Leo Yan [Fri, 15 May 2026 20:08:31 +0000 (21:08 +0100)]
coresight: Add PM callbacks for sink device
Unlike system level sinks, per-CPU sinks may lose power during CPU idle
states. Currently, this applies specifically to TRBE. This commit
invokes save and restore callbacks for the sink in the CPU PM notifier.
If the sink provides PM callbacks but the source does not, this is
unsafe because the sink cannot be disabled safely unless the source
can also be controlled, so veto low power entry to avoid lockups.
Leo Yan [Fri, 15 May 2026 20:08:30 +0000 (21:08 +0100)]
coresight: Control path during CPU idle
Extend the CPU PM flow to control the path: disable from source up to
the node before the sink, then re-enable the same range on restore.
To avoid latency, control it up to the node before the sink.
Track per-CPU PM restore failures using percpu_pm_failed. Once a CPU
hits a restore failure, set the percpu_pm_failed and return NOTIFY_BAD
on subsequent notifications to avoid repeating half-completed
transitions.
Setting percpu_pm_failed permanently blocks CPU PM on that CPU. Such
failures are typically seen during development; disabling PM operations
simplifies the implementation, and a warning highlights the issue.
Clear this flag when the source device is unregistered.
Leo Yan [Fri, 15 May 2026 20:08:26 +0000 (21:08 +0100)]
coresight: Save active path for system tracers
This commit only set the path pointer for system tracers (e.g. STM) in
coresight_{enable|disable}_source().
Later changes will set the path pointer locally for per-CPU sources.
This is because the mode and path pointer must be set together, so that
they are observed atomically by the CPU PM notifier.
Leo Yan [Fri, 15 May 2026 20:08:23 +0000 (21:08 +0100)]
coresight: Control path with range
CPU PM notifiers need to control only part of a path instead of always
operating on the full path.
Add internal enable and disable helpers that take an inclusive node
range [from, to], validate that the requested nodes are ordered before
using them.
Update the existed coresight_{enable|disable}_path() interfaces as
full-path wrappers by passing the first and last path nodes. The helpers
coresight_path_{first|last}_node() are provided for conveniently
fetching the first and last nodes on the path.
In coresight_enable_path_from_to(), if a failure occurs at the last node
in the range, no device is actually enabled in this case, bail out
directly.
Leo Yan [Fri, 15 May 2026 20:08:22 +0000 (21:08 +0100)]
coresight: Disable source helpers in coresight_disable_path()
coresight_enable_path() enables helpers attached to every device in
the path, including those bound to the source. However,
coresight_disable_path() skips the source node, so source helpers had
to be disabled separately in coresight_disable_source().
Move source helper disabling into coresight_disable_path() instead.
Make coresight_disable_path_from() start from the passed node nd, so
it can also disable helpers on the source. Update the comments
accordingly.
As coresight_disable_path_from() now changes its semantics from
"start beyond nd" to "start from nd", update the failure handling in
coresight_enable_path(). If enabling a node fails, iterate to the
previous node (the last successfully enabled one) and pass it to
coresight_disable_path_from() for rollback.
Leo Yan [Fri, 15 May 2026 20:08:21 +0000 (21:08 +0100)]
coresight: syscfg: Use IRQ-safe spinlock to protect active variables
cscfg_config_sysfs_get_active_cfg() will be used from idle flows, while
sleeping locks are not allowed. Introduce sysfs_store_lock to replace
the mutex to protect sysfs_active_config and sysfs_active_preset
accesses, with IRQ-safe locking to avoid lockdep complaint.
Refactor cscfg_config_sysfs_activate() to use spinlock for
sysfs_active_config and activate/deactivate config.
Leo Yan [Fri, 15 May 2026 20:08:20 +0000 (21:08 +0100)]
coresight: etm4x: Remove redundant checks in PM save and restore
ETMv4 driver save/restore callbacks still re-check conditions that are
already validated by the core layer before the callbacks are invoked.
Remove the duplicated checks and fold the two-level functions into
direct callback implementations. The obsolete WARN_ON() checks are
removed as well.
Reviewed-by: Mike Leach <mike.leach@linaro.org> Tested-by: James Clark <james.clark@linaro.org> Reviewed-by: Yeoreum Yun <yeoreum.yun@arm.com> Reviewed-by: James Clark <james.clark@linaro.org> Tested-by: Jie Gan <jie.gan@oss.qualcomm.com> Signed-off-by: Leo Yan <leo.yan@arm.com> Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com> Link: https://lore.kernel.org/r/20260515-arm_coresight_path_power_management_improvement-v14-13-f88c4a3ecfe9@arm.com
Leo Yan [Fri, 15 May 2026 20:08:19 +0000 (21:08 +0100)]
coresight: etm4x: Hook CPU PM callbacks
Add a helper etm4_pm_save_needed() to detect if need save context for
self-hosted PM mode and hook pm_save_disable() and pm_restore_enable()
callbacks through etm4_cs_pm_ops structure. With this, ETMv4 PM
save/restore is integrated into the core layer's CPU PM.
Organize etm4_cs_ops and etm4_cs_pm_ops together for more readable.
The CPU PM notifier in the ETMv4 driver is no longer needed, remove it
along with its registration and unregistration code.
Leo Yan [Fri, 15 May 2026 20:08:18 +0000 (21:08 +0100)]
coresight: Register CPU PM notifier in core layer
The current implementation only saves and restores the context for ETM
sources while ignoring the context of links. However, if funnels or
replicators on a linked path resides in a CPU or cluster power domain,
the hardware context for the link will be lost after resuming from low
power states.
To support context management for links during CPU low power modes, a
better way is to implement CPU PM callbacks in the Arm CoreSight core
layer. As the core layer has sufficient information for linked paths,
from tracers to links, which can be used for power management.
As a first step, this patch registers CPU PM notifier in the core layer.
If a source device provides callbacks for saving and restoring context,
these callbacks will be invoked in CPU suspend and resume.
Leo Yan [Fri, 15 May 2026 20:08:17 +0000 (21:08 +0100)]
coresight: Take per-CPU source reference during AUX setup
etm_setup_aux() fetches the per-CPU source pointer while preparing perf
AUX trace paths. This can race with CoreSight device unregistration, the
ETM device may has been released while the AUX setup still use it,
leading to use-after-free.
Move per-CPU path construction into etm_event_build_path() and use
the coresight_{get|put}_percpu_source_ref() pairs to take and drop
the device references, this ensures the device is safe to access during
path construction.
Update comments accordingly. Document a PREEMPT_RT corner case: the
put_device() may release resources while coresight_dev_lock (a raw
spinlock) is held, and the release may attempt to acquire a spinlock
that becomes sleepable under PREEMPT_RT. This will be fixed in the
future.
Leo Yan [Fri, 15 May 2026 20:08:15 +0000 (21:08 +0100)]
coresight: Take a reference on csdev
coresight_get_ref() currently pins the provider module and takes a
reference on the parent device, but it does not pin &csdev->dev. Take a
reference on &csdev->dev when grabbing a CoreSight device and drop it in
coresight_put_ref().
Reorder the sequence to follow child-to-parent dependencies: first take
a reference on csdev, then on the parent device and grab the driver
module. Once the data and module are pinned, take a PM runtime
reference to power on the hardware.
Leo Yan [Fri, 15 May 2026 20:08:14 +0000 (21:08 +0100)]
coresight: perf: Retrieve path and source from event data
ETM perf callbacks currently use the per-CPU csdev_src pointer, which
can race with updates during device registration and unregistration.
The AUX setup already builds and stores the path in the event data.
Use this path to retrieve the source instead of csdev_src to avoid
the race.
Export coresight_get_source() and add etm_event_get_ctxt_path() to
retrieve the context's path and its source with READ_ONCE() /
WRITE_ONCE() accessors. Give the comments to explain why this
approach is safe when pause or resume callbacks preempt the disable
callback (e.g. via NMI).
Leo Yan [Fri, 15 May 2026 20:08:13 +0000 (21:08 +0100)]
coresight: Take hotplug lock in enable_source_store() for Sysfs mode
The hotplug lock is acquired and released in etm{3|4}_disable_sysfs(),
which are low-level functions. This prevents us from a new solution for
hotplug.
Firstly, hotplug callbacks cannot invoke etm{3|4}_disable_sysfs() to
disable the source; otherwise, a deadlock issue occurs. The reason is
that, in the hotplug flow, the kernel acquires the hotplug lock before
calling callbacks. Subsequently, if coresight_disable_source() is
invoked and it calls etm{3|4}_disable_sysfs(), the hotplug lock will be
acquired twice, leading to a double lock issue.
Secondly, when hotplugging a CPU on or off, if we want to manipulate all
components on a path attached to the CPU, we need to maintain atomicity
for the entire path. Otherwise, a race condition may occur with users
setting the same path via the Sysfs knobs, ultimately causing mess
states in CoreSight components.
This patch moves the hotplug locking from etm{3|4}_disable_sysfs() into
enable_source_store(). As a result, when users control the Sysfs knobs,
the whole flow is protected by hotplug locking, ensuring it is mutual
exclusive with hotplug callbacks.
Note, the paired function etm{3|4}_enable_sysfs() does not use hotplug
locking, which is why this patch does not modify it.
Reviewed-by: Mike Leach <mike.leach@linaro.org> Tested-by: James Clark <james.clark@linaro.org> Reviewed-by: Yeoreum Yun <yeoreum.yun@arm.com> Reviewed-by: James Clark <james.clark@linaro.org> Tested-by: Jie Gan <jie.gan@oss.qualcomm.com> Signed-off-by: Leo Yan <leo.yan@arm.com> Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com> Link: https://lore.kernel.org/r/20260515-arm_coresight_path_power_management_improvement-v14-6-f88c4a3ecfe9@arm.com
Leo Yan [Fri, 15 May 2026 20:08:11 +0000 (21:08 +0100)]
coresight: Populate CPU ID into coresight_device
Add a new flag CORESIGHT_DESC_CPU_BOUND to indicate components that
are CPU bound. Populate CPU ID into the coresight_device structure;
otherwise, set CPU ID to -1 for non CPU bound devices.
Use the {0} initializer to clear coresight_desc structures to avoid
uninitialized values.
Leo Yan [Fri, 15 May 2026 20:08:09 +0000 (21:08 +0100)]
coresight: Handle helper enable failure properly
If a helper fails to be enabled, unwind any helpers that were already
enabled earlier in the loop. This avoids leaving partially enabled
helpers behind.
Fixes: 6148652807ba ("coresight: Enable and disable helper devices adjacent to the path") Reviewed-by: Yeoreum Yun <yeoreum.yun@arm.com> Reviewed-by: James Clark <james.clark@linaro.org> Tested-by: James Clark <james.clark@linaro.org> Tested-by: Jie Gan <jie.gan@oss.qualcomm.com> Signed-off-by: Leo Yan <leo.yan@arm.com> Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com> Link: https://lore.kernel.org/r/20260515-arm_coresight_path_power_management_improvement-v14-2-f88c4a3ecfe9@arm.com
Jie Gan [Fri, 15 May 2026 20:08:08 +0000 (21:08 +0100)]
coresight: Fix source not disabled on idr_alloc_u32 failure
In coresight_enable_sysfs(), for non-CPU sources (SOFTWARE, TPDM,
OTHERS), the source device is enabled via coresight_enable_source_sysfs()
before idr_alloc_u32() maps the path. If idr_alloc_u32() fails, the
original code jumped directly to err_source, which only calls
coresight_disable_path() and coresight_release_path(). The source device
was left enabled with an incremented refcnt but no path tracked for it,
leaving the device in an inconsistent state.
Disable the source before jumping to err_source so the enable and path
operations are fully unwound.
Thorsten Blum [Mon, 4 May 2026 08:18:05 +0000 (10:18 +0200)]
dio: Replace deprecated strcpy with strscpy in dio_init
strcpy() has been deprecated [1] because it performs no bounds checking
on the destination buffer, which can lead to buffer overflows. While the
current code works correctly, replace strcpy() with the safer strscpy()
to follow secure coding best practices.
Johan Hovold [Fri, 24 Apr 2026 10:40:11 +0000 (12:40 +0200)]
nubus: Switch to dynamic root device
Driver core expects devices to be dynamically allocated and will, for
example, complain loudly if a device that lacks a release function is
ever freed.
Use root_device_register() to allocate and register the root device
instead of open coding using a static device.
Signed-off-by: Johan Hovold <johan@kernel.org> Acked-by: Finn Thain <fthain@linux-m68k.org> Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org> Link: https://patch.msgid.link/20260424104011.2616970-1-johan@kernel.org Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Prathamesh Shete [Thu, 14 May 2026 12:48:34 +0000 (12:48 +0000)]
dt-bindings: gpio: Add Tegra238 support
Extend the existing Tegra186 GPIO controller device tree bindings with
support for the GPIO controllers found on Tegra238. Tegra238 has two
GPIO controllers: the main controller and always-on (AON) controller.
The number of pins is slightly different, but the programming model
remains the same.
Add a new header, include/dt-bindings/gpio/nvidia,tegra238-gpio.h,
that defines port IDs as well as the TEGRA238_MAIN_GPIO() helper,
both of which are used in conjunction to create a unique specifier
for each pin.
Regions with a BO are checked against the BO size, but the SRAM
region is not. The SRAM region doesn't have a BO, but the command stream
region size should be checked against the SRAM size. The job's
"sram_size" isn't useful here because an evil userspace could lie about
the size.
Introduce device-managed helpers for clocksource registration.
The clocksource framework currently provides __clocksource_register_scale()
along with convenience wrappers for Hz and kHz registration. However,
drivers must handle error paths and cleanup manually, typically by pairing
registration with an explicit clocksource_unregister() call.
Add a devm-based variant, __devm_clocksource_register_scale(), along with
devm_clocksource_register_hz() and devm_clocksource_register_khz() helpers.
These helpers register the clocksource and attach a devres action to
automatically unregister it on driver detach or probe failure.
This simplifies driver code by:
* removing explicit cleanup paths
* ensuring correct teardown ordering
* aligning with the devm-based resource management model widely used
across the kernel
While drivers can open-code devm_add_action_or_reset(), providing a
dedicated helper avoids duplication, reduces boilerplate, and ensures
consistent usage across drivers, following patterns used in other
subsystems.
This is also particularly useful for drivers built as modules, where
device-managed resource handling avoids manual cleanup in remove paths and
ensures correct teardown on module unload.
This helper is self-contained and can be adopted progressively by drivers.
Crystal Wood [Tue, 12 May 2026 17:37:31 +0000 (12:37 -0500)]
rtla: Stop the record trace on interrupt
Before, when rtla got a signal, it stopped the main trace but not the
record trace. With "--on-end trace", this can lead to
save_trace_to_file() failing to keep up, especially on a debug kernel.
Plus, it adds post-stoppage noise to the trace file.
Signed-off-by: Crystal Wood <crwood@redhat.com> Fixes: c73cab9dbed0 ("rtla/timerlat_hist: Stop timerlat tracer on signal") Fixes: a4dfce7559d7 ("rtla/timerlat_top: Stop timerlat tracer on signal") Fixes: 3aadb65db5d6 ("rtla/timerlat: Add action on end feature") Link: https://lore.kernel.org/r/20260512173731.2151841-1-crwood@redhat.com Signed-off-by: Tomas Glozar <tglozar@redhat.com>
Tomas Glozar [Fri, 24 Apr 2026 14:02:44 +0000 (16:02 +0200)]
rtla/tests: Add unit tests for actions module
Add unit tests covering all functions in the actions module, including
both valid and invalid inputs and all action types, except for
actions_perform(), where only shell and continue actions are tested.
To support testing multiple modules, the unit test build was modified so
that it links the entire rtla-in.o file. For this to work, the main()
function in rtla.c was declared weak, so that the unit test main is able
to override it.
Other included minor changes to unit tests are:
- Make unit test output verbose to show which tests are being run, now
that we have more than 3 tests.
- Add unit_tests file to .gitignore.
- Split unit test sources to one file per test suite, and keep only
main() function in unit_tests.c.
- Fix Makefile dependencies so that "make unit-tests" will rebuild the
binary with the changes in the commit.
Also with the linking the entire rtla-in.o file, it now has rtla's
nr_cpus symbol, so the declaration in utils unit tests is made extern.
Tomas Glozar [Thu, 23 Apr 2026 13:05:58 +0000 (15:05 +0200)]
rtla/tests: Add runtime tests for -C/--cgroup
Add a new script check-cgroup-match.sh that retrieves the cgroup of the
main rtla process and compares it to the cgroup of the rtla workload
threads.
Add a new test based on this script, for both osnoise and timerlat
tools, testing the variant of -C without argument (which sets the cgroup
of the workload to the cgroup of the rtla main process).
Note that this has to be tested in kernel mode to be significant for
timerlat tool, as user workloads inherit the parent rtla process cgroup
even without the option.
Tomas Glozar [Thu, 23 Apr 2026 13:05:57 +0000 (15:05 +0200)]
rtla/tests: Add runtime test for -k and -u options
Add runtime test for rtla-timerlat's -k/--kernel-threads and
-u/--user-threads options using get_workload_pids.sh to check whether
the appropriate threads are being created.
The tests are implemented for both top and hist. Additionally, all tests
related to timerlat threads are moved to a separate section in the test
files. The latter is also done for rtla-osnoise tests.
Tomas Glozar [Thu, 23 Apr 2026 13:05:55 +0000 (15:05 +0200)]
rtla/tests: Cover all hist options in runtime tests
Cover all options regarding histogram formatting for both
rtla-osnoise-hist and rtla-timerlat-hist tools. All options also have
output checking using positive or negative match, except for
-b/--bucket-size and -E/--entries, which cannot be tested in isolated
due to the output depending on the actual data collected.
Old -E/--entries test for rtla-osnoise was replaced with a new one
equivalent to the timerlat one.
Tomas Glozar [Thu, 23 Apr 2026 13:05:54 +0000 (15:05 +0200)]
rtla/tests: Extend timerlat top --aa-only coverage
rtla-timerlat-top's --aa-only option is currently only tested for return
value.
Extend the tests to also check that only auto-analysis is being done via
a negative match for the "Timer Latency" text in the top header, and
further split the test case into two:
- one test case for --aa-only stopping on threshold
- one test case for --aa-only exiting without threshold being hit
For both cases, the expected output ("analyzing it" or "Max latency was"
respectively) is checked against in addition to the negative match.
Tomas Glozar [Thu, 23 Apr 2026 13:05:52 +0000 (15:05 +0200)]
rtla/tests: Check -c/--cpus thread affinity
RTLA runtime tests verify the -c/--cpus options, but do not check
whether the correct affinity is actually applied.
Add a script named check-cpus.sh that retrieves the affinity of all
workload threads and use it to check the -c/--cpus option for both
osnoise and timerlat tools.
Tomas Glozar [Thu, 23 Apr 2026 13:05:51 +0000 (15:05 +0200)]
rtla/tests: Add get_workload_pids() helper
RTLA runtime tests that check workload processes (currently the test
case "verify -P/--priority" of timerlat.t and "verify the --priority/-P
param" of osnoise.t) use "pgrep timerlatu/" or "pgrep osnoise/"
respectively to identify the workload.
Make them more robust by adding a get_workload_pids() helper that
finds the main rtla process and returns the PIDs of all siblings other
than the test script itself, plus all child processes of kthreadd that
have the osnoise/timerlat kthread pattern comm.
This filters out any spurious processes not related to the running test
that happen to have "timerlatu/" or "osnoise/" in their command, for
example, a user grepping the same names at the time of the running of
the test.
Tomas Glozar [Thu, 23 Apr 2026 13:05:50 +0000 (15:05 +0200)]
rtla/tests: Cover both top and hist tools where possible
RTLA runtime tests currently do not cover both tool variants for osnoise
and timerlat properly. Many tests applicable to both tools are only
tested for one tool, selected randomly.
Introduce two new shell functions, check_top_hist() and
check_top_q_hist(). The functions use the same syntax as check() and run
check() on the arguments twice: once replacing the "TOOL" string in the
command with "top" (or "top -q"), once replacing it with "hist". The top
-q variant is used for tests relying on messages printed after aborting
the RTLA main loop with a starting new line, which only happens for top
tools in quiet mode; without -q, the top output is printed on the same
line and the matches would fail.
Tests that are applicable to both top and hist tools were modified to
the run for both; additionally, tests that were already done for both
tools were migrated to the new shell functions, unless the test command
or matches differ between the tools. Additional tests were added to test
tool-specific help messages.
RDMA/cma: Constify struct configfs_item_operations and configfs_group_operations
'struct configfs_item_operations' and 'configfs_group_operations' are not
modified in this driver.
Constifying these structures moves some data to a read-only section, so
increases overall security, especially when the structure holds some
function pointers.
On a x86_64, with allmodconfig:
Before:
======
text data bss dec hex filename
6677 2776 64 9517 252d drivers/infiniband/core/cma_configfs.o
After:
=====
text data bss dec hex filename
6901 2552 64 9517 252d drivers/infiniband/core/cma_configfs.o
Jason Gunthorpe [Tue, 12 May 2026 00:09:39 +0000 (21:09 -0300)]
RDMA: Replace memset with = {} pattern for ib_respond_udata()
Most drivers do this already, but some open-code a memset. Switch
all instances found. qedr_copy_qp_uresp() is already called with
zeroed memory so that memset is redundant.
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com> Signed-off-by: Leon Romanovsky <leon@kernel.org>
Jason Gunthorpe [Tue, 12 May 2026 00:09:37 +0000 (21:09 -0300)]
RDMA: Use proper driver data response structs instead of open coding
At some point the response structs were added and rdma-core is using
them, but the kernel was not changed to use them as well. Replace
the open-coded copy with the right struct and ib_respond_udata().
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com> Signed-off-by: Leon Romanovsky <leon@kernel.org>
Jason Gunthorpe [Tue, 12 May 2026 00:09:36 +0000 (21:09 -0300)]
RDMA/mlx: Replace response_len with ib_respond_udata()
The Mellanox drivers have a pattern where they compute the response
length they think they need based on what the user asked for, then
blindly write that ignoring the provided size limit on the response
structure.
Drop this and just use ib_respond_udata() which caps the response
struct to the user's memory, which is fine for what mlx5 is doing.
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com> Signed-off-by: Leon Romanovsky <leon@kernel.org>
Jason Gunthorpe [Tue, 12 May 2026 00:09:34 +0000 (21:09 -0300)]
RDMA/cxgb4: Convert to ib_respond_udata()
These cases carefully work around 32-bit unpadded structures, but
the min integrated into ib_respond_udata() handles this
automatically. Zero-initialize data that would not have been copied.
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com> Signed-off-by: Leon Romanovsky <leon@kernel.org>
Rohit Chavan [Tue, 5 May 2026 08:57:08 +0000 (14:27 +0530)]
RDMA/bng_re: Remove unused variable rc
The variable 'rc' is initialized to 0 and returned at the end of
bng_re_process_qp_event(), but it is never modified in between.
Simplify the function by removing the redundant variable and returning 0
directly. This cleans up the code and avoids potential compiler warnings
about unused variables.
Chengchang Tang [Thu, 7 May 2026 01:21:48 +0000 (09:21 +0800)]
RDMA/hns: Support congestion control algorithm parameter configuration
hns RoCE supports 4 congestion control algorithms. Each algorihm
involves multiple parameters. Support configuring these parameters
by debugfs.
Here are some examples of this feature:
* The directory structure:
$ ls /sys/kernel/debug/hns_roce/0000\:35\:00.0/
dcqcn_cc_param dip_cc_param hc3_cc_param ldcp_cc_param
$ ls /sys/kernel/debug/hns_roce/0000\:35\:00.0/dcqcn_cc_param/
ai al alp ashift cnp_time f g lifespan max_speed tkp tmp
* Read the value of a param:
$ cat /sys/kernel/debug/hns_roce/0000\:35\:00.0/dcqcn_cc_param/ai
1
* Set a new value for a param:
$ echo 2 > /sys/kernel/debug/hns_roce/0000\:35\:00.0/dcqcn_cc_param/ai
Junxian Huang [Thu, 7 May 2026 01:21:46 +0000 (09:21 +0800)]
RDMA/hns: Initialize seqfile before creating file
The debugfs file was created before seq->read and seq->data were set,
leaving a small window where userspace could access an uninitialized
seqfile.
Move debugfs_create_file() after the assignments to avoid this issue.
Also, inline the original init_debugfs_seqfile() since it is not a
really necessary helper.
Rohit Chavan [Tue, 5 May 2026 10:05:49 +0000 (15:35 +0530)]
RDMA/mlx5: Use max() macro for bfreg calculation
Simplify the calculation of medium blue flame registers by using the
max() macro instead of open-coded ternary logic. This improves
readability and aligns with the subsystem's preference for using
standard kernel helpers.
Sara Venkatesh [Mon, 4 May 2026 08:00:36 +0000 (01:00 -0700)]
RDMA/srpt: fix integer overflow in immediate data length check
imm_buf->len is a user-controlled uint32_t received from the network.
Adding it to imm_data_offset without overflow checking allows a
malicious initiator to send len=0xFFFFFFFF, causing req_size to wrap
around to a small value, bypassing the bounds check, and subsequently
passing a ~4GB length to sg_init_one().
Use check_add_overflow() to detect wrapping before the comparison.
Fixes: 5dabcd0456d7 ("RDMA/srpt: Add support for immediate data") Reported-by: Carlos Bilbao (Lambda) <carlos.bilbao@kernel.org> Signed-off-by: Sara Venkatesh <sarajvenkatesh@gmail.com> Link: https://patch.msgid.link/20260504080036.3482415-1-sarajvenkatesh@gmail.com Reviewed-by: Carlos Bilbao (Lambda) <carlos.bilbao@kernel.org> Reviewed-by: Bart Van Assche <bvanassche@acm.org> Signed-off-by: Leon Romanovsky <leon@kernel.org>
Rohit Chavan [Tue, 5 May 2026 07:53:07 +0000 (13:23 +0530)]
RDMA/mlx4: Use secs_to_jiffies() instead of open-coding
The conversion from seconds to jiffies is currently performed by
multiplying the value by 1000 and passing it to msecs_to_jiffies().
Use the more direct secs_to_jiffies() helper instead. This simplifies the
code, improves readability, and avoids the manual multiplication step
by using the dedicated kernel API.
Li RongQing [Sun, 3 May 2026 02:33:49 +0000 (22:33 -0400)]
IB/mlx5: Reduce spinlock contention by moving free operations outside
The functions kfree() and kvfree() can occasionally trigger a long
chain of calls or face contention in the slab allocator. Executing
these inside a spinlock increases the risk of CPU stalls and increases
lock contention under heavy event load.
Move the memory freeing logic out of the critical sections in devx.c
by using temporary lists and local flags. This narrows the lock's
scope to only protect the list integrity and state transitions.
MLX5_IB_METHOD_DEVX_SUBSCRIBE_EVENT() links event_sub into sub_list
before initializing the fields used by the shared error path.
If eventfd_ctx_fdget() then fails, the unwind path dereferences
event_sub->ev_file in uverbs_uobject_put() and calls
subscribe_event_xa_dealloc() with an unset xa_key_level1.
subscribe_event_xa_alloc() creates the XA entry exactly once for a given
key_level1, on the first occurrence of that key. The unwind path must
therefore call subscribe_event_xa_dealloc() exactly once for it as well.
Enforce that by adding devx_key_in_sub_list() and calling
subscribe_event_xa_dealloc() only when the last matching pending entry is
being cleaned up.
Fixes: 759738537142 ("IB/mlx5: Enable subscription for device events over DEVX") Signed-off-by: Prathamesh Deshpande <prathameshdeshpande7@gmail.com> Link: https://patch.msgid.link/20260428224319.37682-1-prathameshdeshpande7@gmail.com Reviewed-by: Yishai Hadas <yishaih@nvidia.com> Signed-off-by: Leon Romanovsky <leon@kernel.org>
RDMA/mlx5: Fix UMR XLT cleanup on ODP populate failure
mlx5r_umr_update_xlt() allocates and DMA maps an XLT buffer with
mlx5r_umr_create_xlt(). The buffer is released by the common cleanup path
through mlx5r_umr_unmap_free_xlt().
After mlx5_odp_populate_xlt() became fallible, its error path returned
directly and skipped that cleanup. This leaks the XLT DMA mapping and
buffer. If the emergency XLT page was used, it also leaves
xlt_emergency_page_mutex locked.
Break out of the loop so execution falls through the existing cleanup path.
RDMA/efa: Add checksum support for admin responses
EFA devices added support for CRC16 checksum on admin responses and to
expose it to the driver the API version increased to 0.2. Add a check
for support on device init and if supported validate the checksum on
each admin response the driver receives. If the checksum validation
failed, drop the CQE.
Add the CRC16 module to Kconfig to have the in-tree dependency.
Create a virtual TUN net device with RXE support, then run rping
server and client to invoke networking packets, finally compare both
*port_xmit_data* and *port_rcv_data* of such device.
zhenwei pi [Tue, 14 Apr 2026 06:29:47 +0000 (14:29 +0800)]
RDMA/rxe: support perf mgmt GET method
In RXE, hardware counters are already supported, but not in a
standardized manner. For instance, user-space monitoring tools like
atop only read from the *counters* directory. Therefore, it is
necessary to add perf management support to RXE.
Also use rxe_counter_get instead of raw atomic64_read in hw-counters.
zhenwei pi [Tue, 14 Apr 2026 06:29:45 +0000 (14:29 +0800)]
RDMA/rxe: remove rxe_ib_device_get_netdev() and RXE_PORT
Suggested by Leon, remove the rxe_ib_device_get_netdev() wrapper and
the RXE_PORT definition. These additions do not improve readability,
and RXE has always had only a single port.
RDMA/hns: Fix arithmetic overflow in calc_hem_config()
If bt_num is 3 or 2, then the expressions like
l0_idx * chunk_ba_num + l1_idx are computed in 32-bit
arithmetic before being assigned to a u64 index field,
which can lead to overflow.
Cast the first operand to u64 to ensure the arithmetic
is performed in 64-bit.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
RDMA/mlx5: Use QP port when decoding responder CQEs
The responder CQE path determines the link layer via
rdma_port_get_link_layer(). Use qp->port instead of
hardcoding port 1, which can mis-decode completions on
multi-port devices.
IB/mlx5: Fix transport-domain rollback and initialize lb mutex earlier
mlx5_ib_alloc_transport_domain() allocates a transport domain and then
may fail in mlx5_ib_enable_lb(). In that case, the allocated TD is leaked.
Fix this by deallocating the TD when mlx5_ib_enable_lb() returns an
error. Also return 0 explicitly in the no-loopback-capability success
branch, and move dev->lb.mutex initialization to mlx5_ib_stage_init_init().
Fixes: 146d2f1af324 ("IB/mlx5: Allocate a Transport Domain for each ucontext") Signed-off-by: Prathamesh Deshpande <prathameshdeshpande7@gmail.com> Signed-off-by: Leon Romanovsky <leon@kernel.org>
Helen Koike [Mon, 11 May 2026 21:53:05 +0000 (18:53 -0300)]
debugobjects: Do not fill_pool() if pi_blocked_on
On RT enabled kernels, fill_pool() ends up calling rtlock_lock(), which
asserts if current::pi_blocked_on is set, because a task can obviously only
block on one lock as otherwise the priority inheritenace chain gets
corrupted.
Prevent this by expanding the conditional to take current::pi_blocked_on
into account.
Fixes: 4bedcc28469a ("debugobjects: Make them PREEMPT_RT aware") Reported-by: syzbot+b8ca586b9fc235f0c0df@syzkaller.appspotmail.com Signed-off-by: Helen Koike <koike@igalia.com> Signed-off-by: Thomas Gleixner <tglx@kernel.org> Link: https://patch.msgid.link/20260511215359.3351259-1-koike@igalia.com Closes: https://syzkaller.appspot.com/bug?extid=b8ca586b9fc235f0c0df
udf: validate free block extents against the partition length
udf_free_blocks() checks the logical block number and count against the
partition length, but drops the extent offset from that final bound. A
crafted extent can pass the guard while logicalBlockNum + offset + count
points past the partition, which later indexes past the space bitmap
array.
A single ftruncate(2) on a file backed by such an extent reliably
panics the kernel. This is a local availability issue. On desktop
systems where UDisks/polkit allows the active user to mount removable
UDF media without CAP_SYS_ADMIN, an unprivileged local user can supply
the crafted filesystem and trigger the panic by truncating a writable
file on it. Systems that require root or CAP_SYS_ADMIN to mount the
image have a higher prerequisite.
No confidentiality or integrity impact is claimed: the reproduced
primitive is an out-of-bounds read of a bitmap pointer slot followed by
a kernel panic.
Use the already computed logicalBlockNum + offset + count value for the
partition length check. Also make load_block_bitmap() reject an
out-of-range block group before indexing s_block_bitmap[], so corrupted
callers cannot walk past the flexible array.
Fixes: 56e69e59751d ("udf: prevent integer overflow in udf_bitmap_free_blocks()") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com> Link: https://patch.msgid.link/20260515142327.1120767-1-michael.bommarito@gmail.com Signed-off-by: Jan Kara <jack@suse.cz>
gpio: Initialize i2c_device_id arrays using member names
While being less compact, using named initializers allows to more easily
see which members of the structs are assigned which value without having
to lookup the declaration of the struct. And it's also more robust
against changes to the struct definition.
The mentioned robustness is relevant for a planned change to struct
i2c_device_id that replaces .driver_data by an anonymous union.
This patch doesn't modify the compiled arrays, only their representation
in source form benefits. The former was confirmed with x86 and arm64
builds.
Chen Ni [Tue, 28 Apr 2026 07:53:29 +0000 (15:53 +0800)]
pwm: atmel-tcb: Remove unneeded semicolon
Remove unnecessary semicolons reported by Coccinelle/coccicheck and the
semantic patch at scripts/coccinelle/misc/semicolon.cocci.
This was introduced in commit 68637b68afcc ("pwm: atmel-tcb:
Cache clock rates and mark chip as atomic") in Uwe's adaption of
Sangyun's original patch.
Jianpeng Chang [Wed, 13 May 2026 07:22:09 +0000 (15:22 +0800)]
dma-mapping: move dma_map_resource() sanity check into debug code
dma_map_resource() uses pfn_valid() to ensure the range is not RAM.
However, pfn_valid() only checks for availability of the memory map for
a PFN but it does not ensure that the PFN is actually backed by RAM. On
ARM64 with SPARSEMEM (128MB section granularity), MMIO addresses that
share a section with RAM will falsely trigger the WARN_ON_ONCE and cause
dma_map_resource() to return DMA_MAPPING_ERROR.
This causes a WARNING on Raspberry Pi 4 during spi_bcm2835 probe because
the SPI FIFO register (0xfe204004) falls in the same sparsemem section
as the end of RAM (0xf8000000-0xfbffffff), both in section 31
(0xf8000000-0xffffffff).
Move the sanity check from dma_map_resource() into debug_dma_map_phys()
and replace the unreliable pfn_valid() with pfn_valid() &&
!PageReserved(), which correctly identifies actual usable RAM without
false positives for MMIO regions that happen to have struct pages.
Since dma_map_resource() is dma_map_phys(DMA_ATTR_MMIO), the check
applies equally to both APIs. Any non-reserved page represents kernel
memory to a sufficient degree that using DMA_ATTR_MMIO on it is almost
certainly wrong and risks breaking coherency on non-coherent platforms.
ZONE_DEVICE pages used for PCI P2P DMA (MEMORY_DEVICE_PCI_P2PDMA) have
PageReserved set, so they will not trigger a false positive.
The check no longer blocks the mapping and uses err_printk() to
integrate with dma-debug filtering.
Fixes: f7326196a781 ("dma-mapping: export new dma_*map_phys() interface") Reviewed-by: Robin Murphy <robin.murphy@arm.com> Signed-off-by: Jianpeng Chang <jianpeng.chang.cn@windriver.com> Reviewed-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Link: https://lore.kernel.org/r/20260513072209.1486986-1-jianpeng.chang.cn@windriver.com
Stepan Ionichev [Sun, 17 May 2026 16:15:30 +0000 (21:15 +0500)]
pinctrl: intel: move PWM base computation past feature check
Compute base inside intel_pinctrl_probe_pwm() only after the
PINCTRL_FEATURE_PWM and CONFIG_PWM_LPSS checks have passed. Tidy
up; no functional change.
Suggested-by: Andy Shevchenko <andy@kernel.org> Link: https://lore.kernel.org/linux-gpio/aglu5jy5SbW9Wjwj@ashevche-desk.local/ Signed-off-by: Stepan Ionichev <sozdayvek@gmail.com> Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com> Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
soc: aspeed: Move MODULE_DEVICE_TABLE next to the table itself
By convention MODULE_DEVICE_TABLE() immediately follows the ID table it
exports, because this is easier to read and verify. It also makes more
sense since #ifdef for ACPI or OF could hide both of them.
Most of the privers already have this correctly placed, so adjust
the missing ones. No functional impact.
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Ender Hsieh [Tue, 5 May 2026 05:05:41 +0000 (14:05 +0900)]
ARM: dts: aspeed: msx4: enable BMC networking via MAC0
Add &mac0, &mdio3, and the ethphy3 PHY node to enable BMC networking
on the AST2600-based NVIDIA MSX4 board. The PHY is attached to MDIO3
at address 2 and uses RGMII with PHY-internal delays.
These nodes were intentionally omitted in commit f28674fab34f ("ARM:
dts: aspeed: Add NVIDIA MSX4 HPM") at Andrew Lunn's request, pending
clarification of the RGMII delay handling. Following his guidance on
linux-aspeed, the bootloader has been modified to stop enabling MAC
clock delays on the SoC side, so phy-mode = "rgmii-id" correctly
results in the PHY adding the required ~2ns delay without any
double-delay from the MAC controller.
The corresponding U-Boot change has been submitted to openbmc/u-boot.
Jouni Högander [Fri, 15 May 2026 09:57:56 +0000 (12:57 +0300)]
drm/i915/psr: Apply SDP on prior scanline workaround for Xe3p
In Xe3p there is an HW optimization done. When there is an SU triggered in
Capture state, Link will be kept ON post Capture CRC SDP. Before valid SU
pixels Intel source will transmit dummy pixels. Some TCONS are improperly
considering these dummy pixels as a valid pixel data. Prior Xe3p link was
was turned off even if there was SU triggered in capture state and no dummy
pixels were transmitted. These dummy pixels are problem only if SDP on
prior scanline is used and Early Transport is not in use. The workaround is
to start SU area always at scanline 0.
Jouni Högander [Fri, 15 May 2026 09:57:55 +0000 (12:57 +0300)]
drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used
There is Intel specific workaround DPCD address containing workaround for
case where SDP is on prior line. Apply this workaround according to values
in the offset.
Jouni Högander [Fri, 15 May 2026 09:57:54 +0000 (12:57 +0300)]
drm/i915/psr: Read Intel DPCD workaround register
Read Intel DPCD workaround register and store it into
intel_connector->dp.psr_caps. psr_caps was chosen as currently it contains
only PSR workaround for PSR2 SDP on prior scanline implementation.
Jouni Högander [Fri, 15 May 2026 09:57:53 +0000 (12:57 +0300)]
drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register
EDP specification says:
"If either VSC SDP is unable to be transmitted 100 ns before the SU region,
the Source device may optionally transmit the VSC SDP during the prior
video scan line’s HBlank period There is a Intel specific drm dp register
currently containing bits related how TCON can support PSR2 with SDP on
prior line."
Unfortunately many panels are having problems in implementing this. So
there is a custom Intel specific DPCD register (INTEL_WA_REGISTER_CAPS) to
figure out if this is properly implemented on a panel or if panel doesn't
require that 100 ns delay before the SU region. Here are the definitions in
this custom DPCD address:
0 = Panel doesn't support SDP on prior line
1 = Panel supports SDP on prior line
2 = Panel doesn't have 100ns requirement
3 = Reserved
Add definitions for this new register and it's values into new header
intel_dpcd.h.
Add JTAG_CPLD_TRST_R_N to the sgpiom0 pin name table on Facebook Anacapa
BMC. This exposes the CPLD JTAG TRST signal through SGPIO, allowing
proper JTAG reset control during debug.
Minxi Hou [Mon, 18 May 2026 03:15:42 +0000 (11:15 +0800)]
ALSA: hda/realtek: Add quirk for HP Z66 G6 14 laptop
The HP Z66 G6 14 inch laptop uses the ALC236 codec with subsystem ID
0x103c:8df7. Without a quirk entry, the PCI SSID falls back to the
generic 0x103c:0000 fixup, which does not configure the mute/micmute
LED GPIOs correctly.
Add the SND_PCI_QUIRK entry for this model using
ALC236_FIXUP_HP_GPIO_LED, matching the surrounding HP EliteBook G12
entries (0x8dec-0x8dfe) which share the same ALC236 codec and GPIO LED
layout.
Jiakai Xu [Thu, 14 May 2026 08:17:51 +0000 (08:17 +0000)]
RISC-V: KVM: Fix sign extension for MMIO loads
The kvm_riscv_vcpu_mmio_return() function handles MMIO read results
by writing the data back to the guest register. For signed load
instructions (LB, LH, LW on RV64), the value needs sign-extension
from a smaller integer to unsigned long.
The current code uses:
(ulong)data << shift >> shift
but (ulong) makes the right shift a logical shift (zero-extend)
rather than an arithmetic shift (sign-extend), causing incorrect
results when the MMIO device returns a negative value. For example,
LB reading 0x80 would return 128 instead of -128.
Fix this by casting to (long) after the left shift so that the
subsequent right shift is arithmetic and correctly propagates
the sign bit:
(long)((ulong)data << shift) >> shift
Additionally, remove the unnecessary shift assignment for LBU
(unsigned byte load) since it does not need sign extension.
This makes LBU consistent with LHU and LWU which already keep
shift = 0.
The SBI v0.1 SEND_IPI handler iterates over the hart mask and calls
kvm_get_vcpu_by_id() to find the target vcpu for each set bit. When a
guest provides a hart mask containing bits for non-existent vcpu_ids,
kvm_get_vcpu_by_id() returns NULL, which is then unconditionally
dereferenced by kvm_riscv_vcpu_set_interrupt(), causing a kernel crash.
Fix this by adding a NULL check before dereferencing the return value.
If the target vcpu is not found, skip it and continue processing the
remaining valid harts.
Fixes: a046c2d8578c ("RISC-V: KVM: Reorganize SBI code by moving SBI v0.1 to its own file") Signed-off-by: Jiakai Xu <jiakaiPeanut@gmail.com> Signed-off-by: Jiakai Xu <xujiakai2025@iscas.ac.cn> Assisted-by: OpenClaw:DeepSeek-V3.2 Reviewed-by: Anup Patel <anup@brainfault.org> Link: https://lore.kernel.org/r/20260517124414.420919-1-xujiakai2025@iscas.ac.cn Signed-off-by: Anup Patel <anup@brainfault.org>
Osama Abdelkader [Thu, 14 May 2026 17:36:41 +0000 (19:36 +0200)]
riscv: kvm: return SBI_ERR_FAILURE for pmu_event_info() when OOM
kvm_riscv_vcpu_pmu_event_info() returned -ENOMEM from the
SBI extension handler, which caused kvm_riscv_vcpu_sbi_ecall()
to abort KVM_RUN and surface the error to userspace instead of
completing the ECALL with a negative SBI error in a0.
Use SBI_ERR_FAILURE and the normal retdata path, matching other PMU
handlers and kvm_sbi_ext_pmu_handler comment.
Osama Abdelkader [Thu, 14 May 2026 17:36:40 +0000 (19:36 +0200)]
riscv: kvm: return SBI_ERR_FAILURE for pmu_snapshot_set_shmem() when OOM
kvm_riscv_vcpu_pmu_snapshot_set_shmem() returned -ENOMEM from the
SBI extension handler, which caused kvm_riscv_vcpu_sbi_ecall() to
abort KVM_RUN and surface the error to userspace instead of
ompleting the ECALL with a negative SBI error in a0.
Use SBI_ERR_FAILURE and the normal retdata path, matching other PMU
handlers and kvm_sbi_ext_pmu_handler comment.
RISC-V: KVM: Fix invalid HVA warning in steal-time recording
kvm_riscv_vcpu_record_steal_time() assumes that the steal-time shared
memory GPA (vcpu->arch.sta.shmem) is always backed by a valid guest
memory slot. However, this assumption is not guaranteed by the KVM
userspace ABI.
A malicious or buggy userspace can set the STA shared memory GPA via
KVM_SET_ONE_REG without establishing a corresponding memory region via
KVM_SET_USER_MEMORY_REGION. In such cases, the GPA cannot be translated
to a valid HVA and kvm_vcpu_gfn_to_hva() returns an error address.
The current implementation incorrectly treats this as a kernel warning
using WARN_ON(), which may escalate to a kernel panic when panic_on_warn
is enabled.
This is not a kernel bug condition but a normal invalid configuration
from userspace, and should be handled gracefully.
Fix it by removing WARN_ON() and treating invalid HVA as a normal
failure case, resetting the STA shared memory state.
Fixes: e9f12b5fff8ad0 ("RISC-V: KVM: Implement SBI STA extension") Signed-off-by: Jiakai Xu <xujiakai2025@iscas.ac.cn> Signed-off-by: Jiakai Xu <jiakaiPeanut@gmail.com> Assisted-by: OpenClaw:DeepSeek-V3.2 Reviewed-by: Nutty Liu <nutty.liu@hotmail.com> Reviewed-by: Andrew Jones <andrew.jones@oss.qualcomm.com> Link: https://lore.kernel.org/r/20260415075216.2757427-1-xujiakai2025@iscas.ac.cn Signed-off-by: Anup Patel <anup@brainfault.org>
projects / thirdparty / kernel / linux.git / log
