Linux/linux 979c294include/linux cfi.h

cfi: Include uaccess.h for get_kernel_nofault()

After commit 0652a3daa787 ("tracing: Fix CFI violation in probestub
being called by tprobes"), there are many build errors when building
ARCH=arm multi_v7_defconfig + CONFIG_CFI=y like:

  In file included from drivers/base/devres.c:17:
  In file included from drivers/base/trace.h:16:
  In file included from include/linux/tracepoint.h:23:
  include/linux/cfi.h:44:6: error: call to undeclared function 'get_kernel_nofault'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
     44 |         if (get_kernel_nofault(hash, func - cfi_get_offset()))
        |             ^
  1 error generated.

get_kernel_nofault() is called in the generic version of
cfi_get_func_hash() but nothing ensures uaccess.h is always included for
a proper expansion and prototype.  Include uaccess.h in cfi.h to clear
up the errors.


    [6 lines not shown]
DeltaFile
+1-0include/linux/cfi.h
+1-01 files

Linux/linux 6086121sound/core pcm_native.c, sound/core/seq seq_dummy.c

Merge tag 'sound-7.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "It's getting calmer, but we still came up with a handful of small
  fixes, including two core fixes. All look sane and safe.

  Core:
   - Fix wait queue list corruption in snd_pcm_drain() on linked streams
   - Fix UMP event stack overread in seq dummy driver

  USB-audio:
   - Add quirk for AB13X USB Audio
   - Fix the regression with sticky mixer volumes in 7.1-rc

  ASoC:
   - Fix 32-slot TDM breakage on Freescale SAI
   - Varioud DMI quirks for AMD ACP"

* tag 'sound-7.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:

    [9 lines not shown]
DeltaFile
+44-0sound/soc/amd/acp/amd-acp70-acpi-match.c
+29-4sound/usb/mixer.c
+9-6sound/core/seq/seq_dummy.c
+14-0sound/soc/amd/yc/acp6x-mach.c
+7-0sound/soc/amd/acp-config.c
+3-4sound/core/pcm_native.c
+106-142 files not shown
+109-158 files

Linux/linux d054796. Makefile, arch/arm64 Makefile

Merge tag 'rust-fixes-7.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ojeda/linux

Pull Rust fixes from Miguel Ojeda:
 "Toolchain and infrastructure:

   - Fix 'rustc-option' (the Makefile one) when cross-compiling that
     leads to build or boot failures in certain configs

   - Work around a Rust compiler bug (already fixed for Rust 1.98.0)
     thats lead to boot failures in certain configs due to missing
     'uwtable' LLVM module flags

   - Support a Rust compiler change (starting with Rust 1.98.0) in the
     unstable target specification JSON files

   - Forbid Rust + arm + KASAN configs, which do not build

  'kernel' crate:


    [8 lines not shown]
DeltaFile
+8-0arch/x86/Makefile.um
+6-2scripts/generate_rust_target.rs
+6-0rust/helpers/vmalloc.c
+4-0arch/x86/Makefile
+3-0arch/arm64/Makefile
+2-1Makefile
+29-32 files not shown
+31-58 files

Linux/linux 76351effs fhandle.c mount.h, fs/fuse dev.c

Merge tag 'vfs-7.1-rc7.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs

Pull vfs fixes from Christian Brauner:

 - Fix error handling in ovl_cache_get()

 - Tighten access checks for exited tasks in pidfd_getfd()

 - Fix selftests leak in __wait_for_test()

 - Limit FUSE_NOTIFY_RETRIEVE to uptodate folios

 - Reject fuse_notify() pagecache ops on directories

 - Clear JOBCTL_PENDING_MASK for caller in zap_other_threads()

 - Fix failure to unlock in nfsd4_create_file()

 - Fix pointer arithmetic in qnx6 directory iteration

    [17 lines not shown]
DeltaFile
+14-2fs/fhandle.c
+12-1fs/fuse/dev.c
+5-5fs/iomap/buffered-io.c
+9-1fs/mount.h
+10-0fs/namei.c
+4-4fs/qnx6/dir.c
+54-135 files not shown
+67-2311 files

Linux/linux 8e65320drivers/accel/ethosu ethosu_gem.c, drivers/gpu/drm drm_gem.c

Merge tag 'drm-fixes-2026-06-06' of https://gitlab.freedesktop.org/drm/kernel

Pull drm fixes from Dave Airlie:
 "Weekly drm fixes, not contributing to things settling down
  unfortunately. Lots of driver fixes for various bounds checks, leaks
  and UAF type things, i915/xe probably the most sane, amdgpu has a mix
  of fixes all over, then ethosu has lots of small fixes.

  The problem of fixing thing in private has really hit us with the
  change handle ioctl, and "Sima was right" and we should have disabled
  the ioctl, since it was only introduced a couple of kernels ago and
  failed to upstream it's tests in time.

  The patch here fixes the problems Sima identified, but disables the
  ioctl as well, with a list of known problems in it and a request for
  proper tests to be written and upstreamed. It's a niche user ioctl
  designed for CRIU with AMD ROCm, so I think it's fine to just disable
  it.


    [77 lines not shown]
DeltaFile
+54-27drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
+34-39drivers/gpu/drm/drm_gem.c
+8-54drivers/gpu/drm/xe/xe_guc_submit.c
+41-8drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v11.c
+26-16drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c
+26-9drivers/accel/ethosu/ethosu_gem.c
+189-15354 files not shown
+472-32360 files

Linux/linux 1a4f03ddrivers/gpu/drm drm_gem.c drm_ioctl.c

drm/gem: Try to fix change_handle ioctl, attempt 4

[airlied: just added some comments on how to reenable]
On-list because the cat is out of the bag and we're clearly not good
enough to figure this out in private. The story thus far:

5e28b7b94408 ("drm: Set old handle to NULL before prime swap in
change_handle") tried to fix a race condition between the gem_close and
gem_change_handle ioctls, but got a few things wrong:

- There's a confusion with the local variable handle, which is actually
  the new handle, and so the two-stage trick was actually applied to the
  wrong idr slot. 7164d78559b0 ("drm/gem: fix race between
  change_handle and handle_delete") tried to fix that by adding yet
  another code block, but forgot to add the error handling. Which meant
  we now have two paths, both kinda wrong.

- dc366607c41c ("drm: Replace old pointer to new idr") tried to apply
  another fix, but inconsistently, again because of the handle confusion

    [67 lines not shown]
DeltaFile
+34-39drivers/gpu/drm/drm_gem.c
+2-1drivers/gpu/drm/drm_ioctl.c
+36-402 files

Linux/linux 8ff3adcdrivers/gpu/drm/i915/display intel_plane.c intel_dp_aux_backlight.c

Merge tag 'drm-intel-fixes-2026-06-05' of https://gitlab.freedesktop.org/drm/i915/kernel into drm-fixes

- Fix color blob reference handling in intel_plane_state (Chaitanya Kumar Borah)
- Revert "drm/i915/backlight: Remove try_vesa_interface" [backlight] (Suraj Kandpal)

Signed-off-by: Dave Airlie <airlied at redhat.com>
From: Tvrtko Ursulin <tursulin at igalia.com>
Link: https://patch.msgid.link/aiKgmwz7VGOaFXIv@linux
DeltaFile
+27-0drivers/gpu/drm/i915/display/intel_plane.c
+12-7drivers/gpu/drm/i915/display/intel_dp_aux_backlight.c
+39-72 files

Linux/linux f80cbe5drivers/accel/ethosu ethosu_gem.c, drivers/accel/ivpu ivpu_fw.c ivpu_ms.c

Merge tag 'drm-misc-fixes-2026-06-05' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes

Short summary of fixes pull:

dumb-buffer:
- remove strict limits on buffer geometry

ethosu:
- reject unsupported NPU_OP_RESIZE
- fix index of IFM region
- fix weight index
- fix overflows in DMA-size calculations
- reject DMA commands with uninitialized length
- fix OOB write in ethosu_gem_cmdstream_copy_and_validate

imx:
- fix kernel-doc warnings

ivpu:

    [12 lines not shown]
DeltaFile
+26-9drivers/accel/ethosu/ethosu_gem.c
+19-5drivers/gpu/drm/v3d/v3d_perfmon.c
+14-3drivers/gpu/drm/v3d/v3d_sched.c
+16-0drivers/accel/ivpu/ivpu_fw.c
+8-0drivers/gpu/drm/v3d/v3d_gem.c
+7-0drivers/accel/ivpu/ivpu_ms.c
+90-173 files not shown
+98-249 files

Linux/linux c10130cio_uring net.c

Merge tag 'io_uring-7.1-20260605' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux

Pull io_uring fix from Jens Axboe:
 "A single fix for a missing flag mask when multishot is used with
  an incrementally consumed buffer ring, potentially leading to
  application confusion because of lack of IORING_CQE_F_BUF_MORE
  consistency"

* tag 'io_uring-7.1-20260605' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux:
  io_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv retries
DeltaFile
+2-1io_uring/net.c
+2-11 files

Linux/linux 06121e1scripts/kconfig/tests/err_repeated_inc expected_stderr

Merge tag 'kbuild-fixes-7.1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/kbuild/linux

Pull Kbuild fix from Nicolas Schier:
 "A single simple commit that fixes the currently broken kconfig
  selftests"

* tag 'kbuild-fixes-7.1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/kbuild/linux:
  kconfig: Fix repeated include selftest expectation
DeltaFile
+2-2scripts/kconfig/tests/err_repeated_inc/expected_stderr
+2-21 files

Linux/linux 95b7887arch/arm64/kvm nested.c, arch/s390/kvm kvm-s390.c faultin.c

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull kvm fixes from Paolo Bonzini:
 "arm64:
   - Correctly drop the ITS translation cache reference when it actually
     gets invalidated

   - Take the SRCU lock for SW page table walks

   - Restore POR_EL0 access to host EL0, avoiding POR_EL0 becoming
     inaccessible from EL0 after running a guest

   - Reassign nested_mmus array behind mmu_lock, ensuring that vcpu init
     and MMU notifiers are mutually exclusive

   - Correctly handle FEAT_XNX at stage-2

  s390:
   - More fixes for the new page table management and nested

    [30 lines not shown]
DeltaFile
+129-109arch/x86/kvm/svm/sev.c
+70-58arch/s390/mm/gmap_helpers.c
+20-13arch/arm64/kvm/nested.c
+28-5arch/s390/kvm/kvm-s390.c
+15-15arch/s390/kvm/faultin.c
+20-1arch/s390/kvm/pv.c
+282-20112 files not shown
+337-22218 files

Linux/linux d1b0937kernel/trace trace_probe.c, tools/testing/selftests/ftrace/test.d/dynevent eprobes_syntax_errors.tc

Merge tag 'probes-fixes-v7.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace

Pull tracing/probes fix from Masami Hiramatsu:
 "Fix the eprobe event parser to point error position correctly"

* tag 'probes-fixes-v7.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
  tracing/probes: Point the error offset correctly for eprobe argument error
DeltaFile
+0-2kernel/trace/trace_probe.c
+1-1tools/testing/selftests/ftrace/test.d/dynevent/eprobes_syntax_errors.tc
+1-32 files

Linux/linux 65b09bfscripts/kconfig/tests/err_repeated_inc expected_stderr

kconfig: Fix repeated include selftest expectation

The err_repeated_inc test was added with an expected stderr fixture
that does not match the diagnostic printed by kconfig.

Running "make testconfig" currently fails in that test even though the
parser reports the duplicated include correctly:

  [stderr]
  Kconfig.inc1:4: error: repeated inclusion of Kconfig.inc3
  Kconfig.inc2:3: note: location of first inclusion of Kconfig.inc3

The fixture expects "Repeated" and "Location" with capital letters, but
the diagnostic emitted by scripts/kconfig/util.c uses lowercase words.
Update the fixture to match the real message.

Fixes: 102d712ded3e ("kconfig: Error out on duplicated kconfig inclusion")
Signed-off-by: Zhou Yuhang <zhouyuhang at kylinos.cn>
Tested-by: Nicolas Schier <nsc at kernel.org>

    [3 lines not shown]
DeltaFile
+2-2scripts/kconfig/tests/err_repeated_inc/expected_stderr
+2-21 files

Linux/linux 7ec0360arch/arm64/include/asm kvm_nested.h, arch/arm64/kvm nested.c at.c

Merge tag 'kvmarm-fixes-7.1-5' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEAD

KVM/arm64 fixes for 7.1, take #5

- Correctly drop the ITS translation cache reference when it actually
  gets invalidated

- Take the SRCU lock for SW page table walks

- Restore POR_EL0 access to host EL0, avoiding POR_EL0 becoming
  inaccessible from EL0 after running a guest

- Reassign nested_mmus array behind mmu_lock, ensuring that vcpu init
  and MMU notifiers are mutually exclusive

- Correctly handle FEAT_XNX at stage-2
DeltaFile
+20-13arch/arm64/kvm/nested.c
+4-2arch/arm64/kvm/vgic/vgic-its.c
+4-2arch/arm64/kvm/at.c
+2-2arch/arm64/include/asm/kvm_nested.h
+3-1arch/arm64/kvm/hyp/pgtable.c
+2-0arch/arm64/kvm/hyp/include/hyp/switch.h
+35-206 files

Linux/linux a8dc5f6fs/nfs write.c

Merge tag 'nfs-for-7.1-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs

Pull NFS client fix from Trond Myklebust:

 - Fix a use after free in nfs_write_completion

* tag 'nfs-for-7.1-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
  NFS: write_completion: dereference loop-local req, not hdr->req
DeltaFile
+1-1fs/nfs/write.c
+1-11 files

Linux/linux 6a53584fs/xfs xfs_ioctl.c xfs_reflink.c, fs/xfs/scrub cow_repair.c

Merge tag 'xfs-fixes-7.1-rc7' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux

Pull xfs fixes from Carlos Maiolino:
 "A collection of fixes mostly for the RT device, including a small
  refactor that has no functional change"

* tag 'xfs-fixes-7.1-rc7' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
  xfs: Remove mention of PageWriteback
  xfs: abort mount if xfs_fs_reserve_ag_blocks fails
  xfs: factor rtgroup geom write pointer reporting into a helper
  xfs: drop the RTG reference later in xfs_ioc_rtgroup_geometry
  xfs: fix rtgroup cleanup in CoW fork repair
  xfs: fix error returns in CoW fork repair
  xfs: fix overlapping extents returned for pNFS LAYOUTGET
  xfs: fix use of uninitialized imap in xfs_fs_map_blocks error path
  xfs: handle racing deletions in xfs_zone_gc_iter_irec
DeltaFile
+27-20fs/xfs/xfs_ioctl.c
+7-7fs/xfs/xfs_reflink.c
+3-9fs/xfs/scrub/cow_repair.c
+7-4fs/xfs/xfs_pnfs.c
+5-2fs/xfs/xfs_mount.c
+1-1fs/xfs/xfs_zone_gc.c
+50-436 files

Linux/linux 2b389a5fs/erofs zdata.c zmap.c

Merge tag 'erofs-for-7.1-rc7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs

Pull erofs fixes from Gao Xiang:

 - Fix a UAF of sbi->sync_decompress when compressed I/Os
   race with unmount

 - Fix a regression introduced this development cycle that
   incorrectly rejects multiple-algorithm images

* tag 'erofs-for-7.1-rc7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs:
  erofs: fix EFSCORRUPTED on multi-algorithm images in z_erofs_map_sanity_check()
  erofs: fix use-after-free on sbi->sync_decompress
DeltaFile
+3-3fs/erofs/zdata.c
+1-1fs/erofs/zmap.c
+4-42 files

Linux/linux e4a9638fs/smb/server oplock.c vfs_cache.c

Merge tag 'v7.1-rc7-ksmbd-server-fixes' of git://git.samba.org/ksmbd

Pull smb server fixes from Steve French:

 - Fix use after free in SMB2_CANCEL

 - Fix race in ksmbd_reopen_durable_fd

 - Fix oplock and lease break potential NULL-dref

* tag 'v7.1-rc7-ksmbd-server-fixes' of git://git.samba.org/ksmbd:
  ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL
  ksmbd: fix durable reconnect double-bind race in ksmbd_reopen_durable_fd
  ksmbd: fix NULL-deref of opinfo->conn in oplock/lease break notifiers
DeltaFile
+12-3fs/smb/server/oplock.c
+9-3fs/smb/server/vfs_cache.c
+11-0fs/smb/server/smb2pdu.c
+32-63 files

Linux/linux 17f073farch/arm64/kvm/hyp pgtable.c

KVM: arm64: Correctly identify executable PTEs at stage-2

KVM invalidates the I-cache before installing an executable PTE on
implementations without DIC. Unfortunately, support for FEAT_XNX
broke this check as KVM_PTE_LEAF_ATTR_HI_S2_XN was expanded to a
bitfield.

Fix it by reusing kvm_pgtable_stage2_pte_prot() and testing the abstract
permission bits instead.

Fixes: 2608563b466b ("KVM: arm64: Add support for FEAT_XNX stage-2 permissions")
Reported-by: Sashiko (gemini/gemini-3.1-pro-preview)
Signed-off-by: Oliver Upton <oupton at kernel.org>
Reviewed-by: Wei-Lin Chang <weilin.chang at arm.com>
Link: https://patch.msgid.link/20260602165901.52800-3-oupton@kernel.org
Signed-off-by: Marc Zyngier <maz at kernel.org>
Cc: stable at vger.kernel.org
DeltaFile
+3-1arch/arm64/kvm/hyp/pgtable.c
+3-11 files

Linux/linux 49b32ddarch/arm64/include/asm kvm_nested.h

KVM: arm64: nv: Fix handling of XN[0] when !FEAT_XNX

XN has already been extracted from its bitfield position so using
FIELD_PREP() on the mask that clears XN[0] is completely broken, having
the effect of unconditionally granting execute permissions...

Fix the obvious mistake by manipulating the right bit.

Cc: stable at vger.kernel.org
Fixes: d93febe2ed2e ("KVM: arm64: nv: Forward FEAT_XNX permissions to the shadow stage-2")
Reviewed-by: Wei-Lin Chang <weilin.chang at arm.com>
Signed-off-by: Oliver Upton <oupton at kernel.org>
Link: https://patch.msgid.link/20260602165901.52800-2-oupton@kernel.org
Signed-off-by: Marc Zyngier <maz at kernel.org>
DeltaFile
+2-2arch/arm64/include/asm/kvm_nested.h
+2-21 files

Linux/linux ed46f39io_uring net.c

io_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv retries

When a bundle recv retries inside io_recv_finish(), the merge logic OR
the saved cflags from the previous iteration with the cflags returned by
the new iteration:
  cflags = req->cqe.flags | (cflags & CQE_F_MASK);

Bits listed in CQE_F_MASK are inherited from the new iteration, and all
other bits (notably IORING_CQE_F_BUFFER and the buffer ID) come from the
saved cflags. Before this change CQE_F_MASK covered only
IORING_CQE_F_SOCK_NONEMPTY and IORING_CQE_F_MORE.

When using provided buffer rings (IOU_PBUF_RING_INC) with incremental
mode, and bundle recv, io_kbuf_inc_commit() can leave the head ring
entry partially consumed, __io_put_kbufs() then sets
IORING_CQE_F_BUF_MORE on the returned cflags so userspace knows the
buffer ID will be reused for subsequent completions.

Because IORING_CQE_F_BUF_MORE was not in CQE_F_MASK, the merge above

    [16 lines not shown]
DeltaFile
+2-1io_uring/net.c
+2-11 files

Linux/linux 7054335arch/arm64/kvm nested.c

KVM: arm64: Reassign nested_mmus array behind mmu_lock

kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the
MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which
can run at any time. kvm_vcpu_init_nested() reallocates the array and frees
the old buffer while holding only kvm->arch.config_lock, so such a walker
can reference the freed array.

Allocate the new array outside of mmu_lock, as the allocation can sleep.
Under the lock, copy the existing entries, fix up the back pointers and
reassign the array. Free the old buffer after dropping the lock, as
kvfree() can sleep as well.

Fixes: 4f128f8e1aaac ("KVM: arm64: nv: Support multiple nested Stage-2 mmu structures")
Signed-off-by: Hyunwoo Kim <imv4bel at gmail.com>
Reviewed-by: Oliver Upton <oupton at kernel.org>
Link: https://patch.msgid.link/aiKIVVeIr1aAB1yp@v4bel
Signed-off-by: Marc Zyngier <maz at kernel.org>
Cc: stable at vger,kernel.org
DeltaFile
+20-13arch/arm64/kvm/nested.c
+20-131 files

Linux/linux cbaffe8arch/arm64/kvm/hyp/include/hyp switch.h

KVM: arm64: Restore POR_EL0 access to host EL0

CPTR_EL2.E0POE was being cleared in __deactivate_cptr_traps_vhe(), which meant
that any accesses to POR_EL0 from host EL0 would trap and be reported to
userspace as an Illegal instruction. This would happen after running any VM,
regardless if it used POE or not.

Signed-off-by: Joey Gouly <joey.gouly at arm.com>
Link: https://sashiko.dev/#/patchset/20260602155430.2088142-1-maz@kernel.org?part=1
Link: https://patch.msgid.link/20260604105434.2297268-1-joey.gouly@arm.com
Signed-off-by: Marc Zyngier <maz at kernel.org>
Cc: stable at vger,kernel.org
DeltaFile
+2-0arch/arm64/kvm/hyp/include/hyp/switch.h
+2-01 files

Linux/linux 2914709drivers/gpu/drm/i915/display intel_dp_aux_backlight.c

Revert "drm/i915/backlight: Remove try_vesa_interface"

This reverts commit 40d2f5820951dee818d05c14677277048bd85f9f.

Removing the try_vesa_interface gate caused a backlight regression on
panels whose VBT correctly reports INTEL_BACKLIGHT_DISPLAY_DDI and whose
PWM path is the actual backlight control, but whose DPCD optimistically
advertises DP_EDP_BACKLIGHT_AUX_ENABLE_CAP / _BRIGHTNESS_AUX_SET_CAP.
After the commit such panels silently bind to the VESA AUX backlight
funcs; AUX writes complete but the panel ignores them, leaving
brightness stuck (no-op backlight). Observed on at least KBL and TGL
eDP setups.

Signed-off-by: Suraj Kandpal <suraj.kandpal at intel.com>
Reviewed-by: Ankit Nautiyal <ankit.k.nautiyal at intel.com>
Link: https://patch.msgid.link/20260517024709.1016121-1-suraj.kandpal@intel.com
(cherry picked from commit f30fddb4402313aa5301a74d721638d343395269)
Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin at igalia.com>
DeltaFile
+12-7drivers/gpu/drm/i915/display/intel_dp_aux_backlight.c
+12-71 files

Linux/linux f2ca45barch/arm64/kvm at.c

KVM: arm64: Take the SRCU lock for page table walks in fault injection and AT emulation

walk_s1() and kvm_walk_nested_s2() expect to be called while holding
kvm->srcu to guard against memslot changes. While this is generally
the case, __kvm_at_s12() and __kvm_find_s1_desc_level() call into the
respective walkers without taking kvm->srcu.

Fix by acquiring kvm->srcu prior to the table walk in both instances.

Cc: stable at vger.kernel.org
Fixes: 50f77dc87f13 ("KVM: arm64: Populate level on S1PTW SEA injection")
Fixes: be04cebf3e78 ("KVM: arm64: nv: Add emulation of AT S12E{0,1}{R,W}")
Suggested-by: Oliver Upton <oupton at kernel.org>
Signed-off-by: Hyunwoo Kim <imv4bel at gmail.com>
Reviewed-by: Oliver Upton <oupton at kernel.org>
Link: https://patch.msgid.link/aiAZfdeyanIvP8SD@v4bel
Signed-off-by: Marc Zyngier <maz at kernel.org>
DeltaFile
+4-2arch/arm64/kvm/at.c
+4-21 files

Linux/linux 13031fbarch/arm64/kvm/vgic vgic-its.c

KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry

vgic_its_invalidate_cache() walks the per-ITS translation cache with
xa_for_each() and drops the cache's reference on each entry with
vgic_put_irq(). It puts the iterated pointer, though, rather than the
value returned by xa_erase().

The function is called from contexts that do not exclude one another: the
ITS command handlers hold its_lock, the GITS_CTLR write path holds
cmd_lock, and the path that clears EnableLPIs in a redistributor's
GICR_CTLR holds neither. Two or more of them can drain the same cache
concurrently, and if each one observes the same entry, erases it and then
puts it, the single reference the cache holds on that entry is dropped
more than once. The entry can then be freed while an ITE still maps it.

xa_erase() is atomic and returns the previous entry, so put only the entry
that this context actually removed. The cache reference is then dropped
exactly once per entry even when the invalidations run concurrently, and
the behavior is unchanged when only one context runs.

    [7 lines not shown]
DeltaFile
+4-2arch/arm64/kvm/vgic/vgic-its.c
+4-21 files

Linux/linux 2b5ff4dsound/core/seq seq_dummy.c

ALSA: seq: dummy: fix UMP event stack overread

The dummy sequencer port forwards events by copying an incoming
struct snd_seq_event into a stack temporary, rewriting source and
destination, and dispatching the temporary to subscribers. That legacy
event storage is smaller than struct snd_seq_ump_event.

When a UMP event reaches the dummy client, the copy leaves the UMP flag
set but only provides legacy-sized stack storage. The subscriber
delivery path then uses snd_seq_event_packet_size() and copies a
UMP-sized packet from that stack object, reading past the end of the
temporary.

Use the existing union __snd_seq_event storage and copy the packet size
reported for the incoming event before rewriting the common routing
fields. This preserves the full UMP packet for UMP events while keeping
legacy event handling unchanged.

Fixes: 32cb23a0f911 ("ALSA: seq: dummy: Allow UMP conversion")

    [3 lines not shown]
DeltaFile
+9-6sound/core/seq/seq_dummy.c
+9-61 files

Linux/linux c0837b9drivers/accel/ethosu ethosu_gem.c

accel/ethosu: fix OOB write in ethosu_gem_cmdstream_copy_and_validate()

The command stream parsing loop increments the index variable a second
time when a 64-bit command word is encountered (bit 14 set), but does
not re-check the loop bound before writing the second word:

    for (i = 0; i < size / 4; i++) {
        bocmds[i] = cmds[0];
        if (cmd & 0x4000) {
            i++;
            bocmds[i] = cmds[1];   /* unchecked */
        }
    }

The buffer bocmds is backed by a DMA allocation of exactly size bytes
from drm_gem_dma_create(ddev, size), giving valid indices [0, size/4-1].

When i == size/4 - 1 on entry to an iteration and bit 14 of cmds[0] is
set, bocmds[size/4-1] is written in bounds, i is then incremented to

    [15 lines not shown]
DeltaFile
+2-0drivers/accel/ethosu/ethosu_gem.c
+2-01 files

Linux/linux d9d0212drivers/accel/ethosu ethosu_gem.c

accel/ethosu: reject DMA commands with uninitialized length

cmd_state_init() initializes the command state with memset(0xff),
leaving dma->len at U64_MAX to signal missing setup. The only setter
is NPU_SET_DMA0_LEN; if userspace omits this command and issues
NPU_OP_DMA_START, dma->len remains U64_MAX.

In dma_length(), a positive stride added to U64_MAX wraps to a small
value. With size0 == 1, check_mul_overflow() does not trigger and
dma_length() returns 0 instead of U64_MAX. The caller's U64_MAX check
then passes, region_size[] stays 0, and the bounds check in
ethosu_job.c is bypassed, allowing hardware to execute DMA with stale
physical addresses.

Fix by checking for U64_MAX at the start of dma_length() before any
arithmetic, consistent with the sentinel value used throughout the
driver to detect uninitialized fields.

Fixes: 5a5e9c0228e6 ("accel: Add Arm Ethos-U NPU driver")

    [4 lines not shown]
DeltaFile
+3-0drivers/accel/ethosu/ethosu_gem.c
+3-01 files

Linux/linux ee6d9b6drivers/accel/ethosu ethosu_gem.c

accel/ethosu: fix arithmetic issues in dma_length()

dma_length() derives DMA region usage from command stream values and
updates region_size[]:

    len = ((len + stride[0]) * size0 + stride[1]) * size1
    region_size[region] = max(..., len + dma->offset)

Several arithmetic issues can corrupt the derived region size:

- signed stride values may underflow when added to len
- intermediate multiplications may overflow
- len + dma->offset may overflow during region_size updates
- dma_length() error returns were not validated by the caller

region_size[] is later used by ethosu_job.c to validate command stream
accesses against GEM buffer sizes. Arithmetic wraparound can therefore
under-report region usage and bypass the bounds validation.


    [9 lines not shown]
DeltaFile
+18-5drivers/accel/ethosu/ethosu_gem.c
+18-51 files