summaryrefslogtreecommitdiff
path: root/include
AgeCommit message (Collapse)Author
2026-05-25Merge tag 'v7.1-rc5' into rdma.git for-nextJason Gunthorpe
For dependencies in the following patches Resolve conflicts, use the goto labels from the rc tag. * tag 'v7.1-rc5': (1526 commits) Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
2026-05-25remoteproc: use rsc_table_for_each_entry() in rproc_handle_resources()Mukesh Ojha
Replace the open-coded resource table iteration loop in rproc_handle_resources() with the rsc_table_for_each_entry() helper. The remoteproc-specific dispatch logic (vendor resource handling via rproc_handle_rsc(), RSC_LAST bounds check, handler table lookup) is moved into a local callback rproc_handle_rsc_entry(), keeping the iteration mechanics in one canonical place. The callback receives the payload offset within the table so that handlers which write back into the resource table (e.g. rproc_handle_carveout() recording a dynamically allocated address via rsc_offset) continue to work correctly. No functional change. Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com> Link: https://lore.kernel.org/r/20260506050107.1985033-3-mukesh.ojha@oss.qualcomm.com
2026-05-25remoteproc: Move resource table data structure to its own headerMukesh Ojha
The resource table data structure has traditionally been associated with the remoteproc framework, where the resource table is included as a section within the remote processor firmware binary. However, it is also possible to obtain the resource table through other means—such as from a reserved memory region populated by the boot firmware, statically maintained driver data, or via a secure SMC call—when it is not embedded in the firmware. There are multiple Qualcomm remote processors (e.g., Venus, Iris, GPU, etc.) in the upstream kernel that do not use the remoteproc framework to manage their lifecycle for various reasons. When Linux is running at EL2, similar to the Qualcomm PAS driver (qcom_q6v5_pas.c), client drivers for subsystems like video and GPU may also want to use the resource table SMC call to retrieve and map resources before they are used by the remote processor. In such cases, the resource table data structure is no longer tightly coupled with the remoteproc headers. Client drivers that do not use the remoteproc framework should still be able to parse the resource table obtained through alternative means. Therefore, there is a need to decouple the resource table definitions from the remoteproc headers. Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com> Link: https://lore.kernel.org/r/20260506050107.1985033-2-mukesh.ojha@oss.qualcomm.com
2026-05-25Merge branch 'arena_direct_access'Alexei Starovoitov
Tejun Heo says: ==================== This makes BPF arena memory directly dereferenceable from kernel code (struct_ops callbacks, kfuncs). Each arena gets a per-arena scratch page that an arch fault hook installs into empty PTEs on kernel-side faults, after KFENCE. The faulting instruction retries and the violation is reported through the program's BPF stream. v4: - Patch 1: note that the strict-zero cmpxchg is narrower than pte_none() in inline comments on both x86 and arm64. (Andrea) - Patch 2: stub bpf_arena_handle_page_fault() for !CONFIG_BPF_SYSCALL via a new include/linux/bpf_defs.h. (lkp) - Patch 7: scx_arena_alloc() retries via a loop instead of a single retry on pool growth. (Andrea) - Picked up Reviewed-by tags from Emil and Andrea. v3: https://lore.kernel.org/r/20260520235052.4180316-1-tj@kernel.org v2: https://lore.kernel.org/r/20260517211232.1670594-1-tj@kernel.org v1 (RFC): https://lore.kernel.org/r/20260427105109.2554518-1-tj@kernel.org Motivation ---------- sched_ext's ops_cid.set_cmask() hands the BPF scheduler a struct scx_cmask *. The kernel translates a kernel cpumask to a cmask, but it had no way to write into the arena, so the cmask lived in kernel memory and was passed as a trusted pointer. BPF cmask helpers all operate on arena cmasks though, so the BPF side had to word-by-word probe-read the kernel cmask into an arena cmask via cmask_copy_from_kernel() before any helper could touch it. It works, but is clumsy. The shape isn't unique to set_cmask. Sub-scheduler support is on the way and more sched_ext callbacks will want to pass structured data to BPF. Anywhere a kfunc or struct_ops callback wants to hand a struct to a BPF program, arena residence is the natural answer. Approach -------- Each arena gets a per-arena scratch page. Arenas stay sparsely mapped as today - PTEs are populated only for allocated pages. A new arch fault hook (bpf_arena_handle_page_fault) is wired into x86 page_fault_oops() and arm64 __do_kernel_fault(), after KFENCE. When a kernel-side access faults inside an arena's kern_vm range, the helper walks the stack to find the BPF program responsible, range-checks the fault address against prog->aux->arena, and atomically installs the scratch page into the empty PTE via the new ptep_try_set() wrapper. The kernel instruction retries and reads/writes the scratch page. Free paths and map destruction treat scratch as non-owned. Real allocation refuses to overwrite scratch (apply_range_set_cb returns -EBUSY). A scratched address stays dead until map destroy, since its presence means the BPF program has already malfunctioned. The mechanism is default behavior - no UAPI flag. What this preserves ------------------- All the debugging properties of today's sparse-PTE design are preserved: * BPF programs still fault on unmapped arena accesses. The fault semantics (instruction retry with rdst = 0) and the violation report through bpf_streams are unchanged for prog-side accesses. * The first kernel-side touch of an unmapped address is reported via bpf_streams the same way as a prog-side fault, with the stack walk attributing it to the originating prog. * User-side fault on a never-scratched address still lazy-allocates a real page (or returns SIGSEGV under BPF_F_SEGV_ON_FAULT). User-side fault on a scratched address SIGSEGVs. What changes for the kernel-side caller is just that an unmapped deref no longer oopses - it retries through the scratch page and emits a violation report. The same shape today's BPF instruction faults have. Patches 1-2 (atomic PTE install + arena scratch-page recovery) -------------------------------------------------------------- mm: Add ptep_try_set() for lockless empty-slot installs bpf: Recover arena kernel faults with scratch page Patches 3-5 (helpers used by struct_ops registration) ----------------------------------------------------- bpf: Add sleepable variant of bpf_arena_alloc_pages for kernel callers bpf: Add bpf_struct_ops_for_each_prog() bpf/arena: Add bpf_arena_map_kern_vm_start() and bpf_prog_arena() ==================== Link: https://lore.kernel.org/bpf/20260522172219.1423324-1-tj@kernel.org/ Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-05-25ACPI: bus: Introduce devm_acpi_install_notify_handler()Rafael J. Wysocki
Introduce devm_acpi_install_notify_handler() for installing an ACPI notify handler managed by devres that will be removed automatically on driver detach. It installs the notify handler on the device object in the ACPI namespace that corresponds to the owner device's ACPI companion, if present (an error is returned if the owner device doesn't have an ACPI companion). Currently, there is no way to manually remove the notify handler installed by it because none of its users brought on subsequently will need to do that. Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> [ rjw: Kerneldoc comment refinement ] Link: https://patch.msgid.link/2268031.irdbgypaU6@rafael.j.wysocki Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2026-05-25firmware: zynqmp: Add dynamic CSU register discovery and sysfs interfaceRonak Jain
Add support for dynamically discovering and exposing Configuration Security Unit (CSU) registers through sysfs. Leverage the existing PM_QUERY_DATA API to discover available registers at runtime, making the interface flexible and maintainable. Key features: - Dynamic register discovery using PM_QUERY_DATA API * PM_QID_GET_NODE_COUNT: Query number of available registers * PM_QID_GET_NODE_NAME: Query register names by index - Automatic sysfs attribute creation under csu_registers/ group - Read operations via existing IOCTL_READ_REG API - Write operations via existing IOCTL_MASK_WRITE_REG API The sysfs interface is created at: /sys/devices/platform/firmware:zynqmp-firmware/csu_registers/ Currently supported registers include: - multiboot (CSU_MULTI_BOOT) - idcode (CSU_IDCODE, read-only) - pcap-status (CSU_PCAP_STATUS, read-only) The dynamic discovery approach allows firmware to control which registers are exposed without requiring kernel changes, improving maintainability and security. The firmware does not currently expose per-register access mode information, so the kernel cannot distinguish read-only registers from read-write ones at discovery time. All discovered registers are therefore created with sysfs mode 0644, and the firmware is responsible for rejecting writes to registers it treats as read-only (for example idcode and pcap-status); that error is propagated back to userspace from the store callback. If a per-register access-mode query is added to the firmware in the future, sysfs permissions can be tightened to match. CSU register discovery is an optional feature: on firmware that lacks support for PM_QID_GET_NODE_COUNT or PM_QID_GET_NODE_NAME, the probe returns gracefully without exposing any sysfs entries. To keep the memory footprint minimal on that path, partial devm allocations made during discovery are explicitly released on failure so that no memory lingers until device unbind when the feature is unavailable. Signed-off-by: Ronak Jain <ronak.jain@amd.com> Signed-off-by: Michal Simek <michal.simek@amd.com> Link: https://lore.kernel.org/r/20260520093654.3303917-3-ronak.jain@amd.com
2026-05-25Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf 7.1-rc5Alexei Starovoitov
Cross-merge BPF and other fixes after downstream PR. Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-05-25ASoC: soc-core: Add core support for ignoring suspend on selected DAPM widgetsMark Brown
Chancel Liu <chancel.liu@nxp.com> says: Some audio systems require specific DAPM widgets to remain powered during system suspend. Introduce a generic and reusable mechanism in the ASoC core to mark selected DAPM widgets as ignore_suspend. The unified mechanism consists of two parts: 1. Parse and store the name list of widgets to ignore suspend in struct snd_soc_card The list of widgets can be provided either by the machine driver or parsed from Device Tree. Different machines have different routing and power requirements. Each machine can specify its own widgets to ignore suspend through DT property. It enables flexible policy without hard code. A new helper, snd_soc_of_parse_ignore_suspend_widgets() is added for this purpose. 2. Apply ignore_suspend flags during snd_soc_bind_card() After all components have been probed and all DAPM widgets have been registered, snd_soc_bind_card() performs a unified lookup of the configured widget names across all DAPM contexts of the card and marks the matching widgets with ignore_suspend = 1. Switch to use core ignore-suspend-widgets support for imx-rpmsg driver. Chancel Liu (3): ASoC: dapm: Fix widget lookup with prefixed names across DAPM contexts ASoC: soc-core: Add core support for ignoring suspend on selected DAPM widgets ASoC: fsl: imx-rpmsg: Switch to core ignore-suspend-widgets support Link: https://patch.msgid.link/20260507013654.2945915-1-chancel.liu@nxp.com
2026-05-25ASoC: soc-core: Add core support for ignoring suspend on selected DAPM widgetsChancel Liu
Some audio systems require specific DAPM widgets to remain powered during system suspend. Introduce a generic and reusable mechanism in the ASoC core to mark selected DAPM widgets as ignore_suspend. The unified mechanism consists of two parts: 1. Parse and store the name list of widgets to ignore suspend in struct snd_soc_card The list of widgets can be provided either by the machine driver or parsed from Device Tree. Different machines have different routing and power requirements. Each machine can specify its own widgets to ignore suspend through DT property. It enables flexible policy without hard code. A new helper, snd_soc_of_parse_ignore_suspend_widgets() is added for this purpose. 2. Apply ignore_suspend flags during snd_soc_bind_card() After all components have been probed and all DAPM widgets have been registered, snd_soc_bind_card() performs a unified lookup of the configured widget names across all DAPM contexts of the card and marks the matching widgets with ignore_suspend = 1. Signed-off-by: Chancel Liu <chancel.liu@nxp.com> Link: https://patch.msgid.link/20260507013654.2945915-3-chancel.liu@nxp.com Signed-off-by: Mark Brown <broonie@kernel.org>
2026-05-25ASoC: dapm: Fix widget lookup with prefixed names across DAPM contextsChancel Liu
Currently dapm_find_widget() manually constructs a prefixed widget name based on the provided DAPM context and compares it using strcmp(). This happens to work in most cases because callers usually know which DAPM context the target widget belongs to and pass in the matching DAPM context. However, this assumption breaks when search_other_contexts is enabled. In such cases, callers may intentionally pass a different DAPM context, while searching for a widget that actually belongs to another DAPM context. For example, when searching for a "DAC" widget, the widget belongs to the codec DAPM and be registered with a codec prefix, while the caller passes card->dapm and intends to search across all DAPM contexts. The current implementation incorrectly applies the caller card DAPM causing the lookup to fail even though the widget exists on the card. Improve the matching strategy to support both use cases: 1. When the caller provides a fully qualified name with prefix, perform exact string matching. This preserves the ability to use prefixes for disambiguation. 2. When the caller provides a bare widget name without prefix, try exact matching first, then fall back to prefix-stripped comparison using snd_soc_dapm_widget_name_cmp(). To determine whether the pin name includes a prefix, a new helper function snd_soc_dapm_pin_has_prefix() is introduced. It checks if the pin name starts with any known component prefix on the card. This fixes widget lookup failures when searching across different DAPM contexts while maintaining backward compatibility for explicitly prefixed lookups. Fixes: ae4fc532244b ("ASoC: dapm: use component prefix when checking widget names") Signed-off-by: Chancel Liu <chancel.liu@nxp.com> Assisted-by: Cody:Claude-4.5-Sonnet Link: https://patch.msgid.link/20260507013654.2945915-2-chancel.liu@nxp.com Signed-off-by: Mark Brown <broonie@kernel.org>
2026-05-25ASoC: add shared BCLK rate constraint for cross-DAI coordinationMark Brown
Troy Mitchell <troy.mitchell@linux.spacemit.com> says: On some SoCs (e.g. SpacemiT K3), multiple I2S controllers share the same physical BCLK. When one controller is already streaming, the others must use hw_params that result in the same BCLK rate, otherwise the shared clock would be reconfigured and corrupt the active stream. This series adds framework-level support for this constraint: Patch 1 adds the dt-bindings for the spacemit,k3-i2s compatible. The K3 SoC uses the same I2S IP as K1 but requires additional clocks: a dedicated sysclk_div, along with c_sysclk and c_bclk which are shared across multiple I2S controllers. Patch 2 adds a DEFINE_GUARD wrapping snd_soc_card_mutex_lock() and snd_soc_card_mutex_unlock() so that scope-based locking picks up the SND_SOC_CARD_CLASS_RUNTIME lockdep subclass. Patch 3 adds the constraint logic in soc-pcm.c. During PCM open, every DAI that has a bclk clock pointer gets a hw_rule registered unconditionally. The rule callback runs at hw_refine time: it scans the card for an active peer sharing the same physical BCLK (via clk_is_match()) that has already completed hw_params, then constrains the current stream's rate to match the established BCLK rate. The first DAI to complete hw_params is unconstrained; subsequent DAIs must match. Two modes are supported: - Default (I2S): BCLK = rate * channels * sample_bits. The rule derives the valid rate range from the current channel and sample_bits intervals. - Explicit ratio (TDM): if the driver sets dai->bclk_ratio (e.g. slots * slot_width), the rule computes the single valid rate as active_bclk_rate / bclk_ratio. This series was prompted by review feedback on the SpacemiT K3 I2S series, where a vendor-specific fixed-sample-rate property was rejected in favor of a generic framework solution: https://lore.kernel.org/all/afFqgF6ZRwYdfUmL@sirena.co.uk/ Link: https://patch.msgid.link/20260522-i2s-same-blk-v4-0-a71a86faaa20@linux.spacemit.com
2026-05-25ASoC: soc-dai: add shared BCLK clock for cross-DAI rate constraintsTroy Mitchell
Add a bclk field to struct snd_soc_dai and a helper function snd_soc_dai_set_bclk_clk() that platform drivers can use to declare which clock is their BCLK. Also cache the bclk_ratio in snd_soc_dai_set_bclk_ratio() so that the framework can use it later in hw_rule evaluation for TDM configurations where BCLK = rate * slots * slot_width. When multiple DAIs on the same card share the same physical BCLK (detected via clk_is_match()), the ASoC core can automatically constrain their hw_params so that the resulting BCLK rates are compatible. This commit adds the data structure support; the actual constraint logic follows in the next patch. Signed-off-by: Troy Mitchell <troy.mitchell@linux.spacemit.com> Link: https://patch.msgid.link/20260522-i2s-same-blk-v4-1-a71a86faaa20@linux.spacemit.com Signed-off-by: Mark Brown <broonie@kernel.org>
2026-05-25drm/exec, drm/xe, drm/amdgpu: Add an accessor for struct drm_exec::ticketThomas Hellström
Drivers were accessing this drm_exec member directly. While that may seem harmless, it will require action if the drm_exec utility is made a subclass of a dma-resv transaction utility as outlined in the cover-letter. Provide an accessor, drm_exec_ticket() to avoid that. v2: - Fix amdgpu compile error (Intel CI) - Update the commit message. Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com> Reviewed-by: Christian König <christian.koenig@amd.com> Link: https://patch.msgid.link/20260520101616.41284-5-thomas.hellstrom@linux.intel.com
2026-05-25drm/exec, drm/xe: Avoid abusing the drm_exec retry pointerThomas Hellström
The xe driver was using the drm_exec retry pointer directly to restart the locking loop after out-of-memory errors. This is relying on undocumented behaviour. Instead add a drm_exec_retry() macro that can be used in this situation, and that also warns if the struct drm_exec is not newly (re-)initialized. Use that macro in xe. v2: - Only allow if the drm_exec context is newly initialized. (Christian) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com> Reviewed-by: Christian König <christian.koenig@amd.com> Link: https://patch.msgid.link/20260520101616.41284-4-thomas.hellstrom@linux.intel.com
2026-05-25drm/exec: Make the drm_exec_until_all_locked() macro more readableThomas Hellström
Use __UNIQUE_ID as done elsewhere in the kernel rather than a hand-rolled __PASTE to craft a unique id. Also use __maybe_unused rather than (void) to signify that a variable, althrough written to, may not actually be used. v2: - Move assignment to declaration (Christian) - Declare the retry pointer as void *const. Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com> Reviewed-by: Christian König <christian.koenig@amd.com> Link: https://patch.msgid.link/20260520101616.41284-3-thomas.hellstrom@linux.intel.com
2026-05-25drm/exec: Remove the index parameter from drm_exec_for_each_locked_obj[_reverse]Thomas Hellström
Nobody makes any use of it. Possible internal future users can instead use the _index variable. External users shouldn't use it since the array it's pointing into is internal drm_exec state. v2: - Use a unique id for the loop variable (Christian) Assisted-by: GitHub Copilot:claude-sonnet-4.6 Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com> Reviewed-by: Christian König <christian.koenig@amd.com> Link: https://patch.msgid.link/20260520101616.41284-2-thomas.hellstrom@linux.intel.com
2026-05-25ACPI: button: Enable wakeup GPEs for ACPI buttons at probe timeRafael J. Wysocki
Prior to commit 57c31e6d620f ("ACPI: scan: Use acpi_setup_gpe_for_wake() for buttons"), ACPI button wakeup GPEs having handler methods remained enabled after acpi_wakeup_gpe_init(), but currently they are not enabled because acpi_setup_gpe_for_wake() disables them. That causes function keys to stop working on some systems [1] and there may be other related issues elsewhere. To address that, make the ACPI button driver enable wakeup GPEs for ACPI buttons so long as they have handler methods. While this does not restore the old behavior exactly (the ACPI button driver needs to be bound to the button devices for the GPEs to be enabled), it should be sufficient to restore the missing functionality. For this purpose, introduce acpi_enable_gpe_cond() that enables a GPE if its dispatch type matches the supplied one and modify acpi_button_probe() to use that function for enabling the GPEs in question. Fixes: 57c31e6d620f ("ACPI: scan: Use acpi_setup_gpe_for_wake() for buttons") Reported-by: Nick <nick@kousu.ca> Closes: https://lore.kernel.org/linux-acpi/E2OXET.4X5GTP37VTNC3@kousu.ca/ [1] Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> Tested-by: Nick <nick@kousu.ca> Cc: 7.0+ <stable@vger.kernel.org> # 7.0+ Link: https://patch.msgid.link/9629117.CDJkKcVGEf@rafael.j.wysocki
2026-05-25Merge branch 'for-linus' into for-nextTakashi Iwai
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2026-05-25Merge tag 'v7.1-rc5' into driver-core-nextDanilo Krummrich
We need the driver-core fixes in here as well to build on top of. Signed-off-by: Danilo Krummrich <dakr@kernel.org>
2026-05-24regulator: add support for SGM3804 Dual Output driverMark Brown
Neil Armstrong <neil.armstrong@linaro.org> says: Add support for the SG Micro SGM3804 Single Inductor Dual Output Buck/Boost Converter used to power LCD panels a provide positive and negative power rails with configurable voltage and active discharge function for each output. The SGM3804 is powered by the enable GPIO pins inputs and only supports I2C write messages. In order to add flexibility and simplify the driver, the regmap cache is enabled and populated with default values since we can't write registers when the 2 GPIOs are down. This regulator is used to provide vsn and vsn power to the Ayaneo Pocket S2 dual-DSI LCD panel. Link: https://patch.msgid.link/20260522-topic-sm8650-ayaneo-pocket-s2-sgm3804-v5-0-bd6b1c300ecc@linaro.org
2026-05-24netfilter: x_tables: disable 32bit compat interface in user namespacesFlorian Westphal
This feature is required to use 32bit arp/ip/ip6/ebtables binaries on 64bit kernels. I don't think there are many users left. Support has been a compile-time option since 2021 and defaults to off since 2023. The XTABLES_COMPAT config option is already off in many distributions including Debian and Fedora. Give a few more months before complete removal but disable support in user namespaces already. Assisted-by: Claude:claude-sonnet-4-6 Signed-off-by: Florian Westphal <fw@strlen.de>
2026-05-24Merge tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpfLinus Torvalds
Pull bpf fixes from Alexei Starovoitov: - Fix bpf_throw() and global subprog combination (Kumar Kartikeya Dwivedi) - Fix out of bounds access in BPF interpreter (Yazhou Tang) - Fix potential out of bounds access in inner per-cpu array map (Guannan Wang) - Reject NULL data/sig in bpf_verify_pkcs7_signature (KP Singh) * tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf: libbpf: fix off-by-one in emit_signature_match jump offset bpf: Reject NULL data/sig in bpf_verify_pkcs7_signature selftests/bpf: Cover global subprog exception leaks bpf: Check global subprog exception paths bpf: make bpf_session_is_return() reference optional bpf: Use array_map_meta_equal for percpu array inner map replacement selftests/bpf: Add test for large offset bpf-to-bpf call bpf: Fix s16 truncation for large bpf-to-bpf call offsets bpf: Fix out-of-bounds read in bpf_patch_call_args()
2026-05-24RDMA/bnxt_re: Enable app allocated QPsSriharsha Basavapatna
The driver supports a new comp_mask: REQ_MASK_FIXED_QUE_ATTR. The application sets this comp_mask bit in the CREATE_QP ureq to indicate direct control of the QP. The driver goes through the required processing for app allocated QPs (previous patches). Only variable WQE mode is supported for these QPs. This patch removes an unused comp_mask: BNXT_RE_QP_REQ_MASK_VAR_WQE_SQ_SLOTS Link: https://patch.msgid.link/r/20260519150041.7251-10-sriharsha.basavapatna@broadcom.com Signed-off-by: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com> Reviewed-by: Selvin Xavier <selvin.xavier@broadcom.com> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
2026-05-24RDMA/bnxt_re: Support doorbells for app allocated QPsSriharsha Basavapatna
App allocated QPs can use a separate doorbell for each QP. This doorbell region can be passed through a new driver specific DBR_HANDLE attribute, during QP creation. When this attribute is set, associate the QP with the given doorbell region. While the QP holds a reference to the dbr, the dbr itself cannot be destroyed and is rejected with EBUSY error. Link: https://patch.msgid.link/r/20260519150041.7251-9-sriharsha.basavapatna@broadcom.com Signed-off-by: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com> Reviewed-by: Selvin Xavier <selvin.xavier@broadcom.com> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
2026-05-24RDMA/bnxt_re: Update msn table size for app allocated QPsSriharsha Basavapatna
For app allocated QPs, the driver shouldn't use slots/round-up logic to compute the msn table size. The application handles this logic and computes 'sq_npsn' and passes it to the driver using a new uapi parameter. Link: https://patch.msgid.link/r/20260519150041.7251-5-sriharsha.basavapatna@broadcom.com Signed-off-by: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com> Reviewed-by: Selvin Xavier <selvin.xavier@broadcom.com> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
2026-05-24rcu: Document rcu_access_pointer() feeding into cmpxchg()Paul E. McKenney
This commit documents the rcu_access_pointer() use case for fetching the old value of an RCU-protected pointer within a lockless updater for use by an atomic cmpxchg() operation. Reviewed-by: Frederic Weisbecker <frederic@kernel.org> Reported-by: Maxim Mikityanskiy <maximmi@nvidia.com> Signed-off-by: Paul E. McKenney <paulmck@kernel.org> Signed-off-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
2026-05-24srcu: Fix kerneldoc header comment typo in srcu_down_read_fast()Paul E. McKenney
s/srcu_read_lock_safe()/srcu_read_lock_fast_updown(), there being no such thing as srcu_read_lock_safe(). Signed-off-by: Paul E. McKenney <paulmck@kernel.org> Signed-off-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
2026-05-24torture: Add torture_sched_set_normal() for user-specified nice valuesPaul E. McKenney
This new torture_sched_set_normal() function clamps the nice value at the MIN_NICE..MAX_NICE limits, splatting it these limits are exceeded. It then invokes sched_set_normal() to set the new value. This prevents more difficult-to-debug failures within the scheduler. Signed-off-by: Paul E. McKenney <paulmck@kernel.org> Signed-off-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
2026-05-23Merge tag 'driver-core-7.1-rc5' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/driver-core/driver-core Pull driver core fixes from Danilo Krummrich: - Remove the software node on platform device release(); without this, the software node remains registered after the device is gone and a subsequent platform_device_register_full() reusing the same node fails with -EBUSY - In sysfs_update_group(), do not remove a pre-existing directory when create_files() fails; the previous code would silently destroy a sysfs group that the caller did not create - Set fwnode->secondary to NULL in fwnode_init() to avoid dereferencing uninitialized memory (e.g. in dev_to_swnode()) when the firmware node is allocated on the stack or via a non-zeroing allocator * tag 'driver-core-7.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/driver-core/driver-core: device property: set fwnode->secondary to NULL in fwnode_init() sysfs: don't remove existing directory on update failure driver core: platform: remove software node on release()
2026-05-23Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdmaLinus Torvalds
Pull rdma fixes from Jason Gunthorpe: - syzbot triggred crash in rxe due to concurrent plug/unplug - Possible non-zero'd memory exposed to userspace in bnxt_re - Malicous 'magic packet' with SIW causes a buffer overflow - Tighten the new uAPI validation code to not crash in debugging prints and have the right module dependencies in drivers - mana was missing the max_msg_sz report to userspace - UAF in rtrs on an error path * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma: RDMA/rtrs: Fix use-after-free in path file creation cleanup RDMA/mana_ib: Report max_msg_sz in mana_ib_query_port RDMA/core: Do not read wild stack memory in uverbs_get_handler_fn() RDMA/core: Move the _ib_copy_validate_udata* functions to ib_core_uverbs RDMA/siw: Reject MPA FPDU length underflow before signed receive math RDMA/bnxt_re: zero shared page before exposing to userspace selftests/rdma: explicitly skip tests when required modules are missing RDMA/nldev: Add mutual exclusion in nldev_dellink()
2026-05-23PCI: Indicate context lost if L1SS exit is broken during resume from system ↵Manivannan Sadhasivam
suspend Per PCIe v7.0, sec 5.5.3.3.1, when exiting L1.2 due to an endpoint asserting CLKREQ# signal, the REFCLK must be turned on within the latency advertised in the LTR message. This requirement applies to L1.1 as well. On some platforms like Qcom, these requirements are satisfied during OS runtime, but not while resuming from the system suspend. This happens because the PCIe RC driver may remove all resource votes and turn off the PHY analog circuitry during suspend to maximize power savings while keeping the link in L1SS. Consequently, when the endpoint asserts CLKREQ# to wake up, the RC driver must restore the PHY and enable the REFCLK. When this recovery process exceeds the L1SS exit latency time (roughly L10_REFCLK_ON + T_COMMONMODE), the endpoint may treat it as a fatal condition and trigger Link Down (LDn). This results in a reset that destroys the internal device state. So to indicate this platform limitation to the client drivers, introduce a new flag 'pci_host_bridge::broken_l1ss_resume' and check it in pci_suspend_retains_context(). If the flag is set by the RC driver, the API will return 'false' indicating the client drivers that the device context may not be retained and the drivers must be prepared for context loss. Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com> Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Link: https://patch.msgid.link/20260519-l1ss-fix-v2-2-b2c3a4bdeb15@oss.qualcomm.com
2026-05-23char: dtlk: remove driver for ISA speech synthesizer cardEthan Nelson-Moore
The dtlk driver supports the RC Systems DoubleTalk PC ISA speech synthesizer card. It has severe coding style issues and has only received tree-wide fixes and drive-by cleanups in the entire Git history (since Linux 2.6.12-rc2). The same hardware is supported by drivers/accessibility/speakup for screen reader use, but that implementation does not share any code with this driver. Given all of these factors, it is likely the driver is entirely unused. Remove it to reduce future maintenance workload. Note: The removed maintainer is already listed in CREDITS. Signed-off-by: Ethan Nelson-Moore <enelsonmoore@gmail.com> Link: https://patch.msgid.link/20260502043341.34324-1-enelsonmoore@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-05-23PCI: Add pci_suspend_retains_context() to check if device state is preserved ↵Manivannan Sadhasivam
during suspend Currently, PCI endpoint drivers (e.g. nvme) use pm_suspend_via_firmware() to check whether device state is preserved during system suspend. If firmware will be invoked at the end of suspend, we don't know whether devices will retain their internal state. But device context might be lost due to platform issues as well. Having those checks in endpoint drivers will not scale and will cause a lot of code duplication. Add pci_suspend_retains_context() as a sole point of truth that the endpoint drivers can rely on to check whether they can expect the device context to be retained or not. If pci_suspend_retains_context() returns 'false', drivers need to prepare for context loss by performing actions such as resetting the device, saving the context, shutting it down etc. If it returns 'true', drivers do not need to perform any special action and can leave the device in active state. Right now, this API only incorporates pm_suspend_via_firmware(), but will be extended in future commits. Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com> Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Link: https://patch.msgid.link/20260519-l1ss-fix-v2-1-b2c3a4bdeb15@oss.qualcomm.com
2026-05-23bpf/arena: Add bpf_arena_map_kern_vm_start() and bpf_prog_arena()Tejun Heo
struct bpf_arena is opaque to callers outside arena.c. Add two helpers for struct_ops subsystems that need to reach into an arena: bpf_arena_map_kern_vm_start(struct bpf_map *map) returns @map's kern_vm_start. A sched_ext follow-up needs this to translate kern_va <-> uaddr. bpf_prog_arena(struct bpf_prog *prog) returns the bpf_map of the arena referenced by @prog (NULL if @prog references no arena). The verifier enforces at most one arena per program. Used by struct_ops callers that auto-discover an arena from a member prog and need to take a map reference. Suggested-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> Signed-off-by: Tejun Heo <tj@kernel.org> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Link: https://lore.kernel.org/r/20260522172219.1423324-6-tj@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-05-23bpf: Add bpf_struct_ops_for_each_prog()Tejun Heo
Add a helper that walks the member progs of the struct_ops map containing a given @kdata vmtable. struct_ops ->reg() callbacks (and similar) sometimes need to inspect the loaded BPF programs, e.g. to discover maps they reference via prog->aux->used_maps. The implementation mirrors bpf_struct_ops_id(): container_of @kdata to recover the bpf_struct_ops_map, then iterate st_map->links[i]->prog for i in [0, funcs_cnt). Same access pattern, no new locking - by the time ->reg() fires st_map is fully populated and stable. A sched_ext follow-up walks the member progs of a cid-form scheduler's struct_ops map, reads prog->aux->arena directly, and requires all member progs to reference exactly one arena, without requiring the BPF program to call a registration kfunc. Signed-off-by: Tejun Heo <tj@kernel.org> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Link: https://lore.kernel.org/r/20260522172219.1423324-5-tj@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-05-23bpf: Add sleepable variant of bpf_arena_alloc_pages for kernel callersTejun Heo
The existing kernel-side export of bpf_arena_alloc_pages is _non_sleepable only - it's used by the verifier to inline the kfunc when the call site is non-sleepable. There is no sleepable equivalent for kernel callers. The kfunc bpf_arena_alloc_pages itself is BPF-only. sched_ext needs sleepable kernel-side allocs for its arena pool init/grow paths. Add bpf_arena_alloc_pages_sleepable() mirroring the _non_sleepable wrapper but passing sleepable=true to arena_alloc_pages(). Signed-off-by: Tejun Heo <tj@kernel.org> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Link: https://lore.kernel.org/r/20260522172219.1423324-4-tj@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-05-23bpf: Recover arena kernel faults with scratch pageKumar Kartikeya Dwivedi
BPF arena usage is becoming more prevalent, but kernel <-> BPF communication over arena memory is awkward today. Data has to be staged through a trusted kernel pointer with extra code and copying on the BPF side. While reads through arena pointers can use a fault-safe helper, writes don't have a good solution. The in-line alternative would need instruction emulation or asm fixup labels. Enable direct kernel-side reads and writes within GUARD_SZ / 2 of any handed-in arena pointer, without bounds checking. A per-arena scratch page is installed by the arch fault path into empty arena kernel PTEs - x86 from page_fault_oops() for not-present faults, arm64 from __do_kernel_fault() for translation faults, both after the existing exception-table and KFENCE handling. The faulting instruction retries and the access is also reported through the program's BPF stream, preserving error reporting. bpf_prog_find_from_stack() resolves the current BPF program (and its arena) from the kernel stack - no new bpf_run_ctx state is added. Recovery covers the 4 GiB arena plus the upper half-guard (GUARD_SZ / 2). The lower half-guard is excluded because well-behaved kfuncs only access forward from arena pointers. The kfunc-author contract - access at most GUARD_SZ / 2 past a handed-in pointer - is documented in Documentation/bpf/kfuncs.rst. The install is lock-free via ptep_try_set(). On race-loss the winning installer's PTE is already valid, so the access retry succeeds. The arena clear path uses ptep_get_and_clear() so installer and clearer race through atomic accessors. No flush_tlb_kernel_range() afterwards. Stale "not mapped" entries just cause one extra re-fault, cheaper than a global IPI on every install. Scratch exists only to keep the kernel from oopsing on an in-line arena access. Its presence at a PTE means the BPF program has already malfunctioned, and the violation is reported through the program's BPF stream. The only requirement for behavior on a scratched PTE is that the kernel doesn't crash. In particular, any user-side access through such a PTE may segfault. The shared scratch page is freed once during map destruction. BPF instruction faults continue to use the existing JIT exception-table path. This patch changes only the kernel-text fault path. No UAPI flag is added. The new behavior is the default. v2: Use ptep_get_and_clear() in apply_range_clear_cb(). (David) v3: Stub bpf_arena_handle_page_fault() for !CONFIG_BPF_SYSCALL. (lkp) Suggested-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> Signed-off-by: Tejun Heo <tj@kernel.org> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Cc: David Hildenbrand <david@kernel.org> Link: https://lore.kernel.org/r/20260522172219.1423324-3-tj@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-05-23mm: Add ptep_try_set() for lockless empty-slot installsTejun Heo
Add ptep_try_set(ptep, new_pte): atomically set *ptep to new_pte iff it is currently pte_none(). Returns true on success, false if the slot was already populated or the arch has no implementation. The intended caller is the upcoming bpf_arena kernel-side fault recovery path. The install runs from a page fault that can be nested under locks held by the faulting kernel caller (e.g. a BPF program holding raw_res_spin_lock_irqsave on its arena's spinlock), so trylock-and-retry would A-A deadlock. Lock-free cmpxchg is the only viable option, which constrains this helper to special kernel page tables where concurrent writers cooperate via atomic accessors. The generic version in <linux/pgtable.h> returns false. x86 and arm64 override with try_cmpxchg-based implementations on the underlying pteval. Other architectures get the false stub - the callers there already fall through to oops. v2: Rename to ptep_try_set(). Tighten kerneldoc. (David, Alexei) v3: Note that strict-zero cmpxchg is narrower than pte_none(). (Andrea) Suggested-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> Suggested-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Tejun Heo <tj@kernel.org> Reviewed-by: Andrea Righi <arighi@nvidia.com> Cc: David Hildenbrand <david@kernel.org> Acked-by: David Hildenbrand (arm) <david@kernel.org> Link: https://lore.kernel.org/r/20260522172219.1423324-2-tj@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-05-23Merge tag 'renesas-pinctrl-for-v7.2-tag1' of ↵Linus Walleij
git://git.kernel.org/pub/scm/linux/kernel/git/geert/renesas-drivers into devel pinctrl: renesas: Updates for v7.2 - Save/restore more registers during suspend/resume on the RZ/G2L and RZ/V2H SoC families, - Add support for the RZ/G3L (R9A08G046) SoC, - Add support for pinconf-groups in debugfs on EMMA Mobile, SH/R-Mobile, R-Car, RZ/G1, and RZ/G2 SoCs, - Miscellaneous fixes and improvements. Signed-off-by: Linus Walleij <linusw@kernel.org>
2026-05-22scsi: core: Convert INQUIRY informationBart Van Assche
Currently the vendor, model, and revision members of struct scsi_device are pointers to fixed-length strings that are not NUL-terminated. Fixed-precision format specifiers (e.g., "%.8s") are required whenever they are printed and strncmp() must be used to compare these fields. This is error-prone. Convert these fields to fixed-size character arrays within struct scsi_device. Remove an !sdev->model check because sdev->model is now guaranteed not to be NULL. This patch fixes a bug in the qla2xxx driver. It makes the following code safe: if (state_flags & BIT_4) scmd_printk(KERN_WARNING, cp, "Unsupported device '%s' found.\n", cp->device->vendor); Signed-off-by: Bart Van Assche <bvanassche@acm.org> Tested-by: Brian Bunker <brian@purestorage.com> Link: https://patch.msgid.link/20260515205222.1754621-4-bvanassche@acm.org Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2026-05-22scsi: core: target: Add INQUIRY-related constants to scsi_common.hBart Van Assche
Move three constants from target/target_core_base.h into scsi/scsi_common.h. Add three new constants in the scsi_common.h header file. This patch prepares for using these constants in the SCSI core. Signed-off-by: Bart Van Assche <bvanassche@acm.org> Tested-by: Brian Bunker <brian@purestorage.com> Link: https://patch.msgid.link/20260515205222.1754621-2-bvanassche@acm.org Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2026-05-22scsi: ufs: core: Add a quirk for extended TX EQTR Adapt L0L1L2L3 lengthCan Guo
Add a quirk to support TX Equalization Training (EQTR) using Adapt L0L1L2L3 length which is larger than what is allowed by M-PHY spec ver 6.0. Signed-off-by: Can Guo <can.guo@oss.qualcomm.com> Reviewed-by: Bean Huo <beanhuo@micron.com> Reviewed-by: Bart Van Assche <bvanassche@acm.org> Reviewed-by: Peter Wang <peter.wang@mediatek.com> Reviewed-by: Ziqi Chen <ziqi.chen@oss.qualcomm.com> Link: https://patch.msgid.link/20260501131641.826258-2-can.guo@oss.qualcomm.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2026-05-22dpll: change dpll_netdev_pin_handle_size() to assume DPLL_A_PIN_ID will be usedEric Dumazet
We plan to no longer hold RTNL in "ip link show", and use RCU instead. Assume rtnl_fill_dpll_pin() will have to fill DPLL_A_PIN_ID. It is fine to over-estimate skb size (by 8 bytes) in if_nlmsg_size(). Signed-off-by: Eric Dumazet <edumazet@google.com> Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev> Link: https://patch.msgid.link/20260521171440.114956-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-22net/sched: tbf: add extack to offload paramsDavid Yang
Drivers might have error messages to propagate to user space. Propagate the netlink extack so that they can inform user space in a verbal way of their limitations. Signed-off-by: David Yang <mmyangfl@gmail.com> Link: https://patch.msgid.link/20260521010320.208138-3-mmyangfl@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-22Merge tag 'cgroup-for-7.1-rc4-fixes' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup Pull cgroup fixes from Tejun Heo: "Two rstat fixes: - Out-of-bounds access in the css_rstat_updated() BPF kfunc when called with an unchecked user-supplied cpu - Over-strict NMI guard after the recent switch to try_cmpxchg left sparc and ppc64 unable to queue rstat updates from NMI" * tag 'cgroup-for-7.1-rc4-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup: cgroup: rstat: relax NMI guard after switch to try_cmpxchg cgroup/rstat: validate cpu before css_rstat_cpu() access
2026-05-22Merge tag 'drm-fixes-2026-05-23' of https://gitlab.freedesktop.org/drm/kernelLinus Torvalds
Pull drm fixes from Dave Airlie: "Regular fixes pull, amdgpu/xe being the usual, with bonus msm content to bulk things out, otherwise it has the usual scattered changes, with amdxdna dropping a badly thought out userspace api. gem: - clean up LRU locking msm: - Core: - Fixed bindings for SM8650, SM8750 and Eliza - Don't use UTS_RELEASE directly - Fix typo in clock-names property - DPU: - Fixed CWB description on Kaanapali - Fixed scanline strides for YUV UBWC formats - Stopped DSI register dumping to access past the end of region - DSI: - Fix dumping unaligned regions - GPU: - Fix GMEM_BASE for a6xx gen3 - Fix userspace reachable crash on a2xx-a4xx - Fix sysprof_active for counter collection with IFPC enabled GPUs - Fix shrinker lockdep amdgpu: - Userq fixes - VPE fix - SMU 15 fix - Misc fixes - VCE fixes - DC bios parsing fixes - DC aux fix - Mode1 reset fix - RAS fixes amdkfd: - Misc fixes radeon: - CS parser fix xe: - SRIOV related fixes - Fix leak and double-free - Multi-cast register fixes - Multi-queue fix i915: - Fix joiner color pipeline selection [display] - Fix readback for target_rr in Adaptive Sync SDP [dp] - Apply Intel DPCD workaround when SDP on prior line used [psr] amdxdna: - remove mmap and export for ubuf bridge: - chipone-icn6211: managed bridge cleanup - lt66121: acquire reset GPIO - megachips: fix clean up on failed IRQ requests v3d: - fix UAF in error code paths - release GEM-object ref on free'd jobs virtio: - use uninterruptible resv locking in plane updates mediatek: - fix sparse warnings" * tag 'drm-fixes-2026-05-23' of https://gitlab.freedesktop.org/drm/kernel: (78 commits) drm/xe/oa: Fix exec_queue leak on width check in stream open drm/virtio: use uninterruptible resv lock for plane updates drm/amdgpu: fix handling in amdgpu_userq_create drm/radeon/evergreen_cs: Add missing NULL prefix check in surface check drm/amdgpu: userq_va_mapped should remain true once done drm/amdgpu: avoid integer overflow in VA range check drm/amd/ras: Fix UMC error address allocation leak drm/amdgpu: unmap all user mappings of framebuffer and doorbell before mode1 reset drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transfer_async drm/amd/display: Validate GPIO pin LUT table size before iterating drm/amd/display: Fix integer overflow in bios_get_image() drm/amdkfd: Check bounds for allocate_sdma_queue restore_sdma_id drm/amdgpu: use atomic operation to achieve lockless serialization drm/amdkfd: Check bounds on allocate_doorbell drm/amdgpu/vce3: Fix VCE 3 firmware size and offsets drm/amdgpu/vce2: Fix VCE 2 firmware size and offsets drm/amdgpu/vce1: Stop using amdgpu_vce_resume drm/amdgpu/vce1: Fix VCE 1 firmware size and offsets drm/amdgpu/vce1: Don't repeat GTT MGR node allocation drm/amdgpu/vce1: Check if VRAM address is lower than GART. ...
2026-05-22net: mana: Expose hardware diagnostic info via debugfsErni Sri Satya Vennela
Add debugfs entries to expose hardware configuration and diagnostic information that aids in debugging driver initialization and runtime operations without adding noise to dmesg. The debugfs directory for each PCI device is named using pci_name() (the unique BDF address), and its creation and removal is integrated into mana_gd_setup() and mana_gd_cleanup_device() respectively, so that all callers (probe, remove, suspend, resume, shutdown) share a single code path. Device-level entries (under /sys/kernel/debug/mana/<BDF>/): - num_msix_usable, max_num_queues: Max resources from hardware - gdma_protocol_ver, pf_cap_flags1: VF version negotiation results - num_vports, bm_hostmode: Device configuration Per-vPort entries (under /sys/kernel/debug/mana/<BDF>/vportN/): - port_handle: Hardware vPort handle - max_sq, max_rq: Max queues from vPort config - indir_table_sz: Indirection table size - steer_rx, steer_rss, steer_update_tab, steer_cqe_coalescing: Last applied steering configuration parameters Signed-off-by: Erni Sri Satya Vennela <ernis@linux.microsoft.com> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20260519064621.772154-1-ernis@linux.microsoft.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-22cpufreq: Avoid redundant target() calls for unchanged limitsViresh Kumar
Drivers setting CPUFREQ_NEED_UPDATE_LIMITS expect target() to be invoked even if the target frequency remains unchanged, so they can update their internal policy limits state. Currently the core invokes target() unconditionally whenever the requested frequency matches policy->cur for such drivers, even if policy->min and policy->max haven't changed since the previous update. Track pending policy limit updates explicitly and skip redundant target() invocations when neither the target frequency nor the effective limits changed. Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org> Reviewed-by: Lifeng Zheng <zhenglifeng1@huawei.com> Reviewed-by: Zhongqiu Han <zhongqiu.han@oss.qualcomm.com> Link: https://patch.msgid.link/d0107c364b709abca21acf88072220bc05478594.1779423281.git.viresh.kumar@linaro.org Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2026-05-22cpufreq: Fix typo in commentViresh Kumar
Replace "diver" with "driver" in the comment describing CPUFREQ_NEED_UPDATE_LIMITS. Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org> Reviewed-by: Zhongqiu Han <zhongqiu.han@oss.qualcomm.com> Reviewed-by: Lifeng Zheng <zhenglifeng1@huawei.com> Link: https://patch.msgid.link/396f64411431ffbb5b4f07d1f2e0bbf9763d468f.1779423281.git.viresh.kumar@linaro.org Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2026-05-22vfio/pci: Use a private flag to prevent power state change with VFsRaghavendra Rao Ananta
The current implementation uses pci_num_vf() while holding the memory_lock to prevent changing the power state of a PF when VFs are enabled. This creates a lockdep circular dependency warning because memory_lock is held during device probing. [ 286.997167] ====================================================== [ 287.003363] WARNING: possible circular locking dependency detected [ 287.009562] 7.0.0-dbg-DEV #3 Tainted: G S [ 287.015074] ------------------------------------------------------ [ 287.021270] vfio_pci_sriov_/18636 is trying to acquire lock: [ 287.026942] ff45bea2294d4968 (&vdev->memory_lock){+.+.}-{4:4}, at: vfio_pci_core_runtime_resume+0x1f/0xa0 [ 287.036530] [ 287.036530] but task is already holding lock: [ 287.042383] ff45bea3a96b8230 (&new_dev_set->lock){+.+.}-{4:4}, at: vfio_group_fops_unl_ioctl+0x44d/0x7b0 [ 287.051879] [ 287.051879] which lock already depends on the new lock. [ 287.051879] [ 287.060070] [ 287.060070] the existing dependency chain (in reverse order) is: [ 287.067568] [ 287.067568] -> #2 (&new_dev_set->lock){+.+.}-{4:4}: [ 287.073941] __mutex_lock+0x92/0xb80 [ 287.078058] vfio_assign_device_set+0x66/0x1b0 [ 287.083042] vfio_pci_core_register_device+0xd1/0x2a0 [ 287.088638] vfio_pci_probe+0xd2/0x100 [ 287.092933] local_pci_probe_callback+0x4d/0xa0 [ 287.098001] process_scheduled_works+0x2ca/0x680 [ 287.103158] worker_thread+0x1e8/0x2f0 [ 287.107452] kthread+0x10c/0x140 [ 287.111230] ret_from_fork+0x18e/0x360 [ 287.115519] ret_from_fork_asm+0x1a/0x30 [ 287.119983] [ 287.119983] -> #1 ((work_completion)(&arg.work)){+.+.}-{0:0}: [ 287.127219] __flush_work+0x345/0x490 [ 287.131429] pci_device_probe+0x2e3/0x490 [ 287.135979] really_probe+0x1f9/0x4e0 [ 287.140180] __driver_probe_device+0x77/0x100 [ 287.145079] driver_probe_device+0x1e/0x110 [ 287.149803] __device_attach_driver+0xe3/0x170 [ 287.154789] bus_for_each_drv+0x125/0x150 [ 287.159346] __device_attach+0xca/0x1a0 [ 287.163720] device_initial_probe+0x34/0x50 [ 287.168445] pci_bus_add_device+0x6e/0x90 [ 287.172995] pci_iov_add_virtfn+0x3c9/0x3e0 [ 287.177719] sriov_add_vfs+0x2c/0x60 [ 287.181838] sriov_enable+0x306/0x4a0 [ 287.186038] vfio_pci_core_sriov_configure+0x184/0x220 [ 287.191715] sriov_numvfs_store+0xd9/0x1c0 [ 287.196351] kernfs_fop_write_iter+0x13f/0x1d0 [ 287.201338] vfs_write+0x2be/0x3b0 [ 287.205286] ksys_write+0x73/0x100 [ 287.209233] do_syscall_64+0x14d/0x750 [ 287.213529] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 287.219120] [ 287.219120] -> #0 (&vdev->memory_lock){+.+.}-{4:4}: [ 287.225491] __lock_acquire+0x14c6/0x2800 [ 287.230048] lock_acquire+0xd3/0x2f0 [ 287.234168] down_write+0x3a/0xc0 [ 287.238019] vfio_pci_core_runtime_resume+0x1f/0xa0 [ 287.243436] __rpm_callback+0x8c/0x310 [ 287.247730] rpm_resume+0x529/0x6f0 [ 287.251765] __pm_runtime_resume+0x68/0x90 [ 287.256402] vfio_pci_core_enable+0x44/0x310 [ 287.261216] vfio_pci_open_device+0x1c/0x80 [ 287.265947] vfio_df_open+0x10f/0x150 [ 287.270148] vfio_group_fops_unl_ioctl+0x4a4/0x7b0 [ 287.275476] __se_sys_ioctl+0x71/0xc0 [ 287.279679] do_syscall_64+0x14d/0x750 [ 287.283975] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 287.289559] [ 287.289559] other info that might help us debug this: [ 287.289559] [ 287.297582] Chain exists of: [ 287.297582] &vdev->memory_lock --> (work_completion)(&arg.work) --> &new_dev_set->lock [ 287.297582] [ 287.310023] Possible unsafe locking scenario: [ 287.310023] [ 287.315961] CPU0 CPU1 [ 287.320510] ---- ---- [ 287.325059] lock(&new_dev_set->lock); [ 287.328917] lock((work_completion)(&arg.work)); [ 287.336153] lock(&new_dev_set->lock); [ 287.342523] lock(&vdev->memory_lock); [ 287.346382] [ 287.346382] *** DEADLOCK *** [ 287.346382] [ 287.352315] 2 locks held by vfio_pci_sriov_/18636: [ 287.357125] #0: ff45bea208ed3e18 (&group->group_lock){+.+.}-{4:4}, at: vfio_group_fops_unl_ioctl+0x3e3/0x7b0 [ 287.367048] #1: ff45bea3a96b8230 (&new_dev_set->lock){+.+.}-{4:4}, at: vfio_group_fops_unl_ioctl+0x44d/0x7b0 [ 287.376976] [ 287.376976] stack backtrace: [ 287.381353] CPU: 191 UID: 0 PID: 18636 Comm: vfio_pci_sriov_ Tainted: G S 7.0.0-dbg-DEV #3 PREEMPTLAZY [ 287.381355] Tainted: [S]=CPU_OUT_OF_SPEC [ 287.381356] Call Trace: [ 287.381357] <TASK> [ 287.381358] dump_stack_lvl+0x54/0x70 [ 287.381361] print_circular_bug+0x2e1/0x300 [ 287.381363] check_noncircular+0xf9/0x120 [ 287.381364] ? __lock_acquire+0x5b4/0x2800 [ 287.381366] __lock_acquire+0x14c6/0x2800 [ 287.381368] ? pci_mmcfg_read+0x4f/0x220 [ 287.381370] ? pci_mmcfg_write+0x57/0x220 [ 287.381371] ? lock_acquire+0xd3/0x2f0 [ 287.381373] ? pci_mmcfg_write+0x57/0x220 [ 287.381374] ? lock_release+0xef/0x360 [ 287.381376] ? vfio_pci_core_runtime_resume+0x1f/0xa0 [ 287.381377] lock_acquire+0xd3/0x2f0 [ 287.381378] ? vfio_pci_core_runtime_resume+0x1f/0xa0 [ 287.381379] ? lock_is_held_type+0x76/0x100 [ 287.381382] down_write+0x3a/0xc0 [ 287.381382] ? vfio_pci_core_runtime_resume+0x1f/0xa0 [ 287.381383] vfio_pci_core_runtime_resume+0x1f/0xa0 [ 287.381384] ? __pfx_pci_pm_runtime_resume+0x10/0x10 [ 287.381385] __rpm_callback+0x8c/0x310 [ 287.381386] ? ktime_get_mono_fast_ns+0x3d/0xb0 [ 287.381389] ? __pfx_pci_pm_runtime_resume+0x10/0x10 [ 287.381390] rpm_resume+0x529/0x6f0 [ 287.381392] ? lock_is_held_type+0x76/0x100 [ 287.381394] __pm_runtime_resume+0x68/0x90 [ 287.381396] vfio_pci_core_enable+0x44/0x310 [ 287.381398] vfio_pci_open_device+0x1c/0x80 [ 287.381399] vfio_df_open+0x10f/0x150 [ 287.381401] vfio_group_fops_unl_ioctl+0x4a4/0x7b0 [ 287.381402] __se_sys_ioctl+0x71/0xc0 [ 287.381404] do_syscall_64+0x14d/0x750 [ 287.381405] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 287.381406] ? trace_irq_disable+0x25/0xd0 [ 287.381409] entry_SYSCALL_64_after_hwframe+0x77/0x7f Introduce a private flag 'sriov_active' in the vfio_pci_core_device struct. This allows the driver to track the SR-IOV power state requirement without relying on pci_num_vf() while holding the memory_lock. The lock is now only held to set the flag and ensure the device is in D0, after which pci_enable_sriov() can be called without the lock. Fixes: f4162eb1e2fc ("vfio/pci: Change the PF power state to D0 before enabling VFs") Cc: stable@vger.kernel.org Suggested-by: Jason Gunthorpe <jgg@ziepe.ca> Suggested-by: Alex Williamson <alex@shazbot.org> Signed-off-by: Raghavendra Rao Ananta <rananta@google.com> Link: https://lore.kernel.org/r/20260514173449.3282188-1-rananta@google.com [promote bitfield to plain bool to avoid storage-unit races] Signed-off-by: Alex Williamson <alex@shazbot.org>