Linux/linux 44696aadrivers/input/joystick maplecontrol.c, drivers/input/keyboard maple_keyb.c

Merge tag 'input-for-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input

Pull input fixes from Dmitry Torokhov:

 - fix MELFAS MMS114 touchscreen driver to reject invalid touch IDs and
   avoid multi-touch slot corruption

 - fix a crash in the Sega Dreamcast (Maple) mouse driver when opening
   the device, caused by missing driver data

 - fixes for Maple drivers (keyboard, mouse, joystick) to properly order
   setting driver data and device registration to avoid races

* tag 'input-for-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: mms114 - fix multi-touch slot corruption
  Input: maple_keyb - set driver data before registering input device
  Input: maplecontrol - set driver data before registering input device
  Input: maplemouse - set driver data before registering input device
  Input: maplemouse - fix NULL pointer dereference in open()
DeltaFile
+6-3drivers/input/mouse/maplemouse.c
+2-2drivers/input/keyboard/maple_keyb.c
+2-1drivers/input/joystick/maplecontrol.c
+1-1drivers/input/touchscreen/mms114.c
+11-74 files

Linux/linux 59dee6ddrivers/md dm-thin-metadata.c dm-integrity.c

Merge tag 'for-7.2/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm

Pull device mapper fixes from Mikulas Patocka:

 - dm-log: fix overflow on 32-bit machines

 - dm-era: fix out of bounds memory access; fix crashes on invalid args

 - dm-verity: fix buffer overflow in forward error correction

 - dm-thin: fix misbehavior on I/O failures

 - dm-pcache: fix NULL pointer dereference on invalid arguments

 - dm-inlinecrypt: fix memory leak on error handling

 - dm-integrity: fix ignoring the 'fix_hmac' option on device open

 - dm: don't store the keyring in memory for a long term

    [25 lines not shown]
DeltaFile
+21-46drivers/md/dm-thin-metadata.c
+18-8drivers/md/dm-integrity.c
+10-6drivers/md/dm-verity-target.c
+10-6drivers/md/dm-era-target.c
+10-1drivers/md/dm.c
+4-6drivers/md/dm-stats.c
+73-739 files not shown
+97-8215 files

Linux/linux cab9e33arch/x86/events/amd core.c brs.c, kernel/events core.c

Merge tag 'perf-urgent-2026-07-11' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull perf events fixes from Ingo Molnar:

 - Fix SVM #GP on AMD CPUs that LBR but not BRS (Sandipan Das)

 - Fix UAF bug in the perf AUX code (Lee Jia Jie)

 - Fix address leakage in the AMD LBR code (Sandipan Das)

 - Fix address leakage in the AMD BRS code (Sandipan Das)

* tag 'perf-urgent-2026-07-11' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  perf/x86/amd/brs: Fix kernel address leakage
  perf/x86/amd/lbr: Fix kernel address leakage
  perf/aux: Fix page UAF in map_range()
  perf/x86/amd/core: Avoid enabling BRS from the SVM reload path
DeltaFile
+8-4arch/x86/events/amd/core.c
+5-5arch/x86/events/amd/brs.c
+2-1arch/x86/events/amd/lbr.c
+2-0kernel/events/core.c
+17-104 files

Linux/linux b37fa0darch/x86/video video-common.c, arch/x86/virt/svm sev.c

Merge tag 'x86-urgent-2026-07-11' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull x86 fixes from Ingo Molnar:

 - Fix resctrl resource leak (Tony Luck)

 - Fix resctrl umount race (Tony Luck)

 - Fix resctrl double-free (Reinette Chatre)

 - Fix x86 VGA display fallback logic during bootup on
   certain multi-GPU systems (Mario Limonciello)

 - Re-add a WBINVD call to the SNP bootstrap path to
   fix an SNP regression (Tycho Andersen)

* tag 'x86-urgent-2026-07-11' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/virt/sev: Revert "Drop WBINVD before setting MSR_AMD64_SYSCFG_SNP_EN"
  x86/video: Only fall back to vga_default_device() without screen info

    [3 lines not shown]
DeltaFile
+26-7fs/resctrl/rdtgroup.c
+14-9arch/x86/video/video-common.c
+2-0arch/x86/virt/svm/sev.c
+42-163 files

Linux/linux 767707akernel signal.c exit.c, kernel/time posix-cpu-timers.c

Merge tag 'timers-urgent-2026-07-11' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull timer fix from Ingo Molnar:

 - Fix a subtle posix-cpu-timers vs. exec() race, which
   unearthed other races in the area (Thomas Gleixner)

* tag 'timers-urgent-2026-07-11' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  posix-cpu-timers: Prevent UAF caused by non-leader exec() race
DeltaFile
+115-58kernel/time/posix-cpu-timers.c
+9-1kernel/signal.c
+6-1kernel/exit.c
+130-603 files

Linux/linux 64d9ca4block blk-zoned.c blk-wbt.c, drivers/block ublk_drv.c xen-blkfront.c

Merge tag 'block-7.2-20260710' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux

Pull block fixes from Jens Axboe:

 - Limit blk_hctx_poll() to one jiffy. Prevents buggy drivers from
   spinning for too long, hence triggering a stalled RCU read section
   warning

 - Avoid a potential deadlock on zone revalidation failure, which could
   otherwise trigger a lockdep circular locking splat during a SCSI disk
   rescan

 - Remove a redundant GD_NEED_PART_SCAN set in add_disk_final()

 - Make writes to queue/wbt_lat_usec honor the WBT enable state

 - ublk fix to snapshot the batch commands before preparing IO, so that
   userspace can't change an already processed tag and trip the
   WARN_ON_ONCE() in the rollback path

    [13 lines not shown]
DeltaFile
+28-14block/blk-zoned.c
+20-1block/blk-wbt.c
+12-1drivers/block/ublk_drv.c
+9-0drivers/block/xen-blkfront.c
+1-5block/genhd.c
+5-0drivers/block/drbd/drbd_receiver.c
+75-212 files not shown
+79-248 files

Linux/linux 596d603io_uring msg_ring.c tw.c

Merge tag 'io_uring-7.2-20260710' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux

Pull io_uring fixes from Jens Axboe:

 - Restore full RCU read section in io_req_local_work_add(), which was
   mistakenly dropped with the DEFER_TASKRUN rework in this merge
   window. Revert the commit that grabbed the RCU read lock in
   io_ctx_mark_taskrun(), as that's no longer required with the previous
   fix.

 - Fix a dangling iovec after a provided-buffer bundle grow failure,
   also an issue introduced in this merge window.

 - Reject IORING_CQE_F_32 flag pass-through in MSG_RING to rings that
   weren't setup with CQE32 or CQE_MIXED.

 - Return -EINVAL rather than -ENOMEM from get_unmapped_area() when mmap
   validation fails, matching io_uring_mmap().


    [7 lines not shown]
DeltaFile
+27-7io_uring/msg_ring.c
+7-4io_uring/tw.c
+3-2io_uring/kbuf.c
+2-2io_uring/uring_cmd.c
+1-1io_uring/memmap.c
+40-165 files

Linux/linux 4b22d08drivers/md dm-thin-metadata.c

dm thin metadata: fix superblock refcount leak on snapshot shadow failure

__reserve_metadata_snap() increments THIN_SUPERBLOCK_LOCATION in the
metadata space map before shadowing it. When dm_tm_shadow_block()
fails, a reference is leaked in the metadata space map.

Fix by adding the missing dm_sm_dec_block().

Signed-off-by: Genjian Zhang <zhanggenjian at kylinos.cn>
Signed-off-by: Mikulas Patocka <mpatocka at redhat.com>
Fixes: cc8394d86f04 ("dm thin: provide userspace access to pool metadata")
Cc: stable at vger.kernel.org
DeltaFile
+3-1drivers/md/dm-thin-metadata.c
+3-11 files

Linux/linux 47915e8arch/x86/events/amd brs.c

perf/x86/amd/brs: Fix kernel address leakage

A user-only branch stack can contain branches that originate from
the kernel. As a result, kernel addresses are exposed to user space
even when PERF_SAMPLE_BRANCH_USER is requested. On AMD processors
supporting X86_FEATURE_BRS (Zen 3 only), perf can still report entries
such as SYSRET/interrupt returns for which the branch-from addresses
are in the kernel.

E.g.

  $ perf record -j any,u -c 4000 -e branch-brs -o - -- \
        perf bench syscall basic --loop 1000 | \
        perf script -i - -F brstack|tr ' ' '\n'| \
        grep -E '0x[89a-f][0-9a-f]{15}'

  ...
  0xffffffff810001c4/0x72e2e32955eb/-/-/-/0//-
  0xffffffff810001c4/0x72e2d94a9821/-/-/-/0//-

    [21 lines not shown]
DeltaFile
+5-5arch/x86/events/amd/brs.c
+5-51 files

Linux/linux adea84edrivers/input/touchscreen mms114.c

Input: mms114 - fix multi-touch slot corruption

If the touchscreen controller reports a touch ID of 0, the driver
calculates the slot ID as touch->id - 1, which underflows to UINT_MAX.
This is passed to input_mt_slot() as -1.

Since the input core ignores negative slot values, the active slot remains
unchanged. The driver then reports the touch coordinates for the previously
active slot, corrupting its state.

Fix this by rejecting touch reports with ID 0.

Fixes: 07b8481d4aff ("Input: add MELFAS mms114 touchscreen driver")
Cc: stable at vger.kernel.org
Reported-by: sashiko-bot at kernel.org
Assisted-by: Antigravity:gemini-3.5-flash
Link: https://patch.msgid.link/20260704060115.353049-1-dmitry.torokhov@gmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov at gmail.com>
DeltaFile
+1-1drivers/input/touchscreen/mms114.c
+1-11 files

Linux/linux dd3210cdrivers/regulator core.c mt6316-regulator.c

Merge tag 'regulator-fix-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator

Pull regulator fixes from Mark Brown:
 "A couple of straightforward fixes for device loading, plus a fix for
  the core support for keeping multiple regulators with voltages close
  to each other that was sadly introduced due to one of the more
  beautiful corners of our API design"

* tag 'regulator-fix-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
  regulator: core: regulator_lock_two() should test for EDEADLK not EDEADLOCK
  regulator: mt6363: add missing MODULE_DEVICE_TABLE()
  regulator: mt6316: add missing MODULE_DEVICE_TABLE()
DeltaFile
+2-2drivers/regulator/core.c
+1-0drivers/regulator/mt6316-regulator.c
+1-0drivers/regulator/mt6363-regulator.c
+4-23 files

Linux/linux bf124bakernel audit.c

Merge tag 'audit-pr-20260710' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit

Pull audit fixes from Paul Moore:
 "Two relatively small audit patches to fix potential data races with
  the main audit backlog queue as well as possible integer overflows
  when logging data as hex strings"

* tag 'audit-pr-20260710' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
  audit: fix potential integer overflow in audit_log_n_hex()
  audit: Fix data races of skb_queue_len() readers on audit_queue
DeltaFile
+14-7kernel/audit.c
+14-71 files

Linux/linux ccce5f6security/selinux hooks.c

Merge tag 'selinux-pr-20260710' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

Pull selinux fixes from Paul Moore:
 "Two small SELinux patches to fix a missing permission check for TCP
  Fast Open operations and fix a socket lookup issue with SCTP ASCONF
  operations"

* tag 'selinux-pr-20260710' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: avoid sk_socket dereference in selinux_sctp_bind_connect()
  selinux: check connect-related permissions on TCP Fast Open
DeltaFile
+28-10security/selinux/hooks.c
+28-101 files

Linux/linux 61c03dffs/ntfs namei.c attrib.c

Merge tag 'ntfs-for-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/ntfs

Pull ntfs fixes from Namjae Jeon:

 - fix stale runlist element dereferences in MFT writeback and fallocate

 - fix mrec_lock ABBA deadlock in rename

 - prevent userspace modification of NTFS system files

 - avoid inode eviction/writeback self-deadlocks

 - reject malformed resident attributes in non-resident runlist mapping

 - avoid post_write_mst_fixup() on invalid index blocks

 - fix a hole runlist leak in insert-range error handling

 - sanitize directory lookup MFT references from disk

    [15 lines not shown]
DeltaFile
+31-31fs/ntfs/namei.c
+24-12fs/ntfs/attrib.c
+16-1fs/ntfs/aops.c
+11-4fs/ntfs/dir.c
+9-0fs/ntfs/inode.c
+9-0fs/ntfs/attrlist.c
+100-482 files not shown
+110-518 files

Linux/linux 58d9f84fs/nfs write.c internal.h, net/sunrpc clnt.c xprtsock.c

Merge tag 'nfs-for-7.2-2' of git://git.linux-nfs.org/projects/anna/linux-nfs

Pull NFS client fixes from Anna Schumaker:

 - SUNRPC:
    - Release lower rpc_clnt if killed waiting for XPRT_LOCKED
    - Pin upper rpc_clnt across the TLS connect_worker

 - NFS:
    - Include MAY_WRITE in open permission mask for O_TRUNC
    - Charge unstable writes by request size, not folio size

* tag 'nfs-for-7.2-2' of git://git.linux-nfs.org/projects/anna/linux-nfs:
  NFS: Charge unstable writes by request size, not folio size
  NFSv4: include MAY_WRITE in open permission mask for O_TRUNC
  SUNRPC: pin upper rpc_clnt across the TLS connect_worker
  SUNRPC: release lower rpc_clnt if killed waiting for XPRT_LOCKED
DeltaFile
+17-2net/sunrpc/clnt.c
+14-2net/sunrpc/xprtsock.c
+8-6fs/nfs/write.c
+7-5fs/nfs/internal.h
+1-1fs/nfs/pnfs_nfs.c
+2-0fs/nfs/dir.c
+49-161 files not shown
+50-167 files

Linux/linux 8eae393fs/smb/client cifssmb.c smb2misc.c

Merge tag 'v7.2-rc2-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6

Pull smb client fixes from Steve French:
 - DFS cache allocation fix
 - DFS referral bounds check fix
 - Fix absolute symlinks when mounting with POSIX extensions
 - Fixes for incorrect nlink returned by fstat
 - Fix atime in read completion
 - Fix busy dentry on umount
 - ioctl_query_info buffer overflow fix
 - Two fixes for creating special files with SFU
 - Fix mode mask in parse_dacl
 - SMB1 is_path_accessible wildcard fix and minor SMB1 cleanup
 - smb2_check_message fix
 - Debug message improvement
 - Minor cleanup

* tag 'v7.2-rc2-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
  cifs: Remove CIFSSMBSetPathInfoFB() fallback function

    [17 lines not shown]
DeltaFile
+0-36fs/smb/client/cifssmb.c
+26-6fs/smb/client/smb2misc.c
+17-11fs/smb/client/smb1ops.c
+14-12fs/smb/client/smb2pdu.c
+8-11fs/smb/client/smb2ops.c
+8-11fs/smb/client/smb2file.c
+73-8714 files not shown
+146-12120 files

Linux/linux d96fcfeDocumentation/arch/arm64 cpu-hotplug.rst, arch/arm64/include/asm tlbflush.h

Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

Pull arm64 fixes from Will Deacon:

 - Fix crash when using SMT hotplug on ACPI systems in conjunction with
   maxcpus=

 - Fix 30% kswapd performance regression introduced by C1-Pro SME
   erratum workaround

 - Fix TLB over-invalidation regression during memory hotplug

 - Fix incorrect encoding of FEAT_BWE2 value in ID_AA64DFR2_EL1.BWE

 - Typo fixes in the arm64 selftests

* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
  selftests/arm64: fix spelling errors in comments
  arm64/sysreg: Fix BWE field encoding in ID_AA64DFR2_EL1

    [4 lines not shown]
DeltaFile
+8-41arch/arm64/include/asm/tlbflush.h
+0-35arch/arm64/kernel/process.c
+14-14arch/arm64/kernel/smp.c
+16-12Documentation/arch/arm64/cpu-hotplug.rst
+9-2arch/arm64/mm/mmu.c
+7-3arch/arm64/kernel/fpsimd.c
+54-1075 files not shown
+61-11811 files

Linux/linux 1f0fe32drivers/platform/x86 asus-armoury.h bitland-mifs-wmi.c, drivers/platform/x86/amd/pmc pmc.c

Merge tag 'platform-drivers-x86-v7.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86

Pull x86 platform driver fixes from Ilpo Järvinen:

 - amd/pmc:
    - Use correct IP block table for AMD 1Ah M80H SoC
    - Avoid logging "(null)" for missing DMI values

 - asus-armoury: update power limits for G614PR

 - bitland-mifs-wmi: Fix NULL pointer dereference during suspend/resume

* tag 'platform-drivers-x86-v7.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86:
  platform/x86: amd-pmc: Use correct IP block table for AMD 1Ah M80H SoC
  platform/x86: asus-armoury: update power limits for G614PR
  platform/x86: bitland-mifs-wmi: Fix NULL pointer dereference during suspend/resume
  platform/x86/amd/pmc: Avoid logging "(null)" for DMI values
DeltaFile
+29-7drivers/platform/x86/amd/pmc/pmc.c
+5-5drivers/platform/x86/asus-armoury.h
+8-0drivers/platform/x86/bitland-mifs-wmi.c
+42-123 files

Linux/linux 386df1adrivers/md dm-stats.c

dm-stats: fix dm_jiffies_to_msec64

There were wrong calculations in dm_jiffies_to_msec64 that produced
incorrect output when HZ was different from 1000. This commit fixes them.

Signed-off-by: Mikulas Patocka <mpatocka at redhat.com>
Assisted-by: Claude:claude-opus-4-6
Fixes: fd2ed4d25270 ("dm: add statistics support")
Cc: stable at vger.kernel.org
DeltaFile
+2-2drivers/md/dm-stats.c
+2-21 files

Linux/linux 1917eb2drivers/md dm-stats.c

dm-stats: fix merge accounting

There were wrong parentheses when setting stats_aux->merged, so that
merging was never properly accounted. This commit fixes it.

Signed-off-by: Mikulas Patocka <mpatocka at redhat.com>
Assisted-by: Claude:claude-opus-4-6
Fixes: fd2ed4d25270 ("dm: add statistics support")
Cc: stable at vger.kernel.org
DeltaFile
+2-4drivers/md/dm-stats.c
+2-41 files

Linux/linux 422f1d4drivers/md dm-bufio.c

dm-bufio: fix wrong count calculation in dm_bufio_issue_discard

block_to_sector converts a block number to a sector number and adds
c->start to the result. It is inappropriate to use this function for
converting the number of blocks to a number to sectors because c->start
would be incorrectly added to the result.

Luckily, the only target that uses dm_bufio_issue_discard is dm-ebs,
which sets c->start to 0, so this bug is latent.

Signed-off-by: Mikulas Patocka <mpatocka at redhat.com>
Assisted-by: Claude:claude-opus-4-6
Fixes: 6fbeb0048e6b ("dm bufio: implement discard")
Cc: stable at vger.kernel.org
DeltaFile
+3-1drivers/md/dm-bufio.c
+3-11 files

Linux/linux f827c27drivers/gpio gpio-dwapb.c gpio-shared-proxy.c, tools/testing/selftests/gpio .gitignore

Merge tag 'gpio-fixes-for-v7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux

Pull gpio fixes from Bartosz Golaszewski:

 - provide the missing .get_direction() callback in gpio-palmas

 - fix interrupt handling in gpio-dwapb

 - add a GPIO self-test program binary to .gitignore

 - fix a resource leak in gpio-mvebu

 - make the GPIO sharing heuristic more adaptable

* tag 'gpio-fixes-for-v7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux:
  gpio: mvebu: free generic chips on unbind
  selftests: gpio: add gpio-cdev-uaf to .gitignore
  gpio: dwapb: Mask interrupts at hardware initialization
  gpio: dwapb: Defer clock gating until noirq

    [2 lines not shown]
DeltaFile
+86-14drivers/gpio/gpio-dwapb.c
+32-34drivers/gpio/gpio-shared-proxy.c
+19-0drivers/gpio/gpio-palmas.c
+2-1drivers/gpio/gpiolib-shared.h
+1-0drivers/gpio/gpio-mvebu.c
+1-0tools/testing/selftests/gpio/.gitignore
+141-496 files

Linux/linux 8f964d9drivers/ata libata-core.c

Merge tag 'ata-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux

Pull ata fixes from Damien Le Moal:

 - Fix handling of security locked drive revalidation. This prevents
   such drives from being dropped when locked on resume (Terrence)

* tag 'ata-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux:
  ata: libata-core: Allow capacity transition to zero for locked drives
  ata: libata-core: Skip HPA resize for locked drives
DeltaFile
+2-2drivers/ata/libata-core.c
+2-21 files

Linux/linux ba0b7c6drivers/accel/amdxdna amdxdna_ctx.c amdxdna_gem.c, drivers/gpu buddy.c

Merge tag 'drm-fixes-2026-07-10' of https://gitlab.freedesktop.org/drm/kernel

Pull drm fixes from Dave Airlie:
 "Weekly fixes pull for drm, amdgpu, amdxdna, xe leading the way, some
  small core fixes and a nouveau stability fix along with some minor
  changes in other drivers.

  Seems to be a bit quiter than last week at least.

  fb-helper:
   - Sync on first active crtc in fb_dirty, rather than first crtc

  drm_exec:
   - Use direct label in drm_exec

  buddy:
   - Rework try_harder in the buddy allocator

  i915:

    [65 lines not shown]
DeltaFile
+91-1drivers/gpu/drm/drm_fb_helper.c
+46-21drivers/gpu/buddy.c
+43-13drivers/accel/amdxdna/amdxdna_ctx.c
+36-14drivers/accel/amdxdna/amdxdna_gem.c
+22-15drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
+18-16include/drm/drm_exec.h
+256-8036 files not shown
+486-20442 files

Linux/linux 181bb9cblock genhd.c

block: remove redundant GD_NEED_PART_SCAN in add_disk_final()

add_disk_final() sets GD_NEED_PART_SCAN before calling bdev_add(),
then calls disk_scan_partitions() which sets the flag itself. The
early set is redundant and introduces a race.

Between bdev_add() and disk_scan_partitions(), concurrent openers
(multipathd, blkid, LVM) see the flag in blkdev_get_whole() and
trigger bdev_disk_changed(). When disk_scan_partitions() then runs,
it calls bdev_disk_changed() again, dropping the partitions the
concurrent opener already created before re-adding them, which can
result in transient partition disappearances.

The race is observable by inserting an msleep() between bdev_add()
and disk_scan_partitions() while running concurrent open() calls
during device bind. Without artificial delay, it manifests under
scheduling pressure during boot on systems with aggressive device
scanners (multipathd, systemd-udevd).


    [17 lines not shown]
DeltaFile
+0-4block/genhd.c
+0-41 files

Linux/linux 2a89229arch/x86/events/amd lbr.c

perf/x86/amd/lbr: Fix kernel address leakage

A user-only branch stack can contain branches that originate from
the kernel. As a result, kernel addresses are exposed to user space
even when PERF_SAMPLE_BRANCH_USER is requested. On AMD processors
supporting X86_FEATURE_AMD_LBR_V2, perf can still report SYSRET/ERET
entries for which the branch-from addresses are in the kernel.

E.g.

  $ perf record -e cycles -o - -j any,save_type,u -- \
        perf bench syscall basic --loop 1000 | \
        perf script -i - -F brstack|tr ' ' '\n'| \
        grep -E '0x[89a-f][0-9a-f]{15}'

  ...
  0xffffffff81001268/0x717a90a38f1a/M/-/-/0/ERET/NON_SPEC_CORRECT_PATH
  0xffffffff81001268/0x717a90a39157/M/-/-/0/ERET/NON_SPEC_CORRECT_PATH
  0xffffffff81001268/0x717a90a2c628/M/-/-/0/ERET/NON_SPEC_CORRECT_PATH

    [20 lines not shown]
DeltaFile
+2-1arch/x86/events/amd/lbr.c
+2-11 files

Linux/linux bd910a7drivers/block/drbd drbd_receiver.c

drbd: reject data replies with an out-of-range payload size

recv_dless_read() receives a P_DATA_REPLY from a peer into the bio of an
outstanding read request. The peer-supplied payload length reaches it as
the signed int data_size, and two peer-controlled inputs can make it
negative. With a negotiated data-integrity-alg the digest length is
subtracted first, so a reply whose payload is smaller than the digest
underflows data_size. With no integrity algorithm (the default) data_size
is assigned from the unsigned h95/h100 wire length and drbdd() never
bounds it for a payload-carrying command, so a length above INT_MAX casts
it negative; this path needs no non-default feature. The bio receive loop
then computes expect = min_t(int, data_size, bv_len), which is negative,
and drbd_recv_all_warn(mapped, expect) receives with a size_t of SIZE_MAX
into the first mapped page.

The sibling receive path read_in_block() is not affected: it uses an
unsigned size and rejects it against DRBD_MAX_BIO_SIZE before receiving.
Reject a data reply whose size is negative after the optional digest
subtraction, covering both triggers.

    [15 lines not shown]
DeltaFile
+5-0drivers/block/drbd/drbd_receiver.c
+5-01 files

Linux/linux 8ec4d9cdrivers/md dm-verity-target.c dm-verity.h

dm-verity: make error counter atomic

The error counter "v->corrupted_errs" was not atomic, thus it could be
subject to race conditions. The call to
dm_audit_log_target("max-corrupted-errors") may be skipped due to the
races.

Signed-off-by: Mikulas Patocka <mpatocka at redhat.com>
Assisted-by: Claude:claude-opus-4.6
Fixes: 65ff5b7ddf05 ("dm verity: add error handling modes for corrupted blocks")
Cc: stable at vger.kernel.org
DeltaFile
+7-5drivers/md/dm-verity-target.c
+1-1drivers/md/dm-verity.h
+8-62 files

Linux/linux 88dd117drivers/md dm-verity-target.c

dm-verity: increase sprintf buffer size

The prefix "DM_VERITY_ERR_BLOCK_NR" is 22 chars. Add '=', one digit for
type, ',', up to 20 digits for a u64 block number, and a NUL terminator:
that's 46 bytes. The buffer is 42 bytes. For block numbers >= 16 decimal
digits (devices larger than ~16 EB with 4K blocks), snprintf silently
truncates the uevent environment variable.

Signed-off-by: Mikulas Patocka <mpatocka at redhat.com>
Assisted-by: Claude:claude-opus-4.6
Fixes: 65ff5b7ddf05 ("dm verity: add error handling modes for corrupted blocks")
Cc: stable at vger.kernel.org
DeltaFile
+1-1drivers/md/dm-verity-target.c
+1-11 files

Linux/linux e72b793drivers/md dm-verity-loadpin.c

dm-verity: fix a possible NULL pointer dereference

Fix a possible NULL pointer dereference dm_verity_loadpin_is_bdev_trusted
if the device has no table.

Signed-off-by: Mikulas Patocka <mpatocka at redhat.com>
Assisted-by: Claude:claude-opus-4-6
Fixes: b6c1c5745ccc ("dm: Add verity helpers for LoadPin")
Cc: stable at vger.kernel.org
DeltaFile
+1-1drivers/md/dm-verity-loadpin.c
+1-11 files