coexist (Eduard)\n - Drop virtual references for pointer casting. Instead, cast results\n reuse the source pointer\u0027s id and use branch splitting to explore\n the NULL case as a separate verifier branch. This avoids adding\n virtual reference infrastructure for a case that can be handled more\n simply (Eduard, Andrii)\n - Address nit from Eduard\n Link: https://lore.kernel.org/bpf/20260519181314.2731658-1-ameryhung@gmail.com/\n\nv4 -\u003e v5\n - Add patch 9 folding ref_obj_id into id and introducing virtual\n references for pointer casting and referenced dynptr clones (Eduard, Andrii)\n - Add patch 10 fixing dynptr ref counting to scan all call frames\n instead of only the current frame (Eduard)\n - Add utility function validate_ref_obj() (Eduard)\n Link: https://lore.kernel.org/bpf/20260506142709.2298255-1-ameryhung@gmail.com/\n\nv3 -\u003e v4\n - Add patch 1 clean up mark_stack_slot_obj_read() and callers\n (to address v3 ignoring err returned from mark_dynptr_read) (Andrii)\n - Fix release_reference() and move the logic allowing destroying a\n referenced object when refcnt \u003e 1 from\n destroy_if_stack_slots_dynptr() to release_reference() (Mykyta)\n - Add patch 7 introducing ref_obj_desc and unifying ref_obj handling\n (to address Eduard\u0027s concern about unclear meta-\u003e{id,ref_obj_id}\n initialization/use and confusing function arguments of\n process_dynptr_func())\n - Add patch 8 unifying release_regno handling so that bpf_kptr_xchg\n also use release_reference()\n Link: https://lore.kernel.org/bpf/20260421221016.2967924-1-ameryhung@gmail.com/\n\nv2 -\u003e v3\n - Rebase to bpf-next/master\n - Update veristat numbers\n - Update commit msg to explain multiple dropped checks (Mykyta, Andrii)\n - Reuse idmap as idstack in release_reference() and check for\n duplicate id (Mykyta, Andrii)\n - Change to use RUN_TEST for qdisc dynptr selftest (Eduard)\n Link: https://lore.kernel.org/bpf/20260307064439.3247440-1-ameryhung@gmail.com/\n\nv1 -\u003e v2\n - Redesign: Use object (id, ref_obj_id, parent_id) instead of\n (id, ref_obj_id) as it cannot express ptr casting without\n introducing specialized code to handle the case\n - Use stack-based DFS to release objects to avoid recursion (Andrii)\n - Keep reg-\u003eid after null check\n - Add dynptr cleanup\n - Fix dynptr kfunc arg type determination\n - Add a file dynptr UAF selftest\n Link: https://lore.kernel.org/bpf/20260202214817.2853236-1-ameryhung@gmail.com/\n---\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260529014936.2811085-1-ameryhung@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "60c7c3b880c8b3ad7fe025bb68b13bfbc440ceaf", "tree": "4a526b3df34f6570ca148ddfccac003ca4f8c67b", "parents": [ "3f75a757a3afa9c0d5a2637910659e92d236e7f2" ], "author": { "name": "Amery Hung", "email": "ameryhung@gmail.com", "time": "Thu May 28 18:49:36 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:31:42 2026 -0700" }, "message": "selftests/bpf: Test using dynptr after freeing the underlying object\n\nMake sure the verifier invalidates the dynptr and dynptr slice derived\nfrom an skb after the skb is freed.\n\nSigned-off-by: Amery Hung \u003cameryhung@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260529014936.2811085-14-ameryhung@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "3f75a757a3afa9c0d5a2637910659e92d236e7f2", "tree": "41868bea6f81dbaf29475e47d9ac2de2523394fa", "parents": [ "925320666e0644c2e884a0dc49ab2dc22b061891" ], "author": { "name": "Amery Hung", "email": "ameryhung@gmail.com", "time": "Thu May 28 18:49:35 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:31:42 2026 -0700" }, "message": "selftests/bpf: Test using file dynptr after the reference on file is dropped\n\nFile dynptr and slice should be invalidated when the parent file\u0027s\nreference is dropped in the program. Without the verifier tracking\ndyntpr\u0027s parent referenced object, the dynptr would continute to be\nincorrectly used even if the underlying file is being tear down or gone.\n\nSigned-off-by: Amery Hung \u003cameryhung@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260529014936.2811085-13-ameryhung@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "925320666e0644c2e884a0dc49ab2dc22b061891", "tree": "21033b551e9f369277acdb9b760aeb5e70b11d2b", "parents": [ "fbcc68af60479c4beebe411c1ee5e3c873e3adcf" ], "author": { "name": "Amery Hung", "email": "ameryhung@gmail.com", "time": "Thu May 28 18:49:34 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:31:42 2026 -0700" }, "message": "selftests/bpf: Test using slice after invalidating dynptr clone\n\nThe parent object of a cloned dynptr is skb not the original dynptr.\nInvalidate the original dynptr should not prevent the program from\nusing the slice derived from the cloned dynptr.\n\nSigned-off-by: Amery Hung \u003cameryhung@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260529014936.2811085-12-ameryhung@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "fbcc68af60479c4beebe411c1ee5e3c873e3adcf", "tree": "a26912fef052451350a04d2446d6e7afc6fd6ce8", "parents": [ "2eee6fe8ac2cd21e931c009d475e5a8407d42d76" ], "author": { "name": "Amery Hung", "email": "ameryhung@gmail.com", "time": "Thu May 28 18:49:33 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:31:42 2026 -0700" }, "message": "selftests/bpf: Test creating dynptr from dynptr data and slice\n\nThe verifier currently does not allow creating dynptr from dynptr data\nor slice. Add a selftest to test this explicitly.\n\nSigned-off-by: Amery Hung \u003cameryhung@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260529014936.2811085-11-ameryhung@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "2eee6fe8ac2cd21e931c009d475e5a8407d42d76", "tree": "59e34ce662d6ff037e3b35d003ff0553ee45b23e", "parents": [ "bcfcb15fde94ed39068eb1d6e4b9b37d27111965" ], "author": { "name": "Amery Hung", "email": "ameryhung@gmail.com", "time": "Thu May 28 18:49:32 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:31:41 2026 -0700" }, "message": "bpf: Fix dynptr ref counting to scan all call frames\n\nWhen checking whether a referenced dynptr can be overwritten,\ndestroy_if_dynptr_stack_slot only counted sibling dynptrs in the\ncurrent call frame. If a clone sharing the same virtual ref parent\nexisted in a different frame (e.g., passed to a subprog), it would\nnot be counted, causing the verifier to incorrectly reject the\noverwrite with \"cannot overwrite referenced dynptr\".\n\nFix by extracting the counting into dynptr_ref_cnt() which uses\nbpf_for_each_reg_in_vstate_mask() to scan dynptr stack slots across\nall call frames.\n\nFixes: 017f5c4ef73c (\"bpf: Allow overwriting referenced dynptr when refcnt \u003e 1\")\nReported-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nAcked-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nSigned-off-by: Amery Hung \u003cameryhung@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260529014936.2811085-10-ameryhung@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "bcfcb15fde94ed39068eb1d6e4b9b37d27111965", "tree": "647a209431a606d53b567d0c6c3ef3d41e2b8a9a", "parents": [ "b7dd2b388657d99689161e82ed13515505838232" ], "author": { "name": "Amery Hung", "email": "ameryhung@gmail.com", "time": "Thu May 28 18:49:31 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:31:41 2026 -0700" }, "message": "bpf: Unify release handling for helpers and kfuncs\n\nIntroduce release_reg() to consolidate the release logic shared by both\nhelpers and kfuncs: dynptr release, kptr_xchg percpu-to-RCU conversion,\nregular reference release, and NULL pass-through. NULL pass-through is\nonly allowed if the prototype indicates the argument may be null.\n\nDetermine release_regno from the function prototype/metadata before\nargument checking, rather than discovering it dynamically during\nargument processing. For helpers, scan the arg_type array in\ncheck_func_proto() via check_proto_release_reg(). For kfuncs, set\nrelease_regno to BPF_REG_1 in bpf_fetch_kfunc_arg_meta() when\nKF_RELEASE is set. In the future when we start adding decl_tag to\nkfunc arguments, we can just look at the function prototype instead\nof a release_regno.\n\nExtract ref_convert_alloc_rcu_protected() and\ninvalidate_rcu_protected_refs() to make it more clear what the code is\ndoing. For ref_convert_alloc_rcu_protected(), it pre-converts\nMEM_ALLOC | MEM_PERCPU registers to MEM_RCU (clearing id so they\nsurvive), then calls release_reference() to invalidate the remaining\nregisters and release the reference state.\n\nAdd KF_RELEASE to bpf_dynptr_file_discard() so its release_regno is set\nvia fetch_kfunc_meta rather than being assigned manually in the dynptr\nargument processing. Set arg_type to ARG_PTR_TO_DYNPTR for\nKF_ARG_PTR_TO_DYNPTR so that check_func_arg_reg_off() correctly allows\nnon-zero stack offsets for dynptr release arguments same as helper.\n\nAcked-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nSigned-off-by: Amery Hung \u003cameryhung@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260529014936.2811085-9-ameryhung@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "b7dd2b388657d99689161e82ed13515505838232", "tree": "525696cfcba367c55918d19a82f36dd33a58a9fb", "parents": [ "92d681b42746d4497dcc8afb45edd4af5737542f" ], "author": { "name": "Amery Hung", "email": "ameryhung@gmail.com", "time": "Thu May 28 18:49:30 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:31:41 2026 -0700" }, "message": "bpf: Unify referenced object tracking in verifier\n\nHelpers and kfuncs independently tracked referenced object metadata\nusing standalone id fields in their respective arg_meta structs.\nThis led to duplicated logic and inconsistent error handling between the\ntwo paths.\n\nIntroduce struct ref_obj_desc to consolidate id and parent_id along with\na count of how many arguments carry a reference. Add update_ref_obj() to\npopulate it from a bpf_reg_state, replacing open-coded assignments in\ncheck_func_arg(), check_kfunc_args(), and process_iter_arg(). Add\nvalidate_ref_obj() to check for ambiguous ref_obj before using it.\n\nFor ref_obj releasing helpers and kfuncs, keep checking it before\ncalling update_ref_obj() for now. A later patch will make these\nfunctions not depending on ref_obj. For other users of ref_obj, move the\nchecks to the use locations. For helper, this means moving the checks\ninside helper_multiple_ref_obj_use() to use locations.\nis_acquire_function() is dropped as ref_obj is never used.\n\nPass ref_obj_desc into process_dynptr_func()/mark_stack_slots_dynptr()\ninstead of a bare parent_id to make it less confusing.\n\nDrop the selftest introduced in 7ec899ac90a2 (\"selftests/bpf: Negative\ntest case for ref_obj_id in args\") since the verifier no longer\ncomplains about ambiguous ref_obj if it is not used.\n\nAcked-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nSigned-off-by: Amery Hung \u003cameryhung@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260529014936.2811085-8-ameryhung@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "92d681b42746d4497dcc8afb45edd4af5737542f", "tree": "c198acacc8dedac939585db77dda0719dd5ec27c", "parents": [ "308c7a0ae8859b34d9d90a3dff953b2d14242145" ], "author": { "name": "Amery Hung", "email": "ameryhung@gmail.com", "time": "Thu May 28 18:49:29 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:31:41 2026 -0700" }, "message": "bpf: Remove redundant dynptr arg check for helper\n\nunmark_stack_slots_dynptr() already makes sure that CONST_PTR_TO_DYNPTR\ncannot be released. process_dynptr_func() also prevents passing\nuninitialized dynptr to helpers expecting initialized dynptr. Now that\nunmark_stack_slots_dynptr() also reports error returned from\nrelease_reference(), there should be no reason to keep these redundant\nchecks.\n\nAcked-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nSigned-off-by: Amery Hung \u003cameryhung@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260529014936.2811085-7-ameryhung@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "308c7a0ae8859b34d9d90a3dff953b2d14242145", "tree": "bc30559a547a9d6422852910dbf36dc989269046", "parents": [ "06d518a5583fa681dc5c204d578a894f5b11ffa5" ], "author": { "name": "Amery Hung", "email": "ameryhung@gmail.com", "time": "Thu May 28 18:49:28 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:31:41 2026 -0700" }, "message": "bpf: Refactor object relationship tracking and fix dynptr UAF bug\n\nRefactor object relationship tracking in the verifier and fix a dynptr\nuse-after-free bug where file/skb dynptrs are not invalidated when the\nparent referenced object is freed.\n\nAdd parent_id to bpf_reg_state to precisely track child-parent\nrelationships. A child object\u0027s parent_id points to the parent object\u0027s\nid. This replaces the PTR_TO_MEM-specific dynptr_id.\n\nRemove ref_obj_id from bpf_reg_state by folding its role into the\nexisting id field. Previously, id tracked pointer identity for null\nchecking while ref_obj_id tracked the owning reference for lifetime\nmanagement. These are now unified: acquire helpers and kfuncs set id\nto the acquired reference id, and release paths use id directly.\n\nAdd reg_is_referenced() which checks if a register is referenced by\nlooking up its id in the reference array. This replaces all former\nref_obj_id checks.\n\nFor release_reference(), invalidating an object now also invalidates\nall descendants by traversing the object tree. This is done using\nstack-based DFS to avoid recursive call chains of release_reference() -\u003e\nunmark_stack_slots_dynptr() -\u003e release_reference(). Referenced objects\nencountered during tree traversal are reported as leaked references.\n\nAdd parent_id to bpf_reference_state to enable hierarchical reference\ntracking. When acquiring a reference, a parent_id can be specified to\nlink the new reference to an existing one (e.g., referenced dynptrs\nacquire a reference with parent_id linking to the parent object\u0027s\nreference).\n\nPointer casting:\n\nFor pointer casting helpers (bpf_sk_fullsock, bpf_tcp_sock), instead of\npropagating ref_obj_id, the cast result reuses the same reference id as\nthe source pointer. Since the cast may return NULL for a non-NULL input,\nthe NULL case is explored as a separate verifier branch. This allows\nreleasing any of the original or cast pointers to invalidate all others.\n\nReferenced dynptrs:\n\nWhen constructing a referenced dynptr, acquire a intermediate reference\nwith parent_id linking to the parent referenced object. The dynptr and\nall clones share the same parent_id (pointing to the intermediate ref)\nbut get unique ids for independent slice tracking. Releasing a\nreferenced dynptr releases the parent reference, which in turn\ninvalidates all clones and their derived slices.\n\nOwning to non-owning reference conversion:\n\nAfter converting owning to non-owning by clearing id (e.g.,\nobject(id\u003d1) -\u003e object(id\u003d0)), the verifier releases the reference\nstate via release_reference_nomark().\n\nNote that the error message \"reference has not been acquired before\" in\nthe helper and kfunc release paths is removed. This message was already\nunreachable. The verifier only calls release_reference() after\nconfirming the reference is valid, so the condition could never trigger\nin practice.\n\nFixes: 870c28588afa (\"bpf: net_sched: Add basic bpf qdisc kfuncs\")\nSigned-off-by: Amery Hung \u003cameryhung@gmail.com\u003e\nAcked-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260529014936.2811085-6-ameryhung@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "06d518a5583fa681dc5c204d578a894f5b11ffa5", "tree": "26ad16d1b55e4b781b74f35fe8c968fc51851981", "parents": [ "94ac7553361f3f20b0a60c13f9e7d0a859c73c12" ], "author": { "name": "Amery Hung", "email": "ameryhung@gmail.com", "time": "Thu May 28 18:49:27 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:31:41 2026 -0700" }, "message": "bpf: Preserve reg-\u003eid of pointer objects after null-check\n\nPreserve reg-\u003eid of pointer objects after null-checking the register so\nthat children objects derived from it can still refer to it in the new\nobject relationship tracking mechanism introduced in a later patch. This\nchange incurs a slight increase in the number of states in one selftest\nbpf object, rbtree_search.bpf.o. For Meta bpf objects, the increase of\nstates is also negligible.\n\nSelftest BPF objects with insns_diff \u003e 0\n\nProgram Insns (A) Insns (B) Insns (DIFF) States (A) States (B) States (DIFF)\n------------------------ --------- --------- -------------- ---------- ---------- -------------\nrbtree_search 6820 7326 +506 (+7.42%) 379 398 +19 (+5.01%)\n\nMeta BPF objects with insns_diff \u003e 0\n\nProgram Insns (A) Insns (B) Insns (DIFF) States (A) States (B) States (DIFF)\n------------------------ --------- --------- -------------- ---------- ---------- -------------\nned_imex_be_tclass 52 57 +5 (+9.62%) 5 6 +1 (+20.00%)\nned_imex_be_tclass 52 57 +5 (+9.62%) 5 6 +1 (+20.00%)\nned_skop_auto_flowlabel 523 526 +3 (+0.57%) 39 40 +1 (+2.56%)\nned_skop_mss 289 292 +3 (+1.04%) 20 20 +0 (+0.00%)\nned_skopt_bet_classifier 78 82 +4 (+5.13%) 8 8 +0 (+0.00%)\ndctcp_update_alpha 252 320 +68 (+26.98%) 21 27 +6 (+28.57%)\ndctcp_update_alpha 252 320 +68 (+26.98%) 21 27 +6 (+28.57%)\nned_ts_func 119 126 +7 (+5.88%) 6 7 +1 (+16.67%)\ntw_egress 1119 1128 +9 (+0.80%) 95 96 +1 (+1.05%)\ntw_ingress 1128 1137 +9 (+0.80%) 95 96 +1 (+1.05%)\ntw_tproxy_router 4380 4465 +85 (+1.94%) 114 118 +4 (+3.51%)\ntw_tproxy_router4 3093 3170 +77 (+2.49%) 83 88 +5 (+6.02%)\nttls_tc_ingress 34656 35717 +1061 (+3.06%) 936 970 +34 (+3.63%)\ntw_twfw_egress 222327 222338 +11 (+0.00%) 10563 10564 +1 (+0.01%)\ntw_twfw_ingress 78295 78299 +4 (+0.01%) 3825 3826 +1 (+0.03%)\ntw_twfw_tc_eg 222839 222859 +20 (+0.01%) 10584 10585 +1 (+0.01%)\ntw_twfw_tc_in 78295 78299 +4 (+0.01%) 3825 3826 +1 (+0.03%)\ntw_twfw_egress 8080 8085 +5 (+0.06%) 456 456 +0 (+0.00%)\ntw_twfw_ingress 8053 8056 +3 (+0.04%) 454 454 +0 (+0.00%)\ntw_twfw_tc_eg 8154 8174 +20 (+0.25%) 456 457 +1 (+0.22%)\ntw_twfw_tc_in 8060 8063 +3 (+0.04%) 455 455 +0 (+0.00%)\ntw_twfw_egress 222327 222338 +11 (+0.00%) 10563 10564 +1 (+0.01%)\ntw_twfw_ingress 78295 78299 +4 (+0.01%) 3825 3826 +1 (+0.03%)\ntw_twfw_tc_eg 222839 222859 +20 (+0.01%) 10584 10585 +1 (+0.01%)\ntw_twfw_tc_in 78295 78299 +4 (+0.01%) 3825 3826 +1 (+0.03%)\ntw_twfw_egress 8080 8085 +5 (+0.06%) 456 456 +0 (+0.00%)\ntw_twfw_ingress 8053 8056 +3 (+0.04%) 454 454 +0 (+0.00%)\ntw_twfw_tc_eg 8154 8174 +20 (+0.25%) 456 457 +1 (+0.22%)\ntw_twfw_tc_in 8060 8063 +3 (+0.04%) 455 455 +0 (+0.00%)\n\nLooking into rbtree_search, the reason for such increase is that the\nverifier has to explore the main loop shown below for one more iteration\nuntil state pruning decides the current state is safe.\n\nlong rbtree_search(void *ctx)\n{\n\t...\n\tbpf_spin_lock(\u0026glock0);\n\trb_n \u003d bpf_rbtree_root(\u0026groot0);\n\twhile (can_loop) {\n\t\tif (!rb_n) {\n\t\t\tbpf_spin_unlock(\u0026glock0);\n\t\t\treturn __LINE__;\n\t\t}\n\n\t\tn \u003d rb_entry(rb_n, struct node_data, r0);\n\t\tif (lookup_key \u003d\u003d n-\u003ekey0)\n\t\t\tbreak;\n\t\tif (nr_gc \u003c NR_NODES)\n\t\t\tgc_ns[nr_gc++] \u003d rb_n;\n\t\tif (lookup_key \u003c n-\u003ekey0)\n\t\t\trb_n \u003d bpf_rbtree_left(\u0026groot0, rb_n);\n\t\telse\n\t\t\trb_n \u003d bpf_rbtree_right(\u0026groot0, rb_n);\n\t}\n\t...\n}\n\nBelow is what the verifier sees at the start of each iteration\n(65: may_goto) after preserving id of rb_n. Without id of rb_n, the\nverifier stops exploring the loop at iter 16.\n\n rb_n gc_ns[15]\niter 15 257 257\n\niter 16 290 257 rb_n: idmap add 257-\u003e290\n gc_ns[15]: check 257 !\u003d 290 --\u003e state not equal\n\niter 17 325 257 rb_n: idmap add 290-\u003e325\n gc_ns[15]: idmap add 257-\u003e257 --\u003e state safe\n\nAcked-by: Andrii Nakryiko \u003candrii@kernel.org\u003e\nAcked-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nSigned-off-by: Amery Hung \u003cameryhung@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260529014936.2811085-5-ameryhung@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "94ac7553361f3f20b0a60c13f9e7d0a859c73c12", "tree": "75e28c744aed95bc4c688627c7be3e21ff3280ca", "parents": [ "b5c0a07eb2c23bfd0c42ad6b461e6881b4b0995b" ], "author": { "name": "Amery Hung", "email": "ameryhung@gmail.com", "time": "Thu May 28 18:49:26 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:31:40 2026 -0700" }, "message": "bpf: Assign reg-\u003eid when getting referenced kptr from ctx\n\nAssign reg-\u003eid when getting referenced kptr from read program context\nto be consistent with R0 of KF_ACQUIRE kfunc. skb dynptr will track the\nreferenced skb in qdisc programs using a new field reg-\u003eparent_id in\na later patch.\n\nAcked-by: Andrii Nakryiko \u003candrii@kernel.org\u003e\nAcked-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nSigned-off-by: Amery Hung \u003cameryhung@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260529014936.2811085-4-ameryhung@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "b5c0a07eb2c23bfd0c42ad6b461e6881b4b0995b", "tree": "1eb9b84f144e4fdb3975f4e0986e5688cc7661b5", "parents": [ "bab08d1f70438cf06de9ab438313b7ef3099514c" ], "author": { "name": "Amery Hung", "email": "ameryhung@gmail.com", "time": "Thu May 28 18:49:25 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:31:40 2026 -0700" }, "message": "bpf: Unify dynptr handling in the verifier\n\nSimplify dynptr checking for helper and kfunc by unifying it. Remember\nthe initialized dynptr (i.e.,g !(arg_type |\u003d MEM_UNINIT)) pass to a\ndynptr kfunc during process_dynptr_func() so that we can easily\nretrieve the information for verification later. By saving it in\nmeta-\u003edynptr, there is no need to call dynptr helpers such as\ndynptr_id(), dynptr_ref_obj_id() and dynptr_type() in check_func_arg().\n\nRemove and open code the helpers in process_dynptr_func() when\nsaving id, ref_obj_id, and type.\n\nBesides, since dynptr ref_obj_id information is now pass around in\nmeta-\u003ebpf_dynptr_desc, drop the check in helper_multiple_ref_obj_use.\n\nAcked-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nAcked-by: Mykyta Yatsenko \u003cyatsenko@meta.com\u003e\nSigned-off-by: Amery Hung \u003cameryhung@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260529014936.2811085-3-ameryhung@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "bab08d1f70438cf06de9ab438313b7ef3099514c", "tree": "4cb7b7bf171cd985e608510a8421d1e08f365dfc", "parents": [ "868d43cf8f970b456fd93334bee40f792cf27e4d" ], "author": { "name": "Amery Hung", "email": "ameryhung@gmail.com", "time": "Thu May 28 18:49:24 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Jun 01 18:31:40 2026 -0700" }, "message": "bpf: Simplify mark_stack_slot_obj_read() and callers\n\nRename mark_stack_slot_obj_read() as mark_stack_slots_scratched() and\ndirectly call it from functions processing iter, dynptr and irq_flag.\nCommit 6762e3a0bce5 (\"bpf: simplify liveness to use (callsite, depth)\nkeyed func_instances\") has removed the dynamic liveness component in\nmark_stack_slot_obj_read(). The function effectively only marks stack\nslots as scratched and always succeed. Therefore, return void, drop the\nunused bpf_reg_state argument and rename it to\nmark_stack_slots_scratched() to reflect what it does now.\n\nIn addition, to prepare for unifying dynptr handling, dynptr_get_spi()\nwill be moved out of mark_dynptr_read(). As mark_dynptr_read() would join\nmark_iter_read() as a thin wrapper of mark_stack_slots_scratched(), just\nopen code these helpers.\n\nAcked-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nSigned-off-by: Amery Hung \u003cameryhung@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260529014936.2811085-2-ameryhung@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "868d43cf8f970b456fd93334bee40f792cf27e4d", "tree": "45632a1f13191b9e3b3cfedab6b630c233585032", "parents": [ "de36adca634634c205a9eb8b56a28175ab7abf5f" ], "author": { "name": "Paul Moore", "email": "paul@paul-moore.com", "time": "Sat May 23 12:00:26 2026 -0400" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun May 31 18:40:01 2026 -0700" }, "message": "bpf: Fix security_bpf_prog_load() error handling\n\nIf security_bpf_prog_load() fails there is no need to call into\nsecurity_bpf_prog_free() as the LSM will handle the cleanup of any partial\nLSM state before returning to the caller with an error. Thankfully this\nisn\u0027t an issue with any of the existing code as the LSMs which currently\nprovide BPF hook callback implementations don\u0027t allocate any internal\nstate, but this is something we want to fix for potential future users.\n\nSigned-off-by: Paul Moore \u003cpaul@paul-moore.com\u003e\nLink: https://lore.kernel.org/r/20260523160025.16363-2-paul@paul-moore.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "de36adca634634c205a9eb8b56a28175ab7abf5f", "tree": "1f10a11e3915e23bed2278cfe586a79ffee5a64a", "parents": [ "44cee8dd8b6fad5a823ce11696a6e41748853678" ], "author": { "name": "Taegu Ha", "email": "hataegu0826@gmail.com", "time": "Thu May 28 15:21:55 2026 +0900" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun May 31 17:50:14 2026 -0700" }, "message": "bpf: reject overlarge global subprog argument sizes\n\nGlobal subprogram argument checking derives generic pointer sizes from BTF\nand passes the resolved size to check_mem_reg() as a u32. The access-size\nvalidation path then uses a signed int, and stack pointers negate the value\nbefore calling check_helper_mem_access().\n\nThis creates a wrap when BTF describes a pointee size larger than S32_MAX.\nFor example, a global subprogram argument of type:\n\n int (*p)[0x3fffffff]\n\nhas a BTF-resolved pointee size of 0xfffffffc bytes. At a call site the\ncaller can pass a pointer to a 4-byte stack slot at fp-4. The current\nPTR_TO_STACK path computes:\n\n size \u003d -(int)mem_size\n\nso 0xfffffffc becomes -4 as a signed int and the negation validates only\na 4-byte stack range. That range is covered by the caller\u0027s stack slot,\nso the call is accepted.\n\nThe callee is then verified independently with R1 as PTR_TO_MEM and\nmem_size 0xfffffffc. A small instruction such as:\n\n r0 \u003d *(u32 *)(r1 + 4)\n\nis accepted as being inside that BTF-described memory region. At run time,\nhowever, the actual argument value is still fp-4, so r1 + 4 addresses fp+0,\noutside the 4-byte object that the caller provided.\n\nReject sizes that cannot be represented by the verifier\u0027s signed\naccess-size API before the stack-specific negation. Add a verifier\nregression test for the oversized BTF argument.\n\nFixes: 2cb27158adb3 (\"bpf: poison dead stack slots\")\nSigned-off-by: Taegu Ha \u003chataegu0826@gmail.com\u003e\nAcked-by: Yonghong Song \u003cyonghong.song@linux.dev\u003e\nLink: https://lore.kernel.org/r/20260528062155.3988156-1-hataegu0826@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "44cee8dd8b6fad5a823ce11696a6e41748853678", "tree": "7e89c9fb83201c11c03eb2e7d18204cf152dc84f", "parents": [ "41300d032a1b1d91a3ed996ad21905463e344beb", "157317ba662a7c476320fdb334216154eaa8b856" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun May 31 17:49:21 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun May 31 17:49:21 2026 -0700" }, "message": "Merge branch \u0027bpf-arm64-stack-argument-fixes\u0027\n\nPuranjay Mohan says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nbpf, arm64: Stack argument fixes\n\nPatch 1 fixes a redundant MOV in the arm64 JIT\u0027s\nemit_stack_arg_store_imm() and clarifies the stack layout comments. This\nis not a bug fix but an improvement.\n\nPatch 2 bumps the stack argument tests from 6-8 args to at least 10 so\nthey actually exercise the native stack on arm64, where x0-x7 cover the\nfirst 8 arguments.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260528161750.1900674-1-puranjay@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "157317ba662a7c476320fdb334216154eaa8b856", "tree": "7e89c9fb83201c11c03eb2e7d18204cf152dc84f", "parents": [ "12a585e607fa6e3fbe2c02158c7ad284cbf75792" ], "author": { "name": "Puranjay Mohan", "email": "puranjay@kernel.org", "time": "Thu May 28 09:17:48 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun May 31 17:49:21 2026 -0700" }, "message": "selftests/bpf: Use at least 10 args in stack argument tests\n\nOn arm64, the first 8 arguments are passed in registers (x0-x7), so\ntests with 8 or fewer arguments never exercise the native stack argument\npath in the JIT. Increase argument counts to at least 10 across all\nBPF-to-BPF subprog and kfunc stack argument tests so that at least 2\narguments land on the arm64 stack.\n\nFor the two-callees test, bump foo1 from 8 to 10 and foo2 from 10 to 12\nargs to preserve the different-stack-depth flavor of the test.\n\nThe bpf_kfunc_call_stack_arg_mem kfunc is left unchanged at 7 args to\navoid breaking the precision backtracking test which relies on hardcoded\nverifier log instruction indices.\n\nSuggested-by: Will Deacon \u003cwill@kernel.org\u003e\nSigned-off-by: Puranjay Mohan \u003cpuranjay@kernel.org\u003e\nAcked-by: Yonghong Song \u003cyonghong.song@linux.dev\u003e\nLink: https://lore.kernel.org/r/20260528161750.1900674-3-puranjay@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "12a585e607fa6e3fbe2c02158c7ad284cbf75792", "tree": "9ed14d9a3dede247f10291e25f91462ce15c71a5", "parents": [ "41300d032a1b1d91a3ed996ad21905463e344beb" ], "author": { "name": "Puranjay Mohan", "email": "puranjay@kernel.org", "time": "Thu May 28 09:17:47 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun May 31 17:49:21 2026 -0700" }, "message": "bpf, arm64: Fix redundant MOV and clarify stack arg comments\n\nemit_stack_arg_store_imm() materializes the immediate into tmp and\nthen moves tmp to the target register (x5-x7). Emit the immediate\ndirectly into the target register to avoid the redundant MOV.\n\nWhile here, qualify the bare \"FP\" in the stack-layout ASCII art as\n\"A64_FP\" so it is not confused with BPF_FP, and note that incoming\nstack arguments sit above the FP/LR pair pushed by the callee\nprologue.\n\nSuggested-by: Will Deacon \u003cwill@kernel.org\u003e\nSigned-off-by: Puranjay Mohan \u003cpuranjay@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260528161750.1900674-2-puranjay@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "41300d032a1b1d91a3ed996ad21905463e344beb", "tree": "7fbc9c327de4cb18a7edc1e13c4962dda5bc57de", "parents": [ "d2f7bd066ed492aeaf82864fbf1f06770f9d9f9d" ], "author": { "name": "Daniel Borkmann", "email": "daniel@iogearbox.net", "time": "Fri May 29 18:28:29 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun May 31 17:48:27 2026 -0700" }, "message": "libbpf: Skip endianness swap when loader generation failed\n\nbpf_gen__prog_load() byte-swaps the program insns and the {func,line}_info\nand CO-RE relo blobs in place for cross-endian targets. The blob offsets\ncome from add_data(), which returns 0 on failure: realloc_data_buf() either\nfrees and NULLs gen-\u003edata_start (realloc OOM) or returns early on an\nalready-latched gen-\u003eerror, leaving a stale, possibly too-small buffer.\n\nNeither bswap site checked for this. With gen-\u003eswapped_endian set and a\nfailed generation, \"gen-\u003edata_start + off\" becomes NULL + 0. Guard the\nsame way via !gen-\u003eerror so they are skipped once generation has failed.\n\nFixes: 8ca3323dce43 (\"libbpf: Support creating light skeleton of either endianness\")\nReported-by: sashiko \u003csashiko@sashiko.dev\u003e\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nLink: https://lore.kernel.org/r/20260529162829.315921-1-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "d2f7bd066ed492aeaf82864fbf1f06770f9d9f9d", "tree": "f8b48e2b73f8058844a3a916b7ca31f6f3c0999f", "parents": [ "3c5e2f1a85844abbb65df4694f5ebad0a13e219c" ], "author": { "name": "Daniel Borkmann", "email": "daniel@iogearbox.net", "time": "Fri May 29 11:41:18 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun May 31 17:47:48 2026 -0700" }, "message": "libbpf: Also reset {insn,data}_cur on realloc failure\n\nrealloc_insn_buf() as well as realloc_data_buf() free and NULL\ngen-\u003einsn_start / gen-\u003edata_start on -ENOMEM but leave gen-\u003einsn_cur /\ngen-\u003edata_cur pointing into the old, freed buffer. Just reset the\ncursors to NULL alongside the base pointers so the freed state is\ncoherent.\n\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nLink: https://lore.kernel.org/r/20260529094119.307264-3-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "3c5e2f1a85844abbb65df4694f5ebad0a13e219c", "tree": "742817537cb4289866c89d4efdea2ac68416feab", "parents": [ "e2c88266147ff92ca25e6577158a9a0b3b261a30" ], "author": { "name": "Daniel Borkmann", "email": "daniel@iogearbox.net", "time": "Fri May 29 11:41:17 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun May 31 17:47:48 2026 -0700" }, "message": "libbpf: Skip hash computation when loader generation failed\n\nbpf_gen__finish() calls compute_sha_update_offsets() gated only on\nthe gen_hash option, without first consulting gen-\u003eerror. On a failed\ngeneration this is buggy: a failed realloc_data_buf() sets gen-\u003edata_start\nto NULL (leaving gen-\u003edata_cur dangling), so compute_sha_update_offsets()\nruns libbpf_sha256() over a NULL buffer with a bogus length; a failed\nrealloc_insn_buf() likewise sets gen-\u003einsn_start to NULL and the hash\nimmediates get patched through that NULL base.\n\nThe computed program is discarded in either case, since the following\n\"if (!gen-\u003eerror)\" block does not publish opts-\u003einsns once an error is\nset. Thus, skip the hash pass when generation has already failed.\n\nFixes: ea923080c145 (\"libbpf: Embed and verify the metadata hash in the loader\")\nReported-by: sashiko \u003csashiko@sashiko.dev\u003e\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nLink: https://lore.kernel.org/r/20260529094119.307264-2-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "e2c88266147ff92ca25e6577158a9a0b3b261a30", "tree": "8939a4eb0f19c5c8272b25657ffd2899dc94e553", "parents": [ "7c7c42d606ed540301b14571ae000041a2d6f39d" ], "author": { "name": "Daniel Borkmann", "email": "daniel@iogearbox.net", "time": "Fri May 29 11:41:16 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun May 31 17:47:48 2026 -0700" }, "message": "libbpf: Drop redundant self-loop in emit_check_err\n\nWhen the cleanup-label jump offset does not fit in s16, emit_check_err()\nsets gen-\u003eerror \u003d -ERANGE and then emits a BPF_JMP_IMM(BPF_JA, 0, 0, -1)\nself-loop.\n\nThe latter emit() is dead: gen-\u003eerror is assigned on the preceding line,\nand emit() then bails out early in realloc_insn_buf() the moment gen-\u003eerror\nis set, so the jump is never written into the instruction stream.\n\ngen-\u003eerror alone already marks the generation as failed. This is a follow-up\nto 7dd62566e0d1 (\"libbpf: fix off-by-one in emit_signature_match jump offset\")\nwhich removed the jump in emit_signature_match() but not in other locations.\n\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nLink: https://lore.kernel.org/r/20260529094119.307264-1-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "7c7c42d606ed540301b14571ae000041a2d6f39d", "tree": "29ff2c19dd05e0fcfa436489d08e56ac47bb54f5", "parents": [ "b573cf651bea3e7926819b4fc6fae47b41810ee7" ], "author": { "name": "Martin KaFai Lau", "email": "martin.lau@kernel.org", "time": "Fri May 29 13:39:09 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun May 31 17:46:25 2026 -0700" }, "message": "bpf: Update bpf maintainers\n\nI am making a life change and will take a long break\nfrom my current work, so I will step down from the \"M:\" responsibility.\n\nI am currently a \"R:\" in \"BPF [GENERAL]\", this part stays unchanged.\nI am folding most of the parts into \"BPF [GENERAL]\".\n\nFor \"BPF [BTF]\", it is long overdue as I am no longer involved.\nIt is folded into the \"BPF [GENERAL]\".\n\nThe \"BPF [STORAGE \u0026 CGROUPS]\" will also be covered by \"BPF [GENERAL]\".\n\nFor struct_ops, its usage is no longer limited to networking,\nso this naturally should move back to \"BPF [GENERAL]\".\n\nFor the reuseport, it will continue to be maintained together\nby \"BPF [GENERAL]\" and the \"NETWORKING [SOCKETS]\".\n\nFor other \"BPF [NETWORKING]...\", I am moving myself to \"R:\".\n\nThanks!\n\nSigned-off-by: Martin KaFai Lau \u003cmartin.lau@kernel.org\u003e\nAcked-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nLink: https://lore.kernel.org/r/20260529203909.1222164-1-martin.lau@linux.dev\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "b573cf651bea3e7926819b4fc6fae47b41810ee7", "tree": "17bf7fff99c0650a45f3b59680d557ab56fb5a49", "parents": [ "9a720e090eb5155fbd584a3f7eca18f82610a2b3", "5add3a4ad1a3bc15404e8bd338813ed0a636f5c9" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun May 31 09:16:55 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun May 31 09:16:55 2026 -0700" }, "message": "Merge branch \u0027bpf-align-syscall-writeback-behavior-with-user-declared-size\u0027\n\nYuyang Huang says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nbpf: Align syscall writeback behavior with user-declared size\n\nThis series fixes an out-of-bounds write vulnerability in BPF_PROG_QUERY\nwhile maintaining backward compatibility for older userspace applications.\n\nBPF_PROG_QUERY unconditionally writes back the \u0027query.revision\u0027 field\nto userspace. If userspace passes a smaller \u0027bpf_attr\u0027 structure (e.g. 40\nbytes, which was the cgroup query layout before \u0027query.revision\u0027 was\nadded), the kernel performs an out-of-bounds write.\n\nWe address this by propagating the user-provided \u0027uattr_size\u0027 down to\nthe cgroup query handlers and conditionally skipping the write-back of\n\u0027query.revision\u0027 if the buffer is too small. This allows legacy cgroup\nqueries to succeed safely.\n\ntcx and netkit queries are left unchanged since they were introduced in\nthe same merge window as \u0027query.revision\u0027 and have no legacy callers.\n\nFinally, we add a selftest to verify these boundary behaviors.\n\nChanges since v2:\n- Propagate uattr_size to __cgroup_bpf_query() and conditionally write\n revision (instead of unconditionally rejecting smaller sizes in front-gate).\n- Update BPF selftests to verify that cgroup queries succeed with\n OLD_QUERY_SIZE without writing revision, and succeed with FULL_QUERY_SIZE.\n- Remove early size checks in the front-gate to keep the patch minimal.\n\nChanges since v1:\n- Simplify the kernel fix to checking the size only in bpf_prog_query().\n- Revert all other subsystem query plumbing changes.\n- Update BPF selftest to target BPF_CGROUP_INET_INGRESS cgroup query, and\n add verification for attr size boundaries.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260531075600.4058207-1-yuyanghuang@google.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "5add3a4ad1a3bc15404e8bd338813ed0a636f5c9", "tree": "17bf7fff99c0650a45f3b59680d557ab56fb5a49", "parents": [ "21c4b99b27f3f85b89256e81b3e997dec0a460d0" ], "author": { "name": "Yuyang Huang", "email": "yuyanghuang@google.com", "time": "Sun May 31 15:56:00 2026 +0800" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun May 31 09:16:55 2026 -0700" }, "message": "selftests/bpf: add verification for BPF_PROG_QUERY attr size boundaries\n\nAdd a new selftest to verify that the BPF syscall (specifically\nBPF_PROG_QUERY) correctly handles different user-declared attribute sizes.\n\nSpecifically, verify that:\n- For cgroup queries, a query with a size that covers \u0027prog_cnt\u0027 but is\n smaller than \u0027revision\u0027 (OLD_QUERY_SIZE) succeeds, but does not write\n to \u0027revision\u0027 (verifying backward compatibility).\n- A query with full size (FULL_QUERY_SIZE) succeeds and writes both\n \u0027prog_cnt\u0027 and \u0027revision\u0027.\n\nFixes: 120933984460 (\"bpf: Implement mprog API on top of existing cgroup progs\")\nCc: Maciej Żenczykowski \u003cmaze@google.com\u003e\nCc: Lorenzo Colitti \u003clorenzo@google.com\u003e\nSigned-off-by: Yuyang Huang \u003cyuyanghuang@google.com\u003e\nLink: https://lore.kernel.org/r/20260531075600.4058207-3-yuyanghuang@google.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "21c4b99b27f3f85b89256e81b3e997dec0a460d0", "tree": "8a5a7da2a06871ab3dd160b427f81c38faa074a3", "parents": [ "9a720e090eb5155fbd584a3f7eca18f82610a2b3" ], "author": { "name": "Yuyang Huang", "email": "yuyanghuang@google.com", "time": "Sun May 31 15:55:59 2026 +0800" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun May 31 09:16:55 2026 -0700" }, "message": "bpf: fix BPF_PROG_QUERY OOB write and cgroup backward compat\n\nBPF_PROG_QUERY writes back the \u0027query.revision\u0027 field unconditionally to\nuserspace. If userspace passes a smaller \u0027bpf_attr\u0027 structure (e.g. 40\nbytes, which was the layout before the addition of \u0027query.revision\u0027),\nthe kernel performs an out-of-bounds write.\n\nFix this by propagating the user-provided attribute size \u0027uattr_size\u0027\ndown to the cgroup query handlers, and conditionally skipping writing\nthe revision field to userspace when the provided buffer size is\ninsufficient.\n\nquery.revision in bpf_mprog_query is structurally identical to the\ncgroup case: a late tail field, written unconditionally.\n\nBut the backward-compat hazard is not the same.\n\nThe min-historical-size test is per command, and bpf_mprog_query only\nserves attach types that were born with revision in the struct:\n\n- tcx_prog_query -\u003e BPF_TCX_INGRESS/EGRESS\n- netkit_prog_query -\u003e BPF_NETKIT_PRIMARY/PEER\n\ntcx, netkit, the revision field, and bpf_mprog_query itself all landed in\nthe same v6.6 merge window (053c8e1f235d added the mprog query API +\nrevision; tcx in e420bed02507, netkit in 35dfaad7188c). There has never\nbeen a tcx/netkit BPF_PROG_QUERY userspace that doesn\u0027t know about\nrevision. So for these commands the minimum legitimate struct already\ncovers offset 56-64 — no old binary can be broken here.\n\nContrast with cgroup: BPF_PROG_QUERY on cgroup attach types shipped in\n2017; revision write-back was bolted on years later (120933984460). That\npath has a real population of pre-revision callers.\n\nFixes: 120933984460 (\"bpf: Implement mprog API on top of existing cgroup progs\")\nCc: Maciej Żenczykowski \u003cmaze@google.com\u003e\nCc: Lorenzo Colitti \u003clorenzo@google.com\u003e\nSigned-off-by: Yuyang Huang \u003cyuyanghuang@google.com\u003e\nLink: https://lore.kernel.org/r/20260531075600.4058207-2-yuyanghuang@google.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "9a720e090eb5155fbd584a3f7eca18f82610a2b3", "tree": "c55d4a441fe7425ee686d654ef59adfdb1f85860", "parents": [ "9b435d23f51e55b62dda3a345a9f8931248ca514" ], "author": { "name": "Suchit Karunakaran", "email": "suchitkarunakaran@gmail.com", "time": "Sun May 24 08:28:53 2026 +0530" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Thu May 28 20:02:57 2026 -0700" }, "message": "bpf: replace pop/push emptiness check with bpf_list_empty()\n\nSimplify fq_flows_is_empty() by replacing the pop/push based emptiness\ncheck with a direct call to bpf_list_empty().\nThis avoids unnecessary list mutation and simplifies the code while\npreserving correctness.\n\nSigned-off-by: Suchit Karunakaran \u003csuchitkarunakaran@gmail.com\u003e\n\nChanges since v1:\n- Removed unused variable node\nReviewed-by: Emil Tsalapatis \u003cemil@etsalapatis.com\u003e\nLink: https://lore.kernel.org/r/20260524025853.13786-1-suchitkarunakaran@gmail.com\n\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "9b435d23f51e55b62dda3a345a9f8931248ca514", "tree": "dcad05018a1467a1a31ffa3017b85cf4a0a89969", "parents": [ "7f9ce282da0c397673be7d5870b0bcdbc8c6ce82" ], "author": { "name": "Leon Hwang", "email": "leon.hwang@linux.dev", "time": "Thu May 21 22:29:09 2026 +0800" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Thu May 28 19:56:37 2026 -0700" }, "message": "bpf: Fix race between bpf_map_new_fd() and close_fd()\n\nBecause there is time gap between bpf_map_new_fd() and close_fd(), a\nconcurrent thread is able to close the new fd and opens a new, unrelated\nfile with the exact same fd number. Thereafter, this close_fd() might\ninadvertently close the unrelated file.\n\nTo avoid such regression, do finalize log before security_bpf_map_create().\n\nHowever, in order to achieve it, move bpf_get_file_flag(),\nsecurity_bpf_map_create(), bpf_map_alloc_id(), and bpf_map_new_fd() from\n__map_create() to map_create(). And, rename __map_create() to\nmap_create_alloc() meanwhile.\n\nThen, in order to reuse the map and token when all checks pass in\nmap_create_alloc(), pass \"struct bpf_map **\" and \"struct bpf_token **\" to\nmap_create_alloc().\n\nFixes: 49f9b2b2a18c (\"bpf: Add syscall common attributes support for map_create\")\nSigned-off-by: Leon Hwang \u003cleon.hwang@linux.dev\u003e\nLink: https://lore.kernel.org/r/20260521142909.95818-1-leon.hwang@linux.dev\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "7f9ce282da0c397673be7d5870b0bcdbc8c6ce82", "tree": "2b5d551fe2ba2bac97e77180accc788ede78f05a", "parents": [ "a4a5d4ee061240a1d39053db0a87f841d43277c0", "5e9099d8ff24ec32aa5af872a4d84d086bd70579" ], "author": { "name": "Andrii Nakryiko", "email": "andrii@kernel.org", "time": "Thu May 28 14:58:14 2026 -0700" }, "committer": { "name": "Andrii Nakryiko", "email": "andrii@kernel.org", "time": "Thu May 28 14:58:14 2026 -0700" }, "message": "Merge branch \u0027bpf-implement-stack_map_get_build_id_offset_sleepable\u0027\n\nIhor Solodrai says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nbpf: Implement stack_map_get_build_id_offset_sleepable()\n\nThe series introduces stack_map_get_build_id_offset_sleepable(),\nfixing a gap with parsing build_id in sleepable context in stackmap.c\n\nIn particular, this fixes a deadlock in\nstack_map_get_build_id_offset() doing a blocking __kernel_read(),\nwhich happens since commit 777a8560fd29 (\"lib/buildid: use\n__kernel_read() for sleepable context\").\n\nSee previous revisions for more details.\n---\n\nv6-\u003ev7:\n * Addressed feedback from Andrii (mostly patch #2):\n * implement proper CONFIG_PER_VMA_LOCK\u003dn support, following a\n VMA locking pattern similar to one used in PROCMAP_QUERY\n * change the contract of stack_map_lock_vma(): if a non-NULL VMA\n is returned, then a read lock is held\n * remove now unnecessary vma_locked flag\n * and various other nits\n * Add vma_is_anonymous() checks where appropriate (AIs)\nv6: https://lore.kernel.org/bpf/20260521225022.2695755-1-ihor.solodrai@linux.dev/\n\nv5-\u003ev6:\n * Misc refactoring (Andrii):\n * add stack_map_build_id_set_valid() helper\n * simplify control flow in stack_map_get_build_id_offset_sleepable()\nv5: https://lore.kernel.org/bpf/20260515005244.1333013-1-ihor.solodrai@linux.dev/\n\nv4-\u003ev5:\n * Add comments explaining mmap_read_trylock() (Shakeel)\n * Rebase on bpf-next (Alexei)\nv4: https://lore.kernel.org/bpf/20260514184727.1067141-1-ihor.solodrai@linux.dev/\n\nv3-\u003ev4:\n * Change Fixes tag in patch #2 (AI)\n * Nit in caching implementation (Mykyta)\nv3: https://lore.kernel.org/bpf/20260512032906.2670326-1-ihor.solodrai@linux.dev/\n\nv2-\u003ev3:\n * Split patch #2 in two: stack_map_get_build_id_offset_sleepable()\n implementation, and then introduce caching\n * Drop taking mmap_lock if CONFIG_PER_VMA_LOCK\u003dn, fall back to raw\n IPs instead\n * Cache vm_{start,end} in addition to prev_file (Mykyta)\nv2: https://lore.kernel.org/bpf/20260409010604.1439087-1-ihor.solodrai@linux.dev/\n\nv1-\u003ev2:\n * Addressed feedback from Puranjay:\n * split out a small refactoring patch\n * use mmap_read_trylock()\n * take into account CONFIG_PER_VMA_LOCK\n * replace find_vma() with vma_lookup()\n * cache prev_build_id to avoid re-parsing the same file\n * Snapshot vm_pgoff and vm_start before unlocking (AI)\n * To avoid repetitive unlocking statements, introduce struct\n stack_map_vma_lock to hold relevant lock state info and add an\n unlock helper\nv1: https://lore.kernel.org/bpf/20260407223003.720428-1-ihor.solodrai@linux.dev/\n\n---\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260525223948.1920986-1-ihor.solodrai@linux.dev\nSigned-off-by: Andrii Nakryiko \u003candrii@kernel.org\u003e\n" }, { "commit": "5e9099d8ff24ec32aa5af872a4d84d086bd70579", "tree": "2b5d551fe2ba2bac97e77180accc788ede78f05a", "parents": [ "fad3021faf7b0b64e9daea41c5662b65c8ad7379" ], "author": { "name": "Ihor Solodrai", "email": "ihor.solodrai@linux.dev", "time": "Mon May 25 15:39:48 2026 -0700" }, "committer": { "name": "Andrii Nakryiko", "email": "andrii@kernel.org", "time": "Thu May 28 14:58:13 2026 -0700" }, "message": "bpf: Cache build IDs in sleepable stackmap path\n\nStack traces often contain adjacent IPs from the same VMA or from\ndifferent VMAs backed by the same ELF file. Cache the last successfully\nparsed build id together with the resolved VMA range and backing file\nso the sleepable build id path can avoid repeated VMA locking and file\nparsing in common cases.\n\nSuggested-by: Mykyta Yatsenko \u003cyatsenko@meta.com\u003e\nSigned-off-by: Ihor Solodrai \u003cihor.solodrai@linux.dev\u003e\nSigned-off-by: Andrii Nakryiko \u003candrii@kernel.org\u003e\nAcked-by: Mykyta Yatsenko \u003cyatsenko@meta.com\u003e\nAcked-by: Andrii Nakryiko \u003candrii@kernel.org\u003e\nLink: https://lore.kernel.org/bpf/20260525223948.1920986-4-ihor.solodrai@linux.dev\n" }, { "commit": "fad3021faf7b0b64e9daea41c5662b65c8ad7379", "tree": "1e5aeea655180205300079ffb081d2149f4c2c7a", "parents": [ "fc99547a8bda22a6a489284641385d8dcfb3ecd8" ], "author": { "name": "Ihor Solodrai", "email": "ihor.solodrai@linux.dev", "time": "Mon May 25 15:39:47 2026 -0700" }, "committer": { "name": "Andrii Nakryiko", "email": "andrii@kernel.org", "time": "Thu May 28 14:58:13 2026 -0700" }, "message": "bpf: Avoid faultable build ID reads under mm locks\n\nSleepable build ID parsing can block in __kernel_read() [1], so the\nstackmap sleepable path must not call it while holding mmap_lock or a\nper-VMA read lock.\n\nThe issue and the fix are conceptually similar to a recent procfs\npatch [2]. A similar VMA locking pattern has already been used in\nPROCMAP_QUERY [3].\n\nResolve each covered VMA with a stable read-side reference, preferring\nlock_vma_under_rcu() and falling back to mmap_read_trylock() only long\nenough to acquire the VMA read lock. Take a reference to the backing\nfile, drop the VMA lock, and then parse the build ID through\n(sleepable) build_id_parse_file().\n\nWe have to use mmap_read_trylock() (and give up on failure) in this\ncontext because taking mmap_read_lock() is generally unsafe on code\npaths reachable from BPF programs [4], and may lead to deadlocks.\n\n[1] https://lore.kernel.org/all/20251218005818.614819-1-shakeel.butt@linux.dev/\n[2] https://lore.kernel.org/all/20260128183232.2854138-1-andrii@kernel.org/\n[3] https://lore.kernel.org/all/20250808152850.2580887-1-surenb@google.com/\n[4] https://lore.kernel.org/bpf/2895ecd8-df1e-4cc0-b9f9-aef893dc2360@linux.dev/\n\nFixes: d4dd9775ec24 (\"bpf: wire up sleepable bpf_get_stack() and bpf_get_task_stack() helpers\")\nSuggested-by: Puranjay Mohan \u003cpuranjay@kernel.org\u003e\nSigned-off-by: Ihor Solodrai \u003cihor.solodrai@linux.dev\u003e\nSigned-off-by: Andrii Nakryiko \u003candrii@kernel.org\u003e\nLink: https://lore.kernel.org/bpf/20260525223948.1920986-3-ihor.solodrai@linux.dev\n" }, { "commit": "fc99547a8bda22a6a489284641385d8dcfb3ecd8", "tree": "57f0c57f6ccd58f4f97c3f871ab23d40a44dd9a2", "parents": [ "a4a5d4ee061240a1d39053db0a87f841d43277c0" ], "author": { "name": "Ihor Solodrai", "email": "ihor.solodrai@linux.dev", "time": "Mon May 25 15:39:46 2026 -0700" }, "committer": { "name": "Andrii Nakryiko", "email": "andrii@kernel.org", "time": "Thu May 28 14:58:13 2026 -0700" }, "message": "bpf: Factor out stack_map build ID helpers\n\nFactor out helpers from stack_map_get_build_id_offset() in\npreparation for adding a sleepable build ID resolution path:\nstack_map_build_id_set_ip(), stack_map_build_id_offset(), and\nstack_map_build_id_set_valid().\n\nWhile here, refactor stack_map_get_build_id_offset():\n * use continue-driven control flow in the main loop and remove\n build_id_valid label\n * update prev_vma and prev_build_id on the fall-back-to-IP branch so\n the cache reflects the actual VMA seen on the previous IP [1]\n * guard fetch_build_id() with vma_is_anonymous() [2] to skip parse\n attempts that would otherwise fail the ELF magic check\n\n[1] https://lore.kernel.org/bpf/CAEf4Bzac9uWWqBvzH0iFzKvJcq3vxscZ3pKm0sUHmN-F-z9wVQ@mail.gmail.com/\n[2] https://lore.kernel.org/bpf/226398c1ff3f2b686c0aeb010408d85fb15df13f9ff60a045bee31e79b9e41e9@mail.kernel.org/\n\nSigned-off-by: Ihor Solodrai \u003cihor.solodrai@linux.dev\u003e\nSigned-off-by: Andrii Nakryiko \u003candrii@kernel.org\u003e\nAcked-by: Mykyta Yatsenko \u003cyatsenko@meta.com\u003e\nLink: https://lore.kernel.org/bpf/20260525223948.1920986-2-ihor.solodrai@linux.dev\n" }, { "commit": "a4a5d4ee061240a1d39053db0a87f841d43277c0", "tree": "d5b3ff814655aa1c896c9905d518f0290a81e257", "parents": [ "b23705e6afb6ac4ae6d220dcb35975698667dd76" ], "author": { "name": "Tiezhu Yang", "email": "yangtiezhu@loongson.cn", "time": "Tue May 26 14:39:36 2026 +0800" }, "committer": { "name": "Andrii Nakryiko", "email": "andrii@kernel.org", "time": "Thu May 28 14:38:15 2026 -0700" }, "message": "libbpf: Add __NR_bpf definition for LoongArch\n\nLoongArch uses the generic syscall table, where __NR_bpf is defined\nas 280 in include/uapi/asm-generic/unistd.h.\n\nTo align with other architectures, add the __NR_bpf definition for\nLoongArch to avoid a potential compilation failure: \"error __NR_bpf\nnot defined. libbpf does not support your arch.\"\n\nThis is a follow up patch of:\n\n commit b0c47807d31d (\"bpf: Add sparc support to tools and samples.\")\n commit bad1926dd2f6 (\"bpf, s390: fix build for libbpf and selftest suite\")\n commit ca31ca8247e2 (\"tools/bpf: fix perf build error with uClibc (seen on ARC)\")\n commit e32cb12ff52a (\"bpf, mips: Fix build errors about __NR_bpf undeclared\")\n\nSigned-off-by: Tiezhu Yang \u003cyangtiezhu@loongson.cn\u003e\nSigned-off-by: Andrii Nakryiko \u003candrii@kernel.org\u003e\nLink: https://lore.kernel.org/bpf/20260526063936.16769-1-yangtiezhu@loongson.cn\n" }, { "commit": "b23705e6afb6ac4ae6d220dcb35975698667dd76", "tree": "2a1b40cdf4cb9dba06a5eeb7c1267fa899a8d335", "parents": [ "be4c6c7bc42952b71188894933946b410deadcfe" ], "author": { "name": "Carlos Llamas", "email": "cmllamas@google.com", "time": "Sat May 23 16:27:21 2026 +0000" }, "committer": { "name": "Andrii Nakryiko", "email": "andrii@kernel.org", "time": "Thu May 28 14:25:55 2026 -0700" }, "message": "libbpf: Fix UAF in strset__add_str()\n\nstrset_add_str_mem() might reallocate the strset data buffer in order to\naccommodate the provided string \u0027s\u0027. However, if \u0027s\u0027 points to a string\nalready present in the buffer, it becomes dangling after the realloc.\nThis leads to a use-after-free when attempting to memcpy() the string\ninto the new buffer.\n\nOne scenario that triggers this problematic path is when resolve_btfids\nattempts to patch kfunc prototypes using existing BTF parameter names:\n\n | resolve_btfids: function bpf_list_push_back_impl already exists in BTF\n | Segmentation fault (core dumped)\n\nCompiling resolve_btfids with fsanitize\u003daddress generates a detailed\nreport of the UAF:\n\n | \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n | ERROR: AddressSanitizer: heap-use-after-free on address 0x7f4c4a500bd4\n | \u003d\u003d1507892\u003d\u003dERROR: AddressSanitizer: heap-use-after-free on address 0x7f4c4a500bd4 at pc 0x55d25155a2a8 bp 0x7ffcef879060 sp 0x7ffcef878818\n | READ of size 5 at 0x7f4c4a500bd4 thread T0\n | #0 0x55d25155a2a7 in memcpy (tools/bpf/resolve_btfids/resolve_btfids+0xcf2a7)\n | #1 0x55d2515d708e in strset__add_str tools/lib/bpf/strset.c:162:2\n | #2 0x55d2515c730b in btf__add_str tools/lib/bpf/btf.c:2109:8\n | #3 0x55d2515c9020 in btf__add_func_param tools/lib/bpf/btf.c:3108:14\n | #4 0x55d25159f0b5 in process_kfunc_with_implicit_args tools/bpf/resolve_btfids/main.c:1196:9\n | #5 0x55d25159e004 in btf2btf tools/bpf/resolve_btfids/main.c:1229:9\n | #6 0x55d25159cee7 in main tools/bpf/resolve_btfids/main.c:1535:6\n | #7 0x7f4c78e29f76 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16\n | #8 0x7f4c78e2a026 in __libc_start_main csu/../csu/libc-start.c:360:3\n | #9 0x55d2514bb860 in _start (tools/bpf/resolve_btfids/resolve_btfids+0x30860)\n |\n | 0x7f4c4a500bd4 is located 13268 bytes inside of 2829000-byte region [0x7f4c4a4fd800,0x7f4c4a7b02c8)\n | freed by thread T0 here:\n | #0 0x55d25155b700 in realloc (tools/bpf/resolve_btfids/resolve_btfids+0xd0700)\n | #1 0x55d2515c426c in libbpf_reallocarray tools/lib/bpf/./libbpf_internal.h:220:9\n | #2 0x55d2515c426c in libbpf_add_mem tools/lib/bpf/btf.c:224:13\n |\n | previously allocated by thread T0 here:\n | #0 0x55d25155b2e3 in malloc (tools/bpf/resolve_btfids/resolve_btfids+0xd02e3)\n | #1 0x55d2515d6e7d in strset__new tools/lib/bpf/strset.c:58:20\n\nWhile resolve_btfids could be refactored to avoid this call path, let\u0027s\ninstead fix this issue at the source in strset__add_str() and avoid\nsimilar scenarios.\n\nLet\u0027s check if set-\u003estrs_data was reallocated and whether \u0027s\u0027 points to\nan internal string within the old strset buffer. In such case, \u0027s\u0027 is\nreconstructed to point to the new buffer.\n\nWhile already here, also fix strset__find_str() which suffers from the\nsame problem by factoring out the common operations into a new helper\nfunction strset_str_append().\n\nFixes: 90d76d3ececc (\"libbpf: Extract internal set-of-strings datastructure APIs\")\nSuggested-by: Andrii Nakryiko \u003candrii@kernel.org\u003e\nSuggested-by: Mykyta Yatsenko \u003cyatsenko@meta.com\u003e\nSigned-off-by: Carlos Llamas \u003ccmllamas@google.com\u003e\nSigned-off-by: Andrii Nakryiko \u003candrii@kernel.org\u003e\nLink: https://lore.kernel.org/bpf/20260523162722.2718940-1-cmllamas@google.com\n" }, { "commit": "be4c6c7bc42952b71188894933946b410deadcfe", "tree": "d55e5c63a365f09946692f1e587c96e40af95d87", "parents": [ "fee9a38174f4c6454fb1fbaf2b9b5a1cca9070d0" ], "author": { "name": "Siddharth Nayyar", "email": "sidnayyar@google.com", "time": "Wed May 20 09:40:44 2026 +0000" }, "committer": { "name": "Andrii Nakryiko", "email": "andrii@kernel.org", "time": "Thu May 28 14:19:15 2026 -0700" }, "message": "bpftool: Fix typo in struct_ops map FD generation for light skeleton\n\nWhen generating light skeletons for BPF programs containing struct_ops\nmaps, bpftool incorrectly outputs a stray literal \u0027t\u0027 instead of a tab\ncharacter for the map file descriptor member in the links structure.\nThis causes a compilation error when the generated light skeleton is\nused.\n\nCorrect the format string by replacing \u0027t\u0027 with \u0027\\t\u0027.\n\nFixes: 08ac454e258e (\"libbpf: Auto-attach struct_ops BPF maps in BPF skeleton\")\nSigned-off-by: Siddharth Nayyar \u003csidnayyar@google.com\u003e\nSigned-off-by: Andrii Nakryiko \u003candrii@kernel.org\u003e\nAcked-by: Quentin Monnet \u003cqmo@kernel.org\u003e\nLink: https://lore.kernel.org/bpf/20260520-struct_ops_gen_typo_fix-v1-1-4dee3771da46@google.com\n" }, { "commit": "fee9a38174f4c6454fb1fbaf2b9b5a1cca9070d0", "tree": "b3851be1e2f108f4e1c43288dbd3c872f8faf4de", "parents": [ "e42e53ae23b7d41df22ccd7788192bf578f24da2" ], "author": { "name": "Michael Bommarito", "email": "michael.bommarito@gmail.com", "time": "Fri May 22 16:13:53 2026 -0400" }, "committer": { "name": "Andrii Nakryiko", "email": "andrii@kernel.org", "time": "Thu May 28 14:15:48 2026 -0700" }, "message": "libbpf: Harden parse_vma_segs() path parsing\n\nparse_vma_segs() in tools/lib/bpf/usdt.c parses /proc/\u003cpid\u003e/maps\nwith two widthless scansets, \"%s\" into mode[16] and \"%[^\\n]\"\ninto line[4096]. A VMA name in maps is not limited to that local\nbuffer; a deeply nested backing path can produce a maps record long\nenough to overflow the stack buffer.\n\nBound both scansets to the declared buffer sizes (\"%15s\" for mode[16]\nand \"%4095[^\\n]\" for line[4096]) and drain any residue past line[4094]\nwith \"%*[^\\n]\" before the trailing \"\\n\". Without the drain, the residue\nof an over-long record would stay in the stream and break the next\n\"%zx-%zx\" parse, so the loop would exit early and silently skip later\nmaps records.\n\nAlso stop using sscanf(..., \"%s\") to peel the /proc/\u003cpid\u003e/root prefix\nfrom lib_path. Parse the pid and prefix length with \"%n\", check for the\nfollowing slash, and copy the remainder with libbpf_strlcpy(). That\nremoves a second unbounded stack write and preserves paths containing\nspaces.\n\nFixes: 74cc6311cec9 (\"libbpf: Add USDT notes parsing and resolution logic\")\nSigned-off-by: Michael Bommarito \u003cmichael.bommarito@gmail.com\u003e\nSigned-off-by: Andrii Nakryiko \u003candrii@kernel.org\u003e\nReviewed-by: Emil Tsalapatis \u003cemil@etsalapatis.com\u003e\nLink: https://lore.kernel.org/bpf/20260522201353.1454653-1-michael.bommarito@gmail.com\n" }, { "commit": "e42e53ae23b7d41df22ccd7788192bf578f24da2", "tree": "09bf2cec8552c6a1d26623c059f259244c987700", "parents": [ "8496d9020ff37a33c2a7b2fc84350fd03ffbde78" ], "author": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Wed May 27 09:26:32 2026 -1000" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Wed May 27 13:50:35 2026 -0700" }, "message": "bpf: Fix bpf_arena_handle_page_fault() redefinition without CONFIG_BPF_SYSCALL\n\nOn configs with CONFIG_BPF\u003dy but CONFIG_BPF_SYSCALL\u003dn (e.g. arm\nmulti_v7_defconfig), kernel/bpf/core.c defines a __weak\nbpf_arena_handle_page_fault() while bpf_defs.h already supplies a static\ninline stub for it, causing a redefinition error. Build the __weak\ndefinition only under CONFIG_BPF_SYSCALL, matching the bpf_defs.h\ndeclaration and the CONFIG_BPF_SYSCALL-gated strong definition in arena.c.\n\nFixes: dc11a4dba246 (\"bpf: Recover arena kernel faults with scratch page\")\nReported-by: Mark Brown \u003cbroonie@kernel.org\u003e\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nAcked-by: Song Liu \u003csong@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260527192632.2109419-1-tj@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "8496d9020ff37a33c2a7b2fc84350fd03ffbde78", "tree": "ba0c676e678f26cff0b1c497423d933925ae2b76", "parents": [ "eb19eead368bb0f0ef06a4125d03ed661cd23d36", "53cc12a2dc88c2c6f62f507548640885a70a56a8" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon May 25 08:35:07 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon May 25 08:35:48 2026 -0700" }, "message": "Merge branch \u0027arena_direct_access\u0027\n\nTejun Heo says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nThis makes BPF arena memory directly dereferenceable from kernel code\n(struct_ops callbacks, kfuncs). Each arena gets a per-arena scratch page\nthat an arch fault hook installs into empty PTEs on kernel-side faults,\nafter KFENCE. The faulting instruction retries and the violation is reported\nthrough the program\u0027s BPF stream.\n\nv4:\n- Patch 1: note that the strict-zero cmpxchg is narrower than pte_none() in\n inline comments on both x86 and arm64. (Andrea)\n- Patch 2: stub bpf_arena_handle_page_fault() for !CONFIG_BPF_SYSCALL via a\n new include/linux/bpf_defs.h. (lkp)\n- Patch 7: scx_arena_alloc() retries via a loop instead of a single retry on\n pool growth. (Andrea)\n- Picked up Reviewed-by tags from Emil and Andrea.\n\nv3: https://lore.kernel.org/r/20260520235052.4180316-1-tj@kernel.org\nv2: https://lore.kernel.org/r/20260517211232.1670594-1-tj@kernel.org\nv1 (RFC): https://lore.kernel.org/r/20260427105109.2554518-1-tj@kernel.org\n\nMotivation\n----------\n\nsched_ext\u0027s ops_cid.set_cmask() hands the BPF scheduler a struct scx_cmask\n*. The kernel translates a kernel cpumask to a cmask, but it had no way to\nwrite into the arena, so the cmask lived in kernel memory and was passed as\na trusted pointer. BPF cmask helpers all operate on arena cmasks though, so\nthe BPF side had to word-by-word probe-read the kernel cmask into an arena\ncmask via cmask_copy_from_kernel() before any helper could touch it. It\nworks, but is clumsy.\n\nThe shape isn\u0027t unique to set_cmask. Sub-scheduler support is on the way and\nmore sched_ext callbacks will want to pass structured data to BPF. Anywhere\na kfunc or struct_ops callback wants to hand a struct to a BPF program,\narena residence is the natural answer.\n\nApproach\n--------\n\nEach arena gets a per-arena scratch page. Arenas stay sparsely mapped as\ntoday - PTEs are populated only for allocated pages. A new arch fault hook\n(bpf_arena_handle_page_fault) is wired into x86 page_fault_oops() and arm64\n__do_kernel_fault(), after KFENCE. When a kernel-side access faults inside\nan arena\u0027s kern_vm range, the helper walks the stack to find the BPF program\nresponsible, range-checks the fault address against prog-\u003eaux-\u003earena, and\natomically installs the scratch page into the empty PTE via the new\nptep_try_set() wrapper. The kernel instruction retries and reads/writes the\nscratch page. Free paths and map destruction treat scratch as non-owned.\nReal allocation refuses to overwrite scratch (apply_range_set_cb returns\n-EBUSY). A scratched address stays dead until map destroy, since its\npresence means the BPF program has already malfunctioned.\n\nThe mechanism is default behavior - no UAPI flag.\n\nWhat this preserves\n-------------------\n\nAll the debugging properties of today\u0027s sparse-PTE design are preserved:\n\n* BPF programs still fault on unmapped arena accesses. The fault semantics\n (instruction retry with rdst \u003d 0) and the violation report through\n bpf_streams are unchanged for prog-side accesses.\n\n* The first kernel-side touch of an unmapped address is reported via\n bpf_streams the same way as a prog-side fault, with the stack walk\n attributing it to the originating prog.\n\n* User-side fault on a never-scratched address still lazy-allocates a real\n page (or returns SIGSEGV under BPF_F_SEGV_ON_FAULT). User-side fault on a\n scratched address SIGSEGVs.\n\nWhat changes for the kernel-side caller is just that an unmapped deref no\nlonger oopses - it retries through the scratch page and emits a violation\nreport. The same shape today\u0027s BPF instruction faults have.\n\nPatches 1-2 (atomic PTE install + arena scratch-page recovery)\n--------------------------------------------------------------\n\n mm: Add ptep_try_set() for lockless empty-slot installs\n bpf: Recover arena kernel faults with scratch page\n\nPatches 3-5 (helpers used by struct_ops registration)\n-----------------------------------------------------\n\n bpf: Add sleepable variant of bpf_arena_alloc_pages for kernel callers\n bpf: Add bpf_struct_ops_for_each_prog()\n bpf/arena: Add bpf_arena_map_kern_vm_start() and bpf_prog_arena()\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://lore.kernel.org/bpf/20260522172219.1423324-1-tj@kernel.org/\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "eb19eead368bb0f0ef06a4125d03ed661cd23d36", "tree": "c831fe5940f705d97ee4ff8a33b14fe8ef013f31", "parents": [ "b1fcdf9aa9f562d0768f59ae178ed4e67fd7f370", "e7ae89a0c97ce2b68b0983cd01eda67cf373517d" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon May 25 06:33:15 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon May 25 06:33:30 2026 -0700" }, "message": "Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf 7.1-rc5\n\nCross-merge BPF and other fixes after downstream PR.\n\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "e7ae89a0c97ce2b68b0983cd01eda67cf373517d", "tree": "2d7df7d7acab76095da5d5f02fa43bce11231a30", "parents": [ "6a97c4d5262d02f04d1f41113b0d090ea51f08dd" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun May 24 13:48:06 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun May 24 13:48:06 2026 -0700" }, "message": "Linux 7.1-rc5\n" }, { "commit": "6a97c4d5262d02f04d1f41113b0d090ea51f08dd", "tree": "d8fc003a82eedbba37b878c6eacbe17e12e53c8c", "parents": [ "3526d7462355c4df269d4a87eed53dbd48a1df02", "9a12fa5213cfc391e0eed63902d3be98f0913765" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun May 24 12:50:36 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun May 24 12:50:36 2026 -0700" }, "message": "Merge tag \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/virt/kvm/kvm\n\nPull kvm fixes from Paolo Bonzini:\n \"arm64:\n\n - Fix ITS EventID sanitisation when restoring an interrupt\n translation table.\n\n - Fix PPI memory leak when failing to initialise a vcpu.\n\n - Correctly return an error when the validation of a hypervisor trace\n descriptor fails, and limit this validation to protected mode only.\n\n RISC-V:\n\n - Fix invalid HVA warning in steal-time recording\n\n - Return SBI_ERR_FAILURE to guest upon OOM in pmu_event_info() and\n pmu_snapshot_set_shmem()\n\n - Fix NULL pointer dereference in SBI v0.1 SEND_IPI handler\n\n - Fix sign extension of value for MMIO loads\n\n s390:\n\n - Fix bugs in vSIE (nested virtualization) and UCONTROL, caused by\n the page table rewrite.\n\n x86:\n\n - Apply erratum #1235 workaround (disable AVIC IPI virtualization) on\n Hygon Family 18h, just like on AMD Family 17h.\n\n - When KVM_CAP_X86_APIC_BUS_CYCLES_NS is queried on a specific VM,\n return the VM\u0027s configured APIC bus frequency instead of the\n default. This is less confusing (read: not wrong) and makes it\n easier to fill in CPUID information that communicates the APIC bus\n frequency to the guest.\n\n Selftests:\n\n - Do not include glibc-internal \u003cbits/endian.h\u003e; it worked by chance\n and broke building KVM selftests with musl\"\n\n* tag \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/virt/kvm/kvm:\n KVM: SVM: Disable AVIC IPI virtualization on Hygon Family 18h (erratum #1235)\n KVM: selftests: Verify that KVM returns the configured APIC cycle length\n KVM: x86: Return the VM\u0027s configured APIC bus frequency when queried\n KVM: selftests: elf: Include \u003cendian.h\u003e instead of \u003cbits/endian.h\u003e\n KVM: s390: Properly reset zero bit in PGSTE\n KVM: s390: vsie: Fix redundant rmap entries\n KVM: s390: vsie: Fix unshadowing logic\n KVM: s390: Fix leaking kvm_s390_mmu_cache in case of errors\n KVM: s390: vsie: Fix memory leak when unshadowing\n KVM: arm64: Fix nVHE/pKVM hyp tracing error on invalid desc\n KVM: arm64: vgic: Free private_irqs when init fails after allocation\n KVM: arm64: vgic-its: Reject restored DTE with out-of-range num_eventid_bits\n RISC-V: KVM: Fix sign extension for MMIO loads\n RISC-V: KVM: Fix NULL pointer dereference in SBI v0.1 SEND_IPI handler\n riscv: kvm: return SBI_ERR_FAILURE for pmu_event_info() when OOM\n riscv: kvm: return SBI_ERR_FAILURE for pmu_snapshot_set_shmem() when OOM\n RISC-V: KVM: Fix invalid HVA warning in steal-time recording\n" }, { "commit": "3526d7462355c4df269d4a87eed53dbd48a1df02", "tree": "9eee3b40fda02b288aa3cbcb27bab3fe5e2523a7", "parents": [ "a674bf74b31079782d7d8f333c8d832374f0b65c", "fd948c3f96b18ff9ba7d3e8eae13d196593e1aaf" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun May 24 11:00:45 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun May 24 11:00:45 2026 -0700" }, "message": "Merge tag \u0027x86-urgent-2026-05-24\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip\n\nPull x86 fixes from Ingo Molnar:\n\n - On SEV guests, handle set_memory_{encrypted,decrypted}() failures\n more conservatively by assuming that all affected pages are\n unencrypted (Carlos López)\n\n - Disable broadcast TLB flush when PCID is disabled (Tom Lendacky)\n\n - Fix VMX vs. hrtimer_rearm_deferred() regression (Peter Zijlstra)\n\n - Move IRQ/NMI dispatch code from KVM into x86 core, to prepare for a\n KVM x2apic fix (Peter Zijlstra)\n\n - Fix incorrect munmap() size on map_vdso() failure (Guilherme Giacomo\n Simoes)\n\n* tag \u0027x86-urgent-2026-05-24\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:\n virt: sev-guest: Explicitly leak pages in unknown state\n x86/mm: Disable broadcast TLB flush when PCID is disabled\n x86/kvm/vmx: Fix VMX vs hrtimer_rearm_deferred()\n x86/kvm/vmx: Move IRQ/NMI dispatch from KVM into x86 core\n x86/vdso: Fix incorrect size in munmap() on map_vdso() failure\n" }, { "commit": "a674bf74b31079782d7d8f333c8d832374f0b65c", "tree": "af47de05fff297bc7e6e58472a2987677c500e8d", "parents": [ "ee651da6d3e1e3c57d22dd6f03850af980b7cd10", "c9b7598eb013c6dbf2526dc050364bd8dc24f0d3" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun May 24 10:55:21 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun May 24 10:55:21 2026 -0700" }, "message": "Merge tag \u0027irq-urgent-2026-05-24\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip\n\nPull irqchip driver fixes from Ingo Molnar:\n\n - Fix the hardware probing error path of the renesas-rzt2h\n irqchip driver\n\n - Fix the exynos-combiner irqchip driver on -rt kernels\n by turning the IRQ controller spinlock into a raw spinlock\n\n* tag \u0027irq-urgent-2026-05-24\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:\n irqchip/renesas-rzt2h: Use pm_runtime_put_sync() in probe error path\n irqchip/exynos-combiner: Switch to raw_spinlock\n" }, { "commit": "ee651da6d3e1e3c57d22dd6f03850af980b7cd10", "tree": "8c2bcd61a715f17f3c68b857440119c6e4603de2", "parents": [ "2be86a8c57773bce1b5c845c49e0bfa3caac838c", "5f41161059fd0f1bbf18c90f3180e38cc45a14eb" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun May 24 10:48:55 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun May 24 10:48:55 2026 -0700" }, "message": "Merge tag \u0027core-urgent-2026-05-24\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip\n\nPull debugobjects fix from Ingo Molnar::\n\n - Fix debugobjects regression on -rt kernels: don\u0027t fill the pool\n (which uses a coarse lock) if -\u003epi_blocked_on, because that messes up\n the priority inheritance of callers\n\n* tag \u0027core-urgent-2026-05-24\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:\n debugobjects: Do not fill_pool() if pi_blocked_on\n" }, { "commit": "2be86a8c57773bce1b5c845c49e0bfa3caac838c", "tree": "c66c8e3bb96422cd855d06a22e98dfb72eb08311", "parents": [ "53676e4d44d6b38c8a0d9bff331f170ae2e41bbe", "4e4af55aaca7f6d7673d5f9889ad0529db86a048" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun May 24 10:37:55 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun May 24 10:37:55 2026 -0700" }, "message": "Merge tag \u0027hwmon-for-v7.1-rc5\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging\n\nPull hwmon fixes from Guenter Roeck:\n\n - adm1266: Various fixes from Abdurrahman Hussain\n\n The fixed issues were reported by Sashiko as part of a code review of\n a functional change in the driver.\n\n - lenovo-ec-sensors: Convert to devm_request_region() to fix\n release_region cleanup, and fix EC \"MCHP\" signature validation logic,\n from Kean Ren\n\n* tag \u0027hwmon-for-v7.1-rc5\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:\n hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with pmbus_lock\n hwmon: (pmbus/adm1266) serialize NVMEM blackbox read with pmbus_lock\n hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock\n hwmon: (pmbus/adm1266) register the nvmem device after pmbus_do_probe()\n hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe()\n hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO accessors\n hwmon: (pmbus/adm1266) don\u0027t clobber GPIO bits before PDIO read in get_multiple\n hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR\n hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized buffer\n hwmon: (pmbus/adm1266) include adapter number in GPIO line label\n hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer\n hwmon: (pmbus/adm1266) reject implausible blackbox record_count\n hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX\n hwmon: (pmbus/adm1266) seed timestamp from the real-time clock\n hwmon: (lenovo-ec-sensors): Fix EC \"MCHP\" signature validation logic\n hwmon: (lenovo-ec-sensors): Convert to devm_request_region()\n" }, { "commit": "53676e4d44d6b38c8a0d9bff331f170ae2e41bbe", "tree": "47b6871f3557fa8dfe2c0d508f07fe64078aa004", "parents": [ "f0e77c598ebbb1ae055b156aaa33b7433ae45e51" ], "author": { "name": "Nathan Chancellor", "email": "nathan@kernel.org", "time": "Mon May 18 15:17:14 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun May 24 10:31:24 2026 -0700" }, "message": "drm/msm: Restore second parameter name in purge() and evict()\n\nAfter commit 3392291fc509 (\"drm/msm: Fix shrinker deadlock\"), all\nsupported versions of clang warn (or error with CONFIG_WERROR\u003dy):\n\n drivers/gpu/drm/msm/msm_gem_shrinker.c:105:58: error: omitting the parameter name in a function definition is a C23 extension [-Werror,-Wc23-extensions]\n 105 | purge(struct drm_gem_object *obj, struct ww_acquire_ctx *)\n | ^\n drivers/gpu/drm/msm/msm_gem_shrinker.c:117:58: error: omitting the parameter name in a function definition is a C23 extension [-Werror,-Wc23-extensions]\n 117 | evict(struct drm_gem_object *obj, struct ww_acquire_ctx *)\n | ^\n 2 errors generated.\n\nWith older but supported versions of GCC, this is an unconditional hard error:\n\n drivers/gpu/drm/msm/msm_gem_shrinker.c: In function \u0027purge\u0027:\n drivers/gpu/drm/msm/msm_gem_shrinker.c:105:35: error: parameter name omitted\n purge(struct drm_gem_object *obj, struct ww_acquire_ctx *)\n ^~~~~~~~~~~~~~~~~~~~~~~\n drivers/gpu/drm/msm/msm_gem_shrinker.c: In function \u0027evict\u0027:\n drivers/gpu/drm/msm/msm_gem_shrinker.c:117:35: error: parameter name omitted\n evict(struct drm_gem_object *obj, struct ww_acquire_ctx *)\n ^~~~~~~~~~~~~~~~~~~~~~~\n\nRestore the parameter name to clear up the warnings, renaming it\n\"unused\" to make it clear it is only needed to satisfy the prototype of\ndrm_gem_lru_scan().\n\nCc: stable@vger.kernel.org\nFixes: 3392291fc509 (\"drm/msm: Fix shrinker deadlock\")\nSigned-off-by: Nathan Chancellor \u003cnathan@kernel.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "f0e77c598ebbb1ae055b156aaa33b7433ae45e51", "tree": "101355b4a44c992e2d7d2b7938b0517428a259a4", "parents": [ "4cbfe4502e3d4bda48eb4b83dfad8d7da3b22e90", "7dd62566e0d108d29034bcff8503b827f8763320" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun May 24 09:53:17 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun May 24 09:53:17 2026 -0700" }, "message": "Merge tag \u0027bpf-fixes\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf\n\nPull bpf fixes from Alexei Starovoitov:\n\n - Fix bpf_throw() and global subprog combination (Kumar Kartikeya\n Dwivedi)\n\n - Fix out of bounds access in BPF interpreter (Yazhou Tang)\n\n - Fix potential out of bounds access in inner per-cpu array map\n (Guannan Wang)\n\n - Reject NULL data/sig in bpf_verify_pkcs7_signature (KP Singh)\n\n* tag \u0027bpf-fixes\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:\n libbpf: fix off-by-one in emit_signature_match jump offset\n bpf: Reject NULL data/sig in bpf_verify_pkcs7_signature\n selftests/bpf: Cover global subprog exception leaks\n bpf: Check global subprog exception paths\n bpf: make bpf_session_is_return() reference optional\n bpf: Use array_map_meta_equal for percpu array inner map replacement\n selftests/bpf: Add test for large offset bpf-to-bpf call\n bpf: Fix s16 truncation for large bpf-to-bpf call offsets\n bpf: Fix out-of-bounds read in bpf_patch_call_args()\n" }, { "commit": "4cbfe4502e3d4bda48eb4b83dfad8d7da3b22e90", "tree": "f1d70b1952fe86d8b72a765506b7a5663919bf04", "parents": [ "400544639d2a11a9c1e276a912a9dff8fe4107dc", "4ec9c8e023c79f613fe4d5ad8cc737112efb2e44" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat May 23 16:59:02 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat May 23 16:59:02 2026 -0700" }, "message": "Merge tag \u0027v7.1-rc5-ksmbd-server-fixes\u0027 of git://git.samba.org/ksmbd\n\nPull smb server fixes from Steve French:\n\n - fix for creating tmpfiles\n\n - fix durable reconnect error path\n\n - validate SID in security descriptor when inheriting DACL\n\n* tag \u0027v7.1-rc5-ksmbd-server-fixes\u0027 of git://git.samba.org/ksmbd:\n smb/server: promote S_DEL_ON_CLS to S_DEL_PENDING when close\n ksmbd: validate SID in parent security descriptor during ACL inheritance\n ksmbd: fix durable reconnect error path file lifetime\n" }, { "commit": "400544639d2a11a9c1e276a912a9dff8fe4107dc", "tree": "587237ffcddde9bdde29ec58d8e182d12046fb7e", "parents": [ "f83ef5bca211a1bdc1ea661c11543712f96a6cea", "f13342e15deafb7538a7a8577ed5f4c33c56f64e" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat May 23 16:54:48 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat May 23 16:54:48 2026 -0700" }, "message": "Merge tag \u0027for-7.1-rc4-tag\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux\n\nPull btrfs fixes from David Sterba:\n \"A batch of fixes to simple quotas:\n\n - add conditional rescheduling point not dependent on the lock during\n inode iterations to avoid delays with PREEMPT_NONE enabled\n\n - fix subvolume deletion so it does not break the squota invariants\n\n - properly handle enabling squota, tracking extents in the initial\n transaction\n\n - catch and warn about underflows, clamp to zero to avoid further\n problems\n\n And one fix to inode size handling:\n\n - fix handling of preallocated extents beyond i_size when not using\n the no-holes feature\"\n\n* tag \u0027for-7.1-rc4-tag\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:\n btrfs: swallow btrfs_record_squota_delta() ENOENT\n btrfs: clamp to avoid squota underflow\n btrfs: fix squota accounting during enable generation\n btrfs: check for subvolume before deleting squota qgroup\n btrfs: always drop root-\u003einodes lock before cond_resched()\n btrfs: mark file extent range dirty after converting prealloc extents\n" }, { "commit": "f83ef5bca211a1bdc1ea661c11543712f96a6cea", "tree": "fa9f7b0ff70d88e7ccbed16200f44e8dd5a62e26", "parents": [ "eed108edc1170404bbef9e7d0189d18a3cc354f5", "8339dd0e5090f092c525c5e04b2a75ec5e5305a6" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat May 23 16:51:22 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat May 23 16:51:22 2026 -0700" }, "message": "Merge tag \u0027xfs-fixes-7.1-rc5\u0027 of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux\n\nPull xfs fix from Carlos Maiolino:\n \"A single fix for a race in xfs buffer cache which may lead to\n filesystem shutdown due to inconsistent metadata if the buffer\n lookup happens to find an old dead buffer still in the cache\"\n\n* tag \u0027xfs-fixes-7.1-rc5\u0027 of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:\n xfs: fix a buffer lookup against removal race\n" }, { "commit": "eed108edc1170404bbef9e7d0189d18a3cc354f5", "tree": "b719bfa55f4f4394d3e017c5b9dc99f074a64311", "parents": [ "95e6d3ba0571330df866911da9dedd83e05417ca", "e90ef85ada857819313000cc50c6edfcddec6850" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat May 23 09:21:08 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat May 23 09:21:08 2026 -0700" }, "message": "Merge tag \u0027nios2_updates_for_v7.2\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/dinguyen/linux\n\nPull nios2 fixes from Dinh Nguyen:\n\n - Implement _THIS_IP_ for inline asm\n\n - Add Simon Schuster as a maintainer and mark the NIOS2 as Supported\n\n* tag \u0027nios2_updates_for_v7.2\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/dinguyen/linux:\n nios2: Implement _THIS_IP_ using inline asm\n MAINTAINERS: arch/nios2: Add Simon Schuster as co-maintainer\n" }, { "commit": "95e6d3ba0571330df866911da9dedd83e05417ca", "tree": "10f93942d6fb2daa7fc91edc87a41376f06aa822", "parents": [ "c8561c73b4a8669bb13c57a5853318cd02655f9b", "4a09f4a23a3003d31f8545dd0770f2b3b0f54d8b" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat May 23 09:13:00 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat May 23 09:13:00 2026 -0700" }, "message": "Merge tag \u0027loongarch-fixes-7.1-2\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson\n\nPull LoongArch fixes from Huacai Chen:\n \"Rework KASLR to avoid initrd overlap, remove some unused code to avoid\n a build warning, fix some bugs in kprobes and KVM\"\n\n* tag \u0027loongarch-fixes-7.1-2\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson:\n LoongArch: KVM: Move some variable declarations to paravirt.h\n LoongArch: kprobes: Fix handling of fatal unrecoverable recursions\n LoongArch: kprobes: Use larch_insn_text_copy() to patch instructions\n LoongArch: Remove unused code to avoid build warning\n LoongArch: Avoid initrd overlap during kernel relocation\n LoongArch: Skip relocation-time KASLR if already applied\n efi/loongarch: Randomize kernel preferred address for KASLR\n" }, { "commit": "7dd62566e0d108d29034bcff8503b827f8763320", "tree": "38c0df3e5d603d41840f6c66b46e15625c111d7a", "parents": [ "49b18315be4eecfc36b75f4aecb4d40a87d68a20" ], "author": { "name": "KP Singh", "email": "kpsingh@kernel.org", "time": "Fri May 22 23:53:36 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sat May 23 07:49:22 2026 -0700" }, "message": "libbpf: fix off-by-one in emit_signature_match jump offset\n\nThe offset for the cleanup-label jump is computed before the MOV R7\ninstruction is emitted, but the JMP lands after it. Account for the\nextra insn in the offset calculation (-2 instead of -1). Drop the\nredundant self-loop in the else branch; gen-\u003eerror \u003d -ERANGE already\nmarks the generation as failed.\n\nFixes: fb2b0e290147 (\"libbpf: Update light skeleton for signing\")\nSigned-off-by: KP Singh \u003ckpsingh@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260522215337.662271-2-kpsingh@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n\n" }, { "commit": "c8561c73b4a8669bb13c57a5853318cd02655f9b", "tree": "a9ac004283e3930c47a717576756b8d4a44857dd", "parents": [ "3f264650ca7d2a2d6de86234d919f305211632cd", "215c90ee656114f5e8c32408228d97082f8e0eef" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat May 23 07:49:05 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat May 23 07:49:05 2026 -0700" }, "message": "Merge tag \u0027driver-core-7.1-rc5\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/driver-core/driver-core\n\nPull driver core fixes from Danilo Krummrich:\n\n - Remove the software node on platform device release(); without this,\n the software node remains registered after the device is gone and a\n subsequent platform_device_register_full() reusing the same node\n fails with -EBUSY\n\n - In sysfs_update_group(), do not remove a pre-existing directory when\n create_files() fails; the previous code would silently destroy a\n sysfs group that the caller did not create\n\n - Set fwnode-\u003esecondary to NULL in fwnode_init() to avoid dereferencing\n uninitialized memory (e.g. in dev_to_swnode()) when the firmware node\n is allocated on the stack or via a non-zeroing allocator\n\n* tag \u0027driver-core-7.1-rc5\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/driver-core/driver-core:\n device property: set fwnode-\u003esecondary to NULL in fwnode_init()\n sysfs: don\u0027t remove existing directory on update failure\n driver core: platform: remove software node on release()\n" }, { "commit": "3f264650ca7d2a2d6de86234d919f305211632cd", "tree": "b440c7d62949730c6772d1698dafbba3152da9fe", "parents": [ "ab868c10971c5d2cd27b3709d11225941eabe78e", "023453cb7eb0f53c5dc36babed8e706c1b0b0187" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat May 23 07:32:39 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat May 23 07:32:39 2026 -0700" }, "message": "Merge tag \u0027i2c-for-7.1-rc5\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux\n\nPull i2c fixes from Wolfram Sang:\n \"Core:\n - smbus: fix a potential uninitialization bug\n\n Tegra:\n - drop runtime PM reference when exiting on mutex_lock failure\n - preserve transfer errors when releasing the mutex\"\n\n* tag \u0027i2c-for-7.1-rc5\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:\n i2c: smbus: fix a potential uninitialization bug\n i2c: tegra: make tegra_i2c_mutex_unlock() return void\n i2c: tegra: fix pm_runtime leak on mutex_lock failure\n" }, { "commit": "ab868c10971c5d2cd27b3709d11225941eabe78e", "tree": "78b438df7cde483d4aa05f28acc6004447e2df17", "parents": [ "f53a244224ec0304209917e3f4d68dc83b1967db", "5b74373390113fba798a76b483837029ab010fef" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat May 23 07:17:27 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat May 23 07:17:27 2026 -0700" }, "message": "Merge tag \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma\n\nPull rdma fixes from Jason Gunthorpe:\n\n - syzbot triggred crash in rxe due to concurrent plug/unplug\n\n - Possible non-zero\u0027d memory exposed to userspace in bnxt_re\n\n - Malicous \u0027magic packet\u0027 with SIW causes a buffer overflow\n\n - Tighten the new uAPI validation code to not crash in debugging prints\n and have the right module dependencies in drivers\n\n - mana was missing the max_msg_sz report to userspace\n\n - UAF in rtrs on an error path\n\n* tag \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:\n RDMA/rtrs: Fix use-after-free in path file creation cleanup\n RDMA/mana_ib: Report max_msg_sz in mana_ib_query_port\n RDMA/core: Do not read wild stack memory in uverbs_get_handler_fn()\n RDMA/core: Move the _ib_copy_validate_udata* functions to ib_core_uverbs\n RDMA/siw: Reject MPA FPDU length underflow before signed receive math\n RDMA/bnxt_re: zero shared page before exposing to userspace\n selftests/rdma: explicitly skip tests when required modules are missing\n RDMA/nldev: Add mutual exclusion in nldev_dellink()\n" }, { "commit": "8339dd0e5090f092c525c5e04b2a75ec5e5305a6", "tree": "85f3a7a35a37edd40803494b5789707e6a87ce82", "parents": [ "79bd2dded182b1d458b18e62684b7f82ffc682e5", "c69439a891ccb37ede5d68539636337c6bd92fab" ], "author": { "name": "Carlos Maiolino", "email": "cem@kernel.org", "time": "Sat May 23 16:15:18 2026 +0200" }, "committer": { "name": "Carlos Maiolino", "email": "cem@kernel.org", "time": "Sat May 23 16:15:18 2026 +0200" }, "message": "Merge tag \u0027xfs-fixes-7.1-rc5\u0027 of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux into test_merge\n\nxfs: fixes for v7.1-rc5\n\nSigned-off-by: Carlos Maiolino \u003ccem@kernel.org\u003e\n Lines starting with \u0027#\u0027 will be ignored.\n" }, { "commit": "f53a244224ec0304209917e3f4d68dc83b1967db", "tree": "fe19f266c5edbf2ce37ef1adef2188add9c8d32b", "parents": [ "79bd2dded182b1d458b18e62684b7f82ffc682e5", "e7537735028c3ad4b0bfc02ff8fa2a1a28aa04fe" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat May 23 07:13:06 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat May 23 07:13:06 2026 -0700" }, "message": "Merge tag \u0027for-linus-fwctl\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/fwctl/fwctl\n\nPull fwctl fix from Jason Gunthorpe:\n\n - Buffer overflow due to missing input validation in pds\n\n* tag \u0027for-linus-fwctl\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/fwctl/fwctl:\n fwctl: pds: Validate RPC input size before parsing\n" }, { "commit": "53cc12a2dc88c2c6f62f507548640885a70a56a8", "tree": "9ea0152b3649e09ec1f7759b607af3b59fa8ec16", "parents": [ "7c48a28c1bbe26e272bc978a42adb757fc6aa639" ], "author": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Fri May 22 07:22:16 2026 -1000" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sat May 23 01:50:33 2026 -0700" }, "message": "bpf/arena: Add bpf_arena_map_kern_vm_start() and bpf_prog_arena()\n\nstruct bpf_arena is opaque to callers outside arena.c. Add two helpers\nfor struct_ops subsystems that need to reach into an arena:\n\n bpf_arena_map_kern_vm_start(struct bpf_map *map)\n returns @map\u0027s kern_vm_start. A sched_ext follow-up needs this\n to translate kern_va \u003c-\u003e uaddr.\n\n bpf_prog_arena(struct bpf_prog *prog)\n returns the bpf_map of the arena referenced by @prog (NULL if\n @prog references no arena). The verifier enforces at most one\n arena per program. Used by struct_ops callers that auto-discover\n an arena from a member prog and need to take a map reference.\n\nSuggested-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nReviewed-by: Emil Tsalapatis \u003cemil@etsalapatis.com\u003e\nLink: https://lore.kernel.org/r/20260522172219.1423324-6-tj@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "7c48a28c1bbe26e272bc978a42adb757fc6aa639", "tree": "ae527453c7b040a88660940fdb891bde2e4a06d8", "parents": [ "f211c81ddc368e5cc6ad69d171bca0fa52e71ad7" ], "author": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Fri May 22 07:22:15 2026 -1000" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sat May 23 01:50:33 2026 -0700" }, "message": "bpf: Add bpf_struct_ops_for_each_prog()\n\nAdd a helper that walks the member progs of the struct_ops map\ncontaining a given @kdata vmtable. struct_ops -\u003ereg() callbacks (and\nsimilar) sometimes need to inspect the loaded BPF programs, e.g. to\ndiscover maps they reference via prog-\u003eaux-\u003eused_maps.\n\nThe implementation mirrors bpf_struct_ops_id(): container_of @kdata\nto recover the bpf_struct_ops_map, then iterate st_map-\u003elinks[i]-\u003eprog\nfor i in [0, funcs_cnt). Same access pattern, no new locking - by the\ntime -\u003ereg() fires st_map is fully populated and stable.\n\nA sched_ext follow-up walks the member progs of a cid-form scheduler\u0027s\nstruct_ops map, reads prog-\u003eaux-\u003earena directly, and requires all member\nprogs to reference exactly one arena, without requiring the BPF program\nto call a registration kfunc.\n\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nReviewed-by: Emil Tsalapatis \u003cemil@etsalapatis.com\u003e\nLink: https://lore.kernel.org/r/20260522172219.1423324-5-tj@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "f211c81ddc368e5cc6ad69d171bca0fa52e71ad7", "tree": "88725b232c2d6915422a67f27b17303f642241b7", "parents": [ "dc11a4dba2464e5144c318ffaf7fb16b1a5c74d6" ], "author": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Fri May 22 07:22:14 2026 -1000" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sat May 23 01:50:33 2026 -0700" }, "message": "bpf: Add sleepable variant of bpf_arena_alloc_pages for kernel callers\n\nThe existing kernel-side export of bpf_arena_alloc_pages is _non_sleepable\nonly - it\u0027s used by the verifier to inline the kfunc when the call site is\nnon-sleepable. There is no sleepable equivalent for kernel callers. The\nkfunc bpf_arena_alloc_pages itself is BPF-only.\n\nsched_ext needs sleepable kernel-side allocs for its arena pool init/grow\npaths. Add bpf_arena_alloc_pages_sleepable() mirroring the _non_sleepable\nwrapper but passing sleepable\u003dtrue to arena_alloc_pages().\n\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nReviewed-by: Emil Tsalapatis \u003cemil@etsalapatis.com\u003e\nLink: https://lore.kernel.org/r/20260522172219.1423324-4-tj@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "dc11a4dba2464e5144c318ffaf7fb16b1a5c74d6", "tree": "17ae5c752a827d9e25b839e030db0be5d890fc2d", "parents": [ "258df8fce42fecc23cd04242de3d39f1fe836433" ], "author": { "name": "Kumar Kartikeya Dwivedi", "email": "memxor@gmail.com", "time": "Fri May 22 07:22:13 2026 -1000" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sat May 23 01:50:33 2026 -0700" }, "message": "bpf: Recover arena kernel faults with scratch page\n\nBPF arena usage is becoming more prevalent, but kernel \u003c-\u003e BPF communication\nover arena memory is awkward today. Data has to be staged through a trusted\nkernel pointer with extra code and copying on the BPF side. While reads\nthrough arena pointers can use a fault-safe helper, writes don\u0027t have a good\nsolution. The in-line alternative would need instruction emulation or asm\nfixup labels.\n\nEnable direct kernel-side reads and writes within GUARD_SZ / 2 of any\nhanded-in arena pointer, without bounds checking. A per-arena scratch page\nis installed by the arch fault path into empty arena kernel PTEs - x86 from\npage_fault_oops() for not-present faults, arm64 from __do_kernel_fault() for\ntranslation faults, both after the existing exception-table and KFENCE\nhandling. The faulting instruction retries and the access is also reported\nthrough the program\u0027s BPF stream, preserving error reporting.\n\nbpf_prog_find_from_stack() resolves the current BPF program (and its arena)\nfrom the kernel stack - no new bpf_run_ctx state is added. Recovery covers\nthe 4 GiB arena plus the upper half-guard (GUARD_SZ / 2). The lower\nhalf-guard is excluded because well-behaved kfuncs only access forward from\narena pointers. The kfunc-author contract - access at most GUARD_SZ / 2 past\na handed-in pointer - is documented in Documentation/bpf/kfuncs.rst.\n\nThe install is lock-free via ptep_try_set(). On race-loss the winning\ninstaller\u0027s PTE is already valid, so the access retry succeeds. The arena\nclear path uses ptep_get_and_clear() so installer and clearer race through\natomic accessors. No flush_tlb_kernel_range() afterwards. Stale \"not mapped\"\nentries just cause one extra re-fault, cheaper than a global IPI on every\ninstall.\n\nScratch exists only to keep the kernel from oopsing on an in-line arena\naccess. Its presence at a PTE means the BPF program has already\nmalfunctioned, and the violation is reported through the program\u0027s BPF\nstream. The only requirement for behavior on a scratched PTE is that the\nkernel doesn\u0027t crash. In particular, any user-side access through such a PTE\nmay segfault. The shared scratch page is freed once during map destruction.\n\nBPF instruction faults continue to use the existing JIT exception-table\npath. This patch changes only the kernel-text fault path. No UAPI flag is\nadded. The new behavior is the default.\n\nv2: Use ptep_get_and_clear() in apply_range_clear_cb(). (David)\nv3: Stub bpf_arena_handle_page_fault() for !CONFIG_BPF_SYSCALL. (lkp)\n\nSuggested-by: Alexei Starovoitov \u003cast@kernel.org\u003e\nSigned-off-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nReviewed-by: Emil Tsalapatis \u003cemil@etsalapatis.com\u003e\nCc: David Hildenbrand \u003cdavid@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260522172219.1423324-3-tj@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "258df8fce42fecc23cd04242de3d39f1fe836433", "tree": "de83f8bd79032ce6c8f8230d07089c88752e6625", "parents": [ "5200f5f493f79f14bbdc349e402a40dfb32f23c8" ], "author": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Fri May 22 07:22:12 2026 -1000" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sat May 23 01:50:32 2026 -0700" }, "message": "mm: Add ptep_try_set() for lockless empty-slot installs\n\nAdd ptep_try_set(ptep, new_pte): atomically set *ptep to new_pte iff it is\ncurrently pte_none(). Returns true on success, false if the slot was already\npopulated or the arch has no implementation.\n\nThe intended caller is the upcoming bpf_arena kernel-side fault recovery\npath. The install runs from a page fault that can be nested under locks\nheld by the faulting kernel caller (e.g. a BPF program holding\nraw_res_spin_lock_irqsave on its arena\u0027s spinlock), so trylock-and-retry\nwould A-A deadlock. Lock-free cmpxchg is the only viable option, which\nconstrains this helper to special kernel page tables where concurrent\nwriters cooperate via atomic accessors.\n\nThe generic version in \u003clinux/pgtable.h\u003e returns false. x86 and arm64\noverride with try_cmpxchg-based implementations on the underlying pteval.\nOther architectures get the false stub - the callers there already fall\nthrough to oops.\n\nv2: Rename to ptep_try_set(). Tighten kerneldoc. (David, Alexei)\nv3: Note that strict-zero cmpxchg is narrower than pte_none(). (Andrea)\n\nSuggested-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\nSuggested-by: Alexei Starovoitov \u003cast@kernel.org\u003e\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nReviewed-by: Andrea Righi \u003carighi@nvidia.com\u003e\nCc: David Hildenbrand \u003cdavid@kernel.org\u003e\nAcked-by: David Hildenbrand (arm) \u003cdavid@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260522172219.1423324-2-tj@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "9a12fa5213cfc391e0eed63902d3be98f0913765", "tree": "bef8dcc25a2efd9153e7da972121b8becd710978", "parents": [ "d9c41dc531b0e8feb046ee3d31ce37657101b137" ], "author": { "name": "Tina Zhang", "email": "zhang_wei@open-hieco.net", "time": "Fri May 22 12:00:14 2026 +0800" }, "committer": { "name": "Paolo Bonzini", "email": "pbonzini@redhat.com", "time": "Sat May 23 10:09:04 2026 +0200" }, "message": "KVM: SVM: Disable AVIC IPI virtualization on Hygon Family 18h (erratum #1235)\n\nHygon Family 18h CPUs are derived from AMD Family 17h (Zen1) silicon and\nshare the same erratum #1235: hardware may read a stale IsRunning\u003d1 bit\nduring ICR write emulation and silently fail to generate an\nAVIC_IPI_FAILURE_TARGET_NOT_RUNNING VM-Exit on the sending vCPU.\n\nThe absence of the VM-Exit causes KVM to miss the required wakeup of\nblocking target vCPUs, leading to hung vCPUs and unbounded delays in\nguest execution.\n\nExtend the existing AMD Family 17h erratum #1235 workaround to also cover\nHygon Family 18h. With IPI virtualization disabled, KVM never sets\nIsRunning\u003d1 in the Physical ID table, so every non-self IPI generates a\nVM-Exit and is correctly emulated.\n\nFixes: 8de4a1c8164e (\"KVM: SVM: Disable (x2)AVIC IPI virtualization if CPU has erratum #1235\")\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Tina Zhang \u003czhang_wei@open-hieco.net\u003e\nMessage-ID: \u003c20260522040014.3380201-1-zhang_wei@open-hieco.net\u003e\n" }, { "commit": "d9c41dc531b0e8feb046ee3d31ce37657101b137", "tree": "932e0126afef4181c6d03f316a8deb8c987a4614", "parents": [ "86e2de10eb14446a49019791bd0674faa5fae088" ], "author": { "name": "Sean Christopherson", "email": "seanjc@google.com", "time": "Fri May 22 10:35:26 2026 -0700" }, "committer": { "name": "Paolo Bonzini", "email": "pbonzini@redhat.com", "time": "Sat May 23 10:07:40 2026 +0200" }, "message": "KVM: selftests: Verify that KVM returns the configured APIC cycle length\n\nAdd checks in the APIC bus clock test to verify that querying\nKVM_CAP_X86_APIC_BUS_CYCLES_NS on the VM after changing the frequency\nreturns the VM\u0027s actual APIC cycle length, not KVM\u0027s default. For\ngiggles, verify that KVM still returns its default frequency for the\nsystem-scoped check.\n\nSigned-off-by: Sean Christopherson \u003cseanjc@google.com\u003e\nMessage-ID: \u003c20260522173526.3539407-3-seanjc@google.com\u003e\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\n" }, { "commit": "86e2de10eb14446a49019791bd0674faa5fae088", "tree": "9dbaaf7db2147410080b986cd88125ea943dc305", "parents": [ "2d42c7cf1a2dad694db0c518b0e004502859f11c" ], "author": { "name": "Sean Christopherson", "email": "seanjc@google.com", "time": "Fri May 22 10:35:25 2026 -0700" }, "committer": { "name": "Paolo Bonzini", "email": "pbonzini@redhat.com", "time": "Sat May 23 10:07:29 2026 +0200" }, "message": "KVM: x86: Return the VM\u0027s configured APIC bus frequency when queried\n\nWhen KVM_CAP_X86_APIC_BUS_CYCLES_NS is queried on a specific VM, return the\nVM\u0027s configured APIC bus frequency, not KVM\u0027s default. Aside from the fact\nthat returning the default frequency is blatantly wrong if userspace has\nchanged the frequency, returning the configured frequency means userspace\ncan blindly trust the result, e.g. when filling PV CPUID information that\ncommunicates the APIC bus frequency to the guest.\n\nFixes: 6fef518594bc (\"KVM: x86: Add a capability to configure bus frequency for APIC timer\")\nReported-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\nCloses: https://lore.kernel.org/all/ab84153e33fbe7c25667f595c56b310d4d5a93ef.camel@infradead.org\nSigned-off-by: Sean Christopherson \u003cseanjc@google.com\u003e\nMessage-ID: \u003c20260522173526.3539407-2-seanjc@google.com\u003e\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\n" }, { "commit": "2d42c7cf1a2dad694db0c518b0e004502859f11c", "tree": "f470008de25117373a234b8e43133c61be891b4e", "parents": [ "06c4f99526784938663a5e82b1ea1b67a4794491" ], "author": { "name": "Hisam Mehboob", "email": "hisamshar@gmail.com", "time": "Thu Apr 09 21:40:22 2026 +0500" }, "committer": { "name": "Paolo Bonzini", "email": "pbonzini@redhat.com", "time": "Sat May 23 10:05:26 2026 +0200" }, "message": "KVM: selftests: elf: Include \u003cendian.h\u003e instead of \u003cbits/endian.h\u003e\n\n\u003cbits/endian.h\u003e is a glibc-internal header that explicitly states it\nshould never be included directly:\n\n #error \"Never use \u003cbits/endian.h\u003e directly; include \u003cendian.h\u003e instead.\"\n\nReplace it with the correct public header \u003cendian.h\u003e which works on\nall C libraries including musl. Building KVM selftests with musl-gcc\nfails with:\n\n lib/elf.c:10:10: fatal error: bits/endian.h: No such file or directory\n\nFixes: 6089ae0bd5e1 (\"kvm: selftests: add sync_regs_test\")\nSigned-off-by: Hisam Mehboob \u003chisamshar@gmail.com\u003e\nMessage-ID: \u003c20260409164020.1575176-4-hisamshar@gmail.com\u003e\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\n" }, { "commit": "06c4f99526784938663a5e82b1ea1b67a4794491", "tree": "d3ed6cdcceb83d01ecdf641585fb814fd0043ab0", "parents": [ "37f32d5ab83968d63cfba6092ecaae3e582db964", "c7832534a8160276cccb9a8cc8cafb5614c579d0" ], "author": { "name": "Paolo Bonzini", "email": "pbonzini@redhat.com", "time": "Sat May 23 10:04:35 2026 +0200" }, "committer": { "name": "Paolo Bonzini", "email": "pbonzini@redhat.com", "time": "Sat May 23 10:04:35 2026 +0200" }, "message": "Merge tag \u0027kvm-riscv-fixes-7.1-1\u0027 of https://github.com/kvm-riscv/linux into HEAD\n\nKVM/riscv fixes for 7.1, take #1\n\n- Fix invalid HVA warning in steal-time recording\n- Return SBI_ERR_FAILURE to guest upon OOM in pmu_event_info()\n and pmu_snapshot_set_shmem()\n- Fix NULL pointer dereference in SBI v0.1 SEND_IPI handler\n- Fix sign extension of value for MMIO loads\n" }, { "commit": "37f32d5ab83968d63cfba6092ecaae3e582db964", "tree": "89302eb3515325d10aa669e592c3d1fe0ca29c95", "parents": [ "e23844b2ddbdd004285f14bdc672b4d854ad4c4e", "9029496abfae3c208336855ae6f3e1f5f881ef76" ], "author": { "name": "Paolo Bonzini", "email": "pbonzini@redhat.com", "time": "Sat May 23 10:03:58 2026 +0200" }, "committer": { "name": "Paolo Bonzini", "email": "pbonzini@redhat.com", "time": "Sat May 23 10:03:58 2026 +0200" }, "message": "Merge tag \u0027kvm-s390-master-7.1-2\u0027 of https://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux into HEAD\n\nKVM: s390: some vSIE and UCONTROL fixes\n\nFix some memory issues and some hangs in vSIE.\n" }, { "commit": "e23844b2ddbdd004285f14bdc672b4d854ad4c4e", "tree": "3456738aee9bc04f692ddcf4ae338bb6ece7229c", "parents": [ "5200f5f493f79f14bbdc349e402a40dfb32f23c8", "1702da76e017ae0fbe1a92b07bc332972c293e89" ], "author": { "name": "Paolo Bonzini", "email": "pbonzini@redhat.com", "time": "Sat May 23 10:03:10 2026 +0200" }, "committer": { "name": "Paolo Bonzini", "email": "pbonzini@redhat.com", "time": "Sat May 23 10:03:10 2026 +0200" }, "message": "Merge tag \u0027kvmarm-fixes-7.1-3\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEAD\n\nKVM/arm64 fixes for 7.1, take #3\n\n- Fix ITS EventID sanitisation when restoring an interrupt translation\n table.\n\n- Fix PPI memory leak when failing to initialise a vcpu.\n\n- Correctly return an error when the validation of a hypervisor trace\n descriptor fails, and limit this validation to protected mode only.\n" }, { "commit": "79bd2dded182b1d458b18e62684b7f82ffc682e5", "tree": "e11cab84e200dac97bef26a2c880d1fea8caf36d", "parents": [ "de37e502a315677138009d2965f87e2c0721e76f", "0c1a9dce208b4dc265925898e5da98934f7f9266" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri May 22 16:43:33 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri May 22 16:43:33 2026 -0700" }, "message": "Merge tag \u0027sched_ext-for-7.1-rc4-fixes\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tj/sched_ext\n\nPull sched_ext fixes from Tejun Heo:\n\n - Spurious WARN in ops_dequeue() racing with concurrent dispatch\n\n - Self-deadlock between scheduler disable and a concurrent sub-sched\n enable\n\n* tag \u0027sched_ext-for-7.1-rc4-fixes\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tj/sched_ext:\n sched_ext: Fix spurious WARN on stale ops_state in ops_dequeue()\n sched_ext: Fix deadlock between scx_root_disable() and concurrent forks\n" }, { "commit": "de37e502a315677138009d2965f87e2c0721e76f", "tree": "0012bea881280a202ccb1a3c6620ed1493a0e202", "parents": [ "4a5860ea6098bc6c0a966bb415d5dfe96adb4a86", "22572dbcd3486e6c4dced877125bbf50e4e24edf" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri May 22 16:28:47 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri May 22 16:28:47 2026 -0700" }, "message": "Merge tag \u0027cgroup-for-7.1-rc4-fixes\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup\n\nPull cgroup fixes from Tejun Heo:\n \"Two rstat fixes:\n\n - Out-of-bounds access in the css_rstat_updated() BPF kfunc when\n called with an unchecked user-supplied cpu\n\n - Over-strict NMI guard after the recent switch to try_cmpxchg left\n sparc and ppc64 unable to queue rstat updates from NMI\"\n\n* tag \u0027cgroup-for-7.1-rc4-fixes\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:\n cgroup: rstat: relax NMI guard after switch to try_cmpxchg\n cgroup/rstat: validate cpu before css_rstat_cpu() access\n" }, { "commit": "4a5860ea6098bc6c0a966bb415d5dfe96adb4a86", "tree": "f06a88c6b9511d40464a6cd5ef9f7c2062bed8db", "parents": [ "0e6582a51610ee1efb1a3acae96d2960490b6f4b", "84335a9985867c1a6cd28c693ffbedc4ef1caa39" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri May 22 16:15:32 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri May 22 16:15:32 2026 -0700" }, "message": "Merge tag \u0027drm-fixes-2026-05-23\u0027 of https://gitlab.freedesktop.org/drm/kernel\n\nPull drm fixes from Dave Airlie:\n \"Regular fixes pull, amdgpu/xe being the usual, with bonus msm content\n to bulk things out, otherwise it has the usual scattered changes, with\n amdxdna dropping a badly thought out userspace api.\n\n gem:\n - clean up LRU locking\n\n msm:\n - Core:\n - Fixed bindings for SM8650, SM8750 and Eliza\n - Don\u0027t use UTS_RELEASE directly\n - Fix typo in clock-names property\n - DPU:\n - Fixed CWB description on Kaanapali\n - Fixed scanline strides for YUV UBWC formats\n - Stopped DSI register dumping to access past the end of region\n - DSI:\n - Fix dumping unaligned regions\n - GPU:\n - Fix GMEM_BASE for a6xx gen3\n - Fix userspace reachable crash on a2xx-a4xx\n - Fix sysprof_active for counter collection with IFPC enabled GPUs\n - Fix shrinker lockdep\n\n amdgpu:\n - Userq fixes\n - VPE fix\n - SMU 15 fix\n - Misc fixes\n - VCE fixes\n - DC bios parsing fixes\n - DC aux fix\n - Mode1 reset fix\n - RAS fixes\n\n amdkfd:\n - Misc fixes\n\n radeon:\n - CS parser fix\n\n xe:\n - SRIOV related fixes\n - Fix leak and double-free\n - Multi-cast register fixes\n - Multi-queue fix\n\n i915:\n - Fix joiner color pipeline selection [display]\n - Fix readback for target_rr in Adaptive Sync SDP [dp]\n - Apply Intel DPCD workaround when SDP on prior line used [psr]\n\n amdxdna:\n - remove mmap and export for ubuf\n\n bridge:\n - chipone-icn6211: managed bridge cleanup\n - lt66121: acquire reset GPIO\n - megachips: fix clean up on failed IRQ requests\n\n v3d:\n - fix UAF in error code paths\n - release GEM-object ref on free\u0027d jobs\n\n virtio:\n - use uninterruptible resv locking in plane updates\n\n mediatek:\n - fix sparse warnings\"\n\n* tag \u0027drm-fixes-2026-05-23\u0027 of https://gitlab.freedesktop.org/drm/kernel: (78 commits)\n drm/xe/oa: Fix exec_queue leak on width check in stream open\n drm/virtio: use uninterruptible resv lock for plane updates\n drm/amdgpu: fix handling in amdgpu_userq_create\n drm/radeon/evergreen_cs: Add missing NULL prefix check in surface check\n drm/amdgpu: userq_va_mapped should remain true once done\n drm/amdgpu: avoid integer overflow in VA range check\n drm/amd/ras: Fix UMC error address allocation leak\n drm/amdgpu: unmap all user mappings of framebuffer and doorbell before mode1 reset\n drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transfer_async\n drm/amd/display: Validate GPIO pin LUT table size before iterating\n drm/amd/display: Fix integer overflow in bios_get_image()\n drm/amdkfd: Check bounds for allocate_sdma_queue restore_sdma_id\n drm/amdgpu: use atomic operation to achieve lockless serialization\n drm/amdkfd: Check bounds on allocate_doorbell\n drm/amdgpu/vce3: Fix VCE 3 firmware size and offsets\n drm/amdgpu/vce2: Fix VCE 2 firmware size and offsets\n drm/amdgpu/vce1: Stop using amdgpu_vce_resume\n drm/amdgpu/vce1: Fix VCE 1 firmware size and offsets\n drm/amdgpu/vce1: Don\u0027t repeat GTT MGR node allocation\n drm/amdgpu/vce1: Check if VRAM address is lower than GART.\n ...\n" }, { "commit": "0e6582a51610ee1efb1a3acae96d2960490b6f4b", "tree": "2be0879a817e091f8e6c9cf24e1d0158de4490eb", "parents": [ "59825bc9ce06281224c15c51ec535bf339112d8c", "b71cb088b2e3427924a470fc43e7aedb8a40d2e3" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri May 22 16:08:06 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri May 22 16:08:06 2026 -0700" }, "message": "Merge tag \u0027scsi-fixes\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi\n\nPull SCSI fixes from James Bottomley:\n \"Small fixes, two in drivers and the remaining a sign conversion probem\n in sd with no user visible consequences (non-zero is error)\"\n\n* tag \u0027scsi-fixes\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:\n scsi: target: tcm_loop: Fix NULL ptr dereference\n scsi: isci: Fix use-after-free in device removal path\n scsi: sd: Fix return code handling in sd_spinup_disk()\n" }, { "commit": "59825bc9ce06281224c15c51ec535bf339112d8c", "tree": "6098b6c20171c7bff75d2e8d1e543b389e25d681", "parents": [ "cca95436be15d00ddac02d73054b612649485495", "654ddf855bebd8d45a6e707f5dc2344921f5e0cf" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri May 22 15:45:26 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri May 22 15:45:26 2026 -0700" }, "message": "Merge tag \u0027platform-drivers-x86-v7.1-4\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86\n\nPull x86 platform driver fixes from\n\n - Add ACPI_HANDLE()/ACPI_COMPANION() NULL checks (many drivers) to\n handle match overrides gracefully\n\n - asus-armoury:\n - Fix mini-LED mode get/set\n - Add support for FA401EA, FX607VU, G614FR, and GU605CP\n\n - bitland-mifs-wmi:\n - Add CONFIG_LEDS_CLASS dependency\n\n - hp-wmi:\n - Add thermal support for Omen 16-c0xxx (board 8902)\n\n - intel/vsec:\n - Fix enable_cnt imbalance due to PCIe error recovery\n\n - surface/aggregator_registry:\n - Remove battery \u0026 AC nodes on Surface Laptop 7 to avoid duplicated\n devices\n\n - uniwill-laptop:\n - Handle uninitialized and invalid charging threshold values\n - Accept charging threshold of 0 through power supply sysfs ABI and\n clamp it to 1\n - Make \u0027force\u0027 parameter to work also when device descriptor is\n found\n - Do not enable charging limit despite the \u0027force\u0027 parameter to\n avoid permanent damage to battery\n\n* tag \u0027platform-drivers-x86-v7.1-4\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86: (35 commits)\n platform/x86: bitland-mifs-wmi: add CONFIG_LEDS_CLASS dependency\n platform/x86: wireless-hotkey: Check ACPI_COMPANION() against NULL\n platform/x86: toshiba_haps: Check ACPI_COMPANION() against NULL\n platform/x86: toshiba_bluetooth: Check ACPI_COMPANION() against NULL\n platform/x86: toshiba_acpi: Check ACPI_COMPANION() against NULL\n platform/x86: system76: Check ACPI_COMPANION() against NULL\n platform/x86: sony-laptop: Check ACPI_COMPANION() against NULL\n platform/x86: panasonic-laptop: Check ACPI_COMPANION() against NULL\n platform/x86: lg-laptop: Check ACPI_COMPANION() against NULL\n platform/x86: intel/smartconnect: Check ACPI_HANDLE() against NULL\n platform/x86: intel/rst: Check ACPI_COMPANION() against NULL\n platform/x86: fujitsu-tablet: Check ACPI_COMPANION() against NULL\n platform/x86: fujitsu: Check ACPI_COMPANION() against NULL\n platform/x86: eeepc-laptop: Check ACPI_COMPANION() against NULL\n platform/x86: dell/dell-rbtn: Check ACPI_COMPANION() against NULL\n platform/x86: asus-laptop: Check ACPI_COMPANION() against NULL\n platform/x86: acer-wireless: Check ACPI_COMPANION() against NULL\n platform/x86: asus-armoury: add support for GU605CP\n platform/x86: asus-armoury: add support for FA401EA\n platform/x86: asus-armoury: add support for G614FR\n ...\n" }, { "commit": "84335a9985867c1a6cd28c693ffbedc4ef1caa39", "tree": "aef06d4fb220a4eca0c01cbb5087201e640ba8f2", "parents": [ "4378a4116567887066011b8e0cd443241609e467", "4d25342543c01310fc4e0cba7cb17c775e2421e2" ], "author": { "name": "Dave Airlie", "email": "airlied@redhat.com", "time": "Sat May 23 07:50:49 2026 +1000" }, "committer": { "name": "Dave Airlie", "email": "airlied@redhat.com", "time": "Sat May 23 07:57:08 2026 +1000" }, "message": "Merge tag \u0027drm-xe-fixes-2026-05-21\u0027 of https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes\n\n- SRIOV related fixes (Wajdeczko, Mohanram)\n- Fix leak and double-free (Lin)\n- Multi-cast register fixes (Gustavo)\n- Multi-queue fix (Niranjana)\n\nSigned-off-by: Dave Airlie \u003cairlied@redhat.com\u003e\n\nFrom: Rodrigo Vivi \u003crodrigo.vivi@intel.com\u003e\nLink: https://patch.msgid.link/ag9rR5VwCdkA0lzI@intel.com\n" } ], "next": "cca95436be15d00ddac02d73054b612649485495" }