Merge tag 'probes-fixes-v7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
Pull probes fixes from Masami Hiramatsu:
"fprobe fixes and spelling typos:
- Fix NULL pointer dereference in fprobe_fgraph_entry(). Prevent
general protection faults by checking shadow-stack reservation
bounds. Skip mid-flight registered fprobes that were not counted
during sizing.
eprobe: fix string pointer extraction
- Correct the casting of string pointers read from the ringbuffer to
prevent truncation of base event pointer variables when
dereferencing FILTER_PTR_STRING fields.
tracing/probes: clean up argument parsing and BTF helper logic
- Make the $ prefix mandatory for comm access: Require the $ prefix
[28 lines not shown]
tracing/probes: Make the $ prefix mandatory for comm access
Since $comm or $COMM are not event fields but special fetcharg
variables to access current->comm, they should not be accessed
without the '$' prefix even with a typecast.
Link: https://lore.kernel.org/all/178231209724.732967.12049805699091810641.stgit@devnote2/
Fixes: 69efd863a785 ("tracing/eprobes: Allow use of BTF names to dereference pointers")
Signed-off-by: Masami Hiramatsu (Google) <mhiramat at kernel.org>
tracing/probes: Fix double addition of offset for @+FOFFSET
Since commit 533059281ee5 ("tracing: probeevent: Introduce new argument
fetching code") wrongly uses the @offset local variable during parsing,
the offset value is added twice when dereferencing.
Reset the @offset after setting it in FETCH_OP_FOFFS.
Link: https://lore.kernel.org/all/178217905962.643090.1978577464942171332.stgit@devnote2/
Fixes: 533059281ee5 ("tracing: probeevent: Introduce new argument fetching code")
Signed-off-by: Masami Hiramatsu (Google) <mhiramat at kernel.org>
Cc: stable at vger.kernel.org
tracing/fprobe: Fix NULL pointer dereference in fprobe_fgraph_entry()
fprobe_fgraph_entry() sizes a shadow-stack reservation in one walk of
the per-ip fprobe list and fills it in a second walk, both under
rcu_read_lock() only. A fprobe registered on an already-live ip can
become visible between the two walks, so the fill walk processes an
exit_handler the sizing walk did not count and used runs past
reserved_words. If the sizing walk counted nothing, fgraph_data is NULL
and the first write_fprobe_header() faults:
Oops: general protection fault, probably for non-canonical address ...
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:fprobe_fgraph_entry+0xa38/0xf10 kernel/trace/fprobe.c:167
Call Trace:
<TASK>
function_graph_enter_regs+0x44c/0xa10 kernel/trace/fgraph.c:677
ftrace_graph_func+0xc5/0x140 arch/x86/kernel/ftrace.c:671
__kernel_text_address+0x9/0x40 kernel/extable.c:78
arch_stack_walk+0x117/0x170 arch/x86/kernel/stacktrace.c:26
[13 lines not shown]
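The sizing-walk/fill-walk race described in the fprobe commit message above, as an added userspace model that is not code from the commit or from kernel/trace/fprobe.c. The struct, function names and the constructed two-probe scenario are assumptions; the bounds check and the skip of the late probe follow the fix as summarized in the pull request text.

```c
#include <stddef.h>

/* Userspace model; names are illustrative, not kernel/trace/fprobe.c.
 * Every probe here has an exit handler, so each one needs space. */
struct probe {
    int visible;        /* models RCU publication of the fprobe */
    size_t data_words;  /* payload words; the header takes one more */
};

/* Walk 1: words needed by the probes visible right now. */
static size_t size_walk(const struct probe *p, size_t n)
{
    size_t words = 0;
    for (size_t i = 0; i < n; i++)
        if (p[i].visible)
            words += 1 + p[i].data_words;
    return words;
}

/* Walk 2: fill the reservation, skipping any probe that does not fit
 * (one registered after walk 1). Returns the number of probes skipped. */
static size_t fill_walk(const struct probe *p, size_t n,
                        unsigned long *buf, size_t reserved, size_t *used)
{
    size_t skipped = 0;
    *used = 0;
    for (size_t i = 0; i < n; i++) {
        size_t need = 1 + p[i].data_words;
        if (!p[i].visible)
            continue;
        if (!buf || need > reserved - *used) {   /* bounds check */
            skipped++;
            continue;
        }
        buf[*used] = i;          /* stand-in for write_fprobe_header() */
        *used += need;
    }
    return skipped;
}

/* Constructed scenario: probe 1 is published between the two walks.
 * With first_visible == 0 the sizing walk counts nothing (buf is NULL). */
static size_t race_demo(int first_visible, size_t *used)
{
    struct probe p[2] = { { first_visible, 2 }, { 0, 3 } };
    unsigned long storage[8];
    size_t reserved = size_walk(p, 2);
    p[1].visible = 1;            /* late registration on a live ip */
    return fill_walk(p, 2, reserved ? storage : NULL, reserved, used);
}

int main(void) { size_t u; return race_demo(1, &u) == 1 && u == 3 ? 0 : 1; }
```

Without the check in `fill_walk()`, the late probe would be written at word 3 of a 3-word reservation, or through a NULL buffer when the sizing walk counted nothing.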
tracing: eprobe: read the complete FILTER_PTR_STRING pointer
For a char * element in an event, the FILTER_PTR_STRING filter type is
used. When the event occurs, a pointer is stored in the ringbuffer.
If an eprobe references such a char * element of a "base event", the
stored pointer is truncated when it's read from the ringbuffer.
$ cd /sys/kernel/tracing
$ echo 'e rcu.rcu_utilization $s:x64 $s:string' > dynamic_events
$ echo 1 > tracing_on
$ echo 1 > events/eprobes/enable
$ sleep 1
$ echo 0 > events/eprobes/enable
$ cat trace
<idle>-0 ...: (rcu.rcu_utilization) arg1=0x4f arg2=(fault)
<idle>-0 ...: (rcu.rcu_utilization) arg1=0x2 arg2=(fault)
The problem is in get_event_field
[17 lines not shown]
Merge tag 'ntb-7.2' of https://github.com/jonmason/ntb
Pull NTB updates from Jon Mason:
"An EPF bug fix to prevent an invalid unmap during device removal,
along with documentation fixes and minor AMD driver cleanups"
* tag 'ntb-7.2' of https://github.com/jonmason/ntb:
ntb: amd: Use named initializer for pci_device_id::driver_data
NTB: fix kernel-doc warnings in ntb.h
NTB: epf: Avoid pci_iounmap() with offset when PEER_SPAD and CONFIG share BAR
ntb_hw_amd: Fix incorrect debug message in link disable path
Merge tag 'input-for-v7.2-rc0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
Pull more input updates from Dmitry Torokhov:
- Updates to Synaptics RMI4 driver to fix potential OOB accesses in F30
and F3A keymap handling
- A workaround in Synaptics RMI4 to tolerate buggy firmware on some
touchpads (e.g. ThinkPad T14 Gen 1) that report incomplete register
descriptor structures, preventing probe failures
- A revert of an incorrect register descriptor address calculation in
Synaptics RMI4 driver
- A fix for a regression in HP GSC PS/2 (gscps2) driver where the
receive buffer write index was not advanced, leaving keyboard and
mouse unusable.
* tag 'input-for-v7.2-rc0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
[5 lines not shown]
Merge tag 'pwm/for-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ukleinek/linux
Pull pwm fixes from Uwe Kleine-König:
"Two more fixes that I managed to put into the public branch merged
into next before my first pull request but failed to include in
it.
The first change is a relevant change that fixes misconfigurations due
to a variable overflow. The second is only cosmetic but very obviously
an improvement"
* tag 'pwm/for-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ukleinek/linux:
pwm: rzg2l-gpt: Add missing newlines to dev_err_probe() messages
pwm: rzg2l-gpt: Fix period_ticks type from u32 to u64
Merge tag 'fbdev-for-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev
Pull more fbdev updates from Helge Deller:
"Fixes for generic fbdev & fbcon code for the handling of modelists
and preventing a potential NULL ptr dereference in the console code.
Fix missed cleanups in the error path of various fbdev drivers.
And Uwe Kleine-König contributed a cleanup patch to use named
initializers in the vga16fb driver"
* tag 'fbdev-for-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev:
fbdev: Fix fb_new_modelist to prevent null-ptr-deref in fb_videomode_to_var
fbcon: fix NULL pointer dereference for a console without vc_data
fbdev: fix use-after-free in store_modes()
fbdev: viafb: return an error when DMA copy times out
fbdev: goldfishfb: fail pan display on base-update timeout
fbdev: fbcon: fix out-of-bounds read in err_out of fbcon_do_set_font()
fbdev: pm2fb: unwind WC setup on probe failure
fbdev: vga16fb: Drop unused assignment of platform_device_id driver data
Merge tag 'sound-fix-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"A collection of small bug fixes accumulated over the last week.
Most are device-specific fixes while there are a few core fixes as
well.
Here are the highlights:
ALSA Core:
- A fix for an uninitialised heap leak in ALSA sequencer core
- A fix for error handling/resource leak in compress-offload API
USB-audio:
- A teardown-ordering fix in USB MIDI 2.0 to prevent use-after-free
- Bounds and length checks for packet data in Native Instruments
caiaq / Traktor Kontrol input parsers
- Avoidance of expensive kobject path lookups in DualSense controller
matches
[46 lines not shown]
Merge tag 'i2c-fixes-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/andi.shyti/linux
Pull i2c fixes from Andi Shyti:
- i801: fix error path in smbus transfer
- mpc: fix timeout calculation
* tag 'i2c-fixes-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/andi.shyti/linux:
i2c: i801: fix hardware state machine corruption in error path
i2c: mpc: Fix timeout calculations
Merge tag 'rtc-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux
Pull RTC updates from Alexandre Belloni:
"Most of the work and improvements are for features of the m41t93.
The ds1307 also gets support for OSF (Oscillator Stop Flag) for
new variants.
The pcap driver is being removed as the Motorola EZX support was
removed a while ago.
Subsystem:
- add rtc_read_next_alarm() to read next expiring timer
Drivers:
- ds1307: handle OSF for ds1337/ds1339/ds3231, add clock provider for
ds1307, fix wday for rx8130
- m41t93: DT support, alarm, clock provider, watchdog support
- mv: add suspend/resume support for wakeup
[25 lines not shown]
Merge tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/linux
Pull fscrypt fixes from Eric Biggers:
- Fix a bug where in a specific edge case, file contents en/decryption
could be done with the wrong data unit size
- Fix the data structure used for keeping track of users that have
added an fscrypt key to be a simple list instead of a 'struct key'
keyring
This fixes issues such as a lockdep report found by syzbot and
possible unintended interactions with the keyctl() system calls
* tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/linux:
fscrypt: Replace mk_users keyring with simple list
fscrypt: Fix key setup in edge case with multiple data unit sizes
Input: gscps2 - advance receive buffer write index
Commit 44f920069911 ("Input: gscps2 - use guard notation when
acquiring spinlock") moved the receive loop into gscps2_read_data()
and gscps2_report_data().
While moving the code, it preserved the writes to
buffer[ps2port->append], but omitted the following producer index
update from the original loop:
ps2port->append = (ps2port->append + 1) & BUFFER_SIZE;
As a result, append never advances. Since gscps2_report_data() only
reports bytes while act != append, the receive buffer always appears
empty and no keyboard or mouse data reaches the serio core.
Restore the omitted index update.
Fixes: 44f920069911 ("Input: gscps2 - use guard notation when acquiring spinlock")
[4 lines not shown]
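The gscps2 regression described above, as an added userspace model that is not the driver's code. The `act` and `append` names and the index-update line come from the commit message; the struct layout, the `advance` switch, the mask value 0x0f and the sample bytes are assumptions made for the illustration.

```c
#include <stddef.h>

#define BUFFER_SIZE 0x0f   /* assumed value; used as an index mask */

/* Userspace model; field names follow the commit message. */
struct port {
    unsigned char buffer[BUFFER_SIZE + 1];
    unsigned int act;      /* consumer index */
    unsigned int append;   /* producer index */
};

/* Producer: store received bytes. advance == 0 reproduces the regression:
 * the slot is written but append never moves. */
static void read_data(struct port *p, const unsigned char *in, size_t n,
                      int advance)
{
    for (size_t i = 0; i < n; i++) {
        p->buffer[p->append] = in[i];
        if (advance)
            p->append = (p->append + 1) & BUFFER_SIZE;
    }
}

/* Consumer: hand bytes on while act != append; returns how many. */
static size_t report_data(struct port *p, unsigned char *out)
{
    size_t n = 0;
    while (p->act != p->append) {
        out[n++] = p->buffer[p->act];
        p->act = (p->act + 1) & BUFFER_SIZE;
    }
    return n;
}

/* Constructed input: three bytes arriving from the device. */
static size_t delivered(int advance)
{
    static const unsigned char in[] = { 0x1c, 0x9c, 0x2a };
    unsigned char out[BUFFER_SIZE + 1];
    struct port p = { .act = 0, .append = 0 };

    read_data(&p, in, sizeof(in), advance);
    return report_data(&p, out);
}

int main(void)
{
    return delivered(0) == 0 && delivered(1) == 3 ? 0 : 1;
}
```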
Input: rmi4 - tolerate short register descriptor structure
Some touchpads (e.g. ThinkPad T14 Gen 1) have buggy firmware that reports
a register descriptor structure size that is too small for the number of
registers it claims to have in the presence map. The remaining bytes in
the structure are 0, which with the new strict bounds checking causes the
parser to fail with -EIO, aborting the device probe.
Tolerate such short reads by dropping the remaining (unparseable or
0-size) registers from the list instead of failing the probe,
preventing the driver from trying to use them.
Fixes: 0adb483fbf2d ("Input: rmi4 - refactor register descriptor parsing")
Reported-by: Barry K. Nathan <barryn at pobox.com>
Tested-by: Barry K. Nathan <barryn at pobox.com>
Cc: stable at vger.kernel.org
Assisted-by: Antigravity:gemini-3.5-flash
Signed-off-by: Dmitry Torokhov <dmitry.torokhov at gmail.com>
Revert "Input: rmi4 - fix register descriptor address calculation"
The register descriptor presence register is a packet register, which
means its bytes share a single RMI address. It does not occupy
consecutive addresses, and the register structure that follows it
is located at the next RMI address (presence_address + 1), not
(presence_address + presence_size).
Revert the incorrect address calculation introduced in commit
a98518e72439.
Reported-by: "Barry K. Nathan" <barryn at pobox.com>
Tested-by: "Barry K. Nathan" <barryn at pobox.com>
Cc: stable at vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov at gmail.com>
ntb: amd: Use named initializer for pci_device_id::driver_data
The current list initialisation depends on the well-hidden two zeros in
the PCI_VDEVICE macro. Instead use a named initialisation that is more
robust and easier to understand.
Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig at baylibre.com>
Reviewed-by: Dave Jiang <dave.jiang at intel.com>
Signed-off-by: Jon Mason <jdmason at kudzu.us>
NTB: fix kernel-doc warnings in ntb.h
Correct a function name and function parameter name to avoid
kernel-doc warnings:
Warning: include/linux/ntb.h:575 expecting prototype for
ntb_default_port_count(). Prototype was for ntb_default_peer_port_count()
instead
Warning: include/linux/ntb.h:590 function parameter 'pidx' not
described in 'ntb_default_peer_port_number'
Signed-off-by: Randy Dunlap <rdunlap at infradead.org>
Acked-by: Dave Jiang <dave.jiang at intel.com>
Signed-off-by: Jon Mason <jdmason at kudzu.us>
NTB: epf: Avoid pci_iounmap() with offset when PEER_SPAD and CONFIG share BAR
When BAR_PEER_SPAD and BAR_CONFIG share one PCI BAR, the module teardown
path ends up calling pci_iounmap() on the same iomem with some offset,
which is unnecessary and triggers a kernel warning like the following:
Trying to vunmap() nonexistent vm area (0000000069a5ffe8)
WARNING: mm/vmalloc.c:3470 at vunmap+0x58/0x68, CPU#5: modprobe/2937
[...]
Call trace:
vunmap+0x58/0x68 (P)
iounmap+0x34/0x48
pci_iounmap+0x2c/0x40
ntb_epf_pci_remove+0x44/0x80 [ntb_hw_epf]
pci_device_remove+0x48/0xf8
device_remove+0x50/0x88
device_release_driver_internal+0x1c8/0x228
driver_detach+0x50/0xb0
bus_remove_driver+0x74/0x100
[13 lines not shown]
ntb_hw_amd: Fix incorrect debug message in link disable path
amd_ntb_link_disable() prints "Enabling Link" which is misleading.
Update the message to reflect that the link is being disabled.
Signed-off-by: Alok Tiwari <alok.a.tiwari at oracle.com>
Reviewed-by: Dave Jiang <dave.jiang at intel.com>
Signed-off-by: Jon Mason <jdmason at kudzu.us>
Merge tag 'drm-fixes-2026-06-27' of https://gitlab.freedesktop.org/drm/kernel
Pull drm fixes from Dave Airlie:
"These are just the fixes from our fixes branch, all pretty small and
scattered.
sysfb:
- drm/sysfb truncation and alignment fixes
edid:
- fix edid OOB read in tile parsing
- increase displayid topology id to correct size
nouveau:
- fix error handling paths in nouveau
amdxdna:
- get_bo_info fix
[14 lines not shown]
Merge tag 'drm-next-2026-06-27' of https://gitlab.freedesktop.org/drm/kernel
Pull drm merge window fixes from Dave Airlie:
"This is the merge window fixes from our next tree, i915/xe and amdgpu
make up all of it.
I've got a separate fixes pull from our fixes branch arriving after
this.
i915:
- Fix corrupted display output on GLK, #16209
- Add missing Spectre mitigation for parallel submit IOCTL
- MTL+ fix for DP resume
- clear CRTC blobs after dropping refs
- fix sharpness filter on DP MST
xe:
- Set TTM beneficial order to 9 in Xe
- Several error path cleanups
[55 lines not shown]
Merge tag 'ceph-for-7.2-rc1' of https://github.com/ceph/ceph-client
Pull ceph updates from Ilya Dryomov:
"This adds support for manual client session reset in CephFS, allowing
operators to get out of tricky livelock situations involving caps and
file locks without evicting the problematic client instance on the MDS
side or rebooting the client node, both of which can be disruptive"
* tag 'ceph-for-7.2-rc1' of https://github.com/ceph/ceph-client:
ceph: add manual reset debugfs control and tracepoints
ceph: add client reset state machine and session teardown
ceph: add diagnostic timeout loop to wait_caps_flush()
ceph: harden send_mds_reconnect and handle active-MDS peer reset
ceph: use proper endian conversion for flock_len in reconnect
ceph: convert inode flags to named bit positions and atomic bitops
rbd: switch to dynamic root device
Merge tag 'thermal-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
Pull thermal control fixes from Rafael Wysocki:
"These fix a failure path in an Intel thermal driver and prevent
thermal testing module code from being executed after it has been
freed:
- Fix dangling resources on thermal_throttle_online() failure in the
Intel thermal_throttle driver (Ricardo Neri)
- Eliminate a possibility of running thermal testing module code
after that module has been removed (Rafael Wysocki)"
* tag 'thermal-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
thermal: testing: zone: Flush work items during cleanup
thermal: intel: Fix dangling resources on thermal_throttle_online() failure
Merge tag 'pm-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
Pull power management fixes from Rafael Wysocki:
"These fix the schedutil cpufreq governor and drop a bogus warning
from the cpuidle core:
- Remove a misguided warning along with an inaccurate comment
next to it from the cpuidle core (Rafael Wysocki)
- Clear need_freq_update as appropriate in the .adjust_perf()
path of the schedutil cpufreq governor to avoid calling
cpufreq_driver_adjust_perf() unnecessarily on every scheduler
utilization update (Zhongqiu Han)"
* tag 'pm-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
cpuidle: Allow exit latency to exceed target residency
cpufreq: schedutil: Fix uncleared need_freq_update on the .adjust_perf() path
Merge tag 'acpi-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
Pull ACPI support fixes and cleanups from Rafael Wysocki:
"These fix assorted issues and do cleanups in the ACPI support code,
which includes a fix for tools build breakage related to strncpy()
removal:
- Unbreak ACPICA tools builds after switching over to using
strscpy_pad() that is kernel-specific (Rafael Wysocki)
- Fix module parameter file paths in comments in the ACPI code
managing the general sysfs attributes (Zenghui Yu)
- Update kerneldoc comments in the ACPI resource management code to
follow the common style (Andy Shevchenko)
- Fix inverted interface check in ipmi_bmc_gone() that may cause ACPI
IPMI interfaces to be mishandled (Xu Rao)
[9 lines not shown]