Johan Hovold [Fri, 27 Mar 2026 10:43:05 +0000 (11:43 +0100)]
spi: ch341: fix devres lifetime
USB drivers bind to USB interfaces and any device managed resources
should have their lifetime tied to the interface rather than parent USB
device. This avoids issues like memory leaks when drivers are unbound
without their devices being physically disconnected (e.g. on probe
deferral or configuration changes).
Fix the controller and driver data lifetime so that they are released
on driver unbind.
Note that this also makes sure that the SPI controller is placed
correctly under the USB interface in the device tree.
Fixes: 8846739f52af ("spi: add ch341a usb2spi driver") Cc: stable@vger.kernel.org # 6.11 Cc: Johannes Thumshirn <jth@kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org> Link: https://patch.msgid.link/20260327104305.1309915-3-johan@kernel.org Signed-off-by: Mark Brown <broonie@kernel.org>
Johan Hovold [Fri, 27 Mar 2026 10:43:04 +0000 (11:43 +0100)]
spi: ch341: fix memory leaks on probe failures
Make sure to deregister the controller, disable pins, and kill and free
the RX URB on probe failures to mirror disconnect and avoid memory
leaks and use-after-free.
Also add an explicit URB kill on disconnect for symmetry (even if that
is not strictly required as USB core would have stopped it in the
current setup).
Fixes: 8846739f52af ("spi: add ch341a usb2spi driver") Cc: stable@vger.kernel.org # 6.11 Cc: Johannes Thumshirn <jth@kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org> Link: https://patch.msgid.link/20260327104305.1309915-2-johan@kernel.org Signed-off-by: Mark Brown <broonie@kernel.org>
Merge tag 'renesas-dts-for-v7.1-tag2' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/renesas-devel into soc/dt
Renesas DTS updates for v7.1 (take two)
- Add DT overlay support for the MayQueen PixPaper display on the
Yuridenki-Shokai Kakip board,
- Add Ethernet PHY interrupt support for the RZ/T2H and RZ/N2H EVK
boards,
- Add SPI and PCIe support for the RZ/G3E SoC and the RZ/G3E SMARC EVK
board,
- Add DT overlay support for the WaveShare 13.3" 1920x1080 DSI
Capacitive Touch Display and the Olimex MIPI-HDMI adapter on the
Retronix Sparrow Hawk board,
- Drop several superfluous C22 Ethernet PHY compatible strings,
- Remove WDT nodes meant for other CPU cores on the RZ/V2N SoC,
- Remove unavailable LVDS panel support for the Beacon ReneSoM base
board,
- Add initial support for the RZ/G3L (R9A08G046) SoC, and the RZ/G3L
SMARC SoM and EVK boards,
- Add Versa3 clock generator support for the RZ/V2H EVK development
board,
- Miscellaneous fixes and improvements.
Kevin Brodsky [Wed, 18 Mar 2026 09:25:43 +0000 (09:25 +0000)]
arm64: mm: Use generic enum pgtable_level
enum pgtable_type was introduced for arm64 by commit c64f46ee1377
("arm64: mm: use enum to identify pgtable level instead of
*_SHIFT"). In the meantime, the generic enum pgtable_level got
introduced by commit b22cc9a9c7ff ("mm/rmap: convert "enum
rmap_level" to "enum pgtable_level"").
Let's switch to the generic enum pgtable_level. The only difference
is that it also includes PGD level; __pgd_pgtable_alloc() isn't
expected to create PGD tables so we add a VM_WARN_ON() for that
case.
Suggested-by: David Hildenbrand (Arm) <david@kernel.org> Reviewed-by: David Hildenbrand (Arm) <david@kernel.org> Reviewed-by: Ryan Roberts <ryan.roberts@arm.com> Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com> Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com> Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
arm64/mm: Reject memory removal that splits a kernel leaf mapping
Linear and vmemmap mappings that get torn down during a memory hot remove
operation might contain leaf level entries on any page table level. If the
requested memory range's linear or vmemmap mappings falls within such leaf
entries, new mappings need to be created for the remaining memory mapped on
the leaf entry earlier, following standard break before make aka BBM rules.
But kernel cannot tolerate BBM and hence remapping to fine grained leaves
would not be possible on systems without BBML2_NOABORT.
Currently memory hot remove operation does not perform such restructuring,
and so removing memory ranges that could split a kernel leaf level mapping
need to be rejected.
While memory_hotplug.c does appear to permit hot removing arbitrary ranges
of memory, the higher layers that drive memory_hotplug (e.g. ACPI, virtio,
...) all appear to treat memory as fixed size devices. So it is impossible
to hot unplug a different amount than was previously hot plugged, and hence
we should never see a rejection in practice, but adding the check makes us
robust against a future change.
Cc: Will Deacon <will@kernel.org> Cc: linux-arm-kernel@lists.infradead.org Cc: linux-kernel@vger.kernel.org Link: https://lore.kernel.org/all/aWZYXhrT6D2M-7-N@willie-the-truck/ Reviewed-by: David Hildenbrand (Arm) <david@kernel.org> Reviewed-by: Ryan Roberts <ryan.roberts@arm.com> Suggested-by: Ryan Roberts <ryan.roberts@arm.com> Signed-off-by: Anshuman Khandual <anshuman.khandual@arm.com> Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
arm64/mm: Enable batched TLB flush in unmap_hotplug_range()
During a memory hot remove operation, both linear and vmemmap mappings for
the memory range being removed, get unmapped via unmap_hotplug_range() but
mapped pages get freed only for vmemmap mapping. This is just a sequential
operation where each table entry gets cleared, followed by a leaf specific
TLB flush, and then followed by memory free operation when applicable.
This approach was simple and uniform both for vmemmap and linear mappings.
But linear mapping might contain CONT marked block memory where it becomes
necessary to first clear out all entire in the range before a TLB flush.
This is as per the architecture requirement. Hence batch all TLB flushes
during the table tear down walk and finally do it in unmap_hotplug_range().
Prior to this fix, it was hypothetically possible for a speculative access
to a higher address in the contiguous block to fill the TLB with shattered
entries for the entire contiguous range after a lower address had already
been cleared and invalidated. Due to the table entries being shattered, the
subsequent TLB invalidation for the higher address would not then clear the
TLB entries for the lower address, meaning stale TLB entries could persist.
Besides it also helps in improving the performance via TLBI range operation
along with reduced synchronization instructions. The time spent executing
unmap_hotplug_range() improved 97% measured over a 2GB memory hot removal
in KVM guest.
This scheme is not applicable during vmemmap mapping tear down where memory
needs to be freed and hence a TLB flush is required after clearing out page
table entry.
Cc: Will Deacon <will@kernel.org> Cc: linux-arm-kernel@lists.infradead.org Cc: linux-kernel@vger.kernel.org Closes: https://lore.kernel.org/all/aWZYXhrT6D2M-7-N@willie-the-truck/ Fixes: bbd6ec605c0f ("arm64/mm: Enable memory hot remove") Cc: stable@vger.kernel.org Reviewed-by: David Hildenbrand (Arm) <david@kernel.org> Reviewed-by: Ryan Roberts <ryan.roberts@arm.com> Signed-off-by: Ryan Roberts <ryan.roberts@arm.com> Signed-off-by: Anshuman Khandual <anshuman.khandual@arm.com> Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Li Ming [Wed, 1 Apr 2026 12:49:51 +0000 (20:49 +0800)]
cxl/region: Add a region sysfs interface for region lock status
There are 3 scenarios that leads to a locked region:
1. A region is created on a root decoder with Fixed Device Confiuration
attribute.
2. CXL_HDM_DECODER0_CTRL_LOCK.
Both 1 & 1 are well described in:
commit 2230c4bdc412 ("cxl: Add handling of locked CXL decoder")
3) Platform that has region creation with PRMT address translation always
locks the region, regardless of the FIXED attribute or decoder ctrl bit.
Region locked means region destroy operations are not permitted. CXL
region driver returns -EPERM for region destroy operations.
Although the locked status of the corresponding root decoder implies the
region is also locked, exposing the region lock status directly to
userspace improves usability for users who may not be aware of this
relationship.
[ dj: Amended commit log with additional locking scenarios. ]
Signed-off-by: Li Ming <ming.li@zohomail.com> Reviewed-by: Dave Jiang <dave.jiang@intel.com> Reviewed-by: Alejandro Lucero <alucerop@amd.com> Reviewed-by: Alison Schofield <alison.schofield@intel.com> Link: https://patch.msgid.link/20260401124951.1290041-1-ming.li@zohomail.com Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Merge tag 'stm32-dt-for-7.1-1' of git://git.kernel.org/pub/scm/linux/kernel/git/atorgue/stm32 into soc/dt
STM32 DT for v7.1, round 1
Highlights:
----------
- MPU:
- STM32MP13:
- Introduce and enable debug bus on DK board.
- Enable Coresight on DK board.
- Add DT overlays for DH board.
- Add Wakeup capabilities on I2C nodes.
- STMP32MP15:
- ST:
- Enable DCMI DMA chaining to improve performances.
- Introduce and enable debug bus on EV and DK board.
- Enable Coresight on EV and DK board.
- DH:
- Add DT overlays for DH board.
- Phytec:
- Rename "Phycore" to "phyboard-sargas" DT files and introduce
SOM device tree file.
- Fix and enhance current support.
- STM32MP21:
- Add Bsec support.
- STM32MP23:
- Add LTDC and LVDS support and enable display on STM32MP235F-DK
board.
- STM32MP25:
- Enable display on STM32MP235F-DK board.
* tag 'stm32-dt-for-7.1-1' of git://git.kernel.org/pub/scm/linux/kernel/git/atorgue/stm32: (42 commits)
arm64: defconfig: Enable STMicroelectronics STM32 display support
arm64: dts: st: enable display support on stm32mp257f-dk board
arm64: dts: st: describe power supplies for stm32mp257f-dk board
arm64: dts: st: enable display support on stm32mp235f-dk board
arm64: dts: st: describe power supplies for stm32mp235f-dk board
arm64: dts: st: add clock-cells to syscfg node on stm32mp231
arm64: dts: st: add lvds support on stm32mp235
arm64: dts: st: add ltdc support on stm32mp235
arm64: dts: st: add ltdc support on stm32mp231
arm64: dts: st: omit unused pinctrl groups from stm32mp25 dtb files
arm64: dts: st: add bootph-all in bsec node to stm32mp215f-dk
arm64: dts: st: add bsec support to stm32mp21
ARM: dts: stm32: fix misalignments in nodes of stm32mp131
ARM: dts: stm32: fix misalignments in nodes of stm32mp151
arm64: dts: st: describe i2c2 / i2c8 on stm32mp235f-dk
arm64: dts: st: describe i2c2 / i2c8 on stm32mp257f-dk
arm64: dts: st: disable DMA usage for i2c on stm32mp257f-ev1
arm64: dts: st: add i2c2 pinmux nodes in stm32mp25-pinctrl.dtsi
arm64: dts: st: update i2c nodes interrupt/wakeup-source in stm32mp231
arm64: dts: st: update i2c nodes interrupt/wakeup-source in stm32mp251
...
KVM: arm64: vgic-v5: Fold PPI state for all exposed PPIs
GICv5 supports up to 128 PPIs, which would introduce a large amount of
overhead if all of them were actively tracked. Rather than keeping
track of all 128 potential PPIs, we instead only consider the set of
architected PPIs (the first 64). Moreover, we further reduce that set
by only exposing a subset of the PPIs to a guest. In practice, this
means that only 4 PPIs are typically exposed to a guest - the SW_PPI,
PMUIRQ, and the timers.
When folding the PPI state, changed bits in the active or pending were
used to choose which state to sync back. However, this breaks badly
for Edge interrupts when exiting the guest before it has consumed the
edge. There is no change in pending state detected, and the edge is
lost forever.
Given the reduced set of PPIs exposed to the guest, and the issues
around tracking the edges, drop the tracking of changed state, and
instead iterate over the limited subset of PPIs exposed to the guest
directly.
This change drops the second copy of the PPI pending state used for
detecting edges in the pending state, and reworks
vgic_v5_fold_ppi_state() to iterate over the VM's PPI mask instead.
Zhan Xusheng [Tue, 31 Mar 2026 07:48:11 +0000 (15:48 +0800)]
hrtimer: Fix incorrect #endif comment for BITS_PER_LONG check
The #endif comment says "BITS_PER_LONG >= 64", but the corresponding #if
guard is "BITS_PER_LONG < 64".
The comment was originally correct when the block had a three-way
#if/#else/#endif structure, where the #else branch provided a 64-bit inline
version. Commit 79bf2bb335b8 ("[PATCH] tick-management: dyntick / highres
functionality") removed the #else branch but did not update the #endif
comment, leaving it inconsistent with the remaining #if condition.
In a PowerNV environment, for devices that supports DMA mask less than
64 bit but larger than 32 bits, iommu is incorrectly bypassing DMA
APIs while allocating and mapping buffers for DMA operations.
Devices are failing with ENOMEN during probe with the following messages
amdgpu 0000:01:00.0: [drm] Detected VRAM RAM=4096M, BAR=4096M
amdgpu 0000:01:00.0: [drm] RAM width 128bits GDDR5
amdgpu 0000:01:00.0: iommu: 64-bit OK but direct DMA is limited by 0
amdgpu 0000:01:00.0: dma_iommu_get_required_mask: returning bypass mask 0xfffffffffffffff
amdgpu 0000:01:00.0: 4096M of VRAM memory ready
amdgpu 0000:01:00.0: 32570M of GTT memory ready.
amdgpu 0000:01:00.0: (-12) failed to allocate kernel bo
amdgpu 0000:01:00.0: [drm] Debug VRAM access will use slowpath MM access
amdgpu 0000:01:00.0: [drm] GART: num cpu pages 4096, num gpu pages 65536
amdgpu 0000:01:00.0: [drm] PCIE GART of 256M enabled (table at 0x000000F4FFF80000).
amdgpu 0000:01:00.0: (-12) failed to allocate kernel bo
amdgpu 0000:01:00.0: (-12) create WB bo failed
amdgpu 0000:01:00.0: amdgpu_device_wb_init failed -12
amdgpu 0000:01:00.0: amdgpu_device_ip_init failed
amdgpu 0000:01:00.0: Fatal error during GPU init
amdgpu 0000:01:00.0: finishing device.
amdgpu 0000:01:00.0: probe with driver amdgpu failed with error -12
amdgpu 0000:01:00.0: ttm finalized
Merge tag 'samsung-dt64-7.1' of https://git.kernel.org/pub/scm/linux/kernel/git/krzk/linux into soc/dt
Samsung DTS ARM64 changes for v7.1
1. Add initial support for Axis ARTPEC-9 SoC and Alfred board using it.
Just like ARTPEC-8, this is a derivative of Samsung Exynos SoC made
for Axis, sharing most or all of core SoC blocks with Samsung
designs.
2. New boards: Exynos7870 based Samsung Galaxy J7 (2016) and Samsung
Galaxy J5 (2017).
3. Google GS101 Pixel phone: describe all PMIC regulators and Maxim
fuel-gauge.
KVM: arm64: selftests: Avoid testing the IMPDEF behavior
It turned out that we can't really force KVM to use the "slow" path when
emulating AT instructions [1]. We should therefore avoid testing the IMPDEF
behavior (i.e., TEST_ACCESS_FLAG - address translation instructions are
permitted to update AF but not required).
Merge tag 'arm-soc/for-7.1/devicetree-arm64' of https://github.com/Broadcom/stblinux into soc/dt
This pull request contains Broadcom ARM64-based SoCs Device Tree updates
for 7.1, please pull the following:
- Maira adds the V3D DT node to the 2712 (Raspberry Pi 5) SoC
- Gergor adds the I2C controller, CSI (camera), ISP (image signal
processor), fixes the pinctrl node and updates the UART10 interrupt
for the RP1 sister chip to the 2712 (Raspberry Pi 5)
- Rob moves the firmware and GPU to the root level to fix DTC warnings
Anas Iqbal [Tue, 31 Mar 2026 21:07:39 +0000 (22:07 +0100)]
io_uring: cast id to u64 before shifting in io_allocate_rbuf_ring()
Smatch warns:
io_uring/zcrx.c:393 io_allocate_rbuf_ring() warn: should 'id << 16' be a 64 bit type?
The expression 'id << IORING_OFF_PBUF_SHIFT' is evaluated using 32-bit
arithmetic because id is a u32. This may overflow before being promoted
to the 64-bit mmap_offset.
Cast id to u64 before shifting to ensure the shift is performed in
64-bit arithmetic.
Pavel Begunkov [Tue, 31 Mar 2026 21:07:38 +0000 (22:07 +0100)]
io_uring/zcrx: reject REG_NODEV with large rx_buf_size
The copy fallback path doesn't care about the actual niov size and only
uses first PAGE_SIZE bytes, and any additional space will be wasted.
Since ZCRX_REG_NODEV solely relies on the copy path, it doesn't make
sense to support non-standard rx_buf_len. Reject it for now, and
re-enable once improved.
io_uring/cancel: validate opcode for IORING_ASYNC_CANCEL_OP
io_async_cancel_prep() reads the opcode selector from sqe->len and
stores it in cancel->opcode, which is an 8-bit field. Since sqe->len
is a 32-bit value, values larger than U8_MAX are implicitly truncated.
This can cause unintended opcode matches when the truncated value
corresponds to a valid io_uring opcode. For example, submitting a value
such as 0x10b will be truncated to 0x0b (IORING_OP_TIMEOUT), allowing a
cancel request to match operations it did not intend to target.
Validate the opcode value before assigning it to the 8-bit field and
reject values outside the valid io_uring opcode range.
Jackie Liu [Tue, 31 Mar 2026 10:45:09 +0000 (18:45 +0800)]
io_uring/rsrc: use io_cache_free() to free node
Replace kfree(node) with io_cache_free() in io_buffer_register_bvec()
to match all other error paths that free nodes allocated via
io_rsrc_node_alloc(). The node is allocated through io_cache_alloc()
internally, so it should be returned to the cache via io_cache_free()
for proper object reuse.
Pavel Begunkov [Mon, 23 Mar 2026 12:44:03 +0000 (12:44 +0000)]
io_uring/zcrx: cache fallback availability in zcrx ctx
Store a flag in struct io_zcrx_ifq telling if the backing memory is
normal page or dmabuf based. It was looking it up from the area, however
it logically allocates from the zcrx ctx and not a particular area, and
once we add more than one area it'll become a mess.
Pavel Begunkov [Mon, 23 Mar 2026 12:44:01 +0000 (12:44 +0000)]
io_uring/zcrx: consolidate dma syncing
Split refilling into two steps, first allocate niovs, and then do DMA
sync for them. This way dma synchronisation code can be better
optimised. E.g. we don't need to call dma_dev_need_sync() for each every
niov, and maybe we can coalesce sync for adjacent netmems in the future
as well.
Pavel Begunkov [Mon, 23 Mar 2026 12:44:00 +0000 (12:44 +0000)]
io_uring/zcrx: netmem array as refiling format
Instead of peeking into page pool allocation cache directly or via
net_mp_netmem_place_in_cache(), pass a netmem array around. It's a
better intermediate format, e.g. you can have it on stack and reuse the
refilling code and decouples it from page pools a bit more.
It still points into the page pool directly, there will be no additional
copies. As the next step, we can change the callback prototype to take
the netmem array from page pool.
Pavel Begunkov [Mon, 23 Mar 2026 12:43:58 +0000 (12:43 +0000)]
io_uring/zcrx: move count check into zcrx_get_free_niov
Instead of relying on the caller of __io_zcrx_get_free_niov() to check
that there are free niovs available (i.e. free_count > 0), move the
check into the function and return NULL if can't allocate. It
consolidates the free count checks, and it'll be easier to extend the
niov free list allocator in the future.
Pavel Begunkov [Mon, 23 Mar 2026 12:43:54 +0000 (12:43 +0000)]
io_uring/zcrx: implement device-less mode for zcrx
Allow creating a zcrx instance without attaching it to a net device.
All data will be copied through the fallback path. The user is also
expected to use ZCRX_CTRL_FLUSH_RQ to handle overflows as it normally
should even with a netdev, but it becomes even more relevant as there
will likely be no one to automatically pick up buffers.
Apart from that, it follows the zcrx uapi for the I/O path, and is
useful for testing, experimentation, and potentially for the copy
receive path in the future if improved.
Pavel Begunkov [Mon, 23 Mar 2026 12:43:52 +0000 (12:43 +0000)]
io_uring/zcrx: always dma map in advance
zcrx was originally establisihing dma mappings at a late stage when it
was being bound to a page pool. Dma-buf couldn't work this way, so it's
initialised during area creation.
It's messy having them do it at different spots, just move everything to
the area creation time.
Pavel Begunkov [Mon, 23 Mar 2026 12:43:51 +0000 (12:43 +0000)]
io_uring/zcrx: fully clean area on error in io_import_umem()
When accounting fails, io_import_umem() sets the page array, etc. and
returns an error expecting that the error handling code will take care
of the rest. To make the next patch simpler, only return a fully
initialised areas from the function.
Pavel Begunkov [Mon, 23 Mar 2026 12:43:50 +0000 (12:43 +0000)]
io_uring/zcrx: return back two step unregistration
There are reports where io_uring instance removal takes too long and an
ifq reallocation by another zcrx instance fails. Split zcrx destruction
into two steps similarly how it was before, first close the queue early
but maintain zcrx alive, and then when all inflight requests are
completed, drop the main zcrx reference. For extra protection, mark
terminated zcrx instances in xarray and warn if we double put them.
reset: rzv2h-usb2phy: Add support for VBUS mux controller registration
The RZ/V2H USB2 PHY requires control of the VBUS selection line
(VBENCTL) through a mux controller described in the device tree as
"mux-controller". This change adds support for registering the
rzv2h-usb-vbenctl auxiliary driver during probe.
This enables proper management of USB2.0 VBUS source selection on
platforms using the RZ/V2H SoC.
Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Tommaso Merciai <tommaso.merciai.xr@bp.renesas.com> Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Replace raw MMIO accesses (readl/writel) with regmap_read() and
regmap_multi_reg_write() via devm_regmap_init_mmio().
Drop the manual spinlock as regmap provides internal locking.
Replace the custom rzv2h_usb2phy_regval struct with the standard
reg_sequence, and encode assert/deassert sequences as reg_sequence
arrays rather than individual scalar fields in the of_data
descriptor.
Use the reg_sequence .delay_us field to encode the 11 µs post-assert
delay, replacing the explicit usleep_range(11, 20) call in
rzv2h_usbphy_reset_assert().
Select REGMAP_MMIO in Kconfig.
Signed-off-by: Tommaso Merciai <tommaso.merciai.xr@bp.renesas.com> Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Document USB2PHY reset controller bindings for RZ/G3E ("R9A09G047") SoC.
The RZ/G3E USB2PHY reset controller is functionally identical to the one
found on the RZ/V2H(P), so no driver changes are needed. The existing
"renesas,r9a09g057-usb2phy-reset" will be used as a fallback compatible
for this IP.
Add the '#mux-state-cells' property to support describing the USB VBUS_SEL
multiplexer as a mux-controller in the Renesas RZ/V2H(P) USB2PHY binding.
The mux-controller cannot be integrated into the parent USB2PHY node
because the VBUS source selector is part of a separate hardware block,
not the USB2PHY block itself.
This is required to properly configure USB PHY power selection on
RZ/V2H(P) and RZ/G3E SoCs.
Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Signed-off-by: Tommaso Merciai <tommaso.merciai.xr@bp.renesas.com> Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Add bindings for the Awinic AW86938 haptic chip which can be found in
smartphones. These two chips require a similar devicetree configuration,
but have a register layout that's not 100% compatible.
Still, because chip model is fully detectable via ID register, these
chips can be documnented in the same file.
David Laight [Mon, 23 Mar 2026 11:22:47 +0000 (11:22 +0000)]
tools/nolibc/printf: Support negative variable width and precision
For (eg) "%*.*s" treat a negative field width as a request to left align
the output (the same as the '-' flag), and a negative precision to
request the default precision.
Set the default precision to -1 (not INT_MAX) and add explicit checks
to the string handling for negative values (makes the tet unsigned).
For numeric output check for 'precision >= 0' instead of testing
_NOLIBC_PF_FLAGS_CONTAIN(flags, '.').
This needs an inverted test, some extra goto and removes an indentation.
The changed conditionals fix printf("%0-#o", 0) - but '0' and '-' shouldn't
both be specified.
Will Deacon [Fri, 27 Mar 2026 19:27:57 +0000 (19:27 +0000)]
KVM: arm64: Destroy stage-2 page-table in kvm_arch_destroy_vm()
kvm_arch_destroy_vm() can be called on the kvm_create_vm() error path
after we have failed to register the MMU notifiers for the new VM. In
this case, we cannot rely on the MMU ->release() notifier to call
kvm_arch_flush_shadow_all() and so the stage-2 page-table allocated in
kvm_arch_init_vm() will be leaked.
Explicitly destroy the stage-2 page-table in kvm_arch_destroy_vm(), so
that we clean up after kvm_arch_destroy_vm() without relying on the MMU
notifiers.
Will Deacon [Fri, 27 Mar 2026 19:27:56 +0000 (19:27 +0000)]
KVM: arm64: Don't leave mmu->pgt dangling on kvm_init_stage2_mmu() error
If kvm_init_stage2_mmu() fails to allocate 'mmu->last_vcpu_ran', it
destroys the newly allocated stage-2 page-table before returning ENOMEM.
Unfortunately, it also leaves a dangling pointer in 'mmu->pgt' which
points at the freed 'kvm_pgtable' structure. This is likely to confuse
the kvm_vcpu_init_nested() failure path which can double-free the
structure if it finds it via kvm_free_stage2_pgd().
Ensure that the dangling 'mmu->pgt' pointer is cleared when returning an
error from kvm_init_stage2_mmu().
Sebastian Ene [Mon, 30 Mar 2026 10:54:41 +0000 (10:54 +0000)]
KVM: arm64: Prevent the host from using an smc with imm16 != 0
The ARM Service Calling Convention (SMCCC) specifies that the function
identifier and parameters should be passed in registers, leaving the
16-bit immediate field un-handled in pKVM when an SMC instruction is
trapped.
Since the HVC is a private interface between EL2 and the host,
enforce the host kernel running under pKVM to use an immediate value
of 0 only when using SMCs to make it clear for non-compliant software
talking to Trustzone that we only use SMCCC.
Dan Williams [Fri, 27 Mar 2026 05:28:21 +0000 (22:28 -0700)]
tools/testing/cxl: Test dax_hmem takeover of CXL regions
When platform firmware is committed to publishing EFI_CONVENTIONAL_MEMORY
in the memory map, but CXL fails to assemble the region, dax_hmem can
attempt to attach a dax device to the memory range.
Take advantage of the new ability to support multiple "hmem_platform"
devices, and to enable regression testing of several scenarios:
* CXL correctly assembles a region, check dax_hmem fails to attach dax
* CXL fails to assemble a region, check dax_hmem successfully attaches dax
* Check that loading the dax_cxl driver loads the dax_hmem driver
* Attempt to race cxl_mock_mem async probe vs dax_hmem probe flushing.
Check that both positive and negative cases.
Signed-off-by: Dan Williams <dan.j.williams@intel.com> Reviewed-by: Ira Weiny <ira.weiny@intel.com> Reviewed-by: Dave Jiang <dave.jiang@intel.com> Reviewed-by: Alison Schofield <alison.schofield@intel.com> Tested-by: Alison Schofield <alison.schofield@intel.com> Link: https://patch.msgid.link/20260327052821.440749-10-dan.j.williams@intel.com Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Dan Williams [Fri, 27 Mar 2026 05:28:20 +0000 (22:28 -0700)]
tools/testing/cxl: Simulate auto-assembly failure
Add a cxl_test module option to skip setting up one of the members of the
default auto-assembled region.
This simulates a device failing between firmware setup and OS boot, or
region configuration interrupted by an event like kexec.
Signed-off-by: Dan Williams <dan.j.williams@intel.com> Reviewed-by: Ira Weiny <ira.weiny@intel.com> Reviewed-by: Alison Schofield <alison.schofield@intel.com> Reviewed-by: Dave Jiang <dave.jiang@intel.com> Link: https://patch.msgid.link/20260327052821.440749-9-dan.j.williams@intel.com Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Dan Williams [Fri, 27 Mar 2026 05:28:19 +0000 (22:28 -0700)]
dax/hmem: Parent dax_hmem devices
For test purposes it is useful to be able to determine which
"hmem_platform" device is hosting a given sub-device.
Register hmem devices underneath "hmem_platform".
Signed-off-by: Dan Williams <dan.j.williams@intel.com> Reviewed-by: Ira Weiny <ira.weiny@intel.com> Reviewed-by: Alison Schofield <alison.schofield@intel.com> Reviewed-by: Dave Jiang <dave.jiang@intel.com> Link: https://patch.msgid.link/20260327052821.440749-8-dan.j.williams@intel.com Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Dan Williams [Fri, 27 Mar 2026 05:28:18 +0000 (22:28 -0700)]
dax/hmem: Fix singleton confusion between dax_hmem_work and hmem devices
dax_hmem (ab)uses a platform device to allow for a module to autoload in
the presence of "Soft Reserved" resources. The dax_hmem driver had no
dependencies on the "hmem_platform" device being a singleton until the
recent "dax_hmem vs dax_cxl" takeover solution.
Replace the layering violation of dax_hmem_work assuming that there will
never be more than one "hmem_platform" device associated with a global work
item with a dax_hmem local workqueue that can theoretically support any
number of hmem_platform devices.
Fixup the reference counting to only pin the device while it is live in the
queue.
Signed-off-by: Dan Williams <dan.j.williams@intel.com> Reviewed-by: Ira Weiny <ira.weiny@intel.com> Reviewed-by: Alison Schofield <alison.schofield@intel.com> Reviewed-by: Dave Jiang <dave.jiang@intel.com> Link: https://patch.msgid.link/20260327052821.440749-7-dan.j.williams@intel.com Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Dan Williams [Fri, 27 Mar 2026 05:28:17 +0000 (22:28 -0700)]
dax/hmem: Reduce visibility of dax_cxl coordination symbols
No other module or use case should be using dax_hmem_initial_probe or
dax_hmem_flush_work(). Limit their use to dax_hmem, and dax_cxl
respectively.
Signed-off-by: Dan Williams <dan.j.williams@intel.com> Reviewed-by: Ira Weiny <ira.weiny@intel.com> Reviewed-by: Alison Schofield <alison.schofield@intel.com> Reviewed-by: Dave Jiang <dave.jiang@intel.com> Link: https://patch.msgid.link/20260327052821.440749-6-dan.j.williams@intel.com Signed-off-by: Dave Jiang <dave.jiang@intel.com>
The call to cxl_region_resource_contains() in hmem_register_cxl_device()
need not cast away 'const'. The problem is the usage of the
bus_for_each_dev() API which does not mark its @data parameter as 'const'.
Switch to bus_find_device() which does take 'const' @data, fixup
cxl_region_resource_contains() and its caller.
Signed-off-by: Dan Williams <dan.j.williams@intel.com> Reviewed-by: Ira Weiny <ira.weiny@intel.com> Reviewed-by: Alison Schofield <alison.schofield@intel.com> Reviewed-by: Dave Jiang <dave.jiang@intel.com> Link: https://patch.msgid.link/20260327052821.440749-5-dan.j.williams@intel.com Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Dan Williams [Fri, 27 Mar 2026 05:28:15 +0000 (22:28 -0700)]
cxl/region: Limit visibility of cxl_region_contains_resource()
The dax_hmem dependency on cxl_region_contains_resource() is a one-off
special case. It is not suitable for other use cases.
Move the definition to the other CONFIG_CXL_REGION guarded definitions in
drivers/cxl/cxl.h and include that by a relative path include. This matches
what drivers/dax/cxl.c does for its limited private usage of CXL core
symbols.
Reduce the symbol export visibility from global to just dax_hmem, to
further clarify its applicability.
Signed-off-by: Dan Williams <dan.j.williams@intel.com> Reviewed-by: Ira Weiny <ira.weiny@intel.com> Reviewed-by: Alison Schofield <alison.schofield@intel.com> Reviewed-by: Dave Jiang <dave.jiang@intel.com> Link: https://patch.msgid.link/20260327052821.440749-4-dan.j.williams@intel.com Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Dan Williams [Fri, 27 Mar 2026 05:28:14 +0000 (22:28 -0700)]
dax/cxl: Fix HMEM dependencies
The expectation is that DEV_DAX_HMEM=y should be disallowed if any of
CXL_ACPI, or CXL_PCI are set =m. Also DEV_DAX_CXL=y should be disallowed if
DEV_DAX_HMEM=m. Use "$config || !$config" syntax for each dependency.
Otherwise, the invalid DEV_DAX_HMEM=m && DEV_DAX_CXL=y configuration is
allowed.
Lastly, dax_hmem depends on the availability of the
cxl_region_contains_resource() symbol published by the cxl_core.ko module.
So, also prevent DEV_DAX_HMEM from being built-in when the cxl_core module
is not built-in.
Signed-off-by: Dan Williams <dan.j.williams@intel.com> Reviewed-by: Ira Weiny <ira.weiny@intel.com> Reviewed-by: Alison Schofield <alison.schofield@intel.com> Reviewed-by: Dave Jiang <dave.jiang@intel.com> Link: https://patch.msgid.link/20260327052821.440749-3-dan.j.williams@intel.com Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Dan Williams [Fri, 27 Mar 2026 05:28:13 +0000 (22:28 -0700)]
cxl/region: Fix use-after-free from auto assembly failure
The following crash signature results from region destruction while an
endpoint decoder is staged, but not fully attached.
[ dj: Moved bus_find_device( to next line. ]
Signed-off-by: Dan Williams <dan.j.williams@intel.com> Reviewed-by: Ira Weiny <ira.weiny@intel.com> Reviewed-by: Alison Schofield <alison.schofield@intel.com> Reviewed-by: Dave Jiang <dave.jiang@intel.com> Link: https://patch.msgid.link/20260327052821.440749-2-dan.j.williams@intel.com Signed-off-by: Dave Jiang <dave.jiang@intel.com>
dt-bindings: display/msm: move DSI PHY bindings to phy/ subdir
Historically DSI PHY bindings landed to the display/msm subdir, however
they describe PHYs and as such they should be in the phy/ subdir.
Follow the example of other Qualcomm display-related PHYs (HDMI, eDP)
and move bindings for the Qualcomm DSI PHYs to the correct subdir.
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org> Acked-by: Vinod Koul <vkoul@kernel.org>
Patchwork: https://patchwork.freedesktop.org/patch/709008/ Link: https://lore.kernel.org/r/20260305-msm-dsi-phy-v1-1-0a99ac665995@oss.qualcomm.com Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
The driver references CWB array from SM8650, but should use the Eliza
specific, which has different register space sizes. This should not
have noticeable impact on function but is indeed confusing, since the
Eliza table is used for .cwb_count.
Fixes: 0eb707bbc7fc ("drm/msm/dpu: Add support for Eliza SoC") Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/715623/ Link: https://lore.kernel.org/r/20260331161156.211623-2-krzysztof.kozlowski@oss.qualcomm.com Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Vladimir Oltean [Fri, 27 Mar 2026 18:46:53 +0000 (20:46 +0200)]
drm/msm/dp: remove debugging prints with internal struct phy state
These do not provide much value, and will become hard to maintain once
the Generic PHY framework starts hiding the contents of struct phy from
consumers.
Due to historical reasons we ended up with dummy values being specified
for MST-related interfaces some of them had INTF_NONE, others had
non-existing DP controller indices. Those workarounds are no longer
necessary. Fix types and indices for all DP-MST related INTF instances.
The only exception is INTF_3 on SC8180X, which has unique design. It can
be used either with INTF_0 / DP0 or with INTF_4 / DP1. This interface is
left with the dummy value until somebody implements necessary bits for
that platform.
Dmitry Baryshkov [Wed, 25 Mar 2026 03:06:06 +0000 (05:06 +0200)]
drm/msm/mdp5: drop workarounds specific to MDP5 1.0
With support for MSM8974v1 being removed from the driver, there is no
need to keep workarounds specific to that particular MDP5 revision. Drop
them, slightly simplifying the logic.
Dmitry Baryshkov [Wed, 25 Mar 2026 02:59:02 +0000 (04:59 +0200)]
drm/msm/mdp5: drop single flush support
Support for using a single CTL for flushing both interfaces was not in
use since the MDP5 driver dropped support for dual DSI configurations in
the commit df3c7899946c ("drm/msm/mdp5: drop split display support").
Having the MDP 3.x support migrated to the DPU driver the single CTL
flush is applicable to the platforms suspproted by the MDP5 driver. Drop
it alltogether.
Corey Hickey [Tue, 31 Mar 2026 21:49:06 +0000 (14:49 -0700)]
hwmon: (asus-ec-sensors) Fix T_Sensor for PRIME X670E-PRO WIFI
On the Asus PRIME X670E-PRO WIFI, the driver reports a constant value of
zero for T_Sensor. On this board, the register for T_Sensor is at a
different address, as found by experimentation and confirmed by
comparison to an independent temperature reading.
* sensor disconnected: -62.0°C
* ambient temperature: +22.0°C
* held between fingers: +30.0°C
Introduce SENSOR_TEMP_T_SENSOR_ALT1 to support the PRIME X670E-PRO WIFI
without causing a regression for other 600-series boards
Marc Zyngier [Wed, 1 Apr 2026 10:36:11 +0000 (11:36 +0100)]
KVM: arm64: set_id_regs: Allow GICv3 support to be set at runtime
set_id_regs creates a GIC3 guest when possible, and then proceeds
to write the ID registers as if they were not affected by the presence
of a GIC. As it turns out, ID_AA64PFR1_EL1 is the proof of the
contrary.
KVM now makes a point in exposing the GIC support to the guest,
no matter what userspace says (userspace such as QEMU is known to
write silly things at times).
Accommodate for this level of nonsense by teaching set_id_regs about
fields that are mutable, and only compare registers that have been
re-sanitised first.
Marc Zyngier [Wed, 1 Apr 2026 10:36:10 +0000 (11:36 +0100)]
KVM: arm64: Don't advertises GICv3 in ID_PFR1_EL1 if AArch32 isn't supported
Although the AArch32 ID regs are architecturally UNKNOWN when AArch32
isn't supported at any EL, KVM makes a point in making them RAZ.
Therefore, advertising GICv3 in ID_PFR1_EL1 must be gated on AArch32
being supported at least at EL0.
Reviewed-by: Sascha Bischoff <sascha.bischoff@arm.com> Fixes: a258a383b9177 ("KVM: arm64: gic-v5: Sanitize ID_AA64PFR2_EL1.GCIE") Reported-by: Mark Brown <broonie@kernel.org> Tested-by: Mark Brown <broonie@kernel.org> Link: https://patch.msgid.link/20260401103611.357092-16-maz@kernel.org Signed-off-by: Marc Zyngier <maz@kernel.org>
Marc Zyngier [Wed, 1 Apr 2026 10:36:09 +0000 (11:36 +0100)]
KVM: arm64: Correctly plumb ID_AA64PFR2_EL1 into pkvm idreg handling
While we now compute ID_AA64PFR2_EL1 to a glorious 0, we never use
that data and instead return the 0 that corresponds to an allocated
idreg. Not a big deal, but we might as well be consistent.
Marc Zyngier [Wed, 1 Apr 2026 10:36:08 +0000 (11:36 +0100)]
KVM: arm64: Move GICv5 timer PPI validation into timer_irqs_are_valid()
Userspace can set the timer PPI numbers way before a GIC has been
created, leading to odd behaviours on GICv5 as we'd accept non
architectural PPI numbers.
Move the v5 check into timer_irqs_are_valid(), which aligns the
behaviour with the pre-v5 GICs, and is also guaranteed to run
only once a GIC has been configured.
Marc Zyngier [Wed, 1 Apr 2026 10:36:07 +0000 (11:36 +0100)]
KVM: arm64: Remove evaluation of timer state in kvm_cpu_has_pending_timer()
The vgic-v5 code added some evaluations of the timers in a helper funtion
(kvm_cpu_has_pending_timer()) that is called to determine whether
the vcpu can wake-up.
But looking at the timer there is wrong:
- we want to see timers that are signalling an interrupt to the
vcpu, and not just that have a pending interrupt
- we already have kvm_arch_vcpu_runnable() that evaluates the
state of interrupts
- kvm_cpu_has_pending_timer() really is about WFIT, as the timeout
does not generate an interrupt, and is therefore distinct from
the point above
As a consequence, revert these changes and teach vgic_v5_has_pending_ppi()
about checking for pending HW interrupts instead.
Marc Zyngier [Wed, 1 Apr 2026 10:36:06 +0000 (11:36 +0100)]
KVM: arm64: Kill arch_timer_context::direct field
The newly introduced arch_timer_context::direct field is a bit pointless,
as it is always set on timers that are... err... direct, while
we already have a way to get to that by doing a get_map() operation.
Additionally, this field is:
- only set when get_map() is called
- never cleared
and the single point where it is actually checked doesn't call get_map()
at all.
At this stage, it is probably better to just kill it, and rely on
get_map() to give us the correct information.
Marc Zyngier [Wed, 1 Apr 2026 10:36:05 +0000 (11:36 +0100)]
KVM: arm64: vgic-v5: Correctly set dist->ready once initialised
kvm_vgic_map_resources() targetting a v5 model results in vgic->dist_ready
never being set. This doesn't result in anything really bad, only
some more heavy locking as we go and re-init something for no good reason.
Rejig the code to correctly set the ready flag in all non-failing
cases.
Marc Zyngier [Wed, 1 Apr 2026 10:36:04 +0000 (11:36 +0100)]
KVM: arm64: vgic-v5: Make the effective priority mask a strict limit
The way the effective priority mask is compared to the priority of
an interrupt to decide whether to wake-up or not, is slightly odd,
and breaks at the limits.
This could result in spurious wake-ups that are undesirable.
Make the computed priority mask comparison a strict inequality, so
that interrupts that have the same priority as the mask are not
signalled.
Marc Zyngier [Wed, 1 Apr 2026 10:36:02 +0000 (11:36 +0100)]
KVM: arm64: vgic-v5: Transfer edge pending state to ICH_PPI_PENDRx_EL2
While it is perfectly correct to leave the pending state of a level
interrupt as is when queuing it (it is, after all, only driven by
the line), edge pending state must be transfered, as nothing will
lower it.
Marc Zyngier [Wed, 1 Apr 2026 10:36:01 +0000 (11:36 +0100)]
KVM: arm64: vgic-v5: Hold config_lock while finalizing GICv5 PPIs
Finalizing the PPI state is done without holding any lock, which
means that two vcpus can race against each other and have one zeroing
the state while another one is setting it, or even maybe using it.
Fixing this is done by:
- holding the config lock while performing the initialisation
- checking if SW_PPI has already been advertised, meaning that
we have already completed the initialisation once
Marc Zyngier [Wed, 1 Apr 2026 10:36:00 +0000 (11:36 +0100)]
KVM: arm64: Account for RESx bits in __compute_fgt()
When computing Fine Grained Traps, it is preferable to account for
the reserved bits. The HW will most probably ignore them, unless the
bits have been repurposed to do something else.
Use caution, and fold our view of the reserved bits in,
Marc Zyngier [Wed, 1 Apr 2026 10:35:56 +0000 (11:35 +0100)]
KVM: arm64: vgic: Don't reset cpuif/redist addresses at finalize time
Although we are OK with rewriting idregs at finalize time, resetting
the guest's cpuif (GICv3) or redistributor (GICv3) addresses once
we start running the guest is a pretty bad idea.
Move back this initialisation to vgic creation time.
Paul Sajna [Wed, 1 Apr 2026 03:15:11 +0000 (20:15 -0700)]
arm64: dts: qcom: sdm845-lg: Add uarts and Bluetooth
uart9 is debug serial on USB SBU1/2
UART RX is SBU1 and UART TX is SBU2 of the USB-C port).
1.8V Logic Level
Tested using pololu usb07a https://www.pololu.com/product/2585
and CH340 USB-UART
uart6 is bluetooth
Bluetooth: hci0: setting up wcn399x
Bluetooth: hci0: QCA Product ID :0x0000000a
Bluetooth: hci0: QCA SOC Version :0x40010214
Bluetooth: hci0: QCA ROM Version :0x00000201
Bluetooth: hci0: QCA Patch Version:0x00000001
Bluetooth: hci0: QCA controller version 0x02140201
Bluetooth: hci0: QCA Downloading qca/crbtfw21.tlv
Bluetooth: hci0: QCA Downloading qca/judyln/crnv21.bin
Bluetooth: hci0: QCA setup on UART is completed
Add paths for Qualcomm firmware, including:
ipa, modem, venus, gpu
GPU and bluetooth are confirmed working, others may need more
testing/fixes
But regardless they will need the firmware paths specified here
and firmware added upstream before they will work, so might as well
get started on it now.
Abel Vesa [Mon, 30 Mar 2026 14:24:08 +0000 (17:24 +0300)]
arm64: dts: qcom: glymur-crd: Enable DisplayPort support
The two Type-C ports found on Glymur CRD are DisplayPort alternate mode
capable. Everything is in place already for the USB, but for DisplayPort
the controllers need to be enabled.
So enable the related DisplayPort controller for each of these two
ports. Also define the supported link frequencies for each output.
Jens Axboe [Tue, 31 Mar 2026 14:16:58 +0000 (08:16 -0600)]
io_uring/bpf_filters: retain COW'ed settings on parse failures
If io_parse_restrictions() fails, it ends up clearing any restrictions
currently set. The intent is only to clear whatever it already applied,
but it ends up clearing everything, including whatever settings may have
been applied in a copy-on-write fashion already. Ensure that those are
retained.
projects / thirdparty / linux.git / log
