Age | Commit message | Author
2026-06-21 | mm/page_alloc: only update NUMA min ratios on sysctl write | Jianlin Shi
The sysctl handlers for min_unmapped_ratio and min_slab_ratio invoke setup_min_unmapped_ratio() and setup_min_slab_ratio() unconditionally after proc_dointvec_minmax(), even for read operations. These setup functions first zero all per-NUMA node thresholds (min_unmapped_pages and min_slab_pages) before recalculating them. Reading /proc sysctl entries therefore temporarily resets node reclaim thresholds to zero, which may disturb the behavior of __node_reclaim() and node_reclaim() during the recomputation. Fix this by only calling the setup functions when the sysctl is actually written (write == 1), matching the behavior of existing sysctl handlers like min_free_kbytes and watermark_scale_factor. This only affects systems with CONFIG_NUMA. Link: https://lore.kernel.org/tencent_5891052AF9A4C2D490A62F478D446F74AB09@qq.com Signed-off-by: Jianlin Shi <shijianlin11@foxmail.com> Cc: Brendan Jackman <jackmanb@google.com> Cc: Johannes Weiner <hannes@cmpxchg.org> Cc: Michal Hocko <mhocko@suse.com> Cc: Suren Baghdasaryan <surenb@google.com> Cc: Vlastimil Babka <vbabka@kernel.org> Cc: Zi Yan <ziy@nvidia.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-06-21 | zsmalloc: simplify data output in zs_stats_size_show() | Markus Elfring
Move the specification for a line break from a seq_puts() call to a seq_printf() call. The source code was transformed by using the Coccinelle software. Link: https://lore.kernel.org/126a924b-6f68-43bf-ae5a-449fb93e527b@web.de Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org> Cc: Minchan Kim <minchan@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-06-21 | lib: split codetag_lock_module_list() | Bart Van Assche
Letting a function argument indicate whether a lock or unlock operation should be performed is incompatible with compile-time analysis of locking operations by sparse and Clang. Hence, split codetag_lock_module_list() into two functions: a function that locks cttype->mod_lock and another function that unlocks cttype->mod_lock. No functionality has been changed. See also commit 916cc5167cc6 ("lib: code tagging framework"). Link: https://lore.kernel.org/20260324214226.3684605-1-bvanassche@acm.org Signed-off-by: Bart Van Assche <bvanassche@acm.org> Acked-by: Suren Baghdasaryan <surenb@google.com> Cc: Kent Overstreet <kent.overstreet@linux.dev> Cc: Nathan Chancellor <nathan@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-06-21 | alloc_tag: fix use-after-free in /proc/allocinfo after module unload | Hao Ge
allocinfo_start() only reinitializes the codetag iterator at position 0. For subsequent reads (position > 0), it reuses cached iterator state from the previous batch. allocinfo_stop() drops mod_lock between read batches, which allows module unload to complete and free the module memory that the cached iterator still references:

    CPU0 (read)                        CPU1 (rmmod)
    ----                               ----
    allocinfo_start(pos=0)
      down_read(mod_lock)
    allocinfo_show()
    ...
    allocinfo_stop()
      up_read(mod_lock)
                                       codetag_unload_module()
                                         kfree(cmod)
                                       release_module_tags()
                                       ...
                                       free_mod_mem()
    allocinfo_start(pos=N)
      down_read(mod_lock)
      // reuses cached iter, skips re-init
    allocinfo_show()
      ct->filename  <-- UAF

After free_mod_mem() frees the module's .rodata, allocinfo_show() dereferences ct->filename, ct->function which point there.

Save the iterator state in allocinfo_next() and resume from it in allocinfo_start() with codetag_next_ct(), which detects module removal via idr_find() returning NULL and skips to the next module.

Link: https://lore.kernel.org/20260604065938.105991-1-hao.ge@linux.dev
Fixes: 9f44df50fee4 ("alloc_tag: keep codetag iterator active between read()")
Signed-off-by: Hao Ge <hao.ge@linux.dev>
Suggested-by: Suren Baghdasaryan <surenb@google.com>
Acked-by: Suren Baghdasaryan <surenb@google.com>
Cc: Kent Overstreet <kent.overstreet@linux.dev>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-06-21 | mm/alloc_tag: replace fixed-size early PFN array with dynamic linked list | Hao Ge
Pages allocated before page_ext is available have their codetag left uninitialized. Track these early PFNs and clear their codetag in clear_early_alloc_pfn_tag_refs() to avoid "alloc_tag was not set" warnings when they are freed later. Currently a fixed-size array of 8192 entries is used, with a warning if the limit is exceeded. However, the number of early allocations depends on the number of CPUs and can be larger than 8192. Replace the fixed-size array with a dynamically allocated linked list of pfn_pool structs. Each node is allocated via alloc_page() and mapped to a pfn_pool containing a next pointer, an atomic slot counter, and a PFN array that fills the remainder of the page. The tracking pages themselves are allocated via alloc_page(), which would trigger __pgalloc_tag_add() -> alloc_tag_add_early_pfn() and recurse indefinitely. Introduce __GFP_NO_CODETAG (reuses the %__GFP_NO_OBJ_EXT bit) and pass gfp_flags through pgalloc_tag_add() so that the early path can skip recording allocations that carry this flag. Link: https://lore.kernel.org/20260604024008.46592-1-hao.ge@linux.dev Signed-off-by: Hao Ge <hao.ge@linux.dev> Suggested-by: Suren Baghdasaryan <surenb@google.com> Acked-by: Suren Baghdasaryan <surenb@google.com> Cc: Kent Overstreet <kent.overstreet@linux.dev> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-06-21 | Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi | Linus Torvalds
Pull SCSI updates from James Bottomley:

"Only ufs driver updates this time, apart from which this is just an assortment of bug fixes and AI assisted changes. The biggest other change is the reversion of the sas_user_scan patch which supported a mpi3mr NVME behaviour but caused major issues for other sas controllers. The next biggest is the removal of target reset in tcm_loop.c"

* tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: (56 commits)
  scsi: target: Remove tcm_loop target reset handling
  scsi: lpfc: Fix spelling mistakes in comments
  scsi: ufs: ufs-pci: Add AMD device ID support
  scsi: ufs: core: Handle PM commands timeout before SCSI EH
  scsi: devinfo: Broaden Promise VTrak E310/E610 identification
  scsi: target: Use constant-time crypto_memneq() for CHAP digests
  scsi: target: Fix hexadecimal CHAP_I handling
  scsi: scsi_debug: Fix one-partition tape setup bounds
  scsi: ufs: qcom: dt-bindings: Document the Hawi UFS controller
  scsi: mailmap: Update Avri Altman's email address
  scsi: ufs: Remove redundant vops NULL check and trivial wrapper
  scsi: ufs: Remove unnecessary return in void vops wrappers
  scsi: ufs: Fix wrong value printed in unexpected UPIU response case
  scsi: ufs: core: Fix NULL pointer dereference in scsi_cmd_priv() calls
  scsi: megaraid_mbox: Avoid double kfree()
  scsi: pm8001: Fix error code in non_fatal_log_show()
  scsi: lpfc: Turn lpfc_queue q_pgs into a flexible array
  scsi: ufs: core: Skip link param validation when lanes_per_direction is unset
  scsi: sas: Skip opt_sectors when DMA reports no real optimization hint
  scsi: Revert "scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans"
  ...
2026-06-21 | Merge tag '9p-for-7.2-rc1' of https://github.com/martinetd/linux | Linus Torvalds
Pull 9p updates from Dominique Martinet:

"Aside from the avalanche of LLM-driven fixes, there are a couple of big changes this cycle:

 - negative dentry and symlink cache

 - a way out of the unkillable "io_wait_event_killable" (because it looped around waiting for the request flush to come back from server; this has been bugging syzkaller folks since forever): I'm still not 100% sure about this patch, but I think it's as good as we'll ever get, and will keep testing a bit further in the coming weeks

 The rest is more noisy than usual, but shouldn't cause any trouble"

* tag '9p-for-7.2-rc1' of https://github.com/martinetd/linux:
  9p: Add missing read barrier in virtio zero-copy path
  net/9p: Replace strlen() strcpy() pair with strscpy()
  9p: skip nlink update in cacheless mode to fix WARN_ON
  net/9p: fix race condition on rdma->state in trans_rdma.c
  9p: v9fs_file_do_lock: replace WARN_ONCE with p9_debug
  9p: Enable symlink caching in page cache
  9p: Set default negative dentry retention time for cache=loose
  9p: Add mount option for negative dentry cache retention
  9p: Cache negative dentries for lookup performance
  9p: avoid returning ERR_PTR(0) from mkdir operations
  9p: avoid putting oldfid in p9_client_walk() error path
  net/9p: fix infinite loop in p9_client_rpc on fatal signal
  docs/filesystems/9p: fix broken external links
  9p: invalidate readdir buffer on seek
  9p: use kvzalloc for readdir buffer
  net/9p/usbg: Constify struct configfs_item_operations
2026-06-21 | Merge tag 'firewire-updates-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394 | Linus Torvalds
Pull firewire updates from Takashi Sakamoto:

 - firewire drivers have been able to assign an arbitrary value in the mod_device entry, which is typed as kernel_ulong_t. While storing the pointer value is legitimate, conversion back to a pointer has been performed without preserving the const qualifier. Uwe Kleine-König introduced a union to provide safer and more robust conversions, as part of the ongoing CHERI enhancement work for ARM and RISC-V architectures. This includes changes to the sound subsystem, since the conversion pattern is widely used in ALSA firewire stack.

 - Userspace applications can request the core function to perform isochronous resource management procedures. Dingsoul reported a reference-count leak when these procedures are processed in workqueue contexts. This refactors the relevant code paths following a divide and conquer approach. Consequently, it became clear that the issue still remains in the path when userspace applications delegate automatic resource reallocation after bus resets to the core. In practice, the leak is rarely triggered, and a complete fix is still in progress.

* tag 'firewire-updates-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394:
  firewire: core: Open-code topology list walk
  firewire: core: cancel using delayed work for iso_resource_once management
  firewire: core: rename member name for channel mask of isoc resource
  firewire: core: minor code refactoring for case-dependent parameters of iso resources management
  ALSA: firewire: Make use of ieee1394's .driver_data_ptr
  firewire: Simplify storing pointers in device id struct
  firewire: core: move allocation/reallocation paths into specific branch after isoc resource management in cdev
  firewire: core: refactor notification type determination after isoc resource management in cdev
  firewire: core: use switch statement for post-processing of isoc resource management in cdev
  firewire: core: reduce critical section duration in pre-processing of isoc resource management in cdev
  firewire: core: code cleanup for iso resource auto creation
  firewire: core: append _auto suffix for non-once iso resource operations
  firewire: core: code cleanup to remove old implementations for once operation
  firewire: core: split functions for iso_resource once operation
  firewire: core: code refactoring for helper function to fill iso_resource parameters
  firewire: core: code refactoring to queue work item for iso_resource
  firewire: core: code refactoring for early return at client resource allocation
2026-06-21 | Merge tag 'liveupdate-v7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/liveupdate/linux | Linus Torvalds
Pull liveupdate updates from Mike Rapoport:

"Kexec Handover (KHO):

  - make memory preservation compatible with deferred initialization of the memory map

 Live Update Orchestrator (LUO):

  - add LIVEUPDATE_SESSION_GET_NAME ioctl and parameter verification for LIVEUPDATE_IOCTL_CREATE_SESSION ioctl

  - documentation updates for liveupdate=on command line option, systemd support and the current compatibility status

  - remove the fixed limits on the number of files that can be preserved within a single session, and the total number of sessions managed by the LUO

 Misc fixes:

  - reference count incoming File-Lifecycle-Bound (FLB) data so it cannot be freed while a subsystem is still using it

  - fixes for a TOCTOU race in luo_session_retrieve(), a use-after-free in the file finish and unpreserve paths, concurrent session mutations during reboot and serialization on preserve_context kexec

  - make sure ioctls for incoming LUO sessions are blocked for outgoing sessions and vice versa

  - make sure KHO scratch size is always aligned by CMA_MIN_ALIGNMENT_BYTES

  - fix memblock tests build issue introduced by KHO changes"

* tag 'liveupdate-v7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/liveupdate/linux: (36 commits)
  liveupdate: Document that retrieve failure is permanent
  docs: memfd_preservation: fix rendering of ABI documentation
  selftests/liveupdate: Add stress-files kexec test
  selftests/liveupdate: Add stress-sessions kexec test
  selftests/liveupdate: Test session and file limit removal
  liveupdate: Remove limit on the number of files per session
  liveupdate: Remove limit on the number of sessions
  liveupdate: defer session block allocation and physical address setting
  kho: add support for linked-block serialization
  liveupdate: Extract luo_session_deserialize_one helper
  liveupdate: Extract luo_file_deserialize_one helper
  liveupdate: register luo_ser as KHO subtree
  liveupdate: centralize state management into struct luo_ser
  liveupdate: avoid mixing cleanup guards with goto in luo_session_retrieve_fd
  liveupdate: change file_set->count type to u64 for type safety
  liveupdate: Remove unused ser field from struct luo_session
  liveupdate: fix u-a-f in luo_file_unpreserve_files() and luo_file_finish()
  liveupdate: block session mutations during reboot
  liveupdate: fix TOCTOU race in luo_session_retrieve()
  liveupdate: skip serialization for context-preserving kexec
  ...
2026-06-21 | Merge tag 'for-linus' of https://github.com/openrisc/linux | Linus Torvalds
Pull OpenRISC updates from Stafford Horne:

"A few fixes for text patching related code:

 - Update the section of map_page used in text patching. It was left with __init when text patching was introduced to OpenRISC

 - Add fix to invalidate remote SMP core i-caches after text is patched"

* tag 'for-linus' of https://github.com/openrisc/linux:
  openrisc: Fix jump_label smp syncing
  openrisc: Add full instruction cache invalidate functions
  openrisc: Cache invalidation cleanup
  openrisc: mm: Fix section mismatch between map_page and __set_fixmap
2026-06-21 | Merge tag 'nand/for-7.2' into mtd/next | Miquel Raynal
* Extend SPI NAND continuous read to Winbond devices, which requires numerous changes in the spi-{mem,nand} layers such as the need for a secondary read operation template.
* Continuous reads in general have also been enhanced/fixed for avoiding potential issues at probe time and at block boundaries.

Plus, there is the usual load of misc fixes and improvements.
2026-06-21 | Merge tag 'spi-nor/for-7.2' into mtd/next | Miquel Raynal
SPI NOR changes for 7.2

Notable changes:

- Big set of cleanups and improvements to the locking support. This series contains some cleanups and bug fixes for code and documentation around write protection. Then support is added for complement locking, which allows finer grained configuration of what is considered locked and unlocked. Then complement locking is enabled on a bunch of Winbond W25 flashes.

- Fix die erase support on Spansion flashes. Die erase is only supported on multi-die flashes, but the die erase opcode was set for all. When the opcode is set, it overrides the default chip erase opcode which should be used for single-die flashes. Only set the opcode on multi-die flashes. Also, the opcode was not set on multi-die s28hx-t flashes. Set it so they can use die-erase correctly.
2026-06-21 | drm/nouveau: fix reversed error cleanup order in ucopy functions | Junrui Luo
nouveau_uvmm_vm_bind_ucopy() and nouveau_exec_ucopy() place their error cleanup labels in allocation order rather than reverse allocation order. On a u_memcpya() failure for in_sync.s, the goto to err_free_ops (or err_free_pushs) frees the first allocation and then falls through to err_free_ins, which calls u_free() on args->in_sync.s. Since args->in_sync.s still holds the ERR_PTR returned by the failed u_memcpya(), and ERR_PTR values are not caught by ZERO_OR_NULL_PTR(), kvfree() proceeds to dereference it, which can result in a kernel oops. A failure for out_sync.s instead jumps to err_free_ins and skips freeing the first allocation, leading to a memory leak. Fix by swapping the cleanup label order so resources are freed in the correct reverse allocation sequence. Fixes: b88baab82871 ("drm/nouveau: implement new VM_BIND uAPI") Reported-by: Yuhao Jiang <danisjiang@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: Junrui Luo <moonafterrain@outlook.com> Link: https://patch.msgid.link/SYBPR01MB7881484D91A6F80271415F71AF1A2@SYBPR01MB7881.ausprd01.prod.outlook.com Signed-off-by: Danilo Krummrich <dakr@kernel.org>
2026-06-21 | drm/nouveau/acr: fix missing nvkm_done() in error path of nvkm_acr_oneinit() | Wentao Liang
In nvkm_acr_oneinit(), nvkm_kmap(acr->wpr) is invoked unconditionally at line 309 to obtain a mapping reference. Additionally, when both acr->wpr_fw and acr->wpr_comp are present, a second nvkm_kmap() is called inside the conditional block. Both mappings are expected to be released by nvkm_done(acr->wpr) at line 320 before the function returns successfully. However, when a mismatch is detected during the loop within the conditional block, the function returns -EINVAL at line 318 without calling nvkm_done(). This results in a leak of the kmap reference(s) acquired earlier. Fix the issue by invoking nvkm_done(acr->wpr) prior to the early return to ensure proper release of the mapping references. Fixes: 22dcda45a3d1 ("drm/nouveau/acr: implement new subdev to replace "secure boot"") Cc: stable@vger.kernel.org Signed-off-by: Wentao Liang <vulab@iscas.ac.cn> Link: https://patch.msgid.link/20260606155606.77593-1-vulab@iscas.ac.cn Signed-off-by: Danilo Krummrich <dakr@kernel.org>
2026-06-21 | irqchip/crossbar: Fix parent domain resource leak | Bhargav Joshi
irq_domain_alloc_irqs_parent() is called in allocate_gic_irq() but irq_domain_free_irqs_parent() is never called which causes a resource leak. Fix this by calling irq_domain_free_irqs_parent() in crossbar_domain_free(). Fixes: 783d31863fb82 ("irqchip: crossbar: Convert dra7 crossbar to stacked domains") Signed-off-by: Bhargav Joshi <j.bhargav.u@gmail.com> Signed-off-by: Thomas Gleixner <tglx@kernel.org> Link: https://patch.msgid.link/20260620-irq-crossbar-fix-v2-2-b8e8499f468a@gmail.com
2026-06-21 | irqchip/crossbar: Use correct index in crossbar_domain_free() | Bhargav Joshi
crossbar_domain_free() resets the domain data and then uses the nulled out irq_data->hwirq member as index to reset the irq_map[] entry and to write the relevant crossbar register with a safe entry. That means it never frees the correct index and keeps the crossbar register connection to the source interrupt active. If it would not reset the domain data, then this would be even worse as irq_data->hwirq holds the source interrupt number, but both the map and register index need the corresponding GIC SPI number and not the source interrupt number. This might even result in an out of bounds access as the source interrupt number can be higher than the maximal index space. Fix this by using the GIC SPI index from the parent domain's irq_data. Fixes: 783d31863fb82 ("irqchip: crossbar: Convert dra7 crossbar to stacked domains") Signed-off-by: Bhargav Joshi <j.bhargav.u@gmail.com> Signed-off-by: Thomas Gleixner <tglx@kernel.org> Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20260620-irq-crossbar-fix-v2-1-b8e8499f468a@gmail.com
2026-06-21 | locking/rt: Fix the incorrect RCU protection in rt_spin_unlock() | Thomas Gleixner
rt_spin_unlock() releases the RCU protection before unlocking the lock. That opens the door for the following UAF scenario:

    T1                                  T2
    spin_lock(&p->lock);                rcu_read_lock();
    invalidate(p);                      p = rcu_dereference(ptr);
      rcu_assign_pointer(ptr, NULL);    if (!p)
                                          return;
    spin_unlock(&p->lock);              spin_lock(&p->lock)
                                          lock(&lock->lock);
                                          rcu_read_lock();
    kfree_rcu(p);                       rcu_read_unlock();
                                        ....
                                        spin_unlock(&p->lock)
                                          rcu_read_unlock(); // Ends grace period
    rcu_do_batch()
      kfree(p);
                                          UAF -> rt_mutex_cmpxchg_release(&lock->lock...)

Regular spinlocks keep preemption disabled across the unlock operation, which provides full RCU protection, but the RT substitution fails to resemble that. Same applies for the rwlock substitution.

Move the rcu_read_unlock() invocation past the unlock operations to match the non-RT semantics. This makes it asymmetric vs. rt_xxx_lock(), but that's harmless as the caller needs to hold RCU read lock across the lock operation.

The migrate_enable() call stays before the unlock operation because there is no per CPU operation in the unlock path which would require migration to be kept disabled.

Fixes: 0f383b6dc96e ("locking/spinlock: Provide RT variant")
Reported-by: syzbot+000c800a02097aaa10ed@syzkaller.appspotmail.com
Decoded-by: Jann Horn <jannh@google.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/87jyrud75z.ffs@fw13
2026-06-20 | Merge tag 'hwlock-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux | Linus Torvalds
Pull hwspinlock update from Bjorn Andersson:

 - Avoid uninitialized struct members in the Qualcomm hwspinlock driver

* tag 'hwlock-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux:
  hwspinlock: qcom: avoid uninitialized struct members
2026-06-20 | Merge tag 'rpmsg-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux | Linus Torvalds
Pull rpmsg update from Bjorn Andersson:

 - Fix use-after-free in rpmsg-char driver

* tag 'rpmsg-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux:
  rpmsg: char: Fix use-after-free on probe error path
2026-06-20 | Merge tag 'rproc-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux | Linus Torvalds
Pull remoteproc updates from Bjorn Andersson:

 - Add i.MX94 support to the i.MX remoteproc driver, covering the Cortex-M7 and Cortex-M33 Sync cores. This also fixes programming of non-zero System Manager CPU/LMM reset vectors.

 - Move the remoteproc resource table definitions to a separate header, so they can be used by clients that do not otherwise depend on remoteproc. Switch the firmware resource handling over to the common iterator.

 - Update the Xilinx R5F remoteproc driver to check the remote core state before attaching, drop a binding header dependency, and add firmware-name based auto boot support.

 - Add Qualcomm Hawi ADSP/CDSP bindings, together with Shikra RPM bindings and CDSP, LPAICP, and MPSS PAS support. Fix a Qualcomm minidump leak, clean up PAS and WCSS reset handling, and make the user-visible Qualcomm naming consistent.

 - Remove a duplicate STM32_RPROC Kconfig dependency and make i.MX remoteproc instances use the device node name so multiple processors can be distinguished in sysfs.

* tag 'rproc-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux:
  remoteproc: qcom: pas: Drop start/stop completion from struct qcom_pas
  remoteproc: qcom: pas: Add Shikra remoteproc support
  dt-bindings: remoteproc: qcom,shikra-pas: Document Shikra PAS remoteprocs
  dt-bindings: remoteproc: Add Shikra RPM processor compatible
  remoteproc: qcom: Unify user-visible "Qualcomm" name
  remoteproc: qcom: Fix leak when custom dump_segments addition fails
  remoteproc: qcom_q6v5_wcss: drop redundant wcss_q6_bcr_reset
  dt-bindings: remoteproc: qcom,sm8550-pas: Add Hawi CDSP compatible
  dt-bindings: remoteproc: qcom,sm8550-pas: Add Hawi ADSP compatible
  remoteproc: xlnx: Enable auto boot feature
  dt-bindings: remoteproc: xlnx: Add firmware-name property
  remoteproc: xlnx: Remove binding header dependency
  remoteproc: imx_rproc: Use device node name as processor name
  remoteproc: use rsc_table_for_each_entry() in rproc_handle_resources()
  remoteproc: Move resource table data structure to its own header
  remoteproc: xlnx: Check remote core state
  remoteproc: imx_rproc: Add support for i.MX94
  remoteproc: imx_rproc: Program non-zero SM CPU/LMM reset vector
  dt-bindings: remoteproc: imx-rproc: Support i.MX94
  remoteproc: Dead code cleanup in Kconfig for STM32_RPROC
2026-06-21 | 9p: Add missing read barrier in virtio zero-copy path | Gui-Dong Han
Commit 2b6e72ed747f ("9P: Add memory barriers to protect request fields over cb/rpc threads handoff") added a read barrier after p9_client_rpc() waits for req->status, pairing with the write barrier in p9_client_cb(). The virtio zero-copy wait path was missed. Add the same read barrier after the zero-copy wait before reading the completed request. Fixes: 2b6e72ed747f ("9P: Add memory barriers to protect request fields over cb/rpc threads handoff") Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com> Message-ID: <20260529075441.233369-1-hanguidong02@gmail.com> Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
2026-06-21 | net/9p: Replace strlen() strcpy() pair with strscpy() | David Laight
Use the result of strscpy() for the overflow check. Signed-off-by: David Laight <david.laight.linux@gmail.com> Message-ID: <20260606202744.5113-3-david.laight.linux@gmail.com> Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
2026-06-21 | 9p: skip nlink update in cacheless mode to fix WARN_ON | Breno Leitao
v9fs_dec_count() unconditionally calls drop_nlink() on regular files, even when the inode's nlink is already zero. In cacheless mode the client refetches inode metadata from the server (the source of truth) on every operation, so by the time v9fs_remove() returns, the locally cached nlink may already reflect the post-unlink value:

1. Client initiates unlink, server processes it and sets nlink to 0
2. Client refetches inode metadata (nlink=0) before unlink returns
3. Client's v9fs_remove() completes successfully
4. Client calls v9fs_dec_count() which calls drop_nlink() on nlink=0

This race is easily triggered under heavy unlink workloads, such as stress-ng's unlink stressor, producing the following warning:

    WARNING: fs/inode.c:417 at drop_nlink+0x4c/0xc8
    Call trace:
      drop_nlink+0x4c/0xc8
      v9fs_remove+0x1e0/0x250 [9p]
      v9fs_vfs_unlink+0x20/0x38 [9p]
      vfs_unlink+0x13c/0x258
      ...

In cacheless mode the server is authoritative and the inode is on its way out, so locally adjusting nlink buys nothing. Skip v9fs_dec_count() entirely when neither CACHE_META nor CACHE_LOOSE is set, which both avoids the warning and removes a class of nlink races (two concurrent unlinkers observing nlink > 0 and both calling drop_nlink()) that an nlink == 0 guard alone would only narrow rather than close.

Fixes: ac89b2ef9b55 ("9p: don't maintain dir i_nlink if the exported fs doesn't either")
Cc: stable@vger.kernel.org
Suggested-by: Dominique Martinet <asmadeus@codewreck.org>
Signed-off-by: Breno Leitao <leitao@debian.org>
Message-ID: <20260421-9p-v2-1-48762d294fad@debian.org>
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
2026-06-21 | net/9p: fix race condition on rdma->state in trans_rdma.c | Yizhou Zhao
The rdma->state field is modified without holding req_lock in both recv_done() and p9_cm_event_handler(), while rdma_request() accesses the same field under the req_lock spinlock. This inconsistent locking creates a race condition:

- recv_done() running in softirq completion context sets rdma->state = P9_RDMA_FLUSHING without acquiring req_lock
- p9_cm_event_handler() modifies rdma->state at multiple points (ADDR_RESOLVED, ROUTE_RESOLVED, ESTABLISHED, CLOSED) without req_lock
- rdma_request() uses spin_lock_irqsave(&rdma->req_lock, flags) to protect the read-modify-write of rdma->state

The race can cause lost state transitions: recv_done() or the CM event handler could set state to FLUSHING/CLOSED while rdma_request() is concurrently checking or modifying state under the lock, leading to the FLUSHING transition being silently overwritten by CLOSING. This corrupts the connection state machine and can cause use-after-free on RDMA request objects during teardown.

Fix by adding req_lock protection to all rdma->state modifications in recv_done() and p9_cm_event_handler(), matching the pattern already used in rdma_request(). Use spin_lock_irqsave/spin_unlock_irqrestore in the CM event handler since it can race with recv_done() which runs in softirq context.

Tested with a kernel module that races two threads (simulating rdma_request and recv_done/CM handler) on rdma->state with proper locking: 5.5M+ FLUSHING writes over 27M iterations with 0 lost transitions.

Fixes: 473c7dd1d7b5 ("9p/rdma: remove useless check in cm_event_handler")
Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
Reported-by: Ao Wang <wangao@seu.edu.cn>
Reported-by: Xuewei Feng <fengxw06@126.com>
Reported-by: Qi Li <qli01@tsinghua.edu.cn>
Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
Assisted-by: GLM:GLM-5.1
Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Message-ID: <20260529073933.77315-1-zhaoyz24@mails.tsinghua.edu.cn>
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
2026-06-21 | 9p: v9fs_file_do_lock: replace WARN_ONCE with p9_debug | Dominique Martinet
This warning depends on server-provided data, we should not use WARN here Reported-by: Yifei Chu <yifeichu24@gmail.com> Closes: https://lore.kernel.org/r/CAPJnbgJ7ZK7DCjCfG56hd_iKGePmAzudb4hOWd4=9r32nM+KcA@mail.gmail.com Signed-off-by: Dominique Martinet <asmadeus@codewreck.org> Message-ID: <20260529-lock-warn-v1-1-20c29580d61d@codewreck.org>
2026-06-21 | 9p: Enable symlink caching in page cache | Remi Pommarel
Currently, when cache=loose is enabled, file reads are cached in the page cache, but symlink reads are not. This patch allows the results of p9_client_readlink() to be stored in the page cache, eliminating the need for repeated 9P transactions on subsequent symlink accesses. This change improves performance for workloads that involve frequent symlink resolution. Signed-off-by: Remi Pommarel <repk@triplefau.lt> Message-ID: <982462d17c0c0d2856763266a25eb04d080c1dbb.1779355927.git.repk@triplefau.lt> Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
2026-06-21 | 9p: Set default negative dentry retention time for cache=loose | Remi Pommarel
For cache=loose mounts, set the default negative dentry cache retention time to 24 hours. Signed-off-by: Remi Pommarel <repk@triplefau.lt> Message-ID: <b5beca3e70890ab8a4f0b9e99bd69cb97f5cb9eb.1779355927.git.repk@triplefau.lt> Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
2026-06-21 | 9p: Add mount option for negative dentry cache retention | Remi Pommarel
Introduce a new mount option, negtimeout, for v9fs that allows users to specify how long negative dentries are retained in the cache. The retention time can be set in milliseconds (e.g. negtimeout=10000 for a 10secs retention time) or a negative value (e.g. negtimeout=-1) to keep negative entries until the buffer cache management removes them. For consistency reasons, this option should only be used in exclusive or read-only mount scenarios, aligning with the cache=loose usage. Signed-off-by: Remi Pommarel <repk@triplefau.lt> Message-ID: <b2d66500aa5a2f6540347c4aa46a4be10dd01bc6.1779355927.git.repk@triplefau.lt> Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
2026-06-21 | 9p: Cache negative dentries for lookup performance | Remi Pommarel
Not caching negative dentries can result in poor performance for workloads that repeatedly look up non-existent paths. Each such lookup triggers a full 9P transaction with the server, adding unnecessary overhead. A typical example is source compilation, where multiple cc1 processes are spawned and repeatedly search for the same missing header files over and over again. This change enables caching of negative dentries, so that lookups for known non-existent paths do not require a full 9P transaction. The cached negative dentries are retained for a configurable duration (expressed in milliseconds), as specified by the ndentry_timeout field in struct v9fs_session_info. If set to -1, negative dentries are cached indefinitely. This optimization reduces lookup overhead and improves performance for workloads involving frequent access to non-existent paths. Signed-off-by: Remi Pommarel <repk@triplefau.lt> Message-ID: <e542317dd03bbadb5249abd3ea6aecfdca692c19.1779355927.git.repk@triplefau.lt> Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
2026-06-21 9p: avoid returning ERR_PTR(0) from mkdir operations Hongling Zeng
When mkdir succeeds, v9fs_vfs_mkdir_dotl() and v9fs_vfs_mkdir() return ERR_PTR(0) which is incorrect. They should return NULL instead for success and ERR_PTR() only with negative error codes for failure. Return NULL instead of passing to ERR_PTR while err is zero Fixes smatch warnings: fs/9p/vfs_inode_dotl.c:420 v9fs_vfs_mkdir_dotl() warn: passing zero to 'ERR_PTR' fs/9p/vfs_inode.c:695 v9fs_vfs_mkdir() warn: passing zero to 'ERR_PTR' The v9fs_vfs_mkdir() code was further simplified because v9fs_create() can never return NULL, so we do not need to check for fid being set separately, and the error path can be a simple return immediately after v9fs_create() failure. There is no intended functional change. Fixes: 88d5baf69082 ("Change inode_operations.mkdir to return struct dentry *") Suggested-by: David Laight <david.laight.linux@gmail.com> Acked-by: Christian Schoenebeck <linux_oss@crudebyte.com> Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn> Message-ID: <20260520022650.14217-1-zenghongling@kylinos.cn> Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
2026-06-21 9p: avoid putting oldfid in p9_client_walk() error path Yizhou Zhao
When p9_client_walk() is called with clone set to false, fid aliases oldfid. If the walk subsequently fails after the request has been sent, the error path jumps to clunk_fid, which currently calls p9_fid_put(fid) unconditionally. This drops a reference to oldfid even though ownership of oldfid remains with the caller. If this is the last reference, oldfid can be clunked and destroyed while the caller still expects it to be valid. A later use or put of oldfid can then trigger a use-after-free or refcount underflow. Fix this by only putting fid in the clunk_fid error path when it does not alias oldfid, matching the existing guard in the error path below. This can be triggered when a multi-component walk is split into multiple p9_client_walk() calls and a later non-cloning walk fails. A reproducer and refcount warning logs are available on request. Fixes: b48dbb998d70 ("9p fid refcount: add p9_fid_get/put wrappers") Cc: stable@vger.kernel.org Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn> Reported-by: Ao Wang <wangao@seu.edu.cn> Reported-by: Xuewei Feng <fengxw06@126.com> Reported-by: Qi Li <qli01@tsinghua.edu.cn> Reported-by: Ke Xu <xuke@tsinghua.edu.cn> Assisted-by: GLM 5.1 Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn> Message-ID: <20260528053918.53550-1-zhaoyz24@mails.tsinghua.edu.cn> Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
2026-06-20 mailbox: imx: Don't force-thread the primary handler Sebastian Andrzej Siewior
The primary interrupt handler (imx_mu_isr()) no longer invokes any callbacks; it only masks the interrupt source and returns. In a forced-threaded environment the IRQ-core will force-thread the primary handler which can be avoided. The primary handler uses a spinlock_t to protect the RMW operation in imx_mu_xcr_rmw() - nothing that may introduce long latencies. The lock can be turned into a raw_spinlock_t and then the primary handler can run in hardirq context even on PREEMPT_RT skipping one thread. Make struct imx_mu_priv::xcr_lock a raw_spinlock_t and skip force-threading the primary handler by marking it IRQF_NO_THREAD. Reviewed-by: Peng Fan <peng.fan@nxp.com> Reviewed-by: Mathieu Poirier <mathieu.poirier@linaro.org> Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
2026-06-20 mailbox: imx: Move the RXDB part of the mailbox into the threaded handler Sebastian Andrzej Siewior
Move RXDB callback handling into the threaded handler. This is similar to the RX side and since the imx_mu_dcfg::rxdb callback can return an error, the interrupt is only enabled on success. Move RXDB callback handling into the threaded handler. Reviewed-by: Peng Fan <peng.fan@nxp.com> Reviewed-by: Mathieu Poirier <mathieu.poirier@linaro.org> Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
2026-06-20 mailbox: imx: Move the RX part of the mailbox into the threaded handler Sebastian Andrzej Siewior
Move RX callback handling into the threaded handler. This is similar to the TX side except that we explicitly mask the source interrupt in the primary handler and unmask it in the threaded handler again after success. This was done automatically in the TX part. The masking/ unmasking can be removed from imx_mu_specific_rx() since it already happens in the primary/ threaded handler before invoking the channel specific callback. Move RX channel handling into threaded handler. Reviewed-by: Peng Fan <peng.fan@nxp.com> Reviewed-by: Mathieu Poirier <mathieu.poirier@linaro.org> Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
2026-06-20 mailbox: imx: Start splitting the IRQ handler in primary and threaded handler Sebastian Andrzej Siewior
Split the mailbox irq handling into a primary handler (imx_mu_isr()) and a threaded handler (imx_mu_isr_th()). The primary handler masks the interrupt event so the threaded handler can run without raising the interrupt again. The goal here is to invoke the mailbox core functions (such as mbox_chan_received_data(), mbox_chan_txdone()) in preemptible context which is made possible by using a threaded interrupt handler. This in turn means that mailbox's client callbacks are invoked in preemptible context, too. This then allows the mailbox client callback to skip an indirection via a workqueue if it requires a preemptible callback. As a first step, prepare the logic and move TX handling part. Reviewed-by: Peng Fan <peng.fan@nxp.com> Reviewed-by: Mathieu Poirier <mathieu.poirier@linaro.org> Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
2026-06-20 mailbox: imx: Use channel index instead of zero in imx_mu_specific_rx() Sebastian Andrzej Siewior
imx_mu_specific_rx() masks channel 0 and unmasks it again at the end of the function. Given that at startup the channel index got unmasked it should do the right job. This here either unmasks the actual channel or another one but should have no impact given that it reverses its doing at the end. Peng Fan commented here: | For specific rx channel, whether it is i.MX8 SCU or i.MX ELE, actually there is | only 1 channel as of now, but it seems better to use cp->idx in case more | channels in future. Use the channel index instead of zero. Reviewed-by: Peng Fan <peng.fan@nxp.com> Reviewed-by: Mathieu Poirier <mathieu.poirier@linaro.org> Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
2026-06-20 mailbox: imx: use devm_of_platform_populate() Sebastian Andrzej Siewior
The driver uses of_platform_populate() but does not remove the added devices on removal. This can lead to "double devices" on module removal followed by adding the module again. Use devm_of_platform_populate() to remove the populated devices once the parent device is removed. Reviewed-by: Peng Fan <peng.fan@nxp.com> Reviewed-by: Mathieu Poirier <mathieu.poirier@linaro.org> Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
2026-06-20 mailbox: imx: Use devm_pm_runtime_enable() Sebastian Andrzej Siewior
sashiko complained about early usage of the device while probe isn't completed. This can be mitigated by delaying the pm_runtime_enable() into the removal path instead of doing it early. This ensures that in an error case the device is removed (and imx_mu_shutdown()) before pm_runtime_disable() so we don't have to do this manually. For the order to work, let's move devm_mbox_controller_register() until after the pm-runtime part. So the reverse order will be mbox-controller removal followed by disabling pm runtime. Use devm_pm_runtime_enable(), remove manual pm_runtime_disable() invocations and move the pm_runtime handling in probe before devm_mbox_controller_register(). Reviewed-by: Peng Fan <peng.fan@nxp.com> Reviewed-by: Mathieu Poirier <mathieu.poirier@linaro.org> Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
2026-06-20 mailbox: imx: Add a channel shutdown field Sebastian Andrzej Siewior
sashiko complained about a possible teardown problem. The scenario

CPU 0                         CPU 1
imx_mu_isr()
                              imx_mu_shutdown()
                                imx_mu_xcr_rmw(priv, IMX_MU_RCR, 0, IMX_MU_xCR_RIEn(priv->dcfg->type, cp->idx));
  imx_mu_specific_rx()
    imx_mu_xcr_rmw(priv, IMX_MU_RCR, IMX_MU_xCR_RIEn(priv->dcfg->type, 0), 0);
                              free_irq()

The RX event remains enabled because in this short window the RX event was disabled in ->shutdown() while the interrupt was active and then enabled again by the ISR while ->shutdown waited in free_irq(). This race requires timing and if it happens can be problematic on shared handlers if the "removed" channel triggers an interrupt. In this case the irq-core will shutdown the interrupt with the "nobody cared" message. Introduce imx_mu_con_priv::shutdown to signal that the channel is shutting down. This flag is set with the lock held (by imx_mu_xcr_clr_shut()). The unmask side uses imx_mu_xcr_set_act() which only enables the event if the channel has not been shut down and serialises on the same lock. Reviewed-by: Peng Fan <peng.fan@nxp.com> Reviewed-by: Mathieu Poirier <mathieu.poirier@linaro.org> Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
2026-06-20 mailbox: imx: Forward the timeout/ error in imx_mu_generic_tx() Sebastian Andrzej Siewior
imx_mu_generic_tx() for the IMX_MU_TYPE_TXDB_V2 type polls on a register which may timeout and is recognized as an error. This error is silently dropped and not dropped to the caller. Forward the error to the caller. Fixes: b5ef17917f3a7 ("mailbox: imx: fix TXDB_V2 channel race condition") Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
2026-06-21 tpm: fix event_size output in tpm1_binary_bios_measurements_show Thorsten Blum
Commit 186d124f07da ("tpm_eventlog.c: fix binary_bios_measurements") split the output to write the endian-converted event header first and then the variable-length event data. However, the split was at sizeof(struct tcpa_event) - 1, even though event_data was a zero-length array, and later a flexible array member, both of which already excluded the event data. Therefore, the current code writes the first three bytes of event_size from the endian-converted header and then the last byte from the raw header, which can emit a corrupted event_size on PPC64, where do_endian_conversion() maps to be32_to_cpu(). Split one byte later to write the full endian-converted header first, followed by the variable-length event->event_data. Fixes: 186d124f07da ("tpm_eventlog.c: fix binary_bios_measurements") Cc: stable@vger.kernel.org # v5.10+ Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-21 tpm: tpm_crb_ffa: revert defered_probed when tpm_crb_ffa is built-in Yeoreum Yun
commit 746d9e9f62a6 ("tpm: tpm_crb_ffa: try to probe tpm_crb_ffa when it's built-in") probe tpm_crb_ffa forcefully when it's built-in to integrate with IMA. However, IMA now provides the IMA_INIT_LATE_SYNC build option, which initialises IMA at the late_initcall_sync level, so this change is no longer required. Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com> Link: https://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux.git/commit/?h=for-next/ffa/updates&id=cc7e8f21b9f0c229d68cf19a837cba82b5ac2d87 [0] Link: https://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux.git/commit/?h=for-next/ffa/updates&id=e659fc8e537c7a21d5d693d6f30d8852f2fa8d91 [1] Link: https://lore.kernel.org/r/20260605144325.434436-5-yeoreum.yun@arm.com Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-21 tpm: tpm2-sessions: wait for async KPP completion in tpm_buf_append_salt Michael Bommarito
tpm_buf_append_salt() in drivers/char/tpm/tpm2-sessions.c calls crypto_kpp_generate_public_key() and crypto_kpp_compute_shared_secret() without installing a completion callback, discards both return values, and immediately frees the kpp_request via kpp_request_free(). When the resolved ecdh-nist-p256 KPP backend is asynchronous (atmel-ecc, HPRE, keembay-ocs), either operation returns -EINPROGRESS and the deferred completion worker dereferences the freed request. The path fires automatically from the hwrng_fillfn kernel thread via tpm_get_random -> tpm2_get_random -> tpm2_start_auth_session -> tpm_buf_append_salt on every entropy poll, without any userland action. Install crypto_req_done as the completion callback, wrap both KPP operations in crypto_wait_req(), and propagate errors to the caller. The wait is a no-op for synchronous backends. Fixes: 1085b8276bb4 ("tpm: Add the rest of the session HMAC API") Cc: stable@vger.kernel.org # v6.10+ Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com> Assisted-by: Claude:claude-opus-4-7 Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-21 tpm: tpm_tis: Add settle time for some TPMs Jim Broadus
Some TPMs fail to grant locality when requested immediately after being relinquished. In this case, the TPM_ACCESS_REQUEST_USE bit of the TPM_ACCESS register is cleared immediately without setting TPM_ACCESS_ACTIVE_LOCALITY. This issue can be seen at boot since tpm_chip_start, called right after locality is relinquished, will fail. This causes the probe to fail: tpm_tis MSFT0101:00: probe with driver tpm_tis failed with error -1 This occurs on some older Dell Latitudes. For the Nuvoton TPM used in these machines, add a delay after locality is relinquished. Signed-off-by: Jim Broadus <jbroadus@gmail.com> Link: https://lore.kernel.org/r/20260526232245.5409-3-jbroadus@gmail.com Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-21 tpm: tpm_tis: store entire did_vid Jim Broadus
The entire 32 bit did_vid is read from the device, but only the 16 bit vendor id portion was stored in the tpm_tis_data structure. Storing the entire value allows the device id to be used to handle quirks. Printing the vid and did in the error case also helps identify problem devices. Signed-off-by: Jim Broadus <jbroadus@gmail.com> Link: https://lore.kernel.org/r/20260526232245.5409-2-jbroadus@gmail.com Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-21 tpm_crb: Check ACPI_COMPANION() against NULL during probe Rafael J. Wysocki
Every platform driver can be forced to match a device that doesn't match its list of device IDs because of device_match_driver_override(), so platform drivers that rely on the existence of a device's ACPI companion object need to verify its presence. Accordingly, add a requisite ACPI_COMPANION() check against NULL to the tpm_crb driver. Fixes: 48fe2cddc85c ("tpm_crb: Convert ACPI driver to a platform one") Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> Link: https://lore.kernel.org/r/2848144.mvXUDI8C0e@rafael.j.wysocki Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-21 tpm: tpm_tis_spi: Use wait_woken() in wait_for_tmp_stat() Jarkko Sakkinen
wait_event_interruptible_timeout() evaluates its condition after setting the current task state to TASK_INTERRUPTIBLE. With CONFIG_DEBUG_ATOMIC_SLEEP this triggers a warning when the IRQ wait path is used: tpm_tis_status() tpm_tis_spi_read_bytes() tpm_tis_spi_transfer_full() spi_bus_lock() mutex_lock() Address this with the following measures: 1. Call wait_tpm_stat_cond() only while tasking is running. 2. Use wait_woken() to wait for changes. Cc: stable@vger.kernel.org # v4.19+ Cc: Linus Walleij <linusw@kernel.org> Reported-by: Stefan Wahren <wahrenst@gmx.net> Closes: https://lore.kernel.org/linux-integrity/6964bec7-3dbb-453b-89ef-9b990217a8b9@gmx.net/ Fixes: 1a339b658d9d ("tpm_tis_spi: Pass the SPI IRQ down to the driver") Reviewed-by: Linus Walleij <linusw@kernel.org> Tested-by: Stefan Wahren <wahrenst@gmx.net> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-21 tpm: Initialize name_size_alg for non-NULL name in tpm_buf_append_name() Gunnar Kudrjavets
tpm_buf_append_name() supports callers passing a pre-computed name for handles. When name is non-NULL, the code skips the tpm2_read_public() path but leaves name_size_alg uninitialized before it is used as the memcpy size argument. No current in-tree caller passes a non-NULL name, but future use cases such as name caching would exercise this path. Initialize name_size_alg by calling name_size() on the caller-provided name, sharing the error check and assignment with the existing tpm2_read_public() path. This prevents unmasking a latent bug when the non-NULL name path is eventually used. Assisted-by: Kiro:claude-opus-4.6 Reviewed-by: Justinien Bouron <jbouron@amazon.com> Reviewed-by: Muhammad Hammad Ijaz <mhijaz@amazon.com> Signed-off-by: Gunnar Kudrjavets <gunnarku@amazon.com> Link: https://lore.kernel.org/r/20260510171152.4607-1-gunnarku@amazon.com Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-21 tpm: restore timeout for key creation commands Baoli Zhang
Commit 207696b17f38 ("tpm: use a map for tpm2_calc_ordinal_duration()") inadvertently reduced the timeout for TPM2 key creation commands (`CREATE_PRIMARY`, `CREATE`, `CREATE_LOADED`) from 300 seconds to 30 seconds. This causes intermittent timeout failures, with several failures observed across hundreds of test runs on some Intel platforms using Infineon SLB9670 and SLB9672 TPM modules. Restore the timeout to 300 seconds to avoid spurious failures. Cc: stable@vger.kernel.org # v6.18+ Fixes: 207696b17f38 ("tpm: use a map for tpm2_calc_ordinal_duration()") Co-developed-by: Lili Li <lili.li@intel.com> Signed-off-by: Lili Li <lili.li@intel.com> Signed-off-by: Baoli Zhang <baoli.zhang@linux.intel.com> Link: https://lore.kernel.org/r/20260421005021.13765-1-baoli.zhang@linux.intel.com Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-21 tpm: svsm: constify tpm_chip_ops David Windsor
Constify the SVSM vTPM ops. It is statically initialized and never written to, so let's store it in .rodata. Every other tpm_class_ops instance in drivers/char/tpm/ is already const. Signed-off-by: David Windsor <dwindsor@gmail.com> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Link: https://lore.kernel.org/r/20260505202738.145800-1-dwindsor@gmail.com Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>