Linux/linux 94515f3kernel/bpf verifier.c, tools/testing/selftests/bpf/prog_tests raw_tp_writable_reject_bad_access.c sockmap_basic.c

Merge tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf

Pull bpf fixes from Kumar Kartikeya Dwivedi:

 - Fix a UAF in socket clone early bailout paths (Matt Bobrowski)

 - Reject unhashed UDP sockets on sockmap update to prevent refcount
   leaks (Michal Luczaj)

 - Account for receive queue data in FIONREAD on sockmap sockets without
   a verdict program (Mattia Meleleo)

 - Reject negative constant offsets for verifier buffer pointers (Sun
   Jian)

 - Fix for tracing of kfuncs with implicit arguments (Ihor Solodrai)

* tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
  selftests/bpf: Cover tracing implicit kfunc args

    [10 lines not shown]
DeltaFile
+72-25kernel/bpf/verifier.c
+77-0tools/testing/selftests/bpf/progs/kfunc_implicit_args_tracing.c
+57-0tools/testing/selftests/bpf/prog_tests/raw_tp_writable_reject_bad_access.c
+42-3tools/testing/selftests/bpf/prog_tests/sockmap_basic.c
+0-43tools/testing/selftests/bpf/prog_tests/raw_tp_writable_reject_nbd_invalid.c
+36-0tools/testing/selftests/bpf/prog_tests/kfunc_implicit_args_tracing.c
+284-7112 files not shown
+397-10518 files

Linux/linux 8fc5743security/selinux hooks.c

Merge tag 'selinux-pr-20260717' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

Pull selinux fix from Paul Moore:
 "A single SELinux patch to correct a problem with the overlayfs mmap()
  and mprotect() fixes from earlier this year where we inadvertenly
  included an additional SELinux execmem permission check on some
  operations"

* tag 'selinux-pr-20260717' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: fix incorrect execmem checks on overlayfs
DeltaFile
+24-18security/selinux/hooks.c
+24-181 files

Linux/linux 0dde292Documentation/crypto libcrypto-hash.rst libcrypto-blockcipher.rst, crypto Kconfig

Merge tag 'libcrypto-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux

Pull crypto library fixes from Eric Biggers:

 - Fix a build error in certain configurations

 - Clarify some parts of the documentation

 - Remove unused code that I forgot to remove in commit cf52058dcdd9
   ("lib/crypto: powerpc/md5: Drop powerpc optimized MD5 code")

* tag 'libcrypto-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux:
  crypto: aes - Fix conditions for selecting MAC dependencies
  lib/crypto: docs: Improve introduction sentence
  lib/crypto: docs: Fix some sentence fragments
  lib/crypto: md5: Remove support for md5_mod_init_arch()
DeltaFile
+20-18Documentation/crypto/libcrypto-hash.rst
+0-14lib/crypto/md5.c
+3-3Documentation/crypto/libcrypto-blockcipher.rst
+3-2Documentation/crypto/libcrypto.rst
+2-2crypto/Kconfig
+1-2lib/crypto/Kconfig
+29-411 files not shown
+30-427 files

Linux/linux e13caf1net/bluetooth mgmt.c hci_sync.c, net/can bcm.c isotp.c

Merge tag 'net-7.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

Pull networking fixes from Paolo Abeni:
 "Including fixes from Wireless, IPsec, Netfilter and Bluetooth.

  Current release - new code bugs:

    - netfilter: flowtable: use correct direction to set up tunnel route

  Previous releases - regressions:

    - wifi:
       - mac80211:
          - free AP_VLAN bc_buf SKBs outside IRQ lock
          - defer link RX stats percpu free to RCU
          - fix double free on alloc failure
       - cfg80211: convert pmsr_free_wk to wiphy_work to fix deadlock

    - ipv4: free fib_alias with kfree_rcu() on insert error path

    [55 lines not shown]
DeltaFile
+497-157net/can/bcm.c
+227-71net/can/isotp.c
+157-44net/openvswitch/flow_netlink.c
+74-31net/wireless/mlme.c
+91-14net/bluetooth/mgmt.c
+60-8net/bluetooth/hci_sync.c
+1,106-32592 files not shown
+1,688-60898 files

Linux/linux af5e34adrivers/mtd mtdcore.c, drivers/mtd/maps uclinux.c

Merge tag 'mtd/fixes-for-7.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux

Pull mtd fixes from Miquel Raynal:
 "Among the most important fixes that we have here, there are:

   - the revert of the uclinux map driver which was presumed to
     be no longer used but in fact was

   - the use of SPI match data to get chip capabilities in the
     mchp23k256 driver

   - several fixes addressing the newly introduced virt-concat
     support

   - a missing build dependency on ndfc

  as well as the usual load (if not actually bigger than usual) of
  uninitialized variables, leaks, double free, and AI fuzzed issues
  being fixed"

    [21 lines not shown]
DeltaFile
+118-0drivers/mtd/maps/uclinux.c
+19-5drivers/mtd/nand/ecc-mtk.c
+19-4drivers/mtd/mtdcore.c
+10-2drivers/mtd/nand/raw/lpc32xx_slc.c
+10-2drivers/mtd/nand/raw/lpc32xx_mlc.c
+8-1drivers/mtd/nand/raw/fsl_ifc_nand.c
+184-1411 files not shown
+224-2317 files

Linux/linux 45419d0Documentation/devicetree/bindings/mmc mtk-sd.yaml, drivers/memstick/core ms_block.c

Merge tag 'mmc-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc

Pull MMC fixes from Ulf Hansson:
 "MMC core:
   - Fix RPMB device unregister ordering
   - Fix __counted_by handling in mmc_test

  MMC host:
   - mtk-sd: Document missing clocks for MT8189
   - sdhci-esdhc-imx: Fix the support for system suspend/resume for SDIO
   - sdhci-of-dwcmshc: Fix error handling for clock prepare/enable
   - vub300:
       - Fix lockdep issue for the cmd_mutex
       - Fix use-after-free on probe failure

  MEMSTICK:
   - Reject a card that reports too many blocks"

* tag 'mmc-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:

    [15 lines not shown]
DeltaFile
+58-33drivers/mmc/host/sdhci-esdhc-imx.c
+24-12drivers/mmc/host/vub300.c
+28-1Documentation/devicetree/bindings/mmc/mtk-sd.yaml
+11-7drivers/mmc/core/mmc_test.c
+9-5drivers/mmc/host/sdhci-of-dwcmshc.c
+4-0drivers/memstick/core/ms_block.c
+134-581 files not shown
+135-607 files

Linux/linux 111e7b2. MAINTAINERS, arch/arm64/boot/dts/nvidia tegra234.dtsi

Merge tag 'soc-fixes-7.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc

Pull SoC fixes from Arnd Bergmann:
 "There are only three devicetree fixes this time: one critical memory
  corruption fix for Renesas and three minor corrections for Tegra.

  The MAINTAINERS file is updated for a new maintainer of the CIX
  platform and two address changes.

  The rest is all driver fixes, mostly firmware:

   - multiple runtime issues in ARM SCMI and FF-A firmware code, dealing
     with error handling for corner cases in firmware.

   - multiple fixes for reset drivers, dealing with individual platform
     specific mistakes and more error handling

   - minor build and runtime fixes for the Tegra SoC drivers"


    [21 lines not shown]
DeltaFile
+41-0arch/arm64/boot/dts/renesas/r8a78000-ironhide.dts
+21-8drivers/firmware/arm_ffa/driver.c
+12-12arch/arm64/boot/dts/nvidia/tegra234.dtsi
+8-5drivers/firmware/arm_scmi/clock.c
+6-6MAINTAINERS
+6-0drivers/reset/reset-imx7.c
+94-3112 files not shown
+114-5118 files

Linux/linux 6917aa7arch/powerpc/include/asm preempt.h, arch/powerpc/kernel dt_cpu_ftrs.c time.c

Merge tag 'powerpc-7.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux

Pull powerpc fixes from Madhavan Srinivasan:

 - Enable CONFIG_VPA_PMU to be used with KVM

 - Initialize starttime at boot for native accounting

 - Set CPU_FTR_P11_PVR for Power11 and later processors

 - fix memory leak on krealloc failure in papr_init

 - Misc fixes and cleanups

Thanks to Amit Machhiwal, Christophe Leroy (CS GROUP), Ethan
Nelson-Moore, Gautam Menghani, Harsh Prateek Bora, Junrui Luo, Mukesh
Kumar Chaurasiya (IBM), Ritesh Harjani (IBM), Rosen Penev, Shrikanth
Hegde, Thorsten Blum, and Yuhao Jiang


    [9 lines not shown]
DeltaFile
+0-16arch/powerpc/include/asm/preempt.h
+9-0arch/powerpc/kernel/dt_cpu_ftrs.c
+3-5arch/powerpc/platforms/pseries/papr_platform_attributes.c
+4-2arch/powerpc/platforms/cell/spufs/file.c
+3-1arch/powerpc/kernel/time.c
+1-1arch/powerpc/lib/vmx-helper.c
+20-253 files not shown
+24-269 files

Linux/linux 56d96fenet/mpls af_mpls.c

mpls: fix NULL deref in mpls_valid_fib_dump_req() on CONFIG_INET=n

On CONFIG_INET=n builds, mpls_valid_fib_dump_req() walks the parsed
attribute table itself instead of calling ip_valid_fib_dump_req(). The
RTA_OIF arm passes tb[RTA_OIF] to nla_get_u32() without checking it is
present, so an RTM_GETROUTE dump for AF_MPLS with strict checking and no
RTA_OIF hits a NULL dereference.

RTM_GETROUTE is RTNL_KIND_GET, which rtnetlink_rcv_msg() permits without
CAP_NET_ADMIN, so an unprivileged user can trigger it.

  Oops: general protection fault, probably for non-canonical address
        0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
  RIP: 0010:mpls_valid_fib_dump_req (net/mpls/af_mpls.c:2189)
  Call Trace:
   mpls_dump_routes (net/mpls/af_mpls.c:2236)
   netlink_dump (net/netlink/af_netlink.c:2331)
   __netlink_dump_start (net/netlink/af_netlink.c:2446)

    [20 lines not shown]
DeltaFile
+3-0net/mpls/af_mpls.c
+3-01 files

Linux/linux 2c72eb6net/llc llc_conn.c

llc: fix SAP refcount leak when creating incoming sockets

llc_sap_add_socket() takes a SAP reference for each socket added to a SAP,
and llc_sap_remove_socket() releases it. llc_create_incoming_sock() takes
an additional SAP reference after adding the child socket.

This extra reference was balanced by an explicit llc_sap_put() in
llc_ui_release() until commit 3100aa9d74db ("llc: fix SAP reference
counting w.r.t. socket handling") removed that put. The corresponding hold
in the accept path was left behind.

When such a child socket is removed, only the reference taken by
llc_sap_add_socket() is released. The extra reference keeps the SAP alive
after its last socket is removed. Remove the obsolete hold.

Fixes: 3100aa9d74db ("llc: fix SAP reference counting w.r.t. socket handling")
Cc: stable at vger.kernel.org
Signed-off-by: Xuanqiang Luo <luoxuanqiang at kylinos.cn>
Link: https://patch.msgid.link/20260712130343.518797-1-xuanqiang.luo@linux.dev
Signed-off-by: Paolo Abeni <pabeni at redhat.com>
DeltaFile
+0-1net/llc/llc_conn.c
+0-11 files

Linux/linux 04aeddftools/testing/selftests/drivers/net/netconsole netcons_resume.sh

selftests: netconsole: only restore MAC when it changed on resume

The "mac" bind mode reactivation downs the interface, restores the saved
MAC and renames it to trigger a target resume. This assumes the recreated
interface comes back with a different MAC, which is true under
MACAddressPolicy=none (as on the Netdev CI) but not when MACs are
persistent. In the persistent case netconsole resumes the target on its
own, and the down/restore/rename flow instead drops it and fails the test.

Guard the block on the MAC having actually changed so the test passes
under both policies.

Fixes: 6ecc08329bab ("selftests: netconsole: validate target resume")
Reported-by: Matthieu Baerts (NGI0) <matttbe at kernel.org>
Closes: https://lore.kernel.org/netdev/f398373e-2cb4-4649-a491-9763df94d98b@kernel.org/
Signed-off-by: Andre Carvalho <asantostc at gmail.com>
Tested-by: Matthieu Baerts (NGI0) <matttbe at kernel.org>
Reviewed-by: Breno Leitao <leitao at debian.org>
Link: https://patch.msgid.link/20260710-netcons-mac-reload-v1-1-3fb1bcc70b4a@gmail.com
Signed-off-by: Paolo Abeni <pabeni at redhat.com>
DeltaFile
+2-1tools/testing/selftests/drivers/net/netconsole/netcons_resume.sh
+2-11 files

Linux/linux 1cb8553drivers/net/ethernet/broadcom/bnxt bnxt_ulp.c

bnxt_en: Handle partially initialized auxiliary devices

bnxt_aux_devices_init() calls auxiliary_device_init() before all fields
used by bnxt_aux_dev_release() are initialized.  After
auxiliary_device_init() succeeds, later errors must unwind with
auxiliary_device_uninit(), which invokes the release callback.

The release callback assumes that aux_priv->id, aux_priv->edev,
edev->net and edev->ulp_tbl are all populated.  If allocation fails
after auxiliary_device_init(), the release path can otherwise dereference
or clear partially initialized state.

Allocate and attach the bnxt_en_dev and ULP table before calling
auxiliary_device_init(), so the release callback only sees a fully
initialized auxiliary private object.  If auxiliary_device_init() itself
fails, free those allocations directly because device_initialize() has not
run and the release callback will not be invoked.

This issue was found by a static analysis checker and confirmed by manual

    [7 lines not shown]
DeltaFile
+20-19drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c
+20-191 files

Linux/linux e0b5252include/net/sctp structs.h

sctp: fix auth_hmacs array size in struct sctp_cookie

The auth_hmacs array in struct sctp_cookie is supposed to store a complete
SCTP_AUTH_HMAC_ALGO parameter, which consists of a struct sctp_paramhdr
followed by N HMAC identifiers.

However, the array size was calculated using an extra 2 bytes instead of
sizeof(struct sctp_paramhdr), which is 4 bytes. When four HMAC identifiers
are configured, the HMAC-ALGO parameter stored in the endpoint is larger
than the auth_hmacs buffer in the cookie.

As a result, sctp_association_init() copies beyond the end of auth_hmacs
when initializing the association, corrupting the adjacent auth_chunks
field. This can lead to an invalid HMAC identifier being accepted and later
cause an out-of-bounds read in sctp_auth_get_hmac().

Fix the array size calculation by including the full SCTP parameter header
size.


    [8 lines not shown]
DeltaFile
+2-1include/net/sctp/structs.h
+2-11 files

Linux/linux f1f5c8anet/sched act_tunnel_key.c

net/sched: act_tunnel_key: Defer dst_release to RCU callback

Fix a race-condition use-after-free in tunnel_key_release_params().

The function releases the metadata_dst of the old params synchronously
via dst_release() while deferring the params struct free with
kfree_rcu(). A concurrent tunnel_key_act() reader on the datapath may
still hold the old params pointer (under rcu_read_lock_bh) and proceed
to call dst_clone(&params->tcft_enc_metadata->dst) after the writer's
dst_release has already pushed the dst's rcuref to RCUREF_DEAD.

zdi-disclosures at trendmicro.com produced a poc which i (and Victor) verified
that KASAN reports:

==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:112
BUG: KASAN: slab-use-after-free in atomic_sub_return_release include/linux/atomic/atomic-instrumented.h:326
BUG: KASAN: slab-use-after-free in __rcuref_put include/linux/rcuref.h:109
BUG: KASAN: slab-use-after-free in rcuref_put include/linux/rcuref.h:173

    [113 lines not shown]
DeltaFile
+10-4net/sched/act_tunnel_key.c
+10-41 files

Linux/linux d2e914adrivers/dpll dpll_netlink.c

dpll: fix NULL pointer dereference in dpll_msg_add_pin_ref_sync()

When a dpll_pin is shared across multiple dpll_device instances and
those devices are being unregistered (e.g. during driver module removal),
a NULL pointer dereference can occur in dpll_msg_add_pin_ref_sync().

This happens under the following conditions:
 - A pin is registered with two or more dpll devices (dpll_A, dpll_B)
 - The pin has ref_sync pairs with other pins
 - During unregistration of dpll_A's pins, a ref_sync partner pin is
   unregistered first, removing it from dpll_A->pin_refs
 - But since the partner pin is still registered with dpll_B, its
   dpll_refs is not empty, so dpll_pin_ref_sync_pair_del() does NOT
   run and the partner stays in the pin's ref_sync_pins xarray
 - When the pin itself is then unregistered from dpll_A, the delete
   notification calls dpll_msg_add_pin_ref_sync() which finds the
   partner in ref_sync_pins, passes dpll_pin_available() (partner is
   still registered with dpll_B), but dpll_pin_on_dpll_priv(dpll_A,
   partner) returns NULL because partner was already removed from

    [23 lines not shown]
DeltaFile
+3-0drivers/dpll/dpll_netlink.c
+3-01 files

Linux/linux 2c1931anet/ipv4 tcp_ipv4.c, net/ipv6 tcp_ipv6.c

tcp: fix TIME_WAIT socket reference leak on PSP policy failure

Release the TIME_WAIT socket reference and jump to discard_it
upon PSP policy failure in both IPv4 and IPv6 receive paths.
This prevents a memory leak of tcp_tw_bucket structures.

Fixes: 659a2899a57d ("tcp: add datapath logic for PSP with inline key exchange")
Signed-off-by: Eric Dumazet <edumazet at google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu at google.com>
Reviewed-by: Daniel Zahka <daniel.zahka at gmail.com>
Link: https://patch.msgid.link/20260710181317.4060230-1-edumazet@google.com
Signed-off-by: Paolo Abeni <pabeni at redhat.com>
DeltaFile
+4-2net/ipv6/tcp_ipv6.c
+4-2net/ipv4/tcp_ipv4.c
+8-42 files

Linux/linux df6134bdrivers/net/ethernet/mellanox/mlx5/core/lib st.c

net/mlx5: free mlx5_st_idx_data on final dealloc

Workloads that repeatedly allocate and release mkeys carrying TPH
steering-tag hints (e.g. churning RDMA MRs) leak one
struct mlx5_st_idx_data per cycle; kmemleak flags it as unreferenced
and the kmalloc slab grows over time.

When the last reference to an ST table entry is dropped,
mlx5_st_dealloc_index() removed the entry from idx_xa but the backing
mlx5_st_idx_data allocation was never freed.

Free idx_data after the xa_erase() so the lifetime of the bookkeeping
struct matches the lifetime of the ST entry it tracks.

Cc: stable at vger.kernel.org
Fixes: 888a7776f4fb ("net/mlx5: Add support for device steering tag")
Reviewed-by: Michael Gur <michaelgur at nvidia.com>
Signed-off-by: Zhiping Zhang <zhipingz at meta.com>
Reviewed-by: Leon Romanovsky <leonro at nvidia.com>

    [3 lines not shown]
DeltaFile
+1-0drivers/net/ethernet/mellanox/mlx5/core/lib/st.c
+1-01 files

Linux/linux 892d308drivers/net/can Kconfig, drivers/net/can/usb esd_usb.c

Merge tag 'linux-can-fixes-for-7.2-20260716' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can

Marc Kleine-Budde says:

====================
pull-request: can 2026-07-16

this is a pull request of 19 patches for net/main.

The first patch is by Alexander Hölzl and fixes the Kconfig
description of the vxcan driver.

Next patch by Fan Wu fixes the tear down order in the esd_usb driver.

Followed by a patch by Oliver Hartkopp that adds missing locking for
the raw flags in the CAN_RAW protocol.

Shuhao Fu's patch for the j1939 protocol fix lockless
local-destination check.

    [37 lines not shown]
DeltaFile
+497-157net/can/bcm.c
+227-71net/can/isotp.c
+30-36net/can/raw.c
+14-4net/can/j1939/transport.c
+2-5drivers/net/can/Kconfig
+4-1drivers/net/can/usb/esd_usb.c
+774-27413 files not shown
+792-29219 files

Linux/linux 78d24e7drivers/bluetooth btrtl.c hci_qca.c, net/bluetooth mgmt.c hci_sync.c

Merge tag 'for-net-2026-07-13' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth

Luiz Augusto von Dentz says:

====================
bluetooth pull request for net:

 - hci_sync: hold hdev->lock for hci_conn_params lookups
 - hci_sync: extend conn_hash lookup critical sections
 - hci_qca: Clear memdump state on invalid dump size
 - MGMT: revalidate LOAD_CONN_PARAM queued update
 - MGMT: Translate HCI reason in Device Disconnected event
 - MGMT: fix locking in unpair_device/disconnect_sync
 - MGMT: hold reference for hci_conn in mgmt_pending_cmds
 - btrtl: validate firmware patch bounds
 - qca: fix NVM tag length underflow in TLV parser

* tag 'for-net-2026-07-13' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
  Bluetooth: mgmt: Translate HCI reason in Device Disconnected event

    [12 lines not shown]
DeltaFile
+91-14net/bluetooth/mgmt.c
+60-8net/bluetooth/hci_sync.c
+1-17net/bluetooth/hci_event.c
+3-2drivers/bluetooth/btrtl.c
+4-0drivers/bluetooth/hci_qca.c
+1-1drivers/bluetooth/btqca.c
+160-421 files not shown
+161-427 files

Linux/linux bc72917net/netfilter xt_nat.c nf_conncount.c, net/netfilter/ipvs ip_vs_app.c ip_vs_xmit.c

Merge tag 'nf-26-07-10' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

Florian Westphal says:

====================
netfilter: updates for net

The following patchset contains Netfilter fixes for *net*.
These are fixes for bugs except patches 6 and 9 which fix issues added in
last PR and 7.1-rc1.

1) Reject unsupported target families in xt_nat_checkentry().
From Wyatt Feng.

2) Fix inverted time_after() check in ecache_work_evict_list().
Causes pointless work rescheds and thus way longer time to
clear the pending event backlog. From Yizhou Zhao.

3) Fix a use-after-free in br_ip6_fragment() caused by a dangling prevhdr

    [38 lines not shown]
DeltaFile
+55-0tools/testing/selftests/net/netfilter/nft_flowtable.sh
+4-6net/netfilter/ipvs/ip_vs_app.c
+9-0net/netfilter/xt_nat.c
+2-4net/netfilter/ipvs/ip_vs_xmit.c
+3-3net/netfilter/nf_conncount.c
+3-3net/netfilter/nf_flow_table_core.c
+76-164 files not shown
+81-2510 files

Linux/linux fce2dfafs/smb/client smb2ops.c smb2misc.c

Merge tag 'v7.2-rc3-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6

Pull smb client fixes from Steve French:

 - fallocate fixes

 - unit test fixes

 - fix allocation size after duplicate extents

 - fix check for overlapping data areas

* tag 'v7.2-rc3-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
  smb/client: flush dirty data before punching a hole
  smb/client: Use EXPORT_SYMBOL_IF_KUNIT() to export symbols in SMB2
  smb/client: Use EXPORT_SYMBOL_IF_KUNIT() to export symbols
  smb: client: reject overlapping data areas in SMB2 responses
  smb/client: refresh allocation after EOF-extending fallocate
  smb/client: emulate small EOF-extending mode 0 fallocate ranges

    [4 lines not shown]
DeltaFile
+161-22fs/smb/client/smb2ops.c
+25-9fs/smb/client/smb2misc.c
+12-12fs/smb/client/smb1maperror.c
+19-0fs/smb/client/smb2pdu.c
+6-6fs/smb/client/smb2maperror.c
+7-3fs/smb/client/cifsfs.c
+230-525 files not shown
+240-5611 files

Linux/linux 3d84d67include/linux btf.h, kernel/bpf verifier.c btf.c

Merge branch 'bpf-fix-tracing-of-kfuncs-with-implicit-args'

Ihor Solodrai says:

====================
bpf: Fix tracing of kfuncs with implicit args

Tejun reported an issue where a BPF program tracing a kfunc with
KF_IMPLICIT_ARGS can crash the kernel [1]. This is caused by a bug in
bpf_check_attach_target(): the btf_func_model for such a kfunc is
computed from a wrong BTF prototype. For more details see the commit
message of patch #1.

The second patch adds a selftest that can catch this situation.

The fix is a candidate for 7.1 backport.

[1] https://github.com/sched-ext/scx/issues/3687#issuecomment-4906694106
---

    [21 lines not shown]
DeltaFile
+77-0tools/testing/selftests/bpf/progs/kfunc_implicit_args_tracing.c
+53-13kernel/bpf/verifier.c
+36-0tools/testing/selftests/bpf/prog_tests/kfunc_implicit_args_tracing.c
+29-0kernel/bpf/btf.c
+1-0include/linux/btf.h
+196-135 files

Linux/linux 0af15f3tools/testing/selftests/bpf/prog_tests kfunc_implicit_args_tracing.c, tools/testing/selftests/bpf/progs kfunc_implicit_args_tracing.c

selftests/bpf: Cover tracing implicit kfunc args

KF_IMPLICIT_ARGS kfuncs have a BPF-call prototype and a real kernel
target prototype. Add a tracing selftest that attaches fentry and fexit
programs to bpf_kfunc_implicit_arg(), runs a syscall BPF program that
calls it, and checks that the tracing context exposes both the explicit
argument and the implicit prog aux pointer.

Co-developed-by: Ihor Solodrai <ihor.solodrai at linux.dev>
Signed-off-by: Kumar Kartikeya Dwivedi <memxor at gmail.com>
Signed-off-by: Ihor Solodrai <ihor.solodrai at linux.dev>
Link: https://patch.msgid.link/20260713235223.1639022-3-ihor.solodrai@linux.dev
Signed-off-by: Eduard Zingerman <eddyz87 at gmail.com>
DeltaFile
+77-0tools/testing/selftests/bpf/progs/kfunc_implicit_args_tracing.c
+36-0tools/testing/selftests/bpf/prog_tests/kfunc_implicit_args_tracing.c
+113-02 files

Linux/linux 3917b10include/linux btf.h, kernel/bpf verifier.c btf.c

bpf: Fix tracing of kfuncs with implicit args

A kfunc marked with KF_IMPLICIT_ARGS flag takes implicit arguments
(such as bpf_prog_aux) that the verifier injects at load time.
resolve_btfids strips those from the kfunc's BTF-visible prototype and
keeps the real kernel ABI in a counterpart _impl prototype [1].

fentry/fexit/fmod_ret/fsession programs may attach to the BPF kernel
functions, including those with implicit args. However
bpf_check_attach_target() and bpf_check_attach_btf_id_multi() extract
the struct btf_func_model from the wrong BTF prototype of the
kfunc. The btf_func_model is later read to construct the trampoline,
which then causes the injected implicit argument to be clobbered and
the kfunc dereferencing garbage.

Add btf_attach_func_proto() to resolve the real ABI prototype of the
kfunc the way the call site does: by looking up the _impl prototype
for a KF_IMPLICIT_ARGS kfunc. Use it at both attach-target model
construction sites.

    [30 lines not shown]
DeltaFile
+53-13kernel/bpf/verifier.c
+29-0kernel/bpf/btf.c
+1-0include/linux/btf.h
+83-133 files

Linux/linux 481ed5dsecurity/landlock task.c net.c, tools/testing/selftests/landlock net_test.c scoped_signal_test.c

Merge tag 'landlock-7.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux

Pull landlock fix from Mickaël Salaün:
 "This fixes TCP Fast Open support, specific test environments, and doc
  warnings"

* tag 'landlock-7.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux:
  selftests/landlock: Skip scoped_signal subtest with MSG_OOB if not available
  selftests/landlock: Fix screwed up pointers in the scoped_signal_test
  landlock: Update formatting
  landlock: Fix kernel-doc for the nested quiet layer flag
  selftests/landlock: Add test for TCP fast open
  landlock: Fix TCP Fast Open connection bypass
DeltaFile
+97-0tools/testing/selftests/landlock/net_test.c
+44-23tools/testing/selftests/landlock/scoped_signal_test.c
+3-6security/landlock/task.c
+8-0security/landlock/net.c
+2-2security/landlock/ruleset.h
+154-315 files

Linux/linux e22254efs/xfs xfs_bmap_util.c xfs_trace.h, fs/xfs/scrub cow_repair.c trace.h

Merge tag 'xfs-fixes-7.2-rc4' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux

Pull xfs fixes from Carlos Maiolino:
 "This contains mostly a series of bug fixes found by different LLM
  models"

* tag 'xfs-fixes-7.2-rc4' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux: (21 commits)
  xfs: don't zap bmbt forks if they are MAXLEVELS tall
  xfs: clamp timestamp nanoseconds correctly
  xfs: fully check the parent handle when it points to the rootdir
  xfs: handle non-inode owners for rtrmap record checking
  xfs: fix off-by-one error when calling xchk_xref_has_rt_owner
  xfs: set xfarray killable sort correctly
  xfs: grab rtrmap btree when checking rgsuper
  xfs: write the rg superblock when fixing it
  xfs: use the rt version of the cow staging checker
  xfs: use rtrefcount btree cursor in xchk_xref_is_rt_cow_staging
  xfs: don't wrap around quota ids in dqiterate
  xfs: move cow_replace_mapping to xfs_bmap_util.c

    [9 lines not shown]
DeltaFile
+86-93fs/xfs/scrub/cow_repair.c
+89-0fs/xfs/xfs_bmap_util.c
+41-0fs/xfs/xfs_trace.h
+36-0fs/xfs/xfs_reflink.c
+0-35fs/xfs/scrub/trace.h
+17-11fs/xfs/xfs_sysfs.c
+269-13915 files not shown
+340-16921 files

Linux/linux 133fc7afs/erofs super.c ishare.c

Merge tag 'erofs-for-7.2-rc4-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs

Pull erofs fixes from Gao Xiang:

 - Fix sanity checks for ztailpacking tail pclusters to avoid
   false corruption reports

 - Use more informative s_id for file-backed mounts

 - Hide the meaningless "cache_strategy=" mount option on plain
   (uncompressed) filesystems

 - Remove the unneeded erofs_is_ishare_inode() helper

* tag 'erofs-for-7.2-rc4-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs:
  erofs: hide "cache_strategy=" for plain filesystems
  erofs: get rid of erofs_is_ishare_inode() helper
  erofs: relax sanity check for tail pclusters due to ztailpacking
  erofs: use more informative s_id for file-backed mounts
DeltaFile
+5-14fs/erofs/super.c
+1-7fs/erofs/ishare.c
+2-1fs/erofs/zmap.c
+8-223 files

Linux/linux 6f5156ddrivers/cpufreq intel_pstate.c cpufreq.c

Merge tag 'pm-7.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull power management fixes from Rafael Wysocki:
 "These fix two cpufreq issues, one in the intel_pstate driver and one
  in the core:

   - Make cpufreq_update_pressure() use cpuinfo.max_freq as the default
     reference frequency when arch_scale_freq_ref() returns 0 to allow
     the scheduler to still take CPU frequency caps into account in
     those cases (Rafael Wysocki)

   - Use the HWP guaranteed performance level as the full capacity
     performance in intel_pstate on hybrid systems when turbo
     frequencies are not allowed to be used to make scale-invariance
     work as expected in those cases (Rafael Wysocki)"

* tag 'pm-7.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  cpufreq: Make cpufreq_update_pressure() fall back to cpuinfo.max_freq
  cpufreq: intel_pstate: Set non-turbo capacity to HWP_GUARANTEED_PERF()
DeltaFile
+4-2drivers/cpufreq/intel_pstate.c
+3-0drivers/cpufreq/cpufreq.c
+7-22 files

Linux/linux 4302c35drivers/pmdomain/imx imx93-blk-ctrl.c imx8m-blk-ctrl.c, drivers/pmdomain/mediatek mtk-pm-domains.c

Merge tag 'pmdomain-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm

Pull pmdomain fixes from Ulf Hansson:
 "imx:
   - Assign child domains for imx93 to prevent power off when in use
   - Fix i.MX8MP power up sequences

  mediatek:
   - Fix possible nullptr in HWV cleanup/on-check"

* tag 'pmdomain-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm:
  pmdomain: mediatek: Fix possible nullptr KP in HWV cleanup/on-check
  pmdomain: imx: Fix i.MX8MP VC8000E power up sequence
  pmdomain: imx: Fix i.MX8MP power notifier
  pmdomain: imx93-blk-ctrl: Extract PHY as shared domain for DSI/CSI
  dt-bindings: power: imx93: Add MIPI PHY power domain
DeltaFile
+58-2drivers/pmdomain/imx/imx93-blk-ctrl.c
+44-2drivers/pmdomain/imx/imx8m-blk-ctrl.c
+33-7drivers/pmdomain/mediatek/mtk-pm-domains.c
+1-0include/dt-bindings/power/fsl,imx93-power.h
+136-114 files

Linux/linux c270a42arch/arm64/kvm nested.c emulate-nested.c, arch/arm64/kvm/hyp/nvhe ffa.c

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull kvm fixes from Paolo Bonzini:
 "arm64:

   - Fix an accounting buglet when reclaiming pages from a protected
     guest

   - Fix a bunch of architectural compliance issues when injecting a
     synthesised exception, most of which were missing the PSTATE.IL bit
     indicating a 32bit-wide instruction

   - Another set of fixes addressing issues with translation of
     VNCR_EL2, including corner cases where the guest point that
     register at a RO page...

   - Don't warn when trapping accesses to ZCR_EL2 from an L2 guest, as
     that's not unexpected at all


    [76 lines not shown]
DeltaFile
+255-0tools/testing/selftests/kvm/arm64/mmio_sign_ext.c
+83-81arch/arm64/kvm/nested.c
+39-50arch/x86/kvm/vmx/nested.c
+47-0tools/testing/selftests/kvm/x86/sev_migrate_tests.c
+30-14arch/arm64/kvm/hyp/nvhe/ffa.c
+29-12arch/arm64/kvm/emulate-nested.c
+483-15727 files not shown
+621-23533 files