afs: Fix uninit var in afs_alloc_anon_key()
Fix an uninitialised variable (key) in afs_alloc_anon_key() by setting it
to cell->anonymous_key. Without this change, the error check may return a
false failure with a bad error number.
Most of the time this is unlikely to happen because the first encounter
with afs_alloc_anon_key() will usually be from (auto)mount, for which all
subsequent operations must wait - apart from other (auto)mounts. Once the
call->anonymous_key is allocated, all further calls to afs_request_key()
will skip the call to afs_alloc_anon_key() for that cell.
Fixes: d27c71257825 ("afs: Fix delayed allocation of a cell's anonymous key")
Reported-by: Paulo Alcantra <pc at manguebit.org>
Signed-off-by: David Howells <dhowells at redhat.com>
Reviewed-by: Paulo Alcantara <pc at manguebit.org>
cc: Marc Dionne <marc.dionne at auristor.com>
cc: syzbot+41c68824eefb67cdf00c at syzkaller.appspotmail.com
cc: linux-afs at lists.infradead.org
[2 lines not shown]
Merge tag 'spi-fix-v6.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi
Pull spi fixes from Mark Brown:
"A disappointingly large set of device specific fixes that have built
up since I've been a bit tardy with sending a pull requests as people
kept sending me new new fixes.
The bcm63xx and lpspi issues could lead to corruption so the fixes are
fairly important for the affected parts, the other issues should all
be relatively minor"
* tag 'spi-fix-v6.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
spi: nxp-fspi: Propagate fwnode in ACPI case as well
spi: tegra114: remove Kconfig dependency on TEGRA20_APB_DMA
spi: amlogic-spifc-a1: Handle devm_pm_runtime_enable() errors
spi: spi-fsl-lpspi: fix watermark truncation caused by type cast
spi: cadence-quadspi: Fix cqspi_probe() error handling for runtime pm
spi: bcm63xx: fix premature CS deassertion on RX-only transactions
spi: spi-cadence-quadspi: Remove duplicate pm_runtime_put_autosuspend() call
spi: spi-cadence-quadspi: Enable pm runtime earlier to avoid imbalance
Merge tag 'regulator-fix-v6.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator
Pull regulator fixes from Mark Brown:
"A couple of fixes for incorrect device descriptions in the rtq2208
driver"
* tag 'regulator-fix-v6.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
regulator: rtq2208: Correct LDO2 logic judgment bits
regulator: rtq2208: Correct buck group2 phase mapping logic
Merge tag 'io_uring-6.18-20251128' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux
Pull io_uring fixes from Jens Axboe:
- Ensure that vectored registered buffer imports ties the lifetime of
those to the zero-copy send notification, not the parent request
- Fix a bug introduced in this merge window, with the introduction of
mixed sized CQE support
* tag 'io_uring-6.18-20251128' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux:
io_uring: fix mixed cqe overflow handling
io_uring/net: ensure vectored buffer node import is tied to notification
Merge tag 'vfs-6.18-rc8.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
Pull vfs fixes from Christian Brauner:
- afs: Fix delayed allocation of a cell's anonymous key
The allocation of a cell's anonymous key is done in a background
thread along with other cell setup such as doing a DNS upcall. The
normal key lookup tries to use the key description on the anonymous
authentication key as the reference for request_key() - but it may
not yet be set, causing an oops
- ovl: fail ovl_lock_rename_workdir() if either target is unhashed
As well as checking that the parent hasn't changed after getting the
lock, the code needs to check that the dentry hasn't been unhashed.
Otherwise overlayfs might try to rename something that has been
removed
[9 lines not shown]
Merge tag 'soc-fixes-6.18-4' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
Pull SoC fixes from Arnd Bergmann:
"A few last minute fixes came in this week:
- interrupt and gpio numbers in foud separate i.MX8 specific
devicetree files were wrong
- The vector length property in the C906 CPU description used the
wrong unit
- Two bugs with uninitialized stack variables in the tee subsystem
- Alexander Stein now maintains additional devicetree files"
* tag 'soc-fixes-6.18-4' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc:
riscv: dts: allwinner: d1: fix vlenb property
MAINTAINERS: Add entry for TQ-Systems AM335 device trees
tee: qcomtee: initialize result before use in release worker
[5 lines not shown]
Merge tag 'char-misc-6.18-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
Pull char / misc / IIO fixes from Greg KH:
"Here are some much-delayed char/misc/iio driver fixes for 6.18-rc8.
Fixes in here include:
- lots of iio driver bugfixes for reported issues.
- counter driver bugfix
- slimbus driver bugfix
- mei tiny bugfix
- nvmem layout uevent bugfix
All of these have been in linux-next for a while, but due to travel on
my side, I haven't had a chance to get them to you"
[23 lines not shown]
Merge tag 'tty-6.18-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
Pull serial driver fixes from Greg KH:
"Here are two serial driver fixes for reported issues for 6.18-rc8.
These are:
- fix for a much reported symbol build loop that broke the build for
some kernel configurations
- amba-pl011 driver bugfix for a reported issue
Both have been in linux next (the last for weeks, the first for a
shorter amount of time), with no reported issues"
* tag 'tty-6.18-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
serial: 8250: Fix 8250_rsa symbol loop
serial: amba-pl011: prefer dma_mapping_error() over explicit address checking
Merge tag 'usb-6.18-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
Pull USB/Thunderbolt fixes from Greg KH:
"Here are some last-minutes USB and Thunderbolt driver fixes and new
device ids for 6.18-rc8. Included in here are:
- usb storage quirk fixup
- xhci driver fixes for reported issues
- usb gadget driver fixes
- dwc3 driver fixes
- UAS driver fixup
- thunderbolt new device ids
- usb-serial driver new ids
[26 lines not shown]
Merge tag 'omap-for-v6.19/maintainers-signed' of git://git.kernel.org/pub/scm/linux/kernel/git/khilman/linux-omap into arm/fixes
MAINTAINERS: Add entry for TQ-Systems AM335 device trees
* tag 'omap-for-v6.19/maintainers-signed' of git://git.kernel.org/pub/scm/linux/kernel/git/khilman/linux-omap:
MAINTAINERS: Add entry for TQ-Systems AM335 device trees
Merge tag 'mmc-v6.18-rc2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc
Pull MMC fix from Ulf Hansson:
- sdhci-of-dwcmshc: Fix reset handling for some variants
* tag 'mmc-v6.18-rc2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
mmc: sdhci-of-dwcmshc: Promote the th1520 reset handling to ip level
Merge tag 'pmdomain-v6.18-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm
Pull pmdomain fixes from Ulf Hansson:
- mediatek: Fix spinlock recursion in probe
- tegra: Use GENPD_FLAG_NO_STAY_ON to restore old behaviour
* tag 'pmdomain-v6.18-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm:
pmdomain: tegra: Add GENPD_FLAG_NO_STAY_ON flag
pmdomains: mtk-pm-domains: Fix spinlock recursion in probe
mailbox: th1520: fix clock imbalance on probe failure
The purpose of the devm_add_action_or_reset() helper is to call the
action function in case adding an action ever fails so drop the clock
disable from the error path to avoid disabling the clocks twice.
Fixes: 5d4d263e1c6b ("mailbox: Introduce support for T-head TH1520 Mailbox driver")
Cc: Michal Wilczynski <m.wilczynski at samsung.com>
Signed-off-by: Johan Hovold <johan at kernel.org>
Reviewed-by: Michal Wilczynski <m.wilczynski at samsung.com>
Signed-off-by: Jassi Brar <jassisinghbrar at gmail.com>
mailbox: pcc: don't zero error register
The error status mask for a type 3/4 subspace is used for reading the
error status, and the bitwise inverse is used for clearing the error
with the intent being to preserve any of the non-error bits. However,
we were previously applying the mask to extract the status and then
applying the inverse to the result which ended up clearing all bits.
Instead, store the inverse mask in the preserve mask and then use that
on the original value read from the error status so that only the error
is cleared.
Fixes: c45ded7e1135 ("mailbox: pcc: Add support for PCCT extended PCC subspaces(type 3/4)")
Signed-off-by: Jamie Iles <jamie.iles at oss.qualcomm.com>
Signed-off-by: Punit Agrawal <punit.agrawal at oss.qualcomm.com>
Signed-off-by: Jassi Brar <jassisinghbrar at gmail.com>
mailbox: mtk-gpueb: Add missing 'static' to mailbox ops struct
mtk_gpueb_mbox_ops should be declared static. However, due to its const
nature, this specifier was missed, as it compiled fine without it and
with no warning by the compiler.
arc-linux-gcc (GCC) 12.5.0 doesn't seem to like it however, so add the
static to fix that.
Reported-by: kernel test robot <lkp at intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202510100629.3nGvrhEU-lkp@intel.com/
Fixes: dbca0eabb821 ("mailbox: add MediaTek GPUEB IPI mailbox")
Signed-off-by: Nicolas Frattaroli <nicolas.frattaroli at collabora.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno at collabora.com>
Signed-off-by: Jassi Brar <jassisinghbrar at gmail.com>
mailbox: mtk-cmdq: Refine DMA address handling for the command buffer
GCE can only fetch the command buffer address from a 32-bit register.
Some SoCs support a 35-bit command buffer address for GCE, which
requires a right shift of 3 bits before setting the address into
the 32-bit register. A comment has been added to the header of
cmdq_get_shift_pa() to explain this requirement.
To prevent the GCE command buffer address from being DMA mapped beyond
its supported bit range, the DMA bit mask for the device is set during
initialization.
Additionally, to ensure the correct shift is applied when setting or
reading the register that stores the GCE command buffer address,
new APIs, cmdq_convert_gce_addr() and cmdq_revert_gce_addr(), have
been introduced for consistent operations on this register.
The variable type for the command buffer address has been standardized
to dma_addr_t to prevent handling issues caused by type mismatches.
[5 lines not shown]
mailbox: mailbox-test: Fix debugfs_create_dir error checking
The debugfs_create_dir() function returns ERR_PTR() on error, not NULL.
The current null-check fails to catch errors.
Use IS_ERR() to correctly check for errors.
Fixes: 8ea4484d0c2b ("mailbox: Add generic mechanism for testing Mailbox Controllers")
Signed-off-by: Haotian Zhang <vulab at iscas.ac.cn>
Signed-off-by: Jassi Brar <jassisinghbrar at gmail.com>
mailbox: omap-mailbox: Check for pending msgs only when mbox is exclusive
On TI K3 devices, the mailbox resides in the Always-On power domain
(LPSC_main_alwayson) and is shared among multiple processors. The
mailbox is not solely exclusive to Linux.
Currently, the suspend path checks all FIFO queues for pending messages
and blocks suspend if any are present. This behavior is unnecessary for
K3 devices, since some of the FIFOs are used for RTOS<->RTOS
communication and are independent of Linux.
For FIFOs used in Linux<->RTOS communication, any pending message would
trigger an interrupt, which naturally prevents suspend from completing.
Hence, there is no need for the mailbox driver to explicitly check for
pending messages on K3 platforms.
Introduce a device match flag to indicate whether the mailbox instance
is exclusive to Linux, and skip the pending message check for
non-exclusive instances (such as in K3).
[7 lines not shown]
afs: Fix delayed allocation of a cell's anonymous key
The allocation of a cell's anonymous key is done in a background thread
along with other cell setup such as doing a DNS upcall. In the reported
bug, this is triggered by afs_parse_source() parsing the device name given
to mount() and calling afs_lookup_cell() with the name of the cell.
The normal key lookup then tries to use the key description on the
anonymous authentication key as the reference for request_key() - but it
may not yet be set and so an oops can happen.
This has been made more likely to happen by the fix for dynamic lookup
failure.
Fix this by firstly allocating a reference name and attaching it to the
afs_cell record when the record is created. It can share the memory
allocation with the cell name (unfortunately it can't just overlap the cell
name by prepending it with "afs@" as the cell name already has a '.'
prepended for other purposes). This reference name is then passed to
[22 lines not shown]
ovl: fail ovl_lock_rename_workdir() if either target is unhashed
As well as checking that the parent hasn't changed after getting the
lock we need to check that the dentry hasn't been unhashed.
Otherwise we might try to rename something that has been removed.
Reported-by: syzbot+bfc9a0ccf0de47d04e8c at syzkaller.appspotmail.com
Fixes: d2c995581c7c ("ovl: Call ovl_create_temp() without lock held.")
Signed-off-by: NeilBrown <neil at brown.name>
Link: https://patch.msgid.link/176429295510.634289.1552337113663461690@noble.neil.brown.name
Tested-by: syzbot+bfc9a0ccf0de47d04e8c at syzkaller.appspotmail.com
Reviewed-by: Amir Goldstein <amir73il at gmail.com>
Signed-off-by: Christian Brauner <brauner at kernel.org>
Merge tag 'drm-fixes-2025-11-28' of https://gitlab.freedesktop.org/drm/kernel
Pull drm fixes from Dave Airlie:
"Last one for this round hopefully, mostly the usual suspects,
xe/amdgpu, with some single fixes otherwise.
There is one amdgpu HDMI blackscreen bug that came in late in the
cycle, but it was bisected and the revert is in here.
i915:
- Reject async flips when PSR's selective fetch is enabled
xe:
- Fix resource leak in xe_guc_ct_init_noalloc()'s error path
- Fix stack_depot usage without STACKDEPOT_ALWAYS_INIT
- Fix overflow in conversion from clock tics to msec
amdgpu:
- Unified MES fix
[35 lines not shown]
Merge tag 'dma-mapping-6.18-2025-11-27' of git://git.kernel.org/pub/scm/linux/kernel/git/mszyprowski/linux
Pull dma-mapping fixes from Marek Szyprowski:
"Two last minute fixes for the recently modified DMA API infrastructure:
- proper handling of DMA_ATTR_MMIO in dma_iova_unlink() function (me)
- regression fix for the code refactoring related to P2PDMA (Pranjal
Shrivastava)"
* tag 'dma-mapping-6.18-2025-11-27' of git://git.kernel.org/pub/scm/linux/kernel/git/mszyprowski/linux:
dma-direct: Fix missing sg_dma_len assignment in P2PDMA bus mappings
iommu/dma: add missing support for DMA_ATTR_MMIO for dma_iova_unlink()
Merge tag 'acpi-6.18-rc8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
Pull ACPI fix from Rafael Wysocki:
"One more urgent ACPI support fix for 6.18
There is one more commit that needs to be reverted after reverting
problematic commit 7a8c994cbb2d ("ACPI: processor: idle: Optimize ACPI
idle driver registration"), so revert it"
* tag 'acpi-6.18-rc8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
Revert "ACPI: processor: Update cpuidle driver check in __acpi_processor_start()"
