summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
4 daysMAINTAINERS: Camera sensor and Intel IPU driver changesDave Hansen
Tian Shu Qiu and Bingbu Cao are maintainers and reviewers of a bunch of media drivers (7 and 9 respectively). Bingbu's e-mail address has changed and Tian Shu's is bouncing. Update Bingbu's e-mail address, remove Bingbu as a maintainer from Intel specific drivers and remove Tian Shu as maintainer. Also add Dave Stevenson as a maintainer and David Heidelberg as a reviewer for the imx355 driver. Also add Bingbu and Tian Shu to CREDITS. Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Cc: Yong Zhi <yong.zhi@intel.com> Cc: Dan Scally <dan.scally@ideasonboard.com> Cc: Mauro Carvalho Chehab <mchehab@kernel.org> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Lixu Zhang <lixu.zhang@intel.com> Cc: linux-media@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: linux-staging@lists.linux.dev Co-developed-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Acked-by: Dave Stevenson <dave.stevenson@raspberrypi.com> Acked-by: David Heidelberg <david@ixit.cz> Reviewed-by: Bingbu Cao <bingbu.cao@amd.com>
4 daysmedia: em28xx: requeue buffers if start_streaming failsHans Verkuil
If start_streaming fails, then all queued buffers must be returned to vb2 in state QUEUED. Otherwise it will trigger a WARN_ON. Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org> Tested-by: Hans Verkuil <hverkuil+cisco@kernel.org> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
4 daysmedia: em28xx: dev_info->pr_info since dev has been freedHans Verkuil
In em28xx_free_device() dev_info passed &dev->intf->dev, but that device can be freed already. Just use pr_info instead. Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org> Tested-by: Hans Verkuil <hverkuil+cisco@kernel.org> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
4 daysmedia: em28xx: use vb2_video_unregister_deviceHans Verkuil
Use vb2_video_unregister_device instead of video_unregister_device to ensure any streaming is correctly stopped at unregister time. Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org> Tested-by: Hans Verkuil <hverkuil+cisco@kernel.org> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
4 daysmedia: em28xx: drop 'users' fieldHans Verkuil
Drop the em28xx_v4l2 'users' field, use v4l2_fh_is_singular_file() instead. Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org> Tested-by: Hans Verkuil <hverkuil+cisco@kernel.org> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
4 daysmedia: em28xx: use v4l2_device release callbackHans Verkuil
The em28xx driver creates a lot of video devices, but life-time management is really bad. Instead use the struct v4l2_device release() callback to have a single place where memory can be freed once the last user has gone. Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org> Tested-by: Hans Verkuil <hverkuil+cisco@kernel.org> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
4 daysmedia: v4l2-async: Unregister sub-device if asc_list is emptyHans Verkuil
When my em28xx USB device that uses the i2c tvp5150 driver is disconnected, it crashes. The cause is that the tvp5150 i2c module uses v4l2_async, but the em28xx driver does not since it predates v4l2_async. In that corner case sd->asc_list is empty, so v4l2_async_unregister_subdev() never calls v4l2_device_unregister_subdev(). Modify the code so that, if sd->asc_list is empty, v4l2_device_unregister_subdev() is still called. Fixes: 28a1295795d8 ("media: v4l: async: Allow multiple connections between entities") Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org> Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com> Tested-by: Hans Verkuil <hverkuil+cisco@kernel.org> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
4 daysrust: drm: Fix typo in FEAT_RENDER documentationYounes Akhouayri
Correct the spelling of "privilege" in the DRIVER_RENDER Rustdoc. Signed-off-by: Younes Akhouayri <git@younes.io> Reviewed-by: Alice Ryhl <aliceryhl@google.com> Link: https://patch.msgid.link/20260712-docs-drm-feat-render-rustdoc-typo-v1-1-c9df1cbbce4b@younes.io Signed-off-by: Danilo Krummrich <dakr@kernel.org>
4 daysdrm/virtio: Don't detach GEM from a non-created contextJason Macnak
Applies the same treatment as commit 7cf6dd467e87 ("drm/virtio: Don't attach GEM to a non-created context in gem_object_open()") to virtio_gpu_gem_object_close() to avoid trying to detach a resource that was never attached due to a context never being created when context_init is supported. Fixes: 086b9f27f0ab ("drm/virtio: Don't create a context with default param if context_init is supported") Cc: <stable@vger.kernel.org> # v6.14+ Signed-off-by: Jason Macnak <natsu@google.com> Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com> Link: https://patch.msgid.link/20260625170828.3335431-1-natsu@google.com
4 dayssoc: imx9: devm_kasprintf error handlingGriffin Kroah-Hartman
Add error handling to devm_kasprintf functions in imx9_soc_probe(). Assisted-by: gkh_clanker_2000 Cc: Frank Li <Frank.Li@nxp.com> Cc: Sascha Hauer <s.hauer@pengutronix.de> Cc: Pengutronix Kernel Team <kernel@pengutronix.de> Cc: Fabio Estevam <festevam@gmail.com> Cc: Peng Fan <peng.fan@nxp.com> Cc: Shawn Guo <shawnguo@kernel.org> Cc: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com> Signed-off-by: Griffin Kroah-Hartman <griffin@kroah.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Frank Li <Frank.Li@nxp.com>
4 daysrust: drm: gpuvm: implement Send and Sync for GpuVaAlloc and GpuVmBoSami Tolvanen
Moving a GpuVaAlloc or GpuVmBo between threads currently forces drivers to write their own unsafe Send and Sync impls. Provide the markers in the abstraction instead. GpuVaAlloc wraps only uninitialised memory and exposes none of it. GpuVmBo hands out the driver data and GEM object by shared reference and drops them in its deferred put; the DriverGpuVm trait already guarantees both are Send + Sync, so both impls are unconditional. Signed-off-by: Sami Tolvanen <samitolvanen@google.com> Link: https://patch.msgid.link/20260611-gpuvm-sync-send-v4-2-6c7f4ab2778a@google.com Signed-off-by: Alice Ryhl <aliceryhl@google.com>
4 daysrust: drm: gpuvm: require Send + Sync for the driver's associated dataSami Tolvanen
DriverGpuVm permitted !Send/!Sync associated data on an abstraction whose handles are shared and dropped across threads: obtain() runs from many threads and the VA API performs deferred cross-thread drops. That is unsound. Require Send + Sync on the trait and its associated data so the GpuVm and UniqueRefGpuVm handle impls need no per-impl bounds. Fixes: 82b78182eacf ("rust: drm: add base GPUVM immediate mode abstraction") Signed-off-by: Sami Tolvanen <samitolvanen@google.com> Link: https://patch.msgid.link/20260611-gpuvm-sync-send-v4-1-6c7f4ab2778a@google.com Signed-off-by: Alice Ryhl <aliceryhl@google.com>
4 daysiommufd/selftest: Fix dmabuf leak in iommufd_test_dmabuf_get()yeeli
When dma_buf_export() succeeds but dma_buf_fd() fails (e.g. -EMFILE from fd exhaustion), the dmabuf is leaked with no dma_buf_put() called. Reproducer: exhaust fd table near RLIMIT_NOFILE, then repeatedly call IOMMU_TEST_OP_DMABUF_GET — htop shows unbounded memory growth. Fix by calling dma_buf_put(dmabuf) on error and returning directly. Fixes: d2041f1f11dd ("iommufd/selftest: Add some tests for the dmabuf flow") Link: https://patch.msgid.link/r/20260707030635.221577-1-seven.yi.lee@gmail.com Signed-off-by: yeeli <seven.yi.lee@gmail.com> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
4 daysMerge tag 'nfsd-7.2-1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux Pull nfsd fix from Chuck Lever: - Fix a use-after-free when unlocking a filesystem * tag 'nfsd-7.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux: NFSD: Prevent post-shutdown use-after-free in NFSD_CMD_UNLOCK_FILESYSTEM
4 dayssmb: client: reject overlapping data areas in SMB2 responsesShoichiro Miyamoto
Commit 53b7c271f06b ("smb: client: restrict implied bcc[0] exemption to responses without data area") restricted the implied bcc[0] length exception to responses without a data area. However, the overlap handling in __smb2_calc_size() clears data_length, which can make an invalid response appear to have no data area and so qualify for the exception. Track data area overlap separately and reject such responses before applying the length compatibility exceptions. Fixes: 53b7c271f06b ("smb: client: restrict implied bcc[0] exemption to responses without data area") Cc: stable@vger.kernel.org Signed-off-by: Shoichiro Miyamoto <shoichiro.miyamoto@gmail.com> Signed-off-by: Steve French <stfrench@microsoft.com>
4 dayssmb/client: refresh allocation after EOF-extending fallocateHuiwen He
Before this change, xfstests generic/496 was not supported on ksmbd: generic/496 ... [not run] fallocated swap not supported here ksmbd handles SetEOF as truncate, so EOF extension alone does not allocate backing blocks. A fallocated swapfile can therefore still look sparse to swapon. Request allocation for EOF-extending fallocate ranges that can be represented by FILE_ALLOCATION_INFORMATION, and refresh the allocation state afterwards. With this change, xfstests generic/496 and generic/701 pass on ksmbd. However, Samba "strict allocate = no" now exposes the real generic/701 failure: the old pass came from inflated local i_blocks, not from server allocation. generic/213 also fails in that case because an oversized allocation request may not return ENOSPC. Signed-off-by: Huiwen He <hehuiwen@kylinos.cn> Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Signed-off-by: Steve French <stfrench@microsoft.com>
4 dayssmb/client: emulate small EOF-extending mode 0 fallocate rangesHuiwen He
When a mode 0 fallocate extends EOF from 1G to 2G + 1M, the client currently sends SetEOF for 2G + 1M. This can make fallocate return success without allocating the requested range, or allocate extra space before that range. For example, on a fresh file: xfs_io -f \ -c "falloc 0 1G" \ -c "falloc 2G 1M" \ -c "truncate 3G" test The second fallocate should allocate [2G, 2G + 1M), leaving [1G, 2G) as a hole. Before this change, the result depended on the server allocation policy. With Samba "strict allocate = no", SetEOF could return success without allocating [2G, 2G + 1M). With "strict allocate = yes": # filefrag -v test [0, 1G) allocated [1G, 2G) allocated unexpectedly [2G, 2G + 1M) allocated SMB cannot allocate that arbitrary range, so write zeroes to small EOF-extending ranges instead. Limit this to 1 MiB to bound the client-side I/O cost. With "strict allocate = no", the requested range [2G, 2G + 1M) is allocated by the writes. With "strict allocate = yes": # filefrag -v test [0, 1G) allocated [1G, 2G) hole [2G, 2G + 1M) allocated This fixes the small EOF-extending range case exercised by generic/213. Signed-off-by: Huiwen He <hehuiwen@kylinos.cn> Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Signed-off-by: Steve French <stfrench@microsoft.com>
4 dayssmb/client: reduce fallocate zero buffer allocationHuiwen He
The fallocate emulation allocates a 1 MiB zero-filled buffer even though each SMB2_write request is limited to SMB2_MAX_BUFFER_SIZE, which is 64 KiB. A high-order 1 MiB allocation is more likely to fail on a fragmented system. Allocate only the smaller of the requested range and SMB2_MAX_BUFFER_SIZE, and reuse that zero-filled buffer for every write request. Also reject a successful write that makes no progress to avoid looping indefinitely. This reduces the contiguous allocation required by fallocate emulation without changing the written data or range semantics. Signed-off-by: Huiwen He <hehuiwen@kylinos.cn> Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Signed-off-by: Steve French <stfrench@microsoft.com>
4 dayssmb/client: handle overlapping allocated ranges in fallocateHuiwen He
smb3_simple_fallocate_range() can skip holes when an allocated range returned by the server starts before the current fallocate offset. The skipped hole is not zero-filled, but fallocate still returns success. A later write to that hole may therefore fail with ENOSPC. The function queries allocated ranges so that it can preserve existing contents and write zeroes only into holes. However, the server may return a range that starts before the current fallocate offset. For example, assume the fallocate request is [100, 400) and the only allocated range returned by the server is [0, 200): Request: [100, 400) Server range: [ 0, 200) allocated Correct: [100, 200) allocated data, skip [200, 400) hole, zero-fill Current: [100, 300) skipped [300, 400) zero-filled afterwards The current code adds the full server range length, 200, to the current offset 100 and moves to 300. As a result, the hole in [200, 300) is skipped without being zero-filled. Fix this by advancing only over the part of the allocated range that overlaps the current fallocate offset. Ignore ranges that end before the current offset and reject ranges whose end offset overflows. This also prevents a malformed range length from causing an out-of-bounds zero-buffer read. Fixes: 966a3cb7c7db ("cifs: improve fallocate emulation") Signed-off-by: Huiwen He <hehuiwen@kylinos.cn> Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Signed-off-by: Steve French <stfrench@microsoft.com>
4 dayssmb/client: refresh allocation size after duplicate extentsHuiwen He
FSCTL_DUPLICATE_EXTENTS_TO_FILE changes the target file extents on the server, but the client does not refresh the target AllocationSize/i_blocks. Callers can observe or use the wrong st_blocks value immediately after the clone, before a later attribute revalidation corrects it. For example, create a reflinked file with a leading hole: xfs_io -f -c "pwrite -S 0x61 0 64k" src touch dst chmod 600 dst xfs_io -c "reflink src 0 1m 64k" dst mkswap dst swapon dst The file still has a hole after mkswap: /mnt/scratch/dst: [0..7]: allocated [8..2047]: hole [2048..2175]: allocated The server also reports only the allocated ranges: server dst size=1114112 blocks=144 but the client reported EOF-derived blocks: client dst size=1114112 blocks=2176 and swapon succeeded: swapon_result=success /mnt/scratch/dst 1.1M 0B -1 So EOF-derived i_blocks can let a sparse reflinked file pass the CIFS swapfile hole check. Fix this by querying FILE_ALL_INFORMATION on the target handle after a successful duplicate extents request. Update i_blocks from AllocationSize and keep the refreshed target inode attributes valid so a following stat does not immediately revalidate again. If the query fails, mark the cached inode attributes stale so a later getattr can refresh them. This also fixes the xfstests generic/370 regression introduced by the i_blocks accounting change, as tested on a Samba "vfs objects = btrfs" share. Fixes: 99cd0a6eeb6c ("smb/client: do not account EOF extension as allocation") Signed-off-by: Huiwen He <hehuiwen@kylinos.cn> Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Signed-off-by: Steve French <stfrench@microsoft.com>
4 dayssmb: client: use kvzalloc() for megabyte buffer in simple fallocateFredric Cover
Currently in smb3_simple_fallocate_range(), a 1 MB buffer is allocated using kzalloc(). Under heavy memory fragmentation, a contiguous 1 MB block of physical memory (an order-8 allocation) may not be available, causing the allocation to fail. This failure was observed during xfstests generic/013 on a 4GB RAM test machine running fsstress: fsstress: page allocation failure: order:8, mode:0x40dc0(GFP_KERNEL|__GFP_ZERO|__GFP_COMP), nodemask=(null),cpuset=/,mems_allowed=0 Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 warn_alloc+0x163/0x190 __alloc_pages_slowpath.constprop.0+0x71b/0x12f0 __alloc_frozen_pages_noprof+0x2f6/0x340 alloc_pages_mpol+0xb6/0x170 ___kmalloc_large_node+0xb3/0xd0 __kmalloc_large_noprof+0x1e/0xc0 smb3_simple_falloc.isra.0+0x62b/0x960 cifs_fallocate+0xed/0x180 vfs_fallocate+0x165/0x3c0 __x64_sys_fallocate+0x48/0xa0 do_syscall_64+0xe1/0x640 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> Node 0 Normal: 3375*4kB ... 7*128kB 0*256kB 0*512kB 0*1024kB 0*2048kB 0*4096kB Since this scratch buffer does not require physically contiguous memory, switch the allocation to kvzalloc(). This retains the performance benefits of kmalloc() under normal conditions, while gracefully falling back to virtually contiguous memory when physical allocation fails. Fixes: 966a3cb7c7db ("cifs: improve fallocate emulation") Cc: stable@vger.kernel.org Signed-off-by: Fredric Cover <fredric.cover.lkernel@gmail.com> Tested-by: Fredric Cover <fredric.cover.lkernel@gmail.com> Signed-off-by: Steve French <stfrench@microsoft.com>
4 daysarm64: dts: s32g3: Correct indentationKrzysztof Kozlowski
Correct spaces or mix of tabs+spaces into proper tab-indented lines. No functional impact (same DTB). Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Reviewed-by: Ghennadi Procopciuc <ghennadi.procopciuc@oss.nxp.com> Signed-off-by: Frank Li <Frank.Li@nxp.com>
4 daysarm64: dts: imx8: Correct indentation and whitespaceKrzysztof Kozlowski
Correct spaces or mix of tabs+spaces into proper tab-indented lines and remove other whitespace violations. No functional impact (same DTB). Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Acked-by: Peng Fan <peng.fan@nxp.com> Signed-off-by: Frank Li <Frank.Li@nxp.com>
4 daysksmbd: Do not skip lock checks for single-byte rangesGuangshuo Li
check_lock_range() uses inclusive ranges. Its callers pass the end offset as start + length - 1, so start == end represents a valid single-byte range rather than an empty range. The start == end shortcut therefore skips mandatory byte-range lock checks for one-byte reads, writes, copychunk operations and one-byte truncate ranges. A conflicting lock covering that byte is not checked and the operation is allowed to proceed. Remove the shortcut. The truncate size == inode->i_size case is already handled by only calling check_lock_range() when the new size differs from the current file size. Fixes: 5d510ac31626 ("ksmbd: skip lock-range check on equal size to avoid size==0 underflow") Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
4 daysksmbd: return buffer overflow for partial filesystem infoNamjae Jeon
The query-info buffer check returns STATUS_INFO_LENGTH_MISMATCH for every output buffer smaller than the complete response. Variable-length filesystem information instead requires STATUS_BUFFER_OVERFLOW when the fixed portion fits but the complete data does not. Pass the fixed size for each filesystem information class to the buffer checker. Keep INFO_LENGTH_MISMATCH for buffers below that size, and return BUFFER_OVERFLOW with a response truncated to the requested length for larger partial buffers. This fixes smb2.getinfo.qfs_buffercheck. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
4 daysksmbd: allow I/O on directory named streamsNamjae Jeon
Named streams are stored as extended attributes on the base inode. The VFS read and write helpers reject directory inodes before or together with checking whether the handle represents a stream. Permit read and write operations when a directory-backed handle is a named stream. Continue rejecting direct I/O on ordinary directory handles. This fixes creation of the directory stream in smb2.getinfo.complex. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
4 daysksmbd: protect private extended attributesNamjae Jeon
SMB clients can currently create an EA named NTACL because SMB EAs are mapped into the user namespace while the ksmbd security descriptor is stored as security.NTACL. Allowing the reserved logical name makes the server-private ACL metadata appear writable through the SMB EA API. Reject NTACL, DOSATTRIB, and DosStream-prefixed EA names without regard to case. Filter the same private names from EA query results so stale or externally-created user namespace attributes cannot be exposed. This fixes smb2.ea.acl_xattr when acl_xattr_name is configured as NTACL. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
4 daysksmbd: reject delete-on-close for read-only filesNamjae Jeon
DELETE_ON_CLOSE is currently accepted for files carrying the read-only DOS attribute. The server consequently creates or opens the file and marks it for deletion instead of returning STATUS_CANNOT_DELETE. Reject creation of a new read-only file with DELETE_ON_CLOSE. For an existing file, load the stored DOS attributes before accepting the create option. Also reject FileDispositionInformation when the opened file has the read-only attribute. Preserve the explicit STATUS_CANNOT_DELETE value while unwinding the CREATE request. This fixes smb2.delete-on-close-perms.READONLY. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
4 daysksmbd: honor owner rights ACEs in maximal accessNamjae Jeon
The SMB2 create maximal-access context is currently calculated from POSIX mode bits when the client does not request MAXIMUM_ALLOWED. This overwrites the access granted by a stored Windows DACL. Calculate the create-context result with the DACL permission checker. Recognize the S-1-3-4 Owner Rights SID as applying to the object owner and process its allow and deny ACEs in ACL order. When an Owner Rights ACE is present, do not add the owner implicit READ_CONTROL and WRITE_DAC rights. The Owner Rights ACE replaces those implicit grants as required by Windows access-check semantics. Without an Owner Rights ACE, preserve the existing implicit owner grants, including FILE_READ_ATTRIBUTES and DELETE. This fixes smb2.acls.OWNER-RIGHTS and its deny variants without regressing smb2.acls.GENERIC. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
4 daysksmbd: support access-based directory enumerationNamjae Jeon
SMB shares can advertise access-based directory enumeration. ksmbd does not currently provide a share option or filter inaccessible directory entries. Add a hide-unreadable share flag and advertise SMB2_SHAREFLAG_ACCESS_BASED_DIRECTORY_ENUM when it is enabled. During QUERY_DIRECTORY, omit entries unless the connected user has FILE_READ_DATA, FILE_READ_EA, and FILE_READ_ATTRIBUTES access according to the Windows ACL. Keep the existing implicit access allowances for normal CREATE permission checks while using strict access-mask matching for directory enumeration. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
4 daysksmbd: fix maximum allowed access checksNamjae Jeon
The DACL permission check looks for an ACE matching the current user and falls back to the Everyone ACE. It does not consider an Authenticated Users ACE, even though an authenticated session is a member of that well-known group. As a result, opening a file whose access is granted through S-1-5-11 can incorrectly fail with STATUS_ACCESS_DENIED. Treat an Authenticated Users ACE as a fallback entry alongside Everyone. The maximal access calculation also combines access masks from every ACE, regardless of whether its SID applies to the current user. This can grant rights belonging to an unrelated principal. Process only ACEs applying to the user, Everyone, or Authenticated Users, and accumulate allowed and denied masks in ACL order. Preserve explicitly requested access bits so they are validated against the resulting maximal mask. When ACCESS_SYSTEM_SECURITY is denied, report STATUS_PRIVILEGE_NOT_HELD instead of the generic STATUS_ACCESS_DENIED. Access to the system ACL requires a security privilege that ksmbd does not grant. For regular files, include FILE_EXECUTE in maximal access when the client requested GENERIC_EXECUTE and the DACL grants the complete file-read set. Keep a direct FILE_EXECUTE request subject to the explicit DACL bit. This matches the POSIX file ACL mapping without broadening specific execute requests. Do not replace rights from an applicable NT ACE with a POSIX ACL entry. The POSIX ACL is only a fallback when no user, Everyone, or Authenticated Users ACE applies; otherwise it can incorrectly broaden the stored DACL. This fixes smb2.maximum_allowed.maximum_allowed. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
4 daysksmbd: validate SMB2 write offsetsNamjae Jeon
An SMB2 WRITE request with a negative offset returns -EINVAL directly from smb2_write(). This bypasses the common error response path, leaving the client waiting until the request times out. ksmbd also allows nonempty writes at or beyond MAXFILESIZE as defined by [MS-FSA]. Writes beyond the limit must fail with STATUS_INVALID_PARAMETER. Writes ending at the limit fail with STATUS_DISK_FULL, while a zero-length write remains valid. Route negative offsets through the common error path and validate the end offset of nonempty writes against MAXFILESIZE. This fixes smb2.rw.invalid. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
4 daysksmbd: reject SMB3.1.1 binding with mismatched cipherNamjae Jeon
SMB3.1.1 multichannel connections belonging to the same session must use the same negotiated encryption cipher. ksmbd validates the dialect and client GUID during session binding, but does not compare the cipher negotiated by the new connection with the cipher used by the existing session channels. This allows a channel negotiated with AES-128-CCM to bind to a session using AES-128-GCM. Compare the new connection's cipher with an existing session channel and return STATUS_INVALID_PARAMETER when they differ. This fixes smb2.session.bind_negative_smb3encGtoCs. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
4 daysksmbd: reject undersized decompressed SMB2 requestsNamjae Jeon
ksmbd_decompress_request() bounds the decompressed size only against the maximum request size. A compression transform can therefore produce a buffer smaller than an SMB2 PDU and install it as conn->request_buf. The receive path subsequently calls ksmbd_smb_request(), which reads the protocol ID before the normal SMB2 minimum-size check. If the decompressed output is too short, that read can access beyond the request allocation. Require the decompressed output to contain at least a complete minimum SMB2 PDU before allocating and installing the replacement request buffer. Fixes: a08de24c2b85 ("ksmbd: negotiate and decode SMB2 compression") Cc: stable@vger.kernel.org Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
4 daysksmbd: validate minimum PDU size for transform requestsNamjae Jeon
The receive path applies the minimum SMB2 PDU size check only when ProtocolId is SMB2_PROTO_NUMBER. A packet carrying SMB2_TRANSFORM_PROTO_NUM bypasses the check even when the negotiated dialect does not provide transform handling. On an SMB 2.1 connection, a short transform packet therefore reaches init_smb2_rsp_hdr(), which interprets the request as a full SMB2 header and reads beyond the request allocation. The copied fields can then be returned to the unauthenticated client. Compression transforms are converted to ordinary SMB2 messages before protocol validation. After that conversion, validate ordinary SMB2 requests against SMB2_MIN_SUPPORTED_PDU_SIZE and require encryption transform requests to contain both a transform header and an SMB2 header. This rejects truncated requests before work allocation. Fixes: 368ba06881c3 ("ksmbd: check the validation of pdu_size in ksmbd_conn_handler_loop") Cc: stable@vger.kernel.org Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-31063 Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
4 daysksmbd: defer destroy_previous_session() until after NTLM authenticationJames Montgomery
In ntlm_authenticate(), destroy_previous_session() is called using a user pointer resolved from the client-supplied NTLM blob username field before the NTLMv2 response is validated. An authenticated attacker can set the NTLM blob username to match a victim account and set PreviousSessionId to the victim's session ID; destroy_previous_session() destroys the victim's session while ksmbd_decode_ntlmssp_auth_blob() subsequently rejects the request with -EPERM. Move destroy_previous_session() and the prev_id assignment to after ksmbd_decode_ntlmssp_auth_blob() returns success and use sess->user rather than the pre-authentication lookup result. This matches the ordering already used by krb5_authenticate(), where destroy_previous_session() is called only after ksmbd_krb5_authenticate() returns success. Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/linux-cifs/20260702155449.3639773-1-james_montgomery@disroot.org/ Signed-off-by: James Montgomery <james_montgomery@disroot.org> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
4 daysksmbd: validate ACE size against SID sub-authoritiesNamjae Jeon
set_ntacl_dacl() validates sid.num_subauth before copying an ACE, but does not verify that the declared ACE size contains all sub-authorities described by that field. An undersized ACE can therefore be copied and later make the POSIX ACL deduplication walk inspect data beyond the copied ACE boundary. The existing initial bound check is also too small. It only ensures that the ACE size field is accessible before set_ntacl_dacl() reads sid.num_subauth farther into the input buffer. Require enough input for the fixed SID header before accessing num_subauth, reject ACEs smaller than that header, and skip ACEs whose declared size cannot contain the complete SID. This makes the validation consistent with the other ACE walk paths. Reported-by: LocalHost <localhost.detect@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
4 daysksmbd: restore DACL size on check_add_overflow() to avoid malformed ACLWentao Guan
check_add_overflow() unconditionally writes the truncated sum into *d even on overflow, per its contract in include/linux/overflow.h. The four check_add_overflow() guards in set_posix_acl_entries_dacl() and set_ntacl_dacl() break out of the ACE-building loops on overflow, but the truncated *size is then consumed downstream at the end of set_ntacl_dacl(): pndacl->size = cpu_to_le16(le16_to_cpu(pndacl->size) + size); This produces an on-wire NT ACL whose pndacl->size under-reports the bytes actually written by the preceding fill_ace_for_sid()/memcpy() calls, yielding a malformed ACL that can trigger out-of-bounds reads when re-parsed by clients or ksmbd itself. Restore *size to its pre-addition value on each overflow branch (via `*size -= ace_sz` / `size -= nt_ace_size`) so that after the break, *size once again holds the cumulative size of the successfully-written ACEs. The committed ACL is then truncated-but-self-consistent rather than malformed. The ksmbd DACL builders are the only check_add_overflow() sites found where an overflow path breaks out of a loop and the destination value is consumed afterward. The other nearby break-style cases either return -EINVAL on overflow (transport_ipc.c) or break without consuming the overflowed destination value afterward (buildid.c). Fixes: 299f962c0b02 ("ksmbd: use check_add_overflow() to prevent u16 DACL size overflow") Assisted-by: atomcode:glm-5.2 Assisted-by: Codex:gpt-5.5 Cc: stable@vger.kernel.org Signed-off-by: Wentao Guan <guanwentao@uniontech.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
4 daysksmbd: bound DACL dedup walk to copied ACEsNamjae Jeon
set_ntacl_dacl() can stop copying ACEs before consuming the full input DACL when size accounting overflows. When that happens, num_aces reflects only the ACEs that were actually copied into the output DACL, but set_posix_acl_entries_dacl() still receives nt_num_aces and uses it to walk the existing ACE array during dedup. That makes the dedup walk scan past the copied ACE array and inspect buffer tail that does not contain valid ACEs. Split the two meanings currently carried by the NT ACE count. Pass the number of copied NT ACEs to bound the dedup walk, and preserve the original "input DACL had NT ACEs" state separately for the Everyone/default ACL fallback. This keeps the dedup walk aligned with the ACEs that are actually present in the rebuilt DACL. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
4 daysALSA: usb-audio: Add delay quirk for iBasso DC-EliteLianqin Hu
Audio control requests that sets sampling frequency sometimes fail on this card. Adding delay between control messages eliminates that problem. usb 1-1: New USB device found, idVendor=2fc6, idProduct=f0b5 usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 usb 1-1: Product: iBasso DC-Elite usb 1-1: Manufacturer: iBasso usb 1-1: SerialNumber: CTUA171130B Signed-off-by: Lianqin Hu <hulianqin@vivo.com> Signed-off-by: Takashi Iwai <tiwai@suse.de> Link: https://patch.msgid.link/TYUPR06MB6217D8FF419F24378196FCEFD2FA2@TYUPR06MB6217.apcprd06.prod.outlook.com
4 daysALSA: hda: conexant: Remove mic bias threshold overrideZhang Heng
Remove the mic bias current comparator threshold override (NID 0x1c, verb 0x320, value 0x010) from Conexant codec driver. This override was originally intended to support volume up/down controls on headsets with inline remote controls, but it causes microphone detection failures on some headsets with impedance less than 1k ohm. After consulting with the vendor's engineers, it was confirmed that this setting is board-specific and should be handled by BIOS/firmware rather than the generic codec driver, especially since inline remote support is not currently implemented. Fixes: 7aeb25908648 ("ALSA: hda/conexant: Fix headset auto detect fail in cx8070 and SN6140") Cc: stable@vger.kernel.org Signed-off-by: Zhang Heng <zhangheng@kylinos.cn> Link: https://patch.msgid.link/20260713100329.306892-1-zhangheng@kylinos.cn Signed-off-by: Takashi Iwai <tiwai@suse.de>
4 daysarm64: dts: freescale: imx9-var-dart-sonata: fix Ethernet PHY configurationStefano Radaelli
Fix the Ethernet PHY description on the DART-MX9 Sonata boards. The GPIO previously described as the PHY reset line is actually a board-level enable signal required by the PHY. Model it accordingly and remove the incorrect reset GPIO description from the PHY nodes. On i.MX91 and i.MX93 the signal is described as a fixed regulator, whereas the existing regulator description on i.MX95 is reused. Keeping the PHY enable asserted during boot ensures that Ethernet initialization completes successfully. Signed-off-by: Stefano Radaelli <stefano.r@variscite.com> Signed-off-by: Frank Li <Frank.Li@nxp.com>
4 daysARM: dts: imx6qdl-tqma6: add nvmem-layoutMax Merchel
TQMa6x has board-information located in EEPROM at offset 0x20. Add necessary nodes and properties for nvmem cell. Signed-off-by: Max Merchel <Max.Merchel@ew.tq-group.com> Signed-off-by: Frank Li <Frank.Li@nxp.com>
4 daysMerge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdmaLinus Torvalds
Pull rdma fixes from Jason Gunthorpe: "More bug fixes, many found by tools: - Protect from a possible DOS with certain RMPP traffic patterns - Correct mac address comparison so CMA works properly on IB - Some crashes in irdma around memory registration - Uninitialized value in erdma and mana - Wrong order setting up a QP in SIW allowed a network packet to reach an unready QP struct - Catch math overflows in hns and irdma" * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma: RDMA/irdma: Prevent overflows in memory contiguity checks RDMA/siw: publish QP after initialization RDMA/hns: Fix potential integer overflow in mhop hem cleanup RDMA/core: Fix memory leak in __ib_create_cq() on invalid cqe RDMA/mana_ib: initialize err for empty send WR lists RDMA/erdma: initialize ret for empty receive WR lists RDMA/irdma: Prevent user-triggered null deref on QP create RDMA/irdma: Prevent rereg_mr for non-mem regions RDMA/cma: Fix hardware address comparison length in netevent callback RDMa/mlx5: Avoid frame overflow warning IB/mad: Drop unmatched RMPP responses before reassembly
4 daysfirmware: qcom: scm: Add minidump SRAM supportMukesh Ojha
On most Qualcomm SoCs where minidump is supported, a word in always-on SRAM is shared between the operating system (OS) and boot firmware. Before DDR is initialized on the warm reset following a crash, firmware reads this word to decide if minidump is enabled and collect a minidump, and where to deliver it (USB upload to a host, or save to local storage). The OS is expected to select one of the destinations. The SRAM region is described by a 'sram' phandle on the SCM DT node. If the property is absent the feature is silently disabled, keeping existing SoCs unaffected. Expose a 'minidump_dest' module parameter (default: usb) so the user can select the destination. Only the string names "usb" or "storage" are accepted. Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com> Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com> Link: https://lore.kernel.org/r/20260624190830.3131112-6-mukesh.ojha@oss.qualcomm.com Signed-off-by: Bjorn Andersson <andersson@kernel.org>
4 daysfirmware: qcom: scm: use dev_err_probe() for dload address failureMukesh Ojha
Replace the bare `return ret` after qcom_scm_find_dload_address() with dev_err_probe() to produce a consistent, deferred-probe-aware error message when the download-mode address cannot be resolved. Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com> Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com> Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com> Link: https://lore.kernel.org/r/20260624190830.3131112-5-mukesh.ojha@oss.qualcomm.com Signed-off-by: Bjorn Andersson <andersson@kernel.org>
4 daysfirmware: qcom: scm: Fix missing smp_load_acquire()Mukesh Ojha
__scm is published in qcom_scm_probe() with smp_store_release() but qcom_scm_set_download_mode() reads it directly without smp_load_acquire(), creating a potential ordering violation where a CPU could observe a stale or partially initialised __scm pointer. Use smp_load_acquire() to acquire __scm in the qcom_scm_set_download_mode() function. Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com> Link: https://lore.kernel.org/r/20260624190830.3131112-4-mukesh.ojha@oss.qualcomm.com Signed-off-by: Bjorn Andersson <andersson@kernel.org>
4 daysdt-bindings: firmware: qcom,scm: Add minidump SRAM propertyMukesh Ojha
On Qualcomm SoCs that support minidump, a word in always-on SRAM is shared between the Operating System(HLOS) and boot firmware. OS is expected to select the minidump download destination either USB upload to a host PC or save to on-device storage. Boot firmware will reads this word before DDR is initialized on the warm reset following a crash to decide where to deliver the minidump. Add a 'sram' property to the SCM binding to allow the OS to identify this SRAM region via a phandle. Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com> Acked-by: Rob Herring (Arm) <robh@kernel.org> Link: https://lore.kernel.org/r/20260624190830.3131112-2-mukesh.ojha@oss.qualcomm.com Signed-off-by: Bjorn Andersson <andersson@kernel.org>
4 daysdrm/msm: Switch to generic PAS TZ APIsSumit Garg
Switch drm/msm client drivers over to generic PAS TZ APIs. Generic PAS TZ service allows to support multiple TZ implementation backends like QTEE based SCM PAS service, OP-TEE based PAS service and any further future TZ backend service. Acked-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com> Reviewed-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com> Tested-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com> # Lemans Signed-off-by: Sumit Garg <sumit.garg@oss.qualcomm.com> Link: https://lore.kernel.org/r/20260702115835.167602-9-sumit.garg@kernel.org Signed-off-by: Bjorn Andersson <andersson@kernel.org>
4 daysARM: dts: imx6ul-tqma6ul: add nvmem-layoutMax Merchel
TQMa6UL has board-information located in EEPROM at offset 0x20. Add necessary nodes and properties for nvmem cell. Signed-off-by: Max Merchel <Max.Merchel@ew.tq-group.com> Signed-off-by: Frank Li <Frank.Li@nxp.com>