- Fix incomplete activation of multiple inactive works when unplugging a
pool_workqueue, where the pending_pwqs list wasn't being updated for
subsequent works.
Merge tag 'wq-for-7.0-rc7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq
Pull workqueue fix from Tejun Heo:
"This is a fix for a stall which triggers on ordered workqueues when
there are multiple inactive work items during workqueue property
changes through sysfs, which doesn't happen that frequently.
While really late, the fix is very low risk as it just repeats an
operation which is already being performed:
- Fix incomplete activation of multiple inactive works when
unplugging a pool_workqueue, where the pending_pwqs list
wasn't being updated for subsequent works"
* tag 'wq-for-7.0-rc7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq:
workqueue: Add pool_workqueue to pending_pwqs list when unplugging multiple inactive works
- Invert the inverted fastpath decision in check_tick_dependency(), which
prevents NOHZ full to stop the tick. That's a regression introduced in
the 7.0 merge window.
- Prevent an unprivileged DoS in the clockevents code, where user space
can starve the timer interrupt by arming a timerfd or posix interval
timer in a tight loop with an absolute expiry time in the past. The
fix turned out to be incomplete and was amended yesterday to make
it work on some 20 years old AMD machines as well. All issues with it
have been confirmed to be resolved by various reporters.
Merge tag 'timers-urgent-2026-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull timer fixes from Thomas Gleixner:
"Two fixes for the time/timers subsystem:
- Invert the inverted fastpath decision in check_tick_dependency(),
which prevents NOHZ full to stop the tick. That's a regression
introduced in the 7.0 merge window.
- Prevent an unprivileged DoS in the clockevents code, where user
space can starve the timer interrupt by arming a timerfd or posix
interval timer in a tight loop with an absolute expiry time in the
past. The fix turned out to be incomplete and was amended
yesterday to make it work on some 20 years old AMD machines as
well. All issues with it have been confirmed to be resolved by
various reporters"
* tag 'timers-urgent-2026-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
clockevents: Prevent timer interrupt starvation
tick/nohz: Fix inverted return value in check_tick_dependency() fast path
The check for the minimum receive buffer size did not take the
tag size into account during decryption. Fix this by adding the
required extra length.
Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com
Reported-by: Daniel Pouzzner <douzzer@mega.nu>
Fixes: d887c52d6a ("crypto: algif_aead - overhaul memory management")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Leo reports an out-of-bounds access when parsing a certificate with
empty Basic Constraints or Key Usage extension because the first byte of
the extension is read before checking its length. Fix it.
The bug can be triggered by an unprivileged user by submitting a
specially crafted certificate to the kernel through the keyrings(7) API.
Leo has demonstrated this with a proof-of-concept program responsibly
disclosed off-list.
Fixes: 30eae2b037 ("KEYS: X.509: Parse Basic Constraints for CA")
Fixes: 567671281a ("KEYS: X.509: Parse Key Usage")
Reported-by: Leo Lin <leo@depthfirst.com> # off-list
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Reviewed-by: Ignat Korchagin <ignat@linux.win>
Cc: stable@vger.kernel.org # v6.4+
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
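An added example, not the kernel's code: a user-space C model of the ordering the fix above describes, where an extension's length is checked before its first byte is read. The function names, return codes and the simplified short-form DER handling are assumptions made for this illustration, and the sample byte strings are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical return codes and names, chosen for this illustration. */
#define EXT_OK       0
#define EXT_BADMSG (-1)

#define DER_BOOLEAN    0x01
#define DER_BIT_STRING 0x03
#define DER_SEQUENCE   0x30

/* Check tag and short-form length of a value that must fill v[0..vlen). */
static int check_header(const uint8_t *v, size_t vlen, uint8_t tag)
{
    if (vlen < 2)            /* length first: rejects the empty extension */
        return EXT_BADMSG;
    if (v[0] != tag)         /* only now is v[0] known to exist */
        return EXT_BADMSG;
    if (v[1] >= 0x80 || (size_t)v[1] != vlen - 2)
        return EXT_BADMSG;
    return EXT_OK;
}

/* Basic Constraints: SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... } */
int parse_basic_constraints(const uint8_t *v, size_t vlen, bool *is_ca)
{
    *is_ca = false;
    if (check_header(v, vlen, DER_SEQUENCE) != EXT_OK)
        return EXT_BADMSG;
    if (v[1] == 0 || v[2] != DER_BOOLEAN)  /* cA absent: defaults to FALSE */
        return EXT_OK;
    if (vlen < 5 || v[3] != 1)             /* BOOLEAN: tag, length 1, value */
        return EXT_BADMSG;
    *is_ca = (v[4] == 0xFF);               /* DER encodes TRUE as 0xFF */
    return EXT_OK;
}

/* Key Usage: BIT STRING; bit 0 (digitalSignature) lands in 0x8000. */
int parse_key_usage(const uint8_t *v, size_t vlen, uint16_t *usage)
{
    size_t nbytes;
    uint8_t unused;

    *usage = 0;
    if (check_header(v, vlen, DER_BIT_STRING) != EXT_OK)
        return EXT_BADMSG;
    if (vlen < 3)                          /* unused-bits octet is mandatory */
        return EXT_BADMSG;
    unused = v[2];
    nbytes = vlen - 3;                     /* octets that carry the bits */
    if (unused > 7 || nbytes > 2 || (nbytes == 0 && unused != 0))
        return EXT_BADMSG;
    if (nbytes > 0 && (v[vlen - 1] & ((1u << unused) - 1)))
        return EXT_BADMSG;                 /* padding bits must be zero */
    if (nbytes >= 1)
        *usage = (uint16_t)(v[3] << 8);
    if (nbytes == 2)
        *usage |= v[4];
    return EXT_OK;
}

int main(void)
{
    /* Constructed samples: an empty value and a CA certificate's values. */
    const uint8_t empty[1] = { 0 };
    const uint8_t bc_ca[] = { 0x30, 0x03, 0x01, 0x01, 0xFF };
    const uint8_t ku_ca[] = { 0x03, 0x02, 0x01, 0x06 };
    bool ca;
    uint16_t ku;

    printf("empty basicConstraints -> %d\n",
           parse_basic_constraints(empty, 0, &ca));
    printf("empty keyUsage         -> %d\n", parse_key_usage(empty, 0, &ku));
    printf("CA basicConstraints    -> %d (cA=%d)\n",
           parse_basic_constraints(bc_ca, sizeof(bc_ca), &ca), ca);
    printf("CA keyUsage            -> %d (bits=0x%04x)\n",
           parse_key_usage(ku_ca, sizeof(ku_ca), &ku), ku);
    return 0;
}
```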
When page reassignment was added to af_alg_pull_tsgl the original
loop wasn't updated so it may try to reassign one more page than
necessary.
Add the check to the reassignment so that this does not happen.
Also update the comment which still refers to the obsolete offset
argument.
Reported-by: syzbot+d23888375c2737c17ba5@syzkaller.appspotmail.com
Fixes: e870456d8e ("crypto: algif_skcipher - overhaul memory management")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
imx: set dma_slave_config to 0 and avoid uninitialized fields
Merge tag 'i2c-for-7.0-final' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux
Pull i2c fix from Wolfram Sang:
- imx: set dma_slave_config to 0 and avoid uninitialized fields
* tag 'i2c-for-7.0-final' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
i2c: imx: zero-initialize dma_slave_config for eDMA
A couple of changes here, one update to MAINTAINERS for the AMD
controller and a change from Pei Xiao which in spite of the changelog is
actually a fix - previously the zynq-qspi driver leaked a clock enable
for every flash operation it did which isn't good, these extra enables
were removed when doing the enable cleanup which are probably a good
idea anyway.
Merge tag 'spi-fix-v7.0-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi
Pull spi fixes from Mark Brown:
"A couple of changes here, one update to MAINTAINERS for the AMD
controller and a change from Pei Xiao which in spite of the changelog
is actually a fix - previously the zynq-qspi driver leaked a clock
enable for every flash operation it did which isn't good, these extra
enables were removed when doing the enable cleanup which are probably
a good idea anyway"
* tag 'spi-fix-v7.0-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
MAINTAINERS: Update AMD SPI driver maintainers
spi: zynq-qspi: Simplify clock handling with devm_clk_get_enabled()
One last fix for v7.0, the BD72720 incorrectly described which DCDC is
tied to the LDO for its LDON-HEAD mode which automates using the DCDC
to more efficiently drop a supply for delivery via the LDO.
Merge tag 'regulator-fix-v7.0-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator
Pull regulator fix from Mark Brown:
"One last fix for v7.0, the BD72720 incorrectly described which DCDC is
tied to the LDO for its LDON-HEAD mode which automates using the DCDC
to more efficiently drop a supply for delivery via the LDO"
* tag 'regulator-fix-v7.0-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
regulator: bd71828-regulator.c: Fix LDON-HEAD mode
* KVM: s390: vsie: Fix races with partial gmap invalidations
x86:
* KVM: x86: Use __DECLARE_FLEX_ARRAY() for UAPI structures with VLAs
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
Pull kvm fixes from Paolo Bonzini:
"s390:
- vsie: Fix races with partial gmap invalidations
x86:
- Use __DECLARE_FLEX_ARRAY() for UAPI structures with VLAs"
* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
KVM: s390: vsie: Fix races with partial gmap invalidations
KVM: x86: Use __DECLARE_FLEX_ARRAY() for UAPI structures with VLAs
- tracing/probe: reject non-closed empty immediate strings
Fixed a buffer index underflow bug that occurred when passing a
non-closed empty immediate string to the probe event.
Merge tag 'probes-fixes-v7.0-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
Pull tracing probe fix from Masami Hiramatsu:
"Reject non-closed empty immediate strings
Fix a buffer index underflow bug that occurred when passing a
non-closed empty immediate string to the probe event"
* tag 'probes-fixes-v7.0-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
tracing/probe: reject non-closed empty immediate strings
Here is a single USB fix for a reported regression in a recent USB typec
patch for 7.0-final. Sorry for the late submission, but it does fix a
problem that people have been seeing with 7.0-rc7 and the stable kernels
(due to a backported fix from there.)
This has been in linux-next this week with no reported issues, and the
reporter (Takashi), has said it resolves the problem they were seeing.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Merge tag 'usb-7.0-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
Pull USB fix from Greg KH:
"Here is a single USB fix for a reported regression in a recent USB
typec patch for 7.0-final. Sorry for the late submission, but it does
fix a problem that people have been seeing with 7.0-rc7 and the stable
kernels (due to a backported fix from there.)
This has been in linux-next this week with no reported issues, and the
reporter (Takashi), has said it resolves the problem they were seeing"
* tag 'usb-7.0-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
usb: typec: ucsi: skip connector validation before init
- a fix for circular locking dependency in uinput
- a fix for potential corruption of uinput event queue
Merge tag 'input-for-v7.0-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
Pull input fixes from Dmitry Torokhov:
"Two fixes for force feedback handling in uinput driver:
- fix circular locking dependency in uinput
- fix potential corruption of uinput event queue"
* tag 'input-for-v7.0-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
Input: uinput - take event lock when submitting FF request "event"
Input: uinput - fix circular locking dependency with ff-core
Fix one more gmap-rewrite issue: races with partial gmap invalidations.
Merge tag 'kvm-s390-master-7.0-4' of https://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux into HEAD
KVM: s390: One very last second fix
Fix one more gmap-rewrite issue: races with partial gmap invalidations.
Declare flexible arrays in uAPI structures using __DECLARE_FLEX_ARRAY() so
that KVM's uAPI headers can be included in C++ projects.
Merge tag 'kvm-x86-fixes-7.1' of https://github.com/kvm-x86/linux into HEAD
KVM x86 fixes for 7.1
Declare flexible arrays in uAPI structures using __DECLARE_FLEX_ARRAY() so
that KVM's uAPI headers can be included in C++ projects.
Before v7.0 is released, fix a few issues with the CFI patchset,
merged earlier in v7.0-rc, that primarily affect interfaces to
non-kernel code:
- Improve the prctl() interface for per-task indirect branch landing
pad control to expand abbreviations and to resemble the speculation
control prctl() interface
- Expand the "LP" and "SS" abbreviations in the ptrace uapi header
file to "branch landing pad" and "shadow stack", to improve
readability
- Fix a typo in a CFI-related macro name in the ptrace uapi header
file
- Ensure that the indirect branch tracking state and shadow stack
state are unlocked immediately after an exec() on the new task so
that libc subsequently can control it
- While working in this area, clean up the kernel-internal,
cross-architecture prctl() function names by expanding the
abbreviations mentioned above
Merge tag 'riscv-for-linus-v7.0-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux
Pull RISC-V updates from Paul Walmsley:
"Before v7.0 is released, fix a few issues with the CFI patchset,
merged earlier in v7.0-rc, that primarily affect interfaces to
non-kernel code:
- Improve the prctl() interface for per-task indirect branch landing
pad control to expand abbreviations and to resemble the speculation
control prctl() interface
- Expand the "LP" and "SS" abbreviations in the ptrace uapi header
file to "branch landing pad" and "shadow stack", to improve
readability
- Fix a typo in a CFI-related macro name in the ptrace uapi header
file
- Ensure that the indirect branch tracking state and shadow stack
state are unlocked immediately after an exec() on the new task so
that libc subsequently can control it
- While working in this area, clean up the kernel-internal,
cross-architecture prctl() function names by expanding the
abbreviations mentioned above"
* tag 'riscv-for-linus-v7.0-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
prctl: cfi: change the branch landing pad prctl()s to be more descriptive
riscv: ptrace: cfi: expand "SS" references to "shadow stack" in uapi headers
prctl: rename branch landing pad implementation functions to be more explicit
riscv: ptrace: expand "LP" references to "branch landing pads" in uapi headers
riscv: cfi: clear CFI lock status in start_thread()
riscv: ptrace: cfi: fix "PRACE" typo in uapi header
xe:
- Fix HW engine idleness unit conversion
i915:
- Drop check for changed VM in EXECBUF
- Fix refcount underflow race in intel_engine_park_heartbeat
- Do not use pipe_src as borders for SU area in PSR
vc4:
- runtime pm reference fix
- memory leak fixes
- locking fix
ethosu:
- make ARM only
Merge tag 'drm-fixes-2026-04-11' of https://gitlab.freedesktop.org/drm/kernel
Pull drm fixes from Dave Airlie:
"Last set of fixes, a few vc4, and i915, one xe and one ethosu Kconfig
fix.
xe:
- Fix HW engine idleness unit conversion
i915:
- Drop check for changed VM in EXECBUF
- Fix refcount underflow race in intel_engine_park_heartbeat
- Do not use pipe_src as borders for SU area in PSR
vc4:
- runtime pm reference fix
- memory leak fixes
- locking fix
ethosu:
- make ARM only"
* tag 'drm-fixes-2026-04-11' of https://gitlab.freedesktop.org/drm/kernel:
drm/i915/gem: Drop check for changed VM in EXECBUF
drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat
drm/xe: Fix bug in idledly unit conversion
drm/i915/psr: Do not use pipe_src as borders for SU area
accel: ethosu: Add hardware dependency hint
drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock
drm/vc4: Fix a memory leak in hang state error path
drm/vc4: Fix memory leak of BO array in hang state
drm/vc4: Release runtime PM reference after binding V3D
- Drop check for changed VM in EXECBUF
- Fix refcount underflow race in intel_engine_park_heartbeat
- Do not use pipe_src as borders for SU area in PSR
Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Link: https://patch.msgid.link/add6fPHRC7Bc8Uri@jlahtine-mobl
Calvin reported an odd NMI watchdog lockup which claims that the CPU locked
up in user space. He provided a reproducer, which sets up a timerfd based
timer and then rearms it in a loop with an absolute expiry time of 1ns.
As the expiry time is in the past, the timer ends up as the first expiring
timer in the per CPU hrtimer base and the clockevent device is programmed
with the minimum delta value. If the machine is fast enough, this ends up
in an endless loop of programming the delta value to the minimum value
defined by the clock event device, before the timer interrupt can fire,
which starves the interrupt and consequently triggers the lockup detector
because the hrtimer callback of the lockup mechanism is never invoked.
As a first step to prevent this, avoid reprogramming the clock event device
when:
- a forced minimum delta event is pending
- the new expiry delta is less than or equal to the minimum delta
Thanks to Calvin for providing the reproducer and to Borislav for testing
and providing data from his Zen5 machine.
The problem is not limited to Zen5, but depending on the underlying
clock event device (e.g. TSC deadline timer on Intel) and the CPU speed
not necessarily observable.
This change serves only as the last resort and further changes will be made
to prevent this scenario earlier in the call chain as far as possible.
[ tglx: Updated to restore the old behaviour vs. !force and delta <= 0 and
fixed up the tick-broadcast handlers as pointed out by Borislav ]
Fixes: d316c57ff6 ("[PATCH] clockevents: add core functionality")
Reported-by: Calvin Owens <calvin@wbinvd.org>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Tested-by: Calvin Owens <calvin@wbinvd.org>
Tested-by: Borislav Petkov <bp@alien8.de>
Link: https://lore.kernel.org/lkml/acMe-QZUel-bBYUh@mozart.vkv.me/
Link: https://patch.msgid.link/20260407083247.562657657@kernel.org
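An added illustration, not the kernel's code: a small user-space C model of the starvation described above and of the guard the commit message lists, read here as applying when both listed conditions hold. The struct, the function names and the nanosecond values are assumptions; a timer re-armed at a fixed interval with an expiry in the past stands in for the loop the message describes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NO_DEADLINE UINT64_MAX
#define PAST_EXPIRY 1ULL   /* absolute expiry of 1ns, always in the past */

/* Hypothetical model of a clock event device (not the kernel struct). */
struct model_clockevent {
    uint64_t min_delta_ns;   /* smallest delta the device can be armed with */
    uint64_t hw_deadline;    /* when the programmed interrupt would fire */
    bool forced_pending;     /* a minimum-delta event is armed, not yet fired */
};

/* Returns true when the modelled hardware deadline was rewritten. */
static bool model_program_event(struct model_clockevent *dev, uint64_t now,
                                uint64_t expires, bool guard)
{
    int64_t delta = (int64_t)expires - (int64_t)now;

    if (delta > (int64_t)dev->min_delta_ns) {
        dev->hw_deadline = expires;
        dev->forced_pending = false;
        return true;
    }
    /* Guard: a forced minimum-delta event is pending and the new delta is
     * <= min delta, so leave the already armed deadline alone. */
    if (guard && dev->forced_pending)
        return false;
    /* Expiry too close or in the past: force the minimum delta from now. */
    dev->hw_deadline = now + dev->min_delta_ns;
    dev->forced_pending = true;
    return true;
}

/*
 * Re-arm the timer every rearm_interval_ns with an expiry in the past and
 * count how many timer interrupts get delivered within duration_ns.
 */
unsigned int model_count_interrupts(uint64_t min_delta_ns,
                                    uint64_t rearm_interval_ns,
                                    uint64_t duration_ns, bool guard)
{
    struct model_clockevent dev = { min_delta_ns, NO_DEADLINE, false };
    unsigned int fired = 0;

    for (uint64_t now = 0; now < duration_ns; now += rearm_interval_ns) {
        if (dev.hw_deadline <= now) {      /* deadline reached: interrupt */
            fired++;
            dev.hw_deadline = NO_DEADLINE;
            dev.forced_pending = false;
        }
        model_program_event(&dev, now, PAST_EXPIRY, guard);
    }
    return fired;
}

int main(void)
{
    /* Constructed values: min delta 1000ns, 100us of simulated time. */
    printf("fast re-arm (400ns),  no guard: %u interrupts\n",
           model_count_interrupts(1000, 400, 100000, false));
    printf("fast re-arm (400ns),  guard:    %u interrupts\n",
           model_count_interrupts(1000, 400, 100000, true));
    printf("slow re-arm (1500ns), no guard: %u interrupts\n",
           model_count_interrupts(1000, 1500, 100000, false));
    return 0;
}
```

The slow re-arm case delivers interrupts even without the guard, which matches the message's remark that the problem is not necessarily observable depending on the clock event device and CPU speed.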
Please consider pulling these changes from the signed vfs-7.0-rc8.fixes tag.
Thanks!
Christian
Merge tag 'vfs-7.0-rc8.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
Pull vfs fixes from Christian Brauner:
"The kernfs rbtree is keyed by (hash, ns, name) where the hash
is seeded with the raw namespace pointer via init_name_hash(ns).
The resulting hash values are exposed to userspace through
readdir seek positions, and the pointer-based ordering in
kernfs_name_compare() is observable through entry order.
Switch from raw pointers to ns_common::ns_id for both hashing
and comparison.
A preparatory commit first replaces all const void * namespace
parameters with const struct ns_common * throughout kernfs, sysfs,
and kobject so the code can access ns->ns_id. Also compare the
ns_id when hashes match in the rbtree to handle crafted collisions.
Also fix eventpoll RCU grace period issue and a cachefiles refcount
problem"
* tag 'vfs-7.0-rc8.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs:
kernfs: make directory seek namespace-aware
kernfs: use namespace id instead of pointer for hashing and comparison
kernfs: pass struct ns_common instead of const void * for namespace tags
eventpoll: defer struct eventpoll free to RCU grace period
cachefiles: fix incorrect dentry refcount in cachefiles_cull()
Fix a memory allocation issue that could corrupt output values or SEGV
Fix a perf initialization issue that could exit on some HW + kernels.
Minor fixes.
Merge tag 'turbostat-fixes-for-7.0' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux
Pull turbostat fixes from Len Brown:
- Fix a memory allocation issue that could corrupt output values or
SEGV
- Fix a perf initialization issue that could exit on some HW + kernels
- Minor fixes
* tag 'turbostat-fixes-for-7.0' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux:
tools/power turbostat: Allow execution to continue after perf_l2_init() failure
tools/power turbostat: Fix delimiter bug in print functions
tools/power turbostat: Fix --show/--hide for individual cpuidle counters
tools/power turbostat: Fix incorrect format variable
tools/power turbostat: Consistently use print_float_value()
tools/power/turbostat: Fix microcode patch level output for AMD/Hygon
tools/power turbostat: Eliminate unnecessary data structure allocation
tools/power turbostat: Fix swidle header vs data display
tools/power turbostat: Fix illegal memory access when SMT is present and disabled
- Three fixes for the Intel pin control driver fixing the feature
set for the new silicon.
- One fix for an IRQ storm in the MCP23S08 pin controller/GPIO
expander.
Merge tag 'pinctrl-v7.0-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
Pull pin control fixes from Linus Walleij:
"Some late pin control fixes. I'm not happy to have bugs so late in the
kernel cycle, but they are all driver specifics so I guess it's how it
is.
- Three fixes for the Intel pin control driver fixing the feature set
for the new silicon
- One fix for an IRQ storm in the MCP23S08 pin controller/GPIO
expander"
* tag 'pinctrl-v7.0-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
pinctrl: mcp23s08: Disable all pin interrupts during probe
pinctrl: intel: Enable 3-bit PAD_OWN feature
pinctrl: intel: Fix the revision for new features (1kOhm PD, HW debouncer)
pinctrl: intel: Improve capability support
Currently, if perf_l2_init() fails turbostat exits after issuing the
following error (which was encountered on AlderLake):
turbostat: perf_l2_init(cpu0, 0x0, 0xff24) REFS: Invalid argument
This occurs because perf_l2_init() calls err(). However, the code has been
written in such a manner that it is able to perform cleanup and continue.
Therefore, this issue can be addressed by changing the appropriate calls
to err() to warnx().
Additionally, correct the PMU type arguments passed to the warning strings
in the ecore and lcore blocks so the logs accurately reflect the failing
counter type.
Signed-off-by: David Arcari <darcari@redhat.com>
Signed-off-by: Len Brown <len.brown@intel.com>
devm_kzalloc() failure in tegra_gpio_probe() returns -ENODEV, which
indicates "no such device". The correct error code for a memory
allocation failure is -ENOMEM.
Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
Link: https://patch.msgid.link/20260409185853.2163034-1-samasth.norway.ananda@oracle.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Kconfig improvement for ethosu.
Merge tag 'drm-misc-fixes-2026-04-09' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes
Several fixes for v3d about memory leak, runtime PM, and locking, and a
Kconfig improvement for ethosu.
Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Maxime Ripard <mripard@redhat.com>
Link: https://patch.msgid.link/20260409-omniscient-tomato-coucal-edbadc@penduick
- Make modules-cpio-pkg respect INSTALL_MOD_PATH so that it can be used
with distribution initramfs files that have a merged /usr, such as
Fedora.
- Silence an instance of -Wunused-but-set-global, a strengthening of
-Wunused-but-set-variable in tip of tree Clang, in modpost, as the
variable for extra warnings is currently unused.
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Merge tag 'kbuild-fixes-7.0-4' of git://git.kernel.org/pub/scm/linux/kernel/git/kbuild/linux
Pull Kbuild fixes from Nathan Chancellor:
- Make modules-cpio-pkg respect INSTALL_MOD_PATH so that it can be
used with distribution initramfs files that have a merged /usr,
such as Fedora
- Silence an instance of -Wunused-but-set-global, a strengthening
of -Wunused-but-set-variable in tip of tree Clang, in modpost,
as the variable for extra warnings is currently unused
* tag 'kbuild-fixes-7.0-4' of git://git.kernel.org/pub/scm/linux/kernel/git/kbuild/linux:
modpost: Declare extra_warn with unused attribute
kbuild: modules-cpio-pkg: Respect INSTALL_MOD_PATH
Fix an incorrect preprocessor conditional that may result in duplicate
instances of sysfb_primary_display on x86.
Merge tag 'efi-fixes-for-v7.0-4' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi
Pull EFI fix from Ard Biesheuvel:
"Fix an incorrect preprocessor conditional that may result in duplicate
instances of sysfb_primary_display on x86"
* tag 'efi-fixes-for-v7.0-4' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi:
firmware: efi: Never declare sysfb_primary_display on x86
Still a bit higher amount than wished, but nothing looks really scary,
and all changes are about nice and smooth device-specific fixes.
- HD-audio quirks, one revert for a regression and another oneliner
- AMD ACP quirks
- Fixes for SDCA interrupt handling
- A few Intel SOF, avs and NVL fixes
- Fixes for TAS2552 DT, NAU8325, and STM32
Merge tag 'sound-7.0' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"Still a bit higher amount than wished, but nothing looks really scary,
and all changes are about nice and smooth device-specific fixes.
- HD-audio quirks, one revert for a regression and another oneliner
- AMD ACP quirks
- Fixes for SDCA interrupt handling
- A few Intel SOF, avs and NVL fixes
- Fixes for TAS2552 DT, NAU8325, and STM32"
* tag 'sound-7.0' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ASoC: amd: acp: update DMI quirk and add ACP DMIC for Lenovo platforms
ASoC: SDCA: Unregister IRQ handlers on module remove
ASoC: SDCA: mask Function_Status value
ASoC: SDCA: Fix overwritten var within for loop
ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J
ASoC: SOF: Intel: hda: modify period size constraints for ACE4
ALSA: hda/intel: enforce stricter period-size alignment for Intel NVL
ASoC: nau8325: Add software reset during probe
Revert "ALSA: hda/realtek: Add quirk for Gigabyte Technology to fix headphone"
ASoC: Intel: avs: Fix memory leak in avs_register_i2s_test_boards()
ASoC: SOF: Intel: fix iteration in is_endpoint_present()
ASoC: SOF: Intel: Fix endpoint index if endpoints are missing
ASoC: SDCA: Fix errors in IRQ cleanup
ASoC: amd: acp: add Lenovo P16s G5 AMD quirk for legacy SDW machine
ASoC: dt-bindings: ti,tas2552: Add sound-dai-cells
ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IAH10
- imx: Prevent hang at power down for imx8mp-blk-ctrl
firmware:
- thead: Fix buffer overflow for TH1520 AON driver
MAINTAINERS, mailmap:
- Change Ulf Hansson's email
Merge tag 'pmdomain-v7.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm
Pull pmdomain fixes from Ulf Hansson:
- imx: Prevent hang at power down for imx8mp-blk-ctrl
- thead: Fix buffer overflow for TH1520 AON driver
- Change Ulf Hansson's email
* tag 'pmdomain-v7.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm:
MAINTAINERS, mailmap: Change Ulf Hansson's email
pmdomain: imx8mp-blk-ctrl: Keep the NOC_HDCP clock enabled
firmware: thead: Fix buffer overflow and use standard endian macros
A fix for DMA-mapping subsystem, which hides annoying, false-positive
warnings from DMA-API debug on coherent platforms like x86_64 (Mikhail
Gavrilov).
Merge tag 'dma-mapping-7.0-2026-04-09' of git://git.kernel.org/pub/scm/linux/kernel/git/mszyprowski/linux
Pull dma-mapping fix from Marek Szyprowski:
"A fix for DMA-mapping subsystem, which hides annoying, false-positive
warnings from DMA-API debug on coherent platforms like x86_64 (Mikhail
Gavrilov)"
* tag 'dma-mapping-7.0-2026-04-09' of git://git.kernel.org/pub/scm/linux/kernel/git/mszyprowski/linux:
dma-debug: suppress cacheline overlap warning when arch has no DMA alignment requirement
- Fix regression introduced by the empty MMU gather fix in -rc7, where
the ->iotlb_sync() callback can be elided incorrectly, resulting in
boot failures (hangs), crashes and potential memory corruption.
Merge tag 'iommu-fixes-v7.0-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/iommu/linux
Pull IOMMU fix from Will Deacon:
- Fix regression introduced by the empty MMU gather fix in -rc7, where
the ->iotlb_sync() callback can be elided incorrectly, resulting in
boot failures (hangs), crashes and potential memory corruption.
* tag 'iommu-fixes-v7.0-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/iommu/linux:
iommu: Ensure .iotlb_sync is called correctly
New HW Support and Fixes:
- amd/pmc: Add Thinkpad L14 Gen3 to quirk_s2idle_bug
- asus-armoury: Add support for FA607NU, GU605MU, and GV302XU.
- intel-uncore-freq: Handle autonomous UFS status bit
- ISST: Handle cases with less than max buckets correctly
- intel-uncore-freq & ISST: Mark minor version 3 supported (no additional
driver changes required)
The following is an automated shortlog grouped by driver:
amd: pmc:
- Add Thinkpad L14 Gen3 to quirk_s2idle_bug
asus-armoury:
- add support for FA607NU
- add support for GU605MU
- add support for GV302XU
intel-uncore-freq:
- Handle autonomous UFS status bit
- Increase minor version
ISST:
- Increase minor version
- Reset core count to 0
Merge tag 'platform-drivers-x86-v7.0-4' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86
Pull x86 platform drivers fixes from Ilpo Järvinen:
- amd/pmc: Add Thinkpad L14 Gen3 to quirk_s2idle_bug
- asus-armoury: Add support for FA607NU, GU605MU, and GV302XU.
- intel-uncore-freq: Handle autonomous UFS status bit
- ISST: Handle cases with less than max buckets correctly
- intel-uncore-freq & ISST: Mark minor version 3 supported (no
additional driver changes required)
* tag 'platform-drivers-x86-v7.0-4' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86:
platform/x86: asus-armoury: add support for GU605MU
platform/x86: asus-armoury: add support for FA607NU
platform/x86: asus-armoury: add support for GV302XU
platform/x86/amd: pmc: Add Thinkpad L14 Gen3 to quirk_s2idle_bug
platform/x86/intel-uncore-freq: Increase minor version
platform/x86: ISST: Increase minor version
platform/x86/intel-uncore-freq: Handle autonomous UFS status bit
platform/x86: ISST: Reset core count to 0
David Carlier says:
====================
net: lan966x: fix page_pool error handling and error paths
This series fixes error handling around the lan966x page pool:
1/3 adds the missing IS_ERR check after page_pool_create(), preventing
a kernel oops when the error pointer flows into
xdp_rxq_info_reg_mem_model().
2/3 plugs page pool leaks in the lan966x_fdma_rx_alloc() and
lan966x_fdma_init() error paths, now reachable after 1/3.
3/3 fixes a use-after-free and page pool leak in the
lan966x_fdma_reload() restore path, where the hardware could
resume DMA into pages already returned to the page pool.
====================
Link: https://patch.msgid.link/20260405055241.35767-1-devnexen@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
When lan966x_fdma_reload() fails to allocate new RX buffers, the restore
path restarts DMA using old descriptors whose pages were already freed
via lan966x_fdma_rx_free_pages(). Since page_pool_put_full_page() can
release pages back to the buddy allocator, the hardware may DMA into
memory now owned by other kernel subsystems.
Additionally, on the restore path, the newly created page pool (if
allocation partially succeeded) is overwritten without being destroyed,
leaking it.
Fix both issues by deferring the release of old pages until after the
new allocation succeeds. Save the old page array before the allocation
so old pages can be freed on the success path. On the failure path, the
old descriptors, pages and page pool are all still valid, making the
restore safe. Also ensure the restore path re-enables NAPI and wakes
the netdev, matching the success path.
Fixes: 89ba464fcf ("net: lan966x: refactor buffer reload function")
Cc: stable@vger.kernel.org
Signed-off-by: David Carlier <devnexen@gmail.com>
Link: https://patch.msgid.link/20260405055241.35767-4-devnexen@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
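The reload ordering described in the commit message above, as a user-space model added here for illustration (not the driver's code): `struct rx`, `page_get()`, `page_put()`, `rx_alloc()`, `rx_reload()` and the `alloc_budget` fault-injection hook are assumptions of the model, and the page pool itself is left out.

```c
#include <stdlib.h>

#define NBUF 4                  /* constructed ring size for this model */

struct rx {
    void *page[NBUF];           /* buffers the device may DMA into */
    int dma_running;
};

static int alloc_budget;        /* test hook: allocations that still succeed */
static int live_pages;          /* pages currently owned by the driver */

static void *page_get(void)
{
    if (alloc_budget <= 0)
        return NULL;
    alloc_budget--;
    live_pages++;
    return malloc(64);
}

static void page_put(void *p)
{
    free(p);
    live_pages--;
}

static int rx_alloc(struct rx *rx)
{
    for (int i = 0; i < NBUF; i++) {
        rx->page[i] = page_get();
        if (rx->page[i])
            continue;
        while (i--)             /* undo the partial allocation */
            page_put(rx->page[i]);
        return -1;
    }
    return 0;
}

/* Old pages stay allocated until the new set exists, so the failure
 * path restarts DMA on descriptors that still point at live memory. */
static int rx_reload(struct rx *rx)
{
    struct rx old = *rx;        /* save the old page array first */

    rx->dma_running = 0;
    if (rx_alloc(rx) < 0) {
        *rx = old;              /* restore: nothing in 'old' was freed */
        rx->dma_running = 1;
        return -1;
    }
    for (int i = 0; i < NBUF; i++)
        page_put(old.page[i]);  /* success: release the old set */
    rx->dma_running = 1;
    return 0;
}
```

Setting `alloc_budget` below `NBUF` before calling `rx_reload()` exercises the failure path; `live_pages` and the saved page pointers are unchanged afterwards.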
lan966x_fdma_rx_alloc() creates a page pool but does not destroy it if
the subsequent fdma_alloc_coherent() call fails, leaking the pool.
Similarly, lan966x_fdma_init() frees the coherent DMA memory when
lan966x_fdma_tx_alloc() fails but does not destroy the page pool that
was successfully created by lan966x_fdma_rx_alloc(), leaking it.
Add the missing page_pool_destroy() calls in both error paths.
Fixes: 11871aba19 ("net: lan96x: Use page_pool API")
Cc: stable@vger.kernel.org
Signed-off-by: David Carlier <devnexen@gmail.com>
Link: https://patch.msgid.link/20260405055241.35767-3-devnexen@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
page_pool_create() can return an ERR_PTR on failure. The return value
is used unconditionally in the loop that follows, passing the error
pointer through xdp_rxq_info_reg_mem_model() into page_pool_use_xdp_mem(),
which dereferences it, causing a kernel oops.
Add an IS_ERR check after page_pool_create() to return early on failure.
Fixes: 11871aba19 ("net: lan96x: Use page_pool API")
Cc: stable@vger.kernel.org
Signed-off-by: David Carlier <devnexen@gmail.com>
Link: https://patch.msgid.link/20260405055241.35767-2-devnexen@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
The rbtree backing kernfs directories is ordered by (hash, ns_id, name)
but kernfs_dir_pos() only searches by hash when seeking to a position
during readdir. When two nodes from different namespaces share the same
hash value, the binary search can land on a node in the wrong namespace.
The subsequent skip-forward loop walks rb_next() and may overshoot the
correct node, silently dropping an entry from the readdir results.
With the recent switch from raw namespace pointers to public namespace
ids as hash seeds, computing hash collisions became an offline operation.
An unprivileged user could unshare into a new network namespace, create
a single interface whose name-hash collides with a target entry in
init_net, and cause a victim's seekdir/readdir on /sys/class/net to miss
that entry.
Fix this by extending the rbtree search in kernfs_dir_pos() to also
compare namespace ids when hashes match. Since the rbtree is already
ordered by (hash, ns_id, name), this makes the seek land directly in the
correct namespace's range, eliminating the wrong-namespace overshoot.
Signed-off-by: Christian Brauner <brauner@kernel.org>
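The seek problem described in the commit message above, reproduced in a user-space model (an added example, not kernel code): a sorted array stands in for the rbtree, `seek()` and `dir_pos()` are hypothetical names, and the entry names, hash values and namespace ids are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed directory, kept sorted by (hash, ns_id, name) like the
 * rbtree in the commit message. Hash values and ns ids are made up. */
struct entry { unsigned int hash; uint64_t ns_id; const char *name; };

static const struct entry dir[] = {
    { 100, 1, "lo"    },
    { 200, 1, "eth0"  },    /* the entry a reader in ns 1 seeks to */
    { 200, 7, "veth9" },    /* same hash, different namespace */
    { 300, 1, "wlan0" },
};
#define NENT ((int)(sizeof(dir) / sizeof(dir[0])))

/* Descend like the rbtree search: stop at the first probe that compares
 * equal. use_ns == 0 compares the hash only (pre-fix behaviour);
 * use_ns == 1 also compares ns_id when the hashes match (the fix). */
static int seek(unsigned int hash, uint64_t ns_id, int use_ns)
{
    int lo = 0, hi = NENT, pos = -1;

    while (lo < hi) {
        int mid = lo + (hi - lo) / 2;
        const struct entry *e = &dir[mid];
        int cmp = 0;

        pos = mid;
        if (hash != e->hash)
            cmp = hash < e->hash ? -1 : 1;
        else if (use_ns && ns_id != e->ns_id)
            cmp = ns_id < e->ns_id ? -1 : 1;
        if (cmp == 0)
            break;
        if (cmp < 0)
            hi = mid;
        else
            lo = mid + 1;
    }
    return pos;
}

/* Skip-forward loop: walk to the next entry until the namespace matches.
 * It only moves forward, so it cannot recover an entry it started after. */
static const char *dir_pos(unsigned int hash, uint64_t ns_id, int use_ns)
{
    int pos = seek(hash, ns_id, use_ns);

    while (pos >= 0 && dir[pos].ns_id != ns_id)
        pos = pos + 1 < NENT ? pos + 1 : -1;
    return pos >= 0 ? dir[pos].name : NULL;
}

int main(void)
{
    printf("hash only:      %s\n", dir_pos(200, 1, 0)); /* eth0 is skipped */
    printf("hash and ns_id: %s\n", dir_pos(200, 1, 1));
    return 0;
}
```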
kernfs uses the namespace tag as both a hash seed (via init_name_hash())
and a comparison key in the rbtree. The resulting hash values are exposed
to userspace through directory seek positions (ctx->pos), and the raw
pointer comparisons in kernfs_name_compare() encode kernel pointer
ordering into the rbtree layout.
This constitutes a KASLR information leak since the hash and ordering
derived from kernel pointers can be observed from userspace.
Fix this by using the 64-bit namespace id (ns_common::ns_id) instead of
the raw pointer value for both hashing and comparison. The namespace id
is a stable, non-secret identifier that is already exposed to userspace
through other interfaces (e.g., /proc/pid/ns/, ioctl NS_GET_NSID).
Introduce kernfs_ns_id() as a helper that extracts the namespace id from
a potentially-NULL ns_common pointer, returning 0 for the no-namespace
case.
All namespace equality checks in the directory iteration and dentry
revalidation paths are also switched from pointer comparison to ns_id
comparison for consistency.
Signed-off-by: Christian Brauner <brauner@kernel.org>
kernfs has historically used const void * to pass around namespace tags
used for directory-level namespace filtering. The only current user of
this is sysfs network namespace tagging where struct net pointers are
cast to void *.
Replace all const void * namespace parameters with const struct
ns_common * throughout the kernfs, sysfs, and kobject namespace layers.
This includes the kobj_ns_type_operations callbacks, kobject_namespace(),
and all sysfs/kernfs APIs that accept or return namespace tags.
Passing struct ns_common is needed because various codepaths require
access to the underlying namespace. A struct ns_common can always be
converted back to the concrete namespace type (e.g., struct net) via
container_of() or to_ns_common() in the reverse direction.
This is a preparatory change for switching to ns_id-based directory
iteration to prevent a KASLR pointer leak through the current use of
raw namespace pointers as hash seeds and comparison keys.
Signed-off-by: Christian Brauner <brauner@kernel.org>
Many drivers have no reason to use the iotlb_gather mechanism, but do
still depend on .iotlb_sync being called to properly complete an unmap.
Since the core code is now relying on the gather to detect when there
is legitimately something to sync, it should also take care of encoding
a successful unmap when the driver does not touch the gather itself.
Fixes: 90c5def10b ("iommu: Do not call drivers for empty gathers")
Reported-by: Jon Hunter <jonathanh@nvidia.com>
Closes: https://lore.kernel.org/r/8800a38b-8515-4bbe-af15-0dae81274bf7@nvidia.com
Signed-off-by: Robin Murphy <robin.murphy@arm.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Tested-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Will Deacon <will@kernel.org>
pn532_receive_buf() reports the number of accepted bytes to the serdev
core. The current code consumes bytes into recv_skb and may already hand
a complete frame to pn533_recv_frame() before allocating a fresh receive
buffer.
If that alloc_skb() fails, the callback returns 0 even though it has
already consumed bytes, and it leaves recv_skb as NULL for the next
receive callback. That breaks the receive_buf() accounting contract and
can also lead to a NULL dereference on the next skb_put_u8().
Allocate the receive skb lazily before consuming the next byte instead.
If allocation fails, return the number of bytes already accepted.
Fixes: c656aa4c27 ("nfc: pn533: add UART phy driver")
Cc: stable@vger.kernel.org
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Link: https://patch.msgid.link/20260405094003.3-pn533-v2-pengpeng@iscas.ac.cn
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
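A user-space model of the lazy-allocation pattern the commit message above describes, added here and not taken from the driver: `struct phy`, `rx_alloc()`, `receive_buf()`, the `FRAME_END` terminator and the `allocs_left` fault-injection hook are assumptions of the model.

```c
#include <stdio.h>
#include <stdlib.h>

#define FRAME_END 0x00  /* constructed frame terminator for this model */
#define BUF_LEN   32

struct rxbuf { unsigned char data[BUF_LEN]; size_t len; };

struct phy {
    struct rxbuf *recv;     /* NULL until the next byte needs a buffer */
    int frames;             /* complete frames handed to the upper layer */
    int allocs_left;        /* test hook: allocations that still succeed */
};

static struct rxbuf *rx_alloc(struct phy *p)
{
    if (p->allocs_left <= 0)
        return NULL;
    p->allocs_left--;
    return calloc(1, sizeof(struct rxbuf));
}

/* Returns the number of bytes accepted from data[0..count). */
static size_t receive_buf(struct phy *p, const unsigned char *data, size_t count)
{
    size_t i;

    for (i = 0; i < count; i++) {
        if (!p->recv) {             /* allocate lazily, before consuming */
            p->recv = rx_alloc(p);
            if (!p->recv)
                return i;           /* bytes before i were accepted */
        }
        if (p->recv->len < BUF_LEN)
            p->recv->data[p->recv->len++] = data[i];
        if (data[i] != FRAME_END)
            continue;
        p->frames++;                /* frame complete: hand it over */
        free(p->recv);              /* (the model just frees it) */
        p->recv = NULL;
    }
    return i;
}

int main(void)
{
    const unsigned char in[] = { 1, 2, FRAME_END, 3, 4, FRAME_END };
    struct phy p = { .allocs_left = 1 };    /* second allocation fails */
    size_t n = receive_buf(&p, in, sizeof(in));

    printf("accepted %zu of %zu bytes, %d frame(s)\n", n, sizeof(in), p.frames);
    return 0;
}
```

After the failed allocation the callback reports the three bytes it consumed and leaves `recv` as NULL, so the next call allocates again before touching the buffer.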
Since the introduction of d4433c7600 ("drm/i915/gem: Use the proto-context
to handle create parameters (v5)") it has not been possible for VM to change
after context creation so the check will never fail.
Sima's analysis:
This check was added in f7ce8639f6 ("drm/i915/gem: Split the context's
obj:vma lut into its own mutex") but without any hint in the commit
message as to why. In another hunk of that commit there's a hint though in
__eb_add_lut:
/* user racing with ctx set-vm */
This would mean that this bug was introduced in e0695db729 ("drm/i915:
Create/destroy VM (ppGTT) for use with contexts"), which allowed to change
the gem_ctx->vm at runtime, opening up the race that was partially fixed
in the earlier referenced commit about a year later.
But it cannot be exploited anymore in anything remotely recent because
with the introduction of proto-contexts we've made gem_ctx->vm invariant
again, exactly to preemptively close all these potential issues.
Specifically d4433c7600 ("drm/i915/gem: Use the proto-context to handle
create parameters (v5)") is the vm specific part of the proto-context
work.
v3:
- Include Sima's analysis and WARN_ON_ONCE
v4:
- Focus only on latest mainline codebase
References: https://lore.kernel.org/all/20260324151741.29338-1-sosohero200@gmail.com/
Reported-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: Linus Torvalds <torvalds@linuxfoundation.org>
Cc: Simona Vetter <simona.vetter@ffwll.ch>
Cc: Tvrtko Ursulin <tursulin@ursulin.net>
Cc: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Link: https://patch.msgid.link/20260409053111.8914-1-joonas.lahtinen@linux.intel.com
(cherry picked from commit f6d4afc9ec6a0bc326151b35a7a3369369180079)
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>