ip6mr: Convert ip6mr_net_exit_batch() to ->exit_rtnl().
ip6mr_net_ops uses ->exit_batch() to acquire RTNL only once
for dying network namespaces.
ip6mr does not depend on the ordering of ->exit_rtnl() and
->exit_batch() of other pernet_operations (unlike fib_net_ops).
Once ip6mr_free_table() is called and all devices are
queued for destruction in ->exit_rtnl(), later during
NETDEV_UNREGISTER, ip6mr_device_event() will not see anything
in vif table and just do nothing.
Let's convert ip6mr_net_exit_batch() to ->exit_rtnl().
We will remove RTNL and unregister_netdevice_many() in
ip6mr_rules_init().
Since default_device_exit_batch() is called after ->exit_rtnl(),
idev->mc_ifc_work could finally call mroute6_is_socket() under RCU
while ->exit_rtnl() is running. [0]
With CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=n, ip6mr_fib_lookup() does
not check if net->ipv6.mrt6 is NULL. If ip6mr_net_exit_batch()
set net->ipv6.mrt6 to NULL and freed it, the mrt->mroute_sk access
could result in null-ptr-deref or use-after-free.
Let's prepare for that situation by applying RCU rule to ip6mr
table similarly.
!check_net(net) is added in ip6mr_cache_unresolved() and
mroute_clean_tables() to synchronise the two by mfc_unres_lock
so that ip6mr_cache_unresolved() will not queue skb after
mroute_clean_tables() purged &mrt->mfc_unres_queue.
rcu_read_lock() in reg_vif_xmit() is moved up to cover
ip6mr_fib_lookup() as with ipmr.
Commit 22e36ea9f5d7 ("inet: allow ip_valid_fib_dump_req() to
be called with RTNL or RCU") introduced the rtnl_held field in
struct fib_dump_filter to switch __dev_get_by_index() and
dev_get_by_index_rcu() depending on the caller's context.
This field served as an interim measure while we were incrementally
converting all callers of ip_valid_fib_dump_req() to RCU.
Now that all users (IPv4, IPv6, ipmr, ip6mr, and MPLS) have
been converted to RCU, the field is no longer necessary.
Jakub Kicinski [Mon, 8 Jun 2026 23:00:12 +0000 (16:00 -0700)]
Merge branch 'so_txtime-improvements'
Willem de Bruijn says:
====================
SO_TXTIME improvements
FQ targets monotonic timestamps as generated by the TCP stack.
But SO_TXTIME was later added, which can send skbs with timestamps
against other clocks. It is now possible to detect these through skb
tstamp_type.
Make FQ robust by converting these timestamps for use in FQ (patch 2).
This also requires testing against out-of-bounds values. Prefer to do
this at the source, when parsing SCM_TXTIME (patch 1). But, tests in
the hot path are still needed, to handle BPF sources.
Extend the so_txtime selftest to handle this new case (patch 3).
net_sched: sch_fq: convert skb->tstamp if not monotonic
FQ currently assumes skb->tstamp holds monotonic time, as used by TCP.
Users with ns_capable CAP_NET_ADMIN can transmit skbs using SO_TXTIME
with CLOCK_MONOTONIC, CLOCK_REALTIME or CLOCK_TAI clockids as of
commit 80b14dee2bea ("net: Add a new socket option for a future
transmit time.")
More recently, skbs also gained tstamp_type to explicitly communicate
the clockid of skb->tstamp, with commit 4d25ca2d6801 ("net: Rename
mono_delivery_time to tstamp_type for scalabilty"), commit 1693c5db6ab8 ("net: Add additional bit to support clockid_t timestamp
type") and a few others.
Detect other clocks and convert to monotonic for use in FQ. That is,
convert fq_skb_cb(skb)->time_to_send. Do not convert skb->tstamp
itself. Network device clocks are more commonly synchronized to TAI.
Conversion may be imprecise due to clock adjustment (e.g., adjfreq)
between when SCM_TSTAMP is set and when it is converted in fq_enqueue.
The common codepath is short, so skew will be well below common pacing
operation. Even in edge cases, bursts (too soon) or beyond horizon
(too late) are indistinguishable from network conditions. To which
senders must be robust, as long as infrequent.
Avoid overflow due to negative offsets becoming huge when converting
from signed ktime_t to u64 time_to_send. Bound lower to mono 1 and
upper to now + q->horizon. This protects against bad input, e.g.,
from BPF programs.
Detect legacy BPF programs that program skb->tstamp without setting
skb->tstamp_type. Here tstamp_type is zero (SKB_CLOCK_REALTIME), but
the value will be unrealistic for realtime in the 21st century. Follow
existing TIME_UPTIME_SEC_MAX as bound between mono and realtime.
Signed-off-by: Willem de Bruijn <willemb@google.com>
----
Changes
v1 -> v2
- replace Fixes tag with references inside the commit message
net: ensure SCM_TXTIME delivery time is no older than system boot
Limit input to sane values to avoid having to add tests later in the
kernel hot path, e.g., in FQ.
SCM_TXTIME timestamps are converted to signed ktime_t when assigned to
skb->tstamp. Avoid having negative values overflow into large positive
ones when again used as u64, e.g., in FQ time_to_send.
For CLOCK_MONOTONIC, only allow positive values.
For CLOCK_REALTIME and CLOCK_TAI, allow equivalent values, i.e., no
older than the boot of the machine.
skb->tstamp zero is a special case signaling feature off. This is not
converted between clockids.
Handle the special case where the realtime clock is set so small that
real - mono is negative, however unlikely in practice.
Ideally we would also set a sane upper bound, but that would require
reading the clock, which is an expensive operation. Continue to defer
that validation to users of the data. FQ already does this.
Bound rather than return error on older timestamps. This is the
existing policy e.g., in FQ.
Signed-off-by: Willem de Bruijn <willemb@google.com>
----
Changes
v1 -> v2
- remove spurious semicolon at end of switch
- remove Fixes tag
Linus Walleij [Mon, 8 Jun 2026 22:59:55 +0000 (00:59 +0200)]
Merge tag 'renesas-pinctrl-for-v7.2-tag3' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/renesas-drivers into devel
pinctrl: renesas: Updates for v7.2 (take three)
- Fix locking on RZ/G3L.
* tag 'renesas-pinctrl-for-v7.2-tag3' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/renesas-drivers:
pinctrl: renesas: rzg2l: Use raw_spinlock_irqsave() on power source update
geneve: Move udp_conf.local_ip6 under CONFIG_IPV6 in geneve_create_sock().
Unlike struct ip_tunnel_key, struct udp_port_cfg does not always
define IPv6 address fields.
>> drivers/net/geneve.c:778:12: error: no member named 'local_ip6' in 'struct udp_port_cfg'
778 | udp_conf.local_ip6 = info->key.u.ipv6.src;
| ~~~~~~~~ ^
Let's add CONFIG_IPV6 guard in geneve_create_sock().
Fixes: afabbb56a726 ("geneve: Introduce IFLA_GENEVE_LOCAL and IFLA_GENEVE_LOCAL6.") Reported-by: kernel test robot <lkp@intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202606070019.yx2LhZPU-lkp@intel.com/ Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com> Link: https://patch.msgid.link/20260606204848.1987046-1-kuniyu@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Timur Tabi [Tue, 2 Jun 2026 21:11:16 +0000 (16:11 -0500)]
pinctrl: PINCTRL_STMFX should depend on CONFIG_OF
Commit e785c990adcc ("pinctrl: Kconfig: drop unneeded dependencies
on OF_GPIO") removed a redundant dependecy on CONFIG_OF_GPIO for
several pinctrl drivers, but this change also removed a dependency
on CONFIG_OF for some of those drivers.
Normally, this wouldn't be a problem, but PINCTRL_STMFX also selected
MFD_STMFX, which does depend on CONFIG_OF. This conflict allows
MFD_STMFX to be enabled even if CONFIG_OF is disabled.
Fix this by also having PINCTRL_STMFX depend on CONFIG_OF. This is
okay because the pinctrl-stmfx driver actually does depend on CONFIG_OF
functions.
Fixes: e785c990adcc ("pinctrl: Kconfig: drop unneeded dependencies on OF_GPIO") Signed-off-by: Timur Tabi <ttabi@nvidia.com> Signed-off-by: Linus Walleij <linusw@kernel.org>
Yu-Chun Lin [Mon, 1 Jun 2026 07:52:29 +0000 (15:52 +0800)]
dt-bindings: pinctrl: realtek,rtd1625: Fix input voltage property name
The property 'input-voltage-microvolt' is a typo. Rename it to
'input-threshold-voltage-microvolt' to align with the standard pin
configuration defined in pincfg-node.yaml and parsed by pinconf-generic.c.
Jakub Kicinski [Mon, 8 Jun 2026 22:40:54 +0000 (15:40 -0700)]
Merge tag 'batadv-next-pullrequest-20260605' of https://git.open-mesh.org/batadv
Simon Wunderlich says:
====================
This cleanup patchset includes the following patches, all by
Sven Eckelmann:
- tp_meter: initialize last_recv_time during init
- convert cancellation of work items to disable helper
- clean up wifi detection cache (3 patches)
- clean up kernel-doc: corrections, reword, typos (6 patches)
* tag 'batadv-next-pullrequest-20260605' of https://git.open-mesh.org/batadv:
batman-adv: fix kernel-doc typos and grammar errors
batman-adv: fix batadv_v_ogm_packet_recv error handling kernel-doc
batman-adv: uapi: keep kernel-doc in struct member order
batman-adv: bla: update stale kernel-doc
batman-adv: tp_meter: update stale kernel-doc after refactoring
batman-adv: correct batadv_wifi_* kernel-doc
batman-adv: document cleanup of batadv_wifi_net_devices entries
batman-adv: use GFP_KERNEL allocations for the wifi detection cache
batman-adv: drop duplicated wifi_flags assignments
batman-adv: convert cancellation of work items to disable helper
batman-adv: tp_meter: initialize last_recv_time during init
====================
Eric Dumazet [Fri, 5 Jun 2026 11:21:34 +0000 (11:21 +0000)]
tcp: restrict SO_ATTACH_FILTER to priv users
This patch restricts the use of SO_ATTACH_FILTER (cBPF) on TCP sockets
to users with CAP_NET_ADMIN capability.
This blocks potential side-channel attack where an unprivileged application
attaches a filter to leak TCP sequence/acknowledgment numbers.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Tamir Shahar <tamirthesis@gmail.com> Reported-by: Amit Klein <aksecurity@gmail.com> Cc: Willem de Bruijn <willemb@google.com> Cc: Alexei Starovoitov <ast@kernel.org> Cc: Daniel Borkmann <daniel@iogearbox.net> Cc: Andrii Nakryiko <andrii@kernel.org> Cc: Martin KaFai Lau <martin.lau@linux.dev> Cc: Eduard Zingerman <eddyz87@gmail.com> Cc: Kumar Kartikeya Dwivedi <memxor@gmail.com> Cc: Song Liu <song@kernel.org> Cc: Yonghong Song <yonghong.song@linux.dev> Cc: Jiri Olsa <jolsa@kernel.org> Cc: John Fastabend <john.fastabend@gmail.com> Cc: Stanislav Fomichev <sdf@fomichev.me> Acked-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: Willem de Bruijn <willemb@google.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Jakub Kicinski [Mon, 8 Jun 2026 22:33:34 +0000 (15:33 -0700)]
Merge tag 'nf-next-26-06-07' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next
Pablo Neira Ayuso says:
====================
Netfilter/IPVS updates for net-next
The following patchset contains Netfilter/IPVS updates for net-next,
this contains updates to address sashiko reports in IPVS and Netfilter
on possible pre-existing issues. This also includes a series to add
refcount for ct helper and timeout to deal with a corner case scenario
with unconfirmed conntracks flying to nfqueue.
1) Add a conn_max sysctl to IPVS to limit the maximum number of
connections, from Julian Anastasov.
2) Use get_unaligned_be16() to access TCP MSS in nfnetlink_osf,
from Fernando Fernandez Mancera.
3) Use {READ,WRITE}_ONCE to access helper flags from nfnetlink_helper.
Several patches for the synproxy infrastructure, from Fernando
Fernandez Mancera:
4) Drop packet if TCP timestamp adjustment fails.
5) Continue parsing of TCP timestamp to deal with possible duplicates.
6) Use {get,put}_unaligned_be32() to acess the TCP timestamp.
7) Hold ct->lock to initialize nf_ct_seqadj_init().
Updates for the ct timeout infrastructure, to deal with a corner case
for unconfirmed conntracks flying to nfqueue:
8) Add a refcount to track ct timeout policy use by ct extension,
release the timeout until the last ct extension drops the refcnt
on it.
Similar update for the ct helper infrastructure:
9) Dynamic allocation of ct helpers, as a preparation for adding
refcount to track ct extension use.
10) Move destroy_sibling_or_exp() to nf_conntrack_proto_gre, so
pptp conntrack helper module removal does not make this code
unreachable via the helper->destroy callback. This is another
dependency for the new refcount coming in this series.
11) Add a refcount to track use of it from the ct extension, then
ct helper and timeout is reachable to the connection until
it goes away.
12) Remove the genid infrastructure in ct extensions. The primary
goal was to detect that a ct extension such as ct timeout and
ct helper went stale for unconfirmed conntrack, either because
object or module was removed. This deactivates all ct extensions
though for this unconfirmed conntrack.
13) Call nf_ct_gre_keymap_destroy() if this is a master conntrack
with a pptp helper only.
sashiko.dev reports one more relevant issue when unsetting the helper
via ctnetlink that I will address in a follow up patch.
Then, two more assorted updates:
14) Avoid a unlikely underflow in bridge VLAN untag, only possible
if buggy bridge VLAN filtering is buggy, remove WARN_ON_ONCE
while at it. From David Carlier.
15) Use get_unaligned_be32() in nf_conntrack_tcp to access sack
extension, from Rosen Penev.
* tag 'nf-next-26-06-07' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next:
netfilter: nf_conntrack: use get_unaligned_be32() in tcp_sack()
netfilter: flowtable: avoid num_encaps underflow on bridge VLAN untag
netfilter: conntrack: call nf_ct_gre_keymap_destroy() if master helper is pptp
netfilter: conntrack: revert ct extension genid infrastructure
netfilter: nf_conntrack_helper: add refcounting from datapath
netfilter: nf_conntrack_pptp: move GRE specific cleanup to GRE tracker
netfilter: nf_conntrack_helper: dynamically allocate struct nf_conntrack_helper
netfilter: cttimeout: detach dataplane timeout policy and repurpose refcount
netfilter: synproxy: protect nf_ct_seqadj_init() with conntrack lock
netfilter: synproxy: fix unaligned memory access in timestamp adjustment
netfilter: synproxy: adjust duplicate timestamp options
netfilter: synproxy: drop packets if timestamp adjustment fails
netfilter: nfnetlink_cthelper: use {READ,WRITE}_ONCE for accessing helper flags
netfilter: nfnetlink_osf: fix mss parsing on big-endian architectures
ipvs: add conn_max sysctl to limit connections
====================
Recursively zap orphaned nested TDP shadow pages when emulating a guest
write to a shadowed page table, regardless of whether or not the associated
(parent) shadow page will be zapped, e.g. due to detected write-flooding.
This plugs a hole where KVM fails to reclaim defunct, unsync shadow pages
for select L1 hypervisor patterns. Commit 2de4085cccea ("KVM: x86/MMU:
Recursively zap nested TDP SPs when zapping last/only parent") modified KVM
to recursively zap synchronized shadow pages (KVM already recursively zaps
unsync children) when a child is orphaned. But the fix effectively only
applied the logic to kvm_mmu_page_unlink_children(), i.e. only performs the
recursive zap when KVM is already zapping a parent SP and processing its
children.
If L1 zaps SPTEs bottom-up (4KiB => 2MiB => ...), as KVM's TDP MMU does
with CONFIG_KVM_PROVE_MMU=n since commit 8ca983631f3c ("KVM: x86/mmu: Zap
invalidated TDP MMU roots at 4KiB granularity"), then KVM (as L0) will leak
upwards of 4 shadow pages per GiB of L2 guest memory. Over hundreds or
thousands of L2 boots, if the VM is "lucky" enough to escape write-flooding
detection, i.e. not trigger reclaim of the orphaned shadow pages by dumb
luck, then it's possible to end up with tens or even hundreds of thousands
of unsync shadow pages and associated rmap entries.
Polluting the hash table and rmap entries with a horde of stale entries
can eventually degrade L2 guest boot time by an order of magnitude,
especially if there is any antagonistic activity in the host, i.e. anything
that will contend for mmu_lock and/or needs to walk rmaps.
With "top"-down zapping, where "top" is 1GiB or above, then L0 KVM is
effectively limited to leaking 4 shadow pages per 256 GiB of memory, as
KVM's write flooding detection will kick in on the third write to an L1
TDP PUD, and thus recursively zap the entire 256 GiB range of the parent
PGD. I.e. even though L1 KVM still recursively zaps 2MiB => 4KiB SPTEs
when zapping each 1GiB SPTE, KVM only gets through two of the 1GiB SPTEs
before dropping everything. E.g. hacking tracing into L0 KVM's
kvm_mmu_track_write(), the top-down zapping of L1's TDP MMU for an L2 with
16GiB of memory leads to:
Note, in the shadow MMU, "level" describes the level a shadow page "points"
at, not the level of its associated SPTE. I.e. when write-flooding of 1GiB
PUD entries is detected, KVM recursively zaps shadow pages covering 256GiB
worth of memory. And as shown above, KVM's write-flooding detection
operates at all levels, so a single PMD (in L1) can effectively only leak
two unsync children (4KiB shadow pages) before it gets recursively zapped.
As a result, for the top-down zap, L0 KVM will leak at most 4 unsync shadow
pages per 256GiB of L2 memory.
The top-down zap also makes it more likely that L1 will self-heal (to some
extent), as any shadow pages that are "rediscovered" by future runs of L2
can get reclaimed by a recursive zap, whereas bottom-up zapping orphans
shadow pages over and over.
Note, in theory, there is some risk of over-zapping, e.g. due to zapping a
a large branch of the paging tree that L1 is only temporarily removing. In
practice, the usage patterns of hypervisors are highly unlikely to trigger
false positives. E.g. temporarily changing paging protections is typically
done at the leaf, not on a non-leaf entry. And if the L1 hypervisor is
updating large swaths of PTEs, e.g. to (temporarily?) remove chunks of
memory from L2, then L0 KVM's write-flooding detection will kick in, and
the children would be zapped anyways.
Fixes: 2de4085cccea ("KVM: x86/MMU: Recursively zap nested TDP SPs when zapping last/only parent") Cc: Yosry Ahmed <yosry@kernel.org> Cc: Jim Mattson <jmattson@google.com> Cc: James Houghton <jthoughton@google.com> Reviewed-by: Jim Mattson <jmattson@google.com> Reviewed-by: Yosry Ahmed <yosry@kernel.org> Link: https://patch.msgid.link/20260605174611.2222504-2-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc@google.com>
tcm_loop_target_reset is supposed to handle all the LUNs on a target but
it's only doing a TMR_LUN_RESET so only that one LUN is handled. This
will cause us to return early while IOs to other LUNs are still hung in
lower layers. This just removes the target reset handler for the driver
because LIO doesn't support target resets and for the common case where
this is run from the scsi-ml error hamdler we have already tried an
abort and lun reset so waiting again is most likely useless.
Fixes: 1333eee56cdf ("scsi: target: tcm_loop: Drain commands in target_reset handler") Signed-off-by: Mike Christie <michael.christie@oracle.com> Reviewed-by: Hannes Reinecke <hare@kernel.org> Link: https://patch.msgid.link/20260530052349.5134-1-michael.christie@oracle.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Comment-only changes across the lpfc driver, found by running
scripts/checkpatch.pl with the kernel's scripts/spelling.txt list
against drivers/scsi/lpfc/. No functional impact.
v1 covered a single site in lpfc_bsg.c. v2 expands to all
checkpatch-detected comment misspellings across the driver, per review
feedback from Justin Tee on the v1 thread. Identifiers that happen to
match common-typo entries (e.g. LSEXP_CANT_GIVE_DATA,
LPFC_FC_LA_TOP_UNKOWN) are intentionally left untouched, as renaming
them would change the driver's internal API.
Hongjie Fang [Fri, 5 Jun 2026 11:20:34 +0000 (19:20 +0800)]
scsi: ufs: core: Handle PM commands timeout before SCSI EH
A PM START STOP sent from the UFS well-known LU resume path can race
with SCSI EH:
The "wl resume" task flow is:
__ufshcd_wl_resume()
ufshcd_set_dev_pwr_mode(UFS_ACTIVE_PWR_MODE)
ufshcd_execute_start_stop()
scsi_execute_cmd()
blk_execute_rq <-- wait
scsi_check_passthrough() <-- may retry START STOP
If the first START STOP time out, SCSI EH may already recover the link and
reset the device before scsi_execute_cmd() returns:
scsi_timeout()
scsi_eh_scmd_add()
scsi_error_handler()
scsi_unjam_host()
scsi_eh_ready_devs()
scsi_eh_host_reset()
ufshcd_eh_host_reset_handler()
if (hba->pm_op_in_progress)
ufshcd_link_recovery()
ufshcd_device_reset()
ufshcd_host_reset_and_restore()
...
scsi_eh_flush_done_q() <-- wakeup "wl resume" task
... <-- host still in SHOST_RECOVERY
scsi_restart_operations()
A later passthrough retry can then run while the host is still in
SHOST_RECOVERY and hit the SCMD_FAIL_IF_RECOVERING path:
scsi_queue_rq()
if (scsi_host_in_recovery(shost) &&
cmd->flags & SCMD_FAIL_IF_RECOVERING)
return BLK_STS_OFFLINE
That retry completes with DID_ERROR or DID_NO_CONNECT even though EH may
already have restored the device to an operational ACTIVE state.
Handle these PM timeouts directly from ufshcd_eh_timed_out() instead.
After ufshcd_link_recovery(), complete the timed-out command immediately
if it has not been completed already.
For regular SCSI commands, complete them with DID_REQUEUE to match the
existing MCQ force-completion semantics and allow scsi_execute_cmd() to
retry if needed. For reserved internal device-management commands,
finish the request with DID_TIME_OUT without calling
ufshcd_release_scsi_cmd() since those commands use different resource
lifetime rules.
The system_suspending flag is no longer needed because PM command
timeout handling now uses pm_op_in_progress.
Fixes: b8c3a7bac9b6 ("scsi: ufs: Have midlayer retry start stop errors") Signed-off-by: Hongjie Fang <hongjiefang@asrmicro.com> Reviewed-by: Bart Van Assche <bvanassche@acm.org> Reviewed-by: Peter Wang <peter.wang@mediatek.com> Link: https://patch.msgid.link/20260605112034.3802540-1-hongjiefang@asrmicro.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
The Promise VTrak Ex10 series share the same hardware base and firmware.
Consequently all interface variants, whether fibre channel ("f") or SAS
("s") in dual/single controller, exhibit the same SCSI behavior.
Instead of adding separate blacklist entries for every specific model
variant (such as E610f, E610s, E310f, E310s), consolidate and broaden
the match strings to "VTrak E310" and "VTrak E610".
Cc: Alexander Perlis <aperlis@math.lsu.edu> Cc: Nikkos Svoboda <nsvoboda@math.lsu.edu> Cc: Martin Wilck <mwilck@suse.com> Cc: Benjamin Marzinski <bmarzins@redhat.com> Cc: Christophe Varoqui <christophe.varoqui@opensvc.com> Cc: Christoph Hellwig <hch@lst.de> Cc: James E.J. Bottomley <James.Bottomley@HansenPartnership.com> Cc: Martin K. Petersen <martin.petersen@oracle.com> Cc: SCSI-ML <linux-scsi@vger.kernel.org> Cc: DM_DEVEL-ML <dm-devel@lists.linux.dev> Signed-off-by: Xose Vazquez Perez <xose.vazquez@gmail.com> Reviewed-by: Martin Wilck <mwilck@suse.com> Link: https://patch.msgid.link/20260529205602.177515-1-xose.vazquez@gmail.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
John Garry [Thu, 4 Jun 2026 14:58:40 +0000 (14:58 +0000)]
nvme: quieten sparse warning in valid LBA size check
Currently building with C=1 generates the following warning:
CC drivers/nvme/host/core.o
CHECK drivers/nvme/host/core.c
drivers/nvme/host/core.c:2426:13: warning: unsigned value that used to be signed checked against zero?
drivers/nvme/host/core.c:2426:13: signed value source
This issue was introduced when using check_shl_overflow() to check for
invalid LBA size. Sparse is having trouble dealing with __bitwise __le64
conversion when passing to check_shl_overflow().
Resolve the issue by moving the check_shl_overflow() call to a separate
function, where types are not converted.
The id->lbaf[lbaf].ds < SECTOR_SHIFT check is dropped as
check_shl_overflow() is able to detect negative shifts.
Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: John Garry <john.g.garry@oracle.com> Signed-off-by: Keith Busch <kbusch@kernel.org>
Shashank Balaji [Mon, 18 May 2026 10:20:00 +0000 (19:20 +0900)]
driver core: platform: set mod_name in driver registration
Pass KBUILD_MODNAME through the driver registration macro so that the
driver core can create the module symlink in sysfs for built-in drivers,
and fixup all callers.
The Rust platform adapter is updated to pass the module name through to
the new parameter.
Tested on qemu with:
- x86 defconfig + CONFIG_RUST
- arm64 defconfig + CONFIG_RUST + CONFIG_CORESIGHT stuff
Shashank Balaji [Mon, 18 May 2026 10:19:59 +0000 (19:19 +0900)]
coresight: pass THIS_MODULE implicitly through a macro
Rename coresight_init_driver() to coresight_init_driver_with_owner() and
replace it with a macro wrapper that passes THIS_MODULE implicitly. This
is in line with what other buses do.
Shashank Balaji [Mon, 1 Jun 2026 10:19:41 +0000 (19:19 +0900)]
kernel: param: initialize module_kset in a pure_initcall
Commit "driver core: platform: set mod_name in driver registration" will
set struct device_driver's mod_name member for platform driver
registration. For a driver to be registered with its mod_name set,
module_kset needs to be initialized, which currently happens in a
subsys_initcall in param_sysfs_init(). The tegra cbb drivers register
themselves before module_kset init, in a core_initcall. This works
currently because lookup_or_create_module_kobject(), which dereferences
module_kset via kset_find_obj(), is not called if mod_name is not set,
which is the case now.
So in preparation for the commit "driver core: platform: set mod_name in
driver registration", move module_kset init to pure_initcall level,
ensuring it happens before tegra cbb driver registration.
Shashank Balaji [Mon, 18 May 2026 10:19:57 +0000 (19:19 +0900)]
soc/tegra: cbb: Move driver registration from pure_initcall to core_initcall
Commit "driver core: platform: set mod_name in driver registration" will
set struct device_driver's mod_name member for platform driver
registration. For a driver to be registered with its mod_name set,
module_kset needs to be initialized, which currently happens in a
subsys_initcall in param_sysfs_init(). The tegra cbb drivers register
themselves before module_kset init, in a pure_initcall. This works
currently because lookup_or_create_module_kobject(), which dereferences
module_kset via kset_find_obj(), is not called if mod_name is not set,
which is the case now.
So in preparation for the commit "driver core: platform: set mod_name in
driver registration", move tegra cbb driver registration to
core_initcall level, and commit "kernel: param: initialize module_kset
in a pure_initcall" will move module_kset init to pure_initcall level,
ensuring module_kset init happens before tegra cbb driver registration.
scsi: target: Use constant-time crypto_memneq() for CHAP digests
A constant-time memory comparison is more suitable than plain memcmp()
for authentication digest comparison. CHAP digests use an
authenticator-provided random challenge, so any timing side-channel
shouldn't be easily exploitable.
A mutual CHAP handshake requires target processing of an initiator-sent
CHAP_I identifier. The RFC 3720 specification states:
11.1.4. Challenge Handshake Authentication Protocol (CHAP)
...
CHAP_A=<A> CHAP_I=<I> CHAP_C=<C>
...
Where N, (A,A1,A2), I, C, and R are (correspondingly) the Name,
Algorithm, Identifier, Challenge, and Response as defined in
[RFC1994], N is a text string, A,A1,A2, and I are numbers
CHAP_I parsing currently calls extract_param(), which returns the
@identifier string (stripped of any 0b/0B or 0x/0X prefix) and a @type
which indicates DECIMAL, HEX, or BASE64 encoding (based on any stripped
prefix).
Any HEX encoded CHAP_I string is further processed via:
ret = kstrtoul(&identifier[2], 0, &id);
This is incorrect for two reasons:
* The @identifier string has already been stripped of the 0x/0X prefix,
so skipping the first two bytes omits part of the number.
* The kstrtoul() call specifies a base of 0, which will see
&identifier[2] parsed as a decimal, unless a '0x' or (octal) '0' is
erroneously present at that offset.
Fix this by passing the (zero-offset) identifier string to kstrtoul()
along with a base=16 parameter. Also add an explicit error handler for
BASE64 encoding.
Hex-encoded CHAP_I handling can be testing using the libiscsi EncodedI
test linked below.
The tape setup path uses one tape_block entry as the end-of-data marker
after the usable tape blocks. For the one-partition layout, partition 0
uses all TAPE_UNITS data slots and partition 1's marker is written at
tape_blocks[0] + TAPE_UNITS.
Only TAPE_UNITS entries are allocated, so that marker write is one
element past the allocation during device initialization before any
command is issued.
Allocate one extra tape_block entry for the marker. This keeps the
existing partitioning paths unchanged while providing backing storage
for the sentinel.
Bart Van Assche [Tue, 2 Jun 2026 17:51:25 +0000 (10:51 -0700)]
scsi: mailmap: Update Avri Altman's email address
Avri Altman's email address changed from @wdc.com into @sandisk.com. Add
this information in the .mailmap file such that scripts/get_maintainer.pl
produces the correct email address for UFS kernel patches.
Nick Chan [Sun, 7 Jun 2026 06:10:58 +0000 (14:10 +0800)]
nvme-apple: Prevent shared tags across queues on Apple A11
On Apple A11, tags of pending commands must be unique across the admin
and IO queues, else the firmware crashes with
"duplicate tag error for tag N", with N being the tag.
Apply the existing workaround for M1 of reserving two tags for the admin
queue to A11.
Cc: stable@vger.kernel.org Fixes: 04d8ecf37b5e ("nvme: apple: Add Apple A11 support") Reviewed-by: Sven Peter <sven@kernel.org> Signed-off-by: Nick Chan <towinchenmi@gmail.com> Signed-off-by: Keith Busch <kbusch@kernel.org>
w1: ds2482: Use named initializers for arrays of i2c_device_data
While being less compact, using named initializers allows to more easily
see which members of the structs are assigned which value without having
to lookup the declaration of the struct. And it's also more robust
against changes to the struct definition.
The mentioned robustness is relevant for a planned change to struct
i2c_device_id that replaces .driver_data by an anonymous union.
This patch doesn't modify the compiled arrays, only their representation
in source form benefits. The former was confirmed with x86 and arm64
builds.
Merge tag 'svc_updates_for_v7.2' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/dinguyen/linux into char-misc-next
Dinh writes:
SoCFPGA firmware updates for v7.2
- Simplify service driver memory management by using a flexible array
- Change FCS call to get provision data to asynchronous
- Avoid blocking the call the reboot_image sysfs when busy
- Add support to query the ATF version
* tag 'svc_updates_for_v7.2' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/dinguyen/linux:
firmware: stratix10-svc: Add support to query Arm Trusted Firmware (ATF) version
firmware: stratix10-rsu: avoid blocking reboot_image sysfs when busy
firmware: stratix10-svc: change get provision data to async SMC call
firmware: stratix10-svc: kmalloc_array + kzalloc to flex
Merge tag 'coresight-next-v7.2' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/coresight/linux into char-misc-next
Suzuki writes:
coresight: Self-hosted tracing updates for Linux v7.2
Updates for the CoreSight self hosted tracing subsystem includes:
- Better power management for components based on the CPU PM, including
support for components on the trace path for CPUs. Add support for
save/restore for TRBE
- Miscellaneous fixes to the drivers
* Fix overflow when the buffer size is > 2GB for tmc-etr
* Ultrasoc SMB Perf buffer OOB access
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
* tag 'coresight-next-v7.2' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/coresight/linux: (36 commits)
coresight: ultrasoc-smb: Fix OOB write in smb_sync_perf_buffer()
coresight: etb10: restore atomic_t for shared reading state
coresight: platform: defer connection counter increment until alloc succeeds
coresight: sysfs: Validate CPU online status for per-CPU sources
coresight: Move CPU hotplug callbacks to core layer
coresight: sysfs: Increment refcount only for software source
coresight: trbe: Save and restore state across CPU low power state
coresight: Add PM callbacks for sink device
coresight: Control path during CPU idle
coresight: sysfs: Use source's path pointer for path control
coresight: etm3x: Set active path on target CPU
coresight: etm4x: Set active path on target CPU
coresight: Save active path for system tracers
coresight: Introduce coresight_enable_source() helper
coresight: Use helpers to fetch first and last nodes
coresight: Control path with range
coresight: Disable source helpers in coresight_disable_path()
coresight: syscfg: Use IRQ-safe spinlock to protect active variables
coresight: etm4x: Remove redundant checks in PM save and restore
coresight: etm4x: Hook CPU PM callbacks
...
Merge tag 'icc-7.2-rc1' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/djakov/icc into char-misc-next
Georgi writes:
This pull request contains the following interconnect updates for
the 7.2-rc1 merge window:
- New driver for Shikra SoC
- New driver for Nord SoC
- New driver for Hawi SoC including CPU/LLCC bwmon support
- Add missing SDCC nodes for Eliza SoC
- Misc cleanups and fixes.
Signed-off-by: Georgi Djakov <djakov@kernel.org>
* tag 'icc-7.2-rc1' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/djakov/icc:
interconnect: qcom: add Hawi interconnect provider driver
dt-bindings: interconnect: qcom: document the RPMh NoC for Hawi SoC
dt-bindings: interconnect: qcom-bwmon: Add Hawi llcc-bwmon compatible
interconnect: qcom: eliza: Add SDCC1 slave node
dt-bindings: interconnect: qcom,eliza-rpmh: Add SDCC1 slave
interconnect: qcom: Restrict drivers per ARM/ARM64
interconnect: qcom: Fix indentation
dt-bindings: interconnect: qcom,sm6115: Restrict children and clocks
dt-bindings: interconnect: qcom,sm6115: Drop incorrect children if:then: block
dt-bindings: interconnect: qcom,sdm660: Disallow clocks when appropriate
interconnect: Move MODULE_DEVICE_TABLE next to the table itself
interconnect: Do not create empty devres on missing interconnects
dt-bindings: interconnect: qcom-bwmon: Add Hawi cpu-bwmon compatible
interconnect: qcom: Add interconnect provider driver for Nord SoC
dt-bindings: interconnect: Document RPMh Network-On-Chip for Qualcomm Nord SoC
interconnect: qcom: add Shikra interconnect provider driver
dt-bindings: interconnect: document the RPM Network-On-Chip interconnect in Shikra SoC
Merge tag 'iio-for-7.2a' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/jic23/iio into work-testing
IIO: New device support, features and cleanup for the 7.2 cycle.
Like many areas of the kernel IIO has seen a lot of new contributors
though in this case that is not all AI driven, but also reflects and annual
surge of student contributions from usp.br. We also have several new
regular reviewers who are helping with the surge (thanks to all our
active reviewers!)
Given there was a lot of cases of similar improvements applied to
different drivers, I have grouped those into a special section (various
drivers) to avoid mass duplication.
New device support
------------------
adi,ad4130
- Add support for AD4129-4, AD4129-8, AD4130-4, AD4131-4 and AD4131-8
after reworking the driver to be suitable for multiple device support.
adi,ad4080
- Support the AD4880 and AD4884 dual-channel parts. Interesting parts
as have two separate data pipelines (including SPI buses interfaces),
but the only current backend IP combines the two so they cannot be
treated as independent devices.
adi,ad5706r
- New driver for this 4 channel current output DAC.
adi,ad4691
- New driver supporting this family of ADCs. Support for AD4691, AD4692,
AD4693 and AD4694 which support either 8 or 16 channels with different
max sampling rates. Feature rich driver including SPI offload support.
adi,ltc2983
- Add support for the ADT7604 in which the same sensor die as the
LTC2984 is used for leak detection (liquid coverage of a sense area).
allwinner,adc
- Support for A523 SoCs. Similar to existing parts but with an additional
clock. Includes adding support for non contiguous channel lookup
for in kernel use (fwnode_xlate callback).
broadcomm,apds9999
- New driver for the APDS9999 Ambient Light, RGB and proximity sensor.
memsic,mmc5983
- New driver for this 3-axis magnetometer.
taos,tsl2772
- Add support for the AVAGO APDS9900 and APDS9901 Ambient Light and
Proximity sensors. which are very similar to existing part with slightly
different integration time choices. Includes removal of driver for these
parts from drivers/misc.
vishay,veml3328
- New driver for this RGB+IR light sensor.
Features
--------
IIO Core
- Support for IEEE 754 floating point values in buffer scan elements.
- Support quaternion axis representation (missing the scaler part)
microchip,mcp4821
- Add configurable gain control
qcom,pm8xxx-xoadc
- Add per channel labels.
st,lsm6dsx
- Support for rotation sensing on the LSM6DSV and LSM6DSV16X using
both floating point and new quaterionaxis rotation modifier.
MAINTAINERS update
------------------
IIO top level entry
- Include Documentation/driver-api/iio/
adi,*
- Top level ADI entry maintainer switch from Lars-Peter Clausen to Nuno Sá
reflecting what has been the reality for some time. Thanks to Lars-Peter
who was very active for many years, but has moved on to other things.
Also add the linux@analog.com email list to ensure we don't get a gap
in future.
- Maintainer updates to reflect Cosmin Tanislav having moved on - thanks
to Marcelo Schmitt for taking these over.
sensiron,scd30
- Replace maintainer (Tomasz Duszynski) with Maxwell Doose.
Cleanups, minor fixes and hardening.
------------------------------------
Documentation
- Add missing powerdown modes to ABI docs.
- Use modern helpers for buffer definition in the examples.
core
- Rework of the handling of timestamps so that the offset is cached at
buffer resize time (during enabling) rather than based on assumption
that relied in the timestamp being last and the largest element and
so always 8 bytes before end of the scan. Underlying problem was
triggered by scans with repeated type elements such as quaternions
with each element more than 2 bytes - Giving a 16 byte+ aligned channel
with result that a following timestamp may be 16 bytes from end of scan,
rather than 8. Note that for the bosch,bno55 a compatibility hack means
that it will duplicate the timestamp putting a second copy at previously
incorrect location.
- Tidy up use of kernel types in buffer code to not use int64_t given all
calls use s64.
various drivers
- Drop unused driver_data in device id tables - includes cleanup of various
drivers that had only one choice where it can be hard coded elsewhere.
- Move to named initializers for many i2c_device_id and platform_device_id
tables (I have no idea how we go into habit of using named initializers
for only a subset of the table types - e.g. of_device_id).
- Make IIO_CHAN_SOFT_TIMESTAMP() macro a compound literal allowing simple
use in various drivers that do dynamic channel definitions. Use it in
all such cases.
- Use dev_err_probe() and local dev variables to tidy up older drivers.
- Switch more drivers to devm_mutex_init() to provide minor debug benefits.
- Reorder code to put MODULE_DEVICE_TABLE() next to the tables.
- Lots of use of cleanup.h magic to improve code flow, often including
related refactors such as introducing helpers.
- Replacement of usleep_range() with fsleep()
- Reduce logging noise where functions either provide their own extensive
reports on error, or where a clear error code is returned to userspace.
- Minor spelling and style fixes (improving bracket usage, not using
__packed etc)
hid-sensors-*
- Drop helpers for setting channel bit masks in favor of a compound
literal at the call site. Also general cleanup of surrounding code.
hid-sensors-magn
- Use u32 rather than bare unsigned for types.
hid-sensors-rotation
- Make sue of ext_scan_type handling for static case rather than duplicate
chan_info structures.
adi,ad3552r
- Use field_get() to replace open coded equivalent.
adi,ad4170
- Switch from switch to table lookup for GPIO modes.
adi,ad5686
- Apply IWYU principal to included a consistent set of headers.
- Deduplicate regmaps for AD5684 and AD5693 as identical.
- Switch from an enum value in driver data and array look up to pointers
to separate structures, improving readabilty and avoiding issues with
0 value when using helpers to deal with different firmware types.
- Add of_match_id table to SPI driver rather than relying on fallback to
spi_device_id table.
- Introduce some helpers for powerdown mask control.
- Add helpers for control sync simplifying a couple of corner cases.
- Docs fixes.
- Add an ops structure to simplify future addition of operations beyond
read and write.
adi,ad7191
- Switch to best practice of using device_property_present() to detect
if an optional property is there rather than error values on querying
the property.
adi,ad7280a
- Use local variables to improve readability of breaking up chan-address.
adi,ad7825
- Cleanup a type mismatch in clamp() call.
adi,ad799x
- Include improvements
- Local dev variable to shorten code lines.
- Cache regulator voltage at probe (these never change in practice)
- Convert to devm for all unwind handling.
adi,ad9832
- Improve include relevance including replacing kernel.h with more specific
headers.
- Simplify some maths.
adi,ad9834
- Improve include relevance including replacing kernel.h with more specific
headers.
adi,adt7316
- Add a comment to avoid future 'fixes' for error handling during the
odd sequence used to flip from I2C mode to SPI mode.
adi,adxl*
- Documentation consistency improvements.
asahi-kasei,ak8975
- Fix missing runtime pm calls for buffered capture.
- Fix missing pm_runtime_put_autosuspend() in an error path that would leave
the device stuck on.
- Close a potential uninitialized kernel stack leak.
- Extensive driver modernization including: header relevance, fsleep()
various minor bugs, dropping duplicate error messages and avoiding
magic lengths for buffers.
- Replace opencoded polling with iopoll().
- Add error checking to gpio reads.
avia,hx711
- Move scale computation from global data to per device avoiding problems
if multiple devices present.
- General binding text cleanup.
bosch,bmg160
- Add missing mount-matrix entry to binding.
bosch,bno55
- Terminate error strings with newlines.
devantech,srf08
- Replace sprintf() with sysfs_emit() and sysfs_emit_at() to make intent
clearer.
freescale,mma8452
- Add missing return value check.
- Fix potential probe ordering issue by switching to non devm irq request.
linear,ltc2309
- Add chip specific read delays.
- Improve chip_info structure, adding __counted_by_ptr marking and
reorganizing to improve packing.
linear,ltc2983
- Fix a firmware combination where default n_wires of 2 bypasses exclusion
of adi,current-rotate whereas explicitly setting it to 2 does not.
- Fix potential race with completion reinit.
- Improve error message wording consistency.
- Use fwnode_property_present() to detect optional properties rather
than fragile return value checking.
microchip,mcp3422
- Use of GENMASK(), FIELD_GET(), FIELD_PREP() to improve readability and
generally modernize driver.
microchip,mcp47feb02
- Fix binding example to use a possible I2C address.
- Fix binding bounds on channel number.
- Standardize binding example indentation
nxp,saradc
- Increase chances of recovering from a failure in the interrupt handler
by notifying the trigger that it can reenable even when the read failed.
- Use field_get() to replace opencoded equivalent.
qualcomm,*
- Standardize on Qualcomm company naming in Kconfig.
richtek,rtq6056
- Add i2c_device_id table for legacy instantiation.
samsung,ssp
- Replace custom timestamp channel macro with main one.
sciosense,ens210
- Now scoped_guard() has been reworked, no need for a return
that can never be reached.
sensiron,scd30
- Constify command lookup table.
- Sanity check for NULL buffer of non zero size being provided to
sc30_i2c_command()
sensortek,stk3310
- Include more appropriate headers.
- Ensure interrupt in appropriate mode after resume.
- Structure definition improvements.
- Use size_of() to replace opencoded sizes.
siliconimage,si1133
- Resolve counter related issues on timeout error paths.
- Unused macro removal, improved macro definitions,.
- Include relevance improvements.
st,lsm6dsx
- Fix an issue with applying invalid data check to wrong type of sample.
taos,tcs3472
- Try to powerdown chip on probe failure.
- Devm usage and dropping of remove() callback.
- Various other minor cleanup.
taos,tsl2591
- Dead code removal.
- Simplify tsl2591_persist functions using a look up table.
ti,ads1298
- Fix wrong comment on timeout (and minor code improvement)
- Drop unnecessary CONFIG2 write during init.
ti,ads7950
- Check ret rather that ret < 0 for spi_setup() call.
- Use fully devm managed resources including moving to
devm_regulator_get_enable_read_voltage() at probe time rather than
querying evey time.
- Using spi_optimize_message() to reduce CPU usage.
ti,ads8688
- User read_avail() callback rather than open coding handling of
available attributes.
ti,opt3001
- Header relevance improvements
- Use GENMASK for field definitions to improve readability.
vishay,vcnl4000
- Switch from enum in device_data to individual names structures
impmroving code readabililty.
- Move to devm handling for remainder of probe.
vishay,veml6030
- Drop pointless read of current Iteration Time index as it is not used.
xilinx,ams
- Fix potential out of bound channel lookup.
- Replace some large switch statements with table lookups.
yamaha,yas530
- Put label in chip info structure to avoid look up in i2c_device_id table.
Drop
----
iio-trig-interrupt.
- Not used for some time and no support for modern firmware bindings or
in kernel users. So drop it.
* tag 'iio-for-7.2a' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/jic23/iio: (266 commits)
iio: adc: nxp-sar-adc: harden buffer ISR against per-channel read failure
iio: chemical: scd30: Replace manual locking with RAII locking
iio: light: tsl2591: remove unneeded tsl2591_compatible_als_persist_cycle()
iio: dac: ad5686: create bus ops struct
iio: dac: ad5686: cleanup doc header of local structs
iio: dac: ad5686: add control_sync() for single-channel devices
iio: dac: ad5686: add helpers to handle powerdown masks
iio: dac: ad5686: add of_match table to the spi driver
iio: dac: ad5686: drop enum id
iio: dac: ad5686: remove redundant register definition
iio: dac: ad5686: refactor include headers
iio: adc: ad4080: fix AD4880 chip ID
iio: light: veml3328: add support for new device
dt-bindings: iio: light: veml6030: add veml3328
docs: iio: adc: ad4691: add driver documentation
iio: adc: ad4691: add oversampling support
iio: adc: ad4691: add SPI offload support
iio: adc: ad4691: add triggered buffer support
iio: adc: ad4691: add initial driver for AD4691 family
dt-bindings: iio: adc: add AD4691 family
...
Sneh Mankad [Fri, 29 May 2026 12:55:45 +0000 (18:25 +0530)]
pinctrl: qcom: Fix resolving register base address from device node
Commit 56ffb63749f4 ("pinctrl: qcom: add multi TLMM region option parameter")
added reg-names property based register reading. However multiple platforms
are not using the reg-names as they have only single TLMM register region.
Commit tried to handle this using the default_region module parameter,
however this condition is unreachable as the error return precedes it by
just checking if reg-names property exists or not, making it impossible
to use tlmm-test for the SoCs (x1e80100) which don't have reg-names
property in TLMM device.
Fix this by moving the default_region check at the start of the
tlmm_reg_base().
Sneh Mankad [Fri, 29 May 2026 12:55:44 +0000 (18:25 +0530)]
pinctrl: qcom: Modify MSM_PULL_MASK to accurately represent PULL bits
MSM_PULL_MASK currently spans bits [2:0], but the GPIO_PULL field in the
GPIO_CFG register only occupies bits [1:0]. Bit 2 belongs to
FUNC_SEL.
MSM_PULL_MASK is used to isolate the GPIO_PULL bits before writing the
pull configuration (PULL_DOWN: 0x1, PULL_UP: 0x3) to the GPIO_CFG
register. Narrow it to bits [1:0] to prevent unintended modification of
the FUNC_SEL field.
This causes no functional change since the driver currently does not
modify the FUNC_SEL bit, but align the mask with hardware configuration
nonetheless.
Merge tag 'mhi-for-v7.2' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/mani/mhi into char-misc-next
Manivannan writes:
MHI Host
--------
- Request power-of-2 MSI vectors from pci_generic driver for sanity.
- Add support for Telit FE910C04 modem based on Qcom SDX35 chipset
- Fix the check used to identify the physical functions to work with both SR-IOV
and non-SR-IOV devices
MHI Endpoint
------------
- Fix a potential deadlock in the mhi_ep_reset_worker() helper
- Add lock around mhi_ep_handle_syserr() in the error path to avoid race in
setting MHI state in the error path
- Add missing state_lock protection for mhi_state access
* tag 'mhi-for-v7.2' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/mani/mhi:
bus: mhi: host: pci_generic: Fix the physical function check
bus: mhi: ep: Protect mhi_ep_handle_syserr() in the error path
bus: mhi: host: pci_generic: Add Telit FE910C04 modem support
bus: mhi: ep: Add missing state_lock protection for mhi_state access
bus: mhi: ep: Fix potential deadlock in mhi_ep_reset_worker()
bus: mhi: host: pci_generic: Round up nr_irqs to power of two
Merge tag 'fpga-for-7.2-rc1' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/fpga/linux-fpga into char-misc-next
Xu writes:
FPGA Manager changes for 7.2-rc1
- Wentao fixes use-after-free issue in of-fpga-region
- Phil adds the of matching for Altera ts73xx fpga driver
- Ian adds Efinix FPGA SPI programming driver
- Andy fixes several minor issues for Lattice FPGA driver
- Manish converts dt-bindings to YAML schema for several Altera devices
- Sebastian fixes several minor issues for Intel DFL & Microchip FPGAs
All patches have been reviewed on the mailing list, and have been in the
last linux-next releases (as part of our for-next branch).
Signed-off-by: Xu Yilun <yilun.xu@intel.com>
* tag 'fpga-for-7.2-rc1' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/fpga/linux-fpga:
fpga: microchip-spi: fix zero header_size OOB read in mpf_ops_parse_header()
fpga: dfl-afu: validate DMA mapping length in afu_dma_map_region()
fpga: dfl: add bounds check in dfh_get_param_size()
dt-bindings: fpga: altr,socfpga-fpga-mgr: convert to DT schema
dt-bindings: fpga: altr,a10-pr-ip: convert to DT schema
fpga: lattice-sysconfig-spi: simplify with spi_get_device_match_data()
fpga: lattice-sysconfig-spi: Don't use "proxy" headers
fpga: lattice-sysconfig-spi: Drop of_match_ptr() protection
fpga: lattice-sysconfig-spi: Fix the terminator entries in ID tables
fpga-mgr: Add Efinix SPI programming driver
dt-bindings: fpga: Add Efinix SPI programming bindings
dt-bindings: vendor-prefix: Add prefix for Efinix, Inc.
fpga: ts73xx-fpga: add OF match table for device tree probing
dt-bindings: fpga: Add Technologic Systems TS-7300 FPGA Manager
fpga: region: fix use-after-free in child_regions_with_firmware()
Merge tag 'counter-updates-for-7.2' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/wbg/counter into char-misc-next
William writes:
Counter updates for 7.2
Manual mutex lock logic is replaced by lock guards in intel-qep.
Additionally, devm_mutex_init() is now used in ftm-quaddec,
interrupt-cnt, and intel-qep to handle mutex cleanup automatically.
* tag 'counter-updates-for-7.2' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/wbg/counter:
counter: intel-qep: Use devm_mutex_init()
counter: interrupt-cnt: use devm_mutex_init()
counter: ftm-quaddec: use devm_mutex_init()
counter: intel-qep: Replace manual mutex logic with lock guards
Akhil R [Mon, 18 May 2026 11:40:11 +0000 (17:10 +0530)]
i2c: tegra: Disable fair arbitration for non-MCTP buses
Recent Tegra I2C controllers have a fairness arbitration register, which
allows configuring the fair idle time required to support MCTP protocol
over I2C. It is enabled by default, adding a per-transfer latency overhead
that impacts non-MCTP I2C buses.
Disable the fairness arbitration register during controller init for buses
that are not MCTP controllers.
Akhil R [Mon, 18 May 2026 11:40:10 +0000 (17:10 +0530)]
i2c: tegra: use dmaengine_get_dma_device() for DMA buffer allocation
Use dmaengine_get_dma_device() to obtain the correct struct device
pointer for dma_alloc_coherent() instead of directly dereferencing
chan->device->dev.
The dmaengine_get_dma_device() helper checks whether the DMA channel
has a per-channel DMA device (chan->dev->chan_dma_dev) and returns it
when available, falling back to the controller device otherwise. On
platforms where the DMA controller sits behind an IOMMU with
per-channel IOVA spaces (e.g. Tegra264 GPC DMA), the per-channel
device carries the correct DMA mapping context. Using the controller
device directly would allocate DMA buffers against the wrong IOMMU
domain, leading to SMMU faults at runtime.
On platforms without per-channel DMA devices the helper returns the
same pointer as before, so there is no change in behavior for existing
hardware.
Akhil R [Mon, 18 May 2026 11:40:13 +0000 (17:10 +0530)]
i2c: tegra: Fix NOIRQ suspend/resume
The Tegra I2C driver relies on runtime PM to wake up the controller before
each transfer. However, runtime PM is disabled between the system suspend
and NOIRQ suspend. If an I2C device initiates a transfer during this
window, the I2C controller fails to wake up and the transfer fails. To
handle this, the controller must be kept available for this period to
allow transfers.
Rework the I2C controller's system PM callbacks such that the controller
is resumed from runtime suspend during system suspend and it stays
RPM_ACTIVE throughout the suspend-resume cycle until it is runtime
suspended back in the system resume. The clocks are disabled in NOIRQ
suspend and enabled back in NOIRQ resume by calling the controller's
runtime PM functions directly.
Fixes: 8ebf15e9c869 ("i2c: tegra: Move suspend handling to NOIRQ phase") Assisted-by: Cursor:claude-4.6-opus Signed-off-by: Akhil R <akhilrajeev@nvidia.com> Cc: <stable@vger.kernel.org> # v5.4+ Reviewed-by: Jon Hunter <jonathanh@nvidia.com> Signed-off-by: Andi Shyti <andi.shyti@kernel.org> Link: https://lore.kernel.org/r/20260518114013.62065-5-akhilrajeev@nvidia.com
Akhil R [Mon, 18 May 2026 11:40:12 +0000 (17:10 +0530)]
i2c: tegra: Update Tegra410 I2C timing parameters
Update Tegra410 I2C timing parameters based on hardware characterization
results. This adjusts the fast mode and HS mode settings to be compliant
with the I2C specification.
Yang Erkun [Thu, 26 Feb 2026 01:22:03 +0000 (09:22 +0800)]
nfs: use nfsi->rwsem to protect traversal of the file lock list
Lingfeng identified a bug and suggested two solutions, but both appear
to have issues.
Generally, we cannot release flc_lock while iterating over the file lock
list to avoid use-after-free (UAF) problems with file locks. However,
functions like nfs_delegation_claim_locks and nfs4_reclaim_locks cannot
adhere to this rule because recover_lock or nfs4_lock_delegation_recall
may take a long time. To resolve this, NFS switches to using nfsi->rwsem
for the same protection, and nfs_reclaim_locks follows this approach.
Although nfs_delegation_claim_locks uses so_delegreturn_mutex instead,
this is inadequate since a single inode can have multiple nfs4_state
instances. Therefore, the fix is to also use nfsi->rwsem in this case.
Furthermore, after commit c69899a17ca4 ("NFSv4: Update of VFS byte range
lock must be atomic with the stateid update"), the functions
nfs4_locku_done and nfs4_lock_done also break this rule because they
call locks_lock_inode_wait without holding nfsi->rwsem. Simply adding
this protection could cause many deadlocks, so instead, the call to
locks_lock_inode_wait is moved into _nfs4_proc_setlk. Regarding the bug
fixed by commit c69899a17ca4 ("NFSv4: Update of VFS byte range
lock must be atomic with the stateid update"), it has been resolved
after commit 0460253913e5 ("NFSv4: nfs4_do_open() is incorrectly triggering
state recovery") because all slots are drained before calling
nfs4_do_reclaim, which prevents concurrent stateid changes along this path.
Also, nfs_delegation_claim_locks does not cause this concurrency either
since when _nfs4_proc_setlk is called with NFS_DELEGATED_STATE, no RPC is
sent, so nfs4_lock_done is not called. Therefore,
nfs4_lock_delegation_recall from nfs_delegation_claim_locks is the first
time the stateid is set.
Reported-by: Li Lingfeng <lilingfeng3@huawei.com> Closes: https://lore.kernel.org/all/20250419085709.1452492-1-lilingfeng3@huawei.com/ Closes: https://lore.kernel.org/all/20250715030559.2906634-1-lilingfeng3@huawei.com/ Fixes: c69899a17ca4 ("NFSv4: Update of VFS byte range lock must be atomic with the stateid update") Signed-off-by: Yang Erkun <yangerkun@huawei.com> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Anna Schumaker <anna.schumaker@hammerspace.com>
Lei Yin [Fri, 24 Apr 2026 09:26:41 +0000 (09:26 +0000)]
NFSv4.1/pNFS: fix LAYOUTCOMMIT retry loop on OLD_STATEID
Handle -NFS4ERR_OLD_STATEID in nfs4_layoutcommit_done().
This issue was reproduced on NFSv4.2.
Without refreshing data->args.stateid, LAYOUTCOMMIT can keep retrying
with the same stale stateid after OLD_STATEID, resulting in an
unbounded retry loop.
Refresh the layout stateid with nfs4_layout_refresh_old_stateid()
and restart the RPC only after a successful refresh.
Changes since v1: update refreshed stateid in inode layout header.
Signed-off-by: Lei Yin <yinlei2@lenovo.com>
[Anna: Fix up dprintk() format specifier] Signed-off-by: Anna Schumaker <anna.schumaker@hammerspace.com>
Yuho Choi [Mon, 1 Jun 2026 19:20:05 +0000 (15:20 -0400)]
watchdog: unregister PM notifier on watchdog unregister
watchdog_register_device() registers wdd->pm_nb when
WDOG_NO_PING_ON_SUSPEND is set, but watchdog_unregister_device() does not
remove it. This leaves an embedded notifier block on the PM notifier chain
after the watchdog device has been unregistered.
A later suspend/resume notification can then call watchdog_pm_notifier()
with a stale watchdog_device pointer, or at minimum after wdd->wd_data has
been cleared by watchdog_dev_unregister().
Unregister the PM notifier before tearing down the watchdog device.
Al Viro [Tue, 12 May 2026 16:18:21 +0000 (12:18 -0400)]
configfs: mark pinned dentries persistent
on the removal side we can (finally) get rid of __simple_unlink()
and __simple_rmdir() kludges now that dentries in question are
properly marked persistent - simple_unlink() and simple_rmdir()
will do the right thing for those.
Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Tue, 12 May 2026 07:19:41 +0000 (03:19 -0400)]
configfs: dentry refcount needs to be pinned only once
currently we have a weird situation where
* symlinks and roots of subtrees created by mkdir are pinned once
* subdirectories of subtrees created by mkdir are pinned twice
* roots of subtrees created by register_{group,subsystem} are pinned
twice.
It makes things harder to follow for no good reason. The goal is to
encapsulate the unbalanced dget/dput into d_{make,discard}_persisitent()
and, preferably, allow a use of simple_recursive_removal() or analogue
thereof. So let's regularize that and pin things only once.
create_default_group() and configfs_register_subsystem() don't need to
keep their reference around on success - configfs_create_dir() has pinned
the sucker already. So we can drop the reference passed to
configfs_create_dir() (via configfs_attach_group(), etc.) both on success
and on failure. On the removal side we no longer have the double references,
so we need an explicit dget() to compensate.
Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Tue, 12 May 2026 07:13:37 +0000 (03:13 -0400)]
switch configfs_detach_{group,item}() to passing dentry
... and there's no need to grab/drop it, or check for NULL - none
of the callers would even get there with NULL dentry and all of
them have the sucker pinned
Note that if sd is a directory configfs_dirent, we have sd->s_element
pointing to config_item with item->ci_dentry equal to sd->s_dentry.
Which is the only reason why detach_groups() gets away with using
the latter for locking the inode and the former for removal.
Aren't redundant data structures wonderful, for obfuscation if nothing
else?
Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Tue, 12 May 2026 06:26:41 +0000 (02:26 -0400)]
configfs_remove_dir(), detach_attrs(): switch to passing dentry
... and deal with grabbing/dropping it in the sole caller.
After that configfs_remove_dir() becomes an unconditional call of remove_dir(),
so we can fold them together.
Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Tue, 12 May 2026 06:18:38 +0000 (02:18 -0400)]
populate_attrs(): move cleanup to the sole caller
... where it folds with configfs_remove_dir() into a call of
configfs_detach_item(). Note that at the early failure exit
(before we'd added any children) we were not calling detach_attrs()
only because there it would've been a no-op - nothing added,
nothing there to be removed.
Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Tue, 12 May 2026 05:25:48 +0000 (01:25 -0400)]
configfs_do_depend_item(): pass configfs_dirent instead of dentry
Again, the only thing it uses the argument for is its ->d_fsdata
and callers already have that - as the matter of fact, they are
passing ->s_dentry of that configfs_dirent, so that the function
could get it back as ->d_fsdata of that. With nothing else in
dentry even looked at...
configfs_dirent in question is a directory one - in this case those
are subdirectories of root (aka roots of "subsystem" trees).
Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Tue, 12 May 2026 05:23:29 +0000 (01:23 -0400)]
configfs_depend_prep(): pass configfs_dirent instead of dentry
Again, the only thing it uses dentry for is dentry->d_fsdata; for the
recursive call the situation is the same as with configfs_detach_prep()
and the same observation about ->s_dentry->d_fsdata applies.
Reviewed-by: Jan Kara <jack@suse.cz> Reviewed-by: Breno Leitao <leitao@debian.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Tue, 12 May 2026 05:17:13 +0000 (01:17 -0400)]
configfs_detach_prep(): pass configfs_dirent instead of dentry
The only thing it uses the argument for is its ->d_fsdata and
all callers have that already available.
Note that in the recursive call we are dealing with a (sub)directory
configfs_dirent, and for those ->s_dentry->d_fsdata points back
to configfs_dirent itself.
Reviewed-by: Jan Kara <jack@suse.cz> Reviewed-by: Breno Leitao <leitao@debian.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Sat, 30 May 2026 07:48:34 +0000 (03:48 -0400)]
configfs: fix lockless traversals of ->s_children
Having the parent directory locked protects entries from removal
by another thread, but it does *not* protect cursors from being
moved around by lseek() - or freed, for that matter.
Fixes: 6f6107640625 ("configfs: Introduce configfs_dirent_lock") Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Wentao Liang [Sun, 7 Jun 2026 09:03:03 +0000 (09:03 +0000)]
drm/virtio: fix dma_fence refcount leak on error in virtio_gpu_dma_fence_wait()
dma_fence_unwrap_for_each() internally calls dma_fence_unwrap_first()
which does cursor->chain = dma_fence_get(head), taking an extra
reference. On normal loop completion, dma_fence_unwrap_next()
releases this via dma_fence_chain_walk() -> dma_fence_put().
When virtio_gpu_do_fence_wait() fails and the function returns early
from inside the loop, the cursor->chain reference is never released.
This is the only caller in the entire kernel that does an early return
inside dma_fence_unwrap_for_each.
Add dma_fence_put(itr.chain) before the early return.
Cc: stable@vger.kernel.org Fixes: eba57fb5498f ("drm/virtio: Wait for each dma-fence of in-fence array individually") Signed-off-by: Wentao Liang <vulab@iscas.ac.cn> Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com> Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com> Link: https://patch.msgid.link/20260607090303.92423-1-vulab@iscas.ac.cn
i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()
On all modern platforms Qualcomm CCI controller provides two I2C masters,
and on particular boards only one I2C master may be initialized, and in
such cases the device unbinding or driver removal causes a NULL pointer
dereference, because cci_halt() is called for all two I2C masters, but
a completion is initialized only for the single enabled master:
RDMA/rtrs-srv: Fix integer underflow in process_read and process_write
usr_len is read from a network-supplied message field (le16_to_cpu)
and used to compute data_len = off - usr_len without validating that
usr_len <= off. A malicious RDMA client can send usr_len > off causing
an integer underflow, resulting in data_len wrapping to a huge size_t
value which is then passed to the rdma_ev callback as a memory length,
leading to out-of-bounds memory access.
Fix by reading and validating usr_len <= off before rtrs_srv_get_ops_ids()
in both process_read() and process_write(), ensuring the early return
path acquires no reference and has no resource leak.
Link: https://patch.msgid.link/r/20260608134802.5019-1-aurelien@hackers.camp Reported-by: Aurelien DESBRIERES <aurelien@hackers.camp> Reviewed-by: Md Haris Iqbal <haris.iqbal@ionos.com> Signed-off-by: Aurelien DESBRIERES <aurelien@hackers.camp> Assisted-by: Claude <claude-sonnet-4-6> Acked-by: Md Haris Iqbal <haris.iqbal@ionos.com> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Dmitry Vyukov [Fri, 29 May 2026 15:09:06 +0000 (15:09 +0000)]
firmware_loader: Fix recursive lock in device_cache_fw_images()
A recursive locking deadlock can occur in the firmware loader's power
management notification handler.
During system suspend or hibernation preparation, fw_pm_notify() calls
device_cache_fw_images(). This function acquires fw_lock to set the
firmware cache state to FW_LOADER_START_CACHE and then iterates over all
devices using dpm_for_each_dev() while still holding the lock.
For each device, dev_cache_fw_image() schedules asynchronous work to cache
the firmware. If memory allocation for the async work entry fails (e.g., in
out-of-memory conditions), async_schedule_node_domain() falls back to
executing the work function synchronously in the current thread.
The synchronous execution path (__async_dev_cache_fw_image() ->
cache_firmware() -> request_firmware() -> assign_fw()) attempts to acquire
fw_lock again. Since the current thread already holds fw_lock, this results
in a recursive locking deadlock.
Fix this by releasing fw_lock immediately after updating the cache state
and before calling dpm_for_each_dev(). The lock is only needed to protect
the state update. Concurrent firmware requests will correctly see the
FW_LOADER_START_CACHE state and use the piggyback mechanism, which is
independently protected by its own fwc->name_lock.
Aaron Ma [Thu, 28 May 2026 08:21:10 +0000 (16:21 +0800)]
ASoC: amd: acp-sdw-sof: Bound DAI link iteration
create_sdw_dailinks() walks sof_dais until it finds an entry with
initialised cleared, but sof_dais is allocated with exactly num_ends
entries. If all entries are initialised, the loop reads past the end of
the array.
Pass the allocated entry count to create_sdw_dailinks() and stop before
reading past the array.
Aaron Ma [Thu, 28 May 2026 08:21:09 +0000 (16:21 +0800)]
ASoC: amd: acp-sdw-legacy: Bound DAI link iteration
create_sdw_dailinks() walks soc_dais until it finds an entry with
initialised cleared, but soc_dais is allocated with exactly num_ends
entries. If all entries are initialised, the loop reads past the end of
the array.
This was reported by KASAN:
BUG: KASAN: slab-out-of-bounds in mc_probe+0x26b3/0x2774 [snd_acp_sdw_legacy_mach]
Read of size 1
Pass the allocated entry count to create_sdw_dailinks() and stop before
reading past the array.
The driver uses pcim_enable_device(), so IRQ vectors are automatically
freed by devres on driver detach. The explicit pci_free_irq_vectors()
calls in the probe error path and remove function are redundant.
Felix Gu [Fri, 29 May 2026 15:31:06 +0000 (23:31 +0800)]
spi: ep93xx: fix double-free of zeropage on DMA setup failure
If DMA setup fails after allocating the zeropage, the error path frees
the page but leaves espi->zeropage dangling. A subsequent call to
ep93xx_spi_release_dma() sees the non-NULL pointer and frees the page
again.
Clear the pointer after freeing in the error path of
ep93xx_spi_setup_dma().
Tuo Li [Thu, 28 May 2026 06:41:06 +0000 (14:41 +0800)]
ASoC: mediatek: mt8365-afe-pcm: fix possible NULL-pointer dereferences in mt8365_afe_suspend()
mt8365_afe_suspend() allocates the register backup buffer with
devm_kcalloc(), but does not check for allocation failure before using the
returned pointer. This may lead to a NULL pointer dereference when
accessing afe->reg_back_up[i].
Add the missing NULL check and return -ENOMEM on allocation failure after
disabling the main clock.
Also propagate the return value of mt8365_afe_suspend() in
mt8365_afe_dev_runtime_suspend() so that the suspended state is not updated
when suspend fails.
projects / thirdparty / kernel / linux.git / log
