]> git.ipfire.org Git - thirdparty/linux.git/log
thirdparty/linux.git
6 weeks agortla/tests: Cover all hist options in runtime tests
Tomas Glozar [Thu, 23 Apr 2026 13:05:55 +0000 (15:05 +0200)] 
rtla/tests: Cover all hist options in runtime tests

Cover all options regarding histogram formatting for both
rtla-osnoise-hist and rtla-timerlat-hist tools. All options also have
output checking using positive or negative match, except for
-b/--bucket-size and -E/--entries, which cannot be tested in isolated
due to the output depending on the actual data collected.

Old -E/--entries test for rtla-osnoise was replaced with a new one
equivalent to the timerlat one.

Reviewed-by: Wander Lairson Costa <wander@redhat.com>
Link: https://lore.kernel.org/r/20260423130558.882022-7-tglozar@redhat.com
Signed-off-by: Tomas Glozar <tglozar@redhat.com>
6 weeks agortla/tests: Extend timerlat top --aa-only coverage
Tomas Glozar [Thu, 23 Apr 2026 13:05:54 +0000 (15:05 +0200)] 
rtla/tests: Extend timerlat top --aa-only coverage

rtla-timerlat-top's --aa-only option is currently only tested for return
value.

Extend the tests to also check that only auto-analysis is being done via
a negative match for the "Timer Latency" text in the top header, and
further split the test case into two:

- one test case for --aa-only stopping on threshold
- one test case for --aa-only exiting without threshold being hit

For both cases, the expected output ("analyzing it" or "Max latency was"
respectively) is checked against in addition to the negative match.

Reviewed-by: Wander Lairson Costa <wander@redhat.com>
Link: https://lore.kernel.org/r/20260423130558.882022-6-tglozar@redhat.com
Signed-off-by: Tomas Glozar <tglozar@redhat.com>
6 weeks agortla/tests: Use negative match when testing --aa-only
Tomas Glozar [Thu, 23 Apr 2026 13:05:53 +0000 (15:05 +0200)] 
rtla/tests: Use negative match when testing --aa-only

For testing the -a/--auto option in timerlat tool, the string "analyzing
it" is matched against to make sure auto-analysis was triggered.

Use the same string as a negative match for --aa-only option test.

Reviewed-by: Wander Lairson Costa <wander@redhat.com>
Link: https://lore.kernel.org/r/20260423130558.882022-5-tglozar@redhat.com
Signed-off-by: Tomas Glozar <tglozar@redhat.com>
6 weeks agortla/tests: Check -c/--cpus thread affinity
Tomas Glozar [Thu, 23 Apr 2026 13:05:52 +0000 (15:05 +0200)] 
rtla/tests: Check -c/--cpus thread affinity

RTLA runtime tests verify the -c/--cpus options, but do not check
whether the correct affinity is actually applied.

Add a script named check-cpus.sh that retrieves the affinity of all
workload threads and use it to check the -c/--cpus option for both
osnoise and timerlat tools.

Also add missing -c/--cpus test for osnoise.

Reviewed-by: Wander Lairson Costa <wander@redhat.com>
Link: https://lore.kernel.org/r/20260423130558.882022-4-tglozar@redhat.com
Signed-off-by: Tomas Glozar <tglozar@redhat.com>
6 weeks agortla/tests: Add get_workload_pids() helper
Tomas Glozar [Thu, 23 Apr 2026 13:05:51 +0000 (15:05 +0200)] 
rtla/tests: Add get_workload_pids() helper

RTLA runtime tests that check workload processes (currently the test
case "verify -P/--priority" of timerlat.t and "verify the --priority/-P
param" of osnoise.t) use "pgrep timerlatu/" or "pgrep osnoise/"
respectively to identify the workload.

Make them more robust by adding a get_workload_pids() helper that
finds the main rtla process and returns the PIDs of all siblings other
than the test script itself, plus all child processes of kthreadd that
have the osnoise/timerlat kthread pattern comm.

This filters out any spurious processes not related to the running test
that happen to have "timerlatu/" or "osnoise/" in their command, for
example, a user grepping the same names at the time of the running of
the test.

Reviewed-by: Wander Lairson Costa <wander@redhat.com>
Link: https://lore.kernel.org/r/20260423130558.882022-3-tglozar@redhat.com
Signed-off-by: Tomas Glozar <tglozar@redhat.com>
6 weeks agortla/tests: Cover both top and hist tools where possible
Tomas Glozar [Thu, 23 Apr 2026 13:05:50 +0000 (15:05 +0200)] 
rtla/tests: Cover both top and hist tools where possible

RTLA runtime tests currently do not cover both tool variants for osnoise
and timerlat properly. Many tests applicable to both tools are only
tested for one tool, selected randomly.

Introduce two new shell functions, check_top_hist() and
check_top_q_hist(). The functions use the same syntax as check() and run
check() on the arguments twice: once replacing the "TOOL" string in the
command with "top" (or "top -q"), once replacing it with "hist". The top
-q variant is used for tests relying on messages printed after aborting
the RTLA main loop with a starting new line, which only happens for top
tools in quiet mode; without -q, the top output is printed on the same
line and the matches would fail.

Tests that are applicable to both top and hist tools were modified to
the run for both; additionally, tests that were already done for both
tools were migrated to the new shell functions, unless the test command
or matches differ between the tools. Additional tests were added to test
tool-specific help messages.

Reviewed-by: Wander Lairson Costa <wander@redhat.com>
Link: https://lore.kernel.org/r/20260423130558.882022-2-tglozar@redhat.com
Signed-off-by: Tomas Glozar <tglozar@redhat.com>
6 weeks agotools/rtla: Fix --dump-tasks usage in timerlat
Costa Shulyupin [Tue, 14 Apr 2026 18:52:18 +0000 (21:52 +0300)] 
tools/rtla: Fix --dump-tasks usage in timerlat

Fix --dump-task to --dump-tasks in timerlat_hist usage string
and getopt_long table for consistency with timerlat_top.

Add missing --dump-tasks to timerlat_top usage synopsis.

Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Costa Shulyupin <costa.shul@redhat.com>
Fixes: 2091336b9a8b ("rtla/timerlat_hist: Add auto-analysis support")
Link: https://lore.kernel.org/r/20260414185223.65353-1-costa.shul@redhat.com
Signed-off-by: Tomas Glozar <tglozar@redhat.com>
6 weeks agoRDMA/cma: Constify struct configfs_item_operations and configfs_group_operations
Christophe JAILLET [Sat, 16 May 2026 09:17:47 +0000 (11:17 +0200)] 
RDMA/cma: Constify struct configfs_item_operations and configfs_group_operations

'struct configfs_item_operations' and 'configfs_group_operations' are not
modified in this driver.

Constifying these structures moves some data to a read-only section, so
increases overall security, especially when the structure holds some
function pointers.

On a x86_64, with allmodconfig:
Before:
======
   text    data     bss     dec     hex filename
   6677    2776      64    9517    252d drivers/infiniband/core/cma_configfs.o

After:
=====
   text    data     bss     dec     hex filename
   6901    2552      64    9517    252d drivers/infiniband/core/cma_configfs.o

Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Link: https://patch.msgid.link/6acd9c8a79b868b5e541a7e080a6b4b145e4fd4f.1778923041.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoRDMA: Replace memset with = {} pattern for ib_respond_udata()
Jason Gunthorpe [Tue, 12 May 2026 00:09:39 +0000 (21:09 -0300)] 
RDMA: Replace memset with = {} pattern for ib_respond_udata()

Most drivers do this already, but some open-code a memset. Switch
all instances found. qedr_copy_qp_uresp() is already called with
zeroed memory so that memset is redundant.

Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoRDMA: Add missed = {} initialization to uresp structs
Jason Gunthorpe [Tue, 12 May 2026 00:09:38 +0000 (21:09 -0300)] 
RDMA: Add missed = {} initialization to uresp structs

All of these are fully initialized so no bugs are being fixed. Add
the missing initializer as a precaution against future changes.

Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoRDMA: Use proper driver data response structs instead of open coding
Jason Gunthorpe [Tue, 12 May 2026 00:09:37 +0000 (21:09 -0300)] 
RDMA: Use proper driver data response structs instead of open coding

At some point the response structs were added and rdma-core is using
them, but the kernel was not changed to use them as well. Replace
the open-coded copy with the right struct and ib_respond_udata().

Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoRDMA/mlx: Replace response_len with ib_respond_udata()
Jason Gunthorpe [Tue, 12 May 2026 00:09:36 +0000 (21:09 -0300)] 
RDMA/mlx: Replace response_len with ib_respond_udata()

The Mellanox drivers have a pattern where they compute the response
length they think they need based on what the user asked for, then
blindly write that ignoring the provided size limit on the response
structure.

Drop this and just use ib_respond_udata() which caps the response
struct to the user's memory, which is fine for what mlx5 is doing.

Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoRDMA/qedr: Replace qedr_ib_copy_to_udata() with ib_respond_udata()
Jason Gunthorpe [Tue, 12 May 2026 00:09:35 +0000 (21:09 -0300)] 
RDMA/qedr: Replace qedr_ib_copy_to_udata() with ib_respond_udata()

This is another instance of the min() pattern.

Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoRDMA/cxgb4: Convert to ib_respond_udata()
Jason Gunthorpe [Tue, 12 May 2026 00:09:34 +0000 (21:09 -0300)] 
RDMA/cxgb4: Convert to ib_respond_udata()

These cases carefully work around 32-bit unpadded structures, but
the min integrated into ib_respond_udata() handles this
automatically. Zero-initialize data that would not have been copied.

Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoRDMA: Convert drivers using sizeof() to ib_respond_udata()
Jason Gunthorpe [Tue, 12 May 2026 00:09:33 +0000 (21:09 -0300)] 
RDMA: Convert drivers using sizeof() to ib_respond_udata()

Convert the pattern:

    ib_copy_to_udata(udata, &resp, sizeof(resp));

Using Coccinelle:

@@
identifier resp;
expression udata;
@@

- ib_copy_to_udata(udata, &resp, sizeof(resp))
+ ib_respond_udata(udata, resp)

Run another pass with AI to propagate the return code correctly and
remove redundant prints.

Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoRDMA: Convert drivers using min to ib_respond_udata()
Jason Gunthorpe [Tue, 12 May 2026 00:09:32 +0000 (21:09 -0300)] 
RDMA: Convert drivers using min to ib_respond_udata()

Convert the pattern:

   ib_copy_to_udata(udata, &resp, min(sizeof(resp), udata->outlen));

Using Coccinelle:

@@
identifier resp;
expression udata;
@@

- ib_copy_to_udata(udata, &resp, min(sizeof(resp), udata->outlen))
+ ib_respond_udata(udata, resp)

@@
identifier resp;
expression udata;
@@

- ib_copy_to_udata(udata, &resp, min(udata->outlen, sizeof(resp)))
+ ib_respond_udata(udata, resp)

Run another pass with AI to propagate the return code correctly and
remove redundant prints.

Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoIB/rdmavt: Don't abuse udata and ib_respond_udata()
Jason Gunthorpe [Tue, 12 May 2026 00:09:31 +0000 (21:09 -0300)] 
IB/rdmavt: Don't abuse udata and ib_respond_udata()

Use copy_to_user() directly since the data is not being placed in the
udata response memory.

It is unclear why this is trying to do two copies, but leave it alone.

Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoRDMA: Use ib_is_udata_in_empty() for places calling ib_is_udata_cleared()
Jason Gunthorpe [Tue, 12 May 2026 00:09:30 +0000 (21:09 -0300)] 
RDMA: Use ib_is_udata_in_empty() for places calling ib_is_udata_cleared()

Convert the pattern:

  if (udata->inlen && !ib_is_udata_cleared(udata, 0, udata->inlen))

Using Coccinelle:

virtual patch
virtual context
virtual report

@@
expression udata;
@@
(
- udata->inlen && !ib_is_udata_cleared(udata, 0, udata->inlen)
+ !ib_is_udata_in_empty(udata)
|
- udata->inlen > 0 && !ib_is_udata_cleared(udata, 0, udata->inlen)
+ !ib_is_udata_in_empty(udata)
)

@@
expression udata;
@@
- udata && udata->inlen && !ib_is_udata_cleared(udata, 0, udata->inlen)
+ !ib_is_udata_in_empty(udata)

These cases are already checking for zeroed data that the kernel does
not understand.

Run another pass with AI to propagate the return code correctly and
remove redundant prints.

Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoRDMA/hns: Use named initializer for pci_device_id array
Uwe Kleine-König (The Capable Hub) [Thu, 7 May 2026 07:54:37 +0000 (09:54 +0200)] 
RDMA/hns: Use named initializer for pci_device_id array

While being more verbose using a named initializer yields easier to
understand code and doesn't rely on the two hidden zeros in the
PCI_VDEVICE macro.

While at it, also drop the explicit zero in the terminating entry.

This doesn't introduce any changes to the compiled result of the array,
which was confirmed on x86 and arm64.

Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
Link: https://patch.msgid.link/20260507075437.2669363-2-u.kleine-koenig@baylibre.com
Reviewed-by: Junxian Huang <huangjunxian6@hisilicon.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoRDMA/siw: use kzalloc_flex
Bernard Metzler [Mon, 11 May 2026 14:11:49 +0000 (16:11 +0200)] 
RDMA/siw: use kzalloc_flex

Simplify umem allocation by using flexible array member.
Add __counted_by to get extra runtime analysis.

Suggested-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Bernard Metzler <bernard.metzler@linux.dev>
Link: https://patch.msgid.link/20260511141149.52362-1-bernard.metzler@linux.dev
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoRDMA/bng_re: Remove unused variable rc
Rohit Chavan [Tue, 5 May 2026 08:57:08 +0000 (14:27 +0530)] 
RDMA/bng_re: Remove unused variable rc

The variable 'rc' is initialized to 0 and returned at the end of
bng_re_process_qp_event(), but it is never modified in between.

Simplify the function by removing the redundant variable and returning 0
directly. This cleans up the code and avoids potential compiler warnings
about unused variables.

Signed-off-by: Rohit Chavan <roheetchavan@gmail.com>
Link: https://patch.msgid.link/20260505085709.1755534-1-roheetchavan@gmail.com
Reviewed-by: Siva Reddy Kallam <siva.kallam@broadcom.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoRDMA/hns: Support congestion control algorithm parameter configuration
Chengchang Tang [Thu, 7 May 2026 01:21:48 +0000 (09:21 +0800)] 
RDMA/hns: Support congestion control algorithm parameter configuration

hns RoCE supports 4 congestion control algorithms. Each algorihm
involves multiple parameters. Support configuring these parameters
by debugfs.

Here are some examples of this feature:

* The directory structure:
$ ls /sys/kernel/debug/hns_roce/0000\:35\:00.0/
dcqcn_cc_param  dip_cc_param  hc3_cc_param  ldcp_cc_param
$ ls /sys/kernel/debug/hns_roce/0000\:35\:00.0/dcqcn_cc_param/
ai  al  alp  ashift  cnp_time  f  g  lifespan  max_speed  tkp  tmp

* Read the value of a param:
$ cat /sys/kernel/debug/hns_roce/0000\:35\:00.0/dcqcn_cc_param/ai
1

* Set a new value for a param:
$ echo 2 > /sys/kernel/debug/hns_roce/0000\:35\:00.0/dcqcn_cc_param/ai

Signed-off-by: Chengchang Tang <tangchengchang@huawei.com>
Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
Link: https://patch.msgid.link/20260507012148.1079712-4-huangjunxian6@hisilicon.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoRDMA/hns: Add write support to debugfs
Junxian Huang [Thu, 7 May 2026 01:21:47 +0000 (09:21 +0800)] 
RDMA/hns: Add write support to debugfs

Add write support to debugfs.

Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
Link: https://patch.msgid.link/20260507012148.1079712-3-huangjunxian6@hisilicon.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoRDMA/hns: Initialize seqfile before creating file
Junxian Huang [Thu, 7 May 2026 01:21:46 +0000 (09:21 +0800)] 
RDMA/hns: Initialize seqfile before creating file

The debugfs file was created before seq->read and seq->data were set,
leaving a small window where userspace could access an uninitialized
seqfile.

Move debugfs_create_file() after the assignments to avoid this issue.
Also, inline the original init_debugfs_seqfile() since it is not a
really necessary helper.

Fixes: ca7ad04cd5d2 ("RDMA/hns: Add debugfs to hns RoCE")
Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
Link: https://patch.msgid.link/20260507012148.1079712-2-huangjunxian6@hisilicon.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoRDMA/mlx5: Use max() macro for bfreg calculation
Rohit Chavan [Tue, 5 May 2026 10:05:49 +0000 (15:35 +0530)] 
RDMA/mlx5: Use max() macro for bfreg calculation

Simplify the calculation of medium blue flame registers by using the
max() macro instead of open-coded ternary logic. This improves
readability and aligns with the subsystem's preference for using
standard kernel helpers.

Signed-off-by: Rohit Chavan <roheetchavan@gmail.com>
Link: https://patch.msgid.link/20260505100550.1810139-1-roheetchavan@gmail.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoRDMA/srpt: fix integer overflow in immediate data length check
Sara Venkatesh [Mon, 4 May 2026 08:00:36 +0000 (01:00 -0700)] 
RDMA/srpt: fix integer overflow in immediate data length check

imm_buf->len is a user-controlled uint32_t received from the network.
Adding it to imm_data_offset without overflow checking allows a
malicious initiator to send len=0xFFFFFFFF, causing req_size to wrap
around to a small value, bypassing the bounds check, and subsequently
passing a ~4GB length to sg_init_one().

Use check_add_overflow() to detect wrapping before the comparison.

Fixes: 5dabcd0456d7 ("RDMA/srpt: Add support for immediate data")
Reported-by: Carlos Bilbao (Lambda) <carlos.bilbao@kernel.org>
Signed-off-by: Sara Venkatesh <sarajvenkatesh@gmail.com>
Link: https://patch.msgid.link/20260504080036.3482415-1-sarajvenkatesh@gmail.com
Reviewed-by: Carlos Bilbao (Lambda) <carlos.bilbao@kernel.org>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoRDMA/mlx4: Use secs_to_jiffies() instead of open-coding
Rohit Chavan [Tue, 5 May 2026 07:53:07 +0000 (13:23 +0530)] 
RDMA/mlx4: Use secs_to_jiffies() instead of open-coding

The conversion from seconds to jiffies is currently performed by
multiplying the value by 1000 and passing it to msecs_to_jiffies().

Use the more direct secs_to_jiffies() helper instead. This simplifies the
code, improves readability, and avoids the manual multiplication step
by using the dedicated kernel API.

Signed-off-by: Rohit Chavan <roheetchavan@gmail.com>
Link: https://patch.msgid.link/20260505075308.1754861-1-roheetchavan@gmail.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoIB/mlx5: Reduce spinlock contention by moving free operations outside
Li RongQing [Sun, 3 May 2026 02:33:49 +0000 (22:33 -0400)] 
IB/mlx5: Reduce spinlock contention by moving free operations outside

The functions kfree() and kvfree() can occasionally trigger a long
chain of calls or face contention in the slab allocator. Executing
these inside a spinlock increases the risk of CPU stalls and increases
lock contention under heavy event load.

Move the memory freeing logic out of the critical sections in devx.c
by using temporary lists and local flags. This narrows the lock's
scope to only protect the list integrity and state transitions.

Signed-off-by: Li RongQing <lirongqing@baidu.com>
Link: https://patch.msgid.link/20260503023349.1959-1-lirongqing@baidu.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoRDMA/mlx5: Fix devx subscribe-event unwind NULL dereference
Prathamesh Deshpande [Tue, 28 Apr 2026 22:42:49 +0000 (23:42 +0100)] 
RDMA/mlx5: Fix devx subscribe-event unwind NULL dereference

MLX5_IB_METHOD_DEVX_SUBSCRIBE_EVENT() links event_sub into sub_list
before initializing the fields used by the shared error path.

If eventfd_ctx_fdget() then fails, the unwind path dereferences
event_sub->ev_file in uverbs_uobject_put() and calls
subscribe_event_xa_dealloc() with an unset xa_key_level1.

subscribe_event_xa_alloc() creates the XA entry exactly once for a given
key_level1, on the first occurrence of that key. The unwind path must
therefore call subscribe_event_xa_dealloc() exactly once for it as well.

Enforce that by adding devx_key_in_sub_list() and calling
subscribe_event_xa_dealloc() only when the last matching pending entry is
being cleaned up.

Fixes: 759738537142 ("IB/mlx5: Enable subscription for device events over DEVX")
Signed-off-by: Prathamesh Deshpande <prathameshdeshpande7@gmail.com>
Link: https://patch.msgid.link/20260428224319.37682-1-prathameshdeshpande7@gmail.com
Reviewed-by: Yishai Hadas <yishaih@nvidia.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoRDMA/mlx5: Fix UMR XLT cleanup on ODP populate failure
Prathamesh Deshpande [Sun, 26 Apr 2026 13:23:41 +0000 (14:23 +0100)] 
RDMA/mlx5: Fix UMR XLT cleanup on ODP populate failure

mlx5r_umr_update_xlt() allocates and DMA maps an XLT buffer with
mlx5r_umr_create_xlt(). The buffer is released by the common cleanup path
through mlx5r_umr_unmap_free_xlt().

After mlx5_odp_populate_xlt() became fallible, its error path returned
directly and skipped that cleanup. This leaks the XLT DMA mapping and
buffer. If the emergency XLT page was used, it also leaves
xlt_emergency_page_mutex locked.

Break out of the loop so execution falls through the existing cleanup path.

Fixes: 1efe8c0670d6 ("RDMA/core: Convert UMEM ODP DMA mapping to caching IOVA and page linkage")
Signed-off-by: Prathamesh Deshpande <prathameshdeshpande7@gmail.com>
Link: https://patch.msgid.link/20260426132356.22264-1-prathameshdeshpande7@gmail.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoRDMA/efa: Add checksum support for admin responses
Yonatan Nachum [Thu, 9 Apr 2026 07:49:05 +0000 (07:49 +0000)] 
RDMA/efa: Add checksum support for admin responses

EFA devices added support for CRC16 checksum on admin responses and to
expose it to the driver the API version increased to 0.2. Add a check
for support on device init and if supported validate the checksum on
each admin response the driver receives. If the checksum validation
failed, drop the CQE.

Add the CRC16 module to Kconfig to have the in-tree dependency.

Reviewed-by: Firas Jahjah <firasj@amazon.com>
Reviewed-by: Michael Margolin <mrgolin@amazon.com>
Signed-off-by: Yonatan Nachum <ynachum@amazon.com>
Link: https://patch.msgid.link/20260409074905.3126023-1-ynachum@amazon.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoselftest/rxe: Add selftests for perf
Zhu Yanjun [Tue, 14 Apr 2026 06:29:48 +0000 (14:29 +0800)] 
selftest/rxe: Add selftests for perf

Create a virtual TUN net device with RXE support, then run rping
server and client to invoke networking packets, finally compare both
*port_xmit_data* and *port_rcv_data* of such device.

Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Link: https://patch.msgid.link/20260414062948.671658-5-zhenwei.pi@linux.dev
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoRDMA/rxe: support perf mgmt GET method
zhenwei pi [Tue, 14 Apr 2026 06:29:47 +0000 (14:29 +0800)] 
RDMA/rxe: support perf mgmt GET method

In RXE, hardware counters are already supported, but not in a
standardized manner. For instance, user-space monitoring tools like
atop only read from the *counters* directory. Therefore, it is
necessary to add perf management support to RXE.

Also use rxe_counter_get instead of raw atomic64_read in hw-counters.

Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev>
Link: https://patch.msgid.link/20260414062948.671658-4-zhenwei.pi@linux.dev
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoRDMA/rxe: add SENT/RCVD bytes
zhenwei pi [Tue, 14 Apr 2026 06:29:46 +0000 (14:29 +0800)] 
RDMA/rxe: add SENT/RCVD bytes

There is a lack of sent/received counter in bytes.

Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev>
Link: https://patch.msgid.link/20260414062948.671658-3-zhenwei.pi@linux.dev
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoRDMA/rxe: remove rxe_ib_device_get_netdev() and RXE_PORT
zhenwei pi [Tue, 14 Apr 2026 06:29:45 +0000 (14:29 +0800)] 
RDMA/rxe: remove rxe_ib_device_get_netdev() and RXE_PORT

Suggested by Leon, remove the rxe_ib_device_get_netdev() wrapper and
the RXE_PORT definition. These additions do not improve readability,
and RXE has always had only a single port.

Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev>
Link: https://patch.msgid.link/20260414062948.671658-2-zhenwei.pi@linux.dev
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoRDMA/hns: Fix arithmetic overflow in calc_hem_config()
Alexander Chesnokov [Mon, 13 Apr 2026 09:14:43 +0000 (12:14 +0300)] 
RDMA/hns: Fix arithmetic overflow in calc_hem_config()

If bt_num is 3 or 2, then the expressions like
l0_idx * chunk_ba_num + l1_idx are computed in 32-bit
arithmetic before being assigned to a u64 index field,
which can lead to overflow.

Cast the first operand to u64 to ensure the arithmetic
is performed in 64-bit.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 2f49de21f3e9 ("RDMA/hns: Optimize mhop get flow for multi-hop addressing")
Signed-off-by: Alexander Chesnokov <Alexander.Chesnokov@kaspersky.com>
Link: https://patch.msgid.link/20260413091527.39990-1-Alexander.Chesnokov@kaspersky.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoRDMA/mlx5: Use QP port when decoding responder CQEs
Chenguang Zhao [Fri, 10 Apr 2026 07:40:46 +0000 (15:40 +0800)] 
RDMA/mlx5: Use QP port when decoding responder CQEs

The responder CQE path determines the link layer via
rdma_port_get_link_layer(). Use qp->port instead of
hardcoding port 1, which can mis-decode completions on
multi-port devices.

Signed-off-by: Chenguang Zhao <zhaochenguang@kylinos.cn>
Link: https://patch.msgid.link/20260410074046.2044595-1-zhaochenguang@kylinos.cn
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agoIB/mlx5: Fix transport-domain rollback and initialize lb mutex earlier
Prathamesh Deshpande [Sun, 12 Apr 2026 01:18:49 +0000 (02:18 +0100)] 
IB/mlx5: Fix transport-domain rollback and initialize lb mutex earlier

mlx5_ib_alloc_transport_domain() allocates a transport domain and then
may fail in mlx5_ib_enable_lb(). In that case, the allocated TD is leaked.

Fix this by deallocating the TD when mlx5_ib_enable_lb() returns an
error. Also return 0 explicitly in the no-loopback-capability success
branch, and move dev->lb.mutex initialization to mlx5_ib_stage_init_init().

Fixes: 146d2f1af324 ("IB/mlx5: Allocate a Transport Domain for each ucontext")
Signed-off-by: Prathamesh Deshpande <prathameshdeshpande7@gmail.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
6 weeks agodebugobjects: Do not fill_pool() if pi_blocked_on
Helen Koike [Mon, 11 May 2026 21:53:05 +0000 (18:53 -0300)] 
debugobjects: Do not fill_pool() if pi_blocked_on

On RT enabled kernels, fill_pool() ends up calling rtlock_lock(), which
asserts if current::pi_blocked_on is set, because a task can obviously only
block on one lock as otherwise the priority inheritenace chain gets
corrupted.

Prevent this by expanding the conditional to take current::pi_blocked_on
into account.

Fixes: 4bedcc28469a ("debugobjects: Make them PREEMPT_RT aware")
Reported-by: syzbot+b8ca586b9fc235f0c0df@syzkaller.appspotmail.com
Signed-off-by: Helen Koike <koike@igalia.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Link: https://patch.msgid.link/20260511215359.3351259-1-koike@igalia.com
Closes: https://syzkaller.appspot.com/bug?extid=b8ca586b9fc235f0c0df
6 weeks agoudf: validate free block extents against the partition length
Michael Bommarito [Fri, 15 May 2026 14:23:27 +0000 (10:23 -0400)] 
udf: validate free block extents against the partition length

udf_free_blocks() checks the logical block number and count against the
partition length, but drops the extent offset from that final bound.  A
crafted extent can pass the guard while logicalBlockNum + offset + count
points past the partition, which later indexes past the space bitmap
array.

A single ftruncate(2) on a file backed by such an extent reliably
panics the kernel.  This is a local availability issue.  On desktop
systems where UDisks/polkit allows the active user to mount removable
UDF media without CAP_SYS_ADMIN, an unprivileged local user can supply
the crafted filesystem and trigger the panic by truncating a writable
file on it.  Systems that require root or CAP_SYS_ADMIN to mount the
image have a higher prerequisite.

No confidentiality or integrity impact is claimed: the reproduced
primitive is an out-of-bounds read of a bitmap pointer slot followed by
a kernel panic.

Use the already computed logicalBlockNum + offset + count value for the
partition length check.  Also make load_block_bitmap() reject an
out-of-range block group before indexing s_block_bitmap[], so corrupted
callers cannot walk past the flexible array.

Fixes: 56e69e59751d ("udf: prevent integer overflow in udf_bitmap_free_blocks()")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260515142327.1120767-1-michael.bommarito@gmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
6 weeks agogpio: Initialize i2c_device_id arrays using member names
Uwe Kleine-König (The Capable Hub) [Tue, 12 May 2026 15:21:25 +0000 (17:21 +0200)] 
gpio: Initialize i2c_device_id arrays using member names

While being less compact, using named initializers allows to more easily
see which members of the structs are assigned which value without having
to lookup the declaration of the struct. And it's also more robust
against changes to the struct definition.

The mentioned robustness is relevant for a planned change to struct
i2c_device_id that replaces .driver_data by an anonymous union.

This patch doesn't modify the compiled arrays, only their representation
in source form benefits. The former was confirmed with x86 and arm64
builds.

Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
Link: https://patch.msgid.link/20260512152125.924433-2-u.kleine-koenig@baylibre.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
6 weeks agopwm: atmel-tcb: Remove unneeded semicolon
Chen Ni [Tue, 28 Apr 2026 07:53:29 +0000 (15:53 +0800)] 
pwm: atmel-tcb: Remove unneeded semicolon

Remove unnecessary semicolons reported by Coccinelle/coccicheck and the
semantic patch at scripts/coccinelle/misc/semicolon.cocci.

This was introduced in commit 68637b68afcc ("pwm: atmel-tcb:
Cache clock rates and mark chip as atomic") in Uwe's adaption of
Sangyun's original patch.

Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Link: https://patch.msgid.link/20260428075329.1234735-1-nichen@iscas.ac.cn
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
6 weeks agodma-mapping: move dma_map_resource() sanity check into debug code
Jianpeng Chang [Wed, 13 May 2026 07:22:09 +0000 (15:22 +0800)] 
dma-mapping: move dma_map_resource() sanity check into debug code

dma_map_resource() uses pfn_valid() to ensure the range is not RAM.
However, pfn_valid() only checks for availability of the memory map for
a PFN but it does not ensure that the PFN is actually backed by RAM. On
ARM64 with SPARSEMEM (128MB section granularity), MMIO addresses that
share a section with RAM will falsely trigger the WARN_ON_ONCE and cause
dma_map_resource() to return DMA_MAPPING_ERROR.

This causes a WARNING on Raspberry Pi 4 during spi_bcm2835 probe because
the SPI FIFO register (0xfe204004) falls in the same sparsemem section
as the end of RAM (0xf8000000-0xfbffffff), both in section 31
(0xf8000000-0xffffffff).

Move the sanity check from dma_map_resource() into debug_dma_map_phys()
and replace the unreliable pfn_valid() with pfn_valid() &&
!PageReserved(), which correctly identifies actual usable RAM without
false positives for MMIO regions that happen to have struct pages.

Since dma_map_resource() is dma_map_phys(DMA_ATTR_MMIO), the check
applies equally to both APIs. Any non-reserved page represents kernel
memory to a sufficient degree that using DMA_ATTR_MMIO on it is almost
certainly wrong and risks breaking coherency on non-coherent platforms.
ZONE_DEVICE pages used for PCI P2P DMA (MEMORY_DEVICE_PCI_P2PDMA) have
PageReserved set, so they will not trigger a false positive.

The check no longer blocks the mapping and uses err_printk() to
integrate with dma-debug filtering.

Fixes: f7326196a781 ("dma-mapping: export new dma_*map_phys() interface")
Reviewed-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Jianpeng Chang <jianpeng.chang.cn@windriver.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Link: https://lore.kernel.org/r/20260513072209.1486986-1-jianpeng.chang.cn@windriver.com
6 weeks agopinctrl: intel: move PWM base computation past feature check
Stepan Ionichev [Sun, 17 May 2026 16:15:30 +0000 (21:15 +0500)] 
pinctrl: intel: move PWM base computation past feature check

Compute base inside intel_pinctrl_probe_pwm() only after the
PINCTRL_FEATURE_PWM and CONFIG_PWM_LPSS checks have passed. Tidy
up; no functional change.

Suggested-by: Andy Shevchenko <andy@kernel.org>
Link: https://lore.kernel.org/linux-gpio/aglu5jy5SbW9Wjwj@ashevche-desk.local/
Signed-off-by: Stepan Ionichev <sozdayvek@gmail.com>
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
6 weeks agosoc: aspeed: Move MODULE_DEVICE_TABLE next to the table itself
Krzysztof Kozlowski [Tue, 5 May 2026 10:26:36 +0000 (12:26 +0200)] 
soc: aspeed: Move MODULE_DEVICE_TABLE next to the table itself

By convention MODULE_DEVICE_TABLE() immediately follows the ID table it
exports, because this is easier to read and verify.  It also makes more
sense since #ifdef for ACPI or OF could hide both of them.

Most of the privers already have this correctly placed, so adjust
the missing ones.  No functional impact.

Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
6 weeks agoARM: dts: aspeed: msx4: enable BMC networking via MAC0
Ender Hsieh [Tue, 5 May 2026 05:05:41 +0000 (14:05 +0900)] 
ARM: dts: aspeed: msx4: enable BMC networking via MAC0

Add &mac0, &mdio3, and the ethphy3 PHY node to enable BMC networking
on the AST2600-based NVIDIA MSX4 board. The PHY is attached to MDIO3
at address 2 and uses RGMII with PHY-internal delays.

These nodes were intentionally omitted in commit f28674fab34f ("ARM:
dts: aspeed: Add NVIDIA MSX4 HPM") at Andrew Lunn's request, pending
clarification of the RGMII delay handling. Following his guidance on
linux-aspeed, the bootloader has been modified to stop enabling MAC
clock delays on the SoC side, so phy-mode = "rgmii-id" correctly
results in the PHY adding the required ~2ns delay without any
double-delay from the MAC controller.

The corresponding U-Boot change has been submitted to openbmc/u-boot.

Link: https://patch.msgid.link/eac09481-0ba1-4ac2-ad8c-d859822ff0d5@lunn.ch
Link: https://patch.msgid.link/20260504044702.2613879-1-andhsieh@nvidia.com
Cc: Andrew Lunn <andrew@lunn.ch>
Cc: Marc Olberding <molberding@nvidia.com>
Signed-off-by: Ender Hsieh <andhsieh@nvidia.com>
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
6 weeks agoMerge tag 'i2c-host-fixes-7.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git...
Wolfram Sang [Mon, 18 May 2026 06:09:34 +0000 (08:09 +0200)] 
Merge tag 'i2c-host-fixes-7.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/andi.shyti/linux into i2c/for-current

i2c-host-fixes for v7.1-rc4

- tegra:
  - drop runtime PM reference when exiting on mutex_lock failure
  - preserve transfer errors when releasing the mutex

6 weeks agodrm/i915/psr: Apply SDP on prior scanline workaround for Xe3p
Jouni Högander [Fri, 15 May 2026 09:57:56 +0000 (12:57 +0300)] 
drm/i915/psr: Apply SDP on prior scanline workaround for Xe3p

In Xe3p there is an HW optimization done. When there is an SU triggered in
Capture state, Link will be kept ON post Capture CRC SDP. Before valid SU
pixels Intel source will transmit dummy pixels. Some TCONS are improperly
considering these dummy pixels as a valid pixel data. Prior Xe3p link was
was turned off even if there was SU triggered in capture state and no dummy
pixels were transmitted. These dummy pixels are problem only if SDP on
prior scanline is used and Early Transport is not in use. The workaround is
to start SU area always at scanline 0.

v2: use intel_display_wa

Bspec: 74741, 79482
Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Reviewed-by: Suraj Kandpal <suraj.kandpal@intel.com>
Link: https://patch.msgid.link/20260515095756.2799483-5-jouni.hogander@intel.com
6 weeks agodrm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used
Jouni Högander [Fri, 15 May 2026 09:57:55 +0000 (12:57 +0300)] 
drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used

There is Intel specific workaround DPCD address containing workaround for
case where SDP is on prior line. Apply this workaround according to values
in the offset.

Fixes: 61e887329e33 ("drm/i915/xelpd: Handle PSR2 SDP indication in the prior scanline")
Cc: <stable@vger.kernel.org> # v5.15+
Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Reviewed-by: Suraj Kandpal <suraj.kandpal@intel.com>
Link: https://patch.msgid.link/20260515095756.2799483-4-jouni.hogander@intel.com
6 weeks agodrm/i915/psr: Read Intel DPCD workaround register
Jouni Högander [Fri, 15 May 2026 09:57:54 +0000 (12:57 +0300)] 
drm/i915/psr: Read Intel DPCD workaround register

Read Intel DPCD workaround register and store it into
intel_connector->dp.psr_caps. psr_caps was chosen as currently it contains
only PSR workaround for PSR2 SDP on prior scanline implementation.

Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Reviewed-by: Suraj Kandpal <suraj.kandpal@intel.com>
Link: https://patch.msgid.link/20260515095756.2799483-3-jouni.hogander@intel.com
6 weeks agodrm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register
Jouni Högander [Fri, 15 May 2026 09:57:53 +0000 (12:57 +0300)] 
drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register

EDP specification says:

"If either VSC SDP is unable to be transmitted 100 ns before the SU region,
the Source device may optionally transmit the VSC SDP during the prior
video scan line’s HBlank period There is a Intel specific drm dp register
currently containing bits related how TCON can support PSR2 with SDP on
prior line."

Unfortunately many panels are having problems in implementing this. So
there is a custom Intel specific DPCD register (INTEL_WA_REGISTER_CAPS) to
figure out if this is properly implemented on a panel or if panel doesn't
require that 100 ns delay before the SU region. Here are the definitions in
this custom DPCD address:

0 = Panel doesn't support SDP on prior line
1 = Panel supports SDP on prior line
2 = Panel doesn't have 100ns requirement
3 = Reserved

Add definitions for this new register and it's values into new header
intel_dpcd.h.

v2: add INTEL_DPCD_ prefix to definitions

Bspec: 74741
Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Reviewed-by: Suraj Kandpal <suraj.kandpal@intel.com>
Link: https://patch.msgid.link/20260515095756.2799483-2-jouni.hogander@intel.com
6 weeks agoARM: dts: aspeed: anacapa: Add JTAG CPLD TRST pin to SGPIO map
Colin Huang [Mon, 11 May 2026 09:47:56 +0000 (17:47 +0800)] 
ARM: dts: aspeed: anacapa: Add JTAG CPLD TRST pin to SGPIO map

Add JTAG_CPLD_TRST_R_N to the sgpiom0 pin name table on Facebook Anacapa
BMC. This exposes the CPLD JTAG TRST signal through SGPIO, allowing
proper JTAG reset control during debug.

[arj: Minor tidying of commit message formatting]

Signed-off-by: Colin Huang <u8813345@gmail.com>
Link: https://patch.msgid.link/20260511-add-jtag-trst-pin-v1-1-b0be2f7b2da5@gmail.com
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
6 weeks agoALSA: hda/realtek: Add quirk for HP Z66 G6 14 laptop
Minxi Hou [Mon, 18 May 2026 03:15:42 +0000 (11:15 +0800)] 
ALSA: hda/realtek: Add quirk for HP Z66 G6 14 laptop

The HP Z66 G6 14 inch laptop uses the ALC236 codec with subsystem ID
0x103c:8df7. Without a quirk entry, the PCI SSID falls back to the
generic 0x103c:0000 fixup, which does not configure the mute/micmute
LED GPIOs correctly.

Add the SND_PCI_QUIRK entry for this model using
ALC236_FIXUP_HP_GPIO_LED, matching the surrounding HP EliteBook G12
entries (0x8dec-0x8dfe) which share the same ALC236 codec and GPIO LED
layout.

Signed-off-by: Minxi Hou <houminxi@gmail.com>
Link: https://patch.msgid.link/20260518031542.2899188-1-houminxi@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
6 weeks agoRISC-V: KVM: Fix sign extension for MMIO loads
Jiakai Xu [Thu, 14 May 2026 08:17:51 +0000 (08:17 +0000)] 
RISC-V: KVM: Fix sign extension for MMIO loads

The kvm_riscv_vcpu_mmio_return() function handles MMIO read results
by writing the data back to the guest register. For signed load
instructions (LB, LH, LW on RV64), the value needs sign-extension
from a smaller integer to unsigned long.

The current code uses:
    (ulong)data << shift >> shift
but (ulong) makes the right shift a logical shift (zero-extend)
rather than an arithmetic shift (sign-extend), causing incorrect
results when the MMIO device returns a negative value. For example,
LB reading 0x80 would return 128 instead of -128.

Fix this by casting to (long) after the left shift so that the
subsequent right shift is arithmetic and correctly propagates
the sign bit:
    (long)((ulong)data << shift) >> shift

Additionally, remove the unnecessary shift assignment for LBU
(unsigned byte load) since it does not need sign extension.
This makes LBU consistent with LHU and LWU which already keep
shift = 0.

Fixes: b91f0e4cb8a3 ("RISC-V: KVM: Factor-out instruction emulation into separate sources")
Signed-off-by: Jiakai Xu <jiakaiPeanut@gmail.com>
Signed-off-by: Jiakai Xu <xujiakai2025@iscas.ac.cn>
Assisted-by: OpenClaw:DeepSeek-V3.2
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20260514081752.472987-1-xujiakai2025@iscas.ac.cn
Signed-off-by: Anup Patel <anup@brainfault.org>
6 weeks agoRISC-V: KVM: Fix NULL pointer dereference in SBI v0.1 SEND_IPI handler
Jiakai Xu [Sun, 17 May 2026 12:44:14 +0000 (12:44 +0000)] 
RISC-V: KVM: Fix NULL pointer dereference in SBI v0.1 SEND_IPI handler

The SBI v0.1 SEND_IPI handler iterates over the hart mask and calls
kvm_get_vcpu_by_id() to find the target vcpu for each set bit. When a
guest provides a hart mask containing bits for non-existent vcpu_ids,
kvm_get_vcpu_by_id() returns NULL, which is then unconditionally
dereferenced by kvm_riscv_vcpu_set_interrupt(), causing a kernel crash.

Fix this by adding a NULL check before dereferencing the return value.
If the target vcpu is not found, skip it and continue processing the
remaining valid harts.

Fixes: a046c2d8578c ("RISC-V: KVM: Reorganize SBI code by moving SBI v0.1 to its own file")
Signed-off-by: Jiakai Xu <jiakaiPeanut@gmail.com>
Signed-off-by: Jiakai Xu <xujiakai2025@iscas.ac.cn>
Assisted-by: OpenClaw:DeepSeek-V3.2
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20260517124414.420919-1-xujiakai2025@iscas.ac.cn
Signed-off-by: Anup Patel <anup@brainfault.org>
6 weeks agoriscv: kvm: return SBI_ERR_FAILURE for pmu_event_info() when OOM
Osama Abdelkader [Thu, 14 May 2026 17:36:41 +0000 (19:36 +0200)] 
riscv: kvm: return SBI_ERR_FAILURE for pmu_event_info() when OOM

kvm_riscv_vcpu_pmu_event_info() returned -ENOMEM from the
SBI extension handler, which caused kvm_riscv_vcpu_sbi_ecall()
to abort KVM_RUN and surface the error to userspace instead of
completing the ECALL with a negative SBI error in a0.
Use SBI_ERR_FAILURE and the normal retdata path, matching other PMU
handlers and kvm_sbi_ext_pmu_handler comment.

Fixes: e309fd113b9f ("RISC-V: KVM: Implement get event info function")
Cc: stable@vger.kernel.org
Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20260514173642.41448-2-osama.abdelkader@gmail.com
Signed-off-by: Anup Patel <anup@brainfault.org>
6 weeks agoriscv: kvm: return SBI_ERR_FAILURE for pmu_snapshot_set_shmem() when OOM
Osama Abdelkader [Thu, 14 May 2026 17:36:40 +0000 (19:36 +0200)] 
riscv: kvm: return SBI_ERR_FAILURE for pmu_snapshot_set_shmem() when OOM

kvm_riscv_vcpu_pmu_snapshot_set_shmem() returned -ENOMEM from the
SBI extension handler, which caused kvm_riscv_vcpu_sbi_ecall() to
abort KVM_RUN and surface the error to userspace instead of
ompleting the ECALL with a negative SBI error in a0.
Use SBI_ERR_FAILURE and the normal retdata path, matching other PMU
handlers and kvm_sbi_ext_pmu_handler comment.

Fixes: c2f41ddbcdd7 ("RISC-V: KVM: Implement SBI PMU Snapshot feature")
Cc: stable@vger.kernel.org
Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20260514173642.41448-1-osama.abdelkader@gmail.com
Signed-off-by: Anup Patel <anup@brainfault.org>
6 weeks agoRISC-V: KVM: Fix invalid HVA warning in steal-time recording
Jiakai Xu [Wed, 15 Apr 2026 07:52:16 +0000 (07:52 +0000)] 
RISC-V: KVM: Fix invalid HVA warning in steal-time recording

kvm_riscv_vcpu_record_steal_time() assumes that the steal-time shared
memory GPA (vcpu->arch.sta.shmem) is always backed by a valid guest
memory slot. However, this assumption is not guaranteed by the KVM
userspace ABI.

A malicious or buggy userspace can set the STA shared memory GPA via
KVM_SET_ONE_REG without establishing a corresponding memory region via
KVM_SET_USER_MEMORY_REGION. In such cases, the GPA cannot be translated
to a valid HVA and kvm_vcpu_gfn_to_hva() returns an error address.

The current implementation incorrectly treats this as a kernel warning
using WARN_ON(), which may escalate to a kernel panic when panic_on_warn
is enabled.

This is not a kernel bug condition but a normal invalid configuration
from userspace, and should be handled gracefully.

Fix it by removing WARN_ON() and treating invalid HVA as a normal
failure case, resetting the STA shared memory state.

Fixes: e9f12b5fff8ad0 ("RISC-V: KVM: Implement SBI STA extension")
Signed-off-by: Jiakai Xu <xujiakai2025@iscas.ac.cn>
Signed-off-by: Jiakai Xu <jiakaiPeanut@gmail.com>
Assisted-by: OpenClaw:DeepSeek-V3.2
Reviewed-by: Nutty Liu <nutty.liu@hotmail.com>
Reviewed-by: Andrew Jones <andrew.jones@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260415075216.2757427-1-xujiakai2025@iscas.ac.cn
Signed-off-by: Anup Patel <anup@brainfault.org>
6 weeks agoARM: dts: aspeed-g6: Add nodes for i3c controllers
Dawid Glazik [Fri, 24 Apr 2026 20:21:01 +0000 (22:21 +0200)] 
ARM: dts: aspeed-g6: Add nodes for i3c controllers

Add the i3c controller devices to the ast2600 g6 common dts. We add all
6 busses to the common g6 definition, but leave disabled through the
status property, to be enabled per-platform.

Suggested-by: Jeremy Kerr <jk@codeconstruct.com.au>
Signed-off-by: Dawid Glazik <dawid.glazik@linux.intel.com>
Link: https://patch.msgid.link/7a94a5f4cf84c11c7fba7485e666ecbaddfbe5cf.1777058942.git.dawid.glazik@linux.intel.com
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
6 weeks agoARM: dts: aspeed-g6: move i2c controllers directly into apb node
Dawid Glazik [Fri, 24 Apr 2026 20:20:59 +0000 (22:20 +0200)] 
ARM: dts: aspeed-g6: move i2c controllers directly into apb node

We currently have the apb's mapping of the i2c controller space as a
labelled mostly-empty node:

  apb {
    i2c: bus@1e78a000 {
      ranges = <...>;
    };
  }

... and then define the contents of the i2c block later:

  i2c: {
    i2c0: i2c-bus@80 {
      reg = <0x80 0x80>;
    };
    i2c1: i2c-bus@100 {
      reg = <0x100 0x80>;
    };
  }

Krzysztof mentions[1] that isn't convention though, with the top-level
simple-bus being empty and linked via the label. So, drop the label
usage and move the i2c bus definition into the simple-bus node directly
under the apb:

  apb {
     bus@1e78a000 {
      ranges = <...>;

      i2c0: i2c-bus@80 {
        reg = <0x80 0x80>;
      };
      i2c1: i2c-bus@100 {
        reg = <0x100 0x80>;
      };
    };
  }

This will allow us to be consistent when we add new definitions for the
i3c nodes, which would require the latter format.

Link: https://lore.kernel.org/linux-devicetree/c5331cf8-7295-4e6a-ba39-e0751a2c357e@kernel.org/
Suggested-by: Jeremy Kerr <jk@codeconstruct.com.au>
Signed-off-by: Dawid Glazik <dawid.glazik@linux.intel.com>
Link: https://patch.msgid.link/7c7010a87bb70b9e2abdadfea76d41cdcb88a82f.1777058942.git.dawid.glazik@linux.intel.com
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
6 weeks agodrm/i915/dp: Include all relevant AS SDP fields in comparison
Ankit Nautiyal [Mon, 11 May 2026 12:32:18 +0000 (18:02 +0530)] 
drm/i915/dp: Include all relevant AS SDP fields in comparison

Add missing drm_dp_as_sdp header fields to intel_compare_dp_as_sdp()
comparison.

Signed-off-by: Ankit Nautiyal <ankit.k.nautiyal@intel.com>
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patch.msgid.link/20260511123218.1589830-5-ankit.k.nautiyal@intel.com
6 weeks agodrm/i915/dp: Set sdp_type in AS SDP unpack
Ankit Nautiyal [Mon, 11 May 2026 12:32:17 +0000 (18:02 +0530)] 
drm/i915/dp: Set sdp_type in AS SDP unpack

Add sdp_type in AS SDP unpack. Since the field sdp_type is not compared
in intel_compare_dp_as_sdp() it doesn't throw up any mismatch error yet.

In the subsequent change this field will be added along with other missing
fields for comparison.

Signed-off-by: Ankit Nautiyal <ankit.k.nautiyal@intel.com>
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patch.msgid.link/20260511123218.1589830-4-ankit.k.nautiyal@intel.com
6 weeks agodrm/i915/dp: Use revision field of AS SDP data structure
Ankit Nautiyal [Mon, 11 May 2026 12:32:16 +0000 (18:02 +0530)] 
drm/i915/dp: Use revision field of AS SDP data structure

Use the revision field of struct drm_dp_as_sdp instead of current
hardcoding for the AS SDP revisions.

Signed-off-by: Ankit Nautiyal <ankit.k.nautiyal@intel.com>
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patch.msgid.link/20260511123218.1589830-3-ankit.k.nautiyal@intel.com
6 weeks agodrm/i915/dp: Fix readback for target_rr in Adaptive Sync SDP
Ankit Nautiyal [Mon, 11 May 2026 12:32:15 +0000 (18:02 +0530)] 
drm/i915/dp: Fix readback for target_rr in Adaptive Sync SDP

Correct the bit-shift logic to properly readback the 10 bit target_rr from
DB3 and DB4.

v2: Align the style with readback for vtotal. (Ville)

Fixes: 12ea89291603 ("drm/i915/dp: Add Read/Write support for Adaptive Sync SDP")
Cc: Mitul Golani <mitulkumar.ajitkumar.golani@intel.com>
Cc: Ankit Nautiyal <ankit.k.nautiyal@intel.com>
Signed-off-by: Ankit Nautiyal <ankit.k.nautiyal@intel.com>
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patch.msgid.link/20260511123218.1589830-2-ankit.k.nautiyal@intel.com
6 weeks agoLinux 7.1-rc4 v7.1-rc4
Linus Torvalds [Sun, 17 May 2026 20:59:58 +0000 (13:59 -0700)] 
Linux 7.1-rc4

6 weeks agoselftests/bpf: Add exception tests with stack arguments
Yonghong Song [Sun, 17 May 2026 15:07:07 +0000 (08:07 -0700)] 
selftests/bpf: Add exception tests with stack arguments

Add tests to verify that bpf_throw() correctly unwinds the stack
when the program uses outgoing stack arguments (functions with >5
args). Without the preceding x86 fix, these tests crash the kernel
on x86 due to corrupted callee-saved register restore. There is
no change for arm64 to support exception with stack arguments.

Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
Link: https://lore.kernel.org/r/20260517150707.289273-1-yonghong.song@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
6 weeks agobpf,x86: Fix exception unwinding with outgoing stack arguments
Yonghong Song [Sun, 17 May 2026 15:07:02 +0000 (08:07 -0700)] 
bpf,x86: Fix exception unwinding with outgoing stack arguments

When a main program with exception_boundary has outgoing stack
arguments (e.g. from calling subprogs with >5 args), bpf_throw() fails
to correctly restore callee-saved registers, causing a kernel crash.

The x86 JIT allocates the outgoing stack arg area below the
callee-saved registers via 'sub rsp, outgoing_rsp' in the prologue.
When bpf_throw() unwinds, it captures the main program's sp (which
includes this outgoing area) and passes it to the exception callback.
The callback gets rsp and rbp, followed by pop_callee_regs, but rsp
points into the outgoing arg area rather than the callee-saved
registers, so the pops restore garbage values. Returning to the
kernel with corrupted callee-saved registers causes a crash.

Fix this by adjusting the sp (adding stack_arg_sp_adjust) passed to
the exception callback, so it points to the bottom of the callee-saved
registers instead of the outgoing arg area. When stack_arg_sp_adjust
is 0 (the common case), this is a no-op.

Fixes: 324c3ca6eed6 ("bpf,x86: Implement JIT support for stack arguments")
Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
Link: https://lore.kernel.org/r/20260517150702.288031-1-yonghong.song@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
6 weeks agoMerge branch 'for-7.1-fixes' into for-7.2
Tejun Heo [Sun, 17 May 2026 20:31:10 +0000 (10:31 -1000)] 
Merge branch 'for-7.1-fixes' into for-7.2

Pull to receive:

 39e25a210060 ("sched_ext: Drop NONE early return in scx_disable_and_exit_task()")
 b273b75b8d67 ("sched_ext: INIT_LIST_HEAD() &sch->all in scx_alloc_and_add_sched()")
 cceb874eee46 ("sched_ext: Defer sub_kset base put to scx_sched_free_rcu_work")
 6ae315d37924 ("sched_ext: Use HK_TYPE_DOMAIN_BOOT to detect isolcpus= domain isolation")
 515e3996a4c2 ("sched_ext: Fix deadlock between scx_root_disable() and concurrent forks")

to prepare for-7.2 for further sub-sched changes.

Signed-off-by: Tejun Heo <tj@kernel.org>
6 weeks agoALSA: pcm: Don't setup bogus iov_iter for silencing
Takashi Iwai [Sun, 17 May 2026 16:51:20 +0000 (18:51 +0200)] 
ALSA: pcm: Don't setup bogus iov_iter for silencing

At transition to the iov_iter for PCM data transfer, we blindly
applied the iov_iter setup also for silencing (i.e. data = NULL), and
it leads to a calculation of bogus iov_iter.  Fortunately this didn't
cause troubles on most of architectures but it goes wrong on RISC-V
now, causing a NULL dereference.

Handle the NULL data case to treat the silencing in interleaved_copy()
for addressing the bug above.  noninterleaved_copy() has already the
NULL data handling, so it doesn't need changes.

Reported-by: Jiakai Xu <xujiakai24@mails.ucas.ac.cn>
Closes: https://lore.kernel.org/20260515051516.3103036-1-xujiakai24@mails.ucas.ac.cn
Fixes: cf393babb37a ("ALSA: pcm: Add copy ops with iov_iter")
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260517165121.31399-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
6 weeks agoALSA: hda/realtek: Add mute LED quirk for HP Pavilion Plus 14
Aryan Kushwaha [Sat, 16 May 2026 14:44:36 +0000 (20:14 +0530)] 
ALSA: hda/realtek: Add mute LED quirk for HP Pavilion Plus 14

The HP Pavilion Plus 14-eh0xxx with subsystem ID 103c:8a36 needs the
ALC245 COEF bit mute LED quirk for the mute LED to follow the audio mute
state.

Add the missing quirk entry.

Signed-off-by: Aryan Kushwaha <aryankushwaha3101@gmail.com>
Link: https://patch.msgid.link/20260516144436.35022-1-aryankushwaha3101@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
6 weeks agosched_ext: Fix deadlock between scx_root_disable() and concurrent forks
Tejun Heo [Sun, 17 May 2026 17:43:16 +0000 (07:43 -1000)] 
sched_ext: Fix deadlock between scx_root_disable() and concurrent forks

scx_root_disable() enters SCX_DISABLING before it grabs scx_enable_mutex to
clear __scx_switched_all and scx_switching_all. task_should_scx() short-circuits on DISABLING,
so forks in that window land on fair while next_active_class() still skips
fair - the new tasks stall.

This can deadlock the disable path itself: scx_alloc_and_add_sched() runs
under scx_enable_mutex and creates a helper kthread; if that new kthread is
one of the stalled fair tasks, the mutex holder waits forever and
scx_root_disable() can never make progress. Only sub-sched support exposes
this, since sub-sched enables are the only path where
scx_alloc_and_add_sched() can race the root's disable.

Move the DISABLING check after @scx_switching_all. @scx_switching_all
serves as a proxy for __scx_switched_all, so while it's set, forks keep
going to scx. Once cleared, DISABLING applies normally.

v2: Reword in-source comment and description. (Andrea)

Fixes: 337ec00b1d9c ("sched_ext: Implement cgroup sub-sched enabling and disabling")
Signed-off-by: Tejun Heo <tj@kernel.org>
Reviewed-by: Andrea Righi <arighi@nvidia.com>
6 weeks agoMerge tag 'trace-v7.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/trace...
Linus Torvalds [Sun, 17 May 2026 19:02:31 +0000 (12:02 -0700)] 
Merge tag 'trace-v7.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace

Pull tracing fixes from Steven Rostedt:

 - Add more functions to the remote allowed list

   randconfig found more functions that are allowed for the remote code
   for s390 and arm. Add them to the allowed list.

 - Fix remote_test error path

   If one of the simple ring buffers fails to load, the code is supposed
   to rollback its initialized buffers. Instead of rolling back the
   buffers for the failed load, it uses the global variable and rolls
   back all the successfully loaded buffers.

* tag 'trace-v7.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
  tracing: Fix desc in error path for the trace remote test module
  ring-buffer remote: Avoid unexpected symbol warnings (arm, s390)

6 weeks agovirt: sev-guest: Do not use host-controlled page order in cleanup path
Carlos López [Tue, 12 May 2026 10:00:41 +0000 (12:00 +0200)] 
virt: sev-guest: Do not use host-controlled page order in cleanup path

When issuing an extended guest request (SVM_VMGEXIT_EXT_GUEST_REQUEST),
get_ext_report() allocates a buffer to retrieve a certificate blob from the
host, keeping track of its size in report_req->certs_len.

However, the host may return SNP_GUEST_VMM_ERR_INVALID_LEN, indicating
an invalid buffer size, as well as the expected length of such buffer.
get_ext_report() subsequently updates report_req->certs_len with the
host-controlled value, and cleans up the buffer by computing a page order
from such value. This is incorrect, as the host-provided length may not
match the page order of the original allocation, potentially resulting
in corruption in the page allocator.

Fix this by using alloc_pages_exact() instead, and reusing @npages to
compute the size passed to free_pages_exact(). For consistency, also
use @npages to compute the size when allocating the pages, even though
this last change has no functional effect.

Fixes: 3e385c0d6ce8 ("virt: sev-guest: Move SNP Guest Request data pages handling under snp_cmd_mutex")
Signed-off-by: Carlos López <clopez@suse.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Tested-by: Michael Roth <michael.roth@amd.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
6 weeks agoMerge tag 'x86-urgent-2026-05-17' of git://git.kernel.org/pub/scm/linux/kernel/git...
Linus Torvalds [Sun, 17 May 2026 18:40:18 +0000 (11:40 -0700)] 
Merge tag 'x86-urgent-2026-05-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull x86 fix from Ingo Molnar:

 - Fix x86 boot crash for non-kjump kexecs (David Woodhouse)

* tag 'x86-urgent-2026-05-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/kexec: Push kjump return address even for non-kjump kexec

6 weeks agoMerge branch 'fix-bpf_throw-global-subprogs-interaction'
Alexei Starovoitov [Sun, 17 May 2026 18:15:05 +0000 (11:15 -0700)] 
Merge branch 'fix-bpf_throw-global-subprogs-interaction'

Kumar Kartikeya Dwivedi says:

====================
Fix bpf_throw() vs global subprogs interaction

There is a bug where bpf_throw()'s reachability across global subprogs
is missed by the verifier, leading to successful verification when any
kernel resource or lock is held across global subprog call boundary.

Fix this by effect summarization like other related side effects and
propagate exception reachability into callees.

Changelog:
----------
v1 -> v2
v1: https://lore.kernel.org/bpf/20260516022426.2109698-1-memxor@gmail.com

 * Reorder might_throw bit to avoid bpf-next conflicts. (Alexei)
====================

Link: https://patch.msgid.link/20260517075530.3461166-1-memxor@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
6 weeks agoselftests/bpf: Cover global subprog exception leaks
Kumar Kartikeya Dwivedi [Sun, 17 May 2026 07:55:29 +0000 (09:55 +0200)] 
selftests/bpf: Cover global subprog exception leaks

Add a verifier failure case where the caller holds a reference across a
global subprog call that may throw. The program must be rejected because
the exceptional path would skip the caller's reference release.

Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Link: https://lore.kernel.org/r/20260517075530.3461166-3-memxor@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
6 weeks agobpf: Check global subprog exception paths
Kumar Kartikeya Dwivedi [Sun, 17 May 2026 07:55:28 +0000 (09:55 +0200)] 
bpf: Check global subprog exception paths

Global subprogs are verified independently and are not descended into
when their callers are symbolically executed. This means a caller can
hold references or locks across a global subprog call that may throw,
while the verifier only checks the non-exceptional return path at the
call site.

Record whether a subprog might throw in the CFG summary pass, alongside
the existing might_sleep and packet-data-changing summaries, and
propagate that effect through reachable callees.

When a global subprog is marked as possibly throwing, push the normal
continuation and validate the exceptional path immediately at the call
site, avoiding a synthetic exception state and associated special case
in the pruning checks.

Fixes: f18b03fabaa9 ("bpf: Implement BPF exceptions")
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Link: https://lore.kernel.org/r/20260517075530.3461166-2-memxor@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
6 weeks agoMerge tag 'timers-urgent-2026-05-17' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Sun, 17 May 2026 18:07:09 +0000 (11:07 -0700)] 
Merge tag 'timers-urgent-2026-05-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull timer fix from Ingo Molnar:

 - Fix potential garbage reads in the vDSO gettimeofday code
   (Thomas Weißschuh)

* tag 'timers-urgent-2026-05-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  vdso/gettimeofday: Reload sequence counter after switch to time page in do_aux()

6 weeks agoMerge tag 'sched-urgent-2026-05-17' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Sun, 17 May 2026 17:59:32 +0000 (10:59 -0700)] 
Merge tag 'sched-urgent-2026-05-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull scheduler fix from Ingo Molnar:

 - Fix ARM64-specific rseq regressions (Mark Rutland)

* tag 'sched-urgent-2026-05-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  arm64/entry: Fix arm64-specific rseq brokenness

6 weeks agoMerge tag 'ras-urgent-2026-05-17' of git://git.kernel.org/pub/scm/linux/kernel/git...
Linus Torvalds [Sun, 17 May 2026 17:50:13 +0000 (10:50 -0700)] 
Merge tag 'ras-urgent-2026-05-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull MCE fix from Ingo Molnar:

 - Fix an MCE polling interval adjustment regression (Borislav Petkov)

* tag 'ras-urgent-2026-05-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/mce: Restore MCA polling interval halving

6 weeks agoMerge tag 'irq-urgent-2026-05-17' of git://git.kernel.org/pub/scm/linux/kernel/git...
Linus Torvalds [Sun, 17 May 2026 17:34:15 +0000 (10:34 -0700)] 
Merge tag 'irq-urgent-2026-05-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull IRQ fixes from Ingo Molnar:

 - Fix use-after-free in irq_work_single() on PREEMPT_RT (Jiayuan Chen)

 - Don't call add_interrupt_randomness() for NMIs in
   handle_percpu_devid_irq() (Mark Rutland)

 - Remove unused function in the ath79-cpu irqchip driver causing LKP
   CI build warnings (Rosen Penev)

 - Fix IRQ allocation/teardown leakage regressions in the GICv5 irqchip
   driver (Sascha Bischoff)

 - Fix an IRQ trigger type regression in the Meson S4 SoC irqchip driver
   (Xianwei Zhao)

 - Fix CPU offlining regression in the RiscV IMSIC irqchip driver
   (Yong-Xuan Wang)

* tag 'irq-urgent-2026-05-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT
  irqchip/riscv-imsic: Clear interrupt move state during CPU offlining
  irqchip/meson-gpio: Use the correct register in meson_s4_gpio_irq_set_type()
  irqchip/ath79-cpu: Remove unused function
  genirq/chip: Don't call add_interrupt_randomness() for NMIs
  irqchip/gic-v5: Allocate ITS parent LPIs as a range
  irqchip/gic-v5: Support range allocation for LPIs
  irqchip/gic-v5: Move LPI allocation into the LPI domain

6 weeks agomedia: imon: Add iMON VFD HID OEM v1.2 key mappings
Alessandro Baldi [Sun, 17 May 2026 09:14:15 +0000 (11:14 +0200)] 
media: imon: Add iMON VFD HID OEM v1.2 key mappings

Add Vol+/Vol-/Mute panel button mappings for iMON VFD HID OEM v1.2.
This version differs in the codes that generate the
KEY_VOLUMEUP, KEY_VOLUMEDOWN and KEY_MUTE events.

Signed-off-by: Alessandro Baldi <baldovic@virgilio.it>
Signed-off-by: Sean Young <sean@mess.org>
6 weeks agoMerge tag 'riscv-for-linus-7.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Sun, 17 May 2026 16:33:49 +0000 (09:33 -0700)] 
Merge tag 'riscv-for-linus-7.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux

Pull RISC-V fixes from Paul Walmsley:
 "Relatively low-impact fixes. Probably the most notable one is that we
  no longer ask the monitor-mode firmware to delegate misaligned access
  handling to the kernel by default, since the kernel code needs
  significant improvement to match the functionality of the firmware.
  This change avoids functional problems at some cost in performance,
  but shouldn't affect any system with misaligned access handling in
  hardware.

   - Disable satp register probing when no5lvl is specified on the
     kernel command line

   - Fix a CFI-related issue with the misaligned access speed
     measurement code

   - Reduce the CFI shadow stack size limit from 4GB to 2GB (following
     ARM64 GCS)

   - Prevent the kernel from requesting delegation of misaligned access
     faults unless a new Kconfig option, RISCV_SBI_FWFT_DELEGATE_MISALIGNED,
     is enabled. This will depend on CONFIG_NONPORTABLE until the
     deficiencies of the kernel misaligned access fixup code are fixed

   - Fix some potential uninitialized memory accesses in error paths in
     compat_riscv_gpr_set() and compat_restore_sigcontext()

   - Fix a bug in the RISC-V MIPS vendor errata patching code where a
     logical-and was used in place of a bitwise-and

   - Drop some unnecessary code in riscv_fill_hwcap_from_isa_string()

   - Use macros for isa2hwcap indices in riscv_fill_hwcap(), rather than
     open-coding them

   - Fix some documentation typos (one affecting 'make htmldocs')"

* tag 'riscv-for-linus-7.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
  riscv: misaligned: Make enabling delegation depend on NONPORTABLE
  riscv: Docs: fix unmatched quote warning
  riscv: cfi: reduce shadow stack size limit from 4GB to 2GB
  riscv: cpufeature: Use pre-defined ISA ext macros to index isa2hwcap
  riscv: mm: Fixup no5lvl failure when vaddr is invalid
  riscv: Fix register corruption from uninitialized cregs on error
  riscv: errata: Fix bitwise vs logical AND in MIPS errata patching
  Documentation: riscv: cmodx: fix typos
  riscv: cpufeature: Drop this_hwcap clear in T-Head vector workaround
  riscv: Define __riscv_copy_{,vec_}{words,bytes}_unaligned() using SYM_TYPED_FUNC_START

6 weeks agoMerge tag 'hwmon-for-v7.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/groec...
Linus Torvalds [Sun, 17 May 2026 16:23:28 +0000 (09:23 -0700)] 
Merge tag 'hwmon-for-v7.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging

Pull hwmon fixes from Guenter Roeck:

 - asus_atk0110, acpi_power_meter: Add missing NULL pointer checks

 - lm90: Fix locking and UAF issues

 - sy7636a: Fix sysfs attribute name in documentation

* tag 'hwmon-for-v7.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
  hwmon: (lm90) Add lock protection to lm90_alert
  hwmon: (lm90) Stop work before releasing hwmon device
  docs: hwmon: sy7636a: fix temperature sysfs attribute name
  hwmon: (asus_atk0110) Check ACPI_COMPANION() against NULL
  hwmon: (acpi_power_meter) Check ACPI_COMPANION() against NULL

6 weeks agosoundwire: intel_ace2x: release bpt_stream when close it
Bard Liao [Thu, 14 May 2026 14:16:25 +0000 (22:16 +0800)] 
soundwire: intel_ace2x: release bpt_stream when close it

The BPT stream was allocated in intel_ace2x_bpt_open_stream(), we need
to free it in intel_ace2x_bpt_close_stream().

Fixes: 4c1ce9f37d8a8 ("soundwire: intel_ace2x: add BPT send_async/wait callbacks")
Signed-off-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Reviewed-by: Simon Trimmer <simont@opensource.cirrus.com>
Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.dev>
Link: https://patch.msgid.link/20260514141625.1834216-1-yung-chuan.liao@linux.intel.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
6 weeks agodt-bindings: display/msm: Fix typo in clock-names property
Lad Prabhakar [Tue, 28 Apr 2026 10:03:38 +0000 (11:03 +0100)] 
dt-bindings: display/msm: Fix typo in clock-names property

Fix the typo "clocks-names" to "clock-names" in the allOf/if conditional
blocks.

Fixes: 9be5c47908e66 ("dt-bindings: display/msm: expand to support MST")
Fixes: 7403e87c13847 ("dt-bindings: display: msm: Fix reg ranges and clocks on Glymur")
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/721682/
Message-ID: <20260428100338.3179722-1-prabhakar.mahadev-lad.rj@bp.renesas.com>
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
6 weeks agofirmware: arm_ffa: Defer probe until pKVM is initialized
Sudeep Holla [Fri, 8 May 2026 17:54:18 +0000 (18:54 +0100)] 
firmware: arm_ffa: Defer probe until pKVM is initialized

When protected KVM is enabled, the kernel includes a pKVM FF-A proxy
that sits in front of the normal FF-A driver. The proxy has to perform
its own FF-A version negotiation and setup first, so that it can mediate
subsequent FF-A traffic correctly.

Defer FF-A core probing until pKVM has completed initialization. This
keeps the normal driver from negotiating the FF-A version or performing
other transport setup before the pKVM proxy is ready, and lets the
driver model retry probing once the protected KVM state required by the
FF-A transport is available.

Suggested-by: Yeoreum Yun <yeoreum.yun@arm.com>
Reviewed-by: Yeoreum Yun <yeoreum.yun@arm.com>
Link: https://patch.msgid.link/20260508-b4-ffa_plat_dev-v1-4-c5a30f8cf7b8@kernel.org
Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
6 weeks agofirmware: arm_ffa: Set the core device as FF-A device parent
Sudeep Holla [Fri, 8 May 2026 17:54:17 +0000 (18:54 +0100)] 
firmware: arm_ffa: Set the core device as FF-A device parent

Pass a parent device into ffa_device_register() and use the synthetic
arm-ffa platform device as the parent for each registered FF-A device.

This keeps the enumerated FF-A partition devices anchored below the FF-A
core device in the driver model, matching the platform-driver conversion
of the core transport.

Suggested-by: Yeoreum Yun <yeoreum.yun@arm.com>
Reviewed-by: Yeoreum Yun <yeoreum.yun@arm.com>
Link: https://patch.msgid.link/20260508-b4-ffa_plat_dev-v1-3-c5a30f8cf7b8@kernel.org
Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
6 weeks agofirmware: arm_ffa: Register core as a platform driver
Sudeep Holla [Fri, 8 May 2026 17:54:16 +0000 (18:54 +0100)] 
firmware: arm_ffa: Register core as a platform driver

Move the FF-A core bring-up and teardown paths into platform driver
probe and remove callbacks, and register a synthetic arm-ffa platform
device to bind the driver.

This makes the FF-A core lifetime follow the driver model while keeping
the device creation internal to the FF-A core. Use normal platform driver
registration so the probe path has standard driver-core semantics.

The synthetic platform device is a temporary bridge until ACPI and
devicetree describe the FF-A core device or object. Once those firmware
description paths are defined, the internal platform device creation can
be dropped and the driver can bind to the firmware-described device
directly.

Since the transport selection now happens from the platform probe path,
drop the __init annotation from ffa_transport_init().

Reviewed-by: Yeoreum Yun <yeoreum.yun@arm.com>
Link: https://patch.msgid.link/20260508-b4-ffa_plat_dev-v1-2-c5a30f8cf7b8@kernel.org
Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
6 weeks agoRevert "firmware: arm_ffa: Change initcall level of ffa_init() to rootfs_initcall"
Yeoreum Yun [Fri, 8 May 2026 17:54:15 +0000 (18:54 +0100)] 
Revert "firmware: arm_ffa: Change initcall level of ffa_init() to rootfs_initcall"

This reverts commit 0e0546eabcd6c19765a8dbf5b5db3723e7b0ea75, which was
added to address ordering issues with the IMA LSM initialisation where
the TPM would not be fully ready by the time IMA wanted it. This has
been resolved within IMA by retrying setup during late_initcall_sync if
the TPM is not available at first.

Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
Link: https://patch.msgid.link/20260508-b4-ffa_plat_dev-v1-1-c5a30f8cf7b8@kernel.org
Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
6 weeks agoriscv: dts: spacemit: enable QSPI for OrangePi RV2
Chukun Pan [Sat, 16 May 2026 08:00:30 +0000 (16:00 +0800)] 
riscv: dts: spacemit: enable QSPI for OrangePi RV2

Enable the QSPI controller and the XM25QU128C SPI NOR flash on the
OrangePi RV2 board. Add a flash partition layout from vendor UBoot.

Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
Reviewed-by: Yixun Lan <dlan@kernel.org>
Link: https://patch.msgid.link/20260516080030.1736836-1-amadeus@jmu.edu.cn
Signed-off-by: Yixun Lan <dlan@kernel.org>
6 weeks agoauxdisplay: Kconfig: drop unneeded quotes in PANEL_BOOT_MESSAGE dep
Stepan Ionichev [Fri, 15 May 2026 13:30:04 +0000 (18:30 +0500)] 
auxdisplay: Kconfig: drop unneeded quotes in PANEL_BOOT_MESSAGE dep

The PANEL_BOOT_MESSAGE dependency uses a quoted-string comparison
against the PANEL_CHANGE_MESSAGE bool symbol:

depends on PANEL_CHANGE_MESSAGE="y"

This is the only such pattern under drivers/auxdisplay/ (grep shows
no other Kconfig file in the tree uses depends on FOO="y" with
quotes for a plain bool symbol). The quoted form is parsed by
Kconfig but is not idiomatic; the common form for the same intent
is the unquoted tristate-style dependency:

depends on PANEL_CHANGE_MESSAGE

which evaluates true when PANEL_CHANGE_MESSAGE is y or m. Since
PANEL_CHANGE_MESSAGE is declared as bool (not tristate), there is
no behaviour change in practice: y is the only enabled value
either form can match.

Drop the quoted comparison so the dependency matches the prevailing
kernel Kconfig style and so it is obvious to readers that the
comparison works.

Suggested-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/CAHp75VfsA_LsbEKjxoeMdbhPbWj7OHZ7=0SYNA3c=ZLj_M94Bw@mail.gmail.com
Signed-off-by: Stepan Ionichev <sozdayvek@gmail.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
6 weeks agoauxdisplay: line-display: fix OOB read on zero-length message_store()
Stepan Ionichev [Thu, 14 May 2026 17:43:42 +0000 (22:43 +0500)] 
auxdisplay: line-display: fix OOB read on zero-length message_store()

linedisp_display() unconditionally reads msg[count - 1] before
checking whether count is zero, so a write of zero bytes to the
message sysfs attribute hits msg[-1]:

write(fd, "", 0);

-> message_store(..., buf, count=0)
   -> linedisp_display(linedisp, buf, count=0)
      -> msg[count - 1] == '\n'  ; OOB read

The kernfs write buffer for that store is a 1-byte allocation
(kernfs_fop_write_iter() does kmalloc(len + 1) with len == 0),
so msg[-1] is a 1-byte read before the slab object. On a
KASAN-enabled kernel this trips an out-of-bounds report and
panics; on stock kernels it silently reads adjacent slab data
and, if that byte happens to be '\n', the following count--
wraps ssize_t 0 to -1 and is then passed to kmemdup_nul().

linedisp_display() is reached from the message_store() sysfs
callback (drivers/auxdisplay/line-display.c message attribute,
mode 0644) and from the in-tree initial-message setup with
count == -1, so the OOB path is only userspace-triggerable via
zero-byte writes; vfs_write() does not short-circuit on
count == 0 and kernfs_fop_write_iter() dispatches the store
callback regardless.

Guard the trailing-newline trim with a count check. The
existing if (!count) block then takes the clear-display path
unchanged.

Affects every auxdisplay driver that registers via
linedisp_register() / linedisp_attach(): ht16k33, max6959,
img-ascii-lcd, seg-led-gpio.

Fixes: 7e76aece6f03 ("auxdisplay: Extract character line display core support")
Signed-off-by: Stepan Ionichev <sozdayvek@gmail.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
6 weeks agoarm64: dts: qcom: sdm845-shift-axolotl: describe WiFi/BT properly
David Heidelberg [Wed, 15 Apr 2026 11:56:08 +0000 (13:56 +0200)] 
arm64: dts: qcom: sdm845-shift-axolotl: describe WiFi/BT properly

The onboard WiFi / BT device, WCN3990, has a simple on-chip PMU, which
further spreads generated voltage. Describe the PMU in the device tree.

Signed-off-by: David Heidelberg <david@ixit.cz>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260415-axolotl-wifi-v1-1-07df39cfc0a4@ixit.cz
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
6 weeks agoclk: qcom: clk-rpmh: Make all VRMs optional
Alexander Koskovich [Tue, 14 Apr 2026 17:34:28 +0000 (17:34 +0000)] 
clk: qcom: clk-rpmh: Make all VRMs optional

Some VRMs aren't present on all boards, so mark them as optional. This
prevents probe failures on boards where not all VRMs are present.

This resolves an issue seen on the Nothing Phone (4a) Pro (Eliza) where
probe fails due to RPMH_RF_CLK5 not being present on the board, this is
due to this device having a slightly different PMIC configuration from
the Eliza MTP.

This matches the downstream approach of marking all VRMs as optional
and makes the previous clka_optional handling redundant.

Signed-off-by: Alexander Koskovich <akoskovich@pm.me>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260414-clk-rpmh-vrm-opt-v3-1-8ca21469ffbc@pm.me
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
6 weeks agoarm64: dts: qcom: monaco: add GDSP fastrpc-compute-cb nodes
Ekansh Gupta [Wed, 15 Apr 2026 06:40:46 +0000 (12:10 +0530)] 
arm64: dts: qcom: monaco: add GDSP fastrpc-compute-cb nodes

Add GDSP fastrpc compute-cb nodes for monaco SoC.

Signed-off-by: Ekansh Gupta <ekansh.gupta@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260415-monacogdsp-v1-1-077ded36c7fc@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
6 weeks agoMerge branch 'bpf-follow-up-fixes-for-stack-argument-support'
Alexei Starovoitov [Sun, 17 May 2026 00:46:17 +0000 (17:46 -0700)] 
Merge branch 'bpf-follow-up-fixes-for-stack-argument-support'

Yonghong Song says:

====================
bpf: Follow-up fixes for stack argument support

Commit cd59fa185a03 ("bpf: Support stack arguments for BPF functions and kfuncs")
added stack argument support for bpf functions and kfuncs. This patch set
is to fix various issues related to stack arguments, mainly include:
  - Validate outgoing stack args when btf_prepare_func_args fails
  - Fix arg_track_join log to use sa prefix for stack arg slots
  - Clean up redundant stack arg checks for non-JITed programs

Changelog:
  v2 -> v3:
    - v2: https://lore.kernel.org/bpf/20260515014958.1186132-1-yonghong.song@linux.dev/
    - Add additional fix (fix arg_track_join log, fix exception with outgoing stack
      arguments, some cleanup, etc.).
  v1 -> v2:
    - v1: https://lore.kernel.org/bpf/20260514184827.1619863-1-yonghong.song@linux.dev/
    - Remove 'Reported-by: Sashiko <sashiko-bot@kernel.org>'.
    - Add proper fix tag.
====================

Link: https://patch.msgid.link/20260515225035.821178-1-yonghong.song@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
6 weeks agobpf: Clean up redundant stack arg checks for non-JITed programs
Yonghong Song [Fri, 15 May 2026 22:51:01 +0000 (15:51 -0700)] 
bpf: Clean up redundant stack arg checks for non-JITed programs

Remove a redundant stack_arg_cnt check in __bpf_prog_select_runtime()
and start the stack arg loop from index 0 in bpf_fixup_call_args().
Both changes are no-ops that simplify the code:

In __bpf_prog_select_runtime(), the subprog_info[0].stack_arg_cnt
check is unreachable:
  - when there is only a main program (no bpf-to-bpf calls),
    subprog_info[0].stack_arg_cnt is always 0 because the main
    program's arg_cnt is forced to 1
  - when bpf-to-bpf calls use stack args and JIT succeeds,
    fp->bpf_func is set and this code is skipped
  - when JIT fails, bpf_fixup_call_args() rejects the program
    before we get to __bpf_prog_select_runtime().

In bpf_fixup_call_args(), starting the loop at i=1 skipped subprog 0,
which is safe since the main program always has arg_cnt=1 and thus
bpf_in_stack_arg_cnt() returns 0. Starting at i=0 removes the need
to reason about this invariant.

Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
Link: https://lore.kernel.org/r/20260515225101.824054-1-yonghong.song@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
6 weeks agobpf: Fix arg_track_join log to use sa prefix for stack arg slots
Yonghong Song [Fri, 15 May 2026 22:50:56 +0000 (15:50 -0700)] 
bpf: Fix arg_track_join log to use sa prefix for stack arg slots

arg_track_join() logs state transitions at CFG merge points. For
stack arg slots (r >= MAX_BPF_REG), it printed "r11:", "r12:", etc.,
which is misleading since r11 is a special register (BPF_REG_PARAMS)
not meaningful to the user.

Fix it to print "sa0:", "sa1:", etc., matching the per-instruction
transition log in arg_track_log() which already uses the "sa" prefix.

Update the existing stack_arg_pruning_type_mismatch selftest to expect
the corrected format.

Fixes: 2af4e792773f ("bpf: Extend liveness analysis to track stack argument slots")
Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
Link: https://lore.kernel.org/r/20260515225056.823086-1-yonghong.song@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
6 weeks agoselftests/bpf: Log arg_track_join for stack arg slots in liveness analysis
Yonghong Song [Fri, 15 May 2026 22:50:51 +0000 (15:50 -0700)] 
selftests/bpf: Log arg_track_join for stack arg slots in liveness analysis

Commit 2af4e792773f ("bpf: Extend liveness analysis to track stack argument slots")
added stack arg supports. For selftest
  verifier_stack_arg/stack_arg: pruning with different stack arg types
the following are two arg JOIN messages:
  arg JOIN insn 9 -> 10 r1: fp0-8 + _ => fp0-8|fp0+0
  arg JOIN insn 9 -> 10 r11: fp0-8 + _ => fp0-8|fp0+0

Here the "r11:" label for stack arg slot 0 is misleading since r11
is a special register (BPF_REG_PARAMS). The next patch corrects
this to "sa0:", properly representing the 'stack arg slot 0'.

Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
Link: https://lore.kernel.org/r/20260515225051.822739-1-yonghong.song@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>