]> git.ipfire.org Git - thirdparty/kernel/linux.git/log
thirdparty/kernel/linux.git
8 weeks agowifi: mac80211_hwsim: move timestamp writing later in the datapath
Benjamin Berg [Mon, 4 May 2026 07:20:52 +0000 (10:20 +0300)] 
wifi: mac80211_hwsim: move timestamp writing later in the datapath

By delegating writing the timestamp into beacons and probe responses, we
can remove the abs_bcn_ts from the global data and still avoid any time
offset issues. This also seems conceptually closer to "real" hardware
where the timestamp will be written late in the TX path.

Move sending the SKB to the monitor interface to happen later, so that
the frame timestamp has the value filled in by mac80211_hwsim.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20260504101829.ad4d77d85e0d.I86810bbbf9b171acc6dbf07f9904ce1686b5167a@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
8 weeks agowifi: mac80211_hwsim: rename and switch simulation time to boottime
Benjamin Berg [Mon, 4 May 2026 07:20:51 +0000 (10:20 +0300)] 
wifi: mac80211_hwsim: rename and switch simulation time to boottime

The mac80211_hwsim base time for the simulation of the TSF was based on
the real time of the system. This clock is subject to unexpected
changes. Switch it to use boottime which is always monotonic and also
continues to run through times where the system is suspended.

Also change the function name from tsf_raw to sim_tsf to better
differentiate between the TSF of the mac and the TSF base of the
simulation.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20260504101829.2a64333111ff.I2ef047f3cdd6dc52af4bb7bf747368fb78014f18@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
8 weeks agowifi: mac80211_hwsim: split NAN handling into separate file
Benjamin Berg [Mon, 4 May 2026 07:20:50 +0000 (10:20 +0300)] 
wifi: mac80211_hwsim: split NAN handling into separate file

Having everything in one file for mac80211_hwsim is starting to get a
lot and it will be even worse if we implement more parts of NAN. Split
the NAN implementation into separate files to improve the code
structuring.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20260504101829.541371b35f02.I9484d746286eb2ab71ac987dfb907497d213c2bb@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
8 weeks agowifi: mac80211_hwsim: move NAN related variables into a struct
Benjamin Berg [Mon, 4 May 2026 07:20:49 +0000 (10:20 +0300)] 
wifi: mac80211_hwsim: move NAN related variables into a struct

Move it all into a common struct to better segment the code.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20260504101829.56feb1563479.Ia82f11ae5cbd0ac02b3697d010489d5a93906d40@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
8 weeks agowifi: mac80211_hwsim: remove unused nan_vif struct member
Benjamin Berg [Mon, 4 May 2026 07:20:48 +0000 (10:20 +0300)] 
wifi: mac80211_hwsim: remove unused nan_vif struct member

The struct also contains nan_device_vif and that is the member that is
being used.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20260504101829.b09e2428aa61.I35d3eae582461af7ee25c63c56b13adff17cf20f@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
8 weeks agowifi: mac80211: add NAN channel evacuation support
Miri Korenblit [Mon, 4 May 2026 07:20:47 +0000 (10:20 +0300)] 
wifi: mac80211: add NAN channel evacuation support

A NAN channel can be evacuated, i.e. detached from its chanctx, if all
chanctxs are used by NAN and a chanctx is needed for something else.
For example if the STA interface needs to perform a channel switch.

Implement the evacuation: detach the NAN channel from its chanctx, remove
all the peer NAN channels that were using this chanctx, and update the
driver.

Internally, the NAN channel evacuation will be triggered in the scenario
described above, and API is provided for the driver to also trigger it.

The driver/device is assumed to publish a ULW to notify the peers about
the fact that we won't be present on this NAN channel anymore.

Also export this as an API for the drivers: if a driver has other
resources per channel, it might want to trigger channel evacuation in
order to free up such internal resources for other usages.

Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20260504101829.1e1dc40d2f3e.I003fe84dc6373bb9ad55abd7824b9fc21c51203f@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
8 weeks agowifi: mac80211: avoid out-of-bounds access in monitor
Miri Korenblit [Mon, 4 May 2026 07:20:46 +0000 (10:20 +0300)] 
wifi: mac80211: avoid out-of-bounds access in monitor

In NAN, we don't know on what band the frame will be sent. Therefore we
set info->band to NUM_NL80211_BANDS. However, this leads to out-of-bound
access in ieee80211_add_tx_radiotap_header when we try to access the
sbands array.

Fix it by not accessing the array if the band is NUM_NL80211_BANDS.
This means that we will not report rate info for legacy rate in NAN.
But nobody really cares about it.

Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20260504101829.346c9893d136.I15919027597c04ec35c6217db6e52e2a605e5cfc@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
8 weeks agowifi: mac80211: Fix a kernel panic in ieee80211_encrypt_tx_skb()
Andrei Otcheretianski [Mon, 4 May 2026 07:20:45 +0000 (10:20 +0300)] 
wifi: mac80211: Fix a kernel panic in ieee80211_encrypt_tx_skb()

skb->dev may be NULL for frames on non-netdev devices. For example, NAN
device frames after pairing. Fix it.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20260504072055.1292999-2-miriam.rachel.korenblit@intel.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
8 weeks agowifi: mac80211: Allow setting MAC address on interface creation
Ilan Peer [Mon, 4 May 2026 07:20:44 +0000 (10:20 +0300)] 
wifi: mac80211: Allow setting MAC address on interface creation

Allow setting the interface MAC address for NAN Device interfaces
and P2P Device interfaces on interface creation.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20260504101829.d268b245037b.I351e16270c34ee734fed98da25db848211ab7cc2@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
8 weeks agowifi: mac80211: accept protected frames for NAN device
Avraham Stern [Mon, 4 May 2026 07:20:43 +0000 (10:20 +0300)] 
wifi: mac80211: accept protected frames for NAN device

Some frames sent to the NAN device may be protected, such as
protected action frames (in particular protected dual of
public action).

Accept robust management frames except disassoc on the NAN
device, and clean up the code a little bit.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20260504101829.1900c926c2e8.Ia25b2e82b250058fefa179c39327d9c8b3c3cd62@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
8 weeks agowifi: mac80211: allow userspace TX/RX over NAN Data interfaces
Ilan Peer [Mon, 4 May 2026 07:20:42 +0000 (10:20 +0300)] 
wifi: mac80211: allow userspace TX/RX over NAN Data interfaces

Allow TX/RX of action frames (for NAN action frames) over
NAN Data interfaces to support cases where there's a secure
NDP and NAFs may be exchanged over that.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20260504101829.4ac207c60ebb.Ic4b1c90552497b7ff2616651a408e5fe8bde7b99@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
8 weeks agowifi: mac80211: track the id of the NAN cluster we joined
Miri Korenblit [Mon, 4 May 2026 07:20:41 +0000 (10:20 +0300)] 
wifi: mac80211: track the id of the NAN cluster we joined

Currently, we store in nan.conf the cluster id that was configured from
upper layer to be used when the device opens a cluster.
But after we joined a cluster, the configured cluster id is no longer
relevant. Particularly, in reconfig we will give the driver the
(possibly) wrong cluster id.

Add an API to be called by the driver when joined a cluster
in which the cluster id will be updated.
Use the locally stored cluster id instead of cfg80211's copy.

Ignore cluster id updates from cfg80211 if we already have one
configured.

Adjust the drivers that use the cfg80211 API
(cfg80211_nan_cluster_joined) directly, otherwise we break functionality
(i.e. accept frame check won't evaluate to true).

Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20260504101829.5dada1b756a4.I0f1060215267fd8aef31afd99f8f42e6fde7f234@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
8 weeks agowifi: mac80211: set assoc_encrypted for EPP associations
Kavita Kavita [Mon, 4 May 2026 12:36:24 +0000 (18:06 +0530)] 
wifi: mac80211: set assoc_encrypted for EPP associations

Populate the assoc_encrypted field in cfg80211_rx_assoc_resp_data
for mac80211-based drivers to indicate that the entire (re)association
exchange was encrypted.

When epp_peer is set, mac80211 enforces that unprotected
(Re)Association Request/Response frames are dropped. This ensures that
by the time the (Re)Association Response is processed, the entire
exchange was transmitted encrypted over the air.

Add support to populate assoc_encrypted based on epp_peer flag.

Signed-off-by: Kavita Kavita <kavita.kavita@oss.qualcomm.com>
Link: https://patch.msgid.link/20260504123624.529218-3-kavita.kavita@oss.qualcomm.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
8 weeks agowifi: cfg80211: indicate (Re)Association frame encryption to userspace
Kavita Kavita [Mon, 4 May 2026 12:36:23 +0000 (18:06 +0530)] 
wifi: cfg80211: indicate (Re)Association frame encryption to userspace

In SME-in-driver mode, the driver handles the entire (re)association
exchange. Userspace (e.g., wpa_supplicant) currently has no explicit
indication of whether the (re)association exchange was encrypted,
making it difficult to distinguish EPP (Enhanced Privacy Protection,
IEEE 802.11bi) associations from non-EPP associations.

When (Re)Association frame encryption is used, the (Re)Association
Response frame must contain a Key Delivery element as specified in
IEEE P802.11bi/D4.0, Table 9-65. Userspace must process this element
only when the (Re)Association Response frame is actually encrypted.
Processing it unconditionally for unencrypted frames leads to incorrect
behavior. Without an explicit indication from the driver, userspace
cannot determine whether encryption was used and whether the Key
Delivery element is valid.

Add a new flag attribute NL80211_ATTR_ASSOC_ENCRYPTED and a
corresponding field "assoc_encrypted" in cfg80211_connect_resp_params
to indicate that both the (Re)Association Request and Response frames
are transmitted encrypted over the air.

For mac80211-based drivers, extend cfg80211_rx_assoc_resp_data with
the assoc_encrypted field as well, which is then propagated to
cfg80211_connect_resp_params.

Pass the flag to userspace via NL80211_CMD_CONNECT event.

Signed-off-by: Kavita Kavita <kavita.kavita@oss.qualcomm.com>
Link: https://patch.msgid.link/20260504123624.529218-2-kavita.kavita@oss.qualcomm.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
8 weeks agowifi: cfg80211: fix max_channel_switch_time documentation unit
Israel Kozitz [Mon, 4 May 2026 09:17:40 +0000 (12:17 +0300)] 
wifi: cfg80211: fix max_channel_switch_time documentation unit

The max_channel_switch_time field in struct wiphy_nan_capa was documented
as being in milliseconds, but it is actually in microseconds as defined
in the Wi-Fi Aware specification and as indicated in the nl80211
NL80211_NAN_CAPA_MAX_CHANNEL_SWITCH_TIME attribute.

Fix the documentation to say microseconds.

Signed-off-by: Israel Kozitz <israel.kozitz@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20260504121734.d0a0152f7d8c.I47e5c91f7ead4f8006fb13f9194d95a55cf9c398@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
8 weeks agomedia: platform: cros-ec: Add Kulnex and Moxoe to the match table
Ken Lin [Thu, 2 Apr 2026 07:50:08 +0000 (15:50 +0800)] 
media: platform: cros-ec: Add Kulnex and Moxoe to the match table

The Google Kulnex and Moxoe device uses the same approach as Google Brask
which enables the HDMI CEC via the cros-ec-cec driver.

Signed-off-by: Ken Lin <kenlin5@quanta.corp-partner.google.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
8 weeks agomedia: mgb4: Fix DV timings limits
Martin Tůma [Wed, 25 Mar 2026 12:01:18 +0000 (13:01 +0100)] 
media: mgb4: Fix DV timings limits

Provide the real DV timings limits in VIDIOC_DV_TIMINGS_CAP. For the
outputs the pixelclock is limited by the CMT table <25000kHz, 2*94642kHz>,
for the inputs a slightly broader range is possible. The minimal
supported/tested resolution is 64px.

Signed-off-by: Martin Tůma <martin.tuma@digiteqautomotive.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
8 weeks agodrm/panel: simple: Add Displaytech DT050BTFT-PTS panel
Marek Vasut [Wed, 22 Apr 2026 21:07:25 +0000 (23:07 +0200)] 
drm/panel: simple: Add Displaytech DT050BTFT-PTS panel

Add support for the Displaytech DT050BTFT-PTS 5.0" (800x480) color TFT
LCD panel, connected over DPI. Timings are taken from the datasheet
from 16 Nov 2023 is available from Seacomp:

https://www.seacomp.com/sites/default/files/datasheets/DT050BTFT-Displaytech-Spec.pdf

Signed-off-by: Marek Vasut <marex@nabladev.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patch.msgid.link/20260422210806.80948-3-marex@nabladev.com
8 weeks agodt-bindings: display: simple: Document Displaytech DT050BTFT-PTS panel
Marek Vasut [Wed, 22 Apr 2026 21:07:24 +0000 (23:07 +0200)] 
dt-bindings: display: simple: Document Displaytech DT050BTFT-PTS panel

Document the Displaytech DT050BTFT-PTS 5.0" (800x480) color TFT LCD
panel, connected over DPI. The datasheet from 16 Nov 2023 is available
from Seacomp:

https://www.seacomp.com/sites/default/files/datasheets/DT050BTFT-Displaytech-Spec.pdf

Signed-off-by: Marek Vasut <marex@nabladev.com>
Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patch.msgid.link/20260422210806.80948-2-marex@nabladev.com
8 weeks agodt-bindings: vendor-prefixes: Add Displaytech Ltd.
Marek Vasut [Wed, 22 Apr 2026 21:07:23 +0000 (23:07 +0200)] 
dt-bindings: vendor-prefixes: Add Displaytech Ltd.

Add "displaytech" vendor prefix for Displaytech Ltd. .

Signed-off-by: Marek Vasut <marex@nabladev.com>
Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patch.msgid.link/20260422210806.80948-1-marex@nabladev.com
8 weeks agodrm/panel: simple: Add Team Source Display TST070WSBE-196C panel
William Bright [Tue, 28 Apr 2026 15:17:25 +0000 (16:17 +0100)] 
drm/panel: simple: Add Team Source Display TST070WSBE-196C panel

Add a dedicated panel driver for the Team Source Display
TST070WSBE-196C, a 7" 1024x600 MIPI-DSI TFT LCD panel
using an EK79007AD controller.

The DSI timings were calculated using
"linux-mdss-dsi-panel-driver-generator" [1], reading the downstream
file "dsi-panel-imdt-tst070wsbe165c-video.dtsi" [2].

[1] https://github.com/msm8916-mainline/linux-mdss-dsi-panel-driver-generator
[2] https://raw.githubusercontent.com/imd-tec/meta-imdt-qcom/refs/heads/kirkstone/recipes-display/displaydevicetree/displaydevicetree/0001-Initial-bringup-of-IMDT-Display-3.patch

Signed-off-by: William Bright <william.bright@imd-tec.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patch.msgid.link/20260428-imdt-dsi-display-v2-2-cf7294b5d7d6@imd-tec.com
8 weeks agodt-bindings: panel-simple-dsi: Add Team Source Display TST070WSNE-196C
William Bright [Tue, 28 Apr 2026 15:17:24 +0000 (16:17 +0100)] 
dt-bindings: panel-simple-dsi: Add Team Source Display TST070WSNE-196C

Add device tree binding documentation for the Team Source Display
TST070WSBE-196C, a 7" 1024x600 MIPI-DSI TFT LCD panel
using an EK79007AD controller.

Signed-off-by: William Bright <william.bright@imd-tec.com>
Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patch.msgid.link/20260428-imdt-dsi-display-v2-1-cf7294b5d7d6@imd-tec.com
8 weeks agoALSA: usb-audio: simplify mixer control name handling
Thorsten Blum [Mon, 4 May 2026 21:20:10 +0000 (23:20 +0200)] 
ALSA: usb-audio: simplify mixer control name handling

In get_term_name(), remove hard-coded return values and a strlen() call,
and return the number of bytes copied by strscpy() directly.

Since get_term_name() may now return -E2BIG on string truncation, check
name_len < 0 and return early from get_connector_control_name() if
needed. Also replace strlcat() with strscpy().

Other get_term_name() callers only check the return value for non-zero
and are not affected by this change.

Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Link: https://patch.msgid.link/20260504212008.147373-4-thorsten.blum@linux.dev
Signed-off-by: Takashi Iwai <tiwai@suse.de>
8 weeks agodrm/panel: Add panel driver for ChipWealth CH13726A based panels
Teguh Sobirin [Mon, 27 Apr 2026 04:39:38 +0000 (23:39 -0500)] 
drm/panel: Add panel driver for ChipWealth CH13726A based panels

This is used by the AYN Thor for the bottom panel.

Signed-off-by: Teguh Sobirin <teguh@sobir.in>
Co-developed-by: Aaron Kling <webgeek1234@gmail.com>
Signed-off-by: Aaron Kling <webgeek1234@gmail.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patch.msgid.link/20260426-ch13726a-v7-2-554247c569e5@gmail.com
8 weeks agodt-bindings: display: panel: Add ChipWealth CH13726A AMOLED driver
Aaron Kling [Mon, 27 Apr 2026 04:39:37 +0000 (23:39 -0500)] 
dt-bindings: display: panel: Add ChipWealth CH13726A AMOLED driver

The Chip Wealth Technology CH13726A AMOLED driver is a single chip
solution for MIPI-DSI. This is used for the AYN Thor bottom panel.

Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Signed-off-by: Aaron Kling <webgeek1234@gmail.com>
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patch.msgid.link/20260426-ch13726a-v7-1-554247c569e5@gmail.com
8 weeks agodrm/panel: simple: Add Startek KD070HDFLD092 LVDS panel support
Stefan Kerkmann [Tue, 7 Apr 2026 09:31:17 +0000 (11:31 +0200)] 
drm/panel: simple: Add Startek KD070HDFLD092 LVDS panel support

The Startek KD070HDFLD092 is a 7" WSVGA LVDS panel.

Signed-off-by: Stefan Kerkmann <s.kerkmann@pengutronix.de>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patch.msgid.link/20260407-panel-simple-startek-upstream-v1-2-76721696655f@pengutronix.de
8 weeks agodt-bindings: display: simple: Add Startek KD070HDFLD092 panel
Stefan Kerkmann [Tue, 7 Apr 2026 09:31:16 +0000 (11:31 +0200)] 
dt-bindings: display: simple: Add Startek KD070HDFLD092 panel

Add Startek KD070HDFLD092 7" WSVGA LVDS panel compatible.

Signed-off-by: Stefan Kerkmann <s.kerkmann@pengutronix.de>
Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patch.msgid.link/20260407-panel-simple-startek-upstream-v1-1-76721696655f@pengutronix.de
8 weeks agowifi: libertas: notify firmware load wait on disconnect
Jakov Novak [Mon, 4 May 2026 16:23:57 +0000 (18:23 +0200)] 
wifi: libertas: notify firmware load wait on disconnect

Currently, when the firmware is not fully loaded and if_usb_disconnect
is called, if_usb_prog_firmware gets stuck waiting for
cardp->surprise_removed or cardp->fwdnldover while lbs_remove_card
also waits for the firmware loading to be completed, which never happens.
This caused the reported syzbot bug. To address this, the wake_up
function call can be added in the if_usb_disconnect function which notifies
the if_usb_prog_firmware thread and resolves the firmware loading.

Fixes: 954ee164f4f4 ("[PATCH] libertas: reorganize and simplify init sequence")
Reported-and-tested-by: syzbot+c99d17aa44dbdba16ad2@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c99d17aa44dbdba16ad2
Signed-off-by: Jakov Novak <jakovnovak30@gmail.com>
Link: https://patch.msgid.link/20260504162356.17250-2-jakovnovak30@gmail.com
[fix subject]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
8 weeks agoriscv: dts: spacemit: define a SPI controller node
Alex Elder [Sun, 3 May 2026 01:30:53 +0000 (21:30 -0400)] 
riscv: dts: spacemit: define a SPI controller node

Define a node for the fourth SoC SPI controller (number 3) on the
SpacemiT K1 SoC.

Enable it on the Banana Pi BPI-F3 board, which exposes this feature
via its GPIO block:
  GPIO PIN 19:  MOSI
  GPIO PIN 21:  MISO
  GPIO PIN 23:  SCLK
  GPIO PIN 24:  SS (inverted)

Define pincontrol configurations for the pins as used on that board.

(This was tested using a GigaDevice GD25Q64E SPI NOR chip.)

Reviewed-by: Yixun Lan <dlan@gentoo.org>
Signed-off-by: Alex Elder <elder@riscstar.com>
Signed-off-by: Guodong Xu <guodong@riscstar.com>
Link: https://lore.kernel.org/r/20260502-spi-spacemit-k1-v10-3-f412e1ae8a34@riscstar.com
Signed-off-by: Yixun Lan <dlan@kernel.org>
8 weeks agodrm/panel: Add driver for Novatek NT35532
Cristian Cozzolino [Tue, 31 Mar 2026 09:47:10 +0000 (11:47 +0200)] 
drm/panel: Add driver for Novatek NT35532

Add support for Novatek NT35532-based 1080p video mode DSI panel.

Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Cristian Cozzolino <cristian_ci@protonmail.com>
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patch.msgid.link/20260331-rimob-new-features-v5-2-5fcf42a29c12@protonmail.com
8 weeks agodt-bindings: display: panel: Add Novatek NT35532 LCD DSI
Cristian Cozzolino [Tue, 31 Mar 2026 09:47:09 +0000 (11:47 +0200)] 
dt-bindings: display: panel: Add Novatek NT35532 LCD DSI

Document Novatek NT35532-based DSI display panel.
Since it's not possible to identify panel vendor nor id, add a suitable
compatible (matching the device's user, which makes use of this DDIC)
and set "novatek,nt35532" as fallback.

Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Signed-off-by: Cristian Cozzolino <cristian_ci@protonmail.com>
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patch.msgid.link/20260331-rimob-new-features-v5-1-5fcf42a29c12@protonmail.com
8 weeks agoriscv: dts: microchip: add gpio line names on beaglev-fire
Conor Dooley [Thu, 5 Mar 2026 10:31:05 +0000 (10:31 +0000)] 
riscv: dts: microchip: add gpio line names on beaglev-fire

GPIO controller 2 has the gpio-line-names property, but the two other
controllers do not. Add the property for these controllers too.

Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
8 weeks agoriscv: dts: microchip: add adc interrupt on beaglev-fire
Conor Dooley [Thu, 5 Mar 2026 10:27:14 +0000 (10:27 +0000)] 
riscv: dts: microchip: add adc interrupt on beaglev-fire

The mcp3464r on the beaglev-fire has its interrupt wired up, but not
present in the devicetree. Add it.

Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
8 weeks agoriscv: dts: microchip: clean up beaglev-fire regulator node names
Conor Dooley [Thu, 5 Mar 2026 10:12:12 +0000 (10:12 +0000)] 
riscv: dts: microchip: clean up beaglev-fire regulator node names

Recently the binding for regulator-fixed introduced preferred naming, in
the regulator-XvY format. Change the existing regulators to match this
pattern.

Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
8 weeks agoriscv: dts: microchip: remove gpio hogs from beaglev-fire
Conor Dooley [Thu, 5 Mar 2026 10:30:03 +0000 (10:30 +0000)] 
riscv: dts: microchip: remove gpio hogs from beaglev-fire

sd-det-hog should be cd-gpios, but when the mmc-spi-slot was added, the
"cd-" prefix was omitted and the collision with the hog was not noticed.

vio-enable-hog is just a regulator that can be modelled as such.

Fixes: 1088d49b62648 ("riscv: dts: microchip: enable qspi adc/mmc-spi-slot on BeagleV Fire")
Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
8 weeks agoriscv: dts: microchip: gpio controllers on mpfs need 2 interrupt cells
Conor Dooley [Thu, 19 Mar 2026 16:26:35 +0000 (16:26 +0000)] 
riscv: dts: microchip: gpio controllers on mpfs need 2 interrupt cells

The platform has variable interrupt types for GPIO interrupts, in
addition to having multiple lines per GPIO controller. Two interrupt
cells are required.

Fixes: 528a5b1f2556d ("riscv: dts: microchip: add new peripherals to icicle kit device tree")
Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
8 weeks agoriscv: dts: microchip: sort pic64gx i2c nodes alphanumerically
Conor Dooley [Tue, 7 Apr 2026 15:36:25 +0000 (16:36 +0100)] 
riscv: dts: microchip: sort pic64gx i2c nodes alphanumerically

The i2c nodes are out of place, sort them where they should be.

Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
8 weeks agoriscv: dts: microchip: update pic64gx gpio interrupts to better match the SoC
Conor Dooley [Tue, 7 Apr 2026 15:36:24 +0000 (16:36 +0100)] 
riscv: dts: microchip: update pic64gx gpio interrupts to better match the SoC

Just like PolarFire SoC, the same issues with GPIO interrupts exist in
the pic64gx, due to their similarity. Yoinking from the commit message
for the same change for PolarFire SoC:

There are 3 GPIO controllers on this SoC, of which:
- GPIO controller 0 has 14 GPIOs
- GPIO controller 1 has 24 GPIOs
- GPIO controller 2 has 32 GPIOs

All GPIOs are capable of generating interrupts, for a total of 70.
There are only 41 IRQs available however, so a configurable mux is used
to ensure all GPIOs can be used for interrupt generation.
38 of the 41 interrupts are in what the documentation calls "direct
mode", as they provide an exclusive connection from a GPIO to the PLIC.
The 3 remaining interrupts are used to mux the interrupts which do not
have a exclusive connection, one for each GPIO controller.

The mux was overlooked when the bindings and driver were originally
written for the GPIO controllers on Polarfire SoC, and the interrupts
property in the GPIO nodes used to try and convey what the mapping was.
Instead, the mux should be a device in its own right, and the GPIO
controllers should be connected to it, rather than to the PLIC.
Now that a binding exists for that mux, fix the inaccurate description
of the interrupt controller hierarchy.

Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
8 weeks agoriscv: dts: microchip: add tsu clock to macb on pic64gx
Conor Dooley [Tue, 7 Apr 2026 15:36:23 +0000 (16:36 +0100)] 
riscv: dts: microchip: add tsu clock to macb on pic64gx

In increment mode, the tsu clock for the macb is provided separately to
the pck, usually the same clock as the reference to the rtc provided by
an off-chip oscillator. pclk is 150 MHz typically, and the reference is
either 100 MHz or 125 MHz, so having the tsu clock is required for
correct rate selection.

Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
8 weeks agodrm/etnaviv: Fix armed job not being pushed to the DRM scheduler
Maíra Canal [Thu, 2 Apr 2026 19:32:35 +0000 (16:32 -0300)] 
drm/etnaviv: Fix armed job not being pushed to the DRM scheduler

When xa_alloc_cyclic() failed in etnaviv_sched_push_job(), the error
path skipped drm_sched_entity_push_job(). This is a violation of the DRM
scheduler contract, as once a job has been armed with drm_sched_job_arm(),
it must be pushed with drm_sched_entity_push_job(). From the DRM
scheduler documentation,

"""
drm_sched_job_arm() is a point of no return since it initializes the
fences and their sequence number etc. Once that function has been called,
you *must* submit it with drm_sched_entity_push_job() and cannot simply
abort it by calling drm_sched_job_cleanup().
"""

Fix this by splitting the fence ID allocation into two phases: first,
alloc an xarray slot before arming the job (which can fail), then fill in
the actual fence with xa_store() after arming. This way, allocation
failures are handled before the job is armed, and once armed, the job is
always pushed to the scheduler.

This also fixes a double call to drm_sched_job_cleanup(), as both
etnaviv_sched_push_job() and its caller would call it on failure.

Fixes: 764be12345c3 ("drm/etnaviv: convert user fence tracking to XArray")
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Link: https://patch.msgid.link/20260402193424.2023318-1-mcanal@igalia.com
Signed-off-by: Christian Gmeiner <cgmeiner@igalia.com>
8 weeks agonfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc()
Lee Jones [Wed, 29 Apr 2026 13:40:42 +0000 (13:40 +0000)] 
nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc()

A race condition exists in the NFC LLCP connection state machine where
the connection acceptance packet (CC) can be processed concurrently with
socket release.  This can lead to a use-after-free of the socket object.

When nfc_llcp_recv_cc() moves the socket from the connecting_sockets
list to the sockets list, it does so without holding the socket lock.
If llcp_sock_release() is executing concurrently, it might have already
unlinked the socket and dropped its references, which can result in
nfc_llcp_recv_cc() linking a freed socket into the live list.

Fix this by holding lock_sock() during the state transition and list
movement in nfc_llcp_recv_cc().  After acquiring the lock, check if
the socket is still hashed to ensure it hasn't already been unlinked
and marked for destruction by the release path.  This aligns the locking
pattern with recv_hdlc() and recv_disc().

Fixes: a69f32af86e3 ("NFC: Socket linked list")
Signed-off-by: Lee Jones <lee@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260429134115.3558604-2-lee@kernel.org
Signed-off-by: David Heidelberg <david@ixit.cz>
8 weeks agonfc: llcp: Fix use-after-free in llcp_sock_release()
Lee Jones [Wed, 29 Apr 2026 13:40:41 +0000 (13:40 +0000)] 
nfc: llcp: Fix use-after-free in llcp_sock_release()

llcp_sock_release() unconditionally unlinks the socket from the local
sockets list.  However, if the socket is still in connecting state, it
is on the connecting list.

Fix this by checking the socket state and unlinking from the correct list.

Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections")
Signed-off-by: Lee Jones <lee@kernel.org>
Link: https://patch.msgid.link/20260429134115.3558604-1-lee@kernel.org
Signed-off-by: David Heidelberg <david@ixit.cz>
8 weeks agopinctrl: qcom: add the TLMM driver for the Nord platforms
Bartosz Golaszewski [Mon, 4 May 2026 10:07:26 +0000 (12:07 +0200)] 
pinctrl: qcom: add the TLMM driver for the Nord platforms

Add support for the TLMM controller on the Qualcomm Nord platform.

Co-developed-by: Shawn Guo <shengchao.guo@oss.qualcomm.com>
Signed-off-by: Shawn Guo <shengchao.guo@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Maulik Shah <maulik.shah@oss.qualcomm.com>
Reviewed-by: Pankaj Patil <pankaj.patil@oss.qualcomm.com>
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
8 weeks agodt-bindings: pinctrl: describe the Qualcomm nord-tlmm
Bartosz Golaszewski [Mon, 4 May 2026 10:07:25 +0000 (12:07 +0200)] 
dt-bindings: pinctrl: describe the Qualcomm nord-tlmm

Add a DT binding document describing the TLMM pin controller available
on the Nord platforms from Qualcomm.

Co-developed-by: Shawn Guo <shengchao.guo@oss.qualcomm.com>
Signed-off-by: Shawn Guo <shengchao.guo@oss.qualcomm.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
8 weeks agopinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150
Maulik Shah [Tue, 28 Apr 2026 12:14:58 +0000 (17:44 +0530)] 
pinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150

PDC interrupts 122-125 were meant for ibi_i3c wakeup but sm8150 do not
support i3c. GPIOs 39,51,88 and 144 are also connected to different PDC
pin and already reflected in the wake irq map.

Remove the unsupported wakeup interrupts from the map.

Fixes: 90337380c809 ("pinctrl: qcom: sm8150: Specify PDC map")
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Signed-off-by: Maulik Shah <maulik.shah@oss.qualcomm.com>
Signed-off-by: Navya Malempati <navya.malempati@oss.qualcomm.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
8 weeks agopinctrl: sunxi: fix regulator leak in sunxi_pmx_request() error path
Felix Gu [Mon, 4 May 2026 14:53:26 +0000 (22:53 +0800)] 
pinctrl: sunxi: fix regulator leak in sunxi_pmx_request() error path

In the error path of sunxi_pmx_request(), the code calls
regulator_put(s_reg->regulator) to release the regulator. However,
s_reg->regulator is only assigned after a successful regulator_enable().
This causes a memory leak: the regulator obtained via regulator_get()
is never properly released when regulator_enable() fails.

Fixes: dc1445584177 ("pinctrl: sunxi: Fix and simplify pin bank regulator handling")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Andre Przywara <andre.przywara@arm.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
8 weeks agodrm/tve200: Fix probe cleanup after register failure
Myeonghun Pak [Fri, 24 Apr 2026 12:40:39 +0000 (21:40 +0900)] 
drm/tve200: Fix probe cleanup after register failure

tve200_modeset_init() creates a panel bridge and initializes the DRM
mode config before tve200_probe() registers the DRM device. If
drm_dev_register() fails, probe returns an error and the driver's remove
callback is not called, so those modeset resources are left behind.

Unwind the panel bridge and mode config on that failure path before
disabling the clock and dropping the DRM device reference.

Signed-off-by: Myeonghun Pak <mhun512@gmail.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Link: https://patch.msgid.link/20260424124118.38649-1-mhun512@gmail.com
8 weeks agoauxdisplay: max6959: use regmap_assign_bits() in max6959_enable()
Andy Shevchenko [Mon, 4 May 2026 10:00:28 +0000 (12:00 +0200)] 
auxdisplay: max6959: use regmap_assign_bits() in max6959_enable()

Replace the ternary with a direct call to the regmap_assign_bits()
helper and save a couple lines of code.

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
8 weeks agodts: spacemit: set console baud rate on bpif3
Conor Dooley [Thu, 30 Apr 2026 18:52:12 +0000 (19:52 +0100)] 
dts: spacemit: set console baud rate on bpif3

Because the default console's baud rate is not set, defconfig kernels do
not have any serial output on this platform. Set the baud rate to
115200, matching what is used by U-Boot etc on this platform.

Suggested-by: Vivian Wang <wangruikang@iscas.ac.cn>
Fixes: d60d57ab6b2a8 ("riscv: dts: spacemit: add Banana Pi BPI-F3 board device tree")
Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
Reviewed-by: Yixun Lan <dlan@kernel.org>
Link: https://lore.kernel.org/r/20260430-reword-overstep-3be08b7eab25@spud
Signed-off-by: Yixun Lan <dlan@kernel.org>
8 weeks agolib/vsprintf: Limit the returning size to INT_MAX
Masami Hiramatsu (Google) [Thu, 26 Mar 2026 12:12:10 +0000 (21:12 +0900)] 
lib/vsprintf: Limit the returning size to INT_MAX

The return value of vsnprintf() and bstr_printf() can overflow INT_MAX
and return a minus value. In the @size is checked input overflow, but
it does not check the output, which is expected required size.

This should never happen but it should be checked and limited.

Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Reviewed-by: Petr Mladek <pmladek@suse.com>
Link: https://patch.msgid.link/177452713020.197965.3164174544083829000.stgit@devnote2
Signed-off-by: Petr Mladek <pmladek@suse.com>
8 weeks agolib/vsprintf: Fix to check field_width and precision
Masami Hiramatsu (Google) [Thu, 26 Mar 2026 12:12:00 +0000 (21:12 +0900)] 
lib/vsprintf: Fix to check field_width and precision

Check the field_width and presition correctly. Previously it depends
on the bitfield conversion from int to check out-of-range error.
However, commit 938df695e98d ("vsprintf: associate the format state
with the format pointer") changed those fields to int.
We need to check the out-of-range correctly without bitfield
conversion.

Fixes: 938df695e98d ("vsprintf: associate the format state with the format pointer")
Reported-by: David Laight <david.laight.linux@gmail.com>
Closes: https://lore.kernel.org/all/20260318151250.40fef0ab@pumpkin/
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Reviewed-by: Petr Mladek <pmladek@suse.com>
Link: https://patch.msgid.link/177452712047.197965.16376597502504928495.stgit@devnote2
Signed-off-by: Petr Mladek <pmladek@suse.com>
8 weeks agox86/xen: Fix a potential problem in xen_e820_resolve_conflicts()
Juergen Gross [Tue, 5 May 2026 08:06:53 +0000 (10:06 +0200)] 
x86/xen: Fix a potential problem in xen_e820_resolve_conflicts()

When fixing a conflict in xen_e820_resolve_conflicts(), the loop over
the E820 map entries needs to be restarted, as the E820 map will have
been modified by the fix. Otherwise entries might be skipped by
accident.

Fixes: be35d91c8880 ("xen: tolerate ACPI NVS memory overlapping with Xen allocated memory")
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: xen-devel@lists.xenproject.org
Link: https://patch.msgid.link/20260505080653.197775-1-jgross@suse.com
8 weeks agodt-bindings: crypto: qcom-qce: Add Qualcomm Eliza QCE
Krzysztof Kozlowski [Tue, 7 Apr 2026 13:51:42 +0000 (15:51 +0200)] 
dt-bindings: crypto: qcom-qce: Add Qualcomm Eliza QCE

Document the QCE crypto engine on Qualcomm Eliza SoC, fully compatible
with earlier generations.

Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Reviewed-by: Harshal Dev <harshal.dev@oss.qualcomm.com>
Reviewed-by: Kuldeep Singh <kuldeep.singh@oss.qualcomm.com>
Acked-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 weeks agocrypto: qat - fix heartbeat error injection
Damian Muszynski [Tue, 7 Apr 2026 10:04:26 +0000 (12:04 +0200)] 
crypto: qat - fix heartbeat error injection

The current implementation of the heartbeat error injection uses
adf_disable_arb_thd() to stop a specific accelerator engine thread
from processing requests. This does not reliably prevent the device
from generating responses.

Fix the error injection by disabling the device arbiter through
exit_arb() instead. This properly simulates a device failure by
stopping all arbitration, which results in missing responses for
sent requests.

Remove the now unused adf_disable_arb_thd() function and its
declaration.

Fixes: e2b67859ab6e ("crypto: qat - add heartbeat error simulator")
Signed-off-by: Damian Muszynski <damian.muszynski@intel.com>
Reviewed-by: Ahsan Atta <ahsan.atta@intel.com>
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 weeks agodt-bindings: crypto: qcom-qce: Document the Milos crypto engine
Alexander Koskovich [Mon, 6 Apr 2026 02:10:07 +0000 (02:10 +0000)] 
dt-bindings: crypto: qcom-qce: Document the Milos crypto engine

Document the crypto engine on the Milos platform.

Signed-off-by: Alexander Koskovich <akoskovich@pm.me>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Reviewed-by: Kuldeep Singh <kuldeep.singh@oss.qualcomm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 weeks agokeys: cleanup dead code in Kconfig for FIPS_SIGNATURE_SELFTEST
Julian Braha [Tue, 31 Mar 2026 12:22:14 +0000 (13:22 +0100)] 
keys: cleanup dead code in Kconfig for FIPS_SIGNATURE_SELFTEST

There is already an 'if ASYMMETRIC_KEY_TYPE' condition wrapping
FIPS_SIGNATURE_SELFTEST, making the 'depends on' statement a
duplicate dependency (dead code).

I propose leaving the outer 'if ASYMMETRIC_KEY_TYPE...endif' and removing
the individual 'depends on' statement.

This dead code was found by kconfirm, a static analysis tool for Kconfig.

Signed-off-by: Julian Braha <julianbraha@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 weeks agos390/cio: Purge based on the cdev's online status
Vineeth Vijayan [Tue, 28 Apr 2026 08:43:41 +0000 (10:43 +0200)] 
s390/cio: Purge based on the cdev's online status

Ensure that all devices currently offline are purged correctly.

Previously, purging logic relied on the internal FSM state to
determine whether a device was offline. However, devices with a
target state of offline could be skipped if CIO internal
processing was still ongoing during the purge operation.

Update the purge decision logic to rely on the online variable
in the cdev structure instead of the internal FSM state,
providing a more reliable indication of actual device
availability.

Signed-off-by: Vineeth Vijayan <vneethv@linux.ibm.com>
Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
8 weeks agos390: Remove extra check of task_stack_page()
Maninder Singh [Tue, 28 Apr 2026 10:56:07 +0000 (16:26 +0530)] 
s390: Remove extra check of task_stack_page()

There is no need to call task_stack_page(),
because try_get_task_stack() already takes care of that.

Signed-off-by: Maninder Singh <maninder1.s@samsung.com>
Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
8 weeks agorhashtable: Add bucket_table_free_atomic() helper
Uladzislau Rezki (Sony) [Tue, 28 Apr 2026 16:14:19 +0000 (18:14 +0200)] 
rhashtable: Add bucket_table_free_atomic() helper

rhashtable_insert_rehash() allocates a new bucket table
with GFP_ATOMIC, as it is called from an RCU read-side
critical section.

If rhashtable_rehash_attach() then fails, the new table
is freed via kvfree(). This is unsafe, since kvfree() may
fall back to vfree() for vmalloc-backed allocations, which
can sleep and trigger:

  BUG: sleeping function called from invalid context

Add bucket_table_free_atomic(), which uses kvfree_atomic()
so the table can be freed safely from non-sleeping context.

Signed-off-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 weeks agomm/slab: Add kvfree_atomic() helper
Uladzislau Rezki (Sony) [Tue, 28 Apr 2026 16:14:18 +0000 (18:14 +0200)] 
mm/slab: Add kvfree_atomic() helper

kvmalloc() now supports non-sleeping GFP flags, including
the vmalloc fallback path. This means it may return vmalloc
memory even for GFP_ATOMIC and GFP_NOWAIT allocations.

Freeing such memory with kvfree() may then end up calling
vfree(), which is not safe for non-sleeping contexts.

Introduce kvfree_atomic() helper for such cases. It mirrors
kvfree(), but uses vfree_atomic() for vmalloced memory.

Signed-off-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
Acked-by: Harry Yoo (Oracle) <harry@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 weeks agorhashtable: drop ht->mutex in rhashtable_free_and_destroy()
Mikhail Gavrilov [Wed, 22 Apr 2026 21:33:49 +0000 (02:33 +0500)] 
rhashtable: drop ht->mutex in rhashtable_free_and_destroy()

rhashtable_free_and_destroy() is a single-shot teardown routine:
cancel_work_sync() has already quiesced the deferred rehash worker, and
the function's documented contract requires the caller to guarantee no
other concurrent access to the rhashtable. Under those conditions
ht->mutex is not protecting anything -- taking it is a leftover from
the original teardown path.

That leftover is actively harmful: it closes a circular lock-class
dependency with fs_reclaim. The deferred rehash worker takes ht->mutex
and then allocates GFP_KERNEL memory in bucket_table_alloc(),
establishing

    &ht->mutex  ->  fs_reclaim

After commit b32c4a213698 ("xattr: add rhashtable-based simple_xattr
infrastructure") introduced simple_xattr_ht_free(), which calls
rhashtable_free_and_destroy(), the simple_xattrs teardown became
reachable from evict() under the dcache shrinker. The subsequent
per-subsystem adaptations made the reverse edge concrete in three
independent code paths:

  * commit 52b364fed6e1 ("shmem: adapt to rhashtable-based simple_xattrs with lazy allocation")
  * commit 5bd97f5c5f24 ("kernfs: adapt to rhashtable-based simple_xattrs with lazy allocation")
  * commit 50704c391fbf ("pidfs: adapt to rhashtable-based simple_xattrs")

Any of the three closes the cycle

    fs_reclaim  ->  &ht->mutex

which lockdep reports as follows. This particular splat was observed
organically on a workstation kernel built from vfs-7.1-rc1.xattr at
~35h uptime under normal mixed workload, with CONFIG_PROVE_LOCKING=y.
The path happens to go through kernfs:

  WARNING: possible circular locking dependency detected
  7.0.0-faeab166167f-with-fixes-v1+ #191 Tainted: G     U
  kswapd0/243 is trying to acquire lock:
  ffff8882e475c0f8 (&ht->mutex){+.+.}-{4:4},
    at: rhashtable_free_and_destroy+0x36/0x740
  but task is already holding lock:
  ffffffffa8ad1d00 (fs_reclaim){+.+.}-{0:0},
    at: balance_pgdat+0x995/0x1600

  the existing dependency chain (in reverse order) is:

  -> #1 (fs_reclaim){+.+.}-{0:0}:
         __lock_acquire+0x506/0xbf0
         lock_acquire.part.0+0xc7/0x280
         fs_reclaim_acquire+0xd9/0x130
         __kvmalloc_node_noprof+0xcd/0xb40
         bucket_table_alloc.isra.0+0x5a/0x440
         rhashtable_rehash_alloc+0x4e/0xd0
         rht_deferred_worker+0x14b/0x440
         process_one_work+0x8fd/0x16a0
         worker_thread+0x601/0xff0
         kthread+0x36b/0x470
         ret_from_fork+0x5bf/0x910
         ret_from_fork_asm+0x1a/0x30

  -> #0 (&ht->mutex){+.+.}-{4:4}:
         check_prev_add+0xdb/0xce0
         validate_chain+0x554/0x780
         __lock_acquire+0x506/0xbf0
         lock_acquire.part.0+0xc7/0x280
         __mutex_lock+0x1b2/0x2550
         rhashtable_free_and_destroy+0x36/0x740
         kernfs_put.part.0+0x119/0x570
         evict+0x3b6/0x9c0
         __dentry_kill+0x181/0x540
         shrink_dentry_list+0x135/0x440
         prune_dcache_sb+0xdb/0x150
         super_cache_scan+0x2ff/0x520
         do_shrink_slab+0x35a/0xee0
         shrink_slab_memcg+0x457/0x950
         shrink_slab+0x43b/0x550
         shrink_one+0x31a/0x6f0
         shrink_many+0x31e/0xc80
         shrink_node+0xeb3/0x14a0
         balance_pgdat+0x8ed/0x1600
         kswapd+0x2f3/0x530
         kthread+0x36b/0x470
         ret_from_fork+0x5bf/0x910
         ret_from_fork_asm+0x1a/0x30

   Possible unsafe locking scenario:

         CPU0                    CPU1
         ----                    ----
    lock(fs_reclaim);
                                 lock(&ht->mutex);
                                 lock(fs_reclaim);
    lock(&ht->mutex);

Note that lockdep tracks lock classes, not instances: the two
&ht->mutex sites are on different rhashtable objects (the deferred
worker was triggered by some unrelated rhashtable growth), but because
rhashtable_init() uses a single static lockdep key for all rhashtables,
this is a real class-level cycle. Once reported, lockdep disables
itself for the remainder of the boot, masking any subsequent locking
bugs.

Drop the mutex. After cancel_work_sync() the rehash worker is quiesced
and, per this function's contract, no other concurrent access is
possible; the tables are therefore owned exclusively by this function
and can be walked without any lock held.

Switch the table walks from rht_dereference() (which requires
ht->mutex to be held under CONFIG_PROVE_RCU) to rcu_dereference_raw(),
which has no lockdep annotation. rht_ptr_exclusive() already uses
rcu_dereference_protected(p, 1) and needs no change.

This is the only place in lib/rhashtable.c where &ht->mutex is
acquired from a path reachable under fs_reclaim; the deferred worker
is the only other site and it is the forward edge. Removing the
acquisition here therefore eliminates the class cycle for all three
subsystems that use simple_xattrs, not just the one in the splat
above. No locking-semantics change is introduced for correct users;
incorrect users would already be racing with rehash worker completion
regardless of the mutex.

Synthetic reproduction of the splat within a few-minute window was
unsuccessful across several attempts (tmpfs and kernfs zombies via
cgroupfs with open-fd-through-rmdir, with and without swap, up to
~60k reclaim-path executions of simple_xattr_ht_free() in a single
run), consistent with the rare coincidence-of-edges profile of the
bug: the forward edge is already registered in /proc/lockdep on any
idle system via rht_deferred_worker, but the reverse edge requires
evict() to complete kernfs_put()'s final release inside the fs_reclaim
critical section, which in my attempts was ordered against rather than
interleaved with the worker.

Fixes: b32c4a213698 ("xattr: add rhashtable-based simple_xattr infrastructure")
Signed-off-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 weeks agoblock: only read from sqe on initial invocation of blkdev_uring_cmd()
Jens Axboe [Mon, 4 May 2026 14:34:32 +0000 (08:34 -0600)] 
block: only read from sqe on initial invocation of blkdev_uring_cmd()

This passthrough helper currently only supports discards. Part of that
command is the start and length, which is read from the SQE. It does
so on every invocation, where it really should just make it stable
on the first invocation. This avoids needing to copy the SQE upfront,
as we only really need those two 8b values stored in our per-req
payload.

Cc: stable@vger.kernel.org # 6.17+
Signed-off-by: Jens Axboe <axboe@kernel.dk>
8 weeks agox86/efi: Restore IRQ state in EFI page fault handler
Ard Biesheuvel [Fri, 1 May 2026 07:16:38 +0000 (09:16 +0200)] 
x86/efi: Restore IRQ state in EFI page fault handler

The kernel's softirq API does not permit re-enabling softirqs while IRQs
are disabled. The reason for this is that local_bh_enable() will not
only re-enable delivery of softirqs over the back of IRQs, it will also
handle any pending softirqs immediately, regardless of whether IRQs are
enabled at that point.

For this reason, commit

  d02198550423 ("x86/fpu: Improve crypto performance by making kernel-mode FPU reliably usable in softirqs")

disables softirqs only when IRQs are enabled, as it is not permitted
otherwise, but also unnecessary, given that asynchronous softirq
delivery never happens to begin with while IRQs are disabled.

However, this does mean that entering a kernel mode FPU section with
IRQs enabled and leaving it with IRQs disabled leads to problems, as
identified by Sashiko [0]: the EFI page fault handler is called from
page_fault_oops() with IRQs disabled, and thus ends the kernel mode FPU
section with IRQs disabled as well, regardless of whether IRQs were
enabled when it was started. This may result in schedule() being called
with a non-zero preempt_count, causing a BUG().

So take care to re-enable IRQs when handling any EFI page faults if they
were taken with IRQs enabled.

[0] https://sashiko.dev/#/patchset/20260430074107.27051-1-ivan.hu%40canonical.com

Cc: Eric Biggers <ebiggers@kernel.org>
Cc: Ivan Hu <ivan.hu@canonical.com>
Cc: x86@kernel.org
Cc: <stable@vger.kernel.org>
Fixes: d02198550423 ("x86/fpu: Improve crypto performance by making kernel-mode FPU reliably usable in softirqs")
Reviewed-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
8 weeks agoMerge patch series "scsi: ufs: Add persistent TX Equalization settings support"
Martin K. Petersen [Tue, 5 May 2026 07:28:56 +0000 (03:28 -0400)] 
Merge patch series "scsi: ufs: Add persistent TX Equalization settings support"

Can Guo <can.guo@oss.qualcomm.com> says:

Hi,

This series is a follow-up to the earlier TX Equalization enablement series:

https://lore.kernel.org/all/20260325152154.1604082-1-can.guo@oss.qualcomm.com

In that cover letter, the "Next" section mentioned adding support for
UFS v5.0 Attributes qTxEQGnSettings and wTxEQGnSettingsExt, and enabling
persistent storage/retrieval of optimal TX Equalization settings. This
2-patch series implements that part.

Motivation
==========

TX EQTR procedure is required to find the optimal TX Equalization settings
for HS Gears (4-6) before changing Power Mode to the target HS Gears.
However, TX EQTR procedure introduces latencies to the first Power Mode
change.

With optimal TX Equalization settings stored in UFS v5.0 Attributes
qTxEQGnSettings and wTxEQGnSettingsExt, host software can reuse known-good
settings and avoid going through the TX EQTR procedure.

Array Attribute Model
=====================

qTxEQGnSettings and wTxEQGnSettingsExt are array-type Attributes. Each
element in an array-type Attribute is selected by an (Index, Selector) pair.

For these two attributes:
- Valid Index range: [0, Max HS Gear - 1]
- Valid Selector range: [0, 1]

This effectively forms a 2-dimensional array. For HS-Gear n, its TX
Equalization settings are stored/retrieved at Index (n - 1). Selector is
configurable via a module parameter so that platforms can choose the
Selector policy that matches their use.

Implementation Overview
=======================

1. Introduce a generic helper for 64-bit query attributes:
   ufshcd_query_attr_qword().

2. Add TX EQ settings persistence flow:
   - Read stored settings from qTxEQGnSettings & wTxEQGnSettingsExt.
   - Decode and populate per-gear TX EQ parameters.
   - Use Bit[15] in wTxEQGnSettingsExt as validity indication.
   - Store trained settings back to these attributes for future reuse.

3. Integrate with existing lifecycle:
   - Retrieve settings during device parameter initialization.
   - Store settings during shutdown.

New Module Parameters
=====================

Three module parameters are added for TX EQ settings persistence control:

 - txeq_setting_sel (default: 0, range: 0..1)
    Selects which selector value is used when reading/writing
    qTxEQGnSettings and wTxEQGnSettingsExt.

 - retrieve_txeq_setting (default: true)
    Enables/disables retrieving stored TX EQ settings from device
    attributes during initialization.

 - store_txeq_setting (default: true)
    Enables/disables storing last trained TX EQ settings into device
    attributes during shutdown.

Testing
=======

Tested on a UFS v5.0 platform:

 - TX Equalization setting store path, settings were correctly encoded
   and stored.

 - TX Equalization setting retrieval path, settings were correctly
   extracted and reused.

 - Full TX EQTR procedure was skipped for a given HS Gear when valid
   TX EQ settings
  were provided in qTxEQGnSettings & wTxEQGnSettingsExt for the given HS-Gear.

Link: https://patch.msgid.link/20260424151420.111675-1-can.guo@oss.qualcomm.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
8 weeks agoscsi: ufs: core: Add support to retrieve and store TX Equalization settings
Can Guo [Fri, 24 Apr 2026 15:14:20 +0000 (08:14 -0700)] 
scsi: ufs: core: Add support to retrieve and store TX Equalization settings

Add support for UFS v5.0 JEDEC attributes qTxEQGnSettings and
wTxEQGnSettingsExt to enable persistent storage and retrieval of
optimal TX Equalization settings.

This provides a fast-path for TX Equalization by reusing previously
stored optimal settings, avoiding TX Equalization Training (EQTR)
procedures during subsequent Power Mode changes.

When no valid TX Equalization settings are found, fall back to full TX
EQTR procedures and optionally save the results for future use.

The validity of one set of TX Equalization settings is indicated by
Bit[15] in wTxEQGnSettingsExt.

Signed-off-by: Can Guo <can.guo@oss.qualcomm.com>
Reviewed-by: Peter Wang <peter.wang@mediatek.com>
Reviewed-by: Bean Huo <beanhuo@micron.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260424151420.111675-3-can.guo@oss.qualcomm.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
8 weeks agoscsi: ufs: core: Introduce function ufshcd_query_attr_qword()
Can Guo [Fri, 24 Apr 2026 15:14:19 +0000 (08:14 -0700)] 
scsi: ufs: core: Introduce function ufshcd_query_attr_qword()

Introduce a new generic function ufshcd_query_attr_qword() to handle
quad-word (64-bit) UFS attribute operations. This consolidates the
handling of 64-bit attributes which was previously scattered across
multiple specialized functions.

Reviewed-by: Peter Wang <peter.wang@mediatek.com>
Signed-off-by: Can Guo <can.guo@oss.qualcomm.com>
Reviewed-by: Bean Huo <beanhuo@micron.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260424151420.111675-2-can.guo@oss.qualcomm.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
8 weeks agomedia: v4l2-subdev: Fail {enable,disable}_streams and s_streaming nicely
Sakari Ailus [Sat, 21 Mar 2026 21:41:50 +0000 (23:41 +0200)] 
media: v4l2-subdev: Fail {enable,disable}_streams and s_streaming nicely

If a sub-device does not set enable_streams() and disable_streams() pad
ops while it sets the s_stream() video op to
v4l2_subdev_s_stream_helper(), enabling or disabling streaming either way
on the sub-device will result calling v4l2_subdev_s_stream_helper() and
v4l2_subdev_{enable,disable}_streams() recursively, exhausting the stack.
Return -ENOIOCTLCMD in this case to handle the situation gracefully.

Fixes: b62949ddaa52 ("media: subdev: Support single-stream case in v4l2_subdev_enable/disable_streams()")
Cc: stable@vger.kernel.org
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
8 weeks agodrm/i915/display: enable ccs modifiers on dg2
Juha-Pekka Heikkila [Mon, 27 Apr 2026 16:57:15 +0000 (19:57 +0300)] 
drm/i915/display: enable ccs modifiers on dg2

Since Xe driver aux ccs enablement dg2 ccs modifiers have been
disabled on i915 driver. Here allow dg2 to use ccs again for framebuffers.

Fixes: 6a99e91a6ca8 ("drm/i915/display: Detect AuxCCS support via display parent interface")
Signed-off-by: Juha-Pekka Heikkila <juhapekka.heikkila@gmail.com>
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: Mika Kahola <mika.kahola@intel.com>
Link: https://patch.msgid.link/20260427165715.864721-1-juhapekka.heikkila@gmail.com
(cherry picked from commit aee13ba1448213975f36942ba5d1ce693eb5c002)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
8 weeks agocpufreq: qcom-cpufreq-hw: Fix possible double free
Guangshuo Li [Fri, 1 May 2026 19:00:05 +0000 (03:00 +0800)] 
cpufreq: qcom-cpufreq-hw: Fix possible double free

qcom_cpufreq.data is allocated with devm_kzalloc() in probe() as an
array of per-domain data. qcom_cpufreq_hw_cpu_init() stores a pointer to
one element of this array in policy->driver_data.

qcom_cpufreq_hw_cpu_exit() currently calls kfree() on policy->driver_data.
This is not valid because the memory is devm-managed. For the first
domain, this can free the devm-managed allocation while the devres entry
is still active, leading to a possible double free when the platform
device is later detached. For other domains, the pointer may refer to an
element inside the array rather than the allocation base.

Remove the kfree(data) call and let devres release qcom_cpufreq.data.

This issue was found by a static analysis tool I am developing.

Fixes: 054a3ef683a1 ("cpufreq: qcom-hw: Allocate qcom_cpufreq_data during probe")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Reviewed-by: Zhongqiu Han <zhongqiu.han@oss.qualcomm.com>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
8 weeks agoxfrm: esp: avoid in-place decrypt on shared skb frags
Kuan-Ting Chen [Mon, 4 May 2026 15:27:12 +0000 (23:27 +0800)] 
xfrm: esp: avoid in-place decrypt on shared skb frags

MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP
marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),
so later paths that may modify packet data can first make a private
copy. The IPv4/IPv6 datagram append paths did not set this flag when
splicing pages into UDP skbs.

That leaves an ESP-in-UDP packet made from shared pipe pages looking
like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW
fast path for uncloned skbs without a frag_list and decrypts in place
over data that is not owned privately by the skb.

Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching
TCP. Also make ESP input fall back to skb_cow_data() when the flag is
present, so ESP does not decrypt externally backed frags in place.
Private nonlinear skb frags still use the existing fast path.

This intentionally does not change ESP output. In esp_output_head(),
the path that appends the ESP trailer to existing skb tailroom without
calling skb_cow_data() is not reachable for nonlinear skbs:
skb_tailroom() returns zero when skb->data_len is nonzero, while ESP
tailen is positive. Thus ESP output will either use the separate
destination-frag path or fall back to skb_cow_data().

Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Fixes: 7da0dde68486 ("ip, udp: Support MSG_SPLICE_PAGES")
Fixes: 6d8192bd69bb ("ip6, udp6: Support MSG_SPLICE_PAGES")
Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
Reported-by: Kuan-Ting Chen <h3xrabbit@gmail.com>
Tested-by: Hyunwoo Kim <imv4bel@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Kuan-Ting Chen <h3xrabbit@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
8 weeks agoobjtool/klp: Cache dont_correlate() result
Josh Poimboeuf [Mon, 20 Apr 2026 04:06:28 +0000 (21:06 -0700)] 
objtool/klp: Cache dont_correlate() result

Cache the dont_correlate() result once per symbol at the start of
correlate_symbols().  This reduces klp diff time on an arm64 LTO
vmlinux.o from 2m51s to 35s.

Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
8 weeks agoobjtool: Improve and simplify prefix symbol detection
Josh Poimboeuf [Wed, 8 Apr 2026 03:56:48 +0000 (20:56 -0700)] 
objtool: Improve and simplify prefix symbol detection

Only create prefix symbols for functions that have
__patchable_function_entries entries, since those are the only C
functions where prefix NOPs are intentional.

This both simplifies the detection and makes it more accurate.

Note that assembly functions using SYM_TYPED_FUNC_START() can also have
prefixed NOPs, but that macro already creates their __cfi_ symbols.

Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
8 weeks agoobjtool/klp: Fix kCFI prefix finding/cloning
Josh Poimboeuf [Tue, 28 Apr 2026 04:15:52 +0000 (21:15 -0700)] 
objtool/klp: Fix kCFI prefix finding/cloning

With CFI+CALL_PADDING, Clang places .Ltmp labels at the start of the NOP
padding (offset 5) between the __cfi_ prefix and the function entry
point.  get_func_prefix() only checks the immediately previous symbol,
so the intervening .Ltmp label causes it to miss the __cfi_ prefix
symbol.

This results in klp-diff not cloning the kCFI type hash into the
livepatch module, causing a CFI failure at module load when calling
callback functions through indirect calls:

  CFI failure at __klp_enable_patch+0xab/0x140
    (target: pre_patch_callback+0x0/0x80 [livepatch_combined];
     expected type: 0xde073954)

Instead of walking backward through the section's symbol list, just use
find_func_containing() for the byte before the function.  This works now
that __cfi_ symbols are being grown by objtool to fill the padding.

Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
8 weeks agoobjtool: Grow __cfi_* prefix symbols for all CFI+CALL_PADDING
Josh Poimboeuf [Thu, 23 Apr 2026 22:53:17 +0000 (15:53 -0700)] 
objtool: Grow __cfi_* prefix symbols for all CFI+CALL_PADDING

For all CONFIG_CFI+CONFIG_CALL_PADDING configs, for C functions, the
__cfi_ symbols only cover the 5-byte kCFI type hash.  After that there
also N bytes of NOP padding between the hash and the function entry
which aren't associated with any symbol.

The NOPs can be replaced with actual code at runtime.  Without a symbol,
unwinders and tooling have no way of knowing where those bytes belong.

Grow the existing __cfi_* symbols to fill that gap.

Note that assembly functions with SYM_TYPED_FUNC_START() aren't affected
by this issue, their __cfi_ symbols also cover the padding.

Also, CONFIG_PREFIX_SYMBOLS has no reason to exist: CONFIG_CALL_PADDING
is what causes the compiler to emit NOP padding before function entry
(via -fpatchable-function-entry), so it's the right condition for
creating prefix symbols.

Remove CONFIG_PREFIX_SYMBOLS, as it's no longer needed.  Simplify the
LONGEST_SYM_KUNIT_TEST dependency accordingly.  Rework objtool's
arguments a bit to handle the variety of prefix/cfi-related cases.

Suggested-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
8 weeks agoobjtool/klp: Fix position-dependent checksums for non-relocated jumps/calls
Josh Poimboeuf [Fri, 3 Apr 2026 18:57:02 +0000 (11:57 -0700)] 
objtool/klp: Fix position-dependent checksums for non-relocated jumps/calls

When computing klp checksums, instructions with non-relocated jump/call
destination offsets are problematic because the offset values can change
when surrounding code has moved, causing the function to be incorrectly
marked as changed.

Specifically, that includes jumps from alternatives to the end of the
alternative, which from objtool's perspective are jumps to the end of
the alternative instruction block in the original function.

Note that 'jump_dest' jumps don't include sibling calls (those use
call_dest), nor do they include jumps to/from .cold sub functions (those
are cross-section and need a reloc).

Fix it by hashing the opcode bytes (excluding the immediate operand)
along with a position-independent representation of the destination.
For calls, use the function name, and for jumps, use the destination's
offset within its function.

[Note the "9 bit hole" comment was wrong: it has been 8 bits since
commit 70589843b36f ("objtool: Add option to trace function validation")
added the 'trace' field.  Adding the 4-bit 'immediate_len' field now
leaves a 4-bit hole.]

Fixes: 0d83da43b1e1 ("objtool/klp: Add --checksum option to generate per-function checksums")
Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
8 weeks agoobjtool: Add insn_sym() helper
Josh Poimboeuf [Sat, 4 Apr 2026 18:30:37 +0000 (11:30 -0700)] 
objtool: Add insn_sym() helper

Alternative replacement instructions awkwardly have insn->sym set to the
function they get patched to rather than the symbol (or rather lack
thereof) they belong to in the file.

This makes it difficult to know where a given instruction actually
lives.

Add a new insn_sym() helper which preserves the existing semantic of
insn->sym.  Rename insn->sym to insn->_sym, which contains the actual
ELF binary symbol (or NULL, for alternative replacements) an instruction
lives in.

The private insn->_sym value will be needed for a subsequent patch.

Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
8 weeks agoobjtool/klp: Add correlation debugging output
Josh Poimboeuf [Tue, 21 Apr 2026 05:58:37 +0000 (22:58 -0700)] 
objtool/klp: Add correlation debugging output

Add debugging messages to show how duplicate symbols get correlated, and
split the --debug feature into --debug-correlate and --debug-clone.

Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
8 weeks agoobjtool/klp: Rewrite symbol correlation algorithm
Josh Poimboeuf [Fri, 10 Apr 2026 03:51:27 +0000 (20:51 -0700)] 
objtool/klp: Rewrite symbol correlation algorithm

Rewrite the symbol correlation code, using a tiered list of
deterministic strategies in a loop.  For duplicately named symbols, each
tier applies a filter with the goal of finding a 1:1 deterministic
correlation between the original and patched version of the symbol.

The three matching strategies are:

  find_twin(): A funnel of progressively tighter filters.  Candidates
  with the same demangled name are counted at four levels: name, scope
  (local-vs-global), file (strict file association), and checksum
  (unchanged functions).  The widest level that yields a 1:1 match wins,
  narrower levels are only tried when the wider level is ambiguous.

  find_twin_suffixed(): Uses already-correlated LLVM symbol pairs to map
  .llvm.<hash> suffixes from orig to patched.  Because all promoted
  symbols from the same TU share the same hash, one correlated pair
  seeds the mapping for the entire TU.

  find_twin_positional(): Last resort, matches symbols by position among
  same-named candidates, similar to livepatch sympos.  Used for data
  objects like __quirk variables where no deterministic filter can
  distinguish the candidates.

Overall this works much better than the existing algorithm, particularly
with LTO kernels.

Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
8 weeks agoobjtool/klp: Calculate object checksums
Josh Poimboeuf [Thu, 16 Apr 2026 05:49:53 +0000 (22:49 -0700)] 
objtool/klp: Calculate object checksums

Start checksumming data objects in preparation for revamping the
correlation algorithm.

Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
8 weeks agoklp-build: Validate short-circuit prerequisites
Josh Poimboeuf [Fri, 17 Apr 2026 20:33:55 +0000 (13:33 -0700)] 
klp-build: Validate short-circuit prerequisites

The --short-circuit option implicitly requires that certain directories
are already in klp-tmp.  Enforce that to prevent confusing errors.

Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
8 weeks agoobjtool/klp: Remove "objtool --checksum"
Josh Poimboeuf [Fri, 3 Apr 2026 20:10:29 +0000 (13:10 -0700)] 
objtool/klp: Remove "objtool --checksum"

The checksum functionality has been moved to "objtool klp checksum"
which is now used by klp-build.  Remove the now-dead --checksum and
--debug-checksum options from the default objtool command.

Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
8 weeks agoklp-build: Use "objtool klp checksum" subcommand
Josh Poimboeuf [Fri, 3 Apr 2026 20:09:34 +0000 (13:09 -0700)] 
klp-build: Use "objtool klp checksum" subcommand

Use the new "objtool klp checksum" subcommand instead of injecting
--checksum into every objtool invocation via OBJTOOL_ARGS during the
kernel build.

This decouples checksum generation from the build, running it in
separate post-build passes, making the code (and the patch generation
pipeline itself) more modular.

Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
8 weeks agoobjtool/klp: Add "objtool klp checksum" subcommand
Josh Poimboeuf [Fri, 3 Apr 2026 20:08:32 +0000 (13:08 -0700)] 
objtool/klp: Add "objtool klp checksum" subcommand

Move the checksum functionality out of the main objtool command into a
new "objtool klp checksum" subcommand.

This has the benefit of making the code (and the patch generation
process itself) more modular.

For bisectability, both "objtool --checksum" and "objtool klp checksum"
work for now.  The former will be removed after klp-build has been
converted to use the new subcommand.

Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
8 weeks agoobjtool: Consolidate file decoding into decode_file()
Josh Poimboeuf [Fri, 3 Apr 2026 20:04:28 +0000 (13:04 -0700)] 
objtool: Consolidate file decoding into decode_file()

decode_sections() relies on CFI and cfi_hash initialization done
separately in check(), making it unusable outside of check().

Consolidate the initialization into decode_sections() and rename it to
decode_file(), and make it global along with free_insns() and
insn_reloc() for use by other objtool components -- namely, the checksum
code which will be moving to another file.

Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
8 weeks agoobjtool/klp: Extricate checksum calculation from validate_branch()
Josh Poimboeuf [Fri, 3 Apr 2026 19:11:17 +0000 (12:11 -0700)] 
objtool/klp: Extricate checksum calculation from validate_branch()

In preparation for porting the checksum code to other arches, make its
functionality independent from the CFG reverse engineering code.

Move it into a standalone calculate_checksums() function which iterates
all functions and instructions directly, rather than being called inline
from do_validate_branch().

Since checksum_update_insn() is no longer called during CFG traversal,
it needs to manually iterate the alternatives.

Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
8 weeks agoobjtool: Add is_cold_func() helper
Josh Poimboeuf [Wed, 18 Mar 2026 22:33:58 +0000 (15:33 -0700)] 
objtool: Add is_cold_func() helper

Add an is_cold_func() helper.  No functional changes intended.

Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
8 weeks agoobjtool: Add is_alias_sym() helper
Josh Poimboeuf [Wed, 18 Mar 2026 22:42:30 +0000 (15:42 -0700)] 
objtool: Add is_alias_sym() helper

Improve readability with a new is_alias_sym() helper.

No functional changes intended.

Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
8 weeks agoobjtool/klp: Handle Clang .data..Lanon anonymous data sections
Josh Poimboeuf [Fri, 10 Apr 2026 03:50:35 +0000 (20:50 -0700)] 
objtool/klp: Handle Clang .data..Lanon anonymous data sections

Clang generates anonymous data sections named .data..Lanon.<hash>.
These need section-symbol references in the same way as .data..Lubsan
(GCC) and .data..L__unnamed_ (Clang UBSAN) sections.  Without this,
convert_reloc_sym() fails when processing relocations that reference
these sections.

Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
8 weeks agoobjtool/klp: Create empty checksum sections for function-less object files
Josh Poimboeuf [Tue, 31 Mar 2026 04:50:46 +0000 (21:50 -0700)] 
objtool/klp: Create empty checksum sections for function-less object files

If an object file has no functions, objtool has nothing to checksum, so
it doesn't create the .discard.sym_checksum symbol.

Then when 'objtool klp diff' reads symbol checksums, it errors out due
to the missing .discard.sym_checksum section.

Instead, just create an empty checksum section to signal to
read_sym_checksums() that the file has been processed.

Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
8 weeks agoobjtool: Include libsubcmd headers directly from source tree
Josh Poimboeuf [Sun, 12 Apr 2026 17:59:42 +0000 (10:59 -0700)] 
objtool: Include libsubcmd headers directly from source tree

Instead of installing libsubcmd headers to a build output directory and
including from there, include directly from tools/lib/ where they
already exist.  This fixes clangd indexing which otherwise can't find
libsubcmd headers.

Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
8 weeks agoobjtool/klp: Don't set sym->file for section symbols
Josh Poimboeuf [Mon, 13 Apr 2026 05:40:02 +0000 (22:40 -0700)] 
objtool/klp: Don't set sym->file for section symbols

Section symbols aren't grouped after their corresponding FILE symbols.
Their sym->file should really be NULL rather than whatever random FILE
happened to be last.

Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
8 weeks agoklp-build: Remove redundant SRC and OBJ variables
Josh Poimboeuf [Thu, 30 Apr 2026 15:54:57 +0000 (08:54 -0700)] 
klp-build: Remove redundant SRC and OBJ variables

SRC and OBJ are both set to $(pwd) and are always identical.  The script
already enforces that klp-build runs from the kernel root directory, and
builds are done in-place, making these variables unnecessary.

Suggested-by: Song Liu <song@kernel.org>
Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
8 weeks agoklp-build: Print "objtool klp diff" command in verbose mode
Josh Poimboeuf [Fri, 3 Apr 2026 23:17:46 +0000 (16:17 -0700)] 
klp-build: Print "objtool klp diff" command in verbose mode

Print the full objtool command line when '--verbose' is given to help
with debugging.

Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
8 weeks agoklp-build: Reject patches to realmode
Josh Poimboeuf [Mon, 20 Apr 2026 02:57:48 +0000 (19:57 -0700)] 
klp-build: Reject patches to realmode

Realmode code is compiled as a separate 16-bit binary and embedded into
the kernel image via rmpiggy.S.  It can't be livepatched.

Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
8 weeks agoklp-build: Reject patches to vDSO
Josh Poimboeuf [Sun, 12 Apr 2026 19:09:39 +0000 (12:09 -0700)] 
klp-build: Reject patches to vDSO

vDSO code runs in userspace and can't be livepatched.  Such patches also
cause spurious "new function" errors due to generated files like
vdso*-image.c having unstable line numbers across builds.

Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
8 weeks agoklp-build: Fix patch cleanup on interrupt
Josh Poimboeuf [Fri, 3 Apr 2026 02:08:39 +0000 (19:08 -0700)] 
klp-build: Fix patch cleanup on interrupt

If a build error occurs and the user hits Ctrl-C while a large patch is
being reverted during cleanup, the cleanup EXIT trap gets re-triggered
and tries to re-revert the already partially-reverted patch.  That
causes 'patch -R' to repeatedly prompt

  "Unreversed patch detected!  Ignore -R? [n]"

for each already-reverted hunk, with no way to break out.

Fix it by adding '--force' to the patch revert command in
revert_patch(), which causes it to silently ignore already-reverted
hunks.  And ignore errors, as the cleanup is always best-effort.

For similar reasons, add to APPLIED_PATCHES before (rather than after)
applying the patch in apply_patch() so an interrupted apply will also
get cleaned up.

Fixes: d36a7343f4ba ("livepatch/klp-build: switch to GNU patch and recountdiff")
Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
8 weeks agoklp-build: Suppress excessive fuzz output by default
Josh Poimboeuf [Fri, 3 Apr 2026 23:17:31 +0000 (16:17 -0700)] 
klp-build: Suppress excessive fuzz output by default

When a patch applies with fuzz, the detailed output from the patch tool
can be very noisy, especially for big patches.

Suppress the fuzz details by default, while keeping the "applied with
fuzz" warning.  The noise can be restored with '--verbose'.

Acked-by: Song Liu <song@kernel.org>
Reviewed-by: Miroslav Benes <mbenes@suse.cz>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
8 weeks agoklp-build: Validate patch file existence
Josh Poimboeuf [Fri, 3 Apr 2026 02:48:45 +0000 (19:48 -0700)] 
klp-build: Validate patch file existence

Make sure all patch files actually exist.  Otherwise there can be
confusing errors later.

Acked-by: Song Liu <song@kernel.org>
Reviewed-by: Miroslav Benes <mbenes@suse.cz>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
8 weeks agoklp-build: Don't use errexit
Josh Poimboeuf [Sun, 5 Apr 2026 23:17:08 +0000 (16:17 -0700)] 
klp-build: Don't use errexit

The errtrace option (combined with the ERR trap) already serves the same
function (and more) as errexit, so errexit is redundant.  And it has
more pitfalls.  Remove it.

Acked-by: Song Liu <song@kernel.org>
Reviewed-by: Miroslav Benes <mbenes@suse.cz>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
8 weeks agoklp-build: Fix checksum comparison for changed offsets
Josh Poimboeuf [Sat, 11 Apr 2026 04:49:56 +0000 (21:49 -0700)] 
klp-build: Fix checksum comparison for changed offsets

The klp-build -f/--show-first-changed feature uses diff to compare
checksum log lines between original and patched objects.  However, diff
compares entire lines, including the offset field.  When a function is
at a different section offset, the offset field differs even though the
instruction checksum is identical, causing the wrong instruction to be
printed.

Only compare the checksum field when looking for the first changed
instruction.  Also print both the original and patched offsets when they
differ.

Fixes: 78be9facfb5e ("livepatch/klp-build: Add --show-first-changed option to show function divergence")
Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>