Merge tag 'media/v7.1-4' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
Pull media fixes from Mauro Carvalho Chehab:
- rc: igorplugusb: fix control request setup packet
- vsp1: revert a couple patches to fix regressions when setting DRM
pipelines
* tag 'media/v7.1-4' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
media: rc: igorplugusb: fix control request setup packet
Revert "media: renesas: vsp1: brx: Fix format propagation"
Revert "media: renesas: vsp1: Initialize format on all pads"
Merge tag 'x86-urgent-2026-05-31' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull x86 fixes from Ingo Molnar:
- Make the clearcpuid= boot parameter less prominent
and warn about its dangers & caveats (Borislav Petkov)
- Do not access the (new) PLATFORM_ID MSR when running
as a guest (Borislav Petkov)
- x86 ftrace: Relocate %rip-relative percpu refs in dynamic
trampolines, to fix crash when using such trampolines
(Alexis Lothoré)
- Fix x86-64 CFI build error (Peter Zijlstra)
- Revert FPU signal return magic number check optimization,
because it broke CRIU and gVisor in certain FPU configurations
(Andrei Vagin)
[7 lines not shown]
Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
Pull SCSI fixes from James Bottomley:
"Two core changes, the only one of significance being the change to
kick queues in SDEV_CANCEL which had a small window for stuck
requests.
The major driver fixes are the one to the FC transport class to widen
the FPIN counter to counter a theoretical (and privileged) fabric
traffic injection attack and the other is an iscsi fix where a
malicious target could trick the kernel into an output buffer overrun.
Both the driver fixes were AI assisted"
* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
scsi: target: iscsi: Validate CHAP_R length before base64 decode
scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf
scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd()
scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker
[5 lines not shown]
Merge tag 'i2c-for-7.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux
Pull i2c fixes from Wolfram Sang:
- davinci: fix fallback bus frequency on missing clock-frequency
- virtio: mark device ready initially
* tag 'i2c-for-7.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
i2c: virtio: mark device ready before registering the adapter
i2c: davinci: fix division by zero on missing clock-frequency
Merge tag 'input-for-v7.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
Pull input fixes from Dmitry Torokhov:
- updates to Elan I2C touchpad driver to handle a new IC type and to
validate size of supplied firmware to prevent OOB access
- updates to Xpad controller driver to recognize ASUS ROG RAIKIRI II
and "Nova 2 Lite" from GameSir controllers as well as a fix to
prevent a potential OOB access when handling "Share" button
- an update to Synaptics touchpad driver to use RMI mode for touchpad
in Thinkpad E490
- updates to Atmel MXT driver adding checks to prevent potential OOB
accesses
- a fix to IMS PCU driver to free correct amount of memory when tearing
it down
[19 lines not shown]
Merge tag 'v7.1-rc6-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6
Pull smb client fixes from Steve French:
- fix uninitialized variable in smb2_writev_callback()
- detect short folioq copy in cifs_copy_folioq_to_iter()
* tag 'v7.1-rc6-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
smb: client: fix uninitialized variable in smb2_writev_callback
smb: client: detect short folioq copy in cifs_copy_folioq_to_iter()
Merge tag 'liveupdate-fixes-2026-05-30' of git://git.kernel.org/pub/scm/linux/kernel/git/liveupdate/linux
Pull liveupdate fixes from Mike Rapoport:
"Two kexec handover regression fixes:
- fix order calculation for kho_unpreserve_pages() to make sure sure
that the order calculation in kho_unpreserve_pages() mathes the
order calculation in kho_preserve_pages().
- fix math in calculation of KHO_TREE_MAX_DEPTH to make it work with
16KB pages"
* tag 'liveupdate-fixes-2026-05-30' of git://git.kernel.org/pub/scm/linux/kernel/git/liveupdate/linux:
kho: fix order calculation for kho_unpreserve_pages()
kho: fix KHO_TREE_MAX_DEPTH for non-4KB page sizes
Merge tag 'fixes-2026-05-30' of git://git.kernel.org/pub/scm/linux/kernel/git/rppt/memblock
Pull memblock fix from Mike Rapoport:
"Fix regression from memblock_free_late() refactoring
After refactoring of memblock_free_late() and free_init_pages() it
became possible to call memblock_free() after memblock init data was
discarded.
Make sure memblock_free() does not touch memblock.reserved unless it
is called early enough or when ARCH_KEEP_MEMBLOCK is enabled"
* tag 'fixes-2026-05-30' of git://git.kernel.org/pub/scm/linux/kernel/git/rppt/memblock:
memblock: don't touch memblock arrays when memblock_free() is called late
media: rc: igorplugusb: fix control request setup packet
Commit eac69475b01f ("media: rc: igorplugusb: heed coherency
rules") changed the control request storage from an embedded struct to
an allocated pointer so it can obey DMA coherency rules.
However, the driver still passes &ir->request to usb_fill_control_urb().
That points the URB setup packet at the pointer field itself rather than
at the allocated struct usb_ctrlrequest.
USB core then interprets pointer bytes as the setup packet. This can
produce an invalid bRequestType and trigger the control direction warning
reported by syzbot:
usb 2-1: BOGUS control dir, pipe 80003580 doesn't match bRequestType 0
Pass ir->request itself as the setup packet.
Fixes: eac69475b01f ("media: rc: igorplugusb: heed coherency rules")
[8 lines not shown]
Merge tag 'usb-7.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
Pull USB and Thunderbolt fixes from Greg KH:
"Here is a set of USB fixes and new device ids for 7.1-rc6. Nothing
major in here, just lots of tiny fixes for reported issues found by
users and some older patches found by some scanning tools. Included in
here are:
- typec fixes found by fuzzers that have decided to finally look at
that device interaction path (i.e. before a driver is bound to a
device)
- typec fixes for issues found by users
- thunderbolt driver fixes for reported problems
- cdns3 driver fixes
- dwc3 driver fixes
[32 lines not shown]
Merge tag 'tty-7.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
Pull tty/serial driver fixes from Greg KH:
"Here are some small serial driver fixes for 7.1-rc6. Included in here
are:
- mips serial driver fixes to resolve some long-standing issues with
how they interacted with the console. That's the "majority" of the
changes in this merge request
- sh-sci driver regression fix
- 8250 driver regression fixes
- other small serial driver fixes for reported problems.
All of these have been in linux-next for over a week with no reported
issues"
[20 lines not shown]
Merge tag 'char-misc-7.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
Pull char/misc/iio fixes from Greg KH:
"Here are some small char/misc/iio driver fixes for 7.1-rc6. Included
in here are:
- lots of small IIO driver fixes for reported problems.
- Android binder bugfixes for reported issues.
- small comedi test driver fixes
- counter driver fix
- parport driver fix (people still use this?)
- rpi driver fix
- uio driver fix
[26 lines not shown]
i2c: virtio: mark device ready before registering the adapter
virtio_i2c_probe() synchronously probes child i2c drivers on the bus,
but peripherals may use the bus at probe for tasks like reading a chip
id. The vhost-user-i2c backend stalls at such probes unless DRIVER_OK
is already set before the virtqueue is first kicked.
Set DRIVER_OK explicitly before i2c_add_adapter(), as done for the
same reason in commit f5866db64f34 ("virtio_console: enable VQs
early") and commit 71e4b8bf0482 ("virtio_rpmsg: set DRIVER_OK before
using device").
Signed-off-by: Alexis Bouzigues <BouziguesAlexis at JohnDeere.com>
Signed-off-by: Wolfram Sang <wsa+renesas at sang-engineering.com>
Merge tag 'i2c-host-fixes-7.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/andi.shyti/linux into i2c/for-current
i2c-host-fixes for v7.1-rc6
davinci: fix fallback bus frequency on missing clock-frequency
Merge tag 'v7.1-rc6-ksmbd-server-fixes' of git://git.samba.org/ksmbd
Pull smb server fixes from Steve French:
- security fix for FSCTL_SET_SPARSE
- fix leak in ksmbd_query_inode_status()
- fix OOB read in smb_check_perm_dacl()
* tag 'v7.1-rc6-ksmbd-server-fixes' of git://git.samba.org/ksmbd:
ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE
ksmbd: release ksmbd_inode ref via ksmbd_inode_put on lookup paths
ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops
Merge tag 'drm-fixes-2026-05-30' of https://gitlab.freedesktop.org/drm/kernel
Pull drm fixes from Dave Airlie:
"Regular pull, doesn't seem too insane or AI owned, couple of UAF fixes
and another repair for an earlier fix, mostly amdgpu and i915 display
with xe/i915 accel, and misc core/driver fixes.
It might be a bit bigger than usual at this stage, but I'm not seeing
anything too scary here.
dumb-buffer:
- prevent overflows in dumb-buffer creation
dma-buf:
- fix UAF in dma_buf_fd() tracepoint
gem:
- fix for the fix for the fix for the change handle ioctl
[57 lines not shown]
Merge tag 'spi-fix-v7.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi
Pull spi fixes from Mark Brown:
"One substantive fix here, fixing corruption of the maximum frequency
for spi-mem operations which caused users to remember what should have
been a temporarily modified maximum frequency as the standard going
forward, potentially causing instability when the modification raised
rather than lowered the frequency.
We also have a trivial patch which just documents the correct way to
describe the Qualcomm IPQ5210 SNAND controller in the DT, there are no
code changes"
* tag 'spi-fix-v7.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
spi: spi-mem: avoid mutating op template in spi_mem_supports_op()
spi: dt-bindings: spi-qpic-snand: Add ipq5210 compatible
Merge tag 'regmap-fix-v7.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap
Pull regmap fix from Mark Brown:
"Some other fixing in an API user turned up the fact that we weren't
correctly applying cache only mode to volatile registers in
regmap_update_bits(), causing us to try to access hardware that was
powered off or otherwise not in a state to accept I/O. This fix
returns an error instead, avoiding more serious consequences"
* tag 'regmap-fix-v7.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap:
regmap: reject volatile update_bits() in cache-only mode
Merge tag 'net-7.1-rc6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
Pull more networking fixes from Jakub Kicinski:
"Quick follow up, nothing super urgent here. Main reason I'm sending
this out is because the IPsec and Bluetooth PRs did not make it
yesterday. I don't want to have to send you all of this + whatever
comes next week, for rc7. The fixes under "Previous releases -
regressions" are for real user-reported regressions from v7.0.
Previous releases - regressions:
- Revert "ipv6: preserve insertion order for same-scope addresses"
- xfrm: move policy_bydst RCU sync, a fix which added a sync RCU on
netns exit got backported to stable and was causing serious
accumulation of dying netns's for real workloads
- pcs-mtk-lynxi: fix bpi-r3 serdes configuration
[28 lines not shown]
Merge tag 'clang-fixes-7.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/nathan/linux
Pull clang build fix from Nathan Chancellor:
"A small fix to disable -Wattribute-alias for clang in the few places
it is already disabled for GCC, now that tip of tree clang has
implemented -Wattribute-alias as GCC has"
* tag 'clang-fixes-7.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/nathan/linux:
Disable -Wattribute-alias for clang-23 and newer
Revert "x86/fpu: Refine and simplify the magic number check during signal return"
This reverts
dc8aa31a7ac2 ("x86/fpu: Refine and simplify the magic number check during signal return").
The aforementioned commit broke applications that construct signal frames in
userspace (such as CRIU and gVisor) if the frame's xstate size is smaller than
the kernel's fpstate->user_size.
Furthermore, this introduces a critical issue for checkpoint/restore tools
like CRIU. If a process is checkpointed while inside a signal handler, its
stack contains a signal frame formatted according to the source host's xstate
capabilities.
If that process is later restored on a destination host with larger xstate
capabilities (e.g., a newer CPU with more features enabled, resulting in
a larger fpstate->user_size), the kernel will look for FP_XSTATE_MAGIC2 at the
destination host's larger user_size offset instead of the offset encoded in
[30 lines not shown]
drm/gem: fix race between change_handle and handle_delete
drm_gem_change_handle_ioctl leaves the old handle live in the IDR
during the window between spin_unlock(table_lock) and the final
spin_lock(table_lock). A concurrent drm_gem_handle_delete on the old
handle succeeds in this window, decrements handle_count to 0, and frees
the GEM object while the new handle's IDR entry still references it.
NULL the old handle's IDR entry before dropping table_lock so that any
concurrent GEM_CLOSE on the old handle sees NULL and returns -EINVAL.
Restore the old entry on the prime-bookkeeping error path.
Fixes: 5e28b7b94408 ("drm: Set old handle to NULL before prime swap in change_handle")
Signed-off-by: Zhenghang Xiao <kipreyyy at gmail.com>
Cc: stable at vger.kernel.org
Signed-off-by: Dave Airlie <airlied at redhat.com>
Link: https://patch.msgid.link/20260526085313.26791-1-kipreyyy@gmail.com
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
Pull kvm fixes from Paolo Bonzini:
"arm64:
- Restore CONFIG_PKVM_DISABLE_STAGE2_ON_PANIC to its former glory by
making sure the config symbol is correctly spelled out in the code
- Don't reset the AArch32 view of the PMU counters to zero when the
guest is writing to them
- Fix an assorted collection of memory leaks in the newly added
tracing code
- Fix the capping of ZCR_EL2 which could be used in an unsanitised
way by an L2 guest
x86:
[58 lines not shown]
Merge tag 'drm-misc-fixes-2026-05-29' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes
Short summary of fixes pull:
amdxdna:
- require IOMMU on AIE2
dumb-buffer:
- prevent overflows in dumb-buffer creation
dma-buf:
- fix UAF in dma_buf_fd() tracepoint
hyperv:
- improve protocol validation
ivpu:
- test write offset in debugfs
[7 lines not shown]
Merge branch 'wireguard-fixes-for-7-1-rc6'
Jason A. Donenfeld says:
====================
WireGuard fixes for 7.1-rc6
Please find one small patch, fixing the order of adding padding onto a
packet, to ensure padding bytes get zeroed properly.
====================
Link: https://patch.msgid.link/20260529173134.3080773-1-Jason@zx2c4.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
wireguard: send: append trailer after expanding head
With how this is currently written, we add the trailer, zero it out, and
then add the header space on. If that header space requires a
reallocation + copy, the zeros in the trailer aren't copied, because the
skb len hasn't actually been yet expanded to cover that. Instead add the
padding at the end of the process rather than at the beginning.
Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
Cc: stable at vger.kernel.org
Signed-off-by: Jason A. Donenfeld <Jason at zx2c4.com>
Link: https://patch.msgid.link/20260529173134.3080773-2-Jason@zx2c4.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
Revert "ipv6: preserve insertion order for same-scope addresses"
Chris Adams reported that preserving insertion order for same-scope
addresses is causing SSH connections to be dropped after stopping a VM
while running NetworkManager.
NetworkManager caches the IPv6 address configuration, when a RA arrives,
it determines the list of addresses to configure and checks if the
addresses are already in the right order in the kernel. If they aren't,
NetworkManager removes and re-adds them to achieve the desired order.
As the order changes, NetworkManager is confused and reconfigures the
addresses on every update. In addition, this would also affect to cloud
tooling that relies on IPv6 addresses order to identify primary and
secondaries addresses.
This reverts commit cb3de96eea66f5e4a580086c6a1be46e765f97f4.
Fixes: cb3de96eea66 ("ipv6: preserve insertion order for same-scope addresses")
[5 lines not shown]
Merge tag 'ipsec-2026-05-29' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec
Steffen Klassert says:
====================
pull request (net): ipsec 2026-05-29
1) xfrm: route MIGRATE notifications to caller's netns
Thread the caller's netns through km_migrate() so that
MIGRATE notifications go to the issuing netns, fixing both the
init_net listener leak and MOBIKE notifications inside
non-init netns. From Maoyi Xie.
2) xfrm: ipcomp: Free destination pages on acomp errors
Move the out_free_req label up so that allocated destination
pages are released on decompression errors, not only on success.
From Herbert Xu.
3) xfrm: Check for underflow in xfrm_state_mtu
[53 lines not shown]
net: skbuff: fix pskb_carve leaking zcopy pages
When SKBFL_MANAGED_FRAG_REFS is set, frag pages are not refcounted but
their lifetime is controlled by the attached ubuf_info. To make a copy
of the skb_shared_info, we either should clear the flag and reference
the frags, or keep the flag and have frags unreferenced.
pskb_carve_inside_header() and pskb_carve_inside_nonlinear() don't
follow the rule and thus can leak page references. Let's clear
SKBFL_MANAGED_FRAG_REFS from the original skb to fix it. It's the
simplest way to address it, but there are more performant ways to do
that if it ever becomes a problem.
Link: https://lore.kernel.org/all/20260523085809.26331-1-nvminh232@clc.fitus.edu.vn/
Fixes: 753f1ca4e1e50 ("net: introduce managed frags infrastructure")
Reported-by: Minh Nguyen <minhnguyen.080505 at gmail.com>
Reported-by: Willem de Bruijn <willemdebruijn.kernel at gmail.com>
Signed-off-by: Pavel Begunkov <asml.silence at gmail.com>
Reviewed-by: Willem de Bruijn <willemb at google.com>
[2 lines not shown]
