Commit graph

1,447,459 commits

Author SHA1 Message Date
Luca Weiss
986853f5bf FROMGIT dt-bindings: display: msm: document the Milos Mobile Display Subsystem
Document the Mobile Display Subsystem (MDSS) on the Milos SoC.

Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/722315/
Link: https://lore.kernel.org/r/20260501-milos-mdss-v3-4-58bfc58c0e13@fairphone.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
2026-06-30 15:48:19 +02:00
Luca Weiss
e42c591813 FROMGIT dt-bindings: display: msm: document the Milos DPU
Document the DPU Display Controller on the Milos Platform.

Acked-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
Patchwork: https://patchwork.freedesktop.org/patch/722313/
Link: https://lore.kernel.org/r/20260501-milos-mdss-v3-3-58bfc58c0e13@fairphone.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
2026-06-30 15:48:18 +02:00
Luca Weiss
1c34285ac5 FROMGIT dt-bindings: display: msm-dsi-controller-main: document the Milos DSI Controller
Document the DSI Controller on the Milos Platform.

Acked-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
Patchwork: https://patchwork.freedesktop.org/patch/722310/
Link: https://lore.kernel.org/r/20260501-milos-mdss-v3-2-58bfc58c0e13@fairphone.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
2026-06-30 15:48:18 +02:00
Luca Weiss
78aea2df1e FROMGIT dt-bindings: display: msm-dsi-phy-7nm: document the Milos DSI PHY
Document the DSI PHY on the Milos Platform.

Acked-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
Patchwork: https://patchwork.freedesktop.org/patch/722309/
Link: https://lore.kernel.org/r/20260501-milos-mdss-v3-1-58bfc58c0e13@fairphone.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
2026-06-30 15:48:18 +02:00
Luca Weiss
3fd968bee8 FROMGIT clk: qcom: Add support for GXCLK for Milos
GXCLKCTL (Graphics GX Clock Controller) is a block dedicated to managing
clocks for the GPU subsystem on GX power domain. The GX clock controller
driver manages only the GX GDSC and the rest of the resources of the
controller are managed by the firmware.

We can use the existing kaanapali driver for Milos as well since the
GX_CLKCTL_GX_GDSC supported by the Linux driver requires the same
configuration.

Reviewed-by: Jagadeesh Kona <jagadeesh.kona@oss.qualcomm.com>
Reviewed-by: Taniya Das <taniya.das@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
Link: https://lore.kernel.org/r/20260417-milos-gxclkctl-v3-2-08f5988c43a2@fairphone.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
2026-06-30 15:48:17 +02:00
Luca Weiss
4f97a83abe FROMGIT dt-bindings: clock: qcom: document the Milos GX clock controller
Qualcomm GX(graphics) is a clock controller which has PLLs, clocks and
Power domains (GDSC), but the requirement from the SW driver is to use
the GDSC power domain from the clock controller to recover the GPU
firmware in case of any failure/hangs. The rest of the resources of the
clock controller are being used by the firmware of GPU. This module
exposes the GDSC power domains which helps the recovery of Graphics
subsystem.

Milos can reuse the qcom,kaanapali-gxclkctl.h header due to similarity
of the hardware block, and also reuse of the Linux driver.

Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
Link: https://lore.kernel.org/r/20260417-milos-gxclkctl-v3-1-08f5988c43a2@fairphone.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
2026-06-30 15:48:17 +02:00
Greg Kroah-Hartman
03e2778d1f Linux 7.1.2
Link: https://lore.kernel.org/r/20260625125613.243729608@linuxfoundation.org
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
Tested-by: Ronald Warsow <rwarsow@gmx.de>
Tested-by: Brett A C Sheffield <bacs@librecast.net>
Tested-by: Justin M. Forbes <jforbes@fedoraproject.org>
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
Tested-by: Ron Economos <re@w6rz.net>
Tested-by: Miguel Ojeda <ojeda@kernel.org>
Tested-by: Dileep Malepu <dileep.debian@gmail.com>
Tested-by: Takeshi Ogasawara <takeshi.ogasawara@futuring-girl.com>
Tested-by: Mark Brown <broonie@kernel.org>
Tested-by: Jeffrin Jose T <jeffrin@rajagiritech.edu.in>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-06-27 11:08:18 +01:00
Miklos Szeredi
e09412a714 virtiofs: fix UAF on submount umount
commit 06b41351779e9289e8785694ade9042ae85e41ea upstream.

iput() called from fuse_release_end() can Oops if the super block has
already been destroyed.  Normally this is prevented by waiting for
num_waiting to go down to zero before commencing with super block shutdown.

This only works, however, for the last submount instance, as the wait
counter is per connection, not per superblock.

Revert to using synchronous release requests for the auto_submounts case,
which is virtiofs only at this time.

Reported-by: Aurélien Bombo <abombo@microsoft.com>
Reported-by: Zhihao Cheng <chengzhihao1@huawei.com>
Cc: Greg Kurz <gkurz@redhat.com>
Closes: https://github.com/kata-containers/kata-containers/issues/12589
Fixes: 26e5c67deb ("fuse: fix livelock in synchronous file put from fuseblk workers")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kurz <gkurz@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-06-27 11:08:18 +01:00
Ruslan Valiyev
232e4b313e media: vidtv: fix NULL pointer dereference in vidtv_mux_push_si
commit 7d8bf3d8f91073f4db347ed3aa6302b56107499c upstream.

syzbot reported a general protection fault in
vidtv_psi_ts_psi_write_into [1].

vidtv_mux_get_pid_ctx() can return NULL, but vidtv_mux_push_si() does
not check for this before dereferencing the returned pointer to access
the continuity counter. This leads to a general protection fault when
accessing a near-NULL address.

The root cause is that vidtv_mux_pid_ctx_init() does not check the
return value of vidtv_mux_create_pid_ctx_once() for PMT section PIDs.
If the allocation fails, the PID context is never created, but init
returns success. The subsequent vidtv_mux_push_si() call then gets
NULL from vidtv_mux_get_pid_ctx() and crashes.

Fix both the root cause (add error check in vidtv_mux_pid_ctx_init
for PMT PIDs) and add defensive NULL checks in vidtv_mux_push_si for
all vidtv_mux_get_pid_ctx() calls.

[1]
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
Workqueue: events vidtv_mux_tick
RIP: 0010:vidtv_psi_ts_psi_write_into+0x54a/0xbc0 drivers/media/test-drivers/vidtv/vidtv_psi.c:197
Call Trace:
 <TASK>
 vidtv_psi_table_header_write_into drivers/media/test-drivers/vidtv/vidtv_psi.c:799 [inline]
 vidtv_psi_pmt_write_into+0x3b2/0xa70 drivers/media/test-drivers/vidtv/vidtv_psi.c:1231
 vidtv_mux_push_si+0x932/0xe80 drivers/media/test-drivers/vidtv/vidtv_mux.c:196
 vidtv_mux_tick+0xe9b/0x1480 drivers/media/test-drivers/vidtv/vidtv_mux.c:408

Fixes: f90cf6079b ("media: vidtv: add a bridge driver")
Cc: stable@vger.kernel.org
Reported-by: syzbot+814c351d094f4f1a1b86@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=814c351d094f4f1a1b86
Signed-off-by: Ruslan Valiyev <linuxoid@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-06-27 11:08:18 +01:00
Gil Portnoy
5f983b864d ksmbd: reject non-VALID session in compound request branch
commit 609ca17d869d04ba249e32cdcbf13c0b1c66f43c upstream.

smb2_check_user_session() takes a shortcut for any operation that is not
the first in a COMPOUND request: it reuses work->sess (the session bound by
the first operation) and validates only the SessionId, then returns
"valid". It never re-checks work->sess->state == SMB2_SESSION_VALID, and a
SessionId of 0xFFFFFFFFFFFFFFFF (ULLONG_MAX, the MS-SMB2 related-operation
value) skips even the id comparison. The standalone path
(ksmbd_session_lookup_all() plus the SESSION_SETUP state machine) does
enforce the VALID state; the compound branch bypasses all of it.

A SESSION_SETUP carrying only an NTLM Type-1 (NtLmNegotiate) blob publishes
a fresh SMB2_SESSION_IN_PROGRESS session whose sess->user is still NULL
(->user is assigned later, by ntlm_authenticate()). Used as operation 1 of
a COMPOUND with operation 2 = TREE_CONNECT (related, SessionId=ULLONG_MAX,
\\host\IPC$), the tree-connect then runs on that IN_PROGRESS session and
reaches ksmbd_ipc_tree_connect_request(), which dereferences
user_name(sess->user) with sess->user == NULL (transport_ipc.c:687/701/704)
-> remote NULL-pointer dereference and a kernel Oops that wedges the ksmbd
worker for all clients.

Reject any non-first compound operation that lands on a session which is
not SMB2_SESSION_VALID, mirroring the validity the standalone lookup path
enforces. SESSION_SETUP itself legitimately runs on an IN_PROGRESS session,
but it is never carried as a non-first compound operation, so multi-leg
authentication is unaffected by this check.

Fixes: 5005bcb421 ("ksmbd: validate session id and tree id in the compound request")
Cc: stable@vger.kernel.org
Signed-off-by: Gil Portnoy <dddhkts1@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-06-27 11:08:17 +01:00
Georgi Djakov
059ac6252a drivers/base/memory: set mem->altmap after successful device registration
commit a2b8d7827f48ee54a686cb80e4a1d0ff954ec42a upstream.

If __add_memory_block() fails at xa_store() (under memory pressure for
example), device_unregister() is called, which eventually triggers
memory_block_release() with mem->altmap still set, causing a
WARN_ON(mem->altmap).  This was triggered by modifying virtio-mem driver.

Fix this by delaying the assignment of mem->altmap until after
__add_memory_block() has succeeded.

Link: https://lore.kernel.org/20260514092657.3057141-1-georgi.djakov@oss.qualcomm.com
Fixes: 1a8c64e110 ("mm/memory_hotplug: embed vmem_altmap details in memory block")
Signed-off-by: Georgi Djakov <georgi.djakov@oss.qualcomm.com>
Acked-by: Oscar Salvador (SUSE) <osalvador@kernel.org>
Cc: Vishal Verma <vishal.l.verma@intel.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Richard Cheng <icheng@nvidia.com>
Cc: David Hildenbrand <david@kernel.org>
Cc: Georgi Djakov <djakov@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "Rafael J. Wysocki" <rafael@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-06-27 11:08:17 +01:00
Stepan Ionichev
778b9dda4b serial: 8250_dw: unregister 8250 port if clk_notifier_register() fails
commit 10fc708b4de7f86002d2d735a2dbf3b5b7f65692 upstream.

dw8250_probe() registers the 8250 port via serial8250_register_8250_port()
and then, if the device has a clock, registers a clock notifier. If
clk_notifier_register() fails, probe returns the error but leaves the
8250 port registered. The matching serial8250_unregister_port() lives
in dw8250_remove(), which is not called when probe fails, so the port
slot stays occupied until the device is rebound or the system is
rebooted. The devm-allocated driver data is freed while the port still
references it (via the saved private_data and serial_in/serial_out
callbacks), so any access to that port slot before a rebind is a
use-after-free hazard.

Unregister the port on the clk_notifier_register() error path.

Fixes: cc816969d7 ("serial: 8250_dw: Fix common clocks usage race condition")
Cc: stable@vger.kernel.org
Signed-off-by: Stepan Ionichev <sozdayvek@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patch.msgid.link/20260514143746.23671-2-sozdayvek@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-06-27 11:08:17 +01:00
Viken Dadhaniya
ee6754f583 serial: qcom_geni: Fix RX DMA stall when SE_DMA_RX_LEN_IN is zero
commit b93062b6d8a1b2d9bad235cac25558a909819026 upstream.

In qcom_geni_serial_handle_rx_dma(), geni_se_rx_dma_unprep() clears
port->rx_dma_addr before SE_DMA_RX_LEN_IN is read. If the register is zero,
for example when the RX stale counter fires on an idle line, the handler
returns without calling geni_se_rx_dma_prep().

The next RX DMA interrupt then hits the !port->rx_dma_addr guard and
returns immediately, so the RX DMA buffer is never rearmed and later input
is lost.

Keep the handler on the rearm path when rx_in is zero. Warn about the
unexpected zero-length DMA completion, skip received-data handling, and
always call geni_se_rx_dma_prep().

Fixes: 2aaa43c707 ("tty: serial: qcom-geni-serial: add support for serial engine DMA")
Cc: stable@vger.kernel.org
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Viken Dadhaniya <viken.dadhaniya@oss.qualcomm.com>
Link: https://patch.msgid.link/20260528-serial-rx-0-byte-fix-v2-1-b4195cfe342f@oss.qualcomm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-06-27 11:08:17 +01:00
Yi Yang
09a43e8127 vc_screen: fix null-ptr-deref in vcs_notifier() during concurrent vcs_write
commit a287620312dc6dcb9a093417a0e589bf30fcf38a upstream.

A KASAN null-ptr-deref was observed in vcs_notifier():

BUG: KASAN: null-ptr-deref in vcs_notifier+0x98/0x130
Read of size 2 at addr qmp_cmd_name: qmp_capabilities, arguments: {}

The issue is a race condition in vcs_write(). When the console_lock is
temporarily dropped (to copy data from userspace), the vc_data pointer
obtained from vcs_vc() may become stale. After re-acquiring the lock,
vcs_vc() is called again to re-validate the pointer. If the vc has been
deallocated in the meantime, vcs_vc() returns NULL, and the while loop
breaks (with written > 0). However, after the loop, vcs_scr_updated(vc)
is still called with the now-NULL vc pointer, leading to a null pointer
dereference in the notifier chain (vcs_notifier dereferences param->vc).

Fix this by adding a NULL check for vc before calling vcs_scr_updated().

Fixes: 8fb9ea65c9 ("vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF")
Cc: stable@vger.kernel.org
Signed-off-by: Yi Yang <yiyang13@huawei.com>
Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
Link: https://patch.msgid.link/20260604060734.2914976-1-yiyang13@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-06-27 11:08:17 +01:00
Giovanni Cabiddu
3ae49dd04d crypto: qat - remove unused character device and IOCTLs
commit d237230728c567297f2f98b425d63156ab2ed17f upstream.

The QAT driver exposes a character device (qat_adf_ctl) with IOCTLs
for device configuration, start, stop, status query and enumeration.
These IOCTLs are not part of any public uAPI header and have no known
in-tree or out-of-tree users. Device lifecycle is already managed via
sysfs.

The ioctl interface also increases the attack surface and is the
subject of a number of bug reports.

Remove the character device, the IOCTL definitions, and the related
data structures (adf_dev_status_info, adf_user_cfg_key_val,
adf_user_cfg_section, adf_user_cfg_ctl_data). Drop the now-unused
adf_cfg_user.h header and strip adf_ctl_drv.c down to the minimal
module_init/module_exit hooks for workqueue, AER, and crypto/compression
algorithm registration.

Clean up leftover dead code that was only reachable from the removed
IOCTL paths: adf_cfg_del_all(), adf_devmgr_verify_id(),
adf_devmgr_get_num_dev(), adf_devmgr_get_dev_by_id(),
adf_get_vf_real_id() and the unused ADF_CFG macros.

Additionally, drop the entry associated to QAT IOCTLs in
ioctl-number.rst.

Cc: stable@vger.kernel.org
Fixes: d8cba25d2c ("crypto: qat - Intel(R) QAT driver framework")
Reported-by: Zhi Wang <wangzhi@stu.xidian.edu.cn>
Reported-by: Bin Yu <byu@xidian.edu.cn>
Reported-by: MingYu Wang <w15303746062@163.com>
Closes: https://lore.kernel.org/all/61d6d499.ab89.19b9b7f3186.Coremail.wangzhi_xd@stu.xidian.edu.cn/
Link: https://lore.kernel.org/all/20260508034841.256794-1-w15303746062@163.com/
Link: https://lore.kernel.org/all/20260508023542.256299-1-w15303746062@163.com/
Link: https://lore.kernel.org/all/20260504025120.98242-1-w15303746062@163.com/
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Reviewed-by: Ahsan Atta <ahsan.atta@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-06-27 11:08:17 +01:00
Sam Daly
abd776ded3 iio: adc: ti-ads1298: add bounds check to pga_settings index
commit 95e8a48d7a85d4226934020e57815a3316d3a14b upstream.

ads1298_pga_settings has 7 elements but ADS1298_MASK_CH_PGA can yield
values 0-7. If it yields a value >= 7, this causes an out-of-bounds
array access. Add a bounds check and return -EINVAL if the index
is out of range.

Note that the remaining value b111 is reserved so should not be seen
in a correctly functioning system.

Assisted-by: gkh_clanker_2000
Cc: stable <stable@kernel.org>
Cc: Jonathan Cameron <jic23@kernel.org>
Cc: David Lechner <dlechner@baylibre.com>
Cc: "Nuno Sá" <nuno.sa@analog.com>
Cc: Andy Shevchenko <andy@kernel.org>
Signed-off-by: Sam Daly <sam@samdaly.ie>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-06-27 11:08:17 +01:00
Sam Daly
e545936e06 iio: light: veml6075: add bounds check to veml6075_it_ms index
commit 307dc4240bd41852d9e0912921e298160db1c109 upstream.

veml6075_it_ms has 5 elements but VEML6075_CONF_IT can yield values 0-7.
If it returns a value >= 5, this causes an out-of-bounds array access.
Add a bounds check and return -EINVAL if the index is out of range.

The problem values are reserved so should never be read from the
register. Hence this is hardening against fault device, missprogramming
or bus corruption.

Assisted-by: gkh_clanker_2000
Cc: stable <stable@kernel.org>
Signed-off-by: Sam Daly <sam@samdaly.ie>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-06-27 11:08:17 +01:00
Mingyu Wang
cefe535a60 agp/amd64: Fix broken error propagation in agp_amd64_probe()
commit b08472db93b1ccff84a7adec5779d47f0e9d3a30 upstream.

A NULL pointer dereference was observed in the AMD64 AGP driver when
running in a virtualized environment (e.g. qemu/kvm) without a physical
AMD northbridge. The crash occurs in amd64_fetch_size() when attempting
to dereference the pointer returned by node_to_amd_nb(0).

The root cause of this crash is broken error propagation in
agp_amd64_probe(): When no AMD northbridges are found, cache_nbs()
correctly returns -ENODEV. However, the probe function erroneously
checks the return value against exactly -1, rather than < 0.

As a result, the hardware absence error is masked, allowing the driver
to improperly proceed with initialization. It eventually calls
agp_add_bridge(), which invokes amd64_fetch_size(). Since the hardware
does not exist, node_to_amd_nb(0) returns NULL, leading to a General
Protection Fault (GPF) when accessing its ->misc member.

Fix the issue by correcting the error check in agp_amd64_probe() to
abort properly when cache_nbs() returns any negative error code. This
prevents the driver from erroneously proceeding without hardware, thereby
avoiding the subsequent NULL pointer dereference at its source.

Fixes: a32073bffc ("[PATCH] x86_64: Clean and enhance up K8 northbridge access code")
Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Reviewed-by: Lukas Wunner <lukas@wunner.de>
Cc: stable@vger.kernel.org # v2.6.18+
Link: https://patch.msgid.link/20260504074823.99377-1-w15303746062@163.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-06-27 11:08:17 +01:00
Yang Erkun
613257f919 Revert "NFSD: Defer sub-object cleanup in export put callbacks"
commit 516403d4d85607fdef3ca41d4a56b54e5566fa9a upstream.

This reverts commit 48db892356.

Commit 48db892356 ("NFSD: Defer sub-object cleanup in export
put callbacks") moved path_put() and auth_domain_put() out of
svc_export_put() and expkey_put() and behind queue_rcu_work() to
close a claimed use-after-free in e_show() and c_show() against
ex_path and ex_client->name. Discussion in [1] shows neither
the diagnosis nor the remedy survives review.

The downstream teardown of both sub-objects is already RCU-deferred.
auth_domain_put() reaches svcauth_unix_domain_release(), which frees
the unix_domain and its ->name through call_rcu(). path_put()
reaches dentry_free(), which frees the dentry through call_rcu(),
and prepend_path() is already structured to tolerate concurrent
dentry teardown. A reader in cache_seq_start_rcu() therefore
observes both sub-objects through the next grace period regardless
of whether svc_export_put() runs synchronously, so the synchronous
form was never unsafe.

The crash signature in the report cited by commit 48db892356
("NFSD: Defer sub-object cleanup in export put callbacks") has a
different root cause: a /proc/net/rpc cache file held open across
network-namespace exit lets cache_destroy_net() free cd->hash_table
while a reader is still walking it. The correct fix pins cd->net for
the open fd's lifetime and does not require any deferral inside
svc_export_put().

Meanwhile, deferring path_put() out of svc_export_put() reintroduces
the regression that commit 69d803c40e ("nfsd: Revert "nfsd:
release svc_expkey/svc_export with rcu_work"") repaired: after
"exportfs -r" drops the last cache reference, the mount reference
held through ex_path lingers in the workqueue, so a subsequent
umount fails with EBUSY.

Restore the synchronous path_put() and auth_domain_put() in
svc_export_put() and expkey_put() and the call_rcu()/kfree_rcu()
free of the containing structures. The unrelated fix for
ex_uuid/ex_stats from commit 2530766492 ("nfsd: fix UAF when
access ex_uuid or ex_stats") is preserved.

Link: https://lore.kernel.org/all/10019b42-4589-4f9f-8d5b-d8197db1ce3c@huawei.com/ [1]
Fixes: 48db892356 ("NFSD: Defer sub-object cleanup in export put callbacks")
Cc: stable@vger.kernel.org
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Tested-by: Alexandr Alexandrov <alexandr.alexandrov@oracle.com>
Signed-off-by: Yang Erkun <yangerkun@huawei.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-06-27 11:08:17 +01:00
Joanne Koong
e28db6ac47 fuse: re-lock request before replacing page cache folio
commit a078484921052d0badd827fcc2770b5cfc1d4120 upstream.

fuse_try_move_folio() unlocks the request on entry but does not
re-lock it on the success path. This means fuse_chan_abort() can end the
request and free the fuse_io_args (eg fuse_readpages_end()) while the
subsequent copy chain logic after fuse_try_move_folio() accesses the
fuse_io_args, leading to use-after-free issues.

Fix this by calling lock_request() before replace_page_cache_folio().
This ensures the request is locked on the success path which will
prevent the fuse_io_args from being freed while the later copying logic
runs, and also ensures that the ap->folios[i]->mapping is never null
since ap->folios[i] will always point to the newfolio after
replace_page_cache_folio().

Fixes: ce534fb052 ("fuse: allow splice to move pages")
Cc: stable@vger.kernel.org
Reported-by: Lei Lu <llfamsec@gmail.com>
Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-06-27 11:08:17 +01:00
Gabriel Krisman Bertazi
7e00cafa33 io_uring/net: Avoid msghdr on op_connect/op_bind async data
[ Upstream commit 3979840cd858f30f43ea9f4e7f7f1f56de82d698 ]
This fixes a memory leak due to the lack of the cleanup hook for the
iovec.  The stable backport differs from upstream by dropping the
io_connect_bpf_populate hunk, which didn't exist at the time and by
fixing the merge conflict due to the introduction of
io_bind_file_create.

Both IORING_OP_CONNECT and IORING_OP_BIND reuse the msghdr object just
to store the sockaddr. Beyond allocating a much larger object than
needed, msghdr can also wrap an iovec, which will be recycled
unnecessarily. This uses the sockaddr directly.

Cc: stable@vger.kernel.org
Signed-off-by: Gabriel Krisman Bertazi <krisman@suse.de>
Link: https://patch.msgid.link/20260602215327.1885109-2-krisman@suse.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Gabriel Krisman Bertazi <krisman@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2026-06-27 11:08:17 +01:00
Greg Kroah-Hartman
c9acdc466e Linux 7.1.1
Link: https://lore.kernel.org/r/20260616145523.335696673@linuxfoundation.org
Tested-by: Brett A C Sheffield <bacs@librecast.net>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Tested-by: Barry K. Nathan <barryn@pobox.com>
Tested-by: Takeshi Ogasawara <takeshi.ogasawara@futuring-girl.com>
Tested-by: Miguel Ojeda <ojeda@kernel.org>
Tested-by: Mark Brown <broonie@kernel.org>
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Tested-by: Luna Jernberg <droidbittin@gmail.com>
Tested-by: Ron Economos <re@w6rz.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-06-19 13:50:58 +02:00
Honglei Huang
ce3fb4b971 drm/amdgpu: drop retry loop in amdgpu_hmm_range_get_pages
commit 342981fff32802a819d6fc7cf3c9fedf9f3d9d60 upstream.

Since commit c08972f55594 ("drm/amdgpu: fix amdgpu_hmm_range_get_pages")
moved mmu_interval_read_begin() out of the per-chunk loop, the
captured notifier_seq is no longer refreshed across retries. As a
result, the existing -EBUSY retry path can never make progress:

  hmm_range_fault() returns -EBUSY only when
  mmu_interval_check_retry(notifier, notifier_seq) reports that the
  sequence is stale. Once the sequence has advanced, the stored seq
  will never match again, so every subsequent call within the same
  invocation returns -EBUSY immediately.

The "goto retry" therefore degenerates into a busy spin that simply
burns CPU for the full HMM_RANGE_DEFAULT_TIMEOUT (~1s) window before
finally bailing out with -EAGAIN. This is pure latency with no chance
of recovery, and it actively hurts the KFD userptr stack: the caller
ends up blocked for a second while holding mmap_lock, only to return
-EAGAIN to the restore worker (or to userspace) which would have
re-driven the operation immediately anyway.

Drop the retry/timeout entirely and let -EBUSY propagate straight to
out_free_pfns, where it is already translated to -EAGAIN. Recovery is
handled at a higher level: the KFD restore_userptr_worker reschedules
itself, and the userptr ioctl path returns -EAGAIN to userspace.

No functional regression: the previous behaviour on -EBUSY was already
to fail with -EAGAIN after a 1s stall; we just skip the stall.

Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Honglei Huang <honghuan@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-06-19 13:50:58 +02:00
Rafael Passos
b15b03d691 HID: Input: Add battery list cleanup with devm action
commit 426e5846eba75feaf1c9c6c119cb153610192da1 upstream.

The batteries list (hdev->batteries) is not cleaned up during
hidinput_disconnect(), but struct hid_battery entries are allocated
with devm_kzalloc.
When a driver is unbound (e.g. during devicereprobe), devm frees those
entries while their list_head nodesremain dangling in hdev->batteries,
which persists across rebinds.

Link: https://lore.kernel.org/all/20260602011949.2825852-1-rafael@rcpassos.me/
Fixes: 4a58ae85c3 ("HID: input: Add support for multiple batteries per device")
Signed-off-by: Rafael Passos <rafael@rcpassos.me>
Acked-by: Lucas Zampieri <lcasmz54@gmail.com>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-06-19 13:50:58 +02:00
Will Deacon
fc10eff5a2 arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU
commit 1940e70a8144bf75e6df26bf6f600862ea7f7ea1 upstream.

Commit fb091ff394 ("arm64: Subscribe Microsoft Azure Cobalt 100 to ARM
Neoverse N2 errata") states that Microsoft Azure Cobalt 100 CPU "is a
Microsoft implemented CPU based on r0p0 of the ARM Neoverse N2 CPU, and
therefore suffers from all the same errata.".

So enable the workaround for the latest broadcast TLB invalidation bug
on these parts.

Signed-off-by: Will Deacon <will@kernel.org>
[Mark: backport to v7.1.y]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-06-19 13:50:58 +02:00
Shanker Donthineni
845c842eb2 arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU
commit ec7216f92e4ebd485b1c6dc6aa3f6064b71a5768 upstream.

NVIDIA Olympus cores are affected by the TLBI completion issue tracked as
CVE-2025-10263. The existing ARM64_ERRATUM_4118414 handling already uses
ARM64_WORKAROUND_REPEAT_TLBI to issue an additional broadcast TLBI;DSB
sequence and ensure affected memory write effects are globally observed.

Add MIDR_NVIDIA_OLYMPUS to the repeat-TLBI match list so the same
mitigation is enabled on affected Olympus systems. Also document the
NVIDIA Olympus erratum in the arm64 silicon errata table and list it in
the Kconfig help text.

Signed-off-by: Shanker Donthineni <sdonthineni@nvidia.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Will Deacon <will@kernel.org>
[Mark: backport to v7.1.y]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-06-19 13:50:58 +02:00
Mark Rutland
1268c64e2b arm64: errata: Mitigate TLBI errata on various Arm CPUs
commit cfd391e74134db664feb499d43af286380b10ba8 upstream.

A number of CPUs developed by Arm suffer from errata whereby a broadcast
TLBI;DSB sequence may complete before the global observation of writes
which are translated by an affected TLB entry.

These errata ONLY affect the completion of memory accesses which have
been translated by an invalidated TLB entry, and these errata DO NOT
affect the actual invalidation of TLB entries. TLB entries are removed
correctly.

This issue has been assigned CVE ID CVE-2025-10263.

To mitigate this issue, Arm recommends that software follows any
affected TLBI;DSB sequence with an additional TLBI;DSB, which will
ensure that all memory write effects affected by the first TLBI have
been globally observed. The additional TLBI can use any operation that
is broadcast to affected CPUs, and the additional DSB can use any option
that is sufficient to complete the additional TLBI.

The ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate
the issue. Enable this workaround for affected CPUs, and update the
silicon errata documentation accordingly.

Note that due to the manner in which Arm develops IP and tracks errata,
some CPUs share a common erratum number.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Will Deacon <will@kernel.org>
[Mark: backport to v7.1.y]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-06-19 13:50:58 +02:00
Mark Rutland
f93c6eee26 arm64: cputype: Add C1-Premium definitions
commit d28413bfc5a255957241f1df5d7fd0c2cd74fe18 upstream.

Add cputype definitions for C1-Premium. These will be used for errata
detection in subsequent patches.

These values can be found in the C1-Premium TRM:

  https://developer.arm.com/documentation/109416/0100/

... in section A.5.1 ("MIDR_EL1, Main ID Register").

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Will Deacon <will@kernel.org>
[Mark: backport to v7.1.y]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-06-19 13:50:58 +02:00
Mark Rutland
83d5c3cf35 arm64: cputype: Add C1-Ultra definitions
commit 60349e64a6c65f9f0aa118af711b3c7e137f07ff upstream.

Add cputype definitions for C1-Ultra. These will be used for errata
detection in subsequent patches.

These values can be found in the C1-Ultra TRM:

  https://developer.arm.com/documentation/108014/0100/

... in section A.5.1 ("MIDR_EL1, Main ID Register").

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Will Deacon <will@kernel.org>
[Mark: backport to v7.1.y]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-06-19 13:50:58 +02:00
Johan Hovold
cb5dcab199 driver core: reject devices with unregistered buses
commit 36f35b8df6972167102a1c3d4361e0afb6a84534 upstream.

Trying to register a device on a bus which has not yet been registered
used to trigger a NULL-pointer dereference, but since the const bus
structure rework registration instead succeeds without the device being
added to the bus.

This specifically means that the device will never bind to a driver and
that the bus sysfs attributes are not created (i.e. as if the device had
no bus).

Reject devices with unregistered buses to catch any callers that get
the ordering wrong and to handle bus registration failures more
gracefully.

Fixes: 5221b82d46 ("driver core: bus: bus_add/probe/remove_device() cleanups")
Cc: stable@vger.kernel.org	# 6.3
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260430091718.230228-1-johan@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-06-19 13:50:57 +02:00
Johan Hovold
89b7ef0625 driver core: faux: fix root device registration
commit 580a795105dae2ef1622df72a27a8fb0605e2f6b upstream.

A recent change made the faux bus root device be allocated dynamically
but failed to provide a release function to free the memory when the
last reference is dropped (on theoretical failure to register the device
or bus).

Fix this by using root_device_register() instead of open coding.

Also add the missing sanity check when registering faux devices to avoid
use-after-free if the bus failed to register (which would previously
have triggered a bunch of use-after-free warnings).

Fixes: 61b76d07d2 ("driver core: faux: stop using static struct device")
Cc: stable@vger.kernel.org	# 7.0
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260424153127.2647405-2-johan@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-06-19 13:50:57 +02:00
Mingyu Wang
36c1b57b2e fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling
commit 00633c4683828acd5256fa8d5163f440d74bbe71 upstream.

A SOFTIRQ-safe to SOFTIRQ-unsafe lock order deadlock can occur in
send_sigio() and send_sigurg() when a process group receives a signal.

When FASYNC is configured for a process group (PIDTYPE_PGID), both
functions use read_lock(&tasklist_lock) to traverse the task list.
However, they are frequently called from softirq context:
- send_sigio() via input_inject_event -> kill_fasync
- send_sigurg() via tcp_check_urg -> sk_send_sigurg (NET_RX_SOFTIRQ)

The deadlock is caused by the rwlock writer fairness mechanism:
1. CPU 0 (process context) holds read_lock(&tasklist_lock) in do_wait().
2. CPU 1 (process context) attempts write_lock(&tasklist_lock) in
   fork() or exit() and spins, which blocks all new readers.
3. CPU 0 is interrupted by a softirq (e.g., TCP URG packet reception).
4. The softirq calls send_sigurg() and attempts to acquire
   read_lock(&tasklist_lock), deadlocking because CPU 1 is waiting.

Since PID hashing and do_each_pid_task() traversals are already
RCU-protected, the read_lock on tasklist_lock is no longer strictly
required for safe traversal. Fix this by replacing tasklist_lock with
rcu_read_lock(), aligning the process group signaling path with the
single-PID path. This also mitigates a potential remote denial of
service vector via TCP URG packets.

Lockdep splat:
=====================================================
WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
[...]
Chain exists of:
  &dev->event_lock --> &f_owner->lock --> tasklist_lock

Possible interrupt unsafe locking scenario:
       CPU0                    CPU1
       ----                    ----
  lock(tasklist_lock);
                           local_irq_disable();
                           lock(&dev->event_lock);
                           lock(&f_owner->lock);
  <Interrupt>
    lock(&dev->event_lock);

*** DEADLOCK ***

Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
Link: https://patch.msgid.link/20260523135210.590928-1-w15303746062@163.com
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-06-19 13:50:57 +02:00
Linus Torvalds
8cd9520d35 Linux 7.1 2026-06-14 15:58:38 +01:00
Linus Torvalds
4242809533 ARM fixes for 7.1
Three fixes:
 - Avoid KASAN instrumentation of half-word IO
 - Use a byte load for KASAN shadow stack
 - Fix kexec and hibernation with PAN
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEuNNh8scc2k/wOAE+9OeQG+StrGQFAmousPYACgkQ9OeQG+St
 rGREqQ/+OdeNlX8q7h7Hv5kOXsrjsD/UMjsunzP/RKeZUYskF0zxJyK+qc6BjW1g
 +5zxSikZ+cZZT0rrGma5gOBpNG0FtJSF02CyCSjlKyb6nu09wc1aMZ/DiAMQkZ/u
 wunswFeR3pO97YT6QxJMcv2MVabH4FvWg7aym5KmJycWwRYzDwd1id0b/aEDyP6n
 bEnspk1RnAgp12mC4IjK+dKlsd9wgbrCNBXCyGw35cqEuqaVG021Jkprwxk3jdK/
 sunFPQVZebewiQFQOTQP6jNudYOfV6Uf+7wu67C7inLdffe7r+OW+Z2aFuHXJmXo
 lbpQvmgzHMzpFq5nNQaMFO3cwe6HwPwwDJbXf6eDWvbKPaaU6AQf+Ywcbj/P6Aj6
 7+ellXuSkErTKZSVrJ/wdLB2I1CGHkWbMX6VSXizuZJ5H07E40urkEqIALyw3Q4z
 +8RxnOrfsrlVeE1m+rm5FpOSxokD8kbSn66fP2EwIG1lRbbmFw402nj51a7Vuc8e
 RcSqPt3Y8L9vHCh9c2hxc/IzYTyE21wKeWWP9qPsvR79xyJLLgPbAwvk6sxGLDEY
 Fcourk96GROJ1RQxNXLzjgexrVCVBgZgW+qeOwVcxzejWZbkx7i/9UFCokTHO0bg
 4UrMJ6+XWH49PwDTlxjHBn+HFgAwLlZyFNIbee6fQNqxvYgxo68=
 =aiHy
 -----END PGP SIGNATURE-----

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rmk/linux

Pull ARM fixes from Russell King:

 - Avoid KASAN instrumentation of half-word IO

 - Use a byte load for KASAN shadow stack

 - Fix kexec and hibernation with PAN

* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rmk/linux:
  ARM: 9476/1: mm: fix kexec and hibernation with CONFIG_CPU_TTBR0_PAN
  ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow
  ARM: 9474/1: io: avoid KASAN instrumentation of raw halfword I/O
2026-06-14 15:37:39 +01:00
Linus Torvalds
e21ee273e6 Fixes for the Qualcomm and Google GS101 clk drivers:
- Skip parking clks on some Qualcomm platforms so that the
    recovery console keeps working
  - Fix Google GS101 resume by using the correct div register
 -----BEGIN PGP SIGNATURE-----
 
 iQJIBAABCAAyFiEE9L57QeeUxqYDyoaDrQKIl8bklSUFAmot41oUHHN3Ym95ZEBj
 aHJvbWl1bS5vcmcACgkQrQKIl8bklSXsPQ/+O2tv2vLffz8c5ULgVUB9LUNgyYrS
 eHAifuUIFGunZfjVwOB/5xNGhwXDlCP3OiLRNsyVPhLQ5EuDKME8H0rNn5Iwrxyu
 KWHm4Rd3wsQ0PGLFRvW40QpFEug91SIWl3xVb+a0W7TLdiO6jk6yhzXeSmWWDXWJ
 zyh3m9hKmZKiMcS7SKU7AQNXCfOks3kEwuLRnP9fLWNd3XVXxxqalpDC23h3/pPb
 t96gs/8yC4Aw14krgwkvDsQRdkEQnRm+hCIcjw42UQY3XuzAvrzHYBdNlB+l15z8
 wT/VdsOuk2rqiwkgglU/SCVe0hJkKjK3NYOo+uehCIzFLioGevM6CbDQ33yC1Y+c
 duy5iPjrvGsWSG6jAReNUmQLK0mONWzK079LpZnJM6HgDFoq6Ap8P8N4P1o+lbxI
 p3YseKmeiEdxRxd4k4ysv5WfIpgRgbPF0bXSW9BhtrwoEdlg8jaqdZw8SEOQVGWw
 fqqPQCEhFyiAERZrXpCAL0Dn81znXTy2uAaUe/VffuuN3tWi8lmT4x+1eyJV3MbL
 g/Bd+XqeGAJnjsCcO9oZPNT1knczTmVnjVPFJNZ10Y2ymL1HpvR4pLKEoN6uMgmK
 Cf7o/J0i/BwJGysh86wVpnYOaDmbQ4Pitp1OdvqeyIjziYfRX0jMF4GrA3ivJZGl
 +XwAqGCR33M7H5A=
 =UYw5
 -----END PGP SIGNATURE-----

Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux

Pull clk fixes from Stephen Boyd:
 "Fixes for the Qualcomm and Google GS101 clk drivers:

   - Skip parking clks on some Qualcomm platforms so that the recovery
     console keeps working

   - Fix Google GS101 resume by using the correct div register"

* tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
  clk: qcom: dispcc-sc8280xp: Don't park mdp_clk_src at registration time
  clk: samsung: gs101: Fix missing USI7_USI DIV clock in peric0_clk_regs
  clk: qcom: x1e80100-dispcc: Stop disp_cc_mdss_mdp_clk_src from getting parked
2026-06-13 18:21:44 -07:00
Linus Torvalds
2b07ea76fd - Fix potential debugobjects deadlock on PREEMPT_RT kernels
(Waiman Long)
 
 Signed-off-by: Ingo Molnar <mingo@kernel.org>
 -----BEGIN PGP SIGNATURE-----
 
 iQJFBAABCgAvFiEEBpT5eoXrXCwVQwEKEnMQ0APhK1gFAmotM34RHG1pbmdvQGtl
 cm5lbC5vcmcACgkQEnMQ0APhK1iY7BAAmlH54KzSFAtKfeIYb7Vc0Yc8JSHicJ0I
 VExAapEODhFyQkOyZCz60a0lqCL0ZaieQ2zIMSr0GtomYBIRoESzxfuN51KBEQ77
 FM8MslGzpOk+u35AY/9WqcKPdu6QQt5cn/uOOaNNXnDtJbkMorcz1hTrZrYVl6XB
 4EnWR2U1f3aN4zz+IM/HpH4/HUOREJi3AXjNvh9aUCWn/yRN4TK1FfKQbMTrCGuq
 wq000+tN16LusLw3QwpFvO9rcuYgqnhHvUOpxrANRYQFUwoaVQsoQ9prvlwNzH8I
 V4ygYVFAQjlteeLWx0O1sk0KSztg9+AIPGC6iiBKu45QjDLDLCIJA764D7gZrw9s
 wUBxlJyyiIzEa2WJ28KPEiJ22wOfhhc2YS80sK2oIP2rjdbYlvcFyvaLATDu5OxG
 M9BZyx5144pVkXkIqqyZOrtGxebJEqsPOb/eKFFvW3G9IUElhcjRh2c/NmGDquNH
 zZz1Oulhc7z8hMtUTNdllXdc0hoYLTO+8xN/WKsMCvpgXnwH9tjo7CySwuWhG2G9
 iYaO7EMBGPGRA+uhj8b/HoOHMF8fq2FtpFg2na3ftVCyfMwmcuUcfpcpMvbuOWql
 9MnCUVEoFXeSr1/zP+II6kC/aQzKN1oddQEX0PcE1lakEpN2f67U5osESkzSuXxl
 WwngN0Rgslc=
 =4bdE
 -----END PGP SIGNATURE-----

Merge tag 'core-urgent-2026-06-13' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull debugobjects fix from Ingo Molnar:

 - Fix potential debugobjects deadlock on PREEMPT_RT kernels (Waiman
   Long)

* tag 'core-urgent-2026-06-13' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  debugobjects: Don't call fill_pool() in early boot hardirq context
2026-06-13 08:23:36 -07:00
Linus Torvalds
a5e98d1679 i2c-for-7.1-rc8
- rust: fix I2cAdapter refcount double increment
 - MAINTAINERS: minor updates
 - imx: keep clock and pinctrl states consistent in runtime PM
 - imx-lpi2c: fix DMA resource leaks on PIO fallback
 - qcom-cci: fix NULL pointer dereference on remove
 - riic: fix reset refcount leak on resume_noirq error path
 - stm32f7: account for analog filter in timing computation
 - tegra: fix suspend/resume handling in NOIRQ phase
 - tegra: update Tegra410 I2C timings to match hardware specs
 - MAINTAINERS: hand over I2C maintainership to Andi
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEOZGx6rniZ1Gk92RdFA3kzBSgKbYFAmotKAIACgkQFA3kzBSg
 KbZ50Q//W+08GJo35DzVDBJ6s2laaI3RQNI7IKan0uI/QMPKT/blALsMxGfBWo5A
 zIKQ/YRahI/n3tZq6vQ+K8eGHIf3qa/97dCja+9IGQGXS0vShNeBiUuxSsZ/BR6f
 8Soz/ULtPHMLmumhb1lfJBypgLgt8itZUQ2Xgr3KrJZrRE4vM8GS/BeEvWM+AMn7
 M8KMulMvuP+j5YsfAtE04mwaLrBT+scgGXRuy5+UkEt13Of2QfuadFjE73WU6O02
 y/0+xtVlyD+JbBLLeGjk36gwX69I/6GSJvCvPbMr1p/UKNW61xTpL0NkBooJm4sD
 pmRlRLJd4Y4R+L6wWRronXGHmKIw6QhjkTlL1CPsHUyGQ4lUOp9zAmhJSbf+HYzZ
 obPweHfORUt++FaaKfZ7vQP4ZRab7JJ0yk7fv4GUnSTvB88ATNC2Hm/BvG9W51lB
 PhgUjgye0DkaY394taRDJP0T8CSmGxyFpt5F2g89itlg73D7yXgV/iscZq6e9oPG
 RQxde5KV+SldlduPpj0w4f/L4SyeHAk1fHwlD2S/sERDlpoCZyUqbNQf/w4fYAl0
 D7fTvPAgN0j+baDSESqCyg/E8kiq4VRrP1bhQapLkmSYMmZUNq9t55np4l+80dT1
 y//Bdu+AkfdAxRfB66aTnVVRRNvV8yzmzKKCBtDDMe82DSje130=
 =K2oD
 -----END PGP SIGNATURE-----

Merge tag 'i2c-for-7.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux

Pull i2c fixes from Wolfram Sang:
 "The biggest news here is that this is my last pull request as I2C
  maintainer after 13.5 years. Starting with the 7.2 cycle, Andi Shyti
  is taking over who helped me greatly maintaining the host drivers for
  a while now. Thank you, Andi, and good luck with the subsystem. I'll
  be around for help, of course.

  Technically, there are two patches which might be a tad large for this
  late cycle, but most of them is explaining comments, so I think they
  are suitable.

   - MAINTAINERS:
      - hand over I2C maintainership to Andi
      - minor updates

   - rust: fix I2cAdapter refcount double increment

   - imx: keep clock and pinctrl states consistent in runtime PM

   - imx-lpi2c: fix DMA resource leaks on PIO fallback

   - qcom-cci: fix NULL pointer dereference on remove

   - riic: fix reset refcount leak on resume_noirq error path

   - stm32f7: account for analog filter in timing computation

   - tegra:
      - fix suspend/resume handling in NOIRQ phase
      - update Tegra410 I2C timings to match hardware specs"

* tag 'i2c-for-7.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
  dt-bindings: i2c: mux-gpio: name correct maintainer
  MAINTAINERS: hand over I2C to Andi Shyti
  i2c: imx-lpi2c: fix resource leaks switching to devm_dma_request_chan()
  MAINTAINERS: i2c: designware: Remove inactive reviewer
  i2c: tegra: Fix NOIRQ suspend/resume
  i2c: tegra: Update Tegra410 I2C timing parameters
  i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()
  i2c: stm32f7: fix timing computation ignoring i2c-analog-filter
  i2c: imx: fix clock and pinctrl state inconsistency in runtime PM
  i2c: riic: fix refcount leak in riic_i2c_resume_noirq()
  rust: i2c: fix I2cAdapter refcounts double increment
2026-06-13 08:14:17 -07:00
Linus Torvalds
062871f137 Pin control fixes for v7.1:
- Two fixes for the mcp23s08 driver.
 
 - Revert an earlier fix to the AMD pin controller that was
   all wrong. A proper fix is being developed.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEElDRnuGcz/wPCXQWMQRCzN7AZXXMFAmosQ2gACgkQQRCzN7AZ
 XXMYEA/8Dw4lppKbkEOFzsFeCLa6eTu+xb7+cJU1T8xIEk9WA2Ipy/4C+ZceOp3H
 jxs8jsNG7K/flFPOoiMbP1w5ApLyH8n94kyhhyk4NzXj33+Dd189Gx47w/gUX5Pz
 pZICo+Cocfnh/gHsAX5yplf+Ga/k+C+B/Hssw1a+5Zhu37DVMrWK8XvBHNll8J0V
 SDqcFO1kG/fYPyU2DqNZwhdGIaO6jUA/s1xbQs4hCVUNVtMoDS87fFYGPHRNvPjt
 vP+WAA2aM52BXXiZytrZO4RmcCR4xEi0uxrBBPNiX0RFoP3g9xoc4q8nS57vRUJA
 EqLtO7y6nkBZLflzOZYkFU/TVnCKFPkIpwRlgRWzCqznehryg5Ab6+ynS0FEJk6b
 kEvbO0RrpQMjehBtXOZHirjg2BhGjenSiN0jS26LvLQNH+vP0/C7YT8GrwqDu+qV
 l3ZxdpL/GnYnyykvxGDxJ4A9xHuRaBNxVAfNguQYZrbspXeX1BtckSiKWkDCfqkj
 qyLp2ylcU3XmaQEXXZcpO0JtAzpug7EmE/yF5JeHUnlnZ/vgRnlWJCov6a+vN3bf
 bZcIOydFV+29e6DhlbgcCycu62EJn7TPBfgcPTv1hnNe8pYjRxqG8UmsMprcw2U5
 4uwqaVP+/5cI/g6qFEDMdIal1KKImI+AWACUI9lu2D8D5hpDeCk=
 =h1rZ
 -----END PGP SIGNATURE-----

Merge tag 'pinctrl-v7.1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl

Pull pin control fixes from Linus Walleij:

 - Two fixes for the mcp23s08 driver.

 - Revert an earlier fix to the AMD pin controller that was all wrong. A
   proper fix is being developed.

* tag 'pinctrl-v7.1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
  Revert "pinctrl-amd: enable IRQ for WACF2200 touchscreen on Lenovo Yoga 7 14AGP11"
  pinctrl: mcp23s08: Read spi-present-mask as u8 not u32
  pinctrl: mcp23s08: Initialize mcp->dev and mcp->addr before regmap init
2026-06-12 17:23:05 -07:00
Linus Torvalds
4fa048ed72 drm fixes for 7.1-rc8/final
colorop:
 - make lut interpolation mutable
 - track colorop updates correctly
 
 amdgpu:
 - UserQ fix
 - Userptr fix
 - MCCS freesync fix
 - track colorop changes correctly
 
 amdkfd:
 - Fix an event information leak
 - Events bounds check fix
 - Trap cleanup fix
 
 i915:
 - Check supported link rates DPCD read
 - Fix phys BO pread/pwrite with offset
 
 xe:
 - fix oops in suspend/shutdown without display
 - RAS fixes
 - Use HW_ERR prefix in log
 - include all registered queues in TLB invalidation
 - Fix refcount leak in xe_range_tree in error paths
 - fix job timeout recovery for unstarted jobs and kernel queues
 
 amdxdna:
 - fix possible leak of mm_struct
 
 ivpu:
 - fix integer truncation
 
 vc4:
 - fix leak in krealloc() error handling
 
 virtio:
 - fix dma_fence ref-count leak
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEEKbZHaGwW9KfbeusDHTzWXnEhr4FAmoshK4ACgkQDHTzWXnE
 hr4Smg/9FUfVrM81DM17+sdtWwj2NVVAqdaR9YfD836qKNJDGcStRfpxxwgrSLnL
 3XHKfieQD/AMTPnhJsz364Ei8XHgqGreTYf3kFl9q3ooDYtRTIILRliSl/e/YaLV
 RFmGVWDYQDhHdRGQiEZ+Nnyg8NzbBa6B0uNGqKX/sq68m3oOKrdffBVlGp5IpmDd
 FM5GLV757UVJMG076GvwqsW/lC8Cm3M4k6/njIEGYggF4fdid1O/hTk8HLx5u9vJ
 IkAf0jwedKRdPQC5L4nSHmTxQHIeiO7Le7zl/uegdZNEWdEIyUMdcXffUZSgrp+Y
 /3vhenjRwDrlmbf6xjCWyn9V1ozgY6B84HOwdutM0cXBuo5tixe1amECyHTcRH/q
 oxNsBBzeo6GYgcZeh8Pt25BFz6o11HqAV2PXOtTvfKqJX5UaNl5yf65nkcqsbCx/
 5AxET2PLsEdaxbBOo4tqXdIo1uyRDfcdt/p06eOLqBPt9iDqNFobzsSIK0UleO62
 zP1XSkR/e4jLVORrW9lSfEXfgtrqxngRHMRp78UxYlKb+dJU3CH2tfkvn+VW+NNB
 rlCb+OdHxDfHYBPO6CM4Qv3XtEjus95HW7DiVLhwdhZfkZZJ0/OSY8YlkVTvXC8E
 Z56vsuyC6fYBVzrjJyhtR+APrG8hDJwWgEC621XLmxo/1PNa22s=
 =gAFg
 -----END PGP SIGNATURE-----

Merge tag 'drm-fixes-2026-06-13' of https://gitlab.freedesktop.org/drm/kernel

Pull drm fixes from Dave Airlie:
 "Looks like it's settled down a bit more thankfully. Small changes
  across the board, amdgpu/xe leading with some colorop changes in the
  core/amd. Otherwise some misc driver fixes.

  colorop:
   - make lut interpolation mutable
   - track colorop updates correctly

  amdgpu:
   - UserQ fix
   - Userptr fix
   - MCCS freesync fix
   - track colorop changes correctly

  amdkfd:
   - Fix an event information leak
   - Events bounds check fix
   - Trap cleanup fix

  i915:
   - Check supported link rates DPCD read
   - Fix phys BO pread/pwrite with offset

  xe:
   - fix oops in suspend/shutdown without display
   - RAS fixes
   - Use HW_ERR prefix in log
   - include all registered queues in TLB invalidation
   - Fix refcount leak in xe_range_tree in error paths
   - fix job timeout recovery for unstarted jobs and kernel queues

  amdxdna:
   - fix possible leak of mm_struct

  ivpu:
   - fix integer truncation

  vc4:
   - fix leak in krealloc() error handling

  virtio:
   - fix dma_fence ref-count leak"

* tag 'drm-fixes-2026-06-13' of https://gitlab.freedesktop.org/drm/kernel: (24 commits)
  accel/amdxdna: Fix mm_struct reference leak in aie2_populate_range()
  drm/xe: fix job timeout recovery for unstarted jobs and kernel queues
  drm/xe: fix refcount leak in xe_range_fence_insert()
  drm/xe: include all registered queues in TLB invalidation
  drm/xe/hw_error: Use HW_ERR prefix in log
  drm/xe/drm_ras: Add per node cleanup action
  drm/xe/drm_ras: Make counter allocation drm managed
  drm/xe/display: fix oops in suspend/shutdown without display
  drm/amd/display: use plane color_mgmt_changed to track colorop changes
  drm/atomic: track individual colorop updates
  drm/colorop: make lut(1/3)d_interpolation props correctly behave as mutable
  drm/colorop: Remove read-only comments from interpolation fields
  drm/i915/gem: Fix phys BO pread/pwrite with offset
  drm/vc4: fix krealloc() memory leak
  drm/virtio: Fix driver removal with disabled KMS
  drm/i915/edp: Check supported link rates DPCD read
  accel/ivpu: Fix signed integer truncation in IPC receive
  drm/virtio: fix dma_fence refcount leak on error in virtio_gpu_dma_fence_wait()
  drm/amd/display: Consult MCCS FreeSync cap only if requested & supported
  drm/amdkfd: Unwind debug trap enable on copy_to_user failure
  ...
2026-06-12 15:51:16 -07:00
Dave Airlie
7c62657a10 Short summary of fixes pull:
amd:
 - track colorop changes correctly
 
 amdxdna:
 - fix possible leak of mm_struct
 
 colorop:
 - make lut interpolation mutable
 - track colorop updates correctly
 
 ivpu:
 - fix integer truncation
 
 vc4:
 - fix leak in krealloc() error handling
 
 virtio:
 - fix dma_fence ref-count leak
 -----BEGIN PGP SIGNATURE-----
 
 iQFPBAABCgA5FiEEchf7rIzpz2NEoWjlaA3BHVMLeiMFAmorv5QbFIAAAAAABAAO
 bWFudTIsMi41KzEuMTIsMiwyAAoJEGgNwR1TC3ojwYMH/iwAK01HiLXYmevOHphW
 bWcxEg4b1vvNUgDZJLP3Edob+OW+81CyO+/VE9jzB+BJ/eN1v7El6EBnrVXh2Bk+
 vuywPmqpqADLtHS8cNuUa12Q0nIi5A3yR9G5r1xvcuzhQgjJcEN7v7MjhvEKUjwI
 Bs8xmplGdO8wpHoxNSTmiluDN34ekf2QK2zk68hDie4z3hhyVgV/E6swfbr6jXR+
 7BjhwV8nF3kB0awvRcQwScmGEqTq653SPI2Fco6oXFmlTBc4tR0qcNyUENCoam4n
 BGpi7VPoqeKrKkQ6qdVUBxtztpMZwoffCWlfCAyr2oWUtYKMwdyyFaj5xrQGDlZl
 iBQ=
 =GN7d
 -----END PGP SIGNATURE-----

Merge tag 'drm-misc-fixes-2026-06-12' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes

Short summary of fixes pull:

amd:
- track colorop changes correctly

amdxdna:
- fix possible leak of mm_struct

colorop:
- make lut interpolation mutable
- track colorop updates correctly

ivpu:
- fix integer truncation

vc4:
- fix leak in krealloc() error handling

virtio:
- fix dma_fence ref-count leak

Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patch.msgid.link/20260612081418.GA17001@2a02-2455-9062-2500-e496-5a17-62ba-545e.dyn6.pyur.net
2026-06-13 07:52:40 +10:00
Linus Torvalds
2a2974b514 pci-v7.1-fixes-3
-----BEGIN PGP SIGNATURE-----
 
 iQJIBAABCgAyFiEEgMe7l+5h9hnxdsnuWYigwDrT+vwFAmosbh0UHGJoZWxnYWFz
 QGdvb2dsZS5jb20ACgkQWYigwDrT+vzXoQ//Ssd9XRvwx8eMqk6xoYBSD7EmPNpI
 4kKOo10Ilkz5WiKGkFJGjmgEVhxejNPICCatVXwC/O4y7tVk7lInKzUJPJZHP7vx
 CZyL/g2PoXCUojmKfbeWfLN6f9hHtTS13h1PJlTgYMz9OkAzWJXVVkOK55p66HQb
 P+3Li5a4q5LJxs5V22vhxaXF+FV6wJZ7YisyDb6jFnml2AI4+WTAbropCYxcD3Pj
 EmWD1TqLt7cGF6y5BVeSnGW76/WoC+zjXOlZIpEEFDRaZre+JNj/kTpR6f6Jb2er
 ic0G90h/0hK9tR62bOfQ0/5u1AveYeI0OrrEQDoOGg9EV+4J/n3lO20/EtRuVCAT
 tjRuDh49/hWIelndll+TlLMVND4P3P2YJVdCcmL/cDs/XcTTQOZFotaeexH3vvlS
 Z9HPHM6XXahCsQ8QcRmK3VK/rS588avccePIMoFYIxUzj/5mmuLrrzuFSk42DBS7
 Tuky/MiS6J8ja7HgHj9EcwfB5fkQ7MIM+Q1kKuQQv0um0PDdsV5VVitHVEgznZX+
 AIHn8B2m2LOIekH+KMPwKoOPHJ8Nzg0GHJUx+k6QlUueISZz/eeJoLkvhYqQU/2r
 GuvJ94uOV0oCJLGWTUTja5YrOEYKR42zWHZZRnUeL7yXePfhoczg8aj6nTSrAWj9
 I1pW7wWlmYkujOk=
 =/21W
 -----END PGP SIGNATURE-----

Merge tag 'pci-v7.1-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci

Pull pci fix from Bjorn Helgaas:

 - Add Frank Li as PCI endpoint reviewer (Frank Li)

* tag 'pci-v7.1-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci:
  MAINTAINERS: Add Frank Li as PCI endpoint reviewer
2026-06-12 13:49:45 -07:00
Frank Li
d898796a8e MAINTAINERS: Add Frank Li as PCI endpoint reviewer
I have volunteered to review PCI endpoint-related changes.  Add myself as a
reviewer to be notified when related patches are posted.

Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Link: https://patch.msgid.link/20260611210007.529205-1-Frank.Li@oss.nxp.com
2026-06-12 15:15:38 -05:00
Linus Torvalds
2860828361 spi: Fixes for v7.1
A couple of driver specific fixes for v7.1, a small targetted fix for
 hardware error handling on DesignWare controllers and another for
 handling of custom chip select managmenet on Qualcomm GENI controllers.
 -----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCgAdFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAmosRy4ACgkQJNaLcl1U
 h9DIigf8CYkVGrJ/PRXvWUcF4xwiwyO1GsM15cDN3LVUC6dD2P2DzHjxVvr5KvzI
 J+ZS7Dyh/TDTZxdCS1foHsQWALtwNfLMqVQHk/YdJDH7ELVQkHzyxUwVa9RJtexM
 d7HHtCoYivANp3CQugJVXux11cRinRCU8aCBvcj7/o26tRxFmvoRT9U7jsAJULyG
 7Mb03RCsOlxi2cOGRSTq3a4b2GanoxD+z7zKde99jTI5haA7oWR3XLEgLSBf5REl
 PUEwTkrPopTqESELOZe+YinGwLhVljAkSX+f6yAAVbk33aW2hSmveNpb5wK40dRF
 E3NmCpAxjcAxo0iIBfVjUHGXIK8now==
 =8A3s
 -----END PGP SIGNATURE-----

Merge tag 'spi-fix-v7.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi

Pull spi fixes from Mark Brown:
 "A couple of driver specific fixes: a small targeted fix for hardware
  error handling on DesignWare controllers and another for handling of
  custom chip select management on Qualcomm GENI controllers"

* tag 'spi-fix-v7.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
  spi: dw: fix race between IRQ handler and error handler on SMP
  spi: qcom-geni: Fix cs_change handling on the last transfer
2026-06-12 11:06:16 -07:00
Linus Torvalds
880b719ca0 io_uring-7.1-20260611
-----BEGIN PGP SIGNATURE-----
 
 iQJEBAABCAAuFiEEwPw5LcreJtl1+l5K99NY+ylx4KYFAmorP5QQHGF4Ym9lQGtl
 cm5lbC5kawAKCRD301j7KXHgpvLwEAC2LpbRdv9oclx2l1zhM8RvnRcSMcMrcNzB
 HpDXBe8ljMg/9Omv90FFTjtfmrUvu9McnkxCsvd7j2xLBz1WUOadD1M9qDeDtzSC
 u7BqrL8XnpCrEds5N6nMyXaFnT50HXI5WO2LVGW7Hk3gVO6L6po2aBlXgOJ6K2a+
 BLQ2DN05rNbD4dTbO73wUObSCqEwVrCZp7jnPWL/Z7ff/04HATPOtaEPVtjCyVW9
 v+gFb9DDXzAGVp4MKTeT3rUQQI3wKj/REmI/4hTMHWofcif6rvuSDQg9ktMu/3SW
 Weg7fmbjubeYiKLSsjx+abJ2hefyHOZrXZoaPtx0Moxou6K3RnxFUSCgod+QsBUF
 u1MoDAWhXJx9lDoPjYOjaL8gEv/rwNZoS15OCY3eUWLWtPG6XhYSUQNaIV6Y66eM
 7QzajFfZ50QMPNXSN8jyedOeiXIMu8sjcFdmGiL7ALtGfqdZApVyYZIxXOJ31q6D
 R+ucSQgUXeDF1VsUmLIGkFsbRvPPpoxn+tPZUSVt2me4V2aWWtzdN+ciXaknrKj/
 z1lmEL8eiHBacVIlSnJcUMEChmC59K6M6+YFPJUUQbzLeiYyw5qxdk093OLrfeC/
 ZMw0OpSbjI7antbqHA8UvDlrUGCg89+96sbt5fDfed0dk0j/kjOOfTQEvQO4dOcn
 qlksyQnguQ==
 =cim5
 -----END PGP SIGNATURE-----

Merge tag 'io_uring-7.1-20260611' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux

Pull io_uring fixes from Jens Axboe:

 - Tweak for an off-by-one in the CQ ring accounting for the min wait
   support.

 - Don't truncate end buffer length for a bundle, as the transfer might
   not happen. It's not required in the first place, as the completion
   side handles this condition already.

* tag 'io_uring-7.1-20260611' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux:
  io_uring/wait: fix min_timeout behavior
  io_uring/kbuf: don't truncate end buffer for bundles
2026-06-12 10:49:59 -07:00
Linus Torvalds
2e04e0961e USB/Thunderbolt fixes for 7.1-final
Here are some small bugfixes for USB serial and Thunderbolt drivers for
 some reported and found issues.  Included in here are:
   - usb serial overflow bugs fixed
   - new usb serial device id
   - thunderbolt validation fixes for reported issues
 
 All of these have been in linux-next this week with no reported issues.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 
 iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCaivU8w8cZ3JlZ0Brcm9h
 aC5jb20ACgkQMUfUDdst+ylkDQCgl/tr857mpCkfWSX+GxFnp5BJhqYAn26ISsqK
 HujT9oSMn1j9W4iR3PEm
 =4zy7
 -----END PGP SIGNATURE-----

Merge tag 'usb-7.1-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb

Pull USB / Thunderbolt fixes from Greg KH:
 "Here are some small bugfixes for USB serial and Thunderbolt drivers
  for some reported and found issues. Included in here are:

   - usb serial overflow bugs fixed

   - new usb serial device id

   - thunderbolt validation fixes for reported issues

  All of these have been in linux-next this week with no reported
  issues"

* tag 'usb-7.1-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
  USB: serial: kl5kusb105: fix bulk-out buffer overflow
  USB: serial: option: add usb-id for Dell Wireless DW5826e-m
  USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr()
  USB: serial: io_ti: fix heap overflow in get_manuf_info()
  thunderbolt: Limit XDomain response copy to actual frame size
  thunderbolt: Validate XDomain request packet size before type cast
  thunderbolt: Clamp XDomain response data copy to allocation size
  thunderbolt: Bound root directory content to block size
  thunderbolt: Reject zero-length property entries in validator
2026-06-12 10:29:06 -07:00
Linus Torvalds
c133f0433a Staging driver fixes for 7.1-final
Here are two small bugfixes for a staging driver to fix a
 much-reported issue.  The fixes are for the rtl8723bs driver and it's
 something that many scanning tools keep tripping over in convoluted ways
 (and seems to be able to be triggered by network traffic.)  These fixes
 have been in linux-next for many weeks with no reported issues, sorry
 for the delay in getting them to you.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 
 iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCaivZug8cZ3JlZ0Brcm9h
 aC5jb20ACgkQMUfUDdst+ykZ3gCfYVW4wCYm4ZpkkYly3bO75AMaFmIAoMfIB0qD
 tUDe4wHd9gPN2JYTJfxf
 =zdW9
 -----END PGP SIGNATURE-----

Merge tag 'staging-7.1-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging

Pull staging driver fixes from Greg KH:
 "Here are two small bugfixes for a staging driver to fix a
  much-reported issue.

  The fixes are for the rtl8723bs driver and it's something that many
  scanning tools keep tripping over in convoluted ways (and seems to be
  able to be triggered by network traffic)

  These fixes have been in linux-next for many weeks with no reported
  issues, sorry for the delay in getting them to you"

* tag 'staging-7.1-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
  staging: rtl8723bs: rtw_mlme: add bounds checks before ie_length subtraction
  staging: rtl8723bs: fix buffer over-read in rtw_update_protection
2026-06-12 10:10:12 -07:00
Linus Torvalds
9a837eff90 Char/Misc driver fixes for 7.1-final
Here are some small driver fixes for 7.1-final to resolve some reported
 issues.  Included in here are:
   - slimbus qcom driver bugfixes
   - nvmem driver bugfixes
   - fastrpc driver bugfixes
   - stratix10 firmware driver bugfixes
 
 All of these have been in linux-next for over a week with no reported
 issues.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 
 iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCaivfhg8cZ3JlZ0Brcm9h
 aC5jb20ACgkQMUfUDdst+yldawCfXjPDG6TDV7MbIQd5PyhlUZ+WEJgAoMznv7Lx
 Pi2sdZhJ4pfYBgwC/VAj
 =rn/r
 -----END PGP SIGNATURE-----

Merge tag 'char-misc-7.1-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc

Pull char/misc driver fixes from Greg KH:
 "Here are some small driver fixes for 7.1-final to resolve some
  reported issues. Included in here are:

   - slimbus qcom driver bugfixes

   - nvmem driver bugfixes

   - fastrpc driver bugfixes

   - stratix10 firmware driver bugfixes

  All of these have been in linux-next for over a week with no
  reported issues"

* tag 'char-misc-7.1-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
  misc: fastrpc: fix use-after-free race in fastrpc_map_create
  misc: fastrpc: Fix NULL pointer dereference in rpmsg callback
  misc: fastrpc: fix DMA address corruption due to find_vma misuse
  misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context
  slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock
  slimbus: qcom-ngd-ctrl: Balance pm_runtime enablement for NGD
  slimbus: qcom-ngd-ctrl: Initialize controller resources in controller
  slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd
  slimbus: qcom-ngd-ctrl: Correct PDR and SSR cleanup ownership
  slimbus: qcom-ngd-ctrl: Fix probe error path ordering
  slimbus: qcom-ngd-ctrl: Fix up platform_driver registration
  slimbus: qcom-ngd-ctrl: fix OF node refcount
  nvmem: core: fix use-after-free bugs in error paths
  nvmem: layouts: onie-tlv: fix hang on unknown types
  firmware: stratix10-rsu: Fix NULL deref on rsu_send_msg() timeout in probe
  firmware: stratix10-svc: Don't fail probe when async ops unsupported
  firmware: stratix10-svc: Return -EOPNOTSUPP when ATF async unsupported
2026-06-12 09:00:28 -07:00
Linus Torvalds
1dadb7e7eb sound fixes for 7.1
A few small fixes for the last spurt.  All changes are small, mostly
 consisting of driver-specific fixes, along with two UAF fixes for the
 ALSA timer core.
 
 * Core:
   - Two UAF fixes in ALSA timer core
 
 * ASoC:
   - SDCA: Fix NULL pointer dereference
   - amd / yc: Add DMI quirk for ASUS ExpertBook PM1403CDA
   - SOF amd: Fix garbage/spurious warnings
   - wm_adsp: Fix potential NULL dereference when removing firmware
     controls
   - loongson: Fix negative position calculation
   - spi-rzv2h-rspi: Fix SPDR read access width on 16-bit RX path
 -----BEGIN PGP SIGNATURE-----
 
 iQJCBAABCAAsFiEEIXTw5fNLNI7mMiVaLtJE4w1nLE8FAmor0GIOHHRpd2FpQHN1
 c2UuZGUACgkQLtJE4w1nLE/1uQ/9GlsBaHMjMiAu/CFEVq2NWRpt1bJPoOhJoQpZ
 dSfKF+RdhaxR076Kh968GNcVy/crZiHjKVCSz4Vt3qpazca2Bu3DVpyQ0gaoLu9L
 G0+f14E8FVvRw5akTl83CNPQPi8vlz9fbUvUzAAReXYNwlIztZHLQoo/gSok4S5H
 4PpvduVOu69E46LTvquOA0v0BTNWQ2UaMs6gaW1kRoAWupyggEbunyQKxw7riyuu
 TlWvwaLh2TiEKNGsZiZRzdLFFyKpzIE8EvNgP9AauQapXX3sIqXrwVSY6wLM6+1Q
 3ZCIWrgToRd9McZwW3LmOUUIIRMgq9sgjFRpzSDNFuIkYtabZpBfJOWRGVEyfVOY
 pHvgYqs5kuot4Du4Kie5ObAcbz+iOyIy3TBP61M5uzC81Iy20XbNnYgwmHJAqCmZ
 Wpjga6d6Tu45xQRk2RBXtutWDFKOYDQOKFvKZnLBfu5cbrsIzYkTQiR+QaAbNC92
 LRgKXmMAcdIcpWFPEuRD0gNH2U6bs0oeXx6E8Rxr1wAzIzIau6JUEwPDHmR+JPFT
 nAGxh4vy3aDyhyImK8DTmC7G8XmHwQyhbAYoMCrB0SvKaEKO32Ewrfa8oDXARxYQ
 ooNJ90h2EO4nCJOOXzF2QZksfHQMpU27iJnHy+JUqKkp5FqskSStFKb0KXz/oYd+
 3vNB6FQ=
 =a42R
 -----END PGP SIGNATURE-----

Merge tag 'sound-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "A few small fixes for the last spurt. All changes are small, mostly
  consisting of driver-specific fixes, along with two UAF fixes for the
  ALSA timer core.

  Core:
   - Two UAF fixes in ALSA timer core

  ASoC:
   - SDCA: Fix NULL pointer dereference
   - amd / yc: Add DMI quirk for ASUS ExpertBook PM1403CDA
   - SOF amd: Fix garbage/spurious warnings
   - wm_adsp: Fix potential NULL dereference when removing firmware
     controls
   - loongson: Fix negative position calculation
   - spi-rzv2h-rspi: Fix SPDR read access width on 16-bit RX path"

* tag 'sound-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ASoC: SDCA: fix NULL pointer dereference in sdca_dev_unregister_functions
  ASoC: loongson: Fix invalid position error in ls_pcm_pointer
  spi: rzv2h-rspi: Fix SPDR read access width for 16-bit RX
  ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK PM1403CDA
  ASoC: SOF: amd: set ipc flags to zero
  ASoC: SOF: amd: fix for ipc flags check
  ASoC: wm_adsp: Fix NULL dereference when removing firmware controls
  ALSA: timer: Fix UAF at snd_timer_user_params()
  ALSA: timer: Forcibly close timer instances at closing
2026-06-12 08:52:10 -07:00
Linus Torvalds
fd41dc46db soc: fixes for 7.3, part 3
Two more small fixes came in, both addressing corner cases in platform
 specific code: the microchip mpfs system controller probe and the CPU
 power management on 32-bit rockchips SoCs.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEo6/YBQwIrVS28WGKmmx57+YAGNkFAmorLtUACgkQmmx57+YA
 GNm00xAAsYhcrY71KndI6OCLG/j8/WXd544Ghu/18JTVAzBiSug4KRtBfPaMCzAK
 ZyPX/G5SqihSYOTZ8ETMUSFasde7AyHE7UphB5TMH5uesPjjKdToGMVWnhjVpY7y
 3ECYSsbkWw0p8FHwh//utRxThwSaK0wnJrb2Q465Wf9URktBrQ5jGltfOow8+jji
 nLMZ5UpQ21tqQP0qkPkusIDqQKabfcFzjjzuj+2e0BCFZcxLChZXO+xxfTYjkMjt
 eOzVuN75QIbRK1QVc9aHo+xs7pFqR969tNK7889aSXLUi2UzyFy+32pPxeZQVyWB
 vTHsx5/RqhIvu9BwSHPNTOSYhjS6EmYR5PPOyB74uhMnhwCtjfHEiP28K9J5ROfC
 FVBIAJvb7w4aLoBcxQoI3wroCzv22RV4wiy+FPvUX8RT0kZ1D4aj0N0x1SDxoJ1I
 mak2Cf5m4vRfJ1PIQroxX3hn0M36ayp4Z7kKX8CAol8fc8fUanXRy+6VN34IByiC
 c54Hlt6xNaOBVm7xC1tuONgvRRmoTI8RvtRK9uvOAyiqx5hjNDuTuhXGwG/WApYL
 PTC7Yzmqb5Hj6FhuCsG0IO32DzHY6E2lBCsnpYjPDDo41oYDM+ALFJ4w67d6rfgf
 Ns9phfPVzgNJF2i/r1rU26auN+zg4IgzI+hMbkzxsVNLJ4giBoU=
 =4BDQ
 -----END PGP SIGNATURE-----

Merge tag 'soc-fixes-7.1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc

Pull SoC fixes from Arnd Bergmann:
 "Two more small fixes came in, both addressing corner cases in platform
  specific code: the microchip mpfs system controller probe and the CPU
  power management on 32-bit rockchips SoCs"

* tag 'soc-fixes-7.1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc:
  ARM: rockchip: keep reset control around
  soc: microchip: mpfs-sys-controller: fix resource leak on probe error
2026-06-12 08:44:56 -07:00
Wolfram Sang
35ebcfcc9e i2c-host-fixes for v7.1-rc8
- imx: keep clock and pinctrl states consistent in runtime PM
 - imx-lpi2c: fix DMA resource leaks on PIO fallback
 - qcom-cci: fix NULL pointer dereference on remove
 - riic: fix reset refcount leak on resume_noirq error path
 - stm32f7: account for analog filter in timing computation
 - tegra: fix suspend/resume handling in NOIRQ phase
 - tegra: update Tegra410 I2C timings to match hardware specs
 - MAINTAINERS: hand over I2C maintainership to Andi
 -----BEGIN PGP SIGNATURE-----
 
 iHQEABYKAB0WIQScDfrjQa34uOld1VLaeAVmJtMtbgUCaivYkgAKCRDaeAVmJtMt
 bq6BAQDIi1pJu3mcfXZagsn/DWVqM55a6H8pvYHkpdIQFcchXQD4lgbiopNoKusj
 I5qIKtRs2KD/FLAhWYl0vhEoY4PkBw==
 =LfKo
 -----END PGP SIGNATURE-----

Merge tag 'i2c-host-fixes-7.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/andi.shyti/linux into i2c/for-current

i2c-host-fixes for v7.1-rc8

- imx: keep clock and pinctrl states consistent in runtime PM
- imx-lpi2c: fix DMA resource leaks on PIO fallback
- qcom-cci: fix NULL pointer dereference on remove
- riic: fix reset refcount leak on resume_noirq error path
- stm32f7: account for analog filter in timing computation
- tegra: fix suspend/resume handling in NOIRQ phase
- tegra: update Tegra410 I2C timings to match hardware specs
- MAINTAINERS: hand over I2C maintainership to Andi
2026-06-12 17:05:44 +02:00