Linux/linux b0662be fs/smb/client fs_context.c transport.c, fs/smb/common fscc.h smb2pdu.h

Merge tag 'v7.1-rc4-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6

Pull smb client fixes from Steve French:

 - Fix integer overflow in read

 - Fix smbdirect error cleanup

 - Multichannel reconnect fix

 - Add some missing defines and correct some references to protocol spec

 - Fix oob symlink read

* tag 'v7.1-rc4-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
  smbdirect: Fix error cleanup in smbdirect_map_sges_from_iter()
  smb: client: avoid integer overflow in SMB2 READ length check
  cifs: client: stage smb3_reconfigure() updates and restore ctx on failure
  smb/client: fix possible infinite loop and oob read in symlink_data()
  SMB3.1.1: add missing QUERY_DIR info levels
Delta File
+109 -54 fs/smb/client/fs_context.c
+9 -6 fs/smb/client/transport.c
+3 -1 fs/smb/client/smb2ops.c
+2 -2 fs/smb/common/fscc.h
+4 -0 fs/smb/common/smb2pdu.h
+3 -0 fs/smb/client/smb2file.c
+130 -63 1 files not shown
+131 -64 7 files

Linux/linux fcbf68d fs/ceph quota.c xattr.c, net/ceph osdmap.c auth_x.c

Merge tag 'ceph-for-7.1-rc4' of https://github.com/ceph/ceph-client

Pull ceph fixes from Ilya Dryomov:
 "An important patch from Hristo that squashes a folio reference leak
  that could lead to OOM kills in CephFS and a number of miscellaneous
  fixes from Raphael and Slava.

  All but two are marked for stable"

* tag 'ceph-for-7.1-rc4' of https://github.com/ceph/ceph-client:
  libceph: Fix potential null-ptr-deref in decode_choose_args()
  libceph: handle rbtree insertion error in decode_choose_args()
  libceph: Fix potential out-of-bounds access in osdmap_decode()
  ceph: put folios not suitable for writeback
  ceph: add ceph_has_realms_with_quotas() check to ceph_quota_update_statfs()
  libceph: Fix potential out-of-bounds access in __ceph_x_decrypt()
  ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size
  ceph: fix a buffer leak in __ceph_setxattr()
  libceph: Fix unnecessarily high ceph_decode_need() for uniform bucket
  libceph: Fix potential out-of-bounds access in crush_decode()
Delta File
+27 -10 fs/ceph/quota.c
+17 -0 fs/ceph/xattr.c
+12 -5 net/ceph/osdmap.c
+1 -5 net/ceph/crush/crush.c
+5 -0 net/ceph/auth_x.c
+2 -0 fs/ceph/addr.c
+64 -20 6 files

Linux/linux a8b0b72 fs/btrfs inode.c compression.c, include/trace/events btrfs.h

Merge tag 'for-7.1-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux

Pull btrfs fixes from David Sterba:

 - fixup warning when allocating memory for readahead, __GFP_NOWARN was
   accidentally dropped when setting mapping constraints

 - in tracepoint of file sync, fix sleeping in atomic context when
   handling dentries

 - harden initial loading of block group on crafted/fuzzed images,
   iterate all chunk mapping entries unconditionally

 - fix freeing pages of submitted io after checking for errors

 - fix incorrect inode size after remount when using fallocate KEEP_SIZE
   mode (also requires disabled 'no-holes' feature)

* tag 'for-7.1-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:

    [5 lines not shown]
Delta File
+28 -0 fs/btrfs/inode.c
+14 -12 fs/btrfs/compression.c
+8 -15 fs/btrfs/block-group.c
+4 -5 fs/btrfs/transaction.c
+1 -3 include/trace/events/btrfs.h
+1 -0 fs/btrfs/disk-io.c
+56 -35 6 files

Linux/linux 663ea69 fs/xfs xfs_trans.c xfs_inode.c, fs/xfs/libxfs xfs_dir2_data.c

Merge tag 'xfs-fixes-7.1-rc4' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux

Pull xfs fixes from Carlos Maiolino:
 "A few bug fixes, nothing really special stands out"

* tag 'xfs-fixes-7.1-rc4' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
  xfs: Fix typo in comment
  xfs: fix the "limiting open zones" message
  xfs: flush delalloc blocks on ENOSPC in xfs_trans_alloc_icreate
  xfs: check da node block pad field during scrub
  xfs: fix memory leak for data allocated by xfs_zone_gc_data_alloc()
  xfs: fix memory leak on error in xfs_alloc_zone_info()
  xfs: check directory data block header padding in scrub
  xfs: zero directory data block padding on write verification
  xfs: zero entire directory data block header region at init
  xfs: remove the meaningless XFS_ALLOC_FLAG_FREEING
Delta File
+11 -7 fs/xfs/libxfs/xfs_dir2_data.c
+11 -0 fs/xfs/xfs_trans.c
+11 -0 fs/xfs/scrub/common.c
+6 -1 fs/xfs/scrub/dabtree.c
+6 -1 fs/xfs/scrub/dir.c
+0 -6 fs/xfs/xfs_inode.c
+45 -15 5 files not shown
+52 -21 11 files

Linux/linux 56ec2b6 fs/nfsd nfs4state.c nfs4proc.c, net/sunrpc cache.c

Merge tag 'nfsd-7.1-1' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux

Pull nfsd fixes from Chuck Lever:
 "Fixes for this release:
   - Correctness fix for the new sunrpc cache netlink protocol

  Marked for stable:
   - Correctness fixes for delegated attributes
   - Prevent an infinite loop when revoking layouts"

* tag 'nfsd-7.1-1' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux:
  NFSD: Fix infinite loop in layout state revocation
  sunrpc: start cache request seqno at 1 to fix netlink GET_REQS
  nfsd: update mtime/ctime on COPY in presence of delegated attributes
  nfsd: update mtime/ctime on CLONE in presense of delegated attributes
  nfsd: fix file change detection in CB_GETATTR
  nfsd: fix GET_DIR_DELEGATION when VFS leases are disabled
Delta File
+44 -20 fs/nfsd/nfs4state.c
+13 -5 fs/nfsd/nfs4proc.c
+1 -1 net/sunrpc/cache.c
+1 -0 fs/nfsd/state.h
+1 -0 fs/nfsd/xdr4.h
+60 -26 5 files

Linux/linux d458a24 block blk-zoned.c bio.c, drivers/nvme/host ioctl.c

Merge tag 'block-7.1-20260515' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux

Pull block fixes from Jens Axboe:

 - NVMe merge request via Keith:
     - Fix memory leak on a passthrough integrity mapping failure (Keith)
     - Hide secrets behind debug option (Hannes)
     - Fix pci use-after-free for host memory buffer (Chia-Lin Kao)
     - Fix tcp target use-after-free for data digest (Sagi)
     - Revert a mistaken quirk (Alan Cui)
     - Fix uevent and controller state race condition (Maurizio)
     - Fix apple submission queue re-initialization (Nick Chan)

 - Three fixes for blk-integrity, fixing an issue with the user data
   mapping and two problems with recomputing number of segments

 - Two fixes for the iov_iter bounce buffering

 - Fix for the handling of dead zoned write plugs

    [20 lines not shown]
Delta File
+27 -5 block/blk-zoned.c
+15 -12 block/bio.c
+18 -1 block/bio-integrity.c
+19 -0 block/blk-mq.c
+4 -14 drivers/nvme/host/ioctl.c
+8 -5 drivers/nvme/target/auth.c
+91 -37 9 files not shown
+130 -45 15 files

Linux/linux ee7226b io_uring io_uring.c timeout.c

Merge tag 'io_uring-7.1-20260515' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux

Pull io_uring fixes from Jens Axboe:

 - Small series sanitizing the locking done for either modifying or
   reading a chain of requests

 - If the application has a pid namespace, ensure that the sqthread pid
   is correctly printed in fdinfo

 - Fix for a hashing issue in the io-wq thread pool, which could lead to
   a use-after-free

 - Kill dead argument from io_prep_rw_pi()

 - Fix for a missed validation of the CQ ring head, affecting CQE refill

* tag 'io_uring-7.1-20260515' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux:
  io_uring: validate user-controlled cq.head in io_cqe_cache_refill()

    [6 lines not shown]
Delta File
+23 -6 io_uring/io_uring.c
+14 -2 io_uring/timeout.c
+2 -2 io_uring/rw.c
+2 -1 io_uring/io-wq.c
+2 -1 io_uring/fdinfo.c
+1 -1 io_uring/cancel.c
+44 -13 6 files

Linux/linux 78e8370 scripts/gcc-plugins gcc-common.h

Merge tag 'hardening-v7.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Pull hardening fix from Kees Cook:

 - gcc-plugins: Fix GCC 16 removal of CONST_CAST macros

* tag 'hardening-v7.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
  gcc-plugins: Always define CONST_CAST_GIMPLE and CONST_CAST_TREE
Delta File
+3 -1 scripts/gcc-plugins/gcc-common.h
+3 -1 1 files

Linux/linux 36d49bb Documentation/process threat-model.rst security-bugs.rst

Merge tag 'docs-7.1-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/docs/linux

Pull documentation fixes from Jonathan Corbet:
 "This is Willy Tarreau's new document clarifying the definition and
  handling of security-related bugs, which we're trying to get out there
  quickly on the theory that some of the bug reporters might actually
  read and pay attention to it"

* tag 'docs-7.1-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/docs/linux:
  docs: threat-model: don't limit root capabilities to CAP_SYS_ADMIN
  docs: security-bugs: add a link to the threat-model documentation
  Documentation: security-bugs: clarify requirements for AI-assisted reports
  Documentation: security-bugs: explain what is and is not a security bug
  Documentation: security-bugs: do not systematically Cc the security team
Delta File
+235 -0 Documentation/process/threat-model.rst
+104 -2 Documentation/process/security-bugs.rst
+1 -0 Documentation/process/index.rst
+340 -2 3 files

Linux/linux 4844e7c arch/x86/xen mmu_pv.c setup.c, include/xen/arm interface.h

Merge tag 'for-linus-7.1b-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip

Pull xen fixes from Juergen Gross:

 - one simple cleanup

 - a fix for a corner case when running as Xen PV dom0

 - a fix of a regression for Xen PV guests, introduced in 7.0

* tag 'for-linus-7.1b-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
  x86/xen: Tolerate nested XEN_LAZY_MMU entering/leaving
  x86/xen: Fix xen_e820_swap_entry_with_ram()
  xen/arm: Replace __ASSEMBLY__ with __ASSEMBLER__ in interface.h
Delta File
+6 -2 arch/x86/xen/mmu_pv.c
+1 -1 arch/x86/xen/setup.c
+1 -1 include/xen/arm/interface.h
+8 -4 3 files

Linux/linux 4c2cd91 drivers/platform/x86 samsung-galaxybook.c, drivers/platform/x86/intel plr_tpmi.c vsec_tpmi.c

Merge tag 'platform-drivers-x86-v7.1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86

Pull x86 platform driver fixes from Ilpo Järvinen:

 - asus-nb-wmi:
    - Use existing keyboard quirk for ASUS Zenbook Duo UX8407AA

 - hp-wmi:
    - Add support for Victus 16-r0xxx (8BC2)

 - intel/vsec_tpmi:
    - Move debugfs register before creating devices
    - Prevent fault during unbind

 - lenovo-wmi-*:
    - Fix memory leak in lwmi_dev_evaluate_int()
    - Balance IDA id allocation and free
    - Balance component bind and unbind
    - Prevent sending uninitialized WMI arguments to the device

    [24 lines not shown]
Delta File
+138 -156 drivers/platform/x86/lenovo/wmi-other.c
+103 -2 drivers/platform/x86/lenovo/wmi-helpers.c
+48 -21 drivers/platform/x86/samsung-galaxybook.c
+43 -2 drivers/platform/x86/intel/plr_tpmi.c
+25 -4 drivers/platform/x86/intel/vsec_tpmi.c
+21 -0 drivers/platform/x86/lenovo/wmi-helpers.h
+378 -185 10 files not shown
+424 -232 16 files

Linux/linux fd6b566 include/linux slab.h, lib rhashtable.c

Merge tag 'v7.1-p4' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6

Pull crypto fixes from Herbert Xu:

 - Fix potential dead-lock in rhashtable when used by xattr

 - Avoid calling kvfree on atomic path in rhashtable

* tag 'v7.1-p4' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  rhashtable: Add bucket_table_free_atomic() helper
  mm/slab: Add kvfree_atomic() helper
  rhashtable: drop ht->mutex in rhashtable_free_and_destroy()
Delta File
+26 -7 lib/rhashtable.c
+16 -0 mm/slub.c
+3 -0 include/linux/slab.h
+45 -7 3 files

Linux/linux 4141f46 drivers/nvme/host ioctl.c pci.c, drivers/nvme/target auth.c Kconfig

Merge tag 'nvme-7.1-2026-05-14' of git://git.infradead.org/nvme into block-7.1

Pull NVMe fixes from Keith:

"- Fix memory leak on a passthrough integrity mapping failure (Keith)
 - Hide secrets behind debug option (Hannes)
 - Fix pci use-after-free for host memory buffer (Chia-Lin Kao)
 - Fix tcp target use-after-free for data digest (Sagi)
 - Revert a mistaken quirk (Alan Cui)
 - Fix uevent and controller state race condition (Maurizio)
 - Fix apple submission queue re-initialization (Nick Chan)"

* tag 'nvme-7.1-2026-05-14' of git://git.infradead.org/nvme:
  nvme-apple: Reset q->sq_tail during queue init
  nvme: fix race condition between connected uevent and STARTED_ONCE flag
  Revert "nvme: add quirk NVME_QUIRK_IGNORE_DEV_SUBNQN for 144d:a808"
  nvmet-tcp: Fix potential UAF when ddgst mismatch
  nvme-pci: fix use-after-free in nvme_free_host_mem()
  nvmet-auth: Do not print DH-HMAC-CHAP secrets

    [2 lines not shown]
Delta File
+4 -14 drivers/nvme/host/ioctl.c
+8 -5 drivers/nvme/target/auth.c
+9 -0 drivers/nvme/target/Kconfig
+4 -4 drivers/nvme/host/pci.c
+5 -1 drivers/nvme/host/core.c
+3 -1 drivers/nvme/target/tcp.c
+33 -25 1 files not shown
+34 -25 7 files

Linux/linux 70eda68 drivers/hid hid-core.c hid-appletb-kbd.c

Merge tag 'hid-for-linus-2026051401' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid

Pull HID fixes from Jiri Kosina:

 - fixes for a few OOB/UAF in several HID drivers (Florian Pradines, Lee
   Jones, Michael Zaidman, Rosalie Wanders, Sangyun Kim and Tomasz
   Pakuła)

 - more general sanitation of input data, dealing with potentially
   malicious hardware in hid-core (Benjamin Tissoires)

 - a few device-specific quirks and fixups

* tag 'hid-for-linus-2026051401' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid: (22 commits)
  HID: logitech-hidpp: Add support for newer Bluetooth keyboards
  HID: pidff: Fix integer overflow in pidff_rescale
  HID: i2c-hid: add reset quirk for BLTP7853 touchpad
  HID: core: introduce hid_safe_input_report()
  HID: pass the buffer size to hid_report_raw_event

    [16 lines not shown]
Delta File
+53 -14 drivers/hid/hid-core.c
+37 -21 drivers/hid/hid-appletb-kbd.c
+44 -0 drivers/hid/hid-lenovo-go-s.c
+39 -1 drivers/hid/hid-logitech-hidpp.c
+16 -0 drivers/hid/hid-magicmouse.c
+14 -2 drivers/hid/hid-ft260.c
+203 -38 22 files not shown
+280 -89 28 files

Linux/linux 48f76a1 drivers/acpi button.c ac.c

Merge tag 'acpi-7.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull ACPI support fixes from Rafael Wysocki:
 "These fix several platform drivers that use the ACPI companion of the
  given platform device without checking its presence, which may lead to
  a NULL pointer dereference or other kind of malfunction if the driver
  is forced to match a device without an ACPI companion via driver
  override, and restore debug log level for some messages in the ACPI
  CPPC library:

   - Check ACPI_COMPANION() against NULL during probe in several core
     ACPI device drivers (Rafael Wysocki)

   - Restore log level of messages in amd_set_max_freq_ratio() (Mario
     Limonciello)"

* tag 'acpi-7.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  ACPI: PAD: xen: Check ACPI_COMPANION() against NULL
  ACPI: driver: Check ACPI_COMPANION() against NULL during probe
  Revert "ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to warn"
Delta File
+7 -2 drivers/acpi/button.c
+5 -1 drivers/acpi/ac.c
+5 -1 drivers/acpi/acpi_pad.c
+5 -1 drivers/acpi/acpi_tad.c
+5 -1 drivers/acpi/battery.c
+5 -1 drivers/acpi/ec.c
+32 -7 10 files not shown
+76 -19 16 files

Linux/linux af149b6 arch/x86/kernel/acpi cppc.c

Merge branch 'acpi-cppc'

Merge a revert of an ACPI CPPC commit that increased the log level of
some debug messages which turned out to be a bad idea:

 - Restore log level of messages in amd_set_max_freq_ratio() (Mario
   Limonciello)

* acpi-cppc:
  Revert "ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to warn"
Delta File
+3 -3 arch/x86/kernel/acpi/cppc.c
+3 -3 1 files

Linux/linux c207f1d fs/smb/smbdirect connection.c

smbdirect: Fix error cleanup in smbdirect_map_sges_from_iter()

Fix smbdirect_map_sges_from_iter() to use pre-decrement, not post-decrement
so that it cleans up the correct slots.

Fixes: e5fbdde43017 ("cifs: Add a function to build an RDMA SGE list from an iterator")
Closes: https://sashiko.dev/#/patchset/20260326104544.509518-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells at redhat.com>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
cc: Paulo Alcantara <pc at manguebit.org>
cc: Tom Talpey <tom at talpey.com>
cc: linux-cifs at vger.kernel.org
cc: linux-fsdevel at vger.kernel.org
Signed-off-by: Steve French <stfrench at microsoft.com>
Delta File
+1 -1 fs/smb/smbdirect/connection.c
+1 -1 1 files

Linux/linux 4594437 arch/x86/xen mmu_pv.c

x86/xen: Tolerate nested XEN_LAZY_MMU entering/leaving

With the support of nested lazy mmu sections it can happen that
arch_enter_lazy_mmu_mode() is being called twice without a call of
arch_leave_lazy_mmu_mode() in between, as the lazy_mmu_*() helpers
are not disabling preemption when checking for nested lazy mmu
sections.

This is a problem when running as a Xen PV guest, as
xen_enter_lazy_mmu() and xen_leave_lazy_mmu() don't tolerate this
case.

Fix that in xen_enter_lazy_mmu() and xen_leave_lazy_mmu() in order
not to hurt all other lazy mmu mode users.

Fixes: 291b3abed657 ("x86/xen: use lazy_mmu_state when context-switching")
Tested-by: Marek Marczykowski-Górecki <marmarek at invisiblethingslab.com>
Signed-off-by: Juergen Gross <jgross at suse.com>
Message-ID: <20260508143933.493013-1-jgross at suse.com>
Delta File
+6 -2 arch/x86/xen/mmu_pv.c
+6 -2 1 files

Linux/linux 28e03f7 arch/x86/xen setup.c

x86/xen: Fix xen_e820_swap_entry_with_ram()

When swapping a not page-aligned E820 map entry with RAM, the start
address of the modified entry is calculated wrong (the offset into the
page is subtracted instead of being added to the page address).

Fixes: be35d91c8880 ("xen: tolerate ACPI NVS memory overlapping with Xen allocated memory")
Reported-by: Jan Beulich <jbeulich at suse.com>
Reviewed-by: Jan Beulich <jbeulich at suse.com>
Signed-off-by: Juergen Gross <jgross at suse.com>
Message-ID: <20260505102417.208138-1-jgross at suse.com>
Delta File
+1 -1 arch/x86/xen/setup.c
+1 -1 1 files

Linux/linux 905c559 scripts/gcc-plugins gcc-common.h

gcc-plugins: Always define CONST_CAST_GIMPLE and CONST_CAST_TREE

For gcc-16, the CONST_CAST macro family was removed. Add back what
we were using in gcc-common.h, as they are simple wrappers.

See GCC commits:
  c3d96ff9e916c02584aa081f03ab999292efbb50
  458c7926d48959abcb2c1adaa22458e27459a551

Suggested-by: Ingo Saitz <ingo at hannover.ccc.de>
Link: https://lore.kernel.org/lkml/ab6OKoay0OWkywjK@spatz.zoo
Fixes: 6b90bd4ba40b ("GCC plugin infrastructure")
Tested-by: Ivan Bulatovic <combuster at archlinux.us>
Tested-by: Christopher Cradock <christopher at cradock.myzen.co.uk>
Signed-off-by: Kees Cook <kees at kernel.org>
Delta File
+3 -1 scripts/gcc-plugins/gcc-common.h
+3 -1 1 files

Linux/linux 66182ca net/batman-adv tp_meter.c bat_iv_ogm.c, net/bridge/netfilter ebtables.c

Merge tag 'net-7.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

Pull networking fixes from Paolo Abeni:
 "Including fixes from netfilter.

  Previous releases - regressions:

   - ethtool: fix NULL pointer dereference in phy_reply_size

   - netfilter:
      - allocate hook ops while under mutex
      - close dangling table module init race
      - restore nf_conntrack helper propagation via expectation

   - tcp:
      - fix potential UAF in reqsk_timer_handler().
      - fix out-of-bounds access for twsk in tcp_ao_established_key().

   - vsock: fix empty payload in tap skb for non-linear buffers

    [58 lines not shown]
Delta File
+147 -30 net/netfilter/x_tables.c
+121 -45 net/shaper/shaper.c
+96 -20 net/batman-adv/tp_meter.c
+60 -25 net/batman-adv/bat_iv_ogm.c
+43 -28 net/bridge/netfilter/ebtables.c
+8 -51 net/ipv4/netfilter/ip_tables.c
+475 -199 91 files not shown
+1,181 -617 97 files

Linux/linux 81a8742 fs/smb/client transport.c smb2ops.c

smb: client: avoid integer overflow in SMB2 READ length check

SMB2 READ response validation in cifs_readv_receive() and
handle_read_data() checks data_offset + data_len against the received
buffer length.  Both values are attacker-controlled fields from the
server response and are stored as unsigned int, so the addition can
wrap before the bounds check:

        fs/smb/client/transport.c:1259
                if (!use_rdma_mr && (data_offset + data_len > buflen))

        fs/smb/client/smb2ops.c:4839
                else if (buf_len >= data_offset + data_len)

A malicious SMB server can use this to bypass validation.  In the
non-encrypted receive path the client attempts an oversized socket
read and stalls for the SMB response timeout (180 seconds) before
reconnecting.  In the SMB3 encrypted path, runtime testing shows the
malformed length can reach copy_to_iter() in handle_read_data() with

    [9 lines not shown]
Delta File
+9 -6 fs/smb/client/transport.c
+3 -1 fs/smb/client/smb2ops.c
+12 -7 2 files

Linux/linux eb54415 kernel audit.c auditsc.c

Merge tag 'audit-pr-20260513' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit

Pull audit fixes from Paul Moore:

 - Correctly log the inheritable capabilities

 - Honor AUDIT_LOCKED in the AUDIT_TRIM and AUDIT_MAKE_EQUIV commands

* tag 'audit-pr-20260513' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
  audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV
  audit: fix incorrect inheritable capability in CAPSET records
Delta File
+4 -0 kernel/audit.c
+1 -1 kernel/auditsc.c
+5 -1 2 files

Linux/linux 31e62c2 include/linux sched.h, kernel ptrace.c exit.c

ptrace: slightly saner 'get_dumpable()' logic

The 'dumpability' of a task is fundamentally about the memory image of
the task - the concept comes from whether it can core dump or not - and
makes no sense when you don't have an associated mm.

And almost all users do in fact use it only for the case where the task
has a mm pointer.

But we have one odd special case: ptrace_may_access() uses 'dumpable' to
check various other things entirely independently of the MM (typically
explicitly using flags like PTRACE_MODE_READ_FSCREDS).  Including for
threads that no longer have a VM (and maybe never did, like most kernel
threads).

It's not what this flag was designed for, but it is what it is.

The ptrace code does check that the uid/gid matches, so you do have to
be uid-0 to see kernel thread details, but this means that the

    [12 lines not shown]
Delta File
+16 -6 kernel/ptrace.c
+3 -0 include/linux/sched.h
+1 -0 kernel/exit.c
+20 -6 3 files

Linux/linux ab26dfe fs/smb/client fs_context.c

cifs: client: stage smb3_reconfigure() updates and restore ctx on failure

smb3_reconfigure() moves strings out of cifs_sb->ctx before the
multichannel update, so a later failure can leave the live context
with NULL strings or options that do not match the session.

Stage the new ctx separately, commit it only on success, and restore
the snapshot on failure. Also make smb3_sync_session_ctx_passwords()
all-or-nothing.

Commit session passwords before channel updates so newly added channels
authenticate with the staged credentials.

Fixes: ef529f655a2c ("cifs: client: allow changing multichannel mount options on remount")
Reported-by: RAJASI MANDAL <rajasimandalos at gmail.com>
Closes: https://lore.kernel.org/lkml/CAEY6_V1+dzW3OD5zqXhsWyXwrDTrg5tAMGZ1AJ7_GAuRE+aevA@mail.gmail.com/
Link: https://lore.kernel.org/lkml/xkr2dlvgibq5j6gkcxd3yhhnj4atgxw2uy4eug2pxm7wy7nbms@iq6cf5taa65v/
Reviewed-by: Henrique Carvalho <henrique.carvalho at suse.com>
Signed-off-by: DaeMyung Kang <charsyam at gmail.com>
Signed-off-by: Steve French <stfrench at microsoft.com>
Delta File
+109 -54 fs/smb/client/fs_context.c
+109 -54 1 files

Linux/linux a6ab756 drivers/nvme/host apple.c

nvme-apple: Reset q->sq_tail during queue init

Fixes a "duplicate tag error for tag 0" firmware crash during controller
reset while setting up a queue on Apple A11 / T8015 caused by stale
entries in the submission queue due to an invalid sq_tail offset after
reset.

Fixes: 04d8ecf37b5e ("nvme: apple: Add Apple A11 support")
Cc: stable at vger.kernel.org
Suggested-by: Yuriy Havrylyuk <yhavry at gmail.com>
Reviewed-by: Sven Peter <sven at kernel.org>
Signed-off-by: Nick Chan <towinchenmi at gmail.com>
Signed-off-by: Keith Busch <kbusch at kernel.org>
Delta File
+1 -0 drivers/nvme/host/apple.c
+1 -0 1 files

Linux/linux 7d9a7f1 fs/smb/client smb2file.c

smb/client: fix possible infinite loop and oob read in symlink_data()

On 32-bit architectures, the infinite loop is as follows:

  len = p->ErrorDataLength == 0xfffffff8
  u8 *next = p->ErrorContextData + len
  next == p

On 32-bit architectures, the out-of-bounds read is as follows:

  len = p->ErrorDataLength == 0xfffffff0
  u8 *next = p->ErrorContextData + len
  next == (u8 *)p - 8

Reported-by: ChenXiaoSong <chenxiaosong at kylinos.cn>
Fixes: 76894f3e2f71 ("cifs: improve symlink handling for smb2+")
Cc: stable at vger.kernel.org
Signed-off-by: Ye Bin <yebin10 at huawei.com>
Reviewed-by: ChenXiaoSong <chenxiaosong at kylinos.cn>
Signed-off-by: Steve French <stfrench at microsoft.com>
Delta File
+3 -0 fs/smb/client/smb2file.c
+3 -0 1 files

Linux/linux c78bdba drivers/net/phy dp83tc811.c

net: phy: DP83TC811: add reading of abilities

At this time the driver is not listing any speeds
it supports. This should be ETHTOOL_LINK_MODE_100baseT1_Full_BIT
for DP83TC811. Add the missing call for phylib to read the abilities.

Fixes: b753a9faaf9a ("net: phy: DP83TC811: Introduce support for the DP83TC811 phy")
Suggested-by: Andrew Lunn <andrew at lunn.ch>
Signed-off-by: Sven Schuchmann <schuchmann at schleissheimer.de>
Reviewed-by: Andrew Lunn <andrew at lunn.ch>
Link: https://patch.msgid.link/20260512071949.6218-1-schuchmann@schleissheimer.de
[pabeni at redhat.com: dropped revision history]
Signed-off-by: Paolo Abeni <pabeni at redhat.com>
Delta File
+1 -0 drivers/net/phy/dp83tc811.c
+1 -0 1 files

Linux/linux f2e65e4 Documentation/process threat-model.rst

docs: threat-model: don't limit root capabilities to CAP_SYS_ADMIN

The threat-model document says that only users with CAP_SYS_ADMIN can carry
out a number of admin-level tasks, but there are numerous capabilities that
can confer that sort of power.  Generalize the text slightly to make it
clear that CAP_SYS_ADMIN is not the only all-powerful capability.

Acked-by: Willy Tarreau <w at 1wt.eu>
Signed-off-by: Jonathan Corbet <corbet at lwn.net>
Delta File
+2 -1 Documentation/process/threat-model.rst
+2 -1 1 files

Linux/linux 561458d Documentation/process security-bugs.rst threat-model.rst

docs: security-bugs: add a link to the threat-model documentation

Rather than make readers search for this document, just add a link to it where
it is referenced.

(While I was at it, I removed the unused and unneeded _threatmodel label
from the top of threat-model.rst).

Acked-by: Willy Tarreau <w at 1wt.eu>
Reviewed-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
Signed-off-by: Jonathan Corbet <corbet at lwn.net>
Delta File
+7 -6 Documentation/process/security-bugs.rst
+0 -2 Documentation/process/threat-model.rst
+7 -8 2 files