Linux/linux 1bfaee9fs/overlayfs util.c

Merge tag 'fsverity-for-linus' of git://git.kernel.org/pub/scm/fs/fsverity/linux

Pull fsverity fix from Eric Biggers:
 "Fix a regression in overlayfs caused by an fsverity API change"

* tag 'fsverity-for-linus' of git://git.kernel.org/pub/scm/fs/fsverity/linux:
  ovl: fix verity lazy-load guard broken by fsverity_active() semantic change
DeltaFile
+1-1fs/overlayfs/util.c
+1-11 files

Linux/linux e92b287. Makefile, drivers/android/binder/range_alloc array.rs

Merge tag 'rust-fixes-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/ojeda/linux

Pull Rust fixes from Miguel Ojeda:
 "Toolchain and infrastructure:

    - Add 'bindgen' target to make UML 32-bit builds work with GCC

    - Disable two Clippy warnings ('collapsible_{if,match}')

  'pin-init' crate:

    - Fix unsoundness issue that created &'static references"

* tag 'rust-fixes-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/ojeda/linux:
  rust: allow `clippy::collapsible_if` globally
  rust: allow `clippy::collapsible_match` globally
  rust: pin-init: fix incorrect accessor reference lifetime
  rust: pin-init: internal: move alignment check to `make_field_check`
  rust: arch: um: Fix building 32-bit UML with GCC
DeltaFile
+84-100rust/pin-init/internal/src/init.rs
+19-9rust/pin-init/src/__internal.rs
+2-0rust/Makefile
+2-0Makefile
+0-1drivers/android/binder/range_alloc/array.rs
+107-1105 files

Linux/linux ec89572Documentation/hwmon yogafan.rst, drivers/hwmon ltc2992.c lm63.c

Merge tag 'hwmon-for-v7.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging

Pull hwmon fixes from Guenter Roeck:

 - ads7871: Fix endianness bug in 16-bit register reads

 - lm75: Fix configuration register writes and AS6200/TMP112 setup and
   alarm handling

 - lm63: Fix TOCTOU problems

 - corsair-psu: Close HID device on probe errors

 - ltc2992: Fix overflow and threshold range

 - Documentation: fix link to ideapad-laptop.c file

 - Remove stale CONFIG_SENSORS_SBRMI Makefile reference


    [10 lines not shown]
DeltaFile
+32-9drivers/hwmon/ltc2992.c
+30-9drivers/hwmon/lm63.c
+5-5drivers/hwmon/lm75.c
+5-1drivers/hwmon/ads7871.c
+2-2drivers/hwmon/corsair-psu.c
+1-1Documentation/hwmon/yogafan.rst
+75-271 files not shown
+75-287 files

Linux/linux 234d72adrivers/staging/rtl8723bs/os_dep osdep_service.c, drivers/staging/vme_user vme_fake.c

Merge tag 'staging-7.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging

Pull staging driver fixes from Greg KH:
 "Here are two small staging driver fixes for 7.1-rc3.  They are:

   - vme_user root device leak fix

   - NULL dereference bugfix in the rtl8723bs driver

  Both of these have been in linux-next all this week with no reported
  issues"

* tag 'staging-7.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
  staging: rtl8723bs: os_dep: avoid NULL pointer dereference in rtw_cbuf_alloc
  staging: vme_user: fix root device leak on init failure
DeltaFile
+2-1drivers/staging/rtl8723bs/os_dep/osdep_service.c
+2-0drivers/staging/vme_user/vme_fake.c
+4-12 files

Linux/linux fe3e5bcdrivers/usb/class usblp.c, drivers/usb/common ulpi.c

Merge tag 'usb-7.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb

Pull USB driver fixes from Greg KH:
 "Here are some small USB driver fixes for 7.1-rc3 to resolve some
  reported issues, and a new device id. These are:

   - usblp driver heap leak fixes

   - ulpi driver memory leak fix

   - typec driver fixes

   - dwc3 driver fix

   - omap dma driver fix

   - new option driver device id addition

  All of these have been in linux-next for over a week with no reported

    [11 lines not shown]
DeltaFile
+18-9drivers/usb/typec/tcpm/tcpm.c
+6-6drivers/usb/dwc3/core.c
+4-1drivers/usb/common/ulpi.c
+0-4drivers/usb/gadget/udc/omap_udc.c
+4-0drivers/usb/serial/option.c
+2-1drivers/usb/class/usblp.c
+34-216 files

Linux/linux 656a95c. MAINTAINERS, Documentation/devicetree/bindings/i2c amlogic,meson6-i2c.yaml

Merge tag 'i2c-for-7.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux

Pull i2c fixes from Wolfram Sang:

 - sanitize more input parameters in the core (found by syzkaller)

 - usual set of driver fixes (proper completion handling, applying
   quirks, correct workqueue selection...)

 - ID additions to simplify dependency handling

 - new email address for Peter Rosin

* tag 'i2c-for-7.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
  i2c: smbus: reject oversized block transfers in the common path
  MAINTAINERS: Update mail for Peter Rosin
  i2c: stub: Reject I2C block transfers with invalid length
  i2c: Compare the return value of gpiod_get_direction against GPIO_LINE_DIRECTION_OUT
  i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl

    [5 lines not shown]
DeltaFile
+11-13MAINTAINERS
+9-4Documentation/devicetree/bindings/i2c/amlogic,meson6-i2c.yaml
+12-0drivers/i2c/i2c-core-smbus.c
+5-4drivers/i2c/i2c-dev.c
+3-3drivers/i2c/busses/i2c-stm32f7.c
+5-0drivers/i2c/i2c-stub.c
+45-245 files not shown
+53-2911 files

Linux/linux bf0e022arch/powerpc/kernel/vdso Makefile, arch/powerpc/lib vmx-helper.c

Merge tag 'powerpc-7.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux

Pull powerpc fixes from Madhavan Srinivasan:

 - Fix KASAN sanitization flag for core_$(BITS).o

 - Fixes for handling offset values in pseries htmdump

 - Fix interrupt mask in cpm1_gpiochip_add16()

 - ps3/pasemi fixes to drop redundant result assignment

 - Fixes in papr-hvpipe code path

 - powerpc/perf: Update check for PERF_SAMPLE_DATA_SRC marked events

Thanks to Aboorva Devarajan, Athira Rajeev, Christophe Leroy (CS GROUP),
Geert Uytterhoeven, Haren Myneni, Krzysztof Kozlowski, Mukesh Kumar
Chaurasiya (IBM), Nathan Chancellor, Ritesh Harjani (IBM), Shivani

    [24 lines not shown]
DeltaFile
+97-84arch/powerpc/platforms/pseries/papr-hvpipe.c
+116-17arch/powerpc/platforms/pseries/htmdump.c
+8-1arch/powerpc/lib/vmx-helper.c
+6-0arch/powerpc/kernel/vdso/Makefile
+3-2arch/powerpc/perf/core-book3s.c
+1-3arch/powerpc/platforms/ps3/device-init.c
+231-10712 files not shown
+235-12118 files

Linux/linux 7039050arch/x86/kernel e820.c, arch/x86/xen setup.c

Merge tag 'x86-urgent-2026-05-09' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull x86 fixes from Ingo Molnar:

 - Fix memory map enumeration bug in the Xen e820 parsing code (Juergen
   Gross)

 - Re-enable e820 BIOS fallback if e820 table is empty (David Gow)

* tag 'x86-urgent-2026-05-09' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/boot/e820: Re-enable BIOS fallback if e820 table is empty
  x86/xen: Fix a potential problem in xen_e820_resolve_conflicts()
DeltaFile
+9-4arch/x86/xen/setup.c
+5-1arch/x86/kernel/e820.c
+14-52 files

Linux/linux 6e1e5a3kernel/time timer_migration.c

Merge tag 'timers-urgent-2026-05-09' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull timer fix from Ingo Molnar:
 "Fix CPU hotplug activation race in the timer migration code, by
  Frederic Weisbecker"

* tag 'timers-urgent-2026-05-09' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  timers/migration: Fix another hotplug activation race
DeltaFile
+29-11kernel/time/timer_migration.c
+29-111 files

Linux/linux 7f00232Documentation/userspace-api rseq.rst, include/linux rseq_entry.h

Merge tag 'sched-urgent-2026-05-09' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull scheduler fixes from Ingo Molnar:

 - Fix spurious failures in rseq self-tests (Mark Brown)

 - Fix rseq rseq::cpu_id_start ABI regression due to TCMalloc's creative
   use of the supposedly read-only field

   The fix is to introduce a new ABI variant based on a new (larger)
   rseq area registration size, to keep the TCMalloc use of rseq
   backwards compatible on new kernels (Thomas Gleixner)

 - Fix wakeup_preempt_fair() for not waking up task (Vincent Guittot)

 - Fix s64 mult overflow in vruntime_eligible() (Zhan Xusheng)

* tag 'sched-urgent-2026-05-09' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  sched/fair: Fix wakeup_preempt_fair() for not waking up task

    [12 lines not shown]
DeltaFile
+132-82kernel/rseq.c
+59-63include/linux/rseq_entry.h
+93-1Documentation/userspace-api/rseq.rst
+65-0tools/testing/selftests/rseq/legacy_check.c
+37-7kernel/sched/fair.c
+39-0tools/testing/selftests/rseq/run_param_test.sh
+425-15313 files not shown
+580-21119 files

Linux/linux e5cf026arch/x86/events core.c perf_event.h, arch/x86/events/intel core.c

Merge tag 'perf-urgent-2026-05-09' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull perf events fixes from Ingo Molnar:

 - Fix deadlock in the perf_mmap() failure path (Peter Zijlstra)

 - Intel ACR (Auto Counter Reload) fixes (Dapeng Mi):
     - Fix validation and configuration of ACR masks
     - Fix ACR rescheduling bug causing stale masks
     - Disable the PMI on ACR-enabled hardware
     - Enable ACR on Panther Cover uarch too

* tag 'perf-urgent-2026-05-09' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  perf/x86/intel: Enable auto counter reload for DMR
  perf/x86/intel: Disable PMI for self-reloaded ACR events
  perf/x86/intel: Always reprogram ACR events to prevent stale masks
  perf/x86/intel: Improve validation and configuration of ACR masks
  perf/core: Fix deadlock in perf_mmap() failure path
DeltaFile
+55-15kernel/events/core.c
+39-11arch/x86/events/intel/core.c
+8-5arch/x86/events/core.c
+10-0arch/x86/events/perf_event.h
+2-0kernel/events/ring_buffer.c
+1-0kernel/events/internal.h
+115-316 files

Linux/linux 27a26ccarch/arm64/kernel ptrace.c

Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

Pull arm64 fix from Catalin Marinas:

 - ptrace(PTRACE_SETREGSET) fix to zero the target's fpsimd_state rather
   than the tracer's

* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
  arm64/fpsimd: ptrace: zero target's fpsimd_state, not the tracer's
DeltaFile
+2-2arch/arm64/kernel/ptrace.c
+2-21 files

Linux/linux 678ede8. MAINTAINERS, drivers/pci pci-driver.c pci.c

Merge tag 'pci-v7.1-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci

Pull PCI fixes from Bjorn Helgaas:

 - Don't fallback to bus reset after failed slot reset; a bus reset
   isn't safe if the .reset_slot() callback is implemented (Keith Busch)

 - Update saved_config_space upon resource assignment to fix passthrough
   regressions when x86 pcibios_assign_resources() updates BARs (Lukas
   Wunner)

 - Initialize a temporary pci_dev->dev in sysfs 'new_id' attribute to
   fix a lockdep regression after driver_override was moved from PCI to
   device core (Samiullah Khawaja)

 - Update MAINTAINERS email addresses (Marek Vasut, Hans Zhang)

 - Add MAINTAINERS reviewer for PCIe Cadence IP (Aksh Garg)


    [7 lines not shown]
DeltaFile
+8-1drivers/pci/pci-driver.c
+4-5drivers/pci/pci.c
+4-3MAINTAINERS
+2-0drivers/pci/setup-res.c
+18-94 files

Linux/linux 9ef40a0. MAINTAINERS

MAINTAINERS: Add Aksh Garg as PCIe CADENCE reviewer

I wish to contribute to the review process for Cadence PCIe IP drivers,
hence add myself as a reviewer.

Signed-off-by: Aksh Garg <a-garg7 at ti.com>
Signed-off-by: Bjorn Helgaas <bhelgaas at google.com>
Link: https://patch.msgid.link/20260508060951.840233-1-a-garg7@ti.com
DeltaFile
+2-1MAINTAINERS
+2-11 files

Linux/linux 909f7bfdrivers/pci setup-res.c

PCI: Update saved_config_space upon resource assignment

Bernd reports passthrough failure of a Digital Devices Cine S2 V6 DVB
adapter plugged into an ASRock X570S PG Riptide board with BIOS version
P5.41 (09/07/2023):

  ddbridge 0000:05:00.0: detected Digital Devices Cine S2 V6 DVB adapter
  ddbridge 0000:05:00.0: cannot read registers
  ddbridge 0000:05:00.0: fail

BIOS assigns an incorrect BAR to the DVB adapter which doesn't fit into the
upstream bridge window.  The kernel corrects the BAR assignment:

  pci 0000:07:00.0: BAR 0 [mem 0xfffffffffc500000-0xfffffffffc50ffff 64bit]: can't claim; no compatible bridge window
  pci 0000:07:00.0: BAR 0 [mem 0xfc500000-0xfc50ffff 64bit]: assigned

Correction of the BAR assignment happens in an x86-specific fs_initcall,
pcibios_assign_resources(), after device enumeration in a subsys_initcall.
This order was introduced at the behest of Linus in 2004:

    [48 lines not shown]
DeltaFile
+2-0drivers/pci/setup-res.c
+2-01 files

Linux/linux bf5421b. MAINTAINERS

MAINTAINERS: Update Marek Vasut email for PCIe R-Car

Use up to date address. No functional change.

Signed-off-by: Marek Vasut <marek.vasut+renesas at mailbox.org>
Signed-off-by: Bjorn Helgaas <bhelgaas at google.com>
Link: https://patch.msgid.link/20260428052030.51101-1-marek.vasut+renesas@mailbox.org
DeltaFile
+1-1MAINTAINERS
+1-11 files

Linux/linux f45a49adrivers/pci pci-driver.c

PCI: Initialize temporary device in new_id_store()

When setting new_id of a PCI device driver using sysfs a lockdep splat
occurs. This is because new_id_store() builds a temporary pci_dev for
pci_match_device(), which calls device_match_driver_override().  That
depends on the driver_override.lock added by cb3d1049f4ea ("driver core:
generalize driver_override in struct device").

The new driver_override.lock was not initialized in the temporary pci_dev,
resulting in this lockdep splat.

Initialize the temporary pci_dev to fix this.

Repro:

  Build with CONFIG_LOCKDEP=y, boot with QEMU, and add a new ID:

  # echo "8086 10f5" > /sys/bus/pci/drivers/e1000e/new_id


    [25 lines not shown]
DeltaFile
+8-1drivers/pci/pci-driver.c
+8-11 files

Linux/linux 78e115d. MAINTAINERS

MAINTAINERS: Update Hans Zhang email for PCIe CIX Sky1

Update my email address as my work email account is no longer in use.

Signed-off-by: Hans Zhang <18255117159 at 163.com>
Signed-off-by: Bjorn Helgaas <bhelgaas at google.com>
Link: https://patch.msgid.link/20260508023006.1787674-1-18255117159@163.com
DeltaFile
+1-1MAINTAINERS
+1-11 files

Linux/linux cbf457cblock ioctl.c, drivers/block ublk_drv.c

Merge tag 'block-7.1-20260508' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux

Pull block fixes from Jens Axboe:

 - Fix for ublk not doing an actual issue from the task_work fallback
   path. Any request hitting that should be canceled automatically

 - Fix for uring_cmd prep side handling, for the block side uring_cmd
   discard handling

 - Fix for missing validation of the io and physical block size shifts

 - Fix for a use-after-free in ublk's cancel command handling

* tag 'block-7.1-20260508' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux:
  ublk: fix use-after-free in ublk_cancel_cmd()
  ublk: validate physical_bs_shift, io_min_shift and io_opt_shift
  block: only read from sqe on initial invocation of blkdev_uring_cmd()
  ublk: don't issue uring_cmd from fallback task work
DeltaFile
+35-7drivers/block/ublk_drv.c
+15-9block/ioctl.c
+50-162 files

Linux/linux 8be01e1io_uring timeout.c napi.c

Merge tag 'io_uring-7.1-20260508' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux

Pull io_uring fixes from Jens Axboe:

 - Ensure that the absolute timeouts for both the command side and the
   waiting side honor the callers time namespace

 - Ensure tracked NAPI entries are cleared at unregistration time, as
   the NAPI polling loop checks the list state rather than the general
   NAPI state. This can lead to NAPI polling even after unregistration
   has been done. If unregistered, all NAPI polling should be disabled

 - Fix for eventfd recursive invocation handling

* tag 'io_uring-7.1-20260508' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux:
  io_uring/wait: honour caller's time namespace for IORING_ENTER_ABS_TIMER
  io_uring/timeout: honour caller's time namespace for IORING_TIMEOUT_ABS
  io_uring/eventfd: reset deferred signal state
  io_uring/napi: clear tracked NAPI entries on unregister
DeltaFile
+22-13io_uring/timeout.c
+20-7io_uring/napi.c
+5-3io_uring/napi.h
+5-1io_uring/wait.c
+1-0io_uring/eventfd.c
+53-245 files

Linux/linux 81d6f78fs/smb/client cifsacl.c smb2transport.c

Merge tag 'v7.1-rc3-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6

Pull smb client fixes from Steve French:

 - Fix for two ACL issues (security fix to validate dacloffset better
   and chmod fix)

 - Fix out of bounds reads (in check_wsl_eas and smb2_check_msg for
   symlinks)

 - Two Kerberos fixes including an important one when AES-256 encryption
   chosen

 - Fix open_cached_dir problem when directory leases disabled

* tag 'v7.1-rc3-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
  smb: client: validate dacloffset before building DACL pointers
  smb/client: fix out-of-bounds read in smb2_compound_op()
  smb/client: fix out-of-bounds read in symlink_data()

    [4 lines not shown]
DeltaFile
+33-4fs/smb/client/cifsacl.c
+26-9fs/smb/client/smb2transport.c
+18-5fs/smb/client/smb2pdu.c
+8-4fs/smb/client/smb2inode.c
+8-0fs/smb/client/cached_dir.c
+2-1fs/smb/client/smb2misc.c
+95-231 files not shown
+96-247 files

Linux/linux 8bb4457drivers/spi spi-microchip-core-qspi.c spi-imx.c

Merge tag 'spi-fix-v7.1-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi

Pull spi fixes from Mark Brown:
 "There's two main series here, fixing issues that came up in the
  Microchip QSPI and Freescale i.MX drivers. Both of those could result
  in some quite noticable issues if they were encountered in production.
  We also have one minor documentation fix in the ch341 driver"

* tag 'spi-fix-v7.1-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
  spi: ch341: correct company name in MODULE_DESCRIPTION
  spi: microchip-core-qspi: remove some inline markings
  spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations
  spi: microchip-core-qspi: control built-in cs manually
  spi: imx: Propagate prepare_transfer() error from spi_imx_setupxfer()
  spi: imx: Fix UAF on package-1 prepare failure in spi_imx_dma_data_prepare()
  spi: imx: Fix precedence bug in spi_imx_dma_max_wml_find()
DeltaFile
+79-20drivers/spi/spi-microchip-core-qspi.c
+3-4drivers/spi/spi-imx.c
+1-1drivers/spi/spi-ch341.c
+83-253 files

Linux/linux 4bdbce4drivers/regulator qcom-rpmh-regulator.c

Merge tag 'regulator-fix-v7.1-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator

Pull regulator fix from Mark Brown:
 "A straightforward fix for an incorrect description of one of the
  regulators on the Qualcomm PMH0101"

* tag 'regulator-fix-v7.1-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
  regulator: qcom-rpmh: Fix index for pmh0101 ldo16
DeltaFile
+1-1drivers/regulator/qcom-rpmh-regulator.c
+1-11 files

Linux/linux 51d2484drivers/accel/ivpu ivpu_drv.c, drivers/gpu/drm drm_gem.c

Merge tag 'drm-fixes-2026-05-08-1' of https://gitlab.freedesktop.org/drm/kernel

Pull drm fixes from Dave Airlie:
 "Weekly fixes, lots of them but all pretty small, amdgpu and xe are the
  usual but then a large amount of fixes all over.

  core:
   - fix race condition in handle change ioctl

  fb-helper:
   - fix clipping

  rust:
   - fix unsound initialization
   - fix GEM state cleanup
   - fix wrong ARef import

  ttm:
   - update GPU MM stats on pool shrinking

    [83 lines not shown]
DeltaFile
+38-59drivers/gpu/drm/amd/amdgpu/mes_userqueue.c
+1-32drivers/gpu/drm/amd/amdkfd/kfd_device.c
+4-24drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
+24-1drivers/gpu/drm/drm_gem.c
+16-6rust/kernel/drm/device.rs
+21-0drivers/accel/ivpu/ivpu_drv.c
+104-12238 files not shown
+254-24744 files

Linux/linux 4fd44d4drivers/usb/serial option.c

Merge tag 'usb-serial-7.1-rc3' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-linus

Johan writes:

USB serial device ids for 7.1-rc3

Here are some new modem device ids.

This one has been in linux-next with no reported issues.

* tag 'usb-serial-7.1-rc3' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial:
  USB: serial: option: add Telit Cinterion LE910Cx compositions
DeltaFile
+4-0drivers/usb/serial/option.c
+4-01 files

Linux/linux fa7431edrivers/iommu iommu-pages.h, drivers/iommu/amd init.c amd_iommu_types.h

Merge tag 'iommu-fixes-v7.1-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/iommu/linux

Pull iommu fixes from Joerg Roedel:
 "Core:
   - Cache-flushing fix for non-x86 platforms

  AMD-Vi:
   - Security fix when SEV-SNP is enabled
   - Operator precedence fix in DTE setting"

* tag 'iommu-fixes-v7.1-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/iommu/linux:
  iommu/amd: Fix precedence order in set_dte_passthrough()
  iommu/pages: Fix iommu_pages_flush_incoherent() for non-x86
  iommu/amd: Use maximum PPR log buffer size when SNP is enabled on Family 0x19
  iommu/amd: Use maximum Event log buffer size when SNP is enabled on Family 0x19
DeltaFile
+93-40drivers/iommu/amd/init.c
+13-8drivers/iommu/amd/amd_iommu_types.h
+5-3drivers/iommu/amd/ppr.c
+3-2drivers/iommu/amd/iommu.c
+3-0drivers/iommu/amd/amd_iommu.h
+1-1drivers/iommu/iommu-pages.h
+118-546 files

Linux/linux f7700a4drivers/block ublk_drv.c

ublk: fix use-after-free in ublk_cancel_cmd()

When ublk_reset_ch_dev() clears io->cmd via ublk_queue_reinit()
concurrently with ublk_cancel_cmd(), ublk_cancel_cmd() can read a
stale pointer and pass it to io_uring_cmd_done(), causing a
use-after-free.

Fix by synchronizing the two paths with ubq->cancel_lock:

- ublk_cancel_cmd(): read and clear io->cmd under cancel_lock,
  then call io_uring_cmd_done() on the saved local copy outside
  the lock.

- ublk_reset_ch_dev(): hold cancel_lock across ublk_queue_reinit()
  so that io->cmd and io->flags are cleared atomically with respect
  to ublk_cancel_cmd().

Fixes: 216c8f5ef0f2 ("ublk: replace monitor with cancelable uring_cmd")
Signed-off-by: Ming Lei <tom.leiming at gmail.com>

    [2 lines not shown]
DeltaFile
+15-5drivers/block/ublk_drv.c
+15-51 files

Linux/linux 5e28b7bdrivers/gpu/drm drm_gem.c

drm: Set old handle to NULL before prime swap in change_handle

There was a potential race condition in change_handle. The ioctl
briefly had a single object with two idr entries; a concurrent
gem_close could delete the object and remove one of the handles
while leaving the other one dangling, which could subsequently
be dereferenced for a use-after-free.

To fix this, do the same dance that gem_close itself does.
(f6cd7daecff5 drm: Release driver references to handle before making it available again)
First idr_replace the old handle to NULL. Later, if the prime
operations are successful, actually close it.

create_tail required a similar dance to avoid a similar problem.
(bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail())
It idr_allocs the new handle with NULL, then swaps in the correct
object later to avoid races. We don't need to do that here, since
the only operations that could race are drm_prime, and
change_handle holds the prime lock for the entire duration.

    [12 lines not shown]
DeltaFile
+24-1drivers/gpu/drm/drm_gem.c
+24-11 files

Linux/linux d8a7029drivers/gpu/drm/amd/amdgpu mes_userqueue.c amdgpu_userq_fence.c, drivers/gpu/drm/amd/amdkfd kfd_device.c

Merge tag 'amd-drm-fixes-7.1-2026-05-06' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes

amd-drm-fixes-7.1-2026-05-06:

amdgpu:
- GFX9 fixes
- Hawaii SMU fixes
- SDMA4 fix
- GART fix
- Userq fixes

amdkfd:
- GPUVM TLB flush fix
- Hotplug fix

radeon:
- Hawaii SMU fixes

Signed-off-by: Dave Airlie <airlied at redhat.com>

    [3 lines not shown]
DeltaFile
+38-59drivers/gpu/drm/amd/amdgpu/mes_userqueue.c
+1-32drivers/gpu/drm/amd/amdkfd/kfd_device.c
+4-24drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
+7-6drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
+10-3drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c
+3-10drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+63-1348 files not shown
+81-15514 files

Linux/linux 765e717drivers/accel/ivpu ivpu_drv.c, drivers/gpu/drm/etnaviv etnaviv_sched.c

Merge tag 'drm-misc-fixes-2026-05-07' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes

Short summary of fixes pull:

bochs:
- fix managed cleanup

bridge:
- tda998x: fix sparse warnings on type correctness

etnaviv:
- schedule armed jobs

exynos:
- managed bridge cleanup

fb-helper:
- fix clipping


    [29 lines not shown]
DeltaFile
+21-0drivers/accel/ivpu/ivpu_drv.c
+12-6drivers/gpu/drm/ttm/ttm_pool.c
+5-13drivers/gpu/drm/nouveau/nvkm/subdev/gsp/tu102.c
+9-7drivers/gpu/drm/etnaviv/etnaviv_sched.c
+9-2drivers/gpu/drm/nouveau/nvkm/engine/device/base.c
+3-7drivers/gpu/drm/tiny/bochs.c
+59-3512 files not shown
+87-5618 files