cgroup, sched_ext: Include exiting tasks in cgroup iter
a72f73c4dd9b ("cgroup: Don't expose dead tasks in cgroup") made
css_task_iter_advance() skip exiting tasks so cgroup.procs stays consistent
with waitpid() visibility. Unfortunately, this broke scx_task_iter.
scx_task_iter walks either scx_tasks (global) or a cgroup subtree via
css_task_iter() and the two modes are expected to cover the same set of
tasks. After the above change the cgroup-scoped mode silently skips tasks
past exit_signals() that are still on scx_tasks.
scx_sub_enable_workfn()'s abort path is one of the symptoms: an exiting
SCX_TASK_SUB_INIT task can race past the cgroup iter leaking
__scx_init_task() state. Other iterations share the same gap.
Add CSS_TASK_ITER_WITH_DEAD to opt out of the skip and use it from
scx_task_iter().
Tejun Heo [Fri, 1 May 2026 18:31:22 +0000 (08:31 -1000)]
cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated
A chain of commits going back to v7.0 reworked rmdir to satisfy the
controller invariant that a subsystem's ->css_offline() must not run while
tasks are still doing kernel-side work in the cgroup.
[1] d245698d727a ("cgroup: Defer task cgroup unlink until after the task is done switching out")
[2] a72f73c4dd9b ("cgroup: Don't expose dead tasks in cgroup")
[3] 1b164b876c36 ("cgroup: Wait for dying tasks to leave on rmdir")
[4] 4c56a8ac6869 ("cgroup: Fix cgroup_drain_dying() testing the wrong condition")
[5] 13e786b64bd3 ("cgroup: Increment nr_dying_subsys_* from rmdir context")
[1] moved task cset unlink from do_exit() to finish_task_switch() so a
task's cset link drops only after the task has fully stopped scheduling.
That made tasks past exit_signals() linger on cset->tasks until their final
context switch, which led to a series of problems as what userspace expected
to see after rmdir diverged from what the kernel needs to wait for. [2]-[5]
tried to bridge that divergence: [2] filtered the exiting tasks from
cgroup.procs; [3] had rmdir(2) sleep in TASK_UNINTERRUPTIBLE for them; [4]
fixed the wait's condition; [5] made nr_dying_subsys_* visible
synchronously.
The cgroup_drain_dying() wait in [3] turned out to be a dead end. When the
rmdir caller is also the reaper of a zombie that pins a pidns teardown (e.g.
host PID 1 systemd reaping orphan pids that were re-parented to it during
the same teardown), rmdir blocks in TASK_UNINTERRUPTIBLE waiting for those
pids to free, the pids can't free because PID 1 is the reaper and it's stuck
in rmdir, and the system A-A deadlocks. No internal lock ordering breaks
this; the wait itself is the bug.
The css killing side that drove the original reorder, however, can be made
cleanly asynchronous: ->css_offline() is already async, run from
css_killed_work_fn() driven by percpu_ref_kill_and_confirm(). The fix is to
make that chain start only after all tasks have left the cgroup. rmdir's
user-visible side then returns as soon as cgroup.procs and friends are
empty, while ->css_offline() still runs only after the cgroup is fully
drained.
Verified by the original reproducer (pidns teardown + zombie reaper, runs
under vng) which hangs vanilla and succeeds here, and by per-commit
deterministic repros for [2], [3], [4], [5] with a boot parameter that
widens the post-exit_signals() window so each state is reliably reachable.
Some stress tests on top of that.
cgroup_apply_control_disable() has the same shape of pre-existing race:
when a controller is disabled via subtree_control, kill_css() ran
synchronously while tasks past exit_signals() could still be linked to
the cgroup's csets, and ->css_offline() could fire before they drained.
This patch preserves the existing synchronous behavior at that call site
(kill_css_sync() + kill_css_finish() back-to-back) and a follow-up patch
will defer kill_css_finish() there using a per-css trigger.
This seems like the right approach and I don't see problems with it. The
changes are somewhat invasive but not excessively so, so backporting to
-stable should be okay. If something does turn out to be wrong, the fallback
is to revert the entire chain ([1]-[5]) and rework in the development branch
instead.
v2: Pin cgrp across the deferred destroy work with explicit
cgroup_get()/cgroup_put() around queue_work() and the work_fn. v1
wasn't actually broken (ordered cgroup_offline_wq + queue_work order
in cgroup_task_dead() saved it) but the explicit ref removes the
dependency on those non-obvious invariants. Also note the
pre-existing cgroup_apply_control_disable() race in the description;
a follow-up will defer kill_css_finish() there.
Introduce driver for the External Memory Controller (EMC) found in
Tegra114 SoC. It controls the external DRAM on the board. The purpose of
this driver is to program memory timing for external memory on the EMC
clock rate change.
Include Tegra114 support into existing Tegra124 EMC schema with the most
notable difference being the amount of EMC timings and a few SoC unique
entries.
David Gow [Sat, 25 Apr 2026 03:41:53 +0000 (11:41 +0800)]
kunit: config: Enable KUNIT_DEBUGFS by default
The KUNIT_DEBUGFS option is currently enabled based on the value of
KUNIT_ALL_TESTS, but it really doesn't have anything to do with the set of
enabled tests, so just enable it by default anyway. In particular, this
shouldn't be only visible if KUNIT_ALL_TESTS is set, which is quite
confusing.
Add Memory Controller driver support for Tegra238 SOC, including:
- MC client definitions with Tegra238-specific stream IDs
- Reuse of Tegra234 ICC operations for bandwidth management via BPMP-FW
- Device tree compatible string "nvidia,tegra238-mc"
Export tegra234_mc_icc_ops so it can be shared with the Tegra238 MC
driver, as both SoCs use the same ICC aggregation and bandwidth
management logic.
memory: tegra: Restore MC interrupt masks on resume
The MC interrupt mask registers lose their state across Tegra low power
suspend state (aka. SC7). Without re-applying them on resume, MC
interrupts that were enabled at probe remain masked after wake, so any
post-resume MC error goes unreported.
Factor the existing intmask programming out of tegra_mc_probe() into
tegra_mc_setup_intmask() and reuse it from the system resume callback
so the mask state is restored on wake.
The tegra-mc platform driver does not register any dev_pm_ops, so the
SoC-specific ->resume() is never invoked (e.g. tegra186_mc_resume) on
system wake. On Tegra186 and later this means MC client Stream-ID
override registers are not reprogrammed, and clients behind the ARM
SMMU fault on the first DMA after resume.
Register a dev_pm_ops on the tegra-mc driver and route the system
resume callback into mc->soc->ops->resume() so the existing SID
restore path runs again on wake.
No suspend callback is needed as the resume path reprograms all MC
state from the static SoC tables, so there is nothing to save.
Fixes: fe3b082a6eb8 ("memory: tegra: Add SID override programming for MC clients") Signed-off-by: Ashish Mhetre <amhetre@nvidia.com> Reviewed-by: Jon Hunter <jonathanh@nvidia.com> Link: https://patch.msgid.link/20260430095202.1167651-3-amhetre@nvidia.com Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
memory: tegra: Make ->resume() callback return void
tegra186_mc_resume() is the only implementation of the SoC ->resume()
op in struct tegra_mc_ops, and it can never fail as the SID override
loop has no error path. The int return value is therefore not used.
Change the prototype to return void so callers do not need to deal
with a value that is always 0. If a future SoC needs to report
failure from resume, an int return type can be reintroduced then.
As is, the EMC drivers for each 32-bit platform contain almost
identical duplicated code for aggregating rate requests. Move this
code out to a shared tegra-emc-common file to reduce duplication,
and add kerneldoc comments.
Alexander Dahl [Wed, 29 Apr 2026 12:59:30 +0000 (14:59 +0200)]
memory: atmel-ebi: Allow deferred probing
After removing of_platform_default_populate() calls the atmel-ebi driver
was affected by deferred probing. platform_driver_probe() is
incompatible with deferred probing. This led to atmel-ebi driver
eventually not being probed on at91 sam9x60-curiosity and other sam9x60
based boards. Subsequently the nand-controller driver (nand-controller
being a child node of ebi) on that platform was not probed and thus raw
NAND flash was inaccessible, preventing devices to boot with rootfs on
raw NAND flash (e.g. with UBI/UBIFS).
The crag6410 board is one of the last users of the gpio-led driver
with plain gpio numbers. The driver has several ways to pass this
information without using gpio numbers, using a lookup table is
the easiest way.
Ricardo Ribalda [Mon, 4 May 2026 10:55:03 +0000 (10:55 +0000)]
Input: atmel_mxt_ts - set byte_offset as signed
The calculations done to obtain byte_offset can result into a negative
number, fix its type.
This patch fixes the following sparse error:
drivers/input/touchscreen/atmel_mxt_ts.c:1481:44: warning: unsigned value that used to be signed checked against zero?
drivers/input/touchscreen/atmel_mxt_ts.c:1479:49: signed value source
This is a Sonix SN8P2202XG microcontroller with firmware compatible with
the already supported Northstar 04eb:e004, implementing an MCE IR receiver
(PCB seems to be tracked for a transmitter too but missing related parts).
Found in a Skintek SK-CR-IN+IR ( http://www.skintek.it/SK-CR-IN+IR.php )
internal 3.5 inch USB card reader and MCE receiver combo
(implemented by, and wired as, separate USB devices)
PCB marking: AU6475 966816 STIR REV:A02 MCE
Signed-off-by: Riccardo Boninsegna <rboninsegna2@gmail.com> Signed-off-by: Sean Young <sean@mess.org>
Lucas Poupeau [Mon, 4 May 2026 15:38:31 +0000 (17:38 +0200)]
ALSA: ac97: clean up whitespace and move EXPORT_SYMBOLs
Clean up an unnecessary space in a conditional statement and move
EXPORT_SYMBOL_GPL(snd_ac97_reset) and EXPORT_SYMBOL(ac97_bus_type)
to immediately follow their respective definitions.
This complies with the Linux kernel coding style convention which
prefers exports to be placed next to the exported symbol for better
code locality and readability.
Nicola Lunghi [Mon, 4 May 2026 14:45:20 +0000 (16:45 +0200)]
ALSA: usb-audio: add clock quirk for Motu 1248
The Motu 1248 (and probably other older Motu AVB interfaces) take more
than 2 seconds to switch clock. During the clock switching process the
device return that the clock is not valid. This is similar to what
already implemented for the Microbook II interface. Add the Motu
1248 usb id to the existing Motu quirk.
Cássio Gabriel [Mon, 4 May 2026 14:08:45 +0000 (11:08 -0300)]
ALSA: usb-audio: midi2: Restart output URBs on resume
USB MIDI 2.0 suspend saves the endpoint running state, clears it and
kills all endpoint URBs. Resume restores the running state, but only
restarts input endpoints.
For a running output endpoint, this leaves the endpoint marked running
with an empty URB queue. Output transfer progress depends on either the
rawmidi trigger path starting the queue or an output completion refilling
it. After suspend there is no completion left, and output data that
remains queued in the raw UMP or legacy rawmidi buffer can stay stalled
until userspace happens to trigger the stream again.
Restore the saved state with atomic accessors, keep input endpoints
restarted as before, and restart output endpoints that were running before
suspend. Clear the saved suspend state after restoring it.
ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP Envy X360 15-fh0xxx
This enables the mute and mic-mute LEDs on the HP Envy X360 15-fh0xxx
2-in-1 laptops.
The quirk 'ALC245_FIXUP_HP_ENVY_X360_15_FH0XXX' has been created and
is now enabled for this device.
This is my first patch, and I'm still getting to grips with the code,
so there's probably a better way to implement this fix.
I apologize for any inconvenience caused by the constant release of
new versions of this patch.
Rong Zhang [Mon, 4 May 2026 11:38:05 +0000 (19:38 +0800)]
ALSA: usb-audio: Add quirk flags for JBL Pebbles
JBL Pebbles is a pair of desktop speakers with UAC interface. Its
Playback and Capture mixers use linear volume with val = 0/999/1 and
0/3996/4. Meanwhile, the reported sample rates are truncated to
multiples of 0x100 (i.e., 44100 => 44032), resulting in noisy kmsg, as a
warning message is printed each time a stream is opened.
Add a quirk table entry matching VID/PID=0x05fc/0x0231 and applying
linear volume and sample rate quirk flags, so that it can work properly.
Also note that the volume control knob on device is an incremental
encoder. It does nothing but sends KEY_VOLUMEUP and KEY_VOLUMEDOWN per
rotation, controlling the UAC Playback volume mixer indirectly. Hence,
the linear volume quirk flags also enable the volume control knob to
function properly.
Quirky device sample:
usb 5-1.1: new full-speed USB device number 12 using xhci_hcd
usb 5-1.1: New USB device found, idVendor=05fc, idProduct=0231, bcdDevice= 1.00
usb 5-1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 5-1.1: Product: JBL Pebbles
usb 5-1.1: Manufacturer: Harman International Industries
usb 5-1.1: SerialNumber: 1.0.0
usb-storage 5-1.1:1.0: USB Mass Storage device detected
scsi host0: usb-storage 5-1.1:1.0
usb 5-1.1: Found last interface = 1
usb 5-1.1: 2:1: add audio endpoint 0x5
usb 5-1.1: Creating new data endpoint #5
usb 5-1.1: 2:1 Set sample rate 44100, clock 0
usb 5-1.1: current rate 44032 is different from the runtime rate 44100
usb 5-1.1: 3:1: add audio endpoint 0x84
usb 5-1.1: Creating new data endpoint #84
usb 5-1.1: 3:1 Set sample rate 44100, clock 0
usb 5-1.1: current rate 44032 is different from the runtime rate 44100
usb 5-1.1: [2] FU [PCM Playback Switch] ch = 1, val = 0/1/1
usb 5-1.1: Warning! Unlikely big volume step count (=999), linear volume or wrong cval->res?
usb 5-1.1: [2] FU [PCM Playback Volume] ch = 2, val = 0/999/1
usb 5-1.1: [5] FU [Mic Capture Switch] ch = 1, val = 0/1/1
usb 5-1.1: Warning! Unlikely big volume step count (=999), linear volume or wrong cval->res?
usb 5-1.1: [5] FU [Mic Capture Volume] ch = 2, val = 0/3996/4
input: Harman International Industries JBL Pebbles as /devices/pci0000:00/0000:00:08.3/0000:67:00.3/usb5/5-1/5-1.1/5-1.1:1.4/0003:05FC:0231.0018/input/input55
hid-generic 0003:05FC:0231.0018: input,hidraw2: USB HID v2.01 Device [Harman International Industries JBL Pebbles] on usb-0000:67:00.3-1.1/input4
Cássio Gabriel [Mon, 4 May 2026 00:55:52 +0000 (21:55 -0300)]
ALSA: firewire-tascam: Do not drop unread control events
tscm_hwdep_read_queue() copies as many queued control events as fit in
the userspace buffer. When the buffer is smaller than the current
contiguous queue segment, length is rounded down to the number of bytes
that can be copied.
However, after copying that shortened length, the code advances pull_pos
to the original tail_pos, marking the whole contiguous segment as
consumed. Any events between the copied portion and tail_pos are lost.
Limit tail_pos to the position after the entries actually copied before
updating pull_pos. When the whole segment fits, this is equivalent to the
old tail_pos update; when the buffer is smaller, the remaining events
stay queued for the next read.
Fixes: a8c0d13267a4 ("ALSA: firewire-tascam: notify events of change of state for userspace applications") Cc: stable@vger.kernel.org Suggested-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com> Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Co-developed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Signed-off-by: Takashi Iwai <tiwai@suse.de> Link: https://patch.msgid.link/20260503-alsa-firewire-tascam-read-queue-v2-1-126c6efd7642@gmail.com
Anton Swart [Sun, 3 May 2026 21:15:17 +0000 (23:15 +0200)]
ALSA: usb-audio: Add quirk flags for AlphaTheta EUPHONIA
The AlphaTheta EUPHONIA (VID 0x2b73, PID 0x0047) is a USB Audio
Class 2 DJ mixer that requires implicit feedback for full-duplex
operation. The capture endpoint (0x83 IN, interface 2) acts as the
implicit feedback source for the playback endpoint (0x03 OUT,
interface 1), and the device firmware does not send isochronous
data on the capture endpoint unless the host is simultaneously
sending data on the playback endpoint, i.e. playback must be
started first.
Without QUIRK_FLAG_PLAYBACK_FIRST the kernel waits for capture URBs
before submitting playback URBs, creating a deadlock: the device
waits for playback data and the host waits for capture data.
Without QUIRK_FLAG_GENERIC_IMPLICIT_FB the kernel does not detect
the implicit feedback relationship between the two interfaces.
The same flag combination is already used for the Behringer UMC202HD,
UMC204HD and UMC404HD (0x1397:0x0507/0x0508/0x0509), which exhibit
the identical implicit-feedback topology.
Tested on Raspberry Pi 5 with kernel 6.12.75; continuous full-duplex
streaming at 96 kHz / 24-bit, zero XRUNs.
Moksh Panicker [Mon, 4 May 2026 14:28:11 +0000 (14:28 +0000)]
staging: rtl8723bs: Remove commented-out dead code in hal_btcoex.c
Remove three commented-out lines of dead code that are never executed.
Keeping commented-out code is discouraged as it clutters the codebase
and serves no purpose.
Nikolay Kulikov [Sat, 2 May 2026 21:55:47 +0000 (00:55 +0300)]
staging: rtl8723bs: move normal_chip field to struct hal_com_data
The 'chip_normal' field is the only remaining member of the 'struct
hal_version' that is used.
Move this field to the hal_com_data struct, where other chip information
is already stored. The order of assignments and reads to this variable
remains unchanged. This is purely a data relocation patch.
Nikolay Kulikov [Sat, 2 May 2026 21:55:44 +0000 (00:55 +0300)]
staging: rtl8723bs: remove unused VendorType from struct hal_version
The 'VendorType' field of the 'struct hal_version' is set once when the
chip is initialized, but no one ever reads this data, so remove it to
eliminate unused code.
Nikolay Kulikov [Sat, 2 May 2026 21:55:43 +0000 (00:55 +0300)]
staging: rtl8723bs: remove unused ICType from struct hal_version
Remove the unused 'ICType' field from the 'struct hal_version', as it
always takes a single value (CHIP_8723B) upon initialization and is
never used in driver.
Nikolay Kulikov [Sat, 2 May 2026 21:55:41 +0000 (00:55 +0300)]
staging: rtl8723bs: replace type and rename the chip_type field
The 'chip_type' field always accepts one value from the
hal_chip_type_e enumeration: TEST_CHIP or NORMAL_CHIP (FPGA is never
used).
Changing this field's type to bool will allow it to be used directly in
conditions without the need for wrapped macros.
The new type requires a corresponding variable name, so rename it to
'chip_normal' to improve code readability.
drm/bridge: tda998x: Return NULL instead of 0 in tda998x_edid_read()
tda998x_edid_read() returns a const struct drm_edid pointer, but when
tda998x_edid_delay_wait() fails (process killed while waiting for the
HPD timeout), the integer literal 0 is returned instead of NULL,
triggering a sparse warning: "Using plain integer as NULL pointer"
Replace 0 with NULL to fix the sparse warning.
Fixes: c76a8be4feec ("drm/bridge: tda998x: Add support for DRM_BRIDGE_ATTACH_NO_CONNECTOR") Reported-by: kernel test robot <lkp@intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202604172257.Imo6GOH9-lkp@intel.com/ Signed-off-by: Kory Maincent (TI) <kory.maincent@bootlin.com> Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com> Link: https://patch.msgid.link/20260417155446.1068893-1-kory.maincent@bootlin.com Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Wrap lines exceeding 100 characters to improve code readability
and conform to the Linux kernel coding style. This fixes the
LONG_LINE issues identified by checkpatch.pl.
Andrei Khomenkov [Mon, 27 Apr 2026 17:58:45 +0000 (20:58 +0300)]
staging: rtl8723bs: fix alignment of continued conditions
Fix alignment of continued conditions to improve code readability
and conform to the Linux kernel coding style. This fixes the
PARENTHESIS_ALIGNMENT issues identified by checkpatch.pl.
Andrei Khomenkov [Mon, 27 Apr 2026 17:58:44 +0000 (20:58 +0300)]
staging: rtl8723bs: move logical operators to previous line
Move logical operators to the previous line to improve code
readability and conform to the Linux kernel coding style.
This fixes the LOGICAL_CONTINUATIONS issues identified by
checkpatch.pl.
Andrei Khomenkov [Mon, 27 Apr 2026 17:58:43 +0000 (20:58 +0300)]
staging: rtl8723bs: remove redundant braces for single-statement block
Remove redundant curly braces for single-statement block to improve
code readability and conform to the Linux kernel coding style.
This fixes the BRACES issue identified by checkpatch.pl.
Andrei Khomenkov [Mon, 27 Apr 2026 17:58:42 +0000 (20:58 +0300)]
staging: rtl8723bs: add spaces around bitwise OR operators
Add spaces around bitwise OR operators to improve code readability
and conform to the Linux kernel coding style. This fixes the
SPACING issues identified by checkpatch.pl.
staging: rtl8723bs: fix block comment alignment in hal_pwr_seq.c
Fix the multi-line block comment at the top of the file to follow
the kernel coding style: each continuation line should start with
' * ' and the closing '*/' should be on its own line without a
preceding blank line.
This fixes the following checkpatch.pl warning:
WARNING: Block comments should align the * on each line
Nikolay Kulikov [Thu, 30 Apr 2026 17:29:06 +0000 (20:29 +0300)]
staging: rtl8723bs: rename DisableInterrupt8723BSdio() to snake_case
Rename function DisableInterrupt8723BSdio() to
rtw_sdio_disable_interrupt() and format its description to comply with
Linux kernel coding style.
Declare this function without 'extern' prototype in the .h file to fix
checkpatch.pl warning.
staging: rtl8723bs: simplify NULL pointer comparisons in rtw_recv.h
Fix checkpatch.pl warnings regarding explicit comparisons to NULL.
The kernel coding style prefers the shorter if (!ptr) idiom over
if (ptr == NULL). Clean up the inline functions in rtw_recv.h to
match this standard.
staging: rtl8723bs: add function definition arg names to rtw_btcoex.h
Adds function definition argument names to rtw_btcoex.h in order to
conform to kernel code style. This eliminates warnings generated by
checkpatch.pl.
In all cases it's the 'struct adapter *' argument which has been given
the name 'padapter'. This matches the names used in the implementations
of these functions.
drm/bridge: tda998x: Use __be32 for audio port OF property pointer
of_get_property() returns a pointer to big-endian (__be32) data, but
port_data in tda998x_get_audio_ports() was declared as const u32 *,
causing a sparse endianness type mismatch warning. Fix the declaration
to use const __be32 *.
Fixes: 7e567624dc5a4 ("drm/i2c: tda998x: Register ASoC hdmi-codec and add audio DT binding") Cc: stable@vger.kernel.org Signed-off-by: Kory Maincent (TI) <kory.maincent@bootlin.com> Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk> Link: https://patch.msgid.link/20260428090457.121894-1-kory.maincent@bootlin.com Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Eric Wu [Mon, 27 Apr 2026 15:54:27 +0000 (23:54 +0800)]
staging: octeon: convert cvmx_pip_port_status_t from typedef to plain struct
The Linux kernel coding style discourages the use of typedefs for
structs. Convert cvmx_pip_port_status_t to a plain 'struct
cvmx_pip_port_status' and update all users across the MIPS Octeon
architecture code and the staging driver.
Eric Wu [Mon, 27 Apr 2026 15:54:26 +0000 (23:54 +0800)]
staging: octeon: convert cvmx_pko_port_status_t from typedef to plain struct
The Linux kernel coding style discourages the use of typedefs for
structs. Convert cvmx_pko_port_status_t to a plain 'struct
cvmx_pko_port_status' and update all users across the MIPS Octeon
architecture code and the staging driver.
Eric Wu [Mon, 27 Apr 2026 15:54:25 +0000 (23:54 +0800)]
staging: octeon: convert cvmx_pko_status_t from typedef to plain enum
The Linux kernel coding style discourages the use of typedefs for
enums. Convert cvmx_pko_status_t to a plain 'enum cvmx_pko_status' and
update all users across the MIPS Octeon architecture code and the
staging driver stubs.
Eric Wu [Mon, 27 Apr 2026 15:54:24 +0000 (23:54 +0800)]
staging: octeon: convert cvmx_pko_lock_t from typedef to plain enum
The Linux kernel coding style discourages the use of typedefs for
enums. Convert cvmx_pko_lock_t to a plain 'enum cvmx_pko_lock' and
update all users across the MIPS Octeon architecture code and the
staging driver stubs.
Eric Wu [Mon, 27 Apr 2026 15:54:23 +0000 (23:54 +0800)]
staging: octeon: convert cvmx_pow_wait_t from typedef to plain enum
The Linux kernel coding style discourages the use of typedefs for
enums. Convert cvmx_pow_wait_t to a plain 'enum cvmx_pow_wait' and
update all users across the MIPS Octeon architecture code and the
staging driver stubs.
Eric Wu [Mon, 27 Apr 2026 15:54:22 +0000 (23:54 +0800)]
staging: octeon: convert cvmx_helper_interface_mode_t from typedef to plain enum
The Linux kernel coding style discourages the use of typedefs for
enums. Convert cvmx_helper_interface_mode_t to a plain 'enum
cvmx_helper_interface_mode' and update all users across the MIPS
Octeon architecture code and the staging driver stubs.
Eric Wu [Mon, 27 Apr 2026 15:54:21 +0000 (23:54 +0800)]
staging: octeon: convert cvmx_spi_mode_t from typedef to plain enum
The Linux kernel coding style discourages the use of typedefs for
enums. Convert cvmx_spi_mode_t to a plain 'enum cvmx_spi_mode' and
update all users across the MIPS Octeon architecture code and the
staging driver stubs.
This is part of a series converting all remaining enum typedefs in
the octeon subsystem to plain enums, improving compliance with the
kernel coding style.
tegra_nvec_remove() unconditionally sets pm_power_off = NULL, even if
nvec was not the one that registered it. This breaks any other driver
that may have set pm_power_off to its own handler.
Replace the unconditional assignment with a guarded check so that
pm_power_off is only cleared if nvec was the one that set it.
Also remove the stale FIXME comment, as the guard addresses exactly
what it was asking for.
Alexandru Hossu [Mon, 27 Apr 2026 08:17:12 +0000 (10:17 +0200)]
staging: nvec: fix use-after-free in nvec_rx_completed()
In nvec_rx_completed(), when an incomplete RX transfer is detected,
nvec_msg_free() is called to return the message back to the pool by
clearing its 'used' atomic flag. Immediately after this, the code
accesses nvec->rx->data[0] to check the message type.
Since nvec_msg_free() marks the pool slot as available via atomic_set(),
any concurrent or subsequent call to nvec_msg_alloc() could claim that
same slot and overwrite its data[] array. Reading nvec->rx->data[0] after
freeing the message is therefore a use-after-free.
Fix this by saving the message type byte before calling nvec_msg_free(),
then using the saved value for the battery quirk check.
Fixes: d6bdcf2e1019 ("staging: nvec: Add battery quirk to ignore incomplete responses") Reviewed-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com> Link: https://patch.msgid.link/20260427081713.3401874-2-hossu.alexandru@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Hungyu Lin [Mon, 27 Apr 2026 05:46:56 +0000 (05:46 +0000)]
staging: sm750fb: return -ETIMEDOUT on timeout in de_wait functions
The hw_sm750le_de_wait() and hw_sm750_de_wait() functions return -1
when a timeout occurs. Replace these with -ETIMEDOUT to use a proper
errno value and better describe the error condition.
All callers check the return value as non-zero, so this change does
not alter existing behavior.
staging: rtl8723bs: reduce nesting in rtw_security.c
Improve readability of functions:
rtw_tkip_encrypt, rtw_tkip_decrypt, rtw_aes_encrypt
in rtw_security.c by adding early returns for the
encryption type check and the stainfo null check.
Vincent reports:
> The ath5k driver seems to do an array-index-out-of-bounds access as
> shown by the UBSAN kernel message:
> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20
> index 4 is out of range for type 'ieee80211_tx_rate [4]'
> ...
> Call Trace:
> <TASK>
> dump_stack_lvl+0x5d/0x80
> ubsan_epilogue+0x5/0x2b
> __ubsan_handle_out_of_bounds.cold+0x46/0x4b
> ath5k_tasklet_tx+0x4e0/0x560 [ath5k]
> tasklet_action_common+0xb5/0x1c0
It is real. 'ts->ts_final_idx' can be 3 on 5212, so:
info->status.rates[ts->ts_final_idx + 1].idx = -1;
with the array defined as:
struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES];
while the size is:
#define IEEE80211_TX_MAX_RATES 4
is indeed bogus.
Set this 'idx = -1' sentinel only if the array index is less than the
array size. As mac80211 will not look at rates beyond the size
(IEEE80211_TX_MAX_RATES).
Note: The effect of the OOB write is negligible. It just overwrites the
next member of info->status, i.e. ack_signal.
ath12k_dp_rx_deliver_msdu() currently uses hal_rx_desc_data::peer_id
parsed from mpdu_start descriptor to do peer lookup. However In an A-MSDU
aggregation scenario, hardware only populates mpdu_start descriptor for
the first sub-msdu, but not the following ones. In that case peer_id could
be invalid, leading to peer lookup failure:
ath12k_wifi7_pci 0000:06:00.0: rx skb 00000000c391c041 len 1532 peer (null) 0 ucast sn 0 eht320 rate_idx 12 vht_nss 2 freq 6105 band 3 flag 0x40d1a fcs-err 0 mic-err 0 amsdu-more 0
As a result pubsta is NULL and parts of ieee80211_rx_status structure are
left uninitialized, which may cause unexpected behavior.
Fix it by switching the normal RX path to use ath12k_skb_rxcb::peer_id
which is parsed from REO ring's rx_mpdu_desc and is always valid.
hal_rx_desc_data::peer_id is still used in
ath12k_wifi7_dp_rx_frag_h_mpdu(), which is safe since A-MSDU
aggregation does not occur for fragmented frames. Similarly,
ath12k_skb_rxcb::peer_id may be overwritten by hal_rx_desc_data::peer_id
in ath12k_wifi7_dp_rx_h_mpdu(), which only handles non-aggregated
multicast/broadcast traffic.
wifi: ath12k: initialize RSSI dBm conversion event state
Currently, the RSSI dBm conversion event handler leaves struct
ath12k_wmi_rssi_dbm_conv_info_arg uninitialized on the stack before
calling the TLV parser. If one of the optional sub-TLVs is absent, the
corresponding *_present flag retains stack garbage and later gets read
in ath12k_wmi_update_rssi_offsets(). With UBSAN enabled this triggers an
invalid-load report for _Bool:
UBSAN: invalid-load in drivers/net/wireless/ath/ath12k/wmi.c:9682:15
load of value 9 is not a valid value for type '_Bool'
Call Trace:
ath12k_wmi_rssi_dbm_conversion_params_info_event.cold+0x72/0x85 [ath12k]
ath12k_wmi_op_rx+0x1871/0x2ab0 [ath12k]
ath12k_htc_rx_completion_handler+0x44b/0x810 [ath12k]
ath12k_ce_recv_process_cb+0x554/0x9f0 [ath12k]
ath12k_ce_per_engine_service+0xbe/0xf0 [ath12k]
ath12k_pci_ce_workqueue+0x69/0x120 [ath12k]
Initialize the parsed event state to zero before passing it to the TLV
parser so missing sub-TLVs correctly leave the presence flags false.
Nicolas Escande [Wed, 22 Apr 2026 16:32:58 +0000 (18:32 +0200)]
wifi: ath12k: fix leak in some ath12k_wmi_xxx() functions
Some wmi functions were using plain 'return ath12k_wmi_cmd_send(...)'
without explicitly handling the error code. This leads to leaking the skb
in case of error.
The DRM core uAPI headers are licensed under the MIT license, and carry
copies of the license with slight variations. Replace them with SPDX
headers.
Following a discussion with Simona Vetter on this topic, add a
clarification in the drm-uapi.rst file that independent closed-source
userspace implementations of software using the DRM uAPI are accepted,
as allowed by the MIT license.
Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Reviewed-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Simona Vetter <simona.vetter@ffwll.ch> Reviewed-by: Dave Airlie <airlied@redhat.com> Link: https://patch.msgid.link/20260407104951.1781047-1-laurent.pinchart+renesas@ideasonboard.com Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
David Carlier [Thu, 23 Apr 2026 12:56:48 +0000 (13:56 +0100)]
mm/memfd_luo: document preservation of file seals
Commit 8a552d68a86e ("mm: memfd_luo: preserve file seals") started
preserving file seals across live update and restoring them via
memfd_add_seals() on retrieve, but the DOC header was not updated and
still listed seals under "Non-Preserved Properties" as being unsealed
on restore.
Move the Seals entry to the "Preserved Properties" section and describe
the actual behavior, including the MEMFD_LUO_ALL_SEALS restriction that
both preserve and retrieve enforce.
memfd_luo_preserve_folios() declares max_folios as unsigned int and
computes it from the inode size, then passes it to memfd_pin_folios()
which itself caps max_folios at unsigned int. For files whose base-page
count exceeds UINT_MAX (larger than 16 TiB with 4 KiB pages), the
assignment truncates silently: only a prefix of the file gets pinned and
preserved, while memfd_luo_preserve() still records the full inode size
in ser->size. On retrieve the inode is restored to the full size but
only the preserved prefix repopulates the page cache, so the tail comes
back as holes and user data is silently lost across the live update.
Reject such files at preserve time with -EFBIG rather than chunk the
pin loop, which would also require enlarging the preserved folios array
well beyond what is practical.
projects / thirdparty / linux.git / log
