- Lower the minimum rate for the A523 audio PLL to support
frequencies required by audio devices
- Mark a couple clks critical on A523 so that Linux doesn't turn
them off when they're used by other code like TF-A
-----BEGIN PGP SIGNATURE-----
iQJIBAABCAAyFiEE9L57QeeUxqYDyoaDrQKIl8bklSUFAmkjV3AUHHN3Ym95ZEBj
aHJvbWl1bS5vcmcACgkQrQKIl8bklSUPzw/+JyChC42SYjZAAbzT/aBE7STbjlWT
EnY4RcES5AJ9xav9wXI6UbI9941xJWfhpijqJ5UOuXiHP9pGOzrElI+iyevL5iDu
AL6qijUsE+3NL505LqwLo1IvrnCtdOy5o8JVI+A84QLs0SQCXGjFewxo1vSOCm/o
va6zyFNW11Vk4dfMw1dS3bna9yhCXkZh0nzvelsYc0KyZODd6qk838Qjnq80A3tC
5kXNFWFTuz9CLqc3emzACF3uRxT296gTLX92evyi1Pq+d69QaAdaVJQHSOJiMfT2
tbiGpOyZHGm+vlZ8O2awE71ODgqOvSXcbewCm9DA7xp3TEAf0Kdy5zz8Jl6qmVuG
PvYnhJe+B1SUm6iTwrzJTeyOD468Xi7yICbg+HKIrr1efpL4NzSIKypAJH9bv+DY
t7wySo3Yql/9LOQQKE/TG8JGi8mozYNZSTiMrBtdUw9ev2kOW0zwaM9V7SEH1WK2
urerDjloOPZ+Nf7eIN8dZfhFDi3sEO5/YcBev1FiQ+iIZtIZwltFnbvAHzrcLStb
VttJla6lN05kUdPMkTBg1oNu2FLnS47eJWHCjDysOjsGnKx+Mjm+RB+p7wjqLc3e
y0IRzlj7w2+PZFI7Q4KRfDT5srHP2TqBE2y6xAdQsU8xWx/tKSvVYgO0Vmu7AbJh
8L77KUw2tQPaFbo=
=A1l6
-----END PGP SIGNATURE-----
Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux
Pull clk fixes from Stephen Boyd:
"Fixes for the Allwinner A523 clk driver:
- Lower the minimum rate for the A523 audio PLL to support
frequencies required by audio devices
- Mark a couple clks critical on A523 so that Linux doesn't turn them
off when they're used by other code like TF-A"
* tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
clk: sunxi-ng: sun55i-a523-ccu: Lower audio0 pll minimum rate
clk: sunxi-ng: sun55i-a523-r-ccu: Mark bus-r-dma as critical
clk: sunxi-ng: Mark A523 bus-r-cpucfg clock as critical
- Fix a race in timer->function clearing in timer_shutdown_sync()
- Fix a timekeeper sysfs-setup resource leak in error paths
- Fix the NOHZ report_idle_softirq() syslog rate-limiting
logic to have no side effects on the return value
Signed-off-by: Ingo Molnar <mingo@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQJFBAABCgAvFiEEBpT5eoXrXCwVQwEKEnMQ0APhK1gFAmkivgERHG1pbmdvQGtl
cm5lbC5vcmcACgkQEnMQ0APhK1i/0g/+ODFR6NF7cNcsZPhKdRt/A9Il72qmjteG
Fqzacev1rzaQpPSaRpOnEAnqDRmfnFLZ0I4WA36QJxfApHHg9kI8GzEaa7WDvQOc
kOL317i3vsme+tolI0fwazvMRnwgSipHVvXp76eyaEKXHM97i81XUpJYynxl+j9R
0le8wpcBQKMUnpvYWN4J7u0AOO0vXCdaKSM2r9bgecXGyaqgzdyLYqGhgPLd0tYC
Tn3pSrQIffORZQed3hKjXmC4DSs+tsdQr1npphxrzHy3Q8rXbt3eEj96IYyHdz1f
/3eetSWRcd0jnZYIjuA9xG7xMSBBitkPBzSQMaZMdzV2d03oPU2WVvoKLSPnFNxz
JQIErExLJH2AOrYNLmx+6DJ0Ql8398KdISJnb6HdX1cZcljRKmqlo9BIaPorQDqf
WFm8WvhthBXHwEbWx/ecaPkV2aBQpXTTH7AkCebBLF+YTxtHUVGjwlBQ/CltABk3
a4U93M/Zdyaxys/9YpIeWAsg0y3b54r6aFbReyt8CiMVe+gKqTOnT3Jy4hqFZPnB
x+AHtooGsN7CIV4q9NIB6EmvJ5J1HFkmGQrWo1y/OHbZp2mDJy/1sQ+rj7NXdBZA
ibrUHIWzTtZ6WpuR1ABD3wubhb7/BF3Gwh4v27AUtLFKW/cZq7ovMODVrp+Svt6X
3EOg/YofAy0=
=JVik
-----END PGP SIGNATURE-----
Merge tag 'timers-urgent-2025-11-23' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull timer fixes from Ingo Molnar:
- Fix a race in timer->function clearing in timer_shutdown_sync()
- Fix a timekeeper sysfs-setup resource leak in error paths
- Fix the NOHZ report_idle_softirq() syslog rate-limiting
logic to have no side effects on the return value
* tag 'timers-urgent-2025-11-23' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
timers: Fix NULL function pointer race in timer_shutdown_sync()
timekeeping: Fix resource leak in tk_aux_sysfs_init() error paths
tick/sched: Fix bogus condition in report_idle_softirq()
There is a race condition between timer_shutdown_sync() and timer
expiration that can lead to hitting a WARN_ON in expire_timers().
The issue occurs when timer_shutdown_sync() clears the timer function
to NULL while the timer is still running on another CPU. The race
scenario looks like this:
CPU0 CPU1
<SOFTIRQ>
lock_timer_base()
expire_timers()
base->running_timer = timer;
unlock_timer_base()
[call_timer_fn enter]
mod_timer()
...
timer_shutdown_sync()
lock_timer_base()
// For now, will not detach the timer but only clear its function to NULL
if (base->running_timer != timer)
ret = detach_if_pending(timer, base, true);
if (shutdown)
timer->function = NULL;
unlock_timer_base()
[call_timer_fn exit]
lock_timer_base()
base->running_timer = NULL;
unlock_timer_base()
...
// Now timer is pending while its function set to NULL.
// next timer trigger
<SOFTIRQ>
expire_timers()
WARN_ON_ONCE(!fn) // hit
...
lock_timer_base()
// Now timer will detach
if (base->running_timer != timer)
ret = detach_if_pending(timer, base, true);
if (shutdown)
timer->function = NULL;
unlock_timer_base()
The problem is that timer_shutdown_sync() clears the timer function
regardless of whether the timer is currently running. This can leave a
pending timer with a NULL function pointer, which triggers the
WARN_ON_ONCE(!fn) check in expire_timers().
Fix this by only clearing the timer function when actually detaching the
timer. If the timer is running, leave the function pointer intact, which is
safe because the timer will be properly detached when it finishes running.
Fixes: 0cc04e80458a ("timers: Add shutdown mechanism to the internal functions")
Signed-off-by: Yipeng Zou <zouyipeng@huawei.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251122093942.301559-1-zouyipeng@huawei.com
- Fix for Malta PCI MMIO breakage for SOC-it
- Fix TLB shutdown caused by iniital uniquification
- Fix random seg faults
-----BEGIN PGP SIGNATURE-----
iQJOBAABCAA4FiEEbt46xwy6kEcDOXoUeZbBVTGwZHAFAmkiIKQaHHRzYm9nZW5k
QGFscGhhLmZyYW5rZW4uZGUACgkQeZbBVTGwZHA+4A//VBaGVDaIbqwE1xzBdeUQ
j5yK4l9wbD4LO67DTN4eElouct/o48I1UbQSK3vBaBRlGKLEFK/2Pu1amh6VGWr9
SyI14AYlj0vX7C6nqSrGKL+/+1mA9pCQmpz4yshn+qnwoAqHjqs+enX3BiBh+L0j
1JJRyr8qGzQ8Xma80Bx5Jvst61a5AgQZvVf70nr/0LdoqjBkS6dqVKRHtA7VOqWd
SqX1/y7FeLt6oPmzRYCy7Kp7RNDJ9sIht7ZklznV1tUBdDTRpA8eUqeSSyUEe0/7
x79jj3/On7vg84shs3u+JU8jjrVuyXQcSJq2YRw9kEm0lJ2nd2YFS13SpnT4ZMNQ
qCyzfTELLQ+NvRNaiUWWj5RXdiSo2LrZNq/Qu2EsNaSz2YYkkmrAurGOd8rOcfka
59lKvoQ18Vt3Ok5EeaatAWANJhXpEodvScuGdzBocaJ8/mSBwUzd6Vit9fma6eJ2
o1evxG7rqhXo+fT3pfjkW9ueAzCwJvF+tXV47Ga3PLssZfBvGo90LhaMf8C+VQA+
WoSAHhHlhrjhpo0/8/Z5577LV0IyRhwcnoivphBAwuCNe6SQrkKDrnx6xbemwbM1
biCbMaknli72c/KfptoOtBJYyZdEkgCigsB9unBHFXtExreoCo0PEAoJIv0GZs4M
3y7EIgkwib7OZCU2cA4/hkA=
=caJE
-----END PGP SIGNATURE-----
Merge tag 'mips-fixes_6.18_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux
Pull MIPS fixes from Thomas Bogendoerfer:
- Fix CPU type in DT for econet
- Fix for Malta PCI MMIO breakage for SOC-it
- Fix TLB shutdown caused by iniital uniquification
- Fix random seg faults due to missed vdso storage requirement
* tag 'mips-fixes_6.18_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux:
MIPS: kernel: Fix random segmentation faults
MIPS: mm: Prevent a TLB shutdown on initial uniquification
mips: dts: econet: fix EN751221 core type
MIPS: Malta: Fix !EVA SOC-it PCI MMIO
Fix another KMSAN warning that made it in while KMSAN wasn't working
reliably.
-----BEGIN PGP SIGNATURE-----
iIoEABYIADIWIQSacvsUNc7UX4ntmEPzXCl4vpKOKwUCaSITwxQcZWJpZ2dlcnNA
a2VybmVsLm9yZwAKCRDzXCl4vpKOK898AQCZFgPxQxVrkSaZuDXJ1V5ZpH/PcQVe
RWsmR6TtVE84QQD/a/mteTNxeB0xDFCrhgYG4TmF1g/RhPTTdBTmhubSdwo=
=VNQT
-----END PGP SIGNATURE-----
Merge tag 'libcrypto-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux
Pull crypto library fix from Eric Biggers:
"Fix another KMSAN warning that made it in while KMSAN wasn't working
reliably"
* tag 'libcrypto-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux:
lib/crypto: tests: Fix KMSAN warning in test_sha256_finup_2x()
Signed-off-by: Carlos Maiolino <cem@kernel.org>
-----BEGIN PGP SIGNATURE-----
iJUEABMJAB0WIQSmtYVZ/MfVMGUq1GNcsMJ8RxYuYwUCaSGL+QAKCRBcsMJ8RxYu
YyvcAXsECiSerKCBGTXpRTLlxB59UWhjRkz2pKhMYLd4czYsukPqTmEergwkQeVN
Ebb5rlMBegJoUfeL//wDZ3D/w/T4E2bEMhlcVH04vEE+yBkuqKqcfNDftQl5MCoD
/1JI9xbKAQ==
=3pbL
-----END PGP SIGNATURE-----
Merge tag 'xfs-fixes-6.18-rc7' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
Pull xfs fix from Carlos Maiolino:
"A single out-of-bounds fix, nothing special"
* tag 'xfs-fixes-6.18-rc7' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
xfs: fix out of bounds memory read error in symlink repair
One target driver fix and one scsi-generic one. The latter is 10
lines because the problem lock has to be dropped and re-taken around
the call causing the sleep in atomic.
Signed-off-by: James E.J. Bottomley <James.Bottomley@HansenPartnership.com>
-----BEGIN PGP SIGNATURE-----
iLgEABMIAGAWIQTnYEDbdso9F2cI+arnQslM7pishQUCaSHVghsUgAAAAAAEAA5t
YW51MiwyLjUrMS4xMSwyLDImHGphbWVzLmJvdHRvbWxleUBoYW5zZW5wYXJ0bmVy
c2hpcC5jb20ACgkQ50LJTO6YrIW+xQEAx4Sfjb+NTZ4qcDX2wjAosFUnuu5RUnn6
YG1OSrzHHP4A/RQQIxerooZPSD67LxIFVsxCV3yu6S88+n4P3emAec3V
=qUHX
-----END PGP SIGNATURE-----
Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
Pull SCSI fixes from James Bottomley:
"One target driver fix and one scsi-generic one. The latter is 10 lines
because the problem lock has to be dropped and re-taken around the
call causing the sleep in atomic"
* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
scsi: sg: Do not sleep in atomic context
scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()
- INPUT_PROP_HAPTIC_TOUCHPAD definition added early in 6.18 cycle has
been renamed to INPUT_PROP_PRESSUREPAD to better reflect the kind of
devices it is supposed to be set for
- a new ID for a touchscreen found in Ayaneo Flip DS in Goodix driver
- Goodix driver no longer tries to set reset pin as "input" as it causes
issues when there is no pull up resistor installed on the board
- fixes for cros_ec_keyb, imx_sc_key, and pegasus-notetaker drivers to
deal with potential out-of-bounds access and memory corruption issues
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQST2eWILY88ieB2DOtAj56VGEWXnAUCaSFbUAAKCRBAj56VGEWX
nC+zAQCmxIsTcA4GEPgelW0dRaaKCcCnr++0RQVW5hFJ+0VgTgD6AlzkMtdy5O30
91gz5ooMKSz5SMsgb97N2GlayGKezA0=
=dMey
-----END PGP SIGNATURE-----
Merge tag 'input-for-v6.18-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
Pull input fixes from Dmitry Torokhov:
- INPUT_PROP_HAPTIC_TOUCHPAD definition added early in 6.18 cycle has
been renamed to INPUT_PROP_PRESSUREPAD to better reflect the kind of
devices it is supposed to be set for
- a new ID for a touchscreen found in Ayaneo Flip DS in Goodix driver
- Goodix driver no longer tries to set reset pin as "input" as it
causes issues when there is no pull up resistor installed on the
board
- fixes for cros_ec_keyb, imx_sc_key, and pegasus-notetaker drivers to
deal with potential out-of-bounds access and memory corruption issues
* tag 'input-for-v6.18-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
Input: rename INPUT_PROP_HAPTIC_TOUCHPAD to INPUT_PROP_PRESSUREPAD
Input: cros_ec_keyb - fix an invalid memory access
Input: imx_sc_key - fix memory corruption on unload
Input: pegasus-notetaker - fix potential out-of-bounds access
Input: goodix - remove setting of RST pin to input
Input: goodix - add support for ACPI ID GDIX1003
- Correct the MIPS RISC-V/JEDEC vendor ID.
- Fix the system shutdown behavior in the legacy case where
CONFIG_RISCV_SBI_V01 is set, but the firmware implementation doesn't
support the older v0.1 system shutdown method.
- Align some tools/ macro definitions with the corresponding kernel headers.
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEElRDoIDdEz9/svf2Kx4+xDQu9KksFAmkhEkIACgkQx4+xDQu9
Kkvwzw//argWbOhLtXyoLxPlsyeQaBh5tiJgXJJTIlqhpNb0c1JR3dG+7sSAPVCl
Hrq6blvP0ADUajdlSxuvSaBglqydFaqU689kkG79/hWcAQiRsuJz830RRlQKwnzd
FIRv+m8kN2JoFLLiCvpm2r1PNaWQBpwmphVCrfnqvJ2fqPpmC8DVk9iDP6w67Hcj
U1lSofEWxKcDaGOHuA1xU9NFAydtAd0/Jefci5C2hz0bTyJ5sAgAwJrvMoxX4n1x
Y/yUWe88sOIj8SMg2bJJSm6Ny1apOc6IuYd+GxGpN954tcjJCQ/PBLywM2FT1hx4
65I3yJv0VEDmmLSodYPrmN38bu5n7gKrbRTjBvjVRat5hvLV6iej4UHdyScc7eXV
6BxR982BYtG0Mo1W9lm1NbH1ubcyuJxDfwPffeGFYP2RhaVQgneOeczWmcyW6KKA
GB8zvLBEwDgQoSWtFGvotQhnzM9oqDYYmQ2AeMuTHqB2D+AIqoejoB8S7i95MPaB
m8zepRgN2VS0v+glOZ9tDlsbURR0Yu0SO4k/bIJ2/Surtt7G0BKcenfTNquaOW+/
evr8uS1fbQPLyyqnUmHh/FYRivQs0JcB/6yBdFYM1YZfW84PC03KdFrO+fhyna+V
wMQzEhIYxLi5gyP1KZ1s4DWynXoUdBjovsjWNjQGe0pF+uQps40=
=aw1W
-----END PGP SIGNATURE-----
Merge tag 'riscv-for-linus-6.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux
Pull RISC-V fixes from Paul Walmsley:
- Correct the MIPS RISC-V/JEDEC vendor ID
- Fix the system shutdown behavior in the legacy case where
CONFIG_RISCV_SBI_V01 is set, but the firmware implementation
doesn't support the older v0.1 system shutdown method
- Align some tools/ macro definitions with the corresponding
kernel headers
* tag 'riscv-for-linus-6.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
tools: riscv: Fixed misalignment of CSR related definitions
riscv: sbi: Prefer SRST shutdown over legacy
riscv: Update MIPS vendor id to 0x127
-----BEGIN PGP SIGNATURE-----
iQJIBAABCgAyFiEES0KozwfymdVUl37v6iDy2pc3iXMFAmkgxTMUHHBhdWxAcGF1
bC1tb29yZS5jb20ACgkQ6iDy2pc3iXMaFw//ceP1tRSZcpCEkgkks3hkSxANfqdZ
WbuSlI/bzEJjmmM/FAA1KM1+5b/FrO5gzrkfi1eEJ5DlI9Biy0Qa1qgi+21JbOGO
yC0f7poMwDtDZFl9OLtI6yJ8XyO/HP8+HIc7LqJgSjUvF4S0m8MVHS2acRvOuEGU
adw80uwnW64pBX+mgZOsf3GAZLpNFMlFwLQ2s2ERd0Hl4X1hmOgkejCTjS4BhAVE
BSOxRyNLiEjmrjypP+pmjZoedsnq5LaUZD5tj+0IieQ0SYCg//2GSwh8fpfNjRCx
C8rnBOT632VTKkUdIkHHOe8PzDN8L+WJYtiCiSyuCm+ExdElfibN+/N0jwhck/bF
pXHwtIaXbxMaWDbfJyrjblBZQwlfMwUzQtoNCeKtuVANCQqz77aDMsMxGXw/FXYm
c5Wut0FDGPnoITJu1b2hwA6XWPwBFB/lI+7M8l54ofssC27M4wp6xw5z1vVGz4bb
x3ypzOxoa0VkZrbXjb7o2FMOqsHdb/J23tXN2YRnVTeUGdK48KFBcrvMwQKZV+rD
AYmdJkzMLiFX0NLpviYqJT61tEQviWLVmeB2ACm8RbxN7+aE6ecZz6QvrtCsPqz9
iKeSNfSqwdHPQPe935pzfa/LcLDdvpEhSzuAcQICPhY3M33J4xc8y/0ZXkH6katL
nU75VPpt6EVU5XI=
=32VE
-----END PGP SIGNATURE-----
Merge tag 'selinux-pr-20251121' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
Pull selinux fixes from Paul Moore:
"Three SELinux patches for v6.18 to fix issues around accessing the
per-task decision cache that we introduced in v6.16 to help reduce
SELinux overhead on path walks. The problem was that despite the cache
being located in the SELinux "task_security_struct", the parent struct
wasn't actually tied to the task, it was tied to a cred.
Historically SELinux did locate the task_security_struct in the
task_struct's security blob, but it was later relocated to the cred
struct when the cred work happened, as it made the most sense at the
time.
Unfortunately we never did the task_security_struct to
cred_security_struct rename work (avoid code churn maybe? who knows)
because it didn't really matter at the time. However, it suddenly
became a problem when we added a per-task cache to a per-cred object
and didn't notice because of the old, no-longer-correct struct naming.
Thanks to KCSAN for flagging this, as the silly humans running things
forgot that the task_security_struct was a big lie.
This contains three patches, only one of which actually fixes the
problem described above and moves the SELinux decision cache from the
per-cred struct to a newly (re)created per-task struct.
The other two patches, which form the bulk of the diffstat, take care
of the associated renaming tasks so we can hopefully avoid making the
same stupid mistake in the future.
For the record, I did contemplate sending just a fix for the cache,
leaving the renaming patches for the upcoming merge window, but the
type/variable naming ended up being pretty awful and would have made
v6.18 an outlier stuck between the "old" names and the "new" names in
v6.19. The renaming patches are also fairly mechanical/trivial and
shouldn't pose much risk despite their size.
TLDR; naming things may be hard, but if you mess it up bad things
happen"
* tag 'selinux-pr-20251121' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
selinux: rename the cred_security_struct variables to "crsec"
selinux: move avdcache to per-task security struct
selinux: rename task_security_struct to cred_security_struct
-----BEGIN PGP SIGNATURE-----
iQJKBAABCAA0FiEEzOlt8mkP+tbeiYy5AoYrw/LiJnoFAmkgH58WHGNoZW5odWFj
YWlAa2VybmVsLm9yZwAKCRAChivD8uImetIQD/90qm0rkEhYnciXeSR+yuqSKk1e
YDyXkNiVjwazAUGBo0vdTvCkLa9xs2rbxXbA4cUsRYKB8lW0fRWlNlj+DxOxAroQ
0rVsgWvp5ZHzB6ppIdNEY2PF2bwk7vTdffQXlwYKoTDt95MAqxKercQX5isPe17t
S4N23hIMiNzqM9kshxi5xxm27PvJvEpdRYRoFh9zmZBrW98pLhhc668JEGautzra
dAjm7uzdeDb/f5AQFdiB+NGlYt2fRr24EPmEqyqXJAHtL9wI2t1HHUs4lb+FUILf
ZiUfJHmYbz1v6GInPbPB3Xqi5EJrrSa0+8SmnqlUr3trEQ6whqjGoV2n5v38Ppr6
PTL+fv7ACEDbr+APgWajsLCjbSzu6LDUay+vVFLLDJSxl7eYjWMZwFS5Rzr+pAc3
UJHCG8sNXyLqiwxbwRMPR/w/YTxCaULHfBuCmxQpnhU6qHsjIzpFdztycpgcuF3B
YcvZ0rAGbq+Q3glhqIe19WhswDUB94j4+Nrz80pXqJgumK42xtIbx5K4WLYFdHFo
Wxi6mW9VGPDZVysbDry2aFVVoymlYpv7p3N/txOrYuxmrr6YUyEeued3mW+99Zjj
FbdPfCOJU1sTBZcg8AiSG3nUuStKKLFu56e8oaW5kzOOAxjHsFqo3vL0JdjjeJX/
+1pRdJ/1i9k9la4/rQ==
=rVXC
-----END PGP SIGNATURE-----
Merge tag 'loongarch-fixes-6.18-2' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson
Pull LoongArch fixes from Huacai Chen:
"Use UAPI types in ptrace UAPI header to fix nolibc ptrace.
Fix CPU name display, NUMA node parsing, kexec/kdump, PCI init and BPF
trampoline"
* tag 'loongarch-fixes-6.18-2' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson:
LoongArch: BPF: Disable trampoline for kernel module function trace
LoongArch: Don't panic if no valid cache info for PCI
LoongArch: Mask all interrupts during kexec/kdump
LoongArch: Fix NUMA node parsing with numa_memblks
LoongArch: Consolidate CPU names in /proc/cpuinfo
LoongArch: Use UAPI types in ptrace UAPI header
-----BEGIN PGP SIGNATURE-----
iQJDBAABCAAuFiEEwPw5LcreJtl1+l5K99NY+ylx4KYFAmkfngUQHGF4Ym9lQGtl
cm5lbC5kawAKCRD301j7KXHgppNrD/iFobqiPSgoIO703YfN2aS74itKMuKuJfJL
7gmLwwNYx1F78l7mfvQz5vOetHcIM2xZzRENvlgeh5UBz0537zDcaXeWjILUCdSw
UxaQgnyHjJN8a5C07FfAXVTLT38133iMVCWT9OjOffPGVFtaVE4JsNI7YLziCGBc
3W69b/uob1KBzSpcWYMl1mA8ZAIoNXk0//qUdcrYuJVeeR5Gp9Cwf09g+axERYYw
OCVf0ykWeIr6B7qhKcoV95a+BsbSwKnO8n3o5bo8/nJ/dexr+ofHbf5YhtJaPhbr
o8/CZIYcfdDaYXC2z9KVZrePjinYXYiEwZkvzfoAgbE6Kd88v62ZgHbC8LcYboQ+
w+caLJ1TuEt7aHrLJAN/HbzpAEvMgmZ8Msr26RkKEp1XkiShjAmA+MEqD6zwbZ2i
DgYMetXgQm03Iso0ZseOE3nbnimI2oWWNIyFG2Wx8etmLKR6jAwP72OZumlKZweX
ZXuEWp3Kxoy6buERnR6hWM6MbMK7dIVMVXvKAjbhgbCN2Biy32nbPhW/xj6W3Foa
/0ixGv9pPp6gBA90JmVm5CxuL35wAdScnCIlrAuaBmLlJfeciwXOH5+3ymRvqe2D
k+r8Ng6rqiv6kIoje7bZvuq+i6ZvWnMtpfTanECBnFIQtCjPQyuUJqyhqiL/6puQ
hjn50LHg
=CgZ0
-----END PGP SIGNATURE-----
Merge tag 'io_uring-6.18-20251120' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux
Pull io_uring fix from Jens Axboe:
"Just a single fix for a mixup of arguments for the skb_queue_splice()
call, in the io_uring timestamp retrieval code"
* tag 'io_uring-6.18-20251120' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux:
io_uring/cmd_net: fix wrong argument types for skb_queue_splice()
- Add a missing refcount decrement in ata_scsi_dev_rescan() when
the device or its queue is not running. In the case where the
device is running, the recount is already decremented properly
(Yihang Li)
- Generate the proper sense code for a Security locked device.
There was a regression caused by a recent change of how sense
data is generated for commands that did not provide any sense
data. This broke system suspend for Security locked devices.
Generate the sense data that the SCSI disk driver expects for
a Security locked device so that system supend works again
(me)
- Set capacity to zero for a Security locked device.
All I/O commands will be aborted by a Security locked device.
Thus, the block layer disk partition scanning will result in
a bunch of, for the user, confusing I/O errors in dmesg during
boot. Since a Security locked device is unusable anyway, set
the capacity to zero, to avoid the disk partition scanning
during boot. We still create the block device in /dev such
that the user may unlock the device using e.g. hdparm (me)
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQRN+ES/c4tHlMch3DzJZDGjmcZNcgUCaSB/+AAKCRDJZDGjmcZN
cswtAP4l1Ui8d6PwHnxVvOlv1cWO/K+7XboiGZNFphf7QDZhPQD+J41BG/YNyNcB
Ma716tdF1UVayUB2OItsX0gSmmz9KgI=
=0b5E
-----END PGP SIGNATURE-----
Merge tag 'ata-6.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux
Pull ata fixes from Niklas Cassel:
- Add a missing refcount decrement in ata_scsi_dev_rescan() when
the device or its queue is not running.
In the case where the device is running, the recount is already
decremented properly (Yihang Li)
- Generate the proper sense code for a Security locked device.
There was a regression caused by a recent change of how sense
data is generated for commands that did not provide any sense
data. This broke system suspend for Security locked devices.
Generate the sense data that the SCSI disk driver expects for a
Security locked device so that system suspend works again (me)
- Set capacity to zero for a Security locked device.
All I/O commands will be aborted by a Security locked device.
Thus, the block layer disk partition scanning will result in
a bunch of, for the user, confusing I/O errors in dmesg during
boot.
Since a Security locked device is unusable anyway, set the capacity
to zero, to avoid the disk partition scanning during boot. We still
create the block device in /dev such that the user may unlock the
device using e.g. hdparm (me)
* tag 'ata-6.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux:
ata: libata-core: Set capacity to zero for a security locked drive
ata: libata-scsi: Fix system suspend for a security locked drive
ata: libata-scsi: Add missing scsi_device_put() in ata_scsi_dev_rescan()
- Fix register naming in the Mediatek mt8189 driver.
- Select REGMAP_MMIO for the Realtek RTD driver.
- Fix the number of items in groups in the Toshiba
Visconti driver.
- Fix a memory leak in the Cirrus CS42L43 driver.
- Fix a deadlock (!) in Qualcomm pinmux configuration.
- Fix use of uninitialized memory and list initialization
in the S32CC pin controller.
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEElDRnuGcz/wPCXQWMQRCzN7AZXXMFAmkgkXUACgkQQRCzN7AZ
XXNxZxAAn7JgQd+ec2G8NtCXDd9CklEgnj8nrAp5k2DxdIfgmumrUWnuk0sFg5gR
r9bHZXTucbFEhSXzZklMsYY3fIBDAFc4pcZe3+T3dwvLuP9eNT9WAKCxKrZol8b4
5x/D6nqfOMbYPBGwoR/tK1QUbbWxyC/LgjgUXr7GV5jKFZSDponWqOE50JdG3g8K
ykJZFTZb++NLoBCW5IKPoKR+p2z5eyO0oiSrsgsFJvHsNy3ID6/L1lab9udJ1VdD
TNLtnGuB3FEpUOUycx/Y4OyuMoVe2ySr2mqsSAVEWXB8+reAIZF3v5Y1uYYkn7j3
TwJ4qUTm7DtOlcCuH0GfyPuA0NLwFteTBVQl1w43i2Zcuy2prpZ0sYjMLPmwZTbX
YiZgjo7lz2CxhGKkhOlcgrvxhoembEhD9Z8YL7CLn04dykjjnzTD7O1Hr2NA+ZwD
ttbc5+2adyfaewIbo1zJNwP81x1wBVzPCDQVS+/h4lQB5AAxZpcYC8pz/zx84fTO
Qg+nRk9hSjWjGqi9JGpsJRtNR04Q58qThDg3xuumq+17TtYUPTE7BCzpuV2jyodE
UV1cHwjULp9e/f3dumDG15V733xUUtHEGNkk9AFD+F5X+QtChK1uDSbYlybsr/qc
UbhoYHA+jQz5L3I4MIuU41ekVdVYlH5PKzDI5jTJOQUra9M/sag=
=dfY2
-----END PGP SIGNATURE-----
Merge tag 'pinctrl-v6.18-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
Pull pin control fixes from Linus Walleij:
- Fix register naming in the Mediatek mt8189 driver
- Select REGMAP_MMIO for the Realtek RTD driver
- Fix the number of items in groups in the Toshiba Visconti driver
- Fix a memory leak in the Cirrus CS42L43 driver
- Fix a deadlock (!) in Qualcomm pinmux configuration
- Fix use of uninitialized memory and list initialization in the S32CC
pin controller
* tag 'pinctrl-v6.18-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
dt-bindings: pinctrl: xlnx,versal-pinctrl: Add missing unevaluatedProperties on '^conf' nodes
pinctrl: s32cc: initialize gpio_pin_config::list after kmalloc()
pinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc
pinctrl: qcom: msm: Fix deadlock in pinmux configuration
pinctrl: cirrus: Fix fwnode leak in cs42l43_pin_probe()
dt-bindings: pinctrl: toshiba,visconti: Fix number of items in groups
pinctrl: realtek: Select REGMAP_MMIO for RTD driver
pinctrl: mediatek: mt8189: align register base names to dt-bindings ones
pinctrl: mediatek: mt8196: align register base names to dt-bindings ones
- fix a use-after-free bug in GPIO character device code
- update MAINTAINERS
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEkeUTLeW1Rh17omX8BZ0uy/82hMMFAmkgdpIACgkQBZ0uy/82
hMMt3Q/9E7I9oc89DFy9yZ6YXM8k2EpiIWvfygTMdVEx91i16L2591XFlrc6oQjQ
c7Aaw6CWDVe20VlrWNMYxUQH2TUmROeQr3DJol8DUBRshLeVOEpWU6G0hvdFSucl
lrDCS2ZkhNUswf0PLT+787OvdUhIvXGbvZv+Rcd5N+P7wxUwZkMStArl7PaAHVKt
pNlUE6R0BtwPDWhi0wgag/RAmGo8TEdBcSinak9Ph9rdQg3GSPA1AsssFPqd1a13
j2MdcWJQAEUKm6ecEcBSFeBR62LhhgIEo7iybHAtLml/qiGzz5sAj3gOBG4filLi
YLhTLxKOiGzkpg+MqYioj42JCpCobEhIkPV+/W9jmZePFH2pyKEdHnI4dF0xcp/8
+1WQo6xaZtTwADkyG3d0ardJdgZ0fc4AxQcSck29O+1NG0hd1Z+dL1cffdyJ8fxi
OHucAlO/P/k7/T83eSZhRZaxdTWXCieWEJ1VzgwOsu/DnNvIcwhbyKGeFuS7z3Xj
Gs1AFfh6GpFkK6ueZDz0ipBvtHqQTdzu1IwvosWMhmmPz/QdcxOywNK+UArvt6lg
P5Tj6Wes0/ymZTKiPHicSx8UaqC8MliMKpJAWybePox6KieirXiht+a/qJvEXsbm
ekPXH3RwsHNBlzB+dP+fa3aJWvd0F/2YVnug4T6a/QEVuNvJx7U=
=nTA4
-----END PGP SIGNATURE-----
Merge tag 'gpio-fixes-for-v6.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux
Pull gpio fixes from Bartosz Golaszewski:
- fix a use-after-free bug in GPIO character device code
- update MAINTAINERS
* tag 'gpio-fixes-for-v6.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux:
MAINTAINERS: update my email address
gpio: cdev: make sure the cdev fd is still active before emitting events
Fully initialize *ctx, including the buf field which sha256_init()
doesn't initialize, to avoid a KMSAN warning when comparing *ctx to
orig_ctx. This KMSAN warning slipped in while KMSAN was not working
reliably due to a stackdepot bug, which has now been fixed.
Fixes: 6733968be7cb ("lib/crypto: tests: Add tests and benchmark for sha256_finup_2x()")
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://lore.kernel.org/r/20251121033431.34406-1-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Apparently as of version 2.42, glibc headers define AT_RENAME_NOREPLACE
and some of the other flags for renameat2() and friends in <stdio.h>.
Which would all be fine, except for inexplicable reasons glibc decided
to define them _differently_ from the kernel definitions, which then
makes some of our sample code that includes both kernel headers and user
space headers unhappy, because the compiler will (correctly) complain
about redefining things.
Now, mixing kernel headers and user space headers is always a somewhat
iffy proposition due to namespacing issues, but it's kind of inevitable
in our sample and selftest code. And this is just glibc being stupid.
Those defines come from the kernel, glibc is exposing the kernel
interfaces, and glibc shouldn't make up some random new expressions for
these values.
It's not like glibc headers changed the actual result values, but they
arbitrarily just decided to use a different expression to describe those
values. The kernel just does
#define AT_RENAME_NOREPLACE 0x0001
while glibc does
# define RENAME_NOREPLACE (1 << 0)
# define AT_RENAME_NOREPLACE RENAME_NOREPLACE
instead. Same value in the end, but very different macro definition.
For absolutely no reason.
This has since been fixed in the glibc development tree, so eventually
we'll end up with the canonical expressions and no clashes. But in the
meantime the broken headers are in the glibc-2.42 release and have made
it out into distributions.
Do a minimal work-around to make the samples build cleanly by just
undefining the affected macros in between the user space header include
and the kernel header includes.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Commit 69896119dc9d ("MIPS: vdso: Switch to generic storage
implementation") switches to a generic vdso storage, which increases
the number of data pages from 1 to 4. But there is only one page
reserved, which causes segementation faults depending where the VDSO
area is randomized to. To fix this use the same size of reservation
and allocation of the VDSO data pages.
Fixes: 69896119dc9d ("MIPS: vdso: Switch to generic storage implementation")
Reviewed-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Reviewed-by: Huacai Chen <chenhuacai@loongson.cn>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Depending on the particular CPU implementation a TLB shutdown may occur
if multiple matching entries are detected upon the execution of a TLBP
or the TLBWI/TLBWR instructions. Given that we don't know what entries
we have been handed we need to be very careful with the initial TLB
setup and avoid all these instructions.
Therefore read all the TLB entries one by one with the TLBR instruction,
bypassing the content addressing logic, and truncate any large pages in
place so as to avoid a case in the second step where an incoming entry
for a large page at a lower address overlaps with a replacement entry
chosen at another index. Then preinitialize the TLB using addresses
outside our usual unique range and avoiding clashes with any entries
received, before making the usual call to local_flush_tlb_all().
This fixes (at least) R4x00 cores if TLBP hits multiple matching TLB
entries (SGI IP22 PROM for examples sets up all TLBs to the same virtual
address).
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Fixes: 35ad7e181541 ("MIPS: mm: tlb-r4k: Uniquify TLB entries on init")
Cc: stable@vger.kernel.org
Reviewed-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Tested-by: Jiaxun Yang <jiaxun.yang@flygoat.com> # Boston I6400, M5150 sim
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Along with the renaming from task_security_struct to cred_security_struct,
rename the local variables to "crsec" from "tsec". This both fits with
existing conventions and helps distinguish between task and cred related
variables.
No functional changes.
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
The avdcache is meant to be per-task; move it to a new
task_security_struct that is duplicated per-task.
Cc: stable@vger.kernel.org
Fixes: 5d7ddc59b3d89b724a5aa8f30d0db94ff8d2d93f ("selinux: reduce path walk overhead")
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
[PM: line length fixes]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Before Linux had cred structures, the SELinux task_security_struct was
per-task and although the structure was switched to being per-cred
long ago, the name was never updated. This change renames it to
cred_security_struct to avoid confusion and pave the way for the
introduction of an actual per-task security structure for SELinux. No
functional change.
Cc: stable@vger.kernel.org
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
A crash was observed when the sched_ext selftests runner was
terminated with Ctrl+\ while test 15 was running:
NIP [c00000000028fa58] scx_enable.constprop.0+0x358/0x12b0
LR [c00000000028fa2c] scx_enable.constprop.0+0x32c/0x12b0
Call Trace:
scx_enable.constprop.0+0x32c/0x12b0 (unreliable)
bpf_struct_ops_link_create+0x18c/0x22c
__sys_bpf+0x23f8/0x3044
sys_bpf+0x2c/0x6c
system_call_exception+0x124/0x320
system_call_vectored_common+0x15c/0x2ec
kthread_run_worker() returns an ERR_PTR() on failure rather than NULL,
but the current code in scx_alloc_and_add_sched() only checks for a NULL
helper. Incase of failure on SIGQUIT, the error is not handled in
scx_alloc_and_add_sched() and scx_enable() ends up dereferencing an
error pointer.
Error handling is fixed in scx_alloc_and_add_sched() to propagate
PTR_ERR() into ret, so that scx_enable() jumps to the existing error
path, avoiding random dereference on failure.
Fixes: bff3b5aec1b7 ("sched_ext: Move disable machinery into scx_sched")
Cc: stable@vger.kernel.org # v6.16+
Reported-and-tested-by: Samir Mulani <samir@linux.ibm.com>
Signed-off-by: Saket Kumar Bhaskar <skb99@linux.ibm.com>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Reviewed-by: Andrea Righi <arighi@nvidia.com>
Reviewed-by: Vishal Chourasia <vishalc@linux.ibm.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
If timestamp retriving needs to be retried and the local list of
SKB's already has entries, then it's spliced back into the socket
queue. However, the arguments for the splice helper are transposed,
causing exactly the wrong direction of splicing into the on-stack
list. Fix that up.
Cc: stable@vger.kernel.org
Reported-by: Google Big Sleep <big-sleep-vuln-reports+bigsleep-462435176@google.com>
Fixes: 9e4ed359b8ef ("io_uring/netcmd: add tx timestamping cmd support")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Fix a regression introduced during the 6.16 development cycle that
may cause runtime PM to be enabled by mistake for devices that do not
support it (which may lead to some serious trouble) if there is a
system wakeup event during the "late suspend" phase of system suspend.
-----BEGIN PGP SIGNATURE-----
iQFGBAABCAAwFiEEcM8Aw/RY0dgsiRUR7l+9nS/U47UFAmkfS9ASHHJqd0Byand5
c29ja2kubmV0AAoJEO5fvZ0v1OO1cKQH/RbZZcC/4q3lUgMfk0+C/6Y+4Nv7MxDR
jT4fxYinFVSAVpcAIomB838C4PBuIilNKu2JUR62Rw2Pa5PSvVMZcpIHWMdb/QXn
7V5f0CQIGeWdzOBuXlzMWzko6D3CBBBHQMOBPFWD1w5DeT04DRDBAyqW+Osb6NEU
aywA+qFkSSg+m+IzkNZGiIgKW9y6oponKetGTuB5b4C0c6WhMg9abc+isKC4yLXY
NufuHokqSRn19RoKpzz1IBnHDE6yVoy9/O9QNY8yfKvLOr8MCRN6rbPwbMF3tcSk
RQ+jASuIlEgExe0fsP+K1KTPh++EUOottirM9b1B6rj4UwHN+Yq95dk=
=7MZg
-----END PGP SIGNATURE-----
Merge tag 'pm-6.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
Pull power management fix from Rafael Wysocki:
"Fix a regression introduced during the 6.16 development cycle that may
cause runtime PM to be enabled by mistake for devices that do not
support it (which may lead to some serious trouble) if there is a
system wakeup event during the "late suspend" phase of system suspend"
* tag 'pm-6.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
PM: sleep: core: Fix runtime PM enabling in device_resume_early()
This fixes EINJV2 support introduced during the 6.17 cycle by unbreaking
the initialization broken by a previous attempted fix, adding sanity
checks for data coming from the platform firmware, and updating the code
to handle injecting legacy error types on an EINJV2 capable systems
properly (Tony Luck).
-----BEGIN PGP SIGNATURE-----
iQFGBAABCAAwFiEEcM8Aw/RY0dgsiRUR7l+9nS/U47UFAmkfTbkSHHJqd0Byand5
c29ja2kubmV0AAoJEO5fvZ0v1OO1sW0H/1hrZXwWMnevTKSrjEgcfCu7Bj2JHTNl
DqkjMOgU4uX+F6cO/Vitfs3j2N4FM6DCQpEvXBFso8jPkUjp0Ekw/zYoePcecdTd
JPD/IIOcJJBrmbHMkEHwHNiaXEqNxKlvAYvdsVLGPZxut+ysiOqYYRjtYDwSFcjr
F9FliIDn0HUDBYwV3ItiIZupUjkmficmiLO7AFAZddbugtCSEcdtQw207iq5NSN3
zfdVyGv0DOVwub3KEcRQOmMr8orUho5Z62/ms4RUl6b8jpIo8S57Yoxp9/J9cfDt
1eU2q8XnkKy/GbhEGehvRt3D/pTUUGdrgfEM40FUgROR1hI+b5MFE1w=
=NauX
-----END PGP SIGNATURE-----
Merge tag 'acpi-6.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
Pull ACPI fix from Rafael Wysocki:
"This fixes EINJV2 support introduced during the 6.17 cycle by
unbreaking the initialization broken by a previous attempted fix,
adding sanity checks for data coming from the platform firmware, and
updating the code to handle injecting legacy error types on an EINJV2
capable systems properly (Tony Luck)"
* tag 'acpi-6.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
ACPI: APEI: EINJ: Fix EINJV2 initialization and injection
Fixes
- acer-wmi: Ignore backlight event
- alienware-wmi-wmax: Fix quirk match table order & drop redundant entries
- amd/pmc:
- Add Xbox Ally to spurious 8042 quirk list
- Quirk list Lenovo Legion Go 2 NVMe resume
- msi-wmi-platform:
- Correct GUID to uppercase
- GUID is uncleverly copy-pasted from an example so add a DMI whitelist
- intel/speed_select_if: PCIBIOS_* return code conversion
- intel-uncore-freq & ISST: Fix kernel doc warnings
New HW support
- alienware-wmi-wmax:
- Alienware 16 Aurora support
- Alienware M support
- Alienware X support
- Dell G support
- amd/pmc:
- ROG Xbox Ally (non-X) support
- huaway-wmi: HONOR MagicBoox X16/X14 PrintScreen & YOYO keys
- hp-wmi:
- Omen 16-wf1xxx fan support
- Omen MAX 16-ah0xx fan + thermal profile support
- Victus 16-r0 and 16-s0 fan + thermal profile support
- intel/hid: Intel Nova Lake support
- intel-uncore-freq:
- Intel Panther Lake support
- Intel Wildcat Lake support
- Intel Nova Lake support
The following is an automated shortlog grouped by driver:
acer-wmi:
- Ignore backlight event
alienware-wmi-wmax:
- Add AWCC support to Alienware 16 Aurora
- Add support for the whole "G" family
- Add support for the whole "M" family
- Add support for the whole "X" family
- Drop redundant DMI entries
- Fix "Alienware m16 R1 AMD" quirk order
amd: pmc:
- Add Lenovo Legion Go 2 to pmc quirk list
amd/pmc:
- Add spurious_8042 to Xbox Ally
- Add support for Van Gogh SoC
hp-wmi:
- Add Omen 16-wf1xxx fan support
- Add Omen MAX 16-ah0xx fan support and thermal profile
- mark Victus 16-r0 and 16-s0 for victus_s fan and thermal profile support
huawei-wmi:
- add keys for HONOR models
intel/hid:
- Add Nova Lake support
intel/speed_select_if:
- Convert PCIBIOS_* return codes to errnos
intel-uncore-freq:
- Add additional client processors
- fix all header kernel-doc warnings
ISST: isst_if.h:
- fix all kernel-doc warnings
msi-wmi-platform:
- Fix typo in WMI GUID
- Only load on MSI devices
-----BEGIN PGP SIGNATURE-----
iHUEABYIAB0WIQSCSUwRdwTNL2MhaBlZrE9hU+XOMQUCaR9GsgAKCRBZrE9hU+XO
MU2qAQD8C75ebO/ltd9LZ4oTzfe0P6kmV+28z0D97tFsFmt0hwEA/fZHU/bV1+3c
+gRnoLCl4yPh214OgWnmsciPhW3iyAM=
=AtKC
-----END PGP SIGNATURE-----
Merge tag 'platform-drivers-x86-v6.18-4' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86
Pull x86 platform driver fixes from Ilpo Järvinen:
"This one has lots of new HW entries which adds to the size in diffstat
but the individual changes are simple.
Fixes
- acer-wmi: Ignore backlight event
- alienware-wmi-wmax: Fix quirk match table order & drop redundant
entries
- amd/pmc:
- Add Xbox Ally to spurious 8042 quirk list
- Quirk list Lenovo Legion Go 2 NVMe resume
- msi-wmi-platform:
- Correct GUID to uppercase
- GUID is uncleverly copy-pasted from an example so add a DMI
whitelist
- intel/speed_select_if: PCIBIOS_* return code conversion
- intel-uncore-freq & ISST: Fix kernel doc warnings
New HW support
- alienware-wmi-wmax:
- Alienware 16 Aurora support
- Alienware M support
- Alienware X support
- Dell G support
- amd/pmc:
- ROG Xbox Ally (non-X) support
- huaway-wmi: HONOR MagicBoox X16/X14 PrintScreen & YOYO keys
- hp-wmi:
- Omen 16-wf1xxx fan support
- Omen MAX 16-ah0xx fan + thermal profile support
- Victus 16-r0 and 16-s0 fan + thermal profile support
- intel/hid: Intel Nova Lake support
- intel-uncore-freq:
- Intel Panther Lake support
- Intel Wildcat Lake support
- Intel Nova Lake support"
* tag 'platform-drivers-x86-v6.18-4' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86: (21 commits)
platform/x86: intel-uncore-freq: fix all header kernel-doc warnings
platform/x86: acer-wmi: Ignore backlight event
platform/x86/intel/speed_select_if: Convert PCIBIOS_* return codes to errnos
platform/x86/intel/hid: Add Nova Lake support
platform/x86: alienware-wmi-wmax: Add AWCC support to Alienware 16 Aurora
platform/x86: hp-wmi: Add Omen MAX 16-ah0xx fan support and thermal profile
platform/x86: msi-wmi-platform: Fix typo in WMI GUID
platform/x86: msi-wmi-platform: Only load on MSI devices
platform/x86/amd: pmc: Add Lenovo Legion Go 2 to pmc quirk list
platform/x86/amd/pmc: Add spurious_8042 to Xbox Ally
platform/x86/amd/pmc: Add support for Van Gogh SoC
platform/x86: alienware-wmi-wmax: Add support for the whole "G" family
platform/x86: alienware-wmi-wmax: Add support for the whole "X" family
platform/x86: alienware-wmi-wmax: Add support for the whole "M" family
platform/x86: alienware-wmi-wmax: Drop redundant DMI entries
platform/x86: alienware-wmi-wmax: Fix "Alienware m16 R1 AMD" quirk order
platform/x86: ISST: isst_if.h: fix all kernel-doc warnings
platform/x86: intel-uncore-freq: Add additional client processors
platform/x86: hp-wmi: Add Omen 16-wf1xxx fan support
platform/x86: huawei-wmi: add keys for HONOR models
...
Previous releases - regressions:
- prevent NULL deref in generic_hwtstamp_ioctl_lower(),
newer APIs don't populate all the pointers in the request
- phylink: add missing supported link modes for the fixed-link
- mptcp: fix false positive warning in mptcp_pm_nl_rm_addr
Previous releases - always broken:
- openvswitch: remove never-working support for setting NSH fields
- xfrm: number of fixes for error paths of xfrm_state creation/
modification/deletion
- xfrm: fixes for offload
- fix the determination of the protocol of the inner packet
- don't push locally generated packets directly to L2 tunnel
mode offloading, they still need processing from the standard
xfrm path
- mptcp: fix a couple of corner cases in fallback and fastclose
handling
- wifi: rtw89: hw_scan: prevent connections from getting stuck,
work around apparent bug in FW by tweaking messages we send
- af_unix: fix duplicate data if PEEK w/ peek_offset needs to wait
- veth: more robust handing of race to avoid txq getting stuck
- eth: ps3_gelic_net: handle skb allocation failures
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE6jPA+I1ugmIBA4hXMUZtbf5SIrsFAmkfQv8ACgkQMUZtbf5S
IruptQ//aa3wFISt/xfCxaygNnQAL1gxWbKg15cLnv88S5r5wrh+Mf/r+qHkT0IG
qaxPToztcTKNGzRqMI/7x/OEXjCdfEmJtNcb5JfYRxGkYVcje81bhHrxZN+nLLcj
jx1xD7rXCjfFNDVFSl+OzQkoTZtfGphX+JgCTKLPZ8t4qR/UhU1IwYgpoaiK0uCT
gitXJPHrDGJLHud0ilaXbn+q0ZH9ZU08QSRhsaAq7C6YPafUseEr2fuQYgFr1kkp
mtzFm84bEnRSneQ5+noVzoc5llbu3vf3Wd9Y5tr5sBaBjh5OpH/kK0kuPy6Lzhvd
8y05jl8kyASMtRBoTvmpYOdi3xUNbge5AwJN3FIo4KPCmyr1bQoNoQVIivUpoiGz
Zvv7QcceP7E5057CRuhi06krld/QaScHkmhUododbqJKmL8NWaSoXLRO7oYjB4kU
1MuAwOJWVpsqnTUEbMw7dHJPZFTqRkLYv6oAmIqb/AWzTcqg9OXjLEc+OzUqWEl6
mHv/SonSjAM81m3GxCxtNtH2ErKwdMIgI/ado39+KvksKTH1bhN9ZpmuyyktzpCj
PBn9FVdd7zyct92u5xXtsKVkDWKGyD419Z2lFHC0FaAsNQmPrSqzi+U50pAtie5M
JWABm8hsSdia4dTDrdldMgM50dzuBd5nSceY7XCqPA8nZ5+Af/8=
=89Xl
-----END PGP SIGNATURE-----
Merge tag 'net-6.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
Pull networking fixes from Jakub Kicinski:
"Including fixes from IPsec and wireless.
Previous releases - regressions:
- prevent NULL deref in generic_hwtstamp_ioctl_lower(),
newer APIs don't populate all the pointers in the request
- phylink: add missing supported link modes for the fixed-link
- mptcp: fix false positive warning in mptcp_pm_nl_rm_addr
Previous releases - always broken:
- openvswitch: remove never-working support for setting NSH fields
- xfrm: number of fixes for error paths of xfrm_state creation/
modification/deletion
- xfrm: fixes for offload
- fix the determination of the protocol of the inner packet
- don't push locally generated packets directly to L2 tunnel
mode offloading, they still need processing from the standard
xfrm path
- mptcp: fix a couple of corner cases in fallback and fastclose
handling
- wifi: rtw89: hw_scan: prevent connections from getting stuck,
work around apparent bug in FW by tweaking messages we send
- af_unix: fix duplicate data if PEEK w/ peek_offset needs to wait
- veth: more robust handing of race to avoid txq getting stuck
- eth: ps3_gelic_net: handle skb allocation failures"
* tag 'net-6.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (47 commits)
vsock: Ignore signal/timeout on connect() if already established
be2net: pass wrb_params in case of OS2BMC
l2tp: reset skb control buffer on xmit
net: dsa: microchip: lan937x: Fix RGMII delay tuning
selftests: mptcp: add a check for 'add_addr_accepted'
mptcp: fix address removal logic in mptcp_pm_nl_rm_addr
selftests: mptcp: join: userspace: longer timeout
selftests: mptcp: join: endpoints: longer timeout
selftests: mptcp: join: fastclose: remove flaky marks
mptcp: fix duplicate reset on fastclose
mptcp: decouple mptcp fastclose from tcp close
mptcp: do not fallback when OoO is present
mptcp: fix premature close in case of fallback
mptcp: avoid unneeded subflow-level drops
mptcp: fix ack generation for fallback msk
wifi: rtw89: hw_scan: Don't let the operating channel be last
net: phylink: add missing supported link modes for the fixed-link
selftest: af_unix: Add test for SO_PEEK_OFF.
af_unix: Read sk_peek_offset() again after sleeping in unix_stream_read_generic().
net/mlx5: Clean up only new IRQ glue on request_irq() failure
...
tk_aux_sysfs_init() returns immediately on error during the auxiliary clock
initialization loop without cleaning up previously allocated kobjects and
sysfs groups.
If kobject_create_and_add() or sysfs_create_group() fails during loop
iteration, the parent kobjects (tko and auxo) and any previously created
child kobjects are leaked.
Fix this by adding proper error handling with goto labels to ensure all
allocated resources are cleaned up on failure. kobject_put() on the
parent kobjects will handle cleanup of their children.
Fixes: 7b95663a3d96 ("timekeeping: Provide interface to control auxiliary clocks")
Signed-off-by: Malaya Kumar Rout <mrout@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://patch.msgid.link/20251120150213.246777-1-mrout@redhat.com
During connect(), acting on a signal/timeout by disconnecting an already
established socket leads to several issues:
1. connect() invoking vsock_transport_cancel_pkt() ->
virtio_transport_purge_skbs() may race with sendmsg() invoking
virtio_transport_get_credit(). This results in a permanently elevated
`vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling.
2. connect() resetting a connected socket's state may race with socket
being placed in a sockmap. A disconnected socket remaining in a sockmap
breaks sockmap's assumptions. And gives rise to WARNs.
3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a
transport change/drop after TCP_ESTABLISHED. Which poses a problem for
any simultaneous sendmsg() or connect() and may result in a
use-after-free/null-ptr-deref.
Do not disconnect socket on signal/timeout. Keep the logic for unconnected
sockets: they don't linger, can't be placed in a sockmap, are rejected by
sendmsg().
[1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/
[2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/
[3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/
Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/20251119-vsock-interrupted-connect-v2-1-70734cf1233f@rbox.co
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
be_insert_vlan_in_pkt() is called with the wrb_params argument being NULL
at be_send_pkt_to_bmc() call site. This may lead to dereferencing a NULL
pointer when processing a workaround for specific packet, as commit
bc0c3405abbb ("be2net: fix a Tx stall bug caused by a specific ipv6
packet") states.
The correct way would be to pass the wrb_params from be_xmit().
Fixes: 760c295e0e8d ("be2net: Support for OS2BMC.")
Cc: stable@vger.kernel.org
Signed-off-by: Andrey Vatoropin <a.vatoropin@crpt.ru>
Link: https://patch.msgid.link/20251119105015.194501-1-a.vatoropin@crpt.ru
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
For Security locked drives (drives that have Security enabled, and have
not been Security unlocked by boot firmware), the automatic partition
scanning will result in the user being spammed with errors such as:
ata5.00: failed command: READ DMA
ata5.00: cmd c8/00:08:00:00:00/00:00:00:00:00/e0 tag 7 dma 4096 in
res 51/04:08:00:00:00/00:00:00:00:00/e0 Emask 0x1 (device error)
ata5.00: status: { DRDY ERR }
ata5.00: error: { ABRT }
sd 4:0:0:0: [sda] tag#7 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s
sd 4:0:0:0: [sda] tag#7 Sense Key : Aborted Command [current]
sd 4:0:0:0: [sda] tag#7 Add. Sense: No additional sense information
during boot, because most commands except for IDENTIFY will be aborted by
a Security locked drive.
For a Security locked drive, set capacity to zero, so that no automatic
partition scanning will happen.
If the user later unlocks the drive using e.g. hdparm, the close() by the
user space application should trigger a revalidation of the drive.
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Commit cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status
handling") fixed ata_to_sense_error() to properly generate sense key
ABORTED COMMAND (without any additional sense code), instead of the
previous bogus sense key ILLEGAL REQUEST with the additional sense code
UNALIGNED WRITE COMMAND, for a failed command.
However, this broke suspend for Security locked drives (drives that have
Security enabled, and have not been Security unlocked by boot firmware).
The reason for this is that the SCSI disk driver, for the Synchronize
Cache command only, treats any sense data with sense key ILLEGAL REQUEST
as a successful command (regardless of ASC / ASCQ).
After commit cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error()
status handling") the code that treats any sense data with sense key
ILLEGAL REQUEST as a successful command is no longer applicable, so the
command fails, which causes the system suspend to be aborted:
sd 1:0:0:0: PM: dpm_run_callback(): scsi_bus_suspend returns -5
sd 1:0:0:0: PM: failed to suspend async: error -5
PM: Some devices failed to suspend, or early wake event detected
To make suspend work once again, for a Security locked device only,
return sense data LOGICAL UNIT ACCESS NOT AUTHORIZED, the actual sense
data which a real SCSI device would have returned if locked.
The SCSI disk driver treats this sense data as a successful command.
Cc: stable@vger.kernel.org
Reported-by: Ilia Baryshnikov <qwelias@gmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220704
Fixes: cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status handling")
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Call scsi_device_put() in ata_scsi_dev_rescan() if the device or its
queue are not running.
Fixes: 0c76106cb975 ("scsi: sd: Fix TCG OPAL unlock on system resume")
Cc: stable@vger.kernel.org
Signed-off-by: Yihang Li <liyihang9@h-partners.com>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Niklas Cassel <cassel@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEpeA8sTs3M8SN2hR410qiO8sPaAAFAmke1ccACgkQ10qiO8sP
aAC5pg/9FI7YeMa8/wguZp8avQ0w48/GIaJ5qk7vpDoFuAoj9JSeIqCdlX7Kuo8L
NulrCswFdVvpFhYqwnhYtstgaXTSxmx9Tt0VlQ4UUBevWwvgbScpB60KzpMssCW8
sXkqqT6dWHhuj9y2W4yZJahp5is5Yt/I6B5BsOst/VRtUyr2uN29HNjIFEJ4WHvg
h/wNd3kGuBpwnDeIcwpeekpoSnD0C+JXDvIIMN2E2lGzF37oxMEmUDZsq4UmFLFP
/Ntlce4CyTk4qv/cESGykaTPKA5LHLtBJnRP7//suLldwuLbkCvLwFNqy78QamRB
pgx2Vn4eTayUFjFUojnlgFR8LnmoeSa9RQspx4KPqbFCxpJ49G14D7ZIDfDD1EW6
WjIUEqIcR6d2sdPFIGvKcAqadH0/qN8z5OSwKXl+8VYopintfMc3oYz1Zx1Q8/F8
jIWEKLHvCntrNuUEdhZToiqklA6I8StoLan3LvZVFXloSecxsrZ6kq/bTblmq7S9
iI6WeaFmzbhAHWKorD8u0K6kRJnMcftGPpGD0zgqbx1rb7T9DFWa11O/DS/EsXAE
GssVtqu1+G7PqsDsHmtExm/YuCF/mBKfDSmV5AaQzD333uedthN+OehcmAtFoxzL
Ipjhog0hCwryNQ7rPASRRCWjxHEqPc4Yk84HIB8e2XHEvCLONhY=
=5p6s
-----END PGP SIGNATURE-----
Merge tag 'wireless-2025-11-20' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless
Johannes Berg says:
====================
wireless-2025-11-20
A single fix for scanning on some rtw89 devices.
* tag 'wireless-2025-11-20' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless:
wifi: rtw89: hw_scan: Don't let the operating channel be last
====================
Link: https://patch.msgid.link/20251120085433.8601-3-johannes@sipsolutions.net
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
The L2TP stack did not reset the skb control buffer before sending the
encapsulated package.
In a setup with an ath10k radio and batman-adv over an L2TP tunnel
massive fragmentations happen sporadically if the L2TP tunnel is
established over IPv4.
L2TP might reset some of the fields in the IP control buffer, but L2TP
assumes the type of the control buffer to be of an IPv4 packet.
In case the L2TP interface is used as a batadv hardif or the packet is
an IPv6 packet, this assumption breaks.
Clear the entire control buffer to avoid such mishaps altogether.
Fixes: f77ae9390438 ("[PPPOL2TP]: Reset meta-data in xmit function")
Signed-off-by: David Bauer <mail@david-bauer.net>
Link: https://patch.msgid.link/20251118001619.242107-1-mail@david-bauer.net
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Correct RGMII delay application logic in lan937x_set_tune_adj().
The function was missing `data16 &= ~PORT_TUNE_ADJ` before setting the
new delay value. This caused the new value to be bitwise-OR'd with the
existing PORT_TUNE_ADJ field instead of replacing it.
For example, when setting the RGMII 2 TX delay on port 4, the
intended TUNE_ADJUST value of 0 (RGMII_2_TX_DELAY_2NS) was
incorrectly OR'd with the default 0x1B (from register value 0xDA3),
leaving the delay at the wrong setting.
This patch adds the missing mask to clear the field, ensuring the
correct delay value is written. Physical measurements on the RGMII TX
lines confirm the fix, showing the delay changing from ~1ns (before
change) to ~2ns.
While testing on i.MX 8MP showed this was within the platform's timing
tolerance, it did not match the intended hardware-characterized value.
Fixes: b19ac41faa3f ("net: dsa: microchip: apply rgmii tx and rx delay in phylink mac config")
Cc: stable@vger.kernel.org
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://patch.msgid.link/20251114090951.4057261-1-o.rempel@pengutronix.de
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
xfs/286 produced this report on my test fleet:
==================================================================
BUG: KFENCE: out-of-bounds read in memcpy_orig+0x54/0x110
Out-of-bounds read at 0xffff88843fe9e038 (184B right of kfence-#184):
memcpy_orig+0x54/0x110
xrep_symlink_salvage_inline+0xb3/0xf0 [xfs]
xrep_symlink_salvage+0x100/0x110 [xfs]
xrep_symlink+0x2e/0x80 [xfs]
xrep_attempt+0x61/0x1f0 [xfs]
xfs_scrub_metadata+0x34f/0x5c0 [xfs]
xfs_ioc_scrubv_metadata+0x387/0x560 [xfs]
xfs_file_ioctl+0xe23/0x10e0 [xfs]
__x64_sys_ioctl+0x76/0xc0
do_syscall_64+0x4e/0x1e0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
kfence-#184: 0xffff88843fe9df80-0xffff88843fe9dfea, size=107, cache=kmalloc-128
allocated by task 3470 on cpu 1 at 263329.131592s (192823.508886s ago):
xfs_init_local_fork+0x79/0xe0 [xfs]
xfs_iformat_local+0xa4/0x170 [xfs]
xfs_iformat_data_fork+0x148/0x180 [xfs]
xfs_inode_from_disk+0x2cd/0x480 [xfs]
xfs_iget+0x450/0xd60 [xfs]
xfs_bulkstat_one_int+0x6b/0x510 [xfs]
xfs_bulkstat_iwalk+0x1e/0x30 [xfs]
xfs_iwalk_ag_recs+0xdf/0x150 [xfs]
xfs_iwalk_run_callbacks+0xb9/0x190 [xfs]
xfs_iwalk_ag+0x1dc/0x2f0 [xfs]
xfs_iwalk_args.constprop.0+0x6a/0x120 [xfs]
xfs_iwalk+0xa4/0xd0 [xfs]
xfs_bulkstat+0xfa/0x170 [xfs]
xfs_ioc_fsbulkstat.isra.0+0x13a/0x230 [xfs]
xfs_file_ioctl+0xbf2/0x10e0 [xfs]
__x64_sys_ioctl+0x76/0xc0
do_syscall_64+0x4e/0x1e0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
CPU: 1 UID: 0 PID: 1300113 Comm: xfs_scrub Not tainted 6.18.0-rc4-djwx #rc4 PREEMPT(lazy) 3d744dd94e92690f00a04398d2bd8631dcef1954
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-4.module+el8.8.0+21164+ed375313 04/01/2014
==================================================================
On further analysis, I realized that the second parameter to min() is
not correct. xfs_ifork::if_bytes is the size of the xfs_ifork::if_data
buffer. if_bytes can be smaller than the data fork size because:
(a) the forkoff code tries to keep the data area as large as possible
(b) for symbolic links, if_bytes is the ondisk file size + 1
(c) forkoff is always a multiple of 8.
Case in point: for a single-byte symlink target, forkoff will be
8 but the buffer will only be 2 bytes long.
In other words, the logic here is wrong and we walk off the end of the
incore buffer. Fix that.
Cc: stable@vger.kernel.org # v6.10
Fixes: 2651923d8d8db0 ("xfs: online repair of symbolic links")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
