]> git.ipfire.org Git - thirdparty/kernel/linux.git/log
thirdparty/kernel/linux.git
4 weeks agoplatform/x86/amd/pmc: Add PMC driver support for AMD 1Ah M80H SoC
Shyam Sundar S K [Tue, 9 Jun 2026 14:39:52 +0000 (20:09 +0530)] 
platform/x86/amd/pmc: Add PMC driver support for AMD 1Ah M80H SoC

The 1Ah M80H SoC uses a different set of SMU mailbox register offsets
compared to the existing 1Ah variants: message at 0xA10, argument at
0xA18, and response at 0xA14.

Add amd_1ah_m80_cpu_info with these offsets, wire it into the PCI ID
table via PCI_DEVICE_DATA(), populate scratch_reg field with
AMD_PMC_SCRATCH_REG_1AH and add the corresponding ACPI ID AMDI000C.

Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
Co-developed-by: Sanket Goswami <Sanket.Goswami@amd.com>
Signed-off-by: Sanket Goswami <Sanket.Goswami@amd.com>
Signed-off-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
Link: https://patch.msgid.link/20260609143952.2999707-3-Shyam-sundar.S-k@amd.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
4 weeks agoplatform/x86/amd/pmc: Use per-SoC cpu_info struct for SMU mailbox and IP info
Shyam Sundar S K [Tue, 9 Jun 2026 14:39:51 +0000 (20:09 +0530)] 
platform/x86/amd/pmc: Use per-SoC cpu_info struct for SMU mailbox and IP info

Replace the scattered per-field assignments in amd_pmc_get_ip_info() with
a single amd_pmc_cpu_info struct capturing all SoC-specific parameters
such as SMU offsets, IP block table, and OS hint.

Define static const instances per SoC variant and embed them as driver_data
in the PCI ID table via PCI_DEVICE_DATA(). Consolidate pci_match_id() into
amd_pmc_set_cpu_info(), which assigns driver_data directly to cpu_info,
the switch falls through only for 1Ah M20H/M60H variants requiring
boot_cpu_data.x86_model detection to distinguish the M70 sub-variant.

Add scratch_reg to amd_pmc_cpu_info and populate it for each SoC
variant, allowing amd_pmc_idlemask_read() to drop its cpu_id switch
in favour of a single cpu_info->scratch_reg lookup.

Move dev->cpu_id assignment into amd_pmc_set_cpu_info() so it is valid
before the switch statement. Handle SP/SHP directly in the switch since
their NULL driver_data bypasses the early return, and remove the duplicate
check from probe.

Remove amd_pmc_get_os_hint() and use cpu_info->os_hint directly at call
sites and rename AMD_CPU_ID_* to PCI_DEVICE_ID_AMD_CPU_ID_* with backward
compatibility aliases.

Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
Co-developed-by: Sanket Goswami <Sanket.Goswami@amd.com>
Signed-off-by: Sanket Goswami <Sanket.Goswami@amd.com>
Signed-off-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
Link: https://patch.msgid.link/20260609143952.2999707-2-Shyam-sundar.S-k@amd.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
4 weeks agoASoC: dt-bindings: everest,es8389: Document audio graph port
Diederik de Haas [Sun, 7 Jun 2026 10:58:49 +0000 (12:58 +0200)] 
ASoC: dt-bindings: everest,es8389: Document audio graph port

Provide an endpoint for binding with the other side of the audio link,
which is achieved via the 'port' property.

Signed-off-by: Diederik de Haas <diederik@cknow-tech.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Link: https://patch.msgid.link/20260607105913.355966-1-diederik@cknow-tech.com
Signed-off-by: Mark Brown <broonie@kernel.org>
4 weeks agoplatform/x86: intel-hid: Add HP ProBook x360 440 G1 to button_array_table
Nikolay Metchev [Tue, 9 Jun 2026 21:33:09 +0000 (22:33 +0100)] 
platform/x86: intel-hid: Add HP ProBook x360 440 G1 to button_array_table

The volume rocker buttons on the HP ProBook x360 440 G1 convertible emit
events 0xc4-0xc7 via the intel-hid ACPI device (INT33D5). These codes are
only present in intel_array_keymap, which is used when the "5 button
array" input device exists. On this machine button_array_present()
returns false because the firmware does not advertise the array through
the HEBC method, so notify_handler() routes the events to a NULL
priv->array and they are dropped as "unknown event 0xc4". As a result
the side volume keys do nothing.

Add the machine to button_array_table so the array device is created and
the volume rocker emits KEY_VOLUMEUP / KEY_VOLUMEDOWN. This is equivalent
to booting with the enable_5_button_array=1 module parameter, which was
used to confirm the fix on the affected hardware.

Signed-off-by: Nikolay Metchev <nikolaymetchev@gmail.com>
Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Link: https://patch.msgid.link/20260609213309.445019-1-nikolaymetchev@gmail.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
4 weeks agospi: dt-bindings: nuvoton,npcm750-fiu: Convert to DT schema
Tomer Maimon [Tue, 9 Jun 2026 16:39:19 +0000 (19:39 +0300)] 
spi: dt-bindings: nuvoton,npcm750-fiu: Convert to DT schema

Convert the Nuvoton NPCM FIU binding to DT schema format.

Document the required control registers and the optional direct-
mapped flash window separately, matching the driver behavior
when the direct mapping is not described.

Signed-off-by: Tomer Maimon <tmaimon77@gmail.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Link: https://patch.msgid.link/20260609163919.3321228-4-tmaimon77@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
4 weeks agoASoC: SOF: topology: validate vendor array size before parsing
Cássio Gabriel [Wed, 3 Jun 2026 17:57:54 +0000 (14:57 -0300)] 
ASoC: SOF: topology: validate vendor array size before parsing

sof_parse_token_sets() reads array->size while iterating over topology
private data. The loop condition only checks that some data remains, so a
malformed topology with a truncated trailing vendor array can make the
parser read the size field before a full vendor-array header is available.

Validate that the remaining private data contains a complete
snd_soc_tplg_vendor_array header before reading array->size.

The declared array size check also needs to remain signed. asize is an int,
but sizeof(*array) has type size_t, so comparing them directly promotes
negative asize values to unsigned and lets them pass the check,
as reported in the stable review thread reference below.

Cast sizeof(*array) to int when validating the declared array size. This
rejects negative, zero and otherwise too-small sizes before the parser
dispatches to the tuple-specific code.

Link: https://lore.kernel.org/stable/CANiDSCsjR5NHqu_Ui5cOqWdJgFqmYsQ9WR8O7m0WOhngaYXFpw@mail.gmail.com/t/#m9b3be379221e79327cc13fd71009287368ef4f23
Fixes: 215e5fe75881 ("ASoC: SOF: topology: reject invalid vendor array size in token parser")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260603-sof-topology-array-size-signed-v1-1-84f97879a4ef@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
4 weeks agoASoC: Use codec_info_list.is_amp directly in find_acpi_adr_device()
Mark Brown [Wed, 10 Jun 2026 11:06:09 +0000 (12:06 +0100)] 
ASoC: Use codec_info_list.is_amp directly in find_acpi_adr_device()

Bard Liao <yung-chuan.liao@linux.intel.com> says:

This series sets is_amp to all amp type codecs in codec_info_list[].
So that we can use the flag directly instead of using a local flag to
check if the codec is an AMP type. The flag will be used to set
different name_prefix for amp and non-amp codecs.

Link: https://patch.msgid.link/20260605101805.121428-1-yung-chuan.liao@linux.intel.com
4 weeks agoASoC: SOF: Intel: Use codec_info_list.is_amp directly
Bard Liao [Fri, 5 Jun 2026 10:18:05 +0000 (18:18 +0800)] 
ASoC: SOF: Intel: Use codec_info_list.is_amp directly

Now we set is_amp to all amp type codecs. We can use the flag directly
instead of using a local flag to check if the codec is an AMP type.

Signed-off-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://patch.msgid.link/20260605101805.121428-3-yung-chuan.liao@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
4 weeks agoASoC: soc_sdw_utils: add is_amp flag to all amps
Bard Liao [Fri, 5 Jun 2026 10:18:04 +0000 (18:18 +0800)] 
ASoC: soc_sdw_utils: add is_amp flag to all amps

The is_amp flag will be used for the codec name_prefix.
We detect it by checking if the codec support endpoints other than amp.
However, it is not accurate. Currently, the is_amp flag is only set to
the amps that include other types of endpoints. But it can't cover the
case that a monolithic codec that only the amp endpoint is present.
Add the is_amp flag to all amp type codecs and will set the name_prefix
by the flag in the follow up commit.

Signed-off-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://patch.msgid.link/20260605101805.121428-2-yung-chuan.liao@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
4 weeks agoASoC: cs35l56: Don't leave parent IRQ disabled if system_suspend fails
Richard Fitzgerald [Wed, 10 Jun 2026 10:55:56 +0000 (11:55 +0100)] 
ASoC: cs35l56: Don't leave parent IRQ disabled if system_suspend fails

In cs35l56_system_suspend() re-enable the parent IRQ if the call to
pm_runtime_force_suspend() returns an error.

Fixes: f9dc6b875ec0 ("ASoC: cs35l56: Add basic system suspend handling")
Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Link: https://patch.msgid.link/20260610105556.612830-1-rf@opensource.cirrus.com
Signed-off-by: Mark Brown <broonie@kernel.org>
4 weeks agoASoC/sh: roll back Ecovec24/7724se Sound support
Mark Brown [Wed, 10 Jun 2026 11:00:25 +0000 (12:00 +0100)] 
ASoC/sh: roll back Ecovec24/7724se Sound support

Kuninori Morimoto <kuninori.morimoto.gx@renesas.com> says:

Hi Mark, Adrian

Due to a communication miss, the Ecovec24/7724se Sound support
were removed. We need to keep them for a while, until they will
support "DT-style".
Roll back Ecovec24/7724se "platform data style", and its necessary header.

Link: https://patch.msgid.link/87wlw743x2.wl-kuninori.morimoto.gx@renesas.com
4 weeks agoASoC: renesas: fsi: remove platform data style support
Kuninori Morimoto [Wed, 10 Jun 2026 00:49:24 +0000 (00:49 +0000)] 
ASoC: renesas: fsi: remove platform data style support

Renesas FSI driver has created for "platform data style" first, and
expanded to "DT style".

SuperH Ecovec24/7724se are the last user of "platform data style", but
its sound should not work during almost 10 years, because Simple-Card's
"platform data style" is broken, but no one reported it.

SuperH is planning to switch to "DT style", "platform data style" is no
longer working, and it seems there is no user. Let's remove "platform
data style", because keeping compatibility is difficult.

Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/87tsrb43u3.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
4 weeks agosh: roll back Ecovec24/7724se Sound support
Kuninori Morimoto [Wed, 10 Jun 2026 00:48:31 +0000 (00:48 +0000)] 
sh: roll back Ecovec24/7724se Sound support

Due to a communication miss, the Ecovec24/7724se Sound support
were removed. We need to keep them for a while, until they will
support "DT-style".
Roll back Ecovec24/7724se "platform data style", and its necessary header.

Fixes: deadb855b694d ("sh: 7724se: remove FSI/AK4642/Simple-Audio-Card support")
Fixes: 9cc93ebc85e71 ("sh: ecovec24: remove FSI/DA7210/Simple-Audio-Card support")
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/87v7br43vk.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
4 weeks agoarm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU
Will Deacon [Wed, 10 Jun 2026 11:00:21 +0000 (12:00 +0100)] 
arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU

Commit fb091ff39479 ("arm64: Subscribe Microsoft Azure Cobalt 100 to ARM
Neoverse N2 errata") states that Microsoft Azure Cobalt 100 CPU "is a
Microsoft implemented CPU based on r0p0 of the ARM Neoverse N2 CPU, and
therefore suffers from all the same errata.".

So enable the workaround for the latest broadcast TLB invalidation bug
on these parts.

Signed-off-by: Will Deacon <will@kernel.org>
4 weeks agoASoC: tas2783A: remove unused tas25xx_(de)register_misc() functions
Ethan Nelson-Moore [Wed, 10 Jun 2026 01:35:34 +0000 (18:35 -0700)] 
ASoC: tas2783A: remove unused tas25xx_(de)register_misc() functions

The tas2783 driver defines two functions tas25xx_register_misc and
tas25xx_deregister_misc which have stub implementations. It uses
external implementations if CONFIG_SND_SOC_TAS2783_UTIL is enabled, but
that symbol has never been present in the kernel. Therefore, these
functions are entirely unused. Remove them.

Discovered while searching for CONFIG_* symbols referenced in code but
not defined in any Kconfig file.

Signed-off-by: Ethan Nelson-Moore <enelsonmoore@gmail.com>
Link: https://patch.msgid.link/20260610013534.30762-1-enelsonmoore@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
4 weeks agoarm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU
Shanker Donthineni [Tue, 9 Jun 2026 23:40:44 +0000 (18:40 -0500)] 
arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU

NVIDIA Olympus cores are affected by the TLBI completion issue tracked as
CVE-2025-10263. The existing ARM64_ERRATUM_4118414 handling already uses
ARM64_WORKAROUND_REPEAT_TLBI to issue an additional broadcast TLBI;DSB
sequence and ensure affected memory write effects are globally observed.

Add MIDR_NVIDIA_OLYMPUS to the repeat-TLBI match list so the same
mitigation is enabled on affected Olympus systems. Also document the
NVIDIA Olympus erratum in the arm64 silicon errata table and list it in
the Kconfig help text.

Signed-off-by: Shanker Donthineni <sdonthineni@nvidia.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Will Deacon <will@kernel.org>
4 weeks agoKVM: arm64: nv: Avoid dereferencing NULL VNCR pseudo-TLB
Marc Zyngier [Sun, 7 Jun 2026 17:57:45 +0000 (18:57 +0100)] 
KVM: arm64: nv: Avoid dereferencing NULL VNCR pseudo-TLB

VNCR TLB invalidation occurs from MMU notifiers or TLBI instructions,
and either can race against a vcpu not being onlined yet (no pseudo-TLB
allocated). Similarly, the TLB might be invalid, and the invalidation
should be skipped in this case.

Both kvm_invalidate_vncr_ipa() and kvm_invalidate_vncr_va() are
expected to perform the same checks, except that the latter doesn't
check for the allocation and blindly dereferences the pointer.

Solve this by introducing a new iterator built on top of the usual
kvm_for_each_vcpu() that checks for both of the above conditions,
and convert the two users to it.

Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
Link: https://lore.kernel.org/r/aiUvSbrWndQeUPc8@v4bel
Fixes: 4ffa72ad8f37 ("KVM: arm64: nv: Add S1 TLB invalidation primitive for VNCR_EL2")
Cc: stable@vger.kernel.org
Reviewed-by: Oliver Upton <oupton@kernel.org>
Link: https://patch.msgid.link/20260607175745.297793-1-maz@kernel.org
Signed-off-by: Marc Zyngier <maz@kernel.org>
4 weeks agoarm64: errata: Mitigate TLBI errata on various Arm CPUs
Mark Rutland [Tue, 9 Jun 2026 10:12:03 +0000 (11:12 +0100)] 
arm64: errata: Mitigate TLBI errata on various Arm CPUs

A number of CPUs developed by Arm suffer from errata whereby a broadcast
TLBI;DSB sequence may complete before the global observation of writes
which are translated by an affected TLB entry.

These errata ONLY affect the completion of memory accesses which have
been translated by an invalidated TLB entry, and these errata DO NOT
affect the actual invalidation of TLB entries. TLB entries are removed
correctly.

This issue has been assigned CVE ID CVE-2025-10263.

To mitigate this issue, Arm recommends that software follows any
affected TLBI;DSB sequence with an additional TLBI;DSB, which will
ensure that all memory write effects affected by the first TLBI have
been globally observed. The additional TLBI can use any operation that
is broadcast to affected CPUs, and the additional DSB can use any option
that is sufficient to complete the additional TLBI.

The ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate
the issue. Enable this workaround for affected CPUs, and update the
silicon errata documentation accordingly.

Note that due to the manner in which Arm develops IP and tracks errata,
some CPUs share a common erratum number.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Will Deacon <will@kernel.org>
4 weeks agoarm64: cputype: Add C1-Premium definitions
Mark Rutland [Tue, 9 Jun 2026 10:12:02 +0000 (11:12 +0100)] 
arm64: cputype: Add C1-Premium definitions

Add cputype definitions for C1-Premium. These will be used for errata
detection in subsequent patches.

These values can be found in the C1-Premium TRM:

  https://developer.arm.com/documentation/109416/0100/

... in section A.5.1 ("MIDR_EL1, Main ID Register").

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Will Deacon <will@kernel.org>
4 weeks agoarm64: cputype: Add C1-Ultra definitions
Mark Rutland [Tue, 9 Jun 2026 10:12:01 +0000 (11:12 +0100)] 
arm64: cputype: Add C1-Ultra definitions

Add cputype definitions for C1-Ultra. These will be used for errata
detection in subsequent patches.

These values can be found in the C1-Ultra TRM:

  https://developer.arm.com/documentation/108014/0100/

... in section A.5.1 ("MIDR_EL1, Main ID Register").

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Will Deacon <will@kernel.org>
4 weeks agoMerge branch 'intel-sst' of https://github.com/spandruvada/linux-kernel into review...
Ilpo Järvinen [Wed, 10 Jun 2026 10:40:39 +0000 (13:40 +0300)] 
Merge branch 'intel-sst' of https://github.com/spandruvada/linux-kernel into review-ilpo-next

4 weeks agoRevert "arm64: mm: Unmap kernel data/bss entirely from the linear map"
Will Deacon [Wed, 10 Jun 2026 10:40:23 +0000 (11:40 +0100)] 
Revert "arm64: mm: Unmap kernel data/bss entirely from the linear map"

This reverts commit 63e0b6a5b6934d6a919d1c65ea185303200a1874.

Unmapping the kernel '.bss' appears to break KVM initialisation on some
devices, breaking the boot on popular platforms such as RaspberryPi3 and
4.

Revert this change for now so that we can revisit it in future.

Reported-by: Mark Brown <broonie@kernel.org>
Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
Link: https://lore.kernel.org/all/aicVyebkEMs6w6UV@sirena.co.uk
Link: https://lore.kernel.org/r/a1b27e97-182c-485d-a448-56c19c5de2c2@samsung.com
Signed-off-by: Will Deacon <will@kernel.org>
4 weeks agoRevert "arm64: mm: Defer remap of linear alias of data/bss"
Will Deacon [Wed, 10 Jun 2026 10:34:39 +0000 (11:34 +0100)] 
Revert "arm64: mm: Defer remap of linear alias of data/bss"

This reverts commit 53205d56212cbff880a77497e25a0e44036d490a.

Unmapping the kernel '.bss' appears to break KVM initialisation on some
devices, breaking the boot on popular platforms such as RaspberryPi3 and
4.

Revert this change for now so that we can revisit it in future.

Reported-by: Mark Brown <broonie@kernel.org>
Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
Link: https://lore.kernel.org/all/aicVyebkEMs6w6UV@sirena.co.uk
Link: https://lore.kernel.org/r/a1b27e97-182c-485d-a448-56c19c5de2c2@samsung.com
Signed-off-by: Will Deacon <will@kernel.org>
4 weeks agontfs3: reject direct userspace writes to reserved $LX* xattrs
Konstantin Komarov [Wed, 10 Jun 2026 10:31:01 +0000 (12:31 +0200)] 
ntfs3: reject direct userspace writes to reserved $LX* xattrs

NTFS3 uses $LXUID, $LXGID, $LXMOD and $LXDEV as internal WSL
permission metadata and reloads them into i_uid, i_gid and i_mode
from ntfs_get_wsl_perm().

Because the empty-prefix xattr handler also lets file owners call
setxattr() on these names directly, an unprivileged writer on a
writable ntfs3 mount can plant root ownership and S_ISUID on their own
file and gain euid 0 after inode reload.

Reject direct userspace writes to the reserved $LX* names. Internal
ntfs3 metadata updates are unchanged because ntfs_save_wsl_perm()
writes them via ntfs_set_ea() directly.

Signed-off-by: Zhen Yan <sdjasjbuaa@gmail.com>
[almaz.alexandrovich@paragon-software.com: added an additional check for non privileged users]
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
4 weeks agofs/ntfs3: resize log->one_page_buf when adopting on-disk page size
Jamie Nguyen [Fri, 5 Jun 2026 04:19:30 +0000 (21:19 -0700)] 
fs/ntfs3: resize log->one_page_buf when adopting on-disk page size

log_replay() allocates log->one_page_buf using the page size that was
chosen from the host PAGE_SIZE:

log->one_page_buf = kmalloc(log->page_size, GFP_NOFS);

Later, when a restart area is found, the log page size recorded on disk
is adopted:

t32 = le32_to_cpu(log->rst_info.r_page->sys_page_size);
if (log->page_size != t32) {
log->l_size = log->orig_file_size;
log->page_size = norm_file_page(t32, &log->l_size,
t32 == DefaultLogPageSize);
}

If the on-disk page size is larger than the size used for the initial
allocation, log->page_size grows but one_page_buf is left at its
original, smaller size. A subsequent unaligned read_log_page() then
reads log->page_size bytes into the undersized scratch buffer:

page_buf = page_off ? log->one_page_buf : *buffer;
err = ntfs_read_run_nb_ra(ni->mi.sbi, &ni->file.run, page_vbo, page_buf,
  log->page_size, NULL, &log->read_ahead);

overflowing the allocation. This is reachable when mounting a dirty
NTFS volume whose log was formatted with a page size larger than the
buffer initially allocated on the mounting host (for example a 64K-log
volume mounted on a host that allocated a 4K scratch buffer).

Grow one_page_buf when the adopted on-disk page size exceeds the size
used for the initial allocation. On krealloc() failure the original
buffer is left intact and freed by the existing error path.

Fixes: b46acd6a6a627 ("fs/ntfs3: Add NTFS journal")
Reported-by: Carol L Soto <csoto@nvidia.com>
Signed-off-by: Jamie Nguyen <jamien@nvidia.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
4 weeks agofs/ntfs3: prevent potential lcn remains uninitialized
Edward Adam Davis [Tue, 26 May 2026 08:08:04 +0000 (16:08 +0800)] 
fs/ntfs3: prevent potential lcn remains uninitialized

The target VCN being sought was not found within runs[0], causing
run_lookup() to return false. This causes run_lookup_entry() to return
false, which in turn results in a len value of 0, and the new parameter
passed to attr_data_get_block() is NULL. Collectively, these factors
ultimately cause attr_data_get_block_locked() to exit prematurely without
initializing lcn, thereby triggering [1].

To prevent [1], the clen check within ni_seek_data_or_hole() has been
moved to occur before the lcn check.

[1]
BUG: KMSAN: uninit-value in ni_seek_data_or_hole+0x24f/0x5f0 fs/ntfs3/frecord.c:2862
 ni_seek_data_or_hole+0x24f/0x5f0 fs/ntfs3/frecord.c:2862
 ntfs_llseek+0x22a/0x4a0 fs/ntfs3/file.c:1530
 vfs_llseek fs/read_write.c:391 [inline]

Fixes: c61326967728 ("fs/ntfs3: implement llseek SEEK_DATA/SEEK_HOLE by scanning data runs")
Reported-by: syzbot+c2cfe997245202e46f10@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c2cfe997245202e46f10
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
4 weeks agoMerge tag 'usb-serial-7.1-rc8' of ssh://gitolite.kernel.org/pub/scm/linux/kernel...
Greg Kroah-Hartman [Wed, 10 Jun 2026 10:25:33 +0000 (12:25 +0200)] 
Merge tag 'usb-serial-7.1-rc8' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-linus

Johan writes:

USB serial fixes for 7.1-rc8

Here is one more buffer overflow fix.

This one has been in linux-next overnight with no reported issues.

* tag 'usb-serial-7.1-rc8' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial:
  USB: serial: kl5kusb105: fix bulk-out buffer overflow

4 weeks agoASoC: cs35l56: Fix some cleanup memory leaks
Mark Brown [Wed, 10 Jun 2026 10:24:47 +0000 (11:24 +0100)] 
ASoC: cs35l56: Fix some cleanup memory leaks

Richard Fitzgerald <rf@opensource.cirrus.com> says:

These are for-next.

They are not urgent because it only leaks memory if the driver failed to
component_probe or is removed, which wouldn't happen in normal use.

This series fixes some memory leaks:
- The memory allocated by wm_adsp/cs_dsp was not freed.
- If component_probe() failed it didn't clean up.

The addition of this cleanup in patch #3 exposes an existing possible
double-free of the debugfs, which is fixed in patch #2.

Link: https://patch.msgid.link/20260610093432.557375-1-rf@opensource.cirrus.com
4 weeks agoASoC: cs35l56: Cleanup if component_probe fails
Richard Fitzgerald [Wed, 10 Jun 2026 09:34:32 +0000 (10:34 +0100)] 
ASoC: cs35l56: Cleanup if component_probe fails

If cs35l56_component_probe() fails, call cs35l56_component_remove() to
clean up.

All the cleanup in cs35l56_component_remove() is the same cleanup that
would need to be done (at least partially) if cs35l56_component_probe()
fails. So calling cs35l56_component_remove() avoids convoluted cleanup
gotos and duplicated code in cs35l56_component_probe().

The only action in cs35l56_component_remove() that is nominally
dependent on having completed the component_probe() action is the call
to wm_adsp2_component_remove(). Though it is currently safe to call that
even if wm_adsp2_component_probe() was not called. However,
wm_adsp2_component_probe() has been trivially updated to check itself
whether it needs to cleanup.

Fixes: e49611252900 ("ASoC: cs35l56: Add driver for Cirrus Logic CS35L56")
Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Link: https://patch.msgid.link/20260610093432.557375-4-rf@opensource.cirrus.com
Signed-off-by: Mark Brown <broonie@kernel.org>
4 weeks agoASoC: cs35l56: Prevent double-free of debugfs
Richard Fitzgerald [Wed, 10 Jun 2026 09:34:31 +0000 (10:34 +0100)] 
ASoC: cs35l56: Prevent double-free of debugfs

Invalidate the debugfs pointer after debugfs_remove_recursive() in
cs35l56_remove_cal_debugfs(). This prevents a double-free situation when
a future commit adds proper failure cleanup in cs35l56_component_probe().

As described by Sashiko (including the future cs35l56_component_probe()
cleanup commit):

During a normal component unbind, cs35l56_component_remove() calls
cs35l56_remove_cal_debugfs() which removes the directory but leaves
a dangling pointer.

If the component is later bound again, but _cs35l56_component_probe()
fails early (for example, if the init_completion times out), this new
error path will call cs35l56_component_remove(). This causes
cs35l56_remove_cal_debugfs() to be called again with the dangling
cs35l56_base->debugfs pointer from the previous lifecycle, resulting in
a use-after-free in debugfs_remove_recursive().

Fixes: f7097161e94c ("ASoC: cs35l56: Add common code for factory calibration")
Reported-by: sashiko <sashiko@sashiko.dev>
Link: https://sashiko.dev/#/patchset/20260609120738.284770-1-rf%40opensource.cirrus.com
Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Link: https://patch.msgid.link/20260610093432.557375-3-rf@opensource.cirrus.com
Signed-off-by: Mark Brown <broonie@kernel.org>
4 weeks agoASoC: cs35l56: Fix missing calls to wm_adsp2_remove()
Richard Fitzgerald [Wed, 10 Jun 2026 09:34:30 +0000 (10:34 +0100)] 
ASoC: cs35l56: Fix missing calls to wm_adsp2_remove()

Call wm_adsp2_remove() in cs35l56_remove() and the error path of
cs35l56_common_probe().

Depends on commit 7d3fb78b5503 ("ASoC: wm_adsp: Fix NULL dereference
when removing firmware controls").

The call to wm_halo_init() during driver probe should be paired with
a call to wm_adsp2_remove() but this was missing. The consequence
would be a memory leak of the control lists in the cs_dsp driver.

Fixes: e49611252900 ("ASoC: cs35l56: Add driver for Cirrus Logic CS35L56")
Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Link: https://patch.msgid.link/20260610093432.557375-2-rf@opensource.cirrus.com
Signed-off-by: Mark Brown <broonie@kernel.org>
4 weeks agoxfs: cleanup xfs_growfs_compute_deltas
Christoph Hellwig [Tue, 9 Jun 2026 07:52:45 +0000 (09:52 +0200)] 
xfs: cleanup xfs_growfs_compute_deltas

xfs_growfs_compute_deltas has an odd calling conventions, and looks
very convoluted due to the use of do_div and strangely named and typed
variables.

Rename it, make it return the agcount and let the caller calculate the
delta.  The internally use the better div_u64_rem helper and descriptive
variable names and types.  Also add a comment describing what the
function is used for.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
4 weeks agoxfs: pass back updated nb from xfs_growfs_compute_deltas
Christoph Hellwig [Tue, 9 Jun 2026 07:52:44 +0000 (09:52 +0200)] 
xfs: pass back updated nb from xfs_growfs_compute_deltas

xfs_growfs_compute_deltas can update nb for corner cases like a number
of blocks that would create a less the minimal sized AG, or running
past the max AG limit.  Pass back the calculated value to the caller,
as it relies on to calculate the new number of perag structures.

Note that the grown file system size is not affected by this
miscalculation as it uses the passed back delta value.

Fixes: a49b7ff63f98 ("xfs: Refactoring the nagcount and delta calculation")
Cc: stable@vger.kernel.org # v7.0
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
4 weeks agoxfs: fix pointer arithmetic error on 32-bit systems
Darrick J. Wong [Wed, 10 Jun 2026 04:57:24 +0000 (21:57 -0700)] 
xfs: fix pointer arithmetic error on 32-bit systems

The translation of the old XFS_BMBT_KEY_ADDR macro into a static
function is not correct on 32-bit systems because the sizeof() argument
went from being a xfs_bmbt_key_t (i.e. a struct) to a (struct
xfs_bmbt_key *) (i.e. a pointer to the same struct).  On 64-bit systems
this turns out ok because they are the same size, but on 32-bit systems
this is catastrophic because they are not the same size.  So far there
have been no complaints, most likely because the xfs developers urge
against running it on 32-bit systems.  But this needs fixing asap.

Cc: stable@vger.kernel.org # v6.12
Fixes: 79124b37400635 ("xfs: replace shouty XFS_BM{BT,DR} macros")
Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
4 weeks agoxfs: initialize iomap->flags earlier in xfs_bmbt_to_iomap
Christoph Hellwig [Tue, 9 Jun 2026 07:53:44 +0000 (09:53 +0200)] 
xfs: initialize iomap->flags earlier in xfs_bmbt_to_iomap

Otherwise we lose the IOMAP_IOEND_BOUNDARY assingment for writes to the
first block in a realtime group, and could cause incorrect merges for
such writes.

Fixes: b91afef72471 ("xfs: don't merge ioends across RTGs")
Cc: <stable@vger.kernel.org> # v6.13
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
4 weeks agoxfs: only log freed extents for the current RTG in zoned growfs
Christoph Hellwig [Wed, 10 Jun 2026 05:07:21 +0000 (07:07 +0200)] 
xfs: only log freed extents for the current RTG in zoned growfs

Otherwise a power fail or crash during growfs could lead to an
elevated sb_rblocks counter.

Note that the step function is much simpler compared to the classic RT
allocator as zoned RT sections must be aligned to real time group
boundaries.

Fixes: 01b71e64bb87 ("xfs: support growfs on zoned file systems")
Cc: <stable@vger.kernel.org> # v6.15
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
4 weeks agodrm/amd/display: use plane color_mgmt_changed to track colorop changes
Melissa Wen [Tue, 9 Jun 2026 10:20:21 +0000 (12:20 +0200)] 
drm/amd/display: use plane color_mgmt_changed to track colorop changes

Ensure the driver tracks changes in any colorop property of a plane
color pipeline by using the same mechanism of CRTC color management and
update plane color blocks when any colorop property changes. It fixes an
issue observed on gamescope settings for night mode which is done via
shaper/3D-LUT updates.

Fixes: 9ba25915efba ("drm/amd/display: Add support for sRGB EOTF in DEGAM block")
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Melissa Wen <mwen@igalia.com>
Signed-off-by: Melissa Wen <melissa.srw@gmail.com>
Link: https://patch.msgid.link/20260609110420.1298352-5-mwen@igalia.com
4 weeks agodrm/atomic: track individual colorop updates
Melissa Wen [Tue, 9 Jun 2026 10:20:20 +0000 (12:20 +0200)] 
drm/atomic: track individual colorop updates

As we do for CRTC color mgmt properties, use color_mgmt_changed flag to
track any value changes in the color pipeline of a given plane, so that
drivers can update color blocks as soon as plane color pipeline or
individual colorop values change. Since we're here, only announce and
track changes to plane COLOR_PIPELINE prop if its value is actually
changing.

Fixes: 8c5ea1745f4c ("drm/colorop: Add BYPASS property")
Fixes: 7fa3ee8c0a79 ("drm/colorop: Define LUT_1D interpolation")
Fixes: 41651f9d42eb ("drm/colorop: Add 1D Curve subtype")
Fixes: 3410108037d5 ("drm/colorop: Add multiplier type")
Fixes: db971856bbe0 ("drm/colorop: Add 3D LUT support to color pipeline")
Fixes: e5719e7f1900 ("drm/colorop: Add 3x4 CTM type")
Fixes: 99a4e4f08abe ("drm/colorop: Add 1D Curve Custom LUT type")
Fixes: 2afc3184f3b3 ("drm/plane: Add COLOR PIPELINE property")
Reviewed-by: Harry Wentland <harry.wentland@amd.com> #v1
Reviewed-by: Chaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>
Reviewed-by: Alex Hung <alex.hung@amd.com>
Fixes: 9ba25915efba ("drm/amd/display: Add support for sRGB EOTF in DEGAM block")
Signed-off-by: Melissa Wen <mwen@igalia.com>
Signed-off-by: Melissa Wen <melissa.srw@gmail.com>
Link: https://patch.msgid.link/20260609110420.1298352-4-mwen@igalia.com
4 weeks agodrm/colorop: make lut(1/3)d_interpolation props correctly behave as mutable
Melissa Wen [Tue, 9 Jun 2026 10:20:19 +0000 (12:20 +0200)] 
drm/colorop: make lut(1/3)d_interpolation props correctly behave as mutable

As interpolation props are actually mutable props, any changes should be
handled by drm_colorop_state. Move their enum and make it correctly
behaves as mutable.

Fixes: 7fa3ee8c0a79 ("drm/colorop: Define LUT_1D interpolation")
Fixes: db971856bbe0 ("drm/colorop: Add 3D LUT support to color pipeline")
Reviewed-by: Chaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>
Reviewed-by: Alex Hung <alex.hung@amd.com>
Fixes: 9ba25915efba ("drm/amd/display: Add support for sRGB EOTF in DEGAM block")
Signed-off-by: Melissa Wen <mwen@igalia.com>
Signed-off-by: Melissa Wen <melissa.srw@gmail.com>
Link: https://patch.msgid.link/20260609110420.1298352-3-mwen@igalia.com
4 weeks agodrm/colorop: Remove read-only comments from interpolation fields
Alex Hung [Tue, 9 Jun 2026 10:20:18 +0000 (12:20 +0200)] 
drm/colorop: Remove read-only comments from interpolation fields

The lut1d_interpolation and lut3d_interpolation fields and their
associated properties were marked as read-only, but userspace
can set them via drm_atomic_colorop_set_property().

Fixes: 7fa3ee8c0a79 ("drm/colorop: Define LUT_1D interpolation")
Fixes: db971856bbe0 ("drm/colorop: Add 3D LUT support to color pipeline")
Reviewed-by: Chaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Fixes: 9ba25915efba ("drm/amd/display: Add support for sRGB EOTF in DEGAM block")
Signed-off-by: Melissa Wen <mwen@igalia.com>
Signed-off-by: Melissa Wen <melissa.srw@gmail.com>
Link: https://patch.msgid.link/20260609110420.1298352-2-mwen@igalia.com
4 weeks agoata: libata-pmp: add JMicron JMS562 quirk
Xu Rao [Wed, 10 Jun 2026 05:28:35 +0000 (13:28 +0800)] 
ata: libata-pmp: add JMicron JMS562 quirk

JMicron JMS562, as used in QNAP QDA-A2AR RAID1 adapters, may
keep the exported ATA device not ready while the array is rebuilding.

In this state, libata may repeatedly try to softreset and classify
the fan-out link.  On the affected adapter, this can time out, make
PMP/SCR access fail, and eventually disable the fan-out link before
the RAID volume is exported.

A failing boot shows the fan-out link failing SRST, PMP access
timing out, SCR read failing, and the link being disabled:

  ata4.00: softreset failed (device not ready)
  ata4.15: qc timeout after 3000 msecs (cmd 0xe4)
  ata4.00: failed to read SCR 0 (Emask=0x4)
  ata4.00: failed to recover link after 3 tries, disabling

After that, the root filesystem on the exported RAID volume cannot
be found.

Add JMS562 to the existing JMicron PMP quirk that disables LPM,
avoids softreset on fan-out links, and assumes an ATA device.  This
prevents libata from dropping the exported RAID volume during rebuild
recovery.

Signed-off-by: Xu Rao <raoxu@uniontech.com>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Niklas Cassel <cassel@kernel.org>
4 weeks agofanotify: allow reporting pidfds for reaped tasks
AnonymeMeow [Sun, 7 Jun 2026 00:33:43 +0000 (08:33 +0800)] 
fanotify: allow reporting pidfds for reaped tasks

Fanotify used to refuse to report pidfds for reaped tasks by applying a
pid_has_task() check before calling pidfd_prepare(). This prevented
userspace from obtaining information about the task.

Register the event pid with pidfs when creating the fanotify event if
pidfd reporting was requested, so pidfd_prepare() can later create a
pidfd for the reaped task.

Suggested-by: Christian Brauner <brauner@kernel.org>
Link: https://lore.kernel.org/linux-fsdevel/20260528-schmuckvoll-heilen-garen-be77b4208671@brauner/
Signed-off-by: AnonymeMeow <anonymemeow@gmail.com>
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Link: https://patch.msgid.link/20260607003343.425939-3-anonymemeow@gmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
4 weeks agofanotify: report thread pidfds for FAN_REPORT_TID
AnonymeMeow [Sun, 7 Jun 2026 00:33:42 +0000 (08:33 +0800)] 
fanotify: report thread pidfds for FAN_REPORT_TID

The FAN_REPORT_PIDFD and FAN_REPORT_TID flags used to be mutually
exclusive because by the time the pidfd support was introduced to
fanotify, pidfds could only be created for thread group leaders. Now
that the pidfd API supports thread-specific pidfds via PIDFD_THREAD,
this restriction can be lifted.

Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: AnonymeMeow <anonymemeow@gmail.com>
Link: https://patch.msgid.link/20260607003343.425939-2-anonymemeow@gmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
4 weeks agoARM: remove the last few uses of do_bad_IRQ()
Ethan Nelson-Moore [Wed, 10 Jun 2026 04:56:26 +0000 (21:56 -0700)] 
ARM: remove the last few uses of do_bad_IRQ()

The do_bad_IRQ() macro simply calls handle_bad_irq() with a lock around
it. It also carries a comment stating that uses of it should be
replaced. According to commit aec0095653cd ("irqchip: gic: Call
handle_bad_irq() directly"), which replaced another use of
do_bad_IRQ(), locking the IRQ descriptor is not necessary for error
reporting. Therefore, replace all uses of do_bad_IRQ() with calls to
handle_bad_irq() and remove do_bad_IRQ().

Signed-off-by: Ethan Nelson-Moore <enelsonmoore@gmail.com>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Link: https://lore.kernel.org/r/20260610045626.248643-1-enelsonmoore@gmail.com
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
4 weeks agob43: add RF power offset for N-PHY r8 + radio 2057 r8
Alessio Ferri [Thu, 28 May 2026 17:31:41 +0000 (19:31 +0200)] 
b43: add RF power offset for N-PHY r8 + radio 2057 r8

Add the 2.4 GHz RF power offset table for N-PHY rev 8 paired with
radio 2057 rev 8 and wire it to the existing dispatcher.

b43_ntab_get_rf_pwr_offset_table() currently dispatches on phy->rev
== 17 (radio_rev 14) and phy->rev == 16 (radio_rev 9) for 2.4 GHz.
phy->rev == 8 falls through and the function logs:

    b43-phyX ERROR: No 2GHz RF power table available for this device

Add a phy->rev == 8 / radio_rev == 8 case returning the new table.

The values are sourced from the proprietary Broadcom wl driver's
nphy_papd_padgain_dlt_2g_2057rev5 array. Reusing the rev 5 values
is structurally appropriate: the IPA TX gain table added by the
preceding patch in this series shares the low 24 bits of every
entry with rev 5 - same gain step amplitudes, only the PAD-gain
selector byte differs. b43's pad_gain extraction in
b43_nphy_tx_pwr_ctl_init() reads bits 19..23 of the gain entry,
which sit in the shared low-24-bit range; the same gain index
therefore maps to the same physical PAD gain code on both
revisions and warrants the same per-index dB offset.

Note that b43_nphy_tx_gain_table_upload() currently has a "TODO:
Enable this once we have gains configured" early-return for
phy->rev >= 7. With that early-return in place, this table is
fetched (silencing the b43err that would otherwise abort PHY
init) but its values are not yet written to MMIO. Resolving the
TODO is a future, separate task.

Assisted-by: Claude:claude-4.7-opus
Signed-off-by: Alessio Ferri <alessio.ferri@mythread.it>
Acked-by: Michael Büsch <m@bues.ch>
Reviewed-by: Joshua Peisach <jpeisach@ubuntu.com>
Link: https://patch.msgid.link/20260528-b43_complete_n_phy_rev_8_radio_2057_rev_8_support-v4-7-464566194d47@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
4 weeks agob43: add channel info table for N-PHY r8 + radio 2057 r8
Alessio Ferri [Thu, 28 May 2026 17:31:40 +0000 (19:31 +0200)] 
b43: add channel info table for N-PHY r8 + radio 2057 r8

Add the 2.4 GHz channel info table for N-PHY rev 8 paired with
radio 2057 rev 8 and wire it to the existing dispatcher in
r2057_get_chantabent_rev7().

The dispatcher's case 8 currently handles radio_rev == 5 only.
For radio_rev == 8 both output pointers stay NULL,
b43_nphy_set_channel() returns an error and channel switch to
the default channel fails.

The new b43_nphy_chantab_phy_rev8_radio_rev8[] is 14 entries
covering the standard 2.4 GHz channel set (2412..2472 in 5 MHz
steps, plus 2484 for channel 14).

Values extracted from an MMIO dump of the proprietary Broadcom wl
driver running on BCM6362 silicon (wl driver 6.30.102.7).

Assisted-by: Claude:claude-4.7-opus
Signed-off-by: Alessio Ferri <alessio.ferri@mythread.it>
Acked-by: Michael Büsch <m@bues.ch>
Reviewed-by: Joshua Peisach <jpeisach@ubuntu.com>
Link: https://patch.msgid.link/20260528-b43_complete_n_phy_rev_8_radio_2057_rev_8_support-v4-6-464566194d47@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
4 weeks agob43: add IPA TX gain table for N-PHY r8 + radio 2057 r8
Alessio Ferri [Thu, 28 May 2026 17:31:39 +0000 (19:31 +0200)] 
b43: add IPA TX gain table for N-PHY r8 + radio 2057 r8

Add the 2.4 GHz IPA TX gain table for N-PHY rev 8 paired with radio
2057 rev 8 and wire it to the existing dispatcher.

b43_nphy_get_ipa_gain_table() in tables_nphy.c currently handles
case 8 only for radio_rev == 5; radio_rev == 8 falls through and
the function logs:

    b43-phyX ERROR: No 2GHz IPA gain table available for this device
    b43-phyX ERROR: PHY init: Channel switch to default failed

leaving b43_phy_init() to return an error and core_init to abort
before the MAC is enabled.

The high byte of every entry differs from the rev 5 sibling (0x40
vs 0x30): different PAD-gain code prefix for the rev 8 front-end.
The low 24 bits coincide with rev 5 across the whole table - the
gain step amplitudes are the same, only the PAD-gain selector
prefix changes.

Values extracted from an MMIO dump of the proprietary Broadcom wl
driver running on BCM6362 silicon (wl driver 6.30.102.7).

Assisted-by: Claude:claude-4.7-opus
Signed-off-by: Alessio Ferri <alessio.ferri@mythread.it>
Acked-by: Michael Büsch <m@bues.ch>
Reviewed-by: Joshua Peisach <jpeisach@ubuntu.com>
Link: https://patch.msgid.link/20260528-b43_complete_n_phy_rev_8_radio_2057_rev_8_support-v4-5-464566194d47@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
4 weeks agob43: support radio 2057 rev 8
Alessio Ferri [Thu, 28 May 2026 17:31:38 +0000 (19:31 +0200)] 
b43: support radio 2057 rev 8

Add support for radio 2057 revision 8, paired with N-PHY rev 8 on
the Broadcom BCM6362 single-die integrated 2.4 GHz wireless block.

Three correlated changes are needed for the same chip:

  - main.c: the radio_rev allow-list under B43_PHYTYPE_N currently
    accepts radio 2057 revisions 9 and 14 only; extend to include
    rev 8.

  - radio_2057.c: the existing r2057_rev8_init[] is a 54-entry stub
    declared inside a TODO comment block and never referenced
    from r2057_upload_inittabs().
    Replace it with the full 412-entry register set actually
    programmed by the proprietary Broadcom wl driver on this radio.
    I couldn't find the origin of the original 54-entry stub - 8
    of its entries do not appear at all in the rev 8 register set
    and 7 more carry different values.
    Loading it instead of using the real table leaves the radio
    hanging producing a "Microcode not responding" timeout.

  - radio_2057.c: r2057_upload_inittabs() case 8 handles radio_rev
    5 and 7 only; add the radio_rev == 8 branch pointing at the
    new table.

The init table is extracted from an MMIO dump of the radio
register set programmed during proprietary driver initialisation
on BCM6362 silicon (Broadcom wl driver 6.30.102.7).

Assisted-by: Claude:claude-4.7-opus
Signed-off-by: Alessio Ferri <alessio.ferri@mythread.it>
Acked-by: Michael Büsch <m@bues.ch>
Reviewed-by: Joshua Peisach <jpeisach@ubuntu.com>
Link: https://patch.msgid.link/20260528-b43_complete_n_phy_rev_8_radio_2057_rev_8_support-v4-4-464566194d47@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
4 weeks agob43: route d11 corerev 22 to 24-bit indirect radio access
Alessio Ferri [Thu, 28 May 2026 17:31:37 +0000 (19:31 +0200)] 
b43: route d11 corerev 22 to 24-bit indirect radio access

Rev 22 backports the older 802.11 core but pairs it with a radio
in the 2057 family, which requires the 24-bit indirect path. With
the current dispatch, corerev 22 falls into the legacy 4-wire branch,
reads garbage for radio_id, and bails out with -EOPNOTSUPP at the
"FOUND UNSUPPORTED RADIO" branch below.

brcmsmac handles the same silicon family with the equivalent
dispatch in drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/
phy_cmn.c read_radio_reg() and write_radio_reg():

    if ((D11REV_GE(pi->sh->corerev, 24)) ||
        (D11REV_IS(pi->sh->corerev, 22)
         && (pi->pubpi.phy_type != PHY_TYPE_SSN))) {
            /* radioregaddr / radioregdata (indirect) */
    } else {
            /* phy4waddr / phy4wdatalo (legacy)      */
    }

b43 does not support SSN/SSLPN PHYs - they are rejected earlier in
b43_phy_versioning() at the "unsupported PHY type" switch - so just
adding the check corerev == 22 will do.

Assisted-by: Claude:claude-4.7-opus
Signed-off-by: Alessio Ferri <alessio.ferri@mythread.it>
Acked-by: Michael Büsch <m@bues.ch>
Reviewed-by: Joshua Peisach <jpeisach@ubuntu.com>
Link: https://patch.msgid.link/20260528-b43_complete_n_phy_rev_8_radio_2057_rev_8_support-v4-3-464566194d47@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
4 weeks agob43: add d11 core revision 0x16 to id table
Alessio Ferri [Thu, 28 May 2026 17:31:36 +0000 (19:31 +0200)] 
b43: add d11 core revision 0x16 to id table

Add d11 core revision 0x16 (= 22) to the b43 bcma device id table.

The b43 bcma id table covers d11 revisions 0x11, 0x15, 0x17, 0x18,
0x1C, 0x1D, 0x1E, 0x28 and 0x2A. Revision 0x16 belongs to the same
N-PHY family as revisions 0x17 and 0x18 (radio 2057) and needs no
new PHY or radio code beyond the radio_rev 8 dispatcher entries
added later in this series - only the device id entry is missing.
Without it bcma scan enumerates the 802.11 core but no driver binds.

The revision is used by the Broadcom BCM6362 single-die integrated
2.4 GHz wireless block found in xDSL SoCs.

Assisted-by: Claude:claude-4.7-opus
Signed-off-by: Alessio Ferri <alessio.ferri@mythread.it>
Acked-by: Michael Büsch <m@bues.ch>
Reviewed-by: Joshua Peisach <jpeisach@ubuntu.com>
Link: https://patch.msgid.link/20260528-b43_complete_n_phy_rev_8_radio_2057_rev_8_support-v4-2-464566194d47@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
4 weeks agob43: add firmware mappings for rev22
Alessio Ferri [Thu, 28 May 2026 17:31:35 +0000 (19:31 +0200)] 
b43: add firmware mappings for rev22

add the specific firmware mappings for rev22, and drop comments wondering about rev22 initvals

Assisted-by: Claude:claude-4.7-opus
Signed-off-by: Alessio Ferri <alessio.ferri@mythread.it>
Acked-by: Michael Büsch <m@bues.ch>
Reviewed-by: Joshua Peisach <jpeisach@ubuntu.com>
Link: https://patch.msgid.link/20260528-b43_complete_n_phy_rev_8_radio_2057_rev_8_support-v4-1-464566194d47@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
4 weeks agodrm/i915/gem: Fix phys BO pread/pwrite with offset
Joonas Lahtinen [Wed, 10 Jun 2026 06:03:14 +0000 (09:03 +0300)] 
drm/i915/gem: Fix phys BO pread/pwrite with offset

sg_page() returns struct page pointer not (void *) so the scaling
of pread/pwrite is wrong for phys BO and wrong parts of BO would be
accessed if non-zero offset is used.

Last impacted platform with overlay or cursor planes using phys
mapping was Gen3/945G/Lakeport.

Reported-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Fixes: c6790dc22312 ("drm/i915: Wean off drm_pci_alloc/drm_pci_free")
Cc: <stable@vger.kernel.org> # v4.5+
Cc: Tvrtko Ursulin <tursulin@ursulin.net>
Cc: Simona Vetter <simona@ffwll.ch>
Cc: Jani Nikula <jani.nikula@linux.intel.com>
Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Link: https://patch.msgid.link/20260610060314.26111-1-joonas.lahtinen@linux.intel.com
(cherry picked from commit 3e49a2f85070b2fb672c1e0fdba281a4ea3aebe6)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
4 weeks agorfkill: Replace strcpy() with memcpy()
David Laight [Sat, 6 Jun 2026 20:26:02 +0000 (21:26 +0100)] 
rfkill: Replace strcpy() with memcpy()

The length of the string is calculated in order to allocate the correct
sized memory block, use the same length to copy the string.

Signed-off-by: David Laight <david.laight.linux@gmail.com>
Link: https://patch.msgid.link/20260606202633.5018-8-david.laight.linux@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
4 weeks agogpiolib: handle gpio-hogs only once
Daniel Drake [Mon, 8 Jun 2026 21:01:08 +0000 (22:01 +0100)] 
gpiolib: handle gpio-hogs only once

Commit d1d564ec49929 ("gpio: move hogs into GPIO core") introduced a
behaviour change that breaks boot on Raspberry Pi 5 when using the
firmware-supplied device tree:

  gpiochip_add_data_with_key: GPIOs 544..575
    (/soc@107c000000/gpio@7d517c00) failed to register, -22
  brcmstb-gpio 107d517c00.gpio: Could not add gpiochip for bank 1
  brcmstb-gpio 107d517c00.gpio: probe with driver brcmstb-gpio failed
    with error -22

gpio-brcmstb registers two gpio_chips against the device tree
node gpio@7d517c00, one for each bank. The firmware-supplied DT includes
a gpio-hog on RP1 RUN, and this gpio-hog is attempted to be applied to
*both* gpio_chips. This succeeds against bank 0 (which hosts the GPIO)
and fails for bank 1 (which does not).

In the previous implementation, failures to apply gpio-hogs were
quietly ignored. In the new code, the error code propagates and causes
probe to fail.

Closely approximate the previous behaviour by using the OF_POPULATED flag
to ensure that each gpio-hog is processed only once. The flag was
previously being set before the gpio-hogs were processed, so as part
of this change, the flag now gets set only after the gpio-hog is actioned.
The handling of gpio-hogs on a DT node with multiple gpio_chips remains a
bit incomplete/unclear, but this at least retains the ability to apply
hogs to the first gpio_chip per node.

Fixes: d1d564ec49929 ("gpio: move hogs into GPIO core")
Signed-off-by: Daniel Drake <dan@reactivated.net>
Link: https://patch.msgid.link/20260608210108.36248-1-dan@reactivated.net
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
4 weeks agobacking-file: fix backing_file_open() kerneldoc parameter
Li Wang [Thu, 28 May 2026 10:42:08 +0000 (18:42 +0800)] 
backing-file: fix backing_file_open() kerneldoc parameter

The kerneldoc for backing_file_open() documented a @user_path argument,
but the function takes const struct file *user_file. The user
path is derived as &user_file->f_path.

Update the @-tag to @user_file and adjust the description accordingly.
Also fix the "reuqested" typo to 'requested' in the old comment.

Signed-off-by: Li Wang <liwang@kylinos.cn>
Link: https://patch.msgid.link/20260528104208.395757-1-liwang@kylinos.cn
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
4 weeks agoata: pata_isapnp: Drop unused assignments from pnp_device_id array
Uwe Kleine-König (The Capable Hub) [Tue, 9 Jun 2026 16:51:13 +0000 (18:51 +0200)] 
ata: pata_isapnp: Drop unused assignments from pnp_device_id array

Explicitly assigning .driver_data in drivers that don't use this member
is silly and a bit irritating. Drop it. Also simplify the list
terminator entry to be just empty to match what most other device_id
tables do.

There is no changed semantic, not even a change in the compiled result.

Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Niklas Cassel <cassel@kernel.org>
4 weeks agoALSA: timer: Disable work at freeing timer object
Takashi Iwai [Tue, 9 Jun 2026 11:50:55 +0000 (13:50 +0200)] 
ALSA: timer: Disable work at freeing timer object

There might be a pending work at freeing a timer object, hence clean
it up properly.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260609115100.806869-4-tiwai@suse.de
4 weeks agoRevert "ALSA: timer: Fix UAF at snd_timer_user_params()"
Takashi Iwai [Tue, 9 Jun 2026 11:50:54 +0000 (13:50 +0200)] 
Revert "ALSA: timer: Fix UAF at snd_timer_user_params()"

This reverts commit 053a401b592be424fea9d57c789f66cd5d8cec11.

With the change of the timer object lifecycle with kref, this
temporary workaround is no longer needed.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260609115100.806869-3-tiwai@suse.de
4 weeks agoALSA: timer: Manage timer object with kref
Takashi Iwai [Tue, 9 Jun 2026 11:50:53 +0000 (13:50 +0200)] 
ALSA: timer: Manage timer object with kref

So far we've tried to address UAFs in ALSA timer code by applying the
locks at various places, but the fundamental problem is that the timer
object may be released while the belonging timer instance objects are
still present and accessing to it.  This patch is a more proper fix to
address that issue, namely, by refcounting and keeping the timer
object.

The basic implementation is to use kref for the refcount of the timer
object, and take/release the reference at assigning/releasing the
instance, as well as at referring from ioctls or ALSA sequencer code.
The reference from ioctl or ALSA sequencer is abstracted with
snd_timeri_timer auto-cleanup.

Note that this change assumes that the code already took the fix
commit da3039e91d1f ("ALSA: timer: Forcibly close timer instances at
closing"); otherwise the refcount may be unbalanced when the timer is
freed while slave instances are still present.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260609115100.806869-2-tiwai@suse.de
4 weeks agogpio: fix cleanup path on hog failure
Bartosz Golaszewski [Tue, 9 Jun 2026 12:17:50 +0000 (14:17 +0200)] 
gpio: fix cleanup path on hog failure

If gpiochip_hog_lines() successfully processes some hogs but fails on
a later one, the error handling path in gpiochip_add_data_with_key()
jumps directly to err_remove_of_chip. This leaks resources allocated
earlier for ACPI, interrupts and hogs that were successfully processed.
Use the right label in error path.

Closes: https://sashiko.dev/#/patchset/20260608210108.36248-1-dan%40reactivated.net
Fixes: d1d564ec4992 ("gpio: move hogs into GPIO core")
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Link: https://patch.msgid.link/20260609-gpio-hogs-fixes-v1-2-b4064f8070e7@oss.qualcomm.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
4 weeks agoALSA: hda/realtek: Add quirk for HP 255 15.6 inch G9 Notebook PC
Furst Blumier [Tue, 9 Jun 2026 20:17:06 +0000 (22:17 +0200)] 
ALSA: hda/realtek: Add quirk for HP 255 15.6 inch G9 Notebook PC

The HP 255 15.6 inch G9 Notebook PC (PCI SSID 103c:8a1b) uses the
ALC236 codec but lacks an entry in the quirk table, causing the kernel
to fall back to a null SSID match (103c:0000) and skip the necessary
fixup. Add a quirk entry using ALC236_FIXUP_HP_MUTE_LED_COEFBIT2,
matching the HP 255 G8 which uses the same codec and fixup. This fixes
the mute-button LED and fixes an issue with unplugging and replugging a
headset jack not being recognized as an audio sink.

Signed-off-by: Furst Blumier <seal@furst.blue>
Link: https://patch.msgid.link/20260609201706.502075-1-seal@furst.blue
Signed-off-by: Takashi Iwai <tiwai@suse.de>
4 weeks agoALSA: Improve style of pnp_device_id array terminators
Uwe Kleine-König (The Capable Hub) [Tue, 9 Jun 2026 16:46:10 +0000 (18:46 +0200)] 
ALSA: Improve style of pnp_device_id array terminators

To match how device-id array terminators look like for other device
types drop `.id = ""` from it and let the compiler care for zeroing the
entry.

There are no changes in the compiled drivers, only the source looks
nicer.

Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
Link: https://patch.msgid.link/47ae32220446ec1869898cf5e4b75ec94c32dfdf.1781023479.git.u.kleine-koenig@baylibre.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
4 weeks agoALSA: hda/tas2781: Fix device-0 reset issue and handle -EXDEV in block data processing
Baojun Xu [Tue, 9 Jun 2026 10:52:53 +0000 (18:52 +0800)] 
ALSA: hda/tas2781: Fix device-0 reset issue and handle -EXDEV in block data processing

Fix reset for device-0:‌ In older projects (e.g., Merino), the hardware
reset pin for the first SPI device (device-0) is ineffective, causing
initialization failures. Added a software reset sequence for device-0
to ensure proper initialization.

‌Handle -EXDEV correctly:‌ When processing block data, if the data does
not belong to the current SPI device, the driver returned -EXDEV.
This error code is now ignored to allow the driver to continue iterating
through the block data and correctly calculate the total block size.

Signed-off-by: Baojun Xu <baojun.xu@ti.com>
Link: https://patch.msgid.link/20260609105253.19510-1-baojun.xu@ti.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
4 weeks agoALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IRH8
Moritz Baron [Tue, 9 Jun 2026 14:16:48 +0000 (16:16 +0200)] 
ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IRH8

The Lenovo Yoga Pro 7 14IRH8 (ALC287 codec, subsystem ID 0x17aa:0x38b1)
has bass speakers on pin 0x17 that are not routed through a DAC with
volume control. This causes the bass speakers to play at full volume
regardless of the volume slider position.

Apply ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN which corrects the DAC
routing for pin 0x17, enabling proper volume control. This is the same
fix used for other Yoga Pro 7 models with identical audio topology
(14APH8, 14AHP9, 14ASP10, 14IAH10).

Link: https://bugzilla.kernel.org/show_bug.cgi?id=217949
Co-developed-by: Felix Aljoscha Schnuell <felix.aljoscha.schnuell@stud.uni-hannover.de>
Signed-off-by: Felix Aljoscha Schnuell <felix.aljoscha.schnuell@stud.uni-hannover.de>
Signed-off-by: Moritz Baron <moritz.baron@stud.uni-hannover.de>
Link: https://patch.msgid.link/20260609141648.60608-1-moritz.baron@stud.uni-hannover.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
4 weeks agoiomap: pass the correct len to fserror_report_io in __iomap_write_begin
Christoph Hellwig [Wed, 10 Jun 2026 05:06:42 +0000 (07:06 +0200)] 
iomap: pass the correct len to fserror_report_io in __iomap_write_begin

len is size of the (larger) write request, plen is the range for which
the read failed here.

Fixes: a9d573ee88af ("iomap: report file I/O errors to the VFS")
Signed-off-by: Christoph Hellwig <hch@lst.de>
Link: https://patch.msgid.link/20260610050642.1906695-1-hch@lst.de
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
4 weeks agom68k: Correct CONFIG_MVME16x macro name in #endif comment
Ethan Nelson-Moore [Tue, 9 Jun 2026 20:12:08 +0000 (13:12 -0700)] 
m68k: Correct CONFIG_MVME16x macro name in #endif comment

A comment in arch/m68k/kernel/head.S incorrectly refers to
CONFIG_MVME162 and CONFIG_MVME167 instead of CONFIG_MVME16x. Correct it.

Discovered while searching for CONFIG_* symbols referenced in code but
not defined in any Kconfig file.

Signed-off-by: Ethan Nelson-Moore <enelsonmoore@gmail.com>
Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
Link: https://patch.msgid.link/20260609201211.173438-1-enelsonmoore@gmail.com
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
4 weeks agorust: make `build_assert` module the home of related macros
Gary Guo [Tue, 9 Jun 2026 14:26:33 +0000 (15:26 +0100)] 
rust: make `build_assert` module the home of related macros

Given the macro scoping rules, all macros are rendered twice, in the
module and in the top-level of kernel crate.

Add `#[doc(hidden)]` to the macro definition and `#[doc(inline)]` to the
re-export inside `build_assert` module so the top-level items are hidden.

[ Sadly, because the definition is hidden, `rustdoc` decides to not list
  them as re-exports in the `prelude` page anymore, even if we refer to
  the not-actually-hidden item.

    - Miguel ]

Acked-by: Danilo Krummrich <dakr@kernel.org>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Alexandre Courbot <acourbot@nvidia.com>
Acked-by: FUJITA Tomonori <fujita.tomonori@gmail.com>
Acked-by: Boqun Feng <boqun@kernel.org>
Signed-off-by: Gary Guo <gary@garyguo.net>
Link: https://patch.msgid.link/20260609142637.373347-1-gary@kernel.org
[ Kept a single declaration in the prelude, and reworded since they
  already had `no_inline`. Removed other imports from `predefine` since
  we now use the prelude. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
4 weeks agorust: str: clean unused import for Rust >= 1.98
Miguel Ojeda [Tue, 9 Jun 2026 10:41:52 +0000 (12:41 +0200)] 
rust: str: clean unused import for Rust >= 1.98

Starting with Rust 1.98.0 (expected 2026-08-20), the compiler has changed
how the resolution algorithm works [1] in upstream commit c4d84db5f184
("Resolver: Batched import resolution."), and it now spots:

    error: unused import: `flags::*`
     --> rust/kernel/str.rs:7:9
      |
    7 |         flags::*,
      |         ^^^^^^^^
      |
      = note: `-D unused-imports` implied by `-D warnings`
      = help: to override `-D warnings` add `#[allow(unused_imports)]`

It happens to not be needed because the `prelude::*` already provides
the flags.

Thus clean it up.

Cc: stable@vger.kernel.org # Needed in 6.18.y and later (prelude added to `str`).
Link: https://github.com/rust-lang/rust/pull/145108
Reviewed-by: Gary Guo <gary@garyguo.net>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://patch.msgid.link/20260609104152.261145-2-ojeda@kernel.org
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
4 weeks agorust: str: use the "kernel vertical" imports style
Miguel Ojeda [Tue, 9 Jun 2026 10:41:51 +0000 (12:41 +0200)] 
rust: str: use the "kernel vertical" imports style

Convert the imports to use the "kernel vertical" imports style [1].

No functional changes intended.

Link: https://docs.kernel.org/rust/coding-guidelines.html#imports
Reviewed-by: Gary Guo <gary@garyguo.net>
Link: https://patch.msgid.link/20260609104152.261145-1-ojeda@kernel.org
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
4 weeks agorust: aref: use the "kernel vertical" imports style
Andreas Hindborg [Thu, 4 Jun 2026 20:11:20 +0000 (22:11 +0200)] 
rust: aref: use the "kernel vertical" imports style

Convert the imports to use the "kernel vertical" imports style [1].

No functional changes intended.

Link: https://docs.kernel.org/rust/coding-guidelines.html#imports
Signed-off-by: Andreas Hindborg <a.hindborg@kernel.org>
Link: https://patch.msgid.link/20260604-unique-ref-v17-8-7b4c3d2930b9@kernel.org
[ Picked from larger series and reworded. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
4 weeks agorust: page: use the "kernel vertical" imports style
Andreas Hindborg [Thu, 4 Jun 2026 20:11:16 +0000 (22:11 +0200)] 
rust: page: use the "kernel vertical" imports style

Convert the imports to use the "kernel vertical" imports style [1].

No functional changes intended.

Link: https://docs.kernel.org/rust/coding-guidelines.html#imports
Signed-off-by: Andreas Hindborg <a.hindborg@kernel.org>
Link: https://patch.msgid.link/20260604-unique-ref-v17-4-7b4c3d2930b9@kernel.org
[ Picked from larger series and reworded. Adjusted the `error::`
  block too. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
4 weeks agowifi: brcmfmac: flowring: simplify flow allocation
Rosen Penev [Mon, 8 Jun 2026 05:11:02 +0000 (22:11 -0700)] 
wifi: brcmfmac: flowring: simplify flow allocation

Use a flexible array member and kzalloc_flex to combine allocations.
Simplifies code slightly.

Add __counted_by for extra runtime analysis.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Link: https://patch.msgid.link/20260608051102.6698-1-rosenp@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
4 weeks agowifi: brcm80211: change current_bss to value
Rosen Penev [Mon, 8 Jun 2026 05:28:54 +0000 (22:28 -0700)] 
wifi: brcm80211: change current_bss to value

Change to a single allocation and remove some boilerplate.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Link: https://patch.msgid.link/20260608052854.11718-1-rosenp@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
4 weeks agoMerge tag 'ath-next-20260609' of git://git.kernel.org/pub/scm/linux/kernel/git/ath/ath
Johannes Berg [Wed, 10 Jun 2026 06:30:33 +0000 (08:30 +0200)] 
Merge tag 'ath-next-20260609' of git://git.kernel.org/pub/scm/linux/kernel/git/ath/ath

Jeff Johnson says:
==================
ath.git patches for v7.2 (PR #4)

An assortment of cleanups and minor bug fixes across wcn36xx, ath9k,
ath10k, ath11k, and ath12k.
==================

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
4 weeks agoxfs: add newly added RTGs to the free pool in growfs
Christoph Hellwig [Wed, 10 Jun 2026 05:07:20 +0000 (07:07 +0200)] 
xfs: add newly added RTGs to the free pool in growfs

When growing a zoned RT section, the newly added RTGs also need to be
tagged as free in the radix tree and add to the nr_free_zones counters.
Call xfs_add_free_zone to do that, otherwise using up the newly added
space will wait for free zones forever.

Fixes: 01b71e64bb87 ("xfs: support growfs on zoned file systems")
Cc: stable@vger.kernel.org # v6.15
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
4 weeks agoxfs: factor out a xfs_zone_mark_free helper
Christoph Hellwig [Wed, 10 Jun 2026 05:07:19 +0000 (07:07 +0200)] 
xfs: factor out a xfs_zone_mark_free helper

Add a helper for adding a zone to the free pool in preparation of adding
another caller.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
4 weeks agoaccel/amdxdna: Clear sva pointer after unbind
Lizhi Hou [Thu, 4 Jun 2026 20:28:15 +0000 (13:28 -0700)] 
accel/amdxdna: Clear sva pointer after unbind

Add client->sva = NULL after the unbind makes it consistent with how
amdxdna_sva_fini() already clears the pointer after unbinding. The
IS_ERR_OR_NULL guard in sva_fini will then correctly skip the second
unbind.

Fixes: 3cc5d7a59519 ("accel/amdxdna: Add carveout memory support for non-IOMMU systems")
Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Lizhi Hou <lizhi.hou@amd.com>
Link: https://patch.msgid.link/20260604202815.2425882-1-lizhi.hou@amd.com
4 weeks agocan: virtio: Fix comment in UAPI header
Nathan Chancellor [Thu, 4 Jun 2026 22:57:15 +0000 (15:57 -0700)] 
can: virtio: Fix comment in UAPI header

When compile testing the UAPI headers with clang, there is an warning turned
error for using a C++ style ('//') comment, which is explicitly forbidden for
UAPI headers.

  In file included from <built-in>:1:
  ./usr/include/linux/virtio_can.h:29:35: error: // comments are not allowed in this language [-Werror,-Wcomment]
     29 | #define VIRTIO_CAN_MAX_DLEN    64 // this is like CANFD_MAX_DLEN
        |                                   ^
  1 error generated.

Switch to a standard C style comment.

Fixes: 2b6b4bb7d96f ("can: virtio: Add virtio CAN driver")
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <20260604-virtio_can-fix-uapi-comment-v1-1-199fa96ec5f0@kernel.org>

4 weeks agocan: virtio: Add virtio CAN driver
Matias Ezequiel Vara Larsen [Tue, 26 May 2026 16:42:23 +0000 (18:42 +0200)] 
can: virtio: Add virtio CAN driver

Add virtio CAN driver based on Virtio 1.4 specification (see
https://github.com/oasis-tcs/virtio-spec/tree/virtio-1.4). The driver
implements a complete CAN bus interface over Virtio transport,
supporting both CAN Classic and CAN-FD Ids. In term of frames, it
supports classic and CAN FD. RTR frames are only supported with classic
CAN.

Usage:
- "ip link set up can0" - start controller
- "ip link set down can0" - stop controller
- "candump can0" - receive frames
- "cansend can0 123#DEADBEEF" - send frames

Signed-off-by: Harald Mommer <harald.mommer@oss.qualcomm.com>
Co-developed-by: Harald Mommer <harald.mommer@oss.qualcomm.com>
Signed-off-by: Mikhail Golubev-Ciuchea <mikhail.golubev-ciuchea@oss.qualcomm.com>
Co-developed-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Cc: Damir Shaikhutdinov <Damir.Shaikhutdinov@opensynergy.com>
Reviewed-by: Francesco Valla <francesco@valla.it>
Tested-by: Francesco Valla <francesco@valla.it>
Signed-off-by: Matias Ezequiel Vara Larsen <mvaralar@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <ahXNb+KzuHYbS24+@fedora>

4 weeks agovirtio: add num_vf callback to virtio_bus
Yui Washizu [Tue, 10 Mar 2026 06:14:52 +0000 (15:14 +0900)] 
virtio: add num_vf callback to virtio_bus

Recent QEMU versions added support for virtio SR-IOV emulation,
allowing virtio devices to expose SR-IOV VFs to the guest.
However, virtio_bus does not implement the num_vf callback of bus_type,
causing dev_num_vf() to return 0 for virtio devices even when
SR-IOV VFs are active.

net/core/rtnetlink.c calls dev_num_vf(dev->dev.parent) to populate
IFLA_NUM_VF in RTM_GETLINK responses.  For a virtio-net device,
dev.parent points to the virtio_device, whose busis virtio_bus.
Without num_vf, SR-IOV VF information is silently
omitted from tools that rely on rtnetlink, such as 'ip link show'.

Add a num_vf callback that delegates to dev_num_vf(dev->parent),
which in turn reaches the underlying transport (pci_bus_type for
virtio-pci) where the actual VF count is tracked.  Non-PCI transports
are unaffected as dev_num_vf() returns 0 when no num_vf callback is
present.

Signed-off-by: Yui Washizu <yui.washidu@gmail.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <20260310061454.683894-1-yui.washidu@gmail.com>

4 weeks agofw_cfg: Add support for LoongArch architecture
Huacai Chen [Fri, 29 May 2026 14:05:59 +0000 (22:05 +0800)] 
fw_cfg: Add support for LoongArch architecture

Qemu fw_cfg support was missing for LoongArch, which made some functions
unusable in virtual machines. So add the missing LoongArch defines.

Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <20260529140559.1775511-1-chenhuacai@loongson.cn>

4 weeks agovdpa/octeon_ep: fix IRQ-to-ring mapping in interrupt handler
Srujana Challa [Tue, 24 Feb 2026 09:52:26 +0000 (15:22 +0530)] 
vdpa/octeon_ep: fix IRQ-to-ring mapping in interrupt handler

Look up the IRQ index in oct_hw->irqs instead of assuming
irq - irqs[0]. This supports non-contiguous IRQ numbers and
avoids incorrect ring indexing when irqs[0] is not the base.

Fixes: 26f8ce06af64 ("vdpa/octeon_ep: enable support for multiple interrupts per device")
Signed-off-by: Srujana Challa <schalla@marvell.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <20260224095226.1001151-5-schalla@marvell.com>

4 weeks agovdpa/octeon_ep: Add vDPA device event handling for firmware notifications
Vamsi Attunuru [Tue, 24 Feb 2026 09:52:25 +0000 (15:22 +0530)] 
vdpa/octeon_ep: Add vDPA device event handling for firmware notifications

Handle vDPA device add and remove events from Octeon firmware. Use
irq 0 for event delivery as device interrupts are multiplexed.

Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <20260224095226.1001151-4-schalla@marvell.com>

4 weeks agovdpa/octeon_ep: Use 4 bytes for mailbox signature
Vamsi Attunuru [Tue, 24 Feb 2026 09:52:24 +0000 (15:22 +0530)] 
vdpa/octeon_ep: Use 4 bytes for mailbox signature

The upper 4 bytes are reserved by the firmware for
storing meta data. Use only lower 4 bytes to update
the signature details.

Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <20260224095226.1001151-3-schalla@marvell.com>

4 weeks agovdpa/octeon_ep: Fix PF->VF mailbox data address calculation
Srujana Challa [Tue, 24 Feb 2026 09:52:23 +0000 (15:22 +0530)] 
vdpa/octeon_ep: Fix PF->VF mailbox data address calculation

The mailbox address was computed assuming 1 ring per VF. Read the
actual rings-per-VF from OCTEP_EPF_RINFO and use it when calculating
OCTEP_PF_MBOX_DATA offsets, fixing VF initialization when rings
per VF > 1.

Fixes: 8b6c724cdab8 ("virtio: vdpa: vDPA driver for Marvell OCTEON DPU devices")
Signed-off-by: Srujana Challa <schalla@marvell.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <20260224095226.1001151-2-schalla@marvell.com>

4 weeks agovhost_task_create: kill unnecessary .exit_signal initialization
Oleg Nesterov [Sun, 22 Mar 2026 15:19:55 +0000 (16:19 +0100)] 
vhost_task_create: kill unnecessary .exit_signal initialization

The only reason for this janitorial change is that this initialization
adds unnecessary noise to "git grep exit_signal".

args.exit_signal has no effect with CLONE_THREAD, not to mention it is
zero-initialized by the compiler anyway.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <acAIm732QPFZs15C@redhat.com>

4 weeks agovhost: remove unnecessary module_init/exit functions
Ethan Nelson-Moore [Sat, 31 Jan 2026 02:00:09 +0000 (18:00 -0800)] 
vhost: remove unnecessary module_init/exit functions

The vhost driver has unnecessary empty module_init and
module_exit functions. Remove them. Note that if a module_init function
exists, a module_exit function must also exist; otherwise, the module
cannot be unloaded.

Signed-off-by: Ethan Nelson-Moore <enelsonmoore@gmail.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <20260131020010.45647-1-enelsonmoore@gmail.com>

4 weeks agovdpa/mlx5: Use kvzalloc_flex() for MTT command memory
Rosen Penev [Fri, 8 May 2026 05:18:37 +0000 (22:18 -0700)] 
vdpa/mlx5: Use kvzalloc_flex() for MTT command memory

The create mkey command memory embeds the MTT array as a flexible array
member. Use kvzalloc_flex() to allocate it directly instead of open-coding
the struct_size() calculation with kvcalloc().

The MTT allocation still needs to be aligned to MLX5_VDPA_MTT_ALIGN bytes.
Since each MTT entry is __be64, align the entry count directly and avoid
carrying a separate byte length variable.

Assisted-by: Codex:GPT-5.5
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <20260508051837.1744409-1-rosenp@gmail.com>

4 weeks agovdpa_sim_net: switch to dynamic root device
Johan Hovold [Fri, 24 Apr 2026 10:47:03 +0000 (12:47 +0200)] 
vdpa_sim_net: switch to dynamic root device

Driver core expects devices to be dynamically allocated and will, for
example, complain loudly when no release function has been provided.

Use root_device_register() to allocate and register the root device
instead of open coding using a static device.

Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <20260424104703.2619093-3-johan@kernel.org>

4 weeks agovdpa_sim_blk: switch to dynamic root device
Johan Hovold [Fri, 24 Apr 2026 10:47:02 +0000 (12:47 +0200)] 
vdpa_sim_blk: switch to dynamic root device

Driver core expects devices to be dynamically allocated and will, for
example, complain loudly when no release function has been provided.

Use root_device_register() to allocate and register the root device
instead of open coding using a static device.

Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <20260424104703.2619093-2-johan@kernel.org>

4 weeks agovirtio-mem: Destroy mutex before freeing virtio_mem
Maurice Hieronymus [Sun, 23 Nov 2025 17:57:49 +0000 (18:57 +0100)] 
virtio-mem: Destroy mutex before freeing virtio_mem

Add a call to mutex_destroy in the error code path as well as in the
virtio_mem_remove code path.

Signed-off-by: Maurice Hieronymus <mhi@mailbox.org>
Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <20251123175750.445461-3-mhi@mailbox.org>

4 weeks agovirtio-balloon: Destroy mutex before freeing virtio_balloon
Maurice Hieronymus [Sun, 23 Nov 2025 17:57:48 +0000 (18:57 +0100)] 
virtio-balloon: Destroy mutex before freeing virtio_balloon

Add a call to mutex_destroy in the error code path as well as in the
virtballoon_remove code path.

Signed-off-by: Maurice Hieronymus <mhi@mailbox.org>
Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <20251123175750.445461-2-mhi@mailbox.org>

4 weeks agotools/virtio: fix build for kmalloc_obj API and missing stubs
Michael S. Tsirkin [Wed, 3 Jun 2026 20:33:28 +0000 (16:33 -0400)] 
tools/virtio: fix build for kmalloc_obj API and missing stubs

Add stubs for kmalloc_obj() and kmalloc_objs() to the tools/virtio
test harness, matching the new kernel allocator API. Also add the
DMA_ATTR_CPU_CACHE_CLEAN definition and include kernel.h from err.h
for the unlikely() macro.

Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <a0bd4b5bed56c49626c92a754d7aceab3325de25.1780520728.git.mst@redhat.com>

4 weeks agovirtio_ring: Add READ_ONCE annotations for device-writable fields
Alexander Graf [Sat, 31 Jan 2026 10:28:09 +0000 (11:28 +0100)] 
virtio_ring: Add READ_ONCE annotations for device-writable fields

KCSAN reports data races when accessing virtio ring fields that are
concurrently written by the device (host). These are legitimate
concurrent accesses where the CPU reads fields that the device updates
via DMA-like mechanisms.

Add accessor functions that use READ_ONCE() to properly annotate these
device-writable fields and prevent compiler optimizations that could in
theory break the code. This also serves as documentation showing which
fields are shared with the device.

The affected fields are:
- Split ring: used->idx, used->ring[].id, used->ring[].len
- Packed ring: desc[].flags, desc[].id, desc[].len

This patch was partially written using the help of Kiro, an
AI coding assistant, to automate the mechanical work of generating the
inline function definition.

Signed-off-by: Alexander Graf <graf@amazon.com>
[jth: Add READ_ONCE in virtqueue_kick_prepare_split ]
Co-developed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: Alexander Graf <graf@amazon.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <20260131102810.1254845-1-johannes.thumshirn@wdc.com>

4 weeks agovduse: fix compat handling for VDUSE_IOTLB_GET_FD/VDUSE_VQ_GET_INFO
Arnd Bergmann [Fri, 13 Feb 2026 15:40:46 +0000 (16:40 +0100)] 
vduse: fix compat handling for VDUSE_IOTLB_GET_FD/VDUSE_VQ_GET_INFO

These two ioctls are incompatible on 32-bit x86 userspace, because
the data structures are shorter than they are on 64-bit.

Add a proper .compat_ioctl handler for x86 that reads the structures
with the smaller padding before calling the internal handlers. On
all other architectures, CONFIG_COMPAT_FOR_U64_ALIGNMENT is disabled
and no special handling is required.

Fixes: ad146355bfad ("vduse: Support querying information of IOVA regions")
Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
Acked-by: Eugenio Pérez <eperezma@redhat.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <20260213154051.4172275-1-arnd@kernel.org>

4 weeks agotools/virtio: check mmap return value in vringh_test
longlong yan [Fri, 5 Jun 2026 02:14:45 +0000 (10:14 +0800)] 
tools/virtio: check mmap return value in vringh_test

In parallel_test(), the return values of mmap() for both host_map and
guest_map are not checked against MAP_FAILED. If mmap() fails, the
subsequent code will dereference the invalid pointer, leading to a
segmentation fault.

Add MAP_FAILED checks after both mmap() calls, using err() to report
the error and exit, consistent with the existing error handling style
in this file (e.g., the open() call on line 149).

Fixes: 1515c5ce26ae ("tools/virtio: add vring_test.")
Signed-off-by: longlong yan <yanlonglong@kylinos.cn>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <20260605021446.1611-1-yanlonglong@kylinos.cn>

4 weeks agovhost/net: complete zerocopy ubufs only once
Qing Ming [Mon, 1 Jun 2026 10:43:00 +0000 (18:43 +0800)] 
vhost/net: complete zerocopy ubufs only once

vhost-net initializes one ubuf_info per outstanding zerocopy TX
descriptor and hands it to the backend socket.  The networking stack may
then clone a zerocopy skb before all skb references are released.  For
example, batman-adv fragmentation reaches skb_split(), which calls
skb_zerocopy_clone() and increments the same ubuf_info refcount.

vhost_zerocopy_complete() currently treats every ubuf callback as a
completed vhost descriptor.  It dereferences ubuf->ctx, writes the
descriptor completion state, and drops the vhost_net_ubuf_ref even when
the callback only releases a cloned skb reference.  A backend reset can
therefore wait for and free the vhost_net_ubuf_ref while another cloned
skb still carries the same ubuf_info.  A later completion then
dereferences the freed ubufs pointer.

KASAN reports the stale completion as:

  BUG: KASAN: slab-use-after-free in vhost_zerocopy_complete+0x1d7/0x1f0
  BUG: KASAN: slab-use-after-free in vhost_zerocopy_complete+0x101/0x1f0
  vhost_zerocopy_complete
  skb_copy_ubufs
  __dev_forward_skb2
  veth_xmit

The freed object was allocated from vhost_net_ioctl() while setting the
backend and freed through kfree_rcu()/kvfree_rcu_bulk after backend
removal, while delayed skb completion still reached
vhost_zerocopy_complete().

Honor the generic ubuf_info refcount before touching vhost state, and run
the vhost descriptor completion only for the final ubuf reference.  This
matches the msg_zerocopy_complete() ownership rule for cloned zerocopy
skbs.

Fixes: bab632d69ee4 ("vhost: vhost TX zero-copy support")
Signed-off-by: Qing Ming <a0yami@mailbox.org>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <20260601104300.197210-1-a0yami@mailbox.org>

4 weeks agoVDUSE: avoid leaking information to userspace
Jason Wang [Fri, 30 Jan 2026 05:07:50 +0000 (13:07 +0800)] 
VDUSE: avoid leaking information to userspace

The bounceing is not necessarily page aligned, so current VDUSE can
leak kernel information through mapping bounce pages to
userspace. Allocate bounce pages with __GFP_ZERO to avoid leaking
information to userspace.

Fixes: 8c773d53fb7b ("vduse: Implement an MMU-based software IOTLB")
Cc: stable@vger.kernel.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Xie Yongji <xieyongji@bytedance.com>
Reviewed-by: Eugenio Pérez <eperezma@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <20260130050750.4050-1-jasowang@redhat.com>

4 weeks agovduse: Fix race in vduse_dev_msg_sync and vduse_dev_read_iter
Zhang Tianci [Thu, 26 Feb 2026 11:55:50 +0000 (19:55 +0800)] 
vduse: Fix race in vduse_dev_msg_sync and vduse_dev_read_iter

There is one race case in vduse_dev_msg_sync and vduse_dev_read_iter:

vduse_dev_read_iter():
    lock(msg_lock);
    dequeue_msg(send_list);
    unlock(msg_lock);
vduse_dev_msg_sync():
    wait_timeout() finish
    lock(msg_lock);
    check msg->complete is false
        list_del(msg);   <- double list_del() crash!

To fix this case, we shall ensure vduse_msg is on send_list or recv_list
outside the msg_lock critical section.

Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
Cc: stable@vger.kernel.org
Signed-off-by: Zhang Tianci <zhangtianci.1997@bytedance.com>
Reviewed-by: Xie Yongji <xieyongji@bytedance.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Acked-by: Eugenio Pérez <eperezma@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <20260226115550.1814-3-zhangtianci.1997@bytedance.com>

4 weeks agovduse: Requeue failed read to send_list head
Zhang Tianci [Thu, 26 Feb 2026 11:55:49 +0000 (19:55 +0800)] 
vduse: Requeue failed read to send_list head

When copy_to_iter() fails in vduse_dev_read_iter(), put the message back
at the head of send_list to preserve FIFO ordering and retry the oldest
pending request first.

Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Suggested-by: Xie Yongji <xieyongji@bytedance.com>
Signed-off-by: Zhang Tianci <zhangtianci.1997@bytedance.com>
Reviewed-by: Xie Yongji <xieyongji@bytedance.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Acked-by: Eugenio Pérez <eperezma@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <20260226115550.1814-2-zhangtianci.1997@bytedance.com>