]> git.ipfire.org Git - thirdparty/kernel/linux.git/log
thirdparty/kernel/linux.git
3 weeks agorxrpc: Don't move a peeked OOB message onto the pending queue
Hyunwoo Kim [Tue, 9 Jun 2026 14:09:06 +0000 (15:09 +0100)] 
rxrpc: Don't move a peeked OOB message onto the pending queue

rxrpc_recvmsg_oob() takes a received oob message off recvmsg_oobq and,
if a response is needed, moves it onto the pending_oobq tree. However,
only the unlink from recvmsg_oobq is guarded by MSG_PEEK; the move onto
pending_oobq always runs.

As a result, reading a challenge with MSG_PEEK leaves the skb on
recvmsg_oobq while also adding it to pending_oobq. Since struct
sk_buff's rbnode shares storage with its next and prev pointers,
rb_insert_color() overwrites the list linkage, and the skb, which holds
a single reference, becomes reachable from both queues at once.

When the socket is closed both queues are drained in turn. While
draining recvmsg_oobq, __skb_unlink() follows the next and prev
pointers that rbnode has overwritten and writes to a bad address. Also,
as the skb holds a single reference but is freed from each queue, both
the skb and the connection reference it holds are released twice. This
leads to memory corruption and to a use-after-free caused by the
connection refcount underflow.

MSG_PEEK does not consume the message from the queue, so only unlink it
from recvmsg_oobq and then move it onto pending_oobq or free it when
the message is actually consumed.

Fixes: 5800b1cf3fd8 ("rxrpc: Allow CHALLENGEs to the passed to the app for a RESPONSE")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260609140911.838677-3-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
3 weeks agorxrpc: rxrpc_verify_data ensure rx_dec_buffer alloc
Jeffrey Altman [Tue, 9 Jun 2026 14:09:05 +0000 (15:09 +0100)] 
rxrpc: rxrpc_verify_data ensure rx_dec_buffer alloc

rxrpc_recvmsg_data() calls rxrpc_verify_data() whenever the
rxrpc_call.rx_dec_buffer is unallocated and assumes that upon
successful return that rx_dec_buffer must be allocated.
However, rxrpc_verify_data() does not request an allocation if
the rxrpc_skb_priv.len is zero.

In addition, failure to allocate rx_dec_buffer will result in a
call to skb_copy_bits() with a NULL destination which can
trigger a NULL pointer dereference.

To prevent these issues rxrpc_verify_data() is modified to
always attempt to allocate the rxrpc_call.rx_dec_buffer if it
is NULL.

This issue was identified with assistance of a private
sashiko instance.

Fixes: d2bc90cf6c75cb ("rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg")
Reported-by: Simon Horman <simon.horman@redhat.com>
Signed-off-by: Jeffrey Altman <jaltman@auristor.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Jiayuan Chen <jiayuan.chen@linux.dev>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260609140911.838677-2-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
3 weeks agoMerge branch 'net-remove-tls_toe'
Jakub Kicinski [Fri, 12 Jun 2026 23:43:14 +0000 (16:43 -0700)] 
Merge branch 'net-remove-tls_toe'

Sabrina Dubroca says:

====================
net: remove tls_toe

This series removes the tls_toe feature, its single user (chtls), and
cleans up the EXPORT_SYMBOL()s that no other module requires.

Driver changes only compile-tested.
====================

Link: https://patch.msgid.link/cover.1781165969.git.sd@queasysnail.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
3 weeks agonet: remove some unused EXPORT_SYMBOL()s
Sabrina Dubroca [Thu, 11 Jun 2026 10:21:34 +0000 (12:21 +0200)] 
net: remove some unused EXPORT_SYMBOL()s

chtls was using a lot of symbols that no other module requires. Remove
those EXPORT_SYMBOL()s.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/d124db74f6f0838b652f0ee4b4530964f3cf8d49.1781165969.git.sd@queasysnail.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
3 weeks agotls: remove tls_toe and the related driver
Sabrina Dubroca [Thu, 11 Jun 2026 10:21:33 +0000 (12:21 +0200)] 
tls: remove tls_toe and the related driver

The tls_toe feature and its single user (chelsio chtls) have been
unmaintained for multiple years. It also hooks into the core of the
TCP implementation, and bypasses most of the networking stack.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/1f30e73275c07bf879f547589872d0916025a52e.1781165969.git.sd@queasysnail.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
3 weeks agoethtool: tsconfig: always take rtnl_lock
Jakub Kicinski [Thu, 11 Jun 2026 20:03:55 +0000 (13:03 -0700)] 
ethtool: tsconfig: always take rtnl_lock

mlx5 throws ASSERT_RTNL() warnings on timestamp config, because
it tries to update features. mlx5e_hwtstamp_set() calls
netdev_update_features().

I missed this while grepping the drivers because tsconfig goes
through ndo_hwtstamp_set/get, not ethtool ops, even tho the new
uAPI is in ethtool Netlink. We could add a dedicated opt out bit
for mlx5, but NDOs were not supposed to be part of the ethtool locking
conversion in the first place.

The mlx5 features update is related to the "compressed CQE" format
which lacks timestamp, apparently. See commit c0194e2d0ef0 ("net/mlx5e:
Disable rxhash when CQE compress is enabled").

Fixes: f9a3e05114b8 ("net: ethtool: optionally skip rtnl_lock on Netlink path for SET ops")
Acked-by: Stanislav Fomichev <sdf@fomichev.me>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Reviewed-by: Kory Maincent <kory.maincent@bootlin.com>
Link: https://patch.msgid.link/20260611200355.2020663-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
3 weeks agoip_tunnel: annotate data-races around t->err_count and t->err_time
Eric Dumazet [Thu, 11 Jun 2026 16:52:47 +0000 (16:52 +0000)] 
ip_tunnel: annotate data-races around t->err_count and t->err_time

ip_tunnel_xmit() runs locklessly (dev->lltx == true).

ipgre_err() and ipip_err() also run locklessly.

We need to add READ_ONCE() and WRITE_ONCE() annotations
around t->err_count and t->err_time.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260611165247.2710257-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
3 weeks agovirtio_net: do not allow tunnel csum offload for non GSO packets
Paolo Abeni [Thu, 11 Jun 2026 16:36:48 +0000 (18:36 +0200)] 
virtio_net: do not allow tunnel csum offload for non GSO packets

Fiona reports broken connectivity for virtio net setup using UDP tunnel
inside the guest and NIC with not UDP tunnel TSO support in the host.

Currently the virtio_net driver exposes csum offload for UDP-tunneled,
TCP non GSO packets. Such packet reach the host as CSUM_PARTIAL ones
with the 'encapsulation' flag cleared, as the virtio specification do
not support this specific kind of offload.

HW NICs with UDP tunnel TSO support - and those drivers directly
accessing skb->csum_start/csum_offset - are still capable of computing
the needed csum correctly, but otherwise the packets reach the wire with
bad csum on both the inner and outer transport header.

Address the issue explicitly disabling csum offload for UDP tunneled,
non GSO packets via the ndo_features_check op.

Fixes: 56a06bd40fab ("virtio_net: enable gso over UDP tunnel support.")
Reported-by: Fiona Ebner <f.ebner@proxmox.com>
Closes: https://bugzilla.proxmox.com/show_bug.cgi?id=7627
Tested-by: Fiona Ebner <f.ebner@proxmox.com>
Tested-by: Gabriel Goller <g.goller@proxmox.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Gabriel Goller <g.goller@proxmox.com>
Tested-by: Gabriel Goller <g.goller@proxmox.com>
Link: https://patch.msgid.link/6c3b6c47fb05c100f384630dc48f3975cf37b67a.1781195144.git.pabeni@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
3 weeks agonet: atm: reject out-of-range traffic classes in QoS validation
Zhengchuan Liang [Tue, 9 Jun 2026 08:34:37 +0000 (16:34 +0800)] 
net: atm: reject out-of-range traffic classes in QoS validation

Reject ATM traffic classes above ATM_ANYCLASS in check_tp().
SO_ATMQOS stores the supplied QoS after check_qos() succeeds, so
accepting larger values leaves invalid traffic_class values in
vcc->qos.

That bad state later reaches pvc_info(), which indexes class_name[]
with vcc->qos.{rx,tp}.traffic_class. Values above ATM_ANYCLASS cause
an out-of-bounds read when /proc/net/atm/pvc is read.

Tighten the existing QoS validation so invalid traffic_class values
are rejected at the point where user supplied QoS is accepted.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/58f02c6f73d9818fd5d2022e1116759fdde6116b.1780965530.git.zcliangcn@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
3 weeks agonet: hsr: simplify fill_last_seq_nrs()
Yury Norov [Tue, 9 Jun 2026 17:15:44 +0000 (13:15 -0400)] 
net: hsr: simplify fill_last_seq_nrs()

The function checks the HSR_PT_SLAVE_A and HSR_PT_SLAVE_B bitmaps
for emptiness right before calling find_last_bit().

This pass may be avoided, because if the bitmap is empty, the
find_last_bit() returns >= HSR_SEQ_BLOCK_SIZE

Signed-off-by: Yury Norov <ynorov@nvidia.com>
Reviewed-by: Felix Maurer <fmaurer@redhat.com>
Link: https://patch.msgid.link/20260609171545.1051322-1-ynorov@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
3 weeks agotcp: clear sock_ops cb flags before force-closing a child socket
Sechang Lim [Thu, 11 Jun 2026 09:29:18 +0000 (09:29 +0000)] 
tcp: clear sock_ops cb flags before force-closing a child socket

A child socket inherits the listener's bpf_sock_ops_cb_flags via
sk_clone_lock(). If its setup fails in tcp_v4_syn_recv_sock() /
tcp_v6_syn_recv_sock(), the child is freed through put_and_exit, where
inet_csk_prepare_forced_close() drops the socket lock and tcp_done() runs
without it.

If BPF_SOCK_OPS_STATE_CB_FLAG was inherited, tcp_done() -> tcp_set_state()
calls tcp_call_bpf(), which expects the lock and trips sock_owned_by_me():

  WARNING: include/net/sock.h:1799 at tcp_set_state+0x433/0x550
  RIP: 0010:tcp_set_state+0x433/0x550 include/net/sock.h:1799
  Call Trace:
   <IRQ>
   tcp_done+0xba/0x250 net/ipv4/tcp.c:5095
   tcp_v4_syn_recv_sock+0x850/0xa50 net/ipv4/tcp_ipv4.c:1787
   tcp_check_req+0xf30/0x1360 net/ipv4/tcp_minisocks.c:926
   tcp_v4_rcv+0x1047/0x1b50 net/ipv4/tcp_ipv4.c:2164
   </IRQ>

The child is freed before it is ever established, so it should run no
sock_ops callback. Clear its cb flags in inet_csk_prepare_for_destroy_sock(),
the common point for the IPv4, IPv6 and chtls forced-close paths and for the
MPTCP ->syn_recv_sock() failure path (dispose_child), which reaches tcp_done()
on a child that was never established too.

Suggested-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Fixes: d44874910a26 ("bpf: Add BPF_SOCK_OPS_STATE_CB")
Signed-off-by: Sechang Lim <rhkrqnwk98@gmail.com>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260611092923.1895982-1-rhkrqnwk98@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
3 weeks agonet: ethernet: sis900: correct CONFIG_VLAN_8021Q macro name in comment
Ethan Nelson-Moore [Tue, 9 Jun 2026 17:56:55 +0000 (10:56 -0700)] 
net: ethernet: sis900: correct CONFIG_VLAN_8021Q macro name in comment

A comment in drivers/net/ethernet/sis/sis900.h incorrectly refers to
CONFIG_VLAN_802_1Q instead of CONFIG_VLAN_8021Q. Correct it.

Discovered while searching for CONFIG_* symbols referenced in code but
not defined in any Kconfig file.

Signed-off-by: Ethan Nelson-Moore <enelsonmoore@gmail.com>
Link: https://patch.msgid.link/20260609175656.20574-1-enelsonmoore@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
3 weeks agodocs: net: fix minor issues with XDP metadata docs
Jakub Kicinski [Tue, 9 Jun 2026 20:12:22 +0000 (13:12 -0700)] 
docs: net: fix minor issues with XDP metadata docs

Minor updates to the XDP metadata documentation:
- s/union/struct/ for xsk_tx_metadata
- document nested request and completion metadata fields
- point capability queries at the xsk-features attribute
- fix grammar in the XDP RX metadata guide
- typos

Acked-by: Stanislav Fomichev <sdf@fomichev.me>
Acked-by: Jesper Dangaard Brouer <hawk@kernel.org>
Link: https://patch.msgid.link/20260609201224.1191391-2-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
3 weeks agobnxt: fix head underflow on XDP head-grow
Joe Damato [Tue, 9 Jun 2026 20:44:58 +0000 (13:44 -0700)] 
bnxt: fix head underflow on XDP head-grow

The xdp.py test test_xdp_native_adjst_head_grow_data crashes when run on
a bnxt machine (and also crashes in NIPA).

It seems that the bug is an underflow in bnxt_rx_multi_page_skb, which
builds the skb head:

  napi_build_skb(data_ptr - bp->rx_offset, rxr->rx_page_size);

The problem with this expression is that in page mode, rx_offset is:

  bp->rx_offset = NET_IP_ALIGN + XDP_PACKET_HEADROOM;

Which evaluates (at least on x86_64) to 258.

The test test_xdp_native_adjst_head_grow_data tests a case where the
head is adjusted by -256.

When this test runs, data_ptr is shifted to frag_start + 2 (where
frag_start = page_address(page) + offset).

Then, bnxt_rx_multi_page_skb is invoked and the napi_build_skb
expression subtracts 258, landing at an address before frag_start. This
could be either the previous fragment or the previous physical page when
the offset is < 256 (e.g. if the fragment started at offset 0).

When the skb is freed, the page pool fragment reference is dropped on
either the wrong page or the wrong frag of the right page. In either
case, the corrupted reference count can lead to the page being
prematurely recycled while still in use. Once (incorrectly) recycled, it
can be handed out again and on driver teardown this would result in a
double free.

The commit under fixes updated this code to handle the case where the
native page size is >= 64k, but it unintentionally broke the head grow
case.

To fix this, add an offset field to struct bnxt_sw_rx_bd, mirroring the
existing offset field in struct bnxt_sw_rx_agg_bd. Populate it on
allocation and preserve it on reuse.

In bnxt_rx_multi_page_skb, use the newly added offset field to compute
the fragment start and pass that to napi_build_skb. Adjust the layout
with skb_reserve.

There are two cases, the non-adjustment case and the adjustment case.

In both cases, the skb is built at page_address(page) + offset to
account for the case where the native page size >= 64K and skb_reserve
is called with data_ptr - (page_address(page) + offset). That
difference equals bp->rx_offset when data_ptr was not moved, or
bp->rx_offset + xdp_adjust when XDP adjusted the head.

Re-running the failing test with this commit applied causes the test to
run successfully to completion.

The other rx_skb_func implementations don't have this issue.

Fixes: f6974b4c2d8e ("bnxt_en: Fix page pool logic for page size >= 64K")
Signed-off-by: Joe Damato <joe@dama.to>
Reviewed-by: Michael Chan <michael.chan@broadcom.com>
Link: https://patch.msgid.link/20260609204458.2237787-2-joe@dama.to
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
3 weeks agonet: stmmac: xgmac2: disable RBUE in default RX interrupt mask
Nazim Amirul [Tue, 9 Jun 2026 12:17:03 +0000 (05:17 -0700)] 
net: stmmac: xgmac2: disable RBUE in default RX interrupt mask

Enabling the RX Buffer Unavailable (RBUE) interrupt is counterproductive
and can trigger a MAC interrupt storm under heavy RX pressure. When the
DMA runs out of RX descriptors it fires RBUE continuously until software
refills the ring.

However, RBUE is redundant: the normal RX completion interrupt (RIE)
already triggers NAPI, which processes completed descriptors and refills
the ring, causing the DMA to resume. The RBUE handler itself only sets
handle_rx - the same outcome as RIE.

On Agilex5 under heavy RX pressure, the MAC interrupt (which includes
RBUE) was observed firing 1,821,811,555 times against only 2,618,627
actual RX completions - a ~695x ratio - confirming the severity of the
storm.

RBUE does not provide OOM recovery. If page_pool is exhausted,
stmmac_rx_refill() cannot advance the DMA tail pointer, the DMA stays
suspended, and RBUE fires again on the next NAPI completion - a storm
with no forward progress. This patch trades that storm for a clean
stall with the same RX outcome. Proper OOM recovery is a pre-existing
gap outside the scope of this fix.

Note: as a consequence of disabling RBUE, the rx_buf_unav_irq ethtool
counter will always read 0 on XGMAC2 devices. This behaviour is already
inconsistent across DWMAC core versions.

Remove RBUE from XGMAC_DMA_INT_DEFAULT_EN and XGMAC_DMA_INT_DEFAULT_RX
to prevent the interrupt storm while keeping normal RX handling intact.

Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Signed-off-by: Nazim Amirul <muhammad.nazim.amirul.nazle.asmade@altera.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260609121703.9736-1-muhammad.nazim.amirul.nazle.asmade@altera.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
3 weeks agoMerge tag 'drm-fixes-2026-06-13' of https://gitlab.freedesktop.org/drm/kernel
Linus Torvalds [Fri, 12 Jun 2026 22:51:16 +0000 (15:51 -0700)] 
Merge tag 'drm-fixes-2026-06-13' of https://gitlab.freedesktop.org/drm/kernel

Pull drm fixes from Dave Airlie:
 "Looks like it's settled down a bit more thankfully. Small changes
  across the board, amdgpu/xe leading with some colorop changes in the
  core/amd. Otherwise some misc driver fixes.

  colorop:
   - make lut interpolation mutable
   - track colorop updates correctly

  amdgpu:
   - UserQ fix
   - Userptr fix
   - MCCS freesync fix
   - track colorop changes correctly

  amdkfd:
   - Fix an event information leak
   - Events bounds check fix
   - Trap cleanup fix

  i915:
   - Check supported link rates DPCD read
   - Fix phys BO pread/pwrite with offset

  xe:
   - fix oops in suspend/shutdown without display
   - RAS fixes
   - Use HW_ERR prefix in log
   - include all registered queues in TLB invalidation
   - Fix refcount leak in xe_range_tree in error paths
   - fix job timeout recovery for unstarted jobs and kernel queues

  amdxdna:
   - fix possible leak of mm_struct

  ivpu:
   - fix integer truncation

  vc4:
   - fix leak in krealloc() error handling

  virtio:
   - fix dma_fence ref-count leak"

* tag 'drm-fixes-2026-06-13' of https://gitlab.freedesktop.org/drm/kernel: (24 commits)
  accel/amdxdna: Fix mm_struct reference leak in aie2_populate_range()
  drm/xe: fix job timeout recovery for unstarted jobs and kernel queues
  drm/xe: fix refcount leak in xe_range_fence_insert()
  drm/xe: include all registered queues in TLB invalidation
  drm/xe/hw_error: Use HW_ERR prefix in log
  drm/xe/drm_ras: Add per node cleanup action
  drm/xe/drm_ras: Make counter allocation drm managed
  drm/xe/display: fix oops in suspend/shutdown without display
  drm/amd/display: use plane color_mgmt_changed to track colorop changes
  drm/atomic: track individual colorop updates
  drm/colorop: make lut(1/3)d_interpolation props correctly behave as mutable
  drm/colorop: Remove read-only comments from interpolation fields
  drm/i915/gem: Fix phys BO pread/pwrite with offset
  drm/vc4: fix krealloc() memory leak
  drm/virtio: Fix driver removal with disabled KMS
  drm/i915/edp: Check supported link rates DPCD read
  accel/ivpu: Fix signed integer truncation in IPC receive
  drm/virtio: fix dma_fence refcount leak on error in virtio_gpu_dma_fence_wait()
  drm/amd/display: Consult MCCS FreeSync cap only if requested & supported
  drm/amdkfd: Unwind debug trap enable on copy_to_user failure
  ...

3 weeks agohandshake: Require admin permission for DONE command
Chuck Lever [Tue, 9 Jun 2026 14:18:31 +0000 (10:18 -0400)] 
handshake: Require admin permission for DONE command

ACCEPT and DONE are the two downcalls of the handshake genl
family, both intended for use by the trusted handshake agent
(tlshd). ACCEPT already requires GENL_ADMIN_PERM; DONE has
no privilege check at all.

The fd-lookup in handshake_nl_done_doit() only confirms that
some pending handshake request exists for the supplied sockfd;
it does not authenticate the sender. An unprivileged process
that guesses or observes a valid sockfd can therefore submit
a DONE with HANDSHAKE_A_DONE_STATUS == 0, leaving the kernel
consumer to proceed as if the handshake succeeded. A non-zero
status on a forged DONE tears down a legitimate in-flight
handshake before tlshd can report its real result.

Fixes: 3b3009ea8abb ("net/handshake: Create a NETLINK service for handling handshake requests")
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: Hannes Reinecke <hare@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Link: https://patch.msgid.link/20260609141831.90694-1-cel@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
3 weeks agoMerge branch 'selftests-xsk-simplify-umem-setup'
Jakub Kicinski [Fri, 12 Jun 2026 22:23:34 +0000 (15:23 -0700)] 
Merge branch 'selftests-xsk-simplify-umem-setup'

Tushar Vyavahare says:

====================
selftests/xsk: simplify UMEM setup

This series simplifies UMEM handling in selftests/xsk.

It centralizes UMEM property setup through helpers, moves UMEM ownership
from ifobject to socket-owned state, and normalizes umem_size/mmap_size
usage across the touched paths.
====================

Link: https://patch.msgid.link/20260608130938.958793-1-tushar.vyavahare@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
3 weeks agoselftests/xsk: Introduce mmap_size in umem struct
Tushar Vyavahare [Mon, 8 Jun 2026 13:09:37 +0000 (18:39 +0530)] 
selftests/xsk: Introduce mmap_size in umem struct

UMEM teardown currently recomputes the munmap() length from frame
geometry, shared-UMEM adjustment, and hugepage rounding. This duplicates
setup-time logic in cleanup and relies on re-deriving the mapping size
instead of using the size originally established for the mapping.

Store the final mapping length in xsk_umem_info as mmap_size when the
UMEM mapping is created, and use that value during teardown.

Also join the RX worker thread before cleanup in the single-thread
path. This establishes synchronization before reading umem->mmap_size
in teardown and avoids a potential visibility race.

This removes duplicated size arithmetic in cleanup and makes munmap()
use the canonical mapping size recorded at setup time.

Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
Signed-off-by: Tushar Vyavahare <tushar.vyavahare@intel.com>
Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Link: https://patch.msgid.link/20260608130938.958793-5-tushar.vyavahare@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
3 weeks agoselftests/xsk: Use umem_size() helper consistently
Tushar Vyavahare [Mon, 8 Jun 2026 13:09:36 +0000 (18:39 +0530)] 
selftests/xsk: Use umem_size() helper consistently

Replace remaining open-coded `umem->num_frames * umem->frame_size`
calculations in test_xsk.c with the existing `umem_size()` helper.

This keeps UMEM size computation centralized, avoids duplicated arithmetic,
and improves readability with no intended behavior change.

Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
Signed-off-by: Tushar Vyavahare <tushar.vyavahare@intel.com>
Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Link: https://patch.msgid.link/20260608130938.958793-4-tushar.vyavahare@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
3 weeks agoselftests/xsk: Move UMEM state from ifobject to xsk_socket_info
Tushar Vyavahare [Mon, 8 Jun 2026 13:09:35 +0000 (18:39 +0530)] 
selftests/xsk: Move UMEM state from ifobject to xsk_socket_info

Move UMEM ownership from ifobject to xsk_socket_info and access it
through xsk->umem.

Allocate one shared umem_real in ifobject_create() and let all
sockets reference it through xsk->umem, while keeping ownership in
xsk_arr[0]. Keep the existing goto-based error path in
ifobject_create() and free the allocation once in ifobject_delete().

Reset the existing umem_real in __test_spec_init() with memset()
instead of reallocating it.

Preserve shared-UMEM behavior by copying RX UMEM state into a TX-local
UMEM state in thread_common_ops_tx() and reset base_addr/next_buffer
before TX socket configuration.

Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
Signed-off-by: Tushar Vyavahare <tushar.vyavahare@intel.com>
Link: https://patch.msgid.link/20260608130938.958793-3-tushar.vyavahare@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
3 weeks agoselftests/xsk: Introduce helpers for setting UMEM properties
Tushar Vyavahare [Mon, 8 Jun 2026 13:09:34 +0000 (18:39 +0530)] 
selftests/xsk: Introduce helpers for setting UMEM properties

UMEM properties are set via open-coded field assignments in multiple test
paths, which makes updates noisy and error-prone.

Introduce two helpers to set UMEM properties through a single interface.
This keeps setup logic consistent across tests and makes future refactoring
simpler.

No functional behavior change is intended.

Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
Signed-off-by: Tushar Vyavahare <tushar.vyavahare@intel.com>
Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Link: https://patch.msgid.link/20260608130938.958793-2-tushar.vyavahare@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
3 weeks agopinctrl: Match DT helper types
Rob Herring (Arm) [Fri, 12 Jun 2026 21:49:38 +0000 (16:49 -0500)] 
pinctrl: Match DT helper types

The affected pinctrl drivers either check for the presence of a standard
property or read a property documented with an 8-bit cell encoding.
Using boolean or u32 helpers for those cases disagrees with the binding.

Use a presence helper for "gpio-ranges" and read
"microchip,spi-present-mask" with the u8 helper documented by the
binding.

Assisted-by: Codex:gpt-5-5
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Linus Walleij <linusw@kernel.org>
3 weeks agodt-bindings: embedded-controller: Add Qualcomm reference device EC description
Maya Matuszczyk [Mon, 11 May 2026 12:43:19 +0000 (18:13 +0530)] 
dt-bindings: embedded-controller: Add Qualcomm reference device EC description

Add description for the EC firmware running on Hamoa/Purwa and Glymur
reference devices.

Signed-off-by: Maya Matuszczyk <maccraft123mc@gmail.com>
Co-developed-by: Sibi Sankar <sibi.sankar@oss.qualcomm.com>
Signed-off-by: Sibi Sankar <sibi.sankar@oss.qualcomm.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Co-developed-by: Anvesh Jain P <anvesh.p@oss.qualcomm.com>
Signed-off-by: Anvesh Jain P <anvesh.p@oss.qualcomm.com>
Link: https://patch.msgid.link/20260511-add-driver-for-ec-v9-1-e5437c39b7f8@oss.qualcomm.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
3 weeks agodt-bindings: pwm: add IPQ6018 binding
Devi Priya [Mon, 6 Apr 2026 20:24:38 +0000 (22:24 +0200)] 
dt-bindings: pwm: add IPQ6018 binding

DT binding for the PWM block in Qualcomm IPQ6018 SoC.

Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Co-developed-by: Baruch Siach <baruch.siach@siklu.com>
Signed-off-by: Baruch Siach <baruch.siach@siklu.com>
Signed-off-by: Devi Priya <quic_devipriy@quicinc.com>
Signed-off-by: George Moussalem <george.moussalem@outlook.com>
Link: https://patch.msgid.link/20260406-ipq-pwm-v21-1-6ed1e868e4c2@outlook.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
3 weeks agoselftests: tc: act_pedit: require matching IPv4 L4 protocol
Victor Nogueira [Tue, 9 Jun 2026 18:56:35 +0000 (18:56 +0000)] 
selftests: tc: act_pedit: require matching IPv4 L4 protocol

Add a tdc test that checks the act_pedit extended L4 header mode does not
edit a packet whose IPv4 protocol does not match the selected transport
header.

The test installs an ingress pedit rule that sets the UDP destination
port, then injects a TCP packet with dport 2222. The UDP and TCP
destination ports sit at the same L4 offset, so a buggy kernel rewrites
the TCP dport. A second flower filter matches TCP dport 2222 and drops
the packet through an indexed gact action; the test then verifies via
JSON that this action saw exactly one packet, i.e. the dport was left
untouched and still matched 2222.

Signed-off-by: Victor Nogueira <victor@mojatatu.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
3 weeks agonet/sched: act_pedit: require matching IPv4 L4 protocol
Samuel Moelius [Tue, 9 Jun 2026 18:56:34 +0000 (18:56 +0000)] 
net/sched: act_pedit: require matching IPv4 L4 protocol

The extended IPv4 L4 header mode in act_pedit can select TCP or UDP
header fields without confirming that the IPv4 protocol field matches
the selected transport header.

That lets a rule written for TCP or UDP modify unrelated payload bytes
in a packet carrying a different protocol.

Verify that the IPv4 header is long enough, that the protocol matches
the selected TCP or UDP header, and that the packet is not a non-initial
fragment before applying TCP or UDP extended header edits.

Cc: stable+noautosel@kernel.org # in real rule sets the match confirms this before calling the action
Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
3 weeks agoMerge tag 'drm-misc-next-fixes-2026-06-11' of https://gitlab.freedesktop.org/drm...
Dave Airlie [Fri, 12 Jun 2026 21:58:44 +0000 (07:58 +1000)] 
Merge tag 'drm-misc-next-fixes-2026-06-11' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-next

drm-misc-next-fixes for v7.2:
- Fix agp_amd64_probe error propagation.
- Require carveout when PASID is not enabled amdxdna.
- Clear variable to prevent second unbind in amdxdna.
- Add separate Kconfig option for DMABUF_HEAPS_SYSTEM_CC_SHARED.

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Link: https://patch.msgid.link/c7a9dbb0-a5c8-4e67-904e-1a52b3de9bb4@linux.intel.com
3 weeks agodt-bindings: hwmon: Add Apple System Management Controller hwmon schema
James Calligeros [Mon, 15 Dec 2025 09:37:45 +0000 (19:37 +1000)] 
dt-bindings: hwmon: Add Apple System Management Controller hwmon schema

Apple Silicon devices integrate a vast array of sensors, monitoring
current, power, temperature, and voltage across almost every part of
the system. The sensors themselves are all connected to the System
Management Controller (SMC). The SMC firmware exposes the data
reported by these sensors via its standard FourCC-based key-value
API. The SMC is also responsible for monitoring and controlling any
fans connected to the system, exposing them in the same way.

For reasons known only to Apple, each device exposes its sensors with
an almost totally unique set of keys. This is true even for devices
which share an SoC. An M1 Mac mini, for example, will report its core
temperatures on different keys to an M1 MacBook Pro. Worse still, the
SMC does not provide a way to enumerate the available keys at runtime,
nor do the keys follow any sort of reasonable or consistent naming
rules that could be used to deduce their purpose. We must therefore
know which keys are present on any given device, and which function
they serve, ahead of time.

Add a schema so that we can describe the available sensors for a given
Apple Silicon device in the Devicetree.

Reviewed-by: Neal Gompa <neal@gompa.dev>
Reviewed-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: James Calligeros <jcalligeros99@gmail.com>
Acked-by: Guenter Roeck <linux@roeck-us.net>
Link: https://patch.msgid.link/20251215-macsmc-subdevs-v6-1-0518cb5f28ae@gmail.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
3 weeks agoDocumentation: ABI: sysfs-class-reboot-mode-reboot_modes: fix doc warnings
Randy Dunlap [Sun, 26 Apr 2026 23:27:05 +0000 (16:27 -0700)] 
Documentation: ABI: sysfs-class-reboot-mode-reboot_modes: fix doc warnings

Repair the docs build warnings in this file by unindenting the description,
adding blank lines, and using `` to quote *arg.

WARNING: Documentation/ABI/testing/sysfs-class-reboot-mode-reboot_modes:36: abi_sys_class_reboot_mode_driver_reboot_modes doesn't have a description
Documentation/ABI/testing/sysfs-class-reboot-mode-reboot_modes:1: ERROR: Unexpected indentation. [docutils]
Documentation/ABI/testing/sysfs-class-reboot-mode-reboot_modes:1: ERROR: Unexpected indentation. [docutils]
Documentation/ABI/testing/sysfs-class-reboot-mode-reboot_modes:1: WARNING: Inline emphasis start-string without end-string. [docutils]
Documentation/ABI/testing/sysfs-class-reboot-mode-reboot_modes:1: ERROR: Unexpected indentation. [docutils]

Fixes: d3da03025e6d ("Documentation: ABI: Add sysfs-class-reboot-mode-reboot_modes")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Link: https://patch.msgid.link/20260426232705.422938-1-rdunlap@infradead.org
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
3 weeks agopower: supply: charger-manager: fix refcount leak in is_full_charged()
WenTao Liang [Thu, 11 Jun 2026 00:53:21 +0000 (08:53 +0800)] 
power: supply: charger-manager: fix refcount leak in is_full_charged()

In is_full_charged(), power_supply_get_by_name() is called to
obtain a reference to the fuel_gauge power supply. If the
voltage check (uV >= desc->fullbatt_uV) succeeds, the function
returns true directly without releasing the reference, leaking
the refcount.

Fix this by setting a flag and jumping to the out label where
power_supply_put() properly drops the reference.

Cc: stable@vger.kernel.org
Fixes: e132fc6bb89b ("power: supply: charger-manager: Make decisions focussed on battery status")
Signed-off-by: WenTao Liang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20260611005322.53096-1-vulab@iscas.ac.cn
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
3 weeks agopower: supply: core: fix supplied_from allocations
Lucas Tsai [Tue, 9 Jun 2026 11:44:03 +0000 (19:44 +0800)] 
power: supply: core: fix supplied_from allocations

If dts property power-supplies has multiple values, then accessing to
psy->supplied_from[i-1] in __power_supply_populate_supplied_from will
overrun supplied_from array.

Fixes: f6e0b081fb30 ("power_supply: Populate supplied_from hierarchy from the device tree")
Signed-off-by: Lucas Tsai <lucas_tsai@richtek.com>
Link: https://patch.msgid.link/20260609114403.3896073-1-lucas_tsai@richtek.com
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
3 weeks agoMerge tag 'drm-misc-fixes-2026-06-12' of https://gitlab.freedesktop.org/drm/misc...
Dave Airlie [Fri, 12 Jun 2026 21:50:04 +0000 (07:50 +1000)] 
Merge tag 'drm-misc-fixes-2026-06-12' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes

Short summary of fixes pull:

amd:
- track colorop changes correctly

amdxdna:
- fix possible leak of mm_struct

colorop:
- make lut interpolation mutable
- track colorop updates correctly

ivpu:
- fix integer truncation

vc4:
- fix leak in krealloc() error handling

virtio:
- fix dma_fence ref-count leak

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patch.msgid.link/20260612081418.GA17001@2a02-2455-9062-2500-e496-5a17-62ba-545e.dyn6.pyur.net
3 weeks agofbdev: modedb: Fix misaligned fields in the 1920x1080-60 mode
Steffen Persvold [Fri, 12 Jun 2026 16:40:41 +0000 (18:40 +0200)] 
fbdev: modedb: Fix misaligned fields in the 1920x1080-60 mode

The 1920x1080@60 modedb entry has one too many initializers before
its sync field: a stray "0" occupies the sync slot, which shifts the
remaining values by one field. The entry therefore decodes as
sync = 0, vmode = FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT (0x3,
i.e. FB_VMODE_INTERLACED | FB_VMODE_DOUBLE), and flag =
FB_VMODE_NONINTERLACED, instead of the intended sync = positive H/V,
vmode = non-interlaced.

fb_find_mode() then returns a 1920x1080 mode flagged as interlaced +
doublescan with active-low syncs. Drivers that honour var->vmode and
var->sync when programming display timing enable doublescan and the
wrong sync polarity, corrupting the output.

Drop the stray initializer so sync and vmode hold their intended
values (positive H/V sync, non-interlaced), matching the adjacent
1920x1200 entry.

Fixes: c8902258b2b8 ("fbdev: modedb: Add 1920x1080 at 60 Hz video mode")
Cc: stable@vger.kernel.org
Signed-off-by: Steffen Persvold <spersvold@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
3 weeks agoMerge tag 'pci-v7.1-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci
Linus Torvalds [Fri, 12 Jun 2026 20:49:45 +0000 (13:49 -0700)] 
Merge tag 'pci-v7.1-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci

Pull pci fix from Bjorn Helgaas:

 - Add Frank Li as PCI endpoint reviewer (Frank Li)

* tag 'pci-v7.1-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci:
  MAINTAINERS: Add Frank Li as PCI endpoint reviewer

3 weeks agoMerge branch 'for-7.2/cxl-type2-attach-region' into cxl-for-next
Dave Jiang [Fri, 12 Jun 2026 20:47:53 +0000 (13:47 -0700)] 
Merge branch 'for-7.2/cxl-type2-attach-region' into cxl-for-next

cxl: Add dummy function for cxl_memdev_attach_region for !CONFIG_CXL_REGION
cxl/region: Introduce devm_cxl_probe_mem()
cxl/memdev: Introduce cxl_class_memdev_type
cxl/memdev: Pin parents for entire memdev lifetime
cxl/region: Resolve region deletion races
cxl/region: Block region delete during region creation

3 weeks agocxl: Add dummy function for cxl_memdev_attach_region for !CONFIG_CXL_REGION
Dave Jiang [Wed, 10 Jun 2026 00:13:24 +0000 (17:13 -0700)] 
cxl: Add dummy function for cxl_memdev_attach_region for !CONFIG_CXL_REGION

Add a dummy function that returns -EOPNOTSUPP for cxl_memdev_attach_region
when CONFIG_CXL_REGION is not enabled. This allow sbuilding when
cxl/core/region.o isn't built.

Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202606100401.GOjzpKHo-lkp@intel.com/
Fixes: 9b1e70e8f9ec ("cxl/region: Introduce devm_cxl_probe_mem()")
Reviewed-by: Alison Schofield <alison.schofield@intel.com>
Reviewed-by: Dan Williams <djbw@kernel.org>
Link: https://patch.msgid.link/20260610001324.260268-1-dave.jiang@intel.com
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
3 weeks agocxl/region: Introduce devm_cxl_probe_mem()
Dan Williams [Tue, 19 May 2026 21:01:58 +0000 (14:01 -0700)] 
cxl/region: Introduce devm_cxl_probe_mem()

To date, platform firmware maps accelerator memory and accelerator drivers
simply want an address range that they can map themselves. This typically
results in a single region being auto-assembled upon registration of a
memory device.  Use the @attach mechanism of devm_cxl_add_memdev()
parameter to retrieve that region while also adhering to CXL subsystem
locking and lifetime rules. As part of adhering to current object lifetime
rules, if the region or the CXL port topology is invalidated, the CXL core
arranges for the accelertor driver to be detached as well.

The locking and lifetime rules were validated with Dave's work-in-progress
cxl-type-2 support for cxl_test.

devm_cxl_add_classdev() supports the general memory expansion flow where
region assembly is optional, dynamic, and user controlled.

Cc: Alejandro Lucero <alucerop@amd.com>
Signed-off-by: Dan Williams <djbw@kernel.org>
Reviewed-by: Alejandro Lucero <alucerop@amd.com>
Tested-by: Alejandro Lucero <alucerop@amd.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Link: https://patch.msgid.link/20260519210158.1499795-6-djbw@kernel.org
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
3 weeks agocxl/memdev: Introduce cxl_class_memdev_type
Dan Williams [Tue, 19 May 2026 21:01:57 +0000 (14:01 -0700)] 
cxl/memdev: Introduce cxl_class_memdev_type

In preparation for memdev's without mailbox related infrastructure,
introduce cxl_class_memdev_type as a superset of a cxl_memdev_type.
Effectively the only difference is that cxl_class_memdev_type exports
common sysfs attributes where cxl_memdev_type has none.

Related to this is all the cxl_mem_probe() paths that assume the presence
of a class device mailbox are updated to skip that requirement.

Co-developed-by: Alejandro Lucero <alucerop@amd.com>
Signed-off-by: Alejandro Lucero <alucerop@amd.com>
Signed-off-by: Dan Williams <djbw@kernel.org>
Tested-by: ALejandro Lucero <alucerop@amd.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Link: https://patch.msgid.link/20260519210158.1499795-5-djbw@kernel.org
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
3 weeks agocxl/memdev: Pin parents for entire memdev lifetime
Dan Williams [Tue, 19 May 2026 21:01:56 +0000 (14:01 -0700)] 
cxl/memdev: Pin parents for entire memdev lifetime

In order to be able to manage the driver that uses a memdev attach
mechanism the parent needs to stick around for the
device_release_driver(cxlmd->dev.parent) event.

Fixes: 29317f8dc6ed ("cxl/mem: Introduce cxl_memdev_attach for CXL-dependent operation")
Signed-off-by: Dan Williams <djbw@kernel.org>
Reviewed-by: Alejandro Lucero <alucerop@amd.com>
Tested-by: ALejandro Lucero <alucerop@amd.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Link: https://patch.msgid.link/20260519210158.1499795-4-djbw@kernel.org
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
3 weeks agocxl/region: Resolve region deletion races
Dan Williams [Tue, 19 May 2026 21:01:55 +0000 (14:01 -0700)] 
cxl/region: Resolve region deletion races

Sungwoo noticed that the sysfs trigger to delete a region may try to delete
a region multiple times. It also has no exclusion relative to the kernel
releasing the region via CXL root device teardown.

Instead of installing new cxl root devres actions per region, use the
existing root decoder unregistration event to remove all remaining regions.
An xarray of regions replaces a devres list of regions.

This handles 3 separate issues with the old approach:

1/ sysfs users racing to delete the same region: no longer possible now
   that the regions_lock is held over the lookup and deletion.

2/ multiple actions triggering deletion of the same region: solved by
   erasing regions while holding @regions_lock, and only proceeding on
   successful erasure.

3/ userspace racing devres_release_all() to trigger the devres not found
   warning: solved by sysfs unregistration not requiring a release action

Fixes: 779dd20cfb56 ("cxl/region: Add region creation support")
Reported-by: Sungwoo Kim <iam@sung-woo.kim>
Closes: http://lore.kernel.org/20260427032010.916681-2-iam@sung-woo.kim
Signed-off-by: Dan Williams <djbw@kernel.org>
Reviewed-by: Alejandro Lucero <alucerop@amd.com>
Tested-by: ALejandro Lucero <alucerop@amd.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Link: https://patch.msgid.link/20260519210158.1499795-3-djbw@kernel.org
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
3 weeks agocxl/region: Block region delete during region creation
Dan Williams [Tue, 19 May 2026 21:01:54 +0000 (14:01 -0700)] 
cxl/region: Block region delete during region creation

Expand the range lock, rename it "regions_lock", to disable region deletion
in the critical period between construct_region() and attach_target(), as
well as the period between device_add() and registering the remove actions.

Otherwise, userspace can confuse the kernel. It can violate the assumption
the region stays registered through the completion of cxl_add_to_region().
It can violate the assumption that devm_add_action_or_reset() is working
with a live 'struct cxl_region'.

It is ok for the region to disappear outside of those windows as that
mirrors device hotplug flows where the proper locks are held.

Fixes: a32320b71f08 ("cxl/region: Add region autodiscovery")
Signed-off-by: Dan Williams <djbw@kernel.org>
Reviewed-by: Alejandro Lucero <alucerop@amd.com>
Tested-by: ALejandro Lucero <alucerop@amd.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Link: https://patch.msgid.link/20260519210158.1499795-2-djbw@kernel.org
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
3 weeks agoKVM: selftests: access_tracking_perf_test: bump number of NUMA nodes to 32
Maxim Levitsky [Fri, 12 Jun 2026 15:00:38 +0000 (11:00 -0400)] 
KVM: selftests: access_tracking_perf_test: bump number of NUMA nodes to 32

It's rare to find a system that has more than 4 sockets,
but a system can have more than 4 NUMA nodes if each socket
exposes its chiplets as separate NUMA nodes.

In particular, our CI caught a failure in this test on a system with
two sockets, each containing an 'AMD EPYC 7601 32-Core Processor'.

Bump the limit to 32, just in case.

Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Message-ID: <20260612150038.1277394-1-mlevitsk@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 weeks agoMAINTAINERS: Add Frank Li as PCI endpoint reviewer
Frank Li [Thu, 11 Jun 2026 21:00:05 +0000 (17:00 -0400)] 
MAINTAINERS: Add Frank Li as PCI endpoint reviewer

I have volunteered to review PCI endpoint-related changes.  Add myself as a
reviewer to be notified when related patches are posted.

Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Link: https://patch.msgid.link/20260611210007.529205-1-Frank.Li@oss.nxp.com
3 weeks agodocs: pt_BR: Translate 3.Early-stage.rst into Portuguese
Daniel Pereira [Mon, 1 Jun 2026 19:23:44 +0000 (16:23 -0300)] 
docs: pt_BR: Translate 3.Early-stage.rst into Portuguese

Translate the documentation file '3.Early-stage.rst' into Portuguese.

This section addresses corporate kernel development constraints,
the balance between company secrecy and the open-loop approach,
and the use of NDAs or Linux Foundation programs to avoid
integration issues.

Signed-off-by: Daniel Pereira <danielmaraboo@gmail.com>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Message-ID: <20260601192346.192752-1-danielmaraboo@gmail.com>

3 weeks agodocs: pt_BR: update "Purpose of Defconfigs" section in maintainer-soc.rst
Amanda Corrêa [Thu, 4 Jun 2026 03:18:40 +0000 (00:18 -0300)] 
docs: pt_BR: update "Purpose of Defconfigs" section in maintainer-soc.rst

This update includes the "Purpose of Defconfigs" section translated
to Brazilian Portuguese.

Signed-off-by: Amanda Corrêa <amandacorreasilvax@gmail.com>
Acked-by: Daniel Pereira <danielmaraboo@gmail.com>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Message-ID: <20260604031840.17236-1-amandacorreasilvax@gmail.com>

3 weeks agoDocumentation: bug-hunting.rst: fix grammar
Manuel Ebner [Fri, 5 Jun 2026 19:00:56 +0000 (21:00 +0200)] 
Documentation: bug-hunting.rst: fix grammar

Fix a grammar issue to improve readability

Signed-off-by: Manuel Ebner <manuelebner@mailbox.org>
Acked-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Message-ID: <20260605190055.15921-2-manuelebner@mailbox.org>

3 weeks agodocs/ja_JP: translate submitting-patches.rst (interleaved-replies)
Akiyoshi Kurita [Sat, 6 Jun 2026 03:59:54 +0000 (12:59 +0900)] 
docs/ja_JP: translate submitting-patches.rst (interleaved-replies)

Translate the "Use trimmed interleaved replies in email discussions"
and "Don't get discouraged - or impatient" sections in
Documentation/translations/ja_JP/process/submitting-patches.rst.

Keep the wording close to the English text and wrap lines to match
the style used in the surrounding Japanese translation.

Signed-off-by: Akiyoshi Kurita <weibu@redadmin.org>
Acked-by: Akira Yokosawa <akiyks@gmail.com>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Message-ID: <20260606035954.27605-1-weibu@redadmin.org>

3 weeks agodocs: Fix minor grammatical error
Brigham Campbell [Tue, 9 Jun 2026 07:06:17 +0000 (01:06 -0600)] 
docs: Fix minor grammatical error

Fix minor grammatical error in the administration guide.

Signed-off-by: Brigham Campbell <me@brighamcampbell.com>
Acked-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Message-ID: <20260609070618.12566-1-me@brighamcampbell.com>

3 weeks agodocs/{it_it,sp_SP,zh_CN,zh_TW}: update references to removed CONFIG_DEBUG_SLAB
Ethan Nelson-Moore [Thu, 11 Jun 2026 01:00:04 +0000 (18:00 -0700)] 
docs/{it_it,sp_SP,zh_CN,zh_TW}: update references to removed CONFIG_DEBUG_SLAB

CONFIG_DEBUG_SLAB was removed in commit 2a19be61a651 ("mm/slab: remove
CONFIG_SLAB from all Kconfig and Makefile"), but references to it
remained in documentation. The English documentation was updated to
refer to CONFIG_SLUB_DEBUG in commit 5969fbf30274 ("docs:
submit-checklist: structure by category"), but these translations were
never similarly updated. Update them.

Discovered while searching for CONFIG_* symbols referenced in the
kernel but not defined in any Kconfig file.

Signed-off-by: Ethan Nelson-Moore <enelsonmoore@gmail.com>
Reviewed-by: Dongliang Mu <dzm91@hust.edu.cn>
Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Message-ID: <20260611010014.412841-1-enelsonmoore@gmail.com>

3 weeks agoDocumentation: process: fix brackets
Manuel Ebner [Thu, 11 Jun 2026 06:43:12 +0000 (08:43 +0200)] 
Documentation: process: fix brackets

Fix missing ')' and needless ')'

Signed-off-by: Manuel Ebner <manuelebner@mailbox.org>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Message-ID: <20260611064311.117023-2-manuelebner@mailbox.org>

3 weeks agoDocumentation: arch: fix brackets
Manuel Ebner [Fri, 12 Jun 2026 09:54:22 +0000 (11:54 +0200)] 
Documentation: arch: fix brackets

Add missing and remove needless parentheses, brackets and curly braces.
Fix typos.

Signed-off-by: Manuel Ebner <manuelebner@mailbox.org>
Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Message-ID: <20260612095432.177759-2-manuelebner@mailbox.org>

3 weeks agoMerge tag 'spi-fix-v7.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi
Linus Torvalds [Fri, 12 Jun 2026 18:06:16 +0000 (11:06 -0700)] 
Merge tag 'spi-fix-v7.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi

Pull spi fixes from Mark Brown:
 "A couple of driver specific fixes: a small targeted fix for hardware
  error handling on DesignWare controllers and another for handling of
  custom chip select management on Qualcomm GENI controllers"

* tag 'spi-fix-v7.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
  spi: dw: fix race between IRQ handler and error handler on SMP
  spi: qcom-geni: Fix cs_change handling on the last transfer

3 weeks agoASoC: don't use array if single pattern
Mark Brown [Fri, 12 Jun 2026 17:58:00 +0000 (18:58 +0100)] 
ASoC: don't use array if single pattern

Kuninori Morimoto <kuninori.morimoto.gx@renesas.com> says:

Current ASoC supports snd_soc_daifmt_parse_format() which can specify DAI
format by "dai-format" property from DT.
But strictly speaking, it is SW settings, so doesn't match to DT's policy.

Current ASoC is supporting auto format select via
snd_soc_dai_ops :: .auto_selectable_formats.
But the user is very few today.

DT doesn't need to specify the DAI format via "dai-format", if both CPU
and Codec drivers were supporting .auto_selectable_formats. It will be
automatically selected from .auto_selectable_formats.

But, I noticed that current auto format select method can't handle all cases.
For example, current .auto_selectable_formats is like below

static u64 xxx_auto_formats[] = {
(A) /* First Priority */
SND_SOC_POSSIBLE_DAIFMT_I2S |
SND_SOC_POSSIBLE_DAIFMT_LEFT_J |
SND_SOC_POSSIBLE_DAIFMT_NB_NF |
SND_SOC_POSSIBLE_DAIFMT_NB_IF | (x)
SND_SOC_POSSIBLE_DAIFMT_IB_NF |
SND_SOC_POSSIBLE_DAIFMT_IB_IF, (x)

/* Second Priority */
(B) SND_SOC_POSSIBLE_DAIFMT_DSP_A | (y)
SND_SOC_POSSIBLE_DAIFMT_DSP_B, (y)
};

It try to find DAI format from (A) first, and next it will use (A | B).
But it can't handle the format if some format were independent.
For example, DSP_x (y) can't use with xB_IF (x), etc.

So, I would like to update the method. New method doesn't use OR.
It try to find DAI format from (a), next it will use (b).

static u64 xxx_auto_formats[] = {
(a) /* First Priority */
SND_SOC_POSSIBLE_DAIFMT_I2S |
SND_SOC_POSSIBLE_DAIFMT_LEFT_J |
SND_SOC_POSSIBLE_DAIFMT_NB_NF |
SND_SOC_POSSIBLE_DAIFMT_NB_IF |
SND_SOC_POSSIBLE_DAIFMT_IB_NF |
SND_SOC_POSSIBLE_DAIFMT_IB_IF,

/* Second Priority */
(b) SND_SOC_POSSIBLE_DAIFMT_DSP_A |
SND_SOC_POSSIBLE_DAIFMT_DSP_B |
SND_SOC_POSSIBLE_DAIFMT_NB_NF |
SND_SOC_POSSIBLE_DAIFMT_IB_NF,
};

Switch old method to new method, Current auto select user need to update
.auto_selectable_formats. Fortunately, current few users doesn't have
above limitation. update (A)(B) to (a)(b) style is possible.

a = A
b = A | B

I would like to update method, and add .auto_selectable_formats
support on all drivers.

One note is that auto select might not find best format on some CPU/Codec
combination. So "dai-format" is necessary anyway.

And, there haven't been any big problems on .auto_selectable_formats,
because there were few users.
But if all drivers try to use this, it cannot be denied that they may
encounter unknown problems... In such case, "dai-format" can help, though.

Link: https://patch.msgid.link/87v7bs36m0.wl-kuninori.morimoto.gx@renesas.com
3 weeks agoASoC: audio-graph-card2: recommend to use auto select DAI format
Kuninori Morimoto [Tue, 9 Jun 2026 00:23:41 +0000 (00:23 +0000)] 
ASoC: audio-graph-card2: recommend to use auto select DAI format

"Simple Audio Card", "Audio Graph Card", "Audio Graph Card2" are
possible to set DAI format via DT.

OTOH, ASoC is supporting .auto_selectable_formats to select DAI
format automatically. Let's recommend to use it on "Audio Graph Card2".
One note is that it keeps supporting DAI format setting via DT.

Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/87ik7s36k2.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
3 weeks agoASoC: update auto format selection method
Kuninori Morimoto [Tue, 9 Jun 2026 00:23:35 +0000 (00:23 +0000)] 
ASoC: update auto format selection method

Current DAI supports auto format selection. It allow to have array like
below.

(X) static u64 xxx_auto_formats[] = {
(A) /* First Priority */
SND_SOC_POSSIBLE_DAIFMT_I2S |
SND_SOC_POSSIBLE_DAIFMT_LEFT_J,

/* Second Priority */
(B) SND_SOC_POSSIBLE_DAIFMT_DSP_A |
SND_SOC_POSSIBLE_DAIFMT_DSP_B,
};

It try to find available format from I2S/LEFT_J first (A).
Then, try to find from I2S/LEFT_J/DSP_A/DSP_B if couldn't find (A)+(B).
(OR:ed)

In this method, it can't handle if there is format combination.
For example, some driver has pattern.

Pattern1
I2S/RIFHT_J/LEFT_J (FORMAT) and NB_NF/IB_IF/IB_NF/NB_IF (INV)_
Pattern2
DSP_A/DSP_B        (FORMAT) and NB_NF/      IB_NF

Because it will try to OR Pattern1 and Pattern2, un-supported
pattern might be selected.

This patch update method not to use OR, and assumes full format array.
Above sample (X) need to be

static u64 xxx_auto_formats[] = {
/* First Priority */
SND_SOC_POSSIBLE_DAIFMT_I2S |
SND_SOC_POSSIBLE_DAIFMT_LEFT_J,

/* Second Priority */
SND_SOC_POSSIBLE_DAIFMT_I2S |
SND_SOC_POSSIBLE_DAIFMT_LEFT_J |
SND_SOC_POSSIBLE_DAIFMT_DSP_A |
SND_SOC_POSSIBLE_DAIFMT_DSP_B,
};

Note: It doesn't support Multi CPU/Codec for now

Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/87jys836k8.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
3 weeks agoASoC: renesas: rcar: update auto select format
Kuninori Morimoto [Tue, 9 Jun 2026 00:23:28 +0000 (00:23 +0000)] 
ASoC: renesas: rcar: update auto select format

Current auto select format start with the highest priority format and
gradually add lower priority formats one by one, and search matched
format. Like A+X -> A+B+X -> A+B+C+X+Y... (a)

But in this method, we can't handle format if HW has some kind of
patterns, like A+X or B+Y etc (b).

Current drivers are using (a) style, this patch switch to use (b) style.
This is needed before update auto select format method.

Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/87ldco36kf.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
3 weeks agoASoC: codecs: pcm3168a: update auto select format
Kuninori Morimoto [Tue, 9 Jun 2026 00:23:22 +0000 (00:23 +0000)] 
ASoC: codecs: pcm3168a: update auto select format

Current auto select format start with the highest priority format and
gradually add lower priority formats one by one, and search matched
format. Like A+X -> A+B+X -> A+B+C+X+Y... (a)

But in this method, we can't handle format if HW has some kind of
patterns, like A+X or B+Y etc (b).

Current drivers are using (a) style, this patch switch to use (b) style.
This is needed before update auto select format method.

Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/87mrx436kl.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
3 weeks agoASoC: codecs: ak4619: update auto select format
Kuninori Morimoto [Tue, 9 Jun 2026 00:23:18 +0000 (00:23 +0000)] 
ASoC: codecs: ak4619: update auto select format

Current auto select format start with the highest priority format and
gradually add lower priority formats one by one, and search matched
format. Like A+X -> A+B+X -> A+B+C+X+Y... (a)

But in this method, we can't handle format if HW has some kind of
patterns, like A+X or B+Y etc (b).

Current drivers are using (a) style, this patch switch to use (b) style.
This is needed before update auto select format method.

Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/87o6hk36kp.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
3 weeks agoASoC: codecs: peb2466: don't use array if single pattern
Kuninori Morimoto [Tue, 9 Jun 2026 00:23:14 +0000 (00:23 +0000)] 
ASoC: codecs: peb2466: don't use array if single pattern

Because it is confusable during debugging ASoC FW update, tidyup
auto format style not to use array if single pattern case.

Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/87pl2036kt.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
3 weeks agoASoC: codecs: idt821034: don't use array if single pattern
Kuninori Morimoto [Tue, 9 Jun 2026 00:23:09 +0000 (00:23 +0000)] 
ASoC: codecs: idt821034: don't use array if single pattern

Because it is confusable during debugging ASoC FW update, tidyup
auto format style not to use array if single pattern case.

Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/87qzmg36ky.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
3 weeks agoASoC: codecs: framer-codec: don't use array if single pattern
Kuninori Morimoto [Tue, 9 Jun 2026 00:22:57 +0000 (00:22 +0000)] 
ASoC: codecs: framer-codec: don't use array if single pattern

Because it is confusable during debugging ASoC FW update, tidyup
auto format style not to use array if single pattern case.

Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/87se6w36la.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
3 weeks agoASoC: remove SND_SOC_POSSIBLE_xBx_xFx
Kuninori Morimoto [Tue, 9 Jun 2026 00:22:50 +0000 (00:22 +0000)] 
ASoC: remove SND_SOC_POSSIBLE_xBx_xFx

Clock provider / consumer selection is based on board, we can't select
automatically from software. Let's remove SND_SOC_POSSIBLE_xBx_xFx.

Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/87tsrc36li.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
3 weeks agoMerge tag 'io_uring-7.1-20260611' of git://git.kernel.org/pub/scm/linux/kernel/git...
Linus Torvalds [Fri, 12 Jun 2026 17:49:59 +0000 (10:49 -0700)] 
Merge tag 'io_uring-7.1-20260611' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux

Pull io_uring fixes from Jens Axboe:

 - Tweak for an off-by-one in the CQ ring accounting for the min wait
   support.

 - Don't truncate end buffer length for a bundle, as the transfer might
   not happen. It's not required in the first place, as the completion
   side handles this condition already.

* tag 'io_uring-7.1-20260611' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux:
  io_uring/wait: fix min_timeout behavior
  io_uring/kbuf: don't truncate end buffer for bundles

3 weeks agoMerge tag 'usb-7.1-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
Linus Torvalds [Fri, 12 Jun 2026 17:29:06 +0000 (10:29 -0700)] 
Merge tag 'usb-7.1-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb

Pull USB / Thunderbolt fixes from Greg KH:
 "Here are some small bugfixes for USB serial and Thunderbolt drivers
  for some reported and found issues. Included in here are:

   - usb serial overflow bugs fixed

   - new usb serial device id

   - thunderbolt validation fixes for reported issues

  All of these have been in linux-next this week with no reported
  issues"

* tag 'usb-7.1-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
  USB: serial: kl5kusb105: fix bulk-out buffer overflow
  USB: serial: option: add usb-id for Dell Wireless DW5826e-m
  USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr()
  USB: serial: io_ti: fix heap overflow in get_manuf_info()
  thunderbolt: Limit XDomain response copy to actual frame size
  thunderbolt: Validate XDomain request packet size before type cast
  thunderbolt: Clamp XDomain response data copy to allocation size
  thunderbolt: Bound root directory content to block size
  thunderbolt: Reject zero-length property entries in validator

3 weeks agoASoC: adau1372: Clear PLL_EN on failed PLL lock without reset GPIO
Guangshuo Li [Thu, 4 Jun 2026 12:55:20 +0000 (20:55 +0800)] 
ASoC: adau1372: Clear PLL_EN on failed PLL lock without reset GPIO

The PLL lock failure path in adau1372_set_power() unwinds by putting
the regmap back in cache-only mode, asserting the optional power-down
GPIO and disabling mclk.

adau1372_enable_pll() enables CLK_CTRL.PLL_EN before polling the PLL
lock bit. If the lock fails on a board without a power-down GPIO, the
error path disables mclk and returns an error, but leaves PLL_EN set in
the hardware register. The normal power-off path already handles the
no-GPIO case by explicitly clearing PLL_EN.

Mirror that cleanup in the PLL lock failure path and clear PLL_EN while
the regmap is still live, before switching it back to cache-only mode.

Fixes: bfe6a264effc ("ASoC: adau1372: Fix clock leak on PLL lock failure")
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Link: https://patch.msgid.link/20260604125520.1428905-1-lgs201920130244@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
3 weeks agoMerge tag 'staging-7.1-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh...
Linus Torvalds [Fri, 12 Jun 2026 17:10:12 +0000 (10:10 -0700)] 
Merge tag 'staging-7.1-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging

Pull staging driver fixes from Greg KH:
 "Here are two small bugfixes for a staging driver to fix a
  much-reported issue.

  The fixes are for the rtl8723bs driver and it's something that many
  scanning tools keep tripping over in convoluted ways (and seems to be
  able to be triggered by network traffic)

  These fixes have been in linux-next for many weeks with no reported
  issues, sorry for the delay in getting them to you"

* tag 'staging-7.1-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
  staging: rtl8723bs: rtw_mlme: add bounds checks before ie_length subtraction
  staging: rtl8723bs: fix buffer over-read in rtw_update_protection

3 weeks agoblock: add configurable error injection
Christoph Hellwig [Thu, 11 Jun 2026 14:06:47 +0000 (16:06 +0200)] 
block: add configurable error injection

Add a new block error injection interface that allows to inject specific
status code for specific ranges.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Hannes Reinecke <hare@kernel.org>
Reviewed-by: Md Haris Iqbal <haris.iqbal@linux.dev>
Link: https://patch.msgid.link/20260611140703.2401204-5-hch@lst.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
3 weeks agoblock: add a str_to_blk_op helper
Christoph Hellwig [Thu, 11 Jun 2026 14:06:46 +0000 (16:06 +0200)] 
block: add a str_to_blk_op helper

Add a helper to find the REQ_OP_XYZ constant from the "XYZ" string.
This will be used for the error injection debugfs interface.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Hannes Reinecke <hare@kernel.org>
Reviewed-by: Md Haris Iqbal <haris.iqbal@linux.dev>
Link: https://patch.msgid.link/20260611140703.2401204-4-hch@lst.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
3 weeks agoblock: add a "tag" for block status codes
Christoph Hellwig [Thu, 11 Jun 2026 14:06:45 +0000 (16:06 +0200)] 
block: add a "tag" for block status codes

The full name of the status codes is not good for user interfaces as it
can contain white spaces.  Add the name of the status code without the
BLK_STS_ prefix as a tag so that it can be used for user interfaces.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Hannes Reinecke <hare@kernel.org>
Reviewed-by: Md Haris Iqbal <haris.iqbal@linux.dev>
Link: https://patch.msgid.link/20260611140703.2401204-3-hch@lst.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
3 weeks agoblock: add a macro to initialize the status table
Christoph Hellwig [Thu, 11 Jun 2026 14:06:44 +0000 (16:06 +0200)] 
block: add a macro to initialize the status table

Prepare for adding a new value to the error table by adding a macro
to fill it.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Hannes Reinecke <hare@kernel.org>
Reviewed-by: Md Haris Iqbal <haris.iqbal@linux.dev>
Link: https://patch.msgid.link/20260611140703.2401204-2-hch@lst.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
3 weeks agoMerge branch 'for-7.2/cxl-misc' into cxl-for-next
Dave Jiang [Fri, 12 Jun 2026 16:34:35 +0000 (09:34 -0700)] 
Merge branch 'for-7.2/cxl-misc' into cxl-for-next

cxl/region: Fill first free targets[] slot during auto-discovery
cxl/region: Fix out-of-bounds access in cxl_cancel_auto_attach()
tools/testing/cxl: Resolve auto-region decoder targets like real HW
cxl: Align interleave decode/encode helpers with their callers
cxl/test: Add check after kzalloc() memory in alloc_mock_res()
cxl/test: Unregister cxl_acpi in cxl_test_init() error path
cxl/test: Zero out LSA backing memory to avoid leaking to user
cxl/test: Fix integer overflow in mock LSA bounds checks
cxl/test: Verify cmd->size_in before accessing payload
cxl/port: update reference to removed CONFIG_PROVE_CXL_LOCKING
cxl/region: Avoid variable shadowing in region attach paths
cxl: Fix CXL_HEADERLOG_SIZE to match RAS Capability size
cxl/test: Fix __fortify_panic
cxl/fwctl: Fix __fortify_panic
MAINTAINERS: Add CXL reviewer
cxl/test: Enforce PMD alignment for volatile mock regions
cxl/region: Validate partition index before array access
cxl/memdev: Hold memdev lock during memdev poison injection/clear

3 weeks agovfio: selftests: Ensure libvfio output dirs are always created
David Matlack [Thu, 11 Jun 2026 21:39:45 +0000 (21:39 +0000)] 
vfio: selftests: Ensure libvfio output dirs are always created

Add an explicit dependency between the output object files and the
output directories that need to be created to hold those files. This
ensures that the output directories are always created.

Creating the output directories at parse time (current behavior) doesn't
support the scenario where someone does "make clean all". The
directories will be created during parsing, deleted during "clean" and
then not available for the "all" target.

Use an order-only prerequisite for the output directories, rather than a
normal prerequisite, to avoid unnecessary recompilations.

Fixes: 19faf6fd969c ("vfio: selftests: Add a helper library for VFIO selftests")
Reported-by: Sashiko <sashiko-bot@kernel.org>
Closes: https://lore.kernel.org/kvm/20260610010314.DB8861F00893@smtp.kernel.org/
Signed-off-by: David Matlack <dmatlack@google.com>
Link: https://lore.kernel.org/r/20260611213945.3714421-1-dmatlack@google.com
Signed-off-by: Alex Williamson <alex@shazbot.org>
3 weeks agodocs: dt: writing-schema: Clarify what is required in a schema
Krzysztof Kozlowski [Tue, 9 Jun 2026 10:35:51 +0000 (12:35 +0200)] 
docs: dt: writing-schema: Clarify what is required in a schema

Clarify that we do not require all properties from a binding, but above
schema keywords/properties.

Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Link: https://patch.msgid.link/20260609103550.234472-2-krzysztof.kozlowski@oss.qualcomm.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
3 weeks agousb: ucsi: huawei_gaokun: support mode switching
Pengyu Luo [Sun, 7 Jun 2026 10:18:44 +0000 (18:18 +0800)] 
usb: ucsi: huawei_gaokun: support mode switching

The USB PHY (QMP Combo PHY) is always initialized in USB3+DP mode. In
the past, there was no MUX, and it was unnecessary to set it, since
MSM only supported 2-lane DP. But now, MST and 4-lane DP support has
been added to MSM, and a MUX has been added to the PHY. To support
4-lane DP and mode switching for gaokun, get the MUX and set it.

Signed-off-by: Pengyu Luo <mitltlatltl@gmail.com>
Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260607101844.820064-1-mitltlatltl@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
3 weeks agoMerge tag 'usb-serial-7.2-rc1' of ssh://gitolite.kernel.org/pub/scm/linux/kernel...
Greg Kroah-Hartman [Fri, 12 Jun 2026 16:01:39 +0000 (18:01 +0200)] 
Merge tag 'usb-serial-7.2-rc1' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-next

Johan writes:

USB serial updates for 7.2-rc1

Here are the USB serial updates for 7.2-rc1, including:

 - an updated mxuport number-of-ports encoding, and
 - include directive cleanups

Everything has been in linux-next with no reported issues.

* tag 'usb-serial-7.2-rc1' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial:
  USB: serial: whiteheat: drop termbits include
  USB: serial: add missing atomic includes
  USB: serial: garmin_gps: drop unused atomic include
  USB: serial: drop unused moduleparam includes
  USB: serial: drop unused uaccess includes
  USB: serial: xr: add missing uaccess include
  USB: serial: drop unused tty_flip includes
  USB: serial: drop unused tty_driver includes
  USB: serial: mxuport: update number-of-ports encoding

3 weeks agoMerge tag 'char-misc-7.1-final' of git://git.kernel.org/pub/scm/linux/kernel/git...
Linus Torvalds [Fri, 12 Jun 2026 16:00:28 +0000 (09:00 -0700)] 
Merge tag 'char-misc-7.1-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc

Pull char/misc driver fixes from Greg KH:
 "Here are some small driver fixes for 7.1-final to resolve some
  reported issues. Included in here are:

   - slimbus qcom driver bugfixes

   - nvmem driver bugfixes

   - fastrpc driver bugfixes

   - stratix10 firmware driver bugfixes

  All of these have been in linux-next for over a week with no
  reported issues"

* tag 'char-misc-7.1-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
  misc: fastrpc: fix use-after-free race in fastrpc_map_create
  misc: fastrpc: Fix NULL pointer dereference in rpmsg callback
  misc: fastrpc: fix DMA address corruption due to find_vma misuse
  misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context
  slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock
  slimbus: qcom-ngd-ctrl: Balance pm_runtime enablement for NGD
  slimbus: qcom-ngd-ctrl: Initialize controller resources in controller
  slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd
  slimbus: qcom-ngd-ctrl: Correct PDR and SSR cleanup ownership
  slimbus: qcom-ngd-ctrl: Fix probe error path ordering
  slimbus: qcom-ngd-ctrl: Fix up platform_driver registration
  slimbus: qcom-ngd-ctrl: fix OF node refcount
  nvmem: core: fix use-after-free bugs in error paths
  nvmem: layouts: onie-tlv: fix hang on unknown types
  firmware: stratix10-rsu: Fix NULL deref on rsu_send_msg() timeout in probe
  firmware: stratix10-svc: Don't fail probe when async ops unsupported
  firmware: stratix10-svc: Return -EOPNOTSUPP when ATF async unsupported

3 weeks agoMerge tag 'sound-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Linus Torvalds [Fri, 12 Jun 2026 15:52:10 +0000 (08:52 -0700)] 
Merge tag 'sound-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "A few small fixes for the last spurt. All changes are small, mostly
  consisting of driver-specific fixes, along with two UAF fixes for the
  ALSA timer core.

  Core:
   - Two UAF fixes in ALSA timer core

  ASoC:
   - SDCA: Fix NULL pointer dereference
   - amd / yc: Add DMI quirk for ASUS ExpertBook PM1403CDA
   - SOF amd: Fix garbage/spurious warnings
   - wm_adsp: Fix potential NULL dereference when removing firmware
     controls
   - loongson: Fix negative position calculation
   - spi-rzv2h-rspi: Fix SPDR read access width on 16-bit RX path"

* tag 'sound-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ASoC: SDCA: fix NULL pointer dereference in sdca_dev_unregister_functions
  ASoC: loongson: Fix invalid position error in ls_pcm_pointer
  spi: rzv2h-rspi: Fix SPDR read access width for 16-bit RX
  ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK PM1403CDA
  ASoC: SOF: amd: set ipc flags to zero
  ASoC: SOF: amd: fix for ipc flags check
  ASoC: wm_adsp: Fix NULL dereference when removing firmware controls
  ALSA: timer: Fix UAF at snd_timer_user_params()
  ALSA: timer: Forcibly close timer instances at closing

3 weeks agocxl/region: Fill first free targets[] slot during auto-discovery
Li Ming [Sat, 6 Jun 2026 07:51:01 +0000 (15:51 +0800)] 
cxl/region: Fill first free targets[] slot during auto-discovery

Any invalid endpoint decoder pointer in the target array of an active
region is not allowed by cxl driver. This means cxl driver always
assumes the first p->nr_targets entries of the target array in an
auto-assembly region are valid. However, there are scenarios that could
leave NULL endpoint decoder pointer holes in the target array.

1. When cxl_cancel_auto_attach() removes an endpoint decoder from a
   target array, the target slot is set to NULL. If the removed endpoint
   decoder is not the last element in the target array, the target array
   will contain a NULL hole.

2. When a auto-assembly region removes an assigned endpoint decoder, if
   the removed endpoint decoder is not the last element in the target
   array, always remains a NULL hole in the target array.

When a NULL pointer hole exists in a region's target array, it
introduces two potential problems:
1. Access an endpoint decoder via a NULL pointer. it always trigger
   calltrace like that.
    Oops: general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] SMP KASAN PTI
    RIP: 0010:cxl_calc_interleave_pos+0x26/0x810 [cxl_core]
    Call Trace:
      <TASK>
      cxl_region_attach+0xc50/0x2140 [cxl_core]
      cxl_add_to_region+0x321/0x2330 [cxl_core]
      discover_region+0x92/0x150 [cxl_port]
      device_for_each_child+0xf3/0x170
      cxl_port_probe+0x150/0x200 [cxl_port]
      cxl_bus_probe+0x4f/0xa0 [cxl_core]
      really_probe+0x1c8/0x960
      __driver_probe_device+0x323/0x450
      driver_probe_device+0x45/0x120
      __device_attach_driver+0x15d/0x280
      bus_for_each_drv+0x10f/0x190

2. Not having enough valid endpoint decoders attached to an
   auto-assembly region. if an auto-assembly region is created with lock
   flag or assigned endpoint decoder with lock flag, which means
   assigned endpoint decoder will not be reset during detaching, they
   could re-attach to the auto-assembly region again. But cxl region
   driver relies on p->nr_targets to verify whether the required number
   of endpoint decoders has been attached, and NULL endpoint decoder
   pointers are still counted in that case.

To fix above issues, adjust cxl_region_attach_auto() logic to find the
first free target slot for endpoint decoder attachment, this ensures
NULL holes in the target array are filled, rather than adding new
endpoint decoders at the tail of the target array.

Fixes: 87805c32e6ad ("cxl/region: Fix use-after-free from auto assembly failure")
Fixes: 2230c4bdc412 ("cxl: Add handling of locked CXL decoder")
Suggested-by: Alison Schofield <alison.schofield@intel.com>
Signed-off-by: Li Ming <ming.li@zohomail.com>
Reviewed-by: Alison Schofield <alison.schofield@intel.com>
Link: https://patch.msgid.link/20260606-fix_two_issues_introduced_by_cxl_cancel_auto_attach-v1-2-5d94ca06c4e4@zohomail.com
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
3 weeks agocxl/region: Fix out-of-bounds access in cxl_cancel_auto_attach()
Li Ming [Sat, 6 Jun 2026 07:51:00 +0000 (15:51 +0800)] 
cxl/region: Fix out-of-bounds access in cxl_cancel_auto_attach()

In cxl_cancel_auto_attach(), it assumes cxled->pos is a valid index for
accessing p->targets[]. However, cxled->pos can be set to negative errno
in cxl_region_sort_targets() if cxl_calc_interleave_pos() fails. This
causes the driver to use a negative index to access p->targets[],
resulting in out-of-bounds access.

Fix it by walking p->targets[] instead of using cxled->pos directly.

Fixes: 87805c32e6ad ("cxl/region: Fix use-after-free from auto assembly failure")
Signed-off-by: Li Ming <ming.li@zohomail.com>
Reviewed-by: Alison Schofield <alison.schofield@intel.com>
Link: https://patch.msgid.link/20260606-fix_two_issues_introduced_by_cxl_cancel_auto_attach-v1-1-5d94ca06c4e4@zohomail.com
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
3 weeks agoMerge tag 'soc-fixes-7.1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
Linus Torvalds [Fri, 12 Jun 2026 15:44:56 +0000 (08:44 -0700)] 
Merge tag 'soc-fixes-7.1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc

Pull SoC fixes from Arnd Bergmann:
 "Two more small fixes came in, both addressing corner cases in platform
  specific code: the microchip mpfs system controller probe and the CPU
  power management on 32-bit rockchips SoCs"

* tag 'soc-fixes-7.1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc:
  ARM: rockchip: keep reset control around
  soc: microchip: mpfs-sys-controller: fix resource leak on probe error

3 weeks agoALSA: seq: Don't re-bounce the error event
Takashi Iwai [Fri, 12 Jun 2026 11:33:45 +0000 (13:33 +0200)] 
ALSA: seq: Don't re-bounce the error event

The error bouncing may fail again, and we have no check for
re-bouncing.  For avoiding the loop, add the event type check at
bouncing, and stop re-bouncing if it's already a bounce error.

Link: https://patch.msgid.link/20260612113350.407465-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
3 weeks agoof: Respect #{iommu,msi}-cells in maps
Robin Murphy [Wed, 3 Jun 2026 07:13:14 +0000 (12:43 +0530)] 
of: Respect #{iommu,msi}-cells in maps

So far our parsing of {iommu,msi}-map properties has always blindly
assumed that the output specifiers will always have exactly 1 cell.
This typically does happen to be the case, but is not actually enforced
(and the PCI msi-map binding even explicitly states support for 0 or 1
cells) - as a result we've now ended up with dodgy DTs out in the field
which depend on this behaviour to map a 1-cell specifier for a 2-cell
provider, despite that being bogus per the bindings themselves.

Since there is some potential use in being able to map at least single
input IDs to multi-cell output specifiers (and properly support 0-cell
outputs as well), add support for properly parsing and using the target
nodes' #cells values, albeit with the unfortunate complication of still
having to work around expectations of the old behaviour too.

Since there are multi-cell output specifiers, the callers of of_map_id()
may need to get the exact cell output value for further processing.
Update of_map_id() to set args_count in the output to reflect the actual
number of output specifier cells.

Signed-off-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Charan Teja Kalla <charan.kalla@oss.qualcomm.com>
Signed-off-by: Vijayanand Jitta <vijayanand.jitta@oss.qualcomm.com>
Link: https://patch.msgid.link/20260603-parse_iommu_cells-v16-3-dc509dacb19a@oss.qualcomm.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
3 weeks agoof: Factor arguments passed to of_map_id() into a struct
Charan Teja Kalla [Wed, 3 Jun 2026 07:13:13 +0000 (12:43 +0530)] 
of: Factor arguments passed to of_map_id() into a struct

Change of_map_id() to take a pointer to struct of_phandle_args
instead of passing target device node and translated IDs separately.
Update all callers accordingly.

Add an explicit filter_np parameter to of_map_id() and of_map_msi_id()
to separate the filter input from the output. Previously, the target
parameter served dual purpose: as an input filter (if non-NULL, only
match entries targeting that node) and as an output (receiving the
matched node with a reference held). Now filter_np is the explicit
input filter and arg->np is the pure output.

Previously, of_map_id() would call of_node_put() on the matched node
when a filter was provided, making reference ownership inconsistent.
Remove this internal of_node_put() call so that of_map_id() now always
transfers ownership of the matched node reference to the caller via
arg->np. Callers are now consistently responsible for releasing this
reference with of_node_put(arg->np) when done.

Acked-by: Frank Li <Frank.Li@nxp.com>
Suggested-by: Rob Herring (Arm) <robh@kernel.org>
Suggested-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Charan Teja Kalla <charan.kalla@oss.qualcomm.com>
Signed-off-by: Vijayanand Jitta <vijayanand.jitta@oss.qualcomm.com>
Link: https://patch.msgid.link/20260603-parse_iommu_cells-v16-2-dc509dacb19a@oss.qualcomm.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
3 weeks agoof: Add convenience wrappers for of_map_id()
Robin Murphy [Wed, 3 Jun 2026 07:13:12 +0000 (12:43 +0530)] 
of: Add convenience wrappers for of_map_id()

Since we now have quite a few users parsing "iommu-map" and "msi-map"
properties, give them some wrappers to conveniently encapsulate the
appropriate sets of property names. This will also make it easier to
then change of_map_id() to correctly account for specifier cells.

Reviewed-by: Rob Herring (Arm) <robh@kernel.org>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Acked-by: Marc Zyngier <maz@kernel.org>
Acked-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Vijayanand Jitta <vijayanand.jitta@oss.qualcomm.com>
Link: https://patch.msgid.link/20260603-parse_iommu_cells-v16-1-dc509dacb19a@oss.qualcomm.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
3 weeks agotools/testing/cxl: Resolve auto-region decoder targets like real HW
Richard Cheng [Fri, 12 Jun 2026 01:12:27 +0000 (09:12 +0800)] 
tools/testing/cxl: Resolve auto-region decoder targets like real HW

The mock auto-region created at module load wrote switch and host-bridge
decoder target[] directly, in addition to target_map[]. Real HW programs
only target_map[] and resolves target[] as dports enumerate, via
update_decoder_targets(). Region replay already follows that ordering,
the initial auto-region did not.

Drop the direct target[] writes and call
cxl_port_update_decoder_targets() so target[] is resolved the same way
as real HW and region replay, exercising more of the auto-region driver
path.

This is inspired by the discussion [1] below:

[1]: https://lore.kernel.org/all/20260521084806.28232-1-icheng@nvidia.com/

Suggested-by: Alison Schofield <alison.schofield@intel.com>
Signed-off-by: Richard Cheng <icheng@nvidia.com>
Reviewed-by: Alison Schofield <alison.schofield@intel.com?>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Tested-by: Dave Jiang <dave.jiang@intel.com>
Link: https://patch.msgid.link/20260612011227.4220-1-icheng@nvidia.com
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
3 weeks agoASoC: use scoped OF node handling in manual cleanup paths
Mark Brown [Fri, 12 Jun 2026 15:12:13 +0000 (16:12 +0100)] 
ASoC: use scoped OF node handling in manual cleanup paths

Cássio Gabriel <cassiogabrielcontato@gmail.com> says:

Some ASoC drivers still manually release child OF nodes
when leaving child-node iteration loops early.

Convert these focused cases to scoped OF node cleanup
so early returns and normal loop exits keep the same node
lifetime handling without explicit of_node_put() calls.

- Patch 1 updates qcom_snd_parse_of() to use
  for_each_available_child_of_node_scoped() for link nodes and
  __free(device_node) for temporary cpu/platform/codec child nodes.
- Patch 2 updates fsl_qmc_audio to use
  for_each_available_child_of_node_scoped() for DAI child-node parsing.
- Patch 3 updates cygnus-ssp to use
  for_each_available_child_of_node_scoped() for SSP child-node parsing.

Link: https://patch.msgid.link/20260608-asoc-of-node-scoped-cleanup-v1-0-9e3ac518dc2e@gmail.com
3 weeks agoASoC: bcm: cygnus: use scoped child node loop
Cássio Gabriel [Mon, 8 Jun 2026 13:39:13 +0000 (10:39 -0300)] 
ASoC: bcm: cygnus: use scoped child node loop

cygnus_ssp_probe() manually puts the current child node before returning
from the child parsing loop on error.

Use for_each_available_child_of_node_scoped() so the current child node is
released automatically on early return and normal loop exit.

Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260608-asoc-of-node-scoped-cleanup-v1-3-9e3ac518dc2e@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
3 weeks agoASoC: fsl: fsl_qmc_audio: use scoped child node loop
Cássio Gabriel [Mon, 8 Jun 2026 13:39:12 +0000 (10:39 -0300)] 
ASoC: fsl: fsl_qmc_audio: use scoped child node loop

qmc_audio_probe() manually puts the current child node before returning
from the DAI parsing loop on error.

Use for_each_available_child_of_node_scoped() so the current child node is
released automatically on early return and normal loop exit.

Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260608-asoc-of-node-scoped-cleanup-v1-2-9e3ac518dc2e@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
3 weeks agoASoC: qcom: common: use scoped OF node handling
Cássio Gabriel [Mon, 8 Jun 2026 13:39:11 +0000 (10:39 -0300)] 
ASoC: qcom: common: use scoped OF node handling

qcom_snd_parse_of() manually drops the link child node and the
cpu/platform/codec child nodes on error paths and at the end of each
iteration.

Use for_each_available_child_of_node_scoped() for the link node and
__free(device_node) for the named child nodes. This keeps the existing
ownership rules for DAI component phandle references, while removing the
manual cleanup labels from a path that has previously needed OF refcount
fixes.

Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260608-asoc-of-node-scoped-cleanup-v1-1-9e3ac518dc2e@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
3 weeks agoASoC: sdw_utils: fix missing component_name for cs42l43 part_id 0x2A3B
Chia-Lin Kao (AceLan) [Wed, 10 Jun 2026 04:17:53 +0000 (12:17 +0800)] 
ASoC: sdw_utils: fix missing component_name for cs42l43 part_id 0x2A3B

commit 87a3f5c8ac20 ("ASoC: sdw_utils: cs42l43: allow spk component names
to be combined") moved spk:cs42l43-spk generation from rtd_init() into
the asoc_sdw_rtd_init() generic path by adding component_name to
codec_info_list entries. However, only the 0x4243 cs42l43 entry was
updated; the 0x2A3B entry (vendor_id 0x01fa, Cirrus Logic cs42l43 with
sidecar bridge) was missed.

Without component_name on the 0x2A3B dp6 DAI, asoc_sdw_rtd_init() never
accumulates spk_components and never appends 'spk:cs42l43-spk' (or its
sidecar alias 'spk:cs35l56-bridge') to card->components. The sof-soundwire
UCM regex ' spk:([a-z0-9]+...)' then fails to match, causing WirePlumber
to mark all HiFi profiles as unavailable=no and fall back to the Off
profile — resulting in Dummy Output in GNOME.

The existing sidecar redirect in asoc_sdw_rtd_init() already handles the
SOC_SDW_SIDECAR_AMPS case: when component_name is 'cs42l43-spk' and
sidecar amps are active, it substitutes 'cs35l56-bridge' into
card->components, which matches the existing cs35l56-bridge.conf UCM file.

Fixes: 87a3f5c8ac20 ("ASoC: sdw_utils: cs42l43: allow spk component names to be combined")
Signed-off-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
Link: https://patch.msgid.link/20260610041753.1151088-1-acelan.kao@canonical.com
Signed-off-by: Mark Brown <broonie@kernel.org>
3 weeks agocxl: Align interleave decode/encode helpers with their callers
Alison Schofield [Fri, 5 Jun 2026 04:07:59 +0000 (21:07 -0700)] 
cxl: Align interleave decode/encode helpers with their callers

The interleave conversion helpers translate between encoded HDM
interleave values and the granularity and way values used by the
driver.

These helpers have been a recurring source of static analysis
complaints that expose type mismatches and potentially uninitialized
outputs. Fix those issues in the helpers so callers inherit the
consistent behavior automatically.

The decode and encode helpers have different interface issues.

The decode helpers return values through unsigned int pointers, but
the decoded values are ultimately represented as int throughout the
driver. Align the helper interfaces with their callers by changing
the out-parameters to int * and updating the handful of affected
locals to match.

The encode helpers leave their out-parameters unchanged on error. That
means callers that ignore the return value may observe uninitialized
encoded values. Initialize the outputs so failed conversions leave
defined values. This issue was originally reported by Purva and the
helper-side fix was suggested by Dan [1].

Tidy up a related, pre-existing, printk format specifier mismatch in
cxl_validate_translation_params().

No functional change for valid interleave parameters.

[1] https://lore.kernel.org/linux-cxl/20250419203530.45594-1-purvayeshi550@gmail.com/

Reported-by: Purva Yeshi <purvayeshi550@gmail.com>
Suggested-by: Dan Williams <djbw@kernel.org>
Signed-off-by: Alison Schofield <alison.schofield@intel.com>
Reviewed-by: Li Ming <ming.li@zohomail.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Link: https://patch.msgid.link/20260605040801.865965-1-alison.schofield@intel.com
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
3 weeks agoASoC: mediatek: tidyup details
Mark Brown [Fri, 12 Jun 2026 15:07:06 +0000 (16:07 +0100)] 
ASoC: mediatek: tidyup details

Kuninori Morimoto <kuninori.morimoto.gx@renesas.com> says:

These are tidyup details of mediatek drivers. Basically there is no
functional change. This is prepare for later Card capsuling.
This makes code review easy when Card capsuling happen.

Kuninori Morimoto (6):

Link: https://patch.msgid.link/87ik7tesdw.wl-kuninori.morimoto.gx@renesas.com
3 weeks agoASoC: mediatek: mt8365_mt6357: use *dev in mt8365_mt6357_gpio_probe()
Kuninori Morimoto [Mon, 8 Jun 2026 01:25:03 +0000 (01:25 +0000)] 
ASoC: mediatek: mt8365_mt6357: use *dev in mt8365_mt6357_gpio_probe()

use *dev, instead of card->dev.
No functional change, but is preparation for cleanup driver.

Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/87a4t5escw.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
3 weeks agoASoC: mediatek: mt8186-mt6366: use *dev in mt8186_mt6366_soc_card_probe()
Kuninori Morimoto [Mon, 8 Jun 2026 01:24:59 +0000 (01:24 +0000)] 
ASoC: mediatek: mt8186-mt6366: use *dev in mt8186_mt6366_soc_card_probe()

use *dev, instead of card->dev.
No functional change, but is preparation for cleanup driver.

Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/87bjdlesd0.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
3 weeks agoASoC: mediatek: mt8186-mt6366: tidyup mt8186_mt6366_card_set_be_link()
Kuninori Morimoto [Mon, 8 Jun 2026 01:24:55 +0000 (01:24 +0000)] 
ASoC: mediatek: mt8186-mt6366: tidyup mt8186_mt6366_card_set_be_link()

mt8186_mt6366_card_set_be_link() requests *card, but necessary is
card->dev. Tidyup it.

Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/87cxy1esd4.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
3 weeks agoASoC: mediatek: mtk-soundcard-driver: tidyup set_dailink_daifmt()
Kuninori Morimoto [Mon, 8 Jun 2026 01:24:52 +0000 (01:24 +0000)] 
ASoC: mediatek: mtk-soundcard-driver: tidyup set_dailink_daifmt()

card is not used. Remove it.

Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/87ecihesd8.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
3 weeks agoASoC: mediatek: mtk-soundcard-driver: tidyup set_card_codec_info()
Kuninori Morimoto [Mon, 8 Jun 2026 01:24:48 +0000 (01:24 +0000)] 
ASoC: mediatek: mtk-soundcard-driver: tidyup set_card_codec_info()

set_card_codec_info() requests *card, but necessary is card->dev.
Tidyup it.

Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/87fr2xesdc.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
3 weeks agoASoC: mediatek: cleanup mtk_sof_dailink_parse_of() param
Kuninori Morimoto [Mon, 8 Jun 2026 01:24:43 +0000 (01:24 +0000)] 
ASoC: mediatek: cleanup mtk_sof_dailink_parse_of() param

mtk_sof_dailink_parse_of() is using unnecessarily complicated parameters.
Let's cleanup it.

Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/87h5ndesdg.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
3 weeks agoMerge tag 'i2c-host-fixes-7.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git...
Wolfram Sang [Fri, 12 Jun 2026 15:05:44 +0000 (17:05 +0200)] 
Merge tag 'i2c-host-fixes-7.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/andi.shyti/linux into i2c/for-current

i2c-host-fixes for v7.1-rc8

- imx: keep clock and pinctrl states consistent in runtime PM
- imx-lpi2c: fix DMA resource leaks on PIO fallback
- qcom-cci: fix NULL pointer dereference on remove
- riic: fix reset refcount leak on resume_noirq error path
- stm32f7: account for analog filter in timing computation
- tegra: fix suspend/resume handling in NOIRQ phase
- tegra: update Tegra410 I2C timings to match hardware specs
- MAINTAINERS: hand over I2C maintainership to Andi