summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorLines
2026-04-13Merge tag 'hfs-v7.1-tag1' of ↵Linus Torvalds-182/+682
git://git.kernel.org/pub/scm/linux/kernel/git/vdubeyko/hfs Pull hfsplus updates from Viacheslav Dubeyko: "This contains several fixes of syzbot reported issues and HFS+ fixes of xfstests failures. - Fix a syzbot reported issue of a KMSAN uninit-value in hfsplus_strcasecmp(). The root cause was that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read. The fix introduced hfsplus_brec_read_cat() wrapper that validates the record size based on the type field and returns -EIO if size doesn't match (Deepanshu Kartikey) - Fix a syzbot reported issue of processing corrupted HFS+ images where the b-tree allocation bitmap indicates that the header node (Node 0) is free. Node 0 must always be allocated. Violating this invariant leads to allocator corruption, which cascades into kernel panics or undefined behavior. Prevent trusting a corrupted allocator state by adding a validation check during hfs_btree_open(). If corruption is detected, print a warning identifying the specific corrupted tree and force the filesystem to mount read-only (SB_RDONLY). This prevents kernel panics from corrupted images while enabling data recovery (Shardul Bankar) - Fix a potential deadlock in hfsplus_fill_super(). hfsplus_fill_super() calls hfs_find_init() to initialize a search structure, which acquires tree->tree_lock. If the subsequent call to hfsplus_cat_build_key() fails, the function jumps to the out_put_root error label without releasing the lock. Fix this by adding the missing hfs_find_exit(&fd) call before jumping to the out_put_root error label. This ensures that tree->tree_lock is properly released on the error path (Zilin Guan) - Update a files ctime after rename in hfsplus_rename() (Yangtao Li) The rest of the patches introduce the HFS+ fixes for the case of generic/348, generic/728, generic/533, generic/523, and generic/642 test-cases of xfstests suite" * tag 'hfs-v7.1-tag1' of git://git.kernel.org/pub/scm/linux/kernel/git/vdubeyko/hfs: hfsplus: fix generic/642 failure hfsplus: rework logic of map nodes creation in xattr b-tree hfsplus: fix logic of alloc/free b-tree node hfsplus: fix error processing issue in hfs_bmap_free() hfsplus: fix potential race conditions in b-tree functionality hfsplus: extract hidden directory search into a helper function hfsplus: fix held lock freed on hfsplus_fill_super() hfsplus: fix generic/523 test-case failure hfsplus: validate b-tree node 0 bitmap at mount time hfsplus: refactor b-tree map page access and add node-type validation hfsplus: fix to update ctime after rename hfsplus: fix generic/533 test-case failure hfsplus: set ctime after setxattr and removexattr hfsplus: fix uninit-value by validating catalog record size hfsplus: fix potential Allocation File corruption after fsync
2026-04-13sctp: disable BH before calling udp_tunnel_xmit_skb()Xin Long-0/+4
udp_tunnel_xmit_skb() / udp_tunnel6_xmit_skb() are expected to run with BH disabled. After commit 6f1a9140ecda ("add xmit recursion limit to tunnel xmit functions"), on the path: udp(6)_tunnel_xmit_skb() -> ip(6)tunnel_xmit() dev_xmit_recursion_inc()/dec() must stay balanced on the same CPU. Without local_bh_disable(), the context may move between CPUs, which can break the inc/dec pairing. This may lead to incorrect recursion level detection and cause packets to be dropped in ip(6)_tunnel_xmit() or __dev_queue_xmit(). Fix it by disabling BH around both IPv4 and IPv6 SCTP UDP xmit paths. In my testing, after enabling the SCTP over UDP: # ip net exec ha sysctl -w net.sctp.udp_port=9899 # ip net exec ha sysctl -w net.sctp.encap_port=9899 # ip net exec hb sysctl -w net.sctp.udp_port=9899 # ip net exec hb sysctl -w net.sctp.encap_port=9899 # ip net exec ha iperf3 -s - without this patch: # ip net exec hb iperf3 -c 192.168.0.1 --sctp [ 5] 0.00-10.00 sec 37.2 MBytes 31.2 Mbits/sec sender [ 5] 0.00-10.00 sec 37.1 MBytes 31.1 Mbits/sec receiver - with this patch: # ip net exec hb iperf3 -c 192.168.0.1 --sctp [ 5] 0.00-10.00 sec 3.14 GBytes 2.69 Gbits/sec sender [ 5] 0.00-10.00 sec 3.14 GBytes 2.69 Gbits/sec receiver Fixes: 6f1a9140ecda ("net: add xmit recursion limit to tunnel xmit functions") Fixes: 046c052b475e ("sctp: enable udp tunneling socks") Signed-off-by: Xin Long <lucien.xin@gmail.com> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Link: https://patch.msgid.link/c874a8548221dcd56ff03c65ba75a74e6cf99119.1776017727.git.lucien.xin@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13sctp: fix missing encap_port propagation for GSO fragmentsXin Long-0/+1
encap_port in SCTP_INPUT_CB(skb) is used by sctp_vtag_verify() for SCTP-over-UDP processing. In the GSO case, it is only set on the head skb, while fragment skbs leave it 0. This results in fragment skbs seeing encap_port == 0, breaking SCTP-over-UDP connections. Fix it by propagating encap_port from the head skb cb when initializing fragment skbs in sctp_inq_pop(). Fixes: 046c052b475e ("sctp: enable udp tunneling socks") Signed-off-by: Xin Long <lucien.xin@gmail.com> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Link: https://patch.msgid.link/ea65ed61b3598d8b4940f0170b9aa1762307e6c3.1776017631.git.lucien.xin@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13Merge branch ↵Jakub Kicinski-42/+43
'net-airoha-preliminary-series-to-support-multiple-net_devices-connected-to-the-same-gdm-port' Lorenzo Bianconi says: ==================== net: airoha: Preliminary series to support multiple net_devices connected to the same GDM port EN7581 or AN7583 SoCs support connecting multiple external SerDes (e.g. Ethernet or USB SerDes) to GDM3 or GDM4 ports via a hw arbiter that manages the traffic in a TDM manner. This series introduces some preliminary changes necessary to introduce support for multiple net_devices connected to the same Frame Engine (FE) GDM port (GDM3 or GDM4). ==================== Link: https://patch.msgid.link/20260412-airoha-multi-serdes-preliminary-patch-v1-0-08d5b670ca8f@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13net: airoha: Rely on net_device pointer in ETS callbacksLorenzo Bianconi-16/+14
Remove airoha_gdm_port dependency in ETS tc callback signatures and rely on net_device pointer instead. Please note this patch does not introduce any logical change and it is a preliminary patch in order to support multiple net_devices connected to the same GDM3 or GDM4 port via an external hw arbiter. Tested-by: Xuegang Lu <xuegang.lu@airoha.com> Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Link: https://patch.msgid.link/20260412-airoha-multi-serdes-preliminary-patch-v1-3-08d5b670ca8f@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13net: airoha: Rely on net_device pointer in HTB callbacksLorenzo Bianconi-21/+24
Remove airoha_gdm_port dependency in HTB tc callback signatures and rely on net_device pointer instead. Please note this patch does not introduce any logical change and it is a preliminary patch in order to support multiple net_devices connected to the same GDM3 or GDM4 port via an external hw arbiter. Tested-by: Xuegang Lu <xuegang.lu@airoha.com> Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Link: https://patch.msgid.link/20260412-airoha-multi-serdes-preliminary-patch-v1-2-08d5b670ca8f@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13net: airoha: Rely on net_device pointer in airoha_dev_setup_tc_block signatureLorenzo Bianconi-5/+5
Remove airoha_gdm_port dependency in airoha_dev_setup_tc_block routine signature and rely on net_device pointer instead. Please note this patch does not introduce any logical change and it is a preliminary patch to support multiple net_devices connected to the GDM3 or GDM4 ports via an external hw arbiter. Tested-by: Xuegang Lu <xuegang.lu@airoha.com> Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Link: https://patch.msgid.link/20260412-airoha-multi-serdes-preliminary-patch-v1-1-08d5b670ca8f@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13Merge branch 'net-dsa-mxl862xx-add-statistics-support'Jakub Kicinski-7/+588
Daniel Golle says: ==================== net: dsa: mxl862xx: add statistics support Add per-port RMON statistics support for the MxL862xx DSA driver, covering hardware-specific ethtool -S counters, standard IEEE 802.3 MAC/ctrl/pause statistics, and rtnl_link_stats64 via polled 64-bit accumulation. ==================== Link: https://patch.msgid.link/cover.1775951347.git.daniel@makrotopia.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13net: dsa: mxl862xx: implement .get_stats64Daniel Golle-7/+270
Poll free-running firmware RMON counters every 2 seconds and accumulate deltas into 64-bit per-port statistics. 32-bit packet counters wrap in ~220s at 10 Gbps line rate with minimum-size frames; the 2s polling interval provides a comfortable margin. The .get_stats64 callback forces a fresh poll so that counters are always up to date when queried. Signed-off-by: Daniel Golle <daniel@makrotopia.org> Link: https://patch.msgid.link/fa38548ba05866879e8912721edc91947ce4ff12.1775951347.git.daniel@makrotopia.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13net: dsa: mxl862xx: add ethtool statistics supportDaniel Golle-0/+318
The MxL862xx firmware exposes per-port RMON counters through the RMON_PORT_GET command, covering standard IEEE 802.3 MAC statistics (unicast/multicast/broadcast packet and byte counts, collision counters, pause frames) as well as hardware-specific counters such as extended VLAN discard and MTU exceed events. Add the RMON counter firmware API structures and command definitions. Implement .get_strings, .get_sset_count, and .get_ethtool_stats for legacy ethtool -S support. Implement .get_eth_mac_stats, .get_eth_ctrl_stats, and .get_pause_stats for the standardized IEEE 802.3 statistics interface. Signed-off-by: Daniel Golle <daniel@makrotopia.org> Link: https://patch.msgid.link/480be14d5ed51f3db7b1681b298044dbf8e87494.1775951347.git.daniel@makrotopia.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13Merge tag 'affs-for-7.1-tag' of ↵Linus Torvalds-0/+2
git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux Pull AFFS fix from David Sterba: "There's a potential out-of-bounds read in the directory hash table during readdir" * tag 'affs-for-7.1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: affs: bound hash_pos before table lookup in affs_readdir
2026-04-13net: phy: realtek: use LEDCR page number define on RTL8211FAleksander Jan Bajkowski-2/+3
Replace the magic number with an existing define for the LEDCR register page number on the RTL8211F. Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl> Reviewed-by: Daniel Golle <daniel@makrotopia.org> Link: https://patch.msgid.link/20260411105150.184577-1-olek2@wp.pl Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13Merge tag 'for-7.1-tag' of ↵Linus Torvalds-1078/+2558
git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux Pull btrfs updates from David Sterba: "User visible changes: - move shutdown ioctl support out of experimental features, a forced stop of filesystem operation until the next unmount; additionally there's a super block operation to forcibly remove a device from under the filesystem that could lead to a shutdown or not if the redundancy allows that - report filesystem shutdown using fserror mechanism - tree-checker updates: - verify free space info, extent and bitmap items - verify remap-tree items and related data in block group items Performance improvements: - speed up clearing first extent in the tracked range (+10% throughput on sample workload) - reduce COW rewrites of extent buffers during the same transaction - avoid taking big device lock to update device stats during transaction commit - fix unnecessary flush on close when truncating empty files (observed in practice on a backup application) - prevent direct reclaim during compressed readahead to avoid stalls under memory pressure Notable fixes: - fix chunk allocation strategy on RAID1-like block groups with disproportionate device sizes, this could lead to ENOSPC due to skewed reservation estimates - adjust metadata reservation overcommit ratio to be less aggressive and also try to flush if possible, this avoids ENOSPC and potential transaction aborts in some edge cases (that are otherwise hard to reproduce) - fix silent IO error in encoded writes and ordered extent split in zoned mode, the error was not correctly propagated to the address space and could lead to zeroed ranges - don't mark inline files NOCOMPRESS unexpectedly, the intent was to do that for single block writes of regular files - fix deadlock between reflink and transaction commit when using flushoncommit - fix overly strict item check of a running dev-replace operation Core: - zoned mode space reservation fixes: - cap delayed refs metadata reservation to avoid overcommit - update logic to reclaim partially unusable zones - add another state to flush and reclaim partially used zone - limit number of zones reclaimed in one go to avoid blocking other operations - don't let log trees consume global reserve on overcommit and fall back to transaction commit - revalidate extent buffer when checking its up-to-date status - add self tests for zoned mode block group specifics - reduce atomic allocations in some qgroup paths - avoid unnecessary root node COW during snapshotting - start new transaction in block group relocation conditionally - faster check of NOCOW files on currently snapshotted root - change how compressed bio size is tracked from bio and reduce the structure size - new tracepoint for search slot restart tracking - checksum list manipulation improvements - type, parameter cleanups, refactoring - error handling improvements, transaction abort call adjustments" * tag 'for-7.1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: (116 commits) btrfs: btrfs_log_dev_io_error() on all bio errors btrfs: fix silent IO error loss in encoded writes and zoned split btrfs: skip clearing EXTENT_DEFRAG for NOCOW ordered extents btrfs: use BTRFS_FS_UPDATE_UUID_TREE_GEN flag for UUID tree rescan check btrfs: remove duplicate journal_info reset on failure to commit transaction btrfs: tag as unlikely if statements that check for fs in error state btrfs: fix double free in create_space_info() error path btrfs: fix double free in create_space_info_sub_group() error path btrfs: do not reject a valid running dev-replace btrfs: only invalidate btree inode pages after all ebs are released btrfs: prevent direct reclaim during compressed readahead btrfs: replace BUG_ON() with error return in cache_save_setup() btrfs: zstd: don't cache sectorsize in a local variable btrfs: zlib: don't cache sectorsize in a local variable btrfs: zlib: drop redundant folio address variable btrfs: lzo: inline read/write length helpers btrfs: use common eb range validation in read_extent_buffer_to_user_nofault() btrfs: read eb folio index right before loops btrfs: rename local variable for offset in folio btrfs: unify types for binary search variables ...
2026-04-13Merge tag 'for-7.1/io_uring-20260411' of ↵Linus Torvalds-618/+1185
git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux Pull io_uring updates from Jens Axboe: - Add a callback driven main loop for io_uring, and BPF struct_ops on top to allow implementing custom event loop logic - Decouple IOPOLL from being a ring-wide all-or-nothing setting, allowing IOPOLL use cases to also issue certain white listed non-polled opcodes - Timeout improvements. Migrate internal timeout storage from timespec64 to ktime_t for simpler arithmetic and avoid copying of timespec data - Zero-copy receive (zcrx) updates: - Add a device-less mode (ZCRX_REG_NODEV) for testing and experimentation where data flows through the copy fallback path - Fix two-step unregistration regression, DMA length calculations, xarray mark usage, and a potential 32-bit overflow in id shifting - Refactoring toward multi-area support: dedicated refill queue struct, consolidated DMA syncing, netmem array refilling format, and guard-based locking - Zero-copy transmit (zctx) cleanup: - Unify io_send_zc() and io_sendmsg_zc() into a single function - Add vectorized registered buffer send for IORING_OP_SEND_ZC - Add separate notification user_data via sqe->addr3 so notification and completion CQEs can be distinguished without extra reference counting - Switch struct io_ring_ctx internal bitfields to explicit flag bits with atomic-safe accessors, and annotate the known harmless races on those flags - Various optimizations caching ctx and other request fields in local variables to avoid repeated loads, and cleanups for tctx setup, ring fd registration, and read path early returns * tag 'for-7.1/io_uring-20260411' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux: (58 commits) io_uring: unify getting ctx from passed in file descriptor io_uring/register: don't get a reference to the registered ring fd io_uring/tctx: clean up __io_uring_add_tctx_node() error handling io_uring/tctx: have io_uring_alloc_task_context() return tctx io_uring/timeout: use 'ctx' consistently io_uring/rw: clean up __io_read() obsolete comment and early returns io_uring/zcrx: use correct mmap off constants io_uring/zcrx: use dma_len for chunk size calculation io_uring/zcrx: don't clear not allocated niovs io_uring/zcrx: don't use mark0 for allocating xarray io_uring: cast id to u64 before shifting in io_allocate_rbuf_ring() io_uring/zcrx: reject REG_NODEV with large rx_buf_size io_uring/cancel: validate opcode for IORING_ASYNC_CANCEL_OP io_uring/rsrc: use io_cache_free() to free node io_uring/zcrx: rename zcrx [un]register functions io_uring/zcrx: check ctrl op payload struct sizes io_uring/zcrx: cache fallback availability in zcrx ctx io_uring/zcrx: warn on a repeated area append io_uring/zcrx: consolidate dma syncing io_uring/zcrx: netmem array as refiling format ...
2026-04-13bnge: return after auxiliary_device_uninit() in error pathGreg Kroah-Hartman-0/+1
When auxiliary_device_add() fails, the error block calls auxiliary_device_uninit() but does not return. The uninit drops the last reference and synchronously runs bnge_aux_dev_release(), which sets bd->auxr_dev = NULL and frees the underlying object. The subsequent bd->auxr_dev->net = bd->netdev then dereferences NULL, which is not a good thing to have happen when trying to clean up from an error. Add the missing return, as the auxiliary bus documentation states is a requirement (seems that LLM tools read documentation better than humans do...) Cc: Vikas Gupta <vikas.gupta@broadcom.com> Cc: Andrew Lunn <andrew+netdev@lunn.ch> Fixes: 8ac050ec3b1c ("bng_en: Add RoCE aux device support") Cc: stable <stable@kernel.org> Assisted-by: gregkh_clanker_t1000 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Link: https://patch.msgid.link/2026041124-banshee-molecular-0f70@gregkh Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13docs: security: ipe: fix typos and grammarEvan Ducas-5/+5
Fix several spelling and grammar mistakes in the IPE documentation. No functional change. Signed-off-by: Evan Ducas <evan.j.ducas@gmail.com> Acked-by: Bagas Sanjaya <bagasdotme@gmail.com> Acked-by: Randy Dunlap <rdunlap@infradead.org> Signed-off-by: Fan Wu <wufan@kernel.org>
2026-04-13tcp: Don't set treq->req_usec_ts in cookie_tcp_reqsk_init().Kuniyuki Iwashima-1/+1
Commit de5626b95e13 ("tcp: Factorise cookie-independent fields initialisation in cookie_v[46]_check().") miscategorised tcp_rsk(req)->req_usec_ts init to cookie_tcp_reqsk_init(), which is used by both BPF/non-BPF SYN cookie reqsk. Rather, it should have been moved to cookie_tcp_reqsk_alloc() by commit 8e7bab6b9652 ("tcp: Factorise cookie-dependent fields initialisation in cookie_v[46]_check()") so that only non-BPF SYN cookie sets tcp_rsk(req)->req_usec_ts to false. Let's move the initialisation to cookie_tcp_reqsk_alloc() to respect bpf_tcp_req_attrs.usec_ts_ok. Fixes: e472f88891ab ("bpf: tcp: Support arbitrary SYN Cookie.") Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com> Link: https://patch.msgid.link/20260410235328.1773449-1-kuniyu@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13f2fs: fix uninitialized kobject put in f2fs_init_sysfs()Guangshuo Li-4/+6
In f2fs_init_sysfs(), all failure paths after kset_register() jump to put_kobject, which unconditionally releases both f2fs_tune and f2fs_feat. If kobject_init_and_add(&f2fs_feat, ...) fails, f2fs_tune has not been initialized yet, so calling kobject_put(&f2fs_tune) is invalid. Fix this by splitting the unwind path so each error path only releases objects that were successfully initialized. Fixes: a907f3a68ee26ba4 ("f2fs: add a sysfs entry to reclaim POSIX_FADV_NOREUSE pages") Cc: stable@vger.kernel.org Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com> Reviewed-by: Chao Yu <chao@kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
2026-04-13f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()Yongpeng Yang-2/+5
In f2fs_sbi_show(), the extension_list, extension_count and hot_ext_count are read without holding sbi->sb_lock. If a concurrent sysfs store modifies the extension list via f2fs_update_extension_list(), the show path may read inconsistent count and array contents, potentially leading to out-of-bounds access or displaying stale data. Fix this by holding sb_lock around the entire extension list read and format operation. Fixes: b6a06cbbb5f7 ("f2fs: support hot file extension") Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com> Reviewed-by: Chao Yu <chao@kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
2026-04-13f2fs: disallow setting an extension to both cold and hotYongpeng Yang-0/+15
An extension should not exist in both the cold and hot extension lists simultaneously. When adding a hot extension, check whether it already exists in the cold list, and vice versa. Reject the operation with -EINVAL if a conflict is found. Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com> Reviewed-by: Chao Yu <chao@kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
2026-04-13Merge tag 'for-7.1/block-20260411' of ↵Linus Torvalds-3088/+5468
git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux Pull block updates from Jens Axboe: - Add shared memory zero-copy I/O support for ublk, bypassing per-I/O copies between kernel and userspace by matching registered buffer PFNs at I/O time. Includes selftests. - Refactor bio integrity to support filesystem initiated integrity operations and arbitrary buffer alignment. - Clean up bio allocation, splitting bio_alloc_bioset() into clear fast and slow paths. Add bio_await() and bio_submit_or_kill() helpers, unify synchronous bi_end_io callbacks. - Fix zone write plug refcount handling and plug removal races. Add support for serializing zone writes at QD=1 for rotational zoned devices, yielding significant throughput improvements. - Add SED-OPAL ioctls for Single User Mode management and a STACK_RESET command. - Add io_uring passthrough (uring_cmd) support to the BSG layer. - Replace pp_buf in partition scanning with struct seq_buf. - zloop improvements and cleanups. - drbd genl cleanup, switching to pre_doit/post_doit. - NVMe pull request via Keith: - Fabrics authentication updates - Enhanced block queue limits support - Workqueue usage updates - A new write zeroes device quirk - Tagset cleanup fix for loop device - MD pull requests via Yu Kuai: - Fix raid5 soft lockup in retry_aligned_read() - Fix raid10 deadlock with check operation and nowait requests - Fix raid1 overlapping writes on writemostly disks - Fix sysfs deadlock on array_state=clear - Proactive RAID-5 parity building with llbitmap, with write_zeroes_unmap optimization for initial sync - Fix llbitmap barrier ordering, rdev skipping, and bitmap_ops version mismatch fallback - Fix bcache use-after-free and uninitialized closure - Validate raid5 journal metadata payload size - Various cleanups - Various other fixes, improvements, and cleanups * tag 'for-7.1/block-20260411' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux: (146 commits) ublk: fix tautological comparison warning in ublk_ctrl_reg_buf scsi: bsg: fix buffer overflow in scsi_bsg_uring_cmd() block: refactor blkdev_zone_mgmt_ioctl MAINTAINERS: update ublk driver maintainer email Documentation: ublk: address review comments for SHMEM_ZC docs ublk: allow buffer registration before device is started ublk: replace xarray with IDA for shmem buffer index allocation ublk: simplify PFN range loop in __ublk_ctrl_reg_buf ublk: verify all pages in multi-page bvec fall within registered range ublk: widen ublk_shmem_buf_reg.len to __u64 for 4GB buffer support xfs: use bio_await in xfs_zone_gc_reset_sync block: add a bio_submit_or_kill helper block: factor out a bio_await helper block: unify the synchronous bi_end_io callbacks xfs: fix number of GC bvecs selftests/ublk: add read-only buffer registration test selftests/ublk: add filesystem fio verify test for shmem_zc selftests/ublk: add hugetlbfs shmem_zc test for loop target selftests/ublk: add shared memory zero-copy test selftests/ublk: add UBLK_F_SHMEM_ZC support for loop target ...
2026-04-13f2fs: fix node_cnt race between extent node destroy and writebackYongpeng Yang-7/+10
f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows: drop inode writeback - iput - f2fs_drop_inode // I_SYNC set - f2fs_destroy_extent_node - __destroy_extent_node - while (node_cnt) { write_lock(&et->lock) __free_extent_tree write_unlock(&et->lock) - __writeback_single_inode - f2fs_outplace_write_data - f2fs_update_read_extent_cache - __update_extent_tree_range // FI_NO_EXTENT not set, // insert new extent node } // node_cnt == 0, exit while - f2fs_bug_on(node_cnt) // node_cnt > 0 Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected. This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and EX_BLOCK_AGE tree. Fixes: 3fc5d5a182f6 ("f2fs: fix to shrink read extent node in batches") Cc: stable@vger.kernel.org Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com> Reviewed-by: Chao Yu <chao@kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
2026-04-13f2fs: allow empty mount string for Opt_usr|grp|projjquotaJaegeuk Kim-12/+15
The fsparam_string_empty() gives an error when mounting without string, since its type is set to fsparam_flag in VFS. So, let's allow the flag as well. This addresses xfstests/f2fs/015 and f2fs/021. Fixes: d18535132523 ("f2fs: separate the options parsing and options checking") Reviewed-by: Daeho Jeong <daehojeong@google.com> Reviewed-by: Chao Yu <chao@kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
2026-04-13udp: Force compute_score to always inlineGabriel Krisman Bertazi-12/+13
Back in 2024 I reported a 7-12% regression on an iperf3 UDP loopback thoughput test that we traced to the extra overhead of calling compute_score on two places, introduced by commit f0ea27e7bfe1 ("udp: re-score reuseport groups when connected sockets are present"). At the time, I pointed out the overhead was caused by the multiple calls, associated with cpu-specific mitigations, and merged commit 50aee97d1511 ("udp: Avoid call to compute_score on multiple sites") to jump back explicitly, to force the rescore call in a single place. Recently though, we got another regression report against a newer distro version, which a team colleague traced back to the same root-cause. Turns out that once we updated to gcc-13, the compiler got smart enough to unroll the loop, undoing my previous mitigation. Let's bite the bullet and __always_inline compute_score on both ipv4 and ipv6 to prevent gcc from de-optimizing it again in the future. These functions are only called in two places each, udpX_lib_lookup1 and udpX_lib_lookup2, so the extra size shouldn't be a problem and it is hot enough to be very visible in profilings. In fact, with gcc13, forcing the inline will prevent gcc from unrolling the fix from commit 50aee97d1511, so we don't end up increasing udpX_lib_lookup2 at all. I haven't recollected the results myself, as I don't have access to the machine at the moment. But the same colleague reported 4.67% inprovement with this patch in the loopback benchmark, solving the regression report within noise margins. Eric Dumazet reported no size change to vmlinux when built with clang. I report the same also with gcc-13: scripts/bloat-o-meter vmlinux vmlinux-inline add/remove: 0/2 grow/shrink: 4/0 up/down: 616/-416 (200) Function old new delta udp6_lib_lookup2 762 949 +187 __udp6_lib_lookup 810 975 +165 udp4_lib_lookup2 757 906 +149 __udp4_lib_lookup 871 986 +115 __pfx_compute_score 32 - -32 compute_score 384 - -384 Total: Before=35011784, After=35011984, chg +0.00% Fixes: 50aee97d1511 ("udp: Avoid call to compute_score on multiple sites") Reviewed-by: Eric Dumazet <edumazet@google.com> Acked-by: Willem de Bruijn <willemb@google.com> Signed-off-by: Gabriel Krisman Bertazi <krisman@suse.de> Link: https://patch.msgid.link/20260410155936.654915-1-krisman@suse.de Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13Merge tag 'landlock-7.1-rc1' of ↵Linus Torvalds-794/+1650
git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux Pull Landlock update from Mickaël Salaün: "This adds a new Landlock access right for pathname UNIX domain sockets thanks to a new LSM hook, and a few fixes" * tag 'landlock-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux: (23 commits) landlock: Document fallocate(2) as another truncation corner case landlock: Document FS access right for pathname UNIX sockets selftests/landlock: Simplify ruleset creation and enforcement in fs_test selftests/landlock: Check that coredump sockets stay unrestricted selftests/landlock: Audit test for LANDLOCK_ACCESS_FS_RESOLVE_UNIX selftests/landlock: Test LANDLOCK_ACCESS_FS_RESOLVE_UNIX selftests/landlock: Replace access_fs_16 with ACCESS_ALL in fs_test samples/landlock: Add support for named UNIX domain socket restrictions landlock: Clarify BUILD_BUG_ON check in scoping logic landlock: Control pathname UNIX domain socket resolution by path landlock: Use mem_is_zero() in is_layer_masks_allowed() lsm: Add LSM hook security_unix_find landlock: Fix kernel-doc warning for pointer-to-array parameters landlock: Fix formatting in tsync.c landlock: Improve kernel-doc "Return:" section consistency landlock: Add missing kernel-doc "Return:" sections selftests/landlock: Fix format warning for __u64 in net_test selftests/landlock: Skip stale records in audit_match_record() selftests/landlock: Drain stale audit records on init selftests/landlock: Fix socket file descriptor leaks in audit helpers ...
2026-04-13Merge branch 'octeon_ep_vf-fix-napi_build_skb-null-dereference'Jakub Kicinski-11/+36
David Carlier says: ==================== octeon_ep_vf: fix napi_build_skb() NULL dereference napi_build_skb() can return NULL on allocation failure. In __octep_vf_oq_process_rx(), the result is used directly without a NULL check in both the single-buffer and multi-fragment paths, leading to a NULL pointer dereference. Patch 1 introduces a helper to deduplicate the ring index advance pattern, patch 2 adds the actual NULL checks. ==================== Link: https://patch.msgid.link/20260409184009.930359-1-devnexen@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13octeon_ep_vf: add NULL check for napi_build_skb()David Carlier-2/+28
napi_build_skb() can return NULL on allocation failure. In __octep_vf_oq_process_rx(), the result is used directly without a NULL check in both the single-buffer and multi-fragment paths, leading to a NULL pointer dereference. Add NULL checks after both napi_build_skb() calls, properly advancing descriptors and consuming remaining fragments on failure. Fixes: 1cd3b407977c ("octeon_ep_vf: add Tx/Rx processing and interrupt support") Cc: stable@vger.kernel.org Signed-off-by: David Carlier <devnexen@gmail.com> Link: https://patch.msgid.link/20260409184009.930359-3-devnexen@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13octeon_ep_vf: introduce octep_vf_oq_next_idx() helperDavid Carlier-9/+8
Introduce octep_vf_oq_next_idx() to consolidate the repeated ring index advance and wraparound pattern in __octep_vf_oq_process_rx(). No functional change intended. Signed-off-by: David Carlier <devnexen@gmail.com> Link: https://patch.msgid.link/20260409184009.930359-2-devnexen@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13Merge tag 'selinux-pr-20260410' of ↵Linus Torvalds-1/+2
git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux Pull selinux update from Paul Moore: - Annotate a known race condition to soothe KCSAN * tag 'selinux-pr-20260410' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: annotate intentional data race in inode_doinit_with_dentry()
2026-04-13Merge branch 'net-qrtr-ns-a-bunch-of-fixs'Jakub Kicinski-10/+69
Manivannan Sadhasivam says: ==================== net: qrtr: ns: A bunch of fixs This series fixes a bunch of possible memory exhaustion issues in the QRTR nameserver. ==================== Link: https://patch.msgid.link/20260409-qrtr-fix-v3-0-00a8a5ff2b51@oss.qualcomm.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13net: qrtr: ns: Fix use-after-free in driver remove()Manivannan Sadhasivam-0/+11
In the remove callback, if a packet arrives after destroy_workqueue() is called, but before sock_release(), the qrtr_ns_data_ready() callback will try to queue the work, causing use-after-free issue. Fix this issue by saving the default 'sk_data_ready' callback during qrtr_ns_init() and use it to replace the qrtr_ns_data_ready() callback at the start of remove(). This ensures that even if a packet arrives after destroy_workqueue(), the work struct will not be dereferenced. Note that it is also required to ensure that the RX threads are completed before destroying the workqueue, because the threads could be using the qrtr_ns_data_ready() callback. Cc: stable@vger.kernel.org Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace") Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com> Link: https://patch.msgid.link/20260409-qrtr-fix-v3-5-00a8a5ff2b51@oss.qualcomm.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13net: qrtr: ns: Limit the total number of nodesManivannan Sadhasivam-2/+14
Currently, the nameserver doesn't limit the number of nodes it handles. This can be an attack vector if a malicious client starts registering random nodes, leading to memory exhaustion. Hence, limit the maximum number of nodes to 64. Note that, limit of 64 is chosen based on the current platform requirements. If requirement changes in the future, this limit can be increased. Cc: stable@vger.kernel.org Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace") Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com> Link: https://patch.msgid.link/20260409-qrtr-fix-v3-4-00a8a5ff2b51@oss.qualcomm.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13net: qrtr: ns: Free the node during ctrl_cmd_bye()Manivannan Sadhasivam-5/+15
A node sends the BYE packet when it is about to go down. So the nameserver should advertise the removal of the node to all remote and local observers and free the node finally. But currently, the nameserver doesn't free the node memory even after processing the BYE packet. This causes the node memory to leak. Hence, remove the node from Xarray list and free the node memory during both success and failure case of ctrl_cmd_bye(). Cc: stable@vger.kernel.org Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace") Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com> Link: https://patch.msgid.link/20260409-qrtr-fix-v3-3-00a8a5ff2b51@oss.qualcomm.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13net: qrtr: ns: Limit the maximum number of lookupsManivannan Sadhasivam-2/+12
Current code does no bound checking on the number of lookups a client can perform. Though the code restricts the lookups to local clients, there is still a possibility of a malicious local client sending a flood of NEW_LOOKUP messages over the same socket. Fix this issue by limiting the maximum number of lookups to 64 globally. Since the nameserver allows only atmost one local observer, this global lookup count will ensure that the lookups stay within the limit. Note that, limit of 64 is chosen based on the current platform requirements. If requirement changes in the future, this limit can be increased. Cc: stable@vger.kernel.org Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace") Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com> Link: https://patch.msgid.link/20260409-qrtr-fix-v3-2-00a8a5ff2b51@oss.qualcomm.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13net: qrtr: ns: Limit the maximum server registration per nodeManivannan Sadhasivam-5/+21
Current code does no bound checking on the number of servers added per node. A malicious client can flood NEW_SERVER messages and exhaust memory. Fix this issue by limiting the maximum number of server registrations to 256 per node. If the NEW_SERVER message is received for an old port, then don't restrict it as it will get replaced. While at it, also rate limit the error messages in the failure path of qrtr_ns_worker(). Note that the limit of 256 is chosen based on the current platform requirements. If requirement changes in the future, this limit can be increased. Cc: stable@vger.kernel.org Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace") Reported-by: Yiming Qian <yimingqian591@gmail.com> Reviewed-by: Simon Horman <horms@kernel.org> Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com> Link: https://patch.msgid.link/20260409-qrtr-fix-v3-1-00a8a5ff2b51@oss.qualcomm.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13Merge tag 'lsm-pr-20260410' of ↵Linus Torvalds-88/+424
git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm Pull LSM updates from Paul Moore: "We only have five patches in the LSM tree, but three of the five are for an important bugfix relating to overlayfs and the mmap() and mprotect() access controls for LSMs. Highlights below: - Fix problems with the mmap() and mprotect() LSM hooks on overlayfs As we are dealing with problems both in mmap() and mprotect() there are essentially two components to this fix, spread across three patches with all marked for stable. The simplest portion of the fix is the creation of a new LSM hook, security_mmap_backing_file(), that is used to enforce LSM mmap() access controls on backing files in the stacked/overlayfs case. The existing security_mmap_file() does not have visibility past the user file. You can see from the associated SELinux hook callback the code is fairly straightforward. The mprotect() fix is a bit more complicated as there is no way in the mprotect() code path to inspect both the user and backing files, and bolting on a second file reference to vm_area_struct wasn't really an option. The solution taken here adds a LSM security blob and associated hooks to the backing_file struct that LSMs can use to capture and store relevant information from the user file. While the necessary SELinux information is relatively small, a single u32, I expect other LSMs to require more than that, and a dedicated backing_file LSM blob provides a storage mechanism without negatively impacting other filesystems. I want to note that other LSMs beyond SELinux have been involved in the discussion of the fixes presented here and they are working on their own related changes using these new hooks, but due to other issues those patches will be coming at a later date. - Use kstrdup_const()/kfree_const() for securityfs symlink targets - Resolve a handful of kernel-doc warnings in cred.h" * tag 'lsm-pr-20260410' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm: selinux: fix overlayfs mmap() and mprotect() access checks lsm: add backing_file LSM hooks fs: prepare for adding LSM blob to backing_file securityfs: use kstrdup_const() to manage symlink targets cred: fix kernel-doc warnings in cred.h
2026-04-13Merge tag 'audit-pr-20260410' of ↵Linus Torvalds-10/+20
git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit Pull audit updates from Paul Moore: - Improved handling of unknown status requests from userspace The current kernel code ignores unknown/unused request bits sent from userspace and returns an error code based on the results of the request(s) it does understand. The patch from Ricardo fixes this so that unknown requests return an -EINVAL to userspace, making compatibility a bit easier moving forward. - A number of small style and formatting cleanups * tag 'audit-pr-20260410' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit: audit: handle unknown status requests in audit_receive_msg() audit: fix coding style issues audit: remove redundant initialization of static variables to 0 audit: fix whitespace alignment in include/uapi/linux/audit.h
2026-04-13Merge branch 'net-move-getsockopt-away-from-__user-buffers'Jakub Kicinski-26/+94
Breno Leitao says: ==================== net: move .getsockopt away from __user buffers Currently, the .getsockopt callback requires __user pointers: int (*getsockopt)(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen); This prevents kernel callers (io_uring, BPF) from using getsockopt on levels other than SOL_SOCKET, since they pass kernel pointers. Following Linus' suggestion [0], this series introduces sockopt_t, a type-safe wrapper around iov_iter, and a getsockopt_iter callback that works with both user and kernel buffers. AF_PACKET and CAN raw are converted as initial users, with selftests covering the trickiest conversion patterns. [0] https://lore.kernel.org/all/CAHk-=whmzrO-BMU=uSVXbuoLi-3tJsO=0kHj1BCPBE3F2kVhTA@mail.gmail.com/ ==================== Link: https://patch.msgid.link/20260408-getsockopt-v3-0-061bb9cb355d@debian.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13can: raw: convert to getsockopt_iterBreno Leitao-15/+13
Convert CAN raw socket's getsockopt implementation to use the new getsockopt_iter callback with sockopt_t. Key changes: - Replace (char __user *optval, int __user *optlen) with sockopt_t *opt - Use opt->optlen for buffer length (input) and returned size (output) - Use copy_to_iter() instead of copy_to_user() - For CAN_RAW_FILTER and CAN_RAW_XL_VCID_OPTS: on -ERANGE, set opt->optlen to the required buffer size. The wrapper writes this back to userspace even on error, preserving the existing API that lets userspace discover the needed allocation size. Signed-off-by: Breno Leitao <leitao@debian.org> Acked-by: Stanislav Fomichev <sdf@fomichev.me> Link: https://patch.msgid.link/20260408-getsockopt-v3-4-061bb9cb355d@debian.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13af_packet: convert to getsockopt_iterBreno Leitao-8/+7
Convert AF_PACKET's getsockopt implementation to use the new getsockopt_iter callback with sockopt_t. Key changes: - Replace (char __user *optval, int __user *optlen) with sockopt_t *opt - Use opt->optlen for buffer length (input) and returned size (output) - Use copy_to_iter() instead of put_user()/copy_to_user() - For PACKET_HDRLEN which reads from optval: use opt->iter_in with copy_from_iter() for the input read, then the common opt->iter_out copy_to_iter() epilogue handles the output Signed-off-by: Breno Leitao <leitao@debian.org> Acked-by: Stanislav Fomichev <sdf@fomichev.me> Link: https://patch.msgid.link/20260408-getsockopt-v3-3-061bb9cb355d@debian.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13net: call getsockopt_iter if availableBreno Leitao-3/+51
Update do_sock_getsockopt() to use the new getsockopt_iter callback when available. Add do_sock_getsockopt_iter() helper that: 1. Reads optlen from user/kernel space 2. Initializes a sockopt_t with the appropriate iov_iter (kvec for kernel, ubuf for user buffers) and sets opt.optlen 3. Calls the protocol's getsockopt_iter callback 4. Writes opt.optlen back to user/kernel space The optlen is always written back, even on failure. Some protocols (e.g. CAN raw) return -ERANGE and set optlen to the required buffer size so userspace knows how much to allocate. The callback is responsible for setting opt.optlen to indicate the returned data size. Important to say that iov_out does not need to be copied back in do_sock_getsockopt(). When optval is not kernel (the userspace path), sockptr_to_sockopt() sets up opt->iter_out as a ITER_DEST ubuf iterator pointing directly at the userspace buffer (optval.user). So when getsockopt_iter implementations call copy_to_iter(..., &opt->iter_out), the data is written directly to userspace — no intermediate kernel buffer is involved. When optval.is_kernel is true (the in-kernel path, e.g. from io_uring), the kvec points at the already-provided kernel buffer (optval.kernel), so the data lands in the caller's buffer directly via the kvec-backed iterator. In both cases the iterator writes to the final destination in-place at protocol callback. There's nothing to copy back — only optlen needs to be written back. Signed-off-by: Breno Leitao <leitao@debian.org> Acked-by: Stanislav Fomichev <sdf@fomichev.me> Link: https://patch.msgid.link/20260408-getsockopt-v3-2-061bb9cb355d@debian.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13net: add getsockopt_iter callback to proto_opsBreno Leitao-0/+23
Add a new getsockopt_iter callback to struct proto_ops that uses sockopt_t, a type-safe wrapper around iov_iter. This provides a clean interface for socket option operations that works with both user and kernel buffers. The sockopt_t type encapsulates an iov_iter and an optlen field. The optlen field, although not suggested by Linus, serves as both input (buffer size) and output (returned data size), allowing callbacks to return random values independent of the bytes written via copy_to_iter(), so, keep it separated from iov_iter.count. This is preparatory work for removing the SOL_SOCKET level restriction from io_uring getsockopt operations. Keep in mind that both iter_out and iter_in always point to the same data at all times, and we just have two of them to make the callback implementation sane. Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Breno Leitao <leitao@debian.org> Acked-by: Stanislav Fomichev <sdf@fomichev.me> Link: https://patch.msgid.link/20260408-getsockopt-v3-1-061bb9cb355d@debian.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13NFSv4.1: Apply session size limits on clone pathTushar Sariya-2/+7
nfs4_clone_server() builds a child nfs_server for same-server automounted submounts but never calls nfs4_session_limit_rwsize() or nfs4_session_limit_xasize() after nfs_clone_server(). This means the child mount can end up with rsize/wsize values that exceed the negotiated session channel limits, causing NFS4ERR_REQ_TOO_BIG and EIO on servers that enforce tight max_request_size budgets. Top-level mounts go through nfs4_server_common_setup() which calls these limiters after nfs_probe_server(). Apply the same clamping on the clone path for consistency. Fixes: 2b092175f5e3 ("NFS: Fix inheritance of the block sizes when automounting") Cc: stable@vger.kernel.org Signed-off-by: Tushar Sariya <tushar.97@hotmail.com> Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
2026-04-13NFSv4: retry GETATTR if GET_DIR_DELEGATION failedOlga Kornievskaia-0/+8
Currently, getting a directory delegation is opportinistic and gets added to an existing GETATTR that's trying to retrieve some needed attributes. However, GET_DIRDELEGATION can fail and that currently causes a GETATTR to fail and an error is propagated to the user. Instead, the original GETATTR should be retried without requesting a directory delegation. Also, now chosing to clear asking for the direct delegation for this specific inode. Fixes: 156b09482933 ("NFS: Request a directory delegation on ACCESS, CREATE, and UNLINK") Signed-off-by: Olga Kornievskaia <okorniev@redhat.com> Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
2026-04-13NFS: fix RENAME attr in presence of directory delegationsOlga Kornievskaia-1/+3
Since commit 6f9bda2337f8 ("NFS: Fix directory delegation verifier checks") xfstest generic/309 is failing because after the rename (mv) operation, client's mtime/ctime is the same. Update the delegated mtime when directory delegations are present in rename. Fixes: 6f9bda2337f8 ("NFS: Fix directory delegation verifier checks") Signed-off-by: Olga Kornievskaia <okorniev@redhat.com> Reviewed-by: Benjamin Coddington <bcodding@hammerspace.com> Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
2026-04-13net: phy: qcom: at803x: Use the correct bit to disable extended next pageMaxime Chevallier-2/+3
As noted in the blamed commit, the AR8035 and other PHYs from this family advertise the Extended Next Page support by default, which may be understood by some partners as this PHY being multi-gig capable. The fix is to disable XNP advertising, which is done by setting bit 12 of the Auto-Negotiation Advertisement Register (MII_ADVERTISE). The blamed commit incorrectly uses MDIO_AN_CTRL1_XNP, which is bit 13 as per 802.3 : 45.2.7.1 AN control register (Register 7.0) BIT 12 in MII_ADVERTISE is wrapped by ADVERTISE_RESV, used by some drivers such as the aquantia one. 802.3 Clause 28 defines bit 12 as Extended Next Page ability, at least in recent versions of the standard. Let's add a define for it and use it in the at803x driver. Fixes: 3c51fa5d2afe ("net: phy: ar803x: disable extended next page bit") Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com> Reviewed-by: Andrew Lunn <andrew@lunn.ch> Link: https://patch.msgid.link/20260410171021.1277138-1-maxime.chevallier@bootlin.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13net: stmmac: enable RPS and RBU interruptsRussell King (Oracle)-0/+6
Enable receive process stopped and receive buffer unavailable interrupts, so that the statistic counters can be updated. Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk> Link: https://patch.msgid.link/E1wBBaR-0000000GZHR-1dbM@rmk-PC.armlinux.org.uk Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13Merge tag 'for-net-next-2026-04-13' of ↵Jakub Kicinski-241/+476
git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next Luiz Augusto von Dentz says: ==================== bluetooth-next pull request for net-next: core: - hci_core: Rate limit the logging of invalid ISO handle - hci_sync: make hci_cmd_sync_run_once return -EEXIST if exists - hci_event: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER - hci_event: fix potential UAF in SSP passkey handlers - HCI: Avoid a couple -Wflex-array-member-not-at-end warnings - L2CAP: CoC: Disconnect if received packet size exceeds MPS - L2CAP: Add missing chan lock in l2cap_ecred_reconf_rsp - L2CAP: Fix printing wrong information if SDU length exceeds MTU - SCO: check for codecs->num_codecs == 1 before assigning to sco_pi(sk)->codec drivers: - btusb: MT7922: Add VID/PID 0489/e174 - btusb: Add Lite-On 04ca:3807 for MediaTek MT7921 - btusb: Add MT7927 IDs ASUS ROG Crosshair X870E Hero, Lenovo Legion Pro 7 16ARX9, Gigabyte Z790 AORUS MASTER X, MSI X870E Ace Max, TP-Link Archer TBE550E, ASUS X870E / ProArt X870E-Creator. - btusb: Add MT7902 IDs 13d3/3579, 13d3/3580, 13d3/3594, 13d3/3596, 0e8d/1ede - btusb: Add MT7902 IDs 13d3/3579, 13d3/3580, 13d3/3594, 13d3/3596, 0e8d/1ede - btusb: MediaTek MT7922: Add VID 0489 & PID e11d - btintel: Add support for Scorpious Peak2 support - btintel: Add support for Scorpious Peak2F support - btintel_pcie: Add device id of Scorpius Peak2, Nova Lake-PCD-H - btintel_pcie: Add device id of Scorpious2, Nova Lake-PCD-S - btmtk: Add reset mechanism if downloading firmware failed - btmtk: Add MT6639 (MT7927) Bluetooth support - btmtk: fix ISO interface setup for single alt setting - btmtk: add MT7902 SDIO support - Bluetooth: btmtk: add MT7902 MCU support - btbcm: Add entry for BCM4343A2 UART Bluetooth - qca: enable pwrseq support for wcn39xx devices - hci_qca: Fix BT not getting powered-off on rmmod - hci_qca: disable power control for WCN7850 when bt_en is not defined - hci_qca: Fix missing wakeup during SSR memdump handling - hci_ldisc: Clear HCI_UART_PROTO_INIT on error - mmc: sdio: add MediaTek MT7902 SDIO device ID - hci_ll: Enable BROKEN_ENHANCED_SETUP_SYNC_CONN for WL183x * tag 'for-net-next-2026-04-13' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next: (59 commits) Bluetooth: hci_qca: Fix missing wakeup during SSR memdump handling Bluetooth: btintel_pcie: use strscpy to copy plain strings Bluetooth: hci_event: fix potential UAF in SSP passkey handlers Bluetooth: hci.h: Avoid a couple -Wflex-array-member-not-at-end warnings Bluetooth: SCO: check for codecs->num_codecs == 1 before assigning to sco_pi(sk)->codec Bluetooth: btintel_pcie: Align shared DMA memory to 128 bytes Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp Bluetooth: hci_ll: Enable BROKEN_ENHANCED_SETUP_SYNC_CONN for WL183x Bluetooth: btusb: MediaTek MT7922: Add VID 0489 & PID e11d Bluetooth: btmtk: hide unused btmtk_mt6639_devs[] array Bluetooth: btusb: Add MT7927 ID for ASUS X870E / ProArt X870E-Creator Bluetooth: btusb: Add MT7927 ID for TP-Link Archer TBE550E Bluetooth: btusb: Add MT7927 ID for MSI X870E Ace Max Bluetooth: btusb: Add MT7927 ID for Gigabyte Z790 AORUS MASTER X Bluetooth: btusb: Add MT7927 ID for Lenovo Legion Pro 7 16ARX9 Bluetooth: btusb: Add MT7927 ID for ASUS ROG Crosshair X870E Hero Bluetooth: btmtk: fix ISO interface setup for single alt setting Bluetooth: btmtk: Add MT6639 (MT7927) Bluetooth support Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER Bluetooth: btmtk: refactor endpoint lookup ... ==================== Link: https://patch.msgid.link/20260413132247.320961-1-luiz.dentz@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-13Merge tag 'vfs-7.1-rc1.misc' of ↵Linus Torvalds-252/+225
git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull misc vfs updates from Christian Brauner: "Features: - coredump: add tracepoint for coredump events - fs: hide file and bfile caches behind runtime const machinery Fixes: - fix architecture-specific compat_ftruncate64 implementations - dcache: Limit the minimal number of bucket to two - fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START - fs/mbcache: cancel shrink work before destroying the cache - dcache: permit dynamic_dname()s up to NAME_MAX Cleanups: - remove or unexport unused fs_context infrastructure - trivial ->setattr cleanups - selftests/filesystems: Assume that TIOCGPTPEER is defined - writeback: fix kernel-doc function name mismatch for wb_put_many() - autofs: replace manual symlink buffer allocation in autofs_dir_symlink - init/initramfs.c: trivial fix: FSM -> Finite-state machine - fs: remove stale and duplicate forward declarations - readdir: Introduce dirent_size() - fs: Replace user_access_{begin/end} by scoped user access - kernel: acct: fix duplicate word in comment - fs: write a better comment in step_into() concerning .mnt assignment - fs: attr: fix comment formatting and spelling issues" * tag 'vfs-7.1-rc1.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: (28 commits) dcache: permit dynamic_dname()s up to NAME_MAX fs: attr: fix comment formatting and spelling issues fs: hide file and bfile caches behind runtime const machinery fs: write a better comment in step_into() concerning .mnt assignment proc: rename proc_notify_change to proc_setattr proc: rename proc_setattr to proc_nochmod_setattr affs: rename affs_notify_change to affs_setattr adfs: rename adfs_notify_change to adfs_setattr hfs: update comments on hfs_inode_setattr kernel: acct: fix duplicate word in comment fs: Replace user_access_{begin/end} by scoped user access readdir: Introduce dirent_size() coredump: add tracepoint for coredump events fs: remove do_sys_truncate fs: pass on FTRUNCATE_* flags to do_truncate fs: fix archiecture-specific compat_ftruncate64 fs: remove stale and duplicate forward declarations init/initramfs.c: trivial fix: FSM -> Finite-state machine autofs: replace manual symlink buffer allocation in autofs_dir_symlink fs/mbcache: cancel shrink work before destroying the cache ...
2026-04-13vfio/xe: Add a missing vfio_pci_core_release_dev()Michał Winiarski-0/+1
The driver is implementing its own .release(), which means that it needs to call vfio_pci_core_release_dev(). Add the missing call. Fixes: 1f5556ec8b9ef ("vfio/xe: Add device specific vfio_pci driver variant for Intel graphics") Reported-by: Niklas Schnelle <schnelle@linux.ibm.com> Closes: https://lore.kernel.org/kvm/408e262c507e8fd628a71e39904fedd99fa0ee8e.camel@linux.ibm.com/ Cc: stable@vger.kernel.org Signed-off-by: Michał Winiarski <michal.winiarski@intel.com> Reviewed-by: Niklas Schnelle <schnelle@linux.ibm.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com> Link: https://lore.kernel.org/r/20260410224948.900550-2-michal.winiarski@intel.com Signed-off-by: Alex Williamson <alex@shazbot.org>