Linus Torvalds [Sun, 29 Mar 2026 16:30:06 +0000 (09:30 -0700)]
Merge tag 'ext4_for_linus-7.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4
Pull ext4 fixes from Ted Ts'o:
- Update the MAINTAINERS file to add reviewers for the ext4 file system
- Add a test issue an ext4 warning (not a WARN_ON) if there are still
dirty pages attached to an evicted inode.
- Fix a number of Syzkaller issues
- Fix memory leaks on error paths
- Replace some BUG and WARN with EFSCORRUPTED reporting
- Fix a potential crash when disabling discard via remount followed by
an immediate unmount. (Found by Sashiko)
- Fix a corner case which could lead to allocating blocks for an
indirect-mapped inode block numbers > 2**32
- Fix a race when reallocating a freed inode that could result in a
deadlock
- Fix a user-after-free in update_super_work when racing with umount
- Fix build issues when trying to build ext4's kunit tests as a module
- Fix a bug where ext4_split_extent_zeroout() could fail to pass back
an error from ext4_ext_dirty()
- Avoid allocating blocks from a corrupted block group in
ext4_mb_find_by_goal()
- Fix a percpu_counters list corruption BUG triggered by an ext4
extents kunit
- Fix a potetial crash caused by the fast commit flush path potentially
accessing the jinode structure before it is fully initialized
- Fix fsync(2) in no-journal mode to make sure the dirtied inode is
write to storage
- Fix a bug when in no-journal mode, when ext4 tries to avoid using
recently deleted inodes, if lazy itable initialization is enabled,
can lead to an unitialized inode getting skipped and triggering an
e2fsck complaint
- Fix journal credit calculation when setting an xattr when both the
encryption and ea_inode feeatures are enabled
- Fix corner cases which could result in stale xarray tags after
writeback
- Fix generic/475 failures caused by ENOSPC errors while creating a
symlink when the system crashes resulting to a file system
inconsistency when replaying the fast commit journal
* tag 'ext4_for_linus-7.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4: (27 commits)
ext4: always drain queued discard work in ext4_mb_release()
ext4: handle wraparound when searching for blocks for indirect mapped blocks
ext4: skip split extent recovery on corruption
ext4: fix iloc.bh leak in ext4_fc_replay_inode() error paths
ext4: fix deadlock on inode reallocation
ext4: fix use-after-free in update_super_work when racing with umount
ext4: fix the might_sleep() warnings in kvfree()
ext4: reject mount if bigalloc with s_first_data_block != 0
ext4: fix extents-test.c is not compiled when EXT4_KUNIT_TESTS=M
ext4: fix mballoc-test.c is not compiled when EXT4_KUNIT_TESTS=M
ext4: introduce EXPORT_SYMBOL_FOR_EXT4_TEST() helper
jbd2: gracefully abort on checkpointing state corruptions
ext4: avoid infinite loops caused by residual data
ext4: validate p_idx bounds in ext4_ext_correct_indexes
ext4: test if inode's all dirty pages are submitted to disk
ext4: minor fix for ext4_split_extent_zeroout()
ext4: avoid allocate block from corrupted group in ext4_mb_find_by_goal()
ext4: kunit: extents-test: lix percpu_counters list corruption
ext4: publish jinode after initialization
ext4: replace BUG_ON with proper error handling in ext4_read_inline_folio
...
Meghana Malladi [Mon, 23 Mar 2026 09:03:58 +0000 (14:33 +0530)]
arm64: defconfig: Enable DP83TG720 PHY driver
Enable DP83TG720 PHY driver as a module to support TI's DP83TG720
1000BASE-T1 Automotive Ethernet PHY. This is required for the
DP83TG720-IND-SPE-EVM daughter card used with AM642 EVM ICSSG0
interface.
Merge tag 'iio-fixes-for-7.0c' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/jic23/iio into char-misc-linus
Jonathan writes:
IIO: 3rd set of fixes for the 7.0 cycle.
Note that this pull is in addition to the 2nd set of such fixes that are
waiting to be picked up. Absolutely fine to queue these for the merge
window if that makes more sense.
Usual mixed back of ancient issues surfacing and newer problems.
adi,ad57770r
- Stop eating an error in read_raw.
adi,adxl313
- Check return of regmap_write() instead of ignoring it in one place.
adi,adxl355
- Fix the description of the temperature channel to be unsigned rather
than signed.
bosch,bmi160
- Avoid use of uninitialized data.
- Fix validation of small reference voltages.
hid-sensor-rotation:
- The timestamp location in this driver has unfortunately been broken for
a long time. Given it was correct for 6 years and then broken for the
next 6 years, use a one off hack to duplicate it in both locations.
The issue was as a result of the unique nature of quaternion
representation combined with large precision resulting in an
128 bit aligned channel.
nxp,sar-adc
- Avoid leaking a dma channel.
rfdigital,rfd77402
- Close a race between reinit_completion() and the irq happening.
ti,adc161s626
- Fix up buffer handling on big endian hosts which was broken due to
casting of pointers to different sized integers.
- Ensure a DMA safe buffer is used.
vishay,vcnl4035
- Fix up buffer handling on big endian hosts which was broken due to
casting of pointers to different sized integers.
vishay,veml6070
- Fix return value mess up that occurred when doing a guard() conversion.
* tag 'iio-fixes-for-7.0c' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/jic23/iio:
iio: light: veml6070: fix veml6070_read() return value
iio: adc: nxp-sar-adc: Fix DMA channel leak in trigger mode
iio: accel: adxl313: add missing error check in predisable
iio: dac: ad5770r: fix error return in ad5770r_read_raw()
iio: accel: fix ADXL355 temperature signature value
iio: light: vcnl4035: fix scan buffer on big-endian
iio: adc: ti-adc161s626: use DMA-safe memory for spi_read()
iio: adc: ti-adc161s626: fix buffer read on big-endian
iio: dac: mcp47feb02: Fix Vref validation [1-999] case
iio: imu: bmi160: Remove potential undefined behavior in bmi160_config_pin()
iio: orientation: hid-sensor-rotation: add timestamp hack to not break userspace
iio: proximity: rfd77402: Fix completion race condition in IRQ mode
Michal Piekos [Sun, 29 Mar 2026 11:43:04 +0000 (13:43 +0200)]
arm64: dts: allwinner: enable h616 timer support
Add support for timer by reusing existing sun4i timer driver.
H616 timer is compatible with earlier sunxi timer variants and provides
both clocksource and clockevent functionality. It runs from 24 MHz
oscillator. It can serve as broadcast clockevent for wake up from idle
states.
Tested on Orange Pi Zero 3:
- timer is registered as clocksource:
- switching clocksource at runtime works
- timer operates as a broadcast clockevent device
- no regression observed compared to arch_sys_counter
Merge tag 'iio-fixes-for-7.0b' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/jic23/iio into char-misc-linux
Jonathan writes:
IIO: 2nd set of fixes for the 7.0 cycle
Usual mixed bag of fixes for recent code and much older issues that have
surfaced. Biggest group are continued resolution of IRQF_ONE_SHOT
being used incorrectly (which now triggers a warning)
adi,ad4062
- Replace IRQF_ONESHOT (as no threaded handler) with IRQF_NO_THREAD as
the caller makes use of iio_trigger_poll() which cannot run from a
thread.
adi,ade9000
- Move mutex_init() earlier to ensure it is available if spurious IRQ
occurs.
adi,adis16550
- Fix swapped gyro and accel filter functions.
adi,adxl3380
- Fix some bit manipulation that was always resulting in 0.
- Fix incorrect register map for calibbias on the active power channel.
- Fix returning IRQF_HANDLED from a function that should return 0 or
-ERRNO.
aspeed,adc
- Clear a reference voltage bit that might be set prior to driver load.
bosch,bno055
- Off by one channel buffer sizing. Benine due to padding prior to the
subsequent timestamp.
hid-sensors
- A more complex fix to IRQF_ONESHOT warning as this driver had a trigger
that was never actually used but the ABI that exposed had to be
maintained to avoid regressions.
hid-sensors-rotation
- An obscure buffer alignment case that applies to quaternions only was
recently broken resulting in writes beyond the end of the channel buffer.
Add a new core macro and apply it in this driver to make it very clear
what was going on.
honeywell,abp2030pa
- Remove meaningless IRQF_ONESHOT from a non threaded IRQ handler.
Warning fix only.
invense,mpu3050
- Fix token passed to free_irq() to match the one used at setup.
- Fix an irq resource leak in error path.
- Reorder probe so that userspace interfaces are exposed only after
everything else has finished.
- Reorder remove slightly to cleanup the buffer only after irq removed
ensuring reverse of probe sequence.
microchip,mcp47feb02
- Fix use of mutex before it was initialized by not performing unnecessary
lock that was early enough in probe that all code was serial.
st,lsm6dsx
- Ensure that FIFO ODR is only controllable for accel and gyro channels
avoiding incorrect register accesses.
- Restrict separation of buffer sampling from main sampling rate to
accelerometer. It is only useful for running event detection faster
than the fifo and the only events are on the accelerometer.
ti,ads1018
- Fix overflow of u8 which wasn't big enough to store max data rate value.
ti,ads1119:
- Fix unbalanced pm in an error path.
- IRQF_ONESHOT (as no threaded handler) replaced with IRQF_NO_THREAD
(needed for iio_trigger_poll()).
- Ensure complete reinitialized before reuse. Previously it would have
completed immediate after the first time.
ti,ads7950
- Fix return value of gpio_get() to be 0 or 1.
- Avoid accidental overwrite of state resulting in gpio_get() only
returning 0 or -ERRNO but never 1.
* tag 'iio-fixes-for-7.0b' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/jic23/iio: (25 commits)
iio: imu: adis16550: fix swapped gyro/accel filter functions
iio: adc: aspeed: clear reference voltage bits before configuring vref
iio: adc: ti-ads1119: Reinit completion before wait_for_completion_timeout()
iio: adc: ti-ads1018: fix type overflow for data rate
iio: adc: ti-ads7950: do not clobber gpio state in ti_ads7950_get()
iio: adc: ti-ads7950: normalize return value of gpio_get
iio: orientation: hid-sensor-rotation: fix quaternion alignment
iio: add IIO_DECLARE_QUATERNION() macro
iio: adc: ti-ads1119: Replace IRQF_ONESHOT with IRQF_NO_THREAD
iio: imu: bno055: fix BNO055_SCAN_CH_COUNT off by one
iio: hid-sensors: Use software trigger
iio: adc: ad4062: Replace IRQF_ONESHOT with IRQF_NO_THREAD
iio: gyro: mpu3050: Fix out-of-sequence free_irq()
iio: gyro: mpu3050: Move iio_device_register() to correct location
iio: gyro: mpu3050: Fix irq resource leak
iio: gyro: mpu3050: Fix incorrect free_irq() variable
iio: imu: st_lsm6dsx: Set buffer sampling frequency for accelerometer only
iio: imu: st_lsm6dsx: Set FIFO ODR for accelerometer and gyroscope only
iio: dac: mcp47feb02: Fix mutex used before initialization
iio: adc: ade9000: fix wrong return type in streaming push
...
Merge tag 'icc-7.0-rc6' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/djakov/icc into char-misc-linus
interconnect fix for v7.0-rc
This contains one driver fix for the current cycle.
- interconnect: qcom: sm8450: Fix NULL pointer dereference in icc_link_nodes()
Signed-off-by: Georgi Djakov <djakov@kernel.org>
* tag 'icc-7.0-rc6' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/djakov/icc:
interconnect: qcom: sm8450: Fix NULL pointer dereference in icc_link_nodes()
Use the new snp_prepare() to initialize SNP from the ccp driver instead of at
boot time. This means that SNP is not enabled unless it is really going to be
used (i.e. kvm_amd loads the ccp driver automatically).
1. clear the RMP table
2. disable MFDM to prevent the FW_WARN in k8_check_syscfg_dram_mod_en() in
the event of a kexec
Create and export to the CCP driver a function that does them.
Also change the MFDM helper to allow for disabling the bit, since the SNP x86
shutdown path needs to disable MFDM.
The comment for k8_check_syscfg_dram_mod_en() notes, the "BIOS" is supposed
clear it, or the kernel in the case of module unload and shutdown followed by
kexec.
Takashi Iwai [Sun, 29 Mar 2026 09:12:38 +0000 (11:12 +0200)]
ALSA: ctxfi: Check the error for index mapping
The ctxfi driver blindly assumed a proper value returned from
daio_device_index(), but it's not always true. Add a proper error
check to deal with the error from the function.
Takashi Iwai [Sun, 29 Mar 2026 09:12:37 +0000 (11:12 +0200)]
ALSA: ctxfi: Fix missing SPDIFI1 index handling
SPDIF1 DAIO type isn't properly handled in daio_device_index() for
hw20k2, and it returned -EINVAL, which ended up with the out-of-bounds
array access. Follow the hw20k1 pattern and return the proper index
for this type, too.
Cássio Gabriel [Sat, 28 Mar 2026 23:42:01 +0000 (20:42 -0300)]
ALSA: hda: intel: Drop obsolete probe-work unlock workaround
Commit ab949d519601 ("ALSA: hda - Fix deadlock of controller device
lock at unbinding") added a temporary device_unlock()/device_lock()
pair around probe-work cancellation to avoid a deadlock between
controller unbind and codec probe.
That deadlock depended on the driver core taking both a device lock and
its parent lock during bind and unbind. Since commit 8c97a46af04b
("driver core: hold dev's parent lock when needed") and follow-up
fixes, the parent lock is only taken when bus->need_parent_lock is set.
The HDA bus does not set that flag, so codec binding no longer locks
the controller device as the codec's parent.
Keep cancel_delayed_work_sync(), since the async probe/remove race
still needs to be serialized, but drop the stale unlock/relock
workaround and its outdated FIXME comment. Keeping it around only
opens an unnecessary unlocked window inside azx_remove().
Linus Torvalds [Sat, 28 Mar 2026 22:23:03 +0000 (15:23 -0700)]
Merge tag 'for-7.0-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux
Pull btrfs fixes from David Sterba:
"A few more fixes. There's one that stands out in size as it fixes an
edge case in fsync.
- fix issue on fsync where file with zero size appears as a non-zero
after log replay
- in zlib compression, handle a crash when data alignment causes
folio reference issues
- fix possible crash with enabled tracepoints on a overlayfs mount
- handle device stats update error
- on zoned filesystems, fix kobject leak on sub-block groups
- fix super block offset in an error message in validation"
* tag 'for-7.0-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
btrfs: fix lost error when running device stats on multiple devices fs
btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file()
btrfs: zlib: handle page aligned compressed size correctly
btrfs: fix leak of kobject name for sub-group space_info
btrfs: fix zero size inode with non-zero size after log replay
btrfs: fix super block offset in error message in btrfs_validate_super()
Gary Guo [Thu, 19 Mar 2026 12:16:45 +0000 (12:16 +0000)]
rust: move `static_assert` into `build_assert`
Conceptually, `static_assert` is also a build-time assertion that occurs
earlier in the pipeline. Consolidate the implementation so that we can use
this as the canonical place to add more useful build-time assertions.
Reviewed-by: Yury Norov <ynorov@nvidia.com> Signed-off-by: Gary Guo <gary@garyguo.net> Reviewed-by: Alice Ryhl <aliceryhl@google.com> Reviewed-by: Danilo Krummrich <dakr@kernel.org> Link: https://patch.msgid.link/20260319121653.2975748-2-gary@kernel.org
[ Used kernel vertical style. - Miguel ] Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Linus Torvalds [Sat, 28 Mar 2026 21:19:55 +0000 (14:19 -0700)]
Merge tag 'mm-hotfixes-stable-2026-03-28-10-45' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Pull misc fixes from Andrew Morton:
"10 hotfixes. 8 are cc:stable. 9 are for MM.
There's a 3-patch series of DAMON fixes from Josh Law and SeongJae
Park. The rest are singletons - please see the changelogs for details"
* tag 'mm-hotfixes-stable-2026-03-28-10-45' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm:
mm/mseal: update VMA end correctly on merge
bug: avoid format attribute warning for clang as well
mm/pagewalk: fix race between concurrent split and refault
mm/memory: fix PMD/PUD checks in follow_pfnmap_start()
mm/damon/sysfs: check contexts->nr in repeat_call_fn
mm/damon/sysfs: check contexts->nr before accessing contexts_arr[0]
mm/damon/sysfs: fix param_ctx leak on damon_sysfs_new_test_ctx() failure
mm/swap: fix swap cache memcg accounting
MAINTAINERS, mailmap: update email address for Harry Yoo
mm/huge_memory: fix folio isn't locked in softleaf_to_folio()
In preparation for delayed SNP initialization, create a function snp_prepare()
that does the necessary architecture setup. Export this function for the ccp
module to allow it to do the setup as necessary.
Introduce a cpu_read_lock/unlock() wrapper around the MFDM and SNP enable.
While CPU hotplug is not supported, this makes sure that the bit setting
happens on the same set of CPUs in both cases.
Tom Lendacky [Tue, 24 Mar 2026 16:12:55 +0000 (10:12 -0600)]
x86/sev: Create a function to clear/zero the RMP
In preparation for delayed SNP initialization and disablement on shutdown,
create a function, clear_rmp(), that clears the RMP bookkeeping area and the
RMP entries.
David Laight [Thu, 26 Mar 2026 20:18:24 +0000 (20:18 +0000)]
tracing: Remove spurious default precision from show_event_trigger/filter formats
Change 2d8b7f9bf8e6e ("tracing: Have show_event_trigger/filter format a bit more in columns")
added space padding to align the output.
However it used ("%*.s", len, "") which requests the default precision.
It doesn't matter here whether the userspace default (0) or kernel
default (no precision) is used, but the format should be "%*s".
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk> Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Cc: Sergey Senozhatsky <senozhatsky@chromium.org> Cc: Andrew Morton <akpm@linux-foundation.org> Link: https://patch.msgid.link/20260326201824.3919-1-david.laight.linux@gmail.com Signed-off-by: David Laight <david.laight.linux@gmail.com> Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org> Reviewed-by: Petr Mladek <pmladek@suse.com> Reviewed-by: Aaron Tomlin <atomlin@atomlin.com> Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
cpufreq: Use trace_call__##name() at guarded tracepoint call sites
Replace trace_foo() with the new trace_call__foo() at sites already
guarded by trace_foo_enabled(), avoiding a redundant
static_branch_unlikely() re-evaluation inside the tracepoint.
trace_call__foo() calls the tracepoint callbacks directly without
utilizing the static branch again.
Cc: Huang Rui <ray.huang@amd.com> Cc: Mario Limonciello <mario.limonciello@amd.com> Cc: Perry Yuan <perry.yuan@amd.com> Cc: "Rafael J. Wysocki" <rafael@kernel.org> Cc: Viresh Kumar <viresh.kumar@linaro.org> Cc: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> Cc: Len Brown <lenb@kernel.org> Link: https://patch.msgid.link/20260323160052.17528-7-vineeth@bitbyteword.org Suggested-by: Steven Rostedt <rostedt@goodmis.org> Suggested-by: Peter Zijlstra <peterz@infradead.org> Signed-off-by: Vineeth Pillai (Google) <vineeth@bitbyteword.org> Assisted-by: Claude:claude-sonnet-4-6 Acked-by: Rafael J. Wysocki (Intel) <rafael@kernel.org> # cpufreq core Reviewed-by: Gautham R. Shenoy <gautham.shenoy@amd.com> Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Will Deacon [Fri, 27 Mar 2026 13:00:46 +0000 (13:00 +0000)]
KVM: arm64: Don't pass host_debug_state to BRBE world-switch routines
Now that the SPE and BRBE nVHE world-switch routines operate on the
host_debug_state directly, tweak the BRBE code to do the same for
consistency.
This is purely cosmetic.
Cc: Marc Zyngier <maz@kernel.org> Cc: Oliver Upton <oupton@kernel.org> Cc: James Clark <james.clark@linaro.org> Cc: Leo Yan <leo.yan@arm.com> Cc: Suzuki K Poulose <suzuki.poulose@arm.com> Cc: Fuad Tabba <tabba@google.com> Cc: Alexandru Elisei <alexandru.elisei@arm.com> Signed-off-by: Will Deacon <will@kernel.org> Tested-by: Fuad Tabba <tabba@google.com> Reviewed-by: Fuad Tabba <tabba@google.com> Link: https://patch.msgid.link/20260327130047.21065-4-will@kernel.org Signed-off-by: Marc Zyngier <maz@kernel.org>
Will Deacon [Fri, 27 Mar 2026 13:00:45 +0000 (13:00 +0000)]
KVM: arm64: Disable SPE Profiling Buffer when running in guest context
The nVHE world-switch code relies on zeroing PMSCR_EL1 to disable
profiling data generation in guest context when SPE is in use by the
host.
Unfortunately, this may leave PMBLIMITR_EL1.E set and consequently we
can end up running in guest/hypervisor context with the Profiling Buffer
enabled. The current "known issues" document for Rev M.a of the Arm ARM
states that this can lead to speculative, out-of-context translations:
| 2.18 D23136:
|
| When the Profiling Buffer is enabled, profiling is not stopped, and
| Discard mode is not enabled, the Statistical Profiling Unit might
| cause speculative translations for the owning translation regime,
| including when the owning translation regime is out-of-context.
In a similar fashion to TRBE, ensure that the Profiling Buffer is
disabled during the nVHE world switch before we start messing with the
stage-2 MMU and trap configuration.
Cc: Marc Zyngier <maz@kernel.org> Cc: Oliver Upton <oupton@kernel.org> Cc: James Clark <james.clark@linaro.org> Cc: Leo Yan <leo.yan@arm.com> Cc: Suzuki K Poulose <suzuki.poulose@arm.com> Cc: Fuad Tabba <tabba@google.com> Cc: Alexandru Elisei <alexandru.elisei@arm.com> Reviewed-by: Alexandru Elisei <alexandru.elisei@arm.com> Reviewed-by: Fuad Tabba <tabba@google.com> Tested-by: Alexandru Elisei <alexandru.elisei@arm.com> Tested-by: Fuad Tabba <tabba@google.com> Fixes: f85279b4bd48 ("arm64: KVM: Save/restore the host SPE state when entering/leaving a VM") Signed-off-by: Will Deacon <will@kernel.org> Link: https://patch.msgid.link/20260327130047.21065-3-will@kernel.org Signed-off-by: Marc Zyngier <maz@kernel.org>
Will Deacon [Fri, 27 Mar 2026 13:00:44 +0000 (13:00 +0000)]
KVM: arm64: Disable TRBE Trace Buffer Unit when running in guest context
The nVHE world-switch code relies on zeroing TRFCR_EL1 to disable trace
generation in guest context when self-hosted TRBE is in use by the host.
Per D3.2.1 ("Controls to prohibit trace at Exception levels"), clearing
TRFCR_EL1 means that trace generation is prohibited at EL1 and EL0 but
per R_YCHKJ the Trace Buffer Unit will still be enabled if
TRBLIMITR_EL1.E is set. R_SJFRQ goes on to state that, when enabled, the
Trace Buffer Unit can perform address translation for the "owning
exception level" even when it is out of context.
Consequently, we can end up in a state where TRBE performs speculative
page-table walks for a host VA/IPA in guest/hypervisor context depending
on the value of MDCR_EL2.E2TB, which changes over world-switch. The
potential result appears to be a heady mixture of SErrors, data
corruption and hardware lockups.
Extend the TRBE world-switch code to clear TRBLIMITR_EL1.E after
draining the buffer, restoring the register on return to the host. This
unfortunately means we need to tackle CPU errata #2064142 and #2038923
which add additional synchronisation requirements around manipulations
of the limit register. Hopefully this doesn't need to be fast.
Cc: Marc Zyngier <maz@kernel.org> Cc: Oliver Upton <oupton@kernel.org> Cc: James Clark <james.clark@linaro.org> Cc: Leo Yan <leo.yan@arm.com> Cc: Suzuki K Poulose <suzuki.poulose@arm.com> Cc: Fuad Tabba <tabba@google.com> Cc: Alexandru Elisei <alexandru.elisei@arm.com> Tested-by: Leo Yan <leo.yan@arm.com> Tested-by: Fuad Tabba <tabba@google.com> Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com> Reviewed-by: Fuad Tabba <tabba@google.com> Fixes: a1319260bf62 ("arm64: KVM: Enable access to TRBE support for host") Signed-off-by: Will Deacon <will@kernel.org> Link: https://patch.msgid.link/20260327130047.21065-2-will@kernel.org Signed-off-by: Marc Zyngier <maz@kernel.org>
Linus Torvalds [Sat, 28 Mar 2026 16:59:09 +0000 (09:59 -0700)]
Merge tag 'trace-v7.0-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
Pull tracing fixes from Steven Rostedt:
- Fix potential deadlock in osnoise and hotplug
The interface_lock can be called by a osnoise thread and the CPU
shutdown logic of osnoise can wait for this thread to finish. But
cpus_read_lock() can also be taken while holding the interface_lock.
This produces a circular lock dependency and can cause a deadlock.
Swap the ordering of cpus_read_lock() and the interface_lock to have
interface_lock taken within the cpus_read_lock() context to prevent
this circular dependency.
- Fix freeing of event triggers in early boot up
If the same trigger is added on the kernel command line, the second
one will fail to be applied and the trigger created will be freed.
This calls into the deferred logic and creates a kernel thread to do
the freeing. But the command line logic is called before kernel
threads can be created and this leads to a NULL pointer dereference.
Delay freeing event triggers until late init.
* tag 'trace-v7.0-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
tracing: Drain deferred trigger frees if kthread creation fails
tracing: Fix potential deadlock in cpu hotplug with osnoise
Linus Torvalds [Sat, 28 Mar 2026 16:50:11 +0000 (09:50 -0700)]
Merge tag 's390-7.0-6' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
Pull s390 fixes from Vasily Gorbik:
- Add array_index_nospec() to syscall dispatch table lookup to prevent
limited speculative out-of-bounds access with user-controlled syscall
number
- Mark array_index_mask_nospec() __always_inline since GCC may emit an
out-of-line call instead of the inline data dependency sequence the
mitigation relies on
- Clear r12 on kernel entry to prevent potential speculative use of
user value in system_call, ext/io/mcck interrupt handlers
* tag 's390-7.0-6' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
s390/entry: Scrub r12 register on kernel entry
s390/syscalls: Add spectre boundary for syscall dispatch table
s390/barrier: Make array_index_mask_nospec() __always_inline
Linus Walleij [Sat, 28 Mar 2026 16:14:58 +0000 (17:14 +0100)]
Merge tag 'renesas-pinctrl-for-v7.1-tag1' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/renesas-drivers into devel
pinctrl: renesas: Updates for v7.1
- Add pin configuration support for RZ/T2H and RZ/N2H,
- Fix save/restore of registers for ports with variable pincfg per pin
on RZ/G3E, RZ/V2H(P), RZ/V2N, and RZ/Five,
- Drop a superfluous blank line.
Steven Rostedt [Sat, 28 Mar 2026 14:19:46 +0000 (10:19 -0400)]
tracing: Remove tracing_alloc_snapshot() when snapshot isn't defined
The function tracing_alloc_snapshot() is only used between trace.c and
trace_snapshot.c. When snapshot isn't configured, it's not used at all.
The stub function was defined as a global with no users and no prototype
causing build issues.
Remove the function when snapshot isn't configured as nothing is calling
it.
Also remove the EXPORT_SYMBOL_GPL() that was associated with it as it's
not used outside of the tracing subsystem which also includes any modules.
Cc: Masami Hiramatsu <mhiramat@kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Link: https://patch.msgid.link/20260328101946.2c4ef4a5@robin Reported-by: Mark Brown <broonie@kernel.org> Closes: https://lore.kernel.org/all/acb-IuZ4vDkwwQLW@sirena.co.uk/ Fixes: bade44fe546212 (tracing: Move snapshot code out of trace.c and into trace_snapshot.c) Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Cássio Gabriel [Sat, 28 Mar 2026 04:53:35 +0000 (01:53 -0300)]
ALSA: hda/proc: show GPI and GPO state in codec proc output
print_gpio() prints the GPIO capability header and the bidirectional
GPIO state, but it never reports the separate GPI and GPO pins even
though AC_PAR_GPIO_CAP exposes their counts.
The HD-audio specification defines dedicated GPI and GPO verbs
alongside the GPIO ones, so codecs with input-only or output-only
general-purpose pins currently lose that state from
/proc/asound/card*/codec#* altogether.
Add the missing read verb definitions and extend print_gpio() to dump
the GPI and GPO pins, too, while leaving the existing IO[] output
unchanged.
Danilo Krummrich [Sat, 21 Mar 2026 17:27:47 +0000 (18:27 +0100)]
rust: dma: add CoherentHandle for DMA allocations without kernel mapping
Add CoherentHandle, an opaque DMA allocation type for buffers that are
only ever accessed by hardware. Unlike Coherent<T>, it does not provide
CPU access to the allocated memory.
CoherentHandle implicitly sets DMA_ATTR_NO_KERNEL_MAPPING and stores the
value returned by dma_alloc_attrs() as an opaque handle
(NonNull<c_void>) rather than a typed pointer, since with this flag the
C API returns an opaque cookie (e.g. struct page *), not a CPU pointer
to the allocated memory.
Only the DMA bus address is exposed to drivers; the opaque handle is
used solely to free the allocation on drop.
This commit is for reference only; there is currently no in-tree user.
Phil Willoughby [Sat, 28 Mar 2026 11:08:41 +0000 (11:08 +0000)]
ALSA: usb-audio: Add quirks for Arturia AF16Rig
The AF16Rig supports 34 channels at 44.1k/48k, 18 channels at 88.2k/96k
and 10 channels at 176.4k/192k.
This quirks is necessary because the automatic probing process we would
otherwise use fails. The root cause of that is that the AF16Rig clock is
not readable (its descriptor says that it is but the reads fail).
Except as described below, the values in the audio format quirks were
copied from the USB descriptors of the device. The rate information is
from the datasheet of the device. The clock is the internal clock of the
AF16Rig.
Tested-By: Phil Willoughby <willerz@gmail.com>
I have tested all the configurations enabled by this patch.
Pengpeng Hou [Sat, 28 Mar 2026 10:28:08 +0000 (18:28 +0800)]
ALSA: asihpi: detect truncated control names
asihpi_ctl_init() builds mixer control names in the fixed 44-byte
hpi_ctl->name buffer with sprintf().
This is not only a defensive cleanup. The current in-tree name tables and
format strings can already exceed 44 bytes. For example,
"Bitstream 0 Internal 0 Monitor Playback Volume"
is 46 characters before the trailing NUL, so the current sprintf() call
writes past the end of hpi_ctl->name.
The generated control name is used as the ALSA control element key, so
blindly truncating it is not sufficient. Switch the formatting to
snprintf() and emit an error if truncation happens, showing the
truncated name while still keeping the write bounded to hpi_ctl->name.
Danilo Krummrich [Sat, 21 Mar 2026 17:27:46 +0000 (18:27 +0100)]
rust: dma: remove DMA_ATTR_NO_KERNEL_MAPPING from public attrs
When DMA_ATTR_NO_KERNEL_MAPPING is passed to dma_alloc_attrs(), the
returned CPU address is not a pointer to the allocated memory but an
opaque handle (e.g. struct page *).
Coherent<T> (or CoherentAllocation<T> respectively) stores this value as
NonNull<T> and exposes methods that dereference it and even modify its
contents.
Remove the flag from the public attrs module such that drivers cannot
pass it to Coherent<T> (or CoherentAllocation<T> respectively) in the
first place.
Instead DMA_ATTR_NO_KERNEL_MAPPING can be supported with an additional
opaque type (e.g. CoherentHandle) which does not provide access to the
allocated memory.
Davidlohr Bueso [Thu, 26 Mar 2026 00:17:59 +0000 (17:17 -0700)]
futex: Clear stale exiting pointer in futex_lock_pi() retry path
Fuzzying/stressing futexes triggered:
WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524
When futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY
and stores a refcounted task pointer in 'exiting'.
After wait_for_owner_exiting() consumes that reference, the local pointer
is never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a
different error, the bogus pointer is passed to wait_for_owner_exiting().
CPU0 CPU1 CPU2
futex_lock_pi(uaddr)
// acquires the PI futex
exit()
futex_cleanup_begin()
futex_state = EXITING;
futex_lock_pi(uaddr)
futex_lock_pi_atomic()
attach_to_pi_owner()
// observes EXITING
*exiting = owner; // takes ref
return -EBUSY
wait_for_owner_exiting(-EBUSY, owner)
put_task_struct(); // drops ref
// exiting still points to owner
goto retry;
futex_lock_pi_atomic()
lock_pi_update_atomic()
cmpxchg(uaddr)
*uaddr ^= WAITERS // whatever
// value changed
return -EAGAIN;
wait_for_owner_exiting(-EAGAIN, exiting) // stale
WARN_ON_ONCE(exiting)
Fix this by resetting upon retry, essentially aligning it with requeue_pi.
Wesley Atwell [Tue, 24 Mar 2026 22:13:26 +0000 (16:13 -0600)]
tracing: Drain deferred trigger frees if kthread creation fails
Boot-time trigger registration can fail before the trigger-data cleanup
kthread exists. Deferring those frees until late init is fine, but the
post-boot fallback must still drain the deferred list if kthread
creation never succeeds.
Otherwise, boot-deferred nodes can accumulate on
trigger_data_free_list, later frees fall back to synchronously freeing
only the current object, and the older queued entries are leaked
forever.
To trigger this, add the following to the kernel command line:
The second traceon trigger will fail and be freed. This triggers a NULL
pointer dereference and crashes the kernel.
Keep the deferred boot-time behavior, but when kthread creation fails,
drain the whole queued list synchronously. Do the same in the late-init
drain path so queued entries are not stranded there either.
Marc Zyngier [Sun, 15 Mar 2026 14:58:44 +0000 (14:58 +0000)]
KVM: arm64: Simplify integration of adjust_nested_*_perms()
Instead of passing pointers to adjust_nested_*_perms(), allow
them to return a new set of permissions.
With some careful moving around so that the canonical permissions
are computed before the nested ones are applied, we end-up with
a bit less code, and something a bit more readable.
Tested-by: Fuad Tabba <tabba@google.com> Reviewed-by: Fuad Tabba <tabba@google.com> Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by: Marc Zyngier <maz@kernel.org>
Marc Zyngier [Sat, 14 Mar 2026 09:44:36 +0000 (09:44 +0000)]
KVM: arm64: Move device mapping management into kvm_s2_fault_pin_pfn()
Attributes computed for devices are computed very late in the fault
handling process, meanning they are mutable for that long.
Introduce both 'device' and 'map_non_cacheable' attributes to the
vma_info structure, allowing that information to be set in stone
earlier, in kvm_s2_fault_pin_pfn().
Tested-by: Fuad Tabba <tabba@google.com> Reviewed-by: Fuad Tabba <tabba@google.com> Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by: Marc Zyngier <maz@kernel.org>
Marc Zyngier [Fri, 13 Mar 2026 09:22:04 +0000 (09:22 +0000)]
KVM: arm64: Replace force_pte with a max_map_size attribute
force_pte is annoyingly limited in what it expresses, and we'd
be better off with a more generic primitive. Introduce max_map_size
instead, which does the trick and can be moved into the vma_info
structure. This firther allows it to reduce the scopes in which
it is mutable.
Tested-by: Fuad Tabba <tabba@google.com> Reviewed-by: Fuad Tabba <tabba@google.com> Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by: Marc Zyngier <maz@kernel.org>
Marc Zyngier [Mon, 9 Mar 2026 14:31:06 +0000 (14:31 +0000)]
KVM: arm64: Move VMA-related information to kvm_s2_fault_vma_info
Mecanically extract a bunch of VMA-related fields from kvm_s2_fault
and move them to a new kvm_s2_fault_vma_info structure.
This is not much, but it already allows us to define which functions
can update this structure, and which ones are pure consumers of the
data. Those in the latter camp are updated to take a const pointer
to that structure.
Tested-by: Fuad Tabba <tabba@google.com> Reviewed-by: Fuad Tabba <tabba@google.com> Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by: Marc Zyngier <maz@kernel.org>
Marc Zyngier [Mon, 9 Mar 2026 11:52:40 +0000 (11:52 +0000)]
KVM: arm64: Kill topup_memcache from kvm_s2_fault
The topup_memcache field can be easily replaced by the equivalent
conditions, and the resulting code is not much worse. While at it,
split prepare_mmu_memcache() into get/topup helpers, which makes
the code more readable.
Tested-by: Fuad Tabba <tabba@google.com> Reviewed-by: Fuad Tabba <tabba@google.com> Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by: Marc Zyngier <maz@kernel.org>
Marc Zyngier [Mon, 9 Mar 2026 11:22:59 +0000 (11:22 +0000)]
KVM: arm64: Kill write_fault from kvm_s2_fault
We already have kvm_is_write_fault() as a predicate indicating
a S2 fault on a write, and we're better off just using that instead
of duplicating the state.
Tested-by: Fuad Tabba <tabba@google.com> Reviewed-by: Fuad Tabba <tabba@google.com> Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by: Marc Zyngier <maz@kernel.org>
Marc Zyngier [Mon, 9 Mar 2026 09:59:38 +0000 (09:59 +0000)]
KVM: arm64: Replace fault_is_perm with a helper
Carrying a boolean to indicate that a given fault is a permission fault
is slightly odd, as this is a property of the fault itself, and we'd
better avoid duplicating state.
For this purpose, introduce a kvm_s2_fault_is_perm() predicate that
can take a fault descriptor as a parameter. fault_is_perm is therefore
dropped from kvm_s2_fault.
Marc Zyngier [Sun, 8 Mar 2026 15:03:49 +0000 (15:03 +0000)]
KVM: arm64: Move fault context to const structure
In order to make it clearer what gets updated or not during fault
handling, move a set of information that losely represents the
fault context.
This gets populated early, from handle_mem_abort(), and gets passed
along as a const pointer. user_mem_abort()'s signature is majorly
improved in doing so, and kvm_s2_fault loses a bunch of fields.
gmem_abort() will get a similar treatment down the line.
Tested-by: Fuad Tabba <tabba@google.com> Reviewed-by: Fuad Tabba <tabba@google.com> Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by: Marc Zyngier <maz@kernel.org>
Marc Zyngier [Sat, 7 Mar 2026 11:39:49 +0000 (11:39 +0000)]
KVM: arm64: Kill fault->ipa
fault->ipa, in a nested contest, represents the output of the guest's
S2 translation for the fault->fault_ipa input, and is equal to
fault->fault_ipa otherwise,
Given that this is readily available from kvm_s2_trans_output(),
drop fault->ipa and directly compute fault->gfn instead, which
is really what we want.
Tested-by: Fuad Tabba <tabba@google.com> Reviewed-by: Fuad Tabba <tabba@google.com> Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by: Marc Zyngier <maz@kernel.org>
Fuad Tabba [Fri, 6 Mar 2026 14:02:32 +0000 (14:02 +0000)]
KVM: arm64: Clean up control flow in kvm_s2_fault_map()
Clean up the KVM MMU lock retry loop by pre-assigning the error code.
Add clear braces to the THP adjustment integration for readability, and
safely unnest the transparent hugepage logic branches.
Signed-off-by: Fuad Tabba <tabba@google.com> Signed-off-by: Marc Zyngier <maz@kernel.org>
Fuad Tabba [Fri, 6 Mar 2026 14:02:31 +0000 (14:02 +0000)]
KVM: arm64: Hoist MTE validation check out of MMU lock path
Simplify the non-cacheable attributes assignment by using a ternary
operator. Additionally, hoist the MTE validation check (mte_allowed) out
of kvm_s2_fault_map() and into kvm_s2_fault_compute_prot(). This allows
us to fail faster and avoid acquiring the KVM MMU lock unnecessarily
when the VMM introduces a disallowed VMA for an MTE-enabled guest.
Signed-off-by: Fuad Tabba <tabba@google.com> Signed-off-by: Marc Zyngier <maz@kernel.org>
Fuad Tabba [Fri, 6 Mar 2026 14:02:30 +0000 (14:02 +0000)]
KVM: arm64: Optimize early exit checks in kvm_s2_fault_pin_pfn()
Optimize the early exit checks in kvm_s2_fault_pin_pfn by grouping all
error responses under the generic is_error_noslot_pfn check first,
avoiding unnecessary branches in the hot path.
Fuad Tabba [Fri, 6 Mar 2026 14:02:29 +0000 (14:02 +0000)]
KVM: arm64: Initialize struct kvm_s2_fault completely at declaration
Simplify the initialization of struct kvm_s2_fault in user_mem_abort().
Instead of partially initializing the struct via designated initializers
and then sequentially assigning the remaining fields (like write_fault
and topup_memcache) further down the function, evaluate those
dependencies upfront.
This allows the entire struct to be fully initialized at declaration. It
also eliminates the need for the intermediate fault_data variable and
its associated fault pointer, reducing boilerplate.
Signed-off-by: Fuad Tabba <tabba@google.com> Signed-off-by: Marc Zyngier <maz@kernel.org>
Fuad Tabba [Fri, 6 Mar 2026 14:02:28 +0000 (14:02 +0000)]
KVM: arm64: Simplify return logic in user_mem_abort()
With the refactoring done, the final return block of user_mem_abort()
can be tidied up a bit more.
Clean up the trailing edge by dropping the unnecessary assignment,
collapsing the return evaluation for kvm_s2_fault_compute_prot(), and
tail calling kvm_s2_fault_map() directly.
Signed-off-by: Fuad Tabba <tabba@google.com> Signed-off-by: Marc Zyngier <maz@kernel.org>
Fuad Tabba [Fri, 6 Mar 2026 14:02:26 +0000 (14:02 +0000)]
KVM: arm64: Simplify nested VMA shift calculation
In the kvm_s2_resolve_vma_size() helper, the local variable vma_pagesize
is calculated from vma_shift, only to be used to bound the vma_pagesize
by max_map_size and subsequently convert it back to a shift via __ffs().
Because vma_pagesize and max_map_size are both powers of two, we can
simplify the logic by omitting vma_pagesize entirely and bounding the
vma_shift directly using the shift of max_map_size. This achieves the
same result while keeping the size-to-shift conversion out of the helper
logic.
Signed-off-by: Fuad Tabba <tabba@google.com> Signed-off-by: Marc Zyngier <maz@kernel.org>
Fuad Tabba [Fri, 6 Mar 2026 14:02:25 +0000 (14:02 +0000)]
KVM: arm64: Extract page table mapping in user_mem_abort()
Extract the code responsible for locking the KVM MMU and mapping the PFN
into the stage-2 page tables into a new helper, kvm_s2_fault_map().
This helper manages the kvm_fault_lock, checks for MMU invalidation
retries, attempts to adjust for transparent huge pages (THP), handles
MTE sanitization if needed, and finally maps or relaxes permissions on
the stage-2 entries.
With this change, the main user_mem_abort() function is now a sequential
dispatcher that delegates to specialized helper functions.
Signed-off-by: Fuad Tabba <tabba@google.com> Signed-off-by: Marc Zyngier <maz@kernel.org>
Fuad Tabba [Fri, 6 Mar 2026 14:02:24 +0000 (14:02 +0000)]
KVM: arm64: Extract stage-2 permission logic in user_mem_abort()
Extract the logic that computes the stage-2 protections and checks for
various permission faults (e.g., execution faults on non-cacheable
memory) into a new helper function, kvm_s2_fault_compute_prot(). This
helper also handles injecting atomic/exclusive faults back into the
guest when necessary.
This refactoring step separates the permission computation from the
mapping logic, making the main fault handler flow clearer.
Signed-off-by: Fuad Tabba <tabba@google.com> Signed-off-by: Marc Zyngier <maz@kernel.org>
Fuad Tabba [Fri, 6 Mar 2026 14:02:23 +0000 (14:02 +0000)]
KVM: arm64: Isolate mmap_read_lock inside new kvm_s2_fault_get_vma_info() helper
Extract the VMA lookup and metadata snapshotting logic from
kvm_s2_fault_pin_pfn() into a tightly-scoped sub-helper.
This refactoring structurally fixes a TOCTOU (Time-Of-Check to
Time-Of-Use) vulnerability and Use-After-Free risk involving the vma
pointer. In the previous layout, the mmap_read_lock is taken, the vma is
looked up, and then the lock is dropped before the function continues to
map the PFN. While an explicit vma = NULL safeguard was present, the vma
variable was still lexically in scope for the remainder of the function.
By isolating the locked region into kvm_s2_fault_get_vma_info(), the vma
pointer becomes a local variable strictly confined to that sub-helper.
Because the pointer's scope literally ends when the sub-helper returns,
it is not possible for the subsequent page fault logic in
kvm_s2_fault_pin_pfn() to accidentally access the vanished VMA,
eliminating this bug class by design.
Signed-off-by: Fuad Tabba <tabba@google.com> Signed-off-by: Marc Zyngier <maz@kernel.org>
Fuad Tabba [Fri, 6 Mar 2026 14:02:22 +0000 (14:02 +0000)]
KVM: arm64: Extract PFN resolution in user_mem_abort()
Extract the section of code responsible for pinning the physical page
frame number (PFN) backing the faulting IPA into a new helper,
kvm_s2_fault_pin_pfn().
This helper encapsulates the critical section where the mmap_read_lock
is held, the VMA is looked up, the mmu invalidate sequence is sampled,
and the PFN is ultimately resolved via __kvm_faultin_pfn(). It also
handles the early exits for hardware poisoned pages and noslot PFNs.
By isolating this region, we can begin to organize the state variables
required for PFN resolution into the kvm_s2_fault struct, clearing out
a significant amount of local variable clutter from user_mem_abort().
Signed-off-by: Fuad Tabba <tabba@google.com> Signed-off-by: Marc Zyngier <maz@kernel.org>
Fuad Tabba [Fri, 6 Mar 2026 14:02:21 +0000 (14:02 +0000)]
KVM: arm64: Introduce struct kvm_s2_fault to user_mem_abort()
The user_mem_abort() function takes many arguments and defines a large
number of local variables. Passing all these variables around to helper
functions would result in functions with too many arguments.
Introduce struct kvm_s2_fault to encapsulate the stage-2 fault state.
This structure holds both the input parameters and the intermediate
state required during the fault handling process.
Update user_mem_abort() to initialize this structure and replace the
usage of local variables with fields from the new structure.
This prepares the ground for further extracting parts of
user_mem_abort() into smaller helper functions that can simply take a
pointer to the fault state structure.
KVM: arm64: ptdump: Initialize parser_state before pgtable walk
If we go through the "need a bigger buffer" path in seq_read_iter(), which
is likely to happen as we're dumping page tables, we will pass the
populated-by-last-run st::parser_state to
kvm_pgtable_walk()/kvm_ptdump_visitor(). As a result, the output of
stage2_page_tables on my box looks like
0x0000000240000000-0x0000000000000000 17179869175G 1
0x0000000000000000-0x0000000000200000 2M 2 R px ux AF BLK
0x0000000000200000-0x0000000040000000 1022M 2
0x0000000040000000-0x0000000040200000 2M 2 R W PXNUXN AF BLK
[...]
Fix it by always initializing st::parser_state before starting a new
pgtable walk.
Besides, remove st::range as it's not used by note_page(); remove the
explicit initialization of parser_state::start_address as it will be
initialized in note_page() anyway.
Cássio Gabriel [Wed, 25 Mar 2026 05:24:04 +0000 (02:24 -0300)]
ALSA: core: Validate compress device numbers without dynamic minors
Without CONFIG_SND_DYNAMIC_MINORS, ALSA reserves only two fixed minors
for compress devices on each card: comprD0 and comprD1.
snd_find_free_minor() currently computes the compress minor as
type + dev without validating dev first, so device numbers greater than
1 spill into the HWDEP minor range instead of failing registration.
ASoC passes rtd->id to snd_compress_new(), so this can happen on real
non-dynamic-minor builds.
Add a dedicated fixed-minor check for SNDRV_DEVICE_TYPE_COMPRESS in
snd_find_free_minor() and reject out-of-range device numbers with
-EINVAL before constructing the minor.
Also remove the stale TODO in compress_offload.c that still claims
multiple compress nodes are missing.
Phil Willoughby [Sat, 28 Mar 2026 08:07:34 +0000 (08:07 +0000)]
ALSA: usb-audio: Fix quirk flags for NeuralDSP Quad Cortex
The NeuralDSP Quad Cortex does not support DSD playback. We need
this product-specific entry with zero quirks because otherwise it
falls through to the vendor-specific entry which marks it as
supporting DSD playback.
Cc: Yue Wang <yuleopen@gmail.com> Cc: Jaroslav Kysela <perex@perex.cz> Cc: Takashi Iwai <tiwai@suse.com> Signed-off-by: Phil Willoughby <willerz@gmail.com> Link: https://patch.msgid.link/20260328080921.3310-1-willerz@gmail.com Signed-off-by: Takashi Iwai <tiwai@suse.de>
Linus Walleij [Tue, 24 Feb 2026 10:26:32 +0000 (11:26 +0100)]
fork: zero vmap stack using clear_pages() instead of memset()
After the introduction of clear_pages() we exploit the fact that the
process vm_area is allocated in contiguous pages to just clear them all in
one swift operation.
Link: https://lkml.kernel.org/r/20260224-mm-fork-clear-pages-v1-1-184c65a72d49@kernel.org Signed-off-by: Linus Walleij <linusw@kernel.org> Suggested-by: Mateusz Guzik <mjguzik@gmail.com> Link: https://lore.kernel.org/linux-mm/dpnwsp7dl4535rd7qmszanw6u5an2p74uxfex4dh53frpb7pu3@2bnjjavjrepe/ Suggested-by: Pasha Tatashin <pasha.tatashin@soleen.com> Link: https://lore.kernel.org/20240311164638.2015063-7-pasha.tatashin@soleen.com Reviewed-by: Lorenzo Stoakes (Oracle) <ljs@kernel.org> Cc: Ankur Arora <ankur.a.arora@oracle.com> Cc: Ben Segall <bsegall@google.com> Cc: David Hildenbrand <david@kernel.org> Cc: Dietmar Eggemann <dietmar.eggemann@arm.com> Cc: Ingo Molnar <mingo@redhat.com> Cc: Juri Lelli <juri.lelli@redhat.com> Cc: Kees Cook <kees@kernel.org> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: Mel Gorman <mgorman@suse.de> Cc: Michal Hocko <mhocko@suse.com> Cc: Mike Rapoport <rppt@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Steven Rostedt <rostedt@goodmis.org> Cc: Suren Baghdasaryan <surenb@google.com> Cc: Valentin Schneider <vschneid@redhat.com> Cc: Vincent Guittot <vincent.guittot@linaro.org> Cc: Vlastimil Babka <vbabka@suse.cz> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Junrui Luo [Sat, 7 Mar 2026 07:21:09 +0000 (15:21 +0800)]
ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison
The local-vs-remote region comparison loop uses '<=' instead of '<',
causing it to read one entry past the valid range of qr_regions. The
other loops in the same function correctly use '<'.
Fix the loop condition to use '<' for consistency and correctness.
Link: https://lkml.kernel.org/r/SYBPR01MB78813DA26B50EC5E01F00566AF7BA@SYBPR01MB7881.ausprd01.prod.outlook.com Fixes: ea2034416b54 ("ocfs2/dlm: Add message DLM_QUERY_REGION") Signed-off-by: Junrui Luo <moonafterrain@outlook.com> Reported-by: Yuhao Jiang <danisjiang@gmail.com> Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com> Cc: Mark Fasheh <mark@fasheh.com> Cc: Joel Becker <jlbec@evilplan.org> Cc: Junxiao Bi <junxiao.bi@oracle.com> Cc: Changwei Ge <gechangwei@live.cn> Cc: Jun Piao <piaojun@huawei.com> Cc: Heming Zhao <heming.zhao@suse.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Junrui Luo [Sat, 7 Mar 2026 07:21:08 +0000 (15:21 +0800)]
ocfs2/dlm: validate qr_numregions in dlm_match_regions()
Patch series "ocfs2/dlm: fix two bugs in dlm_match_regions()".
In dlm_match_regions(), the qr_numregions field from a DLM_QUERY_REGION
network message is used to drive loops over the qr_regions buffer without
sufficient validation. This series fixes two issues:
- Patch 1 adds a bounds check to reject messages where qr_numregions
exceeds O2NM_MAX_REGIONS. The o2net layer only validates message
byte length; it does not constrain field values, so a crafted message
can set qr_numregions up to 255 and trigger out-of-bounds reads past
the 1024-byte qr_regions buffer.
- Patch 2 fixes an off-by-one in the local-vs-remote comparison loop,
which uses '<=' instead of '<', reading one entry past the valid range
even when qr_numregions is within bounds.
This patch (of 2):
The qr_numregions field from a DLM_QUERY_REGION network message is used
directly as loop bounds in dlm_match_regions() without checking against
O2NM_MAX_REGIONS. Since qr_regions is sized for at most O2NM_MAX_REGIONS
(32) entries, a crafted message with qr_numregions > 32 causes
out-of-bounds reads past the qr_regions buffer.
Add a bounds check for qr_numregions before entering the loops.
Josh Law [Wed, 18 Mar 2026 07:48:05 +0000 (07:48 +0000)]
lib/bch: fix signed left-shift undefined behavior
Patch series "lib/bch: fix undefined behavior from signed left-shifts".
Fix two instances of undefined behavior in lib/bch.c caused by
left-shifting signed integers into or past the sign bit.
While the kernel's -fno-strict-overflow flag prevents miscompilation
today, these are formally UB per C11 6.5.7p4 and trivial to fix.
This patch (of 2):
Use 1u instead of 1 to avoid undefined behavior when left-shifting into
the sign bit of a signed int. deg() can return up to 31, and 1 << 31 is
UB per C11.
Patrick Bellasi [Wed, 18 Mar 2026 15:05:45 +0000 (15:05 +0000)]
scripts/decodecode: return 0 on success
The decodecode script always returns an exit code of 1, regardless of
whether the operation was successful or not. This is because the
"cleanup" function, which is registered to run on any script exit via
"trap cleanup EXIT", contains an unconditional "exit 1".
Remove the "exit 1" from the "cleanup" function so that it only performs
the necessary file cleanup without forcing a non-zero exit status.
Do that to ensure successful script executions now exit with code 0.
Exits due to errors are all handled by the "die()" function and will still
correctly exit with code 1.
Petr Mladek [Mon, 23 Mar 2026 17:21:38 +0000 (18:21 +0100)]
doc: watchdog: futher improvements
Make further additions and alterations to the watchdog documentation.
Link: https://lkml.kernel.org/r/acF3tXBxSr0KOP9b@pathway.suse.cz Signed-off-by: Petr Mladek <pmladek@suse.com> Reviewed-by: Douglas Anderson <dianders@chromium.org> Cc: Ian Rogers <irogers@google.com> Cc: Jonathan Corbet <corbet@lwn.net> Cc: Li Huafei <lihuafei1@huawei.com> Cc: Max Kellermann <max.kellermann@ionos.com> Cc: Mayank Rungta <mrungta@google.com> Cc: Shuah Khan <skhan@linuxfoundation.org> Cc: Stephane Erainan <eranian@google.com> Cc: Wang Jinchao <wangjinchao600@gmail.com> Cc: Yunhui Cui <cuiyunhui@bytedance.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Mayank Rungta [Thu, 12 Mar 2026 23:22:06 +0000 (16:22 -0700)]
doc: watchdog: document buddy detector
The current documentation generalizes the hardlockup detector as primarily
NMI-perf-based and lacks details on the SMP "Buddy" detector.
Update the documentation to add a detailed description of the Buddy
detector, and also restructure the "Implementation" section to explicitly
separate "Softlockup Detector", "Hardlockup Detector (NMI/Perf)", and
"Hardlockup Detector (Buddy)".
Clarify that the softlockup hrtimer acts as the heartbeat generator for
both hardlockup mechanisms and centralize the configuration details in a
"Frequency and Heartbeats" section.
Link: https://lkml.kernel.org/r/20260312-hardlockup-watchdog-fixes-v2-5-45bd8a0cc7ed@google.com Signed-off-by: Mayank Rungta <mrungta@google.com> Reviewed-by: Douglas Anderson <dianders@chromium.org> Cc: Ian Rogers <irogers@google.com> Cc: Jonathan Corbet <corbet@lwn.net> Cc: Li Huafei <lihuafei1@huawei.com> Cc: Max Kellermann <max.kellermann@ionos.com> Cc: Petr Mladek <pmladek@suse.com> Cc: Shuah Khan <skhan@linuxfoundation.org> Cc: Stephane Erainan <eranian@google.com> Cc: Wang Jinchao <wangjinchao600@gmail.com> Cc: Yunhui Cui <cuiyunhui@bytedance.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Mayank Rungta [Thu, 12 Mar 2026 23:22:05 +0000 (16:22 -0700)]
watchdog/hardlockup: improve buddy system detection timeliness
Currently, the buddy system only performs checks every 3rd sample. With a
4-second interval. If a check window is missed, the next check occurs 12
seconds later, potentially delaying hard lockup detection for up to 24
seconds.
Modify the buddy system to perform checks at every interval (4s).
Introduce a missed-interrupt threshold to maintain the existing grace
period while reducing the detection window to 8-12 seconds.
Best and worst case detection scenarios:
Before (12s check window):
- Best case: Lockup occurs after first check but just before heartbeat
interval. Detected in ~8s (8s till next check).
- Worst case: Lockup occurs just after a check.
Detected in ~24s (missed check + 12s till next check + 12s logic).
After (4s check window with threshold of 3):
- Best case: Lockup occurs just before a check.
Detected in ~8s (0s till 1st check + 4s till 2nd + 4s till 3rd).
- Worst case: Lockup occurs just after a check.
Detected in ~12s (4s till 1st check + 4s till 2nd + 4s till 3rd).
Link: https://lkml.kernel.org/r/20260312-hardlockup-watchdog-fixes-v2-4-45bd8a0cc7ed@google.com Signed-off-by: Mayank Rungta <mrungta@google.com> Reviewed-by: Douglas Anderson <dianders@chromium.org> Reviewed-by: Petr Mladek <pmladek@suse.com> Cc: Ian Rogers <irogers@google.com> Cc: Jonathan Corbet <corbet@lwn.net> Cc: Li Huafei <lihuafei1@huawei.com> Cc: Max Kellermann <max.kellermann@ionos.com> Cc: Shuah Khan <skhan@linuxfoundation.org> Cc: Stephane Erainan <eranian@google.com> Cc: Wang Jinchao <wangjinchao600@gmail.com> Cc: Yunhui Cui <cuiyunhui@bytedance.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
The current documentation implies that a hardlockup is strictly defined as
looping for "more than 10 seconds." However, the detection mechanism is
periodic (based on `watchdog_thresh`), meaning detection time varies
significantly depending on when the lockup occurs relative to the NMI perf
event.
Update the definition to remove the strict "more than 10 seconds"
constraint in the introduction and defer details to the Implementation
section.
Additionally, add a "Detection Overhead" section illustrating the Best
Case (~6s) and Worst Case (~20s) detection scenarios to provide
administrators with a clearer understanding of the watchdog's latency.
Link: https://lkml.kernel.org/r/20260312-hardlockup-watchdog-fixes-v2-3-45bd8a0cc7ed@google.com Signed-off-by: Mayank Rungta <mrungta@google.com> Reviewed-by: Petr Mladek <pmladek@suse.com> Reviewed-by: Douglas Anderson <dianders@chromium.org> Cc: Ian Rogers <irogers@google.com> Cc: Jonathan Corbet <corbet@lwn.net> Cc: Li Huafei <lihuafei1@huawei.com> Cc: Max Kellermann <max.kellermann@ionos.com> Cc: Shuah Khan <skhan@linuxfoundation.org> Cc: Stephane Erainan <eranian@google.com> Cc: Wang Jinchao <wangjinchao600@gmail.com> Cc: Yunhui Cui <cuiyunhui@bytedance.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Mayank Rungta [Thu, 12 Mar 2026 23:22:03 +0000 (16:22 -0700)]
watchdog: update saved interrupts during check
Currently, arch_touch_nmi_watchdog() causes an early return that skips
updating hrtimer_interrupts_saved. This leads to stale comparisons and
delayed lockup detection.
I found this issue because in our system the serial console is fairly
chatty. For example, the 8250 console driver frequently calls
touch_nmi_watchdog() via console_write(). If a CPU locks up after a timer
interrupt but before next watchdog check, we see the following sequence:
* watchdog_hardlockup_check() saves counter (e.g., 1000)
* Timer runs and updates the counter (1001)
* touch_nmi_watchdog() is called
* CPU locks up
* 10s pass: check() notices touch, returns early, skips update
* 10s pass: check() saves counter (1001)
* 10s pass: check() finally detects lockup
This delays detection to 30 seconds. With this fix, we detect the lockup
in 20 seconds.
Link: https://lkml.kernel.org/r/20260312-hardlockup-watchdog-fixes-v2-2-45bd8a0cc7ed@google.com Signed-off-by: Mayank Rungta <mrungta@google.com> Reviewed-by: Douglas Anderson <dianders@chromium.org> Reviewed-by: Petr Mladek <pmladek@suse.com> Cc: Ian Rogers <irogers@google.com> Cc: Jonathan Corbet <corbet@lwn.net> Cc: Li Huafei <lihuafei1@huawei.com> Cc: Max Kellermann <max.kellermann@ionos.com> Cc: Shuah Khan <skhan@linuxfoundation.org> Cc: Stephane Erainan <eranian@google.com> Cc: Wang Jinchao <wangjinchao600@gmail.com> Cc: Yunhui Cui <cuiyunhui@bytedance.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Mayank Rungta [Thu, 12 Mar 2026 23:22:02 +0000 (16:22 -0700)]
watchdog: return early in watchdog_hardlockup_check()
Patch series "watchdog/hardlockup: Improvements to hardlockup", v2.
This series addresses limitations in the hardlockup detector
implementations and updates the documentation to reflect actual behavior
and recent changes.
The changes are structured as follows:
Refactoring (Patch 1)
=====================
Patch 1 refactors watchdog_hardlockup_check() to return early if no
lockup is detected. This reduces the indentation level of the main
logic block, serving as a clean base for the subsequent changes.
Hardlockup Detection Improvements (Patches 2 & 4)
=================================================
The hardlockup detector logic relies on updating saved interrupt counts to
determine if the CPU is making progress.
Patch 1 ensures that the saved interrupt count is updated unconditionally
before checking the "touched" flag. This prevents stale comparisons which
can delay detection. This is a logic fix that ensures the detector
remains accurate even when the watchdog is frequently touched.
Patch 3 improves the Buddy detector's timeliness. The current checking
interval (every 3rd sample) causes high variability in detection time (up
to 24s). This patch changes the Buddy detector to check at every hrtimer
interval (4s) with a missed-interrupt threshold of 3, narrowing the
detection window to a consistent 8-12 second range.
Documentation Updates (Patches 3 & 5)
=====================================
The current documentation does not fully capture the variable nature of
detection latency or the details of the Buddy system.
Patch 3 removes the strict "10 seconds" definition of a hardlockup, which
was misleading given the periodic nature of the detector. It adds a
"Detection Overhead" section to the admin guide, using "Best Case" and
"Worst Case" scenarios to illustrate that detection time can vary
significantly (e.g., ~6s to ~20s).
Patch 5 adds a dedicated section for the Buddy detector, which was
previously undocumented. It details the mechanism, the new timing logic,
and known limitations.
This patch (of 5):
Invert the `is_hardlockup(cpu)` check in `watchdog_hardlockup_check()` to
return early when a hardlockup is not detected. This flattens the main
logic block, reducing the indentation level and making the code easier to
read and maintain.
This refactoring serves as a preparation patch for future hardlockup
changes.
Link: https://lkml.kernel.org/r/20260312-hardlockup-watchdog-fixes-v2-0-45bd8a0cc7ed@google.com Link: https://lkml.kernel.org/r/20260312-hardlockup-watchdog-fixes-v2-1-45bd8a0cc7ed@google.com Signed-off-by: Mayank Rungta <mrungta@google.com> Reviewed-by: Douglas Anderson <dianders@chromium.org> Reviewed-by: Petr Mladek <pmladek@suse.com> Cc: Ian Rogers <irogers@google.com> Cc: Jonathan Corbet <corbet@lwn.net> Cc: Li Huafei <lihuafei1@huawei.com> Cc: Max Kellermann <max.kellermann@ionos.com> Cc: Shuah Khan <skhan@linuxfoundation.org> Cc: Stephane Erainan <eranian@google.com> Cc: Wang Jinchao <wangjinchao600@gmail.com> Cc: Yunhui Cui <cuiyunhui@bytedance.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Eric Biggers [Sat, 14 Mar 2026 20:42:43 +0000 (13:42 -0700)]
kernel/crash: remove inclusion of crypto/sha1.h
Several files related to kernel crash dumps include crypto/sha1.h but
never use any of its functionality. Remove these includes so that these
files don't unnecessarily come up in searches for which kernel code is
still using the obsolete SHA-1 algorithm.
Link: https://lkml.kernel.org/r/20260314204243.45001-1-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org> Cc: Baoquan He <bhe@redhat.com> Cc: Dave Young <dyoung@redhat.com> Cc: Vivek Goyal <vgoyal@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Hisam Mehboob [Thu, 12 Mar 2026 01:17:42 +0000 (06:17 +0500)]
CREDITS: simplify the end-of-file alphabetical order comment
The existing comment references specific individuals by name which becomes
outdated as new entries are added. Simplify it to state the alphabetical
ordering rule clearly without depending on who happens to be the last
entry.
Link: https://lkml.kernel.org/r/20260312011741.846664-2-hisamshar@gmail.com Signed-off-by: Hisam Mehboob <hisamshar@gmail.com> Suggested-by: Randy Dunlap <rdunlap@infradead.org> Acked-by: Randy Dunlap <rdunlap@infradead.org> Cc: Jakub Kacinski <kuba@kernel.org> Cc: Simon Horman <horms@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Josh Law [Thu, 12 Mar 2026 21:52:49 +0000 (21:52 +0000)]
lib/glob: initialize back_str to silence uninitialized variable warning
back_str is only used when back_pat is non-NULL, and both are always set
together, so it is safe in practice. Initialize back_str to NULL to make
this safety invariant explicit and silence compiler/static analysis
warnings.
projects / thirdparty / kernel / stable.git / log
