summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2026-06-10pinctrl: qcom: eliza: Add missing sdc2 pin function mappingsAbel Vesa
GPIOs 38, 39, 48 and 49 support the SDC2 DATA function, while GPIO 51 supports SDC2 CMD and GPIO 62 supports SDC2 CLK. However, the sdc2 pin function is not listed in the corresponding pingroup definitions, preventing these pins from being muxed for SDC2 operation. Add the missing sdc2 function mappings. Fixes: 6f26989e15fb ("pinctrl: qcom: Add Eliza pinctrl driver") Signed-off-by: Abel Vesa <abel.vesa@oss.qualcomm.com> Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com> Signed-off-by: Linus Walleij <linusw@kernel.org>
2026-06-10pinctrl: Use named initializers for arrays of i2c_device_dataUwe Kleine-König (The Capable Hub)
While being less compact, using named initializers allows to more easily see which members of the structs are assigned which value without having to lookup the declaration of the struct. And it's also more robust against changes to the struct definition. The mentioned robustness is relevant for a planned change to struct i2c_device_id that replaces .driver_data by an anonymous union. While touching all these arrays, unify usage of whitespace in the list terminator. This patch doesn't modify the compiled arrays, only their representation in source form benefits. The former was confirmed with x86 and arm64 builds. Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com> Signed-off-by: Linus Walleij <linusw@kernel.org>
2026-06-10i2c: mxs: add missing kernel-doc for struct mxs_i2c_dev membersRosen Penev
Add kernel-doc documentation for the struct members that were previously undocumented. This fixes warnings when building with W=1 and ensures the struct is fully documented per kernel-doc conventions. Assisted-by: opencode:big-pickle Signed-off-by: Rosen Penev <rosenp@gmail.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Signed-off-by: Andi Shyti <andi.shyti@kernel.org> Link: https://lore.kernel.org/r/20260603031135.289302-1-rosenp@gmail.com
2026-06-10Merge tag 'imx-dt64-7.2-part2' of ↵Arnd Bergmann
git://git.kernel.org/pub/scm/linux/kernel/git/frank.li/linux into soc/dt i.MX arm64 device tree changes for v7.2 (part2) - Revert the 32-bit non-prefetchable PCIe window from 3 GiB back to 1 GiB to prevent overlap between inbound DMA address space and low system RAM. Such overlap can cause DMA transactions to be routed to a BAR on the same host bridge instead of system memory. * tag 'imx-dt64-7.2-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/frank.li/linux: arm64: dts: lx2160a-rev2: avoid 32-bit pcie window system ram overlap Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2026-06-10Merge tag 'imx-dt64-7.2' of ↵Arnd Bergmann
git://git.kernel.org/pub/scm/linux/kernel/git/frank.li/linux into soc/dt i.MX dt64 changes for v7.2 New Board Support: Added 15+ new boards including i.MX95 (FRDM PRO, Aquila, Audio Board v2), i.MX93/91 (Variscite DART/VAR-SOM), i.MX8 (TQMa8QM, SolidRun i.MX8DXL HummingBoard), Toradex Verdin Zinnia variants, and LX2160A Half Twins. PCIe Improvements: Added Root Port nodes and PERST properties across iMX8MM/MP/MQ/DXL/QM/QXP/95, new PCIe support for iMX94/943, common M.2 PCIe overlay, fixed outbound address space configuration Graphics, Camera and Display: Mali G310 GPU for iMX952, HDMI for iMX8MP PhyBoard, extensive DH Electronics panel overlays, Extensive overlay ecosystem for DH Electronics iMX8MP boards, PhyBoard PEB-AV-18, camera (OV5640), and ethernet configuration overlays Peripheral Support: S32G2/G3 PIT/ADC/PWM, iMX8ULP CSI/ISI, iMX943 SD WiFi, USB hub for LX2160A, TPM/CAN/ADC support for Variscite boards, Bluetooth and UART enhancements for Toradex SMARC boards. Enhancements Added gpio-line-namesacross PhyBOARD platforms. Watchdog reset pinctrl configurations for iMX91 boards, Ethernet PHY reset GPIO support. Bug Fixes: Corrected DDR PMU interrupts, SMMU registers, watchdog addresses, interrupt flags, GPIO configurations, PHY reset handling, and RS485 polarity, USDHC signal configurations for PhyCORE SoMs. * tag 'imx-dt64-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/frank.li/linux: (110 commits) arm64: dts: imx{91,93}-phyboard-segin: Add peb-av-18 overlays arm64: dts: imx93-var-som-symphony: enable ADC arm64: dts: imx93-var-som-symphony: enable TPM3 PWM arm64: dts: imx93-var-som-symphony: keep RGB_SEL low arm64: dts: imx93-var-som-symphony: enable UART7 arm64: dts: imx93-var-som-symphony: add TPM support arm64: dts: imx91-var-som-symphony: fix RGB_SEL handling arm64: dts: freescale: fsl-ls1028a-tqmls1028a-mbls1028a: switch mmc aliases arm64: dts: imx943-evk-sdwifi: add a new dtso to support SDIW612 WiFi arm64: dts: imx8mp-kontron: Fix GPIO for display power switch arm64: dts: freescale: imx95-aquila: Add Clover carrier board arm64: dts: freescale: add Aquila iMX95 support dt-bindings: arm: fsl: add Aquila iMX95 arm64: dts: tqma8mpql-mba8mpxl: configure sai clock in audio codec as well arm64: dts: freescale: add i.MX95 19x19 FRDM PRO board dts dt-bindings: arm: fsl: Add i.MX95 19x19 FRDM PRO board arm64: dts: s32g: add PWM support for s32g2 and s32g3 arm64: dts: s32g3: Fix SWT8 watchdog address arm64: dts: imx95-var-dart-sonata: add CAN controller arm64: dts: imx95-var-dart-sonata: add TPM reset GPIO ... Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2026-06-10pinctrl: qcom: lpass-lpi: drop unused runtime-PM write helperAjay Kumar Nandam
lpi_gpio_write() became unused after the PM clock runtime conversion switched write paths to register helper calls inside callers that already hold an active runtime-PM reference. With -Werror this triggers: error: 'lpi_gpio_write' defined but not used [-Wunused-function] Drop the dead wrapper and rename the low-level MMIO helpers from __lpi_gpio_* to lpi_gpio_*_reg for neutral register-accessor naming. Fixes: b719ede389d8 ("pinctrl: qcom: lpass-lpi: Switch to PM clock framework for runtime PM") Reported-by: Nathan Chancellor <nathan@kernel.org> Closes: https://lore.kernel.org/all/f03850f6-186d-4988-a450-e6e95f24a551@kernel.org/ Signed-off-by: Ajay Kumar Nandam <ajay.nandam@oss.qualcomm.com> Signed-off-by: Linus Walleij <linusw@kernel.org>
2026-06-10vfio/qat: fix f_pos race in qat_vf_resume_write()Giovanni Cabiddu
qat_vf_resume_write() checks filp->f_pos before taking migf->lock, but copies into the migration-state buffer after taking the lock and re-reading the shared file position. Two concurrent writers could therefore pass the bounds check with the old offset, then have the second writer copy after the first advanced f_pos, writing past the end of the migration-state buffer. Take migf->lock before doing the boundary checks. Fixes: bb208810b1ab ("vfio/qat: Add vfio_pci driver for Intel QAT SR-IOV VF devices") Reviewed-by: Ahsan Atta <ahsan.atta@intel.com> Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com> Link: https://lore.kernel.org/r/20260608151317.136613-1-giovanni.cabiddu@intel.com Signed-off-by: Alex Williamson <alex@shazbot.org>
2026-06-10dt-bindings: interrupt-controller: renesas,r9a09g077-icu: Fix reg size in ↵Geert Uytterhoeven
example According to Figure 5.1 ("Unified memory map"), the safety register block is 64 KiB large, just like the non-safety register block. Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be> Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Link: https://patch.msgid.link/364ff570c8a1845fab24bd89557f06c9e406f8de.1781105007.git.geert+renesas@glider.be Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
2026-06-10perf tools: Fix the check for parameterized field in event termAthira Rajeev
The format_alias() function in util/pmu.c has a check to detect whether the event has parameterized field ( =? ). The string alias->terms contains the event and if the event has user configurable parameter, there will be presence of sub string "=?" in the alias->terms. Snippet of code: /* Paramemterized events have the parameters shown. */ if (strstr(alias->terms, "=?")) { /* No parameters. */ snprintf(buf, len, "%.*s/%s/", (int)pmu_name_len, pmu->name, alias->name); if "strstr" contains the substring, it returns a pointer and hence enters the above check which is not the expected check. And hence "perf list" doesn't have the parameterized fields in the result. Fix this check to use: if (!strstr(alias->terms, "=?")) { With this change, perf list shows the events correctly with the strings showing parameters. Before the fix: # ./perf list|grep -w PM_PAU_CYC hv_24x7/PM_PAU_CYC/ [Kernel PMU event] With this fix: # ./perf list|grep -w PM_PAU_CYC hv_24x7/PM_PAU_CYC,chip=?/ [Kernel PMU event] Reviewed-by: Ian Rogers <irogers@google.com> Signed-off-by: Athira Rajeev <atrajeev@linux.ibm.com> Tested-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com> Acked-by: Namhyung Kim <namhyung@kernel.org> Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: Hari Bathini <hbathini@linux.vnet.ibm.com> Cc: Jiri Olsa <jolsa@kernel.org> Cc: Madhavan Srinivasan <maddy@linux.ibm.com> Cc: Michael Petlan <mpetlan@redhat.com> Cc: Shivani Nittor <shivani@linux.ibm.com> Cc: Tanushree.Shah@ibm.com Cc: Tejas.Manhas1@ibm.com Cc: Thomas Richter <tmricht@linux.ibm.com> Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-10HID: intel-thc-hid: intel-quickspi: reset touch IC on system resumeDanny D.
On the Surface Pro 10 (Meteor Lake) the touchscreen stops working after a suspend/resume cycle and only recovers after a reboot. The driver logs "GET_DEVICE_INFO: recv failed: -11" on resume. This platform suspends through s2idle: /sys/power/mem_sleep exposes "[s2idle]" as the only state, there is no "deep"/S3 entry at all. The touch IC nonetheless loses power across that s2idle suspend, the same way it does across hibernation. quickspi_resume() only re-selects the THC port, restores interrupts and DMA and sends a HIDSPI_ON command, assuming the touch IC kept its power and state. When it has actually lost power the HIDSPI_ON command is never acknowledged and the descriptor read fails, leaving the touchscreen dead until the module is reloaded. quickspi_restore() already handles this for hibernation by reconfiguring the THC SPI/LTR settings and running reset_tic() to re-enumerate the device. Make quickspi_resume() do the same when the device is not a wake source. A wake-enabled device keeps its power and state across suspend, so it stays on the light restore path: resetting it would discard a pending wake touch event and break wake-on-touch. The non-wake path mirrors the existing quickspi_restore() sequence, including enabling interrupts before reset_tic(), so it introduces no new ordering relative to code already in the driver. This change has been validated on a Surface Pro 10 running the linux-surface kernel across multiple s2idle suspend/resume cycles; it has not been tested on a mainline build. Closes: https://github.com/linux-surface/linux-surface/issues/1799 Signed-off-by: Danny D. <d3z.the.dev@gmail.com> Reviewed-by: Even Xu <even.xu@intel.com> Signed-off-by: Jiri Kosina <jkosina@suse.com>
2026-06-10perf data convert json: Fix addr_location leak on time-filtered samplesTanushree Shah
When samples are skipped due to time filtering in process_sample_event(), the early return path bypasses addr_location__exit(), causing memory leaks of thread, map, and maps references acquired by machine__resolve(). These references must be released through addr_location__exit() before returning. Fixes: 8e746e95c3e4eb56 ("perf data: Allow filtering conversion by time range") Reviewed-by: Ian Rogers <irogers@google.com> Signed-off-by: Tanushree Shah <tshah@linux.ibm.com> Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: Athira Rajeev <atrajeev@linux.ibm.com> Cc: Derek Foreman <derek.foreman@collabora.com> Cc: Hari Bathini <hbathini@linux.ibm.com> Cc: Jiri Olsa <jolsa@kernel.org> Cc: Madhavan Srinivasan <maddy@linux.ibm.com> Cc: Michael Petlan <mpetlan@redhat.com> Cc: Namhyung Kim <namhyung@kernel.org> Cc: Shivani.Nittor@ibm.com Cc: Tanushree.Shah@ibm.com Cc: Tejas.Manhas1@ibm.com Cc: Thomas Richter <tmricht@linux.ibm.com> Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-10perf s390: Fix TEXTREL in Python extension by compiling as PICJens Remus
On s390 the Python extension build fails as follows when using a linker that is configured to treat text relocations (TEXTREL) in shared libraries as error by default: GEN python/perf.cpython-314-s390x-linux-gnu.so /usr/bin/ld.bfd: error: read-only segment has dynamic relocations This occurrs because util/llvm-c-helpers.o is erroneously built from util/llvm-c-helpers.cpp without compiler option -fPIC but linked into the shared library (via libperf-util.a(perf-util-in.o)). On s390, object files must be compiled as position-indepedent code (PIC) in order to be linked into shared libraries. Commit a9a3f1d18a6c ("perf s390: Always build with -fPIC") added compiler option -fPIC to CFLAGS for s390, which is used in C compiles. Add -fPIC to CXXFLAGS for s390 as well, so that it is also used in C++ compiles. Fixes: a9a3f1d18a6c9ccf ("perf s390: Always build with -fPIC") Reported-by: Thomas Richter <tmricht@linux.ibm.com> Reviewed-by: Ian Rogers <irogers@google.com> Reviewed-by: James Clark <james.clark@linaro.org> Signed-off-by: Jens Remus <jremus@linux.ibm.com> Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> Cc: Bill Wendling <morbo@google.com> Cc: Heiko Carstens <hca@linux.ibm.com> Cc: Hendrik Brueckner <brueckner@linux.ibm.com> Cc: Ingo Molnar <mingo@redhat.com> Cc: Jan Polensky <japo@linux.ibm.com> Cc: Jiri Olsa <jolsa@kernel.org> Cc: Justin Stitt <justinstitt@google.com> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Namhyung Kim <namhyung@kernel.org> Cc: Nathan Chancellor <nathan@kernel.org> Cc: Nick Desaulniers <nick.desaulniers+lkml@gmail.com> Cc: Peter Zijlstra <peterz@infradead.org> Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-10perf build: Do not duplicate CFLAGS in Python extension buildsJens Remus
setuptools already uses CFLAGS. Passing CFLAGS with additional flags as extra compile arguments causes CFLAGS to effectively get passed twice: $ make -C tools/perf V=1 JOBS=1 ... building 'perf' extension gcc [CFLAGS] -fPIC -Iutil/include -I/usr/include/python3.14 \ -c /root/linux/tools/perf/util/python.c \ -o python_ext_build/tmp/root/linux/tools/perf/util/python.o \ [CFLAGS] \ -fno-strict-aliasing -Wno-write-strings -Wno-unused-parameter \ -Wno-redundant-decls -Wno-cast-function-type \ -Wno-declaration-after-statement Reviewed-by: James Clark <james.clark@linaro.org> Signed-off-by: Jens Remus <jremus@linux.ibm.com> Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> Cc: Heiko Carstens <hca@linux.ibm.com> Cc: Hendrik Brueckner <brueckner@linux.ibm.com> Cc: Ian Rogers <irogers@google.com> Cc: Ingo Molnar <mingo@redhat.com> Cc: Jan Polensky <japo@linux.ibm.com> Cc: Jiri Olsa <jolsa@kernel.org> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Namhyung Kim <namhyung@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Richter <tmricht@linux.ibm.com> Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-10perf build: Respect V=1 for Python extension buildsJens Remus
Make util/setup.py respect the verbose build flag (V=1) by conditionally passing --quiet only when not in verbose mode. This eases debugging of Python extension compilation issues and aligns with the existing perf build system behavior. Reviewed-by: Ian Rogers <irogers@google.com> Signed-off-by: Jens Remus <jremus@linux.ibm.com> Tested-by: Jan Polensky <japo@linux.ibm.com> Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> Cc: Heiko Carstens <hca@linux.ibm.com> Cc: Ingo Molnar <mingo@redhat.com> Cc: James Clark <james.clark@linaro.org> Cc: Jiri Olsa <jolsa@kernel.org> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Namhyung Kim <namhyung@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Richter <tmricht@linux.ibm.com> Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-10kbuild: Use ld.lld for linking host programs when LLVM is setNathan Chancellor
Currently, host programs are linked with HOSTCC using the toolchain's default linker. This can result in confusing behavior when using the LLVM Kbuild variable (which states that the user would like to build with the LLVM toolchain instead of the GNU one), as clang's default linker is ld for most platforms, not ld.lld. The documentation mentions HOSTLD=ld.lld is set but this variable is not used by Kbuild proper, only within some tools/ projects. Kbuild provides the HOSTLDFLAGS variable, which allow users to provide the '-fuse-ld' or '--ld-path' flags to customize what linker is used, but this is not super obvious to folks not familiar with Kbuild. If the user has not customized the linker already using one of these flags, default to ld.lld when using the LLVM variable, which is more in line with user expectations when using that variable. Closes: https://github.com/ClangBuiltLinux/linux/issues/2167 Link: https://patch.msgid.link/20260610-kbuild-use-lld-for-linking-hostprogs-v1-1-70396fe42ee3@kernel.org Signed-off-by: Nathan Chancellor <nathan@kernel.org>
2026-06-10perf riscv: fix register name stringsMartin Kaiser
On risc-v, pref probe generates an invalid syntax for a named register in a kprobe. $ perf probe --debug verbose --add "n_tty_write tty" ... Writing event: p:probe/n_tty_write _text+8922528 tty=%"%a0":x64 Failed to write event: Invalid argument The problem is the combination of #define REG_DWARFNUM_NAME(reg, idx) [idx] = "%" #reg and entries such as REG_DWARFNUM_NAME("%a0", 10) where #reg will escape the quotes of the first macro parameter. Update the macro definition to produce the correct syntax for a named register in a kprobe, i.e. the unquoted register name with only one leading %. Fixes: a90c4519186dfc08 ("perf riscv: Remove dwarf-regs.c and add dwarf-regs-table.h") Reviewed-by: Ian Rogers <irogers@google.com> Signed-off-by: Martin Kaiser <martin@kaiser.cx> Cc: Ian Rogers <irogers@google.com> Cc: Namhyung Kim <namhyung@kernel.org> Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-10perf dwarf: Avoid redefinition warnings for REG_DWARFNUM_NAMEMartin Kaiser
dwarf-regs.c includes an arch-specific dwarf-regs-table.h for several architectures. This pulls in different definitions of REG_DWARFNUM_NAME and causes compiler warnings for W=1 builds. In file included from util/dwarf-regs.c:23: .../dwarf-regs-table.h:5: error: "REG_DWARFNUM_NAME" redefined [-Werror] #define REG_DWARFNUM_NAME(reg, idx) [idx] = reg Undefine REG_DWARFNUM_NAME before each new definition. Suggested-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: Martin Kaiser <martin@kaiser.cx> Cc: Ian Rogers <irogers@google.com> Cc: Namhyung Kim <namhyung@kernel.org> Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-10hwmon: (dell-smm) Add Dell Latitude 7530 to fan control whitelistArmin Wolf
A user reported that the Dell Latitude 7530 needs to be whitelisted for the special SMM calls necessary for globally enabling/disabling BIOS fan control. Closes: https://github.com/Wer-Wolf/i8kutils/issues/17 Signed-off-by: Armin Wolf <W_Armin@gmx.de> Acked-by: Pali Rohár <pali@kernel.org> Link: https://lore.kernel.org/r/20260610180141.311503-1-W_Armin@gmx.de Signed-off-by: Guenter Roeck <linux@roeck-us.net>
2026-06-10hwmon: temperature: add support for EMC1812Marius Cristea
This is the hwmon driver for Microchip EMC1812/13/14/15/33 Multichannel Low-Voltage Remote Diode Sensor Family. EMC1812 has one external remote temperature monitoring channel. EMC1813 has two external remote temperature monitoring channels. EMC1814 has three external remote temperature monitoring channels, channels 2 and 3 support anti parallel diode. EMC1815 has four external remote temperature monitoring channels and channels 1/2 and 3/4 support anti parallel diode. EMC1833 has two external remote temperature monitoring channels and channels 1 and 2 support anti parallel diode. Resistance Error Correction is supported on channels 1/2 and 3/4. Signed-off-by: Marius Cristea <marius.cristea@microchip.com> Link: https://lore.kernel.org/r/20260610-hw_mon-emc1812-v11-2-cef809af5c19@microchip.com Signed-off-by: Guenter Roeck <linux@roeck-us.net>
2026-06-10xprtrdma: Return sendctx slot after Send preparation failureChuck Lever
rpcrdma_prepare_send_sges() gets a sendctx before it maps the SGEs for the Send WR. If one of the mapping helpers fails, no Send WR is posted, so no Send completion is guaranteed to advance rb_sc_tail. Current cleanup clears sc_req so a later completion can sweep over that slot, but a consecutive run of preparation failures can still advance rb_sc_head until the ring appears full. At that point rpcrdma_sendctx_get_locked() returns NULL and no Send can be posted to produce the completion needed to recover the ring. The trigger requires CONFIG_SUNRPC_XPRT_RDMA and an NFS/RDMA mount. Mount setup and reliable DMA-map fault injection require local admin authority. Unprivileged I/O on an existing mount can exercise the send path, but a remote peer alone cannot force this local DMA-map failure. Add rpcrdma_sendctx_unget_locked() for the single-consumer send path to rewind rb_sc_head when the just-acquired sendctx is canceled before ib_post_send(). Wake waiters after making the slot available again. After the rewind, every slot the completion sweep visits belongs to a posted Send, so rpcrdma_sendctx_put_locked() no longer needs to test sc_req before unmapping. Fixes: ae72950abf99 ("xprtrdma: Add data structure to manage RDMA Send arguments") Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Anna Schumaker <anna.schumaker@hammerspace.com>
2026-06-10xprtrdma: Repost Receive buffers for malformed repliesChuck Lever
rpcrdma_wc_receive() decrements the transport's Receive count for every completion before it dispatches a successful Receive to rpcrdma_reply_handler(). The handler must post a replacement Receive WR before returning unless ownership of the rep has moved elsewhere, as on the backchannel path. Commit 2ae50ad68cd7 ("xprtrdma: Close window between waking RPC senders and posting Receives") moved the Receive refill out of rpcrdma_wc_receive(), where it had run ahead of every reply, into rpcrdma_reply_handler() so that the responder's credit grant could be parsed before reposting. The bad-version and short-reply exits never reach that refill: they recycle the rep and return without calling rpcrdma_post_recvs(). A remote peer can therefore drain the client's posted Receive queue by sending a sustained stream of replies that are shorter than the fixed transport header or that carry an unrecognized RPC/RDMA version. Each such reply consumes one posted Receive without replacing it. Once the queue empties, the peer's next Send finds no posted Receive and the transport stalls until reconnect. Route both malformed-reply exits through the shared repost tail after recycling the rep, refilling against buf->rb_credits, the most recent accepted credit grant. Neither exit updates the congestion window, so RPCs admitted under the previous grant remain in flight awaiting replies. A smaller refill target would let a stream of malformed replies ratchet the posted Receive count down to the batch floor while the congestion window still admits rb_credits RPCs; a burst of valid replies to those RPCs could then overrun the posted Receives, and because the client connects with rnr_retry_count of zero, a single RNR NAK terminates the connection. Refilling against rb_credits also restores the target that applied to malformed replies before commit 2ae50ad68cd7 ("xprtrdma: Close window between waking RPC senders and posting Receives") when rpcrdma_post_recvs() computed it from rb_credits internally. rb_credits is at least one from connection establishment onward, so the repost path always keeps Receives posted. Fixes: 2ae50ad68cd7 ("xprtrdma: Close window between waking RPC senders and posting Receives") Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Anna Schumaker <anna.schumaker@hammerspace.com>
2026-06-10xprtrdma: Sanitize the reply credit grant after parsingChuck Lever
The out_norqst exit in rpcrdma_reply_handler() branches away before the credit clamp, so a reply that matches no pending request reaches out_post carrying the raw credit value parsed from the wire. rpcrdma_post_recvs() does not bound its @needed argument: the refill loop allocates and chains Receive WRs until the count is satisfied or allocation fails. A peer that sends a well-formed reply carrying an unknown XID and an inflated credit grant therefore drives rep allocation and Receive posting past re_max_requests on every such reply. Move the clamp to immediately after the credit field is parsed, ahead of the first branch that can reach out_post, so every later consumer sees a sanitized value. The cwnd update stays on the matched-request path. Fixes: 704f3f640f72 ("xprtrdma: Post receive buffers after RPC completion") Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Anna Schumaker <anna.schumaker@hammerspace.com>
2026-06-10xprtrdma: Fix bcall rep leak and unbounded peekChris Mason
rpcrdma_is_bcall() decodes a reply's first words to decide whether the frame is a backchannel call. Two issues in that decode path let a short or malformed reply leak the receive buffer and drain the Receive queue. First, the speculative peek p = xdr_inline_decode(xdr, 0); /* five p++ reads follow */ asks xdr_inline_decode() for zero bytes, which returns xdr->p without consulting xdr->end. The five subsequent __be32 reads can then walk up to 20 bytes past the wire payload into stale regbuf contents and misclassify the reply as a backchannel call. Second, after the post-peek p = xdr_inline_decode(xdr, 3 * sizeof(*p)); if (unlikely(!p)) return true; the short-header arm returns true without calling rpcrdma_bc_receive_call(). The contract with the caller is that a true return transfers ownership of rep to the backchannel path: rpcrdma_reply_handler() if (rpcrdma_is_bcall(r_xprt, rep)) return; /* bare return, skips out_post */ ... out_post: rpcrdma_post_recvs(r_xprt, credits + ...); Because rpcrdma_bc_receive_call() never ran, no one took rep, but rpcrdma_reply_handler still bare-returns past rpcrdma_rep_put() and rpcrdma_post_recvs(). The rep, with its persistently DMA-mapped receive buffer, is orphaned on rb_all_reps and freed only at transport teardown. This completion reposts nothing, so its slot is reclaimed only when a later forward-channel reply reaches out_post and rpcrdma_post_recvs() allocates a fresh rep to backfill; absent that traffic the Receive queue drains and the peer's Sends draw RNR NAKs. Fix by consulting xdr->end after the zero-length peek so the five __be32 reads cannot run unless 20 bytes of wire payload remain. A byte-precise comparison against xdr->end is required because a non-4-aligned receive rounds the stream's word count up past the true payload. Also return false from the short-header arm so the reply falls through the normal out_norqst cleanup chain (rpcrdma_rep_put() plus rpcrdma_post_recvs()). Fixes: 41c8f70f5a3d ("xprtrdma: Harden backchannel call decoding") Assisted-by: kres:claude-opus-4-7 Signed-off-by: Chris Mason <clm@meta.com> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Anna Schumaker <anna.schumaker@hammerspace.com>
2026-06-10xprtrdma: Resize reply buffers before reposting receivesChuck Lever
Commit 0e13dd9ea8be ("xprtrdma: Remove temp allocation of rpcrdma_rep objects") made rpcrdma_rep objects survive disconnects. That is normally fine, but it also means their receive regbufs keep the size they had when they were first allocated. Each rep's receive buffer is sized to ep->re_inline_recv when the rep is created. rpcrdma_ep_create() resets that threshold to the rdma_max_inline_read ceiling for every new endpoint, and the connect handshake then shrinks it to the peer's advertised inline send size. A rep allocated under a smaller negotiated threshold keeps that size: on disconnect, rpcrdma_xprt_disconnect() drains and DMA-unmaps the surviving reps but does not free or resize them. The threshold can come back larger on the next connection. The first peer may supply no RPC-over-RDMA CM private data, defaulting its send size to 1024, while the reconnect target is an ordinary server offering 4096; or, with rdma_max_inline_read raised above its default, the reconnect target may advertise a larger svcrdma_max_req_size than the first. rpcrdma_post_recvs() then reposts a surviving rep whose SGE length is still the old, smaller value, and a larger inline Reply hits a receive length error and forces another disconnect. The undersized rep returns to the free list when its failed Receive flushes, so the following reconnect reposts the same rep and fails the same way. The transport flaps without making forward progress for as long as the peer keeps advertising the larger inline size. This is local/admin-triggerable rather than remote-triggerable: a local administrator must create and maintain the NFS/RDMA mount, while the server or reconnect target has to advertise a larger inline send size and return a reply that uses it. Fix this by checking each rep before it is reposted. If the receive regbuf is smaller than the current endpoint's inline receive size, reallocate it on the current RDMA device's NUMA node and reinitialize the rep's xdr_buf before DMA-mapping and posting the Receive WR. Fixes: 0e13dd9ea8be ("xprtrdma: Remove temp allocation of rpcrdma_rep objects") Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Anna Schumaker <anna.schumaker@hammerspace.com>
2026-06-10xprtrdma: Check frwr_wp_create() during connectChuck Lever
frwr_wp_create() creates the singleton Memory Region used to encode padding for Write chunks whose payload length is not XDR-aligned. Its failure paths return a negative errno and leave ep->re_write_pad_mr set to NULL. rpcrdma_xprt_connect() currently ignores that return value. If frwr_wp_create() fails after the rest of the connection setup succeeds, xprt_rdma_connect_worker() treats the connection attempt as successful and sets XPRT_CONNECTED. A later NFS/RDMA read with a non-4-byte-aligned receive page length reaches rpcrdma_encode_write_list(), passes the NULL write-pad MR to encode_rdma_segment(), and dereferences it. This is locally triggerable on an NFS/RDMA client after a connect or reconnect hits a local MR allocation, DMA-map, MR-map, or post-send failure; a remote peer alone cannot force the local MR setup failure. Check the return value and fail the connect as -ENOTCONN, matching the adjacent setup failures. This keeps XPRT_CONNECTED clear and lets the normal reconnect path retry. Fixes: 21037b8c2258 ("xprtrdma: Provide a buffer to pad Write chunks of unaligned length") Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Anna Schumaker <anna.schumaker@hammerspace.com>
2026-06-10xprtrdma: Initialize re_id before removal registrationChris Mason
rpcrdma_create_id() registers ep->re_rn with the rpcrdma ib_client before returning the new rdma_cm_id to rpcrdma_ep_create(). However rpcrdma_ep_create() currently stores that pointer in ep->re_id only after rpcrdma_create_id() returns. A local administrator can race an NFS/RDMA mount against RDMA device removal. If rpcrdma_remove_one() observes the just-registered notification before rpcrdma_ep_create() assigns ep->re_id, rpcrdma_ep_removal_done() calls trace_xprtrdma_device_removal(NULL). The tracepoint dereferences id->device->name and copies id->route.addr.dst_addr, so the callback can crash the kernel with a NULL pointer dereference. Store the rdma_cm_id in ep->re_id immediately before publishing ep->re_rn. The existing error path still destroys the id directly if registration fails; ep is then freed by the caller without using ep->re_id. Remove the later duplicate assignment in rpcrdma_ep_create(). Fixes: 3f4eb9ff9234 ("xprtrdma: Handle device removal outside of the CM event handler") Assisted-by: kres:openai-gpt-5 Signed-off-by: Chris Mason <clm@meta.com> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Anna Schumaker <anna.schumaker@hammerspace.com>
2026-06-10xprtrdma: Fix ep kref imbalance on ADDR_CHANGEChris Mason
rpcrdma_cm_event_handler() falls through to the disconnected: label on RDMA_CM_EVENT_ADDR_CHANGE and calls rpcrdma_ep_put() with no matching get when the event arrives before RDMA_CM_EVENT_ESTABLISHED. The kref then underflows during connect teardown and rpcrdma_xprt_disconnect() operates on a freed ep. Reference counts across a normal connection lifecycle: rpcrdma_ep_create() kref_init ->1 rpcrdma_xprt_connect() ep_get ->2 (before post_recvs) RDMA_CM_EVENT_ESTABLISHED ep_get ->3 RDMA_CM_EVENT_DISCONNECTED ep_put ->2 rpcrdma_xprt_drain() ep_put ->1 rpcrdma_xprt_disconnect() tail ep_put ->0 (ep_destroy) The connect-time get in rpcrdma_xprt_connect(), taken just before rpcrdma_post_recvs() "while there are outstanding Receives," is balanced by rpcrdma_xprt_drain. ADDR_CHANGE before ESTABLISHED has no get to consume, so its put drops the count to 1 and the drain put then frees the ep while rpcrdma_xprt_disconnect() still holds a pointer to it. Fix by dispatching on the prior re_connect_status via xchg(): for prev == 0 (pre-ESTABLISHED) wake the connect waiter and return with no put; for prev == 1 call rpcrdma_force_disconnect() and return. The case-1 arm relies on the subsequent RDMA_CM_EVENT_DISCONNECTED event -- reliably delivered when rdma_disconnect() is called on a still-connected cm_id -- to balance the ESTABLISHED get; rpcrdma_xprt_drain() continues to balance only that connect-time get. Any other prior value means teardown is already in flight. Fixes: 2acc5cae2923 ("xprtrdma: Prevent dereferencing r_xprt->rx_ep after it is freed") Assisted-by: kres:claude-opus-4-7 Signed-off-by: Chris Mason <clm@meta.com> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Anna Schumaker <anna.schumaker@hammerspace.com>
2026-06-10xprtrdma: Convert send buffer free list to llistChuck Lever
rpcrdma_buffer_get() and rpcrdma_buffer_put() both take rb_lock to pop/push from the rb_send_bufs free list. Under high I/O concurrency (e.g., nconnect=N with small random writes), this spinlock is contended between the request submission path and the transport completion path. Replace the list_head with an llist_head. The put side uses lockless llist_add(), which is safe for concurrent producers. The get side retains the spinlock to satisfy the llist single-consumer contract portably; submitters continue to serialize there. Completion handlers returning buffers no longer contend on rb_lock, eliminating contention on the return path. rb_lock remains for the MR free list and the tracking lists used during setup and teardown. rb_free_reps already uses llist_head, so the llist idiom is established in this structure. The precedent is the data structure, not the locking: rb_free_reps serializes its single consumer through the re_receiving gate in rpcrdma_post_recvs, whereas rb_send_bufs serializes its consumer with rb_lock. Both satisfy the llist single-consumer contract. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Anna Schumaker <anna.schumaker@hammerspace.com>
2026-06-10dt-bindings: hwmon: temperature: add support for EMC1812Marius Cristea
This is the devicetree schema for Microchip EMC1812/13/14/15/33 Multichannel Low-Voltage Remote Diode Sensor Family. It also updates the MAINTAINERS file to include the new driver. EMC1812 has one external remote temperature monitoring channel. EMC1813 has two external remote temperature monitoring channels. EMC1814 has three external remote temperature monitoring channels and channels 2 and 3 support anti parallel diode. EMC1815 has four external remote temperature monitoring channels and channels 1/2 and 3/4 support anti parallel diode. EMC1833 has two external remote temperature monitoring channels and channels 1 and 2 support anti parallel diode. Resistance Error Correction is supported on channels 1/2 and 3/4. Signed-off-by: Marius Cristea <marius.cristea@microchip.com> Reviewed-by: Rob Herring (Arm) <robh@kernel.org> Link: https://lore.kernel.org/r/20260610-hw_mon-emc1812-v11-1-cef809af5c19@microchip.com Signed-off-by: Guenter Roeck <linux@roeck-us.net>
2026-06-10PCI: Avoid SBR for Qualcomm WCN6855/WCN7850 WiFi, SDX62/SDX65 modemsJose Ignacio Tornos Martinez
Some Qualcomm PCIe devices (WCN6855/WCN7850 WiFi cards, SDX62/SDX65 modems) do not properly support Secondary Bus Reset (SBR). Testing confirms this is device-specific, not deployment-specific: MediaTek MT7925e successfully uses bus reset through the same passive M.2-to-PCIe adapters where Qualcomm devices fail, proving PERST# is properly wired through the adapters. Prevent use of Secondary Bus Reset for these devices. Signed-off-by: Jose Ignacio Tornos Martinez <jtornosm@redhat.com> Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Link: https://lore.kernel.org/all/20260609163649.319755-4-jtornosm@redhat.com
2026-06-10dt-bindings: nvmem: consumer: Make 'nvmem' an array of one-item entriesKonrad Dybcio
'nvmem' unlike 'nvmem-cells', consumes references to just a single phandle with no arguments (i.e. with 0 cells). Constrain the schema to enforce that, so that the number of such single-item entries can then be regulated by IP block-specific YAMLs. Suggested-by: Rob Herring <robh@kernel.org> Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com> Link: https://patch.msgid.link/20260610-topic-nvmem_schema_warning_fix-v1-1-4029becf13f9@oss.qualcomm.com Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
2026-06-10Merge tag 'pm-7.1-rc8' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fixes from Rafael Wysocki: "These address some remaining fallout after introducing dynamic EPP support in the amd-pstate driver during the current development cycle: - Restore allowing writing EPP of 0 when in performance mode in the amd-pstate driver which was unnecessarily disallowed by one of the recent updates (Mario Limonciello) - Remove stale documentation of the epp_cached field in struct amd_cpudata that has been dropped recently (Zhan Xusheng)" * tag 'pm-7.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: cpufreq/amd-pstate: Fix setting EPP in performance mode cpufreq/amd-pstate: drop stale @epp_cached kdoc
2026-06-10drivers/of/overlay: Use memcpy() to copy known length stringsDavid Laight
Avoid calls to strcpy(). The lengths of the strings have been used for the kzalloc(), replace the strcpy() calls with memcpy() using the known lengths. Signed-off-by: David Laight <david.laight.linux@gmail.com> Link: https://patch.msgid.link/20260608185121.22331-1-david.laight.linux@gmail.com Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
2026-06-10dt-bindings: add self-test fixtures for style checkerDaniel Golle
Provide good/ and bad/ DTS and YAML fixtures plus a small runner that feeds them to dt-check-style and diffs the output against expected text files. Wired into a new top-level dt_style_selftest make target so the suite can be exercised independently of the full tree. Signed-off-by: Daniel Golle <daniel@makrotopia.org> Link: https://patch.msgid.link/80fec5d2cfcdee0f9c5e2d4921ebbd4115d392b7.1779908995.git.daniel@makrotopia.org Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
2026-06-10dt-bindings: wire style checker into dt_binding_checkDaniel Golle
Run dt-check-style as part of dt_binding_check_one. The recipe wraps the tool with scripts/jobserver-exec so worker count follows the GNU make jobserver -- `make -j N dt_binding_check` constrains the checker to N workers rather than spawning one per CPU. Default mode (relaxed) is zero-violation on the current tree, so this does not introduce new warnings into make dt_binding_check. Stricter rules are available via --mode=strict (eg. for use by checkpatch.pl in a future series). Signed-off-by: Daniel Golle <daniel@makrotopia.org> Link: https://patch.msgid.link/a14fdbded0acdc4fef1c1278100f2f4c6a93a488.1779908995.git.daniel@makrotopia.org Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
2026-06-10scripts/jobserver-exec: propagate child exit statusDaniel Golle
main() called JobserverExec().run() and discarded its return value, then the script exited with the implicit status 0. As a result, any Makefile that wired a build step through jobserver-exec saw the step silently succeed even when the wrapped command had failed. Two in-tree callers were affected: Documentation/devicetree/bindings/Makefile cmd_chk_style runs a python checker via jobserver-exec and uses "&& touch $@ || true" so failures leave the stamp file untouched and the next make rerun reports them again. The swallowed exit code made the stamp file get created even on failure, caching the failed run and hiding the reported issues until the inputs change. scripts/Makefile.vmlinux_o cmd_gen_initcalls_lds runs scripts/generate_initcall_order.pl via jobserver-exec; a perl failure was masked by the wrapper. Return the subprocess exit code from main() and pass it to sys.exit() so the wrapped command's status reaches make. Signed-off-by: Daniel Golle <daniel@makrotopia.org> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Link: https://patch.msgid.link/660368ca16e2d3845577a9fd157d2f37f0e09e85.1779908995.git.daniel@makrotopia.org Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
2026-06-10dt-bindings: add DTS style checkerDaniel Golle
Add a Python tool that checks DTS coding style on examples in YAML binding files and on .dts/.dtsi/.dtso source files. Rules are kept in a small declarative registry, each tagged 'relaxed' (default; must be zero-violation on the current tree) or 'strict' (opt-in for new submissions). Promoting a rule from strict to relaxed is a one-line edit once the tree is clean. Relaxed mode covers trailing whitespace, tab characters in YAML examples, mixed tab+space indents, and missing tabs in .dts files. Strict adds indent unit and consistency checks, blank-line placement, sibling address ordering, "compatible" and "reg" ordering, and unused labels. The tool reads file paths from @argfile and parallelises across CPUs via -j N. With no -j given it picks up $PARALLELISM (set by scripts/jobserver-exec from the GNU make jobserver) and falls back to os.cpu_count() otherwise. Running as one Python invocation amortises the ruamel.yaml import across the whole tree -- ~2s on a 32-CPU host vs ~28s sequential. Signed-off-by: Daniel Golle <daniel@makrotopia.org> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Link: https://patch.msgid.link/224923f3d1c73ff55cebb3e0796f119e32c1bb43.1779908995.git.daniel@makrotopia.org Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
2026-06-10HID: uhid: convert to hid_safe_input_report()Carlos Llamas
Commit 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing bogus memset()"), added a check in hid_report_raw_event() to reject reports if the received data size is smaller than expected. This was intended to prevent OOB errors by no longer allowing zeroing-out of shorter reports due to the lack of buffer size information. However, this leads to regressions in hid_report_raw_event(), where shorter than expected reports are rejected, even though their buffers are sufficiently large to be zero-padded. To solve this issue, Benjamin introduced a safer alternative in commit 206342541fc8 ("HID: core: introduce hid_safe_input_report()"), which forwards the buffer size and allows hid_report_raw_event() to safely zero-pad the data. Convert uhid to use hid_safe_input_report() and pass UHID_DATA_MAX as the buffer size. This prevents the reported regressions [1], allowing hid core to zero-pad the shorter reports safely as expected. Cc: stable@vger.kernel.org Fixes: 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing bogus memset()") Closes: https://lore.kernel.org/all/ahsh0UtTX6e0ZeHa@google.com/ [1] Signed-off-by: Carlos Llamas <cmllamas@google.com> Reviewed-by: Lee Jones <lee@kernel.org> Closes: https://lore.kernel.org/all/ahsh0UtTX6e0ZeHa@google.com/ Signed-off-by: Jiri Kosina <jkosina@suse.com>
2026-06-10Input: ads7846 - restore half-duplex supportAaro Koskinen
On some boards, the SPI controller is limited to half-duplex and the driver fails spamming "ads7846 spi2.1: spi_sync --> -22". Restore half-duplex support with multiple SPI transfers. Fixes: 9c9509717b53 ("Input: ads7846 - convert to full duplex") Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi> Link: https://patch.msgid.link/20260419161848.825831-2-aaro.koskinen@iki.fi Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
2026-06-10of: cpu: add check in __of_find_n_match_cpu_property()Sergey Shtylyov
In __of_find_n_match_cpu_property(), checking the variable ac for 0 won't prevent a possible overflow when multiplying it by sizeof(*cell). Besides, of_read_number() (called in the *for* loop) can't return correct result if that variable (which equals the #address-cells prop's value) exceeds 2, so additionally checking for that seems logical... Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool. Fixes: f3cea45a77c8 ("of: Fix iteration bug over CPU reg properties") Signed-off-by: Sergey Shtylyov <s.shtylyov@auroraos.dev> Link: https://patch.msgid.link/0c7bf7e9-887c-42d5-bcfb-0ba7fe1e70b6@auroraos.dev Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
2026-06-10dt-bindings: media: mt9m114: document common video device propertiesSvyatoslav Ryhel
Document common video interface device properties, such as rotation and orientation. Signed-off-by: Svyatoslav Ryhel <clamor95@gmail.com> Acked-by: Rob Herring (Arm) <robh@kernel.org> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Link: https://patch.msgid.link/20260531092924.12929-2-clamor95@gmail.com Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
2026-06-10libperf: Document code simplification case for widening struct perf_cpuArnaldo Carvalho de Melo
Add a bullet point to the libperf ABI TODO explaining the code simplification benefit of widening struct perf_cpu.cpu from int16_t to int: the narrow type forces defensive truncation checks at every boundary where wider CPU indices are narrowed, and values > 32767 silently wrap to negative numbers (two's complement), bypassing bounds validation without them. Acked-by: Ian Rogers <irogers@google.com> Cc: Ian Rogers <irogers@google.com> Cc: Namhyung Kim <namhyung@kernel.org> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-10perf tools: Use scnprintf() in build_id__snprintf() and hwmon read_events()Arnaldo Carvalho de Melo
build_id__snprintf() and hwmon_pmu__read_events() accumulate formatted output via snprintf(), which returns the would-have-been-written count on truncation. In build_id__snprintf(), this inflates the return value beyond the buffer size. In hwmon_pmu__read_events(), len overshoots out_buf_len and the next 'out_buf_len - len' underflows. Switch both to scnprintf() which returns actual bytes written. In build_id__snprintf(), also tighten the loop guard from 'offs < bf_size' to 'offs + 1 < bf_size': since scnprintf() returns at most size-1, offs never reaches bf_size, and the original condition would spin doing zero-byte writes once the buffer fills. Fixes: fccaaf6fbbc59910 ("perf build-id: Change sprintf functions to snprintf") Fixes: 53cc0b351ec99278 ("perf hwmon_pmu: Add a tool PMU exposing events from hwmon in sysfs") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Reviewed-by: Ian Rogers <irogers@google.com> Cc: Ian Rogers <irogers@google.com> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-10perf hists: Fix snprintf() in hists__scnprintf_title() UID filter pathArnaldo Carvalho de Melo
hists__scnprintf_title() accumulates formatted output into a buffer using scnprintf() for all filter clauses except the UID filter, which uses snprintf(). If the buffer fills up and snprintf() returns more than the remaining space, printed exceeds size and the next 'size - printed' underflows, causing later scnprintf() calls to write past the buffer. Switch the UID filter clause to scnprintf() to match the rest of the function. Fixes: 25c312dbf88ca402 ("perf hists: Move hists__scnprintf_title() away from the TUI code") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Reviewed-by: Ian Rogers <irogers@google.com> Cc: Arnaldo Carvalho de Melo <acme@redhat.com> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-10perf bpf: Use scnprintf() in snprintf_hex() and synthesize_bpf_prog_name()Arnaldo Carvalho de Melo
Both functions accumulate formatted output via ret += snprintf(buf + ret, size - ret, ...). If the buffer is too small and snprintf() returns more than the remaining space, ret exceeds size and the next 'size - ret' underflows, causing snprintf() to write past the buffer end. Switch to scnprintf() which returns the actual number of bytes written, making the accumulation safe. Fixes: 7b612e291a5affb1 ("perf tools: Synthesize PERF_RECORD_* for loaded BPF programs") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Reviewed-by: Ian Rogers <irogers@google.com> Cc: Song Liu <song@kernel.org> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-10perf tools: Add O_CLOEXEC to open() calls in DSO and ELF codeArnaldo Carvalho de Melo
open() calls in dso.c and symbol-elf.c omit O_CLOEXEC, which leaks file descriptors to child processes spawned during symbol resolution (e.g., addr2line, objdump). This can exhaust the fd limit during long profiling sessions or when processing many DSOs. Add O_CLOEXEC to all open() calls in both files (12 call sites). Fixes: cdd059d731eeb466 ("perf tools: Move dso_* related functions into dso object") Fixes: e5a1845fc0aeca85 ("perf symbols: Split out util/symbol-elf.c") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Reviewed-by: Ian Rogers <irogers@google.com> Cc: Jiri Olsa <jolsa@kernel.org> Cc: Namhyung Kim <namhyung@kernel.org> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-10perf sched: Fix idle-hist callchain display using wrong rb_first variantArnaldo Carvalho de Melo
timehist_print_idlehist_callchain() calls rb_first_cached() on sorted_root, but the sort function (callchain_param.sort) populates it via rb_insert_color() on the plain rb_root member — not the cached variant. This means rb_leftmost is never set, so rb_first_cached() always returns NULL and the entire callchain summary is silently dropped from --idle-hist output. The original code in ba957ebb54893aca ("perf sched timehist: Show callchains for idle stat") was correct — it used struct rb_root and rb_first(). The bug was introduced when sorted_root was converted to rb_root_cached without converting the sort insertion path to use rb_insert_color_cached(). Use rb_first(&root->rb_root) to match how the tree was populated. Fixes: cb4c13a5137766c3 ("perf sched: Use cached rbtrees") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Namhyung Kim <namhyung@kernel.org> Acked-by: Ian Rogers <irogers@google.com> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-10perf sched: Bounds-check prio before test_bit() in timehistArnaldo Carvalho de Melo
timehist_skip_sample() reads prio from untrusted tracepoint data via perf_sample__intval(sample, "prev_prio") without bounds validation. A crafted perf.data with prev_prio >= MAX_PRIO (140) causes test_bit() to read past the end of the prio_bitmap, which is only MAX_PRIO bits. Add a prio >= 0 guard before the test_bit() call and skip out-of-range values (>= MAX_PRIO) that can never match the user's filter set. The original prio != -1 already let all negatives other than -1 through (after an undefined-behavior bitmap read); the new prio >= 0 guard preserves that pass-through behavior — negative means "no priority info", so the event is shown unfiltered — while fixing the OOB. Values >= MAX_PRIO are skipped because they cannot be represented in the filter bitmap. Fixes: 9b3a48bbe20d9692 ("perf sched timehist: Add --prio option") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Reviewed-by: Ian Rogers <irogers@google.com> Cc: Yang Jihong <yangjihong@bytedance.com> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-10cxl/test: Zero out LSA backing memory to avoid leaking to userDave Jiang
Memory through vmalloc() is not zeroed out. When this memory is copied into output payload, it leaks memory content to user. Use vzalloc() instead to zero out the memory. Suggested-by: sashiko-bot Link: https://lore.kernel.org/linux-cxl/20260605173146.2B9A31F00893@smtp.kernel.org/ Fixes: 7d3eb23c4ccf ("tools/testing/cxl: Introduce a mock memory device + driver") Reviewed-by: Alison Schofield <alison.schofield@intel.com> Link: https://patch.msgid.link/20260605184426.4070913-1-dave.jiang@intel.com Signed-off-by: Dave Jiang <dave.jiang@intel.com>
2026-06-10cxl/test: Fix integer overflow in mock LSA bounds checksDave Jiang
Pre-existing issue discovered by sashiko-bot. mock_get_lsa() and mock_set_lsa() validate the requested LSA range with "offset + length > LSA_SIZE". Both offset and length are u32 and, in mock_get_lsa(), both are taken directly from the user-supplied payload. The addition is evaluated modulo 2^32, so a large offset combined with a small length wraps around and passes the check. Rewrite the checks to first bound offset, then compare length against the remaining LSA size. Suggested-by: sashiko-bot Fixes: 7d3eb23c4ccf ("tools/testing/cxl: Introduce a mock memory device + driver") Link: https://lore.kernel.org/linux-cxl/20260605143748.235271F00893@smtp.kernel.org/ Assisted-by: Claude:claude-opus-4-8 Reviewed-by: Alison Schofield <alison.schofield@intel.com> Signed-off-by: Dave Jiang <dave.jiang@intel.com>