Commit graph

1,447,459 commits

Author SHA1 Message Date
Wolfram Sang
5cad752e1e dt-bindings: i2c: mux-gpio: name correct maintainer
The YAML conversion added me as maintainer but I can't recall being
asked nor do I want to maintain it. Add Peter as maintainer for the
binding as he is maintainer of the driver.

Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Acked-by: Peter Korsgaard <peter.korsgaard@barco.com>
Acked-by: Conor Dooley <conor.dooley@microchip.com>
2026-06-12 16:58:38 +02:00
Wolfram Sang
9bffa2a615
MAINTAINERS: hand over I2C to Andi Shyti
After 13.5 years of maintaining I2C, it is finally time for me to move
to other areas. So, I hereby transfer I2C maintainership to Andi Shyti.
He has been taking care of the I2C host drivers for a while now and
kindly agreed to look after the whole subsystem. Thank you, Andi! I also
want to thank all contributors, reviewers, and fellow maintainers making
all these years a mostly smooth ride. Happy hacking, everyone!

Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20260609091612.8228-4-wsa+renesas@sang-engineering.com
2026-06-12 11:11:58 +02:00
Dave Airlie
6fe5552f67 Merge tag 'drm-xe-fixes-2026-06-11' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes
UAPI Changes:

Cross-subsystem Changes:

Core Changes:

Driver Changes:
 - fix oops in suspend/shutdown without display (Jani)
 - RAS fixes (Raag)
 - Use HW_ERR prefix in log (Raag)
 - include all registered queues in TLB invalidation (Tangudu)
 - Fix refcount leak in xe_range_tree in error paths (Wentao)
 - fix job timeout recovery for unstarted jobs and kernel queues (Rodrigo)

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Matthew Brost <matthew.brost@intel.com>
Link: https://patch.msgid.link/aitt8ZkYmxIT9cdP@gsse-cloud1.jf.intel.com
2026-06-12 13:57:17 +10:00
Dave Airlie
c7be308858 Merge tag 'drm-intel-fixes-2026-06-11' of https://gitlab.freedesktop.org/drm/i915/kernel into drm-fixes
- Check supported link rates DPCD read [edp] (Nikita Zhandarovich)
- Fix phys BO pread/pwrite with offset [gem] (Joonas Lahtinen)

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Tvrtko Ursulin <tursulin@igalia.com>
Link: https://patch.msgid.link/aipkcUDnTlzre-8F@linux
2026-06-12 13:32:49 +10:00
Linus Torvalds
f51cae6603 dma-mapping fixes for Linux 7.1
Three more fixes for the DMA-mapping code, related to PCI P2PDMA, DMA
 debug and DMA link ranges API (Li RongQing and Jason Gunthorpe).
 -----BEGIN PGP SIGNATURE-----
 
 iHUEABYIAB0WIQSrngzkoBtlA8uaaJ+Jp1EFxbsSRAUCaisf2gAKCRCJp1EFxbsS
 RASLAP953EuMof1qqGoMSNpDMIYNO0392Tdqyiq+nm1BwnLWfgEA/Q0m9yVtxbR7
 zP/dxo+H95OforpTNJYdEWnXOBaAbwM=
 =o0ql
 -----END PGP SIGNATURE-----

Merge tag 'dma-mapping-7.1-2026-06-11' of git://git.kernel.org/pub/scm/linux/kernel/git/mszyprowski/linux

Pull dma-mapping fix from Marek Szyprowski:
 "Three more fixes for the DMA-mapping code, related to PCI P2PDMA, DMA
  debug and DMA link ranges API (Li RongQing and Jason Gunthorpe)"

* tag 'dma-mapping-7.1-2026-06-11' of git://git.kernel.org/pub/scm/linux/kernel/git/mszyprowski/linux:
  iommu/dma: Do not try to iommu_map a 0 length region in swiotlb
  dma-debug: fix physical address retrieval in debug_dma_sync_sg_for_device
  dma-mapping: direct: fix missing mapping for THRU_HOST_BRIDGE segments
2026-06-11 14:22:26 -07:00
Takashi Iwai
b0d1553d51 ASoC: Fixes for v7.1
A few more fixes for this release, some smaller driver specific ones
 plus a final quirk.
 -----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCgAdFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAmoq+TEACgkQJNaLcl1U
 h9Dh6Af/UsCFmuhthu0qJ6kDXkr5rtetUsv3NI1ek0VrBj5MXFzPBJ664IeoExjm
 9EIcBEOkMewzZWo8KuG0GZV1MO60P5z3xRBAsidwxEfzLKnLKHNtQM5lrh1RTgBJ
 NU21OpEwgRQtPxFQVsCHY2TV7IxHwvlEdZ9SeikBAlBXpU1tbnm9HQN+LT3kO8m0
 +vKYlfHN/q/HucmZVzOmottYSjBS3oxVXU2/QFvui6ThhyaXc9t7oU6sYYFzaYBg
 WoZT+ZEoEbyKR1WBIh3FwVGpxB2wuwIefo/E22/WDUtVQ0ZxMiNxEwhjqgh+7Uo0
 BVbzFBYyBSrtTqWp3AEPSStLKnPs7A==
 =0BRq
 -----END PGP SIGNATURE-----

Merge tag 'asoc-fix-v7.1-rc7' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus

ASoC: Fixes for v7.1

A few more fixes for this release, some smaller driver specific ones
plus a final quirk.
2026-06-11 21:29:47 +02:00
Linus Torvalds
2b414a95b8 s390 fixes for final 7.1
- s390 selects GENERIC_LOCKBREAK when PREEMPT is enabled to tackle
   an old compile error that no longer exists. Since recently PREEMPT
   is always enabled, which causes massive performance regressions.
   Remove GENERIC_LOCKBREAK from s390 Kconfig to fix the degradation.
 -----BEGIN PGP SIGNATURE-----
 
 iI0EABYKADUWIQQrtrZiYVkVzKQcYivNdxKlNrRb8AUCaiq9bRccYWdvcmRlZXZA
 bGludXguaWJtLmNvbQAKCRDNdxKlNrRb8FCuAQDlvObouwyTRvY5xZVKCw4LChA1
 DlVeSwoEw/y9VPqShgD8DXviQZNlPxD5gDQU+vptYeK0RlL/U3oHpmUxNnWDDgM=
 =QmVH
 -----END PGP SIGNATURE-----

Merge tag 's390-7.1-5' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux

Pull s390 fix from Alexander Gordeev:

 - s390 selects GENERIC_LOCKBREAK when PREEMPT is enabled to tackle an
   old compile error that no longer exists. Since recently PREEMPT is
   always enabled, this LOCKBREAK config causes massive performance
   regressions.

   Remove GENERIC_LOCKBREAK from s390 Kconfig to fix the degradation.

* tag 's390-7.1-5' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
  s390: Remove GENERIC_LOCKBREAK Kconfig option
2026-06-11 10:30:37 -07:00
Linus Torvalds
22e2036479 Including fixes from IPsec and netfilter.
This is relatively small, mostly because we are a bit behind our PW
 queue. I'm not aware of any pending regression.
 
 Current release - regressions:
 
   - netfilter: nf_tables_offload: drop device refcount on error
 
 Previous releases - regressions:
 
   - core: add pskb_may_pull() to skb_gro_receive_list()
 
   - xfrm: iptfs: preserve shared-frag marker in iptfs_consume_frags()
 
   - ipv6: fix a potential NPD in cleanup_prefix_route()
 
   - ipv4: fix use-after-free caused by the fqdir_pre_exit() flush
 
   - eth: bnxt_en: fix NULL pointer dereference
 
   - eth: emac: fix use-after-free during device removal
 
   - eth: octeontx2-af: fix memory leak in rvu_setup_hw_resources()
 
   - eth: tun: zero the whole vnet header in tun_put_user()
 
   - eth: sit: reload inner IPv6 header after GSO offloads
 
 Previous releases - always broken:
 
   - core: fix double-free in netdev_nl_bind_rx_doit()
 
   - netfilter: nf_log: validate MAC header was set before dumping it
 
   - xfrm: iptfs: fix ABBA deadlock in iptfs_destroy_state()
 
   - tcp: restrict SO_ATTACH_FILTER to priv users
 
   - mctp: usb: fix race between urb completion and rx_retry cancellation
 
   - eth: mlx5: fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list
 
   - eth: mvpp2: sync RX data at the hardware packet offset
 
 Signed-off-by: Paolo Abeni <pabeni@redhat.com>
 -----BEGIN PGP SIGNATURE-----
 
 iQJGBAABCgAwFiEEg1AjqC77wbdLX2LbKSR5jcyPE6QFAmoqtzwSHHBhYmVuaUBy
 ZWRoYXQuY29tAAoJECkkeY3MjxOkoocP/jvEqlK2vp2BDrNR2GHz/mTMkarRaYnB
 Q6TSmTqRFtfjQYgVhIsNgmzcdUq7B+Y8glhpDmWx5FPS0crK/gS3J91hGzmJOIK4
 qXn7DLyKT/uxW7jEDFSMaetxH3PvSa/PQXi4RdSaM2mN9ZXIG6IqlrClOQ/MAYGK
 W8/OoKV2XmjasqmKPbl36fk4q5+EKxaoZZ8OibzYk00pCSxxa5iDdX05gpTgBQ9t
 Vu14Qmc9bvnQAmhSnsQhUE0dhqS66iHztcPo27AK5ovBdcx9+BgaXnAlITslgM6H
 OyIxtK3gTnpdo6PkVJU2BNazYVBWyJl2nlUgGAS3AsdjYL86UEugRHVQevO0cnrO
 t4dMgOrLjNmjf9HUlqfeIed9BC0Erdg/yrIYuXPhCouF1DVyX6bZwA/nGaBOGVBF
 wIpgArLfUhqG1O2jXNG6HTM/HeeBIZmu9BHPtGSF7mab1018f3Bd3ZPhxLYC6lru
 sg1fV8ECXoHgUIxtv6+ZeH2MZN9yUxubisH6MvMQVlSZRxISnejMNCYWfwf5V1RF
 052wEi4aPNJ5Gf5jrq3e1Xk7pNl+nupYziBoE9gGTfj6OmCSIK3ySm0U5dpAgAo+
 kpSDjU6zj15QG+GTe07YRgt2n/aeeXJ2Sm1y/qvx6+4tOvlsgjaKRkfxhKKCrxZJ
 Z7q4cBFLoDdT
 =xvWb
 -----END PGP SIGNATURE-----

Merge tag 'net-7.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

Pull networking fixes from Paolo Abeni:
 "Including fixes from IPsec and netfilter.

  This is relatively small, mostly because we are a bit behind our PW
  queue. I'm not aware of any pending regression.

  Current release - regressions:

   - netfilter: nf_tables_offload: drop device refcount on error

  Previous releases - regressions:

   - core: add pskb_may_pull() to skb_gro_receive_list()

   - xfrm: iptfs: preserve shared-frag marker in iptfs_consume_frags()

   - ipv6: fix a potential NPD in cleanup_prefix_route()

   - ipv4: fix use-after-free caused by the fqdir_pre_exit() flush

   - eth:
      - bnxt_en: fix NULL pointer dereference
      - emac: fix use-after-free during device removal
      - octeontx2-af: fix memory leak in rvu_setup_hw_resources()
      - tun: zero the whole vnet header in tun_put_user()
      - sit: reload inner IPv6 header after GSO offloads

  Previous releases - always broken:

   - core: fix double-free in netdev_nl_bind_rx_doit()

   - netfilter: nf_log: validate MAC header was set before dumping it

   - xfrm: iptfs: fix ABBA deadlock in iptfs_destroy_state()

   - tcp: restrict SO_ATTACH_FILTER to priv users

   - mctp: usb: fix race between urb completion and rx_retry
     cancellation

   - eth:
      - mlx5: fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list
      - mvpp2: sync RX data at the hardware packet offset"

* tag 'net-7.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (64 commits)
  octeontx2-af: fix IP fragment flag corruption on custom KPU profile load
  ipv6: Fix a potential NPD in cleanup_prefix_route()
  net: txgbe: initialize PHY interface to 0
  net: txgbe: distinguish module types by checking identifier
  net: txgbe: initialize module info buffer
  net: mvpp2: build skb from XDP-adjusted data on XDP_PASS
  net: mvpp2: refill RX buffers before XDP or skb use
  net: mvpp2: limit XDP frame size to the RX buffer
  net: mvpp2: sync RX data at the hardware packet offset
  netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register
  netfilter: nft_fib: fix stale stack leak via the OIFNAME register
  netfilter: nft_exthdr: fix register tracking for F_PRESENT flag
  netfilter: nf_log: validate MAC header was set before dumping it
  netfilter: x_tables: avoid leaking percpu counter pointers
  netfilter: nf_conntrack: destroy stale expectfn expectations on unregister
  netfilter: nf_tables_offload: drop device refcount on error
  netfilter: revalidate bridge ports
  rds: mark snapshot pages dirty in rds_info_getsockopt()
  ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()
  ptp: ocp: fix resource freeing order
  ...
2026-06-11 10:17:49 -07:00
Linus Torvalds
79f2670da8 pmdomain providers:
- imx: Fix OF node refcount
  - ti: Fix wakeup configuration for parent devices of wakeup sources
 -----BEGIN PGP SIGNATURE-----
 
 iQJEBAABCgAuFiEEugLDXPmKSktSkQsV/iaEJXNYjCkFAmoqk98QHHVsZmhAa2Vy
 bmVsLm9yZwAKCRD+JoQlc1iMKYu3EADMgGONH+8wEuLwr5NkNQwFZ5ZFOv8IR5Ss
 MeWXgk5xAnUXJFs11cvgyuW2s3f3gHEayZetffpRYEAp+PPk1tIP3x7Q6QR8RQd6
 THPezoGMlG/G3Dm3F8ekF8+igW8awlS5xyQemt4WMLgC62fHMaLsrXqSu383EUy3
 GwGEzU+UXBxBBpntdqD1n3ZkUkJZBSMZA9OezfD885mrpJMZvLUsNO+CrsRXS9W/
 Cv0WzZveRMYOR7MSQYfou2yVb8QzcgQ9UgGjDUVvFNBrS9EaZuFzWJupUS48XCkg
 49herg41k9MF6zVPWOBCEI84jFhvtR+90DSU/P+DpyU9NNWkRmYJ3T72ufbCB++Q
 VmCyGedKkwsO9FJzzljH0aFFDxBZ8FqBUodm0KSreru7Ft/aGmnq14iGH7avIAp+
 DnHQ2q2e3oSwtD+To8JnRuqMUW+EBdEzqzw0CgtrtjkzNakJH4OwzD0Hstl2RdM3
 xdgxPFFhEYTmzT6Z9+yVJG+PLWGwHu4sy+Eb7QCddvjnHNNwOMtWPVZQtE31pRMY
 QqQMcsR1GzUHE4TCti3NpOmCecKnp/c4LAX3gS+xsdybh9QqcSsRMYIn3/adF2I1
 2uxrkdXkjga8JAwS5/lotnbbZEC3ZalWMmWj9gwwzZauaFM5GwnX7DewwJ3qmNc+
 VBkVefSIDg==
 =dR2j
 -----END PGP SIGNATURE-----

Merge tag 'pmdomain-v7.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm

Pull pmdomain fixes from Ulf Hansson:

 - imx: Fix OF node refcount

 - ti: Fix wakeup configuration for parent devices of wakeup sources

* tag 'pmdomain-v7.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm:
  pmdomain: imx: fix OF node refcount
  pmdomain: ti_sci: add wakeup constraint to parent devices of wakeup source
2026-06-11 09:54:51 -07:00
Lizhi Hou
2f41af638c accel/amdxdna: Fix mm_struct reference leak in aie2_populate_range()
aie2_populate_range() jumps back to the again label without calling
mmput(mm), leaking a reference to the mm_struct.

Add the missing mmput() before jumping to again.

Fixes: e486147c91 ("accel/amdxdna: Add BO import and export")
Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Lizhi Hou <lizhi.hou@amd.com>
Link: https://patch.msgid.link/20260610151127.2994185-1-lizhi.hou@amd.com
2026-06-11 09:50:07 -07:00
Linus Torvalds
6e9e0dfc7f gpio fixes for v7.1
- fix NULL pointer dereference in gpio-mvebu
 - fix runtime PM leak in remove path in gpio-zynq
 - reject invalid module params in gpio-mockup
 - fix generic IRQ chip leak in remove parh in gpio-rockchip
 - fix resource leaks in GPIO chip cleanup path on hog failure
 - fix a regression in how GPIO hogging code handles multiple GPIO chips
   reusing the same OF node
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEkeUTLeW1Rh17omX8BZ0uy/82hMMFAmoqZbYACgkQBZ0uy/82
 hMN+DhAAqntOaHqRks5PqwZlE8jRCFtx1EkvABTnnNHW5t+HXVF+GpBvzRw43aQG
 uppIsusTVnxIojDeuBAzueC6UYjhos5/u2UY8jfaE3HQ7bEksUKS5Ba7b+MzlPo4
 AsPIZey0zuoj1EJNTUZekii7xDcApFu9l+CV9xKqEH+MIySelREJj5sqprJbdF9y
 9hpraeVAn+x333o4zrhWm/mauX/DnFrveqU3nSF+dYQtLwNEJyYntoQZUxrf6I0g
 AHTWRpUMXeUk3aMfmeuaNXrXnfQksanPDYIWT5LmvWoOWkka+iqX0nbUeA51myhZ
 soGzfQ7flYQTZRalu4tqjz7YnVpZC1u9xmgaQlOIwVmEyeW1YPOI6yDjIPWZwUFi
 3DupOvBf98wpIU8wCLVUN/vul496dLw793S4TOnaSGlaMQnz9mop0Qq6Ffb0hgS+
 V5M3cRA2K/aivjtU7r5921M/0NamozIPRadl+1L8USvL1pw8atHjndFIVXgxygln
 Qi3nxEiqWNRk+45YYM7HFdxGZB4bJefq5qwiB9l4Bmz2FczrpMgFMgvdO/jp6HAN
 e3YKhfoDrQBd2tf2V3WodmMHhmkR+SLjLfCPZ9rZiueh1NuU/GOzRwN2sD/tABac
 rV7DSamrrRZzsagHKpyCxTi/Dd0shDh5kVWCtcLggaEO8m7sFEQ=
 =ov9g
 -----END PGP SIGNATURE-----

Merge tag 'gpio-fixes-for-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux

Pull gpio fixes from Bartosz Golaszewski:

 - fix NULL pointer dereference in gpio-mvebu

 - fix runtime PM leak in remove path in gpio-zynq

 - reject invalid module params in gpio-mockup

 - fix generic IRQ chip leak in remove parh in gpio-rockchip

 - fix resource leaks in GPIO chip cleanup path on hog failure

 - fix a regression in how GPIO hogging code handles multiple GPIO chips
   reusing the same OF node

* tag 'gpio-fixes-for-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux:
  gpiolib: handle gpio-hogs only once
  gpio: fix cleanup path on hog failure
  gpio: rockchip: fix generic IRQ chip leak on remove
  gpio: mockup: reject invalid gpio_mockup_ranges widths
  gpio: zynq: fix runtime PM leak on remove
  gpio: mvebu: fix NULL pointer dereference in suspend/resume
2026-06-11 09:15:57 -07:00
Kean Ren
e4c60a1d4b
ASoC: SDCA: fix NULL pointer dereference in sdca_dev_unregister_functions
sdca_dev_unregister_functions() iterates over all SDCA function
descriptors and calls sdca_dev_unregister() on each func_dev without
checking for NULL. When a function registration has failed partway
through, or the device cleanup races with probe deferral, func_dev
entries may be NULL, leading to a kernel oops:

  BUG: kernel NULL pointer dereference, address: 0000000000000040
  RIP: 0010:device_del+0x1e/0x3e0
  Call Trace:
   sdca_dev_unregister_functions+0x37/0x60 [snd_soc_sdca]
   release_nodes+0x35/0xb0
   devres_release_all+0x90/0x100
   device_unbind_cleanup+0xe/0x80
   device_release_driver_internal+0x1c1/0x200
   bus_remove_device+0xc6/0x130
   device_del+0x161/0x3e0
   device_unregister+0x17/0x60
   sdw_delete_slave+0xb6/0xd0 [soundwire_bus]
   sdw_bus_master_delete+0x1e/0x50 [soundwire_bus]
   ...
   sof_probe_work+0x19/0x30 [snd_sof]

This was observed on a Lenovo ThinkPad X1 Carbon G14 (Panther Lake)
with the SOF audio driver probe failing due to missing Panther Lake
firmware, causing the subsequent cleanup of SoundWire devices to
trigger the crash.

Fix this with three changes:

1) Add a NULL guard in sdca_dev_unregister() so that callers do not
   need to pre-validate the pointer (defense in depth).

2) In sdca_dev_unregister_functions(), skip NULL func_dev entries
   and clear func_dev to NULL after unregistration, making the
   function idempotent and safe against double-invocation.

3) In sdca_dev_register_functions(), roll back all previously
   registered functions when a later one fails, so the function
   array is never left in a partially-populated state.

Fixes: 4496d1c65b ("ASoC: SDCA: add function devices")
Signed-off-by: Kean Ren <rh_king@163.com>
Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://patch.msgid.link/20260611023757.1553960-1-rh_king@163.com
Signed-off-by: Mark Brown <broonie@kernel.org>
2026-06-11 15:55:23 +01:00
Florian Fainelli
009b6c6486 ARM: 9476/1: mm: fix kexec and hibernation with CONFIG_CPU_TTBR0_PAN
Commit 7af5b901e8 ("ARM: 9358/2: Implement PAN for LPAE by TTBR0
page table walks disablement") implemented PAN for LPAE kernels by
setting TTBCR.EPD0 on every kernel entry, disabling TTBR0 page-table
walks while running in kernel mode. The commit correctly updated
cpu_suspend() in arch/arm/kernel/suspend.c, but missed two other code
paths that switch the CPU to the identity mapping before jumping to
low-PA (TTBR0-range) physical addresses:

1. setup_mm_for_reboot() in arch/arm/mm/idmap.c, used by the kexec
   reboot path. With TTBCR.EPD0 still set, the subsequent branch to
   the identity-mapped cpu_v7_reset causes a PrefetchAbort because the
   TTBR0 page-table walk needed to resolve the identity-mapped address
   is disabled. This manifests as a hard hang or "bad PC value" panic
   on LPAE kernels booted on CPUs that strictly enforce EPD0 for
   instruction fetch (e.g. Cortex-A53 in AArch32 mode) while the same
   image may accidentally work on Cortex-A15 due to microarchitectural
   differences in EPD0 enforcement.

2. arch_restore_image() in arch/arm/kernel/hibernate.c, which calls
   cpu_switch_mm(idmap_pgd, &init_mm) directly without going through
   setup_mm_for_reboot(), leaving TTBCR.EPD0 set while the identity
   mapping is active.

Fix both sites by calling uaccess_save_and_enable() before switching
to the identity mapping, mirroring what the original commit did for
cpu_suspend().

Assisted-by: Cursor:claude-sonnet-4.6

Fixes: 7af5b901e8 ("ARM: 9358/2: Implement PAN for LPAE by TTBR0 page table walks disablement")
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Linus Walleij <linus.walleij@linaro.org>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
2026-06-11 14:52:03 +01:00
Karl Mehltretter
77a1f6883d ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow
Commit 44e9a3bb76 ("ARM: 9430/1: entry: Do a dummy read from
VMAP shadow") added a dummy read from the KASAN VMAP stack shadow in
__switch_to(). The read uses ldr, but the KASAN shadow address is
byte-granular and is not guaranteed to be word aligned.

ARMv5 faults unaligned word loads. With CONFIG_KASAN_VMALLOC and
CONFIG_VMAP_STACK enabled, ARM926/VersatilePB crashes in __switch_to()
with an alignment exception before reaching init.

Use ldrb for the dummy shadow access. The code only needs to fault in the
shadow mapping if the stack shadow is missing, so a byte load is sufficient
and matches the granularity of KASAN shadow memory.

Fixes: 44e9a3bb76 ("ARM: 9430/1: entry: Do a dummy read from VMAP shadow")
Cc: stable@vger.kernel.org # v6.13+
Signed-off-by: Karl Mehltretter <kmehltretter@gmail.com>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
2026-06-11 14:52:01 +01:00
Karl Mehltretter
d59ed80371 ARM: 9474/1: io: avoid KASAN instrumentation of raw halfword I/O
For CPUs before ARMv6, __raw_readw() and __raw_writew() are implemented
as C volatile halfword accesses so the compiler can generate an access
sequence that is safe for those machines. With KASAN enabled, those C
accesses are instrumented as normal memory accesses.

That is not valid for MMIO. On ARM926/VersatilePB with KASAN enabled,
PL011 probing traps in __asan_store2() while registering the UART, because
the instrumented writew() tries to check KASAN shadow for an MMIO address.

Keep the existing volatile halfword access, but move the ARMv5 definitions
into __no_kasan_or_inline functions so raw MMIO halfword accesses are not
instrumented by KASAN. The ARMv6-and-newer inline assembly path is
unchanged.

Fixes: 421015713b ("ARM: 9017/2: Enable KASan for ARM")
Cc: stable@vger.kernel.org # v5.11+
Signed-off-by: Karl Mehltretter <kmehltretter@gmail.com>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
2026-06-11 14:52:00 +01:00
Rodrigo Vivi
347ccc0453 drm/xe: fix job timeout recovery for unstarted jobs and kernel queues
A job that GuC never scheduled (never started) indicates a GuC
scheduling failure; previously such jobs were silently errored out
instead of triggering a GT reset to recover. Trigger a GT reset and
resubmit them, but only when the queue was not already killed or banned:
an unstarted job on an already banned queue is the ban working as
intended and must neither clear the ban nor kick off a reset, otherwise
a banned userspace queue could be resurrected and spam GT resets.

Kernel queues are always recovered this way and wedge the device once
recovery attempts are exhausted, since kernel work must not silently
fail. A started job that times out on a userspace VM bind queue stays
banned rather than being reset and retried.

The queue is banned early in the timeout handler to signal the G2H
scheduling-done handler so it wakes the disable-scheduling waiter;
without it the waiter sleeps the full 5s timeout. When a reset is
warranted the ban is cleared before rearming so that
guc_exec_queue_start() can resubmit jobs after the GT reset - a
still-banned queue would block resubmission and cause an infinite TDR
loop. The already-banned case is gated out before this point via
skip_timeout_check, so it is unaffected.

v2: (Himal) Do it for any queue type, not just kernel/migration
v3: - (Sashiko and Sanjay): don't clear the ban / GT reset for already
      killed/banned queues on unstarted-job timeout
    - Update commit message
    - (Matt) Add Fixes tag

Fixes: fe05cee4d9 ("drm/xe: Don't short circuit TDR on jobs not started")
Cc: Matthew Auld <matthew.auld@intel.com>
Cc: Matthew Brost <matthew.brost@intel.com>
Cc: Sanjay Yadav <sanjay.kumar.yadav@intel.com>
Cc: Himal Prasad Ghimiray <himal.prasad.ghimiray@intel.com>
Assisted-by: GitHub-Copilot:claude-sonnet-4.6
Assisted-by: GitHub-Copilot:claude-opus-4.8
Tested-by: Sanjay Yadav <sanjay.kumar.yadav@intel.com>
Reviewed-by: Sanjay Yadav <sanjay.kumar.yadav@intel.com>
Reviewed-by: Matthew Brost <matthew.brost@intel.com>
Reviewed-by: Himal Prasad Ghimiray <himal.prasad.ghimiray@intel.com>
Link: https://patch.msgid.link/20260610152548.404575-3-rodrigo.vivi@intel.com
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
(cherry picked from commit b1107d085e7e8ed15ba6f80c102528a9c8a6cb0e)
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
2026-06-11 06:39:43 -07:00
Wentao Liang
ba36786b21 drm/xe: fix refcount leak in xe_range_fence_insert()
xe_range_fence_insert() acquires a reference on fence via
dma_fence_get() and stores it in rfence->fence.  It then calls
dma_fence_add_callback() and handles two cases: when the callback
is successfully registered (err == 0) the fence is transferred to
the tree for later cleanup; when the fence is already signaled
(err == -ENOENT) it manually drops the extra reference with
dma_fence_put(fence).

However, dma_fence_add_callback() can fail with other errors
(e.g. -EINVAL) and in that case the code falls through to the free:
label without releasing the acquired reference, leaking it.

Fix the leak by adding an else branch that calls dma_fence_put()
before jumping to free: for any error other than -ENOENT.

Fixes: 845f64bdbf ("drm/xe: Introduce a range-fence utility")
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Reviewed-by: Matthew Brost <matthew.brost@intel.com>
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
Link: https://patch.msgid.link/20260610172705.3450560-1-matthew.brost@intel.com
(cherry picked from commit 98c4a4201290823c2c5c7ba21692bd9a64b61021)
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
2026-06-11 06:39:40 -07:00
Kiran Kumar K
7360b96099 octeontx2-af: fix IP fragment flag corruption on custom KPU profile load
npc_cn20k_apply_custom_kpu() overwrites KPU profile entries with custom
firmware values and then calls npc_cn20k_update_action_entries_n_flags()
over all entries.  Since the same function already ran during default
profile initialisation, entries not overridden by the custom firmware
get their flags translated twice, corrupting the CN20K-specific values.

Fix this by extracting the per-entry translation into a helper
npc_cn20k_translate_action_flags() and calling it as each custom entry
is loaded, removing the redundant batch call at the end.

Fixes: ef992a0f12 ("octeontx2-af: npc: cn20k: MKEX profile support")
Cc: Suman Ghosh <sumang@marvell.com>
Signed-off-by: Kiran Kumar K <kirankumark@marvell.com>
Signed-off-by: Nitin Shetty J <nshettyj@marvell.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260608095455.1499203-1-nshettyj@marvell.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-06-11 12:59:34 +02:00
Paolo Abeni
64ced6c088 netfilter pull request 26-06-10
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEjF9xRqF1emXiQiqU1w0aZmrPKyEFAmopiokACgkQ1w0aZmrP
 KyGBoA//W6EXg8MCgQGojXZ4+41fPpJ6opw7t65e26/CIwTBgtOiX/no4WOJcOk/
 J6WBk2sHIg+RgPPzzOLfzAeyVf7MfbnXvBnEMselFGOtd1o5LeikdcskuMIQ2GP/
 v7a3C49Xueyp5ChjdArTbYcaREnAFVnmPGdsaE90D64SHNlmuiyIsRtEut+XUfuz
 Tl+JNCV2RCdSAl36MqnwAF8sBpj9ndnekNz8E5UONwgA7sowPM6KsGbYqCJrQXxa
 qDqbj9fme8BmLWc8gwQ37yD5iBGxc7LdVlyavIJ9uSi2Gp/jnDSsuyUm5WDo84wm
 R65jYmkXh9ZHr8OU/qYg5Mb0LBsSfNRzcE4WZIqb71WQ45IqA53kXam/2W0CuflN
 g9tPfAqboI9A11Mq3LSwwFWfa3L2xJIi1LFpzGThNTZa9vFoqhXZG0PCqXBKiDdo
 KsEmU4vtMFqga8tOFDJMgKHAxr/jPWhEZp1ZgIy3xAM2s9xC56Qe1g8mwcBFeZR7
 n/YEFGpWFa83EnXGow1gdhUQHu+PYbiwQQy1tSVaZ+kg5WhA3ahnJfIopS2qIrHq
 NN1RP8m85YjSZGzF/gvq+BEuuYZsebeaFxYLDha0zrhqXA3vlRZvVxoySlJtW/bk
 m/05GsIb7ySpAyOjejJ9fokymzjD1op+0o69AnEqvg1IXUmE0oM=
 =Rg2q
 -----END PGP SIGNATURE-----

Merge tag 'nf-26-06-10' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net:

1) Revalidate bridge ports, add missing NULL checks to fetch the bridge
   device by the port. From Florian Westphal.

2) Fix netdevice refcount leak in the error path of nft_fwd hardware
   offload function, also from Florian.

3) Unregister helper expectfn callback on conntrack helper module
   removal, otherwise dangling pointer remains in place,
   from Weiming Shi.

4) Fix possible pointer infoleak in getsockopt() IPT_SO_GET_ENTRIES,
   From Kyle Zeng.

5) Validate that device MAC header is present before nf_syslog
   accesses it. From Xiang Mei.

6-8) Three patches to address a possible infoleak of stale stack
     data in three nf_tables expressions, due to mismatch in the
     _init() and _eval() function which is possible since 14fb07130c.
     From Davide Ornaghi and Florian Westphal.

netfilter pull request 26-06-10

* tag 'nf-26-06-10' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
  netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register
  netfilter: nft_fib: fix stale stack leak via the OIFNAME register
  netfilter: nft_exthdr: fix register tracking for F_PRESENT flag
  netfilter: nf_log: validate MAC header was set before dumping it
  netfilter: x_tables: avoid leaking percpu counter pointers
  netfilter: nf_conntrack: destroy stale expectfn expectations on unregister
  netfilter: nf_tables_offload: drop device refcount on error
  netfilter: revalidate bridge ports
====================

Link: https://patch.msgid.link/20260610161629.214092-1-pablo@netfilter.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-06-11 12:30:00 +02:00
Li Jun
6ad3914e06
ASoC: loongson: Fix invalid position error in ls_pcm_pointer
The "invalid position" error occurred when the DMA position descriptor
returned an invalid address value (e.g., pos = -1048838144). This happened
because the `bytes_to_frames()` function returns a signed value, but when
`addr < runtime->dma_addr`, the subtraction produces a negative result that
gets interpreted as a large unsigned integer in comparisons.
when the addr is abnormal, for example,the DMA controller is abnormal in
hardware,x=0 should not be a point(x == runtime->buffer_size),but a range,
which includes the addr address being less than runtime ->dma1-adr, and
the addr exceeding the DMA address range.the value of pos should not better
a negative,return 0, maybe better.

[   32.834431][ 2]  soc-audio soc-audio: invalid position: , pos = -1048838144
[   32.845019][ 2]  soc-audio soc-audio: invalid position: , pos = -1048838144
[   32.855588][ 2]  soc-audio soc-audio: invalid position: , pos = -1048838144
[   32.866145][ 2]  soc-audio soc-audio: invalid position: , pos = -1048838144
[   32.995394][ 2]  soc-audio soc-audio: invalid position: , pos = -1048838144
[   33.006025][ 2]  soc-audio soc-audio: invalid position: , pos = -1048838144
[   33.016748][ 2]  soc-audio soc-audio: invalid position: , pos = -1048838144

Signed-off-by: Li Jun <lijun01@kylinos.cn>
[Remove XRUN reporting I'd mistakenly avised adding on prior review -- broonie]
Link: https://patch.msgid.link/20260611010045.3668574-1-lijun01@kylinos.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
2026-06-11 11:21:24 +01:00
Paolo Abeni
29899ec61a ipsec-2026-06-10
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEH7ZpcWbFyOOp6OJbrB3Eaf9PW7cFAmopbrsACgkQrB3Eaf9P
 W7cGkg//ZWSTsofbJTwxfGpS5/bkDplup/5evevcbBBJWXfPVM1ImK+oJ3M/hisF
 /Xx7PDwaw13qdDeH/ZCWRnKAWuEPkt8Y5j51R5QDJKhk3V7h8jAG1sRyQtnE2Z9M
 JyKmNFJB2cyCYQnpMHfRDW+TMtgCeriKL+rxxRlSB9bbEC/64pLWAeQc9SliSjUj
 M6I3jHHEkQVG2PzqzViIk8B2GATSTVEyHZMHlPAVAEgaIfNeTX1TzaIbyuaM2yoP
 /hYPPTsNvaTmXS+4kLg7zEoLEeOdYdhSD538L7GWnkijUbSIkyd+dpKSfoNMy8An
 /JjY+2GAW1+y2VpS6YbQzE0Q2Bs9ZPU6B5RCETC1drgpxQDBDas5HxwmNA/aKJ/j
 brMQDL412K8oZrEls/t3wDuP1sdHDZQNP/Zn2OysJX2Hi2rIObE6Xm/tRTyMkrio
 CU2EX+fXHuLsz+2Hh2Pw3X4G+JgNrPmEJhHRn/Bv0Sl5/fzNP6Jp1vQg6oC/7uoa
 2h/hxSmeJObBcg79sLmVfrpjzFoJ6fqQ4Z7JIj6qtIxnMvI74DxRJFJHk54XL7Qk
 6cLZlwXnea0Eqa71mu18sCO0MAep9Cui+A0+CH5OplHm6sdzufWEuoQx9BpGV7ce
 X14GM7KpWzo1LHCXYg4IOcf9JJdV8+YULubWy7SC/9xHjW7ETQY=
 =vhay
 -----END PGP SIGNATURE-----

Merge tag 'ipsec-2026-06-10' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec

Steffen Klassert says:

====================
pull request (net): ipsec 2026-06-10

1) xfrm: iptfs: preserve shared-frag marker in iptfs_consume_frags()
   Propagate SKBFL_SHARED_FRAG when paged fragments are moved between
   skbs so ESP can decide whether in-place crypto is safe.

2) xfrm: iptfs: fix use-after-free on first_skb in __input_process_payload
   Replace the unlocked read of xtfs->ra_newskb with a local flag so a
   concurrent reassembly can no longer free first_skb between
   spin_unlock and the post-loop check.

3) xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()
   Prune the inexact bin under xfrm_policy_lock so a concurrent
   xfrm_hash_rebuild() can no longer free it before xfrm_policy_kill()
   dereferences it.

4) xfrm: iptfs: fix ABBA deadlock in iptfs_destroy_state()
   Move hrtimer_cancel() for the output and drop timers ahead of their
   spinlocks, breaking the softirq/lock cycle that could deadlock
   against the timer callbacks on SMP.

5) xfrm: espintcp: do not reuse an in-progress partial send
   Fail a new send when espintcp_push_msgs() returns with emsg->len
   still set, so a blocking caller can no longer overwrite ctx->partial
   while a previous transfer still owns it.

6) esp: fix page frag reference leak on skb_to_sgvec failure
   Add a flag to esp_ssg_unref() to unconditionally unref the source
   scatterlist, releasing the old page references that are otherwise
   leaked when the second skb_to_sgvec() in esp_output_tail() fails.

Please pull or let me know if there are problems.

ipsec-2026-06-10

* tag 'ipsec-2026-06-10' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec:
  esp: fix page frag reference leak on skb_to_sgvec failure
  xfrm: espintcp: do not reuse an in-progress partial send
  xfrm: iptfs: fix ABBA deadlock in iptfs_destroy_state()
  xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()
  xfrm: iptfs: fix use-after-free on first_skb in __input_process_payload
  xfrm: iptfs: preserve shared-frag marker in iptfs_consume_frags()
====================

Link: https://patch.msgid.link/20260610140800.2562818-1-steffen.klassert@secunet.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-06-11 12:00:49 +02:00
Ido Schimmel
b70c687b7c ipv6: Fix a potential NPD in cleanup_prefix_route()
addrconf_get_prefix_route() can return the fib6_null_entry sentinel
entry which has a NULL fib6_table pointer. Therefore, before setting the
route's expiration time, check that we are not working with this entry,
as otherwise a NPD will be triggered [1].

Note that the other callers of addrconf_get_prefix_route() are not
susceptible to this bug:

1. addrconf_prefix_rcv(): Requests a route with the 'RTF_ADDRCONF |
   RTF_PREFIX_RT' flags which are not set on fib6_null_entry.

2. modify_prefix_route(): Fixed by commit a747e02430 ("ipv6: avoid
   possible NULL deref in modify_prefix_route()").

3. __ipv6_ifa_notify(): Calls ip6_del_rt() which specifically checks for
   fib6_null_entry and returns an error.

[1]
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
[...]
Call Trace:
<TASK>
__kasan_check_byte (mm/kasan/common.c:573)
lock_acquire.part.0 (kernel/locking/lockdep.c:5842 (discriminator 1))
_raw_spin_lock_bh (kernel/locking/spinlock.c:182 (discriminator 1))
cleanup_prefix_route (net/ipv6/addrconf.c:1280)
ipv6_del_addr (net/ipv6/addrconf.c:1342)
inet6_addr_del.isra.0 (net/ipv6/addrconf.c:3119)
inet6_rtm_deladdr (net/ipv6/addrconf.c:4812)
rtnetlink_rcv_msg (net/core/rtnetlink.c:6997)
netlink_rcv_skb (net/netlink/af_netlink.c:2555)
netlink_unicast (net/netlink/af_netlink.c:1344)
netlink_sendmsg (net/netlink/af_netlink.c:1899)
__sock_sendmsg (net/socket.c:802 (discriminator 4))
____sys_sendmsg (net/socket.c:2698)
___sys_sendmsg (net/socket.c:2752)
__sys_sendmsg (net/socket.c:2784)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)

Fixes: 5eb902b8e7 ("net/ipv6: Remove expired routes with a separated list of routes.")
Reported-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
Reviewed-by: David Ahern <dahern@nvidia.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260609145448.768318-1-idosch@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-06-11 11:57:11 +02:00
Paolo Abeni
0068940907 Merge branch 'net-txgbe-fix-module-identification'
Jiawen Wu says:

====================
net: txgbe: fix module identification

For AML devices, there are some issues where the wrong module
indentified then configure PHY failed.

The module info buffers should be initialized to 0 before the firmware
returns information. And DECLARE_PHY_INTERFACE_MASK() does not guarantee
zeroed contents, so explicitly clear the temporary interface masks before
setting supported interfaces.

Rework txgbe_identify_module() to validate module identifiers through
explicit type checks instead of relying on transceiver_type heuristics.
When using the SFP module, transceiver_type could be a random value,
because it was read from an invalid register.
====================

Link: https://patch.msgid.link/20260608070842.36504-1-jiawenwu@trustnetic.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-06-11 10:55:16 +02:00
Jiawen Wu
47f848aac4 net: txgbe: initialize PHY interface to 0
DECLARE_PHY_INTERFACE_MASK() does not guarantee zeroed contents. Add a
new macro DECLARE_PHY_INTERFACE_MASK_ZERO(), make the stack variable to
be zeroed before setting supported interfaces.

Fixes: 57d39faed4 ("net: txgbe: improve functions of AML 40G devices")
Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
Link: https://patch.msgid.link/20260608070842.36504-4-jiawenwu@trustnetic.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-06-11 10:55:14 +02:00
Jiawen Wu
f2df54ddbf net: txgbe: distinguish module types by checking identifier
Rework txgbe_identify_module() to validate module identifiers through
explicit type checks instead of relying on transceiver_type heuristics.
When using the SFP module, transceiver_type could be a random value,
because it was read from an invalid register.

Fixes: 57d39faed4 ("net: txgbe: improve functions of AML 40G devices")
Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
Link: https://patch.msgid.link/20260608070842.36504-3-jiawenwu@trustnetic.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-06-11 10:55:14 +02:00
Jiawen Wu
0487cfca46 net: txgbe: initialize module info buffer
The module info buffer should be initialized to 0 before the firmware
returns information. Otherwise, there is a risk that the buffer field
not filled by the firmware is random value.

Fixes: 343929799a ("net: txgbe: Support to handle GPIO IRQs for AML devices")
Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
Link: https://patch.msgid.link/20260608070842.36504-2-jiawenwu@trustnetic.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-06-11 10:55:14 +02:00
Paolo Abeni
b59873c9c4 Merge branch 'net-mvpp2-fix-xdp-rx-buffer-handling'
Til Kaiser says:

====================
net: mvpp2: fix XDP RX buffer handling

This is v5 of the earlier XDP_PASS fix. The XDP_PASS change is
retained, and the series also fixes related RX/XDP buffer handling
issues found during review.

Tested with tools/testing/selftests/drivers/net/xdp.py on mvpp2
hardware.
====================

Link: https://patch.msgid.link/20260607134943.21996-1-mail@tk154.de
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-06-11 09:57:33 +02:00
Til Kaiser
77a6b90ce5 net: mvpp2: build skb from XDP-adjusted data on XDP_PASS
When an XDP program uses bpf_xdp_adjust_head() or bpf_xdp_adjust_tail()
and then returns XDP_PASS, mvpp2 still builds the skb from fixed offsets
derived from the original RX descriptor. Packet geometry changes made by
the XDP program are therefore discarded before the skb reaches the stack.

Update rx_offset and rx_bytes from xdp.data and xdp.data_end for
XDP_PASS. This makes skb_reserve() and skb_put() reflect the packet seen
by XDP, and makes RX byte accounting for XDP_PASS follow the length of the
skb passed to the network stack.

Keep a separate rx_sync_size for page-pool recycling on skb allocation
failure, which must stay tied to the received buffer range.

Non-PASS verdicts continue to account the descriptor length because no skb
is passed up in those cases.

Fixes: 07dd0a7aae ("mvpp2: add basic XDP support")
Signed-off-by: Til Kaiser <mail@tk154.de>
Link: https://patch.msgid.link/20260607134943.21996-5-mail@tk154.de
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-06-11 09:57:31 +02:00
Til Kaiser
5e8e2a9624 net: mvpp2: refill RX buffers before XDP or skb use
The RX error path returns the current descriptor buffer to the hardware
BM pool. That is only valid while the driver still owns the buffer.

mvpp2_rx_refill() can fail after the current buffer has been handed to
XDP or attached to an skb. In those cases mvpp2_run_xdp() may have
recycled, redirected, or queued the page for XDP_TX, and an skb free also
retires the data buffer. Returning such a buffer to BM lets hardware DMA
into memory that is no longer owned by the RX ring.

Refill the BM pool before handing the current buffer to XDP or to the
skb. If the allocation fails there, drop the packet and return the
still-owned current buffer to BM, preserving the pool depth. Once the
refill succeeds, later local drops retire/free the current buffer instead
of returning it to BM.

Fixes: 07dd0a7aae ("mvpp2: add basic XDP support")
Fixes: d6526926de ("net: mvpp2: fix memory leak in mvpp2_rx")
Signed-off-by: Til Kaiser <mail@tk154.de>
Link: https://patch.msgid.link/20260607134943.21996-4-mail@tk154.de
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-06-11 09:57:31 +02:00
Til Kaiser
f3c6aa0789 net: mvpp2: limit XDP frame size to the RX buffer
mvpp2 has short and long BM pools, and short pool buffers can be smaller
than PAGE_SIZE. The XDP path nevertheless initializes every xdp_buff with
PAGE_SIZE as frame size.

XDP helpers use frame_sz to validate tail growth and to derive the hard
end of the data area. Advertising PAGE_SIZE for short buffers can let
bpf_xdp_adjust_tail() grow a packet past the real allocation, corrupting
memory or later tripping skb tailroom checks.

Initialize the XDP buffer with bm_pool->frag_size so XDP tailroom matches
the actual buffer backing the packet.

Fixes: 07dd0a7aae ("mvpp2: add basic XDP support")
Signed-off-by: Til Kaiser <mail@tk154.de>
Link: https://patch.msgid.link/20260607134943.21996-3-mail@tk154.de
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-06-11 09:57:31 +02:00
Til Kaiser
1802356009 net: mvpp2: sync RX data at the hardware packet offset
mvpp2 programs the RX queue packet offset, so hardware writes received
data at dma_addr + MVPP2_SKB_HEADROOM. The current CPU sync starts at
dma_addr and only covers rx_bytes + MVPP2_MH_SIZE bytes, which syncs the
unused headroom and misses the same number of bytes at the packet tail.

On non-coherent DMA systems this can leave the CPU reading stale cache
contents for the end of the received frame.

Use dma_sync_single_range_for_cpu() with MVPP2_SKB_HEADROOM as the range
offset so the sync covers the Marvell header and packet data actually
written by hardware.

Fixes: e1921168bb ("mvpp2: sync only the received frame")
Signed-off-by: Til Kaiser <mail@tk154.de>
Link: https://patch.msgid.link/20260607134943.21996-2-mail@tk154.de
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-06-11 09:57:31 +02:00
Linus Torvalds
9716c086c8 Power management fixes for final 7.1
- Restore allowing writing EPP of 0 when in performance mode in the
    amd-pstate driver which was unnecessarily disallowed by one of the
    recent updates (Mario Limonciello)
 
  - Remove stale documentation of the epp_cached field in struct
    amd_cpudata that has been dropped recently (Zhan Xusheng)
 -----BEGIN PGP SIGNATURE-----
 
 iQFGBAABCAAwFiEEcM8Aw/RY0dgsiRUR7l+9nS/U47UFAmopns8SHHJqd0Byand5
 c29ja2kubmV0AAoJEO5fvZ0v1OO1nuQH/1WWr4Rm9BV07e+sqK0X62fzV7+TpM8N
 Ap7PveJ3qh7LEh2Mh4CiCyycSR4XfAZrKE0FGi7YGbxhcTsG93nlpyzz0dCPyYzM
 qJ4lpbLUqt9gu4BknmTAYAIBResZSjYyA1bB7eghcKQzuAXj447PkNvG5Pbij5KS
 wLuBPnV1eLtzpdXitg9OHFitu5KBKe/DH8hlsomJkkXN/8rAKIFsfihHw+52r/Hh
 fwxt4QPj8e72kZbeAC+YELY40J3Cg8pW7w4G6NbGPFU64FZWwO42a2j+j1PW5unP
 lYjNlf0PCQ4Ebi6Z2j24LIlp038fPJcYjV2BJ24PlY4fiN1OYoKZnLo=
 =QUn3
 -----END PGP SIGNATURE-----

Merge tag 'pm-7.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull power management fixes from Rafael Wysocki:
 "These address some remaining fallout after introducing dynamic EPP
  support in the amd-pstate driver during the current development cycle:

   - Restore allowing writing EPP of 0 when in performance mode in the
     amd-pstate driver which was unnecessarily disallowed by one of the
     recent updates (Mario Limonciello)

   - Remove stale documentation of the epp_cached field in struct
     amd_cpudata that has been dropped recently (Zhan Xusheng)"

* tag 'pm-7.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  cpufreq/amd-pstate: Fix setting EPP in performance mode
  cpufreq/amd-pstate: drop stale @epp_cached kdoc
2026-06-10 11:53:55 -07:00
Tangudu Tilak Tirumalesh
e4aaac4659 drm/xe: include all registered queues in TLB invalidation
Context-based TLB invalidation currently selects only scheduling-active
exec queues via q->ops->active(). During rebind flows, queues may be
suspended (or transitioning through resume) while still owning valid
translations, causing them to be skipped from invalidation and leading
to missed TLB invalidations on LR rebinds.

The underlying issue is a TOCTOU: q->guc->state bits are flipped lock-free
from enable_scheduling(), disable_scheduling{,_deregister}(), the
suspend/resume sched-msg handlers, handle_sched_done(), and
guc_exec_queue_stop(); nothing in send_tlb_inval_ctx_ppgtt() serializes
against them, so any state-based predicate can race.

Include all the registered queues so that TLB invalidations are not
missed. This is race-free because list membership on vm->exec_queues.list
is stable under vm->exec_queues.lock held by the caller. The performance
impact is expected to be minimal and harmless. If it does turn out to be
a concern, we can come back with a race-safe solution to ignore certain
queues.

Fixes: 6cdaa5346d ("drm/xe: Add context-based invalidation to GuC TLB invalidation backend")
Assisted-by: Claude:claude-opus-4.6
Suggested-by: Thomas Hellstrom <thomas.hellstrom@linux.intel.com>
Signed-off-by: Tangudu Tilak Tirumalesh <tilak.tirumalesh.tangudu@intel.com>
Reviewed-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Reviewed-by: Matthew Brost <matthew.brost@intel.com>
Link: https://patch.msgid.link/20260608162745.338725-2-tilak.tirumalesh.tangudu@intel.com
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
(cherry picked from commit aa625e1e9f0710e424fe4f0e3f032807df81b5b0)
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
2026-06-10 09:33:29 -07:00
Raag Jadav
381b3576a8 drm/xe/hw_error: Use HW_ERR prefix in log
Hardware errors should be logged with HW_ERR prefix. Make them
consistent with existing logs.

Fixes: 01aab7e1c9 ("drm/xe/xe_hw_error: Add support for PVC SoC errors")
Signed-off-by: Raag Jadav <raag.jadav@intel.com>
Reviewed-by: Riana Tauro <riana.tauro@intel.com>
Link: https://patch.msgid.link/20260602044919.702209-5-raag.jadav@intel.com
Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
(cherry picked from commit ad60a618c49fef07d1860bfb1091140d29f5eddb)
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
2026-06-10 09:33:25 -07:00
Raag Jadav
3e3f5b0c5a drm/xe/drm_ras: Add per node cleanup action
cleanup_node_param() is not registered for previous node in case of counter
allocation failure, which results in stale memory of previous node that
isn't cleaned up on unwind. Add per node cleanup action which guarantees
cleanup on unwind and also simplifies the cleanup logic.

Fixes: b40db12b54 ("drm/xe/xe_drm_ras: Add support for XE DRM RAS")
Signed-off-by: Raag Jadav <raag.jadav@intel.com>
Reviewed-by: Riana Tauro <riana.tauro@intel.com>
Link: https://patch.msgid.link/20260602044919.702209-4-raag.jadav@intel.com
Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
(cherry picked from commit 67fc5543d8274b2fcbef87734fad0469358f4478)
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
2026-06-10 09:33:22 -07:00
Raag Jadav
4dcfcdc9fb drm/xe/drm_ras: Make counter allocation drm managed
cleanup_node_param() is not registered for previous node in case of counter
allocation failure, which results in stale memory of previous node that
isn't cleaned up on unwind. Fix this using drm managed allocation, which is
guaranteed to be cleaned up on unwind.

Fixes: b40db12b54 ("drm/xe/xe_drm_ras: Add support for XE DRM RAS")
Signed-off-by: Raag Jadav <raag.jadav@intel.com>
Reviewed-by: Riana Tauro <riana.tauro@intel.com>
Link: https://patch.msgid.link/20260602044919.702209-3-raag.jadav@intel.com
Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
(cherry picked from commit 58d77c77ea0c5cb2b755ebe23e973c8272acd896)
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
2026-06-10 09:33:18 -07:00
Jani Nikula
68938cc08e drm/xe/display: fix oops in suspend/shutdown without display
The xe driver keeps track of whether to probe display, and whether
display hardware is there, using xe->info.probe_display. It gets set to
false if there's no display after intel_display_device_probe(). However,
the display may also be disabled via fuses, detected at a later time in
intel_display_device_info_runtime_init().

In this case, the xe driver does for_each_intel_crtc() on uninitialized
mode config in xe_display_flush_cleanup_work(), leading to a NULL
pointer dereference, and generally calls display code with display info
cleared.

Check for intel_display_device_present() after
intel_display_device_info_runtime_init(), and reset
xe->info.probe_display as necessary. Also do unset_display_features()
for completeness, although display runtime init has already done
that. This will need to be unified across all cases later.

Move intel_display_device_info_runtime_init() call slightly earlier,
similar to i915, to avoid a bunch of unnecessary setup for no display
cases.

Note #1: The xe driver has no business doing low level display plumbing
like for_each_intel_crtc() to begin with. It all needs to happen in
display code.

Note #2: The actual bug is present already in commit 44e694958b
("drm/xe/display: Implement display support"), but the oops was likely
introduced later at commit ddf6492e0e ("drm/xe/display: Make display
suspend/resume work on discrete").

Fixes: 44e694958b ("drm/xe/display: Implement display support")
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/work_items/7904
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/work_items/6150
Cc: stable@vger.kernel.org # v6.8+
Reviewed-by: Suraj Kandpal <suraj.kandpal@intel.com>
Link: https://patch.msgid.link/20260515160920.1082842-1-jani.nikula@intel.com
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
(cherry picked from commit 7c3eb9f47533220888a67266448185fd0775d4da)
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
2026-06-10 09:33:09 -07:00
Davide Ornaghi
c7d573551f netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register
NFT_META_BRI_IIFHWADDR declares its destination register with
len = ETH_ALEN (6 bytes), which the register-init tracking rounds up to
two 32-bit registers (8 bytes). nft_meta_bridge_get_eval() then does
memcpy(dest, br_dev->dev_addr, ETH_ALEN), writing only 6 bytes and
leaving the upper 2 bytes of the second register as uninitialised
nft_do_chain() stack. A downstream load of that register span leaks
those stale bytes to userspace.

Zero the second register before the memcpy so the full declared span is
written.

Fixes: cbd2257dc9 ("netfilter: nft_meta_bridge: introduce NFT_META_BRI_IIFHWADDR support")
Cc: stable@vger.kernel.org
Signed-off-by: Davide Ornaghi <d.ornaghi97@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-10 18:00:32 +02:00
Davide Ornaghi
ab185e0c4f netfilter: nft_fib: fix stale stack leak via the OIFNAME register
For NFT_FIB_RESULT_OIFNAME the destination register is declared with
len = IFNAMSIZ (four 32-bit registers), but on the lookup-fail,
RTN_LOCAL and oif-mismatch paths nft_fib{4,6}_eval() only writes one
register via "*dest = 0". The remaining three registers are left as
whatever was on the stack in nft_do_chain()'s struct nft_regs, and a
downstream expression that loads the register span can leak that
uninitialised kernel stack to userspace.

The NFTA_FIB_F_PRESENT existence check has the same shape: it is only
meaningful for NFT_FIB_RESULT_OIF, yet it was accepted for any result type
while the eval stores a single byte via nft_reg_store8(), leaving the rest
of the declared span stale.

Fix both:

 - replace the bare "*dest = 0" in the eval with nft_fib_store_result(),
   which strscpy_pad()s the whole IFNAMSIZ for OIFNAME (and is already
   used on the other early-return path), and

 - restrict NFTA_FIB_F_PRESENT to NFT_FIB_RESULT_OIF and declare its
   destination as a single u8, so the marked span matches the one byte
   the eval writes.

Fixes: f6d0cbcf09 ("netfilter: nf_tables: add fib expression")
Suggested-by: Florian Westphal <fw@strlen.de>
Cc: stable@vger.kernel.org
Signed-off-by: Davide Ornaghi <d.ornaghi97@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-10 18:00:19 +02:00
Florian Westphal
772cecf198 netfilter: nft_exthdr: fix register tracking for F_PRESENT flag
nft_exthdr_init() passes user-controlled priv->len to
nft_parse_register_store(), which marks that many bytes in the
register bitmap as initialized.  However, when NFT_EXTHDR_F_PRESENT
is set, the eval paths write only 1 byte (nft_reg_store8) or
4 bytes (*dest = 0 on TCP/DCCP error path).  When len > 4,
registers beyond the first are never written, retaining
uninitialized stack data from nft_regs.

Bail out if userspace requests too much data when F_PRESENT is set.

Reported-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
Fixes: c078ca3b0c ("netfilter: nft_exthdr: Add support for existence check")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-10 18:00:12 +02:00
Xiang Mei
a84b6fedbc netfilter: nf_log: validate MAC header was set before dumping it
The fallback path of dump_mac_header() guards the MAC header access
only with "skb->mac_header != skb->network_header", without checking
skb_mac_header_was_set(). When the MAC header is unset, mac_header is
0xffff, so the test passes and skb_mac_header(skb) returns
skb->head + 0xffff, ~64 KiB past the buffer; the loop then reads
dev->hard_header_len bytes out of bounds into the kernel log.

This is reachable via the netdev logger: nf_log_unknown_packet() calls
dump_mac_header() unconditionally, and an skb sent through AF_PACKET
with PACKET_QDISC_BYPASS reaches the egress hook with mac_header still
unset (__dev_queue_xmit(), which would reset it, is bypassed).

Add the skb_mac_header_was_set() check the ARPHRD_ETHER path already
uses, and replace the open-coded MAC header length test with
skb_mac_header_len(). Only skbs with an unset MAC header are affected;
valid ones are dumped as before.

 BUG: KASAN: slab-out-of-bounds in dump_mac_header (net/netfilter/nf_log_syslog.c:831)
 Read of size 1 at addr ffff88800ea49d3f by task exploit/148
 Call Trace:
  kasan_report (mm/kasan/report.c:595)
  dump_mac_header (net/netfilter/nf_log_syslog.c:831)
  nf_log_netdev_packet (net/netfilter/nf_log_syslog.c:938 net/netfilter/nf_log_syslog.c:963)
  nf_log_packet (net/netfilter/nf_log.c:260)
  nft_log_eval (net/netfilter/nft_log.c:60)
  nft_do_chain (net/netfilter/nf_tables_core.c:285)
  nft_do_chain_netdev (net/netfilter/nft_chain_filter.c:307)
  nf_hook_slow (net/netfilter/core.c:619)
  nf_hook_direct_egress (net/packet/af_packet.c:257)
  packet_xmit (net/packet/af_packet.c:280)
  packet_sendmsg (net/packet/af_packet.c:3114)
  __sys_sendto (net/socket.c:2265)

Fixes: 7eb9282cd0 ("netfilter: ipt_LOG/ip6t_LOG: add option to print decoded MAC header")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-10 18:00:01 +02:00
Kyle Zeng
f7f2fbb0e8 netfilter: x_tables: avoid leaking percpu counter pointers
The native and compat get-entries paths copy the fixed rule entry header
from the kernelized rule blob to userspace before overwriting the entry's
counter fields with a sanitized counter snapshot.

On SMP kernels, entry->counters.pcnt contains the percpu allocation
address used by x_tables rule counters. A caller can provide a userspace
buffer that faults during the initial fixed-header copy after pcnt has
been copied but before the later sanitized counter copy runs. The syscall
then returns -EFAULT while leaving the raw percpu pointer in userspace.

Copy only the fixed entry prefix before counters from the kernelized rule
blob, then copy the sanitized counter snapshot into the counter field.
Apply this ordering to the IPv4, IPv6, and ARP native and compat
get-entries implementations so a fault cannot expose the internal percpu
counter pointer.

Fixes: 71ae0dff02 ("netfilter: xtables: use percpu rule counters")
Signed-off-by: Kyle Zeng <kylebot@openai.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-10 17:59:01 +02:00
Weiming Shi
c3009418f9 netfilter: nf_conntrack: destroy stale expectfn expectations on unregister
NAT helpers such as nf_nat_h323 store a raw pointer to module text in
exp->expectfn (e.g. ip_nat_q931_expect). nf_ct_helper_expectfn_unregister()
only unlinks the callback descriptor and never walks the expectation table,
so an expectation pending at module removal survives with a dangling
exp->expectfn into freed module text.

When the expected connection arrives, init_conntrack() invokes
exp->expectfn(), now a stale pointer into the unloaded module. Reproduced
on a KASAN build by loading the H.323 helpers, creating a Q.931
expectation, unloading nf_nat_h323, then connecting to the expected port:

 Oops: int3: 0000 [#1] SMP KASAN NOPTI
 RIP: 0010:0xffffffffa06102d1
  init_conntrack.isra.0 (net/netfilter/nf_conntrack_core.c:1862)
  nf_conntrack_in (net/netfilter/nf_conntrack_core.c:2049)
  ipv4_conntrack_local (net/netfilter/nf_conntrack_proto.c:223)
  nf_hook_slow (net/netfilter/core.c:619)
  __ip_local_out (net/ipv4/ip_output.c:120)
  __tcp_transmit_skb (net/ipv4/tcp_output.c:1715)
  tcp_connect (net/ipv4/tcp_output.c:4374)
  tcp_v4_connect (net/ipv4/tcp_ipv4.c:345)
  __sys_connect (net/socket.c:2167)
 Modules linked in: nf_conntrack_h323 [last unloaded: nf_nat_h323]

Reaching the dangling state requires CAP_SYS_MODULE in the initial user
namespace to remove a NAT helper that still has live expectations, so this
is a robustness fix; leaving an expectation pointing at freed text is wrong
regardless.

Add nf_ct_helper_expectfn_destroy(), which walks the expectation table and
drops every expectation whose ->expectfn matches the descriptor being torn
down. Call it from each NAT helper's exit path after the existing RCU grace
period, so no expectation outlives the code it points at and no extra
synchronize_rcu() is introduced. With the fix, the same reproducer runs to
completion without the Oops.

Fixes: f587de0e2f ("[NETFILTER]: nf_conntrack/nf_nat: add H.323 helper port")
Reported-by: Xiang Mei <xmei5@asu.edu>
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-10 17:58:39 +02:00
Florian Westphal
efc5425617 netfilter: nf_tables_offload: drop device refcount on error
Reported by sashiko:
If nft_flow_action_entry_next() returns NULL, dev reference leaks.

Fixes: c6f8557758 ("netfilter: nf_tables_offload: add nft_flow_action_entry_next() and use it")
Reported-by: Juri Lelli <juri.lelli@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-10 17:58:29 +02:00
Florian Westphal
ccb9fd4b87 netfilter: revalidate bridge ports
ebt_redirect_tg() dereferences br_port_get_rcu() return without a
NULL check, causing a kernel panic when the bridge port has been
removed between the original hook invocation and an NFQUEUE
reinject.

A mere NULL check isn't sufficient, however.  As sashiko review
points out userspace can not only remove the port from the bridge,
it could also place the device in a different virtual device, e.g.
macvlan.

If this happens, we must drop the packet, there is no way for us to
reinject it into the bridge path.

Switch to _upper API, we don't need the bridge port structure.
Also, this fix keeps another bug intact:

Both nfnetlink_log and nfnetlink_queue use CONFIG_BRIDGE_NETFILTER
too aggressive, which prevents certain logging features when queueing
in bridge family: NETFILTER_FAMILY_BRIDGE can be enabled while the old
CONFIG_BRIDGE_NETFILTER cruft is off.

Fixes tag is a common ancestor, this was always broken.

Fixes: f350a0a873 ("bridge: use rx_handler_data pointer to store net_bridge_port pointer")
Reported-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
Assisted-by: Claude:claude-sonnet-4-6
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-10 17:58:20 +02:00
Felix Gu
310628484e
spi: rzv2h-rspi: Fix SPDR read access width for 16-bit RX
The RZ/V2H hardware manual (section 7.5.2.2.1) specifies that read access
size for the SPI Data Register (SPDR) are fixed at 32 bits. The
RZV2H_RSPI_RX macro for the 16-bit data path used readw(), violating
this requirement.

Switch to readl() for the 16-bit RX path to conform to the hardware
specification.

Fixes: 8b61c8919d ("spi: Add driver for the RZ/V2H(P) RSPI IP")
Suggested-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
Link: https://patch.msgid.link/20260610-rzv2h-rspi-v2-1-40c80b4a2c90@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
2026-06-10 16:39:13 +01:00
Breno Leitao
512db8267b rds: mark snapshot pages dirty in rds_info_getsockopt()
rds_info_getsockopt() pins the destination user pages with FOLL_WRITE and
the RDS_INFO_* producers memcpy the snapshot into them through
kmap_atomic(). Because that copy goes through the kernel direct map, the
dirty bit on the user PTE is never set, so unpin_user_pages() releases the
pages without marking them dirty. A file-backed destination page can then
be reclaimed without writeback, silently discarding the copied data.

Use unpin_user_pages_dirty_lock() with make_dirty=true so the modified
pages are marked dirty before they are unpinned.

Fixes: a8c879a7ee ("RDS: Info and stats")
Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Allison Henderson <achender@kernel.org>
Link: https://patch.msgid.link/20260608-rds_fix-v1-1-006c88543408@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-10 08:18:16 -07:00
Eric Dumazet
a5c0359f5c ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()
In vti6_tnl_lookup(), when an exact match for a tunnel fails,
the code falls back to searching for wildcard tunnels:

- Tunnels matching the packet's local address, with any remote address
  wildcard remote).

- Tunnels matching the packet's remote address, with any local address
  (wildcard local).

However, vti6 stores all these different types of tunnels in the same
hash table (ip6n->tnls_r_l) prone to hash collisions.

The bug is that the fallback search loops in vti6_tnl_lookup() were
missing checks to ensure that the candidate tunnel actually has
a wildcard address.

Fixes: fbe68ee875 ("vti6: Add a lookup method for tunnels with wildcard endpoints.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Reviewed-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Link: https://patch.msgid.link/20260608164613.933023-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-10 08:16:07 -07:00
Linus Torvalds
767622308a RISC-V updates for v7.1-rc8
- Fix the implementation of the CFI branch landing pad control
   prctl()s to return -EINVAL if unknown control bits are set, rather
   than silently ignoring the request; and add a kselftest for this
   case
 
 - Fix unaligned access performance testing to happen earlier in boot,
   which fixes a performance regression in the lib/checksum code
 
 - Fix a binfmt_elf warning when dumping core (due to missing
   .core_note_name for CFI registers)
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEElRDoIDdEz9/svf2Kx4+xDQu9KksFAmopaGkACgkQx4+xDQu9
 KkvBng/+LAQwSRM5fRJVEzHq5PvVvElGCcdWoBnRGF/OX3WG9h+HErMCyfz3uKnr
 sqjlfs8GZTg1ABTIqBOu2eUj0SzsJfXE8Ehc2l5D34VSG2BsPh7CJABxqZtLdWoT
 K/DlmlDwWZ3Pu4HQKtQeFCRAT1MFhXfgvaomrR4qCmigQyJYeLatuTuvGd0RXL6U
 CHx9yPJY9++rC1mV+h5IKw/Ml8gQJCdCvYF9zZsRlFxhQi/QL0jz588yCK10qXx4
 hFntomFtscnPW3DU57+OpHyKuHG0IyqOmgr093JCFKMr4jDbfxFI1UjEbcfk28Uy
 YN+RHXXrzvfVlLhZCYk4nlu+YwMBkgZEvwxGFrFIunkVLHI01GB02HNcRGukLRnA
 zjevjQFK78cvg7LbY3tlqdmOs/RqjpHJd5LwU9FUgj+jXbt5wBviarV6VPAAL2za
 8ZgNjxBCO3aT1ec5sIjhu7HrZxgcbv6x7GipmlrKmmSBvE2+Gzcz4jCIIWT9GjOt
 lGNX/B25ew5sK8zoDsGoTW4dCCHOMHD/vGsXww3IxSrWOQX4Ew9Ffcxks82AYqId
 C9DttPDZLcN82VeVymgrVZl9JJBkudeLO6fDl1mRgCY11qp1tJG3GaosfA601qiE
 PYlfsqMlNZKPUO7JXR3l70LbRocNKqJl3Yo7u+KstHV26E99twk=
 =yfQt
 -----END PGP SIGNATURE-----

Merge tag 'riscv-for-linux-7.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux

Pull RISC-V fixes from Paul Walmsley:

 - Fix the implementation of the CFI branch landing pad control prctl()s
   to return -EINVAL if unknown control bits are set, rather than
   silently ignoring the request; and add a kselftest for this case

 - Fix unaligned access performance testing to happen earlier in boot,
   which fixes a performance regression in the lib/checksum code

 - Fix a binfmt_elf warning when dumping core (due to missing
   .core_note_name for CFI registers)

* tag 'riscv-for-linux-7.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
  riscv: cfi: reject unknown flags in PR_SET_CFI
  riscv: Fix fast_unaligned_access_speed_key not getting initialized
  riscv/ptrace: Use USER_REGSET_NOTE_TYPE for REGSET_CFI
2026-06-10 07:18:32 -07:00
Jann Horn
805d5a2b79 namespace: restrict OPEN_TREE_NAMESPACE/FSMOUNT_NAMESPACE to directories
open_tree(..., OPEN_TREE_NAMESPACE) and
fsmount(..., FSMOUNT_NAMESPACE, ...) currently work on non-directories,
like regular files. That's bad for two reasons:

 - It ends up mounting a regular file over the inherited namespace root,
   which is a directory; mounting a non-directory over a directory is
   normally explicitly forbidden, see for example do_move_mount()

 - It causes setns() on the new namespace to set the cwd to a regular
   file, which the rest of VFS does not expect

Fix it by restricting create_new_namespace() (which is used by both of
these flags) to directories.

Leave the behavior for OPEN_TREE_CLONE as-is, that seems unproblematic.

Fixes: 9b8a0ba682 ("mount: add OPEN_TREE_NAMESPACE")
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Jan Kara <jack@suse.cz>
Cc: stable@kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2026-06-10 07:09:20 -07:00