)]}' { "log": [ { "commit": "70eda68668d1476b459b64e69b8f36659fa9dfa8", "tree": "26fe996ae3fd74753bac73ea6f08e724b4f604a9", "parents": [ "48f76a12713253f3abaa39c4ff7606d6fed05a7e", "64ffa2e5e02ff54b23221d0282155f37283fabea" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 14 14:30:01 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 14 14:30:01 2026 -0700" }, "message": "Merge tag \u0027hid-for-linus-2026051401\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid\n\nPull HID fixes from Jiri Kosina:\n\n - fixes for a few OOB/UAF in several HID drivers (Florian Pradines, Lee\n Jones, Michael Zaidman, Rosalie Wanders, Sangyun Kim and Tomasz\n Pakuła)\n\n - more general sanitation of input data, dealing with potentially\n malicious hardware in hid-core (Benjamin Tissoires)\n\n - a few device-specific quirks and fixups\n\n* tag \u0027hid-for-linus-2026051401\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid: (22 commits)\n HID: logitech-hidpp: Add support for newer Bluetooth keyboards\n HID: pidff: Fix integer overflow in pidff_rescale\n HID: i2c-hid: add reset quirk for BLTP7853 touchpad\n HID: core: introduce hid_safe_input_report()\n HID: pass the buffer size to hid_report_raw_event\n HID: google: hammer: stop hardware on devres action failure\n HID: appletb-kbd: run inactivity autodim from workqueues\n HID: appletb-kbd: fix UAF in inactivity-timer cleanup path\n HID: playstation: Clamp num_touch_reports\n HID: magicmouse: Prevent out-of-bounds (OOB) read during DOUBLE_REPORT_ID\n HID: mcp2221: fix OOB write in mcp2221_raw_event()\n HID: quirks: really enable the intended work around for appledisplay\n HID: hid-sjoy: race between init and usage\n HID: uclogic: Fix regression of input name assignment\n HID: intel-thc-hid: Intel-quickspi: Fix some error codes\n HID: hid-lenovo-go-s: restore OS_TYPE after resume from s2idle\n HID: elan: Add support for ELAN SB974D touchpad\n HID: sony: add missing size validation for Rock Band 3 Pro instruments\n HID: sony: add missing size validation for SMK-Link remotes\n HID: sony: remove unneeded WARN_ON() in sony_leds_init()\n ...\n" }, { "commit": "48f76a12713253f3abaa39c4ff7606d6fed05a7e", "tree": "a08ad3f86cce228139b48afd9c89e3687f3ddb05", "parents": [ "66182ca873a4e87b3496eca79d57f86b76d7f52d", "af149b667b9472bf981591a6d27efdecd331005a" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 14 14:06:31 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 14 14:06:31 2026 -0700" }, "message": "Merge tag \u0027acpi-7.1-rc4\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm\n\nPull ACPI support fixes from Rafael Wysocki:\n \"These fix several platform drivers that use the ACPI companion of the\n given platform device without checking its presence, which may lead to\n a NULL pointer dereference or other kind of malfunction if the driver\n is forced to match a device without an ACPI companion via driver\n override, and restore debug log level for some messages in the ACPI\n CPPC library:\n\n - Check ACPI_COMPANION() against NULL during probe in several core\n ACPI device drivers (Rafael Wysocki)\n\n - Restore log level of messages in amd_set_max_freq_ratio() (Mario\n Limonciello)\"\n\n* tag \u0027acpi-7.1-rc4\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:\n ACPI: PAD: xen: Check ACPI_COMPANION() against NULL\n ACPI: driver: Check ACPI_COMPANION() against NULL during probe\n Revert \"ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to warn\"\n" }, { "commit": "af149b667b9472bf981591a6d27efdecd331005a", "tree": "1ae11e0cd72fabc406be2a77e0325b774ead66f9", "parents": [ "b7cdd59de5ae8062d2cb0121c429a271eb70daec", "db5dadb562cabb6da49959b473ed0d9645b6f2da" ], "author": { "name": "Rafael J. Wysocki", "email": "rafael.j.wysocki@intel.com", "time": "Thu May 14 22:46:33 2026 +0200" }, "committer": { "name": "Rafael J. Wysocki", "email": "rafael.j.wysocki@intel.com", "time": "Thu May 14 22:46:33 2026 +0200" }, "message": "Merge branch \u0027acpi-cppc\u0027\n\nMerge a revert of an ACPI CPPC commit that increased the log level of\nsome debug messages which turned out to be a bad idea:\n\n - Restore log level of messages in amd_set_max_freq_ratio() (Mario\n Limonciello)\n\n* acpi-cppc:\n Revert \"ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to warn\"\n" }, { "commit": "66182ca873a4e87b3496eca79d57f86b76d7f52d", "tree": "de7036ccfa0347ce8a6476132497d401b1bbdf42", "parents": [ "eb5441518fba295bd97b59dc54914f89dfaa107d", "c78bdba7b9666020c0832150a4fc4c0aebc7c6ac" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 14 08:57:43 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 14 08:57:43 2026 -0700" }, "message": "Merge tag \u0027net-7.1-rc4\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net\n\nPull networking fixes from Paolo Abeni:\n \"Including fixes from netfilter.\n\n Previous releases - regressions:\n\n - ethtool: fix NULL pointer dereference in phy_reply_size\n\n - netfilter:\n - allocate hook ops while under mutex\n - close dangling table module init race\n - restore nf_conntrack helper propagation via expectation\n\n - tcp:\n - fix potential UAF in reqsk_timer_handler().\n - fix out-of-bounds access for twsk in tcp_ao_established_key().\n\n - vsock: fix empty payload in tap skb for non-linear buffers\n\n - hsr: fix NULL pointer dereference in hsr_get_node_data()\n\n - eth:\n - cortina: fix RX drop accounting\n - ice: fix locking in ice_dcb_rebuild()\n\n Previous releases - always broken:\n\n - napi: avoid gro timer misfiring at end of busypoll\n\n - sched:\n - dualpi2: initialize timer earlier in dualpi2_init()\n - sch_cbs: Call qdisc_reset for child qdisc\n\n - shaper:\n - fix ordering issue in net_shaper_commit()\n - reject handle IDs exceeding internal bit-width\n\n - ipv6: flowlabel: enforce per-netns limit for unprivileged callers\n\n - tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring\n\n - smc: avoid NULL deref of conn-\u003elnk in smc_msg_event tracepoint\n\n - sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL\n\n - batman-adv:\n - reject new tp_meter sessions during teardown\n - purge non-released claims\n\n - eth:\n - i40e: cleanup PTP registration on probe failure\n - idpf: fix double free and use-after-free in aux device error paths\n - ena: fix potential use-after-free in get_timestamp\"\n\n* tag \u0027net-7.1-rc4\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (88 commits)\n net: phy: DP83TC811: add reading of abilities\n net: tls: prevent chain-after-chain in plain text SG\n net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring\n net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot\n macsec: use rcu_work to defer TX SA crypto cleanup out of softirq\n macsec: use rcu_work to defer RX SA crypto cleanup out of softirq\n macsec: introduce dedicated workqueue for SA crypto cleanup\n net: net_failover: Fix the deadlock in slave register\n MAINTAINERS: update atlantic driver maintainer\n selftests/tc-testing: Add QFQ/CBS qlen underflow test\n net/sched: sch_cbs: Call qdisc_reset for child qdisc\n FDDI: defza: Sanitise the reset safety timer\n net: ethernet: ravb: Do not check URAM suspension when WoL is active\n ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics\n net/smc: avoid NULL deref of conn-\u003elnk in smc_msg_event tracepoint\n net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS\n net: atm: fix skb leak in sigd_send() default branch\n net: ethtool: phy: avoid NULL deref when PHY driver is unbound\n net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled\n net: shaper: reject QUEUE scope handle with missing id\n ...\n" }, { "commit": "eb5441518fba295bd97b59dc54914f89dfaa107d", "tree": "b4460e2c9613bb470f58c8f5d7e7a13bc9c96bfb", "parents": [ "31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a", "f9e1c1324b4d98d591a6f7568fdebf5cf456dfc2" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 14 08:53:24 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 14 08:53:24 2026 -0700" }, "message": "Merge tag \u0027audit-pr-20260513\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit\n\nPull audit fixes from Paul Moore:\n\n - Correctly log the inheritable capabilities\n\n - Honor AUDIT_LOCKED in the AUDIT_TRIM and AUDIT_MAKE_EQUIV commands\n\n* tag \u0027audit-pr-20260513\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:\n audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV\n audit: fix incorrect inheritable capability in CAPSET records\n" }, { "commit": "31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a", "tree": "f8805677487dadc415fb6008d8f995023f7b94cb", "parents": [ "59a62ea4583e0f740bb3576ec210b23f39754327" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed May 13 11:37:18 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 14 08:32:11 2026 -0700" }, "message": "ptrace: slightly saner \u0027get_dumpable()\u0027 logic\n\nThe \u0027dumpability\u0027 of a task is fundamentally about the memory image of\nthe task - the concept comes from whether it can core dump or not - and\nmakes no sense when you don\u0027t have an associated mm.\n\nAnd almost all users do in fact use it only for the case where the task\nhas a mm pointer.\n\nBut we have one odd special case: ptrace_may_access() uses \u0027dumpable\u0027 to\ncheck various other things entirely independently of the MM (typically\nexplicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for\nthreads that no longer have a VM (and maybe never did, like most kernel\nthreads).\n\nIt\u0027s not what this flag was designed for, but it is what it is.\n\nThe ptrace code does check that the uid/gid matches, so you do have to\nbe uid-0 to see kernel thread details, but this means that the\ntraditional \"drop capabilities\" model doesn\u0027t make any difference for\nthis all.\n\nMake it all make a *bit* more sense by saying that if you don\u0027t have a\nMM pointer, we\u0027ll use a cached \"last dumpability\" flag if the thread\never had a MM (it will be zero for kernel threads since it is never\nset), and require a proper CAP_SYS_PTRACE capability to override.\n\nReported-by: Qualys Security Advisory \u003cqsa@qualys.com\u003e\nCc: Oleg Nesterov \u003coleg@redhat.com\u003e\nCc: Kees Cook \u003ckees@kernel.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "c78bdba7b9666020c0832150a4fc4c0aebc7c6ac", "tree": "66343406f27a0f62aa7c29fc8259ad8ea5d5ba58", "parents": [ "ff26a0e8377dec07e4a7230db7675bed1b9a6d03" ], "author": { "name": "Sven Schuchmann", "email": "schuchmann@schleissheimer.de", "time": "Tue May 12 09:19:47 2026 +0200" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu May 14 15:17:12 2026 +0200" }, "message": "net: phy: DP83TC811: add reading of abilities\n\nAt this time the driver is not listing any speeds\nit supports. This should be ETHTOOL_LINK_MODE_100baseT1_Full_BIT\nfor DP83TC811. Add the missing call for phylib to read the abilities.\n\nFixes: b753a9faaf9a (\"net: phy: DP83TC811: Introduce support for the DP83TC811 phy\")\nSuggested-by: Andrew Lunn \u003candrew@lunn.ch\u003e\nSigned-off-by: Sven Schuchmann \u003cschuchmann@schleissheimer.de\u003e\nReviewed-by: Andrew Lunn \u003candrew@lunn.ch\u003e\nLink: https://patch.msgid.link/20260512071949.6218-1-schuchmann@schleissheimer.de\n[pabeni@redhat.com: dropped revision history]\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "ff26a0e8377dec07e4a7230db7675bed1b9a6d03", "tree": "8bc0a138c709db67d13e3eb65d879562f666ad75", "parents": [ "285943c6e7ca309bbea84b253745154241d9788a" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon May 11 10:49:18 2026 -0700" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu May 14 13:18:40 2026 +0200" }, "message": "net: tls: prevent chain-after-chain in plain text SG\n\nSashiko points out that if end \u003d 0 (start !\u003d 0) the current\ncode will create a chain link to content type right after\nthe wrap link:\n\n This would create a chain where the wrap link points directly\n to another chain link. The scatterlist API sg_next iterator\n does not recursively resolve consecutive chain links.\n\nmeaning this is illegal input to crypto.\n\nThe wrapping link is unnecessary if end \u003d 0. end is the entry after\nthe last one used so end \u003d 0 means there\u0027s nothing pushed after\nthe wrap:\n\n end start i\n v v v\n [ ]...[ ][ d ][ d ][ d ][ d ][rsv for wrap]\n\nSkip the wrapping in this case.\n\nTLS 1.3 can use the \"wrapping slot\" for it\u0027s chaining if end \u003d 0.\nThis avoids the chain-after-chain.\n\nMove the wrap chaining before marking END and chaining off content\ntype, that feels like more logical ordering to me, but should not\nmatter from functional perspective.\n\nReported-by: Sashiko \u003csashiko-bot@kernel.org\u003e\nFixes: 9aaaa56845a0 (\"bpf: Sockmap/tls, skmsg can have wrapped skmsg that needs extra chaining\")\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\nLink: https://patch.msgid.link/20260511174920.433155-3-kuba@kernel.org\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "285943c6e7ca309bbea84b253745154241d9788a", "tree": "4d4a71303844868517814ad5ad802316bb062b2c", "parents": [ "277740023def559a4a2ddc3e8e784ee37a0f16a9" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon May 11 10:49:17 2026 -0700" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu May 14 13:18:40 2026 +0200" }, "message": "net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring\n\nWhen an sk_msg scatterlist ring wraps (sg.end \u003c sg.start),\ntls_push_record() chains the tail portion of the ring to the head\nusing sg_chain(). An extra entry in the sg array is reserved for\nthis:\n\n struct sk_msg_sg {\n [...]\n /* The extra two elements:\n * 1) used for chaining the front and sections when the list becomes\n * partitioned (e.g. end \u003c start). The crypto APIs require the\n * chaining;\n * 2) to chain tailer SG entries after the message.\n */\n struct scatterlist data[MAX_MSG_FRAGS + 2];\n\nThe current code uses MAX_SKB_FRAGS + 1 as the ring size:\n\n sg_chain(\u0026msg_pl-\u003esg.data[msg_pl-\u003esg.start],\n MAX_SKB_FRAGS - msg_pl-\u003esg.start + 1,\n msg_pl-\u003esg.data);\n\nThis places the chain pointer at\n\n sg_chain(data[start], (MAX_SKB_FRAGS - msg_start + 1) .. \u003d\n \u0026data[start] + (MAX_SKB_FRAGS - msg_start + 1) - 1 \u003d\n data[start + (MAX_SKB_FRAGS - start + 1) - 1] \u003d\n data[MAX_SKB_FRAGS]\n\ninstead of the true last entry. This is likely due to a \"race\" of\nthe commit under Fixes landing close to\ncommit 031097d9e079 (\"bpf: sk_msg, zap ingress queue on psock down\")\n\nConvert to ARRAY_SIZE and drop the data[start] / - start (as suggested\nby Sabrina).\n\nReported-by: 钱一铭 \u003cyimingqian591@gmail.com\u003e\nFixes: 9aaaa56845a0 (\"bpf: Sockmap/tls, skmsg can have wrapped skmsg that needs extra chaining\")\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\nReviewed-by: Sabrina Dubroca \u003csd@queasysnail.net\u003e\nLink: https://patch.msgid.link/20260511174920.433155-2-kuba@kernel.org\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "277740023def559a4a2ddc3e8e784ee37a0f16a9", "tree": "9e2e4bf311a892c0ffd4446de5aec748e3361e19", "parents": [ "cc21150cdea8813fc9677ff61a3cbe9995801aa0" ], "author": { "name": "Xiang Mei", "email": "xmei5@asu.edu", "time": "Sun May 10 23:21:38 2026 -0700" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu May 14 12:20:06 2026 +0200" }, "message": "net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot\n\nOn the SMC-D client, slot 0 of ini-\u003eism_dev[]/ini-\u003eism_chid[] is\nreserved for an SMC-Dv1 device. smc_find_ism_v2_device_clnt()\npopulates V2 entries starting at index 1, so when no V1 device is\nselected slot 0 is left in its kzalloc()\u0027ed state with ism_dev[0] \u003d\u003d\nNULL and ism_chid[0] \u003d\u003d 0.\n\nsmc_v2_determine_accepted_chid() then matches the peer\u0027s CHID against\nthe array starting from index 0 using the CHID alone. A malicious\npeer replying to a SMC-Dv2-only proposal with d1.chid \u003d\u003d 0 matches\nthe empty slot, ini-\u003eism_selected becomes 0, and the subsequent\nism_dev[0]-\u003elgr_lock dereference in smc_conn_create() faults at\noffsetof(struct smcd_dev, lgr_lock) \u003d\u003d 0x68:\n\n BUG: KASAN: null-ptr-deref in _raw_spin_lock_bh+0x79/0xe0\n Write of size 4 at addr 0000000000000068 by task exploit/144\n Call Trace:\n _raw_spin_lock_bh\n smc_conn_create (net/smc/smc_core.c:1997)\n __smc_connect (net/smc/af_smc.c:1447)\n smc_connect (net/smc/af_smc.c:1720)\n __sys_connect\n __x64_sys_connect\n do_syscall_64\n\nRequire ism_dev[i] to be non-NULL before accepting a CHID match.\n\nFixes: a7c9c5f4af7f (\"net/smc: CLC accept / confirm V2\")\nReported-by: Weiming Shi \u003cbestswngs@gmail.com\u003e\nAssisted-by: Claude:claude-opus-4-7\nSigned-off-by: Xiang Mei \u003cxmei5@asu.edu\u003e\nLink: https://patch.msgid.link/20260511062138.2839584-1-xmei5@asu.edu\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "cc21150cdea8813fc9677ff61a3cbe9995801aa0", "tree": "873d43259e428b340f6dd02e6538323674bae4c2", "parents": [ "b84c5632c7b31f8910167075a8128cfb9e50fcfe", "552cc2306c3d87632f44a655737d1d367c2a3295" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 13 19:03:07 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 13 19:03:07 2026 -0700" }, "message": "Merge branch \u0027macsec-use-rcu_work-to-fix-crypto-cleanup-in-softirq-context\u0027\n\nJinliang Zheng says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nmacsec: use rcu_work to fix crypto cleanup in softirq context\n\nFrom: Jinliang Zheng \u003calexjlzheng@tencent.com\u003e\n\ncrypto_free_aead() can internally call vunmap() (e.g. via dma_free_attrs()\nin hardware crypto drivers like hisi_sec2), which must not be invoked from\nsoftirq context. Both free_rxsa() and free_txsa() are RCU callbacks that\nrun in softirq, causing a kernel crash on affected hardware.\n\nThis series fixes the issue by deferring the actual cleanup to a workqueue\nusing rcu_work, which combines the RCU grace period and workqueue dispatch\ninto a single primitive.\n\nTwo design decisions worth noting:\n\n1. rcu_work instead of schedule_work() + synchronize_rcu()\n\n An alternative would be to call schedule_work() directly from\n macsec_rxsa_put()/macsec_txsa_put(), then call synchronize_rcu() at\n the start of the work handler to replace the grace period previously\n provided by call_rcu(). However, synchronize_rcu() blocks the worker\n thread for the duration of a full RCU grace period. Under high SA\n churn (e.g. tearing down an interface with many SAs), each SA would\n occupy a worker thread while waiting, and multiple concurrent calls\n cannot share the same grace period — leading to unnecessary latency\n and resource waste.\n\n rcu_work uses call_rcu_hurry() internally, which is fully asynchronous:\n the worker thread is only dispatched after the grace period has elapsed,\n and multiple concurrent queue_rcu_work() calls naturally batch under the\n same grace period via the RCU subsystem\u0027s existing coalescing mechanism.\n\n2. Dedicated workqueue instead of system_wq\n\n Using a dedicated workqueue (macsec_wq) allows macsec_exit() to drain\n exactly the work items belonging to this module — by calling\n destroy_workqueue() after rcu_barrier(). If system_wq were used,\n flush_scheduled_work() would drain all pending work items across the\n entire system, creating unnecessary coupling with unrelated subsystems\n and potentially causing unexpected delays. The dedicated workqueue\n provides a clean, contained teardown path.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260511153102.2640368-1-alexjlzheng@tencent.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "552cc2306c3d87632f44a655737d1d367c2a3295", "tree": "873d43259e428b340f6dd02e6538323674bae4c2", "parents": [ "6624bba469a325ecd699feae400b77cd11c76b98" ], "author": { "name": "Jinliang Zheng", "email": "alexjlzheng@tencent.com", "time": "Mon May 11 23:31:00 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 13 19:03:05 2026 -0700" }, "message": "macsec: use rcu_work to defer TX SA crypto cleanup out of softirq\n\nfree_txsa() is an RCU callback running in softirq context, but calls\ncrypto_free_aead() which can invoke vunmap() internally on hardware\ncrypto drivers (e.g. hisi_sec2), triggering a kernel crash.\n\nUse rcu_work to defer the cleanup to a workqueue, for the same reasons\nas the analogous fix to free_rxsa() in the previous patch.\n\nFixes: c09440f7dcb3 (\"macsec: introduce IEEE 802.1AE driver\")\nSigned-off-by: Jinliang Zheng \u003calexjlzheng@tencent.com\u003e\nReviewed-by: Sabrina Dubroca \u003csd@queasysnail.net\u003e\nLink: https://patch.msgid.link/20260511153102.2640368-4-alexjlzheng@tencent.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "6624bba469a325ecd699feae400b77cd11c76b98", "tree": "65ce055ca2419c650ac1d1201243cff9c2464013", "parents": [ "c6690a9030d784d3f099850800b6d5323771ca37" ], "author": { "name": "Jinliang Zheng", "email": "alexjlzheng@tencent.com", "time": "Mon May 11 23:30:59 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 13 19:03:05 2026 -0700" }, "message": "macsec: use rcu_work to defer RX SA crypto cleanup out of softirq\n\ncrypto_free_aead() can internally invoke vunmap() (e.g. via\ndma_free_attrs() in hardware crypto drivers such as hisi_sec2).\nvunmap() must not be called from softirq context, but free_rxsa()\nis an RCU callback that runs in softirq, leading to a kernel crash:\n\n vunmap+0x4c/0x70\n __iommu_dma_free+0xd0/0x138\n dma_free_attrs+0xf4/0x100\n sec_aead_exit+0x64/0xb8 [hisi_sec2]\n crypto_destroy_tfm+0x98/0x110\n free_rxsa+0x28/0x50 [macsec]\n rcu_do_batch+0x184/0x460\n rcu_core+0xf4/0x1f8\n handle_softirqs+0x118/0x330\n\nUse rcu_work to defer the cleanup to a workqueue. rcu_work dispatches\nthe worker asynchronously after the RCU grace period, so no thread\nblocks waiting, and concurrent releases of multiple SAs naturally\nshare the same grace period.\n\nFixes: c09440f7dcb3 (\"macsec: introduce IEEE 802.1AE driver\")\nSigned-off-by: Jinliang Zheng \u003calexjlzheng@tencent.com\u003e\nReviewed-by: Sabrina Dubroca \u003csd@queasysnail.net\u003e\nLink: https://patch.msgid.link/20260511153102.2640368-3-alexjlzheng@tencent.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "c6690a9030d784d3f099850800b6d5323771ca37", "tree": "3bdf79bdbcbad14264828a7680b1a2822155fa63", "parents": [ "b84c5632c7b31f8910167075a8128cfb9e50fcfe" ], "author": { "name": "Jinliang Zheng", "email": "alexjlzheng@tencent.com", "time": "Mon May 11 23:30:58 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 13 19:03:05 2026 -0700" }, "message": "macsec: introduce dedicated workqueue for SA crypto cleanup\n\nIntroduce a dedicated ordered workqueue, macsec_wq, which will be used\nby subsequent patches to defer SA crypto cleanup (crypto_free_aead and\nrelated teardown) out of softirq context.\n\nUsing a dedicated workqueue instead of system_wq allows macsec_exit()\nto drain exactly the work items belonging to this module via\ndestroy_workqueue(), without interfering with unrelated work items on\nsystem_wq or causing unexpected delays elsewhere.\n\nrcu_barrier() in macsec_exit() ensures all in-flight rcu_work callbacks\nhave enqueued their work items before destroy_workqueue() drains and\ndestroys the queue, making the two-step teardown correct and complete.\nThe same sequence is kept in the error path of macsec_init() as a\nprecaution, to mirror macsec_exit() and stay safe if work ever becomes\nqueueable before this point in the future.\n\nWhile at it, rename the error labels in macsec_init() from the\nresource-named style (rtnl:, notifier:, wq:) to the err_xxx: style\n(err_rtnl:, err_notifier:, err_destroy_wq:) to align with the broader\nkernel convention.\n\nSigned-off-by: Jinliang Zheng \u003calexjlzheng@tencent.com\u003e\nReviewed-by: Sabrina Dubroca \u003csd@queasysnail.net\u003e\nLink: https://patch.msgid.link/20260511153102.2640368-2-alexjlzheng@tencent.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "b84c5632c7b31f8910167075a8128cfb9e50fcfe", "tree": "93f8348aed93e8d2921a14468aeed5b511d6eb33", "parents": [ "9a390d34d55cb4ecbca4981c660dd95440827c70" ], "author": { "name": "Faicker Mo", "email": "faicker.mo@gmail.com", "time": "Mon May 11 22:05:51 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 13 19:01:03 2026 -0700" }, "message": "net: net_failover: Fix the deadlock in slave register\n\nThere is netdev_lock_ops() before the NETDEV_REGISTER notifier\nin register_netdevice(), so use the non-locking functions\nin net_failover_slave_register().\nfailover_slave_register() in failover_existing_slave_register() adds lock\nand unlock ops too.\n\nCall Trace:\n \u003cTASK\u003e\n __schedule+0x30d/0x7a0\n schedule+0x27/0x90\n schedule_preempt_disabled+0x15/0x30\n __mutex_lock.constprop.0+0x538/0x9e0\n __mutex_lock_slowpath+0x13/0x20\n mutex_lock+0x3b/0x50\n dev_set_mtu+0x40/0xe0\n net_failover_slave_register+0x24/0x280\n failover_slave_register+0x103/0x1b0\n failover_event+0x15e/0x210\n ? dropmon_net_event+0xac/0xe0\n notifier_call_chain+0x5e/0xe0\n raw_notifier_call_chain+0x16/0x30\n call_netdevice_notifiers_info+0x52/0xa0\n register_netdevice+0x5f4/0x7c0\n register_netdev+0x1e/0x40\n _mlx5e_probe+0xe2/0x370 [mlx5_core]\n mlx5e_probe+0x59/0x70 [mlx5_core]\n ? __pfx_mlx5e_probe+0x10/0x10 [mlx5_core]\n\nFixes: 4c975fd70002 (\"net: hold instance lock during NETDEV_REGISTER/UP\")\nSigned-off-by: Faicker Mo \u003cfaicker.mo@gmail.com\u003e\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "9a390d34d55cb4ecbca4981c660dd95440827c70", "tree": "d2746e8321cea714cdbf23a26d829930600b3bfb", "parents": [ "59afae20080a9681014bdc87897cbfd30bedd261" ], "author": { "name": "Sukhdeep Singh", "email": "sukhdeeps@marvell.com", "time": "Tue May 12 18:27:11 2026 +0530" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 13 18:09:52 2026 -0700" }, "message": "MAINTAINERS: update atlantic driver maintainer\n\nIgor Russkikh and Egor Pomozov have left Marvell.\nTake over maintenance of the atlantic driver and its PTP subsystem.\n\nSigned-off-by: Sukhdeep Singh \u003csukhdeeps@marvell.com\u003e\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "59afae20080a9681014bdc87897cbfd30bedd261", "tree": "c0a384bd7062f7c0d78868f35bb51277c3a4d9cb", "parents": [ "320fb29ea23cfa1aeef32563da8748247db896ea" ], "author": { "name": "Victor Nogueira", "email": "victor@mojatatu.com", "time": "Mon May 11 14:30:58 2026 -0400" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 13 17:53:39 2026 -0700" }, "message": "selftests/tc-testing: Add QFQ/CBS qlen underflow test\n\nSince CBS was not calling reset for its child qdisc, there are scenarios\nwhere it could cause an underflow on its parent\u0027s qlen/backlog. When the\nparent is QFQ, a null-ptr deref could occur.\n\nAdd a test case that reproduces the underflow followed by a null-ptr\nderef scenario.\n\nAcked-by: Jamal Hadi Salim \u003cjhs@mojatatu.com\u003e\nSigned-off-by: Victor Nogueira \u003cvictor@mojatatu.com\u003e\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "320fb29ea23cfa1aeef32563da8748247db896ea", "tree": "1c6a24c1cc7373397a9da3e1baeb041a036c8b3c", "parents": [ "4694efc4164123580f19467141cdcfb73f7a740a" ], "author": { "name": "Jamal Hadi Salim", "email": "jhs@mojatatu.com", "time": "Mon May 11 14:30:57 2026 -0400" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 13 17:53:39 2026 -0700" }, "message": "net/sched: sch_cbs: Call qdisc_reset for child qdisc\n\nDuring a reset, CBS is not calling reset on its child qdisc, which\nmight cause qlen/backlog accounting issues. For example, if we have CBS\nwith a QFQ parent and a netem child with delay, we can create a scenario\nwhere the parent\u0027s qlen underflows. QFQ, specifically, uses qlen to\ncheck whether it should deference a pointer, so this scenario may cause\na null-ptr deref in QFQ:\n\n[ 43.875639][ T319] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000009: 0000 [#1] SMP KASAN NOPTI\n[ 43.876124][ T319] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f]\n[ 43.876417][ T319] CPU: 10 UID: 0 PID: 319 Comm: ping Not tainted 7.0.0-13039-ge728258debd5 #773 PREEMPT(full)\n[ 43.876751][ T319] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n[ 43.876949][ T319] RIP: 0010:qfq_dequeue+0x35c/0x1650\n[ 43.877123][ T319] Code: 00 fc ff df 80 3c 02 00 0f 85 17 0e 00 00 4c 8d 73 48 48 89 9d b8 02 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 76 0c 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b\n[ 43.877648][ T319] RSP: 0018:ffff8881017ef4f0 EFLAGS: 00010216\n[ 43.877845][ T319] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: dffffc0000000000\n[ 43.878073][ T319] RDX: 0000000000000009 RSI: 0000000c40000000 RDI: ffff88810eef02b0\n[ 43.878306][ T319] RBP: ffff88810eef0000 R08: ffff88810eef0280 R09: 1ffff1102120fd63\n[ 43.878523][ T319] R10: 1ffff1102120fd66 R11: 1ffff1102120fd67 R12: 0000000c40000000\n[ 43.878742][ T319] R13: ffff88810eef02b8 R14: 0000000000000048 R15: 0000000020000000\n[ 43.878959][ T319] FS: 00007f9c51c47c40(0000) GS:ffff88817a0be000(0000) knlGS:0000000000000000\n[ 43.879214][ T319] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 43.879403][ T319] CR2: 000055e69a2230a8 CR3: 000000010c07a000 CR4: 0000000000750ef0\n[ 43.879621][ T319] PKRU: 55555554\n[ 43.879735][ T319] Call Trace:\n[ 43.879844][ T319] \u003cTASK\u003e\n[ 43.879924][ T319] __qdisc_run+0x169/0x1900\n[ 43.880075][ T319] ? dev_qdisc_enqueue+0x8b/0x210\n[ 43.880222][ T319] __dev_queue_xmit+0x2346/0x37a0\n[ 43.880376][ T319] ? register_lock_class+0x3f/0x800\n[ 43.880531][ T319] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 43.880684][ T319] ? __pfx___dev_queue_xmit+0x10/0x10\n[ 43.880834][ T319] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 43.880977][ T319] ? __lock_acquire+0x819/0x1df0\n[ 43.881124][ T319] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 43.881275][ T319] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 43.881418][ T319] ? __asan_memcpy+0x3c/0x60\n[ 43.881563][ T319] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 43.881708][ T319] ? eth_header+0x165/0x1a0\n[ 43.881853][ T319] ? lockdep_hardirqs_on_prepare+0xdb/0x1a0\n[ 43.882031][ T319] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 43.882174][ T319] ? neigh_resolve_output+0x3cc/0x7e0\n[ 43.882325][ T319] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 43.882471][ T319] ip_finish_output2+0x6b6/0x1e10\n\nFix this by calling qdisc_reset for CBS\u0027 child qdisc.\nSashiko caught an issue which could result in a null ptr deref if\nqdisc_create_dflt() is invoked on an unitialised cbs qdisc which is exposed\nby this patch. We add an early return if the qdisc is null to address this.\nThis is a similar approach used by two other fixes[1][2].\n\nThe proper fix for this specific issue elucidated by sashiko is to remove\nthe call to qdisc_reset when qdisc_create_dflt fails. Since the dflt qdisc\nisn\u0027t attached anywhere yet at that point, calling the reset callback doesn\u0027t\nmake much sense (and as stated has been a source of two other bugs).\nWe plan on submitting this fix in a later patch.\n[1] https://lore.kernel.org/netdev/20221018063201.306474-2-shaozhengchao@huawei.com/\n[2] https://lore.kernel.org/netdev/20221018063201.306474-4-shaozhengchao@huawei.com/\n\nFixes: 585d763af09c (\"net/sched: Introduce Credit Based Shaper (CBS) qdisc\")\nReported-by: Junyoung Jang \u003cgraypanda.inzag@gmail.com\u003e\nTested-by: Junyoung Jang \u003cgraypanda.inzag@gmail.com\u003e\nTested-by: Victor Nogueira \u003cvictor@mojatatu.com\u003e\nAcked-by: Vinicius Costa Gomes \u003cvinicius.gomes@intel.com\u003e\nSigned-off-by: Jamal Hadi Salim \u003cjhs@mojatatu.com\u003e\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "4694efc4164123580f19467141cdcfb73f7a740a", "tree": "b6357916d39f9c6dd9bbb578f27654c3fecf937e", "parents": [ "f5b2772d14884f4be9e718644f1203d4d0e6f0d6" ], "author": { "name": "Maciej W. Rozycki", "email": "macro@orcam.me.uk", "time": "Sat May 09 22:04:50 2026 +0100" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 13 17:31:01 2026 -0700" }, "message": "FDDI: defza: Sanitise the reset safety timer\n\nThe reset actions of the DEFZA adapters are exceedingly slow, taking up\nto 30 seconds to complete by the device spec and typically in the range\nof 10 seconds in reality, as required for the device RTOS to boot, still\nquite a lot. Therefore a state machine is used that\u0027s interrupt driven,\nhowever a safety mechanism is required in case of adapter malfunction,\nso that if no state change interrupt has arrived in time, then the\nsituation is taken care of.\n\nThe safety mechanism depends on the origin of the reset. For regular\nadapter initialisation at the device probe time a sleep is requested.\nHowever a reset is also required by the device spec when the adapter has\ntransitioned into the halted state, such as in response to a PC Trace\nevent in the course of ring fault recovery, possibly a common network\nevent. In that case no sleep is possible as a device halt is reported\nat the hardirq level.\n\nA timer is therefore set up to ensure progress in case no adapter state\nchange interrupt has arrived in time, but as from commit 168f6b6ffbee\n(\"timers: Use del_timer_sync() even on UP\") a warning is issued as the\ntimer is deleted in the hardirq handler upon an expected state change:\n\n defza: v.1.1.4 Oct 6 2018 Maciej W. Rozycki\n tc2: DEC FDDIcontroller 700 or 700-C at 0x18000000, irq 4\n tc2: resetting the board...\n ------------[ cut here ]------------\n WARNING: kernel/time/timer.c:1611 at __timer_delete_sync+0x104/0x120, CPU#0: swapper/0/0\n Modules linked in:\n CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 7.0.0-dirty #2 VOLUNTARY\n Stack : 9800000002027d08 00000000140120e0 0000000000000000 ffffffff8089d468\n 0000000000000000 0000000000000000 ffffffff807ed6b8 ffffffff80897458\n ffffffff80897400 9800000002027b88 0000000000000000 7070617773203a6d\n 0000000000000000 9800000002027ba4 0000000000001000 6465746e69617420\n 0000000000000000 ffffffff807ed6b8 00000000140120e0 0000000000000009\n 000000000000064b ffffffff800dd14c 0000000000000036 9800000002184000\n 0000000000000000 0000000000000020 0000000000000000 ffffffff80910000\n ffffffff8085c000 9800000002027c70 0000000000000001 ffffffff80045fa0\n 0000000000000000 0000000000000000 0000000000000000 0000000000000009\n 000000000000064b ffffffff800502b8 ffffffff807ed6b8 ffffffff80045fa0\n ...\n Call Trace:\n [\u003cffffffff800502b8\u003e] show_stack+0x28/0xf0\n [\u003cffffffff80045fa0\u003e] dump_stack_lvl+0x48/0x7c\n [\u003cffffffff80068c98\u003e] __warn+0xa0/0x128\n [\u003cffffffff8004120c\u003e] warn_slowpath_fmt+0x64/0xa4\n [\u003cffffffff800dd14c\u003e] __timer_delete_sync+0x104/0x120\n [\u003cffffffff804934ac\u003e] fza_interrupt+0xc74/0xeb8\n [\u003cffffffff800c6390\u003e] __handle_irq_event_percpu+0x70/0x228\n [\u003cffffffff800c6560\u003e] handle_irq_event_percpu+0x18/0x78\n [\u003cffffffff800cc320\u003e] handle_percpu_irq+0x50/0x80\n [\u003cffffffff800c5970\u003e] generic_handle_irq+0x90/0xd0\n [\u003cffffffff806e956c\u003e] do_IRQ+0x1c/0x30\n [\u003cffffffff8004ad4c\u003e] handle_int+0x148/0x154\n [\u003cffffffff800ab7c0\u003e] do_idle+0x40/0x108\n [\u003cffffffff800abb0c\u003e] cpu_startup_entry+0x2c/0x38\n [\u003cffffffff806dfec8\u003e] kernel_init+0x0/0x108\n\n ---[ end trace 0000000000000000 ]---\n tc2: OK\n tc2: model 700 (DEFZA-AA), MMF PMD, address 08-00-2b-xx-xx-xx\n tc2: ROM rev. 1.0, firmware rev. 1.2, RMC rev. A, SMT ver. 1\n tc2: link unavailable\n ------------[ cut here ]------------\n WARNING: kernel/time/timer.c:1611 at __timer_delete_sync+0x104/0x120, CPU#0: swapper/0/0\n Modules linked in:\n CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G W 7.0.0-dirty #2 VOLUNTARY\n Tainted: [W]\u003dWARN\n Stack : 9800000002027d08 00000000140120e0 0000000000000000 ffffffff8089d468\n 0000000000000000 0000000000000000 ffffffff807ed6b8 ffffffff80897458\n ffffffff80897400 9800000002027b88 0000000000000000 0000000000000000\n 0000000000000000 9800000002027ba4 0000000000001000 0000000000000000\n 0000000000000000 ffffffff807ed6b8 00000000140120e0 0000000000000009\n 000000000000064b ffffffff800dd14c 0000000000000036 9800000002184000\n 0000000000000000 0000000000000020 0000000000000000 ffffffff80910000\n ffffffff8085c000 9800000002027c70 0000000000000001 ffffffff80045fa0\n 0000000000000000 0000000000000000 0000000000000000 0000000000000009\n 000000000000064b ffffffff800502b8 ffffffff807ed6b8 ffffffff80045fa0\n ...\n Call Trace:\n [\u003cffffffff800502b8\u003e] show_stack+0x28/0xf0\n [\u003cffffffff80045fa0\u003e] dump_stack_lvl+0x48/0x7c\n [\u003cffffffff80068c98\u003e] __warn+0xa0/0x128\n [\u003cffffffff8004120c\u003e] warn_slowpath_fmt+0x64/0xa4\n [\u003cffffffff800dd14c\u003e] __timer_delete_sync+0x104/0x120\n [\u003cffffffff804934ac\u003e] fza_interrupt+0xc74/0xeb8\n [\u003cffffffff800c6390\u003e] __handle_irq_event_percpu+0x70/0x228\n [\u003cffffffff800c6560\u003e] handle_irq_event_percpu+0x18/0x78\n [\u003cffffffff800cc320\u003e] handle_percpu_irq+0x50/0x80\n [\u003cffffffff800c5970\u003e] generic_handle_irq+0x90/0xd0\n [\u003cffffffff806e956c\u003e] do_IRQ+0x1c/0x30\n [\u003cffffffff8004ad4c\u003e] handle_int+0x148/0x154\n [\u003cffffffff806de8a4\u003e] arch_local_irq_disable+0x4/0x28\n [\u003cffffffff800ab7d0\u003e] do_idle+0x50/0x108\n [\u003cffffffff800abb0c\u003e] cpu_startup_entry+0x2c/0x38\n [\u003cffffffff806dfec8\u003e] kernel_init+0x0/0x108\n\n ---[ end trace 0000000000000000 ]---\n tc2: registered as fddi0\n\nThe immediate origin of the new warning is the switch away from aliasing\ndel_timer_sync() to del_timer() (timer_delete_sync() to timer_delete()\nin terms of current function names) for UP configurations, which however\nis the only choice for this driver anyway as no SMP hardware supports\nthe TURBOchannel bus this device interfaces to. Therefore there is a\nvery remote issue only this is a sign of.\n\nSpecifically if an adapter reset issued upon a transition to the halted\nstate times out and first triggers fza_reset_timer() for another reset\nassertion, which then schedules fza_reset_timer() for reset deassertion\nand then that second call is pre-empted after poking at the hardware,\nbut before the timer has been rearmed and owing to high system load\ncausing exceedingly high scheduling latency control is not handed back\nbefore a transition to the uninitialised state has caused the timer to\nbe deleted even before it has been started, then fza_reset_timer() will\nbe called yet again and issue another reset even though by then the\nadapter has already recovered.\n\nPrevent this situation from happening by switching to timer_delete() for\nthe transition to the halted state and protect the code region affected\nwith a spinlock, also to make sure add_timer() has not been called twice\nin a row due to an execution race between the interrupt handler and the\ntimer handler (though it could only happen on SMP, but let\u0027s keep the\ndriver clean). It\u0027s a very unlikely sequence of events to happen and\ntherefore there\u0027s no point in trying to be overly clever about it, such\nas by placing printk() calls outside the protection. For the transition\nto the uninitialised state switch to timer_delete_sync_try() instead, so\nthat a timer isn\u0027t deleted that\u0027s just been rearmed by the timer handler\nand needs to watch for the device to come out of reset again (again, an\nSMP scenario only).\n\nRetain timer_delete_sync() invocations outside the hardirq context for a\nstray timer not to fire once device structures have been released.\n\nFixes: 61414f5ec9834 (\"FDDI: defza: Add support for DEC FDDIcontroller 700 TURBOchannel adapter\")\nSigned-off-by: Maciej W. Rozycki \u003cmacro@orcam.me.uk\u003e\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "59a62ea4583e0f740bb3576ec210b23f39754327", "tree": "504e173e8e0ef5974eea3ca2f31a7ea59706f11f", "parents": [ "0913b580f8490caaaf08dd1591e0bc07ac2720cb", "6ae315d37924435516d697ea7dde0b799a5928e0" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed May 13 15:00:40 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed May 13 15:00:40 2026 -0700" }, "message": "Merge tag \u0027sched_ext-for-7.1-rc3-fixes\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tj/sched_ext\n\nPull sched_ext fixes from Tejun Heo:\n \"The bulk of this is hardening of the new sub-scheduler infrastructure.\n\n - UAFs and lifecycle bugs on the sub-sched attach/detach paths:\n parent sub_kset freed under a racing child, list_del_rcu on an\n uninitialized list head, ops-\u003epriv stomped by concurrent\n attach/detach, and a UAF in the init-failure error path\n\n - Task state-machine reorg closing concurrent enable-vs-dead races: a\n task exiting during the unlocked init window could trip NULL ops\n derefs or skip exit_task() cleanup\n\n - A scx_link_sched() self-deadlock on scx_sched_lock\n\n - isolcpus: stop dereferencing the now-RCU-protected HK_TYPE_DOMAIN\n cpumask without RCU, and stop rejecting BPF schedulers when only\n cpuset isolated partitions are active\n\n - PREEMPT_RT: disable irq_work runs in hardirq context so dumps show\n the failing task rather than the irq_work kthread\n\n - Assorted !CONFIG_EXT_SUB_SCHED, randconfig, and selftest build\n fixes\"\n\n* tag \u0027sched_ext-for-7.1-rc3-fixes\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tj/sched_ext:\n sched_ext: Use HK_TYPE_DOMAIN_BOOT to detect isolcpus\u003d domain isolation\n sched_ext: Defer sub_kset base put to scx_sched_free_rcu_work\n sched_ext: INIT_LIST_HEAD() \u0026sch-\u003eall in scx_alloc_and_add_sched()\n sched_ext: Drop NONE early return in scx_disable_and_exit_task()\n sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path\n sched_ext: Clear ops-\u003epriv on scx_alloc_and_add_sched() error paths\n sched_ext: Fix ops-\u003epriv clobber on concurrent attach/detach\n selftests/sched_ext: Fix build error in dequeue selftest\n sched_ext: Handle SCX_TASK_NONE in disable/switched_from paths\n sched_ext: Close sub-sched init race with post-init DEAD recheck\n sched_ext: Close root-enable vs sched_ext_dead() race with SCX_TASK_INIT_BEGIN\n sched_ext: Replace SCX_TASK_OFF_TASKS flag with SCX_TASK_DEAD state\n sched_ext: Inline scx_init_task() and move RESET_RUNNABLE_AT into scx_set_task_state()\n sched_ext: Cleanups in preparation for the SCX_TASK_INIT_BEGIN/DEAD work\n sched_ext: Use IRQ_WORK_INIT_HARD() to initialize sch-\u003edisable_irq_work\n sched_ext: Fix !CONFIG_EXT_SUB_SCHED build warnings\n sched_ext: Drop unused scx_find_sub_sched() stub\n sched_ext: Move scx_error() out of scx_link_sched()\u0027s lock region\n" }, { "commit": "0913b580f8490caaaf08dd1591e0bc07ac2720cb", "tree": "aaee3cf066bad7320ee688f240d4a32d18d649d1", "parents": [ "50599e4c68eeea2cb635e763c9c5befa6dc9ab6d", "345f40166694e60db6d5cf02233814bb27ac5dec" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed May 13 14:56:31 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed May 13 14:56:31 2026 -0700" }, "message": "Merge tag \u0027cgroup-for-7.1-rc3-fixes\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup\n\nPull cgroup fixes from Tejun Heo:\n\n - cpuset fixes:\n - Partition invalidation could return CPUs still in use by sibling\n partitions, producing overlapping effective_cpus\n - cpuset_can_attach() over-reserved DL bandwidth on moves that\n stayed within the same root domain\n - Pending DL migration state leaked into later attaches when a\n later can_attach() check failed\n - Reorder PF_EXITING and __GFP_HARDWALL checks so dying tasks can\n allocate from any node and exit quickly\n\n - dmem: propagate -ENOMEM instead of spinning forever when the fallback\n pool allocation also fails\n\n - selftests/cgroup: percpu test error-path leak, bogus numeric\n comparison of cpuset strings, and a zero-length read() that silently\n passed OOM-kill tests\n\n* tag \u0027cgroup-for-7.1-rc3-fixes\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:\n cgroup/cpuset: Return only actually allocated CPUs during partition invalidation\n selftests/cgroup: Fix error path leaks in test_percpu_basic\n cgroup/cpuset: Reserve DL bandwidth only for root-domain moves\n cgroup/cpuset: Reset DL migration state on can_attach() failure\n selftests/cgroup: Fix string comparison in write_test\n selftests/cgroup: Fix cg_read_strcmp() empty string comparison\n cgroup/dmem: Return -ENOMEM on failed pool preallocation\n cgroup/cpuset: move PF_EXITING check before __GFP_HARDWALL in cpuset_current_node_allowed()\n" }, { "commit": "50599e4c68eeea2cb635e763c9c5befa6dc9ab6d", "tree": "2104a318d8843b78c95273148850f4f11a0ededb", "parents": [ "e1914add2799225a87502051415fc5c32aeb02ae", "0143033dc22cdff912cfc13419f5db92fea3b4cb" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed May 13 14:49:13 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed May 13 14:49:13 2026 -0700" }, "message": "Merge tag \u0027wq-for-7.1-rc3-fixes\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq\n\nPull workqueue fixes from Tejun Heo:\n\n - Plug a wq-\u003ecpu_pwq leak on the WQ_UNBOUND allocation failure path\n\n - Fix a cancel_delayed_work_sync() livelock against drain_workqueue()\n caused by the drain/destroy reject path leaving WORK_STRUCT_PENDING\n set with no owner\n\n* tag \u0027wq-for-7.1-rc3-fixes\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq:\n workqueue: Fix wq-\u003ecpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path\n workqueue: Release PENDING in __queue_work() drain/destroy reject path\n" }, { "commit": "6ae315d37924435516d697ea7dde0b799a5928e0", "tree": "c73ac9805b64864cded6d8edb39e5b6024c4dea6", "parents": [ "cceb874eee46fe4b3d3c6c496f19125d9a3a9a8f" ], "author": { "name": "Andrea Righi", "email": "arighi@nvidia.com", "time": "Wed May 13 13:24:38 2026 +0200" }, "committer": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Wed May 13 10:02:57 2026 -1000" }, "message": "sched_ext: Use HK_TYPE_DOMAIN_BOOT to detect isolcpus\u003d domain isolation\n\nscx_enable() refuses to attach a BPF scheduler when isolcpus\u003ddomain is\nin effect by comparing housekeeping_cpumask(HK_TYPE_DOMAIN) against\ncpu_possible_mask.\n\nSince commit 27c3a5967f05 (\"sched/isolation: Convert housekeeping\ncpumasks to rcu pointers\"), HK_TYPE_DOMAIN\u0027s cpumask is RCU protected\nand dereferencing it requires either RCU read lock, the cpu_hotplug\nwrite lock, or the cpuset lock; scx_enable() holds none of these, so\nbooting with isolcpus\u003ddomain and attaching any BPF scheduler triggers\nthe following lockdep splat:\n\n \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n WARNING: suspicious RCU usage\n -----------------------------\n kernel/sched/isolation.c:60 suspicious rcu_dereference_check() usage!\n\n 1 lock held by scx_flash/281:\n #0: ffffffff8379fce0 (update_mutex){+.+.}-{4:4}, at:\n bpf_struct_ops_link_create+0x134/0x1c0\n\n Call Trace:\n dump_stack_lvl+0x6f/0xb0\n lockdep_rcu_suspicious.cold+0x37/0x70\n housekeeping_cpumask+0xcd/0xe0\n scx_enable.isra.0+0x17/0x120\n bpf_scx_reg+0x5e/0x80\n bpf_struct_ops_link_create+0x151/0x1c0\n __sys_bpf+0x1e4b/0x33c0\n __x64_sys_bpf+0x21/0x30\n do_syscall_64+0x117/0xf80\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nIn addition, commit 03ff73510169 (\"cpuset: Update HK_TYPE_DOMAIN cpumask\nfrom cpuset\") made HK_TYPE_DOMAIN include cpuset isolated partitions as\nwell, which means the current check also rejects BPF schedulers when a\ncpuset partition is active. That contradicts the original intent of\ncommit 9f391f94a173 (\"sched_ext: Disallow loading BPF scheduler if\nisolcpus\u003d domain isolation is in effect\"), which explicitly noted that\ncpuset partitions are honored through per-task cpumasks and should not\nbe rejected.\n\nSwitch to housekeeping_enabled(HK_TYPE_DOMAIN_BOOT), which reads only\nthe housekeeping flag bit (no RCU dereference) and reflects exactly the\nboot-time isolcpus\u003d configuration that the error message refers to.\n\nFixes: 27c3a5967f05 (\"sched/isolation: Convert housekeeping cpumasks to rcu pointers\")\nCc: stable@vger.kernel.org # v7.0+\nSigned-off-by: Andrea Righi \u003carighi@nvidia.com\u003e\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nAcked-by: Frederic Weisbecker \u003cfrederic@kernel.org\u003e\n" }, { "commit": "345f40166694e60db6d5cf02233814bb27ac5dec", "tree": "1fdc115462a7494afb6797ff5d8ab45571f04b01", "parents": [ "7d8f3158a51cb40fc710d2a781549141a139b796" ], "author": { "name": "sunshaojie", "email": "sunshaojie@kylinos.cn", "time": "Wed May 13 18:37:38 2026 +0800" }, "committer": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Wed May 13 08:54:53 2026 -1000" }, "message": "cgroup/cpuset: Return only actually allocated CPUs during partition invalidation\n\nIn update_parent_effective_cpumask() with partcmd_invalidate, the CPUs\nto return to the parent are computed as:\n\n adding \u003d cpumask_and(tmp-\u003eaddmask, xcpus, parent-\u003eeffective_xcpus);\n\nwhere xcpus \u003d user_xcpus(cs) which returns cs-\u003eexclusive_cpus (if set)\nor cs-\u003ecpus_allowed. When exclusive_cpus is not set, user_xcpus(cs) can\ncontain CPUs that were never actually granted to the partition due to\nsibling exclusion in compute_excpus(). Consequently, the invalidation\nmay return CPUs to the parent that remain in use by sibling partitions,\ncausing overlapping effective_cpus and triggering the\nWARN_ON_ONCE(1) in generate_sched_domains().\n\nUse cs-\u003eeffective_xcpus instead, which reflects the CPUs actually\ngranted to this partition.\n\nReproducer (on a 4-CPU machine):\n\n cd /sys/fs/cgroup\n mkdir a1 b1\n\n # a1 becomes partition root with CPUs 0-1\n echo \"0-1\" \u003e a1/cpuset.cpus\n echo \"root\" \u003e a1/cpuset.cpus.partition\n\n # b1 becomes partition root with CPUs 1-2, but sibling exclusion\n # reduces its effective_xcpus to CPU 2 only\n echo \"1-2\" \u003e b1/cpuset.cpus\n echo \"root\" \u003e b1/cpuset.cpus.partition\n\n # b1 changes cpus_allowed to 0-1 -\u003e partition invalidation\n echo \"0-1\" \u003e b1/cpuset.cpus\n\n # Expected: CPUs 2-3 (only CPU 2 returned from b1)\n # Actual: CPUs 1-3 (CPU 0-1 returned, overlapping with a1)\n cat cpuset.cpus.effective\n\ndmesg will also show a WARNING from generate_sched_domains() reporting\noverlapping partition root effective_cpus.\n\nFixes: 2a3602030d80 (\"cgroup/cpuset: Don\u0027t invalidate sibling partitions on cpuset.cpus conflict\")\nCc: stable@vger.kernel.org # v7.0+\nSigned-off-by: sunshaojie \u003csunshaojie@kylinos.cn\u003e\nTested-by: Chen Ridong \u003cchenridong@huaweicloud.com\u003e\nReviewed-by: Chen Ridong \u003cchenridong@huaweicloud.com\u003e\nReviewed-by: Waiman Long \u003clongman@redhat.com\u003e\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\n" }, { "commit": "e1914add2799225a87502051415fc5c32aeb02ae", "tree": "d7a14aed6faf4e13febde2ef037cff7e545ad4a4", "parents": [ "1f63dd8ca0dc05a8272bb8155f643c691d29bb11", "2d5d3fc593c9b7e41bee86175d7b9e11f470072e" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed May 13 11:53:51 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed May 13 11:53:51 2026 -0700" }, "message": "Merge tag \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/virt/kvm/kvm\n\nPull kvm fixes from Paolo Bonzini:\n \"arm64:\n\n - Add the pKVM side of the workaround for ARM\u0027s erratum 4193714,\n provided that the EL3 firmware does its part of the job. KVM will\n refuse to initialise otherwise\n\n - Correctly handle 52bit VAs for guest EL2 stage-1 translations when\n running under NV with E2H\u003d\u003d0\n\n - Correctly deal with permission faults in guest_memfd memslots\n\n - Fix the steal-time selftest after the infrastructure was reworked\n\n - Make sure the host cannot pass a non-sensical clock update to the\n EL2 tracing infrastructure\n\n - Appoint Steffen Eiden as a reviewer in anticipation of the KVM/s390\n ability to run arm64 guests, which will inevitably lead to arm64\n code being directly used on s390\n\n - Make sure that EL2 is configured with both exception entry and exit\n being Context Synchronization Events\n\n - Handle the current vcpu being NULL on EL2 panic\n\n - Fix the selftest_vcpu memcache being empty at the point of donation\n or sharing\n\n - Check that the memcache has enough capacity before engaging on the\n share/donate path\n\n - Fix __deactivate_fgt() to use its parameter rather than a variable\n in the macro context\n\n s390:\n\n - Fix array overrun with large amounts of PCI devices\n\n x86:\n\n - Never use L0\u0027s PAUSE loop exiting while L2 is running, since it\u0027s\n unlikely that a nested guest will help solving the hypervisor\u0027s\n spinlock contention\n\n - Fix emulation of MOVNTDQA\n\n - Fix typo in Xen hypercall tracepoint\n\n - Add back an optimization that was left behind when recently fixing\n a bug\n\n - Add module parameter to disable CET, whose implementation seems to\n have issues. For now it remains enabled by default\n\n Generic:\n\n - Reject offset causing an unsigned overflow in kvm_reset_dirty_gfn()\n\n Documentation:\n\n - Update stale links\n\n Selftests:\n\n - Fix guest_memfd_test with host page size \u003e guest page size\"\n\n* tag \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/virt/kvm/kvm: (22 commits)\n KVM: VMX: introduce module parameter to disable CET\n KVM: x86: Swap the dst and src operand for MOVNTDQA\n KVM: x86: use again the flush argument of __link_shadow_page()\n KVM: selftests: Ensure gmem file sizes are multiple of host page size\n Documentation: kvm: update links in the references section of AMD Memory Encryption\n KVM: nSVM: Never use L0\u0027s PAUSE loop exiting while L2 is running\n KVM: x86: Fix Xen hypercall tracepoint argument assignment\n KVM: Reject wrapped offset in kvm_reset_dirty_gfn()\n KVM: arm64: Pre-check vcpu memcache for host-\u003eguest donate\n KVM: arm64: Pre-check vcpu memcache for host-\u003eguest share\n KVM: arm64: Seed pkvm_ownership_selftest vcpu memcache\n KVM: arm64: Fix __deactivate_fgt macro parameter typo\n KVM: arm64: Guard against NULL vcpu on VHE hyp panic path\n KVM: arm64: Make EL2 exception entry and exit context-synchronization events\n MAINTAINERS: Add Steffen as reviewer for KVM/arm64\n KVM: arm64: Remove potential UB on nvhe tracing clock update\n KVM: selftests: arm64: Fix steal_time test after UAPI refactoring\n KVM: arm64: Handle permission faults with guest_memfd\n KVM: arm64: nv: Consider the DS bit when translating TCR_EL2\n KVM: arm64: Work around C1-Pro erratum 4193714 for protected guests\n ...\n" }, { "commit": "7d8f3158a51cb40fc710d2a781549141a139b796", "tree": "a11cee7e4edaf151928ca083230ab50ca0b3ce1e", "parents": [ "5dd74441cbf42c22e874450eb6a6bbb19390a216" ], "author": { "name": "Yu Miao", "email": "yumiao@kylinos.cn", "time": "Wed May 13 10:39:07 2026 +0800" }, "committer": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Wed May 13 08:40:52 2026 -1000" }, "message": "selftests/cgroup: Fix error path leaks in test_percpu_basic\n\nWhen cg_name_indexed() returns NULL partway through the child creation\nloop, the code returned -1 without running cleanup_children and cleanup.\nThat left the `parent` pathname allocation unreleased and did not remove\nchild cgroup directories already created under the parent. Fix by jumping\nto cleanup_children instead of returning.\n\nWhen cg_create() fails, `child` (the pathname from cg_name_indexed())\nwas not freed before cleanup_children. Fix by freeing `child` before\nbranching to cleanup_children.\n\nFixes: 90631e1dea55 (\"kselftests: cgroup: add perpcu memory accounting test\")\nSigned-off-by: Yu Miao \u003cyumiao@kylinos.cn\u003e\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\n" }, { "commit": "1f63dd8ca0dc05a8272bb8155f643c691d29bb11", "tree": "5d648c12ce19c8b1ad6fddcc99eed94ceb2db27c", "parents": [ "1d5dcaa3bd65f2e8c9baa14a393d3a2dc5db7524", "7b0b68b2b95606e65594958686833e53423f58f2" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed May 13 08:24:50 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed May 13 08:24:50 2026 -0700" }, "message": "Merge tag \u0027fixes-2026-05-13\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/liveupdate/linux\n\nPull liveupdate fixes from Mike Rapoport:\n \"A few fixes for kexec handover and liveupdate:\n\n - make sure KHO is skipped for crash kernel\n\n - fix error reporting in memfd preservation if it fails mid-loop\n\n - don\u0027t allow preserving memfds whose page count exceeds UINT_MAX\n\n - fix documentation of memfd seals preservation to match the code\"\n\n* tag \u0027fixes-2026-05-13\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/liveupdate/linux:\n mm/memfd_luo: document preservation of file seals\n mm/memfd_luo: reject memfds whose page count exceeds UINT_MAX\n mm/memfd_luo: report error when restoring a folio fails mid-loop\n kho: skip KHO for crash kernel\n" }, { "commit": "2d5d3fc593c9b7e41bee86175d7b9e11f470072e", "tree": "922f07d93ba736ab6c2a5d3af7c9b717420c505c", "parents": [ "ef7e0c51d9c4b029d2f9b20bee1a94ba1b3356d5" ], "author": { "name": "Paolo Bonzini", "email": "pbonzini@redhat.com", "time": "Tue May 12 16:58:48 2026 +0200" }, "committer": { "name": "Paolo Bonzini", "email": "pbonzini@redhat.com", "time": "Wed May 13 15:38:22 2026 +0200" }, "message": "KVM: VMX: introduce module parameter to disable CET\n\nThere have been reports of host hangs caused by CET virtualization.\nUntil these are analyzed further, introduce a module parameter that\nmakes it possible to easily disable it.\n\nLink: https://lore.kernel.org/all/85548beb-1486-40f9-beb4-632c78e3360b@proxmox.com/\nCc: David Riley \u003cd.riley@proxmox.com\u003e\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\n" }, { "commit": "f5b2772d14884f4be9e718644f1203d4d0e6f0d6", "tree": "b92bd687ae2d87cd8846301223d064bc8d41a618", "parents": [ "3d042592ebd4c7e44974d556de0b727cb7db4dab" ], "author": { "name": "Niklas Söderlund", "email": "niklas.soderlund+renesas@ragnatech.se", "time": "Sun May 10 12:30:17 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 12 18:46:19 2026 -0700" }, "message": "net: ethernet: ravb: Do not check URAM suspension when WoL is active\n\nWhen updating the driver to match latest datasheet to suspend access to\nURAM when suspending DMA transfers a corner-case was missed, URAM access\nwill not be suspended if WoL is enabled. This lead to the error message\n(correctly) being triggered as URAM access is not suspended even tho\nit\u0027s requested as part of stopping DMA.\n\nAvoid checking if URAM access is suspended and printing the error\nmessage if WoL is enabled when we suspend the system, as we know it will\nnot be.\n\nReported-by: Geert Uytterhoeven \u003cgeert@linux-m68k.org\u003e\nCloses: https://lore.kernel.org/all/CAMuHMdWnjV%3DHGE1o08zLhUfTgOSene5fYx1J5GG10mB%2BToq8qg@mail.gmail.com/\nFixes: 353d8e7989b6 (\"net: ethernet: ravb: Suspend and resume the transmission flow\")\nSigned-off-by: Niklas Söderlund \u003cniklas.soderlund+renesas@ragnatech.se\u003e\nReviewed-by: Sai Krishna \u003csaikrishnag@marvell.com\u003e\nTested-by: Geert Uytterhoeven \u003cgeert+renesas@glider.be\u003e\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "3d042592ebd4c7e44974d556de0b727cb7db4dab", "tree": "001cb3d1c0cef83243e6db9b8afec16665c3e3d6", "parents": [ "7bf563badd37cb796df5477d2b78bb64148a1268" ], "author": { "name": "Chenguang Zhao", "email": "zhaochenguang@kylinos.cn", "time": "Mon May 11 09:43:43 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 12 18:45:13 2026 -0700" }, "message": "ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics\n\nethnl_bitmap32_not_zero() should return true if some bit in [start, end)\nis set:\n\n- Fix inverted memchr_inv() sense: return true when the scan finds a\n non-zero byte, not when the middle words are all zero.\n- Return false for an empty interval (end \u003c\u003d start).\n- When end is 32-bit aligned, indices in [start, end) do not include any\n bits from map[end_word]; return false after earlier checks found no\n non-zero data.\n\nFixes: 10b518d4e6dd (\"ethtool: netlink bitset handling\")\nSigned-off-by: Chenguang Zhao \u003czhaochenguang@kylinos.cn\u003e\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "7bf563badd37cb796df5477d2b78bb64148a1268", "tree": "ddeb63bc9a94340e7e15978473e57bc1f3596479", "parents": [ "a3fdd924d88c30b9f488636ce0e4696012cf5511" ], "author": { "name": "Xiang Mei", "email": "xmei5@asu.edu", "time": "Sun May 10 15:26:40 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 12 18:44:36 2026 -0700" }, "message": "net/smc: avoid NULL deref of conn-\u003elnk in smc_msg_event tracepoint\n\nThe smc_msg_event tracepoint class, shared by smc_tx_sendmsg and\nsmc_rx_recvmsg, unconditionally dereferences smc-\u003econn.lnk:\n\n\t__string(name, smc-\u003econn.lnk-\u003eibname)\n\nconn-\u003elnk is only set for SMC-R; for SMC-D it is NULL. Other code on\nthese paths already handles this (e.g. !conn-\u003elnk in\nSMC_STAT_RMB_TX_SIZE_SMALL()). With the tracepoint enabled, the first\nsendmsg()/recvmsg() on an SMC-D socket crashes:\n\n Oops: general protection fault, probably for non-canonical address\n KASAN: null-ptr-deref in range [...]\n RIP: 0010:strlen+0x1e/0xa0\n Call Trace:\n trace_event_raw_event_smc_msg_event (net/smc/smc_tracepoint.h:44)\n smc_rx_recvmsg (net/smc/smc_rx.c:515)\n smc_recvmsg (net/smc/af_smc.c:2859)\n __sys_recvfrom (net/socket.c:2315)\n __x64_sys_recvfrom (net/socket.c:2326)\n do_syscall_64\n\nThe faulting address 0x3e0 is offsetof(struct smc_link, ibname),\nconfirming the NULL -\u003elnk deref. Enabling the tracepoint requires\nroot, but the trigger itself is unprivileged: socket(AF_SMC, ...) has\nno capability check, and SMC-D negotiation needs no admin step on\ns390 or on x86 with the loopback ISM device loaded.\n\nLog an empty device name for SMC-D instead of dereferencing NULL.\n\nFixes: aff3083f10bf (\"net/smc: Introduce tracepoints for tx and rx msg\")\nReported-by: Weiming Shi \u003cbestswngs@gmail.com\u003e\nSigned-off-by: Xiang Mei \u003cxmei5@asu.edu\u003e\nReviewed-by: Dust Li \u003cdust.li@linux.alibaba.com\u003e\nReviewed-by: Sidraya Jayagond \u003csidraya@linux.ibm.com\u003e\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "a3fdd924d88c30b9f488636ce0e4696012cf5511", "tree": "039aa34e8b60ebc72f6b4ec82c209b616b2d3934", "parents": [ "f9e2342046ef1560d35bcd4a4b1197648ffd151d" ], "author": { "name": "Nicolò Coccia", "email": "n.coccia96@gmail.com", "time": "Sun May 10 12:34:13 2026 -0400" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 12 18:43:40 2026 -0700" }, "message": "net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS\n\nA logic flaw in __smc_setsockopt() allows a local unprivileged user to\ncause a Denial of Service (DoS) by holding the socket lock indefinitely.\n\nThe function __smc_setsockopt() calls copy_from_sockptr() while holding\nlock_sock(sk). By passing a userfaultfd-monitored memory page (or\nFUSE-backed memory on systems where unprivileged userfaultfd is disabled)\nas the optval, an attacker can halt execution during the copy operation,\nkeeping the lock held.\n\nCombined with asynchronous tear-down operations like shutdown(), this\nexhausts the kernel wq (kworkers) and triggers the hung task watchdog.\n\n[ 240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds.\n[ 240.123489] Call Trace:\n[ 240.123501] smc_shutdown+...\n[ 240.123512] lock_sock_nested+...\n\nThis patch moves the user-space copy outside the lock_sock() critical\nsection to prevent the issue.\n\nFixes: a6a6fe27bab4 (\"net/smc: Dynamic control handshake limitation by socket options\")\nSigned-off-by: Nicolò Coccia \u003cn.coccia96@gmail.com\u003e\nReviewed-by: Dust Li \u003cdust.li@linux.alibaba.com\u003e\nTested-by: Dust Li \u003cdust.li@linux.alibaba.com\u003e\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "f9e2342046ef1560d35bcd4a4b1197648ffd151d", "tree": "d0611a47ba8ec3ead320052a802108be1379aff2", "parents": [ "e3adf69f8eb121a9128c2b0029efd050d3649153" ], "author": { "name": "Wei Yang", "email": "albinwyang@tencent.com", "time": "Sat May 09 20:23:58 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 12 18:07:02 2026 -0700" }, "message": "net: atm: fix skb leak in sigd_send() default branch\n\nThe default branch in sigd_send() calls sock_put() and returns -EINVAL\nwithout freeing the skb, while all other exit paths do so. Add the\nmissing dev_kfree_skb() before sock_put() to fix the leak.\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nSigned-off-by: Wei Yang \u003calbinwyang@tencent.com\u003e\nLink: https://patch.msgid.link/20260509122358.1102997-1-albin_yang@163.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "e3adf69f8eb121a9128c2b0029efd050d3649153", "tree": "dadebcb32307969bdb656452efb986db8c85c705", "parents": [ "2c308cf34284420963607d677d576a2b4124d8bd" ], "author": { "name": "David Carlier", "email": "devnexen@gmail.com", "time": "Sat May 09 22:50:46 2026 +0100" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 12 17:45:12 2026 -0700" }, "message": "net: ethtool: phy: avoid NULL deref when PHY driver is unbound\n\nphydev-\u003edrv can become NULL while the phy_device is still attached to\nits net_device, namely after the PHY driver is unbound via sysfs:\n\n\techo \u003cmdio_id\u003e \u003e /sys/bus/mdio_bus/drivers/\u003cphy_drv\u003e/unbind\n\nphy_remove() clears phydev-\u003edrv but doesn\u0027t call phy_detach(), so the\nphy_device stays in the link topology xarray and ethnl_req_get_phydev()\nstill hands it back. ETHTOOL_MSG_PHY_GET then oopses on:\n\n\trep_data-\u003edrvname \u003d kstrdup(phydev-\u003edrv-\u003ename, GFP_KERNEL);\n\ndrvname is already treated as optional by phy_reply_size(),\nphy_fill_reply() and phy_cleanup_data(), so just skip the allocation\nwhen there is no driver bound.\n\nFixes: 9dd2ad5e92b9 (\"net: ethtool: phy: Convert the PHY_GET command to generic phy dump\")\nCc: stable@vger.kernel.org # 6.13.x\nSigned-off-by: David Carlier \u003cdevnexen@gmail.com\u003e\nReviewed-by: Maxime Chevallier \u003cmaxime.chevallier@bootlin.com\u003e\nTested-by: Maxime Chevallier \u003cmaxime.chevallier@bootlin.com\u003e\nLink: https://patch.msgid.link/20260509215046.107157-1-devnexen@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "2c308cf34284420963607d677d576a2b4124d8bd", "tree": "57e2bba19752a919a9285246058349eda08edc8b", "parents": [ "9988931df99cf5d68af360e1f23b9c674a0b1b4f" ], "author": { "name": "Zoran Ilievski", "email": "goodboy@rexbytes.com", "time": "Mon May 11 08:40:02 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 12 16:41:41 2026 -0700" }, "message": "net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled\n\nThe shutdown handler aq_pci_shutdown() unconditionally calls\npci_wake_from_d3(pdev, false), clearing the PCI PME_En bit even when\nwake-on-LAN has been configured. While aq_nic_shutdown() correctly\nprograms the NIC firmware via aq_nic_set_power() to listen for magic\npackets, the PCI subsystem will not propagate the resulting PME wake\nevent from D3, so the system never wakes after poweroff.\n\nWOL from suspend (S3) is unaffected because aq_suspend_common() does\nnot touch pci_wake_from_d3() and relies on the PM core\u0027s wake\nconfiguration via device_may_wakeup().\n\nThis affects all atlantic-supported NICs (AQC107/108/111/112/113);\nusers have reported that WOL works if the atlantic driver is never\nloaded, but breaks once it has run its shutdown path.\n\nPass the configured WOL state to pci_wake_from_d3() instead of a\nliteral false, so the PCI PME_En bit is preserved when the user has\narmed WOL via ethtool.\n\nFixes: 90869ddfefeb (\"net: aquantia: Implement pci shutdown callback\")\nCc: stable@vger.kernel.org\nSigned-off-by: Zoran Ilievski \u003cgoodboy@rexbytes.com\u003e\nReviewed-by: Sukhdeep Singh \u003csukhdeeps@marvell.com\u003e\nLink: https://patch.msgid.link/20260511064002.1857-1-goodboy@rexbytes.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "cceb874eee46fe4b3d3c6c496f19125d9a3a9a8f", "tree": "0e95ed7f1013afcc60734dd84ceac95ca84c8b6a", "parents": [ "b273b75b8d677aea06dd06d80b61b3bb06e94680" ], "author": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Mon May 11 13:18:23 2026 -1000" }, "committer": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Tue May 12 11:28:56 2026 -1000" }, "message": "sched_ext: Defer sub_kset base put to scx_sched_free_rcu_work\n\nscx_sub_enable_workfn() pins parent-\u003ekobj before dropping scx_sched_lock,\nbut that does not pin parent-\u003esub_kset. Concurrent disable can\nkset_unregister and free sub_kset before scx_alloc_and_add_sched()\ndereferences it.\n\nSplit sub_kset teardown: kobject_del() at disable keeps sysfs removal; defer\nkobject_put() to scx_sched_free_rcu_work so the memory survives. A racing\nchild sees state_in_sysfs\u003d0 with valid memory, sysfs_create_dir() fails, and\nthe existing exit_kind gate in scx_link_sched() turns it away with -ENOENT.\n\nFixes: 411d3ef1a705 (\"sched_ext: Unregister sub_kset on scheduler disable\")\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\n" }, { "commit": "b273b75b8d677aea06dd06d80b61b3bb06e94680", "tree": "f74629178fcefc0be3f64b6ac2d1087b8f3bf371", "parents": [ "39e25a2100604320e8d9df54c6c31258f7a3df29" ], "author": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Mon May 11 13:18:19 2026 -1000" }, "committer": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Tue May 12 11:28:56 2026 -1000" }, "message": "sched_ext: INIT_LIST_HEAD() \u0026sch-\u003eall in scx_alloc_and_add_sched()\n\nOn scx_link_sched() error paths (parent disabled, hash insert failure),\n\u0026sch-\u003eall is never added to scx_sched_all. The cleanup path runs\nscx_unlink_sched() unconditionally, which calls list_del_rcu(\u0026sch-\u003eall) on a\nlist_head that was never initialized triggering a corruption warning.\n\nInitialize \u0026sch-\u003eall.\n\nFixes: 54be8de4236a (\"sched_ext: Factor out scx_link_sched() and scx_unlink_sched()\")\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\n" }, { "commit": "ef7e0c51d9c4b029d2f9b20bee1a94ba1b3356d5", "tree": "c884b977c83a7b12db3f93611d5e3e571d4ab61d", "parents": [ "3098c076c83ea2913245cb915cdcba98eb24214c", "0cfe660559e857d7c00ab86c73e4510ce069086f" ], "author": { "name": "Paolo Bonzini", "email": "pbonzini@redhat.com", "time": "Tue May 12 23:15:29 2026 +0200" }, "committer": { "name": "Paolo Bonzini", "email": "pbonzini@redhat.com", "time": "Tue May 12 23:15:38 2026 +0200" }, "message": "Merge tag \u0027kvm-s390-master-7.1-1\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux into HEAD\n\nKVM: s390: pci: fix array indexing\n\nFor large amounts of PCI devices its possible to overrun the arrays as\nthe index was miscalculated in 2 places.\n" }, { "commit": "39e25a2100604320e8d9df54c6c31258f7a3df29", "tree": "a409add59e45d775ae32e631319048ee2cc32f87", "parents": [ "9a415cc53711f2238e0f0ca8a6bcc796c003b127" ], "author": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Tue May 12 10:30:00 2026 -1000" }, "committer": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Tue May 12 11:13:58 2026 -1000" }, "message": "sched_ext: Drop NONE early return in scx_disable_and_exit_task()\n\nd3e73a0808dd (\"sched_ext: Handle SCX_TASK_NONE in disable/switched_from\npaths\") skipped the trailing scx_set_task_sched(p, NULL) on NONE tasks.\nAfter scx_fail_parent() parks a task at NONE/sched\u003dparent and the parent\nis later freed via queue_rcu_work() during root_disable, the preserved\np-\u003escx.sched dangles - print_scx_info() from sched_show_task() reads\nsch-\u003eops.name from freed memory.\n\nDrop the early return. __scx_disable_and_exit_task() already short-\ncircuits on NONE and the SUB_INIT block was cleared by\nscx_fail_parent()\u0027s earlier call, so clearing p-\u003escx.sched is the only\nwork left - and the one thing the path actually needs.\n\nv2: Extend the SUB_INIT block comment to note that the flag is only\n set on the sub-enable path, so it\u0027s always clear on the NONE\n re-entry (Andrea).\n\nFixes: d3e73a0808dd (\"sched_ext: Handle SCX_TASK_NONE in disable/switched_from paths\")\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nReviewed-by: Andrea Righi \u003carighi@nvidia.com\u003e\n" }, { "commit": "3098c076c83ea2913245cb915cdcba98eb24214c", "tree": "891c486690a34835d463186b025f1a5c4400785c", "parents": [ "6b72d0578ca6f77b835d773d7c77c2f872d3e924" ], "author": { "name": "Sean Christopherson", "email": "seanjc@google.com", "time": "Wed May 06 14:35:14 2026 -0700" }, "committer": { "name": "Paolo Bonzini", "email": "pbonzini@redhat.com", "time": "Tue May 12 23:12:32 2026 +0200" }, "message": "KVM: x86: Swap the dst and src operand for MOVNTDQA\n\nSwap the MOVNTDQA operands, as MOVNTDQA does NOT in fact have \"the same\ncharacteristics as 0F E7 (MOVNTDQ)\"; MOVNTDQA loads from memory and stores\nto registers, while MOVNTDQ loads from registers and stores to memory.\n\nPer the SDM:\n\n MOVNTDQ - Move packed integer values in xmm1 to m128 using non-temporal\n hint.\n\n MOVNTDQA - Move double quadword from m128 to xmm1 using non-temporal hint\n if WC memory type.\n\nReported-by: Josh Eads \u003cjosheads@google.com\u003e\nFixes: c57d9bafbd0b (\"KVM: x86: Add support for emulating MOVNTDQA\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sean Christopherson \u003cseanjc@google.com\u003e\nMessage-ID: \u003c20260506213514.2781948-1-seanjc@google.com\u003e\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\n" }, { "commit": "6b72d0578ca6f77b835d773d7c77c2f872d3e924", "tree": "174003cc8729440860a05cfb8a6706cc1e93994a", "parents": [ "87c810160ed738cd983e4a65ebe9709927c702c9" ], "author": { "name": "Paolo Bonzini", "email": "pbonzini@redhat.com", "time": "Sun May 03 23:09:17 2026 +0200" }, "committer": { "name": "Paolo Bonzini", "email": "pbonzini@redhat.com", "time": "Tue May 12 23:12:31 2026 +0200" }, "message": "KVM: x86: use again the flush argument of __link_shadow_page()\n\nExcept in the case of parentless nested-TDP pages, mmu_page_zap_pte()\nclears the SPTE but leaves the invalid_list empty. In this case, using\nkvm_flush_remote_tlbs() as kvm_mmu_remote_flush_or_zap() does is overkill.\nAvoid flushing the entirety of the remote TLBs unless the invalid_list\nwas populated: instead, use a more efficient gfn-targeting flush (if\navailable) and skip it altogether if the caller guarantees that a TLB\nflush is not necessary.\n\nBased-on: \u003c20260503201029.106481-1-pbonzini@redhat.com\u003e\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\nMessage-ID: \u003c20260503210917.121840-1-pbonzini@redhat.com\u003e\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\n" }, { "commit": "87c810160ed738cd983e4a65ebe9709927c702c9", "tree": "c795494bb3d780a6d1b2be263d130ff019af9341", "parents": [ "4a9ee4fc795389d6919d52a0cce490f9712e4f8c" ], "author": { "name": "Sean Christopherson", "email": "seanjc@google.com", "time": "Tue May 12 08:56:34 2026 -0700" }, "committer": { "name": "Paolo Bonzini", "email": "pbonzini@redhat.com", "time": "Tue May 12 22:26:10 2026 +0200" }, "message": "KVM: selftests: Ensure gmem file sizes are multiple of host page size\n\nWhen creating a guest_memfd file and associated memslot to validate shared\nguest memory, size the file+memslot to the maximum of the host or guest\npage size. Attempting to allocate a single guest page will fail if the\nhost page size is greater than the guest page size, as KVM requires that\nthe size of memslots and guest_memfd files are a multiple of the host page\nsize.\n\nFor simplicity, verify the entire file can be shared between guest and host,\ne.g. instead of trying to validate \"partial\" mappings.\n\nFixes: 42188667be38 (\"KVM: selftests: Add guest_memfd testcase to fault-in on !mmap()\u0027d memory\")\nReported-by: Zenghui Yu \u003czenghui.yu@linux.dev\u003e\nCloses: https://lore.kernel.org/all/0064952b-048c-455d-ad89-e27e5cb82591@linux.dev\nSigned-off-by: Sean Christopherson \u003cseanjc@google.com\u003e\nMessage-ID: \u003c20260512155634.772602-1-seanjc@google.com\u003e\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\n" }, { "commit": "4a9ee4fc795389d6919d52a0cce490f9712e4f8c", "tree": "8f628ae05e9fae7395c5079031be0706c7524be1", "parents": [ "80f4a7b8ce7513c203562191426e4d4cc635b095", "effc0a39b8e0f30670fe24f51e44329d4324e566" ], "author": { "name": "Paolo Bonzini", "email": "pbonzini@redhat.com", "time": "Tue May 12 22:19:20 2026 +0200" }, "committer": { "name": "Paolo Bonzini", "email": "pbonzini@redhat.com", "time": "Tue May 12 22:19:20 2026 +0200" }, "message": "Merge tag \u0027kvmarm-fixes-7.1-2\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEAD\n\nKVM/arm64 fixes for 7.1, take #2\n\n- Add the pKVM side of the workaround for ARM\u0027s erratum 4193714, provided\n that the EL3 firmware does its part of the job. KVM will refuse to\n initialise otherwise.\n\n- Correctly handle 52bit VAs for guest EL2 stage-1 translations when\n running under NV with E2H\u003d\u003d0.\n\n- Correctly deal with permission faults in guest_memfd memslots.\n\n- Fix the steal-time selftest after the infrastructure was reworked.\n\n- Make sure the host cannot pass a non-sensical clock update to the\n EL2 tracing infrastructure.\n\n- Appoint Steffen Eiden as a reviewer in anticipation of the KVM/s390\n ability to run arm64 guests, which will inevitably lead to arm64\n code being directly used on s390.\n\n- Make sure that EL2 is configured with both exception entry and exit\n being Context Synchronization Events.\n\n- Handle the current vcpu being NULL on EL2 panic.\n\n- Fix the selftest_vcpu memcache being empty at the point of donation or\n sharing.\n\n- Check that the memcache has enough capacity before engaging on the\n share/donate path.\n\n- Fix __deactivate_fgt() to use its parameter rather than a variable\n in the macro context.\n" }, { "commit": "80f4a7b8ce7513c203562191426e4d4cc635b095", "tree": "93a17778170d61f76594846f9ade17a8c45b73c4", "parents": [ "5bd1ddb7911ba7e94b61cf429970963f1b22dd76" ], "author": { "name": "Ninad Naik", "email": "ninadnaik07@gmail.com", "time": "Mon May 11 23:13:02 2026 +0530" }, "committer": { "name": "Paolo Bonzini", "email": "pbonzini@redhat.com", "time": "Tue May 12 22:17:42 2026 +0200" }, "message": "Documentation: kvm: update links in the references section of AMD Memory Encryption\n\nReplace non-working links in the reference section with the working ones.\n\nSigned-off-by: Ninad Naik \u003cninadnaik07@gmail.com\u003e\nLink: https://patch.msgid.link/20260511174302.811918-1-ninadnaik07@gmail.com/\nReviewed-by: Liam Merwick \u003cliam.merwick@oracle.com\u003e\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\n" }, { "commit": "5bd1ddb7911ba7e94b61cf429970963f1b22dd76", "tree": "9e4d3a76eae1da504b67b561221f50fad805c291", "parents": [ "2b72f1674e427c56e3772c5ccf785fdda2138820" ], "author": { "name": "Sean Christopherson", "email": "seanjc@google.com", "time": "Fri May 08 14:33:21 2026 -0700" }, "committer": { "name": "Paolo Bonzini", "email": "pbonzini@redhat.com", "time": "Tue May 12 22:17:28 2026 +0200" }, "message": "KVM: nSVM: Never use L0\u0027s PAUSE loop exiting while L2 is running\n\nNever use L0\u0027s (KVM\u0027s) PAUSE loop exiting controls while L2 is running,\nand instead always configure vmcb02 according to L1\u0027s exact capabilities\nand desires.\n\nThe purpose of intercepting PAUSE after N attempts is to detect when the\nvCPU may be stuck waiting on a lock, so that KVM can schedule in a\ndifferent vCPU that may be holding said lock. Barring a very interesting\nsetup, L1 and L2 do not share locks, and it\u0027s extremely unlikely that an\nL1 vCPU would hold a spinlock while running L2. I.e. having a vCPU\nexecuting in L1 yield to a vCPU running in L2 will not allow the L1 vCPU\nto make forward progress, and vice versa.\n\nWhile teaching KVM\u0027s \"on spin\" logic to only yield to other vCPUs in L2 is\ndoable, in all likelihood it would do more harm than good for most setups.\nKVM has limited visibility into which L2 \"vCPUs\" belong to the same VM,\nand thus share a locking domain. And even if L2 vCPUs are in the same\nVM, KVM has no visilibity into L2 vCPU\u0027s that are scheduled out by the\nL1 hypervisor.\n\nFurthermore, KVM doesn\u0027t actually steal PAUSE exits from L1. If L1 is\nintercepting PAUSE, KVM will route PAUSE exits to L1, not L0, as\nnested_svm_intercept() gives priority to the vmcb12 intercept. As such,\noverriding the count/threshold fields in vmcb02 with vmcb01\u0027s values is\nnonsensical, as doing so clobbers all the training/learning that has been\ndone in L1.\n\nEven worse, if L1 is not intercepting PAUSE, i.e. KVM is handling PAUSE\nexits, then KVM will adjust the PLE knobs based on L2 behavior, which could\nvery well be detrimental to L1, e.g. due to essentially poisoning L1 PLE\ntraining with bad data.\n\nAnd copying the count from vmcb02 to vmcb01 on a nested VM-Exit makes even\nless sense, because again, the purpose of PLE is to detect spinning vCPUs.\nWhether or not a vCPU is spinning in L2 at the time of a nested VM-Exit\nhas no relevance as to the behavior of the vCPU when it executes in L1.\n\nThe only scenarios where any of this actually works is if at least one\nof KVM or L1 is NOT intercepting PAUSE for the guest. Per the original\nchangelog, those were the only scenarios considered to be supported.\nDisabling KVM\u0027s use of PLE makes it so the VM is always in a \"supported\"\nmode.\n\nLast, but certainly not least, using KVM\u0027s count/threshold instead of the\nvalues provided by L1 is a blatant violation of the SVM architecture.\n\nFixes: 74fd41ed16fd (\"KVM: x86: nSVM: support PAUSE filtering when L0 doesn\u0027t intercept PAUSE\")\nCc: Maxim Levitsky \u003cmlevitsk@redhat.com\u003e\nTested-by: David Kaplan \u003cdavid.kaplan@amd.com\u003e\nSigned-off-by: Sean Christopherson \u003cseanjc@google.com\u003e\nLink: https://patch.msgid.link/20260508213321.373309-1-seanjc@google.com/\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\n" }, { "commit": "2b72f1674e427c56e3772c5ccf785fdda2138820", "tree": "0b5b992e7fd183a5125f7ba2e8dc3fd826e81e47", "parents": [ "577a8d3bae0531f0e5ccfac919cd8192f920a804" ], "author": { "name": "Qiang Ma", "email": "maqianga@uniontech.com", "time": "Tue May 12 09:53:13 2026 +0800" }, "committer": { "name": "Paolo Bonzini", "email": "pbonzini@redhat.com", "time": "Tue May 12 22:16:26 2026 +0200" }, "message": "KVM: x86: Fix Xen hypercall tracepoint argument assignment\n\nTRACE_EVENT(kvm_xen_hypercall) stores a5 in __entry-\u003ea4 instead of\n__entry-\u003ea5.\n\nThat overwrites the recorded a4 argument and leaves a5 unset in the\ntrace entry. Fix the typo so both arguments are captured correctly.\n\nSigned-off-by: Qiang Ma \u003cmaqianga@uniontech.com\u003e\nLink: https://patch.msgid.link/20260512015313.1685784-1-maqianga@uniontech.com/\nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\n" }, { "commit": "577a8d3bae0531f0e5ccfac919cd8192f920a804", "tree": "4ba75ee1723227e4bf2cf76d2fe241c4e7aa7f07", "parents": [ "6d35786de28116ecf78797a62b84e6bf3c45aa5a" ], "author": { "name": "Aaron Sacks", "email": "contact@xchglabs.com", "time": "Tue May 12 02:07:42 2026 -0400" }, "committer": { "name": "Paolo Bonzini", "email": "pbonzini@redhat.com", "time": "Tue May 12 22:16:16 2026 +0200" }, "message": "KVM: Reject wrapped offset in kvm_reset_dirty_gfn()\n\nkvm_reset_dirty_gfn() guards the gfn range with\n\n\tif (!memslot || (offset + __fls(mask)) \u003e\u003d memslot-\u003enpages)\n\t\treturn;\n\nbut offset is u64 and the addition is unchecked. The check can be\nsilently bypassed by a u64 wrap.\n\nThe dirty ring backing those entries is MAP_SHARED at\nKVM_DIRTY_LOG_PAGE_OFFSET of the vcpu fd, so the VMM can rewrite the\nslot and offset fields of any entry between when the kernel pushes\nthem and when KVM_RESET_DIRTY_RINGS consumes them. On reset,\nkvm_dirty_ring_reset() re-reads the values via READ_ONCE() and feeds\nthem straight back into this check; only the flags handshake is\ntreated as the handover, the slot/offset payload is taken on trust.\n\nCrafting two entries\n\n\tentry[i].offset \u003d 0xffffffffffffffc1\n\tentry[i+1].offset \u003d 0\n\nmakes the coalescing loop in kvm_dirty_ring_reset() compute\n\n\tdelta \u003d (s64)(0 - 0xffffffffffffffc1) \u003d 63\n\nwhich falls in [0, BITS_PER_LONG), so it folds entry[i+1] into the\nexisting mask by setting bit 63. The trailing kvm_reset_dirty_gfn()\ncall then sees offset \u003d 0xffffffffffffffc1 and __fls(mask) \u003d 63;\nthe sum is 0 in u64 and the bounds check passes.\n\nThat offset propagates into kvm_arch_mmu_enable_log_dirty_pt_masked()\nunchanged. On the legacy MMU path -- kvm_memslots_have_rmaps() \u003d\u003d\ntrue, i.e. shadow paging, any VM that has allocated shadow roots, or\na write-tracked slot -- it reaches gfn_to_rmap(), which indexes\nslot-\u003earch.rmap[0][] with a near-U64_MAX gfn. That is an\nout-of-bounds load of a kvm_rmap_head, followed by a conditional\nclear of PT_WRITABLE_MASK in whatever the loaded pointer points at.\nThe path is reachable from any process holding /dev/kvm.\n\nRange-check offset on its own first, so the addition cannot wrap.\nmemslot-\u003enpages is bounded well below U64_MAX, so once offset \u003c\nnpages holds, offset + __fls(mask) (with __fls(mask) \u003c BITS_PER_LONG)\nstays in range.\n\nFixes: fb04a1eddb1a (\"KVM: X86: Implement ring-based dirty memory tracking\")\nCc: stable@vger.kernel.org\nSigned-off-by: Aaron Sacks \u003ccontact@xchglabs.com\u003e\nLink: https://patch.msgid.link/20260512060742.1628959-1-contact@xchglabs.com/\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\n" }, { "commit": "f9e1c1324b4d98d591a6f7568fdebf5cf456dfc2", "tree": "f277375398036b8ed80313ac08bb76eea3c8082a", "parents": [ "e4a640475e43f406fdfd56d370b1f34b0cbbc18d" ], "author": { "name": "Sergio Correia", "email": "scorreia@redhat.com", "time": "Tue May 12 14:28:59 2026 +0100" }, "committer": { "name": "Paul Moore", "email": "paul@paul-moore.com", "time": "Tue May 12 16:10:38 2026 -0400" }, "message": "audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV\n\nAUDIT_ADD_RULE and AUDIT_DEL_RULE correctly check for AUDIT_LOCKED\nand return -EPERM, but AUDIT_TRIM and AUDIT_MAKE_EQUIV do not. This\nallows a process with CAP_AUDIT_CONTROL to modify directory tree\nwatches and equivalence mappings even when the audit configuration\nhas been locked, undermining the purpose of the lock.\n\nAdd AUDIT_LOCKED checks to both commands.\n\nCc: stable@vger.kernel.org\nReviewed-by: Ricardo Robaina \u003crrobaina@redhat.com\u003e\nAssisted-by: Claude:claude-opus-4-6\nSigned-off-by: Sergio Correia \u003cscorreia@redhat.com\u003e\nSigned-off-by: Paul Moore \u003cpaul@paul-moore.com\u003e\n" }, { "commit": "e4a640475e43f406fdfd56d370b1f34b0cbbc18d", "tree": "8e4395b0f8002c0b30b81c7554b949f5ca67a246", "parents": [ "254f49634ee16a731174d2ae34bc50bd5f45e731" ], "author": { "name": "Sergio Correia", "email": "scorreia@redhat.com", "time": "Tue May 12 14:28:33 2026 +0100" }, "committer": { "name": "Paul Moore", "email": "paul@paul-moore.com", "time": "Tue May 12 16:05:57 2026 -0400" }, "message": "audit: fix incorrect inheritable capability in CAPSET records\n\n__audit_log_capset() records the effective capability set into the\ninheritable field due to a copy-paste error. Every CAPSET audit\nrecord therefore reports cap_pi (process inheritable) with the value\nof cap_effective instead of cap_inheritable.\n\nThis silently corrupts audit data used for compliance and forensic\nanalysis: an attacker who modifies inheritable capabilities to\nprepare for a privilege-escalating exec would have the change masked\nin the audit trail.\n\nThe bug has been present since the original introduction of CAPSET\naudit records in 2008.\n\nCc: stable@vger.kernel.org\nFixes: e68b75a027bb (\"When the capset syscall is used it is not possible for audit to record the actual capbilities being added/removed. This patch adds a new record type which emits the target pid and the eff, inh, and perm cap sets.\")\nReviewed-by: Ricardo Robaina \u003crrobaina@redhat.com\u003e\nAssisted-by: Claude:claude-opus-4-6\nSigned-off-by: Sergio Correia \u003cscorreia@redhat.com\u003e\nSigned-off-by: Paul Moore \u003cpaul@paul-moore.com\u003e\n" }, { "commit": "1d5dcaa3bd65f2e8c9baa14a393d3a2dc5db7524", "tree": "6687682f05df72cf06dce720c27d24e9e40046c7", "parents": [ "c21b90f77687075115d989e53a8ec5e2bb427ab1", "657b594b2084b39a4bc6d8493aa2140cb00cea49" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue May 12 10:18:02 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue May 12 10:18:02 2026 -0700" }, "message": "Merge tag \u0027probes-fixes-v7.1-rc3\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace\n\nPull probes fixes from Masami Hiramatsu:\n\n - kprobes: skip non-symbol addresses in kprobe_add_ksym_blacklist()\n\n Since the ftrace adds its NOPs at .kprobes.text section (which stores\n an array), a wrong entry is added when loading a module which uses\n \"__kprobes\" attribute.\n\n To solve this, add \"notrace\" to __kprobes functions\n\n - test_kprobes: clear kprobes between test runs\n\n Clear all kprobes in the test program after running a test set,\n because Kunit test can run several times\n\n - fprobe: Fix unregister_fprobe() to wait for RCU grace period\n\n Since the fprobe data structure is removed with hlist_del_rcu(), it\n should wait for the RCU grace period. If the caller waits for RCU, we\n can use the async variant (e.g. eBPF)\n\n* tag \u0027probes-fixes-v7.1-rc3\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:\n fprobe: Fix unregister_fprobe() to wait for RCU grace period\n test_kprobes: clear kprobes between test runs\n kprobes: skip non-symbol addresses in kprobe_add_ksym_blacklist()\n" }, { "commit": "b7cdd59de5ae8062d2cb0121c429a271eb70daec", "tree": "de2cd27c2d049d76b88a7d730749a09f45ac99a0", "parents": [ "e4865a56d013e86e46ea6acea15bb6eae01898ff" ], "author": { "name": "Rafael J. Wysocki", "email": "rafael.j.wysocki@intel.com", "time": "Tue May 12 18:25:17 2026 +0200" }, "committer": { "name": "Rafael J. Wysocki", "email": "rafael.j.wysocki@intel.com", "time": "Tue May 12 19:01:37 2026 +0200" }, "message": "ACPI: PAD: xen: Check ACPI_COMPANION() against NULL\n\nEvery platform driver can be forced to match a device that doesn\u0027t match\nits list of device IDs because of device_match_driver_override(), so\nplatform drivers that rely on the existence of a device\u0027s ACPI companion\nobject need to verify its presence.\n\nAccordingly, add a requisite ACPI_COMPANION() check against NULL to the\nXen variant of the ACPI processor aggregator device (PAD) driver.\n\nFixes: 112b2f978afe (\"ACPI: PAD: xen: Convert to a platform driver\")\nSigned-off-by: Rafael J. Wysocki \u003crafael.j.wysocki@intel.com\u003e\nAcked-by: Juergen Gross \u003cjgross@suse.com\u003e\nLink: https://patch.msgid.link/3427762.aeNJFYEL58@rafael.j.wysocki\n" }, { "commit": "64ffa2e5e02ff54b23221d0282155f37283fabea", "tree": "329059827a339b2713456d6b9c61fdc63d451d66", "parents": [ "48d1677779ad6816978ad4a4f7588aec5ec960fe" ], "author": { "name": "Alain Michaud", "email": "alainmichaud@google.com", "time": "Tue May 12 13:22:44 2026 +0000" }, "committer": { "name": "Jiri Kosina", "email": "jkosina@suse.com", "time": "Tue May 12 18:16:46 2026 +0200" }, "message": "HID: logitech-hidpp: Add support for newer Bluetooth keyboards\n\nAdd product IDs (PIDs) for several newer Logitech Bluetooth keyboards\nto the hidpp_devices matching table, enabling full HID++ support for\nthem.\n\nThe added keyboards are:\n- Logitech Signature K650 \u0026 B2B\n- Logitech Pebble Keys 2 K380S\n- Logitech Casa Pop-Up Desk \u0026 B2B\n- Logitech Wave Keys \u0026 B2B\n- Logitech Signature Slim K950 \u0026 B2B\n- Logitech MX Keys S \u0026 B2B\n- Logitech Keys-To-Go 2\n- Logitech Pop Icon Keys\n- Logitech MX Keys Mini \u0026 B2B\n- Logitech Signature Slim Solar+ K980 B2B\n- Logitech Bluetooth Keyboard K250/K251\n- Logitech Signature Comfort K880 \u0026 B2B\n\nSigned-off-by: Alain Michaud \u003calainmichaud@google.com\u003e\nReviewed-by: Olivier Gay \u003cogay@logitech.com\u003e\nSigned-off-by: Jiri Kosina \u003cjkosina@suse.com\u003e\n" }, { "commit": "48d1677779ad6816978ad4a4f7588aec5ec960fe", "tree": "d37cd01da4a5772bb3d1fc27a1de205d6074db73", "parents": [ "a991aa5e89365ba1959fae6847fd288125b209e5" ], "author": { "name": "Tomasz Pakuła", "email": "tomasz.pakula.oficjalny@gmail.com", "time": "Sun May 10 14:23:52 2026 +0200" }, "committer": { "name": "Jiri Kosina", "email": "jkosina@suse.com", "time": "Tue May 12 18:13:40 2026 +0200" }, "message": "HID: pidff: Fix integer overflow in pidff_rescale\n\nRescaling values close to the max (U16_MAX) temporarily creates values\nthat exceed the s32 range. This caused value overflow in case when, for\nexample, a periodic effect phase was higer than 180 degrees. In turn,\nrescale function could return values outised of the logical range of the\nHID field.\n\nFix by using 64 bit signed integer to store the value during calculation\nbut still return only 32 bit integer.\n\nCloses: https://github.com/JacKeTUs/universal-pidff/issues/116\nFixes: 224ee88fe395 (\"Input: add force feedback driver for PID devices\")\nCc: stable@vger.kernel.org\nSigned-off-by: Tomasz Pakuła \u003ctomasz.pakula.oficjalny@gmail.com\u003e\nSigned-off-by: Jiri Kosina \u003cjkosina@suse.com\u003e\n" }, { "commit": "a991aa5e89365ba1959fae6847fd288125b209e5", "tree": "043ece70a95dfb63728863bc322ef20c5f73eba1", "parents": [ "206342541fc887ae919774a43942dc883161fece" ], "author": { "name": "Xu Rao", "email": "raoxu@uniontech.com", "time": "Sat May 09 16:21:32 2026 +0800" }, "committer": { "name": "Jiri Kosina", "email": "jkosina@suse.com", "time": "Tue May 12 18:11:43 2026 +0200" }, "message": "HID: i2c-hid: add reset quirk for BLTP7853 touchpad\n\nThe BLTP7853 I2C HID touchpad may fail to probe after reboot or\nreprobe because reset completion is not signalled to the host. The\ndriver then waits for the reset-complete interrupt until it times out\nand the device probe fails:\n\n i2c_hid i2c-BLTP7853:00: failed to reset device.\n i2c_hid i2c-BLTP7853:00: can\u0027t add hid device: -61\n i2c_hid: probe of i2c-BLTP7853:00 failed with error -61\n\nAdd I2C_HID_QUIRK_NO_IRQ_AFTER_RESET for the device so i2c-hid does\nnot wait for a reset interrupt that may never arrive.\n\nSigned-off-by: Xu Rao \u003craoxu@uniontech.com\u003e\nSigned-off-by: Jiri Kosina \u003cjkosina@suse.com\u003e\n" }, { "commit": "206342541fc887ae919774a43942dc883161fece", "tree": "cd810e3f74b34c20bce0ffddc24afc0b4d5c47d6", "parents": [ "2c85c61d1332e1e16f020d76951baf167dcb6f7a" ], "author": { "name": "Benjamin Tissoires", "email": "bentiss@kernel.org", "time": "Mon May 04 10:47:23 2026 +0200" }, "committer": { "name": "Jiri Kosina", "email": "jkosina@suse.com", "time": "Tue May 12 18:03:58 2026 +0200" }, "message": "HID: core: introduce hid_safe_input_report()\n\nhid_input_report() is used in too many places to have a commit that\ndoesn\u0027t cross subsystem borders. Instead of changing the API, introduce\na new one when things matters in the transport layers:\n- usbhid\n- i2chid\n\nThis effectively revert to the old behavior for those two transport\nlayers.\n\nFixes: 0a3fe972a7cb (\"HID: core: Mitigate potential OOB by removing bogus memset()\")\nCc: stable@vger.kernel.org\nSigned-off-by: Benjamin Tissoires \u003cbentiss@kernel.org\u003e\nSigned-off-by: Jiri Kosina \u003cjkosina@suse.com\u003e\n" }, { "commit": "2c85c61d1332e1e16f020d76951baf167dcb6f7a", "tree": "e0d6bc40e0c36922e10bc72e2af8d1a136af1c4c", "parents": [ "b08665fe80fab0956e64741c07d9bbcec635c34d" ], "author": { "name": "Benjamin Tissoires", "email": "bentiss@kernel.org", "time": "Mon May 04 10:47:22 2026 +0200" }, "committer": { "name": "Jiri Kosina", "email": "jkosina@suse.com", "time": "Tue May 12 18:03:37 2026 +0200" }, "message": "HID: pass the buffer size to hid_report_raw_event\n\ncommit 0a3fe972a7cb (\"HID: core: Mitigate potential OOB by removing\nbogus memset()\") enforced the provided data to be at least the size of\nthe declared buffer in the report descriptor to prevent a buffer\noverflow. However, we can try to be smarter by providing both the buffer\nsize and the data size, meaning that hid_report_raw_event() can make\nbetter decision whether we should plaining reject the buffer (buffer\noverflow attempt) or if we can safely memset it to 0 and pass it to the\nrest of the stack.\n\nFixes: 0a3fe972a7cb (\"HID: core: Mitigate potential OOB by removing bogus memset()\")\nCc: stable@vger.kernel.org\nSigned-off-by: Benjamin Tissoires \u003cbentiss@kernel.org\u003e\nAcked-by: Johan Hovold \u003cjohan@kernel.org\u003e\nReviewed-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Jiri Kosina \u003cjkosina@suse.com\u003e\n" }, { "commit": "b08665fe80fab0956e64741c07d9bbcec635c34d", "tree": "5c8efc09d9e3f6cbe1d477b75a4eb4474e973d59", "parents": [ "1654e53349d4e657b331de354313461f401f5063" ], "author": { "name": "Myeonghun Pak", "email": "mhun512@gmail.com", "time": "Fri Apr 24 21:50:41 2026 +0900" }, "committer": { "name": "Jiri Kosina", "email": "jkosina@suse.com", "time": "Tue May 12 18:01:05 2026 +0200" }, "message": "HID: google: hammer: stop hardware on devres action failure\n\nhammer_probe() starts the HID hardware before registering the devres\naction that stops it. If devm_add_action() fails, probe returns an\nerror with the hardware still started because the cleanup action was\nnever registered and the driver\u0027s remove callback is not called after a\nfailed probe.\n\nUse devm_add_action_or_reset() so the stop action runs immediately on\nregistration failure while preserving the existing devres-managed cleanup\npath for later probe failures and remove.\n\nSigned-off-by: Myeonghun Pak \u003cmhun512@gmail.com\u003e\nSigned-off-by: Jiri Kosina \u003cjkosina@suse.com\u003e\n" }, { "commit": "1654e53349d4e657b331de354313461f401f5063", "tree": "7dd01f72e12a9d4324162eeb0247a0003d0543b1", "parents": [ "4db2af929279c799b5653a39eb0795c72baffca4" ], "author": { "name": "Sangyun Kim", "email": "sangyun.kim@snu.ac.kr", "time": "Mon Apr 20 14:13:18 2026 +0900" }, "committer": { "name": "Jiri Kosina", "email": "jkosina@suse.com", "time": "Tue May 12 17:57:35 2026 +0200" }, "message": "HID: appletb-kbd: run inactivity autodim from workqueues\n\nThe autodim code in hid-appletb-kbd takes backlight_device-\u003eops_lock\nvia backlight_device_set_brightness() -\u003e mutex_lock() from two\ndifferent atomic contexts:\n\n * appletb_inactivity_timer() is a struct timer_list callback, so it\n runs in softirq context. Every expiry triggers\n\n BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591\n Call Trace:\n \u003cIRQ\u003e\n __might_resched\n __mutex_lock\n backlight_device_set_brightness\n appletb_inactivity_timer\n call_timer_fn\n run_timer_softirq\n\n * reset_inactivity_timer() is called from appletb_kbd_hid_event() and\n appletb_kbd_inp_event(). On real USB hardware these run in\n softirq/IRQ context (URB completion and input-event dispatch).\n When the Touch Bar has already been dimmed or turned off, the\n reset path calls backlight_device_set_brightness() directly to\n restore brightness, producing the same warning.\n\nBoth call sites hit the same mutex_lock()-from-atomic bug. Fix them\ntogether by moving the blocking work onto the system workqueue:\n\n * Convert the inactivity timer from struct timer_list to\n struct delayed_work; the callback (appletb_inactivity_work) now\n runs in process context where mutex_lock() is legal.\n * Add a dedicated struct work_struct restore_brightness_work and have\n reset_inactivity_timer() schedule it instead of calling\n backlight_device_set_brightness() directly.\n\nCancel both works synchronously during driver tear-down alongside the\nexisting backlight reference drop.\n\nThe semantics are unchanged (same delays, same state transitions on\ndim, turn-off and user activity); only the execution context of the\nsleeping call changes. The timer field and callback are renamed to\nmatch their new type; reset_inactivity_timer() keeps its name because\nit is invoked from input event paths that read naturally as \"reset\nthe inactivity timer\".\n\nFixes: 93a0fc489481 (\"HID: hid-appletb-kbd: add support for automatic brightness control while using the touchbar\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sangyun Kim \u003csangyun.kim@snu.ac.kr\u003e\nSigned-off-by: Jiri Kosina \u003cjkosina@suse.com\u003e\n" }, { "commit": "4db2af929279c799b5653a39eb0795c72baffca4", "tree": "951bdcb7cf99e977b9e920f7bd2565e54e123b32", "parents": [ "cac61b58a3b6340c52afa06bb15eac033158db2f" ], "author": { "name": "Sangyun Kim", "email": "sangyun.kim@snu.ac.kr", "time": "Mon Apr 20 14:13:17 2026 +0900" }, "committer": { "name": "Jiri Kosina", "email": "jkosina@suse.com", "time": "Tue May 12 17:57:35 2026 +0200" }, "message": "HID: appletb-kbd: fix UAF in inactivity-timer cleanup path\n\nCommit 38224c472a03 (\"HID: appletb-kbd: fix slab use-after-free bug in\nappletb_kbd_probe\") added timer_delete_sync(\u0026kbd-\u003einactivity_timer) to\nboth the probe close_hw error path and appletb_kbd_remove(), but the\nway it was wired in left the inactivity timer reachable during driver\ntear-down via two distinct windows.\n\nWindow A -- put_device() before timer_delete_sync():\n\n\tput_device(\u0026kbd-\u003ebacklight_dev-\u003edev);\n\ttimer_delete_sync(\u0026kbd-\u003einactivity_timer);\n\nThe inactivity_timer softirq reads kbd-\u003ebacklight_dev and calls\nbacklight_device_set_brightness() -\u003e mutex_lock(\u0026ops_lock). If a\nconcurrent hid_appletb_bl unbind drops the last devm reference\nbetween these two calls, the backlight_device is freed and the\nmutex_lock() touches freed memory.\n\nWindow B -- backlight cleanup before hid_hw_stop():\n\n\tif (kbd-\u003ebacklight_dev) {\n\t\ttimer_delete_sync(...);\n\t\tput_device(...);\n\t}\n\thid_hw_close(hdev);\n\thid_hw_stop(hdev);\n\nEven after Window A is closed, hid_hw_close()/hid_hw_stop() still run\nafterwards, so a late \".event\" callback from the HID core (USB URB\ncompletion on real Apple hardware) can arrive after\ntimer_delete_sync() drained the softirq but before put_device() drops\nthe reference. That callback reaches reset_inactivity_timer(), which\ncalls mod_timer() and re-arms the timer. The freshly re-armed timer\ncan then fire on the about-to-be-freed backlight_device.\n\nBoth windows produce the same KASAN slab-use-after-free:\n\n BUG: KASAN: slab-use-after-free in __mutex_lock+0x1aab/0x21c0\n Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0\n Call Trace:\n \u003cIRQ\u003e\n __mutex_lock\n backlight_device_set_brightness\n appletb_inactivity_timer\n call_timer_fn\n run_timer_softirq\n handle_softirqs\n Allocated by task N:\n devm_backlight_device_register\n appletb_bl_probe\n Freed by task M:\n (concurrent hid_appletb_bl unbind path)\n\nClose both windows at once by reworking the tear-down in\nappletb_kbd_remove() and in the probe close_hw error path so that\n\n 1) hid_hw_close()/hid_hw_stop() run before the backlight cleanup,\n guaranteeing no further .event callback can fire and re-arm the\n timer, and\n 2) inside the \"if (kbd-\u003ebacklight_dev)\" block, timer_delete_sync()\n runs before put_device(), so the softirq is drained before the\n final reference is dropped.\n\nFixes: 38224c472a03 (\"HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sangyun Kim \u003csangyun.kim@snu.ac.kr\u003e\nSigned-off-by: Jiri Kosina \u003cjkosina@suse.com\u003e\n" }, { "commit": "cac61b58a3b6340c52afa06bb15eac033158db2f", "tree": "2bec557459155ac42b475b50d09740e2337e1e01", "parents": [ "d93ba918a185aca2594da63e92fdc5495b559c0f" ], "author": { "name": "T.J. Mercier", "email": "tjmercier@google.com", "time": "Fri Apr 17 08:47:02 2026 -0700" }, "committer": { "name": "Jiri Kosina", "email": "jkosina@suse.com", "time": "Tue May 12 17:54:48 2026 +0200" }, "message": "HID: playstation: Clamp num_touch_reports\n\nA device would never lie about the number of touch reports would it?\n\nIf it does the loop in dualshock4_parse_report will read off the end of\nthe touch_reports array, up to about 2 KiB for the maximum number of 256\nloop iteraions. The data that is read is emitted via evdev if the\nDS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by\nclamping the num_touch_reports value provided by the device to the\nmaximum size of the touch_reports array.\n\nFixes: 752038248808 (\"HID: playstation: add DualShock4 touchpad support.\")\nCc: stable@vger.kernel.org\nReported-by: Xingyu Jin \u003cxingyuj@google.com\u003e\nSigned-off-by: T.J. Mercier \u003ctjmercier@google.com\u003e\nSigned-off-by: Jiri Kosina \u003cjkosina@suse.com\u003e\n" }, { "commit": "d93ba918a185aca2594da63e92fdc5495b559c0f", "tree": "bb308586c17be917320e118dfb75be562a7e1917", "parents": [ "f097d246677b03db814c5862f368cea341b76a00" ], "author": { "name": "Lee Jones", "email": "lee@kernel.org", "time": "Thu Apr 16 14:16:54 2026 +0100" }, "committer": { "name": "Jiri Kosina", "email": "jkosina@suse.com", "time": "Tue May 12 17:49:18 2026 +0200" }, "message": "HID: magicmouse: Prevent out-of-bounds (OOB) read during DOUBLE_REPORT_ID\n\nIt is currently possible for a malicious or misconfigured USB device to\ncause an out-of-bounds (OOB) read when submitting reports using\nDOUBLE_REPORT_ID by specifying a large report length and providing a\nsmaller one.\n\nLet\u0027s prevent that by comparing the specified report length with the\nactual size of the data read in from userspace. If the actual data\nlength ends up being smaller than specified, we\u0027ll politely warn the\nuser and prevent any further processing.\n\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\nReviewed-by: Günther Noack \u003cgnoack@google.com\u003e\nSigned-off-by: Jiri Kosina \u003cjkosina@suse.com\u003e\n" }, { "commit": "f097d246677b03db814c5862f368cea341b76a00", "tree": "0c99ca034b43977c21004cdd662f93cdd5d530bb", "parents": [ "5f90dcfa8dc32a488581b78e575cdd7808ba5c78" ], "author": { "name": "Florian Pradines", "email": "florian.pradines@gmail.com", "time": "Sat May 09 09:45:17 2026 +0000" }, "committer": { "name": "Jiri Kosina", "email": "jkosina@suse.com", "time": "Tue May 12 17:48:16 2026 +0200" }, "message": "HID: mcp2221: fix OOB write in mcp2221_raw_event()\n\nmcp2221_raw_event() copies device-supplied data into mcp-\u003erxbuf at\noffset rxbuf_idx without checking that the copy fits within the\ndestination buffer. A device responding with up to 60 bytes to a\nsmall I2C/SMBus read can overflow the buffer.\n\nAdd a rxbuf_size field to struct mcp2221, set it alongside rxbuf in\nmcp_i2c_smbus_read(), and check rxbuf_idx + data[3] \u003c\u003d rxbuf_size\nbefore the memcpy.\n\nReported-by: Benoît Sevens \u003cbsevens@google.com\u003e\nSigned-off-by: Florian Pradines \u003cflorian.pradines@gmail.com\u003e\nSigned-off-by: Jiri Kosina \u003cjkosina@suse.com\u003e\n" }, { "commit": "5f90dcfa8dc32a488581b78e575cdd7808ba5c78", "tree": "323f04dfce2f4039b612ba0e223ac1c4ce6da1be", "parents": [ "17ee873dba04d05090dfc5b2b9e08cfc8e4f147f" ], "author": { "name": "Lukas Bulwahn", "email": "lukas.bulwahn@redhat.com", "time": "Thu Feb 05 09:11:31 2026 +0100" }, "committer": { "name": "Jiri Kosina", "email": "jkosina@suse.com", "time": "Tue May 12 17:23:59 2026 +0200" }, "message": "HID: quirks: really enable the intended work around for appledisplay\n\nCommit c7fabe4ad921 (\"HID: quirks: work around VID/PID conflict for\nappledisplay\") intends to add a quirk for kernels built with Apple Cinema\nDisplay support, but it refers to the non-existing config option\nCONFIG_APPLEDISPLAY, whereas the config option for Apple Cinema Display\nsupport is named CONFIG_USB_APPLEDISPLAY.\n\nRefer to the intended config option CONFIG_USB_APPLEDISPLAY in the ifdef\ndirective.\n\nFixes: c7fabe4ad921 (\"HID: quirks: work around VID/PID conflict for appledisplay\")\nSigned-off-by: Lukas Bulwahn \u003clukas.bulwahn@redhat.com\u003e\nSigned-off-by: Jiri Kosina \u003cjkosina@suse.com\u003e\n" }, { "commit": "17ee873dba04d05090dfc5b2b9e08cfc8e4f147f", "tree": "b622e709c002200001d7265f7169665af1d09586", "parents": [ "487359284509a6745e14b8c0518768bc277809b0" ], "author": { "name": "Oliver Neukum", "email": "oneukum@suse.com", "time": "Tue Mar 03 10:48:54 2026 +0100" }, "committer": { "name": "Jiri Kosina", "email": "jkosina@suse.com", "time": "Tue May 12 17:23:08 2026 +0200" }, "message": "HID: hid-sjoy: race between init and usage\n\nThe driver uses an initial IO to set the device to a default\nstate. That initialization is currently being done after the device\nnode has been created. That means that the single buffer used\nfor output can be altered while IO is in progress.\nMove the intialization before announcement to user space.\n\nFixes: fac733f029251 (\"HID: force feedback support for SmartJoy PLUS PS2/USB adapter\")\nSigned-off-by: Oliver Neukum \u003coneukum@suse.com\u003e\nSigned-off-by: Jiri Kosina \u003cjkosina@suse.com\u003e\n" }, { "commit": "9988931df99cf5d68af360e1f23b9c674a0b1b4f", "tree": "566478e30be01de48ad47efdc0adc6847ffa0a94", "parents": [ "36a8d04a8293afcb9304cf0cd3741f67698f2a1a", "ce372e869f9f492f3d5aa9a0ae75ed52c61d2d6f" ], "author": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue May 12 16:15:03 2026 +0200" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue May 12 16:15:04 2026 +0200" }, "message": "Merge branch \u0027net-shaper-fix-various-minor-bugs\u0027\n\nJakub Kicinski says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nnet: shaper: fix various minor bugs\n\nFix various minor bugs in the net shaper API.\n\nFirst 2 patches deal with ordering issues around inserting\nand publishing new shapers. Shapers are inserted \"tentatively\"\nand marked valid only after HW op succeeded, this used to\nbe slightly racy.\n\nOnly other patch of note is patch 8. We want to add a Netlink\npolicy check on the handle ID. This necessitates patch 7.\n\nThe rest are simple and self-explanatory.\n\nv1: https://lore.kernel.org/20260506000628.1501691-1-kuba@kernel.org\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260510192904.3987113-1-kuba@kernel.org\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "ce372e869f9f492f3d5aa9a0ae75ed52c61d2d6f", "tree": "566478e30be01de48ad47efdc0adc6847ffa0a94", "parents": [ "b62b29e6de6711f5918940aa6ff2bbab6d6af502" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Sun May 10 12:29:04 2026 -0700" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue May 12 16:15:00 2026 +0200" }, "message": "net: shaper: reject QUEUE scope handle with missing id\n\nnet_shaper_parse_handle() does not enforce that the user provides\nthe handle ID. For NODE the ID defaults to UNSPEC for all other\ncases it defaults to 0.\n\nFor NETDEV 0 is the only option. For QUEUE defaulting to 0 makes\nless intuitive sense. Specifically because the behavior should\n(IMHO) be the same for all cases where there may be more than\none ID (QUEUE and NODE).\n\nWe should either document this as intentional or reject.\nI picked the latter with no strong conviction.\n\nFixes: 4b623f9f0f59 (\"net-shapers: implement NL get operation\")\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\nLink: https://patch.msgid.link/20260510192904.3987113-11-kuba@kernel.org\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "b62b29e6de6711f5918940aa6ff2bbab6d6af502", "tree": "edc4db4d9d4be41478deae42740dbf7db7c25a84", "parents": [ "8d5806c600fddb907ebe378f9c366d4b52ac3a39" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Sun May 10 12:29:03 2026 -0700" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue May 12 16:15:00 2026 +0200" }, "message": "net: shaper: enforce singleton NETDEV scope with id 0\n\nThe NETDEV scope represents a singleton root shaper in the per-device\nhierarchy. All code assumes NETDEV shapers have id 0:\nnet_shaper_default_parent() hardcodes parent-\u003eid \u003d 0 when returning\nthe NETDEV parent for QUEUE/NODE children, and the UAPI documentation\ndescribes NETDEV scope as \"the main shaper\" (singular, not plural).\n\nMake sure we reject non-0 IDs.\n\nFixes: 4b623f9f0f59 (\"net-shapers: implement NL get operation\")\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\nLink: https://patch.msgid.link/20260510192904.3987113-10-kuba@kernel.org\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "8d5806c600fddb907ebe378f9c366d4b52ac3a39", "tree": "bcd14a27b4bb8a353790be06da07c43a4fcdf7e2", "parents": [ "fbf5df34a4dbcd09d433dd4f0916bf9b2ddb16de" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Sun May 10 12:29:02 2026 -0700" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue May 12 16:15:00 2026 +0200" }, "message": "net: shaper: reject handle IDs exceeding internal bit-width\n\nnet_shaper_parse_handle() reads the user-supplied handle ID via\nnla_get_u32(), accepting the full u32 range. However, the xarray key\nis built by net_shaper_handle_to_index() using\nFIELD_PREP(NET_SHAPER_ID_MASK, handle-\u003eid), where NET_SHAPER_ID_MASK\nis GENMASK(25, 0) - only 26 bits wide. FIELD_PREP silently masks off\nthe upper bits at runtime. A user-supplied NODE id like 0x04000123\nbecomes id 0x123.\n\nAdditionally, a user-supplied id equal to NET_SHAPER_ID_UNSPEC\n(0x03FFFFFF, which is NET_SHAPER_ID_MASK itself) would collide with\nthe sentinel used internally by the group operation to signal\n\"allocate a new NODE id\".\n\nReject user-supplied IDs \u003e\u003d NET_SHAPER_ID_MASK (i.e., \u003e\u003d 0x03FFFFFF)\nin the policy.\n\nFixes: 4b623f9f0f59 (\"net-shapers: implement NL get operation\")\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\nLink: https://patch.msgid.link/20260510192904.3987113-9-kuba@kernel.org\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "fbf5df34a4dbcd09d433dd4f0916bf9b2ddb16de", "tree": "05448b9bfdbf6b791f4ae39231ee7ebbac290ca2", "parents": [ "0f9a857e34d0f8c018a3e4435c6f0e92e8d2f38c" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Sun May 10 12:29:01 2026 -0700" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue May 12 16:15:00 2026 +0200" }, "message": "tools: ynl: add scope qualifier for definitions\n\nUsing definitions in kernel policies is awkward right now.\nOn one hand we want defines for max values and such.\nOn the other we don\u0027t have a way of adding kernel-only defines.\nAdding unnecessary defines to uAPI is a bad idea, we won\u0027t\nbe able to delete them. And when it comes to policy user\nspace should just query it via the policy dump, not use\nhard coded defines.\n\nAdd a \"scope\" property to definitions, which will let us tell\nthe codegen that a definition is for kernel use only. Support\nfollowing values:\n - uapi: render into the uAPI header (default, today\u0027s behavior)\n - kernel: render to kernel header only\n - user: same as kernel but for the user-side generated header\n\nDefinitions may have a header property (definition is \"external\",\nprovided by existing header). Extend the scope to headers, too.\nIf definition has both scope and header properties we will only\ngenerate the includes in the right scope.\n\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\nLink: https://patch.msgid.link/20260510192904.3987113-8-kuba@kernel.org\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "0f9a857e34d0f8c018a3e4435c6f0e92e8d2f38c", "tree": "3738c91b6ba7a2673ce6a8649c486bdf593dcf45", "parents": [ "8054f85b83f42a37d482fc77ea7c9ff06a9407d9" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Sun May 10 12:29:00 2026 -0700" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue May 12 16:14:59 2026 +0200" }, "message": "net: shaper: fix undersized reply skb allocation in GROUP command\n\nnet_shaper_group_send_reply() writes both the NET_SHAPER_A_IFINDEX\nattribute (via net_shaper_fill_binding()) and the nested\nNET_SHAPER_A_HANDLE attribute (via net_shaper_fill_handle()), but\nthe reply skb at the call site in net_shaper_nl_group_doit() is\nallocated using net_shaper_handle_size(), which only accounts for\nthe nested handle.\n\nThe allocation is therefore short by nla_total_size(sizeof(u32))\n(8 bytes) for the IFINDEX attribute. In practice the slab allocator\nrounds up the small allocation so the bug is latent, but the size\naccounting is wrong and could bite if the reply grew further.\n\nIntroduce net_shaper_group_reply_size() that accounts for the full\nreply payload and use it both at the genlmsg_new() call site and in\nthe defensive WARN_ONCE message.\n\nFixes: 5d5d4700e75d (\"net-shapers: implement NL group operation\")\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\nLink: https://patch.msgid.link/20260510192904.3987113-7-kuba@kernel.org\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "8054f85b83f42a37d482fc77ea7c9ff06a9407d9", "tree": "641ca061e8366e96c1e3e7b6b74fd8e7b7ccb4da", "parents": [ "6e8ae9d805d4b9ecec49bb9e457d9bae0b21b540" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Sun May 10 12:28:59 2026 -0700" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue May 12 16:14:59 2026 +0200" }, "message": "net: shaper: set ret to -ENOMEM when genlmsg_new() fails in group_doit\n\ngenlmsg_new() alloc failure path in net_shaper_nl_group_doit() forgets\nto set ret before jumping to error handling.\n\nFixes: 5d5d4700e75d (\"net-shapers: implement NL group operation\")\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\nLink: https://patch.msgid.link/20260510192904.3987113-6-kuba@kernel.org\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "6e8ae9d805d4b9ecec49bb9e457d9bae0b21b540", "tree": "be4881ff6acc89c2c4739b6b5a21c141144bad32", "parents": [ "a9a2fa1da619f276580b0d4c5d12efac89e8642b" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Sun May 10 12:28:58 2026 -0700" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue May 12 16:14:59 2026 +0200" }, "message": "selftests: drv-net: add shaper test for duplicate leaves\n\nAdd test exercising duplicate leaves.\n\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\nLink: https://patch.msgid.link/20260510192904.3987113-5-kuba@kernel.org\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "a9a2fa1da619f276580b0d4c5d12efac89e8642b", "tree": "846614955192bad1fa256c499d7b35313486124f", "parents": [ "235fb5376139c3419f2218349f1fa2f06f24f7ad" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Sun May 10 12:28:57 2026 -0700" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue May 12 16:14:59 2026 +0200" }, "message": "net: shaper: reject duplicate leaves in GROUP request\n\nnet_shaper_nl_group_doit() does not deduplicate NET_SHAPER_A_LEAVES\nentries. When userspace supplies the same leaf handle twice, the same\nold-parent pointer lands twice in old_nodes[]. The cleanup loop double\nfrees the parent. Of course the same parent may still be in old_nodes[]\ntwice if we are moving multiple of its leaves.\n\nNote that this patch also implicitly fixes the fact that the\ni \u003e\u003d leaves_count path forgets to set ret.\n\nFixes: 5d5d4700e75d (\"net-shapers: implement NL group operation\")\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\nLink: https://patch.msgid.link/20260510192904.3987113-4-kuba@kernel.org\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "235fb5376139c3419f2218349f1fa2f06f24f7ad", "tree": "4f7cb5298fc777b64b2a3fc33fa4a05f1065498f", "parents": [ "7cee43fcb0c3f71441d2faaa8c2202b6a88b6bef" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Sun May 10 12:28:56 2026 -0700" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue May 12 16:14:59 2026 +0200" }, "message": "net: shaper: fix trivial ordering issue in net_shaper_commit()\n\nWe should update the entry before we mark it as valid.\n\nFixes: 93954b40f6a4 (\"net-shapers: implement NL set and delete operations\")\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\nLink: https://patch.msgid.link/20260510192904.3987113-3-kuba@kernel.org\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "7cee43fcb0c3f71441d2faaa8c2202b6a88b6bef", "tree": "90a109f2f21552dea94a3a3854bf6fffe8026172", "parents": [ "36a8d04a8293afcb9304cf0cd3741f67698f2a1a" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Sun May 10 12:28:55 2026 -0700" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue May 12 16:14:59 2026 +0200" }, "message": "net: shaper: flip the polarity of the valid flag\n\nThe usual way of inserting entries which are not yet fully ready\ninto XArray is to have a VALID flag. The shaper code has a NOT_VALID\nflag. Since XArray code does not let us create entries with marks\nalready set - the creation of entries is currently not atomic.\n\nFlip the polarity of the VALID flag. This closes the tiny race\nin net_shaper_pre_insert() of entries being created without\nthe NOT_VALID flag.\n\nFixes: 93954b40f6a4 (\"net-shapers: implement NL set and delete operations\")\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\nLink: https://patch.msgid.link/20260510192904.3987113-2-kuba@kernel.org\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "36a8d04a8293afcb9304cf0cd3741f67698f2a1a", "tree": "83d96923a7a1b0471fec4e4b308b725f57545635", "parents": [ "2cc8f499713bee5d8053772fe5ebdee980727a3a" ], "author": { "name": "Ethan Nelson-Moore", "email": "enelsonmoore@gmail.com", "time": "Fri May 08 19:37:28 2026 -0700" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue May 12 15:28:22 2026 +0200" }, "message": "net: ethernet: cs89x0: remove stale CONFIG_MACH_MX31ADS reference\n\nThe legacy ARM board file for MACH_MX31ADS was removed in commit\nc93197b0041d (\"ARM: imx: Remove i.MX31 board files\"), but a reference\nto it remained in the cs89x0 driver. Drop this unused code.\n\nSigned-off-by: Ethan Nelson-Moore \u003cenelsonmoore@gmail.com\u003e\nFixes: c93197b0041d (\"ARM: imx: Remove i.MX31 board files\")\nLink: https://patch.msgid.link/20260509023732.42256-1-enelsonmoore@gmail.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "2cc8f499713bee5d8053772fe5ebdee980727a3a", "tree": "08dea3d43758a4b01092ff48059b2377c4be3578", "parents": [ "93d809adc13001e9d3a3ceb8d1e60fae2fb740d6", "ebd8ec2b309e3a447851b456ccaf8fb39f3661e7" ], "author": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue May 12 15:20:21 2026 +0200" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue May 12 15:20:21 2026 +0200" }, "message": "Merge branch \u0027net-ethernet-cortina-fix-various-rx-bugs\u0027\n\nLinus Walleij says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nnet: ethernet: cortina: Fix various RX bugs\n\nDuring review of a minor patch for a bug in the Cortina\nethernet driver, Sashiko jumped in and pointed out a number\nof nasty bugs.\n\nThis series hopefully fixes all of them.\n\nSigned-off-by: Linus Walleij \u003clinusw@kernel.org\u003e\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260509-gemini-ethernet-fixes-v1-0-6c5d20ddc35b@kernel.org\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "ebd8ec2b309e3a447851b456ccaf8fb39f3661e7", "tree": "08dea3d43758a4b01092ff48059b2377c4be3578", "parents": [ "06937db21ee311ed07eba47954447245041a982d" ], "author": { "name": "Linus Walleij", "email": "linusw@kernel.org", "time": "Sat May 09 00:13:38 2026 +0200" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue May 12 15:20:16 2026 +0200" }, "message": "net: ethernet: cortina: Carry over frag counter\n\nThe gmac_rx() NAPI poll function assembles packets in an\nSKB from a ring buffer.\n\nIf the ring buffer gets completely emptied during a poll cycle,\nwe exit gmac_rx(), but the packet is not yet completely\nassembled in the SKB, yet the fragment counter frag_nr is\nreset to zero on the next invocation.\n\nSolve this by making the RX fragment counter a part of the\nport struct, and carry it over between invocations.\n\nReset the fragment counter only right after calling\nnapi_gro_frags(), on error (after calling napi_free_frags())\nor if stopping the port.\n\nReset it in some place where not strictly necessary just to\nemphasize what is going on.\n\nThis was found by Sashiko during normal patch review.\n\nFixes: 4d5ae32f5e1e (\"net: ethernet: Add a driver for Gemini gigabit ethernet\")\nLink: https://sashiko.dev/#/patchset/20260505-gemini-ethernet-fix-v2-1-997c31d06079%40kernel.org\nSigned-off-by: Linus Walleij \u003clinusw@kernel.org\u003e\nLink: https://patch.msgid.link/20260509-gemini-ethernet-fixes-v1-3-6c5d20ddc35b@kernel.org\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "06937db21ee311ed07eba47954447245041a982d", "tree": "7705b669b95ec96fb404506905cfff3dbc1c1e86", "parents": [ "2cb156213093a62b80cf40b1ec71738e93491971" ], "author": { "name": "Linus Walleij", "email": "linusw@kernel.org", "time": "Sat May 09 00:13:37 2026 +0200" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue May 12 15:20:16 2026 +0200" }, "message": "net: ethernet: cortina: Make RX SKB per-port\n\nThe SKB used to assemble packets from fragments in gmac_rx()\nis static local, but the Gemini has two ethernet ports, meaning\nthere can be races between the ports on a bad day if a device\nis using both.\n\nMake the RX SKB a per-port variable and carry it over between\ninvocations in the port struct instead.\n\nZero the pointer once we call napi_gro_frags(), on error (after\ncalling napi_free_frags()) or if the port is stopped.\n\nZero it in some place where not strictly necessary just to\nemphasize what is going on.\n\nThis was found by Sashiko during normal patch review.\n\nFixes: 4d5ae32f5e1e (\"net: ethernet: Add a driver for Gemini gigabit ethernet\")\nLink: https://sashiko.dev/#/patchset/20260505-gemini-ethernet-fix-v2-1-997c31d06079%40kernel.org\nSigned-off-by: Linus Walleij \u003clinusw@kernel.org\u003e\nLink: https://patch.msgid.link/20260509-gemini-ethernet-fixes-v1-2-6c5d20ddc35b@kernel.org\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "2cb156213093a62b80cf40b1ec71738e93491971", "tree": "402fd96001622fd46e4077b2c6117b7615898e6d", "parents": [ "93d809adc13001e9d3a3ceb8d1e60fae2fb740d6" ], "author": { "name": "Linus Walleij", "email": "linusw@kernel.org", "time": "Sat May 09 00:13:36 2026 +0200" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue May 12 15:20:16 2026 +0200" }, "message": "net: ethernet: cortina: No mapping is a dropped rx\n\nIncrease stats.rx_dropped++ even if this is the first fragment\n(skb \u003d\u003d NULL) so we are doing proper accounting.\n\nFixes: b266bacba796 (\"net: ethernet: cortina: Drop half-assembled SKB\")\nLink: https://sashiko.dev/#/patchset/20260505-gemini-ethernet-fix-v2-1-997c31d06079%40kernel.org\nSigned-off-by: Linus Walleij \u003clinusw@kernel.org\u003e\nLink: https://patch.msgid.link/20260509-gemini-ethernet-fixes-v1-1-6c5d20ddc35b@kernel.org\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "93d809adc13001e9d3a3ceb8d1e60fae2fb740d6", "tree": "0b4ab751d0486fac74635d8a7013690076b1c0a4", "parents": [ "911f54771ca97947cfdca360e9e9b4147a330740", "3a3e3d90cbc79600544536723911657730759af3" ], "author": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue May 12 12:52:17 2026 +0200" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue May 12 12:52:18 2026 +0200" }, "message": "Merge branch \u0027vsock-virtio-fix-vsockmon-tap-skb-construction\u0027\n\nStefano Garzarella says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nvsock/virtio: fix vsockmon tap skb construction\n\nWhile reviewing the patch posted by Yiqi Sun [1] to fix an issue in\nvirtio_transport_build_skb(), I discovered another issue related to\nthe offset and length of the payload to be copied in the new skb.\nThis was introduced when we did the skb conversion, and fixed by\npatch 1.\n\nPatch 2 fixes the issue found by Yiqi Sun in a different way: using\niov_iter_kvec() to properly initialize all the iov_iter fields and\nremoving the linear vs non-linear split like we alredy do in\nvhost-vsock.\n\nIt could have been a single patch, but since there were two affected\ncommits, I decided to keep the fixes separate.\n\n[1] https://lore.kernel.org/netdev/20260430071110.380509-1-sunyiqixm@gmail.com/\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260508164411.261440-1-sgarzare@redhat.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "3a3e3d90cbc79600544536723911657730759af3", "tree": "0b4ab751d0486fac74635d8a7013690076b1c0a4", "parents": [ "5f344d809e015fba3709e5219428c00b8ac5d7df" ], "author": { "name": "Stefano Garzarella", "email": "sgarzare@redhat.com", "time": "Fri May 08 18:44:11 2026 +0200" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue May 12 12:52:15 2026 +0200" }, "message": "vsock/virtio: fix empty payload in tap skb for non-linear buffers\n\nFor non-linear skbs, virtio_transport_build_skb() goes through\nvirtio_transport_copy_nonlinear_skb() to copy the original payload\nin the new skb to be delivered to the vsockmon tap device.\nThis manually initializes an iov_iter but does not set iov_iter.count.\nSince the iov_iter is zero-initialized, the copy length is zero and no\npayload is actually copied to the monitor interface, leaving data\nun-initialized.\n\nFix this by removing the linear vs non-linear split and using\nskb_copy_datagram_iter() with iov_iter_kvec() for all cases, as\nvhost-vsock already does. This handles both linear and non-linear skbs,\nproperly initializes the iov_iter, and removes the now unused\nvirtio_transport_copy_nonlinear_skb().\n\nWhile touching this code, let\u0027s also check the return value of\nskb_copy_datagram_iter(), even though it\u0027s unlikely to fail.\n\nFixes: 4b0bf10eb077 (\"vsock/virtio: non-linear skb handling for tap\")\nReported-by: Yiqi Sun \u003csunyiqixm@gmail.com\u003e\nSigned-off-by: Stefano Garzarella \u003csgarzare@redhat.com\u003e\nReviewed-by: Bobby Eshleman \u003cbobbyeshleman@meta.com\u003e\nReviewed-by: Arseniy Krasnov \u003cavkrasnov@rulkc.org\u003e\nLink: https://patch.msgid.link/20260508164411.261440-3-sgarzare@redhat.com\nAcked-by: Michael S. Tsirkin \u003cmst@redhat.com\u003e\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "5f344d809e015fba3709e5219428c00b8ac5d7df", "tree": "b643ca18e8cd182eee4f7397f19e46e78012febc", "parents": [ "911f54771ca97947cfdca360e9e9b4147a330740" ], "author": { "name": "Stefano Garzarella", "email": "sgarzare@redhat.com", "time": "Fri May 08 18:44:10 2026 +0200" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue May 12 12:52:15 2026 +0200" }, "message": "vsock/virtio: fix length and offset in tap skb for split packets\n\nvirtio_transport_build_skb() builds a new skb to be delivered to the\nvsockmon tap device. To build the new skb, it uses the original skb\ndata length as payload length, but as the comment notes, the original\npacket stored in the skb may have been split in multiple packets, so we\nneed to use the length in the header, which is correctly updated before\nthe packet is delivered to the tap, and the offset for the data.\n\nThis was also similar to what we did before commit 71dc9ec9ac7d\n(\"virtio/vsock: replace virtio_vsock_pkt with sk_buff\") where we probably\nmissed something during the skb conversion.\n\nAlso update the comment above, which was left stale by the skb\nconversion and still mentioned a buffer pointer that no longer exists.\n\nFixes: 71dc9ec9ac7d (\"virtio/vsock: replace virtio_vsock_pkt with sk_buff\")\nSigned-off-by: Stefano Garzarella \u003csgarzare@redhat.com\u003e\nReviewed-by: Bobby Eshleman \u003cbobbyeshleman@meta.com\u003e\nReviewed-by: Arseniy Krasnov \u003cavkrasnov@rulkc.org\u003e\nLink: https://patch.msgid.link/20260508164411.261440-2-sgarzare@redhat.com\nAcked-by: Michael S. Tsirkin \u003cmst@redhat.com\u003e\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "911f54771ca97947cfdca360e9e9b4147a330740", "tree": "855c32c0e2d86d9612daa4666b78e801df43e5ae", "parents": [ "be48e5fe51a5864566307998286a699d6b986934" ], "author": { "name": "Quan Sun", "email": "2022090917019@std.uestc.edu.cn", "time": "Fri May 08 20:46:36 2026 +0800" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue May 12 12:28:34 2026 +0200" }, "message": "net: hsr: fix NULL pointer dereference in hsr_get_node_data()\n\nIn the HSR (High-availability Seamless Redundancy) protocol, node\ninformation is maintained in the node_db. When a supervision frame is\nreceived, node-\u003eaddr_B_port is updated to track the receiving port type\n(e.g., HSR_PT_SLAVE_B).\n\nIf the underlying physical interface associated with this slave port is\nremoved (e.g., via `ip link del`), hsr_del_port() frees the hsr_port\nobject. However, the stale node-\u003eaddr_B_port reference is kept in the\nnode_db until the node ages out.\n\nSubsequently, if userspace queries the node status via the Netlink\ncommand HSR_C_GET_NODE_STATUS, the kernel calls hsr_get_node_data().\nThis function unconditionally dereferences the pointer returned by\nhsr_port_get_hsr():\n\n if (node-\u003eaddr_B_port !\u003d HSR_PT_NONE) {\n port \u003d hsr_port_get_hsr(hsr, node-\u003eaddr_B_port);\n *addr_b_ifindex \u003d port-\u003edev-\u003eifindex; // \u003c-- NULL deref\n }\n\nIf the slave port has been deleted, hsr_port_get_hsr() returns NULL,\nresulting in a kernel panic.\n\nOops: general protection fault, probably for non-canonical address\nKASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\nRIP: 0010:hsr_get_node_data+0x7b6/0x9e0\nCall Trace:\n \u003cTASK\u003e\n hsr_get_node_status+0x445/0xa40\n\nFix this by adding a proper NULL pointer check. If the port lookup fails\ndue to a stale port type, gracefully treat it as if no valid port exists\nand assign -1 to the interface index.\n\nSteps to reproduce:\n1. Create an HSR interface with two slave devices.\n2. Receive a supervision frame to populate node_db with\n addr_B_port assigned to SLAVE_B.\n3. Delete the underlying slave device B.\n4. Send an HSR_C_GET_NODE_STATUS Netlink message.\n\nFixes: c5a759117210 (\"net/hsr: Use list_head (and rcu) instead of array for slave devices.\")\nSigned-off-by: Quan Sun \u003c2022090917019@std.uestc.edu.cn\u003e\nLink: https://patch.msgid.link/20260508124636.1462346-1-2022090917019@std.uestc.edu.cn\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "c21b90f77687075115d989e53a8ec5e2bb427ab1", "tree": "60948ff6c7356965619aa814be82b4ad61a93515", "parents": [ "50897c955902c93ae71c38698abb910525ebdc89" ], "author": { "name": "Prathyushi Nangia", "email": "prathyushi.nangia@amd.com", "time": "Tue Dec 09 10:01:33 2025 -0600" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon May 11 20:06:36 2026 -0700" }, "message": "x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2\u0027s op cache\n\nMake sure resources are not improperly shared in the op cache and\ncause instruction corruption this way.\n\nSigned-off-by: Prathyushi Nangia \u003cprathyushi.nangia@amd.com\u003e\nCo-developed-by: Borislav Petkov (AMD) \u003cbp@alien8.de\u003e\nSigned-off-by: Borislav Petkov (AMD) \u003cbp@alien8.de\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "be48e5fe51a5864566307998286a699d6b986934", "tree": "a824723c4d3b775eb4ba3188db6b298220cd51fe", "parents": [ "f8e64e956a635b054227f56e9586a1997add0646" ], "author": { "name": "Evgenii Burenchev", "email": "evg28bur@yandex.ru", "time": "Thu May 07 17:55:17 2026 +0300" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon May 11 18:11:06 2026 -0700" }, "message": "qed: fix division by zero in qed_init_wfq_param when all vports are configured\n\nIn qed_init_wfq_param(), variable non_requested_count can become zero\nwhen the number of vports with the configured flag set (including the\ncurrent vport being configured) equals total num_vports. This happens\nwhen configuring the last unconfigured vport or when re-configuring\nan already configured vport.\n\nThe function then calculates left_rate_per_vp \u003d total_left_rate /\nnon_requested_count, which causes division by zero.\n\nFix this by skipping the division when non_requested_count is zero.\nIn that case, there is no remaining bandwidth to distribute, so just\nrecord the configuration for the current vport and return success.\n\nFixes: bcd197c81f63 (\"qed: Add vport WFQ configuration APIs\")\nSigned-off-by: Evgenii Burenchev \u003cevg28bur@yandex.ru\u003e\nLink: https://patch.msgid.link/20260507145520.23106-1-evg28bur@yandex.ru\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "f8e64e956a635b054227f56e9586a1997add0646", "tree": "6548d623a4cc80eccd3e66074ef534c2e87cd471", "parents": [ "03cb001ef87b3f8d859cf7f96329acf3d6235d29" ], "author": { "name": "Davide Caratti", "email": "dcaratti@redhat.com", "time": "Fri May 08 19:05:10 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon May 11 18:03:16 2026 -0700" }, "message": "net/sched: dualpi2: initialize timer earlier in dualpi2_init()\n\n\u0027pi2_timer\u0027 needs to be initialized in all error paths of dualpi2_init():\notherwise, a failure in qdisc_create_dflt() causes the following crash in\ndualpi2_destroy():\n\n # tc qdisc add dev crash0 handle 1: root dualpi2\n BUG: kernel NULL pointer dereference, address: 0000000000000010\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP PTI\n CPU: 4 UID: 0 PID: 471 Comm: tc Tainted: G E 7.1.0-rc1-virtme #2 PREEMPT(full)\n Tainted: [E]\u003dUNSIGNED_MODULE\n Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n RIP: 0010:hrtimer_active+0x39/0x60\n Code: f9 eb 23 0f b6 41 38 3c 01 0f 87 87 64 c0 ff 83 e0 01 75 33 48 39 4a 50 74 28 44 3b 42 10 75 06 48 3b 51 30 74 21 48 8b 51 30 \u003c44\u003e 8b 42 10 41 f6 c0 01 74 cf f3 90 44 8b 42 10 41 f6 c0 01 74 c3\n RSP: 0018:ffffd0db80b93620 EFLAGS: 00010282\n RAX: ffffffffc0400320 RBX: ffff8cf24a4c86b8 RCX: ffff8cf24a4c86b8\n RDX: 0000000000000000 RSI: ffff8cf2429c2ab0 RDI: ffff8cf24a4c86b8\n RBP: 00000000fffffff4 R08: 0000000000000003 R09: 0000000000000000\n R10: 0000000000000001 R11: ffff8cf24a39c500 R12: ffff8cf24822c000\n R13: ffffd0db80b936c0 R14: ffffffffc02cf360 R15: 00000000ffffffff\n FS: 00007fbc01706580(0000) GS:ffff8cf2dc759000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000010 CR3: 0000000008e02003 CR4: 0000000000172ef0\n Call Trace:\n \u003cTASK\u003e\n hrtimer_cancel+0x15/0x40\n dualpi2_destroy+0x20/0x40 [sch_dualpi2]\n qdisc_create+0x230/0x570\n tc_modify_qdisc+0x716/0xc10\n rtnetlink_rcv_msg+0x188/0x780\n netlink_rcv_skb+0xcd/0x150\n netlink_unicast+0x1ba/0x290\n netlink_sendmsg+0x242/0x4d0\n ____sys_sendmsg+0x39e/0x3e0\n ___sys_sendmsg+0xe1/0x130\n __sys_sendmsg+0xad/0x110\n do_syscall_64+0x14f/0xf80\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7fbc0188b08e\n Code: 4d 89 d8 e8 94 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 \u003cc9\u003e c3 83 e2 39 83 fa 08 75 e7 e8 03 ff ff ff 0f 1f 00 f3 0f 1e fa\n RSP: 002b:00007fff593260e0 EFLAGS: 00000202 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbc0188b08e\n RDX: 0000000000000000 RSI: 00007fff59326190 RDI: 0000000000000003\n RBP: 00007fff593260f0 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000202 R12: 000055f06124f260\n R13: 0000000069fca043 R14: 000055f061255640 R15: 000055f06124d3f8\n \u003c/TASK\u003e\n Modules linked in: sch_dualpi2(E)\n CR2: 0000000000000010\n\n[1] https://lore.kernel.org/netdev/2e78e01c504c633ebdff18d041833cf2e079a3a4.1607020450.git.dcaratti@redhat.com/\n[2] https://lore.kernel.org/netdev/20200725201707.16909-1-xiyou.wangcong@gmail.com/\n\nv2:\n - rebased on top of latest net.git\n\nFixes: 320d031ad6e4 (\"sched: Struct definition and parsing of dualpi2 qdisc\")\nSigned-off-by: Davide Caratti \u003cdcaratti@redhat.com\u003e\nReviewed-by: Eric Dumazet \u003cedumazet@google.com\u003e\nLink: https://patch.msgid.link/1faca91179702b31da5d87653e1e036543e32722.1778259798.git.dcaratti@redhat.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "03cb001ef87b3f8d859cf7f96329acf3d6235d29", "tree": "8a5b56e7154b733878d40c2a906c5fe440871547", "parents": [ "24a08d7d6218d60c033015cf4870b6096446e734" ], "author": { "name": "Kuniyuki Iwashima", "email": "kuniyu@google.com", "time": "Fri May 08 12:08:46 2026 +0000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon May 11 17:50:15 2026 -0700" }, "message": "tcp: Fix out-of-bounds access for twsk in tcp_ao_established_key().\n\nlockdep_sock_is_held() was added in tcp_ao_established_key()\nby the cited commit.\n\nIt can be called from tcp_v[46]_timewait_ack() with twsk.\n\nSince it does not have sk-\u003esk_lock, the lockdep annotation\nresults in out-of-bound access.\n\n $ pahole -C tcp_timewait_sock vmlinux | grep size\n \t/* size: 288, cachelines: 5, members: 8 */\n $ pahole -C sock vmlinux | grep sk_lock\n \tsocket_lock_t sk_lock; /* 440 192 */\n\nLet\u0027s not use lockdep_sock_is_held() for TCP_TIME_WAIT.\n\nFixes: 6b2d11e2d8fc (\"net/tcp: Add missing lockdep annotations for TCP-AO hlist traversals\")\nReported-by: Damiano Melotti \u003cmelotti@google.com\u003e\nSigned-off-by: Kuniyuki Iwashima \u003ckuniyu@google.com\u003e\nReviewed-by: Eric Dumazet \u003cedumazet@google.com\u003e\nLink: https://patch.msgid.link/20260508120853.4098365-1-kuniyu@google.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "24a08d7d6218d60c033015cf4870b6096446e734", "tree": "afe575b984ea59952193c07ee28a4ae4426ae6cb", "parents": [ "e174929793195e0cd6a4adb0cad731b39f9019b4" ], "author": { "name": "Arthur Kiyanovski", "email": "akiyano@amazon.com", "time": "Thu May 07 00:35:15 2026 +0000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon May 11 17:22:48 2026 -0700" }, "message": "net: ena: PHC: Check return code before setting timestamp output\n\nena_phc_gettimex64() is setting the output parameter regardless\nof whether ena_com_phc_get_timestamp() succeeded or failed.\n\nWhen ena_com_phc_get_timestamp() returns an error, the timestamp\nparameter may contain uninitialized stack memory (e.g., when PHC is\ndisabled or in blocked state) or invalid hardware values. Passing\nthese to userspace via the PTP ioctl is both a security issue\n(information leak) and a correctness bug.\n\nFix by checking the return code after releasing the lock and only\nsetting the output timestamp on success.\n\nFixes: e0ea34158ee8 (\"net: ena: Add PHC support in the ENA driver\")\nCc: stable@vger.kernel.org\nSigned-off-by: Arthur Kiyanovski \u003cakiyano@amazon.com\u003e\nReviewed-by: Vadim Fedorenko \u003cvadim.fedorenko@linux.dev\u003e\nLink: https://patch.msgid.link/20260507003518.22554-1-akiyano@amazon.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "e174929793195e0cd6a4adb0cad731b39f9019b4", "tree": "9980530ffee5f0c5a7c0c17b0f9b755388b0f5fd", "parents": [ "a450063ef86b9967234ca1f896c0d77400c74f11" ], "author": { "name": "Allison Henderson", "email": "achender@kernel.org", "time": "Tue May 05 16:43:36 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon May 11 17:20:02 2026 -0700" }, "message": "net/rds: reset op_nents when zerocopy page pin fails\n\nWhen iov_iter_get_pages2() fails in rds_message_zcopy_from_user(),\nthe pinned pages are released with put_page(), and\nrm-\u003edata.op_mmp_znotifier is cleared. But we fail to properly\nclear rm-\u003edata.op_nents.\n\nLater when rds_message_purge() is called from rds_sendmsg() the\ncleanup loop iterates over the incorrectly non zero number of\nop_nents and frees them again.\n\nFix this by properly resetting op_nents when it should be in\nrds_message_zcopy_from_user().\n\nFixes: 0cebaccef3ac (\"rds: zerocopy Tx support.\")\nSigned-off-by: Allison Henderson \u003cachender@kernel.org\u003e\nReviewed-by: Simon Horman \u003chorms@kernel.org\u003e\nLink: https://patch.msgid.link/20260505234336.2132721-1-achender@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "50897c955902c93ae71c38698abb910525ebdc89", "tree": "635dfb8e1e9d4d75855cc23eb28d35533f55b42f", "parents": [ "c1fa0bb633e4a6b11e83ffc57fa5abe8ebb87891", "8f80b5b227ef9ea422080487715c841856339aed" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon May 11 15:38:49 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon May 11 15:38:49 2026 -0700" }, "message": "Merge tag \u0027linux_kselftest-kunit-fixes-7.1-rc4\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest\n\nPull kunit fixes from Shuah Khan:\n \"Fix to decouple KUNIT_DEBUGFS and KUNIT_ALL_TESTS options and fix\n KUNIT_DEBUGFS dependencies so it depends on DEBUG_FS without which it\n will not be useful\"\n\n* tag \u0027linux_kselftest-kunit-fixes-7.1-rc4\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:\n kunit: config: KUNIT_DEBUGFS should depend on DEBUG_FS\n kunit: config: Enable KUNIT_DEBUGFS by default\n" }, { "commit": "9a415cc53711f2238e0f0ca8a6bcc796c003b127", "tree": "01457067f3d0db705e447ca715917d56033ac764", "parents": [ "86ecb1c1a1f5c1bf4a45b91f54f8220c3121bd3b" ], "author": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Mon May 11 12:05:48 2026 -1000" }, "committer": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Mon May 11 12:05:48 2026 -1000" }, "message": "sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path\n\nIn scx_root_enable_workfn(), put_task_struct(p) is called before scx_error()\ndereferences p-\u003ecomm and p-\u003epid. If the iterator\u0027s reference is the last\ndrop, the task is freed synchronously and the deref becomes a UAF.\n\nMove put_task_struct() past scx_error().\n\nReported-by: Sashiko \u003csashiko-bot@kernel.org\u003e\nCloses: https://lore.kernel.org/all/20260511214031.AF5E9C2BCB0@smtp.kernel.org/\nFixes: f0e1a0643a59 (\"sched_ext: Implement BPF extensible scheduler class\")\nCc: stable@vger.kernel.org # v6.12+\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\n" }, { "commit": "5dd74441cbf42c22e874450eb6a6bbb19390a216", "tree": "31bc5f42d6ba5c41002bd389a152e75b6f6aacc7", "parents": [ "4a39eda5fdd867fc39f3c039714dd432cee00268" ], "author": { "name": "Guopeng Zhang", "email": "zhangguopeng@kylinos.cn", "time": "Sat May 09 18:20:31 2026 +0800" }, "committer": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Mon May 11 10:27:14 2026 -1000" }, "message": "cgroup/cpuset: Reserve DL bandwidth only for root-domain moves\n\ncpuset_can_attach() currently adds the bandwidth of all migrating\nSCHED_DEADLINE tasks to sum_migrate_dl_bw. If the source and destination\ncpuset effective CPU masks do not overlap, the whole sum is then\nreserved in the destination root domain.\n\nset_cpus_allowed_dl(), however, subtracts bandwidth from the source\nroot domain only when the affinity change really moves the task between\nroot domains. A DL task can move between cpusets that are still in the\nsame root domain, so including that task in sum_migrate_dl_bw can reserve\ndestination bandwidth without a matching source-side subtraction.\n\nShare the root-domain move test with set_cpus_allowed_dl(). Keep\nnr_migrate_dl_tasks counting all migrating deadline tasks for cpuset DL\ntask accounting, but add to sum_migrate_dl_bw only for tasks that need a\nroot-domain bandwidth move. Keep using the destination cpuset effective\nCPU mask and leave the broader can_attach()/attach() transaction model\nunchanged.\n\nFixes: 2ef269ef1ac0 (\"cgroup/cpuset: Free DL BW in case can_attach() fails\")\nCc: stable@vger.kernel.org # v6.10+\nSigned-off-by: Guopeng Zhang \u003czhangguopeng@kylinos.cn\u003e\nReviewed-by: Waiman Long \u003clongman@redhat.com\u003e\nAcked-by: Juri Lelli \u003cjuri.lelli@redhat.com\u003e\nTested-by: Juri Lelli \u003cjuri.lelli@redhat.com\u003e\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\n" }, { "commit": "e4865a56d013e86e46ea6acea15bb6eae01898ff", "tree": "7947b14d7a0b69f45abb717c296cf8d955d9d9db", "parents": [ "5d6919055dec134de3c40167a490f33c74c12581" ], "author": { "name": "Rafael J. Wysocki", "email": "rafael.j.wysocki@intel.com", "time": "Fri May 08 20:04:33 2026 +0200" }, "committer": { "name": "Rafael J. Wysocki", "email": "rafael.j.wysocki@intel.com", "time": "Mon May 11 18:50:06 2026 +0200" }, "message": "ACPI: driver: Check ACPI_COMPANION() against NULL during probe\n\nSince every platform driver can be forced to match a device that doesn\u0027t\nmatch its list of device IDs because of device_match_driver_override(),\nplatform drivers that rely on the existence of a device\u0027s ACPI companion\nobject should verify its presence.\n\nAccordingly, add requisite ACPI_COMPANION() or ACPI_HANDLE() checks\nagainst NULL to 13 platform drivers handling core ACPI devices.\n\nAlso change the value returned by the ACPI thermal zone driver when\nthe device\u0027s ACPI companion is not present to -ENODEV for consistency\nwith the other drivers.\n\nSigned-off-by: Rafael J. Wysocki \u003crafael.j.wysocki@intel.com\u003e\nReviewed-by: Hans de Goede \u003cjohannes.goede@oss.qualcomm.com\u003e\nReviewed-by: Andy Shevchenko \u003candriy.shevchenko@linux.intel.com\u003e\nLink: https://patch.msgid.link/4516068.ejJDZkT8p0@rafael.j.wysocki\nCc: 7.0+ \u003cstable@vger.kernel.org\u003e # 7.0+\n" }, { "commit": "c1fa0bb633e4a6b11e83ffc57fa5abe8ebb87891", "tree": "477cd51b4a91a61c009d26b026e856224eebb4c3", "parents": [ "5d6919055dec134de3c40167a490f33c74c12581" ], "author": { "name": "Jann Horn", "email": "jannh@google.com", "time": "Mon May 11 08:55:11 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon May 11 08:55:11 2026 -0700" }, "message": "exit: prevent preemption of oopsing TASK_DEAD task\n\nWhen an already-exiting task oopses, make_task_dead() currently calls\ndo_task_dead() with preemption enabled. That is forbidden:\ndo_task_dead() calls __schedule(), which has a comment saying \"WARNING:\nmust be called with preemption disabled!\".\n\nIf an oopsing task is preempted in do_task_dead(), between becoming\nTASK_DEAD and entering the scheduler explicitly, bad things happen:\nfinish_task_switch() assumes that once the scheduler has switched away\nfrom a TASK_DEAD task, the task can never run again and its stack is no\nlonger needed; but that assumption apparently doesn\u0027t hold if the dead\ntask was preempted (the SM_PREEMPT case).\n\nThis means that the scheduler ends up repeatedly dropping references on\nthe dead task\u0027s stack, which can lead to use-after-free or double-free\nof the entire task stack; in other words, two tasks can end up running\non the same stack, resulting in various kinds of memory corruption.\n\n(This does not just affect \"recursively oopsing\" tasks; it is enough to\noops once during task exit, for example in a file_operations::release\nhandler)\n\nFixes: 7f80a2fd7db9 (\"exit: Stop poorly open coding do_task_dead in make_task_dead\")\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \u003cjannh@google.com\u003e\nAcked-by: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "657b594b2084b39a4bc6d8493aa2140cb00cea49", "tree": "fbd93b60af268e2e7b67a507a7fdd33f412e9d14", "parents": [ "ef5581bb30efb939cc2bf093475c6cc85258e5cd" ], "author": { "name": "Masami Hiramatsu (Google)", "email": "mhiramat@kernel.org", "time": "Thu May 07 16:46:29 2026 +0900" }, "committer": { "name": "Masami Hiramatsu (Google)", "email": "mhiramat@kernel.org", "time": "Mon May 11 19:04:46 2026 +0900" }, "message": "fprobe: Fix unregister_fprobe() to wait for RCU grace period\n\nCommit 4346ba1604093 (\"fprobe: Rewrite fprobe on function-graph tracer\")\nchanged fprobe to register struct fprobe to an rcu-hlist, but it forgot\nto wait for RCU GP. Thus there can be use-after-free if the fprobe is\nreleased right after unregistering. This can be happened on fprobe\nevent and sample module code.\n\nTo fix this issue, add synchronize_rcu() in unregister_fprobe().\n\nNote that BPF is OK because fprobe is used as a part of\nbpf_kprobe_multi_link. This unregisters its fprobe in\nbpf_kprobe_multi_link_release() and it is deallocated via\nbpf_kprobe_multi_link_dealloc(), which is invoked from\nbpf_link_defer_dealloc_rcu_gp() RCU callback.\n\nFor BPF, this also introduced unregister_fprobe_async() which does\nNOT wait for RCU grace priod.\n\nLink: https://lore.kernel.org/all/177813998919.256460.2809243930741138224.stgit@mhiramat.tok.corp.google.com/\n\nFixes: 4346ba1604093 (\"fprobe: Rewrite fprobe on function-graph tracer\")\nSigned-off-by: Masami Hiramatsu (Google) \u003cmhiramat@kernel.org\u003e" }, { "commit": "86ecb1c1a1f5c1bf4a45b91f54f8220c3121bd3b", "tree": "04ee165a80bd153f7dc243330ef64fbd322f77d2", "parents": [ "bbf30b383cf6e87f2fe57c292fbd640b1d88b4c3" ], "author": { "name": "Andrea Righi", "email": "arighi@nvidia.com", "time": "Mon May 11 10:31:30 2026 +0200" }, "committer": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Sun May 10 22:50:31 2026 -1000" }, "message": "sched_ext: Clear ops-\u003epriv on scx_alloc_and_add_sched() error paths\n\nscx_alloc_and_add_sched() can fail after @sch has been assigned to\nops-\u003epriv. In those cases @sch is torn down (either via kfree() through\nthe err_free_* chain or via kobject_put() -\u003e scx_kobj_release() -\u003e RCU\nwork), but @ops-\u003epriv is left pointing at the about-to-be-freed pointer.\n\nWith the recent -EBUSY gate in scx_root_enable_workfn() and\nscx_sub_enable_workfn() that rejects an attach when @ops-\u003epriv is still\nnon-NULL, see commit bbf30b383cf6 (\"sched_ext: Fix ops-\u003epriv clobber on\nconcurrent attach/detach\"), a dangling @ops-\u003epriv permanently locks the\nkdata out: every future attach attempt sees a stale binding and returns\n-EBUSY even though no scheduler is actually attached.\n\nClear @ops-\u003epriv on the post-assign failure paths so that the kdata\nreturns to its pre-attach state when the function returns ERR_PTR().\n\nFixes: bbf30b383cf6 (\"sched_ext: Fix ops-\u003epriv clobber on concurrent attach/detach\")\nSuggested-by: Tejun Heo \u003ctj@kernel.org\u003e\nSigned-off-by: Andrea Righi \u003carighi@nvidia.com\u003e\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\n" }, { "commit": "4a39eda5fdd867fc39f3c039714dd432cee00268", "tree": "abad73590142a7b161096c13dc9384de85c4003b", "parents": [ "2a3d7256faf06d1a15bb5b07e851ac4e1680c26d" ], "author": { "name": "Guopeng Zhang", "email": "zhangguopeng@kylinos.cn", "time": "Sat May 09 18:20:30 2026 +0800" }, "committer": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Sun May 10 22:14:49 2026 -1000" }, "message": "cgroup/cpuset: Reset DL migration state on can_attach() failure\n\ncpuset_can_attach() accumulates temporary SCHED_DEADLINE migration\nstate in the destination cpuset while walking the taskset.\n\nIf a later task_can_attach() or security_task_setscheduler() check\nfails, cgroup_migrate_execute() treats cpuset as the failing subsystem\nand does not call cpuset_cancel_attach() for it. The partially\naccumulated state is then left behind and can be consumed by a later\nattach, corrupting cpuset DL task accounting and pending DL bandwidth\naccounting.\n\nReset the pending DL migration state from the common error exit when\nret is non-zero. Successful can_attach() keeps the state for\ncpuset_attach() or cpuset_cancel_attach().\n\nFixes: 2ef269ef1ac0 (\"cgroup/cpuset: Free DL BW in case can_attach() fails\")\nCc: stable@vger.kernel.org # v6.10+\nSigned-off-by: Guopeng Zhang \u003czhangguopeng@kylinos.cn\u003e\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nReviewed-by: Chen Ridong \u003cchenridong@huaweicloud.com\u003e\nReviewed-by: Waiman Long \u003clongman@redhat.com\u003e\n" }, { "commit": "bbf30b383cf6e87f2fe57c292fbd640b1d88b4c3", "tree": "a72cae4440a56e13d74dde49ca56023bd17a1eee", "parents": [ "3788e32516530dee66cf9186f846480a16799b05" ], "author": { "name": "Andrea Righi", "email": "arighi@nvidia.com", "time": "Mon May 11 08:18:12 2026 +0200" }, "committer": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Sun May 10 21:40:03 2026 -1000" }, "message": "sched_ext: Fix ops-\u003epriv clobber on concurrent attach/detach\n\nUnder heavy concurrent attach/detach operations, scx_claim_exit() can\ntrigger a NULL pointer dereference. This can be reproduced running the\nreload_loop kselftests inside a virtme-ng session:\n\n $ vng -v -- ./tools/testing/selftests/sched_ext/runner -t reload_loop\n ...\n BUG: kernel NULL pointer dereference, address: 0000000000000400\n RIP: 0010:scx_claim_exit+0x3b/0x120\n Call Trace:\n \u003cTASK\u003e\n bpf_scx_unreg+0x45/0xb0\n bpf_struct_ops_map_link_dealloc+0x39/0x50\n bpf_link_release+0x18/0x20\n __fput+0x10b/0x2e0\n __x64_sys_close+0x47/0xa0\n\nThe underlying race (diagnosed by Tejun Heo) is a stomp of @ops-\u003epriv,\nnot a missing NULL check:\n\n T2 unreg(K) T1 reg(K)\n ----------- ---------\n sch \u003d ops-\u003epriv \u003d sch_b800\n scx_disable; flush_disable_work\n [scx_root_disable: scx_root\u003dNULL,\n mutex_unlock, state\u003dDISABLED]\n mutex_lock; state ok\n scx_alloc_and_add_sched:\n ops-\u003epriv \u003d sch_a800\n scx_root \u003d sch_a800; init\u003d0\n state\u003dENABLED; mutex_unlock\n [flush returns]\n RCU_INIT_POINTER(ops-\u003epriv, NULL) \u003c-- clobbers sch_a800\n kobject_put(sch_b800)\n\nT1 acquires scx_enable_mutex inside scx_root_disable()\u0027s mutex_unlock\nwindow and starts a fresh attach on the same kdata, assigning sch_a800\nto @ops-\u003epriv. T2 then continues out of scx_disable()/flush_disable_work\nand clobbers @ops-\u003epriv to NULL, leaking sch_a800; the bpf_link is gone\nbut state stays SCX_ENABLED, so all future attaches fail with -EBUSY\npermanently. The next bpf_scx_unreg() on that kdata then reads NULL\n@ops-\u003epriv and dereferences it in scx_claim_exit().\n\nMake @ops-\u003epriv the lifecycle binding: in scx_root_enable_workfn() and\nscx_sub_enable_workfn(), after the existing state check and still under\nscx_enable_mutex, refuse with -EBUSY if @ops-\u003epriv is non-NULL. This\nrejects an attempt to reuse a kdata that is still bound to a previous\nscheduler instance, closing the race without changing the unreg side.\n\nFixes: 105dcd005be2 (\"sched_ext: Introduce scx_prog_sched()\")\nSuggested-by: Tejun Heo \u003ctj@kernel.org\u003e\nSigned-off-by: Andrea Righi \u003carighi@nvidia.com\u003e\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\n" }, { "commit": "3788e32516530dee66cf9186f846480a16799b05", "tree": "1ee995aa65b72f39a9f758cdfc0d9bd1d733a2c1", "parents": [ "d3e73a0808ddfb91ac36cd548643cbbeb00ad4db" ], "author": { "name": "Andrea Righi", "email": "arighi@nvidia.com", "time": "Sun May 10 19:52:11 2026 +0200" }, "committer": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Sun May 10 16:03:05 2026 -1000" }, "message": "selftests/sched_ext: Fix build error in dequeue selftest\n\nBuilding the dequeue selftest with newer compilers (e.g., gcc 16)\ntriggers the following error:\n\n dequeue.c:28:22: error: variable \u0027sum\u0027 set but not used\n\nThe \u0027volatile\u0027 qualifier prevents the writes from being optimized away,\nbut does not silence the unused variable \u0027sum\u0027 is indeed only written\nand never read.\n\nConsume \u0027sum\u0027 via an empty asm() with a register input constraint. This\nforces the compiler to keep the accumulated value (preserving the CPU\nstress loop) and avoiding the build error.\n\nFixes: 658ad2259b3e (\"selftests/sched_ext: Add test to validate ops.dequeue() semantics\")\nSigned-off-by: Andrea Righi \u003carighi@nvidia.com\u003e\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\n" } ], "next": "2a3d7256faf06d1a15bb5b07e851ac4e1680c26d" }