Merge tag 'x86-urgent-2026-05-09' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull x86 fixes from Ingo Molnar:
- Fix memory map enumeration bug in the Xen e820 parsing code (Juergen
Gross)
- Re-enable e820 BIOS fallback if e820 table is empty (David Gow)
* tag 'x86-urgent-2026-05-09' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86/boot/e820: Re-enable BIOS fallback if e820 table is empty
x86/xen: Fix a potential problem in xen_e820_resolve_conflicts()
[AMDGPU] Support atomic load and store for vector float types (v2f16, v2i16, v4i16, v4f16, v2f32) (#192904)
Add support for atomic load and store on <2 x half>, <4 x half>, and
<2 x float> vector types in the AMDGPU backend.
These types are promoted to equivalently sized integer types before
instruction selection:
<2 x half> -> i32
<4 x half> -> i64
<2 x i16> -> i32
<4 x i16> -> i64
<2 x float> -> i64
Merge tag 'timers-urgent-2026-05-09' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull timer fix from Ingo Molnar:
"Fix CPU hotplug activation race in the timer migration code, by
Frederic Weisbecker"
* tag 'timers-urgent-2026-05-09' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
timers/migration: Fix another hotplug activation race
[lldb] Fix CommandObjects that don't set a return status (#196588)
Several CommandObject subclasses had DoExecute paths that returned
without ever calling SetStatus on the CommandReturnObject. The status
was silently left at its initial eReturnStatusStarted value, which made
Succeeded() report false for what were really successful commands and
left CommandReturnObject in an undefined state.
Merge tag 'sched-urgent-2026-05-09' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull scheduler fixes from Ingo Molnar:
- Fix spurious failures in rseq self-tests (Mark Brown)
- Fix rseq rseq::cpu_id_start ABI regression due to TCMalloc's creative
use of the supposedly read-only field
The fix is to introduce a new ABI variant based on a new (larger)
rseq area registration size, to keep the TCMalloc use of rseq
backwards compatible on new kernels (Thomas Gleixner)
- Fix wakeup_preempt_fair() for not waking up task (Vincent Guittot)
- Fix s64 mult overflow in vruntime_eligible() (Zhan Xusheng)
* tag 'sched-urgent-2026-05-09' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
sched/fair: Fix wakeup_preempt_fair() for not waking up task
[12 lines not shown]
Merge tag 'perf-urgent-2026-05-09' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull perf events fixes from Ingo Molnar:
- Fix deadlock in the perf_mmap() failure path (Peter Zijlstra)
- Intel ACR (Auto Counter Reload) fixes (Dapeng Mi):
- Fix validation and configuration of ACR masks
- Fix ACR rescheduling bug causing stale masks
- Disable the PMI on ACR-enabled hardware
- Enable ACR on Panther Cover uarch too
* tag 'perf-urgent-2026-05-09' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
perf/x86/intel: Enable auto counter reload for DMR
perf/x86/intel: Disable PMI for self-reloaded ACR events
perf/x86/intel: Always reprogram ACR events to prevent stale masks
perf/x86/intel: Improve validation and configuration of ACR masks
perf/core: Fix deadlock in perf_mmap() failure path
Avoid recursive cleanup in getrrsetbyname()
Instead of freeing struct dns_query and struct dns_rr by walking the
linked lists recursively, use a simple loop. This avoids a possible
stack exhaustion unlikely to be reachable with the limits modern
resolvers impose.
From Dhiraj Mishra
ok djm
avoid leaking memory when mbuf chain allocations fail in tun_dev_write()
the mbufs built by tun_dev_write used to be limited to a single
mbuf and cluster, but has grown in complexity now that it supports
tun_hdr and tso, which required building mbuf chains. some of the
error handling when allocating mbuf bits wasnt adapted to free the
preceding chain when later allocaitons failed, resulting in a memory
leak.
reported by frank denis
rpki-client: fix ip_addr_check_overlap()
There is an off-by-one in the ip_addr_check_overlap() logic which allows
a newly added interval to overlap in a common end point with an interval
already in the list. Disallow equality in the two memcmp to avoid this.
This bug dates back to the initial import of rpki-client where malformed
certificates would be accepted. In modern rpki-client, the impact of this
has been minimal ever since we started requiring that libcrypto support
the RFC 3779 extensions in early 2022 by disallowing unknown critical
extensions (rpki-client 7.6):
For certificates this duplicates a check in the X.509 verifier (where it
is correct). For TA constraints we have a canonicalization procedure that
ensures the absence of overlaps. For ROAs no such check can be made since
standards historically haven't required that addresses are canonical and
still don't. The only remaining use of this API is from rsc.c where the
overlap condition is indeed a small problem.
[3 lines not shown]
u4b: Sync usbdevs and quirs with FreeBSD
* Keep a few our additions in usbdevs and usb_quirk.h.
* Fix usb_quirk_str[] to include new quirks added for uvc(4).
* Remove a few duplicate from usbdevs.
* Fix serial/u3g.c and serial/uftdi.c to use the new product defines.
cam: Fix xpt_bus_register()/xpt_bus_deregister() to return errno
xpt_bus_register and xpt_bus_deregister returns a hybrid error that's
neither a cam_status, nor an errno, but a mix of both. Update
xpt_bus_register and xpt_bus_deregister to return an errno. The vast
majority of current users compare against zero, which can also be
spelled CAM_SUCCESS. Nobody uses CAM_FAILURE, so remove that symbol
to prevent comfusion (nothing returns it either).
Where the return value is saved, ensure that the variable 'error' is
used to store an errno and 'status' is used to store a cam_status where
it makes the code clearer (usually just in functions that already mix
and match). Where the return value isn't used at all, avoid storing it
at all.
Obtained-from: FreeBSD (commit 30f8afd0270e0bb70e1e0df1cf8de7a841797a30)
cam: Fix cam_sim_alloc() to avoid a potential memory leak
When both 'lock' and 'queue' were passed as NULL, the internally
allocated 'queue' would become leaked memory.
Simply assert 'lock' cannot be NULL to fix the bug.
u4b/umass: Sync with FreeBSD
FreeBSD's change in commit 7520b88860d7a79432e12ffcc47056844518bb62
(usb(4): Automagically apply all quirks for USB mass storage devices)
is deliberately ignored, because that function is buggy and has been
disabled by default in commit d41600e59c3f13419066e9dd771a03328c44624f
(usb: Make autoquirk code optional and opt out).
rpki-client: fix shortlist and skiplist checks
Ensure that each le->fqdn is fully matched. If the the host in the SIA
is short and matches a prefix of an FQDN in the shortlist or skiplist,
the current checks in queue_add_from_cert() will incorrectly trigger.
Compute the host length once and by checking it against the length of
each le->fqdn ensure that it is an exact case sensitive match, rather
than only a prefix.
Found by Frank Denis
ok claudio job
[CodeGen] Use unique_ptr for FunctionInfo to prevent memory leaks (#196603)
Raw pointer return from `FunctionInfo::create` caused leaks in callers
like `computeABIInfoUsingLib`, breaking BPF tests on ASan bots.
Using `std::unique_ptr` enforces automatic cleanup.
Fixes leak from #194460.
Buildbot: https://lab.llvm.org/buildbot/#/builders/52/builds/17090
Assisted-by: Gemini
[mlir][tensor] Enhance pattern to fold extract_slice(insert_slice) (#195045)
Extend the DropRedundantRankExpansionOnExtractSliceOfInsertSlice pattern
to support cases where the expanded dimensions are a subset of the
dropped dimensions, rather than requiring them to be exactly equal.
For example:
```
%inserted_slice = tensor.insert_slice %src into %dest[0, 0, 0, 0] [1, 1, 128, 480] [1, 1, 1, 1] :
tensor<128x480xf32> into tensor<1x1x128x480xf32>
%extracted_slice = tensor.extract_slice %inserted_slice[0, 0, 0, 0] [1, 1, 123, 1] [1, 1, 1, 1] :
tensor<1x1x128x480xf32> to tensor<123xf32>
```
can be folded into:
```
%extracted_slice = tensor.extract_slice %src[0, 0] [123, 1] [1, 1] :
tensor<128x480xf32> to tensor<123xf32>
```
Revert "[BOLT] Fix EH data encoding checks in relocateEHFrameSection (#195691)" (#196672)
This reverts commit 7ab26d7c3a160e1dc166f2673644baa396703ee5.
There is test failure in bolt-tests::exceptions-split-strip.test.
detect out of bound reads from an int overflow in the bpf_mem backends.
frank denis reported a problem in bpf_mem_ldw where a large indirect
load offset could have the end of buffer calculation land at UINT_MAX
and wrap, allowing a read of memory outside the buffer.
this change tweaks the buffer checks by checking if the load offset
is in range, taking that away from the buffer length, and then
checking if the size of the load is in the remaining buffer length.
this is the pattern that the bpf_mbuf_ops backend uses.
this problem also exists in bpf_mem_ldh, so this code is factored
out and used in all the bpf_mem_ops load backends.
note that this issue is specific to the bpf_mem_ops backend used
for running bpf filters against a vanilla memory buffer. this backend
is largely unused in the kernel, which almost always uses the
bpf_mbuf_ops backend to run filters against network packets in
mbufs. the bpf_mem_ops are only used by ppp(4) for the "active-filter"
[8 lines not shown]
