linux.git/drivers/misc, branch master Linux kernel source tree Merge tag 'hardening-v7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux 2026-06-16T03:51:01+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-16T03:51:01+00:00 481329ec5b31d2c48ac6b8b703c8008133884c7e Pull hardening updates from Kees Cook: - lkdtm: - Add case to provoke a crash in EFI runtime services (Ard Biesheuvel) - add PPC_RADIX_TLBIEL test and missed isync (Sayali Patil) - stddef: Document designated initializer semantics for __TRAILING_OVERLAP() (Gustavo A. R. Silva) - strarray: drop redundant allocation, add __counted_by_ptr (Thorsten Blum) * tag 'hardening-v7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: lkdtm/powerpc: add PPC_RADIX_TLBIEL test for radix MCE validation lkdtm/powerpc: add isync after slbmte to enforce SLB update ordering lkdtm: Add case to provoke a crash in EFI runtime services lib/string_helpers: annotate struct strarray with __counted_by_ptr lib/string_helpers: drop redundant allocation in kasprintf_strarray MAINTAINERS: add kernel hardening keyword __counted_by_ptr stddef: Document designated initializer semantics for __TRAILING_OVERLAP() 
Pull hardening updates from Kees Cook:

 - lkdtm:
     - Add case to provoke a crash in EFI runtime services (Ard Biesheuvel)
     - add PPC_RADIX_TLBIEL test and missed isync (Sayali Patil)

 - stddef: Document designated initializer semantics for
   __TRAILING_OVERLAP() (Gustavo A. R. Silva)

 - strarray: drop redundant allocation, add __counted_by_ptr (Thorsten
   Blum)

* tag 'hardening-v7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
  lkdtm/powerpc: add PPC_RADIX_TLBIEL test for radix MCE validation
  lkdtm/powerpc: add isync after slbmte to enforce SLB update ordering
  lkdtm: Add case to provoke a crash in EFI runtime services
  lib/string_helpers: annotate struct strarray with __counted_by_ptr
  lib/string_helpers: drop redundant allocation in kasprintf_strarray
  MAINTAINERS: add kernel hardening keyword __counted_by_ptr
  stddef: Document designated initializer semantics for __TRAILING_OVERLAP()
Merge tag 'mmc-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc 2026-06-16T02:46:55+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-16T02:46:55+00:00 464e2f089ecb81139433666496ecaeece421b314 Pull MMC updates from Ulf Hansson: "MMC core: - Validate host's max_segs to fail gracefully MMC host: - davinci: - Avoid potential NULL dereference in the IRQ handler - Call mmc_add_host() in the correct order during probe - dw_mmc-exynos: - Increase DMA threshold for exynos7870 - renesas_sdhi: - Add support for RZ/G2E, RZ/G2N and R-Car M3Le variants - sdhci-msm: - Add support for Hawi, Eliza and Shikra variants - sdhci-of-k1: - Add support for SD UHS-I modes - Add support for tuning for eMMC HS200 and SD UHS-I" * tag 'mmc-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc: (24 commits) mmc: dw_mmc: Add desc_num field for clarity dt-bindings: mmc: sdhci-msm: Rename the binding to include 'qcom' prefix mmc: sdhci-of-dwcmshc: use dev_err_probe() to simplify error paths mmc: sdhci-of-dwcmshc: remove redundant IS_ERR() check dt-bindings: mmc: sdhci-msm: qcom: Add Hawi compatible mmc: renesas_sdhi: Add OF entry for RZ/G2E SoC mmc: renesas_sdhi: Add OF entry for RZ/G2N SoC dt-bindings: mmc: sdhci-msm: Add Eliza compatible mmc: davinci: fix mmc_add_host order in probe dt-bindings: mmc: sdhci-msm: Document the Shikra compatible mmc: sdhci-of-k1: add comprehensive SDR tuning support mmc: sdhci-of-k1: add regulator and pinctrl voltage switching support mmc: sdhci-of-k1: enable essential clock infrastructure for SD operation dt-bindings: mmc: spacemit,sdhci: add pinctrl support for voltage switching mmc: via-sdmmc: Simplify initialisation of pci_device_id array mmc: davinci: avoid NULL deref of host->data in IRQ handler memstick: Constify the driver id_table mmc: host: Move MODULE_DEVICE_TABLE next to the table itself mmc: renesas_sdhi: add R-Car M3Le compatibility string dt-bindings: mmc: renesas,sdhi: Document R-Car M3Le support ... 
Pull MMC updates from Ulf Hansson:
 "MMC core:
   - Validate host's max_segs to fail gracefully

  MMC host:
   - davinci:
       - Avoid potential NULL dereference in the IRQ handler
       - Call mmc_add_host() in the correct order during probe
   - dw_mmc-exynos:
       - Increase DMA threshold for exynos7870
   - renesas_sdhi:
       - Add support for RZ/G2E, RZ/G2N and R-Car M3Le variants
   - sdhci-msm:
       - Add support for Hawi, Eliza and Shikra variants
   - sdhci-of-k1:
       - Add support for SD UHS-I modes
       - Add support for tuning for eMMC HS200 and SD UHS-I"

* tag 'mmc-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc: (24 commits)
  mmc: dw_mmc: Add desc_num field for clarity
  dt-bindings: mmc: sdhci-msm: Rename the binding to include 'qcom' prefix
  mmc: sdhci-of-dwcmshc: use dev_err_probe() to simplify error paths
  mmc: sdhci-of-dwcmshc: remove redundant IS_ERR() check
  dt-bindings: mmc: sdhci-msm: qcom: Add Hawi compatible
  mmc: renesas_sdhi: Add OF entry for RZ/G2E SoC
  mmc: renesas_sdhi: Add OF entry for RZ/G2N SoC
  dt-bindings: mmc: sdhci-msm: Add Eliza compatible
  mmc: davinci: fix mmc_add_host order in probe
  dt-bindings: mmc: sdhci-msm: Document the Shikra compatible
  mmc: sdhci-of-k1: add comprehensive SDR tuning support
  mmc: sdhci-of-k1: add regulator and pinctrl voltage switching support
  mmc: sdhci-of-k1: enable essential clock infrastructure for SD operation
  dt-bindings: mmc: spacemit,sdhci: add pinctrl support for voltage switching
  mmc: via-sdmmc: Simplify initialisation of pci_device_id array
  mmc: davinci: avoid NULL deref of host->data in IRQ handler
  memstick: Constify the driver id_table
  mmc: host: Move MODULE_DEVICE_TABLE next to the table itself
  mmc: renesas_sdhi: add R-Car M3Le compatibility string
  dt-bindings: mmc: renesas,sdhi: Document R-Car M3Le support
  ...
Merge tag 'i2c-7.2-part1' of git://git.kernel.org/pub/scm/linux/kernel/git/andi.shyti/linux 2026-06-16T02:13:29+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-16T02:13:29+00:00 2779759c090ea0e78109a0cad0a81d869adfb459 Pull i2c updates from Andi Shyti: "This pull request is mostly made of cleanups and small infrastructure improvements across the I2C core, drivers and bindings. It also adds support for three drivers and a few new compatibles. Two major cleanup across drivers and core code: - use named initializers in device ID tables - replace dev_err() with dev_err_probe() Drivers: - at24: use named initializers for arrays of i2c_device_data - at91: add MCHP_LAN966X_PCI dependency - cadence: add shutdown callback - k1: enable by default on SpacemiT - mxs: improve documentation - qcom-geni: use pm_runtime_force_suspend/resume for system sleep - tegra: - disable fair arbitration on non-MCTP buses - allocate DMA buffers from the correct DMA device - designware: - handle active target shutdown cleanly - add shutdown callbacks for platform and PCI drivers - adopt the new PM_RUNTIME_ACQUIRE() helpers DT bindings: - convert davinci bindings to DT schema Core and muxes: - acpi: report missing I2C resources as -ENOENT - gpiolib: add gpiod_is_single_ended() helper for I2C GPIO users - i2c-mux-reg: add generic firmware node support - a set of 10 patches from Johan Hovold fixing adapter registration races, cleanup paths and resource management issues New support: - DesignWare LECA0003 (ACPI ID) - Loongson LS2K0300 I2C controller (new driver) - Qualcomm CCI Glymur and Shikra compatibles" * tag 'i2c-7.2-part1' of git://git.kernel.org/pub/scm/linux/kernel/git/andi.shyti/linux: (46 commits) i2c: mxs: add missing kernel-doc for struct mxs_i2c_dev members i2c: qcom-geni: Use pm_runtime_force_{suspend,resume} helpers dt-bindings: i2c: qcom-cci: Document Glymur compatible dt-bindings: i2c: qcom-cci: Document Shikra compatible i2c: mux: reg: use device property accessors i2c: acpi: Return -ENOENT when no resources found in i2c_acpi_client_count() i2c: at91: Add MCHP_LAN966X_PCI dependency i2c: eg20t: Consistently define pci_device_ids using named initializers i2c: designware-pcidrv: Consistently define pci_device_ids using named initializers i2c: bcm-kona: fix spelling mistake in timeout-check comment i2c: cadence: Add shutdown handler i2c: tegra: Disable fair arbitration for non-MCTP buses i2c: tegra: use dmaengine_get_dma_device() for DMA buffer allocation i2c: busses: make K1 driver default for SpacemiT platforms i2c: Use named initializers for arrays of i2c_device_data i2c: core: clean up adapter registration error label i2c: core: clean up bus id allocation i2c: core: fix adapter deregistration race i2c: core: fix adapter registration race i2c: core: disable runtime PM on adapter registration failure ... 
Pull i2c updates from Andi Shyti:
 "This pull request is mostly made of cleanups and small infrastructure
  improvements across the I2C core, drivers and bindings. It also adds
  support for three drivers and a few new compatibles.

  Two major cleanup across drivers and core code:
   - use named initializers in device ID tables
   - replace dev_err() with dev_err_probe()

  Drivers:
   - at24: use named initializers for arrays of i2c_device_data
   - at91: add MCHP_LAN966X_PCI dependency
   - cadence: add shutdown callback
   - k1: enable by default on SpacemiT
   - mxs: improve documentation
   - qcom-geni: use pm_runtime_force_suspend/resume for system sleep
   - tegra:
       - disable fair arbitration on non-MCTP buses
       - allocate DMA buffers from the correct DMA device
   - designware:
       - handle active target shutdown cleanly
       - add shutdown callbacks for platform and PCI drivers
       - adopt the new PM_RUNTIME_ACQUIRE() helpers

  DT bindings:
   - convert davinci bindings to DT schema

  Core and muxes:
   - acpi: report missing I2C resources as -ENOENT
   - gpiolib: add gpiod_is_single_ended() helper for I2C GPIO users
   - i2c-mux-reg: add generic firmware node support
   - a set of 10 patches from Johan Hovold fixing adapter registration
     races, cleanup paths and resource management issues

  New support:
   - DesignWare LECA0003 (ACPI ID)
   - Loongson LS2K0300 I2C controller (new driver)
   - Qualcomm CCI Glymur and Shikra compatibles"

* tag 'i2c-7.2-part1' of git://git.kernel.org/pub/scm/linux/kernel/git/andi.shyti/linux: (46 commits)
  i2c: mxs: add missing kernel-doc for struct mxs_i2c_dev members
  i2c: qcom-geni: Use pm_runtime_force_{suspend,resume} helpers
  dt-bindings: i2c: qcom-cci: Document Glymur compatible
  dt-bindings: i2c: qcom-cci: Document Shikra compatible
  i2c: mux: reg: use device property accessors
  i2c: acpi: Return -ENOENT when no resources found in i2c_acpi_client_count()
  i2c: at91: Add MCHP_LAN966X_PCI dependency
  i2c: eg20t: Consistently define pci_device_ids using named initializers
  i2c: designware-pcidrv: Consistently define pci_device_ids using named initializers
  i2c: bcm-kona: fix spelling mistake in timeout-check comment
  i2c: cadence: Add shutdown handler
  i2c: tegra: Disable fair arbitration for non-MCTP buses
  i2c: tegra: use dmaengine_get_dma_device() for DMA buffer allocation
  i2c: busses: make K1 driver default for SpacemiT platforms
  i2c: Use named initializers for arrays of i2c_device_data
  i2c: core: clean up adapter registration error label
  i2c: core: clean up bus id allocation
  i2c: core: fix adapter deregistration race
  i2c: core: fix adapter registration race
  i2c: core: disable runtime PM on adapter registration failure
  ...
Merge tag 'timers-core-2026-06-13' of gitolite.kernel.org:pub/scm/linux/kernel/git/tip/tip 2026-06-15T08:09:12+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-15T08:09:12+00:00 a60ce761d99ff2d9eefe33374c5f20726465a140 Pull timer core updates from Thomas Gleixner: "Updates for the time/timer core subsystem: - Harden the user space controllable hrtimer interfaces further to protect against unpriviledged DoS attempts by arming timers in the past. - Add per-capacity hierarchies to the timer migration code to prevent timer migration accross different capacity domains. This code has been disabled last minute as there is a pathological problem with SoCs which advertise a larger number of capacity domains. The problem is under investigation and the code won't be active before v7.3, but that turned out to be less intrusive than a full revert as it preserves the preparatory steps and allows people to work on the final resolution - Export time namespace functionality as a recent user can be built as a module. - Initialize the jiffies clocksource before using it. The recent hardening against time moving backward requires that the related members of struct clocksource have been initialized, otherwise it clamps the readout to 0, which makes time stand sill and causes boot delays. - Fix a more than twenty year old PID reference count leak in an error path of the POSIX CPU timer code. - The usual small fixes, improvements and cleanups all over the place" * tag 'timers-core-2026-06-13' of gitolite.kernel.org:pub/scm/linux/kernel/git/tip/tip: (31 commits) posix-cpu-timers: Fix pid refcount leak in do_cpu_nanosleep() error path time/jiffies: Register jiffies clocksource before usage timers/migration: Temporarily disable per capacity hierarchies timers/migration: Turn tmigr_hierarchy level_list into a flexible array timers/migration: Deactivate per-capacity hierarchies under nohz_full timers/migration: Fix hotplug migrator selection target on asymetric capacity machines ntsync: Honour caller's time namespace for absolute MONOTONIC timeouts time/namespace: Export init_time_ns and do_timens_ktime_to_host() timers/migration: Update stale @online doc to @available timers: Fix flseep() typo in kernel-doc comment hrtimer: Fix the bogus return type of __hrtimer_start_range_ns() hrtimer: Return ktime_t from hrtimer_get_next_event()/hrtimer_next_event_without() clocksource: Clean up clocksource_update_freq() functions alarmtimer: Remove stale return description from alarm_handle_timer() selftests/posix_timers: Use CLOCK_THREAD_CPUTIME_ID for ITIMER_PROF measurements scripts/timers: Add timer_migration_tree.py timers/migration: Handle capacity in connect tracepoints timers/migration: Split per-capacity hierarchies timers/migration: Track CPUs in a hierarchy timers/migration: Abstract out hierarchy to prepare for CPU capacity awareness ... 
Pull timer core updates from Thomas Gleixner:
 "Updates for the time/timer core subsystem:

   - Harden the user space controllable hrtimer interfaces further to
     protect against unpriviledged DoS attempts by arming timers in the
     past.

   - Add per-capacity hierarchies to the timer migration code to prevent
     timer migration accross different capacity domains. This code has
     been disabled last minute as there is a pathological problem with
     SoCs which advertise a larger number of capacity domains. The
     problem is under investigation and the code won't be active before
     v7.3, but that turned out to be less intrusive than a full revert
     as it preserves the preparatory steps and allows people to work on
     the final resolution

   - Export time namespace functionality as a recent user can be built
     as a module.

   - Initialize the jiffies clocksource before using it. The recent
     hardening against time moving backward requires that the related
     members of struct clocksource have been initialized, otherwise it
     clamps the readout to 0, which makes time stand sill and causes
     boot delays.

   - Fix a more than twenty year old PID reference count leak in an
     error path of the POSIX CPU timer code.

   - The usual small fixes, improvements and cleanups all over the
     place"

* tag 'timers-core-2026-06-13' of gitolite.kernel.org:pub/scm/linux/kernel/git/tip/tip: (31 commits)
  posix-cpu-timers: Fix pid refcount leak in do_cpu_nanosleep() error path
  time/jiffies: Register jiffies clocksource before usage
  timers/migration: Temporarily disable per capacity hierarchies
  timers/migration: Turn tmigr_hierarchy level_list into a flexible array
  timers/migration: Deactivate per-capacity hierarchies under nohz_full
  timers/migration: Fix hotplug migrator selection target on asymetric capacity machines
  ntsync: Honour caller's time namespace for absolute MONOTONIC timeouts
  time/namespace: Export init_time_ns and do_timens_ktime_to_host()
  timers/migration: Update stale @online doc to @available
  timers: Fix flseep() typo in kernel-doc comment
  hrtimer: Fix the bogus return type of __hrtimer_start_range_ns()
  hrtimer: Return ktime_t from hrtimer_get_next_event()/hrtimer_next_event_without()
  clocksource: Clean up clocksource_update_freq() functions
  alarmtimer: Remove stale return description from alarm_handle_timer()
  selftests/posix_timers: Use CLOCK_THREAD_CPUTIME_ID for ITIMER_PROF measurements
  scripts/timers: Add timer_migration_tree.py
  timers/migration: Handle capacity in connect tracepoints
  timers/migration: Split per-capacity hierarchies
  timers/migration: Track CPUs in a hierarchy
  timers/migration: Abstract out hierarchy to prepare for CPU capacity awareness
  ...
misc: fastrpc: fix use-after-free race in fastrpc_map_create 2026-06-05T15:20:51+00:00 Zhenghang Xiao kipreyyy@gmail.com 2026-05-30T20:45:28+00:00 07ebe87915d8accdaba20c4f88c5ae430fe62fbb fastrpc_map_lookup returns a raw pointer after releasing fl->lock. The caller fastrpc_map_create then calls fastrpc_map_get (kref_get_unless_zero) on this unprotected pointer. A concurrent MEM_UNMAP can free the map between the lock release and the kref operation, resulting in a use-after-free on the freed slab object. Restore the take_ref parameter to fastrpc_map_lookup so the reference is acquired atomically under fl->lock before the pointer is exposed to the caller. Fixes: 10df039834f8 ("misc: fastrpc: Skip reference for DMA handles") Cc: stable@vger.kernel.org Signed-off-by: Zhenghang Xiao <kipreyyy@gmail.com> Signed-off-by: Srinivas Kandagatla <srini@kernel.org> Link: https://patch.msgid.link/20260530204528.116920-5-srini@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
fastrpc_map_lookup returns a raw pointer after releasing fl->lock. The
caller fastrpc_map_create then calls fastrpc_map_get (kref_get_unless_zero)
on this unprotected pointer. A concurrent MEM_UNMAP can free the map
between the lock release and the kref operation, resulting in a
use-after-free on the freed slab object.

Restore the take_ref parameter to fastrpc_map_lookup so the reference
is acquired atomically under fl->lock before the pointer is exposed to
the caller.

Fixes: 10df039834f8 ("misc: fastrpc: Skip reference for DMA handles")
Cc: stable@vger.kernel.org
Signed-off-by: Zhenghang Xiao <kipreyyy@gmail.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20260530204528.116920-5-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
misc: fastrpc: Fix NULL pointer dereference in rpmsg callback 2026-06-05T15:20:51+00:00 Mukesh Ojha mukesh.ojha@oss.qualcomm.com 2026-05-30T20:45:27+00:00 5401fb4fe10fac6134c308495df18ed74aebb9c4 A NULL pointer dereference was observed on Hawi at boot when the DSP sends a glink message before fastrpc_rpmsg_probe() has completed initialization: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000178 pc : _raw_spin_lock_irqsave+0x34/0x8c lr : fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc] ... Call trace: _raw_spin_lock_irqsave+0x34/0x8c (P) fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc] qcom_glink_native_rx+0x538/0x6a4 qcom_glink_smem_intr+0x14/0x24 [qcom_glink_smem] The faulting address 0x178 corresponds to the lock variable inside struct fastrpc_channel_ctx, confirming that cctx is NULL when fastrpc_rpmsg_callback() attempts to take the spinlock. There are two issues here. First, dev_set_drvdata() is called before spin_lock_init() and idr_init(), leaving a window where the callback can retrieve a valid cctx pointer but operate on an uninitialized spinlock. Second, the rpmsg channel becomes live as soon as the driver is bound, so fastrpc_rpmsg_callback() can fire before dev_set_drvdata() is called at all, resulting in dev_get_drvdata() returning NULL. Fix both issues by moving all cctx initialization ahead of dev_set_drvdata() so the structure is fully initialized before it becomes visible to the callback, and add a NULL check in fastrpc_rpmsg_callback() as a guard against any remaining window. Fixes: f6f9279f2bf0 ("misc: fastrpc: Add Qualcomm fastrpc basic driver model") Cc: stable@vger.kernel.org Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com> Reviewed-by: Bjorn Andersson <andersson@kernel.org> Signed-off-by: Srinivas Kandagatla <srini@kernel.org> Link: https://patch.msgid.link/20260530204528.116920-4-srini@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
A NULL pointer dereference was observed on Hawi at boot when the DSP
sends a glink message before fastrpc_rpmsg_probe() has completed
initialization:

  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000178
  pc : _raw_spin_lock_irqsave+0x34/0x8c
  lr : fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]
  ...
  Call trace:
   _raw_spin_lock_irqsave+0x34/0x8c (P)
   fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]
   qcom_glink_native_rx+0x538/0x6a4
   qcom_glink_smem_intr+0x14/0x24 [qcom_glink_smem]

The faulting address 0x178 corresponds to the lock variable inside
struct fastrpc_channel_ctx, confirming that cctx is NULL when
fastrpc_rpmsg_callback() attempts to take the spinlock.

There are two issues here. First, dev_set_drvdata() is called before
spin_lock_init() and idr_init(), leaving a window where the callback
can retrieve a valid cctx pointer but operate on an uninitialized
spinlock. Second, the rpmsg channel becomes live as soon as the driver
is bound, so fastrpc_rpmsg_callback() can fire before dev_set_drvdata()
is called at all, resulting in dev_get_drvdata() returning NULL.

Fix both issues by moving all cctx initialization ahead of
dev_set_drvdata() so the structure is fully initialized before it
becomes visible to the callback, and add a NULL check in
fastrpc_rpmsg_callback() as a guard against any remaining window.

Fixes: f6f9279f2bf0 ("misc: fastrpc: Add Qualcomm fastrpc basic driver model")
Cc: stable@vger.kernel.org
Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
Reviewed-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20260530204528.116920-4-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
misc: fastrpc: fix DMA address corruption due to find_vma misuse 2026-06-05T15:20:50+00:00 Junrui Luo moonafterrain@outlook.com 2026-05-30T20:45:26+00:00 464c6ad2aa16e1e1df9d559289199356493d1e00 fastrpc_get_args() uses find_vma() to look up the VMA for a user-provided pointer and compute a DMA address offset. When the address falls in a gap before the returned VMA, (ptr & PAGE_MASK) - vma->vm_start underflows, corrupting the DMA address sent to the DSP. Replace find_vma() with vma_lookup(), which returns NULL when the address is not contained within any VMA. Cc: stable@vger.kernel.org Fixes: 80f3afd72bd4 ("misc: fastrpc: consider address offset before sending to DSP") Reported-by: Yuhao Jiang <danisjiang@gmail.com> Signed-off-by: Junrui Luo <moonafterrain@outlook.com> Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com> Signed-off-by: Srinivas Kandagatla <srini@kernel.org> Link: https://patch.msgid.link/20260530204528.116920-3-srini@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
fastrpc_get_args() uses find_vma() to look up the VMA for a user-provided
pointer and compute a DMA address offset. When the address falls in a gap
before the returned VMA, (ptr & PAGE_MASK) - vma->vm_start underflows,
corrupting the DMA address sent to the DSP.

Replace find_vma() with vma_lookup(), which returns NULL when the address
is not contained within any VMA.

Cc: stable@vger.kernel.org
Fixes: 80f3afd72bd4 ("misc: fastrpc: consider address offset before sending to DSP")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20260530204528.116920-3-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context 2026-06-05T15:20:50+00:00 Anandu Krishnan E anandu.e@oss.qualcomm.com 2026-05-30T20:45:25+00:00 e85eb5feca8e254905ffa6c57a3c99c89a674a0f There is a race between fastrpc_device_release() and the workqueue that processes DSP responses. When the user closes the file descriptor, fastrpc_device_release() frees the fastrpc_user structure. Concurrently, an in-flight DSP invocation can complete and fastrpc_rpmsg_callback() schedules context cleanup via schedule_work(&ctx->put_work). If the workqueue runs fastrpc_context_free() in parallel with or after fastrpc_device_release() has freed the user structure, it dereferences the freed fastrpc_user. Depending on the state of the context at the time of the race, any one of the following accesses can be hit: 1. fastrpc_buf_free() calls fastrpc_ipa_to_dma_addr(buf->fl->cctx, ...) to strip the SID bits from the stored IOVA before passing the physical address to dma_free_coherent(). 2. fastrpc_free_map() reads map->fl->cctx->vmperms[0].vmid to reconstruct the source permission bitmask needed for the qcom_scm_assign_mem() call that returns memory from the DSP VM back to HLOS. 3. fastrpc_free_map() acquires map->fl->lock to safely remove the map node from the fl->maps list. The resulting use-after-free manifests as: pc : fastrpc_buf_free+0x38/0x80 [fastrpc] lr : fastrpc_context_free+0xa8/0x1b0 [fastrpc] fastrpc_context_free+0xa8/0x1b0 [fastrpc] fastrpc_context_put_wq+0x78/0xa0 [fastrpc] process_one_work+0x180/0x450 worker_thread+0x26c/0x388 Add kref-based reference counting to fastrpc_user. Have each invoke context take a reference on the user at allocation time and release it when the context is freed. Release the initial reference in fastrpc_device_release() at file close. Move the teardown of the user structure — freeing pending contexts, maps, mmaps, and the channel context reference — into the kref release callback fastrpc_user_free(), so that it runs only when the last reference is dropped, regardless of whether that happens at device close or after the final in-flight context completes. Fixes: 6cffd79504ce ("misc: fastrpc: Add support for dmabuf exporter") Cc: stable@kernel.org Signed-off-by: Anandu Krishnan E <anandu.e@oss.qualcomm.com> Signed-off-by: Srinivas Kandagatla <srini@kernel.org> Link: https://patch.msgid.link/20260530204528.116920-2-srini@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
There is a race between fastrpc_device_release() and the workqueue
that processes DSP responses. When the user closes the file descriptor,
fastrpc_device_release() frees the fastrpc_user structure. Concurrently,
an in-flight DSP invocation can complete and fastrpc_rpmsg_callback()
schedules context cleanup via schedule_work(&ctx->put_work). If the
workqueue runs fastrpc_context_free() in parallel with or after
fastrpc_device_release() has freed the user structure, it dereferences
the freed fastrpc_user. Depending on the state of the context at the
time of the race, any one of the following accesses can be hit:

 1. fastrpc_buf_free() calls fastrpc_ipa_to_dma_addr(buf->fl->cctx, ...)
    to strip the SID bits from the stored IOVA before passing the
    physical address to dma_free_coherent().

 2. fastrpc_free_map() reads map->fl->cctx->vmperms[0].vmid to
    reconstruct the source permission bitmask needed for the
    qcom_scm_assign_mem() call that returns memory from the DSP VM
    back to HLOS.

 3. fastrpc_free_map() acquires map->fl->lock to safely remove the
    map node from the fl->maps list.

The resulting use-after-free manifests as:

  pc : fastrpc_buf_free+0x38/0x80 [fastrpc]
  lr : fastrpc_context_free+0xa8/0x1b0 [fastrpc]
  fastrpc_context_free+0xa8/0x1b0 [fastrpc]
  fastrpc_context_put_wq+0x78/0xa0 [fastrpc]
  process_one_work+0x180/0x450
  worker_thread+0x26c/0x388

Add kref-based reference counting to fastrpc_user. Have each invoke
context take a reference on the user at allocation time and release it
when the context is freed. Release the initial reference in
fastrpc_device_release() at file close. Move the teardown of the user
structure — freeing pending contexts, maps, mmaps, and the channel
context reference — into the kref release callback fastrpc_user_free(),
so that it runs only when the last reference is dropped, regardless of
whether that happens at device close or after the final in-flight
context completes.

Fixes: 6cffd79504ce ("misc: fastrpc: Add support for dmabuf exporter")
Cc: stable@kernel.org
Signed-off-by: Anandu Krishnan E <anandu.e@oss.qualcomm.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20260530204528.116920-2-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ntsync: Honour caller's time namespace for absolute MONOTONIC timeouts 2026-06-02T19:05:36+00:00 Maoyi Xie maoyixie.tju@gmail.com 2026-05-28T06:33:11+00:00 180a232ea78003d1dc869b217b4e49106fd58e8f ntsync_schedule() takes the absolute timeout from userspace and hands it to schedule_hrtimeout_range_clock() with HRTIMER_MODE_ABS. For the default CLOCK_MONOTONIC path, it does not call timens_ktime_to_host() first. A process inside a CLOCK_MONOTONIC time namespace computes the absolute timeout in its own clock view. The kernel reads the same value against the host clock. The two differ by the namespace offset. The timeout then fires too early or too late. Other users of absolute timeouts run the ktime through timens_ktime_to_host() before starting the hrtimer. ntsync was added later and missed that step. /dev/ntsync is mode 0666. Any user inside a time namespace that can open it is affected. The visible effect is wrong timeout behaviour for Wine in a container that sets a CLOCK_MONOTONIC offset. Reproducer: unshare --user --time, set the monotonic offset to -10s, issue NTSYNC_IOC_WAIT_ANY with a 100 ms absolute MONOTONIC timeout. The baseline run elapses about 100 ms. The run inside the namespace elapses about 0 ms. Apply timens_ktime_to_host() to the parsed timeout when the caller did not set NTSYNC_WAIT_REALTIME. The helper does nothing in the initial time namespace, so the fast path is unchanged. Fixes: b4a7b5fe3f51 ("ntsync: Introduce NTSYNC_IOC_WAIT_ANY.") Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com> Signed-off-by: Thomas Gleixner <tglx@kernel.org> Reviewed-by: Elizabeth Figura <zfigura@codeweavers.com> Link: https://patch.msgid.link/20260528063311.3300393-3-maoyixie.tju@gmail.com 
ntsync_schedule() takes the absolute timeout from userspace and hands it to
schedule_hrtimeout_range_clock() with HRTIMER_MODE_ABS. For the default
CLOCK_MONOTONIC path, it does not call timens_ktime_to_host() first.

A process inside a CLOCK_MONOTONIC time namespace computes the absolute
timeout in its own clock view. The kernel reads the same value against the
host clock. The two differ by the namespace offset.  The timeout then fires
too early or too late.

Other users of absolute timeouts run the ktime through
timens_ktime_to_host() before starting the hrtimer. ntsync was added later
and missed that step.

/dev/ntsync is mode 0666. Any user inside a time namespace that can
open it is affected. The visible effect is wrong timeout behaviour
for Wine in a container that sets a CLOCK_MONOTONIC offset.

Reproducer: unshare --user --time, set the monotonic offset to -10s,
issue NTSYNC_IOC_WAIT_ANY with a 100 ms absolute MONOTONIC timeout.
The baseline run elapses about 100 ms. The run inside the namespace
elapses about 0 ms.

Apply timens_ktime_to_host() to the parsed timeout when the caller
did not set NTSYNC_WAIT_REALTIME. The helper does nothing in the
initial time namespace, so the fast path is unchanged.

Fixes: b4a7b5fe3f51 ("ntsync: Introduce NTSYNC_IOC_WAIT_ANY.")
Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Reviewed-by: Elizabeth Figura <zfigura@codeweavers.com>
Link: https://patch.msgid.link/20260528063311.3300393-3-maoyixie.tju@gmail.com
misc: rp1: Send IACK on IRQ activate to fix kdump/kexec 2026-05-22T10:19:02+00:00 Xiaolei Wang xiaolei.wang@windriver.com 2026-05-18T07:34:05+00:00 36770417153644bc88281c7284730ef1d14d8d3c After a kexec/kdump reboot, the macb Ethernet controller fails to receive any packets, causing DHCP to hang indefinitely and the network interface to be unusable despite link being up. The root cause is that RP1's level-triggered MSI-X interrupt sources (such as macb on hwirq 6) may have their internal state machines stuck in the "waiting for IACK" state. This happens because the previous kernel crashed before sending the acknowledgment for a pending level interrupt. In this stuck state, RP1 will not generate new MSI-X writes even though the interrupt source remains asserted. Since no new MSI-X is sent, the GIC never sees a new edge, the chained IRQ handler is never invoked, and the interrupt is permanently lost. Fix this by sending MSIX_CFG_IACK in rp1_irq_activate(). This unconditionally resets the MSI-X state machine back to idle when a child device requests its interrupt. If the interrupt source is still asserted, RP1 will immediately issue a new MSI-X with the freshly configured msg_addr/msg_data, and normal interrupt delivery resumes. Writing IACK when the state machine is already idle (i.e., on a normal cold boot) is harmless — it has no effect. Fixes: 49d63971f963 ("misc: rp1: RaspberryPi RP1 misc driver") Cc: stable <stable@kernel.org> Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com> Link: https://patch.msgid.link/20260518073405.2115003-1-xiaolei.wang@windriver.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
After a kexec/kdump reboot, the macb Ethernet controller fails to
receive any packets, causing DHCP to hang indefinitely and the network
interface to be unusable despite link being up.

The root cause is that RP1's level-triggered MSI-X interrupt sources
(such as macb on hwirq 6) may have their internal state machines stuck
in the "waiting for IACK" state. This happens because the previous
kernel crashed before sending the acknowledgment for a pending level
interrupt.

In this stuck state, RP1 will not generate new MSI-X writes even though
the interrupt source remains asserted. Since no new MSI-X is sent, the
GIC never sees a new edge, the chained IRQ handler is never invoked,
and the interrupt is permanently lost.

Fix this by sending MSIX_CFG_IACK in rp1_irq_activate(). This
unconditionally resets the MSI-X state machine back to idle when a
child device requests its interrupt. If the interrupt source is still
asserted, RP1 will immediately issue a new MSI-X with the freshly
configured msg_addr/msg_data, and normal interrupt delivery resumes.

Writing IACK when the state machine is already idle (i.e., on a normal
cold boot) is harmless — it has no effect.

Fixes: 49d63971f963 ("misc: rp1: RaspberryPi RP1 misc driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
Link: https://patch.msgid.link/20260518073405.2115003-1-xiaolei.wang@windriver.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>