Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v7.1-rc6 2026-05-31T15:52:16+00:00 2026-05-31T15:52:16+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-05-31T15:52:16+00:00 urn:sha1:968966c2823a4b426a1c71101cb682faa0982892 Pull x86 fixes from Ingo Molnar: - Make the clearcpuid= boot parameter less prominent and warn about its dangers & caveats (Borislav Petkov) - Do not access the (new) PLATFORM_ID MSR when running as a guest (Borislav Petkov) - x86 ftrace: Relocate %rip-relative percpu refs in dynamic trampolines, to fix crash when using such trampolines (Alexis Lothoré) - Fix x86-64 CFI build error (Peter Zijlstra) - Revert FPU signal return magic number check optimization, because it broke CRIU and gVisor in certain FPU configurations (Andrei Vagin) * tag 'x86-urgent-2026-05-31' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: Revert "x86/fpu: Refine and simplify the magic number check during signal return" x86/kvm/vmx: Fix x86_64 CFI build x86/ftrace: Relocate %rip-relative percpu refs in dynamic trampolines x86/microcode: Do not access MSR_IA32_PLATFORM_ID when running as a guest Documentation/arch/x86: Hide clearcpuid= 2026-05-30T15:34:03+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-05-30T15:34:03+00:00 urn:sha1:495fb8dd7f1da991c5325f4a0a50d0b042f19523 Pull tty/serial driver fixes from Greg KH: "Here are some small serial driver fixes for 7.1-rc6. Included in here are: - mips serial driver fixes to resolve some long-standing issues with how they interacted with the console. That's the "majority" of the changes in this merge request - sh-sci driver regression fix - 8250 driver regression fixes - other small serial driver fixes for reported problems. All of these have been in linux-next for over a week with no reported issues" * tag 'tty-7.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: serial: dz: Enable modular build serial: zs: Convert to use a platform device serial: dz: Convert to use a platform device serial: zs: Switch to using channel reset serial: zs: Fix bootconsole handover lockup serial: dz: Fix bootconsole handover lockup serial: dz: Fix bootconsole message clobbering at chip reset serial: 8250_dw: dispatch SysRq character in dw8250_handle_irq() serial: 8250: dispatch SysRq character in serial8250_handle_irq() serial: core: introduce guard(uart_port_lock_check_sysrq_irqsave) tty: serial: samsung: Remove redundant port lock acquisition in rx helpers serial: altera_jtaguart: handle uart_add_one_port() failures serial: qcom_geni: fix kfifo underflow when flush precedes DMA completion IRQ serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma tty: add missing tty_driver include to tty_port.h serial: qcom-geni: fix UART_RX_PAR_EN bit position serial: sh-sci: fix memory region release in error path tty: serial: pch_uart: add check for dma_alloc_coherent() serial: zs: Fix swapped RI/DSR modem line transition counting 2026-05-29T22:17:53+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-05-29T22:17:53+00:00 urn:sha1:77590cacabb3bffba7e2e95c359889bc44241b68 Pull clang build fix from Nathan Chancellor: "A small fix to disable -Wattribute-alias for clang in the few places it is already disabled for GCC, now that tip of tree clang has implemented -Wattribute-alias as GCC has" * tag 'clang-fixes-7.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/nathan/linux: Disable -Wattribute-alias for clang-23 and newer 2026-05-29T22:05:30+00:00 Andrei Vagin avagin@google.com 2026-05-26T20:50:43+00:00 urn:sha1:44eeff9bc467bc7d1fec34fc3f6001f385fe462c This reverts dc8aa31a7ac2 ("x86/fpu: Refine and simplify the magic number check during signal return"). The aforementioned commit broke applications that construct signal frames in userspace (such as CRIU and gVisor) if the frame's xstate size is smaller than the kernel's fpstate->user_size. Furthermore, this introduces a critical issue for checkpoint/restore tools like CRIU. If a process is checkpointed while inside a signal handler, its stack contains a signal frame formatted according to the source host's xstate capabilities. If that process is later restored on a destination host with larger xstate capabilities (e.g., a newer CPU with more features enabled, resulting in a larger fpstate->user_size), the kernel will look for FP_XSTATE_MAGIC2 at the destination host's larger user_size offset instead of the offset encoded in the frame's fx_sw->xstate_size. This causes the magic2 check to fail, forcing sigreturn to silently fall back to "FX-only" mode. Upon return from the signal handler, the process's extended state is reset to initial values instead of being restored, leading to silent data corruption. The aforementioned commit cited d877550eaf2d ("x86/fpu: Stop relying on userspace for info to fault in xsave buffer") as justification to stop relying on userspace for the magic number check. However, these two changes are fundamentally different. The last one only changed how much memory the kernel ensures is paged-in before running XRSTOR to prevent an infinite loop. It did not change the signal frame format or how the layout is validated. Reverting this change restores the use of fx_sw->xstate_size for locating magic2 and restores the necessary sanity checks, ensuring that the signal frame remains self-describing and portable. [ bp: Massage commit message. ] Fixes: dc8aa31a7ac2 ("x86/fpu: Refine and simplify the magic number check during signal return") Signed-off-by: Andrei Vagin <avagin@google.com> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Acked-by: Chang S. Bae <chang.seok.bae@intel.com> Cc: stable@vger.kernel.org Link: https://lore.kernel.org/all/20260429000623.3356606-1-avagin@google.com 2026-05-29T18:25:59+00:00 Paolo Bonzini pbonzini@redhat.com 2026-05-29T18:25:59+00:00 urn:sha1:713074d53be5c8684cb31fa7a8f09ffb679338d9 2026-05-29T18:25:29+00:00 Sean Christopherson seanjc@google.com 2026-05-01T20:22:35+00:00 urn:sha1:c8cc238093ca6c99267032f6cfe78f59389f3157 Use READ_ONCE() when reading entries/indices from the guest-accessible Page State Change buffer to defend against TOCTOU bugs. Don't bother with READ_ONCE()/WRITE_ONCE() for cases where KVM is writing (and not consuming the result!), as the guest isn't supposed to touch the buffer while it's being processed. I.e. using READ_ONCE() is all about protecting against misbehaving guests. Fixes: 9b54e248d264 ("KVM: SEV: Add support to handle Page State Change VMGEXIT") Cc: stable@vger.kernel.org Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Sean Christopherson <seanjc@google.com> Message-ID: <20260501202250.2115252-11-seanjc@google.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> 2026-05-29T18:25:29+00:00 Sean Christopherson seanjc@google.com 2026-05-01T20:22:34+00:00 urn:sha1:121d88de56bc5c0ba0ce2f6381af67f948a7e7c1 When processing Page State Change (PSC) requests, validate the PSC buffer against the effective size of the scratch area, which could be less than the maximum size if the guest provided a pointer that isn't exactly at the start of the GHCB shared buffer. Fixes: 9b54e248d264 ("KVM: SEV: Add support to handle Page State Change VMGEXIT") Cc: stable@vger.kernel.org Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com> Reviewed-by: Michael Roth <michael.roth@amd.com> Signed-off-by: Sean Christopherson <seanjc@google.com> Message-ID: <20260501202250.2115252-10-seanjc@google.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> 2026-05-29T18:25:28+00:00 Sean Christopherson seanjc@google.com 2026-05-01T20:22:33+00:00 urn:sha1:ebe4b2dc9cfbfb2d8f665667c4d08f4c6c9bec05 Stop explicitly passing the PSC buffer to snp_begin_psc(): it *must* be the scratch area. This will allow fixing a variety of bugs without further complicating the code. No functional change intended. Cc: stable@vger.kernel.org Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com> Reviewed-by: Michael Roth <michael.roth@amd.com> Signed-off-by: Sean Christopherson <seanjc@google.com> Message-ID: <20260501202250.2115252-9-seanjc@google.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> 2026-05-29T18:25:28+00:00 Sean Christopherson seanjc@google.com 2026-05-01T20:22:32+00:00 urn:sha1:f185e05dce6f170f83c4ba602e969b1c3c7a22e6 Now that all paths in KVM properly validate the length needed for the scratch area, and are guaranteed to pass in a non-zero length, WARN if KVM attempts to configured the scratch area with min_len==0 to guard against future bugs. Cc: stable@vger.kernel.org Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com> Reviewed-by: Michael Roth <michael.roth@amd.com> Signed-off-by: Sean Christopherson <seanjc@google.com> Message-ID: <20260501202250.2115252-8-seanjc@google.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> 2026-05-29T18:25:28+00:00 Sean Christopherson seanjc@google.com 2026-05-01T20:22:31+00:00 urn:sha1:5867d7e202e09f037cefe77f7af4413c7c0fa088 When setting the length of the GHCB scratch area, and the area is in the GHCB shared buffer, set the effective length of the scratch area to the max possible size given the start of the guest-provided pointer, and the end of the shared buffer. The code was "fine" when first introduced, as KVM doesn't consult the length of the buffer when emulating MMIO, because the passed in @len always specifies the *max* size required. But for PSC requests, the incoming @len is just the minimum length (to process the header), and KVM needs to know the full size of the scratch area to avoid buffer overflows (spoiler alert). Opportunistically rename @len => @min_len to better reflect its role. Fixes: 9b54e248d264 ("KVM: SEV: Add support to handle Page State Change VMGEXIT") Cc: stable@vger.kernel.org Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com> Reviewed-by: Michael Roth <michael.roth@amd.com> Signed-off-by: Sean Christopherson <seanjc@google.com> Message-ID: <20260501202250.2115252-7-seanjc@google.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>