summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2026-06-10s390/string: Convert memmove() to CHeiko Carstens
Convert memmove() from assembler to C, which should make it easier to read and change, if required. And it allows the compiler to optimize the code, and use different instructions, except for the used inline assemblies. Reviewed-by: Juergen Christ <jchrist@linux.ibm.com> Signed-off-by: Heiko Carstens <hca@linux.ibm.com> Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
2026-06-10s390/string: Add -ffreestanding compile option to string.oHeiko Carstens
Use -ffreestanding for string.o to avoid that the compiler generates calls into themselves for standard library functions like memset(). Reviewed-by: Juergen Christ <jchrist@linux.ibm.com> Signed-off-by: Heiko Carstens <hca@linux.ibm.com> Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
2026-06-10s390: Add .noinstr.text to boot and purgatory linker scriptsHeiko Carstens
Upcoming changes will result in a .noinstr.text section within the boot and purgatory string.o binary. Explicitly add the new section to avoid orphaned warnings from the linker. Reviewed-by: Juergen Christ <jchrist@linux.ibm.com> Signed-off-by: Heiko Carstens <hca@linux.ibm.com> Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
2026-06-10s390/purgatory: Enforce z10 minimum architecture levelHeiko Carstens
The purgatory code is compiled without the -march option. This means the default architecture level of the compiler is used. This can cause problems, e.g. if instructions used in inline assemblies are for a higher architecture level than the default architecture level of the compiler. Use z10 as minimum architecture level, similar to the boot code, to enforce a defined architecture level set. Reviewed-by: Juergen Christ <jchrist@linux.ibm.com> Signed-off-by: Heiko Carstens <hca@linux.ibm.com> Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
2026-06-10ext4: validate donor file superblock early in EXT4_IOC_MOVE_EXTYun Zhou
Reject the EXT4_IOC_MOVE_EXT ioctl early if the donor file does not belong to the same superblock as the original file. Currently, this validation is performed inside ext4_move_extents() by mext_check_validity(), but only after lock_two_nondirectories() has already acquired the inode locks. When the donor fd refers to a file on a different filesystem (e.g., overlayfs), this late validation creates a circular lock dependency: CPU0 (overlayfs write) CPU1 (ext4 ioctl) ---- ---- inode_lock(ovl_inode) mnt_want_write_file(filp) sb_start_write(ext4_sb) [sb_writers] backing_file_write_iter() vfs_iter_write(real_file) file_start_write(real_file) sb_start_write(ext4_sb) [blocked by freeze] lock_two_nondirectories() inode_lock(ovl_inode) [blocked] With a concurrent freeze operation holding sb_writers write side, this forms a deadlock cycle: CPU0 waits for freeze to complete, freeze waits for CPU1's sb_writers reader to exit, CPU1 waits for CPU0's inode lock. Since EXT4_IOC_MOVE_EXT exchanges physical extents between two files, it fundamentally requires both files to reside on the same ext4 filesystem. Moving the superblock check before any lock acquisition is both semantically correct and eliminates the circular dependency by ensuring that cross-filesystem donor fds are rejected before sb_writers or inode locks are taken. Fixes: fcf6b1b729bc ("ext4: refactor ext4_move_extents code base") Reported-by: syzbot+ad6118a7584b607c67f2@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=ad6118a7584b607c67f2 Signed-off-by: Yun Zhou <yun.zhou@windriver.com> Reviewed-by: Jan Kara <jack@suse.cz> Reviewed-by: Andreas Dilger <adilger@dilger.ca> Link: https://patch.msgid.link/20260608152521.1292656-1-yun.zhou@windriver.com Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2026-06-10ext4: fix kernel BUG in ext4_write_inline_data_endAditya Prakash Srivastava
When the data=journal mount option is used, the ext4_journalled_write_end() function incorrectly calls ext4_write_inline_data_end() without checking if the EXT4_STATE_MAY_INLINE_DATA flag is still set on the inode. If a previous attempt to convert the inline data to an extent failed (e.g. due to ENOSPC), the EXT4_STATE_MAY_INLINE_DATA flag is cleared, but the EXT4_INODE_INLINE_DATA flag remains set. In this scenario, the next call to ext4_write_begin() will not prepare the inline data xattr for writing, but ext4_journalled_write_end() will incorrectly attempt to write to it, triggering a BUG_ON(pos + len > EXT4_I(inode)->i_inline_size) in ext4_write_inline_data() since i_inline_size was not expanded. Fix this by ensuring that ext4_journalled_write_end() only calls ext4_write_inline_data_end() if the EXT4_STATE_MAY_INLINE_DATA flag is set, mirroring the behavior of ext4_write_end() and ext4_da_write_end(). Reported-by: syzbot+0c89d865531d053abb2d@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=0c89d865531d053abb2d Fixes: 3fdcfb668fd7 ("ext4: add journalled write support for inline data") Signed-off-by: Aditya Prakash Srivastava <aditya.ansh182@gmail.com> Reviewed-by: Jan Kara <jack@suse.cz> Link: https://patch.msgid.link/20260608065227.3018-1-aditya.ansh182@gmail.com Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2026-06-10Merge branch 'bonding-3ad-fix-carrier-state-with-no-usable-slaves'Jakub Kicinski
Louis Scalbert says: ==================== bonding: 3ad: fix carrier state with no usable slaves This series addresses a blackholing issue and a subsequent link-flapping issue in the 802.3ad bonding driver when dealing with inactive slaves and the `min_links` parameter. When an 802.3ad (LACP) bonding interface has no slaves in the collecting/distributing state, the bonding master still reports carrier as up as long as at least 'min_links' slaves have carrier. In this situation, only one slave is effectively used for TX/RX, while traffic received on other slaves is dropped. Upper-layer daemons therefore consider the interface operational, even though traffic may be blackholed if the lack of LACP negotiation means the partner is not ready to deal with traffic. This patchset introduces an optional behavior, widely adopted across the industry, to address this issue. It consists of bringing the bonding master interface down to signal to upper-layer processes that it is not usable. This patchset depends on the following iproute2 change: ip/bond: add lacp_strict support Link: https://lore.kernel.org/netdev/20260408152409.276358-1-louis.scalbert@6wind.com/ Patch 1 adds the missing IFLA_BOND_BROADCAST_NEIGH in if_link UAPI header. Patch 2 adds missing broadcast-neigh to YAML rt-link specs. Patch 3 introduces the lacp_strict configuration knob, which is applied in the subsequent patch. The default (off) mode preserves the existing behavior, while the strict mode (on) is intended to force the bonding master carrier down in this situation. Patch 4 addresses the core issue when lacp_strict is set to strict. It ensures that carrier is asserted only when at least 'min_links' slaves are in the Collecting/Distributing state. Patch 5 fixes a side effect of the previous patch. Tightening the carrier logic exposes a state persistence bug: when a physical link goes down, the LACP collecting/distributing flags remain set. When the link returns, the interface briefly hallucinates that it is ready, bounces the carrier up, and then drops it again once LACP renegotiation starts. Fix by resetting Collecting and Distributing state as soon as the link goes down. Patch 6 adds a test for bonding lacp_strict both modes. ==================== Link: https://patch.msgid.link/20260603150331.1919611-1-louis.scalbert@6wind.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-10selftests: bonding: add test for lacp_strict modeLouis Scalbert
Add a test for the bonding lacp_strict mode. Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com> Acked-by: Jay Vosburgh <jv@jvosburgh.net> Link: https://patch.msgid.link/20260603150331.1919611-7-louis.scalbert@6wind.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-10bonding: 3ad: fix mux port state on oper downLouis Scalbert
When the bonding interface has carrier down due to the absence of usable slaves and a slave transitions from down to up, the bonding interface briefly goes carrier up, then down again, and finally up once LACP negotiates collecting and distributing on the port. When lacp_strict mode is on, the interface should not transition to carrier up until LACP negotiation is complete. This happens because the actor and partner port states remain in Collecting_Distributing when the port goes down. When the port comes back up, it temporarily remains in this state until LACP renegotiation occurs. Previously this was mostly cosmetic, but since the bonding carrier state may depend on the LACP negotiation state, it causes the interface to flap. According to IEEE 802.3ad-2000 and IEEE 802.1ax-2014, Collecting and Distributing should be reset when a port goes down: - In the Receive state machine, port_enabled == FALSE causes a transition to the PORT_DISABLED state, which is expected to clear Partner_Oper_Port_State.Synchronization. - In the Mux state machine, Partner_Oper_Port_State.Synchronization == FALSE causes a transition to the ATTACHED state, which disables Collecting and Distributing. However, Partner_Oper_Port_State.Synchronization is not cleared in the PORT_DISABLED state. Clear Partner_Oper_Port_State.Synchronization in the Receive PORT_DISABLED state. Fixes: 655f8919d549 ("bonding: add min links parameter to 802.3ad") Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com> Acked-by: Jay Vosburgh <jv@jvosburgh.net> Link: https://patch.msgid.link/20260603150331.1919611-6-louis.scalbert@6wind.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-10bonding: 3ad: fix carrier when no usable slavesLouis Scalbert
Apply the "lacp_strict" configuration from the previous commit. "lacp_strict" mode "on" asserts that the bonding master carrier is up only when at least 'min_links' slaves are in the Collecting_Distributing state. Fixes: 655f8919d549 ("bonding: add min links parameter to 802.3ad") Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com> Acked-by: Jay Vosburgh <jv@jvosburgh.net> Link: https://patch.msgid.link/20260603150331.1919611-5-louis.scalbert@6wind.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-10bonding: 3ad: add lacp_strict configuration knobLouis Scalbert
When an 802.3ad (LACP) bonding interface has no slaves in the collecting/distributing state, the bonding master still reports carrier as up as long as at least 'min_links' slaves have carrier. In this situation, only one slave is effectively used for TX/RX, while traffic received on other slaves is dropped. Upper-layer daemons therefore consider the interface operational, even though traffic may be blackholed if the lack of LACP negotiation means the partner is not ready to deal with traffic. Introduce a configuration knob to control this behavior. It allows the bonding master to assert carrier only when at least 'min_links' slaves are in Collecting_Distributing state. The default mode preserves the existing behavior. This patch only introduces the knob; its behavior is implemented in the subsequent commit. Fixes: 655f8919d549 ("bonding: add min links parameter to 802.3ad") Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com> Acked-by: Jay Vosburgh <jv@jvosburgh.net> Link: https://patch.msgid.link/20260603150331.1919611-4-louis.scalbert@6wind.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-10Merge branch 'rust-for-s390' into featuresAlexander Gordeev
Jan Polensky says: =================== Rust support on s390 requires a small set of architecture-specific pieces before the generic Rust kernel infrastructure can be used. The series wires up s390 as a Rust-capable 64-bit architecture, adds the missing assembly interfaces needed by Rust for WARN/BUG reporting and for static branches, adjusts bindgen parameters to avoid repr layout conflicts caused by packed and aligned s390 structures, and fixes issues discovered during testing. s390 currently requires rustc with support for -Zpacked-stack, and the minimum tool version gating is adjusted accordingly. Link: https://github.com/Rust-for-Linux/linux/issues/2 Tested against: rustc 1.96.0 (ac68faa20 2026-05-25) =================== Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
2026-06-10netlink: specs: rt-link: missed broadcast-neighLouis Scalbert
Add missed broadcast-neigh. Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com> Acked-by: Jay Vosburgh <jv@jvosburgh.net> Link: https://patch.msgid.link/20260603150331.1919611-3-louis.scalbert@6wind.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-10tools: missed broadcast_neigh if_link uapi headerLouis Scalbert
Add missing IFLA_BOND_BROADCAST_NEIGH in if_link uapi header. Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com> Acked-by: Jay Vosburgh <jv@jvosburgh.net> Link: https://patch.msgid.link/20260603150331.1919611-2-louis.scalbert@6wind.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-10ext4: fix ERR_PTR(0) in ext4_mkdir()Hongling Zeng
When mkdir succeeds, ext4_mkdir() returns ERR_PTR(0) which is incorrect. It should return NULL instead for success and ERR_PTR() only with negative error codes for failure. Fixes: 88d5baf69082 ("Change inode_operations.mkdir to return struct dentry *") Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn> Reviewed-by: Jan Kara <jack@suse.cz> Reviewed-by: Baokun Li <libaokun@linux.alibaba.com> Link: https://patch.msgid.link/20260604073647.211279-1-zenghongling@kylinos.cn Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2026-06-10nvmet-auth: reject short AUTH_RECEIVE buffersMichael Bommarito
nvmet_execute_auth_receive() trusts the AUTH_RECEIVE allocation length after checking only that it is nonzero and matches the transfer length. In the SUCCESS1 and FAILURE1/default states, that lets a remote NVMe-oF initiator reach the fixed-size DH-HMAC-CHAP response builders with a kmalloc() buffer shorter than the response, so nvmet_auth_success1() and nvmet_auth_failure1() write past the allocation; both only WARN_ON the short length and then format the message anyway. Impact: A remote NVMe-oF initiator with access to an auth-enabled target can trigger a 16-byte heap out-of-bounds write via a one-byte AUTH_RECEIVE allocation length. Compute the minimum response length for the current DH-HMAC-CHAP step in nvmet_auth_receive_data_len() and report a zero data length when the host-supplied allocation length is shorter, so the existing zero-length check in nvmet_execute_auth_receive() rejects the command before any builder runs. The SUCCESS1 minimum is sizeof(struct nvmf_auth_dhchap_success1_data) plus the HMAC hash length, because the response hash is written into the rval[] flexible-array tail, so the minimum is state dependent rather than a flat sizeof. CHALLENGE keeps its existing variable-length guard in nvmet_auth_challenge(). This is reachable only when in-band DH-HMAC-CHAP authentication is configured on the target. Fixes: db1312dd9548 ("nvmet: implement basic In-Band Authentication") Cc: stable@vger.kernel.org Assisted-by: Codex:gpt-5-5-xhigh Assisted-by: Claude:claude-opus-4-8 Reviewed-by: Hannes Reinecke <hare@kernel.org> Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com> Signed-off-by: Keith Busch <kbusch@kernel.org>
2026-06-10jbd2: remove special jbd2 slabsMatthew Wilcox (Oracle)
When jbd2 was originally written, kmalloc() would not guarantee memory alignment for the requested objects. Since commit 59bb47985c1d in 2019, kmalloc has guaranteed natural alignment for power-of-two allocations. We can now remove the jbd2 special slabs and just use kmalloc() directly. Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org> Reviewed-by: Jan Kara <jack@suse.cz> Acked-by: Mike Rapoport (Microsoft) <rppt@kernel.org> Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org> Reviewed-by: Tal Zussman <tz2294@columbia.edu> Link: https://patch.msgid.link/20260528171413.1088143-1-willy@infradead.org Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2026-06-10ext4: remove mention of PageWritebackMatthew Wilcox (Oracle)
Update a comment to refer to the concept of writeback instead of the (now obsolete) detail of how it's implemented. Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org> Reviewed-by: Baokun Li <libaokun@linux.alibaba.com> Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com> Reviewed-by: Jan Kara <jack@suse.cz> Link: https://patch.msgid.link/20260526190805.341676-1-willy@infradead.org Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2026-06-10perf tools: Use perf_env__get_cpu_topology() in machine__resolve()Arnaldo Carvalho de Melo
machine__resolve() accesses env->cpu[al->cpu].socket_id after checking al->cpu >= 0 and env->cpu != NULL, but without validating al->cpu against env->nr_cpus_avail. Since al->cpu comes from the untrusted perf.data sample, a crafted file with a large CPU index causes an out-of-bounds heap read. Use perf_env__get_cpu_topology() which validates both NULL and bounds. Also bounds-check al->cpu before the cast to struct perf_cpu (int16_t): without this, values like 65536 silently truncate to 0, bypassing the accessor's internal check and returning CPU 0's topology. Fixes: 0c4c4debb0adda4c ("perf tools: Add processor socket info to hist_entry and addr_location") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Reviewed-by: Ian Rogers <irogers@google.com> Cc: Kan Liang <kan.liang@intel.com> Cc: Ian Rogers <irogers@google.com> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-10perf tools: Use scnprintf() in cpu_map__snprint() to prevent overflowArnaldo Carvalho de Melo
cpu_map__snprint() accumulates snprintf() return values in ret. snprintf() returns the number of characters that *would have been written* on truncation, not the actual count. When a fragmented CPU list exceeds the buffer, ret grows past size, causing `size - ret` to underflow (both are size_t), and subsequent snprintf() calls write past the end of the caller's stack buffer. Switch to scnprintf() which returns the actual number of characters written, making ret accumulation safe by construction. Fixes: a24020e6b7cf6eb8 ("perf tools: Change cpu_map__fprintf output") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Reviewed-by: Ian Rogers <irogers@google.com> Cc: Jiri Olsa <jolsa@kernel.org> Cc: Ian Rogers <irogers@google.com> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-10perf tools: Fix get_max_num() size_t underflow on empty sysfs fileArnaldo Carvalho de Melo
get_max_num() reads a sysfs file (cpu/possible, cpu/present, or node/possible) and scans backward from the end to find the last number. If the file is empty, filename__read_str() returns num == 0. The loop `while (--num)` decrements the size_t from 0 to SIZE_MAX, reading backward across the heap until a comma or hyphen is found or unmapped memory is hit. Add an early return for empty files before the backward scan. Fixes: 7780c25bae59fd04 ("perf tools: Allow ability to map cpus to nodes easily") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Reviewed-by: Ian Rogers <irogers@google.com> Cc: Don Zickus <dzickus@redhat.com> Cc: Ian Rogers <irogers@google.com> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-10nvme-fc: Do not cancel requests in io target before it is initializedMohamed Khalfella
A new nvme-fc controller in CONNECTING state sees admin request timeout schedules ctrl->ioerr_work to abort inflight requests. This ends up calling __nvme_fc_abort_outstanding_ios() which aborts requests in both admin and io tagsets. In case fc_ctrl->tag_set was not initialized we see the warning below. This is because ctrl.queue_count is initialized early in nvme_fc_alloc_ctrl(). nvme nvme0: NVME-FC{0}: starting error recovery Connectivity Loss INFO: trying to register non-static key. The code is fine but needs lockdep annotation, or maybe lpfc 0000:ab:00.0: queue 0 connect admin queue failed (-6). you didn't initialize this object before use? turning off the locking correctness validator. Workqueue: nvme-reset-wq nvme_fc_ctrl_ioerr_work [nvme_fc] Call Trace: <TASK> dump_stack_lvl+0x57/0x80 register_lock_class+0x567/0x580 __lock_acquire+0x330/0xb90 lock_acquire.part.0+0xad/0x210 blk_mq_tagset_busy_iter+0xf9/0xc00 __nvme_fc_abort_outstanding_ios+0x23f/0x320 [nvme_fc] nvme_fc_ctrl_ioerr_work+0x172/0x210 [nvme_fc] process_one_work+0x82c/0x1450 worker_thread+0x5ee/0xfd0 kthread+0x3a0/0x750 ret_from_fork+0x439/0x670 ret_from_fork_asm+0x1a/0x30 </TASK> Update the check in __nvme_fc_abort_outstanding_ios() confirm that io tagset was created before iterating over busy requests. Also make sure to cancel ctrl->ioerr_work before removing io tagset. Reviewed-by: Randy Jennings <randyj@purestorage.com> Reviewed-by: Hannes Reinecke <hare@kernel.org> Reviewed-by: Daniel Wagner <dwagner@suse.de> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Mohamed Khalfella <mkhalfella@purestorage.com> Signed-off-by: James Smart <jsmart833426@gmail.com> Signed-off-by: Maurizio Lombardi <mlombard@redhat.com> Signed-off-by: Keith Busch <kbusch@kernel.org>
2026-06-10nvme: make nvme_add_ns{_head}_cdev return voidJohn Garry
The return code from nvme_add_ns_head_cdev() and nvme_add_ns_cdev() is never checked, so make those functions return void. A cdev add failure is tolerated during initialization, and flags NVME_NS_CDEV_LIVE and NVME_NSHEAD_CDEV_LIVE are for determining whether a cdev needs to be deleted during un-initialization. Reviewed-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Hannes Reinecke <hare@kernel.org> Signed-off-by: John Garry <john.g.garry@oracle.com> Signed-off-by: Keith Busch <kbusch@kernel.org>
2026-06-10nvme: make some sysfs diagnostic structures staticJohn Garry
Building with C=1 generates the following warnings: drivers/nvme/host/sysfs.c:397:25: warning: symbol 'dev_attr_io_errors' was not declared. Should it be static? drivers/nvme/host/sysfs.c:444:30: warning: symbol 'nvme_ns_diag_attr_group' was not declared. Should it be static? drivers/nvme/host/sysfs.c:1150:25: warning: symbol 'dev_attr_adm_errors' was not declared. Should it be static? Make those structures static. Closes: https://lore.kernel.org/oe-kbuild-all/202606101329.T3zXNqdy-lkp@intel.com/ Reviewed-by: Nilay Shroff <nilay@linux.ibm.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: John Garry <john.g.garry@oracle.com> Signed-off-by: Keith Busch <kbusch@kernel.org>
2026-06-10ALSA: pcm: Fix unlocked state reads in read/write file opsCássio Gabriel
The PCM read/write and readv/writev file operations reject streams in OPEN or DISCONNECTED state before accessing the configured runtime parameters. However, each operation reads runtime->state without the PCM stream lock. PCM state updates are serialized by the stream lock and may occur concurrently from IRQ context. Use a local predicate based on snd_pcm_get_state() to take a locked state snapshot for these VFS entry checks. This also consolidates the duplicated OPEN and DISCONNECTED tests. The conditions and returned errors remain unchanged. Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com> Link: https://patch.msgid.link/20260610-alsa-pcm-read-write-state-helper-v1-1-93b7b992db09@gmail.com Signed-off-by: Takashi Iwai <tiwai@suse.de>
2026-06-10s390: Enable Rust supportJan Polensky
Enable building Rust code on s390 by wiring the architecture into the kernel Rust infrastructure. Add s390 to the Rust arch support documentation, provide the s390 Rust target and required compiler flags, and set the bindgen target for arch/s390. Adjust the Rust target generation and minimum rustc version gating so the s390 setup is handled explicitly. The Rust toolchain uses the "s390x" triple naming for the 64 bit target. Rust support is currently incompatible with CONFIG_EXPOLINE, which relies on compiler support for the -mindirect-branch= and -mfunction_return= options. Therefore, select HAVE_RUST only when EXPOLINE is disabled. Acked-by: Miguel Ojeda <ojeda@kernel.org> Acked-by: Gary Guo <gary@garyguo.net> Acked-by: Heiko Carstens <hca@linux.ibm.com> Signed-off-by: Jan Polensky <japo@linux.ibm.com> Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
2026-06-10s390/cmpxchg: Fix KASAN stack-out-of-bounds in atomic helpersJan Polensky
The __arch_cmpxchg1, __arch_cmpxchg2, __arch_xchg1, and __arch_xchg2 functions emulate 1-byte and 2-byte atomic operations using 4-byte cmpxchg instructions, since s390 lacks native 1/2-byte cmpxchg support. When KASAN is enabled, the READ_ONCE() operations in these functions trigger stack-out-of-bounds warnings because they perform 4-byte reads when only 1 or 2 bytes should be accessed. Mark these functions as __no_sanitize_or_inline to prevent KASAN instrumentation while maintaining correct functionality. This resolves the following KASAN error during rust_atomics KUnit tests: BUG: KASAN: stack-out-of-bounds in rust_helper_atomic_i8_xchg+0xb2/0xc0 Read of size 4 at addr 001bff7ffdbefcf0 by task kunit_try_catch/142 Reported-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com> Link: https://lore.kernel.org/rust-for-linux/CANiq72m4GVWFYqnxNtCHTPu7XcGewHB5LNwOoayTfnXs9pPbNg@mail.gmail.com/ Suggested-by: Gary Guo <gary@garyguo.net> Link: https://lore.kernel.org/rust-for-linux/DITFTAVVHTNQ.380OHUHGTOI6M@garyguo.net/ Acked-by: Heiko Carstens <hca@linux.ibm.com> Acked-by: Gary Guo <gary@garyguo.net> Signed-off-by: Jan Polensky <japo@linux.ibm.com> Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
2026-06-10rust: helpers: Add memchr wrapper for string operationsJan Polensky
Add a dedicated string helper file with a memchr wrapper that uses the kernel's instrumented memchr() function to ensure KASAN and FORTIFY_SOURCE protections are preserved for Rust code. Reported-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com> Link: https://lore.kernel.org/rust-for-linux/CANiq72mXAZc0sNM7ShX8VDVs_7zJddawP-e=wt+ERr1YUCcWUw@mail.gmail.com/ Signed-off-by: Jan Polensky <japo@linux.ibm.com> Acked-by: Heiko Carstens <hca@linux.ibm.com> Acked-by: Gary Guo <gary@garyguo.net> Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
2026-06-10rust/bindgen_parameters: Mark s390 types as opaque to prevent repr conflictsJan Polensky
Bindgen attempts to generate Rust layouts for a number of s390 structs that are packed but contain, or transitively contain, aligned fields. Rust rejects such layouts with E0588 ("packed type cannot transitively contain a #[repr(align)] type"). Add the affected s390 types to the opaque type list so bindgen emits opaque blob types instead of full representations. This matches existing workarounds for x86 types such as alt_instr and x86_msi_data. Link: https://lore.kernel.org/all/e5c7aa10-590d-0d20-dd3b-385bee2377e7@intel.com/ Acked-by: Miguel Ojeda <ojeda@kernel.org> Reviewed-by: Gary Guo <gary@garyguo.net> Acked-by: Heiko Carstens <hca@linux.ibm.com> Signed-off-by: Jan Polensky <japo@linux.ibm.com> Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
2026-06-10s390/jump_label: Implement ARCH_STATIC_BRANCH_JUMP_ASM and ↵Jan Polensky
ARCH_STATIC_BRANCH_ASM macros Rust static branch support needs the s390 jump label instruction sequence and __jump_table emission in a reusable form. The current implementation embeds the sequence directly in the C asm goto blocks, which cannot be shared with Rust. Introduce ARCH_STATIC_BRANCH_ASM and ARCH_STATIC_BRANCH_JUMP_ASM to describe the brcl sequences for the likely-false and likely-true cases and to emit the same __jump_table entries as before. Switch the existing C helpers to use the new macros to avoid duplication without changing the generated code. Acked-by: Gary Guo <gary@garyguo.net> Acked-by: Miguel Ojeda <ojeda@kernel.org> Acked-by: Heiko Carstens <hca@linux.ibm.com> Reviewed-by: Alice Ryhl <aliceryhl@google.com> Signed-off-by: Jan Polensky <japo@linux.ibm.com> Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
2026-06-10s390/bug: Provide ARCH_WARN_ASM for Rust WARN/BUG supportJan Polensky
Rust WARN and BUG support relies on ARCH_WARN_ASM to emit __bug_table entries. On s390 the macro is missing, so Rust code cannot generate proper WARN/BUG metadata for the kernel's bug reporting infrastructure. Define ARCH_WARN_ASM to produce the same assembly sequence and __bug_table entry format as the existing s390 BUG handling, including the monitor call. Define ARCH_WARN_REACHABLE as empty since s390 does not provide reachability analysis for warning paths. Acked-by: Gary Guo <gary@garyguo.net> Acked-by: Miguel Ojeda <ojeda@kernel.org> Acked-by: Heiko Carstens <hca@linux.ibm.com> Signed-off-by: Jan Polensky <japo@linux.ibm.com> Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
2026-06-10Merge tag 'riscv-for-linux-7.1-rc8' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux Pull RISC-V fixes from Paul Walmsley: - Fix the implementation of the CFI branch landing pad control prctl()s to return -EINVAL if unknown control bits are set, rather than silently ignoring the request; and add a kselftest for this case - Fix unaligned access performance testing to happen earlier in boot, which fixes a performance regression in the lib/checksum code - Fix a binfmt_elf warning when dumping core (due to missing .core_note_name for CFI registers) * tag 'riscv-for-linux-7.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux: riscv: cfi: reject unknown flags in PR_SET_CFI riscv: Fix fast_unaligned_access_speed_key not getting initialized riscv/ptrace: Use USER_REGSET_NOTE_TYPE for REGSET_CFI
2026-06-10namespace: restrict OPEN_TREE_NAMESPACE/FSMOUNT_NAMESPACE to directoriesJann Horn
open_tree(..., OPEN_TREE_NAMESPACE) and fsmount(..., FSMOUNT_NAMESPACE, ...) currently work on non-directories, like regular files. That's bad for two reasons: - It ends up mounting a regular file over the inherited namespace root, which is a directory; mounting a non-directory over a directory is normally explicitly forbidden, see for example do_move_mount() - It causes setns() on the new namespace to set the cwd to a regular file, which the rest of VFS does not expect Fix it by restricting create_new_namespace() (which is used by both of these flags) to directories. Leave the behavior for OPEN_TREE_CLONE as-is, that seems unproblematic. Fixes: 9b8a0ba68246 ("mount: add OPEN_TREE_NAMESPACE") Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Christian Brauner <brauner@kernel.org> Cc: Jan Kara <jack@suse.cz> Cc: stable@kernel.org Signed-off-by: Jann Horn <jannh@google.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2026-06-10PCI: imx6: Integrate new pwrctrl APISherry Sun
Integrate the PCI pwrctrl framework into the pci-imx6 driver to provide standardized power management for PCI devices. Legacy regulator handling (vpcie-supply at controller level) is maintained for backward compatibility with existing device trees. New device trees should specify power supplies at the Root Port level to utilize the pwrctrl framework. Signed-off-by: Sherry Sun <sherry.sun@nxp.com> Signed-off-by: Manivannan Sadhasivam <mani@kernel.org> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260520084904.2424253-2-sherry.sun@oss.nxp.com
2026-06-10platform/x86: ISST: Restore SST-PP control to all domainsSrinivas Pandruvada
The SST-PP control offset is only restored to power domain 0 after resume. During suspend, control values are read and stored for all power domains. Use pd_info->sst_base instead of power_domain_info->sst_base, which only points to power domain 0 base address. Fixes: dc7901b5a156 ("platform/x86: ISST: Store and restore all domains data") Reported-by: Yi Lai <yi1.lai@intel.com> Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@intel.com> Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20260528204521.3531456-1-srinivas.pandruvada@linux.intel.com Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
2026-06-10hwmon: (gpd-fan): fix race condition between device removal and sysfs accessPei Xiao
Replace the manual gpd_fan_remove() callback with a devres-managed action using devm_add_action_or_reset(). The original remove hook resets the fan to AUTOMATIC mode, but the hwmon sysfs interface (registered with devm_hwmon_device_register_with_info()) remains active until after the remove callback completes. This creates a race window where a concurrent userspace sysfs access can interleave with the EC I/O sequence, potentially corrupting EC registers. Using devm_add_action_or_reset() registers the reset function as a devres action. Due to the LIFO release order of devres, the hwmon device is unregistered (sysfs removed) before the reset action executes, eliminating the race condition. Fixes: 0ab88e239439 ("hwmon: add GPD devices sensor driver") Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn> Link: https://lore.kernel.org/r/4400828422cf3a88adad4db224d9efccdb1049d2.1781055639.git.xiaopei01@kylinos.cn Signed-off-by: Guenter Roeck <linux@roeck-us.net>
2026-06-10hwmon: (gpd-fan): upgrade log level from warn to err for platform device ↵Pei Xiao
creation failure When platform_create_bundle() fails, the error is fatal and prevents the driver from loading. Use pr_err() instead of pr_warn() to clearly indicate a critical failure. Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn> Link: https://lore.kernel.org/r/aeb2eaa6df90178b18057a8022a0eccde7bbc82c.1781055639.git.xiaopei01@kylinos.cn Signed-off-by: Guenter Roeck <linux@roeck-us.net>
2026-06-10hwmon: (gpd-fan): Initialize EC before registering hwmon devicePei Xiao
Move the gpd_init_ec() call to before devm_hwmon_device_register_with_info in the probe function. With the previous ordering the hwmon device was registered and exposed to userspace before the EC initialization completes, creating a window where sysfs reads could return invalid values. Some buggy firmware won't initialize EC properly on boot. Before its initialization, reading RPM will always return 0, and writing PWM will have no effect. So move gpd_init_ec to before hwmon device register. Fixes: 0ab88e239439 ("hwmon: add GPD devices sensor driver") Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn> Link: https://lore.kernel.org/r/4be3734b135c8013157979ab5e80c7ee51243ddd.1781055639.git.xiaopei01@kylinos.cn Signed-off-by: Guenter Roeck <linux@roeck-us.net>
2026-06-10hwmon: (gpd-fan): drop global driver data and use per-device allocationPei Xiao
replace the global state gpd_driver_priv with per-device private data (struct gpd_fan_data) allocated in probe. This allows the driver to support multiple instances in the future and aligns with kernel best practices. No functional change intended. Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn> Link: https://lore.kernel.org/r/1cd3e13033fdd3d0f9b59322f7c86e350d113b92.1781055639.git.xiaopei01@kylinos.cn Signed-off-by: Guenter Roeck <linux@roeck-us.net>
2026-06-10hwmon: (pmbus/max34440): add support adpm12250Alexis Czezar Torreno
ADPM12250 is a quarter brick DC/DC Power Module. It is a high power non-isolated converter capable of delivering regulated 12V with continuous power level of 2500W. Uses PMBus. Signed-off-by: Alexis Czezar Torreno <alexisczezar.torreno@analog.com> Reviewed-by: Nuno Sá <nuno.sa@analog.com> Link: https://lore.kernel.org/r/20260610-dev-adpm12250-v1-1-422760bb80da@analog.com Signed-off-by: Guenter Roeck <linux@roeck-us.net>
2026-06-10watchdog: sc1200: Drop unused assignment of pnp_device_id driver dataUwe Kleine-König (The Capable Hub)
The driver explicitly sets the .driver_data member of struct pnp_device_id to zero without relying on that value. Drop this unused assignments. While touching this array simplify the list terminator. This patch doesn't modify the compiled array, only its representation in source form benefits. The former was confirmed with builds on x86 and arm64. Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com> Link: https://lore.kernel.org/r/0793f81a854f9e5880ad38f54c8583b3d56e5d60.1781081216.git.u.kleine-koenig@baylibre.com Signed-off-by: Guenter Roeck <linux@roeck-us.net>
2026-06-10floppy: Drop unused pnp driver dataUwe Kleine-König (The Capable Hub)
The pnp_device_id array is only used for module data to support auto-loading the floppy module. So the .driver_data member is unused and this assignment can be dropped. While touching that array, align the coding style to what is used most for these. This patch doesn't modify the compiled array, only its representation in source form benefits. The former was confirmed with x86 and arm64 builds. Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com> Reviewed-by: Denis Efremov (Oracle) <efremov@linux.com> Link: https://patch.msgid.link/99dbf851ffb99229ea1dcfd8f58e9ee6a1f05349.1781075967.git.u.kleine-koenig@baylibre.com Signed-off-by: Jens Axboe <axboe@kernel.dk>
2026-06-10KVM: arm64: nv: Hold kvm->mmu_lock while initialising vcpu->arch.vncr_tlbMarc Zyngier
Sashiko reports that there is a race between initialising vncr_tlb and making use of it, as we don't hold the mmu_lock at this point. Additionally, it identifies a memory leak, should userspace repeatedly invokes the KVM_RUN ioctl after a failure of kvm_arch_vcpu_run_pid_change(), as we assign vncr_tlb blindly on first run, irrespective of prior allocations. Slap the two bugs in one go by taking the kvm->mmu_lock on assigning vncr_tlb, preventing the race for good, and by checking that vncr_tlb is indeed NULL prior to allocation. Reported-by: Sashiko <sashiko-bot@kernel.org> Link: https://lore.kernel.org/r/20260607180815.85FBC1F00893@smtp.kernel.org Reviewed-by: Oliver Upton <oupton@kernel.org> Link: https://patch.msgid.link/20260608081108.2244133-1-maz@kernel.org Signed-off-by: Marc Zyngier <maz@kernel.org>
2026-06-10platform/x86/intel-uncore-freq: Fix current_freq_khz after CPU hotplugGuixiong Wei
When the last CPU of a legacy uncore die goes offline, uncore_freq_remove_die_entry() clears control_cpu. During CPU hotplug re-add, uncore_freq_add_entry() still populates sysfs attributes before assigning the new control CPU. As a result, the current frequency read returns -ENXIO and current_freq_khz is omitted from the recreated sysfs group. Assign control_cpu before the initial read paths and before create_attr_group() so sysfs recreation uses the new online CPU. If sysfs creation fails, restore control_cpu to -1 to keep the error path state consistent. Fixes: 4d73c6772ab7 ("platform/x86: intel-uncore-freq: Conditionally create attribute for read frequency") Cc: stable@vger.kernel.org Signed-off-by: Guixiong Wei <weiguixiong@bytedance.com> Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> Link: https://patch.msgid.link/20260602020752.3126-1-weiguixiong@bytedance.com Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
2026-06-10platform/x86: intel-hid: Protect ACPI notify handler against recursionHyeongJun An
Since commit e2ffcda16290 ("ACPI: OSL: Allow Notify () handlers to run on all CPUs") ACPI notify handlers like the intel-hid notify_handler() may run on multiple CPU cores racing with themselves. On convertibles and detachables (matched by DMI chassis-type 31 and 32 in dmi_auto_add_switch[]) the SW_TABLET_MODE input device is registered lazily from notify_handler() on the first tablet-mode event, via intel_hid_switches_setup(). When two such events race on different CPUs both can pass the !priv->switches check and register the priv->switches input device twice, resulting in a duplicate sysfs entry and a subsequent NULL pointer dereference. This is the same class of bug fixed by commit e075c3b13a0a ("platform/x86: intel-vbtn: Protect ACPI notify handler against recursion") for the sibling intel-vbtn driver. Protect intel-hid notify_handler() from racing with itself with a mutex to fix this. Fixes: e2ffcda16290 ("ACPI: OSL: Allow Notify () handlers to run on all CPUs") Cc: stable@vger.kernel.org Signed-off-by: HyeongJun An <sammiee5311@gmail.com> Link: https://patch.msgid.link/20260605174905.131095-1-sammiee5311@gmail.com Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
2026-06-10platform/x86/intel/vsec: Restore BAR fallback for header walkDavid E. Box
The base_addr refactor changed intel_vsec_walk_header() to pass info->base_addr as the discovery-table base address. For the PCI VSEC driver this info comes from driver_data, but exported callers may provide their own static headers and leave base_addr unset. For xe, this made the discovery-table base address zero instead of the BAR selected by header->tbir, preventing PMT endpoints from being created. Restore the previous behavior for the header-walk path by falling back to pci_resource_start(pdev, header->tbir) when base_addr is not specified. Keep explicit base_addr override behavior unchanged. This preserves the refactor structure while fixing the functional regression in manual-header users. Fixes: 904b333fc51c ("platform/x86/intel/vsec: Refactor base_addr handling") Assisted-by: Claude:claude-sonnet-4-6 Signed-off-by: David E. Box <david.e.box@linux.intel.com> Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com> Link: https://patch.msgid.link/20260529183150.129744-1-david.e.box@linux.intel.com Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
2026-06-10platform/x86: dell-laptop: fix missing cleanups in init error pathHaoxiang Li
dell_init() initializes several resources after dell_setup_rfkill(), including the optional touchpad LED, keyboard backlight LED, battery hook, debugfs directory and dell-laptop notifier. If a later LED or backlight registration fails, the error path only tears down the battery hook and rfkill resources. This leaves the notifier, debugfs directory, keyboard backlight LED and optional touchpad LED registered after dell_init() returns an error. Add the missing cleanup calls before tearing down rfkill. Fixes: 9c656b07997f ("platform/x86: dell-*: Call new led hw_changed API on kbd brightness change") Fixes: 037accfa14b2 ("dell-laptop: Add debugfs support") Fixes: 2d8b90be4f1c ("dell-laptop: support Synaptics/Alps touchpad led") Fixes: 6cff8d60aa0a ("platform: x86: dell-laptop: Add support for keyboard backlight") Cc: stable@vger.kernel.org Signed-off-by: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn> Link: https://patch.msgid.link/20260609081419.1995169-1-lihaoxiang@isrc.iscas.ac.cn Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
2026-06-10ASoC: remove .debugfs_prefix from ComponentMark Brown
Kuninori Morimoto <kuninori.morimoto.gx@renesas.com> says: Basically, we are assuming to use snd_soc_register_component() (X) to register Component. It requests Component driver (A). And, current Component has .debugfs_prefix (B). Now we can set component->debugfs_prefix (B) via component_driver->debugfs_prefix (A) today. But some drivers are still trying to set it via (B). Thus, they need to use snd_soc_component_initialize() (1) / snd_soc_component_add() (2) instead of (X), because they need to access component->debugfs_prefix (B). These functions (= 1, 2) should be capsuled into soc-xxx.c, but can't because of above drivers. This patch-set removes component->debugfs_prefix (B). The functions (= 1, 2) are still not yet be capsuled. This is step1 for it, step2 will be posted after this. Link: https://patch.msgid.link/87ldcxk5wz.wl-kuninori.morimoto.gx@renesas.com
2026-06-10ASoC: soc-component: remove .debugfs_prefix from ComponentKuninori Morimoto
All drivers are now setting .debugfs_prefix via Component driver. Remove it from Component. Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com> Link: https://patch.msgid.link/87cxy9k5vj.wl-kuninori.morimoto.gx@renesas.com Signed-off-by: Mark Brown <broonie@kernel.org>
2026-06-10ASoC: mediatek: mt8173-afe-pcm: set debugfs_prefix via Component driverKuninori Morimoto
We can set component->debugfs_prefix via component_driver->debugfs_prefix. Use it. Now it no longer need to use snd_soc_component_initialize() / snd_soc_component_add(). use snd_soc_component_register() instead. Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com> Link: https://patch.msgid.link/87ecipk5vo.wl-kuninori.morimoto.gx@renesas.com Signed-off-by: Mark Brown <broonie@kernel.org>