Merge tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
Pull bpf fixes from Kumar Kartikeya Dwivedi:
- Fix a UAF in socket clone early bailout paths (Matt Bobrowski)
- Reject unhashed UDP sockets on sockmap update to prevent refcount
leaks (Michal Luczaj)
- Account for receive queue data in FIONREAD on sockmap sockets without
a verdict program (Mattia Meleleo)
- Reject negative constant offsets for verifier buffer pointers (Sun
Jian)
- Fix for tracing of kfuncs with implicit arguments (Ihor Solodrai)
* tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
selftests/bpf: Cover tracing implicit kfunc args
[10 lines not shown]
Merge tag 'selinux-pr-20260717' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
Pull selinux fix from Paul Moore:
"A single SELinux patch to correct a problem with the overlayfs mmap()
and mprotect() fixes from earlier this year where we inadvertenly
included an additional SELinux execmem permission check on some
operations"
* tag 'selinux-pr-20260717' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
selinux: fix incorrect execmem checks on overlayfs
Merge tag 'libcrypto-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux
Pull crypto library fixes from Eric Biggers:
- Fix a build error in certain configurations
- Clarify some parts of the documentation
- Remove unused code that I forgot to remove in commit cf52058dcdd9
("lib/crypto: powerpc/md5: Drop powerpc optimized MD5 code")
* tag 'libcrypto-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux:
crypto: aes - Fix conditions for selecting MAC dependencies
lib/crypto: docs: Improve introduction sentence
lib/crypto: docs: Fix some sentence fragments
lib/crypto: md5: Remove support for md5_mod_init_arch()
Merge tag 'net-7.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
Pull networking fixes from Paolo Abeni:
"Including fixes from Wireless, IPsec, Netfilter and Bluetooth.
Current release - new code bugs:
- netfilter: flowtable: use correct direction to set up tunnel route
Previous releases - regressions:
- wifi:
- mac80211:
- free AP_VLAN bc_buf SKBs outside IRQ lock
- defer link RX stats percpu free to RCU
- fix double free on alloc failure
- cfg80211: convert pmsr_free_wk to wiphy_work to fix deadlock
- ipv4: free fib_alias with kfree_rcu() on insert error path
[55 lines not shown]
Merge tag 'mtd/fixes-for-7.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux
Pull mtd fixes from Miquel Raynal:
"Among the most important fixes that we have here, there are:
- the revert of the uclinux map driver which was presumed to
be no longer used but in fact was
- the use of SPI match data to get chip capabilities in the
mchp23k256 driver
- several fixes addressing the newly introduced virt-concat
support
- a missing build dependency on ndfc
as well as the usual load (if not actually bigger than usual) of
uninitialized variables, leaks, double free, and AI fuzzed issues
being fixed"
[21 lines not shown]
Merge tag 'mmc-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc
Pull MMC fixes from Ulf Hansson:
"MMC core:
- Fix RPMB device unregister ordering
- Fix __counted_by handling in mmc_test
MMC host:
- mtk-sd: Document missing clocks for MT8189
- sdhci-esdhc-imx: Fix the support for system suspend/resume for SDIO
- sdhci-of-dwcmshc: Fix error handling for clock prepare/enable
- vub300:
- Fix lockdep issue for the cmd_mutex
- Fix use-after-free on probe failure
MEMSTICK:
- Reject a card that reports too many blocks"
* tag 'mmc-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
[15 lines not shown]
Merge tag 'soc-fixes-7.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
Pull SoC fixes from Arnd Bergmann:
"There are only three devicetree fixes this time: one critical memory
corruption fix for Renesas and three minor corrections for Tegra.
The MAINTAINERS file is updated for a new maintainer of the CIX
platform and two address changes.
The rest is all driver fixes, mostly firmware:
- multiple runtime issues in ARM SCMI and FF-A firmware code, dealing
with error handling for corner cases in firmware.
- multiple fixes for reset drivers, dealing with individual platform
specific mistakes and more error handling
- minor build and runtime fixes for the Tegra SoC drivers"
[21 lines not shown]
Merge tag 'powerpc-7.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux
Pull powerpc fixes from Madhavan Srinivasan:
- Enable CONFIG_VPA_PMU to be used with KVM
- Initialize starttime at boot for native accounting
- Set CPU_FTR_P11_PVR for Power11 and later processors
- fix memory leak on krealloc failure in papr_init
- Misc fixes and cleanups
Thanks to Amit Machhiwal, Christophe Leroy (CS GROUP), Ethan
Nelson-Moore, Gautam Menghani, Harsh Prateek Bora, Junrui Luo, Mukesh
Kumar Chaurasiya (IBM), Ritesh Harjani (IBM), Rosen Penev, Shrikanth
Hegde, Thorsten Blum, and Yuhao Jiang
[9 lines not shown]
mpls: fix NULL deref in mpls_valid_fib_dump_req() on CONFIG_INET=n
On CONFIG_INET=n builds, mpls_valid_fib_dump_req() walks the parsed
attribute table itself instead of calling ip_valid_fib_dump_req(). The
RTA_OIF arm passes tb[RTA_OIF] to nla_get_u32() without checking it is
present, so an RTM_GETROUTE dump for AF_MPLS with strict checking and no
RTA_OIF hits a NULL dereference.
RTM_GETROUTE is RTNL_KIND_GET, which rtnetlink_rcv_msg() permits without
CAP_NET_ADMIN, so an unprivileged user can trigger it.
Oops: general protection fault, probably for non-canonical address
0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:mpls_valid_fib_dump_req (net/mpls/af_mpls.c:2189)
Call Trace:
mpls_dump_routes (net/mpls/af_mpls.c:2236)
netlink_dump (net/netlink/af_netlink.c:2331)
__netlink_dump_start (net/netlink/af_netlink.c:2446)
[20 lines not shown]
llc: fix SAP refcount leak when creating incoming sockets
llc_sap_add_socket() takes a SAP reference for each socket added to a SAP,
and llc_sap_remove_socket() releases it. llc_create_incoming_sock() takes
an additional SAP reference after adding the child socket.
This extra reference was balanced by an explicit llc_sap_put() in
llc_ui_release() until commit 3100aa9d74db ("llc: fix SAP reference
counting w.r.t. socket handling") removed that put. The corresponding hold
in the accept path was left behind.
When such a child socket is removed, only the reference taken by
llc_sap_add_socket() is released. The extra reference keeps the SAP alive
after its last socket is removed. Remove the obsolete hold.
Fixes: 3100aa9d74db ("llc: fix SAP reference counting w.r.t. socket handling")
Cc: stable at vger.kernel.org
Signed-off-by: Xuanqiang Luo <luoxuanqiang at kylinos.cn>
Link: https://patch.msgid.link/20260712130343.518797-1-xuanqiang.luo@linux.dev
Signed-off-by: Paolo Abeni <pabeni at redhat.com>
selftests: netconsole: only restore MAC when it changed on resume
The "mac" bind mode reactivation downs the interface, restores the saved
MAC and renames it to trigger a target resume. This assumes the recreated
interface comes back with a different MAC, which is true under
MACAddressPolicy=none (as on the Netdev CI) but not when MACs are
persistent. In the persistent case netconsole resumes the target on its
own, and the down/restore/rename flow instead drops it and fails the test.
Guard the block on the MAC having actually changed so the test passes
under both policies.
Fixes: 6ecc08329bab ("selftests: netconsole: validate target resume")
Reported-by: Matthieu Baerts (NGI0) <matttbe at kernel.org>
Closes: https://lore.kernel.org/netdev/f398373e-2cb4-4649-a491-9763df94d98b@kernel.org/
Signed-off-by: Andre Carvalho <asantostc at gmail.com>
Tested-by: Matthieu Baerts (NGI0) <matttbe at kernel.org>
Reviewed-by: Breno Leitao <leitao at debian.org>
Link: https://patch.msgid.link/20260710-netcons-mac-reload-v1-1-3fb1bcc70b4a@gmail.com
Signed-off-by: Paolo Abeni <pabeni at redhat.com>
bnxt_en: Handle partially initialized auxiliary devices
bnxt_aux_devices_init() calls auxiliary_device_init() before all fields
used by bnxt_aux_dev_release() are initialized. After
auxiliary_device_init() succeeds, later errors must unwind with
auxiliary_device_uninit(), which invokes the release callback.
The release callback assumes that aux_priv->id, aux_priv->edev,
edev->net and edev->ulp_tbl are all populated. If allocation fails
after auxiliary_device_init(), the release path can otherwise dereference
or clear partially initialized state.
Allocate and attach the bnxt_en_dev and ULP table before calling
auxiliary_device_init(), so the release callback only sees a fully
initialized auxiliary private object. If auxiliary_device_init() itself
fails, free those allocations directly because device_initialize() has not
run and the release callback will not be invoked.
This issue was found by a static analysis checker and confirmed by manual
[7 lines not shown]
sctp: fix auth_hmacs array size in struct sctp_cookie
The auth_hmacs array in struct sctp_cookie is supposed to store a complete
SCTP_AUTH_HMAC_ALGO parameter, which consists of a struct sctp_paramhdr
followed by N HMAC identifiers.
However, the array size was calculated using an extra 2 bytes instead of
sizeof(struct sctp_paramhdr), which is 4 bytes. When four HMAC identifiers
are configured, the HMAC-ALGO parameter stored in the endpoint is larger
than the auth_hmacs buffer in the cookie.
As a result, sctp_association_init() copies beyond the end of auth_hmacs
when initializing the association, corrupting the adjacent auth_chunks
field. This can lead to an invalid HMAC identifier being accepted and later
cause an out-of-bounds read in sctp_auth_get_hmac().
Fix the array size calculation by including the full SCTP parameter header
size.
[8 lines not shown]
net/sched: act_tunnel_key: Defer dst_release to RCU callback
Fix a race-condition use-after-free in tunnel_key_release_params().
The function releases the metadata_dst of the old params synchronously
via dst_release() while deferring the params struct free with
kfree_rcu(). A concurrent tunnel_key_act() reader on the datapath may
still hold the old params pointer (under rcu_read_lock_bh) and proceed
to call dst_clone(¶ms->tcft_enc_metadata->dst) after the writer's
dst_release has already pushed the dst's rcuref to RCUREF_DEAD.
zdi-disclosures at trendmicro.com produced a poc which i (and Victor) verified
that KASAN reports:
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:112
BUG: KASAN: slab-use-after-free in atomic_sub_return_release include/linux/atomic/atomic-instrumented.h:326
BUG: KASAN: slab-use-after-free in __rcuref_put include/linux/rcuref.h:109
BUG: KASAN: slab-use-after-free in rcuref_put include/linux/rcuref.h:173
[113 lines not shown]
dpll: fix NULL pointer dereference in dpll_msg_add_pin_ref_sync()
When a dpll_pin is shared across multiple dpll_device instances and
those devices are being unregistered (e.g. during driver module removal),
a NULL pointer dereference can occur in dpll_msg_add_pin_ref_sync().
This happens under the following conditions:
- A pin is registered with two or more dpll devices (dpll_A, dpll_B)
- The pin has ref_sync pairs with other pins
- During unregistration of dpll_A's pins, a ref_sync partner pin is
unregistered first, removing it from dpll_A->pin_refs
- But since the partner pin is still registered with dpll_B, its
dpll_refs is not empty, so dpll_pin_ref_sync_pair_del() does NOT
run and the partner stays in the pin's ref_sync_pins xarray
- When the pin itself is then unregistered from dpll_A, the delete
notification calls dpll_msg_add_pin_ref_sync() which finds the
partner in ref_sync_pins, passes dpll_pin_available() (partner is
still registered with dpll_B), but dpll_pin_on_dpll_priv(dpll_A,
partner) returns NULL because partner was already removed from
[23 lines not shown]
tcp: fix TIME_WAIT socket reference leak on PSP policy failure
Release the TIME_WAIT socket reference and jump to discard_it
upon PSP policy failure in both IPv4 and IPv6 receive paths.
This prevents a memory leak of tcp_tw_bucket structures.
Fixes: 659a2899a57d ("tcp: add datapath logic for PSP with inline key exchange")
Signed-off-by: Eric Dumazet <edumazet at google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu at google.com>
Reviewed-by: Daniel Zahka <daniel.zahka at gmail.com>
Link: https://patch.msgid.link/20260710181317.4060230-1-edumazet@google.com
Signed-off-by: Paolo Abeni <pabeni at redhat.com>
net/mlx5: free mlx5_st_idx_data on final dealloc
Workloads that repeatedly allocate and release mkeys carrying TPH
steering-tag hints (e.g. churning RDMA MRs) leak one
struct mlx5_st_idx_data per cycle; kmemleak flags it as unreferenced
and the kmalloc slab grows over time.
When the last reference to an ST table entry is dropped,
mlx5_st_dealloc_index() removed the entry from idx_xa but the backing
mlx5_st_idx_data allocation was never freed.
Free idx_data after the xa_erase() so the lifetime of the bookkeeping
struct matches the lifetime of the ST entry it tracks.
Cc: stable at vger.kernel.org
Fixes: 888a7776f4fb ("net/mlx5: Add support for device steering tag")
Reviewed-by: Michael Gur <michaelgur at nvidia.com>
Signed-off-by: Zhiping Zhang <zhipingz at meta.com>
Reviewed-by: Leon Romanovsky <leonro at nvidia.com>
[3 lines not shown]
Merge tag 'linux-can-fixes-for-7.2-20260716' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
Marc Kleine-Budde says:
====================
pull-request: can 2026-07-16
this is a pull request of 19 patches for net/main.
The first patch is by Alexander Hölzl and fixes the Kconfig
description of the vxcan driver.
Next patch by Fan Wu fixes the tear down order in the esd_usb driver.
Followed by a patch by Oliver Hartkopp that adds missing locking for
the raw flags in the CAN_RAW protocol.
Shuhao Fu's patch for the j1939 protocol fix lockless
local-destination check.
[37 lines not shown]
Merge tag 'for-net-2026-07-13' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth
Luiz Augusto von Dentz says:
====================
bluetooth pull request for net:
- hci_sync: hold hdev->lock for hci_conn_params lookups
- hci_sync: extend conn_hash lookup critical sections
- hci_qca: Clear memdump state on invalid dump size
- MGMT: revalidate LOAD_CONN_PARAM queued update
- MGMT: Translate HCI reason in Device Disconnected event
- MGMT: fix locking in unpair_device/disconnect_sync
- MGMT: hold reference for hci_conn in mgmt_pending_cmds
- btrtl: validate firmware patch bounds
- qca: fix NVM tag length underflow in TLV parser
* tag 'for-net-2026-07-13' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
Bluetooth: mgmt: Translate HCI reason in Device Disconnected event
[12 lines not shown]
Merge tag 'nf-26-07-10' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf
Florian Westphal says:
====================
netfilter: updates for net
The following patchset contains Netfilter fixes for *net*.
These are fixes for bugs except patches 6 and 9 which fix issues added in
last PR and 7.1-rc1.
1) Reject unsupported target families in xt_nat_checkentry().
From Wyatt Feng.
2) Fix inverted time_after() check in ecache_work_evict_list().
Causes pointless work rescheds and thus way longer time to
clear the pending event backlog. From Yizhou Zhao.
3) Fix a use-after-free in br_ip6_fragment() caused by a dangling prevhdr
[38 lines not shown]
Merge tag 'v7.2-rc3-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6
Pull smb client fixes from Steve French:
- fallocate fixes
- unit test fixes
- fix allocation size after duplicate extents
- fix check for overlapping data areas
* tag 'v7.2-rc3-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
smb/client: flush dirty data before punching a hole
smb/client: Use EXPORT_SYMBOL_IF_KUNIT() to export symbols in SMB2
smb/client: Use EXPORT_SYMBOL_IF_KUNIT() to export symbols
smb: client: reject overlapping data areas in SMB2 responses
smb/client: refresh allocation after EOF-extending fallocate
smb/client: emulate small EOF-extending mode 0 fallocate ranges
[4 lines not shown]
Merge branch 'bpf-fix-tracing-of-kfuncs-with-implicit-args'
Ihor Solodrai says:
====================
bpf: Fix tracing of kfuncs with implicit args
Tejun reported an issue where a BPF program tracing a kfunc with
KF_IMPLICIT_ARGS can crash the kernel [1]. This is caused by a bug in
bpf_check_attach_target(): the btf_func_model for such a kfunc is
computed from a wrong BTF prototype. For more details see the commit
message of patch #1.
The second patch adds a selftest that can catch this situation.
The fix is a candidate for 7.1 backport.
[1] https://github.com/sched-ext/scx/issues/3687#issuecomment-4906694106
---
[21 lines not shown]
selftests/bpf: Cover tracing implicit kfunc args
KF_IMPLICIT_ARGS kfuncs have a BPF-call prototype and a real kernel
target prototype. Add a tracing selftest that attaches fentry and fexit
programs to bpf_kfunc_implicit_arg(), runs a syscall BPF program that
calls it, and checks that the tracing context exposes both the explicit
argument and the implicit prog aux pointer.
Co-developed-by: Ihor Solodrai <ihor.solodrai at linux.dev>
Signed-off-by: Kumar Kartikeya Dwivedi <memxor at gmail.com>
Signed-off-by: Ihor Solodrai <ihor.solodrai at linux.dev>
Link: https://patch.msgid.link/20260713235223.1639022-3-ihor.solodrai@linux.dev
Signed-off-by: Eduard Zingerman <eddyz87 at gmail.com>
bpf: Fix tracing of kfuncs with implicit args
A kfunc marked with KF_IMPLICIT_ARGS flag takes implicit arguments
(such as bpf_prog_aux) that the verifier injects at load time.
resolve_btfids strips those from the kfunc's BTF-visible prototype and
keeps the real kernel ABI in a counterpart _impl prototype [1].
fentry/fexit/fmod_ret/fsession programs may attach to the BPF kernel
functions, including those with implicit args. However
bpf_check_attach_target() and bpf_check_attach_btf_id_multi() extract
the struct btf_func_model from the wrong BTF prototype of the
kfunc. The btf_func_model is later read to construct the trampoline,
which then causes the injected implicit argument to be clobbered and
the kfunc dereferencing garbage.
Add btf_attach_func_proto() to resolve the real ABI prototype of the
kfunc the way the call site does: by looking up the _impl prototype
for a KF_IMPLICIT_ARGS kfunc. Use it at both attach-target model
construction sites.
[30 lines not shown]
Merge tag 'landlock-7.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux
Pull landlock fix from Mickaël Salaün:
"This fixes TCP Fast Open support, specific test environments, and doc
warnings"
* tag 'landlock-7.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux:
selftests/landlock: Skip scoped_signal subtest with MSG_OOB if not available
selftests/landlock: Fix screwed up pointers in the scoped_signal_test
landlock: Update formatting
landlock: Fix kernel-doc for the nested quiet layer flag
selftests/landlock: Add test for TCP fast open
landlock: Fix TCP Fast Open connection bypass
Merge tag 'xfs-fixes-7.2-rc4' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
Pull xfs fixes from Carlos Maiolino:
"This contains mostly a series of bug fixes found by different LLM
models"
* tag 'xfs-fixes-7.2-rc4' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux: (21 commits)
xfs: don't zap bmbt forks if they are MAXLEVELS tall
xfs: clamp timestamp nanoseconds correctly
xfs: fully check the parent handle when it points to the rootdir
xfs: handle non-inode owners for rtrmap record checking
xfs: fix off-by-one error when calling xchk_xref_has_rt_owner
xfs: set xfarray killable sort correctly
xfs: grab rtrmap btree when checking rgsuper
xfs: write the rg superblock when fixing it
xfs: use the rt version of the cow staging checker
xfs: use rtrefcount btree cursor in xchk_xref_is_rt_cow_staging
xfs: don't wrap around quota ids in dqiterate
xfs: move cow_replace_mapping to xfs_bmap_util.c
[9 lines not shown]
Merge tag 'erofs-for-7.2-rc4-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs
Pull erofs fixes from Gao Xiang:
- Fix sanity checks for ztailpacking tail pclusters to avoid
false corruption reports
- Use more informative s_id for file-backed mounts
- Hide the meaningless "cache_strategy=" mount option on plain
(uncompressed) filesystems
- Remove the unneeded erofs_is_ishare_inode() helper
* tag 'erofs-for-7.2-rc4-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs:
erofs: hide "cache_strategy=" for plain filesystems
erofs: get rid of erofs_is_ishare_inode() helper
erofs: relax sanity check for tail pclusters due to ztailpacking
erofs: use more informative s_id for file-backed mounts
Merge tag 'pm-7.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
Pull power management fixes from Rafael Wysocki:
"These fix two cpufreq issues, one in the intel_pstate driver and one
in the core:
- Make cpufreq_update_pressure() use cpuinfo.max_freq as the default
reference frequency when arch_scale_freq_ref() returns 0 to allow
the scheduler to still take CPU frequency caps into account in
those cases (Rafael Wysocki)
- Use the HWP guaranteed performance level as the full capacity
performance in intel_pstate on hybrid systems when turbo
frequencies are not allowed to be used to make scale-invariance
work as expected in those cases (Rafael Wysocki)"
* tag 'pm-7.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
cpufreq: Make cpufreq_update_pressure() fall back to cpuinfo.max_freq
cpufreq: intel_pstate: Set non-turbo capacity to HWP_GUARANTEED_PERF()
Merge tag 'pmdomain-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm
Pull pmdomain fixes from Ulf Hansson:
"imx:
- Assign child domains for imx93 to prevent power off when in use
- Fix i.MX8MP power up sequences
mediatek:
- Fix possible nullptr in HWV cleanup/on-check"
* tag 'pmdomain-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm:
pmdomain: mediatek: Fix possible nullptr KP in HWV cleanup/on-check
pmdomain: imx: Fix i.MX8MP VC8000E power up sequence
pmdomain: imx: Fix i.MX8MP power notifier
pmdomain: imx93-blk-ctrl: Extract PHY as shared domain for DSI/CSI
dt-bindings: power: imx93: Add MIPI PHY power domain
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
Pull kvm fixes from Paolo Bonzini:
"arm64:
- Fix an accounting buglet when reclaiming pages from a protected
guest
- Fix a bunch of architectural compliance issues when injecting a
synthesised exception, most of which were missing the PSTATE.IL bit
indicating a 32bit-wide instruction
- Another set of fixes addressing issues with translation of
VNCR_EL2, including corner cases where the guest point that
register at a RO page...
- Don't warn when trapping accesses to ZCR_EL2 from an L2 guest, as
that's not unexpected at all
[76 lines not shown]