The Perl localtime() function returns the month starting at 0 not 1. This
caused the date produced to create the directory for saving files of a
failed run to have the month off by one.
machine-test-useconfig-fail-20260314073628
The above happened in April, not March. The correct name should have been:
machine-test-useconfig-fail-20260414073628
This was somewhat confusing.
Cc: stable@vger.kernel.org
Cc: John 'Warthog9' Hawley <warthog9@kernel.org>
Link: https://patch.msgid.link/20260420142426.33ad0293@fedora
Fixes: 7faafbd696 ("ktest: Add open and close console and start stop monitor")
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Highlights:
- asus-wmi:
- Retain battery charge threshold during boot which avoids unsolicited
change to 100%. Return -ENODATA when the limit is not yet known
- Improve screenpad power/brightness handling consistency
- Fix screenpad brightness range
- barco-p50-gpio: Normalize gpio_get return values
- bitland-mifs-wmi: Add driver for Bitland laptops (supports platform
profile,hwmon, kbd backlight, gpu mode, hotkeys, and
fan boost)
- dell_rbu: Fix using uninitialized value in sysfs write function
- dell-wmi-sysman: Respect destination length when constructing enum
strings
- hp-wmi:
- Propagate fan setting apply failures and log an error
- Fix sysfs write vs work handler cancel_delayed_work_sync() deadlock
- Correct keepalive schedule_delayed_work() to mod_delayed_work()
- Fix u8 underflows in GPU delta calculation
- Use mutex to protect fan pwm/mode
- Ignore kbd backlight and FnLock key events that are handled by FW
- Fix fan table parsing (use correct field)
- Add support for Omen 14-fb0xxx, 16-n0xxx, 16-wf1xxx, and Omen MAX
16-ak0xxxx
- input: trackpoint & thinkpad_acpi: Enable doubletap by default and
add sysfs enable/disable
- int3472: Add support for GPIO type 0x02 (IR flood LED)
- intel-speed-select: (updated to v1.26)
- Avoid using current base frequency as maximum
- Fix CPU extended family ID decoding
- Fix exit code
- Improve error reporting
- intel/vsec: Refactor to support ACPI-enumerated PMT endpoints.
- pcengines-apuv2: Attach software node to the gpiochip
- uniwill:
- Refactor hwmon to smaller parts to accomodate HW diversity
- Support USB-C power/performance priority switch through sysfs
- Add another XMG Fusion 15 (L19) DMI vendor
- Enable fine-grained features to device lineup mapping
- wmi: Perform output size check within WMI core to allow simpler WMI
drivers
- acpi_driver -> platform driver conversions (a large number of changes
from Rafael J. Wysocki)
- Miscellaneous cleanups / refactoring / improvements
The following is an automated shortlog grouped by driver:
acer-wireless:
- Convert ACPI driver to a platform one
- Register ACPI notify handler directly
asus-laptop:
- Convert ACPI driver to a platform one
- Register ACPI notify handler directly
asus-wireless:
- Convert ACPI driver to a platform one
- Register ACPI notify handler directly
asus-wmi:
- adjust screenpad power/brightness handling
- do not enforce a battery charge threshold
- fix screenpad brightness range
barco-p50-gpio:
- convert to guard() notation
- normalize return value of gpio_get
bitland-mifs-wmi:
- Add new Bitland MIFS WMI driver
dell/dell-rbtn:
- Convert ACPI driver to a platform one
- Register ACPI notify handler directly
dell_rbu:
- avoid uninit value usage in packet_size_write()
dell-wmi-sysman:
- bound enumeration string aggregation
- Clean up security buffer helpers
- Fix typo in function comment
- Use standard kobj_sysfs_ops
- Use sysfs_emit{_at} in show functions
Documentation: laptops:
- Update documentation for uniwill laptops
Documentation:
- thinkpad-acpi - Document doubletap_enable attribute
eeepc-laptop:
- Convert ACPI driver to a platform one
- Register ACPI notify handler directly
fujitsu:
- Convert backlight driver to a platform one
- Convert laptop driver to a platform one
- Register ACPI notify handlers directly
- Reorder code to avoid forward declarations
fujitsu-tablet:
- Convert ACPI driver to a platform one
hp-wmi:
- add locking for concurrent hwmon access
- add Omen 14-fb0xxx (board 8C58) support
- Add support for Omen 16-n0xxx (8A44)
- Add support for Omen 16-wf1xxx (8C77)
- Add support for OMEN MAX 16-ak0xxx (8D87)
- avoid cancel_delayed_work_sync from work handler
- fix fan table parsing
- fix ignored return values in fan settings
- fix u8 underflow in gpu_delta calculation
- Ignore backlight and FnLock events
- use mod_delayed_work to reset keep-alive timer
input:
- trackpoint - Enable doubletap by default on capable devices
int3472:
- Add support for GPIO type 0x02 (IR flood LED)
- Parameterize LED con_id in registration
- Rename pled to led in LED registration code
- Use local variable for LED struct access
intel/rst:
- Convert ACPI driver to a platform one
intel/smartconnect:
- Convert ACPI driver to a platform one
intel/tpmi:
- Use 32 bit aligned address for debugfs mem write
intel/vsec:
- Decouple add/link helpers from PCI
- Make driver_data info const
- Plumb ACPI PMT discovery tables through vsec
- Refactor base_addr handling
- Return real error codes from registration path
- Switch exported helpers from pci_dev to device
lg-laptop:
- Convert ACPI driver to a platform one
- Drop debug-only ACPI notify handler
nvsw-sn2201:
- Drop unused include
panasonic-laptop:
- Convert ACPI driver to a platform one
- Fix OPTD notifier registration and cleanup
- Make pcc_register_optd_notifier() void
- Register ACPI notify handler directly
- Remove redundant checks from 3 functions
pcengines-apuv2:
- attach software node to the gpiochip
sony-laptop:
- Convert NC driver to a platform one
- Convert PIC driver to a platform one
- Register ACPI notify handler directly
surface: hotplug:
- Correct inclusion for GPIO APIs
surface: surfacepro3_button:
- Convert to a platform driver
- Drop wakeup source on remove
- Register ACPI notify handler
system76:
- Convert ACPI driver to a platform one
- Drop redundant devm_led_classdev_unregister()
- Register ACPI notify handler directly
thinkpad_acpi:
- Add sysfs control for TrackPoint double-tap
- Drop ACPI driver registration
- remove obsolete TODO comment
- use seq_puts() instead of seq_printf()
tools/power/x86/intel-speed-select:
- Avoid current base freq as maximum
- Fix cpu extended family ID decoding
- Fix output when running on unsupported CLX platforms
- Fix some program return value
- Print Version info when Incompatible API version is detected
- v1.26 release
topstar-laptop:
- Convert ACPI driver to a platform one
- Register ACPI notify handler directly
toshiba_acpi:
- Convert ACPI driver to a platform one
- Register ACPI notify handler directly
- Reorder code to avoid forward declaration
toshiba_bluetooth:
- Convert ACPI driver to a platform one
- Register ACPI notify handler directly
toshiba_haps:
- Convert ACPI driver to a platform one
- Register ACPI notify handler directly
uniwill-laptop:
- Apply features across all TUXEDO devices
- Fix signedness bug
- Fix XMG Fusion 15 (L19) entries
- Implement USB-C power priority setting
- Rework hwmon feature defines
wireless-hotkey:
- Convert ACPI driver to a platform one
- Register ACPI notify handler directly
wmi:
- Add wmidev_invoke_procedure()
- Convert drivers to use wmidev_invoke_procedure()
- Extend wmidev_invoke_method() to reject undersized data
- Extend wmidev_query_block() to reject undersized data
- Prepare to reject undersized unmarshalling results
- Replace .no_notify_data with .min_event_size
x86:
- remove unnecessary module_init/exit() functions
Merges:
- Merge branch 'intel-sst' of https://github.com/spandruvada/linux-kernel into review-ilpo-next
- Merge tag 'fixes' into 'for-next'
-----BEGIN PGP SIGNATURE-----
iHUEABYIAB0WIQSCSUwRdwTNL2MhaBlZrE9hU+XOMQUCaeYxSwAKCRBZrE9hU+XO
MRzTAQCPUKVOpSY/cjtPXVBn0uJbAo1MSvytv00Kv7dcatvrrwEA9lqmwOfl0kzr
CowEVVCD3om++W9vOsL65hachbAl1QA=
=1qkw
-----END PGP SIGNATURE-----
Merge tag 'platform-drivers-x86-v7.1-1' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86
Pull x86 platform driver updates from Ilpo Järvinen:
"asus-wmi:
- Retain battery charge threshold during boot which avoids
unsolicited change to 100%. Return -ENODATA when the limit
is not yet known
- Improve screenpad power/brightness handling consistency
- Fix screenpad brightness range
barco-p50-gpio:
- Normalize gpio_get return values
bitland-mifs-wmi:
- Add driver for Bitland laptops (supports platform profile,
hwmon, kbd backlight, gpu mode, hotkeys, and fan boost)
dell_rbu:
- Fix using uninitialized value in sysfs write function
dell-wmi-sysman:
- Respect destination length when constructing enum strings
hp-wmi:
- Propagate fan setting apply failures and log an error
- Fix sysfs write vs work handler cancel_delayed_work_sync() deadlock
- Correct keepalive schedule_delayed_work() to mod_delayed_work()
- Fix u8 underflows in GPU delta calculation
- Use mutex to protect fan pwm/mode
- Ignore kbd backlight and FnLock key events that are handled by FW
- Fix fan table parsing (use correct field)
- Add support for Omen 14-fb0xxx, 16-n0xxx, 16-wf1xxx, and
Omen MAX 16-ak0xxxx
input: trackpoint & thinkpad_acpi:
- Enable doubletap by default and add sysfs enable/disable
int3472:
- Add support for GPIO type 0x02 (IR flood LED)
intel-speed-select: (updated to v1.26)
- Avoid using current base frequency as maximum
- Fix CPU extended family ID decoding
- Fix exit code
- Improve error reporting
intel/vsec:
- Refactor to support ACPI-enumerated PMT endpoints.
pcengines-apuv2:
- Attach software node to the gpiochip
uniwill:
- Refactor hwmon to smaller parts to accomodate HW diversity
- Support USB-C power/performance priority switch through sysfs
- Add another XMG Fusion 15 (L19) DMI vendor
- Enable fine-grained features to device lineup mapping
wmi:
- Perform output size check within WMI core to allow simpler WMI
drivers
misc:
- acpi_driver -> platform driver conversions (a large number of
changes from Rafael J. Wysocki)
- cleanups / refactoring / improvements"
* tag 'platform-drivers-x86-v7.1-1' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86: (106 commits)
platform/x86: hp-wmi: Add support for Omen 16-wf1xxx (8C77)
platform/x86: hp-wmi: Add support for Omen 16-n0xxx (8A44)
platform/x86: hp-wmi: Add support for OMEN MAX 16-ak0xxx (8D87)
platform/x86: hp-wmi: fix fan table parsing
platform/x86: hp-wmi: add Omen 14-fb0xxx (board 8C58) support
platform/wmi: Replace .no_notify_data with .min_event_size
platform/wmi: Extend wmidev_query_block() to reject undersized data
platform/wmi: Extend wmidev_invoke_method() to reject undersized data
platform/wmi: Prepare to reject undersized unmarshalling results
platform/wmi: Convert drivers to use wmidev_invoke_procedure()
platform/wmi: Add wmidev_invoke_procedure()
platform/x86: int3472: Add support for GPIO type 0x02 (IR flood LED)
platform/x86: int3472: Parameterize LED con_id in registration
platform/x86: int3472: Rename pled to led in LED registration code
platform/x86: int3472: Use local variable for LED struct access
platform/x86: thinkpad_acpi: remove obsolete TODO comment
platform/x86: dell-wmi-sysman: bound enumeration string aggregation
platform/x86: hp-wmi: Ignore backlight and FnLock events
platform/x86: uniwill-laptop: Fix signedness bug
platform/x86: dell_rbu: avoid uninit value usage in packet_size_write()
...
* Skyworks SKY81452:
* Check the return value of `devm_gpiod_get_optional()` in `sky81452_bl_parse_dt()` to properly
handle GPIO acquisition errors
* Apple Backlight:
* Convert the Apple Backlight ACPI driver to a proper platform driver, aligning with current ACPI
binding practices
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEdrbJNaO+IJqU8IdIUa+KL4f8d2EFAmnl4KAACgkQUa+KL4f8
d2ERrA/+LQ+DSgUGb93Sl6o68yPc1lx1bsUHSYmyfZssTXHR08YSq3dMBgi6nT99
GJDEENhC5Df8WTf4GkX7rSiWTyJN4EoSKPs8Kp93bpqYHEXMFUo3e7qOatJAT1tM
IHOCtrO/X2Hvq6mH6RhxPpOnDJD6OzThtsN0xcxIiK3nCfcvZeZlLlGytjv2XGGG
Fs2lv0P5J0VhcrKv15cObuZLkOB7hzYQy4Bp47wqvpKK3NV/I2typN6n+ALciCcu
RtxAoxI2fXV4FrkPabogCYUbhPwtAlfAgbf2TNCPkRatbxA5rSwLzCjvz7dDWnU2
YHeObxHV46woolmL3Z3O9KpzzGB6UzaNRgIhb8PCTT+QsfvQQTcoU0rklYfy32sH
Y7nl5uMxa9O52JOFZEKG82wy4yHlUqqwi1SJ/og6yDNI0FLs0tNYS07N/5nKZGfz
nZEN6hqzgSPdX44fL0mXhiDT8bF76fgz8HdHs3SK+o1CyC6nbMfQ6ytvbkiH3am7
NBJnGYg6l3EJOO8wyDeNQQpf7mB1l0h/o+pJPJpQyZMAw0WGOEMSMT7EmF5SFgt0
/Uu7fWBqFG6Jv6cpzrD2M5EmqUCaCQyDkahnF0nZg3CaIQyW0pgStBUmAcpeVJx6
28rqSj7Krrkut6CJOXsfTTLGvsNmUC/UdFMs8xrOfcTU7POvwgo=
=Cbwz
-----END PGP SIGNATURE-----
Merge tag 'backlight-next-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/backlight
Pull backlight updates from Lee Jones:
"Apple Backlight:
- Convert the Apple Backlight ACPI driver to a proper platform
driver, aligning with current ACPI binding practices
Skyworks SKY81452:
- Check the return value of `devm_gpiod_get_optional()`
to properly handle GPIO acquisition errors"
* tag 'backlight-next-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/backlight:
backlight: apple_bl: Convert to a platform driver
backlight: sky81452-backlight: Check return value of devm_gpiod_get_optional() in sky81452_bl_parse_dt()
From the MCTP Base specification (DSP0236 v1.2.1), the first byte of
the MCTP header contains a 4 bit reserved field, and 4 bit version.
On our current receive path, we require those 4 reserved bits to be
zero, but the 9500-8i card is non-conformant, and may set these
reserved bits.
DSP0236 states that the reserved bits must be written as zero, and
ignored when read. While the device might not conform to the former,
we should accept these message to conform to the latter.
Relax our check on the MCTP version byte to allow non-zero bits in the
reserved field.
Fixes: 889b7da23a ("mctp: Add initial routing framework")
Signed-off-by: Yuan Zhaoming <yuanzm2@lenovo.com>
Cc: stable@vger.kernel.org
Acked-by: Jeremy Kerr <jk@codeconstruct.com.au>
Link: https://patch.msgid.link/20260417141340.5306-1-yuanzhaoming901030@126.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
gtp_genl_send_echo_req() runs as a generic netlink doit handler in
process context with BH not disabled. It calls udp_tunnel_xmit_skb(),
which eventually invokes iptunnel_xmit() — that uses __this_cpu_inc/dec
on softnet_data.xmit.recursion to track the tunnel xmit recursion level.
Without local_bh_disable(), the task may migrate between
dev_xmit_recursion_inc() and dev_xmit_recursion_dec(), breaking the
per-CPU counter pairing. The result is stale or negative recursion
levels that can later produce false-positive
SKB_DROP_REASON_RECURSION_LIMIT drops on either CPU.
The other udp_tunnel_xmit_skb() call sites in gtp.c are unaffected:
the data path runs under ndo_start_xmit and the echo response handlers
run from the UDP encap rx softirq, both with BH already disabled.
Fix it by disabling BH around the udp_tunnel_xmit_skb() call, mirroring
commit 2cd7e6971f ("sctp: disable BH before calling
udp_tunnel_xmit_skb()").
Fixes: 6f1a9140ec ("net: add xmit recursion limit to tunnel xmit functions")
Cc: stable@vger.kernel.org
Signed-off-by: David Carlier <devnexen@gmail.com>
Link: https://patch.msgid.link/20260417055408.4667-1-devnexen@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Commit f0c5827d07 unluckily causes a regression for the FIN packet,
and the final read syscall gets an error rather than 0.
Ideally, we would want to fix hvs_channel_readable_payload() so that it
could return 0 in the FIN scenario, but it's not good for the hv_sock
driver to use the VMBus ringbuffer's cached priv_read_index, which is
internal data in the VMBus driver.
Fix the regression in hv_sock by returning 0 rather than -EIO.
Fixes: f0c5827d07 ("hv_sock: Return the readable bytes in hvs_stream_has_data()")
Cc: stable@vger.kernel.org
Reported-by: Ben Hillis <Ben.Hillis@microsoft.com>
Reported-by: Mitchell Levy <levymitchell0@gmail.com>
Signed-off-by: Dexuan Cui <decui@microsoft.com>
Acked-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/20260416191433.840637-1-decui@microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
* Core:
* Implement fallback to software node name for LED names
* Fix formatting issues in `led-core.c` reported by checkpatch.pl
* Make `led_remove_lookup()` NULL-aware
* Switch from `class_find_device_by_of_node()` to `class_find_device_by_fwnode()`
* LGM SSO:
* Fix a typo in the `GET_SRC_OFFSET` macro
* Multicolor:
* Fix a signedness error by changing the `intensity_value` type to `unsigned int`
* Qualcomm LPG:
* Prevent array overflow when selecting high-resolution values
* TI LP8860:
* Do not unconditionally program the EEPROM on probe
* Hold the mutex lock for the entirety of the EEPROM programming process
* Kinetic KTD2692:
* Make the `ktd2692_timing` variable static to resolve a sparse warning
* LGM SSO:
* Remove a duplicate assignment of `priv->mmap` in `intel_sso_led_probe()`
* TTY Trigger:
* Prefer `IS_ERR_OR_NULL()` over manual NULL checks
* TI LM3642:
* Use `guard(mutex)` to simplify locking and avoid manual `mutex_unlock()` calls
* TI LP5569:
* Use `sysfs_emit()` instead of `sprintf()` for sysfs outputs
* TI LP8860:
* Return directly from `lp8860_init()` instead of using empty `goto` statements
* Use a single regmap table and an access table instead of separate maps for normal and EEPROM registers
* Remove an unused read of the `STATUS` register during EEPROM programming
* Core:
* Drop the unneeded dependency on `OF_GPIO` from `LEDS_NETXBIG` in Kconfig
* Spreadtrum SC2731:
* Add a compatible string for the SC2730 PMIC LED controller
* TI LP5860:
* Add the `enable-gpios` property for the `VIO_EN` pin
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEdrbJNaO+IJqU8IdIUa+KL4f8d2EFAmnl4IMACgkQUa+KL4f8
d2E0XA//ezp2YldF5Vf1m+5vnhVBK1HAqoT+nVzFMrsxccz4fEmZBuSXdgUPs7xi
kxBgIPk90nAasANzxojBJJ4gU9Wss0s7VZ6dNklI8IzwmVJcU9aFhQSLP0iDmBIL
Mguh15Svej5vKbemo40XlTCVRyNoo4ciO9MdmHyQntCOaAfECnPeojV5VlekwDX8
uYyI5lZM3jK1+McwwJC8YglzWehKY1vGlM58KGZ+Dg5kUEjPVFh6bNTUaKdWCFee
AxGk70Aecnf9K8O8Ynz6jzDZRm9EHM4dF7NuMH1fGTY94993AEgGBOGTLfB/bJof
PUW4BlDlnGJwQKNI7eM3ZaahV5nkFgzE7gPX0Vd0T4OTdpqkQ6DE6mr6qknHJFzn
WLKpMHPaS/ogFKfVsMohiKjjTrhAYBR9NzoYBxTAzYfpFjtnc8nKxHgte3NKuzp1
pjIm4VYzCKzKetMdPg6EqvvA4nL8iI+NkKU3KzdJfzuiZHetIt4kpLQEMzl0IPRQ
rfQNU3jTsa0sw5J7LhZYpk/pOf0u0Opx7Xr7Zygv/Gl/fCZCT70AujnvoRiLJqky
STqVknCxfACUcoCpstW4XdBKYG4E74qU9h9lr3vYa80qPZaqOnqHKVJhfROSZHBY
mq/R4tcDJ40B4/jlTZbokDLsLxK6kVs9PSnMmiTST+vELxf1hDc=
=BGim
-----END PGP SIGNATURE-----
Merge tag 'leds-next-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/leds
Pull LED updates from Lee Jones:
Core:
- Implement fallback to software node name for LED names
- Fix formatting issues in `led-core.c` reported by checkpatch.pl
- Make `led_remove_lookup()` NULL-aware
- Switch from `class_find_device_by_of_node()` to
`class_find_device_by_fwnode()`
- Drop the unneeded dependency on `OF_GPIO` from `LEDS_NETXBIG`
in Kconfig
Kinetic KTD2692:
- Make the `ktd2692_timing` variable static to resolve a
sparse warning
LGM SSO:
- Fix a typo in the `GET_SRC_OFFSET` macro
- Remove a duplicate assignment of `priv->mmap` in
`intel_sso_led_probe()`
Multicolor:
- Fix a signedness error by changing the `intensity_value` type
to `unsigned int`
Qualcomm LPG:
- Prevent array overflow when selecting high-resolution values
Spreadtrum SC2731:
- Add a compatible string for the SC2730 PMIC LED controller
TI LM3642:
- Use `guard(mutex)` to simplify locking and avoid manual
`mutex_unlock()` calls
TI LP5569:
- Use `sysfs_emit()` instead of `sprintf()` for sysfs outputs
TI LP5860:
- Add the `enable-gpios` property for the `VIO_EN` pin"
TI LP8860:
- Do not unconditionally program the EEPROM on probe
- Hold the mutex lock for the entirety of the EEPROM programming
process
- Return directly from `lp8860_init()` instead of using empty `goto`
statements
- Use a single regmap table and an access table instead of separate
maps for normal and EEPROM registers
- Remove an unused read of the `STATUS` register during EEPROM
programming
TTY Trigger:
- Prefer `IS_ERR_OR_NULL()` over manual NULL checks"
* tag 'leds-next-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/leds:
leds: class: Make led_remove_lookup() NULL-aware
leds: led-class: Switch to using class_find_device_by_fwnode()
leds: Kconfig: Drop unneeded dependency on OF_GPIO
leds: lm3642: Use guard to simplify locking
leds: core: Fix formatting issues
leds: core: Implement fallback to software node name for LED names
leds: lgm-sso: Fix typo in macro for src offset
dt-bindings: leds: lp5860: add enable-gpio
leds: Prefer IS_ERR_OR_NULL over manual NULL check
dt-bindings: leds: sc2731: Add compatible for SC2730
leds: lp8860: Do not always program EEPROM on probe
leds: lp8860: Remove unused read of STATUS register
leds: lp8860: Hold lock for all of EEPROM programming
leds: lp8860: Return directly from lp8860_init
leds: lp8860: Use a single regmap table
leds: lgm-sso: Remove duplicate assignments for priv->mmap
leds: qcom-lpg: Check for array overflow when selecting the high resolution
leds: ktd2692: Make ktd2692_timing variable static
leds: lp5569: Use sysfs_emit instead of sprintf()
leds: multicolor: Change intensity_value to unsigned int
Since multiple net_device TX queues can share the same hw QDMA TX queue,
there is no guarantee we have inflight packets queued in hw belonging to a
net_device TX queue stopped in the xmit path because hw QDMA TX queue
can be full. In this corner case the net_device TX queue will never be
re-activated. In order to avoid any potential net_device TX queue stall,
we need to wake all the net_device TX queues feeding the same hw QDMA TX
queue in airoha_qdma_tx_napi_poll routine.
Fixes: 23020f0493 ("net: airoha: Introduce ethernet support for EN7581 SoC")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260416-airoha-txq-potential-stall-v2-1-42c732074540@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
The vport netlink reply helpers allocate a fixed-size skb with
nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID
array via ovs_vport_get_upcall_portids(). Since
ovs_vport_set_upcall_portids() accepts any non-zero multiple of
sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID
array large enough to overflow the reply buffer, causing nla_put() to
fail with -EMSGSIZE and hitting BUG_ON(err < 0). On systems with
unprivileged user namespaces enabled (e.g., Ubuntu default), this is
reachable via unshare -Urn since OVS vport mutation operations use
GENL_UNS_ADMIN_PERM.
kernel BUG at net/openvswitch/datapath.c:2414!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1
RIP: 0010:ovs_vport_cmd_set+0x34c/0x400
Call Trace:
<TASK>
genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)
genl_rcv_msg (net/netlink/genetlink.c:1194)
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
genl_rcv (net/netlink/genetlink.c:1219)
netlink_unicast (net/netlink/af_netlink.c:1344)
netlink_sendmsg (net/netlink/af_netlink.c:1894)
__sys_sendto (net/socket.c:2206)
__x64_sys_sendto (net/socket.c:2209)
do_syscall_64 (arch/x86/entry/syscall_64.c:63)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
</TASK>
Kernel panic - not syncing: Fatal exception
Reject attempts to set more PIDs than nr_cpu_ids in
ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply
size in ovs_vport_cmd_msg_size() based on that bound, similar to the
existing ovs_dp_cmd_msg_size(). nr_cpu_ids matches the cap already
used by the per-CPU dispatch configuration on the datapath side
(ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the
two sides stay consistent.
Fixes: 5cd667b0a4 ("openvswitch: Allow each vport to have an array of 'port_id's.")
Reported-by: Xiang Mei <xmei5@asu.edu>
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Ilya Maximets <i.maximets@ovn.org>
Link: https://patch.msgid.link/20260416024653.153456-2-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT
RECOMMENDED for PPPoE. In practice, pppd does not support negotiating
PFC for PPPoE sessions, and the current PPPoE driver assumes an
uncompressed (2-byte) protocol field. However, the generic PPP layer
function ppp_input() is not aware of the negotiation result, and still
accepts PFC frames.
If a peer with a broken implementation or an attacker sends a frame with
a compressed (1-byte) protocol field, the subsequent PPP payload is
shifted by one byte. This causes the network header to be 4-byte
misaligned, which may trigger unaligned access exceptions on some
architectures.
To reduce the attack surface, drop PPPoE PFC frames. Introduce
ppp_skb_is_compressed_proto() helper function to be used in both
ppp_generic.c and pppoe.c to avoid open-coding.
Fixes: 7fb1b8ca8f ("ppp: Move PFC decompression to PPP generic layer")
Signed-off-by: Qingfang Deng <qingfang.deng@linux.dev>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260415022456.141758-2-qingfang.deng@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT
RECOMMENDED for PPPoE. In practice, pppd does not support negotiating
PFC for PPPoE sessions, and the flow dissector driver has assumed an
uncompressed frame until the blamed commit.
During the review process of that commit [1], support for PFC is
suggested. However, having a compressed (1-byte) protocol field means
the subsequent PPP payload is shifted by one byte, causing 4-byte
misalignment for the network header and an unaligned access exception
on some architectures.
The exception can be reproduced by sending a PPPoE PFC frame to an
ethernet interface of a MIPS board, with RPS enabled, even if no PPPoE
session is active on that interface:
$ 0 : 00000000 80c40000 00000000 85144817
$ 4 : 00000008 00000100 80a75758 81dc9bb8
$ 8 : 00000010 8087ae2c 0000003d 00000000
$12 : 000000e0 00000039 00000000 00000000
$16 : 85043240 80a75758 81dc9bb8 00006488
$20 : 0000002f 00000007 85144810 80a70000
$24 : 81d1bda0 00000000
$28 : 81dc8000 81dc9aa8 00000000 805ead08
Hi : 00009d51
Lo : 2163358a
epc : 805e91f0 __skb_flow_dissect+0x1b0/0x1b50
ra : 805ead08 __skb_get_hash_net+0x74/0x12c
Status: 11000403 KERNEL EXL IE
Cause : 40800010 (ExcCode 04)
BadVA : 85144817
PrId : 0001992f (MIPS 1004Kc)
Call Trace:
[<805e91f0>] __skb_flow_dissect+0x1b0/0x1b50
[<805ead08>] __skb_get_hash_net+0x74/0x12c
[<805ef330>] get_rps_cpu+0x1b8/0x3fc
[<805fca70>] netif_receive_skb_list_internal+0x324/0x364
[<805fd120>] napi_complete_done+0x68/0x2a4
[<8058de5c>] mtk_napi_rx+0x228/0xfec
[<805fd398>] __napi_poll+0x3c/0x1c4
[<805fd754>] napi_threaded_poll_loop+0x234/0x29c
[<805fd848>] napi_threaded_poll+0x8c/0xb0
[<80053544>] kthread+0x104/0x12c
[<80002bd8>] ret_from_kernel_thread+0x14/0x1c
Code: 02d51821 1060045b 00000000 <8c640000> 3084000f 2c820005 144001a2 00042080 8e220000
To reduce the attack surface and maintain performance, do not process
PPPoE PFC frames.
[1] https://lore.kernel.org/r/20220630231016.GA392@debian.home
Fixes: 46126db9c8 ("flow_dissector: Add PPPoE dissectors")
Signed-off-by: Qingfang Deng <qingfang.deng@linux.dev>
Link: https://patch.msgid.link/20260415022456.141758-1-qingfang.deng@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
* Core:
* Add a resource-managed version of alloc_workqueue() (`devm_alloc_workqueue()`)
* Apple SMC:
* Wire up the Apple SMC power driver by adding a new MFD cell
* Broadcom BCM2835 PM:
* Add support for the BCM2712 power management device
* Introduce a hardware type identifier to distinguish SoC variants
* Intel LPSS:
* Add PCI IDs for the Intel Nova Lake-H platform
* Core:
* Preserve the Open Firmware (OF) node when an ACPI handle is present
* Atmel HLCDC:
* Fetch the LVDS PLL clock as a fallback if the generic sys_clk is unavailable
* EZX PCAP:
* Avoid rescheduling after destroying the workqueue by switching to a device-managed workqueue
* Freescale MC13xxx:
* Fix a memory leak in subdevice platform data allocation by using devm_kmemdup()
* Intel LPC ICH:
* Expose a software node for the GPIO controller cell to fix GPIO lookups
* MediaTek MT6397:
* Correct the hardware CIDs for the MT6328, MT6331, and MT6332 PMICs to allow proper driver
binding
* ROHM BD71828:
* Enable system wakeup via the power button
* STMicroelectronics STPMIC1:
* Attempt system shutdown a second time to handle transient I2C communication failures
* Congatec CGBC, KEMPLD, RSMU, Si476x:
* Fix various kernel-doc warnings and correct struct member names
* DLN2:
* Drop redundant USB device references and switch to managed resource allocations
* Update bare 'unsigned' types to 'unsigned int'
* ENE KB3930:
* Use the of_device_is_system_power_controller() wrapper
* EZX PCAP:
* Drop redundant memory allocation error messages
* Return directly instead of using empty goto statements
* Maxim MAX77705:
* Make the max77705_pm_ops variable static to resolve a sparse warning
* Viperboard:
* Drop redundant USB device references
* SpacemiT P1:
* Drop the deprecated "vin-supply" property from the devicetree bindings
* SpacemiT P1:
* Add individual regulator supply properties to match actual hardware topology
* Maxim MAX77620:
* Convert devicetree bindings from TXT to YAML format
* Document an optional I2C address for the MAX77663 RTC device
* ROHM BD72720:
* Add a new compatible string for the ROHM BD73900 PMIC
* Freescale i.MX25 TSADC:
* Convert devicetree bindings from TXT to YAML format
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEdrbJNaO+IJqU8IdIUa+KL4f8d2EFAmnl4F8ACgkQUa+KL4f8
d2HwnRAAjLNnENBowYZeXNsi7QXTyoZPUtJmVEqALKgHZ1SGtUtitw4eaKLn+KC/
qWUBuglp4YOmue0xf+HmJhEL+hnixzGH0XxbYDdlKPXyk9xxf2UEXushq3+DlwX8
QA4tznLqxjrHZNvMZoNODRZXkec6PHluYJdUuXZsfXFltR8nfsEmRcrtCgM07TGj
dBWfbuAIyUnWZss0IaZdWOjxE1LHCT+hBVY7eUkj3DhNKxLgonmCCMysAnlTQV/G
g9qQbAZtJXL5Km/DJTpRaPj0G0RMjnpi8KJEI7RVCLWT0mDpoSvvoF2xjEUDDVc5
4M3TI9SFgfNYNZ8IcAAZROVXTjNVEdW4OgbCc7T/GCuxnycGxZJelPJPwNCZQ5LN
xyKmj9zT6GdTc33l0fxURaFj3gq2NC1WZ018updjmSa7iOAU3zeEKMM3FA0TieMP
SbOzx661CjaH+6ZIDZ8aQzcGd5OAEy19jzOH7fT9lfkpRU95tU/VWud50PPe0jj0
1wXTXHHXJ+/k837h4aK+3WDcb/+SwUuUyLY7kZnfW9G+3m9j8VJyu7TjiEfmqRNW
r7SXFn/y5DEDQIk8ktGa3aAtHQK5bImfodeyw4wHCOa8MHSSfQxbdT+FIKvPSgFv
30FtCh9azwOQjcdK8bNgE+e+JTgYoM4DUiJ67V8HWaS9sFXBYLc=
=S0In
-----END PGP SIGNATURE-----
Merge tag 'mfd-next-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd
Pull MFD updates from Lee Jones:
"Core:
- Add a resource-managed version of alloc_workqueue()
(`devm_alloc_workqueue()`)
- Preserve the Open Firmware (OF) node when an ACPI handle
is present
Apple SMC:
- Wire up the Apple SMC power driver by adding a new MFD cell
Atmel HLCDC:
- Fetch the LVDS PLL clock as a fallback if the generic sys_clk
is unavailable
Broadcom BCM2835 PM:
- Add support for the BCM2712 power management device
- Introduce a hardware type identifier to distinguish SoC variants
Congatec CGBC, KEMPLD, RSMU, Si476x:
- Fix various kernel-doc warnings and correct struct member names
DLN2:
- Drop redundant USB device references and switch to managed
resource allocations
- Update bare 'unsigned' types to 'unsigned int'
ENE KB3930:
- Use the of_device_is_system_power_controller() wrapper
EZX PCAP:
- Avoid rescheduling after destroying the workqueue by switching
to a device-managed workqueue
- Drop redundant memory allocation error messages
- Return directly instead of using empty goto statements
Freescale i.MX25 TSADC:
- Convert devicetree bindings from TXT to YAML format
Freescale MC13xxx:
- Fix a memory leak in subdevice platform data allocation by
using devm_kmemdup()
Intel LPC ICH:
- Expose a software node for the GPIO controller cell to fix
GPIO lookups
Intel LPSS:
- Add PCI IDs for the Intel Nova Lake-H platform
Maxim MAX77620:
- Convert devicetree bindings from TXT to YAML format
- Document an optional I2C address for the MAX77663 RTC device
Maxim MAX77705:
- Make the max77705_pm_ops variable static to resolve a
sparse warning
MediaTek MT6397:
- Correct the hardware CIDs for the MT6328, MT6331, and MT6332
PMICs to allow proper driver binding
ROHM BD71828:
- Enable system wakeup via the power button
ROHM BD72720:
- Add a new compatible string for the ROHM BD73900 PMIC
SpacemiT P1:
- Drop the deprecated "vin-supply" property from the devicetree
bindings
- Add individual regulator supply properties to match actual
hardware topology
STMicroelectronics STPMIC1:
- Attempt system shutdown a second time to handle transient I2C
communication failures
Viperboard:
- Drop redundant USB device references"
* tag 'mfd-next-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd: (28 commits)
mfd: core: Preserve OF node when ACPI handle is present
mfd: ene-kb3930: Use of_device_is_system_power_controller() wrapper
mfd: intel-lpss: Add Intel Nova Lake-H PCI IDs
dt-bindings: mfd: max77620: Document optional RTC address for MAX77663
dt-bindings: mfd: max77620: Convert to DT schema
mfd: ezx-pcap: Avoid rescheduling after destroying workqueue
mfd: ezx-pcap: Return directly instead of empty gotos
mfd: ezx-pcap: Drop memory allocation error message
mfd: bcm2835-pm: Add BCM2712 PM device support
mfd: bcm2835-pm: Introduce SoC-specific type identifier
dt-bindings: mfd: bd72720: Add ROHM BD73900
mfd: si476x: Fix kernel-doc warnings
mfd: rsmu: Remove a empty kernel-doc line
mfd: kempld: Fix kernel-doc struct member names
mfd: congatec: Fix kernel-doc struct member names
dt-bindings: mfd: Convert fsl-imx25-tsadc.txt to yaml format
mfd: viperboard: Drop redundant device reference
mfd: dln2: Switch to managed resources and fix bare unsigned types
mfd: macsmc: Wire up Apple SMC power driver
mfd: mt6397: Properly fix CID of MT6328, MT6331 and MT6332
...
Usual collection of driver changes, more core infrastructure updates that
typical this cycle:
- Minor cleanups and kernel-doc fixes in bnxt_re, hns, rdmavt, efa, ocrdma,
erdma, rtrs, hfi1, ionic, and pvrdma
- New udata validation framework and driver updates
- Modernize CQ creation interface in mlx4 and mlx5, manage CQ umem in core
- Promote UMEM to a core component, split out DMA block iterator logic
- Introduce FRMR pools with aging, statistics, pinned handles, and netlink
control and use it in mlx5
- Add PCIe TLP emulation support in mlx5
- Extend umem to work with revocable pinned dmabuf's and use it in irdma
- More net namespace improvements for rxe
- GEN4 hardware support in irdma
- First steps to MW and UC support in mana_ib
- Support for CQ umem and doorbells in bnxt_re
- Drop opa_vnic driver from hfi1
- Fixes:
IB/core zero dmac neighbor resolution race
GID table memory free
rxe pad/ICRC validation and r_key async errors
mlx4 external umem for CQ
umem DMA attributes on unmap
mana_ib RX steering on RSS QP destroy
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQRRRCHOFoQz/8F5bUaFwuHvBreFYQUCaeJyjAAKCRCFwuHvBreF
YXWOAQDZz7buqUgw45ufFMcClAfnIYeAIb0dlD5vnltvbIkUFgEAmOabYPZk0PHY
NlmfFBmWmIYXwgMHfYPlN1xYN/+Fjww=
=dd92
-----END PGP SIGNATURE-----
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma
Pull rdma updates from Jason Gunthorpe:
"The usual collection of driver changes, more core infrastructure
updates that typical this cycle:
- Minor cleanups and kernel-doc fixes in bnxt_re, hns, rdmavt, efa,
ocrdma, erdma, rtrs, hfi1, ionic, and pvrdma
- New udata validation framework and driver updates
- Modernize CQ creation interface in mlx4 and mlx5, manage CQ umem in
core
- Promote UMEM to a core component, split out DMA block iterator
logic
- Introduce FRMR pools with aging, statistics, pinned handles, and
netlink control and use it in mlx5
- Add PCIe TLP emulation support in mlx5
- Extend umem to work with revocable pinned dmabuf's and use it in
irdma
- More net namespace improvements for rxe
- GEN4 hardware support in irdma
- First steps to MW and UC support in mana_ib
- Support for CQ umem and doorbells in bnxt_re
- Drop opa_vnic driver from hfi1
Fixes:
- IB/core zero dmac neighbor resolution race
- GID table memory free
- rxe pad/ICRC validation and r_key async errors
- mlx4 external umem for CQ
- umem DMA attributes on unmap
- mana_ib RX steering on RSS QP destroy"
* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma: (116 commits)
RDMA/core: Fix user CQ creation for drivers without create_cq
RDMA/ionic: bound node_desc sysfs read with %.64s
IB/core: Fix zero dmac race in neighbor resolution
RDMA/mana_ib: Support memory windows
RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
RDMA/core: Prefer NLA_NUL_STRING
RDMA/core: Fix memory free for GID table
RDMA/hns: Remove the duplicate calls to ib_copy_validate_udata_in()
RDMA: Remove redundant = {} for udata req structs
RDMA/irdma: Add missing comp_mask check in alloc_ucontext
RDMA/hns: Add missing comp_mask check in create_qp
RDMA/mlx5: Pull comp_mask validation into ib_copy_validate_udata_in_cm()
RDMA: Use ib_copy_validate_udata_in_cm() for zero comp_mask
RDMA/hns: Use ib_copy_validate_udata_in()
RDMA/mlx4: Use ib_copy_validate_udata_in() for QP
RDMA/mlx4: Use ib_copy_validate_udata_in()
RDMA/mlx5: Use ib_copy_validate_udata_in() for MW
RDMA/mlx5: Use ib_copy_validate_udata_in() for SRQ
RDMA/pvrdma: Use ib_copy_validate_udata_in() for srq
RDMA: Use ib_copy_validate_udata_in() for implicit full structs
...
Added:
reject inodes with zero non-DOS link count
return folios from ntfs_lock_new_page()
subset of W=1 warnings for stricter checks
work around -Wmaybe-uninitialized warnings
buffer boundary checks to run_unpack()
terminate the cached volume label after UTF-8 conversion
Fixed:
check return value of indx_find to avoid infinite loop
prevent uninitialized lcn caused by zero len
increase CLIENT_REC name field size to prevent buffer overflow
missing run load for vcn0 in attr_data_get_block_locked()
memory leak in indx_create_allocate()
OOB write in attr_wof_frame_info()
mount failure on volumes with fragmented MFT bitmap
integer overflow in run_unpack() volume boundary check
validate rec->used in journal-replay file record check
Changed:
resolve compare function in public index APIs
$LXDEV xattr lookup
potential double iput on d_make_root() failure
initialize err in ni_allocate_da_blocks_locked()
correct the pre_alloc condition in attr_allocate_clusters()
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEh0DEKNP0I9IjwfWEqbAzH4MkB7YFAmnmPm0ACgkQqbAzH4Mk
B7a0pxAAwqmZJ4vA4B7Yp7ysOBSvvQTR4wkIkfgLniJXqxHgIsFodSfB1/qI74q1
+Zg34q0sVF8HxrSDEdyA8rze0OYJu51eszpNvD6GTEph9TYZtWYRDW7bBqQBCW3z
4xLeh3Bn2SgoxqAQWa8tQEH9Z+JUf2zCD+gfeuf3/Vlinl3z32DrlVy0lqkc9+dW
LZPRMSV2Bsodn0TRyGlJX1MlY9vOJxhGMXnqZwdK0Q31FfZwL3VmfABHUGNMRP2y
QWkejLfow40Pd/iJW1/2HM4On2RUC9ozBwkGQvdHitK11VCa3FCM8owBgwyuG2cN
XycpqDgpE2MhBKP1bba5RIMj781cg3138wNIQDlt/5QWTs4K8CvJVhF22spjqN/A
mDwLIqHtstjjgTe9grlD4xwD6m/iA4GnICun+n+dqpsd8JjDrh9TCcGRFvdPhjC9
8S3V6hswssxrPTqZybpnwdiqXrPAwhD4oP7OrvHGF8hUrbL2SYwP2DDdJWlszLh2
kwSC4BfKZD7Ulc57ardTzPDEDut9RC4IIdJPcWlZu4RYcXKILIdxrIqq4LgZRwmt
KIbK2XdjKw5eAEWAX+S7s+DZOzaTkpv39NvzC3qzB4EN22X3ActY/JY+syX29ZOs
KzEFTRKbCoBS1cd16D2VaFwUQVRqsv4FQnpLftJE5/zol6VA7Ac=
=vZKA
-----END PGP SIGNATURE-----
Merge tag 'ntfs3_for_7.1' of https://github.com/Paragon-Software-Group/linux-ntfs3
Pull ntfs3 updates from Konstantin Komarov:
"New:
- reject inodes with zero non-DOS link count
- return folios from ntfs_lock_new_page()
- subset of W=1 warnings for stricter checks
- work around -Wmaybe-uninitialized warnings
- buffer boundary checks to run_unpack()
- terminate the cached volume label after UTF-8 conversion
Fixes:
- check return value of indx_find to avoid infinite loop
- prevent uninitialized lcn caused by zero len
- increase CLIENT_REC name field size to prevent buffer overflow
- missing run load for vcn0 in attr_data_get_block_locked()
- memory leak in indx_create_allocate()
- OOB write in attr_wof_frame_info()
- mount failure on volumes with fragmented MFT bitmap
- integer overflow in run_unpack() volume boundary check
- validate rec->used in journal-replay file record check
Updates:
- resolve compare function in public index APIs
- $LXDEV xattr lookup
- potential double iput on d_make_root() failure
- initialize err in ni_allocate_da_blocks_locked()
- correct the pre_alloc condition in attr_allocate_clusters()"
* tag 'ntfs3_for_7.1' of https://github.com/Paragon-Software-Group/linux-ntfs3:
fs/ntfs3: fix Smatch warnings
fs/ntfs3: validate rec->used in journal-replay file record check
fs/ntfs3: terminate the cached volume label after UTF-8 conversion
fs/ntfs3: fix potential double iput on d_make_root() failure
ntfs3: fix integer overflow in run_unpack() volume boundary check
ntfs3: add buffer boundary checks to run_unpack()
ntfs3: fix mount failure on volumes with fragmented MFT bitmap
fs/ntfs3: fix $LXDEV xattr lookup
ntfs3: fix OOB write in attr_wof_frame_info()
ntfs3: fix memory leak in indx_create_allocate()
ntfs3: work around false-postive -Wmaybe-uninitialized warnings
fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()
fs/ntfs3: increase CLIENT_REC name field size
fs/ntfs3: prevent uninitialized lcn caused by zero len
fs/ntfs3: add a subset of W=1 warnings for stricter checks
fs/ntfs3: return folios from ntfs_lock_new_page()
fs/ntfs3: resolve compare function in public index APIs
ntfs3: reject inodes with zero non-DOS link count
Verify that the BPF verifier rejects a non-SCX struct_ops program
(tcp_congestion_ops) that attempts to call an SCX kfunc (scx_bpf_kick_cpu).
The test expects the load to fail with -EACCES from scx_kfunc_context_filter.
Signed-off-by: Cheng-Yang Chou <yphbchou0911@gmail.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
scx_kfunc_context_filter() currently allows non-SCX struct_ops programs
(e.g. tcp_congestion_ops) to call SCX unlocked kfuncs. This is wrong
for two reasons:
- It is semantically incorrect: a TCP congestion control program has no
business calling SCX kfuncs such as scx_bpf_kick_cpu().
- With CONFIG_EXT_SUB_SCHED=y, kfuncs like scx_bpf_kick_cpu() call
scx_prog_sched(aux), which invokes bpf_prog_get_assoc_struct_ops(aux)
and casts the result to struct sched_ext_ops * before reading ops->priv.
For a non-SCX struct_ops program the returned pointer is the kdata of
that struct_ops type, which is far smaller than sched_ext_ops, making
the read an out-of-bounds access (confirmed with KASAN).
Extend the filter to cover scx_kfunc_set_any and scx_kfunc_set_idle as
well, and deny all SCX kfuncs for any struct_ops program that is not the
SCX struct_ops. This addresses both issues: the semantic contract is
enforced at the verifier level, and the runtime out-of-bounds access
becomes unreachable.
Fixes: d1d3c1c6ae ("sched_ext: Add verifier-time kfunc context filter")
Suggested-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Cheng-Yang Chou <yphbchou0911@gmail.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
There's a bug in dm-thin in the function rebalance_children. If the
internal btree node has one entry, the code tries to copy all btree
entries from the node's child to the node itself and then decrement the
child's reference count.
If the child node is shared (it has reference count > 1), we won't free
it, so there would be two pointers to each of the grandchildren nodes.
But the reference counts of the grandchildren is not increased, thus the
reference count doesn't match the number of pointers that point to the
grandchildren. This results in "device mapper: space map common: unable
to decrement block" errors.
Fix this bug by incrementing reference counts on the grandchildren if the
btree node is shared.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Fixes: 3241b1d3e0 ("dm: add persistent data library")
Cc: stable@vger.kernel.org
The set of eCryptfs changes for the 7.1-rc1 merge window consists of:
- A fix to avoid unnecessary eCryptfs inode timestamp truncation by
re-using the lower filesystem's time granularity
- Various small code cleanups
- Reorganization of the setattr hook's handling of inode resizing to
improve style and readability, remove an unnecessary memory allocation
when shrinking, and to support an upcoming rework of the VFS
interfaces involved in truncation
The patches have all spent time in linux-next and they do not regress
the tests in the ecryptfs-utils tree. The inode timestamp fix returns
the "setattr-flush-dirty" test to passing state.
Signed-off-by: Tyler Hicks <code@tyhicks.com>
-----BEGIN PGP SIGNATURE-----
iQJFBAABCgAvFiEEKvuQkp28KvPJn/fVfL7QslYSS/0FAmnlw5YRHGNvZGVAdHlo
aWNrcy5jb20ACgkQfL7QslYSS/38Yg//ZTAxtS9P+LkrrDSgFhCBDW2Z6L+y7EFu
4cYRj37+u2d+V69aWBFcFbKC67WqLwAU9U6RpmUh9cIU6f1N0VU9C8EmGAe/am3W
oOS2TFwGnVvlTnaChgWEDk0UT6GwzGenHkH+umy+70ryOEq7HydJiynYbyjRqZ5J
Kea5ppLh23Dh7+fnelbDCYRr9iNld1r5mkqbKRHTpm/3o3ZYRWoytWS5/afkDCmW
0ewb3xuVjFmlRuc9Lqsl4uC5r7QLQC7d+087OBTSumxvQLXtN4hWI38orpE7LCQV
h8xNVLZrGSX5LhGSobhSC1Hrab6+S/kcHEqWg2KqUYx/kYHcUOMkLZ3vCGa1FmJ1
8hsu8lO1vy3waoNLeS11IIAMFd+aG9N7N6s2nWvMNoEFapAkWNXTTuJ0hPK7+XLA
WEDwYX9tV/NckTQO+/TQb8OYl1bLTzSxG/VP9hWhK7kmXxDpd2xdms/3PZZHPQV+
IxOC9yBS2w3J6OHfeqhxkU40woJapmcpIum9NtrXg/yEyW7+pIa4ZVWDxaiqiYTS
BkhxaYFDVHvrtn2dKLWf/Dklj7I6GMvyWFJKOYKIE2tZ8qBokyVhfNwyEDiLt2RA
QTXNCCZ4B4x1dvDLmKgDrFLy4CHlsKDNM4JtrJs0t4rv8DC6zeGzvRC6YJI+uLYs
wFhzjenKtac=
=iUz9
-----END PGP SIGNATURE-----
Merge tag 'ecryptfs-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs
Pull eCryptfs updates from Tyler Hicks:
- avoid unnecessary eCryptfs inode timestamp truncation by re-using the
lower filesystem's time granularity
- various small code cleanups
- reorganize the setattr hook inode resizing to improve style and
readability, remove an unnecessary memory allocation when shrinking,
and to support an upcoming rework of the VFS interfaces involved in
truncation
* tag 'ecryptfs-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs:
ecryptfs: keep the lower iattr contained in truncate_upper
ecryptfs: factor out a ecryptfs_iattr_to_lower helper
ecryptfs: merge ecryptfs_inode_newsize_ok into truncate_upper
ecryptfs: combine the two ATTR_SIZE blocks in ecryptfs_setattr
ecryptfs: use ZERO_PAGE instead of allocating zeroed memory in truncate_upper
ecryptfs: streamline truncate_upper
ecryptfs: cleanup ecryptfs_setattr
ecryptfs: Drop TODO comment in ecryptfs_derive_iv
ecryptfs: Fix typo in ecryptfs_derive_iv function comment
ecryptfs: Log function name only once in decode_and_decrypt_filename
ecryptfs: Remove redundant if checks in encrypt_and_encode_filename
ecryptfs: Fix tag number in encrypt_filename() error message
ecryptfs: Use struct_size to improve process_response + send_miscdev
ecryptfs: Replace memcpy + manual NUL termination with strscpy
ecryptfs: Set s_time_gran to get correct time granularity
Benjamin Coddington contributed filehandle signing to defend against
filehandle-guessing attacks. The server now appends a SipHash-2-4
MAC to each filehandle when the new "sign_fh" export option is
enabled. NFSD then verifies filehandles received from clients
against the expected MAC; mismatches return NFS error STALE.
Chuck Lever converted the entire NLMv4 server-side XDR layer from
hand-written C to xdrgen-generated code, spanning roughly thirty
patches. XDR functions are generally boilerplate code and are easy
to get wrong. The goals of this conversion are improved memory
safety, lower maintenance burden, and groundwork for eventual Rust
code generation for these functions.
Dai Ngo improved pNFS block/SCSI layout robustness with two related
changes. SCSI persistent reservation fencing is now tracked per
client and per device via an xarray, to avoid both redundant preempt
operations on devices already fenced and a potential NFSD deadlock
when all nfsd threads are waiting for a layout return.
The remaining patches deliver scalability and infrastructure
improvements. Sincere thanks to all contributors, reviewers,
testers, and bug reporters who participated in the v7.1 NFSD
development cycle.
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEKLLlsBKG3yQ88j7+M2qzM29mf5cFAmnlF50ACgkQM2qzM29m
f5dfHBAAi2o1i9/RA6fmxi2qSV7tkg79viuGFRj3c4cjiW8ZqQXos63zmy6BNMFG
joEoirdryUETkrrckXP81HKGSWBQqYjaXeklOw8dggQ8g72HGiqcoT3Ua7L9S7A8
/Db6IwZnJcehHO8XwHV4jSAfIZuvC0iiK02tVrVe/l/9GWcG+bS340GgE9Es2IAW
copBGlTwQah+eRvy2hP+Eo3vUTP8Rdebp9iYFI12xqx2x3LquFR01PpjCzotqAvV
AcvCPa/AGoSOjcL8idloL8F8mSaOCyx15YJH0lm3hRsPtS/VyXWjKvcejWUh/7PH
gHi+5VTsSKbUBj3PJQZU6rBQ67KnwVLZ33KkIF2ZNGllvK0yDGM0UfX/TuaEPjUV
6N0UkRprCHJdrULt9XMXmX3Ddnz1xbYT8CaeIDObw3Ix7SJKedvlLTjvsYCYtsQn
5pkHUuHmr/YAF4AQi/JI4ubZhZ+K3YytNS8YiMUkBWDbPoKzo2yrkzwjGjHdUp0y
l8LfEjePAcIpuFQZegERA9CnjIeKb66DJe8da0EwtreY+sejm/S8zbBUhMkXjo6u
QwdXXeLX3/zni6Op8vRA5JH//S5ovlQFnkUSvHRItSUrDBRVm+wXD7Vnp9bykKcN
leqbSvehnV4PIi0URMvN5ox1WNmsOFIZkv9nv8amyOX8PlRmLoA=
=iFl6
-----END PGP SIGNATURE-----
Merge tag 'nfsd-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux
Pull nfsd updates from Chuck Lever:
- filehandle signing to defend against filehandle-guessing attacks
(Benjamin Coddington)
The server now appends a SipHash-2-4 MAC to each filehandle when
the new "sign_fh" export option is enabled. NFSD then verifies
filehandles received from clients against the expected MAC;
mismatches return NFS error STALE
- convert the entire NLMv4 server-side XDR layer from hand-written C to
xdrgen-generated code, spanning roughly thirty patches (Chuck Lever)
XDR functions are generally boilerplate code and are easy to get
wrong. The goals of this conversion are improved memory safety, lower
maintenance burden, and groundwork for eventual Rust code generation
for these functions.
- improve pNFS block/SCSI layout robustness with two related changes
(Dai Ngo)
SCSI persistent reservation fencing is now tracked per client and
per device via an xarray, to avoid both redundant preempt operations
on devices already fenced and a potential NFSD deadlock when all nfsd
threads are waiting for a layout return.
- scalability and infrastructure improvements
Sincere thanks to all contributors, reviewers, testers, and bug
reporters who participated in the v7.1 NFSD development cycle.
* tag 'nfsd-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux: (83 commits)
NFSD: Docs: clean up pnfs server timeout docs
nfsd: fix comment typo in nfsxdr
nfsd: fix comment typo in nfs3xdr
NFSD: convert callback RPC program to per-net namespace
NFSD: use per-operation statidx for callback procedures
svcrdma: Use contiguous pages for RDMA Read sink buffers
SUNRPC: Add svc_rqst_page_release() helper
SUNRPC: xdr.h: fix all kernel-doc warnings
svcrdma: Factor out WR chain linking into helper
svcrdma: Add Write chunk WRs to the RPC's Send WR chain
svcrdma: Clean up use of rdma->sc_pd->device
svcrdma: Clean up use of rdma->sc_pd->device in Receive paths
svcrdma: Add fair queuing for Send Queue access
SUNRPC: Optimize rq_respages allocation in svc_alloc_arg
SUNRPC: Track consumed rq_pages entries
svcrdma: preserve rq_next_page in svc_rdma_save_io_pages
SUNRPC: Handle NULL entries in svc_rqst_release_pages
SUNRPC: Allocate a separate Reply page array
SUNRPC: Tighten bounds checking in svc_rqst_replace_page
NFSD: Sign filehandles
...
Charles Keepax <ckeepax@opensource.cirrus.com> says:
MIPI DisCo uses the unfortunate convention of allowing boolean
properties to be present but having a zero value. Opposed to the
normal convention of simply not specifying the property. Fix an
issue in the SDCA code where mipi-sdca-control-deferrable is not
parsed correctly.
However, we also have some shipping ACPIs where these properties
are not specified correctly. Update the MBQ regmap to attempt defers
albeit with a warning in the case where a control attempts to defer
but is not marked at such. There is little down side to this as if
defer is genuinely not supported then the control will just return
the same error again.
It is a fairly common DisCo issue to have the deferrability of controls
marked incorrectly and Windows seems very permissive in this regard. As
there isn't really any down side to trying a defer even if the control
isn't deferrable, allow this but add a warning message.
Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://patch.msgid.link/20260413124621.1345315-2-ckeepax@opensource.cirrus.com
Signed-off-by: Mark Brown <broonie@kernel.org>
fsnotify_recalc_mask() fails to handle the return value of
__fsnotify_recalc_mask(), which may return an inode pointer that needs
to be released via fsnotify_drop_object() when the connector's HAS_IREF
flag transitions from set to cleared.
This manifests as a hung task with the following call trace:
INFO: task umount:1234 blocked for more than 120 seconds.
Call Trace:
__schedule
schedule
fsnotify_sb_delete
generic_shutdown_super
kill_anon_super
cleanup_mnt
task_work_run
do_exit
do_group_exit
The race window that triggers the iref leak:
Thread A (adding mark) Thread B (removing mark)
────────────────────── ────────────────────────
fsnotify_add_mark_locked():
fsnotify_add_mark_list():
spin_lock(conn->lock)
add mark_B(evictable) to list
spin_unlock(conn->lock)
return
/* ---- gap: no lock held ---- */
fsnotify_detach_mark(mark_A):
spin_lock(mark_A->lock)
clear ATTACHED flag on mark_A
spin_unlock(mark_A->lock)
fsnotify_put_mark(mark_A)
fsnotify_recalc_mask():
spin_lock(conn->lock)
__fsnotify_recalc_mask():
/* mark_A skipped: ATTACHED cleared */
/* only mark_B(evictable) remains */
want_iref = false
has_iref = true /* not yet cleared */
-> HAS_IREF transitions true -> false
-> returns inode pointer
spin_unlock(conn->lock)
/* BUG: return value discarded!
* iput() and fsnotify_put_sb_watched_objects()
* are never called */
Fix this by deferring the transition true -> false of HAS_IREF flag from
fsnotify_recalc_mask() (Thread A) to fsnotify_put_mark() (thread B).
Fixes: c3638b5b13 ("fsnotify: allow adding an inode mark without pinning inode")
Signed-off-by: Xin Yin <yinxin.x@bytedance.com>
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Link: https://patch.msgid.link/CAOQ4uxiPsbHb0o5voUKyPFMvBsDkG914FYDcs4C5UpBMNm0Vcg@mail.gmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
This reverts commit d1aa2b9aad.
Juan reported that the patch didn't work as expected at the later
check, failing to create PCM capture devices that has worked
beforehand. Drop the change again for addressing the regression,
and we'll continue developing a proper fix later.
Reported-by: Juan Pablo Fuentealba Bizama <jpfuentealbabizama@gmail.com>
Closes: https://lore.kernel.org/20260417150748.6684-1-jpfuentealbabizama@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
snd_als4000_capture_trigger() updates chip->mode under mixer_lock,
while snd_als4000_set_rate() and snd_als4000_playback_trigger()
serialize the same rate-lock state with reg_lock.
The PCM core serializes callbacks only per acted-on substream, or for an
explicitly linked group, so unlinked playback and capture streams can
run concurrently.
That leaves two races on ALS4000 rate-lock state:
- playback and capture trigger callbacks can concurrently update
chip->mode and lose one of the SB_RATE_LOCK bits
- snd_als4000_set_rate() can observe chip->mode without the capture
lock bit set and reprogram the shared sample rate while capture is
being started
Fix this by taking reg_lock as the outer lock in
snd_als4000_capture_trigger() and nesting mixer_lock only for the CR1E
write. This keeps chip->mode serialized with the rest of the ALS4000
rate-lock users while preserving the existing CR1E programming
sequence.
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260417-als4000-capture-trigger-race-v1-1-daeffc2feb67@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
In snd_fasync_work_fn(), which is the offload work for traversing and
processing the pending fasync list, the call of kill_fasync() is done
outside the snd_fasync_lock for avoiding deadlocks. The problem is
that its the references of fasync->on, fasync->signal and fasync->poll
are done there also outside the lock. Since these may be modified by
snd_kill_fasync() call concurrently from other process, inconsistent
values might be passed to kill_fasync(). Although there shouldn't be
critical UAF, it's still better to be addressed.
This patch moves the kill_fasync() argument evaluations inside the
snd_fasync_lock for avoiding the data races above. The handling in
fasync->on flag is optimized in the loop to skip directly.
Also, for more clarity, snd_fasync_free() takes the lock and unlink
the pending entry more directly instead of clearing fasync->on flag.
Reported-by: Jake Lamberson <lamberson.jake@gmail.com>
Fixes: ef34a0ae7a ("ALSA: core: Add async signal helpers")
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260420061721.3253644-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
In the SPI driver probe, the chip ID must be set to TAS2781. Without this
initialization, calibration data fails to load correctly, causing audio
abnormalities on some devices.
And update the register bulk read API to handle the distinct requirements
of SPI and I2C devices.
Fixes: 05ac3846ff ("ALSA: hda/tas2781: A workaround solution to lower-vol issue among lower calibrated-impedance micro-speaker on TAS2781")
Signed-off-by: Baojun Xu <baojun.xu@ti.com>
Link: https://patch.msgid.link/20260418055030.765-1-baojun.xu@ti.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Two commits without any functional changes that arrived just before the
merge window opened:
- Update Sasha's email address in all dt-bindings, MAINTAINERS and add
him to mailmap
- Fix a typo in spi1-nvram.dtsi
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQS3vz815OHsEaWy0u9EEX0kKnUe6QUCad6g/QAKCRBEEX0kKnUe
6ZX4AQDAysBWxkippgK67EYf80dEQo5ov07emYfJAnN5WitwdgD+NyP/Zj1fapXR
gShGOEydVNrUz8zRmCKqceolpMmLuAQ=
=Gwn6
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEo6/YBQwIrVS28WGKmmx57+YAGNkFAmnmRbgACgkQmmx57+YA
GNm6rw//evR8xgIfw1Z90w4ROsy4Gi24J8oZsnFp4P/72RG3I4nLzdtQDWICkZje
FYp0Kz6/3iRdibhnuKXye+bFeuI5aVibovDonGdufxp01px+PP3rkr4ToOMvoPoX
GcyiIpSLGK2bM6Xk+c4xbdmboYjweWIDcGwBBb2PU/Np6TQFkce28T3cKpPUOtUu
WyAbkC/9cngV7fgU0qXUlrjL591vbFWhJTk29ULPAE8r9ZKI9IBrj34/Qj8pD7cV
HEJoB/ODo2UCqnP2alG1qMXaS6EPtjDwN5lLapwzDXiBFz7j0OmMVpLny6RwPhHK
1N2uxmTS7uCwJiHbTUMzqpWEjZSomuT4wbBLUiCDSim+ZXtlGkhyXPnnGbUT1rOd
yAwxya4xJDh0YWzxFgq3ZzFI5UHV+u3wmp6xs3Miew1vrmvqJbvg/PHcl07C1h/H
A/BuSIQdN7EAVv/EAQgvlJX8gjgyf6/4xdt5dhIzOkomrZPr9mjCiPTzyWzwidVN
6HPINjk9vhUPhKNh36fZBAg6mYWTTusJzO6comhT/LZmHuY7/vXJcwYg98nCNeDS
HTNUlJHfT/MgGxgJwRfHn7Faph/Wj2KiSI5oAqHXKLjAv0r+16Bz2N9d+6C/glwR
FfLOiOWkhia/enI71hNtd/dj2Ima0Y2VXCAnURgH5XOln4sS/T0=
=zeV5
-----END PGP SIGNATURE-----
Merge tag 'apple-soc-fixes-7.0' of https://git.kernel.org/pub/scm/linux/kernel/git/sven/linux into soc/late2
Apple SoC fixes for 7.0
Two commits without any functional changes that arrived just before the
merge window opened:
- Update Sasha's email address in all dt-bindings, MAINTAINERS and add
him to mailmap
- Fix a typo in spi1-nvram.dtsi
* tag 'apple-soc-fixes-7.0' of https://git.kernel.org/pub/scm/linux/kernel/git/sven/linux:
arm64: dts: apple: Fix spelling error
dt-bindings: Update Sasha Finkelstein's email address
mailmap: Update Sasha Finkelstein's email address
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Common mistake in commit messages of patches on mailing list adding
CONFIG options to arm/multi_v7 or arm64/defconfig is saying what that
patch is doing, e.g. "Enable driver foo". That is obvious from the diff
part, thus explaining it does not bring any value. What brings value is
to understand why "driver foo" should be in a shared, upstream
defconfig, especially considering that distros have their own defconfigs
and we do not care about non-upstream trees.
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260413074401.27282-4-krzysztof.kozlowski@oss.qualcomm.com
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
It is obvious that one can ask DT maintainers of something, just like
one can ask anyone, so just drop the sentence. Concise documents with
rules have bigger chances of actually being read by people.
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260413074401.27282-3-krzysztof.kozlowski@oss.qualcomm.com
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
The netgear r8000 dts file limits the bus range for the first host
bridge to exclude bus 0, but the two devices on the first bus are
explicitly assigned to bus 0, causing a build time warning:
/home/arnd/arm-soc/arch/arm/boot/dts/broadcom/bcm4709-netgear-r8000.dts:142.3-27: Warning (pci_device_bus_num): /axi@18000000/pcie@13000/pcie@0/pcie@0,0/pcie@1,0:bus-range: PCI bus number 0 out of range, expected (1 - 255)
/home/arnd/arm-soc/arch/arm/boot/dts/broadcom/bcm4709-netgear-r8000.dts:142.3-27: Warning (pci_device_bus_num): /axi@18000000/pcie@13000/pcie@0/pcie@0,0/pcie@2,0:bus-range: PCI bus number 0 out of range, expected (1 - 255)
As Rosen mentioned, the bus-range property was a mistake, so just
remove it and keep the reg values pointing to bus 0, which is
allowed by the default bus range of the SoC.
Fixes: 893faf6743 ("ARM: dts: BCM5301X: add root pcie bridges")
Suggested-by: Rosen Penev <rosenp@gmail.com>
Link: https://lore.kernel.org/r/20260414064754.3129667-1-arnd@kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
* arm/fixes:
arm64: dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT
reset: amlogic: t7: Fix null reset ops
arm64: dts: imx8mp-data-modul-edm-sbc: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-ultra-mach-sbc: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-sr-som: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-nitrogen-som: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-aristainetos3a-som-v1: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-edm-g: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-navqp: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-debix-som-a: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT
dt-bindings: arm64: add Marvell 7k COMe boards
isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker-
controlled block number (ifid->block or ifid->parent_block) from
the NFS file handle to isofs_export_iget(), which only rejects
block == 0 before calling isofs_iget() and ultimately sb_bread().
A crafted file handle with fh_len sufficient to pass the check
added by commit 0405d4b63d ("isofs: Prevent the use of too small
fid") can still drive the server to read any in-range block on the
backing device as if it were an iso_directory_record. That earlier
fix was assigned CVE-2025-37780.
sb_bread() on an out-of-range block returns NULL cleanly via the
EIO path, so there is no memory-safety violation. For in-range
reads of adjacent-partition data on the same block device, the
unrelated bytes end up in iso_inode_info fields that reach the NFS
client as dentry metadata. The deployment surface (isofs exported
over NFS from loop-mounted images) is narrow and requires an
authenticated NFS peer, but the malformed-file-handle class is
reportable as hardening next to the existing CVE-2025-37780 fix.
Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so
the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent()
call sites with a single line.
Fixes: 0405d4b63d ("isofs: Prevent the use of too small fid")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260419212155.2169382-3-michael.bommarito@gmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
rock_continue() reads rs->cont_extent verbatim from the Rock Ridge CE
record and passes it to sb_bread() without checking that the block
number is within the mounted ISO 9660 volume. commit e595447e17
("[PATCH] rock.c: handle corrupted directories") added cont_offset
and cont_size rejection for the CE continuation but did not validate
the extent block number itself. commit f54e18f1b8 ("isofs: Fix
infinite looping over CE entries") later capped the CE chain length
at RR_MAX_CE_ENTRIES = 32 but again left the block number unchecked.
With a crafted ISO mounted via udisks2 (desktop optical auto-mount)
or via CAP_SYS_ADMIN mount, rs->cont_extent can therefore point at
an out-of-range block or at blocks belonging to an adjacent
filesystem on the same block device. sb_bread() on an out-of-range
block returns NULL cleanly via the block layer EIO path, so there
is no memory-safety violation. For in-range reads of adjacent-
filesystem data, the CE buffer is parsed as Rock Ridge records and
only the text of SL sub-records reaches userspace through
readlink(), which makes the info-leak channel narrow and difficult
to exploit; still, rejecting the malformed CE outright matches the
rejection shape already present in the same function for
cont_offset and cont_size.
Add an ISOFS_SB(sb)->s_nzones bounds check to rock_continue() next
to the existing offset/size rejection, printing the same
corrupted-directory-entry notice.
Fixes: f54e18f1b8 ("isofs: Fix infinite looping over CE entries")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260419212155.2169382-2-michael.bommarito@gmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
To improve maintainability, split the maintainer information for the hibmc and
kirin drivers under the drivers/gpu/drm/hisilicon directory.
drivers/gpu/drm/hisilicon/hibmc driver has almost completed feature development
based on the new generation HiSilicon BMC chip. It was co-developed by
Yongbang Shi, Baihan Li and Lin He. Going forward, this module will be
maintained by Yongbang Shi.
Signed-off-by: Yongbang Shi <shiyongbang@huawei.com>
Acked-by: Tao Tian <tiantao6@hisilicon.com>
Acked-by: Xinliang Liu <xinliang.liu@linaro.org>
Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patch.msgid.link/20260319131132.722033-1-shiyongbang@huawei.com
* for-next/c1-pro-erratum-4193714:
: Work around C1-Pro erratum 4193714 (CVE-2026-0995)
arm64: errata: Work around early CME DVMSync acknowledgement
arm64: cputype: Add C1-Pro definitions
arm64: tlb: Pass the corresponding mm to __tlbi_sync_s1ish()
arm64: tlb: Introduce __tlbi_sync_s1ish_{kernel,batch}() for TLB maintenance
* for-next/misc:
: Miscellaneous cleanups/fixes
virt: arm-cca-guest: fix error check for RSI_INCOMPLETE
arm64/hwcap: Include kernel-hwcap.h in list of generated files
* for-next/mpam:
: Fix an unmount->remount problem with the CDP emulation, uninitialised
: variable and checker warnings
arm_mpam: resctrl: Make resctrl_mon_ctx_waiters static
arm_mpam: resctrl: Fix the check for no monitor components found
arm_mpam: resctrl: Fix MBA CDP alloc_capable handling on unmount
Give the driver a chance to flush its queue before releasing the DMA
buffers on driver unbind
Fixes: c37f3c2749 ("spi/topcliff_pch: DMA support")
Cc: stable@vger.kernel.org # 3.1
Cc: Tomoya MORINAGA <tomoya-linux@dsn.okisemi.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260414134319.978196-9-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Make sure to deregister the controller before disabling and releasing
underlying resources like interrupts and DMA during driver unbind.
Fixes: e8b17b5b3f ("spi/topcliff: Add topcliff platform controller hub (PCH) spi bus driver")
Cc: stable@vger.kernel.org # 2.6.37
Cc: Masayuki Ohtake <masa-korg@dsn.okisemi.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260414134319.978196-8-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
The state machine work is scheduled by the interrupt handler and
therefore needs to be cancelled after disabling interrupts to avoid a
potential use-after-free.
Fixes: 984836621a ("spi: mpc52xx: Add cancel_work_sync before module remove")
Cc: stable@vger.kernel.org
Cc: Pei Xiao <xiaopei01@kylinos.cn>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260414134319.978196-5-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Make sure to deregister the controller before disabling and releasing
underlying resources like interrupts and gpios during driver unbind.
Fixes: 42bbb70980 ("powerpc/5200: Add mpc5200-spi (non-PSC) device driver")
Fixes: b8d4e2ce60 ("mpc52xx_spi: add gpio chipselect")
Cc: stable@vger.kernel.org # 2.6.33
Cc: Grant Likely <grant.likely@secretlab.ca>
Cc: Luotao Fu <l.fu@pengutronix.de>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260414134319.978196-4-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
