mirror of https://github.com/torvalds/linux.git
1398773 Commits
| Author | SHA1 | Message | Date |
|---|---|---|---|
Linus Torvalds
|
7d0a66e4bb | Linux 6.18 | |
|
Linus Torvalds
|
e69c7c1751 |
- Have timekeeping aux clocks sysfs interface setup function return an
error code on failure instead of success -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEzv7L6UO9uDPlPSfHEsHwGGHeVUoFAmksJ6kACgkQEsHwGGHe VUqxARAAqEqj33/ErgPpytnpRkuJwGCGeSO879MMAoLTFpmALmoQZlqhA+WF1xYw T5QF7nGlBeW/GwFAVlm1riqI6iPk2iUZWczS9bq0wjtR0XNHReCqLGdRe+4DHEjb PtyXMrrQgq5FuvHaIkuSUxBKtyHn+KMObldxp2azpO8nfUubDSCCgw9aQfm2osHi JIldKOPdFKRv8uLnBBbI2A+6cFrqXr/ptAzx8C3hov7sN0jBODOitb7fNerEb+T4 U5awKzpK3WzcilyrlEZMCFXRV5e3naTgnUDd8/7t9m0SA10K5oSIM1zggVLRWN8Z AA7XMpbRAl1S23GUVjSAM/vOMmaJJAuIMJ4ZXIKoTFVQJ3kenzY4GtDdObh05ID4 971y0hXrko74Qq42oME4UHSKexcR4vIBwXC0J9g04EbtKQ/sm6uhoUlb2Xb/UfxR CPxzDqy1pFkjuMG49yu3JE2fUHOryiRcNUUgas2PBKjKG0KyZPcJWa/fRsk5LlLy oeUXx/hXOq6Nw0ydyzI7iJgAM5SbM4A5p/hxlWmQnfXJ2EQdmkORTmMkloaUvB7u vWaOd9I+D3iSzNaw4zP0kzgPRX70PCRn1qakT3zQ340c9vNT/lYQjRelK7gfYZF6 HOBID2Pl3+pqUTfli6qxbXsgqH4hbCWSomDbY9t2AFK6h6K2l8Q= =CFYj -----END PGP SIGNATURE----- Merge tag 'timers_urgent_for_v6.18_rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull timer fix from Borislav Petkov: - Have timekeeping aux clocks sysfs interface setup function return an error code on failure instead of success * tag 'timers_urgent_for_v6.18_rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: timekeeping: Fix error code in tk_aux_sysfs_init() |
|
|
Linus Torvalds
|
6bda50f433 |
Fix TLB unification for cores with more than 64 TLB entries
-----BEGIN PGP SIGNATURE----- iQJOBAABCAA4FiEEbt46xwy6kEcDOXoUeZbBVTGwZHAFAmkrXGMaHHRzYm9nZW5k QGFscGhhLmZyYW5rZW4uZGUACgkQeZbBVTGwZHAZ3w/5Adn6Wb0zk1MAtreYjumI VzERvDnfCqJE4SjJf11Fhe1TvT7RLElIUU612ILdPh5OCL0zyPT0PtvX6LlvLCzQ YRTCXXFtybi57rvPtlDIBh0bXcsQskAoGPExMzBJ6Re5oeeyI7qM5P9BV4eYsQD4 tEM0RZKB0oPeUZ0p7Hq7F2xo1ZcJqFn14zAbf6ADHp+Xj1Kdal0FStTcLDMNdaKV QSZqxD26DZ7dCO9fEbDOO7Y/gdpLhPrN8q6rAexGlNwSFAqWWZ/1bY1a2b+oxcVN IyRqxhWwX6HTAzSab7VO/orT6HRCH3X50K7rXwEMGFhAjnyEcqRBhOiRDYtEJg87 AamDQ2IPCkzeIi8UVnzoWDtszcSPs5eFW5LTBdhDCLCkt+UTnU0bi34jS/K6LCpJ HiQ7BbjM36nwqo8goe5Udz9KOcwZLW1+5DaSPT0yazZyxbUqp2lrKrk8Ie6SDIxt QLzDxAlN56lrxfd8MVDOWIrtf9LYcfdxwHsrT937Fwl/eCg+OdicTsGBfTlHHBDE pxTYDIu74lluAyyk1TqSBoeO/qqXLBIs4EIu5IjEqZ/SQmAPxFvP5l5mj38Uz3uP f99jxtUSsc2dttmkAMrTtrdouYoYaaA2XbGFkE0JJYVGWLO8oyrEagGn5OClfdqQ 7jct1es16BKK85NWr8aUvu0= =8cjZ -----END PGP SIGNATURE----- Merge tag 'mips-fixes_6.18_2' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux Pull MIPS fix from Thomas Bogendoerfer: "Fix TLB unification for cores with more than 64 TLB entries" * tag 'mips-fixes_6.18_2' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux: MIPS: mm: kmalloc tlb_vpn array to avoid stack overflow |
|
Thomas Bogendoerfer
|
841ecc979b |
MIPS: mm: kmalloc tlb_vpn array to avoid stack overflow
Owing to Config4.MMUSizeExt and VTLB/FTLB MMU features later MIPSr2+
cores can have more than 64 TLB entries. Therefore allocate an array
for uniquification instead of placing too an small array on the stack.
Fixes:
|
|
David Howells
|
19eef1d98e |
afs: Fix uninit var in afs_alloc_anon_key()
Fix an uninitialised variable (key) in afs_alloc_anon_key() by setting it
to cell->anonymous_key. Without this change, the error check may return a
false failure with a bad error number.
Most of the time this is unlikely to happen because the first encounter
with afs_alloc_anon_key() will usually be from (auto)mount, for which all
subsequent operations must wait - apart from other (auto)mounts. Once the
call->anonymous_key is allocated, all further calls to afs_request_key()
will skip the call to afs_alloc_anon_key() for that cell.
Fixes:
|
|
|
Linus Torvalds
|
e664048784 |
spi: Fixes for v6.18
A disappointingly large set of device specific fixes that have built up since I've been a bit tardy with sending a pull requests as people kept sending me new new fixes. The bcm63xx and lpspi issues could lead to corruption so the fixes are fairly important for the affected parts, the other issues should all be relatively minor. -----BEGIN PGP SIGNATURE----- iQEzBAABCgAdFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAmkqFaIACgkQJNaLcl1U h9Cx4Af+N+WonkDRzn5iOEzu4dOFz4idB0mV2LkFwWgKaTXZ2G0YKwJqvWE9Yw1Z bxOYOmJYaZAms4qOPJJVbPm38NrkjEnRdca9+zBsyu3nuvo8QLCefgLbzgwfUFcF cy/9JPVdcOaI9yQsw0nfVa59NiddlnxWZM8iEbiUWkdG+Y6e6vkvs/iS0GutP39e XDrCLLyfzK70Pl7PwjNtSvVAQSxIuIB6Y08Q5/ck3tdQYW48Nvf48e5NIhKp/dO1 ulIrtEYp9//pec/VRUAyNBT2JE/suDjHs+C3xeT9BLpzUlJEUq6e0yec8vtkrTiu S2a9nMpexxTPlu9kH31PecS/seRyHg== =8IkW -----END PGP SIGNATURE----- Merge tag 'spi-fix-v6.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi Pull spi fixes from Mark Brown: "A disappointingly large set of device specific fixes that have built up since I've been a bit tardy with sending a pull requests as people kept sending me new new fixes. The bcm63xx and lpspi issues could lead to corruption so the fixes are fairly important for the affected parts, the other issues should all be relatively minor" * tag 'spi-fix-v6.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi: spi: nxp-fspi: Propagate fwnode in ACPI case as well spi: tegra114: remove Kconfig dependency on TEGRA20_APB_DMA spi: amlogic-spifc-a1: Handle devm_pm_runtime_enable() errors spi: spi-fsl-lpspi: fix watermark truncation caused by type cast spi: cadence-quadspi: Fix cqspi_probe() error handling for runtime pm spi: bcm63xx: fix premature CS deassertion on RX-only transactions spi: spi-cadence-quadspi: Remove duplicate pm_runtime_put_autosuspend() call spi: spi-cadence-quadspi: Enable pm runtime earlier to avoid imbalance |
|
|
Linus Torvalds
|
82ebd4e320 |
regulator: Fixes for v6.18
A couple of fixes for incorrect device descriptions in the rtq2208 driver. -----BEGIN PGP SIGNATURE----- iQEzBAABCgAdFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAmkqE5oACgkQJNaLcl1U h9ByEQf/elFORcnRnri/ZOd+QqtAsO/aUtWeooGtavmayLiQEGESqjs/n0Zjb3fQ Ajo1eUD2h11C+gEY4GTQr2iRG+/wksT5ogRB9B3TlOJ+MiQDkJsoZ4idv2UTeuqV zZueCTBV1Kt5oGVMgMC/4atRLNLackr5xqUkl8AZ2+szDK9MTA/VGhDmU5ao6dTd xgmXbEVGQTvOM8E+jXHEsnnHqyMIbuwXLUoDLVXvoiYww+yMqqvZCMdIqXT8Ue7W vtc0WZmXAZ8h4EUtD/WxVH0aq5qPJEYHy9lWNPRJs9KPdmxZ1O1eAsqEygTs0+fa zCdEKwIANV4cvkegX5Blf2qcv4L6Fg== =/5ra -----END PGP SIGNATURE----- Merge tag 'regulator-fix-v6.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator Pull regulator fixes from Mark Brown: "A couple of fixes for incorrect device descriptions in the rtq2208 driver" * tag 'regulator-fix-v6.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator: regulator: rtq2208: Correct LDO2 logic judgment bits regulator: rtq2208: Correct buck group2 phase mapping logic |
|
|
Linus Torvalds
|
9917bf8e7f |
io_uring-6.18-20251128
-----BEGIN PGP SIGNATURE----- iQJEBAABCAAuFiEEwPw5LcreJtl1+l5K99NY+ylx4KYFAmkp+HsQHGF4Ym9lQGtl cm5lbC5kawAKCRD301j7KXHgphABEADEyBUKJZCpLX/l+Gx69QLtJ4lmBAQgSyPz RDHi6bUkH8UcsQXHHf04CDOuoUOCIbnM7EWS0zQZwX7Gq0o17POyumLvuqUsE4sA m+ma3RVGG0ZliF3/dGY4Nj+soUOiojuHQ4W2puB1uS5ebIgklbEfKH2/L7xyBOVD BqfIenjD6mIEnnFLCcsZsSXUbGhAuO4W8HILjrhYOloLVI045kSRiKGZqWih2Ixd d6CtNSuGbVWWeBHL746/XMyJqvo03lWYs9t/oh/FWRmfYvU8h4r91Iwwc/mgC1NY ArGa1iogdlwWZs4DlkREladeF70IbO9X/3CXOQUtRDNgu/5NSSFL4by+zPTopJV3 VcDaiiCCcSM49V3lO574PWSgsXuFBtxL2MOQwoAI2PHVe2OBcNcfirfG/day8D5d ViW/OAoFnK2g7SsQsgwCTavNAxOrw1xyh7TRshdaX4RObekNTZpuVMue+hseazGl nuuBoWxQow0V26oUuCwWZh4CEbvAgykmDSMAH9ZqoB/NXfy22REtYaitPSWW/GNg NhtmRXc4zRL/ll7K21spOJkOqOpAVFwghQfys8mACZGOf5XYCQskZlUCJeAYRFzW 5qTEaJJ20W9tw/xoLFWLdaWtYw4sU5zbAqtMYDHtG7E0vNBI5SxSkulLCBlw/iAS eE2BpBRZ4Q== =uvkM -----END PGP SIGNATURE----- Merge tag 'io_uring-6.18-20251128' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux Pull io_uring fixes from Jens Axboe: - Ensure that vectored registered buffer imports ties the lifetime of those to the zero-copy send notification, not the parent request - Fix a bug introduced in this merge window, with the introduction of mixed sized CQE support * tag 'io_uring-6.18-20251128' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux: io_uring: fix mixed cqe overflow handling io_uring/net: ensure vectored buffer node import is tied to notification |
|
|
Linus Torvalds
|
f3b17337b9 |
vfs-6.18-rc8.fixes
-----BEGIN PGP SIGNATURE----- iHUEABYKAB0WIQRAhzRXHqcMeLMyaSiRxhvAZXjcogUCaSmOegAKCRCRxhvAZXjc olHrAPwICALbFRDg/oj0kOFXEpUP2OrlCeKaZEMoxrKj1gZCUAEAzCATecAvZHZs ks1d77a0z9qMvQXxISws8ByNPueTMAA= =GH+q -----END PGP SIGNATURE----- Merge tag 'vfs-6.18-rc8.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull vfs fixes from Christian Brauner: - afs: Fix delayed allocation of a cell's anonymous key The allocation of a cell's anonymous key is done in a background thread along with other cell setup such as doing a DNS upcall. The normal key lookup tries to use the key description on the anonymous authentication key as the reference for request_key() - but it may not yet be set, causing an oops - ovl: fail ovl_lock_rename_workdir() if either target is unhashed As well as checking that the parent hasn't changed after getting the lock, the code needs to check that the dentry hasn't been unhashed. Otherwise overlayfs might try to rename something that has been removed - namespace: fix a reference leak in grab_requested_mnt_ns lookup_mnt_ns() already takes a reference on mnt_ns, and so grab_requested_mnt_ns() doesn't need to take an extra reference * tag 'vfs-6.18-rc8.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: afs: Fix delayed allocation of a cell's anonymous key ovl: fail ovl_lock_rename_workdir() if either target is unhashed fs/namespace: fix reference leak in grab_requested_mnt_ns |
|
|
Linus Torvalds
|
7fa0d7744c |
soc: fixes for 6.18, part 4
A few last minute fixes came in this week:
- interrupt and gpio numbers in foud separate i.MX8 specific
devicetree files were wrong.
- The vector length property in the C906 CPU description
used the wrong unit.
- Two bugs with uninitialized stack variables in the tee
subsystem.
- Alexander Stein now maintains additional devicetree files.
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEo6/YBQwIrVS28WGKmmx57+YAGNkFAmkp0T4ACgkQmmx57+YA
GNlCyRAAkjpZqOwlAyx4w40U2GqlDQfE943/RG9/X8vASwgzIAvQ+0bhn+z2rR5R
A2gtnKZwrKSaChEAUviDFbswdctyi1cuqwInSHEISUww8qW9Rvw3BZ1sieh5V3Ja
r353W1feevroXqU0KO7ifkV86kB8rXnVB3o1v15/Ars2B0VJh+C9Wvpx/bvpF2QW
SGRqRzJESoYh2E7LDjnzvas/WMkkv30CQPGV7A5OuVxJJQ1OgwSmg0yAUTCZlrxi
evj74jCkMCEByTF2ExhEdIgJ/oWUyfiwkbMHW6FhmSRMVRV7pabnV2eoE1h2awgM
e7Mi8T1ZjhkbKvmocHD29D5LA/CBXShMDy4omGBL59TEwHlkOzxBNFa5RKss/G6i
BuEvH8Ko8146S5dXLXIFf9+wW5oTMVkSABr0DoAgC12NvQOkA4mtCaIApbKi8cKQ
/GnLjdH5m1lmSVrNfJS1fgtOpd0p33aXsZbkh+vY5+qCqfpdPNb8KdHjRa4Lq1I0
wcPNU0b2ZxolTa9+RiFJh2Chz0DytidmsoGDk5yJHVbg1ZtfWtp6gPz6iS6urcck
bax8+Fh5n/k4lK3h4CDSo+DerBl0fnL6HB3vWwt6uqWiEoF2qq4lGTEhMWIP+NK+
Xcz2LHzk4sfUdn51gqESLXuId/tSYpBQy+o6fgkWI0zY9DNo98Y=
=D1Mu
-----END PGP SIGNATURE-----
Merge tag 'soc-fixes-6.18-4' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
Pull SoC fixes from Arnd Bergmann:
"A few last minute fixes came in this week:
- interrupt and gpio numbers in foud separate i.MX8 specific
devicetree files were wrong
- The vector length property in the C906 CPU description used the
wrong unit
- Two bugs with uninitialized stack variables in the tee subsystem
- Alexander Stein now maintains additional devicetree files"
* tag 'soc-fixes-6.18-4' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc:
riscv: dts: allwinner: d1: fix vlenb property
MAINTAINERS: Add entry for TQ-Systems AM335 device trees
tee: qcomtee: initialize result before use in release worker
arm64: dts: imx8qm-mek: fix mux-controller select/enable-gpios polarity
tee: qcomtee: fix uninitialized pointers with free attribute
ARM: dts: nxp: imx6ul: correct SAI3 interrupt line
arm64: dts: imx8dxl-ss-conn: swap interrupts number of eqos
arm64: dts: imx8dxl: Correct pcie-ep interrupt number
|
|
|
Linus Torvalds
|
6cf62f0174 |
Char/Misc/IIO fixes for 6.18-rc8
Here are some much-delayed char/misc/iio driver fixes for 6.18-rc8. Fixes in here include: - lots of iio driver bugfixes for reported issues. - counter driver bugfix - slimbus driver bugfix - mei tiny bugfix - nvmem layout uevent bugfix All of these have been in linux-next for a while, but due to travel on my side, I haven't had a chance to get them to you. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -----BEGIN PGP SIGNATURE----- iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCaSnL1g8cZ3JlZ0Brcm9h aC5jb20ACgkQMUfUDdst+ymUpACfaPn4EMLwg1fF60cmYoW0mr0RGg4An1xj6YB3 evzxFzdPf6HwPPkxSOmx =3lRL -----END PGP SIGNATURE----- Merge tag 'char-misc-6.18-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc Pull char / misc / IIO fixes from Greg KH: "Here are some much-delayed char/misc/iio driver fixes for 6.18-rc8. Fixes in here include: - lots of iio driver bugfixes for reported issues. - counter driver bugfix - slimbus driver bugfix - mei tiny bugfix - nvmem layout uevent bugfix All of these have been in linux-next for a while, but due to travel on my side, I haven't had a chance to get them to you" * tag 'char-misc-6.18-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (23 commits) nvmem: layouts: fix nvmem_layout_bus_uevent iio: accel: bmc150: Fix irq assumption regression most: usb: fix double free on late probe failure slimbus: ngd: Fix reference count leak in qcom_slim_ngd_notify_slaves firmware: stratix10-svc: fix bug in saving controller data mei: fix error flow in probe iio: st_lsm6dsx: Fixed calibrated timestamp calculation iio: humditiy: hdc3020: fix units for thresholds and hysteresis iio: humditiy: hdc3020: fix units for temperature and humidity measurement iio: imu: st_lsm6dsx: fix array size for st_lsm6dsx_settings fields iio: accel: fix ADXL355 startup race condition iio: adc: ad7124: fix temperature channel iio:common:ssp_sensors: Fix an error handling path ssp_probe() iio: adc: ad7280a: fix ad7280_store_balance_timer() iio: buffer-dmaengine: enable .get_dma_dev() iio: buffer-dma: support getting the DMA channel iio: buffer: support getting dma channel from the buffer iio: pressure: bmp280: correct meas_time_us calculation iio: adc: stm32-dfsdm: fix st,adc-alt-channel property handling iio: adc: ad7380: fix SPI offload trigger rate ... |
|
|
Linus Torvalds
|
dabf127d64 |
Serial driver fixes for 6.18-rc8
Here are 2 serial driver fixes for reported issues for 6.18-rc8.
These are:
- fix for a much reported symbol build loop that broke the build for
some kernel configurations.
- amba-pl011 driver bugfix for a reported issue
Both have been in linux next (the last for weeks, the first for a
shorter amount of time), with no reported issues.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCaSnMaw8cZ3JlZ0Brcm9h
aC5jb20ACgkQMUfUDdst+ymg5QCfeiPTQKjBjgltevx4QCaxVMyoo54AmwTVgjub
iXAdo7xLL3tvpG1ubqgt
=y3e3
-----END PGP SIGNATURE-----
Merge tag 'tty-6.18-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
Pull serial driver fixes from Greg KH:
"Here are two serial driver fixes for reported issues for 6.18-rc8.
These are:
- fix for a much reported symbol build loop that broke the build for
some kernel configurations
- amba-pl011 driver bugfix for a reported issue
Both have been in linux next (the last for weeks, the first for a
shorter amount of time), with no reported issues"
* tag 'tty-6.18-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
serial: 8250: Fix 8250_rsa symbol loop
serial: amba-pl011: prefer dma_mapping_error() over explicit address checking
|
|
|
Linus Torvalds
|
5d324e5159 |
USB/Thunderbolt fixes for 6.18-rc8
Here are some last-minutes USB and Thunderbolt driver fixes and new device ids for 6.18-rc8. Included in here are: - usb storage quirk fixup - xhci driver fixes for reported issues - usb gadget driver fixes - dwc3 driver fixes - UAS driver fixup - thunderbolt new device ids - usb-serial driver new ids All of these have been in linux-next with no reported issues, many for many weeks. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -----BEGIN PGP SIGNATURE----- iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCaSnO0w8cZ3JlZ0Brcm9h aC5jb20ACgkQMUfUDdst+ymqyACgvNvTnpfj8lx0L9aESj6Hra0UZ20AoKlYRFW1 gAVcF4Wafnu7ehjAITXL =cH0/ -----END PGP SIGNATURE----- Merge tag 'usb-6.18-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB/Thunderbolt fixes from Greg KH: "Here are some last-minutes USB and Thunderbolt driver fixes and new device ids for 6.18-rc8. Included in here are: - usb storage quirk fixup - xhci driver fixes for reported issues - usb gadget driver fixes - dwc3 driver fixes - UAS driver fixup - thunderbolt new device ids - usb-serial driver new ids All of these have been in linux-next with no reported issues, many for many weeks" * tag 'usb-6.18-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (21 commits) usb: gadget: renesas_usbf: Handle devm_pm_runtime_enable() errors USB: storage: Remove subclass and protocol overrides from Novatek quirk usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths xhci: dbgtty: fix device unregister usb: storage: sddr55: Reject out-of-bound new_pba USB: serial: option: add support for Rolling RW101R-GL usb: typec: ucsi: psy: Set max current to zero when disconnected usb: gadget: f_eem: Fix memory leak in eem_unwrap usb: dwc3: pci: Sort out the Intel device IDs usb: dwc3: pci: add support for the Intel Nova Lake -S drivers/usb/dwc3: fix PCI parent check usb: storage: Fix memory leak in USB bulk transport xhci: sideband: Fix race condition in sideband unregister xhci: dbgtty: Fix data corruption when transmitting data form DbC to host xhci: fix stale flag preventig URBs after link state error is cleared USB: serial: ftdi_sio: add support for u-blox EVK-M101 usb: cdns3: Fix double resource release in cdns3_pci_probe usb: gadget: udc: fix use-after-free in usb_gadget_state_work usb: renesas_usbhs: Fix synchronous external abort on unbind ... |
|
|
Linus Torvalds
|
24a84ea4ee |
omap: check for pending msgs only when mbox is exclusive
mailbox-test: debugfs_create_dir error checking
mtk: cmdq: fix DMA address handling
gpueb: Add missing 'static' to mailbox ops struct
pcc: don't zero error register
th1520: fix clock imbalance on probe failure
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE6EwehDt/SOnwFyTyf9lkf8eYP5UFAmkpxWMACgkQf9lkf8eY
P5UUdhAAmIWRSr8U16HdYYHZ32TCqsEn/cm38RRR9NyrYYTTTUIWwlh8S8ff0Ldh
zuBWYzZuo4EocQOE1YVbKUM3hspgobcIJNg7hBVeMT8l6cD/Hmk0FKm4zDssyvWk
XHC6AB3MLAVH8/n8c0NQn1mou0mOSEIFsOjnzikkkaDhKIJM14pnX5gIL8hG3kyV
/B60QIkUCz7+3/OCQF42kQlG/l6D8m/FncK02rZcOyvPFbyiA3F/GhIrQ61dqKEm
8iMP4+srLCek5UmL0LReFaiq69KJvKxqdaWD70o8mcC1a51MSnZAmwZSdSuFablf
hOspEdBpxH2rBeMG/7bEvDZPpKRSvf6S9eI2d2oDK/9NusIjnmx4ryxanp+dknHS
weEKI04VOEiFgByxBUbmB+xMman5q6AF98Mz+N/trp1yU/rxUFLvsUDO7jy2uQVn
zXGNLPC+vW5SoLEYru6zdnJW+m0N/CWVEdz8+2ne+MHkRa+2IDHdfNDuTrFmd0J0
/iWrAQXdMJ6BDkuYJNy16d4GLjkM2lp0K9w07ltezI7pHAQd3EPcMGXzB5BXAe+h
CWh5oTicoAAaxKP0Ya8jYEI5c/vRbVLXdepOn/izcEy0+mE2ACqlQMrUbN4omgal
t6c5L5/yJQsD8whS6Fio9cFLEj5esNFep38T7BuGrX9PSgVJFlc=
=8o7Y
-----END PGP SIGNATURE-----
Merge tag 'mailbox-fixes-v6.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/jassibrar/mailbox
Pull mailbox fixes from Jassi Brar:
- omap: check for pending msgs only when mbox is exclusive
- mailbox-test: debugfs_create_dir error checking
- mtk:
- cmdq: fix DMA address handling
- gpueb: Add missing 'static' to mailbox ops struct
- pcc: don't zero error register
- th1520: fix clock imbalance on probe failure
* tag 'mailbox-fixes-v6.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/jassibrar/mailbox:
mailbox: th1520: fix clock imbalance on probe failure
mailbox: pcc: don't zero error register
mailbox: mtk-gpueb: Add missing 'static' to mailbox ops struct
mailbox: mtk-cmdq: Refine DMA address handling for the command buffer
mailbox: mailbox-test: Fix debugfs_create_dir error checking
mailbox: omap-mailbox: Check for pending msgs only when mbox is exclusive
|
|
Arnd Bergmann
|
3ecfcf34f0 |
Allwinner fixes for 6.18
Just one fix to correct the "thead,vlenb" property for the RISC-V based D1 SoC family. -----BEGIN PGP SIGNATURE----- iQJEBAABCgAuFiEE2nN1m/hhnkhOWjtHOJpUIZwPJDAFAmkluhoQHHdlbnNAa2Vy bmVsLm9yZwAKCRA4mlQhnA8kMAxAD/9mJbDwjSEg2ouGk6tXxXdnj8NS1qkmhbNu 3Nwc882eMroH9CQ7uj63TadXH1UxtE/f/ZOERmnDaVjB5VFWRPuvrVYrF1XChkLF 03D9PxDuFL2AghnWTYLiS3aAYEi65bphkBfbDFz4y0jZ1TZbzM1ePOf3K6Pq3QCq AC+HXxvvZw8QMRSOabHruGMTieTdJj6k5lTYKV04ZVEmgKMtp2Wz/IvYMFC9N7Nu PwX5+++ppP63Y/VdwLlpMJFRGcIWzC9uVdz5fYH9sHJyK/xlR11sE+n54DzvzlYl /JpEdgSspkJ0V4hbM5N2iTiVBZ3ufjrniyrQHVYOzOVEv6dtIVewOP+cuCxD60fa mpeCqaib5PZY+cLlhJTWzD9+s9hGsM6le99LLVM7nT96OKRsaKXm0zKjDN3YqZr/ DCJMo0Ykz86z8AnOCDfb/HdYxRV4pizUP1BWFifom4OC4OybSe+6sQXDgddrWK48 qVIEaFcd06RGw7dy2t+GmwSDxJThojKN7ayeuezhHQ99P4akapV/5rZAw4vezPdO b8EVyV40JsDltVcI/UHhhtcYIk3O1AxGGzK4hOUEMosb5JztS2ROGHHeTVn0A2w1 IP99IlTNfyIaeEkopFAIMUNJXvzk5rd5fb0FmLZXpMtu2NtBdNM2+4SDripoxXB+ X1XNyLZADg== =OqKr -----END PGP SIGNATURE----- Merge tag 'sunxi-fixes-for-6.18' of https://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux into arm/fixes Allwinner fixes for 6.18 Just one fix to correct the "thead,vlenb" property for the RISC-V based D1 SoC family. * tag 'sunxi-fixes-for-6.18' of https://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux: riscv: dts: allwinner: d1: fix vlenb property |
|
|
Arnd Bergmann
|
a6737fe620 |
MAINTAINERS: Add entry for TQ-Systems AM335 device trees
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEe4dGDhaSf6n1v/EMWTcYmtP7xmUFAmkbWfwACgkQWTcYmtP7 xmWF6A//ZxSOyanVt8NqIKqFmdOI7Duo7TgxGzXB7u4bTHHgG0rtGxPXBOcmZCZS 0nT24q/VIZnyiS3zKC3PhUBf8oeOVdiHuKKgRhMgf/wYRWyUOOb6i6o+LdFlwqZz Y3LfWJbzEl0YihHzvqs5+/6viLCFKGapjWyowiIZmAGTIWCGhItLZCv+T6r8Ud/U q4+NmbUPtNP88PMuehQFkKbGtz6yPzY5UdHduKv9DazbcUi4it1EAFctn854NqKx dgkkqNRlKVXkZMoIS0kjymf2CiUtyImHmayPtd0nbEjCc8diGTX2NB5mZxR90FGz 0LClAesX/urXo7AvT+Ho/Q6lTEnBbLB9hJRehvKHtOPbwvVNsnJSxrw7E5OkctDR VrwkBJnhLqdfoKUXicVIerMWph0GP/Qmvv6g/4LZFTIlOJKzp5pQZzykjg1wM7sx 45oEdrmOB7vyj7GUqH8hp2ai4/TcZdTe8roXee4hCvW/C2PQe54TShL0hckrme/Q WO5efdHKOt352Q+iqwZREWmUDLRfEQE7MeqZihIYSITukXdLj/OJ0H+Pzd7mwNdL 73QVyfa95Ki+rJMZlRlhpvIDhLRsOPS1Jj8M7ccvG4+AZTHZ8i79coQfD4uP4Dsw rMkFuHyyFl/ixLaKEOyeTPhryYQp1CNAxSqHJXQbvmHl+8+5PR0= =j5Wf -----END PGP SIGNATURE----- gpgsig -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEo6/YBQwIrVS28WGKmmx57+YAGNkFAmkpz6UACgkQmmx57+YA GNkUXBAAvsEa60LEtUxWJ7rBtnE416Xyf44UTbRd5yZwZEGTaewW9uqmjRp18V76 lTtujB97UO6HVmKUnz2dHCsEvm1XntWoKHqzDv0/dKifZGczX1BVmcewxeg8jQVB Dk7GW/d2NMwwAwBuhH/fGj/AUW83IDC8GP8j/EIQWMJIxA+Jhw1oFtvwGGTrTy84 R0QWISl3AQ2BiFemR44Y+UxKghellu368acaWeAnmvDNmLWrMKw9l4aWp9d48GJ9 ZQ7UWEK8uvGnmxkn0SmLRqIYzz1Zw7RPyyAuLjOKB985sZ7WjiyMnIabnitof2Ah wfM0TrJQnl2VEDQ3PoHhmvo9+MCrV5Xmf1t829nkIwhy1EBNVPhIFdSPVZuzllHC nrSVlfp+u4G/ISstGSelzdeGAaH7J506jDcDhzIFw1jGX8CxjqS1j158gSK5tbsA pQzqRahS2hGr5l53CEWZFVL48yqclY+BqkDuTUCLhUni/uBghSpPZHhzgIddH4Ji 7XTCXNLR3qLxTjfnuFE7ffMdsL/g5gUkmSf+7Wvrcz/uyPu+1gzas74gFQrmKmUM EIyKpimP1WPKjf9oO6h44S/ucQP4KZ+R1hTlOee9X0nyjggZg9KAJ3sj6VI5zZrx SajIonmQF78IjtPCcj2IyTTTO4jnLxqWhd4TrwL9x9qDpMxcJHY= =2aXH -----END PGP SIGNATURE----- Merge tag 'omap-for-v6.19/maintainers-signed' of git://git.kernel.org/pub/scm/linux/kernel/git/khilman/linux-omap into arm/fixes MAINTAINERS: Add entry for TQ-Systems AM335 device trees * tag 'omap-for-v6.19/maintainers-signed' of git://git.kernel.org/pub/scm/linux/kernel/git/khilman/linux-omap: MAINTAINERS: Add entry for TQ-Systems AM335 device trees |
|
|
Linus Torvalds
|
4331989728 |
MMC host:
- sdhci-of-dwcmshc: Fix reset handling for some variants -----BEGIN PGP SIGNATURE----- iQJLBAABCgA1FiEEugLDXPmKSktSkQsV/iaEJXNYjCkFAmkpoDEXHHVsZi5oYW5z c29uQGxpbmFyby5vcmcACgkQ/iaEJXNYjCma5Q/+IGd/TkBnzOeoaCBGX5xP9xWl oxowO9O5DvQe8xkjgQSR50SktRfV5A/jfNUqyiursdMothKNistjlnkUrBpl2R/f dHw71tKWcY4qtLi/mp8+9k4pTuym33mHVXexm9UWUE8HCG32xR2jbXGwengq/YCc bNLtSVgnaSSGCEs6iCSjHlIvwqdJ9tbXQljBPy1lXtpOiU6goELsCGo13rdyOU0t TWCmY3obNhGJCSSKzVlF6VF2nfxca41zeJKukcPiKi1Il7wIfEe+nG8PP0SLRtlQ bXJc2xKRjNC/SXyCC8T5Wn2/KOiuf0Fw1PmT7tPAdR8j2sO+4TPeCGmAy1eOtocI k4v+V3t37RGTQeO4T8N6e0VDND0swrBetG1KESyd5VmE8r4RZYybIuXNcopaCM92 wsqlgQMJyuksuv3sfuf73g7V7Bbg4HpS4FqoVb2QHBDXOh8NrSD9Jb7zu47k0Oyw xHsFuw5qTzTnt/wDYKKT1vzvwKWB1EwkvvbF3unXc7mAaZIiZeyH+F7Z6gG0Iudo T92NMzObM2ndtSCVUKW2NEi29/A5mi3ibP+5XZpS3HfjIuIqaPckH1Ed6jmwFZ7V RwSgcpfaExYQTLVz/MWZVSoRLutUo7e0yxcLvum81i3u7/sw01NVzYBFNCjk3NL7 5dtoGjSciapQk4FNGro= =5jmV -----END PGP SIGNATURE----- Merge tag 'mmc-v6.18-rc2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc Pull MMC fix from Ulf Hansson: - sdhci-of-dwcmshc: Fix reset handling for some variants * tag 'mmc-v6.18-rc2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc: mmc: sdhci-of-dwcmshc: Promote the th1520 reset handling to ip level |
|
|
Linus Torvalds
|
f849f26f77 |
pmdomain providers:
- mediatek: Fix spinlock recursion in probe - tegra: Use GENPD_FLAG_NO_STAY_ON to restore old behaviour -----BEGIN PGP SIGNATURE----- iQJLBAABCgA1FiEEugLDXPmKSktSkQsV/iaEJXNYjCkFAmkpnnwXHHVsZi5oYW5z c29uQGxpbmFyby5vcmcACgkQ/iaEJXNYjCmftBAAuVW8S8J+qHDsc7HPGAoGd9F8 bzNLcXaBh1MeEcFBCtBsk1MWkBYqSufK+qZWBeTVrfE8dKKj61HQXGN3i+NGh0mE DLyscaD7E43DLMGNLRwRW04cuQjRTxOLfXGzSMp/SeDQXxmwvDvL4qIAGOkvQ93s WcNz7ThVFqpClYwaCPq+eC+oAVRucGQzFhIJrWAJD4pNeu97uFoHX+JQDUEuMhWO jSsno8eGIkzW5tahSZEvmI+M/VLjnLp48J5H+XdH6VHmgkw6F3TqQLfKh48zVQDh ACwyUr+lWMkcoZjZfjZ2kaePZ+9zQ7RqGrcxSUlX0kY0ZMEEpMEKAYndrPU5Engx 7Y/XqLiamjhBvgSAN6NYnlQSyqLoWILoK7ivaVa3iakjaC4Hto4XopHbHOTp1Zsq ASRK9F4bLxwNeGQSiE1X0OngthvqOLBwancuUg71epq+YNZheWZi3ra8tALcSO1D SDQYAqD+yWEF2g1r0ZPdRvy2SzPnQhPu1QILsSNi1+XP+XGQySXZvFGB39+wqGZP ZZytlhLhWWhHvecVQc+6CLyc7COW7tvcsnk/8x/9oubUjCXMYXVzmlJoz9JThHhY DeZp77svDr7hy2WZ5Jn0v8ZdCXUoJxXKmKRuSXEts/wOPvNSWHJm+XPNO25RQSzn g+xxidSJf/oPiRX1/9I= =CrJQ -----END PGP SIGNATURE----- Merge tag 'pmdomain-v6.18-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm Pull pmdomain fixes from Ulf Hansson: - mediatek: Fix spinlock recursion in probe - tegra: Use GENPD_FLAG_NO_STAY_ON to restore old behaviour * tag 'pmdomain-v6.18-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm: pmdomain: tegra: Add GENPD_FLAG_NO_STAY_ON flag pmdomains: mtk-pm-domains: Fix spinlock recursion in probe |
|
Johan Hovold
|
e3cee98f2f |
mailbox: th1520: fix clock imbalance on probe failure
The purpose of the devm_add_action_or_reset() helper is to call the
action function in case adding an action ever fails so drop the clock
disable from the error path to avoid disabling the clocks twice.
Fixes:
|
|
Jamie Iles
|
ff0e4d4c97 |
mailbox: pcc: don't zero error register
The error status mask for a type 3/4 subspace is used for reading the
error status, and the bitwise inverse is used for clearing the error
with the intent being to preserve any of the non-error bits. However,
we were previously applying the mask to extract the status and then
applying the inverse to the result which ended up clearing all bits.
Instead, store the inverse mask in the preserve mask and then use that
on the original value read from the error status so that only the error
is cleared.
Fixes:
|
|
Nicolas Frattaroli
|
094b53ecaa |
mailbox: mtk-gpueb: Add missing 'static' to mailbox ops struct
mtk_gpueb_mbox_ops should be declared static. However, due to its const
nature, this specifier was missed, as it compiled fine without it and
with no warning by the compiler.
arc-linux-gcc (GCC) 12.5.0 doesn't seem to like it however, so add the
static to fix that.
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202510100629.3nGvrhEU-lkp@intel.com/
Fixes:
|
|
Jason-JH Lin
|
a195c7ccfb |
mailbox: mtk-cmdq: Refine DMA address handling for the command buffer
GCE can only fetch the command buffer address from a 32-bit register.
Some SoCs support a 35-bit command buffer address for GCE, which
requires a right shift of 3 bits before setting the address into
the 32-bit register. A comment has been added to the header of
cmdq_get_shift_pa() to explain this requirement.
To prevent the GCE command buffer address from being DMA mapped beyond
its supported bit range, the DMA bit mask for the device is set during
initialization.
Additionally, to ensure the correct shift is applied when setting or
reading the register that stores the GCE command buffer address,
new APIs, cmdq_convert_gce_addr() and cmdq_revert_gce_addr(), have
been introduced for consistent operations on this register.
The variable type for the command buffer address has been standardized
to dma_addr_t to prevent handling issues caused by type mismatches.
Fixes:
|
|
Haotian Zhang
|
3acf1028f5 |
mailbox: mailbox-test: Fix debugfs_create_dir error checking
The debugfs_create_dir() function returns ERR_PTR() on error, not NULL.
The current null-check fails to catch errors.
Use IS_ERR() to correctly check for errors.
Fixes:
|
|
Beleswar Padhi
|
060e4e835f |
mailbox: omap-mailbox: Check for pending msgs only when mbox is exclusive
On TI K3 devices, the mailbox resides in the Always-On power domain
(LPSC_main_alwayson) and is shared among multiple processors. The
mailbox is not solely exclusive to Linux.
Currently, the suspend path checks all FIFO queues for pending messages
and blocks suspend if any are present. This behavior is unnecessary for
K3 devices, since some of the FIFOs are used for RTOS<->RTOS
communication and are independent of Linux.
For FIFOs used in Linux<->RTOS communication, any pending message would
trigger an interrupt, which naturally prevents suspend from completing.
Hence, there is no need for the mailbox driver to explicitly check for
pending messages on K3 platforms.
Introduce a device match flag to indicate whether the mailbox instance
is exclusive to Linux, and skip the pending message check for
non-exclusive instances (such as in K3).
Fixes:
|
|
|
David Howells
|
d27c712578
|
afs: Fix delayed allocation of a cell's anonymous key
The allocation of a cell's anonymous key is done in a background thread
along with other cell setup such as doing a DNS upcall. In the reported
bug, this is triggered by afs_parse_source() parsing the device name given
to mount() and calling afs_lookup_cell() with the name of the cell.
The normal key lookup then tries to use the key description on the
anonymous authentication key as the reference for request_key() - but it
may not yet be set and so an oops can happen.
This has been made more likely to happen by the fix for dynamic lookup
failure.
Fix this by firstly allocating a reference name and attaching it to the
afs_cell record when the record is created. It can share the memory
allocation with the cell name (unfortunately it can't just overlap the cell
name by prepending it with "afs@" as the cell name already has a '.'
prepended for other purposes). This reference name is then passed to
request_key().
Secondly, the anon key is now allocated on demand at the point a key is
requested in afs_request_key() if it is not already allocated. A mutex is
used to prevent multiple allocation for a cell.
Thirdly, make afs_request_key_rcu() return NULL if the anonymous key isn't
yet allocated (if we need it) and then the caller can return -ECHILD to
drop out of RCU-mode and afs_request_key() can be called.
Note that the anonymous key is kind of necessary to make the key lookup
cache work as that doesn't currently cache a negative lookup, but it's
probably worth some investigation to see if NULL can be used instead.
Fixes:
|
|
NeilBrown
|
e9c70084a6
|
ovl: fail ovl_lock_rename_workdir() if either target is unhashed
As well as checking that the parent hasn't changed after getting the
lock we need to check that the dentry hasn't been unhashed.
Otherwise we might try to rename something that has been removed.
Reported-by: syzbot+bfc9a0ccf0de47d04e8c@syzkaller.appspotmail.com
Fixes:
|
|
|
Linus Torvalds
|
e538109ac7 |
drm fixes for 6.18 final
i915: - Reject async flips when PSR's selective fetch is enabled xe: - Fix resource leak in xe_guc_ct_init_noalloc()'s error path - Fix stack_depot usage without STACKDEPOT_ALWAYS_INIT - Fix overflow in conversion from clock tics to msec amdgpu: - Unified MES fix - HDMI fix - Cursor fix - Bightness fix - EDID reading improvement - UserQ fix - Cyan Skillfish IP discovery fix bridge: - sil902x: Fix HDMI detection imagination: - Update documentation sti: - Fix leaks in probe vga_switcheroo: - Avoid race condition during fbcon initialization -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEEKbZHaGwW9KfbeusDHTzWXnEhr4FAmkpH74ACgkQDHTzWXnE hr47/xAAjPXx0uopgvf3arcu0qhPE5jeZbFiVZ9//kyuaG/UujjYLrA9ftgAlCSQ 6iIQVsOfXeuM4VzNmHWg+CFiKVn8shFjvpYb3Fms6RuLhw3O3+8JGZKHinfVtpv4 vakF56T1DuS9PvV6HEs6rDT266IbwUWAr6waraRDwsolsqsWXtnof8V7I1Px5MA4 wQ49clDRN76tvP6K3fUdsaxla+Whdi80XMIs9/Cldr16JQr+NV7bo8zUK/cw0NsK lVcQq7i7LqkY2nUTVLBelw5N5dW0VwZBVoQbwjBYI6DKOCtwcRFyEJ8pluUu+TOw jhQj0zlTf8BsiIwvKcbr8RkCpLLepzY7iYitOCZ4nAQ1yEdMrz0960cUDhBhydFQ WqrXakR7EngI/ulMHj+Uw0bqHf6qNgcH41VD8Z1rsQKL5kzrZoGbwA3oOmav76bP QtVdhAFimZSsQnNr1ur0TTFjXSOqWLImXjBnbFZGibFOpwc8px5KgzeBi8E4hmKl +GhyO69hQcwnvwA2jMkr8sTZQ2Lom3o02K14uY3TvoPeclW6vVkLYODzG5Y/l1UU pn1O5U4O84VnwhlkULAoPSFmdSye3NUvaA2XTUqDFWOalZ9LmPYk1ggayC9PkffE yk/kvDpR3A9dVxZnWhEMW8MyItg0PSxYIa9+0syqsILGENBTf7s= =plBx -----END PGP SIGNATURE----- Merge tag 'drm-fixes-2025-11-28' of https://gitlab.freedesktop.org/drm/kernel Pull drm fixes from Dave Airlie: "Last one for this round hopefully, mostly the usual suspects, xe/amdgpu, with some single fixes otherwise. There is one amdgpu HDMI blackscreen bug that came in late in the cycle, but it was bisected and the revert is in here. i915: - Reject async flips when PSR's selective fetch is enabled xe: - Fix resource leak in xe_guc_ct_init_noalloc()'s error path - Fix stack_depot usage without STACKDEPOT_ALWAYS_INIT - Fix overflow in conversion from clock tics to msec amdgpu: - Unified MES fix - HDMI fix - Cursor fix - Bightness fix - EDID reading improvement - UserQ fix - Cyan Skillfish IP discovery fix bridge: - sil902x: Fix HDMI detection imagination: - Update documentation sti: - Fix leaks in probe vga_switcheroo: - Avoid race condition during fbcon initialization" * tag 'drm-fixes-2025-11-28' of https://gitlab.freedesktop.org/drm/kernel: drm/amdgpu: fix cyan_skillfish2 gpu info fw handling drm/amdgpu: attach tlb fence to the PTs update drm/amd/display: Increase EDID read retries drm/amd/display: Don't change brightness for disabled connectors drm/amd/display: Check NULL before accessing Revert "drm/amd/display: Move setup_stream_attribute" drm/xe: Fix conversion from clock ticks to milliseconds drm/xe/guc: Fix stack_depot usage drm/xe/guc: Fix resource leak in xe_guc_ct_init_noalloc() drm/i915/psr: Reject async flips when selective fetch is enabled drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup drm/amd/amdgpu: reserve vm invalidation engine for uni_mes drm: sti: fix device leaks at component probe drm/imagination: Document pvr_device.power member drm/bridge: sii902x: Fix HDMI detection with DRM_BRIDGE_ATTACH_NO_CONNECTOR |
|
Dave Airlie
|
6dbcb801e1 |
Driver Changes:
- Fix resource leak in xe_guc_ct_init_noalloc()'s error path (Shuicheng Lin) - Fix stack_depot usage without STACKDEPOT_ALWAYS_INIT (Lucas) - Fix overflow in conversion from clock tics to msec (Harish Chegondi) -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEE6rM8lpABPHM5FqyDm6KlpjDL6lMFAmko6kgACgkQm6KlpjDL 6lO84A/6ArsDA9pMeWtk/GHQTL20ABV8LiSfrlC2VMum1agafXdIFZ2ookpyoKI8 9nzNiFGQJT7V55psamWs25DI+LF//7vq4btNdYunzUk5p+LZOvYtx72MPhdCS4/F AfET4NXVtpcOTd+4Lro4zjfUZGB/qObMWRHQKAKXcr5vFhDUHpk1wQgnApKoL8uZ 4G+GAVpDxW4bhagrNgQD0i6ZrwUWA1mJAyrTbwuYrQp1kZPCfZ7LIQEot+8rcNaB ZFKDjr2w2DIt/ue5yx3SLbVIuqZS8GOQMdVH7b6RVgpjEgqBcTQM3vKSt0KFC+71 8wBs8D6SR+ZR5Guw2qvhobPfea/0pya7WP+8Nv678QnoIcAylMBG9bs5oyR9RoSB GNonR/WA69nhH20OEU6h5zjbvdsfo0ICFrBiUHH0njwpFDb9TdJ/LAzVCurvl29p gwUcc4v04YrG+Do/NSAH3esGDP2k5e//XD6bgkcZgGpO/Mx4AMHO1dmdtQav1PbY m8roRI2fo6TV+LHggLSp2zCP7CRq8t0h03g3Ufx1xDwg5oZ7PLz3ZHSz2LZCoavg i3AZtsHszJ3r/uXJePpvJK3qV1F3cv3QdwBl7M3rlrQgTymDsps0d4z8TrTeeI2w AUWd9pFunZvFvvQvKzbgfUr3Eq7/22jw4FQpyEpbi/vD1tU1b14= =ue6Q -----END PGP SIGNATURE----- Merge tag 'drm-xe-fixes-2025-11-27' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes Driver Changes: - Fix resource leak in xe_guc_ct_init_noalloc()'s error path (Shuicheng Lin) - Fix stack_depot usage without STACKDEPOT_ALWAYS_INIT (Lucas) - Fix overflow in conversion from clock tics to msec (Harish Chegondi) Signed-off-by: Dave Airlie <airlied@redhat.com> From: Lucas De Marchi <lucas.demarchi@intel.com> Link: https://patch.msgid.link/7ejiqjgthpqybg5svmkind2pszk4fqadxuq7rngchaaw76iept@5pn6sngqj6lk |
|
|
Dave Airlie
|
26c7a181fd |
Short summary of fixes pull:
bridge: - sil902x: Fix HDMI detection imagination: - Update documentation sti: - Fix leaks in probe vga_switcheroo: - Avoid race condition during fbcon initialization -----BEGIN PGP SIGNATURE----- iQFPBAABCgA5FiEEchf7rIzpz2NEoWjlaA3BHVMLeiMFAmkoBzEbFIAAAAAABAAO bWFudTIsMi41KzEuMTEsMiwyAAoJEGgNwR1TC3ojpPMIAKbDq6ttGcyskNpClupJ Owpq8wC8Qzy1fCKgrx2dj2bw2cfgtJTYZtbYo9/dFXnPrdQfo4LlLe3wI0inDe4V jvTkFm9SDARC4GGIpVnNgK/XYmp9DA+yJEzopojCnsToVJjvDrGKAsHnXBLK6gX2 nL/fToNii8Lcae34HKmThg0Lq3o90Y1Aqfr2e3TyuxfctGYGcZ867NlpNOeUJEAe nJr+WXxlHL3497Y8d3rAlLrzOUYWT37Bq7y6p0SE3X7QCBtragKN+6AVSXUgfiCR tru+WuXdv2BMaBCO5rff1t2rYA7weVDNApcsMRlsFOkFBElogvaagRmOpZI2U2an YsE= =Jxlj -----END PGP SIGNATURE----- Merge tag 'drm-misc-fixes-2025-11-27' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes Short summary of fixes pull: bridge: - sil902x: Fix HDMI detection imagination: - Update documentation sti: - Fix leaks in probe vga_switcheroo: - Avoid race condition during fbcon initialization Signed-off-by: Dave Airlie <airlied@redhat.com> From: Thomas Zimmermann <tzimmermann@suse.de> Link: https://patch.msgid.link/20251127081007.GA13578@2a02-2454-fd5e-fd00-689d-32c0-780c-bb87.dyn6.pyur.net |
|
|
Dave Airlie
|
4fc3ad63dd |
amd-drm-fixes-6.18-2025-11-26:
amdgpu: - Unified MES fix - HDMI fix - Cursor fix - Bightness fix - EDID reading improvement - UserQ fix - Cyan Skillfish IP discovery fix -----BEGIN PGP SIGNATURE----- iHUEABYKAB0WIQQgO5Idg2tXNTSZAr293/aFa7yZ2AUCaSdnEQAKCRC93/aFa7yZ 2PbnAQCC2OddQOW3jcV0Y9a8qPZfJ+Wf9gWMs8D1x0KLfh0BmwD/e9X8CyVOABmH ymScHIJZhvAIKinOrnCcIF9Dij5/xgI= =pRN6 -----END PGP SIGNATURE----- Merge tag 'amd-drm-fixes-6.18-2025-11-26' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes amd-drm-fixes-6.18-2025-11-26: amdgpu: - Unified MES fix - HDMI fix - Cursor fix - Bightness fix - EDID reading improvement - UserQ fix - Cyan Skillfish IP discovery fix Signed-off-by: Dave Airlie <airlied@redhat.com> From: Alex Deucher <alexander.deucher@amd.com> Link: https://patch.msgid.link/20251126204925.3316684-1-alexander.deucher@amd.com |
|
|
Linus Torvalds
|
aa7243aaf1 |
dma-mapping fixes for Linux 6.18
- two last minute fixes for the recently modified DMA API infrastructure:
a proper handling of DMA_ATTR_MMIO in dma_iova_unlink() function (me) and
a regression fix for the code refactoring related to P2PDMA (Pranjal
Shrivastava)
-----BEGIN PGP SIGNATURE-----
iHUEABYIAB0WIQSrngzkoBtlA8uaaJ+Jp1EFxbsSRAUCaSh6UAAKCRCJp1EFxbsS
RCYGAP94GdoTEBmQL1dXLooASbHHAyB5xrd8Di1H/Aqd7maCvAEAgT2+BRPyEtf+
wiz4mwKMG1RrF9Cj4XqPqJ2NDU1zdQ8=
=ngH/
-----END PGP SIGNATURE-----
Merge tag 'dma-mapping-6.18-2025-11-27' of git://git.kernel.org/pub/scm/linux/kernel/git/mszyprowski/linux
Pull dma-mapping fixes from Marek Szyprowski:
"Two last minute fixes for the recently modified DMA API infrastructure:
- proper handling of DMA_ATTR_MMIO in dma_iova_unlink() function (me)
- regression fix for the code refactoring related to P2PDMA (Pranjal
Shrivastava)"
* tag 'dma-mapping-6.18-2025-11-27' of git://git.kernel.org/pub/scm/linux/kernel/git/mszyprowski/linux:
dma-direct: Fix missing sg_dma_len assignment in P2PDMA bus mappings
iommu/dma: add missing support for DMA_ATTR_MMIO for dma_iova_unlink()
|
|
|
Linus Torvalds
|
3fa77874b4 |
One more urgent ACPI support fix for 6.18
There is one more commit that needs to be reverted after reverting problematic commit |
|
|
Dave Airlie
|
b31e2e3bb7 |
- Reject async flips when PSR's selective fetch is enabled (Ville)
-----BEGIN PGP SIGNATURE----- iQEzBAABCgAdFiEEbSBwaO7dZQkcLOKj+mJfZA7rE8oFAmknIDwACgkQ+mJfZA7r E8qZkQgAsLGliDOMLEw1hFrs+QSDy0uEXaKiIKSjnJ5xrJxFFtQB0a5MWPCEuzRb fgkCdIThW0JrCN8c00ayPS5lT9HbeTqcOMnh1PKchbfWrCSkVDns5A9rGQACgvpr r5IsgP7eRnyvkfykYXcCkAXk2EHrmn1N620MLsiOp88HnR5YPji3Fetho5Ba9Cx9 KJfATrjJqn6hcRvhRydZJQ4dhdkMYjXtYMcHF3rkwiowRKReW7LpRgeONqIKfTeL 40vYVvut1/XK5p82vELc8aZUxzdCQN+SEsezF7ycA5z5f/MJV5UPtw6Z+cB4bm0f dpQvqYpp2Lw+3NU633uPoN6IprDBgg== =j1e/ -----END PGP SIGNATURE----- Merge tag 'drm-intel-fixes-2025-11-26' of https://gitlab.freedesktop.org/drm/i915/kernel into drm-fixes - Reject async flips when PSR's selective fetch is enabled (Ville) Signed-off-by: Dave Airlie <airlied@redhat.com> From: Rodrigo Vivi <rodrigo.vivi@intel.com> Link: https://patch.msgid.link/aScgY8QMjmyJRBX2@intel.com |
|
Rafael J. Wysocki
|
fbf04215d9 |
Revert "ACPI: processor: Update cpuidle driver check in __acpi_processor_start()"
Revert commit |
|
|
Linus Torvalds
|
e1afacb685 |
A patch to make sparse read handling work in msgr2 secure mode from
Slava and a couple of fixes from Ziming and myself to avoid operating on potentially invalid memory, all marked for stable. -----BEGIN PGP SIGNATURE----- iQFHBAABCAAxFiEEydHwtzie9C7TfviiSn/eOAIR84sFAmkomw8THGlkcnlvbW92 QGdtYWlsLmNvbQAKCRBKf944AhHzi7inB/4kGwlnraCx43Lw4UG4K/Z6RKypQ8zD WxwFvszq9jHJL7uUvXLx97sZApeK+AG6Kql/jnpEUUkFlG1h3013OwKJgRINrOdn 5wJaWwi73akCWt3FDgcpc+gnxQ3s7gbD3cPbNeEhoHTjUrHk59ZgT37zbnUIrFK3 NqnSBO7+7EPZtWwmC7mtki+lRLr3z47TqeqLqLQhw6GoenRo/9ZrUynvneCWKXfT bZRZ5MDJGg/ZMR1agPmUojgHkkZAD5xc21fK5mmYeMr9JbNB4Vw9BO48XW+WCA3o TH5en6HZhJuoxkp21mG7BZjnkAVTPCpo3pMt2IqlAIWCkODtXlThWGQN =cZYx -----END PGP SIGNATURE----- Merge tag 'ceph-for-6.18-rc8' of https://github.com/ceph/ceph-client Pull ceph fixes from Ilya Dryomov: "A patch to make sparse read handling work in msgr2 secure mode from Slava and a couple of fixes from Ziming and myself to avoid operating on potentially invalid memory, all marked for stable" * tag 'ceph-for-6.18-rc8' of https://github.com/ceph/ceph-client: libceph: prevent potential out-of-bounds writes in handle_auth_session_key() libceph: replace BUG_ON with bounds check for map->max_osd ceph: fix crash in process_v2_sparse_read() for encrypted directories libceph: drop started parameter of __ceph_open_session() libceph: fix potential use-after-free in have_mon_and_osd_map() |
|
|
Linus Torvalds
|
1f5e808aa6 |
Including fixes from bluetooth and CAN. No known outstanding
regressions.
Current release - regressions:
- mptcp: initialize rcv_mss before calling tcp_send_active_reset()
- eth: mlx5e: fix validation logic in rate limiting
Previous releases - regressions:
- xsk: avoid data corruption on cq descriptor number
- bluetooth:
- prevent race in socket write iter and sock bind
- fix not generating mackey and ltk when repairing
- can:
- kvaser_usb: fix potential infinite loop in command parsers
- rcar_canfd: fix CAN-FD mode as default
- eth: veth: reduce XDP no_direct return section to fix race
- eth: virtio-net: avoid unnecessary checksum calculation on guest RX
Previous releases - always broken:
- sched: fix TCF_LAYER_TRANSPORT handling in tcf_get_base_ptr()
- bluetooth: mediatek: fix kernel crash when releasing iso interface
- vhost: rewind next_avail_head while discarding descriptors
- eth: r8169: fix RTL8127 hang on suspend/shutdown
- eth: aquantia: add missing descriptor cache invalidation on ATL2
- dsa: microchip: fix resource releases in error path
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
-----BEGIN PGP SIGNATURE-----
iQJGBAABCgAwFiEEg1AjqC77wbdLX2LbKSR5jcyPE6QFAmkoYU0SHHBhYmVuaUBy
ZWRoYXQuY29tAAoJECkkeY3MjxOkKXoQALd11FrsOuRQ9VH7pv5gtOkvPvdAq/q0
ZSrqaK+/sIEAm8X4OtmuzZCMM0cjsbptZ7Lcs84SlqarHj86I7O0NgRzHrE5oy5u
kK/aWcK8FNMt0h/EMPpm9sZbEjbCjT1T6k5+lpvJja5LD+aJXG2BnYxEPBFxyx/z
Au1fq8PxJTmQIAEVVlgRbCW56zaoYsic45YdQJstIfVDLi34tjm76hz97m2bUEj5
wnCrEN5Ghmn8tcuTsTv5OHEkIKXSBUpuctsviOqIgMTDquOrMa/4niSVp7N116tJ
3oOTRer38MEoI7uMAuQFP4NmaMWQcAs/ky3gFdepX81iiIXEIP/PEHucXVWCTU6N
m13TmCN7gFRNPOvFgVlWIPEMJDOkblnEvL8Mw7ux0sd235Cf8BzLiPU+XaeGo4JN
wfRit/7tzTAtP5Ft9nqT/7Cl9gshD+9/jG6binKoY1JG2aMHovYC1LmdVPYvkp25
hMGFaryZuCcGmVnWbHzwn00JWArdy5TZTEfGZvqUQsoHyPHkPrt5STpNpl3WWrzV
yjp0RxVeVF7VThm/4m2Jq17Fo7RUimo/EIosbbaqWFYZTJBM7gU6VvYca9Q0kKdW
SjzZ8Eq3G0eqWYhk1ZFvlEcZkkZNpCpb8YzWibscDCEj1Ugv6fiNXswlz5IZb+jF
UuXeTpCOEgQY
=0MuR
-----END PGP SIGNATURE-----
Merge tag 'net-6.18-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
Pull networking fixes from Paolo Abeni:
"Including fixes from bluetooth and CAN. No known outstanding
regressions.
Current release - regressions:
- mptcp: initialize rcv_mss before calling tcp_send_active_reset()
- eth: mlx5e: fix validation logic in rate limiting
Previous releases - regressions:
- xsk: avoid data corruption on cq descriptor number
- bluetooth:
- prevent race in socket write iter and sock bind
- fix not generating mackey and ltk when repairing
- can:
- kvaser_usb: fix potential infinite loop in command parsers
- rcar_canfd: fix CAN-FD mode as default
- eth:
- veth: reduce XDP no_direct return section to fix race
- virtio-net: avoid unnecessary checksum calculation on guest RX
Previous releases - always broken:
- sched: fix TCF_LAYER_TRANSPORT handling in tcf_get_base_ptr()
- bluetooth: mediatek: fix kernel crash when releasing iso interface
- vhost: rewind next_avail_head while discarding descriptors
- eth:
- r8169: fix RTL8127 hang on suspend/shutdown
- aquantia: add missing descriptor cache invalidation on ATL2
- dsa: microchip: fix resource releases in error path"
* tag 'net-6.18-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (47 commits)
mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose().
net: fec: do not register PPS event for PEROUT
net: fec: do not allow enabling PPS and PEROUT simultaneously
net: fec: do not update PEROUT if it is enabled
net: fec: cancel perout_timer when PEROUT is disabled
net: mctp: unconditionally set skb->dev on dst output
net: atlantic: fix fragment overflow handling in RX path
MAINTAINERS: separate VIRTIO NET DRIVER and add netdev
virtio-net: avoid unnecessary checksum calculation on guest RX
eth: fbnic: Fix counter roll-over issue
mptcp: clear scheduled subflows on retransmit
net: dsa: sja1105: fix SGMII linking at 10M or 100M but not passing traffic
s390/net: list Aswin Karuvally as maintainer
net: wwan: mhi: Keep modem name match with Foxconn T99W640
vhost: rewind next_avail_head while discarding descriptors
net/sched: em_canid: fix uninit-value in em_canid_match
can: rcar_canfd: Fix CAN-FD mode as default
xsk: avoid data corruption on cq descriptor number
r8169: fix RTL8127 hang on suspend/shutdown
net: sxgbe: fix potential NULL dereference in sxgbe_rx()
...
|
|
|
Linus Torvalds
|
a76dce0e54 |
platform-drivers-x86 for v6.18-5
Fixes:
- arm64/thinkpad-t14s-ec:
- Fix IRQ race condition
- Sleep after EC access
- intel/punit_ipc: Fix memory corruption
The following is an automated shortlog grouped by driver:
arm64: thinkpad-t14s-ec:
- fix IRQ race condition
- sleep after EC access
intel: punit_ipc:
- fix memory corruption
-----BEGIN PGP SIGNATURE-----
iHUEABYIAB0WIQSCSUwRdwTNL2MhaBlZrE9hU+XOMQUCaSgbXwAKCRBZrE9hU+XO
Mf1jAP4keEVLT+WwwyY8rkrGClS/tDb+HVJBVGFo1WnMvIL5/QD/QfaPhZf1jjQs
YMCURKqB4jknkFTRWyeGKA/jEZuKdQw=
=eczG
-----END PGP SIGNATURE-----
Merge tag 'platform-drivers-x86-v6.18-5' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86
Pull platform driver fixes from Ilpo Järvinen:
- arm64/thinkpad-t14s-ec:
- Fix IRQ race condition
- Sleep after EC access
- intel/punit_ipc: Fix memory corruption
* tag 'platform-drivers-x86-v6.18-5' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86:
platform/x86: intel: punit_ipc: fix memory corruption
platform: arm64: thinkpad-t14s-ec: sleep after EC access
platform: arm64: thinkpad-t14s-ec: fix IRQ race condition
|
|
Kuniyuki Iwashima
|
f07f4ea53e |
mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose().
syzbot reported divide-by-zero in __tcp_select_window() by MPTCP socket. [0] We had a similar issue for the bare TCP and fixed in commit |
|
Andy Shevchenko
|
40ad64ac25
|
spi: nxp-fspi: Propagate fwnode in ACPI case as well
Propagate fwnode of the ACPI device to the SPI controller Linux device.
Currently only OF case propagates fwnode to the controller.
While at it, replace several calls to dev_fwnode() with a single one
cached in a local variable, and unify checks for fwnode type by using
is_*_node() APIs.
Fixes:
|
|
ChiYuan Huang
|
8684229e19
|
regulator: rtq2208: Correct LDO2 logic judgment bits
The LDO2 judgement bit position should be 7, not 6.
Cc: stable@vger.kernel.org
Reported-by: Yoon Dong Min <dm.youn@telechips.com>
Fixes:
|
|
|
ChiYuan Huang
|
45cc214152
|
regulator: rtq2208: Correct buck group2 phase mapping logic
Correct buck group2 H and F mapping logic.
Cc: stable@vger.kernel.org
Reported-by: Yoon Dong Min <dm.youn@telechips.com>
Fixes:
|
|
Paolo Abeni
|
36d7478664 |
Merge branch 'net-fec-fix-some-ptp-related-issues'
Wei Fang says:
====================
net: fec: fix some PTP related issues
There are some issues which were introduced by the commit
|
|
Wei Fang
|
9a060d0fac |
net: fec: do not register PPS event for PEROUT
There are currently two situations that can trigger the PTP interrupt,
one is the PPS event, the other is the PEROUT event. However, the irq
handler fec_pps_interrupt() does not check the irq event type and
directly registers a PPS event into the system, but the event may be
a PEROUT event. This is incorrect because PEROUT is an output signal,
while PPS is the input of the kernel PPS system. Therefore, add a check
for the event type, if pps_enable is true, it means that the current
event is a PPS event, and then the PPS event is registered.
Fixes:
|
|
|
Wei Fang
|
c0a1f3d7e1 |
net: fec: do not allow enabling PPS and PEROUT simultaneously
In the current driver, PPS and PEROUT use the same channel to generate
the events, so they cannot be enabled at the same time. Otherwise, the
later configuration will overwrite the earlier configuration. Therefore,
when configuring PPS, the driver will check whether PEROUT is enabled.
Similarly, when configuring PEROUT, the driver will check whether PPS
is enabled.
Fixes:
|
|
|
Wei Fang
|
e97faa0c20 |
net: fec: do not update PEROUT if it is enabled
If the previously set PEROUT is already active, updating it will cause
the new PEROUT to start immediately instead of at the specified time.
This is because fep->reload_period is updated whithout check whether
the PEROUT is enabled, and the old PEROUT is not disabled. Therefore,
the pulse period will be updated immediately in the pulse interrupt
handler fec_pps_interrupt().
Currently, the driver does not support directly updating PEROUT and it
will make the logic be more complicated. To fix the current issue, add
a check before enabling the PEROUT, the driver will return an error if
PEROUT is enabled. If users wants to update a new PEROUT, they should
disable the old PEROUT first.
Fixes:
|
|
|
Wei Fang
|
50caa74468 |
net: fec: cancel perout_timer when PEROUT is disabled
The PEROUT allows the user to set a specified future time to output the
periodic signal. If the future time is far from the current time, the FEC
driver will use hrtimer to configure PEROUT one second before the future
time. However, the hrtimer will not be canceled if the PEROUT is disabled
before the hrtimer expires. So the PEROUT will be configured when the
hrtimer expires, which is not as expected. Therefore, cancel the hrtimer
in fec_ptp_pps_disable() to fix this issue.
Fixes:
|
|
Jeremy Kerr
|
b3e528a581 |
net: mctp: unconditionally set skb->dev on dst output
On transmit, we are currently relying on skb->dev being set by
mctp_local_output() when we first set up the skb destination fields.
However, forwarded skbs do not use the local_output path, so will retain
their incoming netdev as their ->dev on tx. This does not work when
we're forwarding between interfaces.
Set skb->dev unconditionally in the transmit path, to allow for proper
forwarding.
We keep the skb->dev initialisation in mctp_local_output(), as we use it
for fragmentation.
Fixes:
|
|
ziming zhang
|
7fce830ecd |
libceph: prevent potential out-of-bounds writes in handle_auth_session_key()
The len field originates from untrusted network packets. Boundary checks have been added to prevent potential out-of-bounds writes when decrypting the connection secret or processing service tickets. [ idryomov: changelog ] Cc: stable@vger.kernel.org Signed-off-by: ziming zhang <ezrakiez@gmail.com> Reviewed-by: Ilya Dryomov <idryomov@gmail.com> Signed-off-by: Ilya Dryomov <idryomov@gmail.com> |
|
|
ziming zhang
|
ec3797f043 |
libceph: replace BUG_ON with bounds check for map->max_osd
OSD indexes come from untrusted network packets. Boundary checks are added to validate these against map->max_osd. [ idryomov: drop BUG_ON in ceph_get_primary_affinity(), minor cosmetic edits ] Cc: stable@vger.kernel.org Signed-off-by: ziming zhang <ezrakiez@gmail.com> Reviewed-by: Ilya Dryomov <idryomov@gmail.com> Signed-off-by: Ilya Dryomov <idryomov@gmail.com> |
|
Viacheslav Dubeyko
|
43962db4a6 |
ceph: fix crash in process_v2_sparse_read() for encrypted directories
The crash in process_v2_sparse_read() for fscrypt-encrypted directories has been reported. Issue takes place for Ceph msgr2 protocol in secure mode. It can be reproduced by the steps: sudo mount -t ceph :/ /mnt/cephfs/ -o name=admin,fs=cephfs,ms_mode=secure (1) mkdir /mnt/cephfs/fscrypt-test-3 (2) cp area_decrypted.tar /mnt/cephfs/fscrypt-test-3 (3) fscrypt encrypt --source=raw_key --key=./my.key /mnt/cephfs/fscrypt-test-3 (4) fscrypt lock /mnt/cephfs/fscrypt-test-3 (5) fscrypt unlock --key=my.key /mnt/cephfs/fscrypt-test-3 (6) cat /mnt/cephfs/fscrypt-test-3/area_decrypted.tar (7) Issue has been triggered [ 408.072247] ------------[ cut here ]------------ [ 408.072251] WARNING: CPU: 1 PID: 392 at net/ceph/messenger_v2.c:865 ceph_con_v2_try_read+0x4b39/0x72f0 [ 408.072267] Modules linked in: intel_rapl_msr intel_rapl_common intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery pmt_class intel_pmc_ssram_telemetry intel_vsec kvm_intel joydev kvm irqbypass polyval_clmulni ghash_clmulni_intel aesni_intel rapl input_leds psmouse serio_raw i2c_piix4 vga16fb bochs vgastate i2c_smbus floppy mac_hid qemu_fw_cfg pata_acpi sch_fq_codel rbd msr parport_pc ppdev lp parport efi_pstore [ 408.072304] CPU: 1 UID: 0 PID: 392 Comm: kworker/1:3 Not tainted 6.17.0-rc7+ [ 408.072307] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-5.fc42 04/01/2014 [ 408.072310] Workqueue: ceph-msgr ceph_con_workfn [ 408.072314] RIP: 0010:ceph_con_v2_try_read+0x4b39/0x72f0 [ 408.072317] Code: c7 c1 20 f0 d4 ae 50 31 d2 48 c7 c6 60 27 d5 ae 48 c7 c7 f8 8e 6f b0 68 60 38 d5 ae e8 00 47 61 fe 48 83 c4 18 e9 ac fc ff ff <0f> 0b e9 06 fe ff ff 4c 8b 9d 98 fd ff ff 0f 84 64 e7 ff ff 89 85 [ 408.072319] RSP: 0018:ffff88811c3e7a30 EFLAGS: 00010246 [ 408.072322] RAX: ffffed1024874c6f RBX: ffffea00042c2b40 RCX: 0000000000000f38 [ 408.072324] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 408.072325] RBP: ffff88811c3e7ca8 R08: 0000000000000000 R09: 00000000000000c8 [ 408.072326] R10: 00000000000000c8 R11: 0000000000000000 R12: 00000000000000c8 [ 408.072327] R13: dffffc0000000000 R14: ffff8881243a6030 R15: 0000000000003000 [ 408.072329] FS: 0000000000000000(0000) GS:ffff88823eadf000(0000) knlGS:0000000000000000 [ 408.072331] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 408.072332] CR2: 000000c0003c6000 CR3: 000000010c106005 CR4: 0000000000772ef0 [ 408.072336] PKRU: 55555554 [ 408.072337] Call Trace: [ 408.072338] <TASK> [ 408.072340] ? sched_clock_noinstr+0x9/0x10 [ 408.072344] ? __pfx_ceph_con_v2_try_read+0x10/0x10 [ 408.072347] ? _raw_spin_unlock+0xe/0x40 [ 408.072349] ? finish_task_switch.isra.0+0x15d/0x830 [ 408.072353] ? __kasan_check_write+0x14/0x30 [ 408.072357] ? mutex_lock+0x84/0xe0 [ 408.072359] ? __pfx_mutex_lock+0x10/0x10 [ 408.072361] ceph_con_workfn+0x27e/0x10e0 [ 408.072364] ? metric_delayed_work+0x311/0x2c50 [ 408.072367] process_one_work+0x611/0xe20 [ 408.072371] ? __kasan_check_write+0x14/0x30 [ 408.072373] worker_thread+0x7e3/0x1580 [ 408.072375] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 408.072378] ? __pfx_worker_thread+0x10/0x10 [ 408.072381] kthread+0x381/0x7a0 [ 408.072383] ? __pfx__raw_spin_lock_irq+0x10/0x10 [ 408.072385] ? __pfx_kthread+0x10/0x10 [ 408.072387] ? __kasan_check_write+0x14/0x30 [ 408.072389] ? recalc_sigpending+0x160/0x220 [ 408.072392] ? _raw_spin_unlock_irq+0xe/0x50 [ 408.072394] ? calculate_sigpending+0x78/0xb0 [ 408.072395] ? __pfx_kthread+0x10/0x10 [ 408.072397] ret_from_fork+0x2b6/0x380 [ 408.072400] ? __pfx_kthread+0x10/0x10 [ 408.072402] ret_from_fork_asm+0x1a/0x30 [ 408.072406] </TASK> [ 408.072407] ---[ end trace 0000000000000000 ]--- [ 408.072418] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI [ 408.072984] KASAN: null-ptr-deref in range [0x0000000000000000- 0x0000000000000007] [ 408.073350] CPU: 1 UID: 0 PID: 392 Comm: kworker/1:3 Tainted: G W 6.17.0-rc7+ #1 PREEMPT(voluntary) [ 408.073886] Tainted: [W]=WARN [ 408.074042] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-5.fc42 04/01/2014 [ 408.074468] Workqueue: ceph-msgr ceph_con_workfn [ 408.074694] RIP: 0010:ceph_msg_data_advance+0x79/0x1a80 [ 408.074976] Code: fc ff df 49 8d 77 08 48 c1 ee 03 80 3c 16 00 0f 85 07 11 00 00 48 ba 00 00 00 00 00 fc ff df 49 8b 5f 08 48 89 de 48 c1 ee 03 <0f> b6 14 16 84 d2 74 09 80 fa 03 0f 8e 0f 0e 00 00 8b 13 83 fa 03 [ 408.075884] RSP: 0018:ffff88811c3e7990 EFLAGS: 00010246 [ 408.076305] RAX: ffff8881243a6388 RBX: 0000000000000000 RCX: 0000000000000000 [ 408.076909] RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffff8881243a6378 [ 408.077466] RBP: ffff88811c3e7a20 R08: 0000000000000000 R09: 00000000000000c8 [ 408.078034] R10: ffff8881243a6388 R11: 0000000000000000 R12: ffffed1024874c71 [ 408.078575] R13: dffffc0000000000 R14: ffff8881243a6030 R15: ffff8881243a6378 [ 408.079159] FS: 0000000000000000(0000) GS:ffff88823eadf000(0000) knlGS:0000000000000000 [ 408.079736] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 408.080039] CR2: 000000c0003c6000 CR3: 000000010c106005 CR4: 0000000000772ef0 [ 408.080376] PKRU: 55555554 [ 408.080513] Call Trace: [ 408.080630] <TASK> [ 408.080729] ceph_con_v2_try_read+0x49b9/0x72f0 [ 408.081115] ? __pfx_ceph_con_v2_try_read+0x10/0x10 [ 408.081348] ? _raw_spin_unlock+0xe/0x40 [ 408.081538] ? finish_task_switch.isra.0+0x15d/0x830 [ 408.081768] ? __kasan_check_write+0x14/0x30 [ 408.081986] ? mutex_lock+0x84/0xe0 [ 408.082160] ? __pfx_mutex_lock+0x10/0x10 [ 408.082343] ceph_con_workfn+0x27e/0x10e0 [ 408.082529] ? metric_delayed_work+0x311/0x2c50 [ 408.082737] process_one_work+0x611/0xe20 [ 408.082948] ? __kasan_check_write+0x14/0x30 [ 408.083156] worker_thread+0x7e3/0x1580 [ 408.083331] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 408.083557] ? __pfx_worker_thread+0x10/0x10 [ 408.083751] kthread+0x381/0x7a0 [ 408.083922] ? __pfx__raw_spin_lock_irq+0x10/0x10 [ 408.084139] ? __pfx_kthread+0x10/0x10 [ 408.084310] ? __kasan_check_write+0x14/0x30 [ 408.084510] ? recalc_sigpending+0x160/0x220 [ 408.084708] ? _raw_spin_unlock_irq+0xe/0x50 [ 408.084917] ? calculate_sigpending+0x78/0xb0 [ 408.085138] ? __pfx_kthread+0x10/0x10 [ 408.085335] ret_from_fork+0x2b6/0x380 [ 408.085525] ? __pfx_kthread+0x10/0x10 [ 408.085720] ret_from_fork_asm+0x1a/0x30 [ 408.085922] </TASK> [ 408.086036] Modules linked in: intel_rapl_msr intel_rapl_common intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery pmt_class intel_pmc_ssram_telemetry intel_vsec kvm_intel joydev kvm irqbypass polyval_clmulni ghash_clmulni_intel aesni_intel rapl input_leds psmouse serio_raw i2c_piix4 vga16fb bochs vgastate i2c_smbus floppy mac_hid qemu_fw_cfg pata_acpi sch_fq_codel rbd msr parport_pc ppdev lp parport efi_pstore [ 408.087778] ---[ end trace 0000000000000000 ]--- [ 408.088007] RIP: 0010:ceph_msg_data_advance+0x79/0x1a80 [ 408.088260] Code: fc ff df 49 8d 77 08 48 c1 ee 03 80 3c 16 00 0f 85 07 11 00 00 48 ba 00 00 00 00 00 fc ff df 49 8b 5f 08 48 89 de 48 c1 ee 03 <0f> b6 14 16 84 d2 74 09 80 fa 03 0f 8e 0f 0e 00 00 8b 13 83 fa 03 [ 408.089118] RSP: 0018:ffff88811c3e7990 EFLAGS: 00010246 [ 408.089357] RAX: ffff8881243a6388 RBX: 0000000000000000 RCX: 0000000000000000 [ 408.089678] RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffff8881243a6378 [ 408.090020] RBP: ffff88811c3e7a20 R08: 0000000000000000 R09: 00000000000000c8 [ 408.090360] R10: ffff8881243a6388 R11: 0000000000000000 R12: ffffed1024874c71 [ 408.090687] R13: dffffc0000000000 R14: ffff8881243a6030 R15: ffff8881243a6378 [ 408.091035] FS: 0000000000000000(0000) GS:ffff88823eadf000(0000) knlGS:0000000000000000 [ 408.091452] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 408.092015] CR2: 000000c0003c6000 CR3: 000000010c106005 CR4: 0000000000772ef0 [ 408.092530] PKRU: 55555554 [ 417.112915] ================================================================== [ 417.113491] BUG: KASAN: slab-use-after-free in __mutex_lock.constprop.0+0x1522/0x1610 [ 417.114014] Read of size 4 at addr ffff888124870034 by task kworker/2:0/4951 [ 417.114587] CPU: 2 UID: 0 PID: 4951 Comm: kworker/2:0 Tainted: G D W 6.17.0-rc7+ #1 PREEMPT(voluntary) [ 417.114592] Tainted: [D]=DIE, [W]=WARN [ 417.114593] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-5.fc42 04/01/2014 [ 417.114596] Workqueue: events handle_timeout [ 417.114601] Call Trace: [ 417.114602] <TASK> [ 417.114604] dump_stack_lvl+0x5c/0x90 [ 417.114610] print_report+0x171/0x4dc [ 417.114613] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 417.114617] ? kasan_complete_mode_report_info+0x80/0x220 [ 417.114621] kasan_report+0xbd/0x100 [ 417.114625] ? __mutex_lock.constprop.0+0x1522/0x1610 [ 417.114628] ? __mutex_lock.constprop.0+0x1522/0x1610 [ 417.114630] __asan_report_load4_noabort+0x14/0x30 [ 417.114633] __mutex_lock.constprop.0+0x1522/0x1610 [ 417.114635] ? queue_con_delay+0x8d/0x200 [ 417.114638] ? __pfx___mutex_lock.constprop.0+0x10/0x10 [ 417.114641] ? __send_subscribe+0x529/0xb20 [ 417.114644] __mutex_lock_slowpath+0x13/0x20 [ 417.114646] mutex_lock+0xd4/0xe0 [ 417.114649] ? __pfx_mutex_lock+0x10/0x10 [ 417.114652] ? ceph_monc_renew_subs+0x2a/0x40 [ 417.114654] ceph_con_keepalive+0x22/0x110 [ 417.114656] handle_timeout+0x6b3/0x11d0 [ 417.114659] ? _raw_spin_unlock_irq+0xe/0x50 [ 417.114662] ? __pfx_handle_timeout+0x10/0x10 [ 417.114664] ? queue_delayed_work_on+0x8e/0xa0 [ 417.114669] process_one_work+0x611/0xe20 [ 417.114672] ? __kasan_check_write+0x14/0x30 [ 417.114676] worker_thread+0x7e3/0x1580 [ 417.114678] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 417.114682] ? __pfx_sched_setscheduler_nocheck+0x10/0x10 [ 417.114687] ? __pfx_worker_thread+0x10/0x10 [ 417.114689] kthread+0x381/0x7a0 [ 417.114692] ? __pfx__raw_spin_lock_irq+0x10/0x10 [ 417.114694] ? __pfx_kthread+0x10/0x10 [ 417.114697] ? __kasan_check_write+0x14/0x30 [ 417.114699] ? recalc_sigpending+0x160/0x220 [ 417.114703] ? _raw_spin_unlock_irq+0xe/0x50 [ 417.114705] ? calculate_sigpending+0x78/0xb0 [ 417.114707] ? __pfx_kthread+0x10/0x10 [ 417.114710] ret_from_fork+0x2b6/0x380 [ 417.114713] ? __pfx_kthread+0x10/0x10 [ 417.114715] ret_from_fork_asm+0x1a/0x30 [ 417.114720] </TASK> [ 417.125171] Allocated by task 2: [ 417.125333] kasan_save_stack+0x26/0x60 [ 417.125522] kasan_save_track+0x14/0x40 [ 417.125742] kasan_save_alloc_info+0x39/0x60 [ 417.125945] __kasan_slab_alloc+0x8b/0xb0 [ 417.126133] kmem_cache_alloc_node_noprof+0x13b/0x460 [ 417.126381] copy_process+0x320/0x6250 [ 417.126595] kernel_clone+0xb7/0x840 [ 417.126792] kernel_thread+0xd6/0x120 [ 417.126995] kthreadd+0x85c/0xbe0 [ 417.127176] ret_from_fork+0x2b6/0x380 [ 417.127378] ret_from_fork_asm+0x1a/0x30 [ 417.127692] Freed by task 0: [ 417.127851] kasan_save_stack+0x26/0x60 [ 417.128057] kasan_save_track+0x14/0x40 [ 417.128267] kasan_save_free_info+0x3b/0x60 [ 417.128491] __kasan_slab_free+0x6c/0xa0 [ 417.128708] kmem_cache_free+0x182/0x550 [ 417.128906] free_task+0xeb/0x140 [ 417.129070] __put_task_struct+0x1d2/0x4f0 [ 417.129259] __put_task_struct_rcu_cb+0x15/0x20 [ 417.129480] rcu_do_batch+0x3d3/0xe70 [ 417.129681] rcu_core+0x549/0xb30 [ 417.129839] rcu_core_si+0xe/0x20 [ 417.130005] handle_softirqs+0x160/0x570 [ 417.130190] __irq_exit_rcu+0x189/0x1e0 [ 417.130369] irq_exit_rcu+0xe/0x20 [ 417.130531] sysvec_apic_timer_interrupt+0x9f/0xd0 [ 417.130768] asm_sysvec_apic_timer_interrupt+0x1b/0x20 [ 417.131082] Last potentially related work creation: [ 417.131305] kasan_save_stack+0x26/0x60 [ 417.131484] kasan_record_aux_stack+0xae/0xd0 [ 417.131695] __call_rcu_common+0xcd/0x14b0 [ 417.131909] call_rcu+0x31/0x50 [ 417.132071] delayed_put_task_struct+0x128/0x190 [ 417.132295] rcu_do_batch+0x3d3/0xe70 [ 417.132478] rcu_core+0x549/0xb30 [ 417.132658] rcu_core_si+0xe/0x20 [ 417.132808] handle_softirqs+0x160/0x570 [ 417.132993] __irq_exit_rcu+0x189/0x1e0 [ 417.133181] irq_exit_rcu+0xe/0x20 [ 417.133353] sysvec_apic_timer_interrupt+0x9f/0xd0 [ 417.133584] asm_sysvec_apic_timer_interrupt+0x1b/0x20 [ 417.133921] Second to last potentially related work creation: [ 417.134183] kasan_save_stack+0x26/0x60 [ 417.134362] kasan_record_aux_stack+0xae/0xd0 [ 417.134566] __call_rcu_common+0xcd/0x14b0 [ 417.134782] call_rcu+0x31/0x50 [ 417.134929] put_task_struct_rcu_user+0x58/0xb0 [ 417.135143] finish_task_switch.isra.0+0x5d3/0x830 [ 417.135366] __schedule+0xd30/0x5100 [ 417.135534] schedule_idle+0x5a/0x90 [ 417.135712] do_idle+0x25f/0x410 [ 417.135871] cpu_startup_entry+0x53/0x70 [ 417.136053] start_secondary+0x216/0x2c0 [ 417.136233] common_startup_64+0x13e/0x141 [ 417.136894] The buggy address belongs to the object at ffff888124870000 which belongs to the cache task_struct of size 10504 [ 417.138122] The buggy address is located 52 bytes inside of freed 10504-byte region [ffff888124870000, ffff888124872908) [ 417.139465] The buggy address belongs to the physical page: [ 417.140016] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x124870 [ 417.140789] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 417.141519] memcg:ffff88811aa20e01 [ 417.141874] anon flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff) [ 417.142600] page_type: f5(slab) [ 417.142922] raw: 0017ffffc0000040 ffff88810094f040 0000000000000000 dead000000000001 [ 417.143554] raw: 0000000000000000 0000000000030003 00000000f5000000 ffff88811aa20e01 [ 417.143954] head: 0017ffffc0000040 ffff88810094f040 0000000000000000 dead000000000001 [ 417.144329] head: 0000000000000000 0000000000030003 00000000f5000000 ffff88811aa20e01 [ 417.144710] head: 0017ffffc0000003 ffffea0004921c01 00000000ffffffff 00000000ffffffff [ 417.145106] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 417.145485] page dumped because: kasan: bad access detected [ 417.145859] Memory state around the buggy address: [ 417.146094] ffff88812486ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 417.146439] ffff88812486ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 417.146791] >ffff888124870000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 417.147145] ^ [ 417.147387] ffff888124870080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 417.147751] ffff888124870100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 417.148123] ================================================================== First of all, we have warning in get_bvec_at() because cursor->total_resid contains zero value. And, finally, we have crash in ceph_msg_data_advance() because cursor->data is NULL. It means that get_bvec_at() receives not initialized ceph_msg_data_cursor structure because data is NULL and total_resid contains zero. Moreover, we don't have likewise issue for the case of Ceph msgr1 protocol because ceph_msg_data_cursor_init() has been called before reading sparse data. This patch adds calling of ceph_msg_data_cursor_init() in the beginning of process_v2_sparse_read() with the goal to guarantee that logic of reading sparse data works correctly for the case of Ceph msgr2 protocol. Cc: stable@vger.kernel.org Link: https://tracker.ceph.com/issues/73152 Signed-off-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com> Reviewed-by: Ilya Dryomov <idryomov@gmail.com> Signed-off-by: Ilya Dryomov <idryomov@gmail.com> |