aboutsummaryrefslogtreecommitdiffstatshomepage
path: root/drivers
AgeCommit message (Collapse)AuthorFilesLines
2026-04-09spi: atcspi200: enable compile testingJohan Hovold1-1/+1
There seems to be nothing preventing this driver from being compile tested so enable that for wider build coverage. Signed-off-by: Johan Hovold <johan@kernel.org> Link: https://patch.msgid.link/20260409145618.466701-1-johan@kernel.org Signed-off-by: Mark Brown <broonie@kernel.org>
2026-04-09PCI: sg2042: Avoid L0s and L1 on Sophgo 2042 PCIe Root PortsYao Zi1-0/+2
Since commit f3ac2ff14834 ("PCI/ASPM: Enable all ClockPM and ASPM states for devicetree platforms") force enables ASPM on all device tree platforms, the SG2042 Root Ports are breaking as they advertise L0s and L1 capabilities without supporting them. Set ASPM quirks to disable the L0s and L1 capabilities for the Root Ports so that these broken link states won't be enabled. Fixes: 4e27aca4881a ("riscv: sophgo: dts: add PCIe controllers for SG2042") Co-developed-by: Inochi Amaoto <inochiama@gmail.com> Signed-off-by: Inochi Amaoto <inochiama@gmail.com> Signed-off-by: Yao Zi <me@ziyao.cc> [mani: commit log] Signed-off-by: Manivannan Sadhasivam <mani@kernel.org> Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Tested-by: Han Gao <gaohan@iscas.ac.cn> Tested-by: Chen Wang <unicorn_wang@outlook.com> # Pioneerbox Reviewed-by: Chen Wang <unicorn_wang@outlook.com> Link: https://patch.msgid.link/20260405154154.46829-3-me@ziyao.cc
2026-04-09PCI: cadence: Add flags for disabling ASPM capability for broken Root PortsYao Zi2-0/+26
Add flags for disabling the ASPM L0s/L1 capability for broken Root Ports by clearing the corresponding bits in Link Capabilities Register through the local management bus. This allows ASPM to be disabled on platforms which don't support it. Signed-off-by: Yao Zi <me@ziyao.cc> Signed-off-by: Manivannan Sadhasivam <mani@kernel.org> Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Tested-by: Han Gao <gaohan@iscas.ac.cn> Tested-by: Chen Wang <unicorn_wang@outlook.com> # Pioneerbox Reviewed-by: Chen Wang <unicorn_wang@outlook.com> Link: https://patch.msgid.link/20260405154154.46829-2-me@ziyao.cc
2026-04-09Merge tag 'efi-fixes-for-v7.0-4' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efiLinus Torvalds1-1/+1
Pull EFI fix from Ard Biesheuvel: "Fix an incorrect preprocessor conditional that may result in duplicate instances of sysfb_primary_display on x86" * tag 'efi-fixes-for-v7.0-4' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi: firmware: efi: Never declare sysfb_primary_display on x86
2026-04-09Merge tag 'mmc-v7.0-rc1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmcLinus Torvalds1-7/+12
Pull MMC fixes from Ulf Hansson: - vub300: Fix use-after-free and NULL-deref on disconnect * tag 'mmc-v7.0-rc1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc: mmc: vub300: fix use-after-free on disconnect mmc: vub300: fix NULL-deref on disconnect
2026-04-09Merge tag 'pmdomain-v7.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pmLinus Torvalds2-11/+4
Pull pmdomain fixes from Ulf Hansson: - imx: Prevent hang at power down for imx8mp-blk-ctrl - thead: Fix buffer overflow for TH1520 AON driver - Change Ulf Hansson's email * tag 'pmdomain-v7.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm: MAINTAINERS, mailmap: Change Ulf Hansson's email pmdomain: imx8mp-blk-ctrl: Keep the NOC_HDCP clock enabled firmware: thead: Fix buffer overflow and use standard endian macros
2026-04-09thermal: intel: switch cpumask_get() to using cpumask_print_to_pagebuf()Yury Norov1-2/+1
The function opencodes cpumask_print_to_pagebuf() with more generic bitmap_print_to_pagebuf(). Switch to using the proper API. Signed-off-by: Yury Norov <ynorov@nvidia.com>
2026-04-09coresight: don't use bitmap_print_to_pagebuf()Yury Norov1-18/+14
Switch the driver to using the proper sysfs_emit("%*pbl") where appropriate. Suggested-by: Thomas Weißschuh <linux@weissschuh.net> Signed-off-by: Yury Norov <ynorov@nvidia.com>
2026-04-09drm/xe: switch xe_pagefault_queue_init() to using bitmap_weighted_or()Yury Norov1-2/+1
The function calls bitmap_or() immediately followed by bitmap_weight(). Switch to using the dedicated bitmap_weighted_or() and save one bitmap traverse. Reviewed-by: Matthew Brost <matthew.brost@intel.com> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com> Reviewed-by: Jacob Keller <jacob.e.keller@intel.com> Signed-off-by: Yury Norov <ynorov@nvidia.com>
2026-04-09ice: use bitmap_empty() in ice_vf_has_no_qs_enaYury Norov1-2/+2
bitmap_empty() is more verbose and efficient, as it stops traversing {r,t}xq_ena as soon as the 1st set bit found. Tested-by: Rafal Romanowski <rafal.romanowski@intel.com> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com> Reviewed-by: Jacob Keller <jacob.e.keller@intel.com> Signed-off-by: Yury Norov <ynorov@nvidia.com>
2026-04-09ice: use bitmap_weighted_xor() in ice_find_free_recp_res_idx()Yury Norov1-3/+1
Use the right helper and save one bitmaps traverse. Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com> Reviewed-by: Jacob Keller <jacob.e.keller@intel.com> Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel) Signed-off-by: Yury Norov <ynorov@nvidia.com>
2026-04-09HID: logitech-hidpp: fix race condition when accessing stale stack pointerBenoît Sevens1-7/+17
The driver uses hidpp->send_receive_buf to point to a stack-allocated buffer in the synchronous command path (__do_hidpp_send_message_sync). However, this pointer is not cleared when the function returns. If an event is processed (e.g. by a different thread) while the send_mutex is held by a new command, but before that command has updated send_receive_buf, the handler (hidpp_raw_hidpp_event) will observe that the mutex is locked and dereference the stale pointer. This results in an out-of-bounds access on a different thread's kernel stack (or a NULL pointer dereference on the very first command). Fix this by: 1. Clearing hidpp->send_receive_buf to NULL before releasing the mutex in the synchronous command path. 2. Moving the assignment of the local 'question' and 'answer' pointers inside the mutex_is_locked() block in the handler, and adding a NULL check before dereferencing. Signed-off-by: Benoît Sevens <bsevens@google.com> Signed-off-by: Jiri Kosina <jkosina@suse.com>
2026-04-09i2c: spacemit: introduce pio for k1Troy Mitchell1-70/+226
This patch introduces I2C PIO functionality for the Spacemit K1 SoC, enabling the use of I2C in atomic context. When i2c xfer_atomic is invoked, use_pio is set accordingly. Since an atomic context is required, all interrupts are disabled when operating in PIO mode. Even with interrupts disabled, the bits in the ISR (Interrupt Status Register) will still be set, so error handling can be performed by polling the relevant status bits in the ISR. Signed-off-by: Troy Mitchell <troy.mitchell@linux.spacemit.com> Tested-by: Aurelien Jarno <aurelien@aurel32.net> Reviewed-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Andi Shyti <andi.shyti@kernel.org> Link: https://lore.kernel.org/r/20260207-b4-k3-i2c-pio-v7-2-626942d94d91@linux.spacemit.com
2026-04-09i2c: spacemit: move i2c_xfer_msg()Troy Mitchell1-31/+31
The upcoming PIO support requires a wait_pio_xfer() helper, which is invoked from xfer_msg(). Since wait_pio_xfer() depends on err_check(), move the definition of xfer_msg() after err_check() to avoid a forward declaration of err_check(). Reviewed-by: Aurelien Jarno <aurelien@aurel32.net> Reviewed-by: Alex Elder <elder@riscstar.com> Signed-off-by: Troy Mitchell <troy.mitchell@linux.spacemit.com> Tested-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Andi Shyti <andi.shyti@kernel.org> Link: https://lore.kernel.org/r/20260207-b4-k3-i2c-pio-v7-1-626942d94d91@linux.spacemit.com
2026-04-09can: ucan: fix devres lifetimeJohan Hovold1-1/+1
USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes). Fix the control message buffer lifetime so that it is released on driver unbind. Fixes: 9f2d3eae88d2 ("can: ucan: add driver for Theobroma Systems UCAN devices") Cc: stable@vger.kernel.org # 4.19 Cc: Jakob Unterwurzacher <jakob.unterwurzacher@theobroma-systems.com> Signed-off-by: Johan Hovold <johan@kernel.org> Link: https://patch.msgid.link/20260327104520.1310158-1-johan@kernel.org Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2026-04-09HID: winwing: Enable rumble effectsIvan Gorinov1-14/+182
Enable rumble motor control on TGRIP-15E and TGRIP-15EX throttle grips by sending haptic feedback commands (EV_FF events) to the input device. Signed-off-by: Ivan Gorinov <linux-kernel@altimeter.info> Signed-off-by: Jiri Kosina <jkosina@suse.com>
2026-04-09HID: core: do not allow parsing 0-sized reportsDmitry Torokhov1-0/+5
Commit d7db259bd6df ("HID: core: factor out hid_parse_collections()") reworked collection parsing code and inadvertently allowed returning "success" when parsing 0-sized reports where old code returned -EINVAL. Restore the original behavior by doing an explicit check. Note that the error message now differs from the generic "item fetching failed at offset %u/%u" that is now used only for non-empty descriptors. Fixes: d7db259bd6df ("HID: core: factor out hid_parse_collections()") Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Jiri Kosina <jkosina@suse.com>
2026-04-09HID: usbhid: refactor endpoint lookupJohan Hovold1-5/+3
Use the common USB helper for looking up interrupt-in endpoints instead of open coding. Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Jiri Kosina <jkosina@suse.com>
2026-04-09HID: huawei: fix CD30 keyboard report descriptor issueMiao Li4-0/+93
When the Huawei CD30 USB keyboard undergoes 500 reboot cycles, initialization may fail due to a report descriptor problem. The error log is as follows: [pid:175,cpu0,kworker/0:1,6]usb 1-1.2.2: new low-speed USB device number 6 using xhci-hcd [pid:175,cpu0,kworker/0:1,9]usb 1-1.2.2: New USB device found, idVendor=12d1, idProduct=109b, bcdDevice= 1.03 [pid:175,cpu0,kworker/0:1,0]usb 1-1.2.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0 [pid:175,cpu0,kworker/0:1,1]usb 1-1.2.2: Product: HUAWEI USB Wired Keyboard [pid:175,cpu0,kworker/0:1,2]usb 1-1.2.2: Manufacturer: HUAWEI [pid:175,cpu0,kworker/0:1,4]input: HUAWEI HUAWEI USB Wired Keyboard as /devices/platform/efc00000.hisi_usb/efc00000.dwc3/xhci-hcd.1.auto/usb1/1-1/1-1.2/1-1.2.2/1-1.2.2:1.0/0003:12D1:109B.0002/input/input6 [pid:175,cpu0,kworker/0:1,5]hid-generic 0003:12D1:109B.0002: input,hidraw1: USB HID v1.10 Keyboard [HUAWEI HUAWEI USB Wired Keyboard] on usb-xhci-hcd.1.auto-1.2.2/input0 [pid:175,cpu0,kworker/0:1,9]hid-generic 0003:12D1:109B.0003: collection stack underflow [pid:175,cpu0,kworker/0:1,0]hid-generic 0003:12D1:109B.0003: item 0 0 0 12 parsing failed [pid:175,cpu0,kworker/0:1,1]hid-generic: probe of 0003:12D1:109B.0003 failed with error -22 ... When encountering such a situation, fix it with the correct report descriptor. Signed-off-by: Miao Li <limiao@kylinos.cn> Signed-off-by: Jiri Kosina <jkosina@suse.com>
2026-04-09HID: playstation: validate num_touch_reports in DualShock 4 reportsBenoît Sevens1-0/+12
The DualShock 4 HID driver fails to validate the num_touch_reports field received from the device in both USB and Bluetooth input reports. A malicious device could set this field to a value larger than the allocated size of the touch_reports array (3 for USB, 4 for Bluetooth), leading to an out-of-bounds read in dualshock4_parse_report(). This can result in kernel memory disclosure when processing malicious HID reports. Validate num_touch_reports against the array size for the respective connection types before processing the touch data. Signed-off-by: Benoît Sevens <bsevens@google.com> Signed-off-by: Jiri Kosina <jkosina@suse.com>
2026-04-09HID: drop 'default !EXPERT' from tristate symbolsThomas Weißschuh1-13/+0
There is no reason to build random drivers for obscure hardware into the core kernel by default. The usages of 'default !EXPERT' for the HID_PICOLCD suboptions are kept, as these make some sense, although they probably should use 'default y'. Signed-off-by: Thomas Weißschuh <linux@weissschuh.net> Signed-off-by: Jiri Kosina <jkosina@suse.com>
2026-04-09mmc: sdhci-of-dwcmshc: Disable clock before DLL configurationShawn Lin1-3/+16
According to the ASIC design recommendations, the clock must be disabled before operating the DLL to prevent glitches that could affect the internal digital logic. In extreme cases, failing to do so may cause the controller to malfunction completely. Adds a step to disable the clock before DLL configuration and re-enables it at the end. Fixes: 08f3dff799d4 ("mmc: sdhci-of-dwcmshc: add rockchip platform support") Cc: stable@vger.kernel.org Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com> Acked-by: Adrian Hunter <adrian.hunter@intel.com> Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
2026-04-09mmc: core: Simplify with scoped for each OF child loopHans Zhang1-7/+2
Use scoped for-each loop when iterating over device nodes to simplify the code, but also to ensure the device node reference is automatically released when the loop scope ends. Signed-off-by: Hans Zhang <18255117159@163.com> Reviewed-by: Shawn Lin <shawn.lin@linux.dev> Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
2026-04-09mmc: core: Optimize size of struct mmc_queue_reqBin Liu1-3/+3
ioc_count won't be more than MMC_IOC_MAX_CMDS (255), retries won't be more than MMC_NO_RETRIES (6), flags is newly introduced and uses only 1 bit. Therefore let's change them all to become u8. Signed-off-by: Bin Liu <b-liu@ti.com> Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
2026-04-09HID: usbhid: fix deadlock in hid_post_reset()Oliver Neukum1-1/+1
You can build a USB device that includes a HID component and a storage or UAS component. The components can be reset only together. That means that hid_pre_reset() and hid_post_reset() are in the block IO error handling. Hence no memory allocation used in them may do block IO because the IO can deadlock on the mutex held while resetting a device and calling the interface drivers. Use GFP_NOIO for all allocations in them. Fixes: dc3c78e434690 ("HID: usbhid: Check HID report descriptor contents after device reset") Signed-off-by: Oliver Neukum <oneukum@suse.com> Signed-off-by: Jiri Kosina <jkosina@suse.com>
2026-04-09RDMA/ionic: bound node_desc sysfs read with %.64sKai Zen1-1/+1
node_desc[64] in struct ib_device is not guaranteed to be NUL- terminated. The core IB sysfs handler uses "%.64s" for exactly this reason (drivers/infiniband/core/sysfs.c:1307), since node_desc_store() performs a raw memcpy of up to IB_DEVICE_NODE_DESC_MAX bytes with no NUL termination: memcpy(desc.node_desc, buf, min_t(int, count, IB_DEVICE_NODE_DESC_MAX)); If exactly 64 bytes are written via the node_desc sysfs file, the array contains no NUL byte. The ionic hca_type_show() handler uses unbounded "%s" and will read past the end of node_desc into adjacent fields of struct ib_device until it encounters a NUL. ionic supports IB_DEVICE_MODIFY_NODE_DESC, so this is triggerable by userspace. Match the core handler and bound the format specifier. Cc: stable@vger.kernel.org Fixes: 2075bbe8ef03 ("RDMA/ionic: Register device ops for miscellaneous functionality") Link: https://patch.msgid.link/r/CALynFi7NAbhDCt1tdaDbf6TnLvAqbaHa6-Wqf6OkzREbA_PAfg@mail.gmail.com Signed-off-by: Kai Aizen <kai.aizen.dev@gmail.com> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
2026-04-09HID: apple: ensure the keyboard backlight is off if suspendingAditya Garg1-0/+2
Some users reported that upon suspending their keyboard backlight remained on. Fix this by adding the missing LED_CORE_SUSPENDRESUME flag. Cc: stable@vger.kernel.org Fixes: 394ba612f941 ("HID: apple: Add support for magic keyboard backlight on T2 Macs") Fixes: 9018eacbe623 ("HID: apple: Add support for keyboard backlight on certain T2 Macs.") Reported-by: André Eikmeyer <andre.eikmeyer@gmail.com> Tested-by: André Eikmeyer <andre.eikmeyer@gmail.com> Signed-off-by: Aditya Garg <gargaditya08@live.com> Signed-off-by: Jiri Kosina <jkosina@suse.com>
2026-04-09HID: quirks: Set ALWAYS_POLL for LOGITECH_BOLT_RECEIVERNícolas F. R. A. Prado1-0/+1
The Logitech Bolt receiver once connected to a wireless device will generate data on interface 2. If this data isn't polled, when the USB port it is connected to gets suspended (and if that happens within 5 minutes of the last input from the wireless device), it will trigger a remote wakeup 3 seconds later, which will result in a spurious system wakeup if the port was suspended as part of system sleep. Set the ALWAYS_POLL quirk for this device to ensure interface 2 is always polled and this spurious wakeup never happens. With this change in place the system can be suspended with the receiver plugged in and the system can be woken up when an input is sent from the wireless device. Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com> Signed-off-by: Jiri Kosina <jkosina@suse.com>
2026-04-09Merge tag 'net-7.0-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/netLinus Torvalds29-71/+183
Pull networking fixes from Paolo Abeni: "Including fixes from netfilter, IPsec and wireless. This is again considerably bigger than the old average. No known outstanding regressions. Current release - regressions: - net: increase IP_TUNNEL_RECURSION_LIMIT to 5 - eth: ice: fix PTP timestamping broken by SyncE code on E825C Current release - new code bugs: - eth: stmmac: dwmac-motorcomm: fix eFUSE MAC address read failure Previous releases - regressions: - core: fix cross-cache free of KFENCE-allocated skb head - sched: act_csum: validate nested VLAN headers - rxrpc: fix call removal to use RCU safe deletion - xfrm: - wait for RCU readers during policy netns exit - fix refcount leak in xfrm_migrate_policy_find - wifi: rt2x00usb: fix devres lifetime - mptcp: fix slab-use-after-free in __inet_lookup_established - ipvs: fix NULL deref in ip_vs_add_service error path - eth: - airoha: fix memory leak in airoha_qdma_rx_process() - lan966x: fix use-after-free and leak in lan966x_fdma_reload() Previous releases - always broken: - ipv6: ioam: fix potential NULL dereferences in __ioam6_fill_trace_data() - ipv4: nexthop: avoid duplicate NHA_HW_STATS_ENABLE on nexthop group dump - bridge: guard local VLAN-0 FDB helpers against NULL vlan group - xsk: tailroom reservation and MTU validation - rxrpc: - fix to request an ack if window is limited - fix RESPONSE authenticator parser OOB read - netfilter: nft_ct: fix use-after-free in timeout object destroy - batman-adv: hold claim backbone gateways by reference - eth: - stmmac: fix PTP ref clock for Tegra234 - idpf: fix PREEMPT_RT raw/bh spinlock nesting for async VC handling - ipa: fix GENERIC_CMD register field masks for IPA v5.0+" * tag 'net-7.0-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (104 commits) net: lan966x: fix use-after-free and leak in lan966x_fdma_reload() net: lan966x: fix page pool leak in error paths net: lan966x: fix page_pool error handling in lan966x_fdma_rx_alloc_page_pool() nfc: pn533: allocate rx skb before consuming bytes l2tp: Drop large packets with UDP encap net: ipa: fix event ring index not programmed for IPA v5.0+ net: ipa: fix GENERIC_CMD register field masks for IPA v5.0+ MAINTAINERS: Add Prashanth as additional maintainer for amd-xgbe driver devlink: Fix incorrect skb socket family dumping af_unix: read UNIX_DIAG_VFS data under unix_state_lock Revert "mptcp: add needs_id for netlink appending addr" mptcp: fix slab-use-after-free in __inet_lookup_established net: txgbe: leave space for null terminators on property_entry net: ioam6: fix OOB and missing lock rxrpc: proc: size address buffers for %pISpc output rxrpc: only handle RESPONSE during service challenge rxrpc: Fix buffer overread in rxgk_do_verify_authenticator() rxrpc: Fix leak of rxgk context in rxgk_verify_response() rxrpc: Fix integer overflow in rxgk_verify_response() rxrpc: Fix missing error checks for rxkad encryption/decryption failure ...
2026-04-09HID: alps: fix NULL pointer dereference in alps_raw_event()Greg Kroah-Hartman1-0/+3
Commit ecfa6f34492c ("HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them") attempted to fix up the HID drivers that had missed the previous fix that was done in 2ff5baa9b527 ("HID: appleir: Fix potential NULL dereference at raw event handle"), but the alps driver was missed. Fix this up by properly checking in the hid-alps driver that it had been claimed correctly before attempting to process the raw event. Fixes: 73196ebe134d ("HID: alps: add support for Alps T4 Touchpad device") Cc: stable <stable@kernel.org> Cc: Jiri Kosina <jikos@kernel.org> Cc: Benjamin Tissoires <bentiss@kernel.org> Cc: Masaki Ota <masaki.ota@jp.alps.com> Cc: linux-input@vger.kernel.org Assisted-by: gregkh_clanker_t1000 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Jiri Kosina <jkosina@suse.com>
2026-04-09Merge tag 'iommu-fixes-v7.0-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/iommu/linuxLinus Torvalds1-0/+6
Pull IOMMU fix from Will Deacon: - Fix regression introduced by the empty MMU gather fix in -rc7, where the ->iotlb_sync() callback can be elided incorrectly, resulting in boot failures (hangs), crashes and potential memory corruption. * tag 'iommu-fixes-v7.0-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/iommu/linux: iommu: Ensure .iotlb_sync is called correctly
2026-04-09HID: logitech-dj: Prevent REPORT_ID_DJ_SHORT related user initiated OOB writeLee Jones1-0/+10
logi_dj_recv_send_report() assumes that all incoming REPORT_ID_DJ_SHORT reports are 14 Bytes (DJREPORT_SHORT_LENGTH - 1) long. It uses that assumption to load the associated field's 'value' array with 14 Bytes of data. However, if a malicious user only sends say 1 Byte of data, 'report_count' will be 1 and only 1 Byte of memory will be allocated to the 'value' Byte array. When we come to populate 'value[1-13]' we will experience an OOB write. Signed-off-by: Lee Jones <lee@kernel.org> Signed-off-by: Jiri Kosina <jkosina@suse.com>
2026-04-09HID: logitech-dj: Standardise hid_report_enum variable nomenclatureLee Jones1-6/+6
Since we will need to differentiate between the two report_enum types soon, let's unify the naming conventions now to save confusion and/or unnecessary/unrelated changes in upcoming commits. {input,output}_report_enum is used in other places to let's conform. Signed-off-by: Lee Jones <lee@kernel.org> Signed-off-by: Jiri Kosina <jkosina@suse.com>
2026-04-09Merge tag 'platform-drivers-x86-v7.0-4' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86Linus Torvalds4-3/+106
Pull x86 platform drivers fixes from Ilpo Järvinen: - amd/pmc: Add Thinkpad L14 Gen3 to quirk_s2idle_bug - asus-armoury: Add support for FA607NU, GU605MU, and GV302XU. - intel-uncore-freq: Handle autonomous UFS status bit - ISST: Handle cases with less than max buckets correctly - intel-uncore-freq & ISST: Mark minor version 3 supported (no additional driver changes required) * tag 'platform-drivers-x86-v7.0-4' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86: platform/x86: asus-armoury: add support for GU605MU platform/x86: asus-armoury: add support for FA607NU platform/x86: asus-armoury: add support for GV302XU platform/x86/amd: pmc: Add Thinkpad L14 Gen3 to quirk_s2idle_bug platform/x86/intel-uncore-freq: Increase minor version platform/x86: ISST: Increase minor version platform/x86/intel-uncore-freq: Handle autonomous UFS status bit platform/x86: ISST: Reset core count to 0
2026-04-09HID: sony: update module descriptionRosalie Wanders2-7/+9
This commit updates the hid-sony module description to make it correct with the recent hid-sony changes alongside making it more consistent. Signed-off-by: Rosalie Wanders <rosalie@mailbox.org> Signed-off-by: Jiri Kosina <jkosina@suse.com>
2026-04-09HID: logitech-hidpp: Check bounds when deleting force-feedback effectsGünther Noack1-6/+9
Without this bounds check, this might otherwise overwrite index -1. Triggering this condition requires action both from the USB device and from userspace, which reduces the scenarios in which it can be exploited. Cc: Lee Jones <lee@kernel.org> Signed-off-by: Günther Noack <gnoack@google.com> Reviewed-by: Lee Jones <lee@kernel.org> Signed-off-by: Jiri Kosina <jkosina@suse.com>
2026-04-09IB/core: Fix zero dmac race in neighbor resolutionChen Zhao1-0/+3
dst_fetch_ha() checks nud_state without holding the neighbor lock, then copies ha under the seqlock. A race in __neigh_update() where nud_state is set to NUD_REACHABLE before ha is written allows dst_fetch_ha() to read a zero MAC address while the seqlock reports no concurrent writer. netevent_callback amplifies this by waking ALL pending addr_req workers when ANY neighbor becomes NUD_VALID. At scale (N peers resolving ARP concurrently), the hit probability scales as N^2, making it near-certain for large RDMA workloads. N(A): neigh_update(A) W(A): addr_resolve(A) | [sleep] | write_lock_bh(&A->lock) | | A->nud_state = NUD_REACHABLE | | // A->ha is still 0 | | [woken by netevent_cb() of | another neighbour] | | dst_fetch_ha(A) | | A->nud_state & NUD_VALID | | read_seqbegin(&A->ha_lock) | | snapshot = A->ha /* 0 */ | | read_seqretry(&A->ha_lock) | | return snapshot | seqlock(&A->ha_lock) | A->ha = mac_A /* too late */ | sequnlock(&A->ha_lock) | write_unlock_bh(&A->lock) The incorrect/zero mac is read and programmed in the device QP while it was not yet updated. This causes silent packet loss and eventual RETRY_EXC_ERR. Fix by holding the neighbor read lock across the nud_state check and ha copy in dst_fetch_ha(), ensuring it synchronizes with __neigh_update() which is updating while holding the write lock. Cc: stable@vger.kernel.org Fixes: 92ebb6a0a13a ("IB/cm: Remove now useless rcu_lock in dst_fetch_ha") Link: https://patch.msgid.link/r/20260405-fix-dmac-race-v1-1-cfa1ec2ce54a@nvidia.com Signed-off-by: Chen Zhao <chezhao@nvidia.com> Reviewed-by: Parav Pandit <parav@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
2026-04-09efi: Tag memblock reservations of boot services regions as RSRV_KERNArd Biesheuvel1-1/+3
By definition, EFI memory regions of type boot services code or data have no special significance to the firmware at runtime, only to the OS. In some cases, the firmware will allocate tables and other assets that are passed in memory in regions of this type, and leave it up to the OS to decide whether or not to treat the allocation as special, or simply consume the contents at boot and recycle the RAM for ordinary use. The reason for this approach is that it avoids needless memory reservations for assets that the OS knows nothing about, and therefore doesn't know how to free either. This means that any memblock reservations covering such regions can be marked as MEMBLOCK_RSRV_KERN - this is a better match semantically, and is useful on x86 to distinguish true reservations from temporary reservations that are only needed to work around firmware bugs. Acked-by: Mike Rapoport (Microsoft) <rppt@kernel.org> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
2026-04-09efi/memattr: Fix thinko in table size sanity checkArd Biesheuvel1-9/+28
While it is true that each PE/COFF runtime driver in memory can generally be split into 3 different regions (the header, the code/rodata region and the data/bss region), each with different permissions, it does not mean that 3x the size of the memory map is a suitable upper bound. This is due to the fact that all runtime drivers could be coalesced into a single EFI runtime code region by the firmware, and if the firmware does a good job of keeping the fragmentation down, it is conceivable that the memory attributes table has more entries than the EFI memory map itself. So instead, base the sanity check on whether the descriptor size matches the EFI memory map's descriptor size closely enough (which is not mandated by the spec but extremely unlikely to differ in practice), and whether the size of the whole table does not exceed 64k entries. Reviewed-by: Breno Leitao <leitao@debian.org> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
2026-04-09RDMA/mana_ib: Support memory windowsKonstantin Taranov3-1/+64
Implement .alloc_mw() and .dealloc_mw() for mana device. This is just the basic infrastructure, MW is not practically usable until additional kernel support for allowing user space to submit MW work requests is completed. Link: https://patch.msgid.link/r/20260331090851.2276205-1-kotaranov@linux.microsoft.com Signed-off-by: Konstantin Taranov <kotaranov@microsoft.com> Reviewed-by: Long Li <longli@microsoft.com> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
2026-04-09nvme-multipath: drop head pointer check in nvme_mpath_clear_current_path()John Garry1-4/+0
A NS will always have a head pointer, so drop the check. As proof in practice, all the nvme_mpath_clear_current_path() callers also dereference ns->head. This check has endured since the original changes to support multipath. Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: John Garry <john.g.garry@oracle.com> Signed-off-by: Keith Busch <kbusch@kernel.org>
2026-04-09nvme: add quirk NVME_QUIRK_IGNORE_DEV_SUBNQN for 144d:a808 (Samsung PM981/983/970 EVO Plus )Alan Cui1-0/+2
The firmware for Samsung 970 Evo Plus / PM981 / PM983 does not support SUBNQN. Make quirks to suppress warnings. # nvme id-ctrl /dev/nvme1n1 NVME Identify Controller: vid : 0x144d ssvid : 0x144d sn : *** mn : Samsung SSD 970 EVO Plus 500GB fr : 2B2QEXM7 mcdqpc : 0 subnqn : ioccsz : 0 Signed-off-by: Alan Cui <me@alancui.cc> Signed-off-by: Keith Busch <kbusch@kernel.org>
2026-04-09nvmet-tcp: fix race between ICReq handling and queue teardownChaitanya Kulkarni1-0/+26
nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown. If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock. If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue. The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference. Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started. Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes. Fixes: c46a6465bac2 ("nvmet-tcp: add NVMe over TCP target driver") Cc: stable@vger.kernel.org Reported-by: Shivam Kumar <skumar47@syr.edu> Tested-by: Shivam Kumar <kumar.shivam43666@gmail.com> Signed-off-by: Chaitanya Kulkarni <kch@nvidia.com> Signed-off-by: Keith Busch <kbusch@kernel.org>
2026-04-09RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcvhkbinbin1-1/+2
rxe_rcv() currently checks only that the incoming packet is at least header_size(pkt) bytes long before payload_size() is used. However, payload_size() subtracts both the attacker-controlled BTH pad field and RXE_ICRC_SIZE from pkt->paylen: payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt) - RXE_ICRC_SIZE This means a short packet can still make payload_size() underflow even if it includes enough bytes for the fixed headers. Simply requiring header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a packet with a forged non-zero BTH pad can still leave payload_size() negative and pass an underflowed value to later receive-path users. Fix this by validating pkt->paylen against the full minimum length required by payload_size(): header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE. Cc: stable@vger.kernel.org Fixes: 8700e3e7c485 ("Soft RoCE driver") Link: https://patch.msgid.link/r/20260401121907.1468366-1-hkbinbinbin@gmail.com Signed-off-by: hkbinbin <hkbinbinbin@gmail.com> Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
2026-04-09gpio: swnode: defer probe on references to unregistered software nodesBartosz Golaszewski1-0/+8
fwnode_property_get_reference_args() now returns -ENOTCONN when called on a software node referencing another software node which has not yet been registered as a firmware node. It makes sense to defer probe in this situation as the node will most likely be registered later on and we'll be able to resolve the reference eventually. Change the behavior of swnode_find_gpio() to return -EPROBE_DEFER if the software node reference resolution returns -ENOTCONN. Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Link: https://patch.msgid.link/20260407-swnode-unreg-retcode-v4-2-1b2f0725eb9c@oss.qualcomm.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
2026-04-09RDMA/core: Prefer NLA_NUL_STRINGFlorian Westphal1-3/+3
These attributes are evaluated as c-string (passed to strcmp), but NLA_STRING doesn't check for the presence of a \0 terminator. Either this needs to switch to nla_strcmp() and needs to adjust printf fmt specifier to not use plain %s, or this needs to use NLA_NUL_STRING. As the code has been this way for long time, it seems to me that userspace does include the terminating nul, even tough its not enforced so far, and thus NLA_NUL_STRING use is the simpler solution. Fixes: 30dc5e63d6a5 ("RDMA/core: Add support for iWARP Port Mapper user space service") Link: https://patch.msgid.link/r/20260330122742.13315-1-fw@strlen.de Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
2026-04-09net: lan966x: fix use-after-free and leak in lan966x_fdma_reload()David Carlier1-3/+18
When lan966x_fdma_reload() fails to allocate new RX buffers, the restore path restarts DMA using old descriptors whose pages were already freed via lan966x_fdma_rx_free_pages(). Since page_pool_put_full_page() can release pages back to the buddy allocator, the hardware may DMA into memory now owned by other kernel subsystems. Additionally, on the restore path, the newly created page pool (if allocation partially succeeded) is overwritten without being destroyed, leaking it. Fix both issues by deferring the release of old pages until after the new allocation succeeds. Save the old page array before the allocation so old pages can be freed on the success path. On the failure path, the old descriptors, pages and page pool are all still valid, making the restore safe. Also ensure the restore path re-enables NAPI and wakes the netdev, matching the success path. Fixes: 89ba464fcf54 ("net: lan966x: refactor buffer reload function") Cc: stable@vger.kernel.org Signed-off-by: David Carlier <devnexen@gmail.com> Link: https://patch.msgid.link/20260405055241.35767-4-devnexen@gmail.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-04-09net: lan966x: fix page pool leak in error pathsDavid Carlier1-1/+4
lan966x_fdma_rx_alloc() creates a page pool but does not destroy it if the subsequent fdma_alloc_coherent() call fails, leaking the pool. Similarly, lan966x_fdma_init() frees the coherent DMA memory when lan966x_fdma_tx_alloc() fails but does not destroy the page pool that was successfully created by lan966x_fdma_rx_alloc(), leaking it. Add the missing page_pool_destroy() calls in both error paths. Fixes: 11871aba1974 ("net: lan96x: Use page_pool API") Cc: stable@vger.kernel.org Signed-off-by: David Carlier <devnexen@gmail.com> Link: https://patch.msgid.link/20260405055241.35767-3-devnexen@gmail.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-04-09net: lan966x: fix page_pool error handling in lan966x_fdma_rx_alloc_page_pool()David Carlier1-0/+2
page_pool_create() can return an ERR_PTR on failure. The return value is used unconditionally in the loop that follows, passing the error pointer through xdp_rxq_info_reg_mem_model() into page_pool_use_xdp_mem(), which dereferences it, causing a kernel oops. Add an IS_ERR check after page_pool_create() to return early on failure. Fixes: 11871aba1974 ("net: lan96x: Use page_pool API") Cc: stable@vger.kernel.org Signed-off-by: David Carlier <devnexen@gmail.com> Link: https://patch.msgid.link/20260405055241.35767-2-devnexen@gmail.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-04-09drm/atomic: Increase timeout in drm_atomic_helper_wait_for_vblanks()Thomas Zimmermann1-1/+1
Increase the timeout for vblank events from 100 ms to 1000 ms. This is the same fix as in commit f050da08a4ed ("drm/vblank: Increase timeout in drm_wait_one_vblank()") for another vblank timeout. After merging generic DRM vblank timers [1] and converting several DRM drivers for virtual hardware, these drivers synchronize their vblank events to the display refresh rate. This can trigger timeouts within the DRM framework. Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de> Link: https://lore.kernel.org/dri-devel/20250904145806.430568-1-tzimmermann@suse.de/ # [1] Reported-by: syzbot+fcede535e7eb57cf5b43@syzkaller.appspotmail.com Closes: https://lore.kernel.org/dri-devel/69381d6c.050a0220.4004e.0017.GAE@google.com/ Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com> Fixes: 74afeb812850 ("drm/vblank: Add vblank timer") Link: https://patch.msgid.link/20251209143325.102056-1-tzimmermann@suse.de