summaryrefslogtreecommitdiff
path: root/drivers/crypto
AgeCommit message (Collapse)Author
20 hoursMerge branch 'next' of ↵Mark Brown
https://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine.git
20 hoursMerge branch 'master' of ↵Mark Brown
https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git
21 hoursMerge branch 'vfs.all' of ↵Mark Brown
https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
2 dayscrypto: keembay - Fix AEAD unregister count in error pathMyeonghun Pak
register_aes_algs() registers the AEAD algorithms before registering the skcipher algorithms. If skcipher registration fails, the function unwinds the earlier AEAD registration with crypto_engine_unregister_aeads(), but it passes ARRAY_SIZE(algs), which is the skcipher table size. Use ARRAY_SIZE(algs_aead) for the AEAD unwind path so the unregister helper iterates over the same table that was registered. Also clarify the nearby comment: the crypto registration helpers clean up algorithms registered within the same call, while this function must still unwind earlier successful registration steps. Fixes: 885743324513 ("crypto: keembay - Add support for Keem Bay OCS AES/SM4") Co-developed-by: Ijae Kim <ae878000@gmail.com> Signed-off-by: Ijae Kim <ae878000@gmail.com> Signed-off-by: Myeonghun Pak <mhun512@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 dayscrypto: rk3288 - fail ahash requests on HASH idle timeoutPengpeng Hou
rk_hash_run() waits for RK_CRYPTO_HASH_STS to become idle after the final DMA transfer, but ignores the poll result. If the hash engine never becomes idle, the driver still reads the digest registers and finalizes the request with the previous success value. Store the poll result and finalize the request with the timeout error before reading the digest registers. Fixes: 37bc22159c45 ("crypto: rockchip - use read_poll_timeout") Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 dayscrypto: qce - Remove unsafe/deprecated algorithmsBartosz Golaszewski
Remove algorithms that are either unsafe or deprecated and have no in-kernel users that cannot be served by the ARM CE implementations. AES-ECB reveals plaintext patterns (identical plaintext blocks produce identical ciphertext blocks) and should not be exposed as a hardware- accelerated primitive. DES, Triple DES and HMAC-SHA1 have been deprecated for years. Remove sha1, ecb(aes), ecb(des), cbc(des), ecb(des3_ede), cbc(des3_ede), hmac(sha1) and all AEAD variants built on these primitives as well as authenc(hmac(sha256),cbc(des)). Also clean up the - now dead - code, flags and constants. Cc: stable@vger.kernel.org Acked-by: Eric Biggers <ebiggers@kernel.org> Tested-by: Kuldeep Singh <kuldeep.singh@oss.qualcomm.com> Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 dayscrypto: mxs-dcp - fix source scatterlist length accessThorsten Blum
mxs_dcp_aes_block_crypt() uses sg_dma_len() without mapping the source scatterlist with dma_map_sg() first. Therefore, sg_dma_len() is invalid and could return zero or a stale DMA length, causing encryption and decryption to process the wrong number of bytes when CONFIG_NEED_SG_DMA_LENGTH=y. Use the original scatterlist length instead. Fixes: 15b59e7c3733 ("crypto: mxs - Add Freescale MXS DCP driver") Cc: stable@vger.kernel.org Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Reviewed-by: Frank Li <Frank.Li@nxp.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 dayscrypto: sa2ul - stop probe if context pool creation failsPengpeng Hou
sa_ul_probe() calls sa_init_mem() to create the DMA pool used for security context buffers, but ignores its return value. If pool creation fails, probe still continues with DMA setup, algorithm registration and child population even though later request setup depends on that pool. Stop probing when sa_init_mem() fails, and route that failure to the PM cleanup path without attempting to destroy an uncreated DMA pool. Fixes: 7694b6ca649f ("crypto: sa2ul - Add crypto driver") Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 dayscrypto: caam - Remove crypto_rng interfaceEric Biggers
Since the crypto_rng interface for hardware PRNGs is unused and is redundant with hwrng and the actual Linux RNG, it's being phased out. Most drivers for it were already removed. Go ahead and remove the CAAM support which is one of the only remaining ones. Note that the CAAM support for hwrng remains in place. That is the interface that actually matters. Note that this code also had several issues, including dlen > 65535 causing corruption of the CAAM descriptor. Cc: Gaurav Jain <gaurav.jain@nxp.com> Cc: Horia Geantă <horia.geanta@nxp.com> Cc: Pankaj Gupta <pankaj.gupta@nxp.com> Signed-off-by: Eric Biggers <ebiggers@kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 dayscrypto: sun8i-ss - Remove crypto_rng interfaceEric Biggers
Since the crypto_rng interface for hardware PRNGs is unused and is redundant with hwrng and the actual Linux RNG, it's being phased out. Most drivers for it were already removed. Go ahead and remove the sun8i-ss support which is one of the only remaining ones. As usual for crypto_rng, this driver was also buggy: its ->generate() function had a use-after-free vulnerability due to using wait_for_completion_interruptible_timeout() without handling shutting down the DMA operation if a signal is sent. Also, it had a buffer overread bug in the line 'memcpy(ctx->seed, d + dlen, ctx->slen);'. There's no point in fixing these bugs separately only to remove the code anyway, so this commit is marked with Fixes and Cc stable. Fixes: ac2614d721de ("crypto: sun8i-ss - Add support for the PRNG") Cc: stable@vger.kernel.org Cc: Corentin Labbe <clabbe.montjoie@gmail.com> Signed-off-by: Eric Biggers <ebiggers@kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 dayscrypto: sun8i-ce - Remove crypto_rng interfaceEric Biggers
Since the crypto_rng interface for hardware PRNGs is unused and is redundant with hwrng and the actual Linux RNG, it's being phased out. Most drivers for it were already removed. Go ahead and remove the sun8i-ce support which is one of the only remaining ones. Note that the sun8i-ce support for hwrng remains in place. That is the interface that actually matters. As usual for crypto_rng, this driver was also buggy: its ->generate() function had a use-after-free vulnerability due to using wait_for_completion_interruptible_timeout() without handling shutting down the DMA operation if a signal is sent. There's no point in fixing this separately only to remove the code anyway, so this commit is marked with Fixes and Cc stable. Fixes: 5eb7e9468884 ("crypto: sun8i-ce - Add support for the PRNG") Cc: stable@vger.kernel.org Cc: Corentin Labbe <clabbe.montjoie@gmail.com> Signed-off-by: Eric Biggers <ebiggers@kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 dayscrypto: ccp - Introduce SNP_VERIFY_MITIGATION commandPratik R. Sampat
The SEV-SNP firmware provides the SNP_VERIFY_MITIGATION command, which can be used to query the status of currently supported vulnerability mitigations and to initiate mitigations within the firmware. This command is an explicit mechanism to ascertain if a firmware mitigation is applied without needing a full RMP re-build, which is most useful in a live firmware update scenario. The firmware supports two subcommands: STATUS and VERIFY. The STATUS subcommand is used to query the supported and verified mitigation bits. The VERIFY subcommand initiates the mitigation process within the FW for the specified vulnerability. Expose a userspace interface under: /sys/firmware/sev/vulnerabilities/ - supported_mitigations (read-only): supported mitigation vector mask - verified_mitigations (read/write): current verified mask; write a vector to request VERIFY for that bit The behavior of SNP_VERIFY_MITIGATION and the pre-requisites for using it are bug-specific. Information about supported mitigations and its corresponding vector is to be published as part of the AMD Security Bulletin. See SEV-SNP Firmware ABI specifications 1.58, SNP_VERIFY_MITIGATION for more details. Reviewed-by: Tycho Andersen (AMD) <tycho@kernel.org> Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Pratik R. Sampat <prsampat@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 dayscrypto: qce - drop unused scatterlist traversal in qce_ahash_updateThorsten Blum
Commit df12ef60c87b ("crypto: qce/sha - Do not modify scatterlist passed along with request") removed the only use of sg_last, rendering the scatterlist traversal useless. Remove it and its local variables. Also remove the redundant hash_later check, inline the source offset, and assign the number of complete blocks directly to req->nbytes. Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 dayscrypto: crypto4xx - move ioremapping upRosen Penev
There's no need for devm_platform_ioremap_resource() to be so far down. In fact, putting it up allows direct return instead of having to goto some branch. Also, remove the error message as the function complains loudly itself. No need to duplicate. Signed-off-by: Rosen Penev <rosenp@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 dayscrypto: atmel-sha204a - fix heap info leak on I2C transfer failureLothar Rubusch
The nonblocking RNG path allocates a work_data structure to track the state of an in-flight asynchronous I2C request. This pointer is stored in rng->priv and later consumed by the read path once the transaction completes. If the underlying I2C transfer fails, the completion callback is invoked with a non-zero status. In this case, the allocated work_data is not usable for producing RNG output and must not remain associated with the hwrng state. Previously, the failure path only logged a warning but left the pointer state uncleared, which can result in subsequent read attempts observing stale state and interpreting it as valid completion data. Fix this by freeing the pending work_data. The I2C transaction reports an error. This ensures that failed requests do not leave residual state behind that could be interpreted as valid RNG data on later reads. Clearing rng->priv is done at the subsequent call to nonblocking read. Fixes: da001fb651b0 ("crypto: atmel-i2c - add support for SHA204A random number generator") Signed-off-by: Lothar Rubusch <l.rubusch@gmail.com> Assisted-by: Gemini:1.5 Pro [google] Reviewed-by: Thorsten Blum <thorsten.blum@linux.dev> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 dayscrypto: atmel-ecc - reject hardware ECDH without a public keyThorsten Blum
The hardware ECDH path in atmel_ecdh_compute_shared_secret() uses the private key stored in the device. However, the public key is cached only after atmel_ecdh_set_secret() successfully generated that private key for the current tfm. atmel_ecdh_generate_public_key() already rejects requests when no public key is cached. Add the same check to atmel_ecdh_compute_shared_secret() to prevent the device from using a private key that was not generated for the current tfm. Fixes: 11105693fa05 ("crypto: atmel-ecc - introduce Microchip / Atmel ECC driver") Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 dayscrypto: atmel-ecc - drop unused curve id from atmel_ecdh_ctxThorsten Blum
->curve_id is only set once, but never used - remove it. Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 dayscrypto: atmel-tdes - use scatterlist length before DMA mappingThorsten Blum
Using sg_dma_len() is only valid after mapping the scatterlist with dma_map_sg(). However, atmel_tdes_crypt_start() uses it before mapping to compare input/output lengths and to compute the transfer count. Use the original scatterlist lengths before DMA mapping to avoid reading stale or uninitialized DMA lengths when CONFIG_NEED_SG_DMA_LENGTH=y. Drop the output scatterlist length in the fast path since it is equal to ->in_sg->length and does not change the transfer count. Fixes: 13802005d8f2 ("crypto: atmel - add Atmel DES/TDES driver") Fixes: 1f858040c2f7 ("crypto: atmel-tdes - add support for latest release of the IP (0x700)") Cc: stable@vger.kernel.org Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 dayscrypto: atmel-ecc - clean up and improve ECDH commentsThorsten Blum
Improve the kerneldoc for struct atmel_ecdh_ctx by removing the stale "unsupported curves" wording, since the device only supports a single curve (P-256), and move the set_secret() constraint to the description. In atmel_ecdh_set_secret(), clarify that the device generates the private key, and drop the redundant "only supports NIST P256" comment. In atmel_ecdh_done() and atmel_ecdh_generate_public_key(), clarify the truncation comments. Also note that a P-256 public key consists of two 32-byte coordinates in atmel_ecdh_compute_shared_secret(), and remove the unnecessary fall-through comment and other redundant comments. Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 dayscrypto: atmel-i2c - improve comment in atmel_i2c_init_ecdh_cmdThorsten Blum
Clarify that a P-256 public key is encoded as two 32-byte coordinates. Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 dayshwrng: qcom - Move qcom-rng.c into drivers/char/hw_random/Eric Biggers
Since this file just implements a hwrng driver, move it into drivers/char/hw_random/. Rename the kconfig option accordingly as well. Signed-off-by: Eric Biggers <ebiggers@kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 dayscrypto: qcom-rng - Remove crypto_rng interfaceEric Biggers
qcom-rng.c exposes the same hardware through two completely separate interfaces, crypto_rng and hwrng. However, the implementation of this is buggy because it permits generation operations from these interfaces to run concurrently with each other, accessing the same registers. That is, qcom_rng_generate() synchronizes with itself but not with qcom_hwrng_read(). This results in potential repetition of output from the RNG, output of non-random values, etc. Fortunately, there's actually no point in hardware RNG drivers implementing the crypto_rng interface. It's not actually used by anything besides the "rng" algorithm type of AF_ALG, which in turn is not actually used in practice. Other crypto_rng hardware drivers are likewise being phased out, leaving just the hwrng support. Thus, remove it to simplify the code and avoid conflict (and confusion) with the hwrng interface which is the one that actually matters. Fixes: f29cd5bb64c2 ("crypto: qcom-rng - Add hw_random interface support") Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org> Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 dayscrypto: qcom-rng - Allow zero as a random numberEric Biggers
Zero is a valid random number and needs to be allowed. Otherwise the output is distinguishable from random. Fixes: f29cd5bb64c2 ("crypto: qcom-rng - Add hw_random interface support") Cc: stable@vger.kernel.org Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com> Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com> Signed-off-by: Eric Biggers <ebiggers@kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 dayscrypto: qcom-rng - Enable clock in hwrng caseEric Biggers
Fix qcom-rng.c to enable the clock before accessing the hardware. Fixes: f29cd5bb64c2 ("crypto: qcom-rng - Add hw_random interface support") Cc: stable@vger.kernel.org Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com> Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com> Signed-off-by: Eric Biggers <ebiggers@kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 dayscrypto: qat - clear AES key schedule from stackGiovanni Cabiddu
qat_alg_xts_reverse_key() expands the forward XTS AES key on the stack. That schedule contains key material and can remain in the stack frame. Clear the temporary crypto_aes_ctx with memzero_explicit() after the copy. Fixes: 5106dfeaeabe ("crypto: qat - add AES-XTS support for QAT GEN4 devices") Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com> Reviewed-by: Ahsan Atta <ahsan.atta@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 dayscrypto: qat - cancel work on re-enable SR-IOV timeoutGiovanni Cabiddu
The QAT reset worker queues SR-IOV reenable work using a work_struct and completion embedded in an on-stack adf_sriov_dev_data. If the completion wait times out, the reset worker can return while device_sriov_wq still holds or executes the stack-backed work item. Cancel the work on the device_sriov_wq on timeout before the stack frame unwinds. Fixes: 4469f9b23468 ("crypto: qat - re-enable sriov after pf reset") Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com> Reviewed-by: Ahsan Atta <ahsan.atta@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 dayscrypto: octeontx - use 2-arg strscpy where destination size is knownThorsten Blum
To simplify the code, drop explicit and hard-coded size arguments from strscpy() where the destination buffer has a fixed size and strscpy() can automatically determine it using sizeof(). Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 dayscrypto: qat - use 2-arg strscpy where destination size is knownThorsten Blum
To simplify the code, drop explicit and hard-coded size arguments from strscpy() where the destination buffer has a fixed size and strscpy() can automatically determine it using sizeof(). Acked-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com> Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 dayscrypto: hisilicon - use 2-arg strscpy where destination size is knownThorsten Blum
To simplify the code, drop explicit and hard-coded size arguments from strscpy() where the destination buffer has a fixed size and strscpy() can automatically determine it using sizeof(). Reviewed-by: Longfang Liu <liulongfang@huawei.com> Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 dayscrypto: ccp - use 2-arg strscpy where destination size is knownThorsten Blum
To simplify the code, drop explicit and hard-coded size arguments from strscpy() where the destination buffer has a fixed size and strscpy() can automatically determine it using sizeof(). Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 dayscrypto: cavium - use 2-arg strscpy where destination size is knownThorsten Blum
To simplify the code, drop explicit and hard-coded size arguments from strscpy() where the destination buffer has a fixed size and strscpy() can automatically determine it using sizeof(). Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 daysReplace <linux/mod_devicetable.h> by more specific <linux/device-id/*.h> (c ↵Uwe Kleine-König (The Capable Hub)
files) Replace the #include of <linux/mod_devicetable.h> by the more specific <linux/device-id/*.h> where applicable. For most cases the include can be dropped completely, only a few drivers need one or two headers added. Acked-by: Danilo Krummrich <dakr@kernel.org> Acked-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Acked-by: Bjorn Helgaas <bhelgaas@google.com> Link: https://patch.msgid.link/1a3f2007c5c5dcf555c09a4035ce3ae8ef1b6c49.1782808461.git.u.kleine-koenig@baylibre.com Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
7 dayscrypto: atmel: Use dmaengine_prep_config_sg() APIFrank Li
Using new API dmaengine_prep_config_sg() to simple code. dmaengine_prep_config_sg() does not distinguish between configuration failures and descriptor preparation failures, as both are reported through a NULL return value. Converting both cases to -ENOMEM is therefore acceptable and consistent with the helper's abstraction. In practice, most users only care whether the operation succeeds or fails, and do not depend on the exact errno value returned from this path. Tested-by: Niklas Cassel <cassel@kernel.org> Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com> Signed-off-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260521-dma_prep_config-v7-9-1f73f4899883@nxp.com Signed-off-by: Vinod Koul <vkoul@kernel.org>
8 dayscrypto: ccp: use scoped_with_init_fs() for SEV file accessChristian Brauner
Replace the manual init_task root retrieval with scoped_with_init_fs() to temporarily override current->fs. This allows using the simpler filp_open() instead of the init_root() + file_open_root() pattern. open_file_as_root() ← sev_read_init_ex_file() / sev_write_init_ex_file() ← sev_platform_init() ← __sev_guest_init() ← KVM ioctl — user process context Needs init's root because the SEV init_ex file path should resolve against the real root, not a KVM user's chroot. Link: https://patch.msgid.link/20260601-work-kthread-nullfs-v4-7-77ee053060e0@kernel.org Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
13 daysMerge tag 'pci-v7.2-changes' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci Pull pci updates from Bjorn Helgaas: "Enumeration: - Remove MPS/MRRS Kconfig settings (CONFIG_PCIE_BUS_*) that worked around a WiFi device defect; use a quirk or boot-time "pci=pcie_bus_tune_*" kernel parameter instead (Bjorn Helgaas) - Always lift 2.5GT/s restriction in PCIe failed link retraining to avoid clamping a link to 2.5GT/s after hot-plug changes the device (Maciej W. Rozycki) - Request bus reassignment when not probe-only to fix an enumeration regression on Marvell CN106XX and possibly other DT-based systems (Ratheesh Kannoth) - Fix procfs race between pci_proc_init() and pci_bus_add_device() that resulted in 'proc_dir_entry ... already registered' warnings and pointer corruption (Krzysztof Wilczyński) - Fix sysfs race that causes 'duplicate filename' warnings and boot panics by converting PCI resource files to static attributes (Krzysztof Wilczyński) - Expose sysfs 'resourceN_resize' attributes only on platforms with PCI mmap (Krzysztof Wilczyński) - Require CAP_SYS_ADMIN to write to sysfs 'resourceN_resize' attributes (Krzysztof Wilczyński) - Add security_locked_down(LOCKDOWN_PCI_ACCESS) to alpha PCI resource mmap path to match the generic path (Krzysztof Wilczyński) - Use kstrtobool() to parse the 'rom' attribute input to avoid the unexpected behavior of enabling the ROM when writing '0' with no trailing newline (Krzysztof Wilczyński) Resource management: - Improve resource claim logging for debuggability (Ilpo Järvinen) - Clean up several uses of const parameters (Ilpo Järvinen) - Check option ROM header signatures and lengths before accessing to avoid page faults and alignment faults (Guixin Liu) ASPM: - Don't reconfigure ASPM when entering low-power D-state; only do it when returning back to D0 (Carlos Bilbao) Power management: - During suspend, set power state to 'unknown' for all devices, not just those with drivers (Lukas Wunner) - Skip restoring Resizable BARs and VF Resizable BARs if device doesn't respond to config reads, to avoid invalid array accesses (Marco Nenciarini) - Add pci_suspend_retains_context() so drivers can tell whether devices retain internal state across suspend/resume, since some platforms reset devices on suspend; use this in nvme to avoid issues on Qcom RCs (Manivannan Sadhasivam) Power control: - Only to power on/off devices that actually support power control to avoid poking at incompatible devices mentioned in DT (Manivannan Sadhasivam) Virtualization and resets: - Log device readiness timeouts as errors, not warnings, because the device is likely unusable in this case (Bjorn Helgaas) - Wait for device readiness after soft reset (D3hot -> D0uninitialized transition), when the device may respond with Request Retry Status (RRS) if it needs more time to initialize (Bjorn Helgaas) - Drop unnecessary retries when restoring BARs because resets should now already include all required delays (Lukas Wunner) - Avoid FLR for MediaTek MT7925 WiFi, where FLR fails after a VM terminates uncleanly (Jose Ignacio Tornos Martinez) - Avoid SBR for Qualcomm WCN6855/WCN7850 WiFi, SDX62/SDX65 modems, which seem not to support it correctly (Jose Ignacio Tornos Martinez) Peer-to-peer DMA: - Prevent P2PDMA as well as CPU access to non-mappable BARs, e.g., s390 ISM BARs (Matt Evans) - Add Intel QAT, DSA, IAA devices to whitelist (Lukas Wunner) Endpoint framework: - Add endpoint controller APIs for use by function drivers to discover auxiliary blocks like DMA engines (Koichiro Den) - Remember DesignWare eDMA engine base/size and expose them via the EPC aux-resource API (Koichiro Den) - Add endpoint embedded doorbell fallback, used if MSI allocation fails (Koichiro Den) - Validate BAR index and remove dead BAR read in endpoint doorbell test (Carlos Bilbao) - Unwind MSI/MSI-X vectors if NTB initialization fails part-way through (Koichiro Den) - Cache sleepable pci_irq_vector() value at ISR setup to avoid calling it from hardirq context (Koichiro Den) - Call sleepable pci_epc_raise_irq() from a work item instead of atomic context, e.g., when setting bits in NTB peer doorbells in the ntb_peer_db_set() path (Koichiro Den) - Report 0-based vNTB doorbell vector to account for link event 0 and historically skipped slot 1 (Koichiro Den) - Prevent configfs writes to vNTB db_count and other values that are already in use after EPC attach (Koichiro Den) - Account for vNTB db_valid reserved slots (link event 0 and historically skipped slot 1) so they don't appear as valid doorbells (Koichiro Den) - Implement vNTB .db_vector_count()/mask() for doorbells so clients can use multiple vectors and avoid thundering herds (Koichiro Den) - Report 0-based NTB doorbell vector to account for link event 0 and historically skipped slot 1 (Koichiro Den) - Fix doorbell bitmask and IRQ vector handling to clear only specified bits, use the correct vector for non-contiguous Linux IRQ numbers, and validate incoming vectors (Koichiro Den) - Implement NTB .db_vector_count()/mask() for doorbells so clients can use multiple vectors (Koichiro Den) Native PCIe controller infrastructure: - Add pci_host_common_link_train_delay() for the mandatory delay after > 5GT/s Link training completes and use it for cadence HPA, j721e, LGA; dwc; aardvark, mediatek-gen3, rzg3s (Hans Zhang) - Protect root bus removal with rescan lock in altera, brcmstb, cadence, dwc, iproc, mediatek, plda, rockchip to prevent use-after-free or crashes when racing with sysfs rescan or hotplug (Hans Zhang) - Add pci_host_common_parse_ports() for use by any native driver to parse Root Port properties (per-Link features like width, speed, PHY, power and reset control, etc should be described in Root Port stanzas, not the host bridge; currently only reset GPIOs implemented) (Sherry Sun) New native PCIe controller drivers: - Add DT binding and driver for UltraRISC DP1000 PCIe controller (Xincheng Zhang, Jia Wang) Altera PCIe controller driver: - Do not dispose of the parent IRQ mapping, which belongs to the parent interrupt controller (Mahesh Vaidya) - Fix chained IRQ handler ordering issue and resource leaks on probe failure (Mahesh Vaidya) AMD MDB PCIe controller driver: - Assert PERST# on shutdown so any connected Endpoints are held in reset during shutdown (Sai Krishna Musham) Amlogic Meson PCIe controller driver: - Propagate devm_add_action_or_reset() failure to fix probe error path (Shuvam Pandey) - Add .remove() callback to deinitialize the host bridge and power off the PHY (Shuvam Pandey) Broadcom iProc PCIe controller driver: - Restore .map_irq() assignment; its removal broke INTx on the iproc platform bus driver (Mark Tomlinson) Broadcom STB PCIe controller driver: - No change, but products using certain WiFi devices may be affected by removal of CONFIG_PCIE_BUS_* (see above) Freescale i.MX6 PCIe controller driver: - Move IMX6SX_GPR12_PCIE_TEST_POWERDOWN handling into the core reset functions (Richard Zhu) - Assert PERST# before enabling regulators to ensure that even if power is enabled, endpoint stays inactive until REFCLK is stable (Sherry Sun) - Parse reset properties in Root Port nodes (falling back to host bridge) to help support Key E connectors and the pwrctrl framework (Sherry Sun) - Configure i.MX95 REF_USE_PAD before PHY reset (Richard Zhu) - Assert i.MX95 ref_clk_en after reference clock stabilizes (Richard Zhu) - Integrate new pwrctrl API for DTs with Root Port-level power supplies (Sherry Sun) Intel Gateway PCIe controller driver: - Enable clock before PHY init for correct ordering (Florian Eckert) - Add .start_link() callback so the driver works again (Florian Eckert) - Stop overwriting the ATU base address discovered by dw_pcie_get_resources() (Florian Eckert) - Add DT 'atu' region since this is hardware-specific, and fall back to driver default if lacking (Florian Eckert) Loongson PCIe controller driver: - Ignore downstream devices only on internal bridges to avoid Loongson hardware issue (Rong Zhang) - Quirk old Loongson-3C6000 bridges that advertise incorrect supported link speeds (Ziyao Li) Marvell MVEBU PCIe controller driver: - Use fixed-width interrupt masks to avoid truncation in 64-bit builds (Rosen Penev) MediaTek PCIe controller driver: - Use FIELD_PREP() to fix incorrect operator precedence in PCIE_FTS_NUM_L0 (Li RongQing) - Fix IRQ domain leak when port fails to enable (Manivannan Sadhasivam) - Use actual physical address for MSI message address instead of virt_to_phys() (Manivannan Sadhasivam) - Add EcoNet EN7528 to DT binding (Caleb James DeLisle) MediaTek PCIe Gen3 controller driver: - Deassert PCIE_PHY_RSTB so REFCLK is stable for at least 100ms (PCIE_T_PVPERL_MS) before deasserting PERST# (Jian Yang) - Add .shutdown() to assert PERST# before powering down device (Jian Yang) - Do full device power down on removal, including asserting PERST#, when removing driver (Chen-Yu Tsai) - Fix a 'failed to create pwrctrl devices' error message that was inadvertently skipped (Chen-Yu Tsai) NVIDIA Tegra194 PCIe controller driver: - Program the DesignWare PORT_AFR L1 entrance latency based on the 'aspm-l1-entry-delay-ns' DT property (Manikanta Maddireddy) Qualcomm PCIe controller driver: - Add Eliza SoC compatible in DT binding (Krishna Chaitanya Chundru) - Set max OPP during resume so DBI register accesses don't fail with NoC errors (Qiang Yu) - Add pci_host_common_d3cold_possible() to determine whether downstream devices are already in D3hot and wakeup-enabled devices are capable of generating PME from D3cold (Krishna Chaitanya Chundru) - Add .get_ltssm() callback to get the LTSSM status without DBI, since DBI may be inaccessible after PME_Turn_Off (Krishna Chaitanya Chundru) - Power down PHY via PARF_PHY_CTRL before disabling rails/clocks to avoid power leakage (Krishna Chaitanya Chundru) - Decide whether suspend should put the link in L2 and power down using pci_host_common_d3cold_possible() instead of checking whether ASPM L1 is enabled (Krishna Chaitanya Chundru) - Add qcom D3cold support to tear down interconnect bandwidth and OPP votes (Krishna Chaitanya Chundru) - Handle unsupported mixed PERST#/PHY DT configurations, e.g., PHY in RP node while PERST# is in the RC node, but warn about the DT issue (Qiang Yu) - Program T_POWER_ON based on DT 't-power-on-us' property in case hardware advertises incorrect values (Krishna Chaitanya Chundru) - Disable ASPM L0s for SA8775P (Shawn Guo) - Initialize DWC MSI lock for firmware-managed ECAM hosts, which don't use the dw_pcie_host_init() path that initializes the lock (Yadu M G) Renesas RZ/G3S PCIe controller driver: - Add RZ/V2N DT support (Lad Prabhakar) SOPHGO PCIe controller driver: - Add 'dma-coherent' DT property for sg2042-pcie driver (Han Gao) Synopsys DesignWare PCIe controller driver: - Apply ECRC TLP Digest workaround for all DesignWare cores prior to 5.10a, not just 4.90a and 5.00a (Manikanta Maddireddy) - Use common struct dw_pcie 'mode' rather than duplicating it in artpec6, dra7xx, dwc-pcie, and keembay driver structs (Hans Zhang) - Use DEFINE_SHOW_ATTRIBUTE for ltssm_status debugfs to reduce boilerplate and fix a seq_file memory leak by including a .release() callback (Hans Zhang) - Fix a signedness bug in fault injection test code (Dan Carpenter) - Avoid NULL pointer dereference when tearing down debugfs for controller that lacks RAS DES capability (Shuvam Pandey) MicroSemi Switchtec management driver: - Add Gen6 Device IDs (Ben Reed) Miscellaneous: - Remove unused gpio.h include from amd-mdb, designware-plat, fu740, visconti drivers (Andy Shevchenko) - Fix typos in documentation (josh ziegler) - Use FIELD_MODIFY() instead of open-coding it (Hans Zhang)" * tag 'pci-v7.2-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci: (168 commits) PCI/sysfs: Use kstrtobool() to parse the ROM attribute input PCI/sysfs: Limit BAR resize attribute scope to platforms with PCI mmap PCI/sysfs: Remove pci_create_legacy_files() and pci_sysfs_init() PCI/sysfs: Convert legacy I/O and memory attributes to static definitions PCI/sysfs: Add __weak pci_legacy_has_sparse() helper alpha/PCI: Compute legacy size in pci_mmap_legacy_page_range() PCI: Add macros for legacy I/O and memory address space sizes PCI/sysfs: Remove pci_{create,remove}_sysfs_dev_files() alpha/PCI: Convert resource files to static attributes alpha/PCI: Add static PCI resource attribute macros alpha/PCI: Remove WARN from __pci_mmap_fits() and __legacy_mmap_fits() alpha/PCI: Fix __pci_mmap_fits() overflow for zero-length BARs alpha/PCI: Use PCI resource accessor macros alpha/PCI: Use BAR index in sysfs attr->private instead of resource pointer alpha/PCI: Add security_locked_down() check to pci_mmap_resource() PCI/sysfs: Limit pci_sysfs_init() late_initcall compile scope PCI/sysfs: Add stubs for pci_{create,remove}_sysfs_dev_files() PCI/sysfs: Warn about BAR resize failure in __resource_resize_store() PCI/sysfs: Convert PCI resource files to static attributes PCI/proc: Fix race between pci_proc_init() and pci_bus_add_device() ...
2026-06-19Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvmLinus Torvalds
Pull kvm updates from Paolo Bonzini: "arm64: This is a bit of an odd merge window on the KVM/arm64 front. There is absolutely no new feature in the pull request. It is purely fixes, because it is simply becoming too hard to review new stuff when so many AI-fuelled fixes hit the list. - Significant cleanup of the vgic-v5 PPI support which was merged in 7.1. This makes the code more maintainable, and squashes a couple of bugs in the meantime - Set of fixes for the handling of the MMU in an NV context, particularly VNCR-triggered faults. S1POE support is fixed as well - Large set of pKVM fixes, mostly addressing recurring issues around hypervisor tracking of donated pages in obscure cases where the donation could fail and leave things in a bizarre state - Fixes for the so-called "lazy vgic init", which resulted in sleeping operations in non-preemptible sections. This turned out to be far more invasive than initially expected.. - Reduce the overhead of L1/L2 context switch by not touching the FP registers - Fix the way non-implemented page sizes are dealt with when a guest insist on using them for S2 translation - The usual set of low-impact fixes and cleanups all over the map Loongarch: - On a request for lazy FPU load, load all FPU state that the VM supports instead of enabling only the part (FPU, LSX or LASX) that caused the FPU load request - Some enhancements about interrupt injection - Some bug fixes and other small changes RISC-V: - Batch G-stage TLB flushes for GPA range based page table updates - Convert HGEI line management to fully per-HART - Fix missing CSR dirty marking when FWFT state updated via ONE_REG - Fix stale FWFT feature exposure to Guest/VM - Speed up dirty logging write faults using MMU rwlock and atomic PTE updates using cmpxchg() for permission-only changes - Use flexible array for APLIC IRQ state - Use kvm_slot_dirty_track_enabled() for logging enable check on a memslot - Avoid skipping valid pages in kvm_riscv_gstage_wp_range() - Avoid skipping valid pages in kvm_riscv_gstage_unmap_range() - Use endian-specific __lelong for NACL shared memory S390: - KVM_PRE_FAULT_MEMORY support - Support for 2G hugepages - Support for the ASTFLEIE 2 facility - Support for fast inject using kvm_arch_set_irq_inatomic - Fix potential leak of uninitialized bytes - A few more misc gmap fixes x86: - Generic support for the more granular permissions allowed by EPT, namely "read" (which was previously usurping the U bit) and separate execution bits for kernel and userspace - Do not assume that all page tables start with U=1/W=1/NX=0 at the root, as AMD GMET needs to have U=0 at the root - Introduce common assembly macros for use within Intel and AMD vendor-specific vmentry code. This touches the SPEC_CTRL handling, which is now entirely done in assembly for Intel (by reusing the AMD code that already existed), and register save/restore which uses some macro magic to compute the offsets in the struct. Both of these are preparatory changes for upcoming APX support - Clean up KVM's register tracking and storage, primarily to prepare for APX support, which expands the maximum number of GPRs from 16 to 32 - Keep a single copy of the PDPTRs rather than two, since architecturally there is just one - Handle EXIT_FASTPATH_EXIT_USERSPACE in vendor code to ensure vendor code gets a chance to handle things like reaping the PML buffer - Update KVM's view of PV async enabling if and only if the MSR write fully succeeds - Fix a variety of issues where the emulator doesn't honor guest-debug state, and clean up related code along the way - Synthesize EPT Violation and #NPF "error code" bits when injecting faults into L1 that didn't originate in hardware (in which case the VMCS/VMCB doesn't hold relevant information) - Add support for virtualizing (well, emulating) AMD's flavor of CPL>0 CPUID faulting - Clean up the GPR APIs so that KVM's use of "raw" is consistent, and fix a variety of minor bugs along the way - Fix an OOB memory access due to not checking the VP ID when handling a Hyper-V PV TLB flush for L2 - Fix a bug in the mediated PMU's handling of fixed counters that allowed the guest to bypass the PMU event filter - Allow userspace to return EAGAIN when handling SNP and TDX hypercalls, so the KVM can forward a "retry" status code to the guest, and reserve all unused error codes for future usage - Overhaul the TDP MMU => S-EPT code to move as much S-EPT specific logic as possible into the TDX code, and to funnel (almost) all S-EPT updates into a single chokepoint. The motivation is largely to prepare for upcoming Dynamic PAMT support, but the cleanups are nice to have on their own - Plug a hole in shadow page table handling, where KVM fails to recursively zap nested EPT/NPT shadow page tables when the nested hypervisor tears down its own EPT/NPT page tables from the bottom up x86 (Intel): - Support for nested MBEC (Mode-Based Execute Control), see above in the generic section; also run with MBEC enabled even for non-nested mode - Use the kernel's "enum pg_level" in the TDX APIs instead of the TDX-Module's level definitions (which are 0-based) - Rework the TDX memory APIs to not require/assume that guest memory is backed by "struct page" (in prepartion for guest_memfd hugepage support) - Fix a largely benign bug where KVM TDX would incorrectly state it could emulate several x2APIC MSRs - Use the "safe" WRMSR API when proxying LBR MSR writes as the to-be-written value is guest controlled and completely unvalidated x86 (AMD): - Support for nested GMET (Guest Mode Execution Trap), see above in the generic section; also run with GMET enabled even for non-nested mode - Fixes and minor cleanups to GHCB handling, on top of the earlier work already merged into 7.1-rc - Ensure KVM's copy of CR0 and CR3 are up-to-date prior to invoking fastpath handlers - Add support for virtualizing gPAT (KVM previously just used L1's PAT when running L2) - Fix goofs where KVM mishandles side effects (e.g. single-step and PMC updates) when emulating VMRUN - Fix a variety of bugs in AVIC's handling of x2APIC MSR interception, most notably where KVM didn't disable interception of IRR, ISR, and TMR regs - Add support for virtualizing Host-Only/Guest-Only bits in the mediated PMU - Don't advertise support for unusable VM types, and account for VM types that are disabled by firmware, e.g. to mitigate security vulnerabilities - Rewrite the SEV {en,de}crypt debug ioctls as they were riddle with bugs and unnecessarily complicated, and add comprehensive tests - Clean up and deduplicate the SEV page pinning code - Fix minor goofs related to writing back CPUID information after firmware rejects a CPUID page for an SNP vCPU Generic: - Rename invalidate_begin() to invalidate_start() throughout KVM to follow the kernel's nomenclature, e.g. for mmu_notifiers - Use guard() to cleanup up various KVM+VFIO flows - Minor cleanups guest_memfd: - Return -EEXIST instead of -EINVAL if userspace attempts to bind a gmem range to multiple memslots, and fix the test that was supposed to ensure KVM returns -EEXIST - Treat memslot binding offsets and sizes as unsigned values to fix a bug where KVM interprets a large "offset + size" as a negative value and allows a nonsensical offset - Use the inode number instead of the page offset for the NUMA interleaving index to fix a bug where the effective index would jump by two for consecutive pages (the caller also adds in the page offset) Selftests: - Randomize the dirty log test's delay when reaping the bitmap on the first pass, as always waiting only 1ms hid a KVM RISC-V bug as the test reaped the bitmap before KVM could build up enough state to hit the bug - A pile of one-off fixes and cleanups" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (326 commits) KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level KVM: x86: Fix shadow paging use-after-free due to unexpected role KVM: s390: Introducing kvm_arch_set_irq_inatomic fast inject KVM: s390: Enable adapter_indicators_set to use mapped pages KVM: s390: Add map/unmap ioctl and clean mappings post-guest riscv: kvm: Use endian-specific __lelong for NACL shared memory KVM: selftests: access_tracking_perf_test: bump number of NUMA nodes to 32 KVM: s390: vsie: Implement ASTFLEIE facility 2 KVM: s390: vsie: Refactor handle_stfle s390/sclp: Detect ASTFLEIE 2 facility KVM: s390: Minor refactor of base/ext facility lists KVM: x86/mmu: move pdptrs out of the MMU KVM: x86: check that kvm_handle_invpcid is only invoked with shadow paging KVM: nSVM: invalidate cached PDPTRs across nested NPT transitions KVM: nVMX: remove unnecessary code in prepare_vmcs02_rare KVM: x86: remove nested_mmu from mmu_is_nested() KVM: arm64: vgic-its: Make ABI commit helpers return void KVM: s390: Initialize KVM_S390_GET_CMMA_BITS memory LoongArch: KVM: Add missing slots_lock for device register/unregister LoongArch: KVM: Validate irqchip index in irqfd routing ...
2026-06-16Merge tag 'v7.2-p1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto updates from Herbert Xu: "API: - Drop support for off-CPU cryptography in af_alg - Document that af_alg is *always* slower - Document the deprecation of af_alg - Remove zero-copy support from skcipher and aead in af_alg - Cap AEAD AD length to 0x80000000 in af_alg - Free default RNG on module exit Algorithms: - Fix vli multiplication carry overflow in ecc - Drop unused cipher_null crypto_alg - Remove unused variants of drbg - Use lib/crypto in drbg - Use memcpy_from/to_sglist in authencesn - Allow authenc(hmac(sha{256,384}),cts(cbc(aes))) in FIPS mode - Disallow RSA PKCS#1 SHA-1 sig algs in FIPS mode - Filter out async aead implementations at alloc in krb5 - Fix non-parallel fallback by rstoring callback in pcrypt - Validate poly1305 template argument in chacha20poly1305 Drivers: - Add sysfs PCI reset support to qat - Add KPT support for GEN6 devices to qat - Remove unused character device and ioctls from qat - Add support for hw access via SMCC to mtk - Remove prng support from crypto4xx - Remove prng support from hisi-trng - Remove prng support from sun4i-ss - Remove prng support from xilinx-trng - Remove loongson-rng - Remove exynos-rng Others: - Remove support for AIO on sockets" * tag 'v7.2-p1' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (196 commits) crypto: tegra - fix refcount leak in tegra_se_host1x_submit() crypto: rng - Free default RNG on module exit crypto: testmgr - allow authenc(hmac(sha{256,384}),cts(cbc(aes))) in FIPS mode hwrng: jh7110 - fix refcount leak in starfive_trng_read() crypto: atmel-ecc - drop dead code in atmel_ecdh_max_size crypto: cavium/cpt - fix DMA cleanup using wrong loop index crypto: marvell/octeontx - fix DMA cleanup using wrong loop index MAINTAINERS: make myself the maintainer of the Qualcomm QCE driver crypto: amcc - convert irq_of_parse_and_map to platform_get_irq crypto: sun4i-ss - Remove insecure and unused rng_alg hwrng: xilinx - Move xilinx-rng into drivers/char/hw_random/ crypto: xilinx-trng - Replace crypto_drbg_ctr_df() with HMAC-SHA512 crypto: xilinx-trng - Fix return value of xtrng_hwrng_trng_read() crypto: xilinx-trng - Remove crypto_rng interface crypto: exynos-rng - Remove exynos-rng driver hwrng: hisi-trng - Move hisi-trng into drivers/char/hw_random/ crypto: hisi-trng - Remove crypto_rng interface crypto: loongson - Remove broken and unused loongson-rng crypto: crypto4xx - Remove insecure and unused rng_alg crypto: qat - validate RSA CRT component lengths ...
2026-06-12crypto: tegra - fix refcount leak in tegra_se_host1x_submit()Wentao Liang
The timeout error path in tegra_se_host1x_submit() returns without calling host1x_job_put(), while all other paths (success, submit error, pin error) properly release the job reference through the job_put label. Since host1x_job_alloc() initializes the reference count and host1x_job_put() is required to drop it, omitting it on timeout causes a permanent refcount leak. Fix this by redirecting the timeout return to the existing job_put label, ensuring the job reference and any associated syncpt references are consistently released. Cc: stable@vger.kernel.org Fixes: 0880bb3b00c8 ("crypto: tegra - Add Tegra Security Engine driver") Signed-off-by: Wentao Liang <vulab@iscas.ac.cn> Reviewed-by: Akhil R <akhilrajeev@nvidia.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2026-06-12crypto: atmel-ecc - drop dead code in atmel_ecdh_max_sizeThorsten Blum
atmel_ecdh_init_tfm() always allocates ctx->fallback, so it is never NULL in atmel_ecdh_max_size(). Remove the dead code and return crypto_kpp_maxsize() directly. Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2026-06-12crypto: cavium/cpt - fix DMA cleanup using wrong loop indexFelix Gu
The sg_cleanup error path used list[i] instead of list[j] when unmapping DMA buffers, leaking successfully mapped entries and repeatedly unmapping the failed one. Fixes: c694b233295b ("crypto: cavium - Add the Virtual Function driver for CPT") Signed-off-by: Felix Gu <ustc.gu@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2026-06-12crypto: marvell/octeontx - fix DMA cleanup using wrong loop indexFelix Gu
The sg_cleanup path used list[i] instead of list[j] when unmapping DMA buffers, leaking successfully mapped entries and repeatedly unmapping the failed one. Fixes: 10b4f09491bf ("crypto: marvell - add the Virtual Function driver for CPT") Signed-off-by: Felix Gu <ustc.gu@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2026-06-12crypto: amcc - convert irq_of_parse_and_map to platform_get_irqRosen Penev
Replace the deprecated irq_of_parse_and_map() call with the modern platform_get_irq() in the probe function. This also improves error handling: platform_get_irq() returns a negative errno on failure, whereas irq_of_parse_and_map() returned 0. Change the irq field in struct crypto4xx_core_device from u32 to int to match the return type of platform_get_irq(). Assisted-by: opencode:big-pickle Signed-off-by: Rosen Penev <rosenp@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2026-06-12crypto: sun4i-ss - Remove insecure and unused rng_algEric Biggers
Remove sun4i_ss_rng, as it is insecure and unused: - It has multiple vulnerabilities. sun4i_ss_prng_seed() is missing locking and has a buffer overflow. sun4i_ss_prng_generate() fails to fill the entire buffer with cryptographic random bytes, because it rounds the destination length down and also doesn't actually wait for the hardware to be ready before pulling bytes from it. - No user of this code is known. It's usable only theoretically via the "rng" algorithm type of AF_ALG. But userspace actually just uses the actual Linux RNG (/dev/random etc) instead. And rng_algs don't contribute entropy to the actual Linux RNG either. (This may have been confused with hwrng, which does contribute entropy.) The sun4i_ss_prng_seed() buffer overflow was reported by Tianchu Chen and discovered by Atuin - Automated Vulnerability Discovery Engine There's no point in fixing all these vulnerabilities individually when this is unused code, so let's just remove it. Fixes: b8ae5c7387ad ("crypto: sun4i-ss - support the Security System PRNG") Cc: stable@vger.kernel.org Reported-by: Tianchu Chen <flynnnchen@tencent.com> Closes: https://lore.kernel.org/r/af749a8447bd7f0e9dd26ca6c87e9c6afecb09d9@linux.dev/ Acked-by: Corentin LABBE <clabbe.montjoie@gmail.com> Signed-off-by: Eric Biggers <ebiggers@kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2026-06-12hwrng: xilinx - Move xilinx-rng into drivers/char/hw_random/Eric Biggers
Since this file just implements a hwrng driver, move it into drivers/char/hw_random/. Rename the kconfig option accordingly as well. Signed-off-by: Eric Biggers <ebiggers@kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2026-06-11crypto: xilinx-trng - Replace crypto_drbg_ctr_df() with HMAC-SHA512Eric Biggers
This code is just trying to condition 48 bytes of random data. This can be done easily using HKDF-SHA512-Extract, saving 300 lines of code. This commit also fixes forward security (in this particular case) by clearing the entropy from memory after it's used. Signed-off-by: Eric Biggers <ebiggers@kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2026-06-11crypto: xilinx-trng - Fix return value of xtrng_hwrng_trng_read()Eric Biggers
Implementations of hwrng::read are expected to return the number of bytes generated. Update xtrng_hwrng_trng_read() to match that. Fixes: 8979744aca80 ("crypto: xilinx - Add TRNG driver for Versal") Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2026-06-11crypto: xilinx-trng - Remove crypto_rng interfaceEric Biggers
Implementing the crypto_rng interface has no purpose, as it isn't used in practice. It's being removed from other drivers too. Just remove it. This leaves hwrng, which is actually used. Tagging with 'Cc stable' due to the bugs that this removes: - xtrng_trng_generate() sometimes returned success even when it didn't fill in all the bytes. - It was possible for xtrng_trng_generate() and xtrng_hwrng_trng_read() to run concurrently and interfere with each other, as the locking code in xtrng_hwrng_trng_read() was broken. Fixes: 8979744aca80 ("crypto: xilinx - Add TRNG driver for Versal") Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2026-06-11crypto: exynos-rng - Remove exynos-rng driverEric Biggers
This driver has no purpose. It doesn't feed into the Linux RNG, nor does it implement the hwrng interface. It is accessible only via the "rng" algorithm type of AF_ALG, which isn't used in practice. Everyone uses either the Linux RNG, or rarely /dev/hwrng. Moreover, this is a PRNG whose only source of entropy is the 160-bit seed the user passes in. So this can be used only by a user who already has a source of cryptographically secure random numbers, such as /dev/random. Which they can, and do, just use in the first place. Just remove this driver. There's no need to keep useless code around. Note that the other crypto_rng drivers in drivers/crypto/ are similarly unused and are being removed too. This commit just handles exynos-rng. Signed-off-by: Eric Biggers <ebiggers@kernel.org> Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2026-06-11hwrng: hisi-trng - Move hisi-trng into drivers/char/hw_random/Eric Biggers
Since this file just implements a hwrng driver, move it into drivers/char/hw_random/. Rename the kconfig option accordingly as well. Note that this moves the file back to its original location. Signed-off-by: Eric Biggers <ebiggers@kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2026-06-11crypto: hisi-trng - Remove crypto_rng interfaceEric Biggers
drivers/crypto/hisilicon/trng/trng.c exposes the same hardware through two completely separate interfaces, crypto_rng and hwrng. However, the implementation of this is buggy because it permits generation operations from these interfaces to run concurrently with each other, accessing the same registers. That is, hisi_trng_generate() synchronizes with itself but not with hisi_trng_read(). This results in potential repetition of output from the RNG, output of non-random values, etc. Fortunately, there's actually no point in hardware RNG drivers implementing the crypto_rng interface. It's not actually used by anything besides the "rng" algorithm type of AF_ALG, which in turn is not actually used in practice. Other crypto_rng hardware drivers are likewise being phased out, leaving just the hwrng support. Thus, remove it to simplify the code and avoid conflict (and confusion) with the hwrng interface which is the one that actually matters. Fixes: e4d9d10ef4be ("crypto: hisilicon/trng - add support for PRNG") Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>