Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v7.1 2026-06-12T16:00:28+00:00 2026-06-12T16:00:28+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-12T16:00:28+00:00 urn:sha1:9a837eff9032ca0e047b068ff101d2183eb0afa1 Pull char/misc driver fixes from Greg KH: "Here are some small driver fixes for 7.1-final to resolve some reported issues. Included in here are: - slimbus qcom driver bugfixes - nvmem driver bugfixes - fastrpc driver bugfixes - stratix10 firmware driver bugfixes All of these have been in linux-next for over a week with no reported issues" * tag 'char-misc-7.1-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: misc: fastrpc: fix use-after-free race in fastrpc_map_create misc: fastrpc: Fix NULL pointer dereference in rpmsg callback misc: fastrpc: fix DMA address corruption due to find_vma misuse misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock slimbus: qcom-ngd-ctrl: Balance pm_runtime enablement for NGD slimbus: qcom-ngd-ctrl: Initialize controller resources in controller slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd slimbus: qcom-ngd-ctrl: Correct PDR and SSR cleanup ownership slimbus: qcom-ngd-ctrl: Fix probe error path ordering slimbus: qcom-ngd-ctrl: Fix up platform_driver registration slimbus: qcom-ngd-ctrl: fix OF node refcount nvmem: core: fix use-after-free bugs in error paths nvmem: layouts: onie-tlv: fix hang on unknown types firmware: stratix10-rsu: Fix NULL deref on rsu_send_msg() timeout in probe firmware: stratix10-svc: Don't fail probe when async ops unsupported firmware: stratix10-svc: Return -EOPNOTSUPP when ATF async unsupported 2026-06-05T15:17:30+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2026-06-05T15:17:30+00:00 urn:sha1:b5277b3a6f5024cd175c25455bda342cab342553 Dinh writes: firmware: stratix10-svc and stratix10-rsu: fixes for v7.1 - Return -EOPNOTSUPP when ATF async is not supported - Fix SVC driver from loading entirely when asynchronous ops is not supported in older ATF. - Fix a NULL pointer dereference on a timeout in rsu_send_msg() * tag 'svc_fixes_for_v7.1' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/dinguyen/linux: firmware: stratix10-rsu: Fix NULL deref on rsu_send_msg() timeout in probe firmware: stratix10-svc: Don't fail probe when async ops unsupported firmware: stratix10-svc: Return -EOPNOTSUPP when ATF async unsupported 2026-06-02T17:54:11+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-02T17:54:11+00:00 urn:sha1:ba3e43a9e601636f5edb54e259a74f96ca3b8fd8 Pull SoC fixes from Arnd Bergmann: "Following the previous set of fixes, this addresses another significant number of small issues found in firmware drivers (tee, optee, qcomtee, qcom ice, exynos acpm) drivers through various tools. This is about error handling, resource leaks, concurrency and a use-after-free bug. The fixes for the Qualcomm ICE driver also introduce interface changes in the UFS and MMC drivers using it. Outside of firmware drivers, there are a few fixes across the tree: - Minor driver code mistakes in the Atmel EBI memory controller, the i.MX soc ID driver and socfpga boot logic - A defconfig change to avoid a boot time regression on multiple qualcomm boards - Device tree fixes for qualcomm, at91 and gemini, addressing mostly minor configuration mistakes" * tag 'soc-fixes-7.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (28 commits) firmware: samsung: acpm: Fix infinite loop on sequence number exhaustion firmware: samsung: acpm: Fix missing LKMM barriers in sequence allocator firmware: samsung: acpm: Fix false timeouts and Use-After-Free in polling ARM: dts: gemini: Fix partition offsets ARM: socfpga: Fix OF node refcount leak in SMP setup soc: qcom: ice: Fix the error code when 'qcom,ice' property is not found arm64: dts: qcom: eliza: Add power-domain and iface clk for ice node arm64: dts: qcom: milos: Add power-domain and iface clk for ice node tee: qcomtee: add missing va_end in early return qcomtee_object_user_init() tee: fix params_from_user() error path in tee_ioctl_supp_recv tee: shm: fix shm leak in register_shm_helper() tee: fix tee_ioctl_object_invoke_arg padding arm64: defconfig: Enable PCI M.2 power sequencing driver scsi: ufs: ufs-qcom: Remove NULL check from devm_of_qcom_ice_get() mmc: sdhci-msm: Remove NULL check from devm_of_qcom_ice_get() soc: qcom: ice: Return proper error codes from devm_of_qcom_ice_get() instead of NULL soc: qcom: ice: Return -ENODEV if the ICE platform device is not found soc: qcom: ice: Fix race between qcom_ice_probe() and of_qcom_ice_get() ARM: dts: microchip: sam9x7: fix GMAC clock configuration firmware: samsung: acpm: Fix mailbox channel leak on probe error ... 2026-05-29T12:11:23+00:00 Tudor Ambarus tudor.ambarus@linaro.org 2026-05-05T13:13:04+00:00 urn:sha1:7fe40c32a33905302341797b5d12c541729dd08d Sashiko identified a possible infinite loop [1]. ACPM IPC sequence numbers are tracked via a 64-bit bitmap. Previously, acpm_prepare_xfer() used a do...while loop to search for a free sequence number. If all 63 available sequence numbers are leaked due to transient hardware timeouts or mailbox failures, the bitmap becomes full. The next call to acpm_prepare_xfer() would enter an infinite loop. Fix this by utilizing the kernel's optimized bitmap search functions (find_next_zero_bit / find_first_zero_bit). If the pool is completely exhausted, log the failure and return -EBUSY to allow the kernel to fail gracefully instead of hanging. Furthermore, drop the allocation loop entirely. Because acpm_prepare_xfer() is strictly called under the 'tx_lock' mutex, sequence number allocations are perfectly serialized. If find_next_zero_bit() locates a free bit, a single test_and_set_bit_lock() is mathematically guaranteed to succeed. To enforce this locking invariant, wrap the allocation in a WARN_ON_ONCE. If the atomic set fails, it indicates the driver's mutex serialization is fundamentally broken. The warning generates a stack trace for debugging, while returning -EIO immediately aborts the transfer to prevent silent payload corruption. Cc: stable@vger.kernel.org Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver") Closes: https://sashiko.dev/#/patchset/20260420-acpm-tmu-v3-0-3dc8e93f0b26%40linaro.org [1] Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org> Link: https://patch.msgid.link/20260505-acpm-fixes-sashiko-reports-v5-7-43b5ee7f1674@linaro.org Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org> 2026-05-29T12:11:22+00:00 Tudor Ambarus tudor.ambarus@linaro.org 2026-05-05T13:13:03+00:00 urn:sha1:bf296f83a3ddab1ab875edc4e8862cb10553064f Sashiko identified memory ordering races in [1]. The ACPM driver uses a globally shared 'bitmap_seqnum' to track available sequence numbers. Even though threads now strictly free their own sequence numbers, the allocation and freeing of these bits across concurrent threads are effectively lockless operations and require explicit LKMM memory barriers. Previously, the driver used plain bitwise operators (test_bit, set_bit, clear_bit), which lack ordering guarantees. This creates two race conditions on weakly ordered architectures like ARM64: 1. Polling Release Violation: The polling thread copies its payload and calls clear_bit(). Without a release barrier, the CPU can reorder the memory operations, making the cleared bit globally visible before the payload reads have fully completed. 2. TX Acquire Violation: The TX thread loops on test_bit(), calls set_bit(), and then wipes the payload buffer via memset(). Without an acquire barrier, the CPU can speculatively execute the memset() before the bit is safely and formally claimed. If these reorderings overlap, a new TX thread can claim the sequence number and overwrite the buffer while the original polling thread is still actively reading from it. Fix this by upgrading the bitwise operators. Wrap the TX allocation in test_and_set_bit_lock() to establish formal LKMM Acquire semantics, and pair it with clear_bit_unlock() in the polling path to enforce Release semantics. Cc: stable@vger.kernel.org Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver") Closes: https://sashiko.dev/#/patchset/20260423-acpm-fixes-sashiko-reports-v1-0-2217b790925e%40linaro.org [1] Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org> Link: https://patch.msgid.link/20260505-acpm-fixes-sashiko-reports-v5-6-43b5ee7f1674@linaro.org Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org> 2026-05-29T12:11:22+00:00 Tudor Ambarus tudor.ambarus@linaro.org 2026-05-05T13:13:02+00:00 urn:sha1:c889b146478885344a220dd468e5a08de088cbc5 Sashiko identified severe races in the polling state machine [1]. In the ACPM driver's polling mode, threads waited for responses by monitoring the globally shared 'bitmap_seqnum'. This caused false timeouts because if a thread processed its response and freed the sequence number, a concurrent TX thread could immediately reallocate it before the polling thread woke up. Additionally, the driver suffered from a cross-thread Use-After-Free (UAF) preemption race. Previously, acpm_get_rx() cleared the sequence number of whichever RX message it drained from the hardware queue. This meant Thread A could globally free Thread B's sequence slot while Thread B was asleep. A new Thread C could then steal the slot, overwrite the buffer, and leave Thread B to wake up to corrupted state or a timeout. Fix this by rewriting the polling state machine: 1. Decouple polling from the global allocator by introducing a per-slot 'completed' flag, synchronized via smp_store_release() and smp_load_acquire(). 2. Strip acpm_get_saved_rx() out of acpm_get_rx() to make it a pure queue-draining function. Introduce a 'native_match' boolean argument which evaluates to true only if the thread natively processed its own sequence number during the call. This explicitly informs the polling loop whether it must retrieve its payload from the cross-thread cache. 3. Centralize the cache fallback and sequence number free (clear_bit) inside the polling loop. Crucially, the free operation now strictly targets the thread's own TX sequence number (xfer->txd[0]), rather than the drained RX sequence number. This enforces strict ownership: a thread only ever frees its own allocated sequence slot, and only at the exact moment it completes its poll, eliminating the UAF window. Furthermore, explicitly guard the 'native_match' assignment with an if (rx_seqnum == tx_seqnum) check, even for zero-length (no payload) responses. While an unguarded assignment wouldn't crash (because the cache fallback acpm_get_saved_rx() safely returns early on zero-length transfers) doing so would "lie" to the state machine. If a thread drained the queue and found another thread's zero-length message, setting native_match = true would falsely convince the polling loop that it natively handled its own response. Maintaining a rigorous state machine requires that native_match is only set when a thread explicitly processes its own sequence number. Cc: stable@vger.kernel.org Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver") Closes: https://sashiko.dev/#/patchset/20260429-acpm-fixes-sashiko-reports-v3-0-47cf74ab09ad%40linaro.org [1] Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org> Link: https://patch.msgid.link/20260505-acpm-fixes-sashiko-reports-v5-5-43b5ee7f1674@linaro.org Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org> 2026-05-28T18:34:07+00:00 Dinh Nguyen dinguyen@kernel.org 2026-05-21T02:54:57+00:00 urn:sha1:bfd2eb9bba548a8f63c3339bb1fb9a2031a42d86 rsu_send_msg() can return -ETIMEDOUT when wait_for_completion_interruptible_timeout() fires while the SMC call is still pending. In stratix10_rsu_probe(), the error paths for COMMAND_RSU_DCMF_VERSION, COMMAND_RSU_DCMF_STATUS, COMMAND_RSU_MAX_RETRY and COMMAND_RSU_GET_SPT_TABLE call stratix10_svc_free_channel() - which sets chan->scl to NULL - but then fall through and queue the next request on the same channel. The next svc kthread that runs will dereference pdata->chan->scl in its receive callback path, triggering a NULL pointer dereference identical to the one fixed by commit c45f7263100c ("firmware: stratix10-rsu: Fix NULL pointer dereference when RSU is disabled") for the COMMAND_RSU_STATUS path. Apply the same cleanup pattern to the remaining failure paths: remove the async client, free the channel, and return early so no further messages are queued on a channel whose scl has been cleared. While at it, clean up stratix10_rsu_probe() in two ways without changing behavior: - Drop redundant zero-initialization of fields already cleared by devm_kzalloc(): client.receive_cb, status.* and spt0/1_address (INVALID_SPT_ADDRESS is 0x0). - Replace five identical 3-line error-cleanup blocks (stratix10_svc_remove_async_client() + stratix10_svc_free_channel() + return ret) with goto labels (remove_async_client, free_channel), matching the standard kernel resource-unwinding pattern and making it easier to extend the probe sequence without forgetting matching cleanup. Also move init_completion() next to mutex_init() so sync-primitive initialization is grouped before anything that could trigger a callback. Fixes: 15847537b623 ("firmware: stratix10-rsu: Migrate RSU driver to use stratix10 asynchronous framework.") Cc: stable@kernel.org Assisted-by: Claude:claude-4.7-opus-high Cursor Signed-off-by: Dinh Nguyen <dinguyen@kernel.org> --- v2: Add a minor clean-up of the function stratix10_rsu_probe() to have a centralize exit for all the rsu_send_async_msg() and rsu_send_msg(). 2026-05-28T18:34:07+00:00 Muhammad Amirul Asyraf Mohamad Jamian muhammad.amirul.asyraf.mohamad.jamian@altera.com 2026-04-16T07:22:07+00:00 urn:sha1:371aa062219a0af108fb8992f0759d1bac1e8c91 When the ATF version is too old to support SIP SVC v3 asynchronous operations (e.g. ATF 2.5), stratix10_svc_async_init() returns -EOPNOTSUPP. The probe function currently treats any non-zero return as fatal and aborts, logging: stratix10-svc firmware:svc: Intel Service Layer Driver: ATF version \ is not compatible for async operation stratix10-svc firmware:svc: probe with driver stratix10-svc failed \ with error -95 This prevents the SVC driver from loading entirely, causing all dependent client drivers (hwmon, RSU, FCS) to also fail to probe even though they can operate correctly via the synchronous V1 SMC path. Fix this by treating -EOPNOTSUPP from stratix10_svc_async_init() as a non-fatal degraded condition. The driver loads in sync-only mode and logs: stratix10-svc firmware:svc: Intel Service Layer Driver Initialized \ (sync-only mode) Fixes: bcb9f4f07061 ("firmware: stratix10-svc: Add support for async communication") Cc: stable@vger.kernel.org Signed-off-by: Muhammad Amirul Asyraf Mohamad Jamian <muhammad.amirul.asyraf.mohamad.jamian@altera.com> Signed-off-by: Dinh Nguyen <dinguyen@kernel.org> 2026-05-28T18:34:06+00:00 Muhammad Amirul Asyraf Mohamad Jamian muhammad.amirul.asyraf.mohamad.jamian@altera.com 2026-04-16T07:22:06+00:00 urn:sha1:3e529f57931417120fab700afeef6e49553250d5 Add a 'supported' flag to struct stratix10_async_ctrl to indicate whether the secure firmware supports SIP SVC v3 asynchronous communication. When the ATF version check in stratix10_svc_async_init() fails, set supported=false and return -EOPNOTSUPP instead of -EINVAL. This allows callers to distinguish between "async not supported by this ATF version" (-EOPNOTSUPP) and "programming error / bad argument" (-EINVAL), and take appropriate action (e.g. fall back to synchronous V1 SMC path) rather than treating both as fatal. Also update stratix10_svc_add_async_client() to return -EOPNOTSUPP immediately when async is not supported, rather than -EINVAL from the !actrl->initialized check, so client drivers receive a consistent and meaningful error code. This patch is a prerequisite for the following fix and must be applied together with it to correctly restore functionality on old ATF versions. Fixes: bcb9f4f07061 ("firmware: stratix10-svc: Add support for async communication") Cc: stable@vger.kernel.org Suggested-by: Anders Hedlund <anders.hedlund@windriver.com> Signed-off-by: Mahesh Rao <mahesh.rao@altera.com> Signed-off-by: Muhammad Amirul Asyraf Mohamad Jamian <muhammad.amirul.asyraf.mohamad.jamian@altera.com> Signed-off-by: Dinh Nguyen <dinguyen@kernel.org> 2026-05-23T16:13:00+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-05-23T16:13:00+00:00 urn:sha1:95e6d3ba0571330df866911da9dedd83e05417ca Pull LoongArch fixes from Huacai Chen: "Rework KASLR to avoid initrd overlap, remove some unused code to avoid a build warning, fix some bugs in kprobes and KVM" * tag 'loongarch-fixes-7.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson: LoongArch: KVM: Move some variable declarations to paravirt.h LoongArch: kprobes: Fix handling of fatal unrecoverable recursions LoongArch: kprobes: Use larch_insn_text_copy() to patch instructions LoongArch: Remove unused code to avoid build warning LoongArch: Avoid initrd overlap during kernel relocation LoongArch: Skip relocation-time KASLR if already applied efi/loongarch: Randomize kernel preferred address for KASLR