Oliver White [Thu, 9 Apr 2026 03:43:47 +0000 (15:43 +1200)]
platform/surface: aggregator_registry: omit battery & AC nodes on Surface Laptop 7
Surface Laptop 7 exposes battery and AC status via Qualcomm PMIC GLINK
qcom_battmgr. Registering the standard SSAM battery and AC client
devices on this platform causes duplicate power-supply devices to
appear.
Drop the SSAM battery and AC nodes from the Surface Laptop 7 registry
group so that only the qcom_battmgr power supplies are instantiated.
Fixes: b27622f13172 ("platform/surface: Add OF support") Signed-off-by: Oliver White <oliverjwhite07@gmail.com> Link: https://patch.msgid.link/20260409034347.17381-1-oliverjwhite07@gmail.com Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Jie Gan [Mon, 11 May 2026 04:19:18 +0000 (12:19 +0800)]
coresight: platform: defer connection counter increment until alloc succeeds
coresight_add_out_conn() increments nr_outconns before calling
devm_krealloc_array() and again before devm_kmalloc(). If either
allocation fails, the counter is already bumped while the corresponding
array entry is NULL or uninitialized garbage.
coresight_add_in_conn() has the same problem with nr_inconns and
devm_krealloc_array().
In both cases the probe returns -ENOMEM, which causes
coresight_get_platform_data() to call coresight_release_platform_data()
for cleanup. That function iterates up to nr_outconns (or nr_inconns)
entries and dereferences each pointer unconditionally, hitting the NULL
or garbage entry and panicking instead of failing gracefully.
Fix by moving the counter increments to after all allocations succeed,
so the struct is always consistent on any error path.
Fixes: 3d4ff657e454 ("coresight: Dynamically add connections") Fixes: e3f4e68797a9 ("coresight: Store in-connections as well as out-connections") Signed-off-by: Jie Gan <jie.gan@oss.qualcomm.com> Reviewed-by: James Clark <james.clark@linaro.org> Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com> Link: https://lore.kernel.org/r/20260511-fix-ref-count-issue-v1-1-99d647810d3c@oss.qualcomm.com
dt-bindings: arm-smmu: Constrain clocks for newer Qualcomm variants
Many of SMMU on Qualcomm SoCs come in two flavors using the same front
compatible but a bit different fallback:
1. For application processor, usually without any controllable
clocks,
2. For the Adreno GPU, with some controllable clock(s) and using
additionally qcom,adreno-smmu fallback compatible.
Add missing constraints for Glymur SMMU on Adreno GPU and several other
Qualcomm SMMUs for application processors, to restrict the clocks
property to a specific length.
Acked-by: Rob Herring (Arm) <robh@kernel.org> Reviewed-by: Shawn Guo <shengchao.guo@oss.qualcomm.com> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Signed-off-by: Will Deacon <will@kernel.org>
Chenguang Zhao [Fri, 15 May 2026 03:25:50 +0000 (11:25 +0800)]
net/ethtool: drop duplicate TSCONFIG HWTSTAMP BUILD_BUG_ON from SET handler
BUILD_BUG_ON() is evaluated at compile time. The same three checks
for __HWTSTAMP_TX_CNT, __HWTSTAMP_FILTER_CNT and __HWTSTAMP_FLAG_CNT
are already present earlier in this file (tsconfig_reply_size()).
Repeating them at the start of ethnl_set_tsconfig() does not
strengthen the guarantee; remove the redundant block there and
keep a single occurrence.
Add tracepoints to the Qualcomm GENI (Generic Interface) SPI driver.
These trace events enable runtime debugging and performance analysis
of SPI operations.
The trace events capture SPI clock configuration, setup parameters,
transfer details, interrupt status.
Praveen Talari [Mon, 18 May 2026 17:00:52 +0000 (22:30 +0530)]
spi: qcom-geni: Add trace events for Qualcomm GENI SPI driver
Add tracepoints to the Qualcomm GENI (Generic Interface) SPI driver.
These trace events enable runtime debugging and performance analysis
of SPI operations.
The trace events capture SPI clock configuration, setup parameters,
transfer details, interrupt status.
Praveen Talari [Mon, 18 May 2026 17:00:51 +0000 (22:30 +0530)]
spi: qcom-geni: trace: Add trace events for Qualcomm GENI SPI
Add tracepoint support to the Qualcomm GENI SPI driver to provide
runtime visibility into driver behavior without requiring invasive debug
patches.
The trace events cover clock and setup parameter configuration,
transfer metadata, interrupt status to be making it easier to diagnose
communication issues in the field..
Mark Brown [Mon, 18 May 2026 15:07:29 +0000 (16:07 +0100)]
arm64/cpufeature: Define hwcaps for 2025 dpISA features
The features added by the 2025 dpISA are all straightforward instruction
only features so there is no state to manage, we can just expose hwcaps to
let userspace know they are available.
F16MM is slightly odd in that the feature is FEAT_F16MM but it is discovered
via ID_AA64FPFR0_EL1.F16MM2. We follow the feature name.
Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Will Deacon <will@kernel.org>
Michał Grzelak [Thu, 16 Apr 2026 16:37:44 +0000 (18:37 +0200)]
drm/i915/aux: use polling when irqs are unavailable
PTL with physically disconnected display was observed to have 40s longer
execution time when testing xe_fault_injection@xe_guc_mmio_send_recv.
The issue has not been seen when reverting commit 40a9f77a28fa ("Revert
"drm/i915/dp: change aux_ctl reg read to polling read"").
Apparently the configuration suffers from not having AUX enabled when
using interrupts. One probable cause can be xe enabling interrupts too
late: interrupts need memory allocations which currently can't be done
before the display FB takeover is done.
As for now, use polling for AUX in case interrupts are unavailable.
Fixes: 40a9f77a28fa ("Revert "drm/i915/dp: change aux_ctl reg read to polling read"") Suggested-by: Ville Syrjälä <ville.syrjala@linux.intel.com> Signed-off-by: Michał Grzelak <michal.grzelak@intel.com> Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com> Link: https://patch.msgid.link/20260416163744.288107-1-michal.grzelak@intel.com
Mika Westerberg [Tue, 12 Aug 2025 10:56:30 +0000 (13:56 +0300)]
thunderbolt: Add support for USB4STREAM
Introduce USB4STREAM protocol and Linux implementation. This allows two
(or more) hosts to transfer data directly over Thunderbolt/USB4 cable
through a character device without need to go through the network stack.
Any application that supports read(2) and write(2) in some form should
be able to use the device without changes. The data is sent out to the
other side over a tunnel inside Thunderbolt/USB4 fabric. The character
device is called /dev/tbstreamX where X is the minor number starting
from 0.
All stream devices need to be configured first. This is done through
ConfigFS interface. There can be multiple streams at the same time (this
depends on number of DMA rings and available HopIDs) and a single stream
supports traffic in both directions. For example there could be an
application that uses one stream as control channel and another one as
bi-directional data channel.
A real use-case for this is to take a backup as a part of recovery
initramfs tooling (no need to setup networking or have ssh or similar
tooling as part of the initramfs). Say we want to backup the disk of
host1 to host2. First Thunderbolt/USB4 cable is connected between the
hosts (there can be devices in the middle too) then the receiving side
configures the stream:
We use automatic HopID allocation (writing -1 to HopIDs) for simplicity.
From this point forward the /dev/tbstream0 can be used pretty much as
regular file:
Here we take advantage of the fact that host2 also announces the active
streams through XDomain properties so the name "backup" gives us the
HopIDs. It is also possible to configure them manually in the same way
we did for host2.
Then it is just a matter of copying the data over:
Once the streams are no longer needed they can be removed:
host1 # cd /sys/kernel/config/thunderbolt/stream/
host1 # rmdir -p 0-503.0/backup
host2 # cd /sys/kernel/config/thunderbolt/stream
host2 # rmdir -p 0-1.0/backup
Co-developed-by: Alan Borzeszkowski <alan.borzeszkowski@linux.intel.com> Signed-off-by: Alan Borzeszkowski <alan.borzeszkowski@linux.intel.com> Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Mika Westerberg [Tue, 12 Aug 2025 10:53:49 +0000 (13:53 +0300)]
thunderbolt: Add support for ConfigFS
This adds ConfigFS support to USB4/Thunderbolt bus. By itself this just
creates the subsystem but it exposes functions that can be used to
register groups under it.
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Mika Westerberg [Tue, 23 Sep 2025 09:51:27 +0000 (12:51 +0300)]
thunderbolt: Allow service drivers to specify their own properties
The XDomain properties can be useful for service drivers, for example to
implement a registry for the services they expose. So far there has been
no need for service drivers to specify these but with the USB4STREAM
driver that we are going to use them.
This adds remote and local side properties that the service drivers have
access to. Remote side is read-only but the local side can be changed by
a service driver. Also provide a mechanism to notify the remote side
that there are changes.
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Akhil P Oommen [Tue, 12 May 2026 19:21:20 +0000 (00:51 +0530)]
dt-bindings: arm-smmu: Update the description for Glymur GPU SMMU
Add the interconnects property to the common SMMU properties and extend
the sm8750 clock description section to also cover Glymur since it uses
the same single "hlos" vote clock.
Signed-off-by: Akhil P Oommen <akhilpo@oss.qualcomm.com> Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Signed-off-by: Will Deacon <will@kernel.org>
Zeng Heng [Fri, 8 May 2026 16:23:41 +0000 (17:23 +0100)]
arm_mpam: Update architecture version check for MPAM MSC
In addition to updating the CPU MPAM version check, the MPAM MSC version
check also need to be updated. mpam_msc_check_aidr() is added to check
the MSC AIDR register, ensuring that both the major and minor version
numbers fall within the supported range of the MPAM architecture version.
Signed-off-by: Zeng Heng <zengheng4@huawei.com>
[ morse: changed mpam_msc_check_aidr() to accept versions like v1.2 ] Signed-off-by: James Morse <james.morse@arm.com> Reviewed-by: Ben Horgan <ben.horgan@arm.com> Signed-off-by: Will Deacon <will@kernel.org>
Zeng Heng [Fri, 8 May 2026 16:23:40 +0000 (17:23 +0100)]
arm64: cpufeature: Add support for the MPAM v0.1 architecture version
According to the MPAM spec [1], the supported architecture versions are
v1.0, v1.1 and v0.1. MPAM versions v0.1 and v1.1 are functionally
identical, but v0.1 additionally supports the FORCE_NS feature.
ID_AA64PR | ID_AA64PR | MPAM Extension | Notes
F0_EL1. | F1_EL1. | Architecture |
MPAM | MPAM_frac | version |
---------------------------------------------------------------------------
0b0000 | 0b0001 | v0.1 | MPAM v0.1 is implemented.
| | | MPAM v0.1 is the same as MPAM v1.1
| | | with FORCE_NS which is
| | | incompatible with MPAM v1.0.
---------------------------------------------------------------------------
0b0001 | 0b0000 | v1.0 | MPAM v1.0 is implemented.
---------------------------------------------------------------------------
0b0001 | 0b0001 | v1.1 | MPAM v1.1 is implemented.
| | | MPAM v1.1 includes all features of
| | | MPAM v1.0.
| | | It must not include FORCE_NS.
FORCE_NS is a feature that operates in EL3 mode. Consequently, the current
Linux MPAM driver is also compatible with MPAM v0.1. To support v0.1, the
existing driver which only checks ID_AA64PFR0_EL1.MPAM for the major
version needs to examine ID_AA64PFR1_EL1.MPAM_frac for the minor version
as well.
In particular, the address of a label is only expected to be used with a
computed goto.
While the generic version more or less works today, it is known to be
brittle and may break with current and future optimizations. For
example, Clang -O2 always returns 1 when this function is inlined:
Fix it by overriding _THIS_IP_ in <asm/linkage.h> (which is included by
<linux/instruction_pointer.h>) using an architecture-specific inline asm
version. Additionally, avoiding taking the address of a label prevents
compilers from emitting spurious indirect branch targets (e.g. ENDBR or
BTI) under control-flow integrity schemes.
Pierre Barre [Tue, 12 May 2026 13:20:32 +0000 (13:20 +0000)]
9p: invalidate readdir buffer on seek
The per-fid readdir buffer (fid->rdir) is populated lazily and only
refilled when fully drained (rdir->head == rdir->tail). userspace
lseek() on a directory fd updates file->f_pos via generic_file_llseek()
but does not touch the cached buffer, so the next getdents() iterates
the stale cache and emits entries from the previous position instead
of the one the caller asked for.
Track the file position the cached data corresponds to in
struct p9_rdir, and drop the cache on entry to iterate_shared when it
no longer matches ctx->pos. The 9p protocol's Tread/Treaddir already
take an arbitrary offset on every request, so a refill at the new
position is always legal; no .llseek override or seek restriction is
needed.
Pierre Barre [Tue, 12 May 2026 13:20:31 +0000 (13:20 +0000)]
9p: use kvzalloc for readdir buffer
The readdir buffer is sized to msize, so kzalloc() can fail under
fragmentation with a page allocation failure in v9fs_alloc_rdir_buf()
/ v9fs_dir_readdir_dotl().
The buffer is only a response sink and is never pack_sg_list()'d,
so kvzalloc() is safe for all transports, unlike the fcall buffers
fixed in e21d451a82f3 ("9p: Use kvmalloc for message buffers on
supported transports").
Signed-off-by: Pierre Barre <pierre@barre.sh>
Message-ID: <20260512132032.369281-1-pierre@barre.sh> Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
'struct configfs_item_operations' is not modified in this driver.
Constifying this structure moves some data to a read-only section, so
increases overall security, especially when the structure holds some
function pointers.
On a x86_64, with allmodconfig:
Before:
======
text data bss dec hex filename
25167 9336 256 34759 87c7 net/9p/trans_usbg.o
After:
=====
text data bss dec hex filename
25231 9272 256 34759 87c7 net/9p/trans_usbg.o
dt-bindings: arm-smmu: qcom: Add compatible for Qualcomm Shikra SoC
Qualcomm Shikra SoC includes an apps SMMU that implements arm,mmu-500,
which is used to translate device-visible virtual addresses to physical
addresses. Add compatible for it.
Signed-off-by: Komal Bajaj <komal.bajaj@oss.qualcomm.com> Acked-by: Rob Herring (Arm) <robh@kernel.org> Signed-off-by: Will Deacon <will@kernel.org>
Paolo Abeni [Tue, 19 May 2026 11:51:08 +0000 (13:51 +0200)]
Merge tag 'ovpn-net-20260514' of https://github.com/OpenVPN/ovpn-net-next
Antonio Quartulli says:
====================
Included fixes:
* fix TCP selftest failures by reducing number of attempted pings
* fix RCU ptr deref outside of RCU read section
* fix UAF in case of TCP peer failed to be added to hashtable
* fix race condition between iface teardown and new peer being added
* ensure dstats are updated with BH disabled to avoid concurrency
* tag 'ovpn-net-20260514' of https://github.com/OpenVPN/ovpn-net-next:
ovpn: disable BHs when updating device stats
ovpn: fix race between deleting interface and adding new peer
ovpn: respect peer refcount in CMD_NEW_PEER error path
ovpn: tcp - use cached peer pointer in ovpn_tcp_close()
selftests: ovpn: reduce remaining ping flood counts
====================
Arnd Bergmann [Fri, 15 May 2026 09:12:06 +0000 (11:12 +0200)]
media: platform: amd: add DRM_AMDGPU dependency
With DRM_AMDGPU=m and DRM_AMD_ISP=y, it is possible to configura
VIDEO_AMD_ISP4_CAPTURE as built-in, but that fails to link:
aarch64-linux-ld: drivers/media/platform/amd/isp4/isp4_interface.o: in function `isp4if_gpu_mem_alloc.isra.0':
isp4_interface.c:(.text+0x1d0): undefined reference to `isp_kernel_buffer_alloc'
aarch64-linux-ld: drivers/media/platform/amd/isp4/isp4_interface.o: in function `isp4if_dealloc_fw_gpumem':
isp4_interface.c:(.text+0x26c): undefined reference to `isp_kernel_buffer_free'
Add a dependency on the tristate DRM_AMDGPU symbol in addition to
the boolean DRM_AMD_ISP=y, so this can only be built-in if
the ISP driver is also linked into the kernel itself.
Fixes: 9a54c285630c ("media: platform: amd: Introduce amd isp4 capture driver") Signed-off-by: Arnd Bergmann <arnd@arndb.de> Reviewed-by: Bin Du <Bin.Du@amd.com> Tested-by: Bin Du <Bin.Du@amd.com> Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Bin Du [Tue, 12 May 2026 03:21:14 +0000 (11:21 +0800)]
media: platform: amd: isp4: drop stale list reinit before free
Newer Smatch snapshots no longer report the false positive around
isp4if_send_fw_cmd(), so the extra list reinitialization before kfree()
is no longer needed.
Drop the stale list reinit and keep the cleanup path simpler.
Signed-off-by: Bin Du <Bin.Du@amd.com> Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Arun T [Fri, 15 May 2026 17:45:12 +0000 (23:15 +0530)]
media: ov13b10: Support multiple regulators
The OV13B10 sensor driver currently handles a single regulator called
avdd, however the sensor can be supplied by up to three regulators.
Update the driver to handle all of them together using the regulator
bulk API.
Signed-off-by: Arun T <arun.t@intel.com> Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com> Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Arun T [Fri, 15 May 2026 17:45:11 +0000 (23:15 +0530)]
platform/x86: int3472: Add TPS68470 board data for intel nvl
The Intel NVL platform uses IPU8 powered by a TPS68470 PMIC,
requiring board data to configure the GPIOs and regulators for
proper camera sensor operation.
Signed-off-by: Arun T <arun.t@intel.com> Reviewed-by: Daniel Scally <dan.scally@ideasonboard.com> Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com> Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Arun T [Fri, 15 May 2026 17:45:10 +0000 (23:15 +0530)]
platform/x86: int3472: Rename daisy-chain GPIO props to generic
Rename the MSI-specific daisy-chain GPIO properties and software node
to generic names so they can be reused by other platforms that also
require daisy-chain GPIO configuration for TPS68470.
Signed-off-by: Arun T <arun.t@intel.com> Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Dapeng Mi [Fri, 15 May 2026 06:11:43 +0000 (14:11 +0800)]
perf/x86/intel: Update event constraints and cache_extra_regsfor CWF
Update perf hard-coded event constraints and cache_extra_regs[] for
Clearwater Forest according to the latest CWF perfmon events (V1.02).
An important difference is that CWF introduce new extra register values
for the L3 cache OCR events, so define darkmont specific
dkt_hw_cache_extra_regs[] array.
Dapeng Mi [Fri, 15 May 2026 06:11:41 +0000 (14:11 +0800)]
perf/x86/intel: Update event constraints and cache_extra_regsfor NVL
Update perf hard-coded event constraints and cache_extra_regs[] for
Novalake according to the latest NVL perfmon events.
The 4 PRECISE_OMR events (0xd4) are broken on Arcticwolf and would be
removed from upcoming released event list, so delete them from event
constraints and extra_regs array accordingly.
Dapeng Mi [Fri, 15 May 2026 06:11:40 +0000 (14:11 +0800)]
perf/x86/intel: Update event constraints for PTL
Update perf hard-coded event constraints for Pantherlake according to
the latest PTL perfmon events (V1.05).
PTL has almost same perf event list as LNL except some PEBS event
constraints of E-core (exactly same on P-core). Define
intel_dkt_pebs_event_constraints[] to reflect the PTL E-core specific
PEBS event constraints.
Dapeng Mi [Fri, 15 May 2026 06:11:39 +0000 (14:11 +0800)]
perf/x86/intel: Update event constraints and cache_extra_regsfor ARL
Update perf hard-coded event constraints and cache_extra_regs[] for
Arrowlake according to the latest ARL perfmon events (V1.17).
ARL shares almost same event constraints and extra MSR configuration
with LNL except 2 differences.
- ARL P-core has different extra MSR value for OCR.DEMAND_DATA_RD.L3_MISS
and OCR.DEMAND_RFO.L3_MISS. So introduce arl_lnc_hw_cache_extra_regs[]
to reflect the difference.
- ARL-H has extra LPE cores which use crestmont architectures. Add
crestmont specific event constraints and hw_cache_extra_regs[] for LPE
cores.
Dapeng Mi [Fri, 15 May 2026 06:11:38 +0000 (14:11 +0800)]
perf/x86/intel: Update event constraints and cache_extra_regsfor LNL
Update perf hard-coded event constraints and cache_extra_regs[] for
Lunarlake according to the latest LNL perfmon events (V1.22).
LNL introduces new extra register values for the OCR L3 cache events,
so introduce lnc_hw_cache_extra_regs[] and skt_hw_cache_extra_regs[] to
reflect the changes.
Dapeng Mi [Fri, 15 May 2026 06:11:37 +0000 (14:11 +0800)]
perf/x86/intel: Update event constraints and cache_extra_regsfor MTL
Update perf hard-coded event constraints and cache_extra_regs[] for
Meteor Lake according to the latest MTL perfmon events (V1.21).
MTL P-core (redwoodcove) inherits same perf events list from previous
generation (Goldencove), but the E-core (Crestmont) brings some
difference on the perf event list comparing with Gracemont. So apply
the changes for Crestmont core.
Dapeng Mi [Fri, 15 May 2026 06:11:36 +0000 (14:11 +0800)]
perf/x86/intel: Update event constraints and cache_extra_regsfor ADL
Update perf hard-coded event constraints and cache_extra_regs[] for
Alderlake according to the latest ADL perfmon events (V1.39).
One important note is that ADL has differences on the L3/node related
OCR events although it shares same uarch with SPR server, e.g.,
ADL has different extra MSR values and no node events. So some variants
of structures and functions are introduced to reflect these
differences, like adl_glc_hw_cache_event_ids[],
adl_glc_hw_cache_extra_regs[] and intel_pmu_init_glc_hybrid(), etc.
Please note these changes would temporarily impact other platforms like
MTL/ARL-U which shares hard-coded event structures, but it would be
fixed soon in subsequent patches.
Dapeng Mi [Fri, 15 May 2026 06:11:34 +0000 (14:11 +0800)]
perf/x86/intel: Update event constraints and cache_extra_regsfor SPR
Update perf hard-coded event constraints and cache_extra_regs[] for
Sapphire rapids according to the latest SPR perfmon events (v1.39).
Emerald Rapids (EMR) and Granite Rapids (GNR) share exactly same event
constraints and extra MSR values with SPR. No extra changes are needed
for EMR and GNR.
Please note the change could temporarily impact other platforms which
share the hard coded data structures, but it would be fixed in
subsequent patches soon.
Dapeng Mi [Fri, 15 May 2026 06:11:33 +0000 (14:11 +0800)]
perf/x86/intel: Update event constraints and cache_extra_regsfor ICX
Update perf hard-coded event constraints and cache_extra_regs[] for
Icelake server according to the latest ICX perfmon events (v1.30).
Since the value of cache extra registers differs with previous
generations, introduce new snc_hw_cache_extra_regs[] to represent the
value of extra registers on ICX.
Bart Van Assche [Fri, 8 May 2026 17:45:16 +0000 (10:45 -0700)]
locking/rtmutex: Annotate API and implementation
Enable context analysis for struct rt_mutex and annotate all functions that
accept a struct rt_mutex pointer. In the __rt_mutex_lock_common() callers,
instead of adding the __no_context_analysis annotation, emit a runtime
warning if the __rt_mutex_lock_common() return value is not zero and add an
__acquire() statement.
Alexandru Dadu [Wed, 13 May 2026 12:00:45 +0000 (15:00 +0300)]
drm/imagination: Add support for trace points
Add support for workload submission trace points.
Co-developed-by: Donald Robson <donald.robson@imgtec.com> Signed-off-by: Donald Robson <donald.robson@imgtec.com> Signed-off-by: Alexandru Dadu <alexandru.dadu@imgtec.com> Reviewed-by: Matt Coster <matt.coster@imgtec.com> Link: https://patch.msgid.link/20260513-b4-pvr-trace-points-v1-1-81222d1a4c99@imgtec.com Signed-off-by: Matt Coster <matt.coster@imgtec.com>
Anna Maniscalco [Thu, 7 May 2026 15:43:15 +0000 (17:43 +0200)]
iommu: arm-smmu-qcom: Ensure smmu is powered up in set_ttbr0_cfg
arm_smmu_write_context_bank() assumes it is being called with RPM
active, but it turns out that is not guaranteed in the path from
qcom_adreno_smmu_set_ttbr0_cfg(), so it's possible for the register
writes to get lost when configuring the context bank while the GPU is
idle, leading to page faults later.
Add the RPM calls here to make sure the SMMU is active before we touch
it.
Signed-off-by: Anna Maniscalco <anna.maniscalco2000@gmail.com> Reviewed-by: Rob Clark <rob.clark@oss.qualcomm.com> Reviewed-by: Robin Murphy <robin.murphy@arm.com> Signed-off-by: Will Deacon <will@kernel.org>
Brajesh Gupta [Tue, 19 May 2026 08:25:29 +0000 (13:55 +0530)]
drm/imagination: Access FW initialised state with READ/WRITE_ONCE
Update FW initialised state shared resource access with READ/WRITE_ONCE
to prevent following:
- Non-atomic access to variable in multi-thread/CPU case.
- Merge successive loads from the same variable.
Brajesh Gupta [Tue, 19 May 2026 08:25:28 +0000 (13:55 +0530)]
drm/imagination: Rename FW booted to FW initialised
Rename the variable from 'booted' to 'initialised' to align with the
driver's expectations and state, indicating that FW boot initialisation
is complete and the firmware is fully initialised.
K Prateek Nayak [Tue, 19 May 2026 05:14:23 +0000 (05:14 +0000)]
sched/topology: Allow multiple domains to claim sched_domain_shared
Recent optimizations of sd->shared assignment moved to allocating a
single instance of per-CPU sched_domain_shared objects per s_data.
Recent optimizations to select_idle_capacity() moved the sd->shared
assignments to "sd_asym" domain when ASYM_CPUCAPACITY is detected but
cache-aware scheduling mandates the presence of "sd_llc_shared" to
compute and cache per-LLC statistics.
Use an "alloc_flags" union in sched_domain_shared to claim a
sched_domain_shared object per sched_domain. Allocation starts searching
for an available / matching sched_domain_shared instance from the first
CPU of sched_domain_span(sd) (sd can be sd_llc, or sd_asym). If the
shared object is claimed by another domain, the instance corresponding
to next CPU in the domain span is explored until a matching / available
instance is found.
In case of a single CPU in sched_domain_span(), the domain will be
degenerated and a temporary overlap of ->shared objects across different
domains is acceptable.
"alloc_flags" forms a union with "nr_idle_scan" and the stale flags are
left as is when the sd->shared is published. The expectation is for the
first load balancing instance to correct the value just like the current
behavior, except the initial value is no longer 0.
Originally-by: Peter Zijlstra <peterz@infradead.org> Signed-off-by: K Prateek Nayak <kprateek.nayak@amd.com> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Tested-by: Andrea Righi <arighi@nvidia.com>
The retry count was initially set to 10, which with the 5 second
timeouts give 55 seconds to fail a message.
The IPMI spec specifies the 5 second timeout, and it specifies retries
for KCS but does not specify a number. 55 seconds is a long time, so
reduce retries to 2. It matches the default in the BT state machine.
This is 15 seconds, then, which is still a long time, but more
reasonable.
Migration testing in i915 assumes current task's address space
to allocate new userspace mapping and uses it without
registering real user for that address space in mm_struct.
On single NUMA node setups PCI probe executes in the same
context as userspace process calling the test (i915_selftest
from IGT), but when multiple nodes are available, the PCI code
puts probe into a kernel workqueue. This switches execution to
a kworker, which does not have its own address space in
userspace and must borrow such memory from another process, so
"current->active_mm" is unknown at the start of the test.
It was observed that mm->mm_users would occasionally be 0
or drop to 0 during the test due to short delay between
scheduling and executing work in forked process, which reaped
userspace mappings, further leading to failures upon reading
from userland memory.
Prevent this by adding a PID parameter to a trusted task, so its
mm_struct may be used if needed.
Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/14204 Signed-off-by: Krzysztof Karas <krzysztof.karas@intel.com> Reviewed-by: Michał Grzelak <michal.grzelak@intel.com> Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com> Reviewed-by: Sebastian Brzezinka <sebastian.brzezinka@intel.com> Reviewed-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com> Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com> Link: https://lore.kernel.org/r/20260508080214.1979686-2-krzysztof.karas@intel.com
Osama Abdelkader [Thu, 26 Mar 2026 22:57:52 +0000 (23:57 +0100)]
arm64: panic from init_IRQ if IRQ handler stacks cannot be allocated
init_irq_stacks() and init_irq_scs() may fail when arch_alloc_vmap_stack
or scs_alloc return NULL. Return -ENOMEM from both and call panic() once
from init_IRQ(), covering per-CPU IRQ stacks and shadow IRQ stacks
consistently.
Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com> Signed-off-by: Will Deacon <will@kernel.org>
Pengjie Zhang [Wed, 6 May 2026 09:08:51 +0000 (17:08 +0800)]
arm64: smp: Do not mark secondary CPUs possible under nosmp
Under nosmp (maxcpus=0), arm64 never brings up secondary CPUs.
smp_prepare_cpus() already treats this as a UP-mandated boot and returns
before marking secondary CPUs present. However, smp_init_cpus() may still
enumerate firmware-described secondary CPUs and mark them possible before
that point.
Avoid marking secondary CPUs possible when nosmp/maxcpus=0 is in effect,
so that cpu_possible_mask reflects the nosmp boot policy for this boot.
net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer
In mana_hwc_rx_event_handler(), resp->response.hwc_msg_id is read from
DMA-coherent memory and bounds-checked, then mana_hwc_handle_resp()
re-reads the same field from the same DMA buffer for test_bit() and
pointer arithmetic.
DMA-coherent memory is mapped uncacheable on x86 and is shared,
unencrypted, in Confidential VMs (SEV-SNP/TDX), so each load goes
directly to host-visible memory. A H/W can modify the value
between the check and the use, bypassing the bounds validation.
Fix this by reading hwc_msg_id exactly once using READ_ONCE() into a
stack-local variable in mana_hwc_rx_event_handler(), and passing the
validated value as a parameter to mana_hwc_handle_resp().
Lokanadha M R [Tue, 28 Apr 2026 09:43:50 +0000 (15:13 +0530)]
iommu/arm-smmu-qcom: Add glymur MDSS to ACTLR client table
Add qcom,glymur-mdss to the qcom_smmu_actlr_client_of_match[]
table to configure the SMMU-500 context bank for the display
subsystem (MDSS) on the Glymur platform.
The settings disable the next-page prefetcher while keeping
macro TLB caching enabled. Without this entry,
qcom_smmu_set_actlr_dev() finds no match for the glymur MDSS
device and leaves the context bank ACTLR at its reset value.
Signed-off-by: Lokanadha M R <lokanadha.r@oss.qualcomm.com> Reviewed-by: Pankaj Patil <pankaj.patil@oss.qualcomm.com> Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com> Signed-off-by: Will Deacon <will@kernel.org>
Robin Murphy [Fri, 1 May 2026 17:52:28 +0000 (18:52 +0100)]
arm64: errata: Reformat table for IDs
We have some inconsistency where multiple errata for the same component
share the same Kconfig workaround; some are one ID per line, some are
smooshed together, and some are entirely separate entries. Standardise
on the single entry, one ID per line format so that things render nice
and consistently in the HTML docs, and it's simple and clear to add new
IDs to existing workarounds without churning the table too much.
Acked-by: Catalin Marinas <catalin.marinas@arm.com> Signed-off-by: Robin Murphy <robin.murphy@arm.com> Tested-by: Randy Dunlap <rdunlap@infradead.org> Signed-off-by: Will Deacon <will@kernel.org>
Kevin Brodsky [Mon, 27 Apr 2026 12:03:37 +0000 (13:03 +0100)]
kselftest/arm64: Add tests for POR_EL0 save/reset/restore
POR_EL0 is expected to be:
- Saved in the poe_context record
- Reset to POR_EL0_INIT when invoking the signal handler
- Restored from poe_context when returning from the signal handler
Add a new test, poe_restore, to check that the save/reset/restore
mechanism is working as intended. See commit 2e8a1acea859 ("arm64:
signal: Improve POR_EL0 handling to avoid uaccess failures") for
more details.
This commit did not handle the case where poe_context is missing
correctly. This was recently fixed; add a new test,
poe_missing_poe_context, to check this case.
Note: td->pass is only set to true at the very end, as an unexpected
signal may occur in case of failure (especially in
poe_missing_poe_context if POR_EL0 is restored to an invalid value).
Failures are tracked with a global, failed_check.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com> Signed-off-by: Will Deacon <will@kernel.org>
Kevin Brodsky [Mon, 27 Apr 2026 12:03:34 +0000 (13:03 +0100)]
selftests/mm: Fix resv_sz when parsing arm64 signal frame
get_header() wants the size of the reserved area in struct
sigcontext, but instead we pass it the size of the entire struct.
This could in theory result in an out-of-bounds read (if the signal
frame is malformed).
Fix this using one of the existing macros from
tools/testing/selftests/arm64/signal/testcases/testcases.h.
This issue was reported by Sashiko on a patch that copied this
portion of the code.
Laurent Pinchart [Tue, 19 May 2026 08:22:53 +0000 (10:22 +0200)]
MAINTAINERS: Hand over phy-zynqmp to Tomi Valkeinen
I volunteered to maintain the phy-zynqmp driver as part of my work on
the ZynqMP DPSUB driver. Now that Tomi has taken over the DPSUB, it
makes sense for him to handle the phy-zynqmp driver as well.
Wenwen Wang [Sat, 5 May 2018 12:57:10 +0000 (07:57 -0500)]
i2c: smbus: fix a potential uninitialization bug
In i2c_smbus_xfer_emulated(), there are two buffers: msgbuf0 and
msgbuf1, which are used to save a series of messages, as mentioned in
the comment. According to the value of the variable 'size', msgbuf0 is
initialized to various values. In contrast, msgbuf1 is left
uninitialized until the function i2c_transfer() is invoked. However,
msgbuf1 is not always initialized on all possible execution paths
(implementation) of i2c_transfer(). Thus, it is possible that msgbuf1
may still be uninitialized even after the invocation of the function
i2c_transfer(), especially when the return value of i2c_transfer() is
not checked properly. In the following execution, the uninitialized
msgbuf1 will be used, such as for security checks. Since uninitialized
values can be random and arbitrary, this will cause undefined behaviors
or even check bypass. For example, it is expected that if the value of
'size' is I2C_SMBUS_BLOCK_PROC_CALL, the value of data->block[0] should
not be larger than I2C_SMBUS_BLOCK_MAX. This patch initializes the first
byte of msgbuf1 with 0 to avoid such undefined behaviors or security
issues.
Signed-off-by: Wenwen Wang <wang6495@umn.edu>
[wsa: reworded commit message a little] Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
platform/x86/amd: hfi: Support for ranking table versions
Add changes to support new ranking table version. Version 2 of the
heterogeneous ranking table provides static CPU rankings. Version 3 adds
dynamic ranking table support on newer AMD platforms. These changes ensure
that platforms still reporting version 2 continue to function with the
existing static ranking path, avoiding regressions on older hardware
that does not supply a dynamic ranking table.
Signed-off-by: Krishnamoorthi M <krishnamoorthi.m@amd.com> Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org> Reviewed-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com> Link: https://patch.msgid.link/20260507190926.1211726-1-krishnamoorthi.m@amd.com Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
dt-bindings: arm-smmu: qcom: Add Hawi compatible for Application processor
Commit 5e8323c3d528 ("dt-bindings: arm-smmu: qcom: Add compatible for
Hawi SoC") was intended for the APSS SMMU but was mistakenly placed
under the Adreno GPU SMMU section. Since that compatible is also valid
for the Hawi GPU SMMU, keep that commit as-is and add proper
documentation for the Hawi APSS SMMU here.
Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Signed-off-by: Will Deacon <will@kernel.org>
A batch of small, independent fixes for the MediaTek MT7530 family DSA
driver, addressing long-standing correctness issues that surface on
hardware with bridge VLAN filtering enabled, on link-local frame
reception, and during bridge join/leave transitions.
====================
Edward Parker [Thu, 14 May 2026 14:05:12 +0000 (15:05 +0100)]
net: dsa: mt7530: untag VLAN-aware bridge PVID
With bridge VLAN filtering enabled on a port configured as untagged
member of the bridge PVID, ingress untagged frames do not reach the
corresponding bridge VLAN upper interface (br-lan.<vid>). ARP and
similar traffic is visible on the physical port but not delivered
to the VLAN sub-interface.
The MT7530/MT7531 forwards frames to the CPU port with the user
port's PVID tag applied even when the frame ingressed untagged on
the wire, because the CPU port is set to MT7530_VLAN_EG_CONSISTENT
and is a tagged member of the VLAN entry created for the bridge
VLAN. The DSA core then sees a hwaccel-tagged frame whose VID
matches the port's PVID, which the bridge does not treat as the
untagged-on-the-wire frame that the user expects.
Set ds->untag_vlan_aware_bridge_pvid in the mt7530 and mt7531
setup paths so the DSA core strips that hwaccel tag in software
when the parsed VID matches the bridge port's PVID, restoring the
on-the-wire frame as the bridge expects to see it.
Daniel Golle [Thu, 14 May 2026 14:04:50 +0000 (15:04 +0100)]
net: dsa: mt7530: fix CPU port VLAN not being reset to unaware
After a VLAN-aware bridge is destroyed, creating any VLAN-unaware
bridge loses all connectivity. The VID 0 VLAN table entry used by
VLAN-unaware ports in FALLBACK mode gets corrupted during VLAN-aware
operation: mt7530_hw_vlan_add() overwrites its EG_CON flag with
VTAG_EN and bridge teardown removes ports from its PORT_MEM.
The cleanup code that should restore it never runs because the current
port's dp->vlan_filtering flag is still true when checked (DSA updates
it only after the driver callback returns). Even when restored, the
deferred VLAN deletion events from the switchdev workqueue can corrupt
VID 0 again after the restoration.
Skip the current port in the all_user_ports_removed check, call
mt7530_setup_vlan0() to restore the VID 0 entry, and protect VID 0
from being modified by bridge VLAN operations in port_vlan_add and
port_vlan_del since it is managed exclusively by mt7530_setup_vlan0().
Remove the CPU port PCR and PVC register writes which were clobbering
PORT_VLAN mode and VLAN_ATTR with wrong values.
Daniel Golle [Thu, 14 May 2026 14:04:35 +0000 (15:04 +0100)]
net: dsa: mt7530: preserve VLAN tags on trapped link-local frames
The BPC, RGAC1 and RGAC2 registers control the handling of link-local
frames with reserved MAC DAs (01:80:C2:00:00:0x). These frames are
correctly trapped to the CPU port, but the egress VLAN tag attribute was
set to MT7530_VLAN_EG_UNTAGGED which causes the switch to strip any
VLAN tags from trapped frames before they reach the CPU.
This causes VLAN-tagged link-local frames (STP BPDUs, LLDP, PTP Peer
Delay Requests) to arrive at the CPU without their VLAN tag, so they
are delivered to the base network interface instead of the VLAN
sub-interface. The DSA local_termination selftest confirms this: all
link-local protocol tests on VLAN upper interfaces fail.
Set the EG_TAG attribute to MT7530_VLAN_EG_DISABLED (system default)
so that the switch does not modify VLAN tags in trapped frames. This
way VLAN-tagged frames retain their original tag and are delivered to
the correct VLAN sub-interface, matching the behavior of non-trapped
frames which pass through without VLAN tag modification.
Daniel Golle [Thu, 14 May 2026 14:04:21 +0000 (15:04 +0100)]
net: dsa: mt7530: fix FDB entries not aging out with short timeout
The DSA forwarding selftests bridge_vlan_aware.sh and
bridge_vlan_unaware.sh configure the bridge with ageing_time set to
LOW_AGEING_TIME (1000 centiseconds, i.e. 10 seconds) and then run
learning_test() in lib.sh, which expects a learned FDB entry to be
removed after ageing_time + 10 seconds. On MT7530/MT7531 the entry
persisted past the deadline and the "Found FDB record when should
not" assertion failed.
With msecs=10000, the algorithm in mt7530_set_ageing_time() finds
AGE_CNT=0 and AGE_UNIT=9 as the first exact match (starting the
search from tmp_age_count=0). The per-entry aging counter is
initialized to AGE_CNT when a MAC address is learned, so with
AGE_CNT=0 new entries start with a counter value of 0, which the
hardware treats as "already aged" and never removes, effectively
disabling aging.
Fix this by starting the search from tmp_age_count=1 to ensure
entries always have a non-zero initial aging counter. For a
10-second ageing time this yields AGE_CNT=1 and AGE_UNIT=4 instead:
the timer ticks every 5 seconds and entries are removed after 2
ticks.
Starting the search at AGE_CNT=1 raises the minimum representable
ageing time from 1 to 2 seconds. Without bounds, a stale ageing_time
of 1 second would now make the loop fall through without setting
age_count and age_unit, leaving them uninitialized when written to
the MT7530_AAC hardware register. Set ds->ageing_time_min and
ds->ageing_time_max so the DSA core validates the range before the
callback is invoked, and drop the now-redundant range check from
mt7530_set_ageing_time().
Ioana Ciornei [Mon, 18 May 2026 14:20:26 +0000 (17:20 +0300)]
phy: ti: add PHY driver for TI DS125DF111 Dual-Channel Retimer
Add a generic PHY driver for the TI DS125DF111 Multi-Protocol
Dual-Channel Retimer. The driver currently supports only 10G and 1G link
speeds but it can easily extended to also cover other usecases.
Since the available datasheet (https://www.ti.com/lit/gpn/DS125DF111)
does not name the registers, the name for the macros were determined by
their usage pattern.
A PHY device is created for each of the two channels present on the
retimer. This allows for independent configuration of the two channels.
This capability is especially important on retimers which have more than
2 channels that can be, depending on the board design, connected in
multiple different ways to the SerDes lanes.
Various names for Qualcomm as a company are used in user-visible config
options: QCOM, Qualcomm and Qualcomm Technologies. Switch to unified
"Qualcomm" so it will be easier for users to identify the options when
for example running menuconfig.
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Signed-off-by: Will Deacon <will@kernel.org>
The PCIe SSC configuration for the RK3588 and RK3576 SoCs required
additional tuning which is missing. When adding these same SSC
configurations for both of these two SoCs, as well as upcoming
platforms, it's obvious the SSC setup code was largely duplicated
across the platform-specific configuration functions. This becomes
harder to maintain as more platforms are added.
So extract the common SSC logic into a shared helper function,
rk_combphy_common_cfg_ssc(). This cleans up the per-platform drivers
and centralizes the standard configuration as possible.
eillon [Wed, 25 Feb 2026 04:04:17 +0000 (12:04 +0800)]
arm64/sysreg: Add HDBSS related register information
The ARM architecture added the HDBSS feature and descriptions of
related registers (HDBSSBR/HDBSSPROD) in the DDI0601(ID121123) version,
add them to Linux.
kbuild: pacman-pkg: make "rc" releases adhere to pacman versioning scheme
The package versioning scheme does not enable smooth upgrades from "rc"
releases to the corresponding stable releases (e.g. 7.0.0-rc7 -> 7.0.0)
because pacman considers that a downgrade due to the underscore in
pkgver (e.g. 7.0.0_rc7), see e.g. vercmp(8) for an explanation of the
package version comparison used by pacman. Package versions which are
derived from said releases (e.g. built from git revisions) are
similarly affected. Fix this by modifying pkgver in order to remove the
hyphen from kernel versions containing "-rcN", where N is a
non-negative integer.
Acked-by: Thomas Weißschuh <linux@weissschuh.net> Signed-off-by: Viktor Jägersküpper <viktor_jaegerskuepper@freenet.de> Reviewed-by: Nathan Chancellor <nathan@kernel.org> Tested-by: Nathan Chancellor <nathan@kernel.org> Link: https://patch.msgid.link/20260515215913.92481-1-viktor_jaegerskuepper@freenet.de Fixes: c8578539deba ("kbuild: add script and target to generate pacman package") Signed-off-by: Nicolas Schier <nsc@kernel.org>
This pattern is unbounded and silently corrupts the stack when the
formatted output exceeds the destination size. Two functions in this
file are realistically reachable with input that overflows their
buffer:
1. do_input_entry() appends across nine bitmap classes
(evbit/keybit/relbit/absbit/mscbit/ledbit/sndbit/ffbit/swbit). The
keybit case alone scans bits from INPUT_DEVICE_ID_KEY_MIN_INTERESTING
(0x71) to INPUT_DEVICE_ID_KEY_MAX (0x2ff), 655 iterations; if a
MODULE_DEVICE_TABLE(input, ...) populates keybit[] densely, the
emission reaches ~3132 bytes — overflowing the 256-byte buffer by
about 12x. include/linux/mod_devicetable.h declares storage for the
full bit range ("keybit[INPUT_DEVICE_ID_KEY_MAX / BITS_PER_LONG + 1]"),
so the worst case is reachable per the ABI.
2. do_dmi_entry() emits one ":<prefix>*<filtered_substr>*" segment per
matched DMI field, up to 4 matches per dmi_system_id. Each substr
is sized as char[79] in struct dmi_strmatch (mod_devicetable.h:584),
and dmi_ascii_filter() copies it verbatim into the alias buffer
without bounds. Worst case: 4 × (1 + 3 + 1 + 79 + 1) = 336 bytes
into alias[256], an 80-byte overflow.
No driver in the current tree triggers either case — every in-tree
INPUT_DEVICE_ID_MATCH_KEYBIT user populates keybit[] very sparsely
(1-3 bits), and no in-tree dmi_system_id has four maximally-long
matches. The concern is defense-in-depth: both unbounded sprintf
chains are silent stack-corruption primitives in a host build tool,
and the buffer sizes have not been revisited since the corresponding
code was first introduced.
The other do_*_entry() handlers in this file (do_usb_entry,
do_cpu_entry, do_typec_entry, ...) were audited and are bounded by
their input field sizes (uint16 IDs, fixed-length keys); their alias
buffers do not need this treatment.
Reproduced under AddressSanitizer with a stand-alone harness mirroring
do_input on a fully-populated keybit:
==18319==ERROR: AddressSanitizer: stack-buffer-overflow
WRITE of size 2 at offset 288 in frame [32, 288) 'alias'
#6 do_input poc.c:44
Stack-canary build:
Abort trap: 6 (strlen(alias)=3134, cap was 256-1)
Add a small alias_append() helper around vsnprintf with a remaining-
space check and call fatal() on overflow, matching the modpost style
for unrecoverable build conditions. do_input() takes the buffer size
as a new parameter; do_input_entry() and do_dmi_entry() pass
sizeof(alias) at every call site. dmi_ascii_filter() takes the
remaining buffer size as well and aborts on truncation. This bounds
every write into the on-stack buffers and turns the latent overflow
into a clean build error if it is ever reached.
Fixes: 1d8f430c15b3 ("[PATCH] Input: add modalias support") Reviewed-by: Randy Dunlap <rdunlap@infradead.org> Tested-by: Randy Dunlap <rdunlap@infradead.org> Signed-off-by: Hasan Basbunar <basbunarhasan@gmail.com> Link: https://patch.msgid.link/20260505161102.44087-1-basbunarhasan@gmail.com Signed-off-by: Nicolas Schier <nsc@kernel.org>
usb: typec: ucsi: validate connector number in ucsi_connector_change()
The connector number in a UCSI CCI notification is a 7-bit field
supplied by the PPM. ucsi_connector_change() uses it to index the
ucsi->connector[] array without checking it against the number of
connectors the PPM reported at init time, so a buggy or malicious PPM
(EC firmware, or an I2C-attached UCSI controller on the ccg / stm32g0 /
glink transports) can drive schedule_work() on memory past the end of
the array.
Reject connector numbers that are zero or exceed cap.num_connectors
before dereferencing the array.
Assisted-by: gkh_clanker_t1000 Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com> Cc: Benson Leung <bleung@chromium.org> Cc: Jameson Thies <jthies@google.com> Cc: Nathan Rebello <nathan.c.rebello@gmail.com> Cc: Johan Hovold <johan@kernel.org> Cc: Pooja Katiyar <pooja.katiyar@intel.com> Cc: Hsin-Te Yuan <yuanhsinte@chromium.org> Cc: Abel Vesa <abelvesa@kernel.org> Cc: stable <stable@kernel.org> Reviewed-by: Abel Vesa <abel.vesa@oss.qualcomm.com> Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> Reviewed-by: Benson Leung <bleung@chromium.org> Link: https://patch.msgid.link/2026051351-truck-steadfast-df48@gregkh Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO
ucsi_displayport_vdm() handles a DP_CMD_CONFIGURE by copying the first
payload VDO from data[], but unlike the equivalent handler in
altmodes/displayport.c it does not check that count covers a VDO beyond
the header. A header-only Configure VDM (count == 1) would read one u32
past the caller's array.
In the normal UCSI path the caller controls count, so this is hardening
for non-standard delivery paths. NAK and bail when no configuration VDO
is present, matching the generic DP altmode driver's existing guard.
usb: typec: tcpm: bound altmode_desc[] per iteration in svdm_consume_modes()
svdm_consume_modes() checks pmdata->altmodes against the array size once
before the loop over the count, but forgot to check the bound at every
point in the loop.
In the well-behaved SVDM discovery flow this is harmless because each of
at most SVID_DISCOVERY_MAX SVIDs contributes at most MODE_DISCOVERY_MAX
modes, exactly filling altmode_desc[ALTMODE_DISCOVERY_MAX]. But the
CMDT_RSP_ACK handler in tcpm_pd_svdm() does not correlate an incoming
ACK with any request the port actually sent. Once port->partner is set,
an unsolicited Discover Modes ACK is consumed unconditionally. A broken
or malicious port partner can therefore drive altmodes to
ALTMODE_DISCOVERY_MAX - 1 via the normal flow, and then send one extra
Discover Modes ACK with seven VDOs. Because the pre-loop check passes,
the loop could then writes up to five entries past altmode_desc[]. For
mode_data_prime the next field in struct tcpm_port is the
partner_altmode[] pointer array, which then receives partner-chosen
SVID/VDO bytes.
Move the bound check inside the loop so the array can never be indexed
past ALTMODE_DISCOVERY_MAX regardless of how many VDOs the partner
supplies or how the function was reached.
Properly validate the count passed from a device when calling
svdm_consume_identity() or svdm_consume_identity_sop_prime() as the
device-controlled value could index off of the static arrays, which
could leak data.
usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT
A broken/malicious port can transmit a CRC-valid frame whose header
advertises up to seven data objects but whose body carries fewer than
that. Check for this, and rightfully reject the message, instead of
reading from uninitialized stack memory.
usb: typec: altmodes/displayport: validate count before reading Status Update VDO
A broken/malicious device can send the incorrect count for a status
update VDO, which will cause the kernel to read uninitialized stack data
and send it off elsewhere.
Fix this up by correctly verifying the count for the update object.
usb: typec: wcove: don't write past struct pd_message in wcove_read_rx_buffer()
wcove_read_rx_buffer() copies the PD RX FIFO into the caller's
struct pd_message with
for (i = 0; i < USBC_RXINFO_RXBYTES(info); i++)
regmap_read(wcove->regmap, USBC_RX_DATA + i, msg + i);
which has two problems:
USBC_RXINFO_RXBYTES() is a 5-bit field (max 31) while struct pd_message
is 30 bytes (__le16 header + __le32 payload[PD_MAX_PAYLOAD], packed).
The byte count latched in RXINFO is the number of bytes the port partner
put on the wire, so a malicious partner that transmits a 31-byte frame
can drive the loop one byte past the destination if the WCOVE BMC
receiver does not enforce the PD object-count limit in hardware. The
existing FIXME flagged this as unverified.
Independently, regmap_read() takes an unsigned int * and stores a full
unsigned int at the destination. Passing the byte pointer msg + i means
each iteration writes four bytes; the high three are zero (val_bits is
8) and are normally overwritten by the next iteration, but the final
iteration's high bytes are not. With RXBYTES == 30 the i == 29 iteration
already writes three zero bytes past msg, which sits on the IRQ thread's
stack in wcove_typec_irq().
Clamp the loop to sizeof(struct pd_message) and read each register into
a local before storing only its low byte, so the copy can never exceed
the destination regardless of what RXINFO reports.
Merge tag 'thunderbolt-for-v7.1-rc5' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/westeri/thunderbolt into usb-linus
Mika writes:
thunderbolt: Fixes for v7.1-rc5
This includes three patches that harden the XDomain property parser
against possible malicious hosts.
All these have been in linux-next with no reported issues.
* tag 'thunderbolt-for-v7.1-rc5' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/westeri/thunderbolt:
thunderbolt: property: Cap recursion depth in __tb_property_parse_dir()
thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow
thunderbolt: property: Reject u32 wrap in tb_property_entry_valid()
projects / thirdparty / kernel / linux.git / log
