Linux/linux cbf457cblock ioctl.c, drivers/block ublk_drv.c

Merge tag 'block-7.1-20260508' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux

Pull block fixes from Jens Axboe:

 - Fix for ublk not doing an actual issue from the task_work fallback
   path. Any request hitting that should be canceled automatically

 - Fix for uring_cmd prep side handling, for the block side uring_cmd
   discard handling

 - Fix for missing validation of the io and physical block size shifts

 - Fix for a use-after-free in ublk's cancel command handling

* tag 'block-7.1-20260508' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux:
  ublk: fix use-after-free in ublk_cancel_cmd()
  ublk: validate physical_bs_shift, io_min_shift and io_opt_shift
  block: only read from sqe on initial invocation of blkdev_uring_cmd()
  ublk: don't issue uring_cmd from fallback task work
DeltaFile
+35-7drivers/block/ublk_drv.c
+15-9block/ioctl.c
+50-162 files

Linux/linux 8be01e1io_uring timeout.c napi.c

Merge tag 'io_uring-7.1-20260508' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux

Pull io_uring fixes from Jens Axboe:

 - Ensure that the absolute timeouts for both the command side and the
   waiting side honor the callers time namespace

 - Ensure tracked NAPI entries are cleared at unregistration time, as
   the NAPI polling loop checks the list state rather than the general
   NAPI state. This can lead to NAPI polling even after unregistration
   has been done. If unregistered, all NAPI polling should be disabled

 - Fix for eventfd recursive invocation handling

* tag 'io_uring-7.1-20260508' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux:
  io_uring/wait: honour caller's time namespace for IORING_ENTER_ABS_TIMER
  io_uring/timeout: honour caller's time namespace for IORING_TIMEOUT_ABS
  io_uring/eventfd: reset deferred signal state
  io_uring/napi: clear tracked NAPI entries on unregister
DeltaFile
+22-13io_uring/timeout.c
+20-7io_uring/napi.c
+5-3io_uring/napi.h
+5-1io_uring/wait.c
+1-0io_uring/eventfd.c
+53-245 files

Linux/linux 81d6f78fs/smb/client cifsacl.c smb2transport.c

Merge tag 'v7.1-rc3-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6

Pull smb client fixes from Steve French:

 - Fix for two ACL issues (security fix to validate dacloffset better
   and chmod fix)

 - Fix out of bounds reads (in check_wsl_eas and smb2_check_msg for
   symlinks)

 - Two Kerberos fixes including an important one when AES-256 encryption
   chosen

 - Fix open_cached_dir problem when directory leases disabled

* tag 'v7.1-rc3-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
  smb: client: validate dacloffset before building DACL pointers
  smb/client: fix out-of-bounds read in smb2_compound_op()
  smb/client: fix out-of-bounds read in symlink_data()

    [4 lines not shown]
DeltaFile
+33-4fs/smb/client/cifsacl.c
+26-9fs/smb/client/smb2transport.c
+18-5fs/smb/client/smb2pdu.c
+8-4fs/smb/client/smb2inode.c
+8-0fs/smb/client/cached_dir.c
+2-1fs/smb/client/smb2misc.c
+95-231 files not shown
+96-247 files

Linux/linux 8bb4457drivers/spi spi-microchip-core-qspi.c spi-imx.c

Merge tag 'spi-fix-v7.1-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi

Pull spi fixes from Mark Brown:
 "There's two main series here, fixing issues that came up in the
  Microchip QSPI and Freescale i.MX drivers. Both of those could result
  in some quite noticable issues if they were encountered in production.
  We also have one minor documentation fix in the ch341 driver"

* tag 'spi-fix-v7.1-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
  spi: ch341: correct company name in MODULE_DESCRIPTION
  spi: microchip-core-qspi: remove some inline markings
  spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations
  spi: microchip-core-qspi: control built-in cs manually
  spi: imx: Propagate prepare_transfer() error from spi_imx_setupxfer()
  spi: imx: Fix UAF on package-1 prepare failure in spi_imx_dma_data_prepare()
  spi: imx: Fix precedence bug in spi_imx_dma_max_wml_find()
DeltaFile
+79-20drivers/spi/spi-microchip-core-qspi.c
+3-4drivers/spi/spi-imx.c
+1-1drivers/spi/spi-ch341.c
+83-253 files

Linux/linux 4bdbce4drivers/regulator qcom-rpmh-regulator.c

Merge tag 'regulator-fix-v7.1-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator

Pull regulator fix from Mark Brown:
 "A straightforward fix for an incorrect description of one of the
  regulators on the Qualcomm PMH0101"

* tag 'regulator-fix-v7.1-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
  regulator: qcom-rpmh: Fix index for pmh0101 ldo16
DeltaFile
+1-1drivers/regulator/qcom-rpmh-regulator.c
+1-11 files

Linux/linux 51d2484drivers/accel/ivpu ivpu_drv.c, drivers/gpu/drm drm_gem.c

Merge tag 'drm-fixes-2026-05-08-1' of https://gitlab.freedesktop.org/drm/kernel

Pull drm fixes from Dave Airlie:
 "Weekly fixes, lots of them but all pretty small, amdgpu and xe are the
  usual but then a large amount of fixes all over.

  core:
   - fix race condition in handle change ioctl

  fb-helper:
   - fix clipping

  rust:
   - fix unsound initialization
   - fix GEM state cleanup
   - fix wrong ARef import

  ttm:
   - update GPU MM stats on pool shrinking

    [83 lines not shown]
DeltaFile
+38-59drivers/gpu/drm/amd/amdgpu/mes_userqueue.c
+1-32drivers/gpu/drm/amd/amdkfd/kfd_device.c
+4-24drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
+24-1drivers/gpu/drm/drm_gem.c
+16-6rust/kernel/drm/device.rs
+21-0drivers/accel/ivpu/ivpu_drv.c
+104-12238 files not shown
+254-24744 files

Linux/linux fa7431edrivers/iommu iommu-pages.h, drivers/iommu/amd init.c amd_iommu_types.h

Merge tag 'iommu-fixes-v7.1-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/iommu/linux

Pull iommu fixes from Joerg Roedel:
 "Core:
   - Cache-flushing fix for non-x86 platforms

  AMD-Vi:
   - Security fix when SEV-SNP is enabled
   - Operator precedence fix in DTE setting"

* tag 'iommu-fixes-v7.1-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/iommu/linux:
  iommu/amd: Fix precedence order in set_dte_passthrough()
  iommu/pages: Fix iommu_pages_flush_incoherent() for non-x86
  iommu/amd: Use maximum PPR log buffer size when SNP is enabled on Family 0x19
  iommu/amd: Use maximum Event log buffer size when SNP is enabled on Family 0x19
DeltaFile
+93-40drivers/iommu/amd/init.c
+13-8drivers/iommu/amd/amd_iommu_types.h
+5-3drivers/iommu/amd/ppr.c
+3-2drivers/iommu/amd/iommu.c
+3-0drivers/iommu/amd/amd_iommu.h
+1-1drivers/iommu/iommu-pages.h
+118-546 files

Linux/linux f7700a4drivers/block ublk_drv.c

ublk: fix use-after-free in ublk_cancel_cmd()

When ublk_reset_ch_dev() clears io->cmd via ublk_queue_reinit()
concurrently with ublk_cancel_cmd(), ublk_cancel_cmd() can read a
stale pointer and pass it to io_uring_cmd_done(), causing a
use-after-free.

Fix by synchronizing the two paths with ubq->cancel_lock:

- ublk_cancel_cmd(): read and clear io->cmd under cancel_lock,
  then call io_uring_cmd_done() on the saved local copy outside
  the lock.

- ublk_reset_ch_dev(): hold cancel_lock across ublk_queue_reinit()
  so that io->cmd and io->flags are cleared atomically with respect
  to ublk_cancel_cmd().

Fixes: 216c8f5ef0f2 ("ublk: replace monitor with cancelable uring_cmd")
Signed-off-by: Ming Lei <tom.leiming at gmail.com>

    [2 lines not shown]
DeltaFile
+15-5drivers/block/ublk_drv.c
+15-51 files

Linux/linux 5e28b7bdrivers/gpu/drm drm_gem.c

drm: Set old handle to NULL before prime swap in change_handle

There was a potential race condition in change_handle. The ioctl
briefly had a single object with two idr entries; a concurrent
gem_close could delete the object and remove one of the handles
while leaving the other one dangling, which could subsequently
be dereferenced for a use-after-free.

To fix this, do the same dance that gem_close itself does.
(f6cd7daecff5 drm: Release driver references to handle before making it available again)
First idr_replace the old handle to NULL. Later, if the prime
operations are successful, actually close it.

create_tail required a similar dance to avoid a similar problem.
(bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail())
It idr_allocs the new handle with NULL, then swaps in the correct
object later to avoid races. We don't need to do that here, since
the only operations that could race are drm_prime, and
change_handle holds the prime lock for the entire duration.

    [12 lines not shown]
DeltaFile
+24-1drivers/gpu/drm/drm_gem.c
+24-11 files

Linux/linux d8a7029drivers/gpu/drm/amd/amdgpu mes_userqueue.c amdgpu_userq_fence.c, drivers/gpu/drm/amd/amdkfd kfd_device.c

Merge tag 'amd-drm-fixes-7.1-2026-05-06' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes

amd-drm-fixes-7.1-2026-05-06:

amdgpu:
- GFX9 fixes
- Hawaii SMU fixes
- SDMA4 fix
- GART fix
- Userq fixes

amdkfd:
- GPUVM TLB flush fix
- Hotplug fix

radeon:
- Hawaii SMU fixes

Signed-off-by: Dave Airlie <airlied at redhat.com>

    [3 lines not shown]
DeltaFile
+38-59drivers/gpu/drm/amd/amdgpu/mes_userqueue.c
+1-32drivers/gpu/drm/amd/amdkfd/kfd_device.c
+4-24drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
+7-6drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
+3-10drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+10-3drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c
+63-1348 files not shown
+81-15514 files

Linux/linux 765e717drivers/accel/ivpu ivpu_drv.c, drivers/gpu/drm/etnaviv etnaviv_sched.c

Merge tag 'drm-misc-fixes-2026-05-07' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes

Short summary of fixes pull:

bochs:
- fix managed cleanup

bridge:
- tda998x: fix sparse warnings on type correctness

etnaviv:
- schedule armed jobs

exynos:
- managed bridge cleanup

fb-helper:
- fix clipping


    [29 lines not shown]
DeltaFile
+21-0drivers/accel/ivpu/ivpu_drv.c
+12-6drivers/gpu/drm/ttm/ttm_pool.c
+5-13drivers/gpu/drm/nouveau/nvkm/subdev/gsp/tu102.c
+9-7drivers/gpu/drm/etnaviv/etnaviv_sched.c
+9-2drivers/gpu/drm/nouveau/nvkm/engine/device/base.c
+3-7drivers/gpu/drm/tiny/bochs.c
+59-3512 files not shown
+87-5618 files

Linux/linux 917719cDocumentation/ABI/obsolete sysfs-selinux-user, Documentation/ABI/removed sysfs-selinux-user

Merge tag 'selinux-pr-20260507' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

Pull selinux fixes from Paul Moore:

 - Allow for multiple opens of /sys/fs/selinux/policy

   Prevent a single process from blocking others from reading the
   SELinux policy loaded in the kernel. This does have the side effect
   of potentially allowing userspace to trigger additional kernel memory
   allocations as part of the open/read operation, but this is mitigated
   by requiring the SELinux security/read_policy permission.

 - Reduce the critical sections where the SELinux policy mutex is held

   This includes the patch to the policy loader code where we move the
   permission checks and an allocation outside the mutex as well as the
   the patch to checkreqprot which drops the code/lock entirely.

   While the checkreqprot code had effectively been dropped in an

    [24 lines not shown]
DeltaFile
+31-165security/selinux/selinuxfs.c
+0-125security/selinux/ss/services.c
+0-12Documentation/ABI/obsolete/sysfs-selinux-user
+12-0Documentation/ABI/removed/sysfs-selinux-user
+0-2security/selinux/include/security.h
+43-3045 files

Linux/linux 22e170edrivers/gpu/drm/xe xe_lrc.c xe_gt_sriov_pf_migration.c, drivers/gpu/drm/xe/display xe_hdcp_gsc.c

Merge tag 'drm-xe-fixes-2026-05-07' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes

UAPI Changes:

Cross-subsystem Changes:

Core Changes:

Driver Changes:
- Add NULL check for media_gt in intel_hdcp_gsc_check_status (Gustavo)
- Fix EAGAIN sign in pf_migration_consume (Shuicheng)
- Fix MMIO access using PF view instead of VF view during migration (Shuicheng)
- Exclude indirect ring state page from ADS engine state size (Satya)

Signed-off-by: Dave Airlie <airlied at redhat.com>
From: Matthew Brost <matthew.brost at intel.com>
Link: https://patch.msgid.link/afw5lsrjE4pStEml@gsse-cloud1.jf.intel.com
DeltaFile
+10-2drivers/gpu/drm/xe/display/xe_hdcp_gsc.c
+9-2drivers/gpu/drm/xe/xe_lrc.c
+4-4drivers/gpu/drm/xe/xe_gt_sriov_pf_migration.c
+4-3drivers/gpu/drm/xe/xe_sriov_pf_migration.c
+1-4drivers/gpu/drm/xe/xe_guc_ads.c
+1-1drivers/gpu/drm/xe/xe_lrc.h
+29-166 files

Linux/linux 17dd4d4. MAINTAINERS, rust/kernel/drm device.rs

Merge tag 'drm-rust-fixes-2026-05-07' of https://gitlab.freedesktop.org/drm/rust/kernel into drm-fixes

DRM Rust fixes for v7.1-rc3

- Fix unsound initialization in drm::Device::new(); if pinned
  initialization of drm::Device::Data fails, make sure
  drm::Device::release() isn't called, so we don't run the data's
  destructor

- Fix missing GEM state cleanup in the init failure case; call
  drm_gem_private_object_fini() if drm_gem_object_init() fails

- Fix wrong ARef import in the DRM shmem GEM helper abstraction

- Replace the nouveau mailing list with the new nova-gpu mailing list
  for both nova-core and nova-drm, and remove unused patchwork entries

Signed-off-by: Dave Airlie <airlied at redhat.com>


    [2 lines not shown]
DeltaFile
+16-6rust/kernel/drm/device.rs
+11-2rust/kernel/drm/gem/mod.rs
+2-4MAINTAINERS
+2-4rust/kernel/drm/gem/shmem.rs
+31-164 files

Linux/linux 2c5d5ecdrivers/gpu/drm/i915 i915_driver.c

Merge tag 'drm-intel-fixes-2026-05-06' of https://gitlab.freedesktop.org/drm/i915/kernel into drm-fixes

- Re-enable ccs modifiers on dg2 (Juha-Pekka Heikkila)

Signed-off-by: Dave Airlie <airlied at redhat.com>
From: Tvrtko Ursulin <tursulin at igalia.com>
Link: https://patch.msgid.link/aftSjG1D0-hKISDy@linux
DeltaFile
+2-3drivers/gpu/drm/i915/i915_driver.c
+2-31 files

Linux/linux f98b481fs/smb/client cifsacl.c

smb: client: validate dacloffset before building DACL pointers

parse_sec_desc(), build_sec_desc(), and the chown path in
id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd
before proving a DACL header fits inside the returned security
descriptor.

On 32-bit builds a malicious server can return dacloffset near
U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip
past the later pointer-based bounds checks. build_sec_desc() and
id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped
pointer in the chmod/chown rewrite paths.

Validate dacloffset numerically before building any DACL pointer and
reuse the same helper at the three DACL entry points.

Fixes: bc3e9dd9d104 ("cifs: Change SIDs in ACEs while transferring file ownership.")
Cc: stable at vger.kernel.org
Assisted-by: Claude:claude-opus-4-6

    [2 lines not shown]
DeltaFile
+32-3fs/smb/client/cifsacl.c
+32-31 files

Linux/linux 8d09328fs/smb/client smb2inode.c

smb/client: fix out-of-bounds read in smb2_compound_op()

If a server sends a truncated response but a large OutputBufferLength, and
terminates the EA list early, check_wsl_eas() returns success without
validating that the entire OutputBufferLength fits within iov_len.

Then smb2_compound_op() does:
    memcpy(idata->wsl.eas, data[0], size[0]);

Where size[0] is OutputBufferLength. If iov_len is smaller than size[0],
memcpy can read beyond the end of the rsp_iov allocation and leak adjacent
kernel heap memory.

Link: https://lore.kernel.org/linux-cifs/d998240c-aca9-420d-9dbd-f5ba24af19e0@chenxiaosong.com/
Fixes: ea41367b2a60 ("smb: client: introduce SMB2_OP_QUERY_WSL_EA")
Cc: stable at vger.kernel.org
Signed-off-by: Zisen Ye <zisenye at stu.xidian.edu.cn>
Reviewed-by: ChenXiaoSong <chenxiaosong at kylinos.cn>
Signed-off-by: Steve French <stfrench at microsoft.com>
DeltaFile
+8-4fs/smb/client/smb2inode.c
+8-41 files

Linux/linux d62b8d2fs/smb/client smb2misc.c

smb/client: fix out-of-bounds read in symlink_data()

Since smb2_check_message() returns success without length validation for
the symlink error response, in symlink_data() it is possible for
iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer
only contains the base SMB2 header (64 bytes), accessing
err->ErrorContextCount (at offset 66) or err->ByteCount later in
symlink_data() will cause an out-of-bounds read.

Link: https://lore.kernel.org/linux-cifs/297d8d9b-adf7-42fd-a1c2-5b1f230032bc@chenxiaosong.com/
Fixes: 76894f3e2f71 ("cifs: improve symlink handling for smb2+")
Cc: Stable at vger.kernel.org
Signed-off-by: Zisen Ye <zisenye at stu.xidian.edu.cn>
Reviewed-by: ChenXiaoSong <chenxiaosong at kylinos.cn>
Signed-off-by: Steve French <stfrench at microsoft.com>
DeltaFile
+2-1fs/smb/client/smb2misc.c
+2-11 files

Linux/linux 8cb6fc3fs/smb/client smb2pdu.c

smb: client: Zero-pad short GSS session keys per MS-SMB2

Per MS-SMB2 section 3.2.5.3, Session.SessionKey is the first 16 bytes
of the GSS cryptographic key, right-padded with zero bytes if the key
is shorter than 16 bytes.

SMB2_auth_kerberos() copies the GSS session key from the cifs.upcall
response using kmemdup(msg->data, msg->sesskey_len, ...) and stores
the GSS-reported length verbatim in ses->auth_key.len. generate_key()
reads SMB2_NTLMV2_SESSKEY_SIZE bytes from this buffer when feeding the
HMAC-SHA256 KDF for signing key derivation. If a GSS mechanism returns
a session key shorter than 16 bytes (e.g. a deprecated single-DES
Kerberos enctype with an 8-byte session key), the KDF call performs an
out-of-bounds slab read and derives keys that do not match the server,
which pads per the spec.

Modern KDCs disable short-key enctypes by default, so this is latent
rather than reachable in production, but it is still a kernel heap
over-read.

    [17 lines not shown]
DeltaFile
+18-5fs/smb/client/smb2pdu.c
+18-51 files

Linux/linux 5be7a0cfs/smb/client smb2transport.c ioctl.c

smb: client: Use FullSessionKey for AES-256 encryption key derivation

When Kerberos authentication is used with AES-256 encryption (AES-256-CCM
or AES-256-GCM), the SMB3 encryption and decryption keys must be derived
using the full session key (Session.FullSessionKey) rather than just the
first 16 bytes (Session.SessionKey).

Per MS-SMB2 section 3.2.5.3.1, when Connection.Dialect is "3.1.1" and
Connection.CipherId is AES-256-CCM or AES-256-GCM, Session.FullSessionKey
must be set to the full cryptographic key from the GSS authentication
context. The encryption and decryption key derivation (SMBC2SCipherKey,
SMBS2CCipherKey) must use this FullSessionKey as the KDF input. The
signing key derivation continues to use Session.SessionKey (first 16
bytes) in all cases.

Previously, generate_key() hardcoded SMB2_NTLMV2_SESSKEY_SIZE (16) as the
HMAC-SHA256 key input length for all derivations. When Kerberos with
AES-256 provides a 32-byte session key, the KDF for encryption/decryption
was using only the first 16 bytes, producing keys that did not match the

    [16 lines not shown]
DeltaFile
+26-9fs/smb/client/smb2transport.c
+1-1fs/smb/client/ioctl.c
+27-102 files

Linux/linux fcee7d8drivers/net/ethernet/marvell/octeontx2/af rvu_npc.c, drivers/net/ethernet/marvell/octeontx2/af/cn20k npc.c

Merge tag 'net-7.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

Pull networking fixes from Jakub Kicinski:
 "Including fixes from Netfilter, IPsec, Bluetooth and WiFi.

  Current release - fix to a fix:

   - ipmr: add __rcu to netns_ipv4.mrt, make sure we hold the RCU lock
     in all relevant places

  Current release - new code bugs:

   - fixes for the recently added resizable hash tables

   - ipv6: make sure we default IPv6 tunnel drivers to =m now that IPv6
     itself is built in

   - drv: octeontx2-af: fixes for parser/CAM fixes


    [59 lines not shown]
DeltaFile
+255-129drivers/net/ethernet/marvell/octeontx2/af/cn20k/npc.c
+199-32drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
+216-0tools/testing/selftests/net/tcp_ecmp_failover.sh
+204-0tools/testing/selftests/drivers/net/hw/ipsec_vxlan.py
+119-45net/netfilter/ipvs/ip_vs_ctl.c
+82-71net/sched/sch_cake.c
+1,075-277183 files not shown
+3,486-1,161189 files

Linux/linux 41ae140drivers/net/ethernet/microchip/sparx5 sparx5_port.c

net: sparx5: configure serdes for 1000BASE-X in sparx5_port_init()

sparx5_port_init() only invokes sparx5_serdes_set() and the associated
shadow-device enable and low-speed device switch for SGMII and QSGMII.
On any port with a high-speed primary device (DEV5G/DEV10G/DEV25G)
configured for 1000BASE-X the serdes is therefore left uninitialized,
the DEV2G5 shadow is never enabled, and the port stays pointed at its
high-speed device rather than the DEV2G5. The PCS1G block looks
healthy in isolation, but no frames reach the link partner.

Add 1000BASE-X to the check so the same three steps run.

Note: the same issue might apply to 2500BASE-X, but that will,
eventually, be addressed in a separate commit.

Reported-by: Andrew Lunn <andrew at lunn.ch>
Fixes: 946e7fd5053a ("net: sparx5: add port module support")
Signed-off-by: Daniel Machon <daniel.machon at microchip.com>
Link: https://patch.msgid.link/20260506-misc-fixes-sparx5-lan969x-v2-4-fb236aa96908@microchip.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
DeltaFile
+2-1drivers/net/ethernet/microchip/sparx5/sparx5_port.c
+2-11 files

Linux/linux b131dc9drivers/net/ethernet/microchip/sparx5 sparx5_main.h

net: sparx5: fix wrong chip ids for TSN SKUs

The TSN SKUs in enum spx5_target_chiptype have incorrect IDs:

  SPX5_TARGET_CT_7546TSN    = 0x47546,
  SPX5_TARGET_CT_7549TSN    = 0x47549,
  SPX5_TARGET_CT_7552TSN    = 0x47552,
  SPX5_TARGET_CT_7556TSN    = 0x47556,
  SPX5_TARGET_CT_7558TSN    = 0x47558,

The value read back from the chip is GCB_CHIP_ID_PART_ID, which is a
GENMASK(27, 12) field, i.e. at most 16 bits wide. It can never match
these IDs, so probing a TSN part fails with a "Target not supported"
error.

Fix the enum to use the actual 16-bit part IDs returned by the
hardware: 0x0546, 0x0549, 0x0552, 0x0556 and 0x0558.

Reported-by: Andrew Lunn <andrew at lunn.ch>

    [4 lines not shown]
DeltaFile
+5-5drivers/net/ethernet/microchip/sparx5/sparx5_main.h
+5-51 files

Linux/linux 19cbc75sound/hda/codecs/realtek alc269.c, sound/soc/amd/yc acp6x-mach.c

Merge tag 'sound-7.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "Again a collection of small fixes, mostly for device-specific ones.

  The only big LOC is about the removal of pretty old dead code in
  ab8500 codec driver, while the rest all nice small changes.

  Core / API:
   - Fix race in deferred fasync state checks
   - Fix UMP group filtering in sequencer

  ASoC:
   - cs35l56: fixes for driver cleanup and error paths
   - tas2764/2770: workaround for bogus temperature readings
   - wm_adsp: fixes for firmware unit tests
   - amd-yc: more DMI quirks for laptops
   - Minor fixes for fsl_xcvr and spacemit


    [33 lines not shown]
DeltaFile
+3-301sound/soc/codecs/ab8500-codec.c
+47-10sound/soc/codecs/wm_adsp_fw_find_test.c
+52-1sound/hda/codecs/realtek/alc269.c
+27-8sound/soc/codecs/tas2764.c
+22-1sound/soc/codecs/tas2770.c
+21-0sound/soc/amd/yc/acp6x-mach.c
+172-32115 files not shown
+243-35321 files

Linux/linux 1e38f88drivers/platform/wmi core.c, drivers/platform/x86/hp hp-wmi.c

Merge tag 'platform-drivers-x86-v7.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86

Pull x86 platform driver fixes from Ilpo Järvinen:

 - Silence unknown board warning for 8D41 (hp-wmi)

 - Fix uninitialized variable in fan RPM handling (lenovo/wmi-other)

 - Check min_size also when ACPI does not return an out object (wmi)

* tag 'platform-drivers-x86-v7.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86:
  platform/x86: lenovo: wmi-other: Fix uninitialized variable in lwmi_om_hwmon_write()
  platform/x86: hp-wmi: silence unknown board warning for 8D41
  platform/wmi: Fix unchecked min_size in wmidev_invoke_method()
DeltaFile
+3-0drivers/platform/wmi/core.c
+1-1drivers/platform/x86/hp/hp-wmi.c
+2-0drivers/platform/x86/lenovo/wmi-other.c
+6-13 files

Linux/linux b3737eadrivers/pmdomain core.c, drivers/pmdomain/mediatek mtk-pm-domains.c

Merge tag 'pmdomain-v7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm

Pull pmdomain fixes from Ulf Hansson:

 - Fix detach procedure for virtual devices in genpd

 - mediatek: Fix use-after-free in scpsys_get_bus_protection_legacy()

* tag 'pmdomain-v7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm:
  pmdomain: mediatek: fix use-after-free in scpsys_get_bus_protection_legacy()
  pmdomain: core: Fix detach procedure for virtual devices in genpd
DeltaFile
+9-1drivers/pmdomain/core.c
+7-3drivers/pmdomain/mediatek/mtk-pm-domains.c
+16-42 files

Linux/linux dedf6c9drivers/net/ethernet/stmicro/stmmac dwmac-nuvoton.c

net: stmmac: dwmac-nuvoton: fix NULL pointer dereference in nvt_set_phy_intf_sel()

priv->dev was never initialized after devm_kzalloc() allocates the
private data structure. When nvt_set_phy_intf_sel() is later invoked
via the phylink interface_select callback, it calls
nvt_gmac_get_delay(priv->dev, ...) which dereferences the NULL pointer.

Fix this by assigning priv->dev = dev immediately after allocation.

Fixes: 4d7c557f58ef ("net: stmmac: dwmac-nuvoton: Add dwmac glue for Nuvoton MA35 family")
Signed-off-by: Joey Lu <a0987203069 at gmail.com>
Link: https://patch.msgid.link/20260506084614.192894-2-a0987203069@gmail.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
DeltaFile
+2-0drivers/net/ethernet/stmicro/stmmac/dwmac-nuvoton.c
+2-01 files

Linux/linux ecddc52net/ipv6 tcp_ipv6.c

tcp: Fix dst leak in tcp_v6_connect().

If a socket is bound to a wildcard address, tcp_v[46]_connect()
updates it with a non-wildcard address based on the route lookup.

After bhash2 was introduced in the cited commit, we must call
inet_bhash2_update_saddr() to update the bhash2 entry as well.

If inet_bhash2_update_saddr() fails, we must release the refcount
for dst by ip_route_connect() or ip6_dst_lookup_flow().

While tcp_v4_connect() calls ip_rt_put() in the error path,
tcp_v6_connect() does not call dst_release().

Let's call dst_release() when inet_bhash2_update_saddr() fails
in tcp_v6_connect().

Fixes: 28044fc1d495 ("net: Add a bhash2 table hashed by port and address")
Reported-by: Damiano Melotti <melotti at google.com>

    [4 lines not shown]
DeltaFile
+3-1net/ipv6/tcp_ipv6.c
+3-11 files

Linux/linux 019c892net/ipv4 ipmr.c

ipmr: Call ipmr_fib_lookup() under RCU.

Yi Lai reported RCU splat in reg_vif_xmit() below. [0]

When CONFIG_IP_MROUTE_MULTIPLE_TABLES=n, ipmr_fib_lookup()
uses rcu_dereference() without explicit rcu_read_lock().

Although rcu_read_lock_bh() is already held by the caller
__dev_queue_xmit(), lockdep requires explicit rcu_read_lock()
for rcu_dereference().

Let's move up rcu_read_lock() in reg_vif_xmit() to
cover ipmr_fib_lookup().

[0]:
WARNING: suspicious RCU usage
7.1.0-rc2-next-20260504-9d0d467c3572 #1 Not tainted
 -----------------------------
net/ipv4/ipmr.c:329 suspicious rcu_dereference_check() usage!

    [63 lines not shown]
DeltaFile
+2-1net/ipv4/ipmr.c
+2-11 files

Linux/linux 32cd651drivers/net/phy bcm7xxx.c bcm-phy-lib.c

net: phy: broadcom: Save PHY counters during suspend

The PHY counters can be lost if the PHY is reset during suspend. We
need to save the values into the shadow counters or the accounting
will be incorrect over multiple suspend and resume cycles.

Fixes: 820ee17b8d3b ("net: phy: broadcom: Add support code for reading PHY counters")
Signed-off-by: Justin Chen <justin.chen at broadcom.com>
Reviewed-by: Florian Fainelli <florian.fainelli at broadcom.com>
Link: https://patch.msgid.link/20260505173926.2870069-1-justin.chen@broadcom.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
DeltaFile
+14-0drivers/net/phy/bcm7xxx.c
+9-0drivers/net/phy/bcm-phy-lib.c
+5-0drivers/net/phy/broadcom.c
+1-0drivers/net/phy/bcm-phy-lib.h
+29-04 files