summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
4 dayswifi: carl9170: fix buffer overflow in rx_stream failover pathTristan Madani
The failover continuation in carl9170_rx_stream() copies the full tlen from the second USB transfer instead of capping at rx_failover_missing bytes. When both transfers are near maximum size, the total exceeds the 65535-byte failover SKB, triggering skb_over_panic. Limit the copy size to the missing byte count. Fixes: a84fab3cbfdc ("carl9170: 802.11 rx/tx processing and usb backend") Signed-off-by: Tristan Madani <tristan@talencesecurity.com> Acked-by: Christian Lamparter <chunkeey@gmail.com> Closes: https://syzkaller.appspot.com/bug?extid=5c1ca6ccaa1215781cac Link: https://patch.msgid.link/20260421134929.325662-4-tristmd@gmail.com [Fix checkpatch CHECK:PARENTHESIS_ALIGNMENT] Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
4 dayswifi: carl9170: fix OOB read from off-by-two in TX status handlerTristan Madani
The bounds check in carl9170_tx_process_status() uses `i > ((cmd->hdr.len / 2) + 1)` which is off by two, allowing 2 extra iterations past valid _tx_status entries when the firmware- controlled hdr.ext exceeds hdr.len/2. Fix by using the correct comparison `i >= (cmd->hdr.len / 2)`. Fixes: a84fab3cbfdc ("carl9170: 802.11 rx/tx processing and usb backend") Signed-off-by: Tristan Madani <tristan@talencesecurity.com> Acked-by: Christian Lamparter <chunkeey@gmail.com> Closes: https://syzkaller.appspot.com/bug?extid=5c1ca6ccaa1215781cac Link: https://patch.msgid.link/20260421134929.325662-3-tristmd@gmail.com Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
4 dayswifi: carl9170: bound memcpy length in cmd callback to prevent OOB readTristan Madani
When the firmware sends a command response with a length mismatch, carl9170_cmd_callback() logs the mismatch and calls carl9170_restart() but then falls through to memcpy(ar->readbuf, buffer + 4, len - 4). Since len comes from the firmware and can exceed ar->readlen, this copies more data than the readbuf was allocated for. Bound the memcpy to min(len - 4, ar->readlen) so that the response is still completed -- avoiding repeated restarts from queued garbage -- while preventing an overread past the response buffer. Fixes: a84fab3cbfdc ("carl9170: 802.11 rx/tx processing and usb backend") Signed-off-by: Tristan Madani <tristan@talencesecurity.com> Acked-by: Christian Lamparter <chunkeey@gmail.com> Closes: https://syzkaller.appspot.com/bug?extid=5c1ca6ccaa1215781cac Link: https://patch.msgid.link/20260421134929.325662-2-tristmd@gmail.com Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
4 dayswifi: ath6kl: fix OOB read from firmware IE lengths in connect eventTristan Madani
The firmware-controlled beacon_ie_len, assoc_req_len, and assoc_resp_len fields in ath6kl_wmi_connect_event_rx() are not validated against the buffer length. Their sum (up to 765) can exceed the actual WMI event data, causing out-of-bounds reads during IE parsing and state corruption of wmi->is_wmm_enabled. Add a check that the total IE length fits within the buffer. Fixes: bdcd81707973 ("Add ath6kl cleaned up driver") Signed-off-by: Tristan Madani <tristan@talencesecurity.com> Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com> Link: https://patch.msgid.link/20260421135009.348084-3-tristmd@gmail.com Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
4 dayswifi: ath6kl: fix OOB read from firmware num_msg in TX complete handlerTristan Madani
The firmware-controlled num_msg field (u8, 0-255) drives the loop in ath6kl_wmi_tx_complete_event_rx() without validation against the buffer length. This allows out-of-bounds reads of up to 1020 bytes past the WMI event buffer when the firmware sends an inflated num_msg. Add a check that the buffer is large enough to hold the fixed struct and the num_msg variable-length entries. Fixes: bdcd81707973 ("Add ath6kl cleaned up driver") Signed-off-by: Tristan Madani <tristan@talencesecurity.com> Link: https://patch.msgid.link/20260625232907.3620746-1-tristmd@gmail.com Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
4 dayswifi: ath6kl: fix OOB access from firmware ADDBA window sizeTristan Madani
aggr_recv_addba_req_evt() logs a debug message when the firmware-supplied win_sz is outside [AGGR_WIN_SZ_MIN, AGGR_WIN_SZ_MAX] but does not return. The out-of-range win_sz is then used in TID_WINDOW_SZ() to compute a kzalloc size and stored in rxtid->hold_q_sz, leading to zero-size or overflowed allocations and subsequent out-of-bounds access. Clean up any previously active aggregation session for the TID first, then return early when win_sz is out of the valid range, instead of proceeding with a broken allocation size. Fixes: bdcd81707973 ("Add ath6kl cleaned up driver") Cc: stable@vger.kernel.org Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com> Signed-off-by: Tristan Madani <tristan@talencesecurity.com> Link: https://patch.msgid.link/20260702005020.708717-1-tristmd@gmail.com Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
4 dayswifi: ath12k: fix NULL pointer dereference in rhash table destroyJose Ignacio Tornos Martinez
When unbinding the ath12k driver, kernel NULL pointer dereferences occur in irq_work_sync() called from rhashtable_destroy(). Two hash tables are affected: 1. ath12k_link_sta hash table in ath12k_base 2. ath12k_dp_link_peer hash table in ath12k_dp The issue happens because the destroy functions are called unconditionally in cleanup paths, but the hash tables are only initialized late in their respective init functions. If the device was never fully started or if the init functions failed before initializing the hash tables, the pointers will be NULL. The issues are always reproducible from a VM because the MSI addressing initialization is failing. Call trace for ath12k_link_sta_rhash_tbl_destroy: RIP: irq_work_sync+0x1e/0x70 rhashtable_destroy+0x12/0x60 ath12k_link_sta_rhash_tbl_destroy+0x19/0x40 [ath12k] ath12k_core_stop+0xe/0x80 [ath12k] ath12k_core_hw_group_cleanup+0x6b/0xb0 [ath12k] ath12k_pci_remove+0x60/0x110 [ath12k] Call trace for ath12k_dp_link_peer_rhash_tbl_destroy: RIP: irq_work_sync+0x1e/0x70 rhashtable_destroy+0x12/0x60 ath12k_dp_link_peer_rhash_tbl_destroy+0x29/0x50 [ath12k] ath12k_dp_cmn_device_deinit+0x21/0x140 [ath12k] ath12k_core_hw_group_cleanup+0x6b/0xb0 [ath12k] ath12k_pci_remove+0x60/0x110 [ath12k] Fix this by adding NULL checks before calling rhashtable_destroy() in both destroy functions. The NULL check approach was chosen because the rhashtable pointer serves as the initialization state indicator. The init can fail at various points, leaving some components uninitialized. Checking the pointer directly is simpler than adding separate state flags that would need synchronization. Fixes: 57ccca410237 ("wifi: ath12k: Add hash table for ath12k_link_sta in ath12k_base") Fixes: a88cf5f71adf ("wifi: ath12k: Add hash table for ath12k_dp_link_peer") Cc: stable@vger.kernel.org Signed-off-by: Jose Ignacio Tornos Martinez <jtornosm@redhat.com> Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com> Link: https://patch.msgid.link/20260615112103.601982-1-jtornosm@redhat.com Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
4 dayswifi: ath12k: Fix low MLO RX throughput on WCN7850Yingying Tang
Commit [1] introduced a regression causing severely degraded MLO RX throughput on WCN7850. On WCN7850, there is only a single ar instance, but MLO uses two link IDs. ath12k_dp_peer->hw_links[] is indexed using ar->hw_link_id, which causes both MLO link IDs to be stored at the same index. As a result, an incorrect link ID is assigned to MSDUs in ath12k_dp_rx_deliver_msdu(), leading to severe MLO RX throughput loss. Different chipsets identify the per-MSDU link differently: - On QCN9274 / IPQ5332, the host owns multiple ar instances and the per-MSDU hw_link_id from the RX descriptor maps cleanly through dp_peer->hw_links[hw_link_id] to the IEEE link_id. - On single-ar chipsets like WCN7850 / QCC2072, there is only one ar instance for both MLO links, so dp_peer->hw_links[] has just one valid slot and cannot be used to distinguish the two links. To resolve the link, walk dp_peer->link_peers[] and match by rxcb->peer_id, which on the link_peer side identifies the link peer for the MSDU. Add a new hw_op set_rx_link_id() so each chipset resolves the link on the RX fast path using whatever signal it actually has, and let the op itself decide whether to populate rx_status::link_valid and rx_status::link_id: QCN9274 / IPQ5332 : always derive link_id from dp_peer->hw_links[rxcb->hw_link_id] and set link_valid. WCN7850 / QCC2072 : walk the link_peers[] of dp_peer to find the link_peer whose peer_id matches rxcb->peer_id, and set link_valid only when a match is found. Otherwise leave link_valid clear so that mac80211 can fall back to its own link resolution path (via addr2 / deflink). For WCN7850 / QCC2072, walking dp_peer->link_peers[] is bounded by the number of links actually populated, so introduce a link_peers_map bitmap (unsigned long) in struct ath12k_dp_peer that tracks populated slots and use for_each_set_bit() to iterate. Non-MLO clients hit one slot, current MLO clients hit two; the full ATH12K_NUM_MAX_LINKS array is never scanned. The bitmap is maintained with WRITE_ONCE() on the write side (under dp_hw->peer_lock) paired with READ_ONCE() on both the lockless RX read side and the write-side RMW for KCSAN correctness. Also guard the dp_peer dereference in ath12k_mac_peer_cleanup_all() with a NULL check, since peer->dp_peer can be NULL for self-peers or peers not yet fully assigned, the pre-existing rcu_assign_pointer() call there had the same latent issue. This restores the correct link ID on WCN7850 without changing the QCN9274 / IPQ5332 data path, which keeps its O(1) hw_links[] indexing. Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3 Fixes: 11157e0910fd ("wifi: ath12k: Use ath12k_dp_peer in per packet Tx & Rx paths") # [1] Signed-off-by: Yingying Tang <yingying.tang@oss.qualcomm.com> Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com> Reviewed-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com> Link: https://patch.msgid.link/20260610053315.2249912-1-yingying.tang@oss.qualcomm.com Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
4 daysmm/slub: add comment explaining intentional kobject handling in sysfs_slab_addHongling Zeng
Add a comment to clarify why we don't call kobject_put() when kobject_init_and_add() fails in sysfs_slab_add(). Per commit 2420baa8e046 ("mm/slab: Allow cache creation to proceed even if sysfs registration fails"), sysfs failures are treated as non-fatal and the cache continues to be used. Calling kobject_put() would trigger slab_kmem_cache_release() which frees the entire cache structure, so we intentionally skip it. Suggested-by: Harry Yoo <harry@kernel.org> Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn> Acked-by: Harry Yoo (Oracle) <harry@kernel.org> Link: https://patch.msgid.link/20260713070024.153552-1-zenghongling@kylinos.cn Signed-off-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
4 daysiommufd/selftest: Avoid selftest dirty bitmap size wrapSamuel Moelius
IOMMU_TEST_OP_DIRTY sizes its temporary dirty bitmap from length / page_size. Very large selftest ranges can make the DIV_ROUND_UP() additions wrap before allocation, producing a zero-length allocation while the later test_bit() loop still walks the original number of bits. The selftest helper does not need to support unbounded dirty bitmap sizes. Reject requests that would allocate more than SZ_16M for the temporary buffer. Fixes: 79ea4a496ab5 ("iommufd/selftest: Fix buffer read overrrun in the dirty test") Link: https://patch.msgid.link/r/20260628152331.82122.408afd7b466c.iommufd-test-dirty-bitmap-size-wrap@trailofbits.com Assisted-by: Codex:gpt-5.5-cyber-preview Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
4 daysKVM: x86: Fix null pointer deref due to dummy array in trace_kvm_inj_exception()Daniel Paziyski
The trace_kvm_inj_exception tracepoint takes as arguments the exception vector, whether the exception has an error code (and subsequently, the error code), and whether it is being reinjected. Because '0' is a valid error code, KVM uses __print_symbolic() to format the error code as a string to avoid printing the error code entirely if the exception doesn't have an error code (see commit 21d4c575eb4a ("KVM: x86: Print error code in exception injection tracepoint iff valid"). KVM's abuse of __print_symbolic() was all fine and dandy, until commit 754e38d2d1ae ("tracing: Use explicit array size instead of sentinel elements in symbol printing") reworked the printing to avoid terminating the arrays with NULL/0 values, and missed KVM's clever use of not-quite empty array of symbols. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP CPU: 20 UID: 0 PID: 791 Comm: less Not tainted 7.2.0-rc2 #401 PREEMPT Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:strlen+0x0/0x20 Call Trace: <TASK> trace_seq_puts+0x18/0x80 trace_print_symbols_seq+0x68/0xa0 trace_raw_output_kvm_inj_exception+0x64/0xf0 [kvm] s_show+0x47/0x110 seq_read_iter+0x2a5/0x4c0 seq_read+0xfd/0x130 vfs_read+0xb6/0x330 ? vfs_write+0x2f2/0x3f0 ksys_read+0x61/0xd0 do_syscall_64+0xb7/0x570 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7ff283714862 </TASK> Simply drop the dummy array entirely, so that __print_symbolic() generates a truly empty array. Signed-off-by: Daniel Paziyski <danielpaziyski@gmail.com> Fixes: 754e38d2d1ae ("tracing: Use explicit array size instead of sentinel elements in symbol printing") Reviewed-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de> Link: https://patch.msgid.link/20260710134055.16432-1-danielpaziyski@gmail.com [sean: massage changelog, add splat, add Fixes, cc stable] Signed-off-by: Sean Christopherson <seanjc@google.com>
4 daysscripts: headers_install.sh: Normalize __ASSEMBLER__ to __ASSEMBLY__Thomas Weißschuh
There is an ongoing effort to replace the usage of __ASSEMBLY__ with __ASSEMBLER__ throughout the kernel tree, see for example commit 287d163322b7 ("arm64: Replace __ASSEMBLY__ with __ASSEMBLER__ in non-uapi headers"). The latter is automatically provided by all compilers and preprocessors supported by the kernel, so the explicit definitions of __ASSEMBLY__ can be removed. However the UAPI headers might be used with non-GCC-compatible compilers, which do not define __ASSEMBLER__ automatically. So this migration may break users. Also during the migration phase, the UAPI headers will use a mix of *both* __ASSEMBLY__ and __ASSEMBLER__ at the same time, which is ugly and inconsistent. For now make sure that the exported UAPI headers consistently use __ASSEMBLY__ as before. Link: https://lore.kernel.org/lkml/164baf81-2824-4943-bbc1-4ae8a160c0cc@t-8ch.de/ Signed-off-by: Thomas Weißschuh <linux@weissschuh.net> Acked-by: Nick Huang <sef1548@gmail.com> Reviewed-by: Nicolas Schier <n.schier@fritz.com> Tested-by: Nicolas Schier <n.schier@fritz.com> Link: https://patch.msgid.link/20260630-uapi-assembly-v2-1-8e7bee2fe816@weissschuh.net Signed-off-by: Nicolas Schier <nsc@kernel.org>
4 daysRISC-V: KVM: Zicbo[m|z|p] block sizes should be always present in ONE_REGAnup Patel
All config and core registers of the KVM RISC-V ONE_REG interface are expected to be always available to the KVM user-space and the KVM get-reg-list selftest assumes these registers to be as base registers. Currently, the Zicbo[m|z|p] block size config registers are only available when corresponding ISA extension is present on the host which breaks the above expectation. In fact, KVM get-reg-list selftest fails when any of the Zicbo[m|z|p] ISA extension is not present on host. To address this issue, drop the ISA extension checks from kvm_riscv_vcpu_get/set_reg_config() and copy_config_reg_indices() functions. Fixes: 031f9efafc08 ("KVM: riscv: Add KVM_GET_REG_LIST API support") Fixes: a044ef71043e ("RISC-V: KVM: use ENOENT in *_one_reg() when extension is unavailable") Fixes: 48e2febcda74 ("RISC-V: KVM: Provide UAPI for Zicbop block size") Fixes: cf05b059d59f ("RISC-V: KVM: Introduce common kvm_riscv_isa_check_host()") Signed-off-by: Anup Patel <anup.patel@oss.qualcomm.com> Link: https://lore.kernel.org/r/20260706181522.2003922-1-anup.patel@oss.qualcomm.com Signed-off-by: Anup Patel <anup@brainfault.org>
4 daysima: measure userspace policy writes before parsingEnrico Bravi
When a signed policy is not mandatory, userspace can write IMA policy rules directly to the securityfs policy file: echo -e "measure func=BPRM_CHECK mask=MAY_EXEC\n" \ "audit func=BPRM_CHECK mask=MAY_EXEC\n" \ > /sys/kernel/security/ima/policy or by cat'ing the entire IMA custom policy file: cat ima-policy-file > /sys/kernel/security/ima/policy Because these rules originate from userspace and cross the userspace/kernel trust boundary, measure the raw write buffer before parsing, regardless of whether the new policy will be accepted or not. This can be caught when 'measure func=POLICY_CHECK' is enabled (e.g., ima_policy=tcb). The measurement template is forced to ima-buf. This follows the "measure & load" paradigm, exposing potential bugs in the policy code and detecting attempts to corrupt IMA. It also completes the POLICY_CHECK hook, which already measures partial policy load by file. To verify the template data hash value, convert the buffer policy data to binary: grep "ima_policy_written" \ /sys/kernel/security/integrity/ima/ascii_runtime_measurements | \ tail -1 | cut -d' ' -f 6 | xxd -r -p | sha256sum Suggested-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Enrico Bravi <enrico.bravi@polito.it> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
4 daysima: add critical data measurement for loaded policyEnrico Bravi
IMA policy can be written multiple times in the securityfs policy file at runtime if CONFIG_IMA_WRITE_POLICY=y. When IMA_APPRAISE_POLICY is required, the policy needs to be signed to be loaded, writing the absolute path of the file containing the new policy: echo /path/of/custom_ima_policy > /sys/kernel/security/ima/policy When this is not required, policy can be written directly, rule by rule: echo -e "measure func=BPRM_CHECK mask=MAY_EXEC\n" \ "audit func=BPRM_CHECK mask=MAY_EXEC\n" \ > /sys/kernel/security/ima/policy In this case, a new policy can be loaded without being measured or appraised. Add a new critical data record to measure the textual policy representation when it becomes effective. Include in the architecture-specific policy the new critical data record only when it is not mandatory to load a signed policy. Additionally, enable the policy serialization code even when CONFIG_IMA_READ_POLICY=n. To verify the template data hash value, convert the buffer policy data to binary: grep "ima_policy_loaded" \ /sys/kernel/security/integrity/ima/ascii_runtime_measurements | \ tail -1 | cut -d' ' -f 6 | xxd -r -p | sha256sum Signed-off-by: Enrico Bravi <enrico.bravi@polito.it> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
4 daysriscv: kvm: Skip TLB flush when G-stage PTE becomes valid with SvvptcDylan.Wu
The gstage_tlb_flush() in the kvm_riscv_gstage_set_pte() is not needed when an invalid G-stage PTE becomes valid and Svvptc extension is available because new valid PTEs become visible to the page-table walker within a bounded time. Assisted-by: YuanSheng: deepseek-v4-pro Co-developed-by: Quan Zhou <zhouquan@iscas.ac.cn> Signed-off-by: Quan Zhou <zhouquan@iscas.ac.cn> Signed-off-by: Dylan.Wu <fredwudi0305@gmail.com> Reviewed-by: Anup Patel <anup@brainfault.org> Link: https://lore.kernel.org/r/20260701075239.95542-1-fredwudi0305@gmail.com Signed-off-by: Anup Patel <anup@brainfault.org>
4 daysKVM: riscv: PMU: Bound counter mask scan to BITS_PER_LONGShengwen Cheng
The PMU SBI handler passes the guest argument registers directly to the PMU start/stop helpers: kvm_riscv_vcpu_pmu_ctr_start(vcpu, cp->a0, cp->a1, cp->a2, ...) kvm_riscv_vcpu_pmu_ctr_stop(vcpu, cp->a0, cp->a1, cp->a2, ...) which map to: unsigned long ctr_base unsigned long ctr_mask unsigned long flags Thus cp->a1 is a single unsigned long ctr_mask, not a bitmap array sized for RISCV_MAX_COUNTERS. On RV32, RISCV_MAX_COUNTERS is 64 while BITS_PER_LONG is 32. Using for_each_set_bit() with RISCV_MAX_COUNTERS can therefore make find_next_bit() access bits beyond the storage of ctr_mask on RV32. Limit the scan to BITS_PER_LONG. The requested counter range is already validated by kvm_pmu_validate_counter_mask(), so this preserves RV64 behavior and avoids an out-of-bounds bitmap read on RV32. Fixes: 0cb74b65d2e5 ("RISC-V: KVM: Implement perf support without sampling") Signed-off-by: Shengwen Cheng <shengwen1997.tw@gmail.com> Reviewed-by: Anup Patel <anup@brainfault.org> Link: https://lore.kernel.org/r/20260626054051.3360865-1-shengwen1997.tw@gmail.com Signed-off-by: Anup Patel <anup@brainfault.org>
4 daysPull isofs compressed block offset fix.Jan Kara
4 daysASoC: fsl_sai: Fix spurious BCLK on resume by clearing BYPChancel Liu
When the BCLK divider ratio is 1:1, fsl_sai_set_bclk() enables bypass mode by setting BYP, but never clears the bit. The BYP=1 value remains in the regcache, and is restored by regcache_sync() on the next runtime resume. Since BYP=1 combined with BCD=1 immediately outputs the ungated MCLK as BCLK without waiting for BCE/TE/RE to be enabled, the clock is driven prematurely before the stream is fully configured, causing noise on some codecs. Fix this by clearing BYP and BCI in fsl_sai_hw_free() taking into account sync mode and the opposite stream's state, so that the regcache holds BYP=0 before runtime suspend and regcache_sync() on resume will not restore bypass mode prematurely. Fixes: a50b7926d015 ("ASoC: fsl_sai: implement 1:1 bclk:mclk ratio support") Cc: stable@vger.kernel.org Signed-off-by: Chancel Liu <chancel.liu@nxp.com> Reviewed-by: Shengjiu Wang <shengjiu.wang@gmail.com> Link: https://patch.msgid.link/20260710070835.3749817-1-chancel.liu@oss.nxp.com Signed-off-by: Mark Brown <broonie@kernel.org>
4 daysisofs: fix out-of-bounds page array access on empty zisofs blockXiang Mei
zisofs_uncompress_block()'s empty-block fast path returns pcount << PAGE_SHIFT, ignoring the incoming poffset, unlike the decompression path which returns bytes produced relative to poffset. zisofs_fill_pages() uses that return to advance its page cursor, so when the zisofs block size is below PAGE_SIZE and a sub-page block leaves poffset partway into a page, a following empty block over-counts and advances pages[] one element past its end, after which "if (poffset && *pages)" reads pages[1] out of bounds. rock.c only rejects a block-size shift > 17, so a crafted "ZF" Rock Ridge record can set it below PAGE_SHIFT; the bug is reached by an ordinary read() of a compressed file on such a mounted ISO9660 image. Return the byte count relative to poffset and zero only [poffset, PAGE_SIZE) of the first page, matching the decompression path. The page-aligned case (poffset == 0) is unaffected. BUG: KASAN: slab-out-of-bounds in zisofs_read_folio (fs/isofs/compress.c:290) Read of size 8 at addr ffff88800f5eac48 by task exploit/142 zisofs_read_folio (fs/isofs/compress.c:290) read_pages (mm/readahead.c:184) ... filemap_read (mm/filemap.c:2814) vfs_read (fs/read_write.c:574) __x64_sys_pread64 (fs/read_write.c:769) do_syscall_64 (arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121) The buggy address is located 0 bytes to the right of the allocated 8-byte region in the kmalloc-8 cache Fixes: 59bc055211b8 ("zisofs: Implement reading of compressed files when PAGE_CACHE_SIZE > compress block size") Reported-by: Weiming Shi <bestswngs@gmail.com> Assisted-by: Claude:claude-opus-4-8 Signed-off-by: Xiang Mei <xmei5@asu.edu> Link: https://patch.msgid.link/20260712234150.3213467-1-xmei5@asu.edu Signed-off-by: Jan Kara <jack@suse.cz>
4 daysASoC: apple: mca: support simultaneous I2S capture on the frontendMark Brown
James Calligeros <jcalligeros99@gmail.com> says: This series introduces a number of changes to the ASoC driver for the Apple MCA peripheral to enable support for bidirectional I2S. This is achieved by allowing frontends to act as clock consumers and logically ORing data input lines when multiple backends are linked to a frontend. This allows the Texas Instruments speaker amps used on Apple Silicon Macs (Apple-specific revisions of TAS2764 and TAS2770) to send their IVSENSE data back to the SoC. Since these amps do not have any sort of integrated speaker protection logic, we must use the IVSENSE data and the Thiele/Small Parameters of the attached speaker(s) to implement our own in software. Link: https://patch.msgid.link/20260711-apple-audio-redux-v4-0-2994d87c2f24@gmail.com
4 daysASoC: apple: mca: Add delay after configuring clockHector Martin
Right after the early FE setup, ADMAC gets told to start the DMA. This can end up in a weird "slip" state with the channels transposed. Waiting a bit fixes this; presumably this allows the clock to stabilize. Signed-off-by: Hector Martin <marcan@marcan.st> Signed-off-by: James Calligeros <jcalligeros99@gmail.com> Link: https://patch.msgid.link/20260711-apple-audio-redux-v4-7-2994d87c2f24@gmail.com Signed-off-by: Mark Brown <broonie@kernel.org>
4 daysASoC: apple: mca: Do not mark clocks in use for non-providersHector Martin
On the speakers PCM, this sequence: 1. Open playback 2. Open sense 3. Close playback 4. Close sense would result in the sense FE being marked as clocks in use at (2), since there is a clock provider (playback FE). Then at (4) this would WARN since there is no driver any more when closing the in use clocks. If (1) and (2) are reversed this does not happen, since the sense PCM is not marked as using the clocks when there is no provider yet. So, check explicitly whether the substream FE is a clock provider in be_prepare, and skip everything if it isn't. Signed-off-by: Hector Martin <marcan@marcan.st> Signed-off-by: James Calligeros <jcalligeros99@gmail.com> Link: https://patch.msgid.link/20260711-apple-audio-redux-v4-6-2994d87c2f24@gmail.com Signed-off-by: Mark Brown <broonie@kernel.org>
4 daysASoC: apple: mca: Support capture on multiples BEsMartin Povišer
When multiple BEs are linked to a FE, the former behavior was to source the data line from the DIN pin of the first BE only. Change this to ORing the DIN inputs of all linked BEs. As long as the unused slots on each BE's line are zeroed out and the slots on the BEs don't overlap, this will work out well. Signed-off-by: Martin Povišer <povik+lin@cutebit.org> Signed-off-by: James Calligeros <jcalligeros99@gmail.com> Link: https://patch.msgid.link/20260711-apple-audio-redux-v4-5-2994d87c2f24@gmail.com Signed-off-by: Mark Brown <broonie@kernel.org>
4 daysASoC: apple: mca: Support FEs being clock consumersMartin Povišer
Support FEs being I2S clock consumers. This does not mean we support accepting clocks from outside the SoC (although it paves the way for that support in the future), but it means multiple FEs can attach to one BE, one being clock producer and the rest clock consumers. This is useful for grabbing I/V sense data on some machines, since in such a scenario the format of the sense data on the I2S bus differs from that of the audio data (the two formats differing in slot width). With two FEs attached to the bus, we can split the responsibilities and command different slot widths to the two. Signed-off-by: Martin Povišer <povik+lin@cutebit.org> Signed-off-by: James Calligeros <jcalligeros99@gmail.com> Link: https://patch.msgid.link/20260711-apple-audio-redux-v4-4-2994d87c2f24@gmail.com Signed-off-by: Mark Brown <broonie@kernel.org>
4 daysASoC: apple: mca: Factor out mca_be_get_feMartin Povišer
This is a function that we also want to use from within mca_be_shutdown, so factor it out. Signed-off-by: Martin Povišer <povik+lin@cutebit.org> Signed-off-by: James Calligeros <jcalligeros99@gmail.com> Link: https://patch.msgid.link/20260711-apple-audio-redux-v4-3-2994d87c2f24@gmail.com Signed-off-by: Mark Brown <broonie@kernel.org>
4 daysASoC: apple: mca: Separate data & clock port setupMartin Povišer
Up until now FEs were always the clock providers -- feeding the clocks on any ports (BEs) they are attached to. This will soon change and FEs will be allowed to be clock consumers. Once that happens, the routing of clocks and data will to some degree decouple. In advance of the change, make preparations: * Narrow down semantics of what was formerly the 'port_driver' field to refer to clocks only. * On 'startup' of BEs, separate the clock and data aspects of the port setup. Signed-off-by: Martin Povišer <povik+lin@cutebit.org> Signed-off-by: James Calligeros <jcalligeros99@gmail.com> Link: https://patch.msgid.link/20260711-apple-audio-redux-v4-2-2994d87c2f24@gmail.com Signed-off-by: Mark Brown <broonie@kernel.org>
4 daysASoC: apple: mca: increase SERDES reset delayJames Calligeros
The SERDES clusters in this peripheral take a long time to warm up. We tried polling the reset bit until cleared, however this is not a reliable signal of readiness to be configured. Only waiting ~25 us to give the cluster a chance to settle makes it work reliably. Increase the 2 us delay to 25 us and hope we never have to do this again. Fixes: d8b3e396088d ("ASoC: apple: mca: Fix SERDES reset sequence") Signed-off-by: James Calligeros <jcalligeros99@gmail.com> Link: https://patch.msgid.link/20260711-apple-audio-redux-v4-1-2994d87c2f24@gmail.com Signed-off-by: Mark Brown <broonie@kernel.org>
4 daysscripts: kconfig: merge_config.sh: keep temp file in the output dirGustavo Luiz Duarte
merge_config.sh currently creates a temporary file in the current directory. Create it under $OUTPUT instead, which allows running the script against a read-only source tree. The default behavior is unchanged: $OUTPUT is "." so the file stays in the cwd. Reviewed-by: Breno Leitao <leitao@debian.org> Signed-off-by: Gustavo Luiz Duarte <gustavold@gmail.com> Reviewed-by: Nicolas Schier <n.schier@fritz.com> Tested-by: Nicolas Schier <n.schier@fritz.com> Link: https://patch.msgid.link/20260710-merge_config_output-v2-1-8be3de601612@gmail.com Signed-off-by: Nicolas Schier <nsc@kernel.org>
4 daysclk: r9a08g045: Add clocks and resets for CAN-FDClaudiu Beznea
Renesas RZ/G3S SoC has a CAN-FD IP. Add clocks and resets for it. Reviewed-by: Biju Das <biju.das.jz@bp.renesas.com> Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be> Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com> Link: https://patch.msgid.link/20260709182332.876408-2-claudiu.beznea+renesas@tuxon.dev Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
4 daysRDMA/hfi1: Align probe error unwinding with device removalLeon Romanovsky
init_one() defers handling errors from hfi1_init() and hfi1_register_ib_device() to a combined block. This allows IB registration to run after device initialization has failed. Cleanup then depends on two unrelated error values. The late probe failure path also differs from the common teardown in remove_one(), even though both release the same initialized hardware and driver resources. Maintaining separate sequences obscures ownership and allows the paths to drift whenever initialization changes. Unwind at each failing stage and keep late probe teardown ordered like remove_one(), so partial initialization releases exactly the resources it owns and normal removal remains the reference cleanup flow. Link: https://patch.msgid.link/20260708-clean-init-one-hfi1-v1-13-b9e9641268a5@nvidia.com Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
4 daysRDMA/hfi1: Initialize debugfs after probe completesLeon Romanovsky
Commit ed6f653fe430 ("staging/rdma/hfi1: Fix debugfs access race") moved debugfs creation after device initialization and IB registration so users cannot access the files before the driver is ready. However, init_one() still creates them before character device creation and SDMA startup finish. Move hfi1_dbg_ibdev_init() to the end of the successful probe path, matching hfi1_dbg_ibdev_exit() as the first action in remove_one(). Fixes: ed6f653fe430 ("staging/rdma/hfi1: Fix debugfs access race") Link: https://patch.msgid.link/20260708-clean-init-one-hfi1-v1-12-b9e9641268a5@nvidia.com Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
4 daysRDMA/hfi1: Defer device creation until probe succeedsLeon Romanovsky
init_one() creates the character device before checking whether generic or IB initialization failed, only to remove it immediately while unwinding. Moreover, user_add() already calls user_remove() when device creation fails. Move hfi1_device_create() after the initialization failure path, immediately before starting SDMA. The failure path then has no character device to remove, and hfi1_device_create() continues to unwind its own failures. Link: https://patch.msgid.link/20260708-clean-init-one-hfi1-v1-11-b9e9641268a5@nvidia.com Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
4 daysRDMA/hfi1: Stop flushing the global IB workqueueLeon Romanovsky
hfi1 does not queue work on ib_wq. QSFP and link work run on the per-port link_wq, while the remaining device work uses hfi1_wq or dedicated queues. The probe failure path destroys both per-port workqueues, and normal device removal flushes them in shutdown_device() before destroying them. Remove the flushes of the core-owned global workqueue. Waiting for unrelated core or other device work is not part of hfi1 teardown. Fixes: 71d47008ca1b ("IB/hfi1: Create workqueue for link events") Link: https://patch.msgid.link/20260708-clean-init-one-hfi1-v1-10-b9e9641268a5@nvidia.com Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
4 daysRDMA/hfi1: Remove redundant NULL checks in create_workqueues()Leon Romanovsky
create_workqueues() is called only from init_one(), immediately after hfi1_alloc_devdata() returns a zero-initialized hfi1_devdata. As a result, the per-port hfi1_wq and link_wq pointers are always NULL on entry, and nothing modifies them between allocation and this call. Link: https://patch.msgid.link/20260708-clean-init-one-hfi1-v1-9-b9e9641268a5@nvidia.com Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
4 daysRDMA/hfi1: Allocate device data after PCI initializationLeon Romanovsky
After the preceding changes, module parameter validation and common PCI setup no longer need hfi1_devdata. init_one() nevertheless allocates it first, so failures in those early steps return without releasing it. Move the allocation after hfi1_pcie_init() and return directly when no resources are held. Use dev_err() and pci_info() for diagnostics emitted before allocation so they retain the adapter BDF. Once PCI setup succeeds, unwind allocation failures through hfi1_pcie_cleanup() to disable the device and release its regions. Some PCI error delivery paths are not serialized against probe. Keep their diagnostics based on pci_dev and skip resume while driver data is absent, preventing recovery from dereferencing a missing hfi1_devdata. Fixes: 57f97e96625f ("IB/hfi1: Get the hfi1_devdata structure as early as possible") Reported-by: Dawei Feng <dawei.feng@seu.edu.cn> Closes: https://lore.kernel.org/all/20260627060159.2543686-1-dawei.feng@seu.edu.cn/ Link: https://patch.msgid.link/20260708-clean-init-one-hfi1-v1-8-b9e9641268a5@nvidia.com Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
4 daysRDMA/hfi1: Free RX data on late probe failureLeon Romanovsky
hfi1_init_dd() allocates the shared AIP/VNIC RX support before returning. If hfi1_init() or hfi1_register_ib_device() later fails, init_one() tears down the device data without calling hfi1_free_rx(). This leaks netdev_rx and its dummy netdev. Free the RX support after IB unregistration and before postinit_cleanup(), as done on normal device removal. Fixes: 4730f4a6c6b2 ("IB/hfi1: Activate the dummy netdev") Link: https://patch.msgid.link/20260708-clean-init-one-hfi1-v1-7-b9e9641268a5@nvidia.com Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
4 daysRDMA/hfi1: Create workqueues before device initializationLeon Romanovsky
create_workqueues() only needs fields set up by hfi1_alloc_devdata(). Call it before hfi1_init_dd() so a workqueue allocation failure happens before chip resources are initialized. To keep the reordered error paths safe, make init_one() own hfi1_devdata. hfi1_init_dd() unwinds its partial setup but leaves the allocation for the caller to free. If device initialization fails, destroy the workqueues before freeing the device data. Link: https://patch.msgid.link/20260708-clean-init-one-hfi1-v1-6-b9e9641268a5@nvidia.com Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
4 daysRDMA/hfi1: Drop device data from hfi1_validate_rcvhdrcnt()Leon Romanovsky
hfi1_validate_rcvhdrcnt() only needs hfi1_devdata to identify the adapter in error messages. Requiring the full device data prevents module parameter validation from running before hfi1_devdata is allocated. Pass pci_dev instead and use dev_err(), allowing validation to move earlier without losing the PCI BDF needed on multi-device systems. Use %u for the unsigned count while changing the messages. Link: https://patch.msgid.link/20260708-clean-init-one-hfi1-v1-5-b9e9641268a5@nvidia.com Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
4 daysRDMA/hfi1: Pass PCI device to hfi1_pcie_init()Leon Romanovsky
hfi1_pcie_init() only needs hfi1_devdata to reach the PCI device. This unnecessary dependency prevents common PCI setup from running before hfi1_devdata is allocated. Pass pci_dev directly and report failures with dev_err(), preserving the device BDF needed to identify the failing adapter on multi-device systems. Use %pe while changing the messages so errno values are decoded. Link: https://patch.msgid.link/20260708-clean-init-one-hfi1-v1-4-b9e9641268a5@nvidia.com Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
4 daysRDMA/hfi1: Remove redundant PCI device ID validationLeon Romanovsky
The PCI core calls init_one() only after pci_match_device() has selected an ID. For normal probing, hfi1_pci_tbl already restricts matches to the two supported Intel device IDs. Dynamic IDs and driver_override are explicit requests to attempt binding, so the probe should not second-guess the PCI core's decision. Remove the redundant check. Link: https://patch.msgid.link/20260708-clean-init-one-hfi1-v1-3-b9e9641268a5@nvidia.com Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
4 daysRDMA/hfi1: Preserve unit 0 on allocation failureLeon Romanovsky
hfi1_free_devdata() assumes that the device was inserted into the unit table and unconditionally erases dd->unit. If xa_alloc_irq() fails, the zero-initialized unit remains zero, so full cleanup can remove an unrelated device from index 0. Release only the rdmavt allocation and return immediately while the unit table has not acquired the device. Fixes: 03b92789e5cf ("hfi1: Convert hfi1_unit_table to XArray") Link: https://patch.msgid.link/20260708-clean-init-one-hfi1-v1-2-b9e9641268a5@nvidia.com Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
4 daysRDMA/rvt: Return NULL after port allocation failureLeon Romanovsky
rvt_alloc_device() deallocates the IB device when its port array cannot be allocated but then returns the pointer to the released allocation. Callers treat any non-NULL value as valid and dereference it, resulting in a use-after-free. Return NULL immediately after deallocation so callers can propagate the allocation failure. Fixes: ff6acd69518e ("IB/rdmavt: Add device structure allocation") Link: https://patch.msgid.link/20260708-clean-init-one-hfi1-v1-1-b9e9641268a5@nvidia.com Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
4 daysdt-bindings: mmc: rockchip-dw-mshc: Add RV1106 compatibleSimon Glass
Add the compatible for the MMC controllers of the Rockchip RV1106, which are compatible with the RK3288 variant. Unlike the newer controller in the RV1103B, which uses the RK3576 fallback, the RV1106 controller is the older IP whose drive and sample phases are set through clocks provided by the GRF, so the RK3288 fallback is the correct one here. Signed-off-by: Simon Glass <sjg@chromium.org> Signed-off-by: Ulf Hansson <ulfh@kernel.org>
4 daysmmc: rtsx_usb_sdmmc: suppress false CD after init timeoutSean Rhodes
Some Realtek USB SD readers with a tray keep raw SD_CD asserted when an empty tray is inserted. The MMC core then repeatedly tries to initialize non-existent media, sees command timeouts, calls ->get_cd() again, and starts the same detect cycle over. Do not qualify media by open-coding MMC commands in ->get_cd(). Instead, let the normal MMC rescan path probe the card. If an initialization command times out before a card has been attached, suppress the raw SD_CD signal so the host can settle and the USB parent can autosuspend. Clear the suppression only when raw SD_CD drops. On the affected tray reader, changing media requires removing and reinserting the tray, so a low CD transition is the signal that a new insertion attempt can be trusted again. Signed-off-by: Sean Rhodes <sean@starlabs.systems> Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Ulf Hansson <ulfh@kernel.org>
4 daysmisc: rtsx_usb: avoid USB I/O in runtime autosuspendSean Rhodes
The runtime autosuspend callback currently queries card status and clears OCP by issuing USB register accesses. This can run from the USB runtime-PM path itself, which is the wrong place to start more device I/O. Keep a cached copy of the card-status bits from normal status reads instead. During runtime autosuspend, use that cached value only to preserve the existing Memory Stick autosuspend deferral. Do not treat raw SD_CD as an autosuspend blocker, because tray-based SD readers can assert SD_CD with an empty tray. A real SD card is protected by the SD/MMC child runtime-PM usage once powered. Also stop clearing OCP from the runtime autosuspend callback, so the callback does not issue USB commands. Fixes: bb400d2120bd ("mfd: rtsx_usb: Defer autosuspend while card exists") Signed-off-by: Sean Rhodes <sean@starlabs.systems> Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Ulf Hansson <ulfh@kernel.org>
4 daysrust: pin-init: make `[pin_]chain` unwind safeMirko Adzic
Add a drop guard before the call to the chained closure so that the value initialized by the first stage is dropped if the closure errors or panics; `mem::forget` the guard on success. The previous code only ran cleanup on the explicit error path, leaking the first-stage value if the chained closure panicked. Reported-by: Gary Guo <gary@garyguo.net> Closes: https://github.com/Rust-for-Linux/pin-init/issues/136 Suggested-by: Gary Guo <gary@garyguo.net> Signed-off-by: Mirko Adzic <adzicmirko97@gmail.com> Link: https://patch.msgid.link/20260710-pin-init-sync-v1-7-8fa16cde87ae@garyguo.net [ Fix Clippy missing safety comment false positive when `slot` and `guard` creation are merged in a single line. - Gary ] Signed-off-by: Gary Guo <gary@garyguo.net>
4 daysrust: pin-init: make `[pin_]init_array_from_fn` unwind safeMirko Adzic
The previous code only ran cleanup on the explicit error path. If the per- element initializer panicked partway through, the elements already written into the array would be leaked: their `Drop` impls would never run. This violates the pinning requirement. Fix the unwind safety issue by adding a guard type that drops element on both error and panic path. To avoid having to duplicate code between `pin_init_array_from_fn` and the non-pin variant, extract the code to a shared `ArrayInit` type; this type is internal and not visible via API. Reported-by: Gary Guo <gary@garyguo.net> Closes: https://github.com/Rust-for-Linux/pin-init/issues/136 Signed-off-by: Mirko Adzic <adzicmirko97@gmail.com> Link: https://patch.msgid.link/20260710-pin-init-sync-v1-6-8fa16cde87ae@garyguo.net [ Split guard type and the initializer type, move the guard type to be within __pinned_init. - Gary ] Co-developed-by: Gary Guo <gary@garyguo.net> Signed-off-by: Gary Guo <gary@garyguo.net>
4 daysrust: pin-init: internal: generate brace in macro for init code blocksGary Guo
`init!` support interleaving code execution and initialization, and code execution is done using `_: { ... }` syntax. If the code inside block is a single statement, Rust may add a lint about unused braces, but the suggestion will be incorrect as block is required by pin-init. Currently we use `unused_brace` to suppress this, but this affect everything nested inside as well. Use an alternative approach by generating the block from the macro, then rustc will know to not emit the lint. Reviewed-by: Benno Lossin <lossin@kernel.org> Link: https://patch.msgid.link/20260710-pin-init-sync-v1-5-8fa16cde87ae@garyguo.net Signed-off-by: Gary Guo <gary@garyguo.net>
4 daysrust: pin-init: internal: remove `allow` and `expect`s that don't fireGary Guo
Most warnings are suppressed from external macro expansions by default. Thus remove `allow` and `expect`s for them. Note that `unfulfilled_lint_expectations` is one of them too. This means that all of our `expect`s inside macros do nothing, and actually mislead people to the lints would be actually emitted without them. Reviewed-by: Benno Lossin <lossin@kernel.org> Link: https://patch.msgid.link/20260710-pin-init-sync-v1-4-8fa16cde87ae@garyguo.net Signed-off-by: Gary Guo <gary@garyguo.net>