tpm: Make the TPM character devices non-seekable
The TPM character devices expose a sequential command/response
interface, but their open handlers leave FMODE_PREAD and FMODE_PWRITE
enabled.
After a command leaves a response pending, pread(fd, buf, 16, 0x1400)
passes 0x1400 as *off to tpm_common_read(). The transfer length is
bounded by response_length, but the offset is used unchecked when
forming data_buffer + *off. A sufficiently large offset therefore causes
an out-of-bounds heap read through copy_to_user() and, if the copy
succeeds, an out-of-bounds zero-write through the following memset().
Positional I/O does not provide coherent semantics for this interface.
An arbitrary pread offset cannot represent how much of a response has
been consumed sequentially. The write callback always stores a command
at the start of data_buffer, while pwrite() does not update file->f_pos
and can leave the sequential read cursor stale.
[21 lines not shown]
Merge tag 'staging-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
Pull staging driver fixes from Greg KH:
"Here are some staging driver fixes for 7.2-rc3 for some reported bugs
in the vme_user and rtl8723bs drivers. These include:
- many rtl8723bs OOB fixes for when connecting to "bad" wifi hosts
- vme_user bugfixes to correctly validate some user-provided data
All of these have been in linux-next for a while with no reported
issues"
* tag 'staging-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
staging: rtl8723bs: fix OOB reads in rtw_get_sec_ie(), rtw_get_wapi_ie(), and rtw_get_wps_attr()
staging: rtl8723bs: fix OOB reads in is_ap_in_tkip() IE loop
staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop
staging: rtl8723bs: fix OOB write in HT_caps_handler()
staging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie()
[7 lines not shown]
Merge tag 'char-misc-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
Pull Android/IIO fixes from Greg KH:
"Here is a set of bugfixes for 7.2-rc3 that resolve a bunch of reported
issues in just the binder and iio codebases. Included in here are:
- binder driver bugfixes for both the rust and c versions for
reported problems
- lots and lots of iio driver bugfixes for lots of reported issues
(including a hid sensor driver bugfix)
Full details are in the shortlog, all of these have been in linux-next
with no reported issues"
* tag 'char-misc-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (36 commits)
iio: event: Fix event FIFO reset race
iio: imu: inv_icm42600: fix timestamp clock period by using lower value
iio: light: al3010: fix incorrect scale for the highest gain range
[18 lines not shown]
Merge tag 'tty-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
Pull tty/serial fixes from Greg KH:
"Here are some small tty/serial/vt fixes for 7.2-rc3 that resolve some
reported problems. Included in here are:
- vt spurious modifier issue that showed up in -rc1 (reported a
bunch)
- 8250 driver bugfixes
- msm serial driver bugfix
- max310x serial driver bugfix
All of these have been in linux-next with no reported issues"
* tag 'tty-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
serial: 8250: Ignore flow control on suspend/resume with no_console_suspend
[5 lines not shown]
Merge tag 'usb-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
Pull USB fixes from Greg KH:
"Here are a number of small USB driver fixes for many reported issues.
Included in here are:
- usb serial driver corruption and use-after-free fixes
- usb gadget rndis bugfixes for malicious/buggy host connections
- typec driver fixes for a load of different tiny reported issues
- typec mux driver revert for a broken patch in -rc1
- usb gadget driver fixes for many different reported problems
- new usb device quirks added
- usbip tool fixes and some core usbip fixes as well
[31 lines not shown]
Merge tag 's390-7.2-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
Pull s390 fixes from Vasily Gorbik:
- Fix missing array_index_nospec() call in diag310 memory topology code
to prevent speculative execution with a user controlled array index
- Fix get_align_mask() return type to match vm_unmapped_area_info
align_mask, avoiding possible truncation for future larger masks
- Remove empty zcrypt CEX2 files left over after CEX2 and CEX3 driver
removal
- Add build salt to the vDSO so it gets a unique build id, similar to
the kernel and modules
* tag 's390-7.2-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
s390: Add build salt to the vDSO
s390/zcrypt: Remove the empty file
[2 lines not shown]
Merge tag 'riscv-for-linus-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux
Pull RISC-V fixes from Paul Walmsley:
"The most notable change involves the rseq kselftest common Makefile
(as it is not RISC-V-specific). The basic approach in the patch
appears similar to one used in the KVM and S390 selftests (grep for
LINUX_TOOL_ARCH_INCLUDE and SUBARCH), and the rseq kselftests pass a
quick build test on x86 after this.
- Avoid a null pointer deference in machine_kexec_prepare() that the
IMA subsystem can trigger
- Bypass libc in part of the ptrace_v_not_enabled kselftest to avoid
noise from child atfork handlers that libc might run
- Include Kconfig support for UltraRISC SoCs, already referenced by
some device drivers; and enable it in our defconfig
- Fix the build of the rseq kselftest for RISC-V by borrowing a
[17 lines not shown]
Merge tag 'm68knommu-fixes-on-top-off-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu
Pull m68knommu fix from Greg Ungerer:
"Fix incorrectly updated local SoC IO access function names.
Testing didn't pick them up because there was no specific defconfig
for these particular SoC parts. New defconfigs will be introduced in
the next merge cycle to remedy that"
* tag 'm68knommu-fixes-on-top-off-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu:
m68k: coldfire: fix breakage of missed IO access updates
Merge tag 'trace-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
Pull tracing fixes from Steven Rostedt:
- Free field in error path of synthetic event parse
In __create_synth_event() the field was allocated but was not freed
in the error path
- Fix ring_buffer_event_length() on 8 byte aligned architectures
On architectures with CONFIG_HAVE_64BIT_ALIGNED_ACCESS set to y, the
ring_buffer_event_length() may return the wrong size. This is because
archs with that config set will always use the "big event meta
header" as that is 8 bytes keeping the payload 8 bytes aligned, even
when a 4 byte header could hold the size of the event
But ring_buffer_event_length() doesn't take this into account and
only subtracts 4 bytes for the meta header in the length when it
[142 lines not shown]
Merge tag 'input-for-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
Pull input fixes from Dmitry Torokhov:
- fix MELFAS MMS114 touchscreen driver to reject invalid touch IDs and
avoid multi-touch slot corruption
- fix a crash in the Sega Dreamcast (Maple) mouse driver when opening
the device, caused by missing driver data
- fixes for Maple drivers (keyboard, mouse, joystick) to properly order
setting driver data and device registration to avoid races
* tag 'input-for-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
Input: mms114 - fix multi-touch slot corruption
Input: maple_keyb - set driver data before registering input device
Input: maplecontrol - set driver data before registering input device
Input: maplemouse - set driver data before registering input device
Input: maplemouse - fix NULL pointer dereference in open()
Merge tag 'for-7.2/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
Pull device mapper fixes from Mikulas Patocka:
- dm-log: fix overflow on 32-bit machines
- dm-era: fix out of bounds memory access; fix crashes on invalid args
- dm-verity: fix buffer overflow in forward error correction
- dm-thin: fix misbehavior on I/O failures
- dm-pcache: fix NULL pointer dereference on invalid arguments
- dm-inlinecrypt: fix memory leak on error handling
- dm-integrity: fix ignoring the 'fix_hmac' option on device open
- dm: don't store the keyring in memory for a long term
[25 lines not shown]
Merge tag 'perf-urgent-2026-07-11' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull perf events fixes from Ingo Molnar:
- Fix SVM #GP on AMD CPUs that LBR but not BRS (Sandipan Das)
- Fix UAF bug in the perf AUX code (Lee Jia Jie)
- Fix address leakage in the AMD LBR code (Sandipan Das)
- Fix address leakage in the AMD BRS code (Sandipan Das)
* tag 'perf-urgent-2026-07-11' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
perf/x86/amd/brs: Fix kernel address leakage
perf/x86/amd/lbr: Fix kernel address leakage
perf/aux: Fix page UAF in map_range()
perf/x86/amd/core: Avoid enabling BRS from the SVM reload path
Merge tag 'x86-urgent-2026-07-11' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull x86 fixes from Ingo Molnar:
- Fix resctrl resource leak (Tony Luck)
- Fix resctrl umount race (Tony Luck)
- Fix resctrl double-free (Reinette Chatre)
- Fix x86 VGA display fallback logic during bootup on
certain multi-GPU systems (Mario Limonciello)
- Re-add a WBINVD call to the SNP bootstrap path to
fix an SNP regression (Tycho Andersen)
* tag 'x86-urgent-2026-07-11' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86/virt/sev: Revert "Drop WBINVD before setting MSR_AMD64_SYSCFG_SNP_EN"
x86/video: Only fall back to vga_default_device() without screen info
[3 lines not shown]
Merge tag 'timers-urgent-2026-07-11' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull timer fix from Ingo Molnar:
- Fix a subtle posix-cpu-timers vs. exec() race, which
unearthed other races in the area (Thomas Gleixner)
* tag 'timers-urgent-2026-07-11' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
posix-cpu-timers: Prevent UAF caused by non-leader exec() race
Merge tag 'block-7.2-20260710' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux
Pull block fixes from Jens Axboe:
- Limit blk_hctx_poll() to one jiffy. Prevents buggy drivers from
spinning for too long, hence triggering a stalled RCU read section
warning
- Avoid a potential deadlock on zone revalidation failure, which could
otherwise trigger a lockdep circular locking splat during a SCSI disk
rescan
- Remove a redundant GD_NEED_PART_SCAN set in add_disk_final()
- Make writes to queue/wbt_lat_usec honor the WBT enable state
- ublk fix to snapshot the batch commands before preparing IO, so that
userspace can't change an already processed tag and trip the
WARN_ON_ONCE() in the rollback path
[13 lines not shown]
Merge tag 'io_uring-7.2-20260710' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux
Pull io_uring fixes from Jens Axboe:
- Restore full RCU read section in io_req_local_work_add(), which was
mistakenly dropped with the DEFER_TASKRUN rework in this merge
window. Revert the commit that grabbed the RCU read lock in
io_ctx_mark_taskrun(), as that's no longer required with the previous
fix.
- Fix a dangling iovec after a provided-buffer bundle grow failure,
also an issue introduced in this merge window.
- Reject IORING_CQE_F_32 flag pass-through in MSG_RING to rings that
weren't setup with CQE32 or CQE_MIXED.
- Return -EINVAL rather than -ENOMEM from get_unmapped_area() when mmap
validation fails, matching io_uring_mmap().
[7 lines not shown]
dm thin metadata: fix superblock refcount leak on snapshot shadow failure
__reserve_metadata_snap() increments THIN_SUPERBLOCK_LOCATION in the
metadata space map before shadowing it. When dm_tm_shadow_block()
fails, a reference is leaked in the metadata space map.
Fix by adding the missing dm_sm_dec_block().
Signed-off-by: Genjian Zhang <zhanggenjian at kylinos.cn>
Signed-off-by: Mikulas Patocka <mpatocka at redhat.com>
Fixes: cc8394d86f04 ("dm thin: provide userspace access to pool metadata")
Cc: stable at vger.kernel.org
perf/x86/amd/brs: Fix kernel address leakage
A user-only branch stack can contain branches that originate from
the kernel. As a result, kernel addresses are exposed to user space
even when PERF_SAMPLE_BRANCH_USER is requested. On AMD processors
supporting X86_FEATURE_BRS (Zen 3 only), perf can still report entries
such as SYSRET/interrupt returns for which the branch-from addresses
are in the kernel.
E.g.
$ perf record -j any,u -c 4000 -e branch-brs -o - -- \
perf bench syscall basic --loop 1000 | \
perf script -i - -F brstack|tr ' ' '\n'| \
grep -E '0x[89a-f][0-9a-f]{15}'
...
0xffffffff810001c4/0x72e2e32955eb/-/-/-/0//-
0xffffffff810001c4/0x72e2d94a9821/-/-/-/0//-
[21 lines not shown]
Input: mms114 - fix multi-touch slot corruption
If the touchscreen controller reports a touch ID of 0, the driver
calculates the slot ID as touch->id - 1, which underflows to UINT_MAX.
This is passed to input_mt_slot() as -1.
Since the input core ignores negative slot values, the active slot remains
unchanged. The driver then reports the touch coordinates for the previously
active slot, corrupting its state.
Fix this by rejecting touch reports with ID 0.
Fixes: 07b8481d4aff ("Input: add MELFAS mms114 touchscreen driver")
Cc: stable at vger.kernel.org
Reported-by: sashiko-bot at kernel.org
Assisted-by: Antigravity:gemini-3.5-flash
Link: https://patch.msgid.link/20260704060115.353049-1-dmitry.torokhov@gmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov at gmail.com>
Merge tag 'regulator-fix-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator
Pull regulator fixes from Mark Brown:
"A couple of straightforward fixes for device loading, plus a fix for
the core support for keeping multiple regulators with voltages close
to each other that was sadly introduced due to one of the more
beautiful corners of our API design"
* tag 'regulator-fix-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
regulator: core: regulator_lock_two() should test for EDEADLK not EDEADLOCK
regulator: mt6363: add missing MODULE_DEVICE_TABLE()
regulator: mt6316: add missing MODULE_DEVICE_TABLE()
Merge tag 'audit-pr-20260710' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit
Pull audit fixes from Paul Moore:
"Two relatively small audit patches to fix potential data races with
the main audit backlog queue as well as possible integer overflows
when logging data as hex strings"
* tag 'audit-pr-20260710' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
audit: fix potential integer overflow in audit_log_n_hex()
audit: Fix data races of skb_queue_len() readers on audit_queue
Merge tag 'selinux-pr-20260710' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
Pull selinux fixes from Paul Moore:
"Two small SELinux patches to fix a missing permission check for TCP
Fast Open operations and fix a socket lookup issue with SCTP ASCONF
operations"
* tag 'selinux-pr-20260710' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
selinux: avoid sk_socket dereference in selinux_sctp_bind_connect()
selinux: check connect-related permissions on TCP Fast Open
Merge tag 'ntfs-for-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/ntfs
Pull ntfs fixes from Namjae Jeon:
- fix stale runlist element dereferences in MFT writeback and fallocate
- fix mrec_lock ABBA deadlock in rename
- prevent userspace modification of NTFS system files
- avoid inode eviction/writeback self-deadlocks
- reject malformed resident attributes in non-resident runlist mapping
- avoid post_write_mst_fixup() on invalid index blocks
- fix a hole runlist leak in insert-range error handling
- sanitize directory lookup MFT references from disk
[15 lines not shown]
Merge tag 'nfs-for-7.2-2' of git://git.linux-nfs.org/projects/anna/linux-nfs
Pull NFS client fixes from Anna Schumaker:
- SUNRPC:
- Release lower rpc_clnt if killed waiting for XPRT_LOCKED
- Pin upper rpc_clnt across the TLS connect_worker
- NFS:
- Include MAY_WRITE in open permission mask for O_TRUNC
- Charge unstable writes by request size, not folio size
* tag 'nfs-for-7.2-2' of git://git.linux-nfs.org/projects/anna/linux-nfs:
NFS: Charge unstable writes by request size, not folio size
NFSv4: include MAY_WRITE in open permission mask for O_TRUNC
SUNRPC: pin upper rpc_clnt across the TLS connect_worker
SUNRPC: release lower rpc_clnt if killed waiting for XPRT_LOCKED
Merge tag 'v7.2-rc2-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6
Pull smb client fixes from Steve French:
- DFS cache allocation fix
- DFS referral bounds check fix
- Fix absolute symlinks when mounting with POSIX extensions
- Fixes for incorrect nlink returned by fstat
- Fix atime in read completion
- Fix busy dentry on umount
- ioctl_query_info buffer overflow fix
- Two fixes for creating special files with SFU
- Fix mode mask in parse_dacl
- SMB1 is_path_accessible wildcard fix and minor SMB1 cleanup
- smb2_check_message fix
- Debug message improvement
- Minor cleanup
* tag 'v7.2-rc2-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
cifs: Remove CIFSSMBSetPathInfoFB() fallback function
[17 lines not shown]
tracing/remotes: Fix leak in trace_remote_alloc_buffer() error path
If page allocation fails in trace_remote_alloc_buffer(), desc->nr_cpus
is not yet incremented for the current CPU. As a consequence, on error,
half-allocated rb_desc will not be freed in trace_remote_free_buffer().
Increment desc->nr_cpus as soon as the first allocation for the current
CPU has succeeded.
Link: https://patch.msgid.link/20260709160017.1729517-2-vdonnefort@google.com
Fixes: 96e43537af54 ("tracing: Introduce trace remotes")
Reported-by: Sashiko <sashiko-bot at kernel.org>
Signed-off-by: Vincent Donnefort <vdonnefort at google.com>
Signed-off-by: Steven Rostedt <rostedt at goodmis.org>
ring-buffer: Allow sparse CPU masks in ring_buffer_desc()
No user currently relies on sparse CPU masks, but the descriptor logic already
supports them via linear fallback. Remove the arbitrary limitation.
Link: https://patch.msgid.link/20260709160017.1729517-4-vdonnefort@google.com
Fixes: 2e67fabd8b77 ("ring-buffer: Introduce ring-buffer remotes")
Reported-by: Sashiko <sashiko-bot at kernel.org>
Signed-off-by: Vincent Donnefort <vdonnefort at google.com>
Signed-off-by: Steven Rostedt <rostedt at goodmis.org>
tracing/remotes: Fix struct_len in trace_remote_alloc_buffer()
Pre-calculate desc->struct_len up-front in trace_remote_alloc_buffer()
with trace_buffer_desc_size() to fix double-counting.
While at it, use the accessor __first_ring_buffer_desc().
Link: https://patch.msgid.link/20260709160017.1729517-3-vdonnefort@google.com
Fixes: 96e43537af54 ("tracing: Introduce trace remotes")
Reported-by: Sashiko <sashiko-bot at kernel.org>
Signed-off-by: Vincent Donnefort <vdonnefort at google.com>
Signed-off-by: Steven Rostedt <rostedt at goodmis.org>
Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
Pull arm64 fixes from Will Deacon:
- Fix crash when using SMT hotplug on ACPI systems in conjunction with
maxcpus=
- Fix 30% kswapd performance regression introduced by C1-Pro SME
erratum workaround
- Fix TLB over-invalidation regression during memory hotplug
- Fix incorrect encoding of FEAT_BWE2 value in ID_AA64DFR2_EL1.BWE
- Typo fixes in the arm64 selftests
* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
selftests/arm64: fix spelling errors in comments
arm64/sysreg: Fix BWE field encoding in ID_AA64DFR2_EL1
[4 lines not shown]