summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2026-06-14cifs: remove all cifs files before kill superJian Zhang
Cifs files may be put into fileinfo_put_wq during umounting cifs. After umount done, cifsFileInfo_put_final is called, which cause following BUG: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... [ 134.222152] list_lru_add+0x64/0x1a0 [ 134.222399] ? cifs_put_tcon+0x171/0x340 [cifs] [ 134.222772] d_lru_add+0x44/0x60 [ 134.222997] dput+0x1fc/0x210 [ 134.223213] cifsFileInfo_put_final+0x11a/0x140 [cifs] [ 134.223576] process_one_work+0x17c/0x320 [ 134.223843] worker_thread+0x188/0x280 [ 134.224084] ? __pfx_worker_thread+0x10/0x10 [ 134.224366] kthread+0xcc/0x100 [ 134.224576] ? __pfx_kthread+0x10/0x10 [ 134.224827] ret_from_fork+0x30/0x50 [ 134.225063] ? __pfx_kthread+0x10/0x10 [ 134.225328] ret_from_fork_asm+0x1b/0x30 This can be reproduce by following: unshare -n bash -c " mkdir -p ${CIFS_MNT} ip netns attach root 1 ip link add eth0 type veth peer veth0 netns root ip link set eth0 up ip -n root link set veth0 up ip addr add 192.168.0.2/24 dev eth0 ip -n root addr add 192.168.0.1/24 dev veth0 ip route add default via 192.168.0.1 dev eth0 ip netns exec root sysctl net.ipv4.ip_forward=1 ip netns exec root iptables -t nat -A POSTROUTING -s 192.168.0.2 -o ${DEV} -j MASQUERADE mount -t cifs ${CIFS_PATH} ${CIFS_MNT} -o vers=3.0,sec=ntlmssp,credentials=${CIFS_CRED},rsize=65536,wsize=65536,cache=none,echo_interval=1 touch ${CIFS_MNT}/a.txt ip netns exec root iptables -t nat -D POSTROUTING -s 192.168.0.2 -o ${DEV} -j MASQUERADE " umount ${CIFS_MNT} Fixes: 340cea84f691 ("cifs: open files should not hold ref on superblock") Signed-off-by: Jian Zhang <zhangjian496@huawei.com> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-14smb: client: fix conflicting option validation for new mount APIHenrique Carvalho
Apply conflicting option validation consistently across all the new mount API paths, for both mount and remount. Some checks were only applied during initial mount validation, while others were handled during option parsing, causing mount and remount/reconfigure to behave differently. Move the conflicting option checks into smb3_handle_conflicting_options() and call it from the common validation paths, including for multichannel/max_channels handling. Fixes: 24e0a1eff9e2 ("cifs: switch to new mount api") Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-14cifs: invalidate cfid on unlink/rename/rmdirShyam Prasad N
Today we do not invalidate the cached_dirent or the entire parent cfid when a dentry in a dir has been removed/moved. This change invalidates the parent cfid so that we don't serve directory contents from the cache. Cc: <stable@vger.kernel.org> Signed-off-by: Shyam Prasad N <sprasad@microsoft.com> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-14i3c: master: Reconcile dynamic addresses after DAAAdrian Hunter
After Dynamic Address Assignment (DAA), there may be cases where devices have been assigned dynamic addresses on the bus, but are not successfully registered in the device model. This can happen, for example, if errors occur during device addition, leaving the bus state and software state inconsistent. Introduce a reconciliation step to resolve such inconsistencies. Scan all address slots marked as I3C devices by the bus, and compare them against the set of devices currently registered. For any dynamic address that is marked occupied but has no corresponding i3c_dev_desc, probe for device presence using a GETSTATUS CCC. Retry the probe (with exponential backoff delay) to handle transient NACK conditions. If a device responds, register it via i3c_master_add_i3c_dev_locked(). Otherwise, free the address slot so it may be reused in future DAA operations. Note, i3c_master_add_i3c_dev_locked() may fail (again), in which case the dynamic address remains marked as occupied. A future DAA will try again. This also handles a corner case where a device is assigned a dynamic address but not successfully added, and subsequently loses that address (e.g. due to power management). If DAA is run again, the device may receive a new dynamic address while the old one remains marked as occupied. Repeated occurrences of this scenario could eventually exhaust the dynamic address space. The reconciliation step ensures that stale addresses are detected and freed, preventing address leakage. Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260612080107.11606-8-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: master: Move DAA API functions after i3c_master_add_i3c_dev_locked()Adrian Hunter
Relocate i3c_master_do_daa_ext() and i3c_master_do_daa() so they appear after i3c_master_add_i3c_dev_locked(). This ordering is required for upcoming changes where the DAA flow will (indirectly) rely on i3c_master_add_i3c_dev_locked() functionality. Reordering avoids forward dependency issues and keeps related code paths logically arranged. No functional change. Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260612080107.11606-7-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: master: Make i3c_master_add_i3c_dev_locked() return voidAdrian Hunter
The return value of i3c_master_add_i3c_dev_locked() is not used by any caller, and callers are not in a position to recover from failures in this path. Change the function to return void. Amend the kernel-doc accordingly, fix some grammar and remove a stale paragraph. Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260612080107.11606-6-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: mipi-i3c-hci: Tolerate i3c_master_add_i3c_dev_locked() failures in DAAAdrian Hunter
i3c_master_add_i3c_dev_locked() no longer leaves the address marked as free on failure, so aborting the DAA sequence on its error is unnecessary. Failure to register a discovered device does not invalidate the entire Dynamic Address Assignment (DAA) procedure. Align with the behavior of other I3C master drivers by ignoring errors from i3c_master_add_i3c_dev_locked() and continuing enumeration. Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260612080107.11606-5-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: master: Prevent reuse of dynamic address on device add failureAdrian Hunter
i3c_master_add_i3c_dev_locked() is called after a device has already been assigned a dynamic address. If the function fails, the address remains marked as free and may be reallocated to another device, leading to address conflicts on the bus. Ensure the address is not marked as free on failure, by updating the address slot state to prevent the address from being re-used. Emit an error message to inform of the failure. Opportunistically remove the !master check because it is impossible. Note, directly resetting the device's dynamic address is no longer an option, since Direct RSTDAA was deprecated from I3C starting from version 1.1 and v1.1 (or later) target devices are meant to NACK it. Fixes: 3a379bbcea0af ("i3c: Add core I3C infrastructure") Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260612080107.11606-4-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: mipi-i3c-hci: Ignore DISEC failures when disabling IBIsAdrian Hunter
Disabling IBIs currently returns the result of the DISEC CCC, causing i3c_hci_disable_ibi() to fail if the transfer errors out. However, the controller has already been programmed to reject IBIs by setting DAT_0_SIR_REJECT, so the target’s IBIs are effectively disabled from the host side regardless of the outcome of the DISEC command. At this point, teardown of the IBI infrastructure can safely proceed even if DISEC fails. Note, from then on, the MIPI I3C HCI not only NACKs the target's IBI but automatically sends another DISEC command. Make i3c_hci_disable_ibi() resilient by ignoring the return value of i3c_master_disec_locked() and always returning success. Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260612080107.11606-3-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: mipi-i3c-hci: Fix race in i3c_hci_addr_to_dev()Adrian Hunter
i3c_hci_addr_to_dev() walks bus->devs.i3c, which is protected by bus.lock (rwsem). However, it is invoked from the MIPI I3C HCI IRQ handler, which cannot take bus.lock. This allows concurrent device addition/removal in the I3C core to modify the list while it is being traversed, potentially leading to use-after-free or crashes. Remove the dependency on the bus device list and introduce a dedicated lookup table. Add an ibi_devs[] array indexed by DAT entry, maintained under hci->lock. Update the array when IBIs are enabled or disabled, so that it always reflects the set of devices allowed to generate IBIs. Also update when IBIs are freed, to cover the corner case when an IBI is freed without first being disabled (e.g. oldedev in i3c_master_add_i3c_dev_locked()). Move i3c_hci_addr_to_dev() into core.c, reimplement it using the new array, and add a lockdep assertion to enforce that hci->lock is held by callers. Demote a message in PIO and DMA IBI handling, from an error to a debug message, because there is a race window when the condition can arise normally. Fixes: 9ad9a52cce282 ("i3c/master: introduce the mipi-i3c-hci driver") Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260612080107.11606-2-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: mipi-i3c-hci: Add Hot-Join supportAdrian Hunter
Wire the MIPI I3C HCI driver into the I3C core Hot-Join framework to allow targets to dynamically join the bus after initial DAA. HCI hardware ACKs or NACKs Hot-Join requests based on HC_CONTROL.HOT_JOIN_CTRL. This was previously left in the NACK-and-DISEC state, effectively preventing Hot-Join. Implement the ->enable_hotjoin() and ->disable_hotjoin() master operations so the core and user space can control this policy at runtime. Also issue broadcast ENEC HJ when enabling Hot-Join. This is required because the controller may have previously DISEC'ed the Hot-Join event, causing targets that were NACKed once to never retry. Acknowledged Hot-Join requests are delivered as IBIs on the reserved address 0x02. Update both the DMA and PIO IBI paths to recognise this address and forward the event to i3c_master_queue_hotjoin(). To make Hot-Join usable by default, enable it once after the initial DAA. This is gated by rpm_ibi_allowed, since otherwise keeping Hot-Join enabled prevents runtime suspend. A new hj_init_done flag ensures this one-time enablement is not repeated on subsequent DAAs. Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260608054312.10604-9-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: master: Export i3c_master_enec_disec_locked()Adrian Hunter
The existing i3c_master_enec_locked() wrapper always treats a NACKed ENEC CCC as a failure (M2 error). However, broadcasting ENEC to enable Hot-Join is legitimately useful even when no I3C devices are currently present on the bus, in which case the broadcast will be NACKed and should not be reported as an error. The underlying helper i3c_master_enec_disec_locked() already accepts a suppress_m2 flag that lets callers ignore such NACKs. Expose it so that a subsequent patch enabling Hot-Join events can issue ENEC with M2 suppression. Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260608054312.10604-8-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: master: Defer new-device registration out of DAA caller contextAdrian Hunter
Master drivers may invoke i3c_master_do_daa_ext() during resume to re-run Dynamic Address Assignment. As well as assigning addresses to any newly arrived devices, this restores the dynamic address of devices that lost it across system suspend, so it has to run as part of the controller's resume path. A side effect of i3c_master_do_daa_ext() today is that it also registers any newly discovered I3C devices with the driver model inline, via i3c_master_register_new_i3c_devs(). Doing that from the resume path is problematic: a hot-join-capable device may join the bus during this same DAA, and registering it immediately would push driver model work (probing, sysfs, etc.) into the controller's resume context, where the rest of the system is not yet fully resumed and the controller driver is still partway through its own resume sequence. Decouple discovery from registration: add a reg_work work item to struct i3c_master_controller and have i3c_master_do_daa_ext() queue it on master->wq (the freezable workqueue) instead of calling i3c_master_register_new_i3c_devs() directly. The worker performs the registration only when the controller is not shutting_down, and is cancelled alongside hj_work in i3c_master_shutdown(). Because wq is freezable, any newly observed devices end up being registered after the system has finished resuming. i3c_master_register() also routes its initial post-bus-init registration through reg_work, using flush_work() to keep probe-time behavior synchronous. This keeps a single registration code path and ensures the worker is the only writer of desc->dev. Fixes: 3a379bbcea0af ("i3c: Add core I3C infrastructure") Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260608054312.10604-7-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: dw: Drop redundant Hot-Join cancel_work_sync() in shutdownAdrian Hunter
The I3C core now installs an i3c_bus_type shutdown callback that flushes master->hj_work (via i3c_master_shutdown()) before any driver's platform shutdown hook runs. The explicit cancel_work_sync() in dw_i3c_shutdown() is therefore redundant: by the time it executes, the Hot-Join worker has already been cancelled, and the shutting_down gate makes a new worker a no-op. Remove the now-unneeded call. No functional change. Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260608054312.10604-6-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: master: Ensure Hot-Join operations are stopped on shutdownAdrian Hunter
System shutdown invokes each device's bus shutdown callback to quiesce hardware, but the I3C bus type does not currently implement one. As a result, on shutdown the controller's Hot-Join work and any in-flight i3c_master_do_daa() can keep running (or be newly triggered) while the rest of the system is being torn down. A similar window exists at i3c_master_unregister() time: cancel_work_sync() on hj_work prevents queued work from completing, but does not stop a fresh Hot-Join IBI from re-queueing the worker, nor a concurrent sysfs writer from toggling Hot-Join via i3c_set_hotjoin(). Introduce a single "shutting down" gate in the I3C core, set under the bus maintenance lock so it is observed by any in-progress DAA path before pending work is cancelled. Install an i3c_bus_type shutdown callback that engages this gate for master devices during system shutdown, and use the same gate in i3c_master_unregister() so both paths get identical guarantees. Once the gate is engaged, the Hot-Join worker, i3c_master_do_daa_ext() and i3c_set_hotjoin() all bail out cleanly, so Hot-Join IBIs that race with shutdown become no-ops, direct DAA callers see -ENODEV, and sysfs writers can no longer re-enable Hot-Join through ops->enable_hotjoin() while the controller is going away. No functional change for the steady-state runtime path; the new checks only take effect once the controller has been marked as shutting down. Note, this patch depends on patch "i3c: master: Consolidate Hot-Join DAA work in the core". Fixes: 3a379bbcea0af ("i3c: Add core I3C infrastructure") Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260608054312.10604-5-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: master: Consolidate Hot-Join DAA work in the coreAdrian Hunter
Three master drivers (dw-i3c-master, i3c-master-cdns, svc-i3c-master) each carry an essentially identical Hot-Join handler: a struct work_struct embedded in their private state, a work function that just calls i3c_master_do_daa() on the embedded i3c_master_controller, plus matching INIT_WORK()/cancel_work_sync() boilerplate in probe/remove (and shutdown for dw-i3c). The IBI/ISR paths then queue that work onto master->wq, which already lives in the core. Move this pattern into the I3C core: - Add struct work_struct hj_work to struct i3c_master_controller and initialise it in i3c_master_register() with a core-provided handler i3c_master_hj_work_fn() that performs i3c_master_do_daa(). - Cancel the work in i3c_master_unregister() so all controllers get correct teardown ordering against the workqueue for free. - Export i3c_master_queue_hotjoin() as the single entry point drivers call from their Hot-Join IBI handler. Convert the three existing users to the new API: drop their private hj_work fields, work functions, INIT_WORK() and cancel_work_sync() calls, and replace the queue_work(master->wq, &drv->hj_work) call sites with i3c_master_queue_hotjoin(&drv->base). The dw-i3c shutdown path still needs to flush pending Hot-Join work before tearing down the hardware, so it is updated to cancel master->base.hj_work directly. No functional change intended: the work is still queued on the same master->wq, runs the same i3c_master_do_daa(), and is cancelled at controller teardown. Future Hot-Join improvements now only need to be made in one place. Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260608054312.10604-4-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: master: Serialize i3c_set_hotjoin() with the maintenance lockAdrian Hunter
i3c_set_hotjoin() dispatches the controller's enable_hotjoin() or disable_hotjoin() op and updates master->hotjoin under i3c_bus_normaluse_lock(). That lock is a read-side acquisition of bus->lock (down_read()), so it does not exclude concurrent callers. The hotjoin sysfs attribute can be opened multiple times, and writes through different opens are not serialized. Two concurrent writers to "hotjoin" can therefore race in i3c_set_hotjoin(), with the controller op and the master->hotjoin store from one call interleaving with the other. The hardware enable/disable state and the value reported by hotjoin_show() can end up out of sync. Take i3c_bus_maintenance_lock() instead. Toggling Hot Join enable changes bus state and is conceptually a maintenance operation, so the write-side acquisition of bus->lock is the appropriate lock and serializes concurrent callers against each other and against other maintenance operations. Fixes: 317bacf960a48 ("i3c: master: add enable(disable) hot join in sys entry") Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260608054312.10604-3-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: master: Make hot-join workqueue freezable to block hot-join during suspendAdrian Hunter
The I3C master workqueue (master->wq) is used to defer work that needs thread context and the bus maintenance lock, most notably Hot Join processing (which calls i3c_master_do_daa() to assign dynamic addresses to newly joined devices). Currently the workqueue keeps running across system suspend, which can race with the suspend path: - do_daa() may execute after the controller has been suspended, issuing bus transactions on a powered-down or otherwise unusable controller. - New I3C devices can be enumerated and added to the bus mid-suspend, registering driver model objects at a point where the I3C subsystem and its consumers are not prepared to handle them. Mark the workqueue WQ_FREEZABLE so its workers are frozen for the duration of system suspend/hibernate and resumed afterwards. This naturally defers any pending or newly queued Hot Join work until the system (and the controller) is fully resumed, closing both races without adding explicit suspend/resume synchronization in the master drivers. Update the kerneldoc for struct i3c_master_controller::wq to reflect that the workqueue is freezable. Fixes: 3a379bbcea0af ("i3c: Add core I3C infrastructure") Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260608054312.10604-2-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14selftests/landlock: Add tests for invalid use of quiet flagTingmao Wang
Make sure that these calls return EINVAL. Test coverage for security/landlock is 91.6% of 2347 lines according to LLVM 22. Assisted-by: GitHub-Copilot:claude-opus-4.8 Signed-off-by: Tingmao Wang <m@maowtm.org> Link: https://patch.msgid.link/9401d5c6468675863d944d6c26640d97db1a1f31.1781228815.git.m@maowtm.org [mic: Add test coverage] Signed-off-by: Mickaël Salaün <mic@digikod.net>
2026-06-14selftests/landlock: Add tests for quiet flag with scopeTingmao Wang
Enhance scoped_audit.connect_to_child and audit_flags.signal to test interaction with various quiet flag settings. Signed-off-by: Tingmao Wang <m@maowtm.org> Link: https://patch.msgid.link/032849ca97bd45b2e14f96192b61537ed9405a0d.1781228815.git.m@maowtm.org [mic: Fix comment formatting] Signed-off-by: Mickaël Salaün <mic@digikod.net>
2026-06-14selftests/landlock: Add tests for quiet flag with net rulesTingmao Wang
Tests that: - Quiet flag works on network rules - Quiet flag applied to unrelated ports has no effect - Denied access not in quiet_access_net is still logged This is not as thorough as the fs tests, but given the shared logic it should be sufficient. There is also no "optional" access for network rules. Signed-off-by: Tingmao Wang <m@maowtm.org> Assisted-by: GitHub-Copilot:claude-opus-4.7 copilot-review Link: https://patch.msgid.link/364fbd08081318d64bc23049d3a7721f0a3a3624.1781228815.git.m@maowtm.org Signed-off-by: Mickaël Salaün <mic@digikod.net>
2026-06-14selftests/landlock: Add tests for quiet flag with fs rulesTingmao Wang
Test various interactions of the quiet flag with filesystem rules: - Non-optional access (tested with open and rename). - Optional access (tested with truncate and ioctl). - Behaviour around mounts matches with normal Landlock rules. - Behaviour around disconnected directories matches with normal Landlock rules (test expected behaviour of 9a868cdbe66a ("landlock: Fix handling of disconnected directories") applied to the collected quiet flag). - Multiple layers works as expected. Assisted-by: GitHub-Copilot:claude-opus-4.6 copilot-review Signed-off-by: Tingmao Wang <m@maowtm.org> Link: https://patch.msgid.link/0f304507dd3ebccc753e1580456bdfc909012357.1781228815.git.m@maowtm.org [mic: Fix comment formatting] Signed-off-by: Mickaël Salaün <mic@digikod.net>
2026-06-14selftests/landlock: Replace hard-coded 16 with a constantTingmao Wang
The next commit will reuse this number. Make it a shared constant to future-proof changes. Signed-off-by: Tingmao Wang <m@maowtm.org> Link: https://patch.msgid.link/eff35caa9b4ac51aa83a88d67c4dd67f4f8b3a4a.1781228815.git.m@maowtm.org Signed-off-by: Mickaël Salaün <mic@digikod.net>
2026-06-14samples/landlock: Add quiet flag support to sandboxerTingmao Wang
Adds ability to set which access bits to quiet via LL_*_QUIET_ACCESS (FS, NET or SCOPED), and attach quiet flags to individual objects via LL_*_QUIET for FS and NET. Assisted-by: GitHub-Copilot:claude-opus-4.8 copilot-reviepickw Signed-off-by: Tingmao Wang <m@maowtm.org> Link: https://patch.msgid.link/59b94997565032bc9870044f021214a2ed6df213.1781228815.git.m@maowtm.org [mic: Fix comment formatting] Signed-off-by: Mickaël Salaün <mic@digikod.net>
2026-06-14landlock: Suppress logging when quiet flag is presentTingmao Wang
The quietness behaviour is as documented in the previous patch. For optional accesses, since the existing deny_masks can only store 2x4bit of layer index, with no way to represent "no layer", we need to either expand it or have another field to correctly handle quieting of those. This commit uses the latter approach - we add another field to store which optional access (of the 2) are covered by quiet rules in their respective layers as stored in deny_masks. Assisted-by: GitHub-Copilot:claude-opus-4.8 copilot-review Signed-off-by: Tingmao Wang <m@maowtm.org> Link: https://patch.msgid.link/2510a357a94183683eefc49917dcb2240d67be96.1781228815.git.m@maowtm.org [mic: Cosmetic fixes] Signed-off-by: Mickaël Salaün <mic@digikod.net>
2026-06-14landlock: Add API support and docs for the quiet flagsTingmao Wang
Adds the UAPI for the quiet flags feature (but not the implementation yet). Even though currently LANDLOCK_ADD_RULE_QUIET only affects audit logging, in the future this can also be used as part of a supervisor mechanism, where it will also suppress denial notifications on a per-object basis. Thus the name is deliberately generic, as opposed to e.g. LANDLOCK_ADD_RULE_LOG_QUIET. According to pahole, even after adding the struct access_masks quiet_masks in struct landlock_hierarchy, the u32 log_* bitfield still only has a size of 2 bytes, so there's minimal wasted space. Assisted-by: GitHub-Copilot:claude-opus-4.8 Signed-off-by: Tingmao Wang <m@maowtm.org> [mic: Update date, fix comment formatting] Link: https://patch.msgid.link/031184748a8e74c0bb02f1fa13d7a3f10918c627.1781228815.git.m@maowtm.org Signed-off-by: Mickaël Salaün <mic@digikod.net>
2026-06-14landlock: Add a place for flags to layer rulesTingmao Wang
To avoid unnecessarily increasing the size of struct landlock_layer, we make the layer level a u8 and use the space to store the flags struct. struct layer_access_masks is renamed to struct layer_masks, and a new field is added to track whether a quiet flag rule is seen for each layer. Through use of bitfields, this does not increase the size of the struct. Cc: Justin Suess <utilityemal77@gmail.com> Assisted-by: GitHub-Copilot:claude-opus-4.8 copilot-review Signed-off-by: Tingmao Wang <m@maowtm.org> Co-developed-by: Justin Suess <utilityemal77@gmail.com> Signed-off-by: Justin Suess <utilityemal77@gmail.com> Tested-by: Justin Suess <utilityemal77@gmail.com> Link: https://patch.msgid.link/be3fec3927bc9faaacd4ce0e7f0d1ff5474e2210.1781228815.git.m@maowtm.org [mic: Fix comment formatting] Signed-off-by: Mickaël Salaün <mic@digikod.net>
2026-06-14landlock: Add documentation for UDP supportMatthieu Buffet
Add example of UDP usage, without detailing the two access right. Slightly change the example used in code blocks: build a ruleset for a DNS client, so that it uses both TCP and UDP. Test coverage for security/landlock is 91.3% of 2245 lines according to LLVM 22. Signed-off-by: Matthieu Buffet <matthieu@buffet.re> Link: https://patch.msgid.link/20260611162107.49278-7-matthieu@buffet.re [mic: Fix doc formatting, update audit doc, add test coverage] Signed-off-by: Mickaël Salaün <mic@digikod.net>
2026-06-14ALSA: timer: Fix racy timeri->timer changes with rwlockTakashi Iwai
Although we've covered the races around the timer object assignment and release for timer instances, there are still races at starting or stopping the timer instance. They refer to timeri->timer without lock, hence they can still trigger UAFs. For addressing it, this patch changes the existing slave_active_lock spinlock to timeri_lock rwlock. It's a global rwlock applied as read-lock when snd_timer_start() & co are called as well as snd_timeri_timer_get() is called. In turn, the places where timeri->timer is assigned or released are covered by the write-lock. The patch replaces spinlock_irqsave with spinlock in a couple of spaces because they are now already protected by timeri_lock, too. Reported-by: Kyle Zeng <kylebot@openai.com> Link: https://patch.msgid.link/20260614090714.773216-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de>
2026-06-14ALSA: core: Fix unintuitive behavior of snd_power_ref_and_wait()Takashi Iwai
snd_power_ref_and_wait() takes the power refcount and doesn't leave it no matter whether it returns an error or not. However, the majority of callers don't expect but just returns without unreferencing in the caller side upon errors. For addressing the potential refcount unbalance, rather correct the behavior of snd_power_ref_wait() to unreference upon returning an error. Note that the problem above is likely negligible; the function returns an error only when the sound card is being shutdown, hence it doesn't matter about the power refcount any longer at such a state. Fixes: e94fdbd7b25d ("ALSA: control: Track in-flight control read/write/tlv accesses") Reported-by: WenTao Liang <vulab@iscas.ac.cn> Closes: https://lore.kernel.org/20260612022121.14329-1-vulab@iscas.ac.cn Link: https://patch.msgid.link/20260614090507.772540-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de>
2026-06-14i3c: mipi-i3c-hci: Increase DMA transfer ring size to maximumAdrian Hunter
The DMA transfer ring is currently limited to 16 entries, despite the MIPI I3C HCI supporting up to 32 devices. When the ring lacks space for a new transfer list, the driver returns -EBUSY, which can be unexpected for clients. Increase the DMA transfer ring size to the maximum supported value of 255 entries. This effectively eliminates ring-space exhaustion in practice and avoids the complexity of adding secondary queuing mechanisms. Even at the maximum size, the memory overhead remains small (approximately 24 bytes per entry by default). Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260603090754.16252-18-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: mipi-i3c-hci: Consolidate DMA ring allocationAdrian Hunter
dma_alloc_coherent() allocates memory in whole pages, which can waste space when command and response queues are allocated separately. Allocate the DMA command and response queues from a single coherent allocation instead, while preserving the required 4-byte alignment. This reduces memory overhead without changing behavior. Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260603090754.16252-17-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: mipi-i3c-hci: Base timeouts on actual transfer start timeAdrian Hunter
Transfer timeouts are currently measured from the point where a transfer list is queued to the controller. This can cause transfers to time out before they have actually started, if earlier queued transfers consume the timeout interval. Fix this by recording when a transfer reaches the head of the queue and adjusting the timeout calculation to start from that point. The existing low-overhead completion-based timeout mechanism is preserved, but care is taken to ensure the transfer start time is consistently recorded for both PIO and DMA paths. This prevents premature timeouts while retaining efficient timeout handling. Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260603090754.16252-16-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: mipi-i3c-hci: Wait for NoOp commands to completeAdrian Hunter
When a transfer list is only partially completed due to an error, hci_dma_dequeue_xfer() overwrites the remaining DMA ring entries with NoOp commands and restarts the ring to flush them out. While NoOp commands are expected to complete successfully, they may still fail to complete if the DMA ring is stuck. Explicitly wait for the NoOp commands to finish, and trigger controller recovery if they do not complete or report an error. This ensures that partially completed transfer lists are reliably resolved and that a stuck ring is recovered promptly. Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260603090754.16252-15-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: mipi-i3c-hci: Add DMA-mode recovery for internal controller errorsAdrian Hunter
Handle internal I3C HCI errors when operating in DMA mode by adding a simple recovery mechanism. On detection of an internal controller error, mark recovery as needed and attempt to restore operation by performing a software reset followed by state restore. To keep recovery straightforward on this unlikely error path, all currently queued transfers are terminated and completed with an error. This allows the controller to resume operation after internal failures rather than remaining permanently stuck. Note, internal errors indicated by INTR_HC_INTERNAL_ERR, cause the controller to stop. Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260603090754.16252-14-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: mipi-i3c-hci: Factor out reset-and-restore helperAdrian Hunter
Factor the reset-and-restore sequence out of i3c_hci_rpm_resume() into a separate helper. This allows the same logic to be reused for recovery paths in subsequent changes without duplicating suspend/resume handling. No functional change. Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260603090754.16252-13-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: mipi-i3c-hci: Add DMA ring abort quirk for Intel controllersAdrian Hunter
DMA rings can be aborted either per-ring via RING_CONTROL or globally via HC_CONTROL_ABORT. The driver currently relies on the per-ring mechanism. Some Intel I3C HCI controllers require HC_CONTROL_ABORT to be asserted before a DMA ring abort is effective. This behavior is non-standard. Introduce a controller quirk to select the required abort method and enable it for Intel LPSS I3C controllers. Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260603090754.16252-12-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: mipi-i3c-hci: Factor out hci_dma_abort()Adrian Hunter
Factor out hci_dma_abort() from hci_dma_dequeue_xfer() in preparation for further changes. Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260603090754.16252-11-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: mipi-i3c-hci: Add DMA ring abort/reset quirk for Intel controllersAdrian Hunter
Some Intel I3C HCI controllers cannot reliably restart a DMA ring after an ABORT. Additional queue resets are required to recover, and must be performed using PIO reset bits even while operating in DMA mode. This behavior is non-standard. Introduce a controller quirk to opt into the required PIO queue resets after a DMA ring abort, and enable it for Intel LPSS I3C controllers. Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260603090754.16252-10-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: mipi-i3c-hci: Avoid restarting DMA ring after aborting wrong transferAdrian Hunter
Software ABORT of the DMA ring is used to recover from transfer list timeouts, but it is inherently racy. The intended transfer list may complete just before the ABORT takes effect, causing the subsequent transfer list to be aborted instead. In this case, an incomplete transfer list may remain in the ring and has not yet been processed by hci_dma_dequeue_xfer(). Restarting the DMA ring at that point can lead to unpredictable results. Detect when the next queued transfer is not the first entry of a transfer list and does not belong to the list currently being dequeued. In that case, skip restarting the DMA ring and defer recovery until a subsequent call to hci_dma_dequeue_xfer(), which will safely restart the ring once the incomplete list is handled. Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260603090754.16252-9-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: mipi-i3c-hci: Complete transfer lists immediately on errorAdrian Hunter
In DMA mode, transfer lists are currently completed only when the final transfer in the list completes. If an earlier transfer fails, the list is left incomplete and callers wait until timeout. There is no need to wait for a timeout, as the completion path in i3c_hci_process_xfer() already checks for error status. Complete the transfer list as soon as any transfer in the list reports an error. This avoids unnecessary delays and spurious timeouts on error. Complete a transfer list completion immediately there is an error. Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260603090754.16252-8-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: mipi-i3c-hci: Call hci_dma_xfer_done() from dequeue pathAdrian Hunter
hci_dma_dequeue_xfer() relies on state normally updated by the DMA interrupt handler. Ensure that state is current by explicitly invoking hci_dma_xfer_done() from the dequeue path. This handles cases where the interrupt handler has not (yet) run. Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260603090754.16252-7-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: mipi-i3c-hci: Move hci_dma_xfer_done() definitionAdrian Hunter
Move hci_dma_xfer_done() earlier in the file to avoid a forward declaration needed by a subsequent change. No functional change. Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260603090754.16252-6-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: mipi-i3c-hci: Wait for DMA ring restart to completeAdrian Hunter
Although hci_dma_dequeue_xfer() is serialized against itself via control_mutex, this does not guarantee that a DMA ring restart triggered by a previous invocation has fully completed. When the function is called again in rapid succession, the DMA ring may still be transitioning back to the running state, which may confound or disrupt further state changes. Address this by waiting for the DMA ring restart to complete before continuing. Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260603090754.16252-5-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: mipi-i3c-hci: Prevent DMA enqueue while ring is aborting or in errorAdrian Hunter
Block the DMA enqueue path while a Ring abort is in progress or after an error condition has been detected. Previously, new transfers could be enqueued while the DMA Ring was being aborted or while error handling was underway. This allowed enqueue and error-recovery paths to run concurrently, potentially interfering with each other and corrupting Ring state. Introduce explicit enqueue blocking and a wait queue to serialize access: enqueue operations now wait until abort or error handling has completed before proceeding. Enqueue is unblocked once the Ring is safely restarted. Note, there is only 1 ring bundle configured, and a transfer error causes the controller to halt ring (bundle) operation, so there is only ever 1 outstanding error at a time. Furthermore, a later patch ensures that only the currently active transfer list can time out. Consequently, the DMA queue will not be unblocked while there are outstanding transfer errors or timeouts. Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260603090754.16252-4-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: mipi-i3c-hci: Preserve RUN bit when aborting DMA ringAdrian Hunter
The MIPI I3C HCI specification does not require the DMA ring RUN bit (RUN_STOP) to be cleared when issuing an ABORT. That allows the DMA ring to continue to receive IBIs, although an IBI is anyway not lost because it can be received once the ring restarts if the I3C device has not given up. Note, currently ABORT is only used on a timeout error path so the change has very little effect in practice. In the more common case of a transfer error, the ring (bundle) operation is halted by the controller anyway. Adjust the RING_CONTROL handling to set ABORT without clearing RUN_STOP, bringing the driver into alignment with the specification. Fixes: b795e68bf3073 ("i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue") Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260603090754.16252-3-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14i3c: mipi-i3c-hci: Fix suspend behavior when bus disable falls back to ↵Adrian Hunter
software reset Software reset was introduced as a fallback if bus disable failed. The change was made in 2 places: the cleanup path and the suspend path. For the cleanup path (i3c_hci_bus_cleanup()), after software reset the function continues to do cleanup for the current I/O mode. For the suspend path (i3c_hci_rpm_suspend()), after software reset the function returns early. However software reset does not reset any Ring Headers in the Host Controller, so returning early is not the right thing to do. Instead, continue to call suspend for the current I/O mode, which for DMA mode will reset any Ring Headers. Note, although Ring Headers should not be active at this stage, performing this reset follows the procedure defined by the specification and keeps the suspend path consistent with the cleanup path. Note also, i3c_hci_sync_irq_inactive() is still called via the PIO and DMA hci->io->suspend() callbacks. Always return 0 because the device is quiesced as much as possible and returning a negative error code would unnecessarily prevent system suspend. Fixes: 9a258d1336f7 ("i3c: mipi-i3c-hci: Fallback to software reset when bus disable fails") Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260603090754.16252-2-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-14Linux 7.1v7.1Linus Torvalds
2026-06-14Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rmk/linuxLinus Torvalds
Pull ARM fixes from Russell King: - Avoid KASAN instrumentation of half-word IO - Use a byte load for KASAN shadow stack - Fix kexec and hibernation with PAN * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rmk/linux: ARM: 9476/1: mm: fix kexec and hibernation with CONFIG_CPU_TTBR0_PAN ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow ARM: 9474/1: io: avoid KASAN instrumentation of raw halfword I/O
2026-06-14geneve: Fix off-by-one comparing with GRO_LEGACY_MAX_SIZEAlice Mikityanska
GRO_LEGACY_MAX_SIZE = 65536; total_len being 65536 is too big to fit into a u16. As can be seen in skb_gro_receive, packets bigger or equal to gro_max_size (or GRO_LEGACY_MAX_SIZE) are dropped with -E2BIG. Apply the same boundary to geneve_post_decap_hint to avoid writing 65536 to a 16-bit iph->tot_len field with an overflow. Fixes: fd0dd796576e ("geneve: use GRO hint option in the RX path") Signed-off-by: Alice Mikityanska <alice@isovalent.com> Reviewed-by: Willem de Bruijn <willemb@google.com> Link: https://patch.msgid.link/20260611192955.604661-3-alice.kernel@fastmail.im Signed-off-by: Paolo Abeni <pabeni@redhat.com>