Will Deacon [Mon, 30 Mar 2026 14:48:27 +0000 (15:48 +0100)]
KVM: arm64: Reclaim faulting page from pKVM in spurious fault handler
Host kernel accesses to pages that are inaccessible at stage-2 result in
the injection of a translation fault, which is fatal unless an exception
table fixup is registered for the faulting PC (e.g. for user access
routines). This is undesirable, since a get_user_pages() call could be
used to obtain a reference to a donated page and then a subsequent
access via a kernel mapping would lead to a panic().
Rework the spurious fault handler so that stage-2 faults injected back
into the host result in the target page being forcefully reclaimed when
no exception table fixup handler is registered.
Will Deacon [Mon, 30 Mar 2026 14:48:26 +0000 (15:48 +0100)]
KVM: arm64: Introduce hypercall to force reclaim of a protected page
Introduce a new hypercall, __pkvm_force_reclaim_guest_page(), to allow
the host to forcefully reclaim a physical page that was previous donated
to a protected guest. This results in the page being zeroed and the
previous guest mapping being poisoned so that new pages cannot be
subsequently donated at the same IPA.
Will Deacon [Mon, 30 Mar 2026 14:48:25 +0000 (15:48 +0100)]
KVM: arm64: Annotate guest donations with handle and gfn in host stage-2
Handling host kernel faults arising from accesses to donated guest
memory will require an rmap-like mechanism to identify the guest mapping
of the faulting page.
Extend the page donation logic to encode the guest handle and gfn
alongside the owner information in the host stage-2 pte.
Will Deacon [Mon, 30 Mar 2026 14:48:24 +0000 (15:48 +0100)]
KVM: arm64: Change 'pkvm_handle_t' to u16
'pkvm_handle_t' doesn't need to be a 32-bit type and subsequent patches
will rely on it being no more than 16 bits so that it can be encoded
into a pte annotation.
Change 'pkvm_handle_t' to a u16 and add a compile-type check that the
maximum handle fits into the reduced type.
Rework host_stage2_set_owner_locked() to add a new helper function,
host_stage2_set_owner_metadata_locked(), which will allow us to store
additional metadata alongside a 3-bit owner ID for invalid host stage-2
entries.
kvm_pgtable_stage2_set_owner() can be generalised into a way to store
up to 59 bits in the page tables alongside a 4-bit 'type' identifier
specific to the format of the 59-bit payload.
Introduce kvm_pgtable_stage2_annotate() and move the existing invalid
ptes (for locked ptes and donated pages) over to the new scheme.
Will Deacon [Mon, 30 Mar 2026 14:48:21 +0000 (15:48 +0100)]
KVM: arm64: Avoid pointless annotation when mapping host-owned pages
When a page is transitioned to host ownership, we can eagerly map it
into the host stage-2 page-table rather than going via the convoluted
step of a faulting annotation to trigger the mapping.
Call host_stage2_idmap_locked() directly when transitioning a page to
be owned by the host.
Quentin Perret [Mon, 30 Mar 2026 14:48:20 +0000 (15:48 +0100)]
KVM: arm64: Inject SIGSEGV on illegal accesses
The pKVM hypervisor will currently panic if the host tries to access
memory that it doesn't own (e.g. protected guest memory). Sadly, as
guest memory can still be mapped into the VMM's address space, userspace
can trivially crash the kernel/hypervisor by poking into guest memory.
To prevent this, inject the abort back in the host with S1PTW set in the
ESR, hence allowing the host to differentiate this abort from normal
userspace faults and inject a SIGSEGV cleanly.
Will Deacon [Mon, 30 Mar 2026 14:48:19 +0000 (15:48 +0100)]
KVM: arm64: Support translation faults in inject_host_exception()
Extend inject_host_exception() to support the injection of translation
faults on both the data and instruction side to 32-bit and 64-bit EL0
as well as 64-bit EL1. This will be used in a subsequent patch when
resolving an unhandled host stage-2 abort.
Will Deacon [Mon, 30 Mar 2026 14:48:18 +0000 (15:48 +0100)]
KVM: arm64: Factor out pKVM host exception injection logic
inject_undef64() open-codes the logic to inject an exception into the
pKVM host. In preparation for reusing this logic to inject a data abort
on an unhandled stage-2 fault from the host, factor out the meat and
potatoes of the function into a new inject_host_exception() function
which takes the ESR as a parameter.
Will Deacon [Mon, 30 Mar 2026 14:48:17 +0000 (15:48 +0100)]
KVM: arm64: Hook up reclaim hypercall to pkvm_pgtable_stage2_destroy()
During teardown of a protected guest, its memory pages must be reclaimed
from the hypervisor by issuing the '__pkvm_reclaim_dying_guest_page'
hypercall.
Add a new helper, __pkvm_pgtable_stage2_reclaim(), which is called
during the VM teardown operation to reclaim pages from the hypervisor
and drop the GUP pin on the host.
To enable reclaim of pages from a protected VM during teardown,
introduce a new hypercall to reclaim a single page from a protected
guest that is in the dying state.
Since the EL2 code is non-preemptible, the new hypercall deliberately
acts on a single page at a time so as to allow EL1 to reschedule
frequently during the teardown operation.
Reviewed-by: Vincent Donnefort <vdonnefort@google.com> Tested-by: Fuad Tabba <tabba@google.com> Tested-by: Mostafa Saleh <smostafa@google.com> Co-developed-by: Quentin Perret <qperret@google.com> Signed-off-by: Quentin Perret <qperret@google.com> Signed-off-by: Will Deacon <will@kernel.org> Link: https://patch.msgid.link/20260330144841.26181-16-will@kernel.org Signed-off-by: Marc Zyngier <maz@kernel.org>
Will Deacon [Mon, 30 Mar 2026 14:48:15 +0000 (15:48 +0100)]
KVM: arm64: Handle aborts from protected VMs
Introduce a new abort handler for resolving stage-2 page faults from
protected VMs by pinning and donating anonymous memory. This is
considerably simpler than the infamous user_mem_abort() as we only have
to deal with translation faults at the pte level.
Will Deacon [Mon, 30 Mar 2026 14:48:14 +0000 (15:48 +0100)]
KVM: arm64: Hook up donation hypercall to pkvm_pgtable_stage2_map()
Mapping pages into a protected guest requires the donation of memory
from the host.
Extend pkvm_pgtable_stage2_map() to issue a donate hypercall when the
target VM is protected. Since the hypercall only handles a single page,
the splitting logic used for the share path is not required.
Will Deacon [Mon, 30 Mar 2026 14:48:13 +0000 (15:48 +0100)]
KVM: arm64: Introduce __pkvm_host_donate_guest()
In preparation for supporting protected VMs, whose memory pages are
isolated from the host, introduce a new pKVM hypercall to allow the
donation of pages to a guest.
Will Deacon [Mon, 30 Mar 2026 14:48:12 +0000 (15:48 +0100)]
KVM: arm64: Split teardown hypercall into two phases
In preparation for reclaiming protected guest VM pages from the host
during teardown, split the current 'pkvm_teardown_vm' hypercall into
separate 'start' and 'finalise' calls.
The 'pkvm_start_teardown_vm' hypercall puts the VM into a new 'is_dying'
state, which is a point of no return past which no vCPU of the pVM is
allowed to run any more. Once in this new state,
'pkvm_finalize_teardown_vm' can be used to reclaim meta-data and
page-table pages from the VM. A subsequent patch will add support for
reclaiming the individual guest memory pages.
Will Deacon [Mon, 30 Mar 2026 14:48:11 +0000 (15:48 +0100)]
KVM: arm64: Ignore -EAGAIN when mapping in pages for the pKVM host
If the host takes a stage-2 translation fault on two CPUs at the same
time, one of them will get back -EAGAIN from the page-table mapping code
when it runs into the mapping installed by the other.
Rather than handle this explicitly in handle_host_mem_abort(), pass the
new KVM_PGTABLE_WALK_IGNORE_EAGAIN flag to kvm_pgtable_stage2_map() from
__host_stage2_idmap() and return -EEXIST if host_stage2_adjust_range()
finds a valid pte. This will avoid having to test for -EAGAIN on the
reclaim path in subsequent patches.
Will Deacon [Mon, 30 Mar 2026 14:48:09 +0000 (15:48 +0100)]
KVM: arm64: Ignore MMU notifier callbacks for protected VMs
In preparation for supporting the donation of pinned pages to protected
VMs, return early from the MMU notifiers when called for a protected VM,
as the necessary hypercalls are exposed only for non-protected guests.
Will Deacon [Mon, 30 Mar 2026 14:48:08 +0000 (15:48 +0100)]
KVM: arm64: Remove is_protected_kvm_enabled() checks from hypercalls
When pKVM is not enabled, the host shouldn't issue pKVM-specific
hypercalls and so there's no point checking for this in the pKVM
hypercall handlers.
Remove the redundant is_protected_kvm_enabled() checks from each
hypercall and instead rejig the hypercall table so that the
pKVM-specific hypercalls are unreachable when pKVM is not being used.
Fuad Tabba [Mon, 30 Mar 2026 14:48:07 +0000 (15:48 +0100)]
KVM: arm64: Expose self-hosted debug regs as RAZ/WI for protected guests
Debug and trace are not currently supported for protected guests, so
trap accesses to the related registers and emulate them as RAZ/WI for
now. Although this isn't strictly compatible with the architecture, it's
sufficient for Linux guests and means that debug support can be added
later on.
Will Deacon [Mon, 30 Mar 2026 14:48:06 +0000 (15:48 +0100)]
KVM: arm64: Don't advertise unsupported features for protected guests
Both SVE and PMUv3 are treated as "restricted" features for protected
guests and attempts to access their corresponding architectural state
from a protected guest result in an undefined exception being injected
by the hypervisor.
Since these exceptions are unexpected and typically fatal for the guest,
don't advertise these features for protected guests.
Will Deacon [Mon, 30 Mar 2026 14:48:05 +0000 (15:48 +0100)]
KVM: arm64: Rename __pkvm_pgtable_stage2_unmap()
In preparation for adding support for protected VMs, where pages are
donated rather than shared, rename __pkvm_pgtable_stage2_unmap() to
__pkvm_pgtable_stage2_unshare() to make it clearer about what is going
on.
Will Deacon [Mon, 30 Mar 2026 14:48:04 +0000 (15:48 +0100)]
KVM: arm64: Move handle check into pkvm_pgtable_stage2_destroy_range()
When pKVM is enabled, a VM has a 'handle' allocated by the hypervisor
in kvm_arch_init_vm() and released later by kvm_arch_destroy_vm().
Consequently, the only time __pkvm_pgtable_stage2_unmap() can run into
an uninitialised 'handle' is on the kvm_arch_init_vm() failure path,
where we destroy the empty stage-2 page-table if we fail to allocate a
handle.
Move the handle check into pkvm_pgtable_stage2_destroy_range(), which
will additionally handle protected VMs in subsequent patches.
Will Deacon [Mon, 30 Mar 2026 14:48:02 +0000 (15:48 +0100)]
KVM: arm64: Remove unused PKVM_ID_FFA definition
Commit 7cbf7c37718e ("KVM: arm64: Drop pkvm_mem_transition for host/hyp
sharing") removed the last users of PKVM_ID_FFA, so drop the definition
altogether.
Simon Richter [Sat, 7 Mar 2026 17:35:37 +0000 (02:35 +0900)]
PCI/VGA: Fail pci_set_vga_state() if VGA decoding not supported
PCI bridges are allowed to refuse activating VGA decoding, by simply
ignoring attempts to set the bit that enables it, so after setting the bit,
read it back to verify.
One example of such a bridge is the root bridge in IBM PowerNV, but this is
also useful for GPU passthrough into virtual machines, where it is
difficult to set up routing for legacy IO through IOMMU.
Nicolas Pitre [Sat, 28 Mar 2026 03:09:47 +0000 (23:09 -0400)]
vt: resize saved unicode buffer on alt screen exit after resize
Instead of discarding the saved unicode buffer when the console was
resized while in the alternate screen, resize it to the current
dimensions using vc_uniscr_copy_area() to preserve its content. This
properly restores the unicode screen on alt screen exit rather than
lazily rebuilding it from a lossy reverse glyph translation.
On allocation failure the stale buffer is freed and vc_uni_lines is
set to NULL so it gets lazily rebuilt via vc_uniscr_check() when next
needed.
Fixes: 40014493cece ("vt: discard stale unicode buffer on alt screen exit after resize") Cc: stable <stable@kernel.org> Signed-off-by: Nicolas Pitre <nico@fluxnic.net> Link: https://patch.msgid.link/3nsr334n-079q-125n-7807-n4nq818758ns@syhkavp.arg Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Liav Mordouch [Fri, 27 Mar 2026 17:02:04 +0000 (20:02 +0300)]
vt: discard stale unicode buffer on alt screen exit after resize
When enter_alt_screen() saves vc_uni_lines into vc_saved_uni_lines and
sets vc_uni_lines to NULL, a subsequent console resize via vc_do_resize()
skips reallocating the unicode buffer because vc_uni_lines is NULL.
However, vc_saved_uni_lines still points to the old buffer allocated for
the original dimensions.
When leave_alt_screen() later restores vc_saved_uni_lines, the buffer
dimensions no longer match vc_rows/vc_cols. Any operation that iterates
over the unicode buffer using the current dimensions (e.g. csi_J clearing
the screen) will access memory out of bounds, causing a kernel oops:
BUG: unable to handle page fault for address: 0x0000002000000020
RIP: 0010:csi_J+0x133/0x2d0
The faulting address 0x0000002000000020 is two adjacent u32 space
characters (0x20) interpreted as a pointer, read from the row data area
past the end of the 25-entry pointer array in a buffer allocated for
80x25 but accessed with 240x67 dimensions.
Fix this by checking whether the console dimensions changed while in the
alternate screen. If they did, free the stale saved buffer instead of
restoring it. The unicode screen will be lazily rebuilt via
vc_uniscr_check() when next needed.
Jason Andryuk [Wed, 18 Mar 2026 23:53:26 +0000 (19:53 -0400)]
hvc/xen: Check console connection flag
When the console out buffer is filled, __write_console() will return 0
as it cannot send any data. domU_write_console() will then spin in
`while (len)` as len doesn't decrement until xenconsoled attaches. This
would block a domU and nullify the parallelism of Hyperlaunch until dom0
userspace starts xenconsoled, which empties the buffer.
Xen 4.21 added a connection field to the xen console page. This is set
to XENCONSOLE_DISCONNECTED (1) when a domain is built, and xenconsoled
will set it to XENCONSOLE_CONNECTED (0) when it connects.
Update the hvc_xen driver to check the field. When the field is
disconnected, drop the write with -ENOTCONN. We only drop the write
when the field is XENCONSOLE_DISCONNECTED (1) to try for maximum
compatibility. The Xen toolstack has historically zero initialized the
console, so it should see XENCONSOLE_CONNECTED (0) by default. If an
implemenation used uninitialized memory, only checking for
XENCONSOLE_DISCONNECTED could have the lowest chance of not connecting.
This lets the hyperlaunched domU boot without stalling. Once dom0
starts xenconsoled, xl console can be used to access the domU's hvc0.
Paritally sync console.h from xen.git to bring in the new field.
Biju Das [Thu, 12 Mar 2026 08:26:59 +0000 (08:26 +0000)]
serial: sh-sci: Add support for RZ/G3L RSCI
Add support for RZ/G3L RSCI. The RSCI IP found on the RZ/G3L SoC is
similar to RZ/G3E, but it has 3 clocks (2 module clocks + 1 external
clock) instead of 6 clocks (5 module clocks + 1 external clock) on the
RZ/G3E. Both RZ/G3L and RZ/G3E have a 32-bit FIFO, but RZ/G3L has a
single TCLK with internal dividers, whereas the RZ/G3E has explicit
clocks for TCLK and its dividers. Add a new port type
RSCI_PORT_SCIF32_SINGLE_TCLK to handle this clock difference.
Document the serial communication interface (RSCI) used on the Renesas
RZ/G3L (R9A08G046) SoC. This SoC integrates the same RSCI IP block as
the RZ/G3E (R9A09G047), but it has 3 clocks compared to 6 clocks on
the RZ/G3E SoC. The RZ/G3L has a single TCLK with internal dividers,
whereas the RZ/G3E has explicit clocks for TCLK and its dividers.
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com> Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be> Reviewed-by: Rob Herring (Arm) <robh@kernel.org> Link: https://patch.msgid.link/20260312082708.98835-2-biju.das.jz@bp.renesas.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Kexin Sun [Tue, 24 Mar 2026 02:48:57 +0000 (10:48 +0800)]
tty: atmel_serial: update outdated reference to atmel_tasklet_func()
The modem-status comparison that used irq_status_prev was
moved from atmel_tasklet_func() into atmel_handle_status() in
commit d033e82db9a5 ("tty/serial: at91: handle IRQ status
more safely"). Update the comment accordingly.
The UART controller on Loongson 3A4000 is compatible with Loongson
2K1500, which is NS16550A-compatible with an additional fractional
frequency divisor register.
Add loongson,ls3a4000-uart as compatible with loongson,ls2k1500-uart.
Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Signed-off-by: Rong Zhang <rongrong@oss.cipunited.com> Reviewed-by: Jiaxun Yang <jiaxun.yang@flygoat.com> Link: https://patch.msgid.link/20260315184301.412844-2-rongrong@oss.cipunited.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Kuen-Han Tsai [Fri, 20 Mar 2026 08:54:50 +0000 (16:54 +0800)]
usb: gadget: f_rndis: Fix net_device lifecycle with device_move
The net_device is allocated during function instance creation and
registered during the bind phase with the gadget device as its sysfs
parent. When the function unbinds, the parent device is destroyed, but
the net_device survives, resulting in dangling sysfs symlinks:
console:/ # ls -l /sys/class/net/usb0
lrwxrwxrwx ... /sys/class/net/usb0 ->
/sys/devices/platform/.../gadget.0/net/usb0
console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0
ls: .../gadget.0/net/usb0: No such file or directory
Use device_move() to reparent the net_device between the gadget device
tree and /sys/devices/virtual across bind and unbind cycles. During the
final unbind, calling device_move(NULL) moves the net_device to the
virtual device tree before the gadget device is destroyed. On rebinding,
device_move() reparents the device back under the new gadget, ensuring
proper sysfs topology and power management ordering.
To maintain compatibility with legacy composite drivers (e.g., multi.c),
the borrowed_net flag is used to indicate whether the network device is
shared and pre-registered during the legacy driver's bind phase.
Fixes: f466c6353819 ("usb: gadget: f_rndis: convert to new function interface with backward compatibility") Cc: stable@vger.kernel.org Signed-off-by: Kuen-Han Tsai <khtsai@google.com> Link: https://patch.msgid.link/20260320-usb-net-lifecycle-v1-7-4886b578161b@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Kuen-Han Tsai [Fri, 20 Mar 2026 08:54:49 +0000 (16:54 +0800)]
usb: gadget: f_subset: Fix net_device lifecycle with device_move
The net_device is allocated during function instance creation and
registered during the bind phase with the gadget device as its sysfs
parent. When the function unbinds, the parent device is destroyed, but
the net_device survives, resulting in dangling sysfs symlinks:
console:/ # ls -l /sys/class/net/usb0
lrwxrwxrwx ... /sys/class/net/usb0 ->
/sys/devices/platform/.../gadget.0/net/usb0
console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0
ls: .../gadget.0/net/usb0: No such file or directory
Use device_move() to reparent the net_device between the gadget device
tree and /sys/devices/virtual across bind and unbind cycles. During the
final unbind, calling device_move(NULL) moves the net_device to the
virtual device tree before the gadget device is destroyed. On rebinding,
device_move() reparents the device back under the new gadget, ensuring
proper sysfs topology and power management ordering.
To maintain compatibility with legacy composite drivers (e.g., multi.c),
the bound flag is used to indicate whether the network device is shared
and pre-registered during the legacy driver's bind phase.
Fixes: 8cedba7c73af ("usb: gadget: f_subset: convert to new function interface with backward compatibility") Cc: stable@vger.kernel.org Signed-off-by: Kuen-Han Tsai <khtsai@google.com> Link: https://patch.msgid.link/20260320-usb-net-lifecycle-v1-6-4886b578161b@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Kuen-Han Tsai [Fri, 20 Mar 2026 08:54:48 +0000 (16:54 +0800)]
usb: gadget: f_eem: Fix net_device lifecycle with device_move
The net_device is allocated during function instance creation and
registered during the bind phase with the gadget device as its sysfs
parent. When the function unbinds, the parent device is destroyed, but
the net_device survives, resulting in dangling sysfs symlinks:
console:/ # ls -l /sys/class/net/usb0
lrwxrwxrwx ... /sys/class/net/usb0 ->
/sys/devices/platform/.../gadget.0/net/usb0
console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0
ls: .../gadget.0/net/usb0: No such file or directory
Use device_move() to reparent the net_device between the gadget device
tree and /sys/devices/virtual across bind and unbind cycles. During the
final unbind, calling device_move(NULL) moves the net_device to the
virtual device tree before the gadget device is destroyed. On rebinding,
device_move() reparents the device back under the new gadget, ensuring
proper sysfs topology and power management ordering.
To maintain compatibility with legacy composite drivers (e.g., multi.c),
the bound flag is used to indicate whether the network device is shared
and pre-registered during the legacy driver's bind phase.
Fixes: b29002a15794 ("usb: gadget: f_eem: convert to new function interface with backward compatibility") Cc: stable@vger.kernel.org Signed-off-by: Kuen-Han Tsai <khtsai@google.com> Link: https://patch.msgid.link/20260320-usb-net-lifecycle-v1-5-4886b578161b@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Kuen-Han Tsai [Fri, 20 Mar 2026 08:54:47 +0000 (16:54 +0800)]
usb: gadget: f_ecm: Fix net_device lifecycle with device_move
The net_device is allocated during function instance creation and
registered during the bind phase with the gadget device as its sysfs
parent. When the function unbinds, the parent device is destroyed, but
the net_device survives, resulting in dangling sysfs symlinks:
console:/ # ls -l /sys/class/net/usb0
lrwxrwxrwx ... /sys/class/net/usb0 ->
/sys/devices/platform/.../gadget.0/net/usb0
console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0
ls: .../gadget.0/net/usb0: No such file or directory
Use device_move() to reparent the net_device between the gadget device
tree and /sys/devices/virtual across bind and unbind cycles. During the
final unbind, calling device_move(NULL) moves the net_device to the
virtual device tree before the gadget device is destroyed. On rebinding,
device_move() reparents the device back under the new gadget, ensuring
proper sysfs topology and power management ordering.
To maintain compatibility with legacy composite drivers (e.g., multi.c),
the bound flag is used to indicate whether the network device is shared
and pre-registered during the legacy driver's bind phase.
Fixes: fee562a6450b ("usb: gadget: f_ecm: convert to new function interface with backward compatibility") Cc: stable@vger.kernel.org Signed-off-by: Kuen-Han Tsai <khtsai@google.com> Link: https://patch.msgid.link/20260320-usb-net-lifecycle-v1-4-4886b578161b@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Kuen-Han Tsai [Fri, 20 Mar 2026 08:54:44 +0000 (16:54 +0800)]
usb: gadget: f_subset: Fix unbalanced refcnt in geth_free
geth_alloc() increments the reference count, but geth_free() fails to
decrement it. This prevents the configuration of attributes via configfs
after unlinking the function.
Decrement the reference count in geth_free() to ensure proper cleanup.
Xu Yang [Mon, 30 Mar 2026 06:35:18 +0000 (14:35 +0800)]
dt-bindings: connector: add pd-disable dependency
When Power Delivery is not supported, the source is unable to obtain the
current capability from the Source PDO. As a result, typec-power-opmode
needs to be added to advertise such capability.
Andrei Kuchynski [Tue, 24 Mar 2026 10:30:12 +0000 (10:30 +0000)]
usb: typec: thunderbolt: Set enter_vdo during initialization
In the current implementation, if a cable's alternate mode enter operation
is not supported, the tbt->plug[TYPEC_PLUG_SOP_P] pointer is cleared by the
time tbt_enter_mode() is called. This prevents the driver from identifying
the cable's VDO.
As a result, the Thunderbolt connection falls back to the default
TBT_CABLE_USB3_PASSIVE speed, even if the cable supports higher speeds.
To ensure the correct VDO value is used during mode entry, calculate and
store the enter_vdo earlier during the initialization phase in tbt_ready().
Cc: stable <stable@kernel.org> Fixes: 100e25738659 ("usb: typec: Add driver for Thunderbolt 3 Alternate Mode") Tested-by: Madhu M <madhu.m@intel.corp-partner.google.com> Signed-off-by: Andrei Kuchynski <akuchynski@chromium.org> Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> Reviewed-by: Benson Leung <bleung@chromium.org> Link: https://patch.msgid.link/20260324103012.1417616-1-akuchynski@chromium.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Andrei Kuchynski [Tue, 24 Mar 2026 10:29:03 +0000 (10:29 +0000)]
usb: typec: Remove alt->adev.dev.class assignment
The typec plug alternate mode is already registered as part of the bus.
When both class and bus are set for a device, device_add() attempts to
create the "subsystem" symlink in the device's sysfs directory twice, once
for the bus and once for the class.
This results in a duplicate filename error during registration,
causing the alternate mode registration to fail with warnings:
Cc: stable <stable@kernel.org> Fixes: 67ab45426215 ("usb: typec: Set the bus also for the port and plug altmodes") Tested-by: Madhu M <madhu.m@intel.corp-partner.google.com> Signed-off-by: Andrei Kuchynski <akuchynski@chromium.org> Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> Reviewed-by: Benson Leung <bleung@chromium.org> Link: https://patch.msgid.link/20260324102903.1416210-1-akuchynski@chromium.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Juno Choi [Tue, 24 Mar 2026 01:49:10 +0000 (10:49 +0900)]
usb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop()
dwc2_gadget_exit_clock_gating() internally calls call_gadget() macro,
which expects hsotg->lock to be held since it does spin_unlock/spin_lock
around the gadget driver callback invocation.
However, dwc2_hsotg_udc_stop() calls dwc2_gadget_exit_clock_gating()
without holding the lock. This leads to:
- spin_unlock on a lock that is not held (undefined behavior)
- The lock remaining held after dwc2_gadget_exit_clock_gating() returns,
causing a deadlock when spin_lock_irqsave() is called later in the
same function.
Fix this by acquiring hsotg->lock before calling
dwc2_gadget_exit_clock_gating() and releasing it afterwards, which
satisfies the locking requirement of the call_gadget() macro.
Fixes: af076a41f8a2 ("usb: dwc2: also exit clock_gating when stopping udc while suspended") Cc: stable <stable@kernel.org> Signed-off-by: Juno Choi <juno.choi@lge.com> Link: https://patch.msgid.link/20260324014910.2798425-1-juno.choi@lge.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jimmy Hu [Fri, 20 Mar 2026 06:54:27 +0000 (14:54 +0800)]
usb: gadget: uvc: fix NULL pointer dereference during unbind race
Commit b81ac4395bbe ("usb: gadget: uvc: allow for application to cleanly
shutdown") introduced two stages of synchronization waits totaling 1500ms
in uvc_function_unbind() to prevent several types of kernel panics.
However, this timing-based approach is insufficient during power
management (PM) transitions.
When the PM subsystem starts freezing user space processes, the
wait_event_interruptible_timeout() is aborted early, which allows the
unbind thread to proceed and nullify the gadget pointer
(cdev->gadget = NULL):
[ 814.123447][ T947] configfs-gadget.g1 gadget.0: uvc: uvc_function_unbind()
[ 814.178583][ T3173] PM: suspend entry (deep)
[ 814.192487][ T3173] Freezing user space processes
[ 814.197668][ T947] configfs-gadget.g1 gadget.0: uvc: uvc_function_unbind no clean disconnect, wait for release
When the PM subsystem resumes or aborts the suspend and tasks are
restarted, the V4L2 release path is executed and attempts to access the
already nullified gadget pointer, triggering a kernel panic:
Address the race condition and NULL pointer dereference by:
1. State Synchronization (flag + mutex)
Introduce a 'func_unbound' flag in struct uvc_device. This allows
uvc_function_disconnect() to safely skip accessing the nullified
cdev->gadget pointer. As suggested by Alan Stern, this flag is protected
by a new mutex (uvc->lock) to ensure proper memory ordering and prevent
instruction reordering or speculative loads. This mutex is also used to
protect 'func_connected' for consistent state management.
2. Explicit Synchronization (completion)
Use a completion to synchronize uvc_function_unbind() with the
uvc_vdev_release() callback. This prevents Use-After-Free (UAF) by
ensuring struct uvc_device is freed after all video device resources
are released.
Fixes: b81ac4395bbe ("usb: gadget: uvc: allow for application to cleanly shutdown") Cc: stable <stable@kernel.org> Suggested-by: Alan Stern <stern@rowland.harvard.edu> Suggested-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Jimmy Hu <hhhuuu@google.com> Link: https://patch.msgid.link/20260320065427.1374555-1-hhhuuu@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Miao Li [Thu, 19 Mar 2026 05:39:27 +0000 (13:39 +0800)]
usb: quirks: add DELAY_INIT quirk for another Silicon Motion flash drive
Another Silicon Motion flash drive also randomly work incorrectly
(lsusb does not list the device) on Huawei hisi platforms during
500 reboot cycles, and the DELAY_INIT quirk fixes this issue.
Eliav Farber [Wed, 18 Feb 2026 14:35:22 +0000 (14:35 +0000)]
mtd: spi-nor: winbond: Fix locking support for w25q256jw
The Winbond w25q256jw device:
- Supports lock/unlock via SR.
- Has Top/Bottom (TB) protect bit.
- Uses Status Register bit 6 as the Top/Bottom (TB) protect bit.
- Supports four Block Protect (BP) bits.
Update the flash parameters by enabling SPI_NOR_HAS_LOCK, SPI_NOR_HAS_TB,
SPI_NOR_TB_SR_BIT6 and SPI_NOR_4BIT_BP. Without these flags, the locking
configuration is incorrect.
usb: gadget: f_hid: don't call cdev_init while cdev in use
When calling unbind, then bind again, cdev_init reinitialized the cdev,
even though there may still be references to it. That's the case when
the /dev/hidg* device is still opened. This obviously unsafe behavior
like oopes.
This fixes this by using cdev_alloc to put the cdev on the heap. That
way, we can simply allocate a new one in hidg_bind.
usb: typec: tcpm/tcpci_maxim: deprecate WAR for setting charger mode
TCPCI maxim driver directly writes to the charger's register space to
set charger mode depending on the power role. As MAX77759 chg driver
exists, this WAR is not required.
Instead, use a regulator interface to source vbus when typec is in
source power mode. In other power modes, this regulator will be turned
off if active.
Add support for MAX77759 battery charger driver. This is a 4A 1-Cell
Li+/LiPoly dual input switch mode charger. While the device can support
USB & wireless charger inputs, this implementation only supports USB
input. This implementation supports both buck and boost modes.
Add a helper function to find the selector for a given value in a linear
range array. The selector should be such that the value it represents
should be higher or equal to the given value.
mfd: max77759: add register bitmasks and modify irq configs for charger
Add register bitmasks for charger function.
In addition split the charger IRQs further such that each bit represents
an IRQ downstream of charger regmap irq chip. In addition populate the
ack_base to offload irq ack to the regmap irq chip framework.
dt-bindings: usb: maxim,max33359: Add supply property for vbus
Add a regulator supply property for vbus. This notifies the regulator
provider to source vbus when Type-C operates in Source power mode,
while turn off sourcing vbus when operating in Sink mode or
disconnected.
dt-bindings: mfd: maxim,max77759: reference power-supply schema and add regulator property
Extend the max77759 binding to reference power-supply schema, so that
PMIC node can reference its supplier. Also, add regulator property to
control CHGIN (OTG) voltage.
Oliver Neukum [Wed, 25 Mar 2026 14:55:20 +0000 (15:55 +0100)]
usb: translate ENOSPC for user space
In case of insufficient bandwidth usb_submit_urb()
returns -ENOSPC. Translating this to -EIO is not
optimal. There are insufficient resources not
an error. EBUSY is a better fit.
Oliver Neukum [Thu, 19 Mar 2026 14:46:23 +0000 (15:46 +0100)]
usb: uapi: add usb 3.0 authentication declarations
This adds the USB authentication extensions to the
uapi chapter 9 declarations, so that user space tools
correctly operate on the descriptor and commands.
This is necessary for sniffing and debugging in gadget
mode to correctly work, even though the kernel
does not use these requests in host mode.
Terminus FE1.1s is USB2.0 protocol compliant 4-port USB HUB, It support
MTT (Multiple Transaction Translator) mode, the upstream port supports
high-speed 480MHz and full-speed 12MHz modes, also it has integrated 5V
to 3.3V/1.8V regulator and Power-On-Reset circuit.
Yixun Lan [Thu, 19 Mar 2026 07:51:03 +0000 (07:51 +0000)]
dt-bindings: usb: Add support for Terminus FE1.1s USB2.0 Hub controller
Terminus FE1.1s is USB2.0 protocol compliant 4-port USB HUB, It support
MTT (Multiple Transaction Translator) mode, the upstream port supports
high-speed 480MHz and full-speed 12MHz modes, also has integrated 5V to
3.3V, 1.8V regulator and Power-On-Reset circuit.
dt-bindings: usb: qcom,snps-dwc3: Add constraints for IPQ5424 and IPQ9574
The qcom,ipq5424-dwc3 and qcom,ipq9574-dwc3 are already documented in
top level part, but they miss specific constraints for clocks (IPQ5424)
and interrupts (both).
dt-bindings: usb: qcom,snps-dwc3: Add constraints for SM4250
The qcom,sm4250-dwc3 is already documented in top level part, but it
misses specific constraints for clocks. The SoC is derivative of SM6115
(or vice versa), so the interrupts part is incorrectly placed and should
be same as for SM6115.
dt-bindings: usb: qcom,snps-dwc3: Add missing clocks and interrupts constraints
The top-level part defines variable number of clocks and interrupts, and
each "if:then:" block narrows them. It however narrows only the
maxItems leaving minItems undefined, which then takes different values
depending on dtschema being used.
Recommended style is to avoid ambiguity in such case, thus if top-level
part has broad constraints, then each "if:then:" must specify both upper
and lower limits.
Add missing constraints, mostly minItems but also maxItems for one
variant.
Peter Chen [Mon, 16 Mar 2026 06:48:31 +0000 (14:48 +0800)]
usb: cdns3: Add USBSSP platform driver support
The Cadence USBSSP (CDNSP) controller was previously only accessible
through PCI, coupling the gadget driver with the PCI glue layer into a
single monolithic module (cdnsp-udc-pci). This prevented using the
CDNSP IP on SoC/platform designs that expose the controller through
device tree. It restructures the driver to decouple the CDNSP gadget
from PCI.
- Introduce CONFIG_USB_CDNSP as a standalone tristate (analogous to
CONFIG_USB_CDNS3), with USB_CDNSP_GADGET and USB_CDNSP_HOST as
bool sub-options. The gadget code builds as a separate cdnsp.ko
module.
- Regroup USBSSP and CDNS3 Kconfig options under the USB_CDNS_SUPPORT
menu so they appear properly grouped in menuconfig.
- Refactor cdnsp-pci.c into a thin PCI-to-platform wrapper (similar
to cdns3-pci-wrap.c) that registers a platform device and passes
PCI resources and platform data to the common platform driver.
- Auto-detect the controller version (USBSS vs USBSSP) at runtime by
reading the DRD/OTG Device ID register in cdns_drd_init(), and select
the appropriate gadget init function (cdns3_gadget_init or
cdnsp_gadget_init) based on cdns->version. This follows the same
pattern already used for host initialization.
- Fix gadget-export.h to use IS_REACHABLE() keyed on the tristate
module config (CONFIG_USB_CDNS3/CONFIG_USB_CDNSP) instead of
IS_ENABLED() on the bool gadget config. The bool configs are always
'y' when enabled, causing IS_ENABLED/IS_REACHABLE to always return
true and resulting in link errors when cdns-usb-common is built-in
but the gadget module is loadable.
- Add missing MODULE_LICENSE()/MODULE_DESCRIPTION() and
EXPORT_SYMBOL_GPL() to the cdns3 and cdnsp gadget modules, required
by modpost.
- Pass override_apb_timeout through cdns3_platform_data so the PCI
wrapper can communicate PCI-specific APB timeout values to the
common driver.
Peter Chen [Mon, 16 Mar 2026 06:48:30 +0000 (14:48 +0800)]
dt-bindings: usb: cdns,usb3: document USBSSP controller support
Update the Cadence USBSS DRD binding to document that it also covers
the USBSSP (SuperSpeed Plus, USB 3.1 gen2x1) controller. Both USBSS
and USBSSP share the same DRD/OTG register interface, so the driver
auto-detects the controller version at runtime — no additional
compatible string is needed.
Changes to the binding:
- Update title and add description
- maximum-speed: add super-speed-plus
Add names to the memory-region-names for easier identification of memory
regions. As the meaning of the second memory region can be different
also require the use of memory-region-names if memory-region is in use.
dt-bindings: remoteproc: k3-r5f: Split up memory regions
Split up the region reserved for the firmware image in more specific
sections to expose the full fixed layout. Especially the LPM metadata
section is important for bootloaders as it contains information about
how to exit IO+DDR. This is read by the bootloader but is written by the
firmware.
Alexey Charkov [Wed, 18 Mar 2026 14:32:56 +0000 (18:32 +0400)]
usb: typec: tcpci_rt1711h: Drop unnecessary VID/PID/DID checks
Existing checks for VID/PID/DID in the driver are redundant since the
driver is already matched to the device via I2C device ID and OF
compatible strings, and they preclude the use of fallback compatibles.
Remove them to make the driver slimmer and adding new clones easier.
Alexey Charkov [Wed, 18 Mar 2026 14:32:54 +0000 (18:32 +0400)]
dt-bindings: usb: richtek,rt1711h: Switch ETEK ET7304 to use a fallback compatible
As stated in [1], ETEK ET7304 is identical to Richtek RT1715, except for
the VID value in its registers, so reflect it in the bindings via a
fallback compatible.
As there are various TCPCI chips by different vendors reimplementing the
registers and behavior of the RT1711H/RT1715, fallback compatibles will
scale better.
Chukun Pan [Thu, 26 Mar 2026 10:00:10 +0000 (18:00 +0800)]
usb: dwc3: Add optional VBUS regulator support to SpacemiT K1
Some SpacemiT K1 boards (like OrangePi R2S) provide USB VBUS
through a controllable regulator. Add support for the optional
vbus-supply property so the regulator can be properly managed
in host mode instead of left always-on. Note that this doesn't
apply to USB Hub downstream ports with different VBUS supplies.
The enabled and disabled actions of the regulator are handled
automatically by devm_regulator_get_enable_optional().
Yixun Lan [Fri, 20 Mar 2026 07:15:37 +0000 (07:15 +0000)]
dt-bindings: usb: dwc3: spacemit: add support for K3 SoC
Add compatible string for DWC3 USB controller found in SpacemiT K3 SoC.
The USB2.0 host controller in K3 SoC actually use DWC3 IP but only support
USB2.0 functionality, thus in the hardware layer, it has only one USB2 PHY.
While in K1 SoC, the USB controller has both USB2 and USB3 Combo PHY
connected, but able to work in a reduced USB2.0 mode which requres only
one USB2 PHY, leaves the USB3 Combo PHY to PCIe controller. So both K1
and K3 SoC are able to work in the USB2.0 mode which requires one PHY.
Explicitly reduce number of phy property to minimal one.
Kexin Sun [Sat, 21 Mar 2026 11:00:06 +0000 (19:00 +0800)]
usb: gadget: udc: update outdated comment for renamed usb_gadget_udc_start()
The function usb_gadget_udc_start() was renamed to
usb_gadget_udc_start_locked() by commit 286d9975a838 ("usb: gadget:
udc: core: Prevent soft_connect_store() race"). Update the comment
in usb_gadget_udc_set_speed() accordingly.
Xu Yang [Thu, 19 Mar 2026 09:48:49 +0000 (17:48 +0800)]
usb: typec: tcpci: support setting orientation via GPIO
If the chip indicates its "Connection Orientation" standard output control
in STANDARD_OUTPUT_CAPABILITIES register, it can do the thing by
programming CONFIG_STANDARD_OUTPUT register. Due to the optional feature,
the chip which not present this capability currently doesn't have a way to
correctly set the data path. This add the support to set orientation via
a simple GPIO.
The Type-C chip know the cable orientation and then normally will set the
switch channel to correctly configure the data path. Some chips itself
support to output the control signal by indicating the capability in
bit[0] of STANDARD_OUTPUT_CAPABILITIES register and do it in
CONFIG_STANDARD_OUTPUT register. For PTN5110 which doesn't present this
capability currently there is no way to achieve the orientation setting.
Add an optional "orientation-gpios" property to achieve the same purpose.
Alexander Stein [Fri, 13 Mar 2026 14:12:19 +0000 (15:12 +0100)]
dt-bindings: usb: ti,usb8041: Support nested USB hubs
Onboard USB hubs might be nested. Add the reference for the generic
usb-hub.yaml binding and lift the restriction on peer-hub.
A (downstream) hub might only be connected on USB High-Speed lines.
Abel Vesa [Wed, 18 Mar 2026 08:13:22 +0000 (10:13 +0200)]
dt-bindings: usb: qcom,snps-dwc3: Document the Eliza compatible
Document the compatible for the Qualcomm Synopsys DWC3 glue controller
found on Eliza SoC.
It follows the same binding requirements as other recent Qualcomm
SoCs, so add it to the existing schema conditionals covering the
required properties.
Pengpeng Hou [Mon, 23 Mar 2026 12:17:30 +0000 (20:17 +0800)]
usb: gadget: bdc: validate status-report endpoint indices
bdc_sr_xsf() decodes a 5-bit endpoint number from the hardware status
report and uses it to index bdc->bdc_ep_array[] directly. The array is
only allocated to bdc->num_eps for the current controller instance, so a
status report can carry an endpoint number that still fits the 5-bit
field but does not fit the runtime-sized endpoint table.
Reject status reports whose endpoint number is outside bdc->num_eps
before indexing the endpoint array.
Mark Brown [Mon, 30 Mar 2026 14:45:39 +0000 (15:45 +0100)]
regulator: mt6315: add regulator supplies
Chen-Yu Tsai <wenst@chromium.org> says:
This series is part of a broader collection of regulator related
cleanups for MediaTek Chromebooks. This one covers the MT6315 PMIC.
Patch 1 adds the names of the power supply inputs to the binding.
Patch 2 adds the supply names from the DT binding change in patch 1
to the regulator descriptions in the driver. This patch has a
checkpatch.pl warnings, but I wonder if it's because the context size
for checking complex macros is not large enough.
Device tree changes will be sent separately. The goal is to get the
regulator tree as complete as possible. This includes adding supply
names to other regulator DT bindings, and adding all the supply links
to the existing DTs.
Luca Weiss [Mon, 30 Mar 2026 14:14:13 +0000 (16:14 +0200)]
regulator: devres: Use enum regulator_get_type in internal functions
The enum regulator_get_type has been available since 2017, so use that
enum instead of an "untyped" int in the three functions where "get_type"
is used.
arm64: dts: qcom: sm8550-hdk: add support for the Display Card overlay
The SM8550-HDK board may be connected to a Display Card external PCB,
which is identical to the already supported SM8650-HDK Display Card,
it provides a VTDR6130 display with Goodix Berlin Touch controller, see
also commit bc90f56a1699 ("arm64: dts: sm8650-hdk: add support for the
Display Card overlay") for additional details.
Two overlays are added to support SM8550-HDK plus Display Card and
SM8550-HDK plus Display Card plus Rear Camera Card setups.
Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org> Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com> Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com> Link: https://lore.kernel.org/r/20260311001238.4191034-1-vladimir.zapolskiy@linaro.org Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Hans Holmberg [Wed, 25 Mar 2026 12:43:12 +0000 (13:43 +0100)]
xfs: start gc on zonegc_low_space attribute updates
Start gc if the agressiveness of zone garbage collection is changed
by the user (if the file system is not read only).
Without this change, the new setting will not be taken into account
until the gc thread is woken up by e.g. a write.
Cc: stable@vger.kernel.org # v6.15 Fixes: 845abeb1f06a8a ("xfs: add tunable threshold parameter for triggering zone GC") Signed-off-by: Hans Holmberg <hans.holmberg@wdc.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Damien Le Moal <dlemoal@kernel.org> Signed-off-by: Carlos Maiolino <cem@kernel.org>
xfs: don't decrement the buffer LRU count for in-use buffers
XFS buffers are added to the LRU when they are unused, but are only
removed from the LRU lazily when the LRU list scan finds a used buffer.
So far this only happen when the LRU counter hits 0, which is suboptimal
as buffers that were added to the LRU, but are in use again still consume
LRU scanning resources and are aged while actually in use.
Fix this by checking for in-use buffers and removing the from the LRU
before decrementing the LRU counter.
Signed-off-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Darrick J. Wong <djwong@kernel.org> Signed-off-by: Carlos Maiolino <cem@kernel.org>
projects / thirdparty / kernel / stable.git / log
