summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorLines
2026-04-06ice: ptp: don't WARN when controlling PF is unavailableKohei Enju-1/+7
In VFIO passthrough setups, it is possible to pass through only a PF which doesn't own the source timer. In that case the PTP controlling PF (adapter->ctrl_pf) is never initialized in the VM, so ice_get_ctrl_ptp() returns NULL and triggers WARN_ON() in ice_ptp_setup_pf(). Since this is an expected behavior in that configuration, replace WARN_ON() with an informational message and return -EOPNOTSUPP. Fixes: e800654e85b5 ("ice: Use ice_adapter for PTP shared data instead of auxdev") Signed-off-by: Kohei Enju <kohei@enjuk.jp> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com> Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
2026-04-06idpf: set the payload size before calling the async handlerEmil Tantilov-0/+4
Set the payload size before forwarding the reply to the async handler. Without this, xn->reply_sz will be 0 and idpf_mac_filter_async_handler() will never get past the size check. Fixes: 34c21fa894a1 ("idpf: implement virtchnl transaction manager") Cc: stable@vger.kernel.org Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com> Reviewed-by: Li Li <boolli@google.com> Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Tested-by: Samuel Salin <Samuel.salin@intel.com> Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
2026-04-06idpf: improve locking around idpf_vc_xn_push_free()Emil Tantilov-0/+2
Protect the set_bit() operation for the free_xn bitmask in idpf_vc_xn_push_free(), to make the locking consistent with rest of the code and avoid potential races in that logic. Fixes: 34c21fa894a1 ("idpf: implement virtchnl transaction manager") Cc: stable@vger.kernel.org Reported-by: Ray Zhang <sgzhang@google.com> Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com> Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Tested-by: Samuel Salin <Samuel.salin@intel.com> Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
2026-04-06idpf: fix PREEMPT_RT raw/bh spinlock nesting for async VC handlingEmil Tantilov-11/+8
Switch from using the completion's raw spinlock to a local lock in the idpf_vc_xn struct. The conversion is safe because complete/_all() are called outside the lock and there is no reason to share the completion lock in the current logic. This avoids invalid wait context reported by the kernel due to the async handler taking BH spinlock: [ 805.726977] ============================= [ 805.726991] [ BUG: Invalid wait context ] [ 805.727006] 7.0.0-rc2-net-devq-031026+ #28 Tainted: G S OE [ 805.727026] ----------------------------- [ 805.727038] kworker/u261:0/572 is trying to lock: [ 805.727051] ff190da6a8dbb6a0 (&vport_config->mac_filter_list_lock){+...}-{3:3}, at: idpf_mac_filter_async_handler+0xe9/0x260 [idpf] [ 805.727099] other info that might help us debug this: [ 805.727111] context-{5:5} [ 805.727119] 3 locks held by kworker/u261:0/572: [ 805.727132] #0: ff190da6db3e6148 ((wq_completion)idpf-0000:83:00.0-mbx){+.+.}-{0:0}, at: process_one_work+0x4b5/0x730 [ 805.727163] #1: ff3c6f0a6131fe50 ((work_completion)(&(&adapter->mbx_task)->work)){+.+.}-{0:0}, at: process_one_work+0x1e5/0x730 [ 805.727191] #2: ff190da765190020 (&x->wait#34){+.+.}-{2:2}, at: idpf_recv_mb_msg+0xc8/0x710 [idpf] [ 805.727218] stack backtrace: ... [ 805.727238] Workqueue: idpf-0000:83:00.0-mbx idpf_mbx_task [idpf] [ 805.727247] Call Trace: [ 805.727249] <TASK> [ 805.727251] dump_stack_lvl+0x77/0xb0 [ 805.727259] __lock_acquire+0xb3b/0x2290 [ 805.727268] ? __irq_work_queue_local+0x59/0x130 [ 805.727275] lock_acquire+0xc6/0x2f0 [ 805.727277] ? idpf_mac_filter_async_handler+0xe9/0x260 [idpf] [ 805.727284] ? _printk+0x5b/0x80 [ 805.727290] _raw_spin_lock_bh+0x38/0x50 [ 805.727298] ? idpf_mac_filter_async_handler+0xe9/0x260 [idpf] [ 805.727303] idpf_mac_filter_async_handler+0xe9/0x260 [idpf] [ 805.727310] idpf_recv_mb_msg+0x1c8/0x710 [idpf] [ 805.727317] process_one_work+0x226/0x730 [ 805.727322] worker_thread+0x19e/0x340 [ 805.727325] ? __pfx_worker_thread+0x10/0x10 [ 805.727328] kthread+0xf4/0x130 [ 805.727333] ? __pfx_kthread+0x10/0x10 [ 805.727336] ret_from_fork+0x32c/0x410 [ 805.727345] ? __pfx_kthread+0x10/0x10 [ 805.727347] ret_from_fork_asm+0x1a/0x30 [ 805.727354] </TASK> Fixes: 34c21fa894a1 ("idpf: implement virtchnl transaction manager") Cc: stable@vger.kernel.org Suggested-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Reported-by: Ray Zhang <sgzhang@google.com> Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com> Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Tested-by: Samuel Salin <Samuel.salin@intel.com> Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
2026-04-06kunit: tool: Terminate kernel under test on SIGINTDavid Gow-9/+19
kunit.py will attempt to catch SIGINT / ^C in order to ensure the TTY isn't messed up, but never actually attempts to terminate the running kernel (be it UML or QEMU). This can lead to a bit of frustration if the kernel has crashed or hung. Terminate the kernel process in the signal handler, if it's running. This requires plumbing through the process handle in a few more places (and having some checks to see if the kernel is still running in places where it may have already been killed). Reported-by: Andy Shevchenko <andriy.shevchenko@intel.com> Closes: https://lore.kernel.org/all/aaFmiAmg9S18EANA@smile.fi.intel.com/ Signed-off-by: David Gow <david@davidgow.net> Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com> Tested-by: Andy Shevchenko <andriy.shevchenko@intel.com> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
2026-04-06kunit: tool: skip stty when stdin is not a ttyShuvam Pandey-2/+50
run_kernel() cleanup and signal_handler() invoke stty unconditionally. When stdin is not a tty (for example in CI or unit tests), this writes noise to stderr. Call stty only when stdin is a tty. Add regression tests for these paths: - run_kernel() with non-tty stdin - signal_handler() with non-tty stdin - signal_handler() with tty stdin Signed-off-by: Shuvam Pandey <shuvampandey1@gmail.com> Reviewed-by: David Gow <david@davidgow.net> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
2026-04-06kunit: tool: Recommend --raw_output=all if no KTAP foundDavid Gow-1/+2
If no KTAP header is found in the kernel output (e.g., because the kernel crashed before the KUnit executor was run), it's very useful to re-run the test with --raw_output=all, as that will show any error output (such as a stacktrace, log message, BUG, etc). This is not particularly intuitive, however, as --raw_output=all is not well known. Add an extra log line to advertise --raw_output=all in this case, as it's a terrible user experience to just get "Did any KUnit tests run?" Signed-off-by: David Gow <david@davidgow.net> Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
2026-04-06kunit: Add --list_suites to show suitesRyota Sakamoto-5/+27
Currently, kunit.py allows listing all individual tests via --list_tests. However, users often need to see only the available test suites. Add --list_suites to show suites. This option parses the test list output from the kernel and prints only the suite names. Example of the output of --list_suites: example_init miscdev_init printk-ringbuffer Signed-off-by: Ryota Sakamoto <sakamo.ryota@gmail.com> Reviewed-by: David Gow <david@davidgow.net> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
2026-04-06blk-wbt: remove WARN_ON_ONCE from wbt_init_enable_default()Yuto Ohnuki-2/+3
wbt_init_enable_default() uses WARN_ON_ONCE to check for failures from wbt_alloc() and wbt_init(). However, both are expected failure paths: - wbt_alloc() can return NULL under memory pressure (-ENOMEM) - wbt_init() can fail with -EBUSY if wbt is already registered syzbot triggers this by injecting memory allocation failures during MTD partition creation via ioctl(BLKPG), causing a spurious warning. wbt_init_enable_default() is a best-effort initialization called from blk_register_queue() with a void return type. Failure simply means the disk operates without writeback throttling, which is harmless. Replace WARN_ON_ONCE with plain if-checks, consistent with how wbt_set_lat() in the same file already handles these failures. Add a pr_warn() for the wbt_init() failure to retain diagnostic information without triggering a full stack trace. Reported-by: syzbot+71fcf20f7c1e5043d78c@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=71fcf20f7c1e5043d78c Fixes: 41afaeeda509 ("blk-wbt: fix possible deadlock to nest pcpu_alloc_mutex under q_usage_counter") Signed-off-by: Yuto Ohnuki <ytohnuki@amazon.com> Reviewed-by: Yu Kuai <yukuai@fnnas.com> Reviewed-by: Nilay Shroff <nilay@linux.ibm.com> Link: https://patch.msgid.link/20260316070358.65225-2-ytohnuki@amazon.com Signed-off-by: Jens Axboe <axboe@kernel.dk>
2026-04-06ocfs2: fix out-of-bounds write in ocfs2_write_end_inlineJoseph Qi-0/+10
KASAN reports a use-after-free write of 4086 bytes in ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted on a loop device. The actual bug is an out-of-bounds write past the inode block buffer, not a true use-after-free. The write overflows into an adjacent freed page, which KASAN reports as UAF. The root cause is that ocfs2_try_to_write_inline_data trusts the on-disk id_count field to determine whether a write fits in inline data. On a corrupted filesystem, id_count can exceed the physical maximum inline data capacity, causing writes to overflow the inode block buffer. Call trace (crash path): vfs_copy_file_range (fs/read_write.c:1634) do_splice_direct splice_direct_to_actor iter_file_splice_write ocfs2_file_write_iter generic_perform_write ocfs2_write_end ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949) ocfs2_write_end_inline (fs/ocfs2/aops.c:1915) memcpy_from_folio <-- KASAN: write OOB So add id_count upper bound check in ocfs2_validate_inode_block() to alongside the existing i_size check to fix it. Link: https://lkml.kernel.org/r/20260403063830.3662739-1-joseph.qi@linux.alibaba.com Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com> Reported-by: syzbot+62c1793956716ea8b28a@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=62c1793956716ea8b28a Cc: Mark Fasheh <mark@fasheh.com> Cc: Joel Becker <jlbec@evilplan.org> Cc: Junxiao Bi <junxiao.bi@oracle.com> Cc: Changwei Ge <gechangwei@live.cn> Cc: Jun Piao <piaojun@huawei.com> Cc: Heming Zhao <heming.zhao@suse.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-04-06mm/damon/stat: deallocate damon_call() failure leaking damon_ctxSeongJae Park-0/+7
damon_stat_start() always allocates the module's damon_ctx object (damon_stat_context). Meanwhile, if damon_call() in the function fails, the damon_ctx object is not deallocated. Hence, if the damon_call() is failed, and the user writes Y to “enabled” again, the previously allocated damon_ctx object is leaked. This cannot simply be fixed by deallocating the damon_ctx object when damon_call() fails. That's because damon_call() failure doesn't guarantee the kdamond main function, which accesses the damon_ctx object, is completely finished. In other words, if damon_stat_start() deallocates the damon_ctx object after damon_call() failure, the not-yet-terminated kdamond could access the freed memory (use-after-free). Fix the leak while avoiding the use-after-free by keeping returning damon_stat_start() without deallocating the damon_ctx object after damon_call() failure, but deallocating it when the function is invoked again and the kdamond is completely terminated. If the kdamond is not yet terminated, simply return -EAGAIN, as the kdamond will soon be terminated. The issue was discovered [1] by sashiko. Link: https://lkml.kernel.org/r/20260402134418.74121-1-sj@kernel.org Link: https://lore.kernel.org/20260401012428.86694-1-sj@kernel.org [1] Fixes: 405f61996d9d ("mm/damon/stat: use damon_call() repeat mode instead of damon_callback") Signed-off-by: SeongJae Park <sj@kernel.org> Cc: <stable@vger.kernel.org> # 6.17.x Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-04-06mm/vma: fix memory leak in __mmap_region()Sechang Lim-0/+7
commit 605f6586ecf7 ("mm/vma: do not leak memory when .mmap_prepare swaps the file") handled the success path by skipping get_file() via file_doesnt_need_get, but missed the error path. When /dev/zero is mmap'd with MAP_SHARED, mmap_zero_prepare() calls shmem_zero_setup_desc() which allocates a new shmem file to back the mapping. If __mmap_new_vma() subsequently fails, this replacement file is never fput()'d - the original is released by ksys_mmap_pgoff(), but nobody releases the new one. Add fput() for the swapped file in the error path. Reproducible with fault injection. FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 1 CPU: 2 UID: 0 PID: 366 Comm: syz.7.14 Not tainted 7.0.0-rc6 #2 PREEMPT(full) Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x164/0x1f0 should_fail_ex+0x525/0x650 should_failslab+0xdf/0x140 kmem_cache_alloc_noprof+0x78/0x630 vm_area_alloc+0x24/0x160 __mmap_region+0xf6b/0x2660 mmap_region+0x2eb/0x3a0 do_mmap+0xc79/0x1240 vm_mmap_pgoff+0x252/0x4c0 ksys_mmap_pgoff+0xf8/0x120 __x64_sys_mmap+0x12a/0x190 do_syscall_64+0xa9/0x580 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak) BUG: memory leak unreferenced object 0xffff8881118aca80 (size 360): comm "syz.7.14", pid 366, jiffies 4294913255 hex dump (first 32 bytes): 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ff ff ff ff ff ff ff ff c0 28 4d ae ff ff ff ff .........(M..... backtrace (crc db0f53bc): kmem_cache_alloc_noprof+0x3ab/0x630 alloc_empty_file+0x5a/0x1e0 alloc_file_pseudo+0x135/0x220 __shmem_file_setup+0x274/0x420 shmem_zero_setup_desc+0x9c/0x170 mmap_zero_prepare+0x123/0x140 __mmap_region+0xdda/0x2660 mmap_region+0x2eb/0x3a0 do_mmap+0xc79/0x1240 vm_mmap_pgoff+0x252/0x4c0 ksys_mmap_pgoff+0xf8/0x120 __x64_sys_mmap+0x12a/0x190 do_syscall_64+0xa9/0x580 entry_SYSCALL_64_after_hwframe+0x76/0x7e Found by syzkaller. Link: https://lkml.kernel.org/r/20260331180811.1333348-1-rhkrqnwk98@gmail.com Fixes: 605f6586ecf7 ("mm/vma: do not leak memory when .mmap_prepare swaps the file") Signed-off-by: Sechang Lim <rhkrqnwk98@gmail.com> Reviewed-by: Lorenzo Stoakes (Oracle) <ljs@kernel.org> Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org> Cc: Jann Horn <jannh@google.com> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: Lorenzo Stoakes (Oracle) <ljs@kernel.org> Cc: Pedro Falcato <pfalcato@suse.de> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-04-06mm/memory_hotplug: maintain N_NORMAL_MEMORY during hotplugHao Li-0/+20
N_NORMAL_MEMORY is initialized from zone population at boot, but memory hotplug currently only updates N_MEMORY. As a result, a node that gains normal memory via hotplug can remain invisible to users iterating over N_NORMAL_MEMORY, while a node that loses its last normal memory can stay incorrectly marked as such. The most visible effect is that /sys/devices/system/node/has_normal_memory does not report a node even after that node has gained normal memory via hotplug. Also, list_lru-based shrinkers can undercount objects on such a node and may skip reclaim on that node entirely, which can lead to a higher memory footprint than expected. Restore N_NORMAL_MEMORY maintenance directly in online_pages() and offline_pages(). Set the bit when a node that currently lacks normal memory onlines pages into a zone <= ZONE_NORMAL, and clear it when offlining removes the last present pages from zones <= ZONE_NORMAL. This restores the intended semantics without bringing back the old status_change_nid_normal notifier plumbing which was removed in 8d2882a8edb8. Current users that benefit include list_lru, zswap, nfsd filecache, hugetlb_cgroup, and has_normal_memory sysfs reporting. Link: https://lkml.kernel.org/r/20260330035941.518186-1-hao.li@linux.dev Fixes: 8d2882a8edb8 ("mm,memory_hotplug: remove status_change_nid_normal and update documentation") Signed-off-by: Hao Li <hao.li@linux.dev> Reviewed-by: Harry Yoo (Oracle) <harry@kernel.org> Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org> Reviewed-by: Joshua Hahn <joshua.hahnjy@gmail.com> Acked-by: David Hildenbrand (Arm) <david@kernel.org> Cc: Oscar Salvador <osalvador@suse.de> Cc: Vlastimil Babka <vbabka@suse.cz> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-04-06mm/damon/sysfs: dealloc repeat_call_control if damon_call() failsSeongJae Park-1/+2
damon_call() for repeat_call_control of DAMON_SYSFS could fail if somehow the kdamond is stopped before the damon_call(). It could happen, for example, when te damon context was made for monitroing of a virtual address processes, and the process is terminated immediately, before the damon_call() invocation. In the case, the dyanmically allocated repeat_call_control is not deallocated and leaked. Fix the leak by deallocating the repeat_call_control under the damon_call() failure. This issue is discovered by sashiko [1]. Link: https://lkml.kernel.org/r/20260327003224.55752-1-sj@kernel.org Link: https://lore.kernel.org/20260320020630.962-1-sj@kernel.org [1] Fixes: 04a06b139ec0 ("mm/damon/sysfs: use dynamically allocated repeat mode damon_call_control") Signed-off-by: SeongJae Park <sj@kernel.org> Cc: <stable@vger.kernel.org> [6.17+] Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-04-06mm: reinstate unconditional writeback start in balance_dirty_pages()Joanne Koong-0/+21
Commit 64dd89ae01f2 ("mm/block/fs: remove laptop_mode") removed this unconditional writeback start from balance_dirty_pages(): if (unlikely(!writeback_in_progress(wb))) wb_start_background_writeback(wb); This logic needs to be reinstated to prevent performance regressions for strictlimited BDIs and memcg setups. The problem occurs because: a) For strictlimited BDIs, throttling is calculated using per-wb thresholds. The per-wb threshold can be exceeded even when the global dirty threshold was not exceeded (nr_dirty < gdtc->bg_thresh) b) For memcg-based throttling, memcg uses its own dirty count / thresholds and can trigger throttling even when the global threshold isn't exceeded Without the unconditional writeback start, IO is throttled as it waits for dirty pages to be written back but there is no writeback running. This leads to severe stalls. On fuse, buffered write performance dropped from 1400 MiB/s to 2000 KiB/s. Reinstate the unconditional writeback start so that writeback is guaranteed to be running whenever IO needs to be throttled. Link: https://lkml.kernel.org/r/20260326215127.3857682-2-joannelkoong@gmail.com Fixes: 64dd89ae01f2 ("mm/block/fs: remove laptop_mode") Signed-off-by: Joanne Koong <joannelkoong@gmail.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Jan Kara <jack@suse.cz> Acked-by: Johannes Weiner <hannes@cmpxchg.org> Cc: Matthew Wilcox (Oracle) <willy@infradead.org> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-04-06liveupdate: propagate file deserialization failuresLeo Timmins-2/+7
luo_session_deserialize() ignored the return value from luo_file_deserialize(). As a result, a session could be left partially restored even though the /dev/liveupdate open path treats deserialization failures as fatal. Propagate the error so a failed file deserialization aborts session deserialization instead of silently continuing. Link: https://lkml.kernel.org/r/20260325044608.8407-1-leotimmins1974@gmail.com Link: https://lkml.kernel.org/r/20260325044608.8407-2-leotimmins1974@gmail.com Fixes: 16cec0d26521 ("liveupdate: luo_session: add ioctls for file preservation") Signed-off-by: Leo Timmins <leotimmins1974@gmail.com> Reviewed-by: Pasha Tatashin <pasha.tatashin@soleen.com> Reviewed-by: Pratyush Yadav <pratyush@kernel.org> Cc: Mike Rapoport <rppt@kernel.org> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-04-06mm: filemap: fix nr_pages calculation overflow in filemap_map_pages()Baolin Wang-3/+8
When running stress-ng on my Arm64 machine with v7.0-rc3 kernel, I encountered some very strange crash issues showing up as "Bad page state": " [ 734.496287] BUG: Bad page state in process stress-ng-env pfn:415735fb [ 734.496427] page: refcount:0 mapcount:1 mapping:0000000000000000 index:0x4cf316 pfn:0x415735fb [ 734.496434] flags: 0x57fffe000000800(owner_2|node=1|zone=2|lastcpupid=0x3ffff) [ 734.496439] raw: 057fffe000000800 0000000000000000 dead000000000122 0000000000000000 [ 734.496440] raw: 00000000004cf316 0000000000000000 0000000000000000 0000000000000000 [ 734.496442] page dumped because: nonzero mapcount " After analyzing this page’s state, it is hard to understand why the mapcount is not 0 while the refcount is 0, since this page is not where the issue first occurred. By enabling the CONFIG_DEBUG_VM config, I can reproduce the crash as well and captured the first warning where the issue appears: " [ 734.469226] page: refcount:33 mapcount:0 mapping:00000000bef2d187 index:0x81a0 pfn:0x415735c0 [ 734.469304] head: order:5 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 734.469315] memcg:ffff000807a8ec00 [ 734.469320] aops:ext4_da_aops ino:100b6f dentry name(?):"stress-ng-mmaptorture-9397-0-2736200540" [ 734.469335] flags: 0x57fffe400000069(locked|uptodate|lru|head|node=1|zone=2|lastcpupid=0x3ffff) ...... [ 734.469364] page dumped because: VM_WARN_ON_FOLIO((_Generic((page + nr_pages - 1), const struct page *: (const struct folio *)_compound_head(page + nr_pages - 1), struct page *: (struct folio *)_compound_head(page + nr_pages - 1))) != folio) [ 734.469390] ------------[ cut here ]------------ [ 734.469393] WARNING: ./include/linux/rmap.h:351 at folio_add_file_rmap_ptes+0x3b8/0x468, CPU#90: stress-ng-mlock/9430 [ 734.469551] folio_add_file_rmap_ptes+0x3b8/0x468 (P) [ 734.469555] set_pte_range+0xd8/0x2f8 [ 734.469566] filemap_map_folio_range+0x190/0x400 [ 734.469579] filemap_map_pages+0x348/0x638 [ 734.469583] do_fault_around+0x140/0x198 ...... [ 734.469640] el0t_64_sync+0x184/0x188 " The code that triggers the warning is: "VM_WARN_ON_FOLIO(page_folio(page + nr_pages - 1) != folio, folio)", which indicates that set_pte_range() tried to map beyond the large folio’s size. By adding more debug information, I found that 'nr_pages' had overflowed in filemap_map_pages(), causing set_pte_range() to establish mappings for a range exceeding the folio size, potentially corrupting fields of pages that do not belong to this folio (e.g., page->_mapcount). After above analysis, I think the possible race is as follows: CPU 0 CPU 1 filemap_map_pages() ext4_setattr() //get and lock folio with old inode->i_size next_uptodate_folio() ....... //shrink the inode->i_size i_size_write(inode, attr->ia_size); //calculate the end_pgoff with the new inode->i_size file_end = DIV_ROUND_UP(i_size_read(mapping->host), PAGE_SIZE) - 1; end_pgoff = min(end_pgoff, file_end); ...... //nr_pages can be overflowed, cause xas.xa_index > end_pgoff end = folio_next_index(folio) - 1; nr_pages = min(end, end_pgoff) - xas.xa_index + 1; ...... //map large folio filemap_map_folio_range() ...... //truncate folios truncate_pagecache(inode, inode->i_size); To fix this issue, move the 'end_pgoff' calculation before next_uptodate_folio(), so the retrieved folio stays consistent with the file end to avoid 'nr_pages' calculation overflow. After this patch, the crash issue is gone. Link: https://lkml.kernel.org/r/1cf1ac59018fc647a87b0dad605d4056a71c14e4.1773739704.git.baolin.wang@linux.alibaba.com Fixes: 743a2753a02e ("filemap: cap PTE range to be created to allowed zero fill in folio_map_range()") Signed-off-by: Baolin Wang <baolin.wang@linux.alibaba.com> Reported-by: Yuanhe Shu <xiangzao@linux.alibaba.com> Tested-by: Yuanhe Shu <xiangzao@linux.alibaba.com> Acked-by: Kiryl Shutsemau (Meta) <kas@kernel.org> Acked-by: David Hildenbrand (Arm) <david@kernel.org> Cc: Christian Brauner <brauner@kernel.org> Cc: Daniel Gomez <da.gomez@samsung.com> Cc: "Darrick J. Wong" <djwong@kernel.org> Cc: Dave Chinner <dchinner@redhat.com> Cc: David Howells <dhowells@redhat.com> Cc: Hannes Reinecke <hare@suse.de> Cc: Lorenzo Stoakes (Oracle) <ljs@kernel.org> Cc: Luis Chamberalin <mcgrof@kernel.org> Cc: Matthew Wilcox (Oracle) <willy@infradead.org> Cc: Pankaj Raghav <p.raghav@samsung.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-04-06sched_ext: Documentation: Add ops.dequeue() to task lifecycleAndrea Righi-9/+15
Document ops.dequeue() in the sched_ext task lifecycle now that its semantics are well-defined. Also update the pseudo-code to use task_is_runnable() consistently and clarify the case where ops.dispatch() does not refill the time slice. Signed-off-by: Andrea Righi <arighi@nvidia.com> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Signed-off-by: Tejun Heo <tj@kernel.org>
2026-04-06tools/sched_ext: Fix off-by-one in scx_sdt payload zeroingCheng-Yang Chou-1/+2
scx_alloc_free_idx() zeroes the payload of a freed arena allocation one word at a time. The loop bound was alloc->pool.elem_size / 8, but elem_size includes sizeof(struct sdt_data) (the 8-byte union sdt_id header). This caused the loop to write one extra u64 past the allocation, corrupting the tid field of the adjacent pool element. Fix the loop bound to (elem_size - sizeof(struct sdt_data)) / 8 so only the payload portion is zeroed. Test plan: - Add a temporary sanity check in scx_task_free() before the free call: if (mval->data->tid.idx != mval->tid.idx) scx_bpf_error("tid corruption: arena=%d storage=%d", mval->data->tid.idx, (int)mval->tid.idx); - stress-ng --fork 100 -t 10 & sudo ./build/bin/scx_sdt Without this fix, running scx_sdt under fork-heavy load triggers the corruption error. With the fix applied, the same workload completes without error. Fixes: 36929ebd17ae ("tools/sched_ext: add arena based scheduler") Signed-off-by: Cheng-Yang Chou <yphbchou0911@gmail.com> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Signed-off-by: Tejun Heo <tj@kernel.org>
2026-04-06selftests/nolibc: only use libgcc when really necessaryThomas Weißschuh-13/+4
nolibc should work without libgcc to be compatible with as many toolchains as possible. Currently the functionality tested by nolibc-test does not contain any dependencies, make sure it stays this way by not linking libgcc anymore. On the ppc target GCC always emits references to '_restgpr_' functions, so keep linking libgcc there. Signed-off-by: Thomas Weißschuh <linux@weissschuh.net> Acked-by: Willy Tarreau <w@1wt.eu> Link: https://patch.msgid.link/20260404-nolibc-libgcc-v1-1-eb3ecfe0e176@weissschuh.net
2026-04-06selftests/nolibc: test the memory allocatorThomas Weißschuh-0/+55
The memory allocator has not seen any testing so far. Add a simple testcase for it. Suggested-by: Willy Tarreau <w@1wt.eu> Link: https://lore.kernel.org/lkml/adDRK8D6YBZgv36H@1wt.eu/ Signed-off-by: Thomas Weißschuh <linux@weissschuh.net> Acked-by: Willy Tarreau <w@1wt.eu> Link: https://patch.msgid.link/20260404-nolibc-asprintf-v2-2-17d2d0df9763@weissschuh.net
2026-04-06tools/nolibc: check for overflow in calloc() without divisionsThomas Weißschuh-2/+2
On some architectures without native division instructions the division can generate calls into libgcc/compiler-rt. This library might not be available, so its use should be avoided. Use the compiler builtin to check for overflows without needing a division. The builtin has been available since GCC 3 and clang 3.8. Signed-off-by: Thomas Weißschuh <linux@weissschuh.net> Acked-by: Willy Tarreau <w@1wt.eu> Link: https://patch.msgid.link/20260404-nolibc-asprintf-v2-1-17d2d0df9763@weissschuh.net
2026-04-06tools/nolibc: add support for asprintf()Thomas Weißschuh-0/+74
Add support for dynamically allocating formatted strings through asprintf() and vasprintf(). Signed-off-by: Thomas Weißschuh <linux@weissschuh.net> Acked-by: Willy Tarreau <w@1wt.eu> Link: https://patch.msgid.link/20260401-nolibc-asprintf-v1-3-46292313439f@weissschuh.net
2026-04-06PCI/NPEM: Set LED_HW_PLUGGABLE for hotplug-capable portsRichard Cheng-1/+1
NPEM registers LED classdevs on PCI endpoint that may be behind hotplug-capable ports. During hot-removal, led_classdev_unregister() calls led_set_brightness(LED_OFF) which leads to a PCI config read to a disconnected device, which fails and returns -ENODEV (topology details in msgid.link below): leds 0003:01:00.0:enclosure:ok: Setting an LED's brightness failed (-19) The LED core already suppresses this for devices with LED_HW_PLUGGABLE set, but NPEM never sets it. Add the flag since NPEM LEDs are on hot-pluggable hardware by nature. Fixes: 4e893545ef87 ("PCI/NPEM: Add Native PCIe Enclosure Management support") Signed-off-by: Richard Cheng <icheng@nvidia.com> Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Reviewed-by: Lukas Wunner <lukas@wunner.de> Acked-by: Kai-Heng Feng <kaihengf@nvidia.com> Link: https://patch.msgid.link/20260402093850.23075-1-icheng@nvidia.com
2026-04-06cpupower: remove extern declarations in cmd functionsKaushlendra Kumar-12/+0
extern char *optarg and extern int optind, opterr, optopt are already declared by <getopt.h>, which is included at the top of the file. Repeating extern declarations inside a function body is misleading and unnecessary. Signed-off-by: Kaushlendra Kumar <kaushlendra.kumar@intel.com> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
2026-04-06Merge tag 'soc-fixes-7.0-2' of ↵Linus Torvalds-271/+271
git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc Pull SoC fixes from Arnd Bergmann: "The largest part here are devicetree fixes for Qualcomm, and NXP i.MX, addressing a few regressions and incorrect settings in board and SoC pecific dts files. The largest single commits are a revert of a cleanup patch for i.MX that caused regressions for the NAND flash controller and a fixup for an incomplete cleanup of the PCIe controller on Qualcomm platforms that broke because the state was left incompatible with both the old and new behavior. On the Rockchips, Hisilicon, Renesas, Allwinner and AT91 platforms, only a single simple dts bugfix each was added since the last round of fixes. On the SoC specific device drivers, everything is relatively harmless: three reset controller driver fixes, a compatibility for fix ASpeed soc ID, and error handling fixes for Qualcomm and Microchip. One regression fix on Qualcomm addresses a problem with a previous fix for DisplayPort alt mode" * tag 'soc-fixes-7.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (32 commits) arm64: dts: qcom: hamoa: Fix incomplete Root Port property migration dt-bindings: display/msm: qcm2290-mdss: Fix missing ranges in example firmware: microchip: fail auto-update probe if no flash found arm64: dts: renesas: sparrow-hawk: Reserve first 128 MiB of DRAM arm64: dts: qcom: agatti: Fix IOMMU DT properties dt-bindings: media: venus: Fix iommus property dt-bindings: display: msm: qcm2290-mdss: Fix iommus property arm64: dts: allwinner: sun55i: Fix r-spi DMA reset: spacemit: k3: Decouple composite reset lines reset: gpio: fix double free in reset_add_gpio_aux_device() error path ARM: dts: microchip: sam9x7: fix gpio-lines count for pioB arm64: dts: hisilicon: hi3798cv200: Add missing dma-ranges arm64: dts: hisilicon: poplar: Correct PCIe reset GPIO polarity reset: rzg2l-usbphy-ctrl: Fix malformed MODULE_AUTHOR string soc: microchip: mpfs-mss-top-sysreg: Fix resource leak on driver unbind soc: microchip: mpfs-control-scb: Fix resource leak on driver unbind soc: qcom: pmic_glink_altmode: Fix TBT->SAFE->!TBT transition arm64: dts: qcom: monaco: Reserve full Gunyah metadata region arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V Revert "arm64: dts: imx8mq-librem5: Set the DVS voltages lower" ...
2026-04-06PCI: imx6: Fix reference clock source selection for i.MX95Franz Schnyder-2/+2
In the PCIe PHY init for the i.MX95, the reference clock source selection uses a conditional instead of always passing the mask. This currently breaks functionality if the internal refclk is used. To fix this issue, always pass IMX95_PCIE_REF_USE_PAD as the mask and clear bit if external refclk is not used. This essentially swaps the parameters. Fixes: d8574ce57d76 ("PCI: imx6: Add external reference clock input mode support") Signed-off-by: Franz Schnyder <franz.schnyder@toradex.com> Signed-off-by: Manivannan Sadhasivam <mani@kernel.org> Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Acked-by: Richard Zhu <hongxing.zhu@nxp.com> Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20260325093118.684142-1-fra.schnyder@gmail.com
2026-04-06PCI/TPH: Pass ACPI Processor UID to Cache Locality _DSMChengwen Feng-9/+15
pcie_tph_get_cpu_st() uses the Query Cache Locality Features _DSM [1] to retrieve the TPH Steering Tag for memory associated with the CPU identified by its "cpu_uid" parameter, a Linux logical CPU ID. The _DSM requires an ACPI Processor UID, which pcie_tph_get_cpu_st() previously assumed was the same as the Linux logical CPU ID. This is true on x86 but not on arm64, so pcie_tph_get_cpu_st() returned the wrong Steering Tag, resulting in incorrect TPH functionality on arm64. Convert the Linux logical CPU ID to the ACPI Processor UID with acpi_get_cpu_uid() before passing it to the _DSM. Additionally, rename the pcie_tph_get_cpu_st() parameter from "cpu_uid" to "cpu" to reflect that it represents a logical CPU ID (not an ACPI Processor UID). [1] According to ECN_TPH-ST_Revision_20200924 (https://members.pcisig.com/wg/PCI-SIG/document/15470), the input is defined as: "If the target is a processor, then this field represents the ACPI Processor UID of the processor as specified in the MADT. If the target is a processor container, then this field represents the ACPI Processor UID of the processor container as specified in the PPTT." Fixes: d2e8a34876ce ("PCI/TPH: Add Steering Tag support") Signed-off-by: Chengwen Feng <fengchengwen@huawei.com> Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com> Reviewed-by: Bjorn Helgaas <bhelgaas@google.com> Link: https://patch.msgid.link/20260401081640.26875-9-fengchengwen@huawei.com Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2026-04-06ACPI: PPTT: Use acpi_get_cpu_uid() and remove get_acpi_id_for_cpu()Chengwen Feng-26/+37
Update acpi/pptt.c to use acpi_get_cpu_uid() and remove unused get_acpi_id_for_cpu() from arm64/loongarch/riscv, completing PPTT's migration to the unified ACPI CPU UID interface Signed-off-by: Chengwen Feng <fengchengwen@huawei.com> Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com> Link: https://patch.msgid.link/20260401081640.26875-8-fengchengwen@huawei.com Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2026-04-06perf: arm_cspmu: Switch to acpi_get_cpu_uid() from get_acpi_id_for_cpu()Chengwen Feng-2/+4
Update arm_cspmu to use acpi_get_cpu_uid() instead of get_acpi_id_for_cpu(), aligning with unified ACPI CPU UID interface. No functional changes are introduced by this switch (valid inputs retain original behavior). Signed-off-by: Chengwen Feng <fengchengwen@huawei.com> Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com> Link: https://patch.msgid.link/20260401081640.26875-7-fengchengwen@huawei.com Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2026-04-06ACPI: Centralize acpi_get_cpu_uid() declaration in include/linux/acpi.hChengwen Feng-5/+11
Centralize acpi_get_cpu_uid() in include/linux/acpi.h (global scope) and remove arch-specific declarations from arm64/loongarch/riscv/x86 asm/acpi.h. This unifies the interface across architectures and simplifies maintenance by eliminating duplicate prototypes. Signed-off-by: Chengwen Feng <fengchengwen@huawei.com> Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com> Link: https://patch.msgid.link/20260401081640.26875-6-fengchengwen@huawei.com Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2026-04-06x86/acpi: Add acpi_get_cpu_uid() for unified ACPI CPU UID retrievalChengwen Feng-4/+25
As a step towards unifying the interface for retrieving ACPI CPU UID across architectures, introduce a new function acpi_get_cpu_uid() for x86. While at it, add input validation to make the code more robust. Update Xen-related code to use acpi_get_cpu_uid() instead of the legacy cpu_acpi_id() function, and remove the now-unused cpu_acpi_id() to clean up redundant code. Signed-off-by: Chengwen Feng <fengchengwen@huawei.com> Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com> Reviewed-by: Juergen Gross <jgross@suse.com> Link: https://patch.msgid.link/20260401081640.26875-5-fengchengwen@huawei.com Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2026-04-06RISC-V: ACPI: Add acpi_get_cpu_uid() for unified ACPI CPU UID retrievalChengwen Feng-4/+29
As a step towards unifying the interface for retrieving ACPI CPU UID across architectures, introduce a new function acpi_get_cpu_uid() for riscv. While at it, add input validation to make the code more robust. And also update acpi_numa.c and rhct.c to use the new interface instead of the legacy get_acpi_id_for_cpu(). Signed-off-by: Chengwen Feng <fengchengwen@huawei.com> Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com> Link: https://patch.msgid.link/20260401081640.26875-4-fengchengwen@huawei.com Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2026-04-06LoongArch: Add acpi_get_cpu_uid() for unified ACPI CPU UID retrievalChengwen Feng-0/+10
As a step towards unifying the interface for retrieving ACPI CPU UID across architectures, introduce a new function acpi_get_cpu_uid() for loongarch. While at it, add input validation to make the code more robust. Signed-off-by: Chengwen Feng <fengchengwen@huawei.com> Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com> Link: https://patch.msgid.link/20260401081640.26875-3-fengchengwen@huawei.com Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2026-04-06arm64: acpi: Add acpi_get_cpu_uid() for unified ACPI CPU UID retrievalChengwen Feng-12/+32
As a step towards unifying the interface for retrieving ACPI CPU UID across architectures, introduce a new function acpi_get_cpu_uid() for arm64. While at it, add input validation to make the code more robust. Reimplement get_cpu_for_acpi_id() based on acpi_get_cpu_uid() for consistency, and move its implementation next to the new function for code coherence. Signed-off-by: Chengwen Feng <fengchengwen@huawei.com> Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com> Acked-by: Catalin Marinas <catalin.marinas@arm.com> Link: https://patch.msgid.link/20260401081640.26875-2-fengchengwen@huawei.com Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2026-04-06remoteproc: qcom: pas: Add Eliza ADSP supportAbel Vesa-0/+1
The ADSP found on Eliza SoC is similar to the one found on SM8550. So just add the dedicated compatible for Eliza ADSP and reuse the SM8550 resource configuration. Signed-off-by: Abel Vesa <abel.vesa@oss.qualcomm.com> Link: https://lore.kernel.org/r/20260327-eliza-remoteproc-adsp-v1-2-1c46c5e5f809@oss.qualcomm.com Signed-off-by: Bjorn Andersson <andersson@kernel.org>
2026-04-06ACPI: APEI: GHES: Add NVIDIA vendor CPER record handlerKai-Heng Feng-0/+170
Add support for decoding NVIDIA-specific CPER sections delivered via the APEI GHES vendor record notifier chain. NVIDIA hardware generates vendor-specific CPER sections containing error signatures and diagnostic register dumps. This implementation registers a notifier_block with the GHES vendor record notifier and decodes these sections, printing error details via dev_info(). The driver binds to ACPI device NVDA2012, present on NVIDIA server platforms. The NVIDIA CPER section contains a fixed header with error metadata (signature, error type, severity, socket) followed by variable-length register address-value pairs for hardware diagnostics. This work is based on libcper [1]. Example output: nvidia-ghes NVDA2012:00: NVIDIA CPER section, error_data_length: 544 nvidia-ghes NVDA2012:00: signature: CMET-INFO nvidia-ghes NVDA2012:00: error_type: 0 nvidia-ghes NVDA2012:00: error_instance: 0 nvidia-ghes NVDA2012:00: severity: 3 nvidia-ghes NVDA2012:00: socket: 0 nvidia-ghes NVDA2012:00: number_regs: 32 nvidia-ghes NVDA2012:00: instance_base: 0x0000000000000000 nvidia-ghes NVDA2012:00: register[0]: address=0x8000000100000000 value=0x0000000100000000 https://github.com/openbmc/libcper/commit/683e055061ce [1] Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com> Signed-off-by: Kai-Heng Feng <kaihengf@nvidia.com> [ rjw: Changelog edits ] Link: https://patch.msgid.link/20260330094203.38022-4-kaihengf@nvidia.com Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2026-04-06PCI: hisi: Use devm_ghes_register_vendor_record_notifier()Kai-Heng Feng-11/+1
Switch to the device-managed variant so the notifier is automatically unregistered on device removal, allowing the open-coded remove callback to be dropped entirely. Signed-off-by: Kai-Heng Feng <kaihengf@nvidia.com> Acked-by: Manivannan Sadhasivam <mani@kernel.org> Reviewed-by: Shiju Jose <shiju.jose@huawei.com> Link: https://patch.msgid.link/20260330094203.38022-3-kaihengf@nvidia.com Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2026-04-06ACPI: APEI: GHES: Add devm_ghes_register_vendor_record_notifier()Kai-Heng Feng-0/+29
Add a device-managed wrapper around ghes_register_vendor_record_notifier() so drivers can avoid manual cleanup on device removal or probe failure. Signed-off-by: Kai-Heng Feng <kaihengf@nvidia.com> Reviewed-by: Breno Leitao <leitao@debian.org> Reviewed-by: Shiju Jose <shiju.jose@huawei.com> Reviewed-by: Shuai Xue <xueshuai@linux.alibaba.com> Link: https://patch.msgid.link/20260330094203.38022-2-kaihengf@nvidia.com Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2026-04-06dt-bindings: remoteproc: qcom,milos-pas: Document Eliza ADSPAbel Vesa-0/+3
Since the devicetree bindings are exactly the same between Eliza ADSP and Milos ADSP, reuse the existing Milos schema, just add the Eliza specific ADSP compatible. Signed-off-by: Abel Vesa <abel.vesa@oss.qualcomm.com> Link: https://lore.kernel.org/r/20260327-eliza-remoteproc-adsp-v1-1-1c46c5e5f809@oss.qualcomm.com Signed-off-by: Bjorn Andersson <andersson@kernel.org>
2026-04-06remoteproc: qcom: Add missing space before closing bracketShawn Guo-86/+86
Add missing space before closing curly bracket for qcom_q6v5_mss and qcom_q6v5_pas driver of_match[] lines, so that all qcom remoteproc drivers are consistent on the common coding style. Signed-off-by: Shawn Guo <shengchao.guo@oss.qualcomm.com> Link: https://lore.kernel.org/r/20260306145607.1394878-1-shengchao.guo@oss.qualcomm.com Signed-off-by: Bjorn Andersson <andersson@kernel.org>
2026-04-06dt-bindings: remoteproc: qcom: Drop types for firmware-nameShawn Guo-8/+2
The type of firmware-name is already defined by core schemas. Drop it from individual bindings that have either a redundant definition or an override as string type. For the later cases, constrain the number of expected firmware names to 1. Signed-off-by: Shawn Guo <shengchao.guo@oss.qualcomm.com> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Link: https://lore.kernel.org/r/20260309123357.1911586-1-shengchao.guo@oss.qualcomm.com Signed-off-by: Bjorn Andersson <andersson@kernel.org>
2026-04-06remoteproc: qcom: Fix minidump out-of-bounds access on subsystems arrayMukesh Ojha-3/+14
MAX_NUM_OF_SS was hardcoded to 10 in the minidump_global_toc struct, which is a direct overlay on an SMEM item allocated by the firmware. Newer Qualcomm SoC firmware allocates space for more subsystems, while older firmware only allocates space for 10. Bumping the constant would cause Linux to read/write beyond the SMEM item boundary on older platforms. Fix this by converting subsystems[] to a flexible array member and deriving the actual number of subsystems at runtime from the size returned by qcom_smem_get(). Add a bounds check on minidump_id against the derived count before indexing into the array. Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com> Acked-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com> Link: https://lore.kernel.org/r/20260331171243.1962067-1-mukesh.ojha@oss.qualcomm.com Signed-off-by: Bjorn Andersson <andersson@kernel.org>
2026-04-06hwspinlock: remove now unused pdata from header fileWolfram Sang-28/+0
The last user turned out to be obsolete and was removed. Remove the unused struct now, too. Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com> Reviewed-by: Linus Walleij <linusw@kernel.org> Acked-by: Andy Shevchenko <andriy.shevchenko@intel.com> Link: https://lore.kernel.org/r/20260401071141.4718-3-wsa+renesas@sang-engineering.com Signed-off-by: Bjorn Andersson <andersson@kernel.org>
2026-04-06hwspinlock: u8500: delete driverWolfram Sang-168/+0
The U8500 platform was converted to DT around 2013 and is DT only meanwhile. This driver has never been converted to a DT driver, so it clearly hasn't been used since then. To ease upcoming refactoring in the hwspinlock subsystem, remove this obsolete driver. Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com> Reviewed-by: Linus Walleij <linusw@kernel.org> Acked-by: Andy Shevchenko <andriy.shevchenko@intel.com> Link: https://lore.kernel.org/r/20260401071141.4718-2-wsa+renesas@sang-engineering.com Signed-off-by: Bjorn Andersson <andersson@kernel.org>
2026-04-06ACPI: tables: Enable FPDT on LoongArchXi Ruoyao-1/+1
FPDT provides system- and application-readable performance statistics, useful for profiling and analyzing boot-time performance. FPDT table support is now available as a pending patch at the EDK II upstream [1] and has been tested on real hardware such as Loongson XA61200_V1.1 and XB612B0_V1.2 with patched firmware. We have also cross checked systemd-analyze(1) against a stop watch and the `dp' command in EFI Shell to see that the timing information are correct. Now that the functionality of FPDT is verified on LoongArch hardware, list LOONGARCH as a possible dependency, allowing it to be enabled. Link: https://github.com/tianocore/edk2/pull/12378 [1] Signed-off-by: Xi Ruoyao <xry111@xry111.site> [ rjw: Subject tweak ] Link: https://patch.msgid.link/20260401135311.1737958-2-xry111@xry111.site Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2026-04-06media: platform: mtk-mdp3: Constify buffer passed to mdp_vpu_sendmsg()Krzysztof Kozlowski-1/+1
mdp_vpu_sendmsg() passes the buffer to scp_ipi_send(), which takes now pointer to const, so adjust this interface as well for increased code safety and code readability. Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Link: https://lore.kernel.org/r/20260317-rpmsg-send-const-v3-5-4d7fd27f037f@oss.qualcomm.com Signed-off-by: Bjorn Andersson <andersson@kernel.org>
2026-04-06ASoC: qcom: Constify GPR packet being send over GPR interfaceKrzysztof Kozlowski-13/+14
gpr_send_pkt() and pkt_router_send_svc_pkt() only send the GPR packet they receive, without any need to actually modify it, so mark the pointer to GPR packet as pointer to const for code safety and code self-documentation. Several users of this interface can follow up and also operate on pointer to const. Acked-by: Mathieu Poirier <mathieu.poirier@linaro.org> Acked-by: Mark Brown <broonie@kernel.org> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Link: https://lore.kernel.org/r/20260317-rpmsg-send-const-v3-4-4d7fd27f037f@oss.qualcomm.com Signed-off-by: Bjorn Andersson <andersson@kernel.org>
2026-04-06rpmsg: Constify buffer passed to send APIKrzysztof Kozlowski-38/+46
The rpmsg_send(), rpmsg_sendto() and other variants of sending interfaces should only send the passed data, without modifying its contents, so mark pointer 'data' as pointer to const. All users of this interface already follow this approach, so only the function declarations have to be updated. Acked-by: Mathieu Poirier <mathieu.poirier@linaro.org> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Link: https://lore.kernel.org/r/20260317-rpmsg-send-const-v3-3-4d7fd27f037f@oss.qualcomm.com Signed-off-by: Bjorn Andersson <andersson@kernel.org>
2026-04-06remoteproc: mtk_scp: Constify buffer passed to scp_send_ipi()Krzysztof Kozlowski-2/+2
scp_send_ipi() should only send the passed buffer, without modifying its contents, so mark pointer 'buf' as pointer to const. Acked-by: Mathieu Poirier <mathieu.poirier@linaro.org> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Link: https://lore.kernel.org/r/20260317-rpmsg-send-const-v3-2-4d7fd27f037f@oss.qualcomm.com Signed-off-by: Bjorn Andersson <andersson@kernel.org>