Linux/linux d96fcfeDocumentation/arch/arm64 cpu-hotplug.rst, arch/arm64/include/asm tlbflush.h

Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

Pull arm64 fixes from Will Deacon:

 - Fix crash when using SMT hotplug on ACPI systems in conjunction with
   maxcpus=

 - Fix 30% kswapd performance regression introduced by C1-Pro SME
   erratum workaround

 - Fix TLB over-invalidation regression during memory hotplug

 - Fix incorrect encoding of FEAT_BWE2 value in ID_AA64DFR2_EL1.BWE

 - Typo fixes in the arm64 selftests

* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
  selftests/arm64: fix spelling errors in comments
  arm64/sysreg: Fix BWE field encoding in ID_AA64DFR2_EL1

    [4 lines not shown]
DeltaFile
+8-41arch/arm64/include/asm/tlbflush.h
+0-35arch/arm64/kernel/process.c
+16-12Documentation/arch/arm64/cpu-hotplug.rst
+14-14arch/arm64/kernel/smp.c
+9-2arch/arm64/mm/mmu.c
+7-3arch/arm64/kernel/fpsimd.c
+54-1075 files not shown
+61-11811 files

Linux/linux 1f0fe32drivers/platform/x86 asus-armoury.h bitland-mifs-wmi.c, drivers/platform/x86/amd/pmc pmc.c

Merge tag 'platform-drivers-x86-v7.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86

Pull x86 platform driver fixes from Ilpo Järvinen:

 - amd/pmc:
    - Use correct IP block table for AMD 1Ah M80H SoC
    - Avoid logging "(null)" for missing DMI values

 - asus-armoury: update power limits for G614PR

 - bitland-mifs-wmi: Fix NULL pointer dereference during suspend/resume

* tag 'platform-drivers-x86-v7.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86:
  platform/x86: amd-pmc: Use correct IP block table for AMD 1Ah M80H SoC
  platform/x86: asus-armoury: update power limits for G614PR
  platform/x86: bitland-mifs-wmi: Fix NULL pointer dereference during suspend/resume
  platform/x86/amd/pmc: Avoid logging "(null)" for DMI values
DeltaFile
+29-7drivers/platform/x86/amd/pmc/pmc.c
+5-5drivers/platform/x86/asus-armoury.h
+8-0drivers/platform/x86/bitland-mifs-wmi.c
+42-123 files

Linux/linux f827c27drivers/gpio gpio-dwapb.c gpio-shared-proxy.c, tools/testing/selftests/gpio .gitignore

Merge tag 'gpio-fixes-for-v7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux

Pull gpio fixes from Bartosz Golaszewski:

 - provide the missing .get_direction() callback in gpio-palmas

 - fix interrupt handling in gpio-dwapb

 - add a GPIO self-test program binary to .gitignore

 - fix a resource leak in gpio-mvebu

 - make the GPIO sharing heuristic more adaptable

* tag 'gpio-fixes-for-v7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux:
  gpio: mvebu: free generic chips on unbind
  selftests: gpio: add gpio-cdev-uaf to .gitignore
  gpio: dwapb: Mask interrupts at hardware initialization
  gpio: dwapb: Defer clock gating until noirq

    [2 lines not shown]
DeltaFile
+86-14drivers/gpio/gpio-dwapb.c
+32-34drivers/gpio/gpio-shared-proxy.c
+19-0drivers/gpio/gpio-palmas.c
+2-1drivers/gpio/gpiolib-shared.h
+1-0drivers/gpio/gpio-mvebu.c
+1-0tools/testing/selftests/gpio/.gitignore
+141-496 files

Linux/linux 8f964d9drivers/ata libata-core.c

Merge tag 'ata-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux

Pull ata fixes from Damien Le Moal:

 - Fix handling of security locked drive revalidation. This prevents
   such drives from being dropped when locked on resume (Terrence)

* tag 'ata-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux:
  ata: libata-core: Allow capacity transition to zero for locked drives
  ata: libata-core: Skip HPA resize for locked drives
DeltaFile
+2-2drivers/ata/libata-core.c
+2-21 files

Linux/linux ba0b7c6drivers/accel/amdxdna amdxdna_ctx.c amdxdna_gem.c, drivers/gpu buddy.c

Merge tag 'drm-fixes-2026-07-10' of https://gitlab.freedesktop.org/drm/kernel

Pull drm fixes from Dave Airlie:
 "Weekly fixes pull for drm, amdgpu, amdxdna, xe leading the way, some
  small core fixes and a nouveau stability fix along with some minor
  changes in other drivers.

  Seems to be a bit quiter than last week at least.

  fb-helper:
   - Sync on first active crtc in fb_dirty, rather than first crtc

  drm_exec:
   - Use direct label in drm_exec

  buddy:
   - Rework try_harder in the buddy allocator

  i915:

    [65 lines not shown]
DeltaFile
+91-1drivers/gpu/drm/drm_fb_helper.c
+46-21drivers/gpu/buddy.c
+43-13drivers/accel/amdxdna/amdxdna_ctx.c
+36-14drivers/accel/amdxdna/amdxdna_gem.c
+22-15drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
+18-16include/drm/drm_exec.h
+256-8036 files not shown
+486-20442 files

Linux/linux 6763a0adrivers/gpu/drm/nouveau/nvkm/subdev/mmu vmm.c

nouveau/vmm: fix another SPT/LPT race

We've had an unknown Turing issue for a while with page faults since
large pages and compression.

I've got a patch series that syncs all our L2 handling with ogkm and it
made this fault happen more.

After writing a bunch of debugging patches, I spotted an invalid LPT
entry where there should have been a valid one.

A 64K MAP succeeds on a range, but a subsequent SPT put drops SPT refs
across multiple ranges,

We shouldn't assume all ranges where SPTEs go away will have the same
sparse/invalid/valid state, just iterate over each instead and do the
right thing.

Cc: stable at vger.kernel.org

    [7 lines not shown]
DeltaFile
+14-17drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c
+14-171 files

Linux/linux 695255cdrivers/gpu/drm/xe xe_exec.c xe_pt.c, drivers/gpu/drm/xe/tests xe_pci.c

Merge tag 'drm-xe-fixes-2026-07-09' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes

Driver Changes:
- Fix PTE index in xe_vm_populate_pgtable for chunked binds (Matt Brost)
- Wait on external BO kernel fences in exec IOCTL (Matt Brost)
- Remove duplicate include (Anas Khan)
- Free madvise VMA array on L2 flush failure (Guangshuo Li)
- Stub notifier_lock helpers when DRM_GPUSVM=n (Shuicheng Lin)

Signed-off-by: Dave Airlie <airlied at redhat.com>

From: Thomas Hellstrom <thomas.hellstrom at linux.intel.com>
Link: https://patch.msgid.link/alASIbW318Rl-HTv@fedora
DeltaFile
+16-6drivers/gpu/drm/xe/xe_exec.c
+17-2drivers/gpu/drm/xe/xe_pt.c
+1-1drivers/gpu/drm/xe/xe_vm_madvise.c
+0-1drivers/gpu/drm/xe/tests/xe_pci.c
+34-104 files

Linux/linux ff17ec8drivers/gpu/drm/amd/amdgpu amdgpu_vm.c amdgpu_userq.c, drivers/gpu/drm/amd/amdkfd kfd_process_queue_manager.c kfd_device_queue_manager.c

Merge tag 'amd-drm-fixes-7.2-2026-07-09' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes

amd-drm-fixes-7.2-2026-07-09:

amdgpu:
- PSP 15.0.9 update
- SMU 15.0.9 update
- VCN 5.3 fix
- VI ASPM fix
- Userq fix
- lifetime fix for amdgpu_vm_get_task_info_pasid()
- Gfx10 fix
- SMU 14 fix

amdkfd:
- CRIU bounds checking fixes
- secondary context id fix
- Event bounds checking fix


    [4 lines not shown]
DeltaFile
+22-15drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
+16-12drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c
+10-15drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+9-0drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c
+9-0drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
+6-0drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+72-4211 files not shown
+94-5017 files

Linux/linux 7978a34drivers/accel/amdxdna amdxdna_ctx.c amdxdna_gem.c, drivers/gpu buddy.c

Merge tag 'drm-misc-fixes-2026-07-09' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes

drm-misc-fixes for v7.2-rc3:
- Fix uaf in amdxdna mmap failure path.
- A lot of deadlocks, access races and return value fixes in amdxdna.
- Fix analogix_dp bitshifts during link training.
- Use direct label in drm_exec.
- Fix absent indirect bo handling in v3d.
- Sync on first active crtc in fb_dirty, rather than first crtc.
- Rework try_harder in the buddy allocator.
- Make imagination function static to solve compiler warning.
- Fix imagination error checking.

Signed-off-by: Dave Airlie <airlied at redhat.com>
From: Maarten Lankhorst <maarten.lankhorst at linux.intel.com>
Link: https://patch.msgid.link/71e5b48b-307f-47f5-8fd5-b60ea43e4196@linux.intel.com
DeltaFile
+91-1drivers/gpu/drm/drm_fb_helper.c
+46-21drivers/gpu/buddy.c
+43-13drivers/accel/amdxdna/amdxdna_ctx.c
+36-14drivers/accel/amdxdna/amdxdna_gem.c
+18-16include/drm/drm_exec.h
+18-10drivers/gpu/drm/tests/drm_exec_test.c
+252-7510 files not shown
+311-10016 files

Linux/linux 58570efdrivers/gpu/drm/i915/display intel_dp.c intel_lt_phy.c, drivers/gpu/drm/i915/gem i915_gem_context.c

Merge tag 'drm-intel-fixes-2026-07-09' of https://gitlab.freedesktop.org/drm/i915/kernel into drm-fixes

Fix underrun regressions on Panther Lake by reverting the recent
SCL=0 enablement for always-on VRR timing. It also includes a fix
display LT PHY SSC programming and a small set of i915 fixes
addressing NULL pointer dereferences, memory leaks and bound checks.

Signed-off-by: Dave Airlie <airlied at redhat.com>

From: Rodrigo Vivi <rodrigo.vivi at intel.com>
Link: https://patch.msgid.link/ak-xZPqluaXVJGtP@intel.com
DeltaFile
+15-9drivers/gpu/drm/i915/gem/i915_gem_context.c
+10-9drivers/gpu/drm/i915/gt/intel_execlists_submission.c
+7-1drivers/gpu/drm/i915/display/intel_dp.c
+1-5drivers/gpu/drm/i915/display/intel_lt_phy.c
+0-3drivers/gpu/drm/i915/display/intel_psr.c
+33-275 files

Linux/linux a635d67fs/smb/server smb2pdu.c auth.c, fs/smb/server/mgmt user_session.c

Merge tag 'v7.2-rc2-smb3-server-fixes' of git://git.samba.org/ksmbd

Pull smb server fixes from Steve French:
 "This contains a set of SMB server fixes mostly around session setup,
  multichannel/session binding, and protocol-compatible error reporting:

   - Fix SID-to-id mapping so only SIDs with a valid local Unix
     representation are translated, while preserving other Windows
     SIDs in NT ACL xattrs

   - Fix SMB3 multichannel binding across multi-round authentication,
     keep the derived channel key separate from the established session
     key, and enforce the 32-channel session limit

   - Match Windows-compatible close timestamp behavior by coalescing
     automatic write time updates smaller than 15ms

   - Return STATUS_DISK_FULL for SET_INFO allocation failures caused
     by ENOSPC or EFBIG

    [22 lines not shown]
DeltaFile
+151-54fs/smb/server/smb2pdu.c
+28-21fs/smb/server/auth.c
+17-4fs/smb/server/smbacl.c
+14-2fs/smb/server/server.c
+4-3fs/smb/server/auth.h
+2-2fs/smb/server/mgmt/user_session.c
+216-862 files not shown
+218-868 files

Linux/linux 2c7c88adrivers/bluetooth btintel_pcie.c, net/bluetooth l2cap_core.c hci_sync.c

Merge tag 'net-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

Pull networking fixes from Paolo Abeni:
 "Including fixes from netfilter, Bluetooth and batman-adv.

  Current release - regressions:

   - bluetooth: fix using chan->conn as indication to no remote netdev

  Current release - new code bugs:

   - netfilter: cap to maximum number of expectation per master on
     updates

  Previous releases - regressions:

   - bluetooth:
      - fix UAF of hci_conn_params in add_device_complete
      - fix null ptr deref in hci_abort_conn()

    [53 lines not shown]
DeltaFile
+109-31net/bluetooth/l2cap_core.c
+121-16net/bluetooth/hci_sync.c
+51-56net/bluetooth/l2cap_sock.c
+52-50drivers/bluetooth/btintel_pcie.c
+56-29net/netfilter/ipset/ip_set_hash_gen.h
+23-61net/bluetooth/6lowpan.c
+412-243106 files not shown
+1,407-745112 files

Linux/linux cf385cfdrivers/gpu/drm/imagination pvr_context.c

drm/imagination: fix error checking of pvr_vm_context_lookup()

Since pvr_vm_context_lookup() returns either NULL or a pointer, then stop
using IS_ERR() for checking the return value.

Using IS_ERR() leads to the kernel oops reported below. It can be
reproduced by passing an invalid VM context handle from userspace to the
DRM_IOCTL_PVR_CREATE_CONTEXT ioctl.

[   92.733119] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000148
[   92.742042] Mem abort info:
[   92.744890]   ESR = 0x0000000096000004
[   92.748686]   EC = 0x25: DABT (current EL), IL = 32 bits
[   92.754020]   SET = 0, FnV = 0
[   92.757154]   EA = 0, S1PTW = 0
[   92.760337]   FSC = 0x04: level 0 translation fault
[   92.765243] Data abort info:
[   92.768129]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[   92.773626]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0

    [43 lines not shown]
DeltaFile
+2-2drivers/gpu/drm/imagination/pvr_context.c
+2-21 files

Linux/linux c804aaddrivers/gpu/drm/imagination pvr_fw_trace.c

drm/imagination: make pvr_fw_trace_init_mask_ops static

The pvr_fw_trace_init_mask_ops is not used outside pvr_fw_trace.c
so make it static to avoid the following sparse warning:

drivers/gpu/drm/imagination/pvr_fw_trace.c:74:31: warning: symbol 'pvr_fw_trace_init_mask_ops' was not declared. Should it be static?

Fixes: c6978643ea1c ("drm/imagination: Validate fw trace group_mask")
Reviewed-by: Alessio Belle <alessio.belle at imgtec.com>
Signed-off-by: Ben Dooks <ben.dooks at codethink.co.uk>
Link: https://patch.msgid.link/20260703162338.2848039-1-ben.dooks@codethink.co.uk
Signed-off-by: Alessio Belle <alessio.belle at imgtec.com>
DeltaFile
+1-1drivers/gpu/drm/imagination/pvr_fw_trace.c
+1-11 files

Linux/linux 56bc638drivers/gpu buddy.c

gpu/buddy: bail out of try_harder when alignment cannot be honoured

The try_harder contiguous fallback could return a range whose start
offset did not match the caller's min_block_size. When a candidate's
start is misaligned, realign it: free the misaligned run and reallocate
exactly @size at the next lower min_block_size boundary. This keeps the
returned size unchanged with no surplus to trim, and rejects the request
only when no aligned candidate fits.

v2: align misaligned candidates down to min_block_size instead of
    bailing out, for both the RHS and LHS paths (Matthew).

Fixes: 0a1844bf0b53 ("drm/buddy: Improve contiguous memory allocation")
Suggested-by: Christian König <christian.koenig at amd.com>
Cc: Matthew Auld <matthew.auld at intel.com>
Cc: Christian König <christian.koenig at amd.com>
Cc: Timur Kristóf <timur.kristof at gmail.com>
Cc: stable at vger.kernel.org
Reviewed-by: Matthew Auld <matthew.auld at intel.com>

    [3 lines not shown]
DeltaFile
+46-21drivers/gpu/buddy.c
+46-211 files

Linux/linux f508900drivers/net macsec.c

macsec: don't read an unset MAC header in macsec_encrypt()

macsec_encrypt() reads the Ethernet header via eth_hdr(skb)
(skb->head + skb->mac_header) to memmove() the 12 source/destination MAC
bytes forward and make room for the SecTAG.

On the AF_PACKET SOCK_RAW + PACKET_QDISC_BYPASS transmit path the skb
reaches the macsec ndo_start_xmit() with the MAC header unset, so
eth_hdr(skb) resolves to skb->head + (u16)~0 and the read is out of
bounds: a 12-byte heap over-read that is also emitted on the wire as the
frame's outer source/destination MAC. KASAN reports a slab-out-of-bounds
read in macsec_start_xmit() on 6.0; on current mainline a CONFIG_DEBUG_NET
build flags it as an unset mac header in skb_mac_header().

On the TX path the L2 header is at skb->data, so use skb_eth_hdr(), added
by commit 96cc4b69581d ("macvlan: do not assume mac_header is set in
macvlan_broadcast()") for exactly this purpose.

Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")

    [5 lines not shown]
DeltaFile
+1-1drivers/net/macsec.c
+1-11 files

Linux/linux 78237e3drivers/dibs dibs_loopback.c

dibs: loopback: validate offset and size in move_data()

The loopback move_data() performs a memcpy into the registered DMB
without checking whether offset + size exceeds the DMB length.  Unlike
real ISM hardware, which enforces memory region bounds natively, the
software loopback has no such protection.

A peer-supplied out-of-bounds offset or oversized write would result in
an OOB write past the allocated kernel buffer.  Add an explicit bounds
check before the memcpy to reject such requests with -EINVAL.

Fixes: f7a22071dbf3 ("net/smc: implement DMB-related operations of loopback-ism")
Cc: stable at vger.kernel.org
Reported-by: Federico Kirschbaum <federico.kirschbaum at xbow.com>
Signed-off-by: Dust Li <dust.li at linux.alibaba.com>
Reported-by: Baul Lee <baul.lee at xbow.com>
Link: https://patch.msgid.link/20260707074318.1448662-1-dust.li@linux.alibaba.com
Signed-off-by: Paolo Abeni <pabeni at redhat.com>
DeltaFile
+5-0drivers/dibs/dibs_loopback.c
+5-01 files

Linux/linux f5ef65adrivers/gpu/drm/xe xe_pt.c

drm/xe/userptr: Stub notifier_lock helpers when DRM_GPUSVM=n

When CONFIG_DRM_GPUSVM=n (e.g. um-allyesconfig), the only caller of
xe_pt_svm_userptr_notifier_lock() is compiled out, triggering:

  drivers/gpu/drm/xe/xe_pt.c:1418:13: warning:
    'xe_pt_svm_userptr_notifier_lock' defined but not used
    [-Wunused-function]

The helpers cannot simply be removed in this case: the matching
xe_pt_svm_userptr_notifier_unlock() is also referenced from
xe_pt_update_ops_run(), which lives outside any DRM_GPUSVM ifdef and is
gated only at runtime by pt_update_ops->needs_svm_lock. The symbol must
exist in all builds.

Provide empty static inline stubs for !DRM_GPUSVM, matching the pattern
used by xe_svm_notifier_lock()/_unlock() in xe_svm.h.

Fixes: dca6e08c923a ("drm/xe/userptr: Hold notifier_lock for write on inject test path")

    [7 lines not shown]
DeltaFile
+5-0drivers/gpu/drm/xe/xe_pt.c
+5-01 files

Linux/linux 14abbeddrivers/gpu/drm/xe xe_vm_madvise.c

drm/xe: free madvise VMA array on L2 flush failure

xe_vm_madvise_ioctl() allocates madvise_range.vmas in get_vmas().
After get_vmas() succeeds with at least one VMA, error paths must go
through free_vmas so the array is released before the madvise details are
destroyed.

The L2 flush validation path added for PAT madvise rejects some
SVM/userptr ranges after get_vmas() has succeeded, but jumps directly to
madv_fini. This skips kfree(madvise_range.vmas), leaking the VMA array on
each failed ioctl.

Jump to free_vmas instead, matching the other validation failure paths
after get_vmas() has succeeded.

Fixes: 4f39a194d41e ("drm/xe/xe3p_lpg: Restrict UAPI to enable L2 flush optimization")
Signed-off-by: Guangshuo Li <lgs201920130244 at gmail.com>
Reviewed-by: Rodrigo Vivi <rodrigo.vivi at intel.com>
Link: https://patch.msgid.link/20260708073422.725186-1-lgs201920130244@gmail.com

    [3 lines not shown]
DeltaFile
+1-1drivers/gpu/drm/xe/xe_vm_madvise.c
+1-11 files

Linux/linux 91426cedrivers/gpu/drm/xe/tests xe_pci.c

drm/xe: remove duplicate <kunit/test-bug.h> include

xe_pci.c includes <kunit/test-bug.h> twice, separated only by the
<kunit/test.h> include. Drop the redundant second include; this is a
non-functional cleanup flagged by scripts/checkincludes.pl.

Fixes: 6cad22853cb8 ("drm/xe/kunit: Add stub to read_gmdid")
Signed-off-by: Anas Khan <anxkhn28 at gmail.com>
Link: https://patch.msgid.link/20260702112820.34675-1-anxkhn28@gmail.com
Signed-off-by: Rodrigo Vivi <rodrigo.vivi at intel.com>
(cherry picked from commit 84ed5b0a925721aaf069d36e18a99db966ff4e80)
Signed-off-by: Thomas Hellström <thomas.hellstrom at linux.intel.com>
DeltaFile
+0-1drivers/gpu/drm/xe/tests/xe_pci.c
+0-11 files

Linux/linux af80e2bdrivers/gpu/drm/xe xe_exec.c

drm/xe: Wait on external BO kernel fences in exec IOCTL

Before arming a user job, xe_exec_ioctl() only added the VM's
dma-resv KERNEL slot as a dependency. That slot covers rebinds and
the kernel operations of the VM's private BOs, but not external BOs
(bo->vm == NULL), which carry their kernel operations (evictions,
moves, ...) in their own dma-resv KERNEL slot.

The DMA_RESV_USAGE_KERNEL slot is the cross-driver contract for
memory management operations that must complete before the BO or its
backing store may be used: any accessor is required to wait on the
KERNEL fences before touching the resv. By skipping the external BOs'
KERNEL slots, the exec path violated that contract and could schedule
a user job while a kernel operation on an external BO mapped by the VM
was still in flight, racing against it and potentially reading or
writing memory that was being moved.

Replace the VM-only dependency with an iteration over every object
locked by the exec, adding each object's KERNEL slot as a job

    [13 lines not shown]
DeltaFile
+16-6drivers/gpu/drm/xe/xe_exec.c
+16-61 files

Linux/linux 34a4dd4drivers/gpu/drm/xe xe_pt.c

drm/xe: Fix PTE index in xe_vm_populate_pgtable() for chunked binds

xe_vm_populate_pgtable() indexed the source PTE array (update->pt_entries)
by the per-call loop counter, assuming each call starts at the first entry
of the update. That holds for the CPU bind path
(xe_migrate_update_pgtables_cpu), which populates a whole update in a single
call, but not for the GPU bind path: write_pgtable() splits an update into
MAX_PTE_PER_SDI (510) sized MI_STORE_DATA_IMM chunks, invoking the populate
callback once per chunk with an advancing qword_ofs but a fresh command-
buffer destination pointer.

As a result, every chunk after the first re-read pt_entries from index 0
instead of from its true offset, so PTEs beyond the first 510 entries of a
single update were programmed with the wrong physical pages, shifting the
mapping by exactly MAX_PTE_PER_SDI pages.

This stayed latent because a single update only exceeds 510 qwords when a
large (e.g. 2M) region is bound as individual 4K PTEs rather than a single
huge-page entry, which happens when the backing store is sufficiently

    [15 lines not shown]
DeltaFile
+12-2drivers/gpu/drm/xe/xe_pt.c
+12-21 files

Linux/linux fabb881drivers/net/ethernet/marvell/octeontx2/af rvu_nix.c

octeontx2-af: fix VF bringup affecting PF promiscuous state

Mbox handling of nix_set_rx_mode for a VF with promiscuous and
all_multi flags set to false causes deletion of the PF's promiscuous
and allmulti MCAM rules. This occurs because the APIs that
enable/disable these rules operate only on the PF, even when the
mbox request is made via a VF interface.

Guard both rvu_npc_enable_allmulti_entry() and
rvu_npc_enable_promisc_entry() disable paths with an is_vf() check so
that a VF bringing up or tearing down its interface cannot inadvertently
clear the PF's MCAM rules.

Fixes: 967db3529eca ("octeontx2-af: add support for multicast/promisc packet replication feature")
Signed-off-by: Harman Kalra <hkalra at marvell.com>
Signed-off-by: Nitin Shetty J <nshettyj at marvell.com>
Link: https://patch.msgid.link/20260702045616.3002773-2-nshettyj@marvell.com
Signed-off-by: Paolo Abeni <pabeni at redhat.com>
DeltaFile
+2-2drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
+2-21 files

Linux/linux 24c4c88net/netfilter nfnetlink_log.c nf_flow_table_offload.c, net/netfilter/ipset ip_set_hash_gen.h

Merge tag 'nf-26-07-08' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

Florian Westphal says:

====================
netfilter: updates for net

The following patchset contains Netfilter fixes for *net*.

Most of these are LLM fixes for old issues flagged by sashiko/LLMs.

Many of these trigger drive-by-findings in sashiko. In particular:

- many load/store tearing and missing memory barriers, races
  etc. in ipset, esp. with GC and resizing.
  Keeping the proposed patches spinning for yet-another-iteration
  keeps legit fixes back, so I prefer to add these now and follow
  up with other reports later.
- flowtable work queue still has possible races with teardown,

    [78 lines not shown]
DeltaFile
+56-29net/netfilter/ipset/ip_set_hash_gen.h
+20-11net/netfilter/ipvs/ip_vs_core.c
+17-9net/netfilter/nfnetlink_log.c
+20-2net/netfilter/nf_flow_table_offload.c
+12-9net/netfilter/nf_flow_table_ip.c
+11-8net/netfilter/nf_flow_table_core.c
+136-6810 files not shown
+196-10916 files

Linux/linux b62869anet/ethtool netlink.h rss.c

ethtool: rss: Fix hfunc and input_xfrm parsing on big endian

ETHTOOL_A_RSS_HFUNC and ETHTOOL_A_RSS_INPUT_XFRM are NLA_U32 attributes,
but ethnl_rss_set() and ethnl_rss_create_doit() parse them with
ethnl_update_u8(), which reads a single byte.

On little endian this happens to read the least significant byte and
works as long as the value fits in a byte. On big endian it reads the
most significant byte, so the requested value is parsed incorrectly.

The destination fields in struct ethtool_rxfh_param are u8, so the
attribute can't be read directly with ethnl_update_u32().
Cap the hfunc policy at U8_MAX so an out of range value is rejected
instead of being silently truncated into the u8 field, and add
ethnl_update_u8_u32() to read the full u32 and narrow it into the u8
destination.

Fixes: 82ae67cbc423 ("ethtool: rss: support setting hfunc via Netlink")
Fixes: d3e2c7bab124 ("ethtool: rss: support setting input-xfrm via Netlink")

    [6 lines not shown]
DeltaFile
+28-0net/ethtool/netlink.h
+8-6net/ethtool/rss.c
+36-62 files

Linux/linux c914307drivers/net/ethernet/mellanox/mlx5/core/lib port_tun.c

net/mlx5: Fix L3 tunnel entropy refcount leak

mlx5_tun_entropy_refcount_inc() counts both VXLAN and L2-to-L3
tunnel reformat entries as entropy-enabling users. The matching
decrement path only handled VXLAN, leaving L2-to-L3 tunnel entries
counted after release.

Handle MLX5_REFORMAT_TYPE_L2_TO_L3_TUNNEL in
mlx5_tun_entropy_refcount_dec() as well so the enabling entry
refcount remains balanced.

Fixes: f828ca6a2fb6 ("net/mlx5e: Add support for hw encapsulation of MPLS over UDP")
Signed-off-by: Li RongQing <lirongqing at baidu.com>
Reviewed-by: Simon Horman <horms at kernel.org>
Reviewed-by: Tariq Toukan <tariqt at nvidia.com>
Link: https://patch.msgid.link/20260703141423.1723-1-lirongqing@baidu.com
Signed-off-by: Paolo Abeni <pabeni at redhat.com>
DeltaFile
+2-1drivers/net/ethernet/mellanox/mlx5/core/lib/port_tun.c
+2-11 files

Linux/linux 604e959net/batman-adv mesh-interface.c main.c

Merge tag 'batadv-net-pullrequest-20260708' of https://git.open-mesh.org/batadv

Simon Wunderlich says:

====================
Here are some batman-adv bugfixes, all by Sven Eckelmann:

 - ensure minimal ethernet header on TX

 - fix VLAN priority offset

 - clean untagged VLAN on netdev registration failure

 - tt: avoid request storms during pending request

 - tt: prevent TVLV OOB check overflow

 - frag: free unfragmentable packet


    [20 lines not shown]
DeltaFile
+5-11net/batman-adv/mesh-interface.c
+9-1net/batman-adv/main.c
+5-3net/batman-adv/fragmentation.c
+3-4net/batman-adv/multicast_forw.c
+3-2net/batman-adv/translation-table.c
+1-1net/batman-adv/distributed-arp-table.c
+26-221 files not shown
+28-227 files

Linux/linux 27f5758drivers/net/ethernet/cadence macb_main.c

net: macb: drop in-flight Tx SKBs on close

The MACB driver has since forever leaked the outgoing SKBs that
have not yet been marked as completed. They live in queue->tx_skb
which gets freed without remorse nor checking.

macb_free_consistent() gets called in a few codepaths, but only close will
trigger the added expressions. In macb_open() and macb_alloc_consistent()
failure cases, queues' tx_skb just got allocated and are empty.

Fixes: 89e5785fc8a6 ("[PATCH] Atmel MACB ethernet driver")
Cc: stable at vger.kernel.org
Reviewed-by: Nicolai Buchwitz <nb at tipi-net.de>
Signed-off-by: Théo Lebrun <theo.lebrun at bootlin.com>
Link: https://patch.msgid.link/20260702-macb-drop-tx-v4-1-1c833eebdbc8@bootlin.com
Signed-off-by: Paolo Abeni <pabeni at redhat.com>
DeltaFile
+19-2drivers/net/ethernet/cadence/macb_main.c
+19-21 files

Linux/linux c26c33edrivers/net/ethernet/microsoft/mana mana_en.c, include/net/mana mana.h

Merge branch 'fix-mana-rx-with-bounce-buffering'

Dexuan Cui says:

====================
Fix MANA RX with bounce buffering

With swiotlb=force, the MANA NIC fails to work properly due to commit
730ff06d3f5c ("net: mana: Use page pool fragments for RX buffers instead
of full pages to improve memory efficiency.").

This happens because, with the standard MTU=1500, the aforementioned
commit uses page pool frags with PP_FLAG_DMA_MAP, but fails to call
page_pool_dma_sync_for_cpu() to sync the received packet for CPU acces
before handing the RX buffer to the stack.

Here patch #2 adds the required page_pool_dma_sync_for_cpu().

Patch #1 validates the packet length reported by the NIC. With patch #2,

    [14 lines not shown]
DeltaFile
+50-11drivers/net/ethernet/microsoft/mana/mana_en.c
+8-0include/net/mana/mana.h
+58-112 files

Linux/linux c72a0f0drivers/net/ethernet/microsoft/mana mana_en.c, include/net/mana mana.h

net: mana: Sync page pool RX frags for CPU

MANA allocates RX buffers from page pool fragments when frag_count is
greater than 1. In that case the buffers remain DMA mapped by page pool
and the RX completion path does not call dma_unmap_single(). As a result,
the implicit sync-for-CPU normally performed by dma_unmap_single() is
missing before the packet data is passed to the networking stack.

This breaks RX on configurations which require explicit DMA syncing, for
example when booted with swiotlb=force.

Fix this by recording the page pool page and DMA sync offset when the RX
buffer is allocated, and syncing the received packet range for CPU access
before handing the RX buffer to the stack.

Fixes: 730ff06d3f5c ("net: mana: Use page pool fragments for RX buffers instead of full pages to improve memory efficiency.")
Cc: stable at vger.kernel.org
Reviewed-by: Haiyang Zhang <haiyangz at microsoft.com>
Signed-off-by: Dexuan Cui <decui at microsoft.com>

    [2 lines not shown]
DeltaFile
+33-7drivers/net/ethernet/microsoft/mana/mana_en.c
+8-0include/net/mana/mana.h
+41-72 files