commit 38725491e7665640545c8155db53a7b21bcdf886 Author: Bart Van Assche Date: Wed Nov 19 08:57:32 2025 -0800 scsi: MAINTAINERS: Add the UFS include directory Make sure that the linux-scsi mailing list is Cc-ed for changes to UFS include headers. Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251119165742.536170-1-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 90449f2d1e1f020835cba5417234636937dd657e Author: Bart Van Assche Date: Thu Nov 13 10:16:43 2025 -0800 scsi: sg: Do not sleep in atomic context sg_finish_rem_req() calls blk_rq_unmap_user(). The latter function may sleep. Hence, call sg_finish_rem_req() with interrupts enabled instead of disabled. Reported-by: syzbot+c01f8e6e73f20459912e@syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-scsi/691560c4.a70a0220.3124cb.001a.GAE@google.com/ Cc: Hannes Reinecke Cc: stable@vger.kernel.org Fixes: 97d27b0dd015 ("scsi: sg: close race condition in sg_remove_sfp_usercontext()") Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251113181643.1108973-1-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 13b77ed9c2a9e5a1248222df8aeaecb0c2ead9cb Author: Bart Van Assche Date: Thu Nov 13 09:41:51 2025 -0800 scsi: scsi_debug: Support injecting unaligned write errors Allow user space software, e.g. a blktests test, to inject unaligned write errors. Acked-by: Douglas Gilbert Reviewed-by: Damien Le Moal Cc: Martin K. Petersen Cc: Christoph Hellwig Cc: Ming Lei Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251113174151.1095574-1-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 78b1a242fe612a755f2158fd206ee6bb577d18ca Author: Zilin Guan Date: Thu Nov 13 15:12:46 2025 +0000 scsi: qla2xxx: Fix improper freeing of purex item In qla2xxx_process_purls_iocb(), an item is allocated via qla27xx_copy_multiple_pkt(), which internally calls qla24xx_alloc_purex_item(). The qla24xx_alloc_purex_item() function may return a pre-allocated item from a per-adapter pool for small allocations, instead of dynamically allocating memory with kzalloc(). An error handling path in qla2xxx_process_purls_iocb() incorrectly uses kfree() to release the item. If the item was from the pre-allocated pool, calling kfree() on it is a bug that can lead to memory corruption. Fix this by using the correct deallocation function, qla24xx_free_purex_item(), which properly handles both dynamically allocated and pre-allocated items. Fixes: 875386b98857 ("scsi: qla2xxx: Add Unsolicited LS Request and Response Support for NVMe") Signed-off-by: Zilin Guan Reviewed-by: Himanshu Madhani Link: https://patch.msgid.link/20251113151246.762510-1-zilin@seu.edu.cn Signed-off-by: Martin K. Petersen commit cda5f23eed84cdca374d60734bf0190138788608 Author: Shawn Lin Date: Thu Nov 13 13:18:11 2025 +0800 scsi: ufs: rockchip: Fix compile error without CONFIG_GPIOLIB drivers/ufs/host/ufs-rockchip.c:168:19: error: implicit declaration of function 'devm_gpiod_get'; did you mean 'em_pd_get'? [-Werror=implicit-function-declaration] drivers/ufs/host/ufs-rockchip.c:214:2: error: implicit declaration of function 'gpiod_set_value_cansleep'; did you mean 'gpio_set_value_cansleep'? [-Werror=implicit-function-declaration] Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202511130238.LlA0MKxW-lkp@intel.com/ Signed-off-by: Shawn Lin Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/1763011091-243727-1-git-send-email-shawn.lin@rock-chips.com Signed-off-by: Martin K. Petersen commit b0ee72db9132bd19b1b80152b35e0cf6a6cbd9f2 Author: Shawn Lin Date: Thu Nov 13 12:52:55 2025 +0800 scsi: ufs: rockchip: Reset controller on PRE_CHANGE of hce enable notify This fixes the dme-reset failed when doing recovery. Because device reset is not enough, we could occasionally see the error below: ufshcd-rockchip 2a2d0000.ufs: uic cmd 0x14 with arg3 0x0 completion timeout ufshcd-rockchip 2a2d0000.ufs: dme-reset: error code -110 ufshcd-rockchip 2a2d0000.ufs: DME_RESET failed ufshcd-rockchip 2a2d0000.ufs: ufshcd_host_reset_and_restore: Host init failed -110 Fix this by resetting the controller on PRE_CHANGE stage of hce enable notify. Fixes: d3cbe455d6eb ("scsi: ufs: rockchip: Initial support for UFS") Signed-off-by: Shawn Lin Link: https://patch.msgid.link/1763009575-237552-1-git-send-email-shawn.lin@rock-chips.com Signed-off-by: Martin K. Petersen commit 31e6e7e54b294f1015681ca284c28d37e94a48eb Author: Bart Van Assche Date: Thu Nov 13 15:52:43 2025 -0800 scsi: ufs: core: Use scsi_device_busy() Use scsi_device_busy() instead of open-coding it. This patch prepares for skipping the SCSI device budget map initialization in certain cases. Reviewed-by: Peter Wang Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251113235252.2015185-1-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 02b5822d2fea1e89009ff167fed5aea2f1e1de85 Author: Bart Van Assche Date: Fri Nov 14 11:34:03 2025 -0800 scsi: ufs: core: Fix single doorbell mode support Commit 22089c218037 ("scsi: ufs: core: Optimize the hot path") accidentally broke support for the legacy single doorbell mode. The tag_set.shared_tags pointer is only != NULL if shared tag support is enabled. The UFS driver only enables shared tag support in MCQ mode. Fix this by handling legacy and MCQ modes differently in ufshcd_tag_to_cmd(). Reported-by: Marek Szyprowski Closes: https://lore.kernel.org/linux-scsi/c988a6dd-588d-4dbc-ab83-bbee17f2a686@samsung.com/ Reported-by: André Draszik Closes: https://lore.kernel.org/linux-scsi/83ffbceb9e66b2a3b6096231551d969034ed8a74.camel@linaro.org/ Tested-by: Marek Szyprowski Fixes: 22089c218037 ("scsi: ufs: core: Optimize the hot path") Signed-off-by: Bart Van Assche Tested-by: André Draszik Link: https://patch.msgid.link/20251114193406.3097237-1-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 8d5cad38cf7da7848a2f4d7ca5adb4110b2cd968 Author: Marco Crivellari Date: Fri Nov 7 16:52:57 2025 +0100 scsi: pm80xx: Add WQ_PERCPU to alloc_workqueue() users Currently if a user enqueues a work item using schedule_delayed_work() the used wq is "system_wq" (per-cpu wq) while queue_delayed_work() use WORK_CPU_UNBOUND (used when a cpu is not specified). The same applies to schedule_work() that is using system_wq and queue_work(), that makes use again of WORK_CPU_UNBOUND. This lack of consistency cannot be addressed without refactoring the API. alloc_workqueue() treats all queues as per-CPU by default, while unbound workqueues must opt-in via WQ_UNBOUND. This default is suboptimal: most workloads benefit from unbound queues, allowing the scheduler to place worker threads where they’re needed and reducing noise when CPUs are isolated. This continues the effort to refactor workqueue APIs, which began with the introduction of new workqueues and a new alloc_workqueue flag in: commit 128ea9f6ccfb ("workqueue: Add system_percpu_wq and system_dfl_wq") commit 930c2ea566af ("workqueue: Add new WQ_PERCPU flag") This adds a new WQ_PERCPU flag to explicitly request to alloc_workqueue() to be per-cpu when WQ_UNBOUND has not been specified. With the introduction of the WQ_PERCPU flag (equivalent to !WQ_UNBOUND), any alloc_workqueue() caller that doesn’t explicitly specify WQ_UNBOUND must now use WQ_PERCPU. Once migration is complete, WQ_UNBOUND can be removed and unbound will become the implicit default. Suggested-by: Tejun Heo Signed-off-by: Marco Crivellari Link: https://patch.msgid.link/20251107155257.316728-1-marco.crivellari@suse.com Signed-off-by: Martin K. Petersen commit 2e2e559390db56c36ebaa8db82fd16a2e367dfb6 Author: Marco Crivellari Date: Fri Nov 7 16:40:08 2025 +0100 scsi: target: Add WQ_PERCPU to alloc_workqueue() users Currently if a user enqueues a work item using schedule_delayed_work() the used wq is "system_wq" (per-cpu wq) while queue_delayed_work() use WORK_CPU_UNBOUND (used when a cpu is not specified). The same applies to schedule_work() that is using system_wq and queue_work(), that makes use again of WORK_CPU_UNBOUND. This lack of consistency cannot be addressed without refactoring the API. alloc_workqueue() treats all queues as per-CPU by default, while unbound workqueues must opt-in via WQ_UNBOUND. This default is suboptimal: most workloads benefit from unbound queues, allowing the scheduler to place worker threads where they’re needed and reducing noise when CPUs are isolated. This continues the effort to refactor workqueue APIs, which began with the introduction of new workqueues and a new alloc_workqueue flag in: commit 128ea9f6ccfb ("workqueue: Add system_percpu_wq and system_dfl_wq") commit 930c2ea566af ("workqueue: Add new WQ_PERCPU flag") This change adds a new WQ_PERCPU flag to explicitly request alloc_workqueue() to be per-cpu when WQ_UNBOUND has not been specified. With the introduction of the WQ_PERCPU flag (equivalent to !WQ_UNBOUND), any alloc_workqueue() caller that doesn’t explicitly specify WQ_UNBOUND must now use WQ_PERCPU. Once migration is complete, WQ_UNBOUND can be removed and unbound will become the implicit default. Suggested-by: Tejun Heo Signed-off-by: Marco Crivellari Link: https://patch.msgid.link/20251107154008.304127-1-marco.crivellari@suse.com Signed-off-by: Martin K. Petersen commit f60b8957d8cc18c8913812e693593debc3829b77 Author: Marco Crivellari Date: Fri Nov 7 16:16:18 2025 +0100 scsi: qedi: Add WQ_PERCPU to alloc_workqueue() users Currently if a user enqueues a work item using schedule_delayed_work() the used wq is "system_wq" (per-cpu wq) while queue_delayed_work() use WORK_CPU_UNBOUND (used when a cpu is not specified). The same applies to schedule_work() that is using system_wq and queue_work(), that makes use again of WORK_CPU_UNBOUND. This lack of consistency cannot be addressed without refactoring the API. alloc_workqueue() treats all queues as per-CPU by default, while unbound workqueues must opt-in via WQ_UNBOUND. This default is suboptimal: most workloads benefit from unbound queues, allowing the scheduler to place worker threads where they’re needed and reducing noise when CPUs are isolated. This continues the effort to refactor workqueue APIs, which began with the introduction of new workqueues and a new alloc_workqueue flag in: commit 128ea9f6ccfb ("workqueue: Add system_percpu_wq and system_dfl_wq") commit 930c2ea566af ("workqueue: Add new WQ_PERCPU flag") This change adds a new WQ_PERCPU flag to explicitly request alloc_workqueue() to be per-cpu when WQ_UNBOUND has not been specified. With the introduction of the WQ_PERCPU flag (equivalent to !WQ_UNBOUND), any alloc_workqueue() caller that doesn’t explicitly specify WQ_UNBOUND must now use WQ_PERCPU. Once migration is complete, WQ_UNBOUND can be removed and unbound will become the implicit default. Suggested-by: Tejun Heo Signed-off-by: Marco Crivellari Link: https://patch.msgid.link/20251107151618.281250-1-marco.crivellari@suse.com Signed-off-by: Martin K. Petersen commit 42312d3acde57c37c9a688bef97c85618bd26cae Author: Marco Crivellari Date: Fri Nov 7 16:05:42 2025 +0100 scsi: target: ibmvscsi: Add WQ_PERCPU to alloc_workqueue() users Currently if a user enqueues a work item using schedule_delayed_work() the used wq is "system_wq" (per-cpu wq) while queue_delayed_work() use WORK_CPU_UNBOUND (used when a cpu is not specified). The same applies to schedule_work() that is using system_wq and queue_work(), that makes use again of WORK_CPU_UNBOUND. This lack of consistency cannot be addressed without refactoring the API. alloc_workqueue() treats all queues as per-CPU by default, while unbound workqueues must opt-in via WQ_UNBOUND. This default is suboptimal: most workloads benefit from unbound queues, allowing the scheduler to place worker threads where they’re needed and reducing noise when CPUs are isolated. This continues the effort to refactor workqueue APIs, which began with the introduction of new workqueues and a new alloc_workqueue flag in: commit 128ea9f6ccfb ("workqueue: Add system_percpu_wq and system_dfl_wq") commit 930c2ea566af ("workqueue: Add new WQ_PERCPU flag") This change adds a new WQ_PERCPU flag to explicitly request alloc_workqueue() to be per-cpu when WQ_UNBOUND has not been specified. With the introduction of the WQ_PERCPU flag (equivalent to !WQ_UNBOUND), any alloc_workqueue() caller that doesn’t explicitly specify WQ_UNBOUND must now use WQ_PERCPU. Once migration is complete, WQ_UNBOUND can be removed and unbound will become the implicit default. Suggested-by: Tejun Heo Signed-off-by: Marco Crivellari Link: https://patch.msgid.link/20251107150542.271229-1-marco.crivellari@suse.com Signed-off-by: Martin K. Petersen commit e036dadf78f8c1bcbb3a4e5933f553c24fe5c162 Author: Marco Crivellari Date: Fri Nov 7 16:01:55 2025 +0100 scsi: qedf: Add WQ_PERCPU to alloc_workqueue() users Currently if a user enqueues a work item using schedule_delayed_work() the used wq is "system_wq" (per-cpu wq) while queue_delayed_work() use WORK_CPU_UNBOUND (used when a cpu is not specified). The same applies to schedule_work() that is using system_wq and queue_work(), that makes use again of WORK_CPU_UNBOUND. This lack of consistency cannot be addressed without refactoring the API. alloc_workqueue() treats all queues as per-CPU by default, while unbound workqueues must opt-in via WQ_UNBOUND. This default is suboptimal: most workloads benefit from unbound queues, allowing the scheduler to place worker threads where they’re needed and reducing noise when CPUs are isolated. This continues the effort to refactor workqueue APIs, which began with the introduction of new workqueues and a new alloc_workqueue flag in: commit 128ea9f6ccfb ("workqueue: Add system_percpu_wq and system_dfl_wq") commit 930c2ea566af ("workqueue: Add new WQ_PERCPU flag") This change adds a new WQ_PERCPU flag to explicitly request alloc_workqueue() to be per-cpu when WQ_UNBOUND has not been specified. With the introduction of the WQ_PERCPU flag (equivalent to !WQ_UNBOUND), any alloc_workqueue() caller that doesn’t explicitly specify WQ_UNBOUND must now use WQ_PERCPU. Once migration is complete, WQ_UNBOUND can be removed and unbound will become the implicit default. Suggested-by: Tejun Heo Signed-off-by: Marco Crivellari Link: https://patch.msgid.link/20251107150155.267651-3-marco.crivellari@suse.com Signed-off-by: Martin K. Petersen commit a43a2e48d534ffc6361ef5a026fc71e5f03696b8 Author: Marco Crivellari Date: Fri Nov 7 16:01:54 2025 +0100 scsi: bnx2fc: Add WQ_PERCPU to alloc_workqueue() users Currently if a user enqueues a work item using schedule_delayed_work() the used wq is "system_wq" (per-cpu wq) while queue_delayed_work() use WORK_CPU_UNBOUND (used when a cpu is not specified). The same applies to schedule_work() that is using system_wq and queue_work(), that makes use again of WORK_CPU_UNBOUND. This lack of consistency cannot be addressed without refactoring the API. alloc_workqueue() treats all queues as per-CPU by default, while unbound workqueues must opt-in via WQ_UNBOUND. This default is suboptimal: most workloads benefit from unbound queues, allowing the scheduler to place worker threads where they’re needed and reducing noise when CPUs are isolated. This continues the effort to refactor workqueue APIs, which began with the introduction of new workqueues and a new alloc_workqueue flag in: commit 128ea9f6ccfb ("workqueue: Add system_percpu_wq and system_dfl_wq") commit 930c2ea566af ("workqueue: Add new WQ_PERCPU flag") This change adds a new WQ_PERCPU flag to explicitly request alloc_workqueue() to be per-cpu when WQ_UNBOUND has not been specified. With the introduction of the WQ_PERCPU flag (equivalent to !WQ_UNBOUND), any alloc_workqueue() caller that doesn’t explicitly specify WQ_UNBOUND must now use WQ_PERCPU. Once migration is complete, WQ_UNBOUND can be removed and unbound will become the implicit default. Suggested-by: Tejun Heo Signed-off-by: Marco Crivellari Link: https://patch.msgid.link/20251107150155.267651-2-marco.crivellari@suse.com Signed-off-by: Martin K. Petersen commit 6184ec8b633e507df39b2258f4627095a4dfd752 Author: Marco Crivellari Date: Fri Nov 7 15:49:49 2025 +0100 scsi: be2iscsi: Add WQ_PERCPU to alloc_workqueue() users Currently if a user enqueues a work item using schedule_delayed_work() the used wq is "system_wq" (per-cpu wq) while queue_delayed_work() use WORK_CPU_UNBOUND (used when a cpu is not specified). The same applies to schedule_work() that is using system_wq and queue_work(), that makes use again of WORK_CPU_UNBOUND. This lack of consistency cannot be addressed without refactoring the API. alloc_workqueue() treats all queues as per-CPU by default, while unbound workqueues must opt-in via WQ_UNBOUND. This default is suboptimal: most workloads benefit from unbound queues, allowing the scheduler to place worker threads where they’re needed and reducing noise when CPUs are isolated. This continues the effort to refactor workqueue APIs, which began with the introduction of new workqueues and a new alloc_workqueue flag in: commit 128ea9f6ccfb ("workqueue: Add system_percpu_wq and system_dfl_wq") commit 930c2ea566af ("workqueue: Add new WQ_PERCPU flag") This change adds a new WQ_PERCPU flag to explicitly request alloc_workqueue() to be per-cpu when WQ_UNBOUND has not been specified. With the introduction of the WQ_PERCPU flag (equivalent to !WQ_UNBOUND), any alloc_workqueue() caller that doesn’t explicitly specify WQ_UNBOUND must now use WQ_PERCPU. Once migration is complete, WQ_UNBOUND can be removed and unbound will become the implicit default. Suggested-by: Tejun Heo Signed-off-by: Marco Crivellari Link: https://patch.msgid.link/20251107144949.256894-1-marco.crivellari@suse.com Signed-off-by: Martin K. Petersen commit f0dc44177ac048e1b166661d520db4c833e6b40b Author: Marco Crivellari Date: Fri Nov 7 15:14:58 2025 +0100 scsi: message: fusion: Add WQ_PERCPU to alloc_workqueue() users Currently if a user enqueues a work item using schedule_delayed_work() the used wq is "system_wq" (per-cpu wq) while queue_delayed_work() use WORK_CPU_UNBOUND (used when a cpu is not specified). The same applies to schedule_work() that is using system_wq and queue_work(), that makes use again of WORK_CPU_UNBOUND. This lack of consistency cannot be addressed without refactoring the API. alloc_workqueue() treats all queues as per-CPU by default, while unbound workqueues must opt-in via WQ_UNBOUND. This default is suboptimal: most workloads benefit from unbound queues, allowing the scheduler to place worker threads where they’re needed and reducing noise when CPUs are isolated. This continues the effort to refactor workqueue APIs, which began with the introduction of new workqueues and a new alloc_workqueue flag in: commit 128ea9f6ccfb ("workqueue: Add system_percpu_wq and system_dfl_wq") commit 930c2ea566af ("workqueue: Add new WQ_PERCPU flag") This change adds a new WQ_PERCPU flag to explicitly request alloc_workqueue() to be per-cpu when WQ_UNBOUND has not been specified. With the introduction of the WQ_PERCPU flag (equivalent to !WQ_UNBOUND), any alloc_workqueue() caller that doesn’t explicitly specify WQ_UNBOUND must now use WQ_PERCPU. Once migration is complete, WQ_UNBOUND can be removed and unbound will become the implicit default. Suggested-by: Tejun Heo Signed-off-by: Marco Crivellari Link: https://patch.msgid.link/20251107141458.225119-1-marco.crivellari@suse.com Signed-off-by: Martin K. Petersen commit 84150ef06f897cc2c03456edb5ad5c2a03faf9f1 Author: Marco Crivellari Date: Tue Nov 4 12:08:08 2025 +0100 scsi: lpfc: WQ_PERCPU added to alloc_workqueue() users Currently if a user enqueue a work item using schedule_delayed_work() the used wq is "system_wq" (per-cpu wq) while queue_delayed_work() use WORK_CPU_UNBOUND (used when a cpu is not specified). The same applies to schedule_work() that is using system_wq and queue_work(), that makes use again of WORK_CPU_UNBOUND. This lack of consistentcy cannot be addressed without refactoring the API. alloc_workqueue() treats all queues as per-CPU by default, while unbound workqueues must opt-in via WQ_UNBOUND. This default is suboptimal: most workloads benefit from unbound queues, allowing the scheduler to place worker threads where they’re needed and reducing noise when CPUs are isolated. This change adds a new WQ_PERCPU flag to explicitly request alloc_workqueue() to be per-cpu when WQ_UNBOUND has not been specified. This patch continues the effort to refactor worqueue APIs, which has begun with the change introducing new workqueues and a new alloc_workqueue flag: commit 128ea9f6ccfb ("workqueue: Add system_percpu_wq and system_dfl_wq") commit 930c2ea566af ("workqueue: Add new WQ_PERCPU flag") With the introduction of the WQ_PERCPU flag (equivalent to !WQ_UNBOUND), any alloc_workqueue() caller that doesn’t explicitly specify WQ_UNBOUND must now use WQ_PERCPU. Once migration is complete, WQ_UNBOUND can be removed and unbound will become the implicit default. Suggested-by: Tejun Heo Signed-off-by: Marco Crivellari Reviewed-by: Justin Tee Link: https://patch.msgid.link/20251104110808.123424-1-marco.crivellari@suse.com Signed-off-by: Martin K. Petersen commit f76e4e1e836df41f602fa4c85f64f09e2a99266e Author: Marco Crivellari Date: Fri Oct 31 10:56:43 2025 +0100 scsi: scsi_transport_fc: WQ_PERCPU added to alloc_workqueue users() Currently if a user enqueue a work item using schedule_delayed_work() the used wq is "system_wq" (per-cpu wq) while queue_delayed_work() use WORK_CPU_UNBOUND (used when a cpu is not specified). The same applies to schedule_work() that is using system_wq and queue_work(), that makes use again of WORK_CPU_UNBOUND. This lack of consistentcy cannot be addressed without refactoring the API. alloc_workqueue() treats all queues as per-CPU by default, while unbound workqueues must opt-in via WQ_UNBOUND. This default is suboptimal: most workloads benefit from unbound queues, allowing the scheduler to place worker threads where they’re needed and reducing noise when CPUs are isolated. This change adds a new WQ_PERCPU flag to explicitly request alloc_workqueue() to be per-cpu when WQ_UNBOUND has not been specified. With the introduction of the WQ_PERCPU flag (equivalent to !WQ_UNBOUND), any alloc_workqueue() caller that doesn’t explicitly specify WQ_UNBOUND must now use WQ_PERCPU. Once migration is complete, WQ_UNBOUND can be removed and unbound will become the implicit default. Suggested-by: Tejun Heo Signed-off-by: Marco Crivellari Reviewed-by: Justin Tee Link: https://patch.msgid.link/20251031095643.74246-5-marco.crivellari@suse.com Signed-off-by: Martin K. Petersen commit afad6b34defed8ca19f8593b692024e8e296287f Author: Marco Crivellari Date: Fri Oct 31 10:56:42 2025 +0100 scsi: scsi_dh_alua: WQ_PERCPU added to alloc_workqueue() users Currently if a user enqueue a work item using schedule_delayed_work() the used wq is "system_wq" (per-cpu wq) while queue_delayed_work() use WORK_CPU_UNBOUND (used when a cpu is not specified). The same applies to schedule_work() that is using system_wq and queue_work(), that makes use again of WORK_CPU_UNBOUND. This lack of consistentcy cannot be addressed without refactoring the API. alloc_workqueue() treats all queues as per-CPU by default, while unbound workqueues must opt-in via WQ_UNBOUND. This default is suboptimal: most workloads benefit from unbound queues, allowing the scheduler to place worker threads where they’re needed and reducing noise when CPUs are isolated. This change adds a new WQ_PERCPU flag to explicitly request alloc_workqueue() to be per-cpu when WQ_UNBOUND has not been specified. With the introduction of the WQ_PERCPU flag (equivalent to !WQ_UNBOUND), any alloc_workqueue() caller that doesn’t explicitly specify WQ_UNBOUND must now use WQ_PERCPU. Once migration is complete, WQ_UNBOUND can be removed and unbound will become the implicit default. Suggested-by: Tejun Heo Signed-off-by: Marco Crivellari Link: https://patch.msgid.link/20251031095643.74246-4-marco.crivellari@suse.com Signed-off-by: Martin K. Petersen commit 5ca003bb438197791f6394d5c05e5abf403ada24 Author: Marco Crivellari Date: Fri Oct 31 10:56:41 2025 +0100 scsi: qla2xxx: WQ_PERCPU added to alloc_workqueue() users Currently if a user enqueue a work item using schedule_delayed_work() the used wq is "system_wq" (per-cpu wq) while queue_delayed_work() use WORK_CPU_UNBOUND (used when a cpu is not specified). The same applies to schedule_work() that is using system_wq and queue_work(), that makes use again of WORK_CPU_UNBOUND. This lack of consistentcy cannot be addressed without refactoring the API. alloc_workqueue() treats all queues as per-CPU by default, while unbound workqueues must opt-in via WQ_UNBOUND. This default is suboptimal: most workloads benefit from unbound queues, allowing the scheduler to place worker threads where they’re needed and reducing noise when CPUs are isolated. This change adds a new WQ_PERCPU flag to explicitly request alloc_workqueue() to be per-cpu when WQ_UNBOUND has not been specified. With the introduction of the WQ_PERCPU flag (equivalent to !WQ_UNBOUND), any alloc_workqueue() caller that doesn’t explicitly specify WQ_UNBOUND must now use WQ_PERCPU. Once migration is complete, WQ_UNBOUND can be removed and unbound will become the implicit default. Suggested-by: Tejun Heo Signed-off-by: Marco Crivellari Link: https://patch.msgid.link/20251031095643.74246-3-marco.crivellari@suse.com Signed-off-by: Martin K. Petersen commit 0ba2fc767af711de1d830a61c8473168dcb31a8a Author: Marco Crivellari Date: Tue Nov 4 11:45:18 2025 +0100 scsi: target: sbp: Replace use of system_unbound_wq with system_dfl_wq Currently if a user enqueue a work item using schedule_delayed_work() the used wq is "system_wq" (per-cpu wq) while queue_delayed_work() use WORK_CPU_UNBOUND (used when a cpu is not specified). The same applies to schedule_work() that is using system_wq and queue_work(), that makes use again of WORK_CPU_UNBOUND. This lack of consistentcy cannot be addressed without refactoring the API. This patch continues the effort to refactor worqueue APIs, which has begun with the change introducing new workqueues and a new alloc_workqueue flag: commit 128ea9f6ccfb ("workqueue: Add system_percpu_wq and system_dfl_wq") commit 930c2ea566af ("workqueue: Add new WQ_PERCPU flag") system_dfl_wq should be the default workqueue so as not to enforce locality constraints for random work whenever it's not required. The old system_unbound_wq will be kept for a few release cycles. Suggested-by: Tejun Heo Signed-off-by: Marco Crivellari Link: https://patch.msgid.link/20251104104518.102130-1-marco.crivellari@suse.com Signed-off-by: Martin K. Petersen commit cd87aa2e507abb02560043c8e0e5bb9967ae7d72 Author: Marco Crivellari Date: Fri Oct 31 10:56:40 2025 +0100 scsi: scsi_transport_iscsi: Replace use of system_unbound_wq with system_dfl_wq Currently if a user enqueue a work item using schedule_delayed_work() the used wq is "system_wq" (per-cpu wq) while queue_delayed_work() use WORK_CPU_UNBOUND (used when a cpu is not specified). The same applies to schedule_work() that is using system_wq and queue_work(), that makes use again of WORK_CPU_UNBOUND. This lack of consistency cannot be addressed without refactoring the API. system_unbound_wq should be the default workqueue so as not to enforce locality constraints for random work whenever it's not required. Adding system_dfl_wq to encourage its use when unbound work should be used. The old system_unbound_wq will be kept for a few release cycles. Suggested-by: Tejun Heo Signed-off-by: Marco Crivellari Link: https://patch.msgid.link/20251031095643.74246-2-marco.crivellari@suse.com Signed-off-by: Martin K. Petersen commit 49783aca15fb73adb08e8ca5edc4dfb0a32540b9 Author: Marco Crivellari Date: Fri Oct 31 10:56:40 2025 +0100 scsi: qla2xxx: Replace use of system_unbound_wq with system_dfl_wq Currently if a user enqueue a work item using schedule_delayed_work() the used wq is "system_wq" (per-cpu wq) while queue_delayed_work() use WORK_CPU_UNBOUND (used when a cpu is not specified). The same applies to schedule_work() that is using system_wq and queue_work(), that makes use again of WORK_CPU_UNBOUND. This lack of consistency cannot be addressed without refactoring the API. system_unbound_wq should be the default workqueue so as not to enforce locality constraints for random work whenever it's not required. Adding system_dfl_wq to encourage its use when unbound work should be used. The old system_unbound_wq will be kept for a few release cycles. Suggested-by: Tejun Heo Signed-off-by: Marco Crivellari Link: https://patch.msgid.link/20251031095643.74246-2-marco.crivellari@suse.com Signed-off-by: Martin K. Petersen commit 3813d28b2b12dea8f44a6828b9c30b38208d3fc5 Author: Ally Heev Date: Wed Nov 5 19:44:43 2025 +0530 scsi: scsi_debug: Fix uninitialized pointers with __free attr Uninitialized pointers with '__free' attribute can cause undefined behaviour as the memory assigned(randomly) to the pointer is freed automatically when the pointer goes out of scope scsi doesn't have any bugs related to this as of now, but it is better to initialize and assign pointers with '__free' attr in one statement to ensure proper scope-based cleanup Reported-by: Dan Carpenter Closes: https://lore.kernel.org/all/aPiG_F5EBQUjZqsl@stanley.mountain/ Signed-off-by: Ally Heev Link: https://patch.msgid.link/20251105-aheev-uninitialized-free-attr-scsi-v1-1-d28435a0a7ea@gmail.com Signed-off-by: Martin K. Petersen commit 18987143d4b1945a1bfcb3963ae1961ca29b27dd Author: Bart Van Assche Date: Tue Nov 11 10:47:59 2025 -0800 scsi: ufs: core: Remove an unnecessary NULL pointer check The !payload check tests the address of a member of a data structure. We know that the start address of this data structure (job) is not NULL since the 'job' pointer has already been dereferenced. Hence, the !payload check is superfluous. Remove this test. This was reported by the CodeSonar static analyzer. Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251111184802.125111-1-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 1028258914f608023279725d1756abf5b974e6d6 Author: Nuno Sá Date: Tue Nov 11 17:50:17 2025 +0000 scsi: pm: Drop unneeded call to pm_runtime_mark_last_busy() There's no need to explicitly call pm_runtime_mark_last_busy() since pm_runtime_autosuspend() is now doing it since commit 08071e64cb64 ("PM: runtime: Mark last busy stamp in pm_runtime_autosuspend()") Signed-off-by: Nuno Sá Link: https://patch.msgid.link/20251111-scsi-pm-improv-v2-1-626b8491f4b4@analog.com Signed-off-by: Martin K. Petersen commit acd194d9b5bac419e04968ffa44351afabb50bac Author: Haotian Zhang Date: Wed Oct 29 11:25:55 2025 +0800 scsi: sim710: Fix resource leak by adding missing ioport_unmap() calls The driver calls ioport_map() to map I/O ports in sim710_probe_common() but never calls ioport_unmap() to release the mapping. This causes resource leaks in both the error path when request_irq() fails and in the normal device removal path via sim710_device_remove(). Add ioport_unmap() calls in the out_release error path and in sim710_device_remove(). Fixes: 56fece20086e ("[PATCH] finally fix 53c700 to use the generic iomem infrastructure") Signed-off-by: Haotian Zhang Link: https://patch.msgid.link/20251029032555.1476-1-vulab@iscas.ac.cn Signed-off-by: Martin K. Petersen commit f6ab594672d4cba08540919a4e6be2e202b60007 Author: Junrui Luo Date: Wed Oct 29 00:29:04 2025 +0800 scsi: aic94xx: fix use-after-free in device removal path The asd_pci_remove() function fails to synchronize with pending tasklets before freeing the asd_ha structure, leading to a potential use-after-free vulnerability. When a device removal is triggered (via hot-unplug or module unload), race condition can occur. The fix adds tasklet_kill() before freeing the asd_ha structure, ensuring all scheduled tasklets complete before cleanup proceeds. Reported-by: Yuhao Jiang Reported-by: Junrui Luo Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver") Cc: stable@vger.kernel.org Signed-off-by: Junrui Luo Link: https://patch.msgid.link/ME2PR01MB3156AB7DCACA206C845FC7E8AFFDA@ME2PR01MB3156.ausprd01.prod.outlook.com Signed-off-by: Martin K. Petersen commit 4f5eb50f7c8206b0b08dba8e01cf83812ddaaeb2 Author: Tony Battersby Date: Mon Nov 10 11:05:53 2025 -0500 scsi: qla2xxx: target: Improve safety of cmd lookup by handle The driver associates two different structs with numeric handles and passes the handles to the hardware. When the hardware passes the handle back to the driver, the driver consults a table of void * to convert the handle back to the struct without checking the type of struct. This can lead to type confusion if the HBA firmware misbehaves (and some firmware versions do). So verify the type of struct is what is expected before using it. But we can also do better than that. Also verify that the exchange address of the message sent from the hardware matches the exchange address of the command being returned. This adds an extra guard against buggy HBA firmware that returns duplicate messages multiple times (which has also been seen) in case the driver has reused the handle for a different command of the same type. These problems were seen on a QLE2694L with firmware 9.08.02 when testing SLER / SRR support. The SRR caused the HBA to flood the response queue with hundreds of bogus entries. Signed-off-by: Tony Battersby Link: https://patch.msgid.link/7c7cb574-fe62-42ae-b800-d136d8dd89ca@cybernetics.com Signed-off-by: Martin K. Petersen commit c7bd85a7b9c5abcf2b69b32ac8c67f0d683b5113 Author: Tony Battersby Date: Mon Nov 10 11:04:42 2025 -0500 scsi: qla2xxx: target: Add back SRR support Background: loading qla2xxx with "ql2xtgt_tape_enable=1" enables Sequence Level Error Recovery (SLER), which is most commonly used for tape drives. With SLER enabled, if there is a recoverable I/O error during a SCSI command, a Sequence Retransmission Request (SRR) will be used to retry the I/O at a low-level completely within the driver without propagating the error to the upper levels of the SCSI stack. SRR support was removed in 2017 by commit 2c39b5ca2a8c ("qla2xxx: Remove SRR code"). Add it back, new and improved. The old removed SRR code used sequence numbers to correlate the SRR CTIOs with SRR immediate notify messages. I don't see how that would work reliably with MSI-X interrupts and multiple queues. So instead use the exchange address to find the command associated with the immediate notify (qlt_srr_to_cmd). The old removed SRR code had a function qlt_check_srr_debug() to simulate a SRR, but it didn't work for me. Instead I just used fiber optic attenuators attached to the FC cable to reduce the strength of the signal and induce errors. Unfortunately this only worked for inducing SRRs on Data-Out (write) commands, so that is all I was able to test. The code to build a new scatterlist for a SRR with nonzero offset has been improved to reduce memory requirements and has been well-tested. However it does not support protection information. When a single cmd gets multiple SRRs, the old removed SRR code would restore the data buffer from the values in cmd->se_cmd before processing the new SRR. That might be needed if the offset for the new SRR was lower than the offset for the previous SRR, but I am not sure if that can happen. In my testing, when a single cmd gets multiple SRRs, the SRR offset always increases or stays the same. But in case it can decrease, I added the function qlt_restore_orig_sg(). If this is not supposed to happen then qlt_restore_orig_sg() can be removed to simplify the code. I ran into some HBA firmware bugs with QLE269x, QLE27xx, and QLE28xx firmware 9.05.xx - 9.08.xx where a SRR would cause the HBA to misbehave badly. Since SRRs are rare and therefore difficult to test, I figured it would be worth checking for the buggy firmware and disabling SLER with a warning instead of letting others run into the same problem on the rare occasion that they get a SRR. This turned out to be difficult because the firmware version isn't known in the normal NVRAM config routine, so I added a second NVRAM config routine that is called after the firmware version is known. Signed-off-by: Tony Battersby Link: https://patch.msgid.link/654b7181-b79e-40ed-a15b-6d6e441a5d5f@cybernetics.com Signed-off-by: Martin K. Petersen commit 04957d8c9852d8772321c4594242162d87f668aa Author: Tony Battersby Date: Mon Nov 10 11:03:25 2025 -0500 scsi: qla2xxx: target: Improve cmd logging - Add the command tag to various messages so that different messages about the same command can be correlated. - For CTIO errors (i.e. when the HW reports an error about a cmd), print the cmd tag, opcode, state, initiator WWPN, and LUN. This info helps an administrator determine what is going wrong. - When a command experiences a transport error, log a message when it is freed. This makes debugging exceptions easier. Signed-off-by: Tony Battersby Link: https://patch.msgid.link/c579987d-5658-41ae-9653-f0e58c9d1880@cybernetics.com Signed-off-by: Martin K. Petersen commit f4199d5812561466a26fadba8ad044e346e58b3c Author: Tony Battersby Date: Mon Nov 10 11:02:13 2025 -0500 scsi: qla2xxx: target: Add cmd->rsp_sent Add cmd->rsp_sent to indicate that the SCSI status has been sent successfully, so that SCST can be informed of any transport errors. This will also be used for logging in later patches. Signed-off-by: Tony Battersby Link: https://patch.msgid.link/d4b0203f-7817-4517-9789-5866bb24fad7@cybernetics.com Signed-off-by: Martin K. Petersen commit 091719c21d5aa0d461496de3e120cd864c5750a0 Author: Tony Battersby Date: Mon Nov 10 11:01:00 2025 -0500 scsi: qla2xxx: target: Fix invalid memory access with big CDBs struct atio7_fcp_cmnd is a variable-length data structure because of add_cdb_len, but it is embedded in struct atio_from_isp and copied around like a fixed-length data structure. For big CDBs > 16 bytes, get_datalen_for_atio() called on a fixed-length copy of the atio will access invalid memory. In some cases this can be fixed by moving the atio to the end of the data structure and using a variable-length allocation. In other cases such as allocating struct qla_tgt_cmd, the fixed-length data structures are preallocated for speed, so in the case that add_cdb_len != 0, allocate a separate buffer for the CDB. Also add memcpy_atio() as a safeguard against invalid memory accesses. Signed-off-by: Tony Battersby Link: https://patch.msgid.link/306a9d0b-3c89-42fc-a69c-eebca8171347@cybernetics.com Signed-off-by: Martin K. Petersen commit 3d56983cc6f03aef05ab30f8cd16039c1db3c5e0 Author: Tony Battersby Date: Mon Nov 10 10:59:35 2025 -0500 scsi: qla2xxx: Fix TMR failure handling (target mode) If handle_tmr() fails: - The code for QLA_TGT_ABTS results in memory-use-after-free and double-free: qlt_do_tmr_work() qlt_build_abts_resp_iocb() qpair->req->outstanding_cmds[h] = (srb_t *)mcmd; mempool_free(mcmd, qla_tgt_mgmt_cmd_mempool); FIRST FREE qlt_handle_abts_completion() mcmd = qlt_ctio_to_cmd() cmd = req->outstanding_cmds[h]; return cmd; vha = mcmd->vha; USE-AFTER-FREE ha->tgt.tgt_ops->free_mcmd(mcmd); SECOND FREE - qlt_send_busy() makes no sense because it sends a SCSI command response instead of a TMR response. Instead just call qlt_xmit_tm_rsp() to send a TMR failed response, since that code is well-tested and handles a number of corner cases. But it would be incorrect to call ha->tgt.tgt_ops->free_mcmd() after handle_tmr() failed, so add a flag to mcmd indicating the proper way to free the mcmd so that qlt_xmit_tm_rsp() can be used for both cases. Signed-off-by: Tony Battersby Link: https://patch.msgid.link/09a1ff3d-6738-4953-a31b-10e89c540462@cybernetics.com Signed-off-by: Martin K. Petersen commit 5c50d84798eb2d05fa86f923ec869934d04e6f31 Author: Tony Battersby Date: Mon Nov 10 10:58:12 2025 -0500 scsi: qla2xxx: target: Improve checks in qlt_xmit_response() / qlt_rdy_to_xfer() Similar fixes to both functions: qlt_xmit_response: - If the cmd cannot be processed, remember to call ->free_cmd() to prevent the target-mode midlevel from seeing a cmd lockup. - Do not try to send the response if the exchange has been terminated. - Check for chip reset once after lock instead of both before and after lock. - Give errors from qlt_pre_xmit_response() a lower priority to compensate for removing the first check for chip reset. qlt_rdy_to_xfer: - Check for chip reset after lock instead of before lock to avoid races. - Do not try to receive data if the exchange has been terminated. - Give errors from qlt_pci_map_calc_cnt() a lower priority to compensate for moving the check for chip reset. Signed-off-by: Tony Battersby Link: https://patch.msgid.link/cd6ccd31-33fa-4454-be36-507bf578a546@cybernetics.com Signed-off-by: Martin K. Petersen commit 17488f1390749af61152ca4012b754ac3edcb42b Author: Tony Battersby Date: Mon Nov 10 10:57:00 2025 -0500 scsi: qla2xxx: target: Fix races with aborting commands cmd->cmd_lock only protects cmd->aborted, but when deciding how to process a cmd, it is necessary to consider other factors such as cmd->state and if the chip has been reset, which are protected by qpair->qp_lock_ptr. So replace cmd_lock with qp_lock_ptr, whick makes it possible to check additional values and make decisions about what to do without racing with the CTIO handler and other code. - Lock cmd->qpair->qp_lock_ptr when aborting a cmd. - Eliminate cmd->cmd_lock and change cmd->aborted to a bitfield since it is now protected by qp_lock_ptr just like all the other flags. - Add another command state QLA_TGT_STATE_DONE to avoid any possible races between qlt_abort_cmd() and tgt_ops->free_cmd(). - Add the cmd->sent_term_exchg flag to indicate if qlt_send_term_exchange() has already been called. - Export qlt_send_term_exchange() for SCST so that it can be called directly instead of trying to make qlt_abort_cmd() work for both TMR abort and HW timeout. Signed-off-by: Tony Battersby Link: https://patch.msgid.link/2c8d03e4-308b-4d5a-a418-a334be23f815@cybernetics.com Signed-off-by: Martin K. Petersen commit d46c69a087aa3d1513f7a78f871b80251ea0c1ae Author: Tony Battersby Date: Mon Nov 10 11:07:37 2025 -0500 scsi: qla2xxx: Clear cmds after chip reset Commit aefed3e5548f ("scsi: qla2xxx: target: Fix offline port handling and host reset handling") caused two problems: 1. Commands sent to FW, after chip reset got stuck and never freed as FW is not going to respond to them anymore. 2. BUG_ON(cmd->sg_mapped) in qlt_free_cmd(). Commit 26f9ce53817a ("scsi: qla2xxx: Fix missed DMA unmap for aborted commands") attempted to fix this, but introduced another bug under different circumstances when two different CPUs were racing to call qlt_unmap_sg() at the same time: BUG_ON(!valid_dma_direction(dir)) in dma_unmap_sg_attrs(). So revert "scsi: qla2xxx: Fix missed DMA unmap for aborted commands" and partially revert "scsi: qla2xxx: target: Fix offline port handling and host reset handling" at __qla2x00_abort_all_cmds. Fixes: aefed3e5548f ("scsi: qla2xxx: target: Fix offline port handling and host reset handling") Fixes: 26f9ce53817a ("scsi: qla2xxx: Fix missed DMA unmap for aborted commands") Co-developed-by: Dmitry Bogdanov Signed-off-by: Dmitry Bogdanov Signed-off-by: Tony Battersby Link: https://patch.msgid.link/0e7e5d26-e7a0-42d1-8235-40eeb27f3e98@cybernetics.com Signed-off-by: Martin K. Petersen commit ed382b95f5de9b98668b3d00c7adddfdd4fc5c31 Author: Tony Battersby Date: Mon Nov 10 10:55:22 2025 -0500 scsi: qla2xxx: target: Fix term exchange when cmd_sent_to_fw == 1 Properly set the nport_handle field of the terminate exchange message. Previously when this field was not set properly, the term exchange would fail when cmd_sent_to_fw == 1 but work when cmd_sent_to_fw == 0 (i.e. it would fail when the HW was actively transferring data or status for the cmd but work when the HW was idle). With this change, term exchange works in any cmd state, which now makes it possible to abort a command that is locked up in the HW. Signed-off-by: Tony Battersby Link: https://patch.msgid.link/1a221699-969b-4f28-8ea4-395d2f7a7c0a@cybernetics.com Signed-off-by: Martin K. Petersen commit c34e373f535e74d3caf1c0d81b6819deb52d37ed Author: Tony Battersby Date: Mon Nov 10 10:54:07 2025 -0500 scsi: qla2xxx: target: Improve debug output for term exchange Print better debug info when terminating a command, and print the response status from the hardware. Signed-off-by: Tony Battersby Link: https://patch.msgid.link/22f8a0b6-0e24-474d-9f28-9d65c9b7af03@cybernetics.com Signed-off-by: Martin K. Petersen commit 9da4e1dcea465acfa9a33586019e686f2b5ad379 Author: Tony Battersby Date: Mon Nov 10 10:52:49 2025 -0500 scsi: qla2xxx: target: Remove code for unsupported hardware As far as I can tell, CONTINUE_TGT_IO_TYPE and CTIO_A64_TYPE are message types from non-FWI2 boards (older than ISP24xx), which are not supported by qla_target.c. Removing them makes it possible to turn a void * into the real type and avoid some typecasts. Signed-off-by: Tony Battersby Link: https://patch.msgid.link/cb006628-e321-4e30-a60b-08b37b8685a5@cybernetics.com Signed-off-by: Martin K. Petersen commit 957aa5974989fba4ae4f807ebcb27f12796edd4d Author: Tony Battersby Date: Mon Nov 10 10:51:28 2025 -0500 scsi: qla2xxx: Use reinit_completion on mbx_intr_comp If a mailbox command completes immediately after wait_for_completion_timeout() times out, ha->mbx_intr_comp could be left in an inconsistent state, causing the next mailbox command not to wait for the hardware. Fix by reinitializing the completion before use. Signed-off-by: Tony Battersby Link: https://patch.msgid.link/11b6485e-0bfd-4784-8f99-c06a196dad94@cybernetics.com Signed-off-by: Martin K. Petersen commit 4f6aaade2a22ac428fa99ed716cf2b87e79c9837 Author: Tony Battersby Date: Mon Nov 10 10:50:05 2025 -0500 scsi: qla2xxx: Fix lost interrupts with qlini_mode=disabled When qla2xxx is loaded with qlini_mode=disabled, ha->flags.disable_msix_handshake is used before it is set, resulting in the wrong interrupt handler being used on certain HBAs (qla2xxx_msix_rsp_q_hs() is used when qla2xxx_msix_rsp_q() should be used). The only difference between these two interrupt handlers is that the _hs() version writes to a register to clear the "RISC" interrupt, whereas the other version does not. So this bug results in the RISC interrupt being cleared when it should not be. This occasionally causes a different interrupt handler qla24xx_msix_default() for a different vector to see ((stat & HSRX_RISC_INT) == 0) and ignore its interrupt, which then causes problems like: qla2xxx [0000:02:00.0]-d04c:6: MBX Command timeout for cmd 20, iocontrol=8 jiffies=1090c0300 mb[0-3]=[0x4000 0x0 0x40 0xda] mb7 0x500 host_status 0x40000010 hccr 0x3f00 qla2xxx [0000:02:00.0]-101e:6: Mailbox cmd timeout occurred, cmd=0x20, mb[0]=0x20. Scheduling ISP abort (the cmd varies; sometimes it is 0x20, 0x22, 0x54, 0x5a, 0x5d, or 0x6a) This problem can be reproduced with a 16 or 32 Gbps HBA by loading qla2xxx with qlini_mode=disabled and running a high IOPS test while triggering frequent RSCN database change events. While analyzing the problem I discovered that even with disable_msix_handshake forced to 0, it is not necessary to clear the RISC interrupt from qla2xxx_msix_rsp_q_hs() (more below). So just completely remove qla2xxx_msix_rsp_q_hs() and the logic for selecting it, which also fixes the bug with qlini_mode=disabled. The test below describes the justification for not needing qla2xxx_msix_rsp_q_hs(): Force disable_msix_handshake to 0: qla24xx_config_rings(): if (0 && (ha->fw_attributes & BIT_6) && (IS_MSIX_NACK_CAPABLE(ha)) && (ha->flags.msix_enabled)) { In qla24xx_msix_rsp_q() and qla2xxx_msix_rsp_q_hs(), check: (rd_reg_dword(®->host_status) & HSRX_RISC_INT) Count the number of calls to each function with HSRX_RISC_INT set and the number with HSRX_RISC_INT not set while performing some I/O. If qla2xxx_msix_rsp_q_hs() clears the RISC interrupt (original code): qla24xx_msix_rsp_q: 50% of calls have HSRX_RISC_INT set qla2xxx_msix_rsp_q_hs: 5% of calls have HSRX_RISC_INT set (# of qla2xxx_msix_rsp_q_hs interrupts) = (# of qla24xx_msix_rsp_q interrupts) * 3 If qla2xxx_msix_rsp_q_hs() does not clear the RISC interrupt (patched code): qla24xx_msix_rsp_q: 100% of calls have HSRX_RISC_INT set qla2xxx_msix_rsp_q_hs: 9% of calls have HSRX_RISC_INT set (# of qla2xxx_msix_rsp_q_hs interrupts) = (# of qla24xx_msix_rsp_q interrupts) * 3 In the case of the original code, qla24xx_msix_rsp_q() was seeing HSRX_RISC_INT set only 50% of the time because qla2xxx_msix_rsp_q_hs() was clearing it when it shouldn't have been. In the patched code, qla24xx_msix_rsp_q() sees HSRX_RISC_INT set 100% of the time, which makes sense if that interrupt handler needs to clear the RISC interrupt (which it does). qla2xxx_msix_rsp_q_hs() sees HSRX_RISC_INT only 9% of the time, which is just overlap from the other interrupt during the high IOPS test. Tested with SCST on: QLE2742 FW:v9.08.02 (32 Gbps 2-port) QLE2694L FW:v9.10.11 (16 Gbps 4-port) QLE2694L FW:v9.08.02 (16 Gbps 4-port) QLE2672 FW:v8.07.12 (16 Gbps 2-port) both initiator and target mode Signed-off-by: Tony Battersby Link: https://patch.msgid.link/56d378eb-14ad-49c7-bae9-c649b6c7691e@cybernetics.com Signed-off-by: Martin K. Petersen commit 8f58fc64d559b5fda1b0a5e2a71422be61e79ab9 Author: Tony Battersby Date: Mon Nov 10 10:48:45 2025 -0500 scsi: qla2xxx: Fix initiator mode with qlini_mode=exclusive When given the module parameter qlini_mode=exclusive, qla2xxx in initiator mode is initially unable to successfully send SCSI commands to devices it finds while scanning, resulting in an escalating series of resets until an adapter reset clears the issue. Fix by checking the active mode instead of the module parameter. Signed-off-by: Tony Battersby Link: https://patch.msgid.link/1715ec14-ba9a-45dc-9cf2-d41aa6b81b5e@cybernetics.com Signed-off-by: Martin K. Petersen commit b57fbc88715b6d18f379463f48a15b560b087ffe Author: Tony Battersby Date: Mon Nov 10 10:47:35 2025 -0500 scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path" This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9. The commit being reverted added code to __qla2x00_abort_all_cmds() to call sp->done() without holding a spinlock. But unlike the older code below it, this new code failed to check sp->cmd_type and just assumed TYPE_SRB, which results in a jump to an invalid pointer in target-mode with TYPE_TGT_CMD: qla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success 0000000009f7a79b qla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h. qla2xxx [0000:65:00.0]-d01e:8: -> fwdump no buffer qla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event 0x8002 occurred qla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery - ha=0000000058183fda. BUG: kernel NULL pointer dereference, address: 0000000000000000 PF: supervisor instruction fetch in kernel mode PF: error_code(0x0010) - not-present page PGD 0 P4D 0 Oops: 0010 [#1] SMP CPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G O 6.1.133 #1 Hardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023 RIP: 0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206 RAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000 RDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0 RBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045 R10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40 R13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400 FS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? __die+0x4d/0x8b ? page_fault_oops+0x91/0x180 ? trace_buffer_unlock_commit_regs+0x38/0x1a0 ? exc_page_fault+0x391/0x5e0 ? asm_exc_page_fault+0x22/0x30 __qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst] qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst] qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst] qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst] qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst] kthread+0xa8/0xd0 Then commit 4475afa2646d ("scsi: qla2xxx: Complete command early within lock") added the spinlock back, because not having the lock caused a race and a crash. But qla2x00_abort_srb() in the switch below already checks for qla2x00_chip_is_down() and handles it the same way, so the code above the switch is now redundant and still buggy in target-mode. Remove it. Cc: stable@vger.kernel.org Signed-off-by: Tony Battersby Link: https://patch.msgid.link/3a8022dc-bcfd-4b01-9f9b-7a9ec61fa2a3@cybernetics.com Signed-off-by: Martin K. Petersen commit 08b12cda6c44dc015bcc152613c35ee0ae8f37b9 Author: Bart Van Assche Date: Fri Oct 31 13:39:36 2025 -0700 scsi: ufs: core: Switch to scsi_get_internal_cmd() Instead of storing the tag of the reserved command in hba->reserved_slot, use scsi_get_internal_cmd() and scsi_put_internal_cmd() to allocate the tag for the reserved command dynamically. Add ufshcd_queue_reserved_command() for submitting reserved commands. Add support in ufshcd_abort() for device management commands. Use blk_execute_rq() for submitting reserved commands. Remove the code and data structures that became superfluous. This includes ufshcd_wait_for_dev_cmd(), hba->reserved_slot and ufs_dev_cmd.complete. Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251031204029.2883185-29-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit a11c015c8a4fff99cf91a5cbc9789cc7a72b3ccf Author: Bart Van Assche Date: Fri Oct 31 13:39:35 2025 -0700 scsi: ufs: core: Move code out of ufshcd_wait_for_dev_cmd() The ufshcd_dev_cmd_completion() call is useful for some but not for all ufshcd_wait_for_dev_cmd() callers. Hence, remove the ufshcd_dev_cmd_completion() call from ufshcd_wait_for_dev_cmd() and move it past the ufshcd_issue_dev_cmd() calls where appropriate. This makes it easier to detect timeout errors for UPIU frames submitted through the BSG interface. Reviewed-by: Avri Altman Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251031204029.2883185-28-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 4b6c0d9cca359d1d2f666e14c42482befe5c4829 Author: Bart Van Assche Date: Fri Oct 31 13:39:34 2025 -0700 scsi: ufs: core: Make blk_mq_tagset_busy_iter() skip reserved requests A later patch will convert hba->reserved_slot into a reserved tag. Make blk_mq_tagset_busy_iter() skip reserved requests such that device management commands are skipped. Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251031204029.2883185-27-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 9a2c9500921d5ebbe96f7531adc73d9205c76485 Author: Bart Van Assche Date: Fri Oct 31 13:39:33 2025 -0700 scsi: ufs: core: Remove the ufshcd_lrb task_tag member Remove the ufshcd_lrb task_tag member and use scsi_cmd_to_rq(cmd)->tag instead. Use rq->tag instead of lrbp->task_tag. This patch reduces the size of struct ufshcd_lrb. Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251031204029.2883185-26-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 176b93004c3475cfc0c939a4aeec846f6bf2b9a0 Author: Bart Van Assche Date: Fri Oct 31 13:39:32 2025 -0700 scsi: ufs: core: Pass a SCSI pointer instead of an LRB pointer Pass a pointer to a SCSI command between functions instead of an LRB pointer. This change prepares for removing the ufshcd_lrb task_tag member. Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251031204029.2883185-25-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 22089c218037ca7cd50d4fa20e8b5bd746a9b397 Author: Bart Van Assche Date: Fri Oct 31 13:39:31 2025 -0700 scsi: ufs: core: Optimize the hot path Set .cmd_size in the SCSI host template such that the SCSI core makes struct scsi_cmnd and struct ufshcd_lrb adjacent. Convert the cmd->lrbp and lrbp->cmd memory loads into pointer offset calculations. Remove the data structure members that became superfluous, namely ufshcd_lrb.cmd and ufs_hba.lrb. Since ufshcd_lrb.cmd is removed, this pointer cannot be used anymore to test whether or not a command is a SCSI command. Introduce a new function for this purpose, namely ufshcd_is_scsi_cmd(). Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251031204029.2883185-24-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit e5f9cc2af9a82700e989ac08be3c85c25046a6f6 Author: Bart Van Assche Date: Fri Oct 31 13:39:30 2025 -0700 scsi: ufs: core: Do not clear driver-private command data Tell the SCSI core to skip the memset() call that clears driver-private data because __ufshcd_setup_cmd() performs all necessary initialization. Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251031204029.2883185-23-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 1d0af94ffb5d4c9b99d38646521b6d3e4119d044 Author: Bart Van Assche Date: Fri Oct 31 13:39:29 2025 -0700 scsi: ufs: core: Make the reserved slot a reserved request Instead of letting the SCSI core allocate hba->nutrs - 1 commands, let the SCSI core allocate hba->nutrs commands, set the number of reserved tags to 1 and use the reserved tag for device management commands. This patch changes the 'reserved slot' from hba->nutrs - 1 into 0 because the block layer reserves the smallest tags for reserved commands. Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251031204029.2883185-22-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit d3fd0fd7768681eaeb03742c9e8ae846c505f564 Author: Bart Van Assche Date: Fri Oct 31 13:39:28 2025 -0700 scsi: ufs: core: Use hba->reserved_slot Use hba->reserved_slot instead of open-coding it. This patch prepares for changing the value of hba->reserved_slot. Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251031204029.2883185-21-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 45e636ea129486c4cf7bb342b0d59c186ae2fabb Author: Bart Van Assche Date: Fri Oct 31 13:39:27 2025 -0700 scsi: ufs: core: Call ufshcd_init_lrb() later Call ufshcd_init_lrb() from inside ufshcd_setup_dev_cmd() instead of ufshcd_host_memory_configure(). This patch prepares for calling ufshcd_host_memory_configure() before the information is available that is required to call ufshcd_setup_dev_cmd(). Reviewed-by: Avri Altman Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251031204029.2883185-20-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit f46b9a595fa95c82e3279b687869cac249838e96 Author: Bart Van Assche Date: Fri Oct 31 13:39:26 2025 -0700 scsi: ufs: core: Allocate the SCSI host earlier Call ufshcd_add_scsi_host() before any UPIU commands are sent to the UFS device. This patch prepares for letting ufshcd_add_scsi_host() allocate memory for both SCSI and UPIU commands. Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251031204029.2883185-19-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit e8ea985a8314e0170124476e0fa5a5da868a7a40 Author: Bart Van Assche Date: Fri Oct 31 13:39:25 2025 -0700 scsi: ufs: core: Rework the SCSI host queue depth calculation code Prepare for allocating the SCSI host earlier by making the SCSI host queue depth independent of the queue depth supported by the UFS device. This patch may increase the queue depth of the UFS SCSI host. Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251031204029.2883185-18-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit f18fac1e2b729d3bdeb41b946d90b57f3515f438 Author: Bart Van Assche Date: Fri Oct 31 13:39:24 2025 -0700 scsi: ufs: core: Rework ufshcd_eh_device_reset_handler() Merge the MCQ mode and legacy mode loops into a single loop. This patch prepares for optimizing the hot path by removing the direct hba->lrb[] accesses from ufshcd_eh_device_reset_handler(). Reviewed-by: Avri Altman Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251031204029.2883185-17-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 63a5b959c854c33f280533eedd27bd3489e2b704 Author: Bart Van Assche Date: Fri Oct 31 13:39:23 2025 -0700 scsi: ufs: core: Rework ufshcd_mcq_compl_pending_transfer() Replace a tag loop with blk_mq_tagset_busy_iter(). This patch prepares for removing the hba->lrb[] array. Reviewed-by: Avri Altman Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251031204029.2883185-16-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit f59568f4e27af9ba3b0e89909c6fb2cab38700c5 Author: Bart Van Assche Date: Fri Oct 31 13:39:22 2025 -0700 scsi: ufs: core: Change the monitor function argument types Pass a SCSI command pointer instead of a struct ufshcd_lrb pointer. This patch prepares for combining the SCSI command and ufshcd_lrb data structures into a single data structure. Reviewed-by: Avri Altman Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251031204029.2883185-15-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit ae7bf255b10e4c8382faec06f527ba832c18be24 Author: Bart Van Assche Date: Fri Oct 31 13:39:21 2025 -0700 scsi: ufs: core: Only call ufshcd_should_inform_monitor() for SCSI commands ufshcd_should_inform_monitor() only returns 'true' for SCSI commands. Instead of checking inside ufshcd_should_inform_monitor() whether its second argument represents a SCSI command, only call this function for SCSI commands. This patch prepares for removing the lrbp->cmd member. Reviewed-by: Peter Wang Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251031204029.2883185-14-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 3e7fff3fee5b7fa1538b2cef023733cf10366a4a Author: Bart Van Assche Date: Fri Oct 31 13:39:20 2025 -0700 scsi: ufs: core: Change the type of one ufshcd_send_command() argument Change the 'task_tag' argument into an LRB pointer. This patch prepares for the removal of the hba->lrb[] array. Reviewed-by: Avri Altman Reviewed-by: Peter Wang Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251031204029.2883185-13-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit ffa5d8c15300a3047c9a445dce81515cd3cde86e Author: Bart Van Assche Date: Fri Oct 31 13:39:19 2025 -0700 scsi: ufs: core: Change the type of one ufshcd_add_command_trace() argument Change the 'tag' argument into a SCSI command pointer. This patch prepares for the removal of the hba->lrb[] array. Reviewed-by: Avri Altman Reviewed-by: Peter Wang Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251031204029.2883185-12-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 60a1f6a8ad334475372a128a6856e893a910302e Author: Bart Van Assche Date: Fri Oct 31 13:39:18 2025 -0700 scsi: ufs: core: Only call ufshcd_add_command_trace() for SCSI commands Instead of checking inside ufshcd_add_command_trace() whether 'cmd' points at a SCSI command, let the caller perform that check. This patch prepares for removing the lrbp->cmd pointer. Reviewed-by: Avri Altman Reviewed-by: Peter Wang Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251031204029.2883185-11-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 9f8e09230f532c806ed088417f1ad794dd19a10f Author: Bart Van Assche Date: Fri Oct 31 13:39:17 2025 -0700 scsi: ufs: core: Change the type of one ufshcd_add_cmd_upiu_trace() argument Change the 'tag' argument into an LRB pointer. This patch prepares for the removal of the hba->lrb[] array. Reviewed-by: Avri Altman Reviewed-by: Peter Wang Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251031204029.2883185-10-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit dd4299af9b049c0dcb28699327ebc1386aab4b2a Author: Bart Van Assche Date: Fri Oct 31 13:39:16 2025 -0700 scsi: ufs: core: Move an assignment in ufshcd_mcq_process_cqe() Since 'tag' is only used inside the if-statement, move the 'tag' assignment into the if-statement. This patch prepares for introducing a WARN_ON_ONCE() call in ufshcd_mcq_get_tag() if the tag lookup fails. Reviewed-by: Avri Altman Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251031204029.2883185-9-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 581ca490353ca5f4bee0d662595af27c06e603d4 Author: Bart Van Assche Date: Fri Oct 31 13:39:15 2025 -0700 scsi: scsi_debug: Abort SCSI commands via an internal command Add a .queue_reserved_command() implementation and call it from the code path that aborts SCSI commands. This ensures that the code for allocating a pseudo SCSI device and also the code for allocating and processing reserved commands gets triggered while running blktests. Most of the code in this patch is a modified version of code from John Garry. See also https://lore.kernel.org/linux-scsi/75018e17-4dea-4e1b-8c92-7a224a1e13b9@oracle.com/ Reviewed-by: John Garry Suggested-by: John Garry Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251031204029.2883185-8-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit a2ab4e33286de37f3fe8f28f86f5f71d6b0ae3b0 Author: Hannes Reinecke Date: Fri Oct 31 13:39:14 2025 -0700 scsi: core: Add scsi_{get,put}_internal_cmd() helpers Add helper functions to allow LLDDs to allocate and free internal commands. [ bvanassche: changed the 'nowait' argument into a 'flags' argument. See also https://lore.kernel.org/linux-scsi/20211125151048.103910-3-hare@suse.de/ ] Reviewed-by: John Garry Signed-off-by: Hannes Reinecke Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251031204029.2883185-7-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 11ea1de3fc4ba94127034cb01df63a666c4c9836 Author: John Garry Date: Fri Oct 31 13:39:13 2025 -0700 scsi: core: Introduce .queue_reserved_command() Reserved commands will be used by SCSI LLDs for submitting internal commands. Since the SCSI host, target and device limits do not apply to the reserved command use cases, bypass the SCSI host limit checks for reserved commands. Introduce the .queue_reserved_command() callback for reserved commands. Additionally, do not activate the SCSI error handler if a reserved command fails such that reserved commands can be submitted from inside the SCSI error handler. [ bvanassche: modified patch title and patch description. Renamed .reserved_queuecommand() into .queue_reserved_command(). Changed the second argument of __blk_mq_end_request() from 0 into error code in the completion path if cmd->result != 0. Rewrote the scsi_queue_rq() changes. See also https://lore.kernel.org/linux-scsi/1666693096-180008-5-git-send-email-john.garry@huawei.com/ ] Cc: Hannes Reinecke Signed-off-by: John Garry Signed-off-by: Bart Van Assche Reviewed-by: Hannes Reinecke Link: https://patch.msgid.link/20251031204029.2883185-6-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit d630fbf6fc8ce2fc95de7784de5499387b682dc1 Author: Hannes Reinecke Date: Fri Oct 31 13:39:12 2025 -0700 scsi: core: Support allocating a pseudo SCSI device Allocate a pseudo SCSI device if 'nr_reserved_cmds' has been set. Pseudo SCSI devices have the SCSI ID :U64_MAX so they won't clash with any devices the LLD might create. Pseudo SCSI devices are excluded from scanning and will not show up in sysfs. Additionally, pseudo SCSI devices are skipped by shost_for_each_device(). This prevents that the SCSI error handler tries to submit a reset to a non-existent logical unit. Do not allocate a budget map for pseudo SCSI devices since the cmd_per_lun limit does not apply to pseudo SCSI devices. Do not perform queue depth ramp up / ramp down for pseudo SCSI devices. Pseudo SCSI devices will be used to send internal commands to a storage device. [ bvanassche: edited patch description / renamed host_sdev into pseudo_sdev / unexported scsi_get_host_dev() / modified error path in scsi_get_pseudo_dev() / skip pseudo devices in __scsi_iterate_devices() and also when calling sdev_init(), sdev_configure() and sdev_destroy(). See also https://lore.kernel.org/linux-scsi/20211125151048.103910-2-hare@suse.de/ ] Reviewed-by: John Garry Signed-off-by: Hannes Reinecke Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251031204029.2883185-5-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit a47c7bef57858d29b83cd7f101112f52821439f9 Author: Bart Van Assche Date: Fri Oct 31 13:39:11 2025 -0700 scsi: core: Make the budget map optional Prepare for not allocating a budget map for pseudo SCSI devices by checking whether a budget map has been allocated before using it. Reviewed-by: Hannes Reinecke Cc: John Garry Cc: Ming Lei Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251031204029.2883185-4-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 21008cabc5d9bf2864ff244f4f94abebe3380947 Author: Bart Van Assche Date: Fri Oct 31 13:39:10 2025 -0700 scsi: core: Move two statements Move two statements that will be needed for pseudo SCSI devices in front of code that won't be needed for pseudo SCSI devices. No functionality has been changed. Reviewed-by: John Garry Reviewed-by: Hannes Reinecke Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251031204029.2883185-3-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit d604e1ec246d236deff57ac7e89e073dd911d60b Author: Hannes Reinecke Date: Fri Oct 31 13:39:09 2025 -0700 scsi: core: Support allocating reserved commands Quite some drivers are using management commands internally. These commands typically use the same tag pool as regular SCSI commands. Tags for these management commands are set aside before allocating the block-mq tag bitmap for regular SCSI commands. The block layer already supports this via the reserved tag mechanism. Add a new field 'nr_reserved_cmds' to the SCSI host template to instruct the block layer to set aside a tag space for these management commands by using reserved tags. Exclude reserved commands from .can_queue because .can_queue is visible in sysfs. [ bvanassche: modified patch title and patch description. Left out the following statements: "if (sht->nr_reserved_cmds)" and also "if (sdev->host->nr_reserved_cmds) flags |= BLK_MQ_REQ_RESERVED;". Moved nr_reserved_cmds declarations and statements close to the corresponding can_queue declarations and statements. See also https://lore.kernel.org/linux-scsi/20210503150333.130310-11-hare@suse.de/ ] Signed-off-by: Hannes Reinecke Reviewed-by: John Garry Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251031204029.2883185-2-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit b06b8c421485e0e96d7fd6aa614fb0b6f2778a03 Author: Bean Huo Date: Sat Nov 8 00:05:18 2025 +0100 scsi: ufs: core: Add OP-TEE based RPMB driver for UFS devices Add OP-TEE based RPMB support for UFS devices. This enables secure RPMB operations on UFS devices through OP-TEE, providing the same functionality available for eMMC devices and extending kernel-based secure storage support to UFS-based systems. Benefits of OP-TEE based RPMB implementation: - Eliminates dependency on userspace supplicant for RPMB access - Enables early boot secure storage access (e.g., fTPM, secure UEFI variables) - Provides kernel-level RPMB access as soon as UFS driver is initialized - Removes complex initramfs dependencies and boot ordering requirements - Ensures reliable and deterministic secure storage operations - Supports both built-in and modular fTPM configurations [mkp: make this build as a module] Co-developed-by: Can Guo Signed-off-by: Can Guo Reviewed-by: Avri Altman Reviewed-by: Bart Van Assche Signed-off-by: Bean Huo Link: https://patch.msgid.link/20251107230518.4060231-4-beanhuo@iokpp.de Signed-off-by: Martin K. Petersen commit d794b499f948801f54d67ddbc34a6eac5a6d150a Author: Bean Huo Date: Sat Nov 8 00:05:17 2025 +0100 scsi: ufs: core: fix incorrect buffer duplication in ufshcd_read_string_desc() The function ufshcd_read_string_desc() was duplicating memory starting from the beginning of struct uc_string_id, which included the length and type fields. As a result, the allocated buffer contained unwanted metadata in addition to the string itself. The correct behavior is to duplicate only the Unicode character array in the structure. Update the code so that only the actual string content is copied into the new buffer. Fixes: 5f57704dbcfe ("scsi: ufs: Use kmemdup in ufshcd_read_string_desc()") Reviewed-by: Avri Altman Reviewed-by: Bart Van Assche Signed-off-by: Bean Huo Link: https://patch.msgid.link/20251107230518.4060231-3-beanhuo@iokpp.de Signed-off-by: Martin K. Petersen commit 0d9a7085ec24983b5b8a4971c0eb6c756c75f1bf Author: Bean Huo Date: Sat Nov 8 00:05:16 2025 +0100 scsi: ufs: core: Convert string descriptor format macros to enum Convert SD_ASCII_STD and SD_RAW from boolean macros to enum values for improved code readability. This makes ufshcd_read_string_desc() calls self-documenting by using explicit enum values instead of true/false. Move the ufshcd_read_string_desc() declaration from include/ufs/ufshcd.h to drivers/ufs/core/ufshcd-priv.h since this function is not exported. Co-developed-by: Bart Van Assche Signed-off-by: Bart Van Assche Suggested-by: Avri Altman Signed-off-by: Bean Huo Link: https://patch.msgid.link/20251107230518.4060231-2-beanhuo@iokpp.de Signed-off-by: Martin K. Petersen commit 8c59fc1c90df7ff29565d9743f0e61180e9ee00d Author: Markus Probst Date: Tue Nov 4 14:24:34 2025 +0000 scsi: ata: Stop disk on restart if ACPI power resources are found Some embedded devices have the ability to control whether power is provided to the disks via the SATA power connector or not. ACPI power resources are usually off by default, thus making it unclear if the specific power resource will retain its state after a restart. If power resources are defined on ATA ports / devices in ACPI, we should stop the disk on SYSTEM_RESTART, to ensure the disk will not lose power while active. Add a new function, ata_acpi_dev_manage_restart(), that will be used to determine if a disk should be stopped before restarting the system. If a usable ACPI power resource has been found, it is assumed that the disk will lose power after a restart and should be stopped to avoid unclean shutdown due to power loss. Reviewed-by: Damien Le Moal Signed-off-by: Markus Probst Link: https://patch.msgid.link/20251104142413.322347-4-markus.probst@posteo.de Signed-off-by: Martin K. Petersen commit ce6d26b5330c5de4f458143e9675984e367f6a40 Author: Markus Probst Date: Tue Nov 4 14:24:33 2025 +0000 scsi: ata: Use ACPI methods to power on disks Some embedded devices have the ability to control whether power is provided to the disks via the SATA power connector or not. If power resources are defined on ATA ports / devices in ACPI, we should try to set the power state to D0 before probing the disk to ensure that any power supply or power gate that may exist is providing power to the disk. An example for such devices would be newer synology NAS devices. Every disk slot has its own SATA power connector. Whether the connector is providing power is controlled via an gpio, which is *off by default*. Also the disk loses power on reboots. Add a new function, ata_acpi_port_power_on(), that will be used to power on the SATA power connector if usable ACPI power resources on the associated ATA port / device are found. It will be called right before probing the port, therefore the disk will be powered on just in time. Signed-off-by: Markus Probst Reviewed-by: Damien Le Moal Link: https://patch.msgid.link/20251104142413.322347-3-markus.probst@posteo.de Signed-off-by: Martin K. Petersen commit 8fdfdb1488162c195f3f0af10b7bc2b8b42928c5 Author: Markus Probst Date: Tue Nov 4 14:24:32 2025 +0000 scsi: sd: Add manage_restart device attribute to scsi_disk In addition to the already existing manage_shutdown, manage_system_start_stop and manage_runtime_start_stop device scsi_disk attributes, add manage_restart, which allows the high-level device driver (sd) to manage the device power state for SYSTEM_RESTART if set to 1. This attribute is necessary for the following commit "ata: stop disk on restart if ACPI power resources are found" to avoid a potential disk power failure in the case the SATA power connector does not retain the power state after a restart. Reviewed-by: Damien Le Moal Signed-off-by: Markus Probst Link: https://patch.msgid.link/20251104142413.322347-2-markus.probst@posteo.de Signed-off-by: Martin K. Petersen commit d45fdc6cdd7370ce2c8eb55b65af34594cdd9d7e Author: Justin Tee Date: Thu Nov 6 14:46:39 2025 -0800 scsi: lpfc: Update lpfc version to 14.4.0.12 Update lpfc version to 14.4.0.12 Signed-off-by: Justin Tee Link: https://patch.msgid.link/20251106224639.139176-11-justintee8345@gmail.com Signed-off-by: Martin K. Petersen commit 191da2c71b13b1975d8759f852b0ce9bbc913545 Author: Justin Tee Date: Thu Nov 6 14:46:38 2025 -0800 scsi: lpfc: Add capability to register Platform Name ID to fabric FC-LS and FC-GS specifications outline fields for registering a platform name identifier (PNI) to the fabric. The PNI assists fabrics with identifying the physical server source of frames in the fabric. lpfc generates a PNI based partially on the uuid specific for the system. Initial attempts to extract a uuid are made from SMBIOS's System Information 08h uuid entry. If SMBIOS DMI does not exist, a PNI is not generated and PNI registration with the fabric is skipped. The PNI is submitted in FLOGI and FDISC frames. After successful fabric login, the RSPNI_PNI CT frame is submitted to the fabric to register the OS host name tying it to the PNI. Signed-off-by: Justin Tee Link: https://patch.msgid.link/20251106224639.139176-10-justintee8345@gmail.com Signed-off-by: Martin K. Petersen commit 683df5fc3ec5b9bd2596f84d120c4fda8151fd09 Author: Justin Tee Date: Thu Nov 6 14:46:37 2025 -0800 scsi: lpfc: Allow support for BB credit recovery in point-to-point topology Currently, BB credit recovery is excluded to fabric topology mode. This patch allows setting of BB_SC_N in PLOGIs and PLOGI_ACCs when in point-to-point mode so that BB credit recovery can operate in point-to-point topology as well. Signed-off-by: Justin Tee Link: https://patch.msgid.link/20251106224639.139176-9-justintee8345@gmail.com Signed-off-by: Martin K. Petersen commit 07caedc6a3887938813727beafea40f07c497705 Author: Justin Tee Date: Thu Nov 6 14:46:36 2025 -0800 scsi: lpfc: Fix reusing an ndlp that is marked NLP_DROPPED during FLOGI It's possible for an unstable link to repeatedly bounce allowing a FLOGI retry, but then bounce again forcing an abort of the FLOGI. Ensure that the initial reference count on the FLOGI ndlp is restored in this faulty link scenario. Signed-off-by: Justin Tee Link: https://patch.msgid.link/20251106224639.139176-8-justintee8345@gmail.com Signed-off-by: Martin K. Petersen commit 0b8b15a0b74dafe4b184dfae120d715172960ae5 Author: Justin Tee Date: Thu Nov 6 14:46:35 2025 -0800 scsi: lpfc: Modify kref handling for Fabric Controller ndlps Currently, there is a kref put in the lpfc_cleanup() routine that takes care of outstanding references on fabric controller ndlps in UNUSED state. While typically there is a state change from UNUSED -> REGLOGIN when the ndlp successfully logs into the fabric, there may be cases when FLOGI is unsuccessful and the ndlp will remain in UNUSED state without a registered rpi, yet the ndlp incorrectly has a kref count of one. To address this, handling of Fabric Controller ndlps are moved into the routines: lpfc_issue_els_scr(), lpfc_issue_els_rdf(), lpfc_cmpl_els_disc_cmd(). In both lpfc_issue_els_scr() and lpfc_issue_els_rdf(), if there does not exist a previously created fabric controller ndlp, an ndlp will be created. Otherwise, we can reuse the pre-existing ndlp object. In lpfc_cmpl_els_disc_cmd(), if the SCR or RDF are not successfully issued, the initial reference on the ndlp that is not registered with upper layers will be decremented with a kref_put(). Signed-off-by: Justin Tee Link: https://patch.msgid.link/20251106224639.139176-7-justintee8345@gmail.com Signed-off-by: Martin K. Petersen commit 23f4906729a0064e734fb9da2ed02e8fbbf8db00 Author: Justin Tee Date: Thu Nov 6 14:46:34 2025 -0800 scsi: lpfc: Fix leaked ndlp krefs when in point-to-point topology In point-to-point topology, the driver sometimes defers the unsolicited FLOGI LS_ACC until it sends its FLOGI to the remote port. When this happens, lpfc neglects to release the ndlp allocated for the unsolicited FLOGI. This patch adds code to release the ndlp for the deferred unsolicited FLOGI LS_ACC. An NLP_FLOGI_DFR_ACC flag is introduced to facilitate identifying an ndlp with an expected deferred FLOGI LS_ACC completion. When lpfc_cmpl_els_rsp() detects the correct qualifiers, it releases the initial reference on the ndlp object. And when lpfc_cmpl_els_rsp() exits, the remaining put for the deferred action is executed and the ndlp is released. Signed-off-by: Justin Tee Link: https://patch.msgid.link/20251106224639.139176-6-justintee8345@gmail.com Signed-off-by: Martin K. Petersen commit 6f81582b7a9deb3ab10354e801b3ea5cec92b06c Author: Justin Tee Date: Thu Nov 6 14:46:33 2025 -0800 scsi: lpfc: Ensure unregistration of rpis for received PLOGIs Unregistration of an rpi object should be done when a PLOGI is received as PLOGI receipt implies an implicit LOGO. Previously, the driver would continue using the same, already registered, rpi and ACC the received PLOGI. Replace the ACC and early return statement with break to execute the rest of the lpfc_rcv_plogi logic outside the switch case statement. This ensures unregistration and reregistration of an rpi after PLOGI_ACC completion. Signed-off-by: Justin Tee Link: https://patch.msgid.link/20251106224639.139176-5-justintee8345@gmail.com Signed-off-by: Martin K. Petersen commit 3c228061c80df4ea63c2d5ca2c781323885bac7a Author: Justin Tee Date: Thu Nov 6 14:46:32 2025 -0800 scsi: lpfc: Remove redundant NULL ptr assignment in lpfc_els_free_iocb() Remove redundant cmd_dmabuf and bpl_dmabuf NULL ptr assignment as they are already initialized to NULL when handling a new unsolicited event. Signed-off-by: Justin Tee Link: https://patch.msgid.link/20251106224639.139176-4-justintee8345@gmail.com Signed-off-by: Martin K. Petersen commit f7a302e4759c521fe57c7319e40549697424393d Author: Justin Tee Date: Thu Nov 6 14:46:31 2025 -0800 scsi: lpfc: Revise discovery related function headers and comments Correcting discovery related function headers, return status information, and comment descriptions. There are no functional changes. Signed-off-by: Justin Tee Link: https://patch.msgid.link/20251106224639.139176-3-justintee8345@gmail.com Signed-off-by: Martin K. Petersen commit 051d4b65e839c1b5dd43469b291cd1199d16bc68 Author: Justin Tee Date: Thu Nov 6 14:46:30 2025 -0800 scsi: lpfc: Update various NPIV diagnostic log messaging Update PRLI status log message to automatically warn when CQE status is non-zero. When issuing an RSCN, log ndlp's kref count to the debugfs trace buffer. Add the NPIV virtual port index to the FDMI registration log message with the fabric. Signed-off-by: Justin Tee Link: https://patch.msgid.link/20251106224639.139176-2-justintee8345@gmail.com Signed-off-by: Martin K. Petersen commit 4cec99e83d924045e68418034ced62a6e5f3b513 Author: Don Brace Date: Thu Nov 6 10:38:22 2025 -0600 scsi: smartpqi: Update version to 2.1.36-026 Update driver version to 2.1.36-026 Reviewed-by: Scott Benesh Reviewed-by: Scott Teel Reviewed-by: Gerry Morong Signed-off-by: Don Brace Link: https://patch.msgid.link/20251106163823.786828-5-don.brace@microchip.com Signed-off-by: Martin K. Petersen commit 48e6b7e708029cea451e53a8c16fc8c16039ecdc Author: David Strahan Date: Thu Nov 6 10:38:21 2025 -0600 scsi: smartpqi: Add support for Hurray Data new controller PCI device Add support for new Hurray Data controller. All entries are in HEX. Add PCI IDs for Hurray Data controllers: VID / DID / SVID / SDID ---- ---- ---- ---- 9005 028f 207d 4840 Reviewed-by: Scott Benesh Reviewed-by: Scott Teel Reviewed-by: Mike McGowen Signed-off-by: David Strahan Signed-off-by: Don Brace Link: https://patch.msgid.link/20251106163823.786828-4-don.brace@microchip.com Signed-off-by: Martin K. Petersen commit b518e86d1a70a88f6592a7c396cf1b93493d1aab Author: Mike McGowen Date: Thu Nov 6 10:38:20 2025 -0600 scsi: smartpqi: Fix device resources accessed after device removal Correct possible race conditions during device removal. Previously, a scheduled work item to reset a LUN could still execute after the device was removed, leading to use-after-free and other resource access issues. This race condition occurs because the abort handler may schedule a LUN reset concurrently with device removal via sdev_destroy(), leading to use-after-free and improper access to freed resources. - Check in the device reset handler if the device is still present in the controller's SCSI device list before running; if not, the reset is skipped. - Cancel any pending TMF work that has not started in sdev_destroy(). - Ensure device freeing in sdev_destroy() is done while holding the LUN reset mutex to avoid races with ongoing resets. Fixes: 2d80f4054f7f ("scsi: smartpqi: Update deleting a LUN via sysfs") Reviewed-by: Scott Teel Reviewed-by: Scott Benesh Signed-off-by: Mike McGowen Signed-off-by: Don Brace Link: https://patch.msgid.link/20251106163823.786828-3-don.brace@microchip.com Signed-off-by: Martin K. Petersen commit f3ecbba1aa715fd22234df3d2f3a0ecf7c458e36 Author: Mike McGowen Date: Thu Nov 6 10:38:19 2025 -0600 scsi: smartpqi: Add timeout value to RAID path requests to physical devices Add a timeout value to requests sent to physical devices via the RAID path. A timeout value of zero means wait indefinitely, which may cause the OS to issue Target Management Function (TMF) commands if the device does not respond. For input timeouts of 8 seconds or greater, the value sent to firmware is reduced by 3 seconds to provide an earlier firmware timeout and allow the OS additional time before timing out. This change improves timeout handling between the driver, firmware, and OS, helping to better manage device responsiveness and avoid indefinite waits. Reviewed-by: David Strahan Reviewed-by: Scott Benesh Reviewed-by: Scott Teel Signed-off-by: Mike McGowen Signed-off-by: Don Brace Link: https://patch.msgid.link/20251106163823.786828-2-don.brace@microchip.com Signed-off-by: Martin K. Petersen commit 02880c083c13143ecf7c624808eda7980f843368 Author: Thomas Richard (TI.com) Date: Thu Nov 6 15:21:54 2025 +0100 scsi: ufs: ti-j721e: Add suspend-resume support Restore the ctrl register to resume the TI UFS wrapper. Signed-off-by: Thomas Richard (TI.com) Link: https://patch.msgid.link/20251106-scsi-ufs-ti-j721e-suspend-resume-support-v1-1-6f395f51219e@bootlin.com Signed-off-by: Martin K. Petersen commit e6965188f84a7883e6a0d3448e86b0cf29b24dfc Author: Hamza Mahfooz Date: Wed Nov 5 11:25:46 2025 -0800 scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show() If the allocation of tl_hba->sh fails in tcm_loop_driver_probe() and we attempt to dereference it in tcm_loop_tpg_address_show() we will get a segfault, see below for an example. So, check tl_hba->sh before dereferencing it. Unable to allocate struct scsi_host BUG: kernel NULL pointer dereference, address: 0000000000000194 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 8356 Comm: tokio-runtime-w Not tainted 6.6.104.2-4.azl3 #1 Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/28/2024 RIP: 0010:tcm_loop_tpg_address_show+0x2e/0x50 [tcm_loop] ... Call Trace: configfs_read_iter+0x12d/0x1d0 [configfs] vfs_read+0x1b5/0x300 ksys_read+0x6f/0xf0 ... Cc: stable@vger.kernel.org Fixes: 2628b352c3d4 ("tcm_loop: Show address of tpg in configfs") Signed-off-by: Hamza Mahfooz Reviewed-by: Chaitanya Kulkarni Reviewed-by: Allen Pais Link: https://patch.msgid.link/1762370746-6304-1-git-send-email-hamzamahfooz@linux.microsoft.com Signed-off-by: Martin K. Petersen commit 57565f97b0eaf56934c5d40f8673d1873cfd11cf Author: Marco Crivellari Date: Wed Nov 5 16:03:36 2025 +0100 scsi: fcoe: Add WQ_PERCPU to alloc_workqueue() users Currently if a user enqueues a work item using schedule_delayed_work() the used wq is "system_wq" (per-cpu wq) while queue_delayed_work() uses WORK_CPU_UNBOUND (used when a CPU is not specified). The same applies to schedule_work() that is using system_wq and queue_work(), that makes use again of WORK_CPU_UNBOUND. This lack of consistentcy cannot be addressed without refactoring the API. alloc_workqueue() treats all queues as per-CPU by default, while unbound workqueues must opt-in via WQ_UNBOUND. This default is suboptimal: most workloads benefit from unbound queues, allowing the scheduler to place worker threads where they’re needed and reducing noise when CPUs are isolated. Continue the effort to refactor workqueue APIs, which has begun with the change introducing new workqueues and a new alloc_workqueue flag: commit 128ea9f6ccfb ("workqueue: Add system_percpu_wq and system_dfl_wq") commit 930c2ea566af ("workqueue: Add new WQ_PERCPU flag") Adds a new WQ_PERCPU flag to explicitly request alloc_workqueue() to be per-CPU when WQ_UNBOUND has not been specified. With the introduction of the WQ_PERCPU flag (equivalent to !WQ_UNBOUND), any alloc_workqueue() caller that doesn’t explicitly specify WQ_UNBOUND must now use WQ_PERCPU. Once migration is complete, WQ_UNBOUND can be removed and unbound will become the implicit default. Suggested-by: Tejun Heo Signed-off-by: Marco Crivellari Reviewed-by: Hannes Reinecke Link: https://patch.msgid.link/20251105150336.244079-1-marco.crivellari@suse.com Signed-off-by: Martin K. Petersen commit d27418aaf8bcb21f3f9b54a57427a0ae4f025bf7 Author: David Jeffery Date: Tue Nov 4 10:46:23 2025 -0500 scsi: st: Skip buffer flush for information ioctls With commit 9604eea5bd3a ("scsi: st: Add third party poweron reset handling") some customer tape applications fail from being unable to complete ioctls to verify ID information for the device when there has been any type of reset event to their tape devices. The st driver currently will fail all standard SCSI ioctls if a call to flush_buffer() fails in st_ioctl(). This causes ioctls which otherwise have no effect on tape state to succeed or fail based on events unrelated to the requested ioctl. This makes SCSI information ioctls unreliable after a reset even if no buffering is in use. With a reset setting the pos_unknown field, flush_buffer() will report failure and fail all ioctls. So any application expecting to use ioctls to check the identify the device will be unable to do so in such a state. For SCSI information ioctls, avoid the need for a buffer flush and allow the ioctls to execute regardless of buffer state. Signed-off-by: David Jeffery Tested-by: Laurence Oberman Acked-by: Kai Mäkisara Reviewed-by: John Meneghini Tested-by: John Meneghini Link: https://patch.msgid.link/20251104154709.6436-2-djeffery@redhat.com Signed-off-by: Martin K. Petersen commit b37d70c0df85e217a868ecdf535500ff926427ae Author: David Jeffery Date: Tue Nov 4 10:46:22 2025 -0500 scsi: st: Separate st-unique ioctl handling from SCSI common ioctl handling The st ioctl function currently interleaves code for handling various st specific ioctls with parts of code needed for handling ioctls common to all SCSI devices. Separate out st's code for the common ioctls into a more manageable, separate function. Signed-off-by: David Jeffery Tested-by: Laurence Oberman Acked-by: Kai Mäkisara Reviewed-by: John Meneghini Tested-by: John Meneghini Link: https://patch.msgid.link/20251104154709.6436-1-djeffery@redhat.com Signed-off-by: Martin K. Petersen commit ad4716ad48d4f1da4f991a1707f2230f4a97bff1 Author: Peter Wang Date: Mon Nov 3 19:57:36 2025 +0800 scsi: dt-bindings: phy: mediatek,ufs-phy: Update maintainer information in mediatek,ufs-phy.yaml Replace Stanley Chu with me and Chaotian in the maintainers field, since his email address is no longer active. Signed-off-by: Peter Wang Acked-by: Conor Dooley Link: https://patch.msgid.link/20251103115808.3771214-1-peter.wang@mediatek.com Signed-off-by: Martin K. Petersen commit 20da637eb545b04753e20c675cfe97b04c7b600b Author: Haotian Zhang Date: Tue Nov 4 17:48:47 2025 +0800 scsi: stex: Fix reboot_notifier leak in probe error path In stex_probe(), register_reboot_notifier() is called at the beginning, but if any subsequent initialization step fails, the function returns without unregistering the notifier, resulting in a resource leak. Add unregister_reboot_notifier() in the out_disable error path to ensure proper cleanup on all failure paths. Fixes: 61b745fa63db ("scsi: stex: Add S6 support") Signed-off-by: Haotian Zhang Link: https://patch.msgid.link/20251104094847.270-1-vulab@iscas.ac.cn Signed-off-by: Martin K. Petersen commit bbb490053173b737604a87af03f2113fb1c279a0 Author: Mike Christie Date: Wed Sep 17 17:12:55 2025 -0500 scsi: target: Move LUN stats to per-CPU The atomic use in the main I/O path is causing perf issues when using higher performance backend devices and multiple queues (more than 10 when using vhost-scsi) like with this fio workload: [global] bs=4K iodepth=128 direct=1 ioengine=libaio group_reporting time_based runtime=120 name=standard-iops rw=randread numjobs=16 cpus_allowed=0-15 To fix this issue, move the LUN stats to per CPU. Note: I forgot to include this patch with the delayed/ordered per CPU tracking and per device/device entry per CPU stats. With this patch you get the full 33% improvements when using fast backends, multiple queues and multiple IO submiters. Signed-off-by: Mike Christie Reviewed-by: Dmitry Bogdanov Link: https://patch.msgid.link/20250917221338.14813-4-michael.christie@oracle.com Signed-off-by: Martin K. Petersen commit ed6b97a79577db9bf9d7b21fd623f24f499e3acc Author: Mike Christie Date: Wed Sep 17 17:12:54 2025 -0500 scsi: target: Create and use macro helpers for per-CPU stats Create some macros to reduce code duplication for when we handle per-CPU stats. Convert the existing LUN and auth cases. Note: This is similar to percpu_counters but they only support s64 since they are also used for non-stat counters where you need to handle/prevent rollover more gracefully. Our use is just for stats where the spec defines u64 use plus we already have some files exporting u64 values so it's not possible to directly use percpu_counters. Signed-off-by: Mike Christie Reviewed-by: Dmitry Bogdanov Link: https://patch.msgid.link/20250917221338.14813-3-michael.christie@oracle.com Signed-off-by: Martin K. Petersen commit 95aa2041c654161d1b5c1eca5379d67d91ef1cf2 Author: Mike Christie Date: Wed Sep 17 17:12:53 2025 -0500 scsi: target: Fix LUN/device R/W and total command stats In commit 9cf2317b795d ("scsi: target: Move I/O path stats to per CPU") I saw we sometimes use %u and also misread the spec. As a result I thought all the stats were supposed to be 32-bit only. However, for the majority of cases we support currently, the spec specifies u64 bit stats. This patch converts the stats changed in the commit above to u64. Fixes: 9cf2317b795d ("scsi: target: Move I/O path stats to per CPU") Signed-off-by: Mike Christie Reviewed-by: Dmitry Bogdanov Link: https://patch.msgid.link/20250917221338.14813-2-michael.christie@oracle.com Signed-off-by: Martin K. Petersen commit 867e4b1bae4bc990dcdbc756f2caa680818036bd Author: Bart Van Assche Date: Fri Oct 31 15:18:44 2025 -0700 scsi: core: Improve sdev_store_timeout() Check whether or not the conversion of the argument to an integer succeeded. Reject invalid timeout values. Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251031221844.2921694-1-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 61deab8a323da26415363af045a0a1f2c12baf4a Author: Bart Van Assche Date: Fri Oct 31 15:08:56 2025 -0700 scsi: core: Remove unused code from scsi_sysfs.c Remove unused code since we do not keep unused code in the Linux kernel. Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251031220857.2917954-1-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 480ca7954664e7ac458b573728024039f62709a1 Author: Peter Wang Date: Fri Oct 31 20:19:12 2025 +0800 scsi: ufs: dt-bindings: mediatek,ufs: Update maintainer information in mediatek,ufs.yaml Replace Stanley Chu with me and Chaotian in the maintainers field since Stanley's email address is no longer active. Signed-off-by: Peter Wang Acked-by: Conor Dooley Link: https://patch.msgid.link/20251031122008.1517549-1-peter.wang@mediatek.com Signed-off-by: Martin K. Petersen commit b0b9c7ccc1ef60a2c4a42795493797a35bbeb11b Author: Peter Wang Date: Fri Oct 31 19:53:16 2025 +0800 scsi: ufs: mediatek: Add the maintainer for MediaTek UFS hooks Add Chaotian Jing as the maintainer of the MediaTek UFS hooks. Signed-off-by: Peter Wang Link: https://patch.msgid.link/20251031115356.1501765-1-peter.wang@mediatek.com Signed-off-by: Martin K. Petersen commit f010c39ae14c3adcef78c3a98eb904f5585dbb0a Author: Bart Van Assche Date: Mon Oct 27 11:46:39 2025 -0700 scsi: target: Simplify target_lu_gp_members_show() Remove the stack buffer 'buf'. This patch does not modify the output produced by target_lu_gp_members_show(). An example of the output that is produced with this patch applied: $ cat /sys/kernel/config/target/core/alua/lu_gps/default_lu_gp/members fileio_0/vdev0 fileio_1/vdev1 iblock_0/vdev2 $ od -c /sys/kernel/config/target/core/alua/lu_gps/default_lu_gp/members 0000000 f i l e i o _ 0 / v d e v 0 \n f 0000020 i l e i o _ 1 / v d e v 1 \n i b 0000040 l o c k _ 0 / v d e v 2 \n 0000055 Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251027184639.3501254-3-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit c03b55f235e283cae49c88b9602fd11096b92eba Author: Bart Van Assche Date: Mon Oct 27 11:46:38 2025 -0700 scsi: target: Do not write NUL characters into ASCII configfs output NUL characters are not allowed in ASCII configfs output. Hence this patch. Fixes: c66ac9db8d4a ("[SCSI] target: Add LIO target core v4.0.0-rc6") Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251027184639.3501254-2-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 8e62d8f4b159ae80b4db5b5e46db0c5fec58c4a2 Author: Mike Christie Date: Mon Oct 20 10:38:20 2025 +0000 scsi: target: Add atomic support to target_core_iblock Make target_core_iblock use the LIO helper function to translate its block_device atomic settings to LIO settings. If we then get a write that LIO has indicated is atomic via the SCF_ATOMIC flag, we use the REQ_ATOMIC flag to tell the block layer to perform an atomic write. Signed-off-by: Mike Christie Signed-off-by: John Garry Reviewed-by: John Garry Link: https://patch.msgid.link/20251020103820.2917593-8-john.g.garry@oracle.com Signed-off-by: Martin K. Petersen commit 2d9668883bba31b206f9b02bfc8db1fcb4ca6079 Author: Mike Christie Date: Mon Oct 20 10:38:19 2025 +0000 scsi: target: Add WRITE_ATOMIC_16 support to RSOC Report if the device supports WRITE_ATOMIC_16 in the REPORT_SUPPORTED_OPERATION_CODES command. Signed-off-by: Mike Christie Signed-off-by: John Garry Link: https://patch.msgid.link/20251020103820.2917593-7-john.g.garry@oracle.com Signed-off-by: Martin K. Petersen commit 710ad826e300ef6d13aa6fddd613a04285cc451d Author: Mike Christie Date: Mon Oct 20 10:38:18 2025 +0000 scsi: target: Report atomic values in INQUIRY Report the atomic values in the Block Limits VPD page. Signed-off-by: Mike Christie jpg: handle not having atomic_supported attribute Signed-off-by: John Garry Link: https://patch.msgid.link/20251020103820.2917593-6-john.g.garry@oracle.com Signed-off-by: Martin K. Petersen commit 526145725106b490b0c2d9f200b705b17a3da6b6 Author: Mike Christie Date: Mon Oct 20 10:38:17 2025 +0000 scsi: target: Add WRITE_ATOMIC_16 handler Add the core LIO code to process the WRITE_ATOMIC_16 command. Signed-off-by: Mike Christie jpg: fix return code from sbc_check_atomic, reformat Signed-off-by: John Garry Link: https://patch.msgid.link/20251020103820.2917593-5-john.g.garry@oracle.com Signed-off-by: Martin K. Petersen commit c486634fe2b10301bd8f0319c70a919433bfdf17 Author: Mike Christie Date: Mon Oct 20 10:38:16 2025 +0000 scsi: target: Add helper to set up atomic values from block_device Add a helper function that sets up the atomic value based on a block_device similar to what we do for unmap. Signed-off-by: Mike Christie jpg: Set atomic alignment, drop atomic_supported reference Signed-off-by: John Garry Link: https://patch.msgid.link/20251020103820.2917593-4-john.g.garry@oracle.com Signed-off-by: Martin K. Petersen commit d505447b8d78f4d81a67d492ac72b8d3a1805e72 Author: Mike Christie Date: Mon Oct 20 10:38:15 2025 +0000 scsi: target: Add atomic se_device fields Add atomic fields to the se_device and export them in configfs. Initially only target_core_iblock will be supported and we will inherit all the settings from the block layer. Signed-off-by: Mike Christie jpg: Stop being allowed to configure atomic write alignment, Signed-off-by: John Garry Link: https://patch.msgid.link/20251020103820.2917593-3-john.g.garry@oracle.com Signed-off-by: Martin K. Petersen commit 3434be392051a2fdb295df3cfe07bf75235250a0 Author: Mike Christie Date: Mon Oct 20 10:38:14 2025 +0000 scsi: target: Rename target_configure_unmap_from_queue() Rename target_configure_unmap_from_queue() to target_configure_unmap_from_bdev() since it now takes a bdev. Signed-off-by: Mike Christie Signed-off-by: John Garry Reviewed-by: John Garry Link: https://patch.msgid.link/20251020103820.2917593-2-john.g.garry@oracle.com Signed-off-by: Martin K. Petersen commit 525a411f9a5ff736bf017c36823aefda93eeae36 Author: Krzysztof Kozlowski Date: Mon Oct 27 12:31:08 2025 +0100 scsi: ufs: dt-bindings: qcom: Drop redundant "reg" constraints The "reg" in top-level has maxItems:2, thus repeating this in "if:then:" blocks is redundant. Similarly number of items cannot be less than 1. Signed-off-by: Krzysztof Kozlowski Acked-by: Rob Herring (Arm) Link: https://patch.msgid.link/20251027113107.75835-2-krzysztof.kozlowski@linaro.org Signed-off-by: Martin K. Petersen commit a2b32bc1d9e359a9f90d0de6af16699facb10935 Author: Adrian Hunter Date: Fri Oct 24 11:59:18 2025 +0300 scsi: ufs: core: Fix invalid probe error return value After DME Link Startup, the error return value is set to the MIPI UniPro GenericErrorCode which can be 0 (SUCCESS) or 1 (FAILURE). Upon failure during driver probe, the error code 1 is propagated back to the driver probe function which must return a negative value to indicate an error, but 1 is not negative, so the probe is considered to be successful even though it failed. Subsequently, removing the driver results in an oops because it is not in a valid state. This happens because none of the callers of ufshcd_init() expect a non-negative error code. Fix the return value and documentation to match actual usage. Fixes: 69f5eb78d4b0 ("scsi: ufs: core: Move the ufshcd_device_init(hba, true) call") Cc: stable@vger.kernel.org Signed-off-by: Adrian Hunter Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20251024085918.31825-5-adrian.hunter@intel.com Signed-off-by: Martin K. Petersen commit d968e99488c4b08259a324a89e4ed17bf36561a4 Author: Adrian Hunter Date: Fri Oct 24 11:59:17 2025 +0300 scsi: ufs: ufs-pci: Set UFSHCD_QUIRK_PERFORM_LINK_STARTUP_ONCE for Intel ADL Link startup becomes unreliable for Intel Alder Lake based host controllers when a 2nd DME_LINKSTARTUP is issued unnecessarily. Employ UFSHCD_QUIRK_PERFORM_LINK_STARTUP_ONCE to suppress that from happening. Fixes: 7dc9fb47bc9a ("scsi: ufs: ufs-pci: Add support for Intel ADL") Cc: stable@vger.kernel.org Signed-off-by: Adrian Hunter Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20251024085918.31825-4-adrian.hunter@intel.com Signed-off-by: Martin K. Petersen commit d34caa89a132cd69efc48361d4772251546fdb88 Author: Adrian Hunter Date: Fri Oct 24 11:59:16 2025 +0300 scsi: ufs: core: Add a quirk to suppress link_startup_again ufshcd_link_startup() has a facility (link_startup_again) to issue DME_LINKSTARTUP a 2nd time even though the 1st time was successful. Some older hardware benefits from that, however the behaviour is non-standard, and has been found to cause link startup to be unreliable for some Intel Alder Lake based host controllers. Add UFSHCD_QUIRK_PERFORM_LINK_STARTUP_ONCE to suppress link_startup_again, in preparation for setting the quirk for affected controllers. Fixes: 7dc9fb47bc9a ("scsi: ufs: ufs-pci: Add support for Intel ADL") Cc: stable@vger.kernel.org Signed-off-by: Adrian Hunter Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20251024085918.31825-3-adrian.hunter@intel.com Signed-off-by: Martin K. Petersen commit bb44826c3bdbf1fa3957008a04908f45e5666463 Author: Adrian Hunter Date: Fri Oct 24 11:59:15 2025 +0300 scsi: ufs: ufs-pci: Fix S0ix/S3 for Intel controllers Intel platforms with UFS, can support Suspend-to-Idle (S0ix) and Suspend-to-RAM (S3). For S0ix the link state should be HIBERNATE. For S3, state is lost, so the link state must be OFF. Driver policy, expressed by spm_lvl, can be 3 (link HIBERNATE, device SLEEP) for S0ix but must be changed to 5 (link OFF, device POWEROFF) for S3. Fix support for S0ix/S3 by switching spm_lvl as needed. During suspend ->prepare(), if the suspend target state is not Suspend-to-Idle, ensure the spm_lvl is at least 5 to ensure that resume will be possible from deep sleep states. During suspend ->complete(), restore the spm_lvl to its original value that is suitable for S0ix. This fix is first needed in Intel Alder Lake based controllers. Fixes: 7dc9fb47bc9a ("scsi: ufs: ufs-pci: Add support for Intel ADL") Cc: stable@vger.kernel.org Signed-off-by: Adrian Hunter Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20251024085918.31825-2-adrian.hunter@intel.com Signed-off-by: Martin K. Petersen commit f838d624fd1183e07db86f3138bcd05fd7630a1e Author: Bart Van Assche Date: Tue Oct 28 15:24:24 2025 -0700 scsi: ufs: core: Revert "Make HID attributes visible" Patch "Make HID attributes visible" is needed for older kernel versions (e.g. 6.12) where ufs_get_device_desc() is called from ufshcd_probe_hba(). In these older kernel versions ufshcd_get_device_desc() may be called after the sysfs attributes have been added. In the upstream kernel however ufshcd_get_device_desc() is called before ufs_sysfs_add_nodes(). See also the ufshcd_device_params_init() call from ufshcd_init(). Hence, calling sysfs_update_group() is not necessary. See also commit 69f5eb78d4b0 ("scsi: ufs: core: Move the ufshcd_device_init(hba, true) call") in kernel v6.13. This patch fixes the following kernel warning: sysfs: cannot create duplicate filename '/devices/platform/3c2d0000.ufs/hid' Workqueue: async async_run_entry_fn Call trace: dump_backtrace+0xfc/0x17c show_stack+0x18/0x28 dump_stack_lvl+0x40/0x104 dump_stack+0x18/0x3c sysfs_warn_dup+0x6c/0xc8 internal_create_group+0x1c8/0x504 sysfs_create_groups+0x38/0x9c ufs_sysfs_add_nodes+0x20/0x58 ufshcd_init+0x1114/0x134c ufshcd_pltfrm_init+0x728/0x7d8 ufs_google_probe+0x30/0x84 platform_probe+0xa0/0xe0 really_probe+0x114/0x454 __driver_probe_device+0xa4/0x160 driver_probe_device+0x44/0x23c __device_attach_driver+0x15c/0x1f4 bus_for_each_drv+0x10c/0x168 __device_attach_async_helper+0x80/0xf8 async_run_entry_fn+0x4c/0x17c process_one_work+0x26c/0x65c worker_thread+0x33c/0x498 kthread+0x110/0x134 ret_from_fork+0x10/0x20 ufshcd 3c2d0000.ufs: ufs_sysfs_add_nodes: sysfs groups creation failed (err = -17) Cc: Daniel Lee Cc: Peter Wang Cc: Bjorn Andersson Cc: Neil Armstrong Fixes: bb7663dec67b ("scsi: ufs: sysfs: Make HID attributes visible") Signed-off-by: Bart Van Assche Fixes: bb7663dec67b ("scsi: ufs: sysfs: Make HID attributes visible") Acked-by: Neil Armstrong Reviewed-by: Peter Wang Reviewed-by: Bjorn Andersson Link: https://patch.msgid.link/20251028222433.1108299-1-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 769b8b2ffded4cd880669edd83e2952efeeb27f7 Author: Sai Krishna Potthuri Date: Tue Oct 21 17:00:03 2025 +0530 scsi: ufs: amd-versal2: Add UFS support for AMD Versal Gen 2 SoC Add support for the UFS host controller on the AMD Versal Gen 2 SoC, built on the Synopsys DWC UFS architecture, using the UFSHCD DWC and UFSHCD platform driver. This controller requires specific configurations like M-PHY/RMMI/UniPro and vendor specific registers programming before doing the UIC_LINKSTARTUP. Signed-off-by: Sai Krishna Potthuri Signed-off-by: Ajay Neeli Acked-by: Bart Van Assche Link: https://patch.msgid.link/20251021113003.13650-5-ajay.neeli@amd.com Signed-off-by: Martin K. Petersen commit 0e4d26f79a74bc633846a27a9a20d52217c108dc Author: Ajay Neeli Date: Tue Oct 21 17:00:02 2025 +0530 scsi: firmware: xilinx: Add APIs for UFS PHY initialization - Add APIs for UFS PHY initialization. - Verify M-PHY TX-RX configuration readiness. - Confirm SRAM initialization and Set SRAM bypass. - Retrieve UFS calibration values. Signed-off-by: Ajay Neeli Acked-by: Senthil Nathan Thangaraj Acked-by: Michal Simek Acked-by: Bart Van Assche Link: https://patch.msgid.link/20251021113003.13650-4-ajay.neeli@amd.com Signed-off-by: Martin K. Petersen commit 00b3e8480be7a49203594bd1fdb4fd46f3b69d59 Author: Izhar Ameer Shaikh Date: Tue Oct 21 17:00:01 2025 +0530 scsi: firmware: xilinx: Add support for secure read/write ioctl interface Add support for a generic ioctl read/write interface using which users can request firmware to perform read/write operations on a protected and secure address space. The functionality is introduced through the means of two new IOCTL IDs which extend the existing PM_IOCTL EEMI API: - IOCTL_READ_REG - IOCTL_MASK_WRITE_REG The caller only passes the node id of the given device and an offset. The base address is not exposed to the caller and internally retrieved by the firmware. Firmware will enforce an access policy on the incoming read/write request. Signed-off-by: Izhar Ameer Shaikh Reviewed-by: Tanmay Shah Signed-off-by: Radhey Shyam Pandey Signed-off-by: Ajay Neeli Acked-by: Senthil Nathan Thangaraj Acked-by: Michal Simek Acked-by: Bart Van Assche Link: https://patch.msgid.link/20251021113003.13650-3-ajay.neeli@amd.com Signed-off-by: Martin K. Petersen commit 754c6f539effa8ad332e305e34665849638fa40f Author: Sai Krishna Potthuri Date: Tue Oct 21 17:00:00 2025 +0530 scsi: ufs: dt-bindings: amd-versal2: Add UFS Host Controller for AMD Versal Gen 2 SoC Add devicetree document for UFS Host Controller on AMD Versal Gen 2 SoC. This includes clocks and clock-names as mandated by UFS common bindings. Signed-off-by: Sai Krishna Potthuri Co-developed-by: Ajay Neeli Signed-off-by: Ajay Neeli Reviewed-by: Conor Dooley Acked-by: Bart Van Assche Link: https://patch.msgid.link/20251021113003.13650-2-ajay.neeli@amd.com Signed-off-by: Martin K. Petersen commit e9ff858c9adff26f5d2f77d3575e39fb1470027c Author: Alok Tiwari Date: Tue Oct 21 02:03:52 2025 -0700 scsi: qla4xxx: Use correct variable in memset for clarity Both mbox_cmd and mbox_sts have the same size, so using sizeof(mbox_cmd) when clearing mbox_sts did not cause any functional issue. However, it is misleading and reduces code readability. Update the memset() calls to use sizeof(mbox_sts) to make the intent clear Signed-off-by: Alok Tiwari Link: https://patch.msgid.link/20251021090354.1804327-1-alok.a.tiwari@oracle.com Signed-off-by: Martin K. Petersen commit e414748b7e83673cc777ce33e44d90e5157d687f Author: Bart Van Assche Date: Tue Oct 21 13:17:43 2025 -0700 scsi: aacraid: Improve code readability aac_queuecommand() is a scsi_host_template.queuecommand() implementation. Any value returned by this function other than one of the following values is translated into SCSI_MLQUEUE_HOST_BUSY: * 0 * SCSI_MLQUEUE_HOST_BUSY * SCSI_MLQUEUE_DEVICE_BUSY * SCSI_MLQUEUE_EH_RETRY * SCSI_MLQUEUE_TARGET_BUSY Improve readability of aac_queuecommand() by returning SCSI_MLQUEUE_HOST_BUSY instead of FAILED. Cc: Gilbert Wu Cc: Sagar Biradar Cc: John Garry Signed-off-by: Bart Van Assche Reviewed-by: John Garry Link: https://patch.msgid.link/20251021201743.3539900-1-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit bb798c1f43c0010d792b93dc9cbb9cef7a052f61 Author: John Garry Date: Thu Oct 23 08:54:51 2025 +0000 scsi: advansys: Don't call asc_prt_scsi_host() -> scsi_host_busy() The driver calls asc_prt_scsi_host() -> scsi_host_busy() prior to calling scsi_add_host(). This should not be done, and has raised issues for other drivers, like [0]. Function asc_prt_scsi_host() only has a single callsite, as above, where the shost busy count would always be 0. Avoid printing the shost busy count to avoid this problem. [0] https://lore.kernel.org/linux-scsi/20251014200118.3390839-3-bvanassche@acm.org/ Reported-by: Bart Van Assche Signed-off-by: John Garry Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20251023085451.3933666-1-john.g.garry@oracle.com Signed-off-by: Martin K. Petersen commit dcc98c11364e19df1b4b49d75a04149f99c1b348 Author: John Garry Date: Thu Oct 23 08:27:59 2025 +0000 scsi: core: Minor comment fixes for scsi_host_busy() I guess that the @shost comment on scsi_host_busy() was copied from scsi_host_get() (as it is the same), however they do not do the same thing. Also drop reference to busy counter, which has been removed. Signed-off-by: John Garry Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20251023082759.3927000-1-john.g.garry@oracle.com Signed-off-by: Martin K. Petersen commit bfe5f5dacfbab96a6424c3bb376557bf0d8e4a20 Author: Bart Van Assche Date: Tue Oct 14 13:01:00 2025 -0700 scsi: ufs: core: Simplify ufshcd_mcq_sq_cleanup() using guard() Simplify ufshcd_mcq_sq_cleanup() by using guard(mutex)() instead of explicit mutex_lock() and mutex_unlock() calls. No functionality has been changed. Signed-off-by: Bart Van Assche Reviewed-by: Peter Wang Link: https://patch.msgid.link/20251014200118.3390839-9-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 047f190494a010d402b13f31bf37b2b16bf5720a Author: Bart Van Assche Date: Tue Oct 14 13:00:59 2025 -0700 scsi: ufs: core: Remove a goto label from ufshcd_uic_cmd_compl() Return directly instead of jumping to a return statement. No functionality has been changed. Signed-off-by: Bart Van Assche Reviewed-by: Peter Wang Link: https://patch.msgid.link/20251014200118.3390839-8-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit b30006b5bec1dcba207bc42e7f7cd96a568acc27 Author: Bart Van Assche Date: Tue Oct 14 13:00:58 2025 -0700 scsi: ufs: core: Move the ufshcd_enable_intr() declaration ufshcd_enable_intr() is not exported and hence should not be declared in include/ufs/ufshcd.h. Fixes: 253757797973 ("scsi: ufs: core: Change MCQ interrupt enable flow") Signed-off-by: Bart Van Assche Reviewed-by: Peter Wang Link: https://patch.msgid.link/20251014200118.3390839-7-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit a332735a53d6877f0d4fe28bc9263864da3dd470 Author: Bart Van Assche Date: Tue Oct 14 13:00:57 2025 -0700 scsi: ufs: core: Remove UFS_DEV_COMP Remove the UFS_DEV_COMP constant because it is not used. Signed-off-by: Bart Van Assche Reviewed-by: Peter Wang Link: https://patch.msgid.link/20251014200118.3390839-6-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit b3b0842bcb0696e25b1977238ce2907a4c02d8c4 Author: Bart Van Assche Date: Tue Oct 14 13:00:56 2025 -0700 scsi: ufs: core: Change the type of uic_command::cmd_active Since uic_command::cmd_active is used as a boolean variable, change its type from 'int' into 'bool'. No functionality has been changed. Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251014200118.3390839-5-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 7b2c4224faa7bc6cdaf1fb6106ec7b46c63a28cb Author: Bart Van Assche Date: Tue Oct 14 13:00:55 2025 -0700 scsi: ufs: core: Improve documentation in include/ufs/ufshci.h Make it easier to find the sections in the UFSHCI standard where these constants come from. Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251014200118.3390839-4-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit c0e37ac6a5d4c4bc33b9c4408d22714fe370a1b0 Author: Bart Van Assche Date: Tue Oct 14 13:00:54 2025 -0700 scsi: ufs: core: Reduce link startup failure logging Some systems, e.g. Rock 4D, have a pluggable UFS module. Link startup fails systematically on these systems. If no UFS module has been plugged in, more than fourty lines are logged after the "link startup failed" message. Avoid this by reducing link startup failure logging. An intended side effect of this patch is that scsi_host_busy() is not called before scsi_add_host() is called. Commit 995412e23bb2 ("blk-mq: Replace tags->lock with SRCU for tag iterators") introduced a regression - the warning shown below is triggered during every boot. This patch fixes that regression. Call trace: __srcu_read_lock+0x30/0x80 (P) blk_mq_tagset_busy_iter+0x44/0x300 scsi_host_busy+0x38/0x70 ufshcd_print_host_state+0x34/0x1bc ufshcd_link_startup.constprop.0+0xe4/0x2e0 ufshcd_init+0x944/0xf80 ufshcd_pltfrm_init+0x504/0x820 ufs_rockchip_probe+0x2c/0x88 platform_probe+0x5c/0xa4 really_probe+0xc0/0x38c __driver_probe_device+0x7c/0x150 driver_probe_device+0x40/0x120 __driver_attach+0xc8/0x1e0 bus_for_each_dev+0x7c/0xdc driver_attach+0x24/0x30 bus_add_driver+0x110/0x230 driver_register+0x68/0x130 __platform_driver_register+0x20/0x2c ufs_rockchip_pltform_init+0x1c/0x28 do_one_initcall+0x60/0x1e0 kernel_init_freeable+0x248/0x2c4 kernel_init+0x20/0x140 ret_from_fork+0x10/0x20 Reported-by: Sebastian Reichel Closes: https://lore.kernel.org/linux-block/pnezafputodmqlpumwfbn644ohjybouveehcjhz2hmhtcf2rka@sdhoiivync4y/ Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251014200118.3390839-3-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit c74dc8ab47c1ec3927f63ca83b542c363249b3d8 Author: Bart Van Assche Date: Tue Oct 14 13:00:53 2025 -0700 scsi: ufs: core: Fix a race condition related to the "hid" attribute group ufs_sysfs_add_nodes() is called concurrently with ufs_get_device_desc(). This may cause the following code to be called before ufs_sysfs_add_nodes(): sysfs_update_group(&hba->dev->kobj, &ufs_sysfs_hid_group); If this happens, ufs_sysfs_add_nodes() triggers a kernel warning and fails. Fix this by calling ufs_sysfs_add_nodes() before SCSI LUNs are scanned since the sysfs_update_group() call happens from the context of thread that executes ufshcd_async_scan(). This patch fixes the following kernel warning: sysfs: cannot create duplicate filename '/devices/platform/3c2d0000.ufs/hid' Workqueue: async async_run_entry_fn Call trace: dump_backtrace+0xfc/0x17c show_stack+0x18/0x28 dump_stack_lvl+0x40/0x104 dump_stack+0x18/0x3c sysfs_warn_dup+0x6c/0xc8 internal_create_group+0x1c8/0x504 sysfs_create_groups+0x38/0x9c ufs_sysfs_add_nodes+0x20/0x58 ufshcd_init+0x1114/0x134c ufshcd_pltfrm_init+0x728/0x7d8 ufs_google_probe+0x30/0x84 platform_probe+0xa0/0xe0 really_probe+0x114/0x454 __driver_probe_device+0xa4/0x160 driver_probe_device+0x44/0x23c __device_attach_driver+0x15c/0x1f4 bus_for_each_drv+0x10c/0x168 __device_attach_async_helper+0x80/0xf8 async_run_entry_fn+0x4c/0x17c process_one_work+0x26c/0x65c worker_thread+0x33c/0x498 kthread+0x110/0x134 ret_from_fork+0x10/0x20 ufshcd 3c2d0000.ufs: ufs_sysfs_add_nodes: sysfs groups creation failed (err = -17) Cc: Daniel Lee Fixes: bb7663dec67b ("scsi: ufs: sysfs: Make HID attributes visible") Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251014200118.3390839-2-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 5127be409c6c3815c4a7d8f6d88043e44f9b9543 Author: Nitin Rawat Date: Sun Oct 12 23:08:28 2025 +0530 scsi: ufs: ufs-qcom: Fix UFS OCP issue during UFS power down (PC=3) According to UFS specifications, the power-off sequence for a UFS device includes: - Sending an SSU command with Power_Condition=3 and await a response. - Asserting RST_N low. - Turning off REF_CLK. - Turning off VCC. - Turning off VCCQ/VCCQ2. As part of ufs shutdown, after the SSU command completion, asserting hardware reset (HWRST) triggers the device firmware to wake up and execute its reset routine. This routine initializes hardware blocks and takes a few milliseconds to complete. During this time, the ICCQ draws a large current. This large ICCQ current may cause issues for the regulator which is supplying power to UFS, because the turn off request from UFS driver to the regulator framework will be immediately followed by low power mode(LPM) request by regulator framework. This is done by framework because UFS which is the only client is requesting for disable. So if the rail is still in the process of shutting down while ICCQ exceeds LPM current thresholds, and LPM mode is activated in hardware during this state, it may trigger an overcurrent protection (OCP) fault in the regulator. To prevent this, a 10ms delay is added after asserting HWRST. This allows the reset operation to complete while power rails remain active and in high-power mode. Currently there is no way for Host to query whether the reset is completed or not and hence this the delay is based on experiments with Qualcomm UFS controllers across multiple UFS vendors. Signed-off-by: Nitin Rawat Reviewed-by: Manivannan Sadhasivam Link: https://patch.msgid.link/20251012173828.9880-1-nitin.rawat@oss.qualcomm.com Signed-off-by: Martin K. Petersen commit ea0e278a5c5500be1fdfc1be68c63de4c31513fc Author: Magnus Lindholm Date: Thu Oct 2 07:25:24 2025 +0200 scsi: qla1280: Fix compiler warnings (DEBUG mode) Building the qla1280 driver with DEBUG_QLA1280 set will emit compiler warnings. Fix some print formatting strings to reflect the correct type of printed variables as well as remove unused code. (static function ql1280_dump_device) in order to avoid compiler warnings. [mkp: fixed a few more checkpatch warnings] Signed-off-by: Magnus Lindholm Link: https://patch.msgid.link/20251002052604.24590-1-linmag7@gmail.com Signed-off-by: Martin K. Petersen commit 9ce37e94c30090d26df26b1bbb2fa9c51ede7651 Author: Naomi Chu Date: Wed Sep 24 17:43:30 2025 +0800 scsi: ufs: host: mediatek: Support new features for MT6991 Add support for the MT6991 platform by enabling MRTT settings and random performance improvements. These enhancements aim to optimize performance and efficiency on the MT6991 hardware. Enable multi-Round Trip Time (MRTT) for improved data handling. Enable random performance improvement features to boost overall system responsiveness. Signed-off-by: Naomi Chu Reviewed-by: Peter Wang Acked-by: Chun-Hung Wu Signed-off-by: Peter Wang Link: https://patch.msgid.link/20250924094527.2992256-9-peter.wang@mediatek.com Signed-off-by: Martin K. Petersen commit 4fb4c835a92b6dfa3a461102ba0943b416ae7e55 Author: Peter Wang Date: Wed Sep 24 17:43:29 2025 +0800 scsi: ufs: host: mediatek: Add support for new platform with MMIO_OTSD_CTR Introduce support for a new UFS Mediatek platform by adding the REG_UFS_UFS_MMIO_OTSD_CTRL register. This update includes checks for legacy platforms and uses the new register to replace debug selection and handle specific operations. The changes ensure compatibility across different hardware versions and prevent potential issues with debug usage on newer platforms. Additional updates include error logging improvements during link setup for newer and legacy platforms, ensuring proper event logging and debugging. Signed-off-by: Peter Wang Acked-by: Chun-Hung Wu Link: https://patch.msgid.link/20250924094527.2992256-8-peter.wang@mediatek.com Signed-off-by: Martin K. Petersen commit 9b2b03b36168bcda298546b121d6ecc530d01d25 Author: Peter Wang Date: Wed Sep 24 17:43:28 2025 +0800 scsi: ufs: host: mediatek: Remove duplicate function Remove the duplicate ufs_mtk_us_to_ahit() function in the UFS Mediatek driver and export the existing ufshcd_us_to_ahit() function for shared use. This change reduces redundancy and maintains consistency across the codebase. Signed-off-by: Peter Wang Reviewed-by: Bart Van Assche Acked-by: Chun-Hung Wu Link: https://patch.msgid.link/20250924094527.2992256-7-peter.wang@mediatek.com Signed-off-by: Martin K. Petersen commit 014de20bb36ba03e0e0b0a7e0a1406ab900c9fda Author: Peter Wang Date: Wed Sep 24 17:43:27 2025 +0800 scsi: ufs: host: mediatek: Fix shutdown/suspend race condition Address a race condition between shutdown and suspend operations in the UFS Mediatek driver. Before entering suspend, check if a shutdown is in progress to prevent conflicts and ensure system stability. Signed-off-by: Peter Wang Acked-by: Chun-Hung Wu Link: https://patch.msgid.link/20250924094527.2992256-6-peter.wang@mediatek.com Signed-off-by: Martin K. Petersen commit 1fd05367d5b1a5edd3d14c966a5f510e5b8a0c5e Author: Peter Wang Date: Wed Sep 24 17:43:26 2025 +0800 scsi: ufs: host: mediatek: Adjust sync length for FASTAUTO mode Set the sync length for FASTAUTO G1 mode in the UFS Mediatek driver. This ensures the sync length meets minimum values for high-speed gears, improving stability during power mode changes. Signed-off-by: Peter Wang Reviewed-by: Bart Van Assche Acked-by: Chun-Hung Wu Link: https://patch.msgid.link/20250924094527.2992256-5-peter.wang@mediatek.com Signed-off-by: Martin K. Petersen commit 16b42c4281ae536a6ceda97303d9820ac5741293 Author: Peter Wang Date: Wed Sep 24 17:43:25 2025 +0800 scsi: ufs: host: mediatek: Handle clock scaling for high gear in PM flow Add clock scaling down for power management flow in the UFS Mediatek driver. If clock scaling is disabled and fixed in high gear, ensure the clock scales down during suspend and scales up again after resume to support high gear. This adjustment maintains proper power management. Signed-off-by: Peter Wang Acked-by: Chun-Hung Wu Link: https://patch.msgid.link/20250924094527.2992256-4-peter.wang@mediatek.com Signed-off-by: Martin K. Petersen commit 55ce691dc75a356e4b7c552505ce0a427c72f3af Author: Peter Wang Date: Wed Sep 24 17:43:24 2025 +0800 scsi: ufs: host: mediatek: Adjust clock scaling for PM flow Adjust clock scaling during suspend and resume in the UFS Mediatek driver. Ensure that the clock scales down during suspend if it was scaled up, and scales up again after resume. This adjustment maintains proper power management. Signed-off-by: Peter Wang Acked-by: Chun-Hung Wu Link: https://patch.msgid.link/20250924094527.2992256-3-peter.wang@mediatek.com Signed-off-by: Martin K. Petersen commit 7162536410768ec6b219524c36d3a871ff97adf8 Author: Peter Wang Date: Wed Sep 24 17:43:23 2025 +0800 scsi: ufs: host: mediatek: Correct clock scaling with PM QoS flow Correct clock scaling with PM QoS during suspend and resume. Ensure PM QoS is released during suspend if scaling up and re-applied after resume. This prevents performance issues and maintains proper power management. Signed-off-by: Peter Wang Reviewed-by: Bart Van Assche Acked-by: Chun-Hung Wu Link: https://patch.msgid.link/20250924094527.2992256-2-peter.wang@mediatek.com Signed-off-by: Martin K. Petersen commit 4760b639b43c107c8bfccd658478bbb3152fa56f Author: Bao D. Nguyen Date: Mon Oct 13 12:38:16 2025 -0700 scsi: ufs: core: Replace hard coded vcc-off delay with a variable After the UFS device VCC is powered off, all the UFS device manufacturers require a minimum of 1ms of power-off time before VCC can be powered on again. This requirement has been verified with all the UFS device manufacturer's datasheets. Replace the hard coded 5ms delay with a variable with a default setting of 2ms to improve the system resume latency. The platform drivers can override this setting as needed. Signed-off-by: Bao D. Nguyen Reviewed-by: Bart Van Assche Reviewed-by: Peter Wang Link: https://patch.msgid.link/72fa649406a0bf02271575b7d58f22c968aa5d7e.1760383740.git.quic_nguyenb@quicinc.com Signed-off-by: Martin K. Petersen commit f8e82ae65eaf347fb8924a1d9c544da7bcb9f798 Author: Bao D. Nguyen Date: Mon Oct 13 12:38:15 2025 -0700 scsi: ufs: core: Remove UFS_DEVICE_QUIRK_DELAY_AFTER_LPM quirk After the UFS device VCC is turned off, all the UFS device manufacturers require a period of power-off time before the VCC can be turned on again. This requirement has been confirmed with all the UFS device manufacturer's datasheets. Remove the UFS_DEVICE_QUIRK_DELAY_AFTER_LPM quirk in the UFS core driver and implement a universal delay that is required by all the UFS device manufacturers. In addition, remove the support for this quirk in the platform drivers. Signed-off-by: Bao D. Nguyen Reviewed-by: Peter Wang Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/25f134d5a42e8b8365be64d512d1bb5fc2bce6ff.1760383740.git.quic_nguyenb@quicinc.com Signed-off-by: Martin K. Petersen commit 8627f322cb7b6f1f9f7a78bd9c79b82534fbc9c9 Author: Peter Wang Date: Thu Oct 16 10:32:32 2025 +0800 scsi: ufs: core: Support dumping CQ entry in MCQ Mode Enhance the ufshcd_print_tr() function to support dumping completion queue (CQ) entries in MCQ mode when an error occurs. This addition provides more detailed debugging information by including the CQ entry data in the error logs, aiding in the diagnosis of issues in MCQ mode. Signed-off-by: Peter Wang Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20251016023507.1000664-3-peter.wang@mediatek.com Signed-off-by: Martin K. Petersen commit bfe0d22f12559f44bf27ae88b9c4a9f8fdae65d0 Author: Peter Wang Date: Thu Oct 16 10:32:31 2025 +0800 scsi: ufs: core: Update CQ Entry to UFS 4.1 format Update the completion queue (CQ) entry format according to the UFS 4.1 specification. UFS 4.1 introduces new members in reserved record DW5. Also refine DW4 with detailed members defined in UFS 4.0. Modify the code to incorporate these changes by updating the overall_status in the CQ entry structure. Signed-off-by: Peter Wang Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20251016023507.1000664-2-peter.wang@mediatek.com Signed-off-by: Martin K. Petersen commit ce085ecdba23a5d5462877d884ecff3ffceaad22 Author: Bart Van Assche Date: Tue Oct 14 15:04:25 2025 -0700 scsi: core: Do not declare scsi_cmnd pointers const This change allows removing multiple casts and hence improves type checking by the compiler. Cc: Hannes Reinecke Suggested-by: John Garry Signed-off-by: Bart Van Assche Reviewed-by: John Garry Link: https://patch.msgid.link/20251014220426.3690007-1-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit d54c676d4fe0543d1642ab7a68ffdd31e8639a5d Author: Bart Van Assche Date: Tue Oct 14 15:02:43 2025 -0700 scsi: core: Fix the unit attention counter implementation scsi_decide_disposition() may call scsi_check_sense(). scsi_decide_disposition() calls are not serialized. Hence, counter updates by scsi_check_sense() must be serialized. Hence this patch that makes the counters updated by scsi_check_sense() atomic. Cc: Kai Mäkisara Fixes: a5d518cd4e3e ("scsi: core: Add counters for New Media and Power On/Reset UNIT ATTENTIONs") Signed-off-by: Bart Van Assche Reviewed-by: Ewan D. Milne Link: https://patch.msgid.link/20251014220244.3689508-1-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 35bc3c8ee319083333b758355ffd739a96af5c00 Author: Wonkon Kim Date: Mon Oct 20 15:15:39 2025 +0900 scsi: ufs: core: Declare tx_lanes witout initialization A value of an attribute will be initialized at ufshcd_dme_get_attr(). There is no need to initialize a tx_lanes. Signed-off-by: Wonkon Kim Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20251020061539.28661-3-wkon.kim@samsung.com Signed-off-by: Martin K. Petersen commit 6fe4c679dde3075cb481beb3945269bb2ef8b19a Author: Wonkon Kim Date: Mon Oct 20 15:15:38 2025 +0900 scsi: ufs: core: Initialize value of an attribute returned by uic cmd If ufshcd_send_cmd() fails, *mib_val may have a garbage value. It can get an unintended value of an attribute. Make ufshcd_dme_get_attr() always initialize *mib_val. Fixes: 12b4fdb4f6bc ("[SCSI] ufs: add dme configuration primitives") Signed-off-by: Wonkon Kim Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20251020061539.28661-2-wkon.kim@samsung.com Signed-off-by: Martin K. Petersen commit e23ef4f22db30a1e49c8b060e4ebc9dc9ca99c49 Author: Peter Wang Date: Wed Oct 8 14:55:43 2025 +0800 scsi: ufs: core: Fix error handler host_sem issue Fix the issue where host_sem is not released due to a new return path in commit f966e02ae521 ("scsi: ufs: core: Fix runtime suspend error deadlock"). Check pm_op_in_progress before acquiring hba->host_sem to prevent deadlocks and ensure proper resource management during error handling. Add comment for use ufshcd_rpm_get_noresume() to safely perform link recovery without interfering with ongoing PM operations. Fixes: f966e02ae521 ("scsi: ufs: core: Fix runtime suspend error deadlock") Reported-by: Dan Carpenter Signed-off-by: Peter Wang Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20251008065651.1589614-2-peter.wang@mediatek.com Signed-off-by: Martin K. Petersen commit 3d0d1c7a5c9981ca35e2976337c0b6c9e644d269 Author: Qiang Liu Date: Fri Oct 17 15:55:03 2025 +0800 scsi: fnic: Self-assignment of intr_time_type has no effect Remove the self-assignment statement of the intr_time_type variable. Signed-off-by: Qiang Liu Reviewed-by: Karan Tilak Kumar Link: https://patch.msgid.link/20251017075504.143491-1-liuqiangneo@163.com Signed-off-by: Martin K. Petersen commit 79a2287c1df4896d4f930a24c0dc77571959d3b3 Author: André Draszik Date: Tue Oct 7 16:56:28 2025 +0100 scsi: ufs: dt-bindings: exynos: Add power-domains The UFS controller can be part of a power domain, so we need to allow the relevant property 'power-domains'. Signed-off-by: André Draszik Reviewed-by: Peter Griffin Reviewed-by: Krzysztof Kozlowski Reviewed-by: Alim Akhtar Link: https://patch.msgid.link/20251007-power-domains-scsi-ufs-dt-bindings-exynos-v1-1-1acfa81a887a@linaro.org Signed-off-by: Martin K. Petersen commit 05e66c18e3fd27b4b017ff02e4a7a908274ff755 Author: Bhanu Seshu Kumar Valluri Date: Tue Oct 7 12:23:45 2025 +0530 scsi: smartpqi: Prefer kmalloc_array() over kmalloc() As a best practice use kmalloc_array() to safely calculate dynamic object sizes without overflow. [mkp: line exceeding 100 chars, added newline] Acked-by: Don Brace Signed-off-by: Bhanu Seshu Kumar Valluri Link: https://patch.msgid.link/20251007065345.8853-1-bhanuseshukumar@gmail.com Signed-off-by: Martin K. Petersen commit 81cb6c228ff877ca0046a432ea831788590633ff Author: Gustavo A. R. Silva Date: Fri Sep 19 13:56:29 2025 +0200 scsi: megaraid_sas: Avoid a couple -Wflex-array-member-not-at-end warnings -Wflex-array-member-not-at-end was introduced in GCC-14, and we are getting ready to enable it, globally. Use the new TRAILING_OVERLAP() helper to fix the following warnings: drivers/scsi/megaraid/megaraid_sas_fusion.h:1153:31: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end] drivers/scsi/megaraid/megaraid_sas_fusion.h:1198:32: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end] This helper creates a union between a flexible-array member (FAM) and a set of MEMBERS that would otherwise follow it --in this case 'struct MR_LD_SPAN_MAP ldSpanMap[MAX_LOGICAL_DRIVES_DYN]' and 'struct MR_LD_SPAN_MAP ldSpanMap[MAX_LOGICAL_DRIVES]' in the corresponding structures. This overlays the trailing members onto the FAM (struct MR_LD_SPAN_MAP ldSpanMap[];) while keeping the FAM and the start of MEMBERS aligned. The static_assert() ensures this alignment remains, and it's intentionally placed inmediately after the corresponding structures --no blank line in between. Signed-off-by: Gustavo A. R. Silva Link: https://patch.msgid.link/aM1E7Xa8qYdZ598N@kspp Signed-off-by: Martin K. Petersen commit 11956e4b912167459ffc51d66f56341a97a94323 Author: Gustavo A. R. Silva Date: Fri Sep 19 13:24:30 2025 +0200 scsi: isci: Avoid -Wflex-array-member-not-at-end warning -Wflex-array-member-not-at-end was introduced in GCC-14, and we are getting ready to enable it, globally. Move the conflicting declaration (which happens to be in a union, so we're moving the entire union) to the end of the corresponding structure. Notice that `struct ssp_response_iu` is a flexible structure, this is a structure that contains a flexible-array member. With these changes fix the following warning: drivers/scsi/isci/task.h:92:11: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end] Signed-off-by: Gustavo A. R. Silva Link: https://patch.msgid.link/aM09bpl1xj9KZSZl@kspp Signed-off-by: Martin K. Petersen commit a0b7780602b1b196f47e527fec82166a7e67c4d0 Author: Bart Van Assche Date: Tue Oct 7 14:48:00 2025 -0700 scsi: core: Fix a regression triggered by scsi_host_busy() Commit 995412e23bb2 ("blk-mq: Replace tags->lock with SRCU for tag iterators") introduced the following regression: Call trace: __srcu_read_lock+0x30/0x80 (P) blk_mq_tagset_busy_iter+0x44/0x300 scsi_host_busy+0x38/0x70 ufshcd_print_host_state+0x34/0x1bc ufshcd_link_startup.constprop.0+0xe4/0x2e0 ufshcd_init+0x944/0xf80 ufshcd_pltfrm_init+0x504/0x820 ufs_rockchip_probe+0x2c/0x88 platform_probe+0x5c/0xa4 really_probe+0xc0/0x38c __driver_probe_device+0x7c/0x150 driver_probe_device+0x40/0x120 __driver_attach+0xc8/0x1e0 bus_for_each_dev+0x7c/0xdc driver_attach+0x24/0x30 bus_add_driver+0x110/0x230 driver_register+0x68/0x130 __platform_driver_register+0x20/0x2c ufs_rockchip_pltform_init+0x1c/0x28 do_one_initcall+0x60/0x1e0 kernel_init_freeable+0x248/0x2c4 kernel_init+0x20/0x140 ret_from_fork+0x10/0x20 Fix this regression by making scsi_host_busy() check whether the SCSI host tag set has already been initialized. tag_set->ops is set by scsi_mq_setup_tags() just before blk_mq_alloc_tag_set() is called. This fix is based on the assumption that scsi_host_busy() and scsi_mq_setup_tags() calls are serialized. This is the case in the UFS driver. Reported-by: Sebastian Reichel Closes: https://lore.kernel.org/linux-block/pnezafputodmqlpumwfbn644ohjybouveehcjhz2hmhtcf2rka@sdhoiivync4y/ Cc: Ming Lei Cc: Jens Axboe Signed-off-by: Bart Van Assche Reviewed-by: Ming Lei Tested-by: Sebastian Reichel Link: https://patch.msgid.link/20251007214800.1678255-1-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 211ddde0823f1442e4ad052a2f30f050145ccada Author: Linus Torvalds Date: Sun Oct 19 15:19:16 2025 -1000 Linux 6.18-rc2 commit dbfdaeb381a49a7bc753d18e2876bc56a15e01cc Author: Stuart Yoder Date: Sat Oct 18 14:25:18 2025 +0300 tpm_crb: Add idle support for the Arm FF-A start method According to the CRB over FF-A specification [1], a TPM that implements the ABI must comply with the TCG PTP specification. This requires support for the Idle and Ready states. This patch implements CRB control area requests for goIdle and cmdReady on FF-A based TPMs. The FF-A message used to notify the TPM of CRB updates includes a locality parameter, which provides a hint to the TPM about which locality modified the CRB. This patch adds a locality parameter to __crb_go_idle() and __crb_cmd_ready() to support this. [1] https://developer.arm.com/documentation/den0138/latest/ Signed-off-by: Stuart Yoder Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen commit a1e83d4c0361f4b0e3b7ef8b603bf5e5ef60af86 Author: Brahmajit Das Date: Fri Oct 17 22:45:51 2025 +0530 selftests/bpf: Fix redefinition of 'off' as different kind of symbol This fixes the following build error CLNG-BPF [test_progs] verifier_global_ptr_args.bpf.o progs/verifier_global_ptr_args.c:228:5: error: redefinition of 'off' as different kind of symbol 228 | u32 off; | ^ The symbol 'off' was previously defined in tools/testing/selftests/bpf/tools/include/vmlinux.h, which includes an enum i40e_ptp_gpio_pin_state from drivers/net/ethernet/intel/i40e/i40e_ptp.c: enum i40e_ptp_gpio_pin_state { end = -2, invalid = -1, off = 0, in_A = 1, in_B = 2, out_A = 3, out_B = 4, }; This enum is included when CONFIG_I40E is enabled. As of commit 032676ff8217 ("LoongArch: Update Loongson-3 default config file"), CONFIG_I40E is set in the defconfig, which leads to the conflict. Renaming the local variable avoids the redefinition and allows the build to succeed. Suggested-by: Yonghong Song Signed-off-by: Brahmajit Das Acked-by: Yonghong Song Link: https://lore.kernel.org/r/20251017171551.53142-1-listout@listout.xyz Signed-off-by: Alexei Starovoitov commit 7c33e97a6ef5d84e98b892c3e00c6d1678d20395 Author: Sahil Chandna Date: Wed Oct 15 00:26:35 2025 +0530 bpf: Do not disable preemption in bpf_test_run(). The timer mode is initialized to NO_PREEMPT mode by default, this disables preemption and force execution in atomic context causing issue on PREEMPT_RT configurations when invoking spin_lock_bh(), leading to the following warning: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 6107, name: syz.0.17 preempt_count: 1, expected: 0 RCU nest depth: 1, expected: 1 Preemption disabled at: [] bpf_test_timer_enter+0xf8/0x140 net/bpf/test_run.c:42 Fix this, by removing NO_PREEMPT/NO_MIGRATE mode check. Also, the test timer context no longer needs explicit calls to migrate_disable()/migrate_enable() with rcu_read_lock()/rcu_read_unlock(). Use helpers rcu_read_lock_dont_migrate() and rcu_read_unlock_migrate() instead. Reported-by: syzbot+1f1fbecb9413cdbfbef8@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=1f1fbecb9413cdbfbef8 Suggested-by: Yonghong Song Suggested-by: Menglong Dong Acked-by: Yonghong Song Tested-by: syzbot+1f1fbecb9413cdbfbef8@syzkaller.appspotmail.com Co-developed-by: Brahmajit Das Signed-off-by: Brahmajit Das Signed-off-by: Sahil Chandna Link: https://lore.kernel.org/r/20251014185635.10300-1-chandna.sahil@gmail.com Signed-off-by: Alexei Starovoitov commit ea0d55ae4b3207c33691a73da3443b1fd379f1d2 Author: Ada Couprie Diaz Date: Tue Oct 14 10:25:36 2025 +0100 arm64: debug: always unmask interrupts in el0_softstp() We intend that EL0 exception handlers unmask all DAIF exceptions before calling exit_to_user_mode(). When completing single-step of a suspended breakpoint, we do not call local_daif_restore(DAIF_PROCCTX) before calling exit_to_user_mode(), leaving all DAIF exceptions masked. When pseudo-NMIs are not in use this is benign. When pseudo-NMIs are in use, this is unsound. At this point interrupts are masked by both DAIF.IF and PMR_EL1, and subsequent irq flag manipulation may not work correctly. For example, a subsequent local_irq_enable() within exit_to_user_mode_loop() will only unmask interrupts via PMR_EL1 (leaving those masked via DAIF.IF), and anything depending on interrupts being unmasked (e.g. delivery of signals) will not work correctly. This was detected by CONFIG_ARM64_DEBUG_PRIORITY_MASKING. Move the call to `try_step_suspended_breakpoints()` outside of the check so that interrupts can be unmasked even if we don't call the step handler. Fixes: 0ac7584c08ce ("arm64: debug: split single stepping exception entry") Cc: # 6.17 Signed-off-by: Ada Couprie Diaz Acked-by: Mark Rutland [catalin.marinas@arm.com: added Mark's rewritten commit log and some whitespace] Signed-off-by: Catalin Marinas commit e9ad390a4812fd60c1da46823f7a6f84f2411f0c Author: Lorenzo Pieralisi Date: Tue Oct 7 12:26:00 2025 +0200 arm64/sysreg: Fix GIC CDEOI instruction encoding The GIC CDEOI system instruction requires the Rt field to be set to 0b11111 otherwise the instruction behaviour becomes CONSTRAINED UNPREDICTABLE. Currenly, its usage is encoded as a system register write, with a constant 0 value: write_sysreg_s(0, GICV5_OP_GIC_CDEOI) While compiling with GCC, the 0 constant value, through these asm constraints and modifiers ('x' modifier and 'Z' constraint combo): asm volatile(__msr_s(r, "%x0") : : "rZ" (__val)); forces the compiler to issue the XZR register for the MSR operation (ie that corresponds to Rt == 0b11111) issuing the right instruction encoding. Unfortunately LLVM does not yet understand that modifier/constraint combo so it ends up issuing a different register from XZR for the MSR source, which in turns means that it encodes the GIC CDEOI instruction wrongly and the instruction behaviour becomes CONSTRAINED UNPREDICTABLE that we must prevent. Add a conditional to write_sysreg_s() macro that detects whether it is passed a constant 0 value and issues an MSR write with XZR as source register - explicitly doing what the asm modifier/constraint is meant to achieve through constraints/modifiers, fixing the LLVM compilation issue. Fixes: 7ec80fb3f025 ("irqchip/gic-v5: Add GICv5 PPI support") Suggested-by: Catalin Marinas Signed-off-by: Lorenzo Pieralisi Acked-by: Marc Zyngier Cc: stable@vger.kernel.org Cc: Sascha Bischoff Cc: Will Deacon Cc: Mark Rutland Cc: Marc Zyngier Reviewed-by: Catalin Marinas Signed-off-by: Catalin Marinas commit 2a786348004b34c5f61235d51c40c1c718b1f8f9 Author: Dawn Gardner Date: Thu Oct 16 15:42:06 2025 -0300 ALSA: hda/realtek: Fix mute led for HP Omen 17-cb0xxx This laptop uses the ALC285 codec, fixed by enabling the ALC285_FIXUP_HP_MUTE_LED quirk Signed-off-by: Dawn Gardner Link: https://patch.msgid.link/20251016184218.31508-3-dawn.auroali@gmail.com Signed-off-by: Takashi Iwai commit a78835b86a4414230e4cf9a9f16d22302cdb8388 Author: Mario Limonciello (AMD) Date: Mon Oct 13 17:08:26 2025 -0500 PCI/VGA: Select SCREEN_INFO on X86 commit 337bf13aa9dda ("PCI/VGA: Replace vga_is_firmware_default() with a screen info check") introduced an implicit dependency upon SCREEN_INFO by removing the open coded implementation. If a user didn't have CONFIG_SCREEN_INFO set, vga_is_firmware_default() would now return false. SCREEN_INFO is only used on X86 so add a conditional select for SCREEN_INFO to ensure that the VGA arbiter works as intended. Fixes: 337bf13aa9dda ("PCI/VGA: Replace vga_is_firmware_default() with a screen info check") Reported-by: Eric Biggers Closes: https://lore.kernel.org/linux-pci/20251012182302.GA3412@sol/ Suggested-by: Thomas Zimmermann Signed-off-by: Mario Limonciello (AMD) Signed-off-by: Bjorn Helgaas Reviewed-by: Thomas Zimmermann Reviewed-by: Ilpo Järvinen Tested-by: Eric Biggers Link: https://patch.msgid.link/20251013220829.1536292-1-superm1@kernel.org commit e433110eb5bf067f74d3d15c5fb252206c66ae0b Author: Inochi Amaoto Date: Tue Oct 14 09:46:07 2025 +0800 PCI: vmd: Override irq_startup()/irq_shutdown() in vmd_init_dev_msi_info() Since commit 54f45a30c0d0 ("PCI/MSI: Add startup/shutdown for per device domains") set callback irq_startup() and irq_shutdown() of the struct pci_msi[x]_template, __irq_startup() will always invokes irq_startup() callback instead of irq_enable() callback overridden in vmd_init_dev_msi_info(). This will not start the IRQ correctly. Also override irq_startup()/irq_shutdown() in vmd_init_dev_msi_info(), so the irq_startup() can invoke the real logic. Fixes: 54f45a30c0d0 ("PCI/MSI: Add startup/shutdown for per device domains") Reported-by: Kenneth Crudup Closes: https://lore.kernel.org/r/8a923590-5b3a-406f-a324-7bd1cf894d8f@panix.com/ Reported-by: Genes Lists Closes: https://lore.kernel.org/r/4b392af8847cc19720ffcd53865f60ab3edc56b3.camel@sapience.com Reported-by: Todd Brandt Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220658 Reported-by: Oliver Hartkopp Closes: https://lore.kernel.org/r/8d6887a5-60bc-423c-8f7a-87b4ab739f6a@hartkopp.net Reported-by: Hervé Signed-off-by: Inochi Amaoto Signed-off-by: Bjorn Helgaas Tested-by: Kenneth R. Crudup Tested-by: Genes Lists Tested-by: Oliver Hartkopp Tested-by: Todd Brandt Tested-by: Hervé Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20251014014607.612586-1-inochiama@gmail.com commit 1f1d3e1d094db732d22b892227bf1e1ac3a8ca04 Author: Miguel Ojeda Date: Fri Oct 17 00:57:54 2025 +0200 rust: bitmap: fix formatting We do our best to keep the repository `rustfmt`-clean, thus run the tool to fix the formatting issue. Link: https://docs.kernel.org/rust/coding-guidelines.html#style-formatting Link: https://rust-for-linux.com/contributing#submit-checklist-addendum Fixes: 0f5878834d6c ("rust: bitmap: clean Rust 1.92.0 `unused_unsafe` warning") Reviewed-by: Burak Emir Signed-off-by: Miguel Ojeda commit 32f072d9eaf9c31c2b0527a4a3370570a731e3cc Author: Miguel Ojeda Date: Fri Oct 10 19:43:51 2025 +0200 rust: cpufreq: fix formatting We do our best to keep the repository `rustfmt`-clean, thus run the tool to fix the formatting issue. Link: https://docs.kernel.org/rust/coding-guidelines.html#style-formatting Link: https://rust-for-linux.com/contributing#submit-checklist-addendum Fixes: f97aef092e19 ("cpufreq: Make drivers using CPUFREQ_ETERNAL specify transition latency") Acked-by: Viresh Kumar Reviewed-by: Benno Lossin Signed-off-by: Miguel Ojeda commit 8a7c601e14576a22c2bbf7f67455ccf3f3d2737f Author: Miguel Ojeda Date: Fri Oct 10 19:43:50 2025 +0200 rust: alloc: employ a trailing comment to keep vertical layout Apply the formatting guidelines introduced in the previous commit to make the file `rustfmt`-clean again. Reviewed-by: Benno Lossin Signed-off-by: Miguel Ojeda commit 4a9cb2eecc78fa9d388481762dd798fa770e1971 Author: Miguel Ojeda Date: Fri Oct 10 19:43:49 2025 +0200 docs: rust: add section on imports formatting `rustfmt`, by default, formats imports in a way that is prone to conflicts while merging and rebasing, since in some cases it condenses several items into the same line. For instance, Linus mentioned [1] that the following case: use crate::{ fmt, page::AsPageIter, }; is compressed by `rustfmt` into: use crate::{fmt, page::AsPageIter}; which is undesirable. Similarly, `rustfmt` may put several items in the same line even if the braces span already multiple lines, e.g.: use kernel::{ acpi, c_str, device::{property, Core}, of, platform, }; The options that control the formatting behavior around imports are generally unstable, and `rustfmt` releases do not allow to use nightly features, unlike the compiler and other Rust tooling [2]. For the moment, we can introduce a workaround to prevent `rustfmt` from compressing the example above -- the "trailing empty comment": use crate::{ fmt, page::AsPageIter, // }; which is reminiscent of the trailing comma behavior in other formatters. We already used empty comments for formatting purposes in the past, e.g. in commit b9b701fce49a ("rust: clarify the language unstable features in use"). In addition, `rustfmt` actually reformats with a vertical layout (i.e. it does not put two items in the same line) when seeing such a comment, i.e. it doesn't just preserve the formatting, which is good in the sense that we can use it to easily reformat some imports, since it matches the style we generally want to have. A Git merge driver would help (suggested by Gary and Wedson), though maintainers would need to set it up, the diffs would still be larger and the formatting rules for imports would remain hard to predict. Thus document the style that we will follow in the coding guidelines by introducing a new section and explain how the trailing empty comment works there too. We discussed the issue with upstream Rust in our usual Rust <-> Rust for Linux meeting [3], and there have also been a few other discussions in parallel in issues [4][5] and Zulip [6]. We will see what happens, but upstream Rust has already created a subteam of `rustfmt` to try to overcome the bandwidth issue [7], which is a good signal, and some organization work has already started (e.g. tracking issues). We will continue our discussions with them about it. Cc: Caleb Cartwright Cc: Yacin Tmimi Cc: Manish Goregaokar Cc: Deadbeef Cc: Cameron Steffen Cc: Jieyou Xu Link: https://lore.kernel.org/all/CAHk-=wgO7S_FZUSBbngG5vtejWOpzDfTTBkVvP3_yjJmFddbzA@mail.gmail.com/ [1] Link: https://github.com/rust-lang/rustfmt/issues/4884 [2] Link: https://hackmd.io/iSCyY3JTTz-g8YM-nnzTTA [3] Link: https://github.com/rust-lang/rustfmt/issues/4991 [4] Link: https://github.com/rust-lang/rustfmt/issues/3361 [5] Link: https://rust-lang.zulipchat.com/#narrow/channel/392734-council/topic/rustfmt.20maintenance/near/543815381 [6] Link: https://github.com/rust-lang/team/pull/2017 [7] Reviewed-by: Benno Lossin Signed-off-by: Miguel Ojeda commit 5a869d017793399fd1d2609ff27e900534173eb3 Author: Wilfred Mallawa Date: Fri Oct 10 17:19:42 2025 +1000 nvme/tcp: handle tls partially sent records in write_space() With TLS enabled, records that are encrypted and appended to TLS TX list can fail to see a retry if the underlying TCP socket is busy, for example, hitting an EAGAIN from tcp_sendmsg_locked(). This is not known to the NVMe TCP driver, as the TLS layer successfully generated a record. Typically, the TLS write_space() callback would ensure such records are retried, but in the NVMe TCP Host driver, write_space() invokes nvme_tcp_write_space(). This causes a partially sent record in the TLS TX list to timeout after not being retried. This patch fixes the above by calling queue->write_space(), which calls into the TLS layer to retry any pending records. Fixes: be8e82caa685 ("nvme-tcp: enable TLS handshake upcall") Signed-off-by: Wilfred Mallawa Reviewed-by: Hannes Reinecke Signed-off-by: Keith Busch commit f6fddc6df3fc0cffce329b87927db4eb5989728d Author: Shardul Bankar Date: Thu Oct 16 12:03:30 2025 +0530 bpf: Fix memory leak in __lookup_instance error path When __lookup_instance() allocates a func_instance structure but fails to allocate the must_write_set array, it returns an error without freeing the previously allocated func_instance. This causes a memory leak of 192 bytes (sizeof(struct func_instance)) each time this error path is triggered. Fix by freeing 'result' on must_write_set allocation failure. Fixes: b3698c356ad9 ("bpf: callchain sensitive stack liveness tracking using CFG") Reported-by: BPF Runtime Fuzzer (BRF) Signed-off-by: Shardul Bankar Signed-off-by: Martin KaFai Lau Acked-by: Eduard Zingerman Link: https://patch.msgid.link/20251016063330.4107547-1-shardulsb08@gmail.com commit 0c1999ed33722f85476a248186d6e0eb2bf3dd2a Author: Xing Guo Date: Thu Oct 16 11:53:30 2025 +0800 selftests: arg_parsing: Ensure data is flushed to disk before reading. test_parse_test_list_file writes some data to /tmp/bpf_arg_parsing_test.XXXXXX and parse_test_list_file() will read the data back. However, after writing data to that file, we forget to call fsync() and it's causing testing failure in my laptop. This patch helps fix it by adding the missing fsync() call. Fixes: 64276f01dce8 ("selftests/bpf: Test_progs can read test lists from file") Signed-off-by: Xing Guo Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20251016035330.3217145-1-higuoxing@gmail.com commit ed80cc4667ac997b84546e6d35f0a0ae525d239c Author: Stuart Hayhurst Date: Mon Oct 6 02:05:49 2025 +0100 HID: logitech-hidpp: Add HIDPP_QUIRK_RESET_HI_RES_SCROLL The Logitech G502 Hero Wireless's high resolution scrolling resets after being unplugged without notifying the driver, causing extremely slow scrolling. The only indication of this is a battery update packet, so add a quirk to detect when the device is unplugged and re-enable the scrolling. Link: https://bugzilla.kernel.org/show_bug.cgi?id=218037 Signed-off-by: Stuart Hayhurst Signed-off-by: Jiri Kosina commit 6de1dec1c166c7f7324ce52ccfdf43e2fa743b19 Author: Eric Dumazet Date: Wed Oct 15 05:27:15 2025 +0000 udp: do not use skb_release_head_state() before skb_attempt_defer_free() Michal reported and bisected an issue after recent adoption of skb_attempt_defer_free() in UDP. The issue here is that skb_release_head_state() is called twice per skb, one time from skb_consume_udp(), then a second time from skb_defer_free_flush() and napi_consume_skb(). As Sabrina suggested, remove skb_release_head_state() call from skb_consume_udp(). Add a DEBUG_NET_WARN_ON_ONCE(skb_nfct(skb)) in skb_attempt_defer_free() Many thanks to Michal, Sabrina, Paolo and Florian for their help. Fixes: 6471658dc66c ("udp: use skb_attempt_defer_free()") Reported-and-bisected-by: Michal Kubecek Closes: https://lore.kernel.org/netdev/gpjh4lrotyephiqpuldtxxizrsg6job7cvhiqrw72saz2ubs3h@g6fgbvexgl3r/ Signed-off-by: Eric Dumazet Tested-by: Michal Kubecek Cc: Sabrina Dubroca Cc: Florian Westphal Reviewed-by: Sabrina Dubroca Link: https://patch.msgid.link/20251015052715.4140493-1-edumazet@google.com Signed-off-by: Paolo Abeni commit 86f54f9b6c17d6567c69e3a6fed52fdf5d7dbe93 Author: Hao Ge Date: Wed Oct 15 22:16:42 2025 +0800 slab: reset slab->obj_ext when freeing and it is OBJEXTS_ALLOC_FAIL If obj_exts allocation failed, slab->obj_exts is set to OBJEXTS_ALLOC_FAIL, But we do not clear it when freeing the slab. Since OBJEXTS_ALLOC_FAIL and MEMCG_DATA_OBJEXTS currently share the same bit position, during the release of the associated folio, a VM_BUG_ON_FOLIO() check in folio_memcg_kmem() is triggered because the OBJEXTS_ALLOC_FAIL flag was not cleared, causing it to be interpreted as a kmem folio (non-slab) with MEMCG_OBJEXTS_DATA flag set, which is invalid because MEMCG_OBJEXTS_DATA is supposed to be set only on slabs. Another problem that predates sharing the OBJEXTS_ALLOC_FAIL and MEMCG_DATA_OBJEXTS bits is that on configurations with is_check_pages_enabled(), the non-cleared bit in page->memcg_data will trigger a free_page_is_bad() failure "page still charged to cgroup" When freeing a slab, we clear slab->obj_exts if the obj_ext array has been successfully allocated. So let's clear it also when the allocation has failed. Fixes: 09c46563ff6d ("codetag: debug: introduce OBJEXTS_ALLOC_FAIL to mark failed slab_ext allocations") Fixes: 7612833192d5 ("slab: Reuse first bit for OBJEXTS_ALLOC_FAIL") Link: https://lore.kernel.org/all/20251015141642.700170-1-hao.ge@linux.dev/ Cc: Signed-off-by: Hao Ge Reviewed-by: Suren Baghdasaryan Reviewed-by: Harry Yoo Signed-off-by: Vlastimil Babka commit 5801e65206b065b0b2af032f7f1eef222aa2fd83 Author: Tvrtko Ursulin Date: Wed Oct 15 09:40:15 2025 +0100 drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies When adding dependencies with drm_sched_job_add_dependency(), that function consumes the fence reference both on success and failure, so in the latter case the dma_fence_put() on the error path (xarray failed to expand) is a double free. Interestingly this bug appears to have been present ever since commit ebd5f74255b9 ("drm/sched: Add dependency tracking"), since the code back then looked like this: drm_sched_job_add_implicit_dependencies(): ... for (i = 0; i < fence_count; i++) { ret = drm_sched_job_add_dependency(job, fences[i]); if (ret) break; } for (; i < fence_count; i++) dma_fence_put(fences[i]); Which means for the failing 'i' the dma_fence_put was already a double free. Possibly there were no users at that time, or the test cases were insufficient to hit it. The bug was then only noticed and fixed after commit 9c2ba265352a ("drm/scheduler: use new iterator in drm_sched_job_add_implicit_dependencies v2") landed, with its fixup of commit 4eaf02d6076c ("drm/scheduler: fix drm_sched_job_add_implicit_dependencies"). At that point it was a slightly different flavour of a double free, which commit 963d0b356935 ("drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder") noticed and attempted to fix. But it only moved the double free from happening inside the drm_sched_job_add_dependency(), when releasing the reference not yet obtained, to the caller, when releasing the reference already released by the former in the failure case. As such it is not easy to identify the right target for the fixes tag so lets keep it simple and just continue the chain. While fixing we also improve the comment and explain the reason for taking the reference and not dropping it. Signed-off-by: Tvrtko Ursulin Fixes: 963d0b356935 ("drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder") Reported-by: Dan Carpenter Closes: https://lore.kernel.org/dri-devel/aNFbXq8OeYl3QSdm@stanley.mountain/ Cc: Christian König Cc: Rob Clark Cc: Daniel Vetter Cc: Matthew Brost Cc: Danilo Krummrich Cc: Philipp Stanner Cc: Christian König Cc: dri-devel@lists.freedesktop.org Cc: stable@vger.kernel.org # v5.16+ Signed-off-by: Philipp Stanner Link: https://lore.kernel.org/r/20251015084015.6273-1-tvrtko.ursulin@igalia.com commit c6fceaf166479c05f7d3158ef08e78ae3e3dfa23 Author: Pauli Virtanen Date: Thu Oct 16 00:11:30 2025 +0300 ALSA: usb-audio: fix vendor quirk for Logitech H390 Vendor quirk QUIRK_FLAG_CTL_MSG_DELAY_1M was inadvertently missing when adding quirk for Logitech H390. Add it back. Fixes: 2b929b6eec0c ("ALSA: usb-audio: add mixer_playback_min_mute quirk for Logitech H390") Signed-off-by: Pauli Virtanen Signed-off-by: Takashi Iwai commit 9af61fc91486c7ba93cf1ec3bd381978cac8308c Author: Pauli Virtanen Date: Wed Oct 15 22:47:10 2025 +0300 ALSA: usb-audio: add volume quirks for MS LifeChat LX-3000 ID 045e:070f Microsoft Corp. LifeChat LX-3000 Headset has muted minimum Speaker Playback Volume, and 4 amixer steps were observed to produce 1 actual volume step. Apply min_mute quirk and correct res=48 -> 4*48. Tested with the device. Signed-off-by: Pauli Virtanen Signed-off-by: Takashi Iwai commit 225bc03d85427e7e3821d6f99f4f2d4a09350dda Author: Matthew Auld Date: Fri Oct 10 16:24:58 2025 +0100 drm/xe/evict: drop bogus assert This assert can trigger here with non pin_map users that select LATE_RESTORE, since the vmap is allowed to be NULL given that save/restore can now use the blitter instead. The check here doesn't seem to have much value anymore given that we no longer move pinned memory, so any existing vmap is left well alone, and doesn't need to be recreated upon restore, so just drop the assert here. Fixes: 86f69c26113c ("drm/xe: use backup object for pinned save/restore") Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6213 Signed-off-by: Matthew Auld Cc: Thomas Hellström Cc: Matthew Brost Reviewed-by: Thomas Hellström Link: https://lore.kernel.org/r/20251010152457.177884-2-matthew.auld@intel.com (cherry picked from commit a10b4a69c7f8f596d2c5218fbe84430734fab3b2) Signed-off-by: Lucas De Marchi commit 6a91af25cdbce2086d85cc4994cf791bda3a2c90 Author: Matthew Auld Date: Fri Oct 10 17:20:21 2025 +0100 drm/xe/migrate: don't misalign current bytes If current bytes exceeds the max copy size, ensure the clamped size still accounts for the XE_CACHELINE_BYTES alignment, otherwise we trigger the assert in xe_migrate_vram with the size now being out of alignment. Fixes: 8c2d61e0e916 ("drm/xe/migrate: don't overflow max copy size") Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6212 Signed-off-by: Matthew Auld Cc: Stuart Summers Cc: Matthew Brost Reviewed-by: Matthew Brost Link: https://lore.kernel.org/r/20251010162020.190962-2-matthew.auld@intel.com (cherry picked from commit 641bcf8731d21b56760e3646a39a65f471e9efd1) Signed-off-by: Lucas De Marchi commit 6d36f65ba551d28710c3e1aaceecacf19df0cd8f Author: Matt Roper Date: Mon Oct 13 08:30:15 2025 -0700 drm/xe/kunit: Fix kerneldoc for parameterized tests Kunit's generate_params() was recently updated to take an additional test context parameter. Xe's IP and platform parameter generators were updated accordingly at the same time, but the new parameter was not added to the functions' kerneldoc, resulting in the following warnings: Warning: drivers/gpu/drm/xe/tests/xe_pci.c:78 function parameter 'test' not described in 'xe_pci_fake_data_gen_params' Warning: drivers/gpu/drm/xe/tests/xe_pci.c:254 function parameter 'test' not described in 'xe_pci_graphics_ip_gen_param' Warning: drivers/gpu/drm/xe/tests/xe_pci.c:278 function parameter 'test' not described in 'xe_pci_media_ip_gen_param' Warning: drivers/gpu/drm/xe/tests/xe_pci.c:302 function parameter 'test' not described in 'xe_pci_id_gen_param' Warning: drivers/gpu/drm/xe/tests/xe_pci.c:390 function parameter 'test' not described in 'xe_pci_live_device_gen_param' 5 warnings as errors Document the new parameter to eliminate the warnings and make CI happy. Fixes: b9a214b5f6aa ("kunit: Pass parameterized test context to generate_params()") Reviewed-by: Shuicheng Lin Link: https://lore.kernel.org/r/20251013153014.2362879-2-matthew.d.roper@intel.com Signed-off-by: Matt Roper (cherry picked from commit 89e347f8a70165d1e8d88a93d875da7742c902ce) Signed-off-by: Lucas De Marchi commit 7987b93e3a11a7a95ddf2b21563d3286661b999c Author: Thomas Hellström Date: Fri Oct 10 12:41:48 2025 +0200 drm/xe/svm: Ensure data will be migrated to system if indicated by madvise. If the location madvise() is set to DRM_XE_PREFERRED_LOC_DEFAULT_SYSTEM, the drm_pagemap in the SVM gpu fault handler will be set to NULL. However there is nothing that explicitly migrates the data to system if it is already present in device memory. In that case, set the device memory owner to NULL to ensure data gets properly migrated to system on page-fault. v2: - Remove redundant dpagemap assignment (Himal Prasad Ghimiray) Signed-off-by: Thomas Hellström Reviewed-by: Matthew Brost #v1 Reviewed-by: Himal Prasad Ghimiray Link: https://lore.kernel.org/r/20251010104149.72783-2-thomas.hellstrom@linux.intel.com Fixes: 10aa5c806030 ("drm/gpusvm, drm/xe: Fix userptr to not allow device private pages") (cherry picked from commit 2cfcea7a745794f9b8e265a309717ca6ba335fc4) Signed-off-by: Lucas De Marchi commit 3c15a6df61bab034b087f00181408b1537a535bb Author: Eric Biggers Date: Sat Oct 11 18:57:38 2025 -0700 smb: client: Consolidate cmac(aes) shash allocation Now that smb3_crypto_shash_allocate() and smb311_crypto_shash_allocate() are identical and only allocate "cmac(aes)", delete the latter and replace the call to it with the former. Reviewed-by: Stefan Metzmacher Acked-by: Ard Biesheuvel Signed-off-by: Eric Biggers Signed-off-by: Steve French commit 2c09630d09c64b6b46e3d59a0031bc1807f742c4 Author: Eric Biggers Date: Sat Oct 11 18:57:37 2025 -0700 smb: client: Remove obsolete crypto_shash allocations Now that the SMB client accesses MD5, HMAC-MD5, HMAC-SHA256, and SHA-512 only via the library API and not via crypto_shash, allocating crypto_shash objects for these algorithms is no longer necessary. Remove all these allocations, their corresponding kconfig selections, and their corresponding module soft dependencies. Reviewed-by: Stefan Metzmacher Acked-by: Ard Biesheuvel Signed-off-by: Eric Biggers Signed-off-by: Steve French commit 395a77b030a878a353465386e8618b5272a480ca Author: Eric Biggers Date: Sat Oct 11 18:57:36 2025 -0700 smb: client: Use HMAC-MD5 library for NTLMv2 For the HMAC-MD5 computations in NTLMv2, use the HMAC-MD5 library instead of a "hmac(md5)" crypto_shash. This is simpler and faster. With the library there's no need to allocate memory, no need to handle errors, and the HMAC-MD5 code is accessed directly without inefficient indirect calls and other unnecessary API overhead. To preserve the existing behavior of NTLMv2 support being disabled when the kernel is booted with "fips=1", make setup_ntlmv2_rsp() check fips_enabled itself. Previously it relied on the error from cifs_alloc_hash("hmac(md5)", &hmacmd5). Reviewed-by: Stefan Metzmacher Acked-by: Ard Biesheuvel Signed-off-by: Eric Biggers Signed-off-by: Steve French commit c04e55b257b42f5eb5a2c5e92ebd043fd75fe3ab Author: Eric Biggers Date: Sat Oct 11 18:57:35 2025 -0700 smb: client: Use MD5 library for SMB1 signature calculation Convert cifs_calc_signature() to use the MD5 library instead of a "md5" crypto_shash. This is simpler and faster. With the library there's no need to allocate memory, no need to handle errors, and the MD5 code is accessed directly without inefficient indirect calls and other unnecessary API overhead. To preserve the existing behavior of MD5 signature support being disabled when the kernel is booted with "fips=1", make cifs_calc_signature() check fips_enabled itself. Previously it relied on the error from cifs_alloc_hash("md5", &server->secmech.md5). Reviewed-by: Stefan Metzmacher Acked-by: Ard Biesheuvel Signed-off-by: Eric Biggers Signed-off-by: Steve French commit ae04b1bb06f8c1738d01dc2f9b9391c4480544e4 Author: Eric Biggers Date: Sat Oct 11 18:57:34 2025 -0700 smb: client: Use MD5 library for M-F symlink hashing Convert parse_mf_symlink() and format_mf_symlink() to use the MD5 library instead of a "md5" crypto_shash. This is simpler and faster. With the library there's no need to allocate memory, no need to handle errors, and the MD5 code is accessed directly without inefficient indirect calls and other unnecessary API overhead. This also fixes an issue where these functions did not work on kernels booted in FIPS mode. The use of MD5 here is for data integrity rather than a security purpose, so it can use a non-FIPS-approved algorithm. Reviewed-by: Stefan Metzmacher Acked-by: Ard Biesheuvel Signed-off-by: Eric Biggers Signed-off-by: Steve French commit e05b3115e75381369be84abe5d46565ce0fcedc8 Author: Eric Biggers Date: Sat Oct 11 18:57:33 2025 -0700 smb: client: Use HMAC-SHA256 library for SMB2 signature calculation Convert smb2_calc_signature() to use the HMAC-SHA256 library instead of a "hmac(sha256)" crypto_shash. This is simpler and faster. With the library there's no need to allocate memory, no need to handle errors, and the HMAC-SHA256 code is accessed directly without inefficient indirect calls and other unnecessary API overhead. To make this possible, make __cifs_calc_signature() support both the HMAC-SHA256 library and crypto_shash. (crypto_shash is still needed for HMAC-MD5 and AES-CMAC. A later commit will switch HMAC-MD5 from shash to the library. I'd like to eventually do the same for AES-CMAC, but it doesn't have a library API yet. So for now, shash is still needed.) Also remove the unnecessary 'sigptr' variable. For now smb3_crypto_shash_allocate() still allocates a "hmac(sha256)" crypto_shash. It will be removed in a later commit. Reviewed-by: Stefan Metzmacher Acked-by: Ard Biesheuvel Signed-off-by: Eric Biggers Signed-off-by: Steve French commit 4b4c6fdb25de4edc0a34b1b93cccb439e00e1f35 Author: Eric Biggers Date: Sat Oct 11 18:57:32 2025 -0700 smb: client: Use HMAC-SHA256 library for key generation Convert generate_key() to use the HMAC-SHA256 library instead of a "hmac(sha256)" crypto_shash. This is simpler and faster. With the library there's no need to allocate memory, no need to handle errors, and the HMAC-SHA256 code is accessed directly without inefficient indirect calls and other unnecessary API overhead. Also remove the unnecessary 'hashptr' variable. For now smb3_crypto_shash_allocate() still allocates a "hmac(sha256)" crypto_shash. It will be removed in a later commit. Reviewed-by: Stefan Metzmacher Acked-by: Ard Biesheuvel Signed-off-by: Eric Biggers Signed-off-by: Steve French commit af5fea51411224cae61d54064a55fe22020bd2b7 Author: Eric Biggers Date: Sat Oct 11 18:57:31 2025 -0700 smb: client: Use SHA-512 library for SMB3.1.1 preauth hash Convert smb311_update_preauth_hash() to use the SHA-512 library instead of a "sha512" crypto_shash. This is simpler and faster. With the library there's no need to allocate memory, no need to handle errors, and the SHA-512 code is accessed directly without inefficient indirect calls and other unnecessary API overhead. Remove the call to smb311_crypto_shash_allocate() from smb311_update_preauth_hash(), since it appears to have been needed only to allocate the "sha512" crypto_shash. (It also had the side effect of allocating the "cmac(aes)" crypto_shash, but that's also done in generate_key() which is where the AES-CMAC key is initialized.) For now the "sha512" crypto_shash is still being allocated elsewhere. It will be removed in a later commit. Reviewed-by: Stefan Metzmacher Acked-by: Ard Biesheuvel Signed-off-by: Eric Biggers Signed-off-by: Steve French commit 6447b0e355562a1ff748c4a2ffb89aae7e84d2c9 Author: Eugene Korenevsky Date: Mon Oct 13 21:39:30 2025 +0300 cifs: parse_dfs_referrals: prevent oob on malformed input Malicious SMB server can send invalid reply to FSCTL_DFS_GET_REFERRALS - reply smaller than sizeof(struct get_dfs_referral_rsp) - reply with number of referrals smaller than NumberOfReferrals in the header Processing of such replies will cause oob. Return -EINVAL error on such replies to prevent oob-s. Signed-off-by: Eugene Korenevsky Cc: stable@vger.kernel.org Suggested-by: Nathan Chancellor Acked-by: Paulo Alcantara (Red Hat) Signed-off-by: Steve French commit c2b77f42205ef485a647f62082c442c1cd69d3fc Author: Shuhao Fu Date: Thu Oct 16 02:52:55 2025 +0000 smb: client: Fix refcount leak for cifs_sb_tlink Fix three refcount inconsistency issues related to `cifs_sb_tlink`. Comments for `cifs_sb_tlink` state that `cifs_put_tlink()` needs to be called after successful calls to `cifs_sb_tlink()`. Three calls fail to update refcount accordingly, leading to possible resource leaks. Fixes: 8ceb98437946 ("CIFS: Move rename to ops struct") Fixes: 2f1afe25997f ("cifs: Use smb 2 - 3 and cifsacl mount options getacl functions") Fixes: 366ed846df60 ("cifs: Use smb 2 - 3 and cifsacl mount options setacl function") Cc: stable@vger.kernel.org Signed-off-by: Shuhao Fu Signed-off-by: Steve French commit 8d93ff40d49d70e05c82a74beae31f883fe0eaf8 Author: I Viswanath Date: Mon Oct 13 23:46:48 2025 +0530 net: usb: lan78xx: fix use of improperly initialized dev->chipid in lan78xx_reset dev->chipid is used in lan78xx_init_mac_address before it's initialized: lan78xx_reset() { lan78xx_init_mac_address() lan78xx_read_eeprom() lan78xx_read_raw_eeprom() <- dev->chipid is used here dev->chipid = ... <- dev->chipid is initialized correctly here } Reorder initialization so that dev->chipid is set before calling lan78xx_init_mac_address(). Fixes: a0db7d10b76e ("lan78xx: Add to handle mux control per chip id") Signed-off-by: I Viswanath Reviewed-by: Vadim Fedorenko Reviewed-by: Khalid Aziz Link: https://patch.msgid.link/20251013181648.35153-1-viswanathiyyappan@gmail.com Signed-off-by: Jakub Kicinski commit 1a8fed52f7be14e45785e8e54d0d0b50fc17dbd8 Author: Breno Leitao Date: Tue Oct 14 02:17:25 2025 -0700 netdevsim: set the carrier when the device goes up Bringing a linked netdevsim device down and then up causes communication failure because both interfaces lack carrier. Basically a ifdown/ifup on the interface make the link broken. Commit 3762ec05a9fbda ("netdevsim: add NAPI support") added supported for NAPI, calling netif_carrier_off() in nsim_stop(). This patch re-enables the carrier symmetrically on nsim_open(), in case the device is linked and the peer is up. Signed-off-by: Breno Leitao Fixes: 3762ec05a9fbda ("netdevsim: add NAPI support") Reviewed-by: Andrew Lunn Link: https://patch.msgid.link/20251014-netdevsim_fix-v2-1-53b40590dae1@debian.org Signed-off-by: Jakub Kicinski commit 3667e9b442b95b021189db793b9156552f918e99 Author: Sabrina Dubroca Date: Tue Oct 14 11:17:02 2025 +0200 selftests: tls: add test for short splice due to full skmsg We don't have a test triggering a partial splice caused by a full skmsg. Add one, based on a program by Jann Horn. Use MAX_FRAGS=48 to make sure the skmsg will be full for any allowed value of CONFIG_MAX_SKB_FRAGS (17..45). Signed-off-by: Sabrina Dubroca Link: https://patch.msgid.link/1d129a15f526ea3602f3a2b368aa0b6f7e0d35d5.1760432043.git.sd@queasysnail.net Signed-off-by: Jakub Kicinski commit f95fce1e953b8a7af3fbad84aaffe92804196e2d Author: Sabrina Dubroca Date: Tue Oct 14 11:17:01 2025 +0200 selftests: net: tls: add tests for cmsg vs MSG_MORE We don't have a test to check that MSG_MORE won't let us merge records of different types across sendmsg calls. Add new tests that check: - MSG_MORE is only allowed for DATA records - a pending DATA record gets closed and pushed before a non-DATA record is processed Signed-off-by: Sabrina Dubroca Link: https://patch.msgid.link/b34feeadefe8a997f068d5ed5617afd0072df3c0.1760432043.git.sd@queasysnail.net Signed-off-by: Jakub Kicinski commit 7f846c65ca11e63d2409868ff039081f80e42ae4 Author: Sabrina Dubroca Date: Tue Oct 14 11:17:00 2025 +0200 tls: don't rely on tx_work during send() With async crypto, we rely on tx_work to actually transmit records once encryption completes. But while send() is running, both the tx_lock and socket lock are held, so tx_work_handler cannot process the queue of encrypted records, and simply reschedules itself. During a large send(), this could last a long time, and use a lot of memory. Transmit any pending encrypted records before restarting the main loop of tls_sw_sendmsg_locked. Fixes: a42055e8d2c3 ("net/tls: Add support for async encryption of records for performance") Reported-by: Jann Horn Signed-off-by: Sabrina Dubroca Link: https://patch.msgid.link/8396631478f70454b44afb98352237d33f48d34d.1760432043.git.sd@queasysnail.net Signed-off-by: Jakub Kicinski commit b8a6ff84abbcbbc445463de58704686011edc8e1 Author: Sabrina Dubroca Date: Tue Oct 14 11:16:59 2025 +0200 tls: wait for pending async decryptions if tls_strp_msg_hold fails Async decryption calls tls_strp_msg_hold to create a clone of the input skb to hold references to the memory it uses. If we fail to allocate that clone, proceeding with async decryption can lead to various issues (UAF on the skb, writing into userspace memory after the recv() call has returned). In this case, wait for all pending decryption requests. Fixes: 84c61fe1a75b ("tls: rx: do not use the standard strparser") Reported-by: Jann Horn Signed-off-by: Sabrina Dubroca Link: https://patch.msgid.link/b9fe61dcc07dab15da9b35cf4c7d86382a98caf2.1760432043.git.sd@queasysnail.net Signed-off-by: Jakub Kicinski commit b6fe4c29bb51cf239ecf48eacf72b924565cb619 Author: Sabrina Dubroca Date: Tue Oct 14 11:16:58 2025 +0200 tls: always set record_type in tls_process_cmsg When userspace wants to send a non-DATA record (via the TLS_SET_RECORD_TYPE cmsg), we need to send any pending data from a previous MSG_MORE send() as a separate DATA record. If that DATA record is encrypted asynchronously, tls_handle_open_record will return -EINPROGRESS. This is currently treated as an error by tls_process_cmsg, and it will skip setting record_type to the correct value, but the caller (tls_sw_sendmsg_locked) handles that return value correctly and proceeds with sending the new message with an incorrect record_type (DATA instead of whatever was requested in the cmsg). Always set record_type before handling the open record. If tls_handle_open_record returns an error, record_type will be ignored. If it succeeds, whether with synchronous crypto (returning 0) or asynchronous (returning -EINPROGRESS), the caller will proceed correctly. Fixes: a42055e8d2c3 ("net/tls: Add support for async encryption of records for performance") Reported-by: Jann Horn Signed-off-by: Sabrina Dubroca Link: https://patch.msgid.link/0457252e578a10a94e40c72ba6288b3a64f31662.1760432043.git.sd@queasysnail.net Signed-off-by: Jakub Kicinski commit b014a4e066c555185b7c367efacdc33f16695495 Author: Sabrina Dubroca Date: Tue Oct 14 11:16:57 2025 +0200 tls: wait for async encrypt in case of error during latter iterations of sendmsg If we hit an error during the main loop of tls_sw_sendmsg_locked (eg failed allocation), we jump to send_end and immediately return. Previous iterations may have queued async encryption requests that are still pending. We should wait for those before returning, as we could otherwise be reading from memory that userspace believes we're not using anymore, which would be a sort of use-after-free. This is similar to what tls_sw_recvmsg already does: failures during the main loop jump to the "wait for async" code, not straight to the unlock/return. Fixes: a42055e8d2c3 ("net/tls: Add support for async encryption of records for performance") Reported-by: Jann Horn Signed-off-by: Sabrina Dubroca Link: https://patch.msgid.link/c793efe9673b87f808d84fdefc0f732217030c52.1760432043.git.sd@queasysnail.net Signed-off-by: Jakub Kicinski commit ce5af41e3234425a40974696682163edfd21128c Author: Sabrina Dubroca Date: Tue Oct 14 11:16:56 2025 +0200 tls: trim encrypted message to match the plaintext on short splice During tls_sw_sendmsg_locked, we pre-allocate the encrypted message for the size we're expecting to send during the current iteration, but we may end up sending less, for example when splicing: if we're getting the data from small fragments of memory, we may fill up all the slots in the skmsg with less data than expected. In this case, we need to trim the encrypted message to only the length we actually need, to avoid pushing uninitialized bytes down the underlying TCP socket. Fixes: fe1e81d4f73b ("tls/sw: Support MSG_SPLICE_PAGES") Reported-by: Jann Horn Signed-off-by: Sabrina Dubroca Link: https://patch.msgid.link/66a0ae99c9efc15f88e9e56c1f58f902f442ce86.1760432043.git.sd@queasysnail.net Signed-off-by: Jakub Kicinski commit 0c3f2e62815a43628e748b1e4ad97a1c46cce703 Author: Alexey Simakov Date: Tue Oct 14 19:47:38 2025 +0300 tg3: prevent use of uninitialized remote_adv and local_adv variables Some execution paths that jump to the fiber_setup_done label could leave the remote_adv and local_adv variables uninitialized and then use it. Initialize this variables at the point of definition to avoid this. Fixes: 85730a631f0c ("tg3: Add SGMII phy support for 5719/5718 serdes") Co-developed-by: Alexandr Sapozhnikov Signed-off-by: Alexandr Sapozhnikov Signed-off-by: Alexey Simakov Reviewed-by: Pavan Chebbi Link: https://patch.msgid.link/20251014164736.5890-1-bigalex934@gmail.com Signed-off-by: Jakub Kicinski commit bc384963bc18e4f21cf8615b57cbbc9c5e0d309a Author: Justin Iurman Date: Tue Oct 14 19:06:50 2025 +0200 MAINTAINERS: new entry for IPv6 IOAM Create a maintainer entry for IPv6 IOAM. Add myself as I authored most if not all of the IPv6 IOAM code in the kernel and actively participate in the related IETF groups. Signed-off-by: Justin Iurman Link: https://patch.msgid.link/20251014170650.27679-1-justin.iurman@uliege.be Signed-off-by: Jakub Kicinski commit 18d6b1743eafeb3fb1e0ea5a2b7fd0a773d525a8 Author: Jens Axboe Date: Wed Oct 15 13:38:53 2025 -0600 io_uring/rw: check for NULL io_br_sel when putting a buffer Both the read and write side use kiocb_done() to finish a request, and kiocb_done() will call io_put_kbuf() in case a provided buffer was used for the request. Provided buffers are not supported for writes, hence NULL is being passed in. This normally works fine, as io_put_kbuf() won't actually use the value unless REQ_F_BUFFER_RING or REQ_F_BUFFER_SELECTED is set in the request flags. But depending on compiler (or whether or not CONFIG_CC_OPTIMIZE_FOR_SIZE is set), that may be done even though the value is never used. This will then cause a NULL pointer dereference. Make it a bit more obvious and check for a NULL io_br_sel, and don't even bother calling io_put_kbuf() for that case. Fixes: 5fda51255439 ("io_uring/kbuf: switch to storing struct io_buffer_list locally") Reported-by: David Howells Tested-by: David Howells Signed-off-by: Jens Axboe commit e6416c2dfe23c9a6fec881fda22ebb9ae486cfc5 Author: Rong Zhang Date: Sat Oct 11 00:59:58 2025 +0800 x86/CPU/AMD: Prevent reset reasons from being retained across reboot The S5_RESET_STATUS register is parsed on boot and printed to kmsg. However, this could sometimes be misleading and lead to users wasting a lot of time on meaningless debugging for two reasons: * Some bits are never cleared by hardware. It's the software's responsibility to clear them as per the Processor Programming Reference (see [1]). * Some rare hardware-initiated platform resets do not update the register at all. In both cases, a previous reboot could leave its trace in the register, resulting in users seeing unrelated reboot reasons while debugging random reboots afterward. Write the read value back to the register in order to clear all reason bits since they are write-1-to-clear while the others must be preserved. [1]: https://bugzilla.kernel.org/show_bug.cgi?id=206537#attach_303991 [ bp: Massage commit message. ] Fixes: ab8131028710 ("x86/CPU/AMD: Print the reason for the last reset") Signed-off-by: Rong Zhang Signed-off-by: Borislav Petkov (AMD) Reviewed-by: Mario Limonciello (AMD) Reviewed-by: Yazen Ghannam Cc: Link: https://lore.kernel.org/all/20250913144245.23237-1-i@rong.moe/ commit 5726b68473f7153a7f6294185e5998b7e2a230a2 Author: Li Qiang Date: Wed Oct 15 15:55:30 2025 +0800 ASoC: amd/sdw_utils: avoid NULL deref when devm_kasprintf() fails devm_kasprintf() may return NULL on memory allocation failure, but the debug message prints cpus->dai_name before checking it. Move the dev_dbg() call after the NULL check to prevent potential NULL pointer dereference. Fixes: cb8ea62e64020 ("ASoC: amd/sdw_utils: add sof based soundwire generic machine driver") Signed-off-by: Li Qiang Link: https://patch.msgid.link/20251015075530.146851-1-liqiang01@kylinos.cn Signed-off-by: Mark Brown commit 7a37291ed40a33a5f6c3d370fdde5ee0d8f7d0e4 Author: Sharique Mohammad Date: Wed Oct 15 15:42:15 2025 +0200 ASoC: max98090/91: fixed max98091 ALSA widget powering up/down The widgets DMIC3_ENA and DMIC4_ENA must be defined in the DAPM suppy widget, just like DMICL_ENA and DMICR_ENA. Whenever they are turned on or off, the required startup or shutdown sequences must be taken care by the max98090_shdn_event. Signed-off-by: Sharique Mohammad Link: https://patch.msgid.link/20251015134215.750001-1-sharq0406@gmail.com Signed-off-by: Mark Brown commit fcd298fdc2a32f1d90cdf9a452c5c5fdc6e8d137 Author: Frank Li Date: Fri Oct 10 12:03:20 2025 -0400 ASoC: dt-bindings: Add compatible string fsl,imx-audio-tlv320 Add compatible string fsl,imx-audio-tlv320 to fix below CHECK_DTBS warning: arch/arm/boot/dts/nxp/imx/imx6dl-gw5903.dtb: /sound: failed to match any schema with compatible: ['fsl,imx-audio-tlv320'] Signed-off-by: Frank Li Acked-by: Rob Herring (Arm) Link: https://patch.msgid.link/20251010160321.2130093-1-Frank.Li@nxp.com Signed-off-by: Mark Brown commit 2aab1f993c8cb753ccb3d5b848cd758e2e87d965 Author: Ankan Biswas Date: Wed Oct 15 20:50:57 2025 +0530 drm/gpuvm: Fix kernel-doc warning for drm_gpuvm_map_req.map The kernel-doc for struct drm_gpuvm_map_req.map was added as '@op_map' instead of '@map', leading to this warning during htmldocs build: WARNING: include/drm/drm_gpuvm.h:1083 struct member 'map' not described in 'drm_gpuvm_map_req' Fixes: 000a45dce7ad ("drm/gpuvm: Pass map arguments through a struct") Reported-by: Stephen Rothwell Closes: https://lore.kernel.org/all/20250821133539.03aa298e@canb.auug.org.au/ Signed-off-by: Ankan Biswas Signed-off-by: Danilo Krummrich commit d451a0e88e9fa710df33f8dd5dc7ca63e22ef211 Author: Stefan Metzmacher Date: Wed Oct 15 17:05:04 2025 +0200 smb: client: let smbd_destroy() wait for SMBDIRECT_SOCKET_DISCONNECTED We should wait for the rdma_cm to become SMBDIRECT_SOCKET_DISCONNECTED, it turns out that (at least running some xfstests e.g. cifs/001) often triggers the case where wait_event_interruptible() returns with -ERESTARTSYS instead of waiting for SMBDIRECT_SOCKET_DISCONNECTED to be reached. Or we are already in SMBDIRECT_SOCKET_DISCONNECTING and never wait for SMBDIRECT_SOCKET_DISCONNECTED. Fixes: 050b8c374019 ("smbd: Make upper layer decide when to destroy the transport") Fixes: e8b3bfe9bc65 ("cifs: smbd: Don't destroy transport on RDMA disconnect") Fixes: b0aa92a229ab ("smb: client: make sure smbd_disconnect_rdma_work() doesn't run after smbd_destroy() took over") Cc: Steve French Cc: Tom Talpey Cc: Long Li Cc: Namjae Jeon Cc: linux-cifs@vger.kernel.org Cc: samba-technical@lists.samba.org Signed-off-by: Stefan Metzmacher Signed-off-by: Steve French commit bfdd74166a639930baaba27a8d729edaacd46907 Author: Tim Hostetler Date: Tue Oct 14 00:47:39 2025 +0000 gve: Check valid ts bit on RX descriptor before hw timestamping The device returns a valid bit in the LSB of the low timestamp byte in the completion descriptor that the driver should check before setting the SKB's hardware timestamp. If the timestamp is not valid, do not hardware timestamp the SKB. Cc: stable@vger.kernel.org Fixes: b2c7aeb49056 ("gve: Implement ndo_hwtstamp_get/set for RX timestamping") Reviewed-by: Joshua Washington Signed-off-by: Tim Hostetler Signed-off-by: Harshitha Ramamurthy Reviewed-by: Simon Horman Reviewed-by: Willem de Bruijn Reviewed-by: Vadim Fedorenko Link: https://patch.msgid.link/20251014004740.2775957-1-hramamurthy@google.com Signed-off-by: Jakub Kicinski commit d9b3014a7f1425011909ad358dc0c8f187853a12 Author: Benjamin Tissoires Date: Wed Oct 8 16:06:59 2025 +0200 selftests/hid: add tests for missing release on the Dell Synaptics Add a simple test for the corner case not currently covered by the sticky fingers quirk. Because it's a corner case test, we only test this on a couple of devices, not on all of them because the value of adding the same test over and over is rather moot. Signed-off-by: Benjamin Tissoires Signed-off-by: Jiri Kosina commit 46f781e0d151844589dc2125c8cce3300546f92a Author: Benjamin Tissoires Date: Wed Oct 8 16:06:58 2025 +0200 HID: multitouch: fix sticky fingers The sticky fingers quirk (MT_QUIRK_STICKY_FINGERS) was only considering the case when slots were not released during the last report. This can be problematic if the firmware forgets to release a finger while others are still present. This was observed on the Synaptics DLL0945 touchpad found on the Dell XPS 9310 and the Dell Inspiron 5406. Fixes: 4f4001bc76fd ("HID: multitouch: fix rare Win 8 cases when the touch up event gets missing") Cc: stable@vger.kernel.org Signed-off-by: Benjamin Tissoires Signed-off-by: Jiri Kosina commit aa4daea418ee4215dca5c8636090660c545cb233 Author: Thadeu Lima de Souza Cascardo Date: Wed Oct 8 09:40:33 2025 -0300 HID: multitouch: fix name of Stylus input devices HID_DG_PEN devices should have a suffix of "Stylus", as pointed out by commit c0ee1d571626 ("HID: hid-input: Add suffix also for HID_DG_PEN"). However, on multitouch devices, these suffixes may be overridden. Before that commit, HID_DG_PEN devices would get the "Stylus" suffix, but after that, multitouch would override them to have an "UNKNOWN" suffix. Just add HID_DG_PEN to the list of non-overriden suffixes in multitouch. Before this fix: [ 0.470981] input: ELAN9008:00 04F3:2E14 UNKNOWN as /devices/pci0000:00/0000:00:15.1/i2c_designware.1/i2c-16/i2c-ELAN9008:00/0018:04F3:2E14.0001/input/input8 ELAN9008:00 04F3:2E14 UNKNOWN After this fix: [ 0.474332] input: ELAN9008:00 04F3:2E14 Stylus as /devices/pci0000:00/0000:00:15.1/i2c_designware.1/i2c-16/i2c-ELAN9008:00/0018:04F3:2E14.0001/input/input8 ELAN9008:00 04F3:2E14 Stylus Fixes: c0ee1d571626 ("HID: hid-input: Add suffix also for HID_DG_PEN") Signed-off-by: Thadeu Lima de Souza Cascardo Reviewed-by: Mika Westerberg Signed-off-by: Jiri Kosina commit 0187c08058da3e7f11b356ac27e0c427d36f33f2 Author: Dmitry Torokhov Date: Tue Oct 14 21:28:44 2025 -0700 HID: hid-input: only ignore 0 battery events for digitizers Commit 581c4484769e ("HID: input: map digitizer battery usage") added handling of battery events for digitizers (typically for batteries presented in stylii). Digitizers typically report correct battery levels only when stylus is actively touching the surface, and in other cases they may report battery level of 0. To avoid confusing consumers of the battery information the code was added to filer out reports with 0 battery levels. However there exist other kinds of devices that may legitimately report 0 battery levels. Fix this by filtering out 0-level reports only for digitizer usages, and continue reporting them for other kinds of devices (Smart Batteries, etc). Reported-by: 卢国宏 Fixes: 581c4484769e ("HID: input: map digitizer battery usage") Signed-off-by: Dmitry Torokhov Signed-off-by: Jiri Kosina commit 1f4a222b0e334540343fbb5d3eac4584a6bfe180 Author: Linus Torvalds Date: Wed Oct 15 07:57:28 2025 -0700 Remove long-stale ext3 defconfig option Inspired by commit c065b6046b34 ("Use CONFIG_EXT4_FS instead of CONFIG_EXT3_FS in all of the defconfigs") I looked around for any other left-over EXT3 config options, and found some old defconfig files still mentioned CONFIG_EXT3_DEFAULTS_TO_ORDERED. That config option was removed a decade ago in commit c290ea01abb7 ("fs: Remove ext3 filesystem driver"). It had a good run, but let's remove it for good. Signed-off-by: Linus Torvalds commit 7e85ac9da1acc591bd5269f2b890ed1994c42e96 Author: Nicolas Frattaroli Date: Mon Oct 13 09:34:04 2025 +0200 PM / devfreq: rockchip-dfi: switch to FIELD_PREP_WM16 macro The era of hand-rolled HIWORD_UPDATE macros is over, at least for those drivers that use constant masks. Like many other Rockchip drivers, rockchip-dfi brings with it its own HIWORD_UPDATE macro. This variant doesn't shift the value (and like the others, doesn't do any checking). Remove it, and replace instances of it with hw_bitfield.h's FIELD_PREP_WM16. Since FIELD_PREP_WM16 requires contiguous masks and shifts the value for us, some reshuffling of definitions needs to happen. This gives us better compile-time error checking, and in my opinion, nicer code. Tested on an RK3568 ODROID-M1 board (LPDDR4X at 1560 MHz, an RK3588 Radxa ROCK 5B board (LPDDR4X at 2112 MHz) and an RK3588 Radxa ROCK 5T board (LPDDR5 at 2400 MHz). perf measurements were consistent with the measurements of stress-ng --stream in all cases. Signed-off-by: Nicolas Frattaroli Signed-off-by: Yury Norov (NVIDIA) commit 0f5878834d6ce97426219b64c02a2c4081419d53 Author: Miguel Ojeda Date: Mon Oct 13 02:14:22 2025 +0200 rust: bitmap: clean Rust 1.92.0 `unused_unsafe` warning Starting with Rust 1.92.0 (expected 2025-12-11), Rust allows to safely take the address of a union field [1][2]: CLIPPY L rust/kernel.o error: unnecessary `unsafe` block --> rust/kernel/bitmap.rs:169:13 | 169 | unsafe { core::ptr::addr_of!(self.repr.bitmap) } | ^^^^^^ unnecessary `unsafe` block | = note: `-D unused-unsafe` implied by `-D warnings` = help: to override `-D warnings` add `#[allow(unused_unsafe)]` error: unnecessary `unsafe` block --> rust/kernel/bitmap.rs:185:13 | 185 | unsafe { core::ptr::addr_of_mut!(self.repr.bitmap) } | ^^^^^^ unnecessary `unsafe` block Thus allow both instances to clean the warning in newer compilers. Link: https://github.com/rust-lang/rust/issues/141264 [1] Link: https://github.com/rust-lang/rust/pull/141469 [2] Signed-off-by: Miguel Ojeda Reviewed-by: Alice Ryhl Signed-off-by: Yury Norov (NVIDIA) commit 95355766e5871e9cdc574be5a3b115392ad33aea Author: Jouni Högander Date: Mon Sep 22 13:27:25 2025 +0300 drm/i915/psr: Deactivate PSR only on LNL and when selective fetch enabled Using intel_psr_exit in frontbuffer flush on older platforms seems to be causing problems. Sending single full frame update using intel_psr_force_update is anyways more optimal compared to psr deactivate/activate -> move back to this approach on PSR1, PSR HW tracking and Panel Replay full frame update and use deactivate/activate only on LunarLake and only when selective fetch is enabled. Tested-by: Lemen Tested-by: Koos Vriezen Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/14946 Signed-off-by: Jouni Högander Reviewed-by: Mika Kahola Link: https://lore.kernel.org/r/20250922102725.2752742-1-jouni.hogander@intel.com (cherry picked from commit 924adb0bbdd8fef25fd229c76e3f602c3e8752ee) Signed-off-by: Rodrigo Vivi commit 437c23357d897f5b5b7d297c477da44b56654d46 Author: Pavel Begunkov Date: Wed Oct 15 13:10:31 2025 +0100 io_uring: fix unexpected placement on same size resizing There might be many reasons why a user is resizing a ring, e.g. moving to huge pages or for some memory compaction using IORING_SETUP_NO_MMAP. Don't bypass resizing, the user will definitely be surprised seeing 0 while the rings weren't actually moved to a new place. Signed-off-by: Pavel Begunkov Signed-off-by: Jens Axboe commit be7cab44ed099566c605a8dac686c3254db01b35 Author: Pavel Begunkov Date: Wed Oct 15 13:07:23 2025 +0100 io_uring: protect mem region deregistration io_create_region_mmap_safe() protects publishing of a region against concurrent mmap calls, however we should also protect against it when removing a region. There is a gap io_register_mem_region() where it safely publishes a region, but then copy_to_user goes wrong and it unsafely frees the region. Cc: stable@vger.kernel.org Fixes: 087f997870a94 ("io_uring/memmap: implement mmap for regions") Signed-off-by: Pavel Begunkov Signed-off-by: Jens Axboe commit 08823e89e3e269bf4c4a20b4c24a8119920cc7a4 Author: Ming Lei Date: Wed Oct 15 18:30:39 2025 +0800 block: Remove elevator_lock usage from blkg_conf frozen operations Remove the acquisition and release of q->elevator_lock in the blkg_conf_open_bdev_frozen() and blkg_conf_exit_frozen() functions. The elevator lock is no longer needed in these code paths since commit 78c271344b6f ("block: move wbt_enable_default() out of queue freezing from sched ->exit()") which introduces `disk->rqos_state_mutex` for protecting wbt state change, and not necessary to abuse elevator_lock for this purpose. This change helps to solve the lockdep warning reported from Yu Kuai[1]. Pass blktests/throtl with lockdep enabled. Links: https://lore.kernel.org/linux-block/e5e7ac3f-2063-473a-aafb-4d8d43e5576e@yukuai.org.cn/ [1] Fixes: commit 78c271344b6f ("block: move wbt_enable_default() out of queue freezing from sched ->exit()") Signed-off-by: Ming Lei Reviewed-by: Nilay Shroff Signed-off-by: Jens Axboe commit dc96cefef0d3032c69e46a21b345c60e56b18934 Author: Yu Kuai Date: Wed Oct 15 09:48:27 2025 +0800 blk-mq: fix stale tag depth for shared sched tags in blk_mq_update_nr_requests() Commit 7f2799c546db ("blk-mq: cleanup shared tags case in blk_mq_update_nr_requests()") moves blk_mq_tag_update_sched_shared_tags() before q->nr_requests is updated, however, it's still using the old q->nr_requests to resize tag depth. Fix this problem by passing in expected new tag depth. Fixes: 7f2799c546db ("blk-mq: cleanup shared tags case in blk_mq_update_nr_requests()") Signed-off-by: Yu Kuai Reviewed-by: Ming Lei Reviewed-by: Nilay Shroff Reported-by: Chris Mason Link: https://lore.kernel.org/linux-block/20251014130507.4187235-2-clm@meta.com/ Signed-off-by: Jens Axboe commit d877470b59910b5c50383d634dda3782386bba51 Author: ZhangGuoDong Date: Mon Oct 13 00:17:30 2025 +0800 smb: move some duplicate definitions to common/cifsglob.h In order to maintain the code more easily, move duplicate definitions to new common header file. Co-developed-by: ChenXiaoSong Signed-off-by: ChenXiaoSong Signed-off-by: ZhangGuoDong Signed-off-by: Steve French commit b0432201a11b3caaeca6c03f2b3e399275b2e489 Author: Stefan Metzmacher Date: Sun Oct 12 21:10:30 2025 +0200 smb: client: let destroy_mr_list() keep smbdirect_mr_io memory if registered If a smbdirect_mr_io structure if still visible to callers of smbd_register_mr() we can't free the related memory when the connection is disconnected! Otherwise smbd_deregister_mr() will crash. Now we use a mutex and refcounting in order to keep the memory around if the connection is disconnected. It means smbd_deregister_mr() can be called at any later time to free the memory, which is no longer referenced by nor referencing the connection. It also means smbd_destroy() no longer needs to wait for mr_io.used.count to become 0. Fixes: 050b8c374019 ("smbd: Make upper layer decide when to destroy the transport") Cc: Steve French Cc: Tom Talpey Cc: Long Li Cc: Namjae Jeon Cc: linux-cifs@vger.kernel.org Cc: samba-technical@lists.samba.org Signed-off-by: Stefan Metzmacher Signed-off-by: Steve French commit 88f170814fea74911ceab798a43cbd7c5599bed4 Author: Marios Makassikis Date: Wed Oct 15 09:25:46 2025 +0200 ksmbd: fix recursive locking in RPC handle list access Since commit 305853cce3794 ("ksmbd: Fix race condition in RPC handle list access"), ksmbd_session_rpc_method() attempts to lock sess->rpc_lock. This causes hung connections / tasks when a client attempts to open a named pipe. Using Samba's rpcclient tool: $ rpcclient //192.168.1.254 -U user%password $ rpcclient $> srvinfo Kernel side: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/0:0 state:D stack:0 pid:5021 tgid:5021 ppid:2 flags:0x00200000 Workqueue: ksmbd-io handle_ksmbd_work Call trace: __schedule from schedule+0x3c/0x58 schedule from schedule_preempt_disabled+0xc/0x10 schedule_preempt_disabled from rwsem_down_read_slowpath+0x1b0/0x1d8 rwsem_down_read_slowpath from down_read+0x28/0x30 down_read from ksmbd_session_rpc_method+0x18/0x3c ksmbd_session_rpc_method from ksmbd_rpc_open+0x34/0x68 ksmbd_rpc_open from ksmbd_session_rpc_open+0x194/0x228 ksmbd_session_rpc_open from create_smb2_pipe+0x8c/0x2c8 create_smb2_pipe from smb2_open+0x10c/0x27ac smb2_open from handle_ksmbd_work+0x238/0x3dc handle_ksmbd_work from process_scheduled_works+0x160/0x25c process_scheduled_works from worker_thread+0x16c/0x1e8 worker_thread from kthread+0xa8/0xb8 kthread from ret_from_fork+0x14/0x38 Exception stack(0x8529ffb0 to 0x8529fff8) The task deadlocks because the lock is already held: ksmbd_session_rpc_open down_write(&sess->rpc_lock) ksmbd_rpc_open ksmbd_session_rpc_method down_read(&sess->rpc_lock) <-- deadlock Adjust ksmbd_session_rpc_method() callers to take the lock when necessary. Fixes: 305853cce3794 ("ksmbd: Fix race condition in RPC handle list access") Signed-off-by: Marios Makassikis Acked-by: Namjae Jeon Signed-off-by: Steve French commit 379510a815cb2e64eb0a379cb62295d6ade65df0 Author: ZhangGuoDong Date: Sun Oct 12 00:51:36 2025 +0800 smb/server: fix possible refcount leak in smb2_sess_setup() Reference count of ksmbd_session will leak when session need reconnect. Fix this by adding the missing ksmbd_user_session_put(). Co-developed-by: ChenXiaoSong Signed-off-by: ChenXiaoSong Signed-off-by: ZhangGuoDong Acked-by: Namjae Jeon Signed-off-by: Steve French commit 6fced056d2cc8d01b326e6fcfabaacb9850b71a4 Author: ZhangGuoDong Date: Sun Oct 12 00:47:59 2025 +0800 smb/server: fix possible memory leak in smb2_read() Memory leak occurs when ksmbd_vfs_read() fails. Fix this by adding the missing kvfree(). Co-developed-by: ChenXiaoSong Signed-off-by: ChenXiaoSong Signed-off-by: ZhangGuoDong Acked-by: Namjae Jeon Signed-off-by: Steve French commit 5fb750e8a9ae123b2034771b864b8a21dbef65cd Author: Alexei Starovoitov Date: Tue Oct 14 17:07:00 2025 -0700 bpf: Replace bpf_map_kmalloc_node() with kmalloc_nolock() to allocate bpf_async_cb structures. The following kmemleak splat: [ 8.105530] kmemleak: Trying to color unknown object at 0xff11000100e918c0 as Black [ 8.106521] Call Trace: [ 8.106521] [ 8.106521] dump_stack_lvl+0x4b/0x70 [ 8.106521] kvfree_call_rcu+0xcb/0x3b0 [ 8.106521] ? hrtimer_cancel+0x21/0x40 [ 8.106521] bpf_obj_free_fields+0x193/0x200 [ 8.106521] htab_map_update_elem+0x29c/0x410 [ 8.106521] bpf_prog_cfc8cd0f42c04044_overwrite_cb+0x47/0x4b [ 8.106521] bpf_prog_8c30cd7c4db2e963_overwrite_timer+0x65/0x86 [ 8.106521] bpf_prog_test_run_syscall+0xe1/0x2a0 happens due to the combination of features and fixes, but mainly due to commit 6d78b4473cdb ("bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init()") It's using __GFP_HIGH, which instructs slub/kmemleak internals to skip kmemleak_alloc_recursive() on allocation, so subsequent kfree_rcu()-> kvfree_call_rcu()->kmemleak_ignore() complains with the above splat. To fix this imbalance, replace bpf_map_kmalloc_node() with kmalloc_nolock() and kfree_rcu() with call_rcu() + kfree_nolock() to make sure that the objects allocated with kmalloc_nolock() are freed with kfree_nolock() rather than the implicit kfree() that kfree_rcu() uses internally. Note, the kmalloc_nolock() happens under bpf_spin_lock_irqsave(), so it will always fail in PREEMPT_RT. This is not an issue at the moment, since bpf_timers are disabled in PREEMPT_RT. In the future bpf_spin_lock will be replaced with state machine similar to bpf_task_work. Fixes: 6d78b4473cdb ("bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init()") Signed-off-by: Alexei Starovoitov Signed-off-by: Daniel Borkmann Reviewed-by: Shakeel Butt Acked-by: Harry Yoo Acked-by: Vlastimil Babka Cc: linux-mm@kvack.org Link: https://lore.kernel.org/bpf/20251015000700.28988-1-alexei.starovoitov@gmail.com commit d5cda96d0130effd4255f7c5e720a58760a032a4 Author: Srinivas Kandagatla Date: Wed Oct 8 15:58:01 2025 +0100 ASoC: codecs: wcd938x-sdw: remove redundant runtime pm calls Component bind callbacks already does runtime pm calls, soundwire codec also tries to do the exactly same thing resulting in Unbalanced pm_runtime_enable and disable calls. Remove the redundant calls from wcd938x-sdw driver. Reported-by: Konrad Dybcio Fixes: ebaf88c0546d ("ASoC: codecs: wcd-common: move component ops to common") Signed-off-by: Srinivas Kandagatla Link: https://patch.msgid.link/20251008145801.3479-1-srinivas.kandagatla@oss.qualcomm.com Signed-off-by: Mark Brown commit 57b00ab3d33d2b177bf45d568fa1e6203cd099b6 Author: Shuming Fan Date: Tue Oct 14 17:21:57 2025 +0800 ASoC: sdw_utils: add rt1321 part id to codec_info_list The SdW machine driver supports the part id rt1321 amplifier. Signed-off-by: Shuming Fan Link: https://patch.msgid.link/20251014092157.2789054-1-shumingf@realtek.com Signed-off-by: Mark Brown commit 2d8636119b92970ba135c3c4da87d24dbfdeb8ca Author: Jeongjun Park Date: Wed Oct 15 16:34:54 2025 +0900 exfat: fix out-of-bounds in exfat_nls_to_ucs2() Since the len argument value passed to exfat_ioctl_set_volume_label() from exfat_nls_to_utf16() is passed 1 too large, an out-of-bounds read occurs when dereferencing p_cstring in exfat_nls_to_ucs2() later. And because of the NLS_NAME_OVERLEN macro, another error occurs when creating a file with a period at the end using utf8 and other iocharsets. So to avoid this, you should remove the code that uses NLS_NAME_OVERLEN macro and make the len argument value be the length of the label string, but with a maximum length of FSLABEL_MAX - 1. Reported-by: syzbot+98cc76a76de46b3714d4@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=98cc76a76de46b3714d4 Fixes: d01579d590f7 ("exfat: Add support for FS_IOC_{GET,SET}FSLABEL") Suggested-by: Pali Rohár Signed-off-by: Jeongjun Park Signed-off-by: Namjae Jeon commit 28412b489b088fb88dff488305fd4e56bd47f6e4 Author: Jiaming Zhang Date: Wed Oct 15 13:16:45 2025 +0800 ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card In try_to_register_card(), the return value of usb_ifnum_to_if() is passed directly to usb_interface_claimed() without a NULL check, which will lead to a NULL pointer dereference when creating an invalid USB audio device. Fix this by adding a check to ensure the interface pointer is valid before passing it to usb_interface_claimed(). Fixes: 39efc9c8a973 ("ALSA: usb-audio: Fix last interface check for registration") Closes: https://lore.kernel.org/all/CANypQFYtQxHL5ghREs-BujZG413RPJGnO5TH=xjFBKpPts33tA@mail.gmail.com/ Signed-off-by: Jiaming Zhang Signed-off-by: Takashi Iwai commit 6f719373b943a955fee6fc2012aed207b65e2854 Author: Thomas Zimmermann Date: Tue Oct 14 10:46:34 2025 +0200 drm/ast: Blank with VGACR17 sync enable, always clear VGACRB6 sync off Blank the display by disabling sync pulses with VGACR17<7>. Unblank by reenabling them. This VGA setting should be supported by all Aspeed hardware. Ast currently blanks via sync-off bits in VGACRB6. Not all BMCs handle VGACRB6 correctly. After disabling sync during a reboot, some BMCs do not reenable it after the soft reset. The display output remains dark. When the display is off during boot, some BMCs set the sync-off bits in VGACRB6, so the display remains dark. Observed with Blackbird AST2500 BMCs. Clearing the sync-off bits unconditionally fixes these issues. Also do not modify VGASR1's SD bit for blanking, as it only disables GPU access to video memory. v2: - init vgacrb6 correctly (Jocelyn) Signed-off-by: Thomas Zimmermann Fixes: ce3d99c83495 ("drm: Call drm_atomic_helper_shutdown() at shutdown time for misc drivers") Tested-by: Nick Bowler Reported-by: Nick Bowler Closes: https://lore.kernel.org/dri-devel/wpwd7rit6t4mnu6kdqbtsnk5bhftgslio6e2jgkz6kgw6cuvvr@xbfswsczfqsi/ Cc: Douglas Anderson Cc: Dave Airlie Cc: Thomas Zimmermann Cc: Jocelyn Falempe Cc: dri-devel@lists.freedesktop.org Cc: # v6.7+ Reviewed-by: Jocelyn Falempe Link: https://lore.kernel.org/r/20251014084743.18242-1-tzimmermann@suse.de commit 82ebecdc74ff555daf70b811d854b1f32a296bea Author: Jaehun Gou Date: Tue Oct 14 22:01:46 2025 +0900 exfat: fix improper check of dentry.stream.valid_size We found an infinite loop bug in the exFAT file system that can lead to a Denial-of-Service (DoS) condition. When a dentry in an exFAT filesystem is malformed, the following system calls — SYS_openat, SYS_ftruncate, and SYS_pwrite64 — can cause the kernel to hang. Root cause analysis shows that the size validation code in exfat_find() does not check whether dentry.stream.valid_size is negative. As a result, the system calls mentioned above can succeed and eventually trigger the DoS issue. This patch adds a check for negative dentry.stream.valid_size to prevent this vulnerability. Co-developed-by: Seunghun Han Signed-off-by: Seunghun Han Co-developed-by: Jihoon Kwon Signed-off-by: Jihoon Kwon Signed-off-by: Jaehun Gou Signed-off-by: Namjae Jeon commit 7f0fddd817ba6daebea1445ae9fab4b6d2294fa8 Author: Florian Westphal Date: Mon Oct 13 20:50:52 2025 +0200 net: core: fix lockdep splat on device unregister Since blamed commit, unregister_netdevice_many_notify() takes the netdev mutex if the device needs it. If the device list is too long, this will lock more device mutexes than lockdep can handle: unshare -n \ bash -c 'for i in $(seq 1 100);do ip link add foo$i type dummy;done' BUG: MAX_LOCK_DEPTH too low! turning off the locking correctness validator. depth: 48 max: 48! 48 locks held by kworker/u16:1/69: #0: ..148 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work #1: ..d40 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work #2: ..bd0 (pernet_ops_rwsem){++++}-{4:4}, at: cleanup_net #3: ..aa8 (rtnl_mutex){+.+.}-{4:4}, at: default_device_exit_batch #4: ..cb0 (&dev_instance_lock_key#3){+.+.}-{4:4}, at: unregister_netdevice_many_notify [..] Add a helper to close and then unlock a list of net_devices. Devices that are not up have to be skipped - netif_close_many always removes them from the list without any other actions taken, so they'd remain in locked state. Close devices whenever we've used up half of the tracking slots or we processed entire list without hitting the limit. Fixes: 7e4d784f5810 ("net: hold netdev instance lock during rtnetlink operations") Signed-off-by: Florian Westphal Link: https://patch.msgid.link/20251013185052.14021-1-fw@strlen.de Signed-off-by: Jakub Kicinski commit e603a342cf7ecd64ef8f36207dfe1caacb9e2583 Author: Andrii Nakryiko Date: Tue Oct 14 13:20:37 2025 -0700 selftests/bpf: make arg_parsing.c more robust to crashes We started getting a crash in BPF CI, which seems to originate from test_parse_test_list_file() test and is happening at this line: ASSERT_OK(strcmp("test_with_spaces", set.tests[0].name), "test 0 name"); One way we can crash there is if set.cnt zero, which is checked for with ASSERT_EQ() above, but we proceed after this regardless of the outcome. Instead of crashing, we should bail out with test failure early. Similarly, if parse_test_list_file() fails, we shouldn't be even looking at set, so bail even earlier if ASSERT_OK() fails. Fixes: 64276f01dce8 ("selftests/bpf: Test_progs can read test lists from file") Signed-off-by: Andrii Nakryiko Tested-by: Ihor Solodrai Link: https://lore.kernel.org/r/20251014202037.72922-1-andrii@kernel.org Signed-off-by: Alexei Starovoitov commit a4bbb493a3247ef32f6191fd8b2a0657139f8e08 Author: Alison Schofield Date: Tue Oct 14 14:38:49 2025 -0700 cxl/trace: Subtract to find an hpa_alias0 in cxl_poison events Traces of cxl_poison events include an hpa_alias0 field if the poison address is in a region configured with an ELC, Extended Linear Cache. Since the ELC always comes first in the region, the calculation needs to subtract the ELC size from the calculated HPA address. Fixes: 8c520c5f1e76 ("cxl: Add extended linear cache address alias emission for cxl events") Signed-off-by: Alison Schofield Reviewed-by: Dave Jiang Signed-off-by: Dave Jiang commit df5a1f4aeb6ff5e7c5ac47d16a347f03509dd441 Author: Jonas Gorski Date: Mon Oct 13 20:03:47 2025 +0200 MAINTAINERS: add myself as maintainer for b53 I wrote the original OpenWrt driver that Florian used as the base for the dsa driver, I might as well take responsibility for it. Signed-off-by: Jonas Gorski Reviewed-by: Florian Fainelli Reviewed-by: Andrew Lunn Reviewed-by: Vladimir Oltean Link: https://patch.msgid.link/20251013180347.133246-1-jonas.gorski@gmail.com Signed-off-by: Jakub Kicinski commit 469276c06affdfd2d9e88c9f228bb81119ec1a20 Author: Ilpo Järvinen Date: Tue Oct 14 19:36:02 2025 +0300 PCI: Revert early bridge resource set up The commit a43ac325c7cb ("PCI: Set up bridge resources earlier") moved bridge window resources set up earlier than before. The change was necessary to support another change that got pulled on the last minute due to breaking s390 and other systems. The presence of valid bridge window resources earlier than before allows pci_assign_unassigned_root_bus_resources() call from pci_host_probe() assign the bridge windows. Some host bridges, however, have to wait first for the link up event before they can enumerate successfully (see e.g. qcom_pcie_global_irq_thread()) and thus the bus has not been enumerated yet while calling pci_host_probe(). Calling pci_assign_unassigned_root_bus_resources() without results from enumeration can result in sizing bridge windows with too small sizes which cannot be later corrected after the enumeration has completed because bridge windows have become pinned in place by the other resources. Interestingly, it seems pci_read_bridge_bases() is not called at all in the problematic case and the bridge window resource type setup is done by pci_bridge_check_ranges() and sizing by the usual resource fitting logic. The root problem behind all this looks pretty generic. If resource fitting is called too early, the hotplug reservation and old size lower bounding cause the bridge windows to be assigned without children but with non-zero size, which leads to these pinning problems. As such, this can likely be solved on the general level but the solution does not look trivial. As the commit a43ac325c7cb ("PCI: Set up bridge resources earlier") was prequisite for other change that did not end up into kernel yet, revert it to resolve the resource assignment failures and give time to code and test a generic solution. Fixes: a43ac325c7cb ("PCI: Set up bridge resources earlier") Reported-by: Val Packett Link: https://lore.kernel.org/r/017ff8df-511c-4da8-b3cf-edf2cb7f1a67@packett.cool Reported-by: Guenter Roeck Link: https://lore.kernel.org/r/df266709-a9b3-4fd8-af3a-c22eb3c9523a@roeck-us.net Signed-off-by: Ilpo Järvinen Signed-off-by: Bjorn Helgaas Link: https://patch.msgid.link/20251014163602.17138-1-ilpo.jarvinen@linux.intel.com commit 257c4b03a2f7d8c15f79c79b09a561af9734f6c4 Author: Alison Schofield Date: Tue Oct 14 00:31:04 2025 -0700 cxl/region: Use %pa printk format to emit resource_size_t KASAN reports a stack-out-of-bounds access in validate_region_offset() while running the cxl-poison.sh unit test because the printk format specifier, %pr format, is not a match for the resource_size_t type of the variables. %pr expects struct resource pointers and attempts to dereference the structure fields, reading beyond the bounds of the stack variables. Since these messages emit an 'A exceeds B' type of message, keep the resource_size_t's and use the %pa specifier to be architecture safe. BUG: KASAN: stack-out-of-bounds in resource_string.isra.0+0xe9a/0x1690 [] Read of size 8 at addr ffff88800a7afb40 by task bash/1397 ... [] The buggy address belongs to stack of task bash/1397 [] and is located at offset 56 in frame: [] validate_region_offset+0x0/0x1c0 [cxl_core] Fixes: c3dd67681c70 ("cxl/region: Add inject and clear poison by region offset") Signed-off-by: Alison Schofield Reviewed-by: Dave Jiang Signed-off-by: Dave Jiang commit f4d027921c811ff7fc16e4d03c6bbbf4347cf37a Author: Dave Jiang Date: Fri Oct 10 13:57:55 2025 -0700 cxl: Fix match_region_by_range() to use region_res_match_cxl_range() match_region_by_range() is not using the helper function that also takes extended linear cache size into account when comparing regions. This causes a x2 region to show up as 2 partial incomplete regions rather than a single CXL region with extended linear cache support. Replace the open coded compare logic with the proper helper function for comparison. User visible impact is that when 'cxl list' is issued, no activa CXL region(s) are shown. There may be multiple idle regions present. No actual active CXL region is present in the kernel. [dj: Fix stable address] Fixes: 0ec9849b6333 ("acpi/hmat / cxl: Add extended linear cache support for CXL") Cc: stable@vger.kernel.org Reviewed-by: Gregory Price Reviewed-by: Alison Schofield Reviewed-by: Dan Williams Signed-off-by: Dave Jiang commit 0f6f1982cb28abf1b8a3a8ba906e2c6ade6a70e8 Author: Dave Jiang Date: Fri Oct 10 13:57:54 2025 -0700 cxl: Set range param for region_res_match_cxl_range() as const The function takes two parameters and compares them. The second parameter should be const since no modification should be done to it. Reviewed-by: Gregory Price Reviewed-by: Alison Schofield Signed-off-by: Dave Jiang commit 2e41e5a91a37202ff6743c3ae5329e106aeb1c6c Author: Dave Jiang Date: Fri Oct 10 13:57:53 2025 -0700 cxl/acpi: Fix setup of memory resource in cxl_acpi_set_cache_size() In order to compare the resource against the HMAT memory target, the resource needs to be memory type. Change the DEFINE_RES() macro to DEFINE_RES_MEM() in order to set the correct resource type. hmat_get_extended_linear_cache_size() uses resource_contains() internally. This causes a regression for platforms with the extended linear cache enabled as the comparison always fails and the cache size is not set. User visible impact is that when 'cxl list' is issued, a CXL region with extended linear cache support will only report half the size of the actual size. And this also breaks MCE reporting of the memory region due to incorrect offset calculation for the memory. [dj: Fixup commit log suggested by djbw] [dj: Fixup stable address for cc] Fixes: 12b3d697c812 ("cxl: Remove core/acpi.c and cxl core dependency on ACPI") Cc: stable@vger.kernel.org Reviewed-by: Gregory Price Reviewed-by: Alison Schofield Reviewed-by: Dan Williams Signed-off-by: Dave Jiang commit 7f9ee5fc97e14682e36fe22ae2654c07e4998b82 Author: Shardul Bankar Date: Tue Oct 14 17:30:37 2025 +0530 bpf: test_run: Fix ctx leak in bpf_prog_test_run_xdp error path Fix a memory leak in bpf_prog_test_run_xdp() where the context buffer allocated by bpf_ctx_init() is not freed when the function returns early due to a data size check. On the failing path: ctx = bpf_ctx_init(...); if (kattr->test.data_size_in - meta_sz < ETH_HLEN) return -EINVAL; The early return bypasses the cleanup label that kfree()s ctx, leading to a leak detectable by kmemleak under fuzzing. Change the return to jump to the existing free_ctx label. Fixes: fe9544ed1a2e ("bpf: Support specifying linear xdp packet data size for BPF_PROG_TEST_RUN") Reported-by: BPF Runtime Fuzzer (BRF) Signed-off-by: Shardul Bankar Signed-off-by: Martin KaFai Lau Acked-by: Jiri Olsa Acked-by: Daniel Borkmann Link: https://patch.msgid.link/20251014120037.1981316-1-shardulsb08@gmail.com commit df90f6cd29d8c77be6de4f9adf9cbe42ce2f0016 Author: Vlastimil Babka Date: Tue Oct 14 10:40:57 2025 +0200 slab: fix clearing freelist in free_deferred_objects() defer_free() links pending objects using the slab's freelist offset which is fine as they are not free yet. free_deferred_objects() then clears this pointer to avoid confusing the debugging consistency checks that may be enabled for the cache. However, with CONFIG_SLAB_FREELIST_HARDENED, even the NULL pointer needs to be encoded appropriately using set_freepointer(), otherwise it's decoded as something else and triggers the consistency checks, as found by the kernel test robot. Use set_freepointer() to prevent the issue. Fixes: af92793e52c3 ("slab: Introduce kmalloc_nolock() and kfree_nolock().") Reported-and-tested-by: kernel test robot Closes: https://lore.kernel.org/oe-lkp/202510101652.7921fdc6-lkp@intel.com Acked-by: Alexei Starovoitov Reviewed-by: Harry Yoo Signed-off-by: Vlastimil Babka commit 7e091add9c433bab6912228799bf508e2414acc3 Author: Martin George Date: Mon Sep 8 22:54:57 2025 +0530 nvme-auth: update sc_c in host response The sc_c field is currently not updated in the host response to the controller challenge leading to failures while attempting secure channel concatenation. Fix this by adding a new sc_c variable to the dhchap queue context structure which is appropriately set during negotiate and then used in the host response. Fixes: e88a7595b57f ("nvme-tcp: request secure channel concatenation") Signed-off-by: Martin George Signed-off-by: Prashanth Adurthi Reviewed-by: Hannes Reinecke Signed-off-by: Keith Busch commit 52e59f7740ba23bbb664914967df9a00208ca10c Author: Pranjal Ramajor Asha Kanojiya Date: Tue Oct 7 08:18:37 2025 +0200 accel/qaic: Synchronize access to DBC request queue head & tail pointer Two threads of the same process can potential read and write parallelly to head and tail pointers of the same DBC request queue. This could lead to a race condition and corrupt the DBC request queue. Fixes: ff13be830333 ("accel/qaic: Add datapath") Signed-off-by: Pranjal Ramajor Asha Kanojiya Signed-off-by: Youssef Samir Reviewed-by: Jeff Hugo Reviewed-by: Carl Vanderlip [jhugo: Add fixes tag] Signed-off-by: Jeff Hugo Link: https://lore.kernel.org/r/20251007061837.206132-1-youssef.abdulrahman@oss.qualcomm.com commit 11f08c30a3e4157305ba692f1d44cca5fc9a8fca Author: Youssef Samir Date: Tue Oct 7 14:23:20 2025 +0200 accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages() Currently, if find_and_map_user_pages() takes a DMA xfer request from the user with a length field set to 0, or in a rare case, the host receives QAIC_TRANS_DMA_XFER_CONT from the device where resources->xferred_dma_size is equal to the requested transaction size, the function will return 0 before allocating an sgt or setting the fields of the dma_xfer struct. In that case, encode_addr_size_pairs() will try to access the sgt which will lead to a general protection fault. Return an EINVAL in case the user provides a zero-sized ALP, or the device requests continuation after all of the bytes have been transferred. Fixes: 96d3c1cadedb ("accel/qaic: Clean up integer overflow checking in map_user_pages()") Signed-off-by: Youssef Samir Signed-off-by: Youssef Samir Reviewed-by: Jeff Hugo Reviewed-by: Carl Vanderlip Signed-off-by: Jeff Hugo Link: https://lore.kernel.org/r/20251007122320.339654-1-youssef.abdulrahman@oss.qualcomm.com commit fd6e385528d8f85993b7bfc6430576136bb14c65 Author: Jeff Hugo Date: Tue Oct 7 13:57:50 2025 +0200 accel/qaic: Fix bootlog initialization ordering As soon as we queue MHI buffers to receive the bootlog from the device, we could be receiving data. Therefore all the resources needed to process that data need to be setup prior to queuing the buffers. We currently initialize some of the resources after queuing the buffers which creates a race between the probe() and any data that comes back from the device. If the uninitialized resources are accessed, we could see page faults. Fix the init ordering to close the race. Fixes: 5f8df5c6def6 ("accel/qaic: Add bootlog debugfs") Signed-off-by: Jeffrey Hugo Signed-off-by: Youssef Samir Reviewed-by: Jeff Hugo Reviewed-by: Carl Vanderlip Signed-off-by: Jeff Hugo Link: https://lore.kernel.org/r/20251007115750.332169-1-youssef.abdulrahman@oss.qualcomm.com commit d41f68dff783d181a8fd462e612bda0fbab7f735 Author: Randy Dunlap Date: Mon Oct 13 20:05:52 2025 -0700 ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings Fix spelling of CIP_NO_HEADER to prevent a kernel-doc warning. Warning: amdtp-stream.h:57 Enum value 'CIP_NO_HEADER' not described in enum 'cip_flags' Warning: amdtp-stream.h:57 Excess enum value '%CIP_NO_HEADERS' description in 'cip_flags' Fixes: 3b196c394dd9f ("ALSA: firewire-lib: add no-header packet processing") Signed-off-by: Randy Dunlap Reviewed-by: Takashi Sakamoto Signed-off-by: Takashi Iwai commit 4f86eb0a38bc719ba966f155071a6f0594327f34 Author: Wang Liang Date: Mon Oct 13 16:00:39 2025 +0800 selftests: net: check jq command is supported The jq command is used in vlan_bridge_binding.sh, if it is not supported, the test will spam the following log. # ./vlan_bridge_binding.sh: line 51: jq: command not found # ./vlan_bridge_binding.sh: line 51: jq: command not found # ./vlan_bridge_binding.sh: line 51: jq: command not found # ./vlan_bridge_binding.sh: line 51: jq: command not found # ./vlan_bridge_binding.sh: line 51: jq: command not found # TEST: Test bridge_binding on->off when lower down [FAIL] # Got operstate of , expected 0 The rtnetlink.sh has the same problem. It makes sense to check if jq is installed before running these tests. After this patch, the vlan_bridge_binding.sh skipped if jq is not supported: # timeout set to 3600 # selftests: net: vlan_bridge_binding.sh # TEST: jq not installed [SKIP] Fixes: dca12e9ab760 ("selftests: net: Add a VLAN bridge binding selftest") Fixes: 6a414fd77f61 ("selftests: rtnetlink: Add an address proto test") Signed-off-by: Wang Liang Reviewed-by: Hangbin Liu Link: https://patch.msgid.link/20251013080039.3035898-1-wangliang74@huawei.com Signed-off-by: Paolo Abeni commit 867537094124b0736ca2a40193de94fc5dc0b8d3 Author: Rob Herring (Arm) Date: Mon Oct 13 16:31:18 2025 -0500 dt-bindings: i2c: Convert apm,xgene-slimpro-i2c to DT schema Convert APM X-Gene slimpro-i2c binding to DT schema format. It's a straight-forward conversion. Signed-off-by: Rob Herring (Arm) Signed-off-by: Wolfram Sang commit 72f437e674e54f1c143dccc67e5556d8d5acb241 Author: Hans de Goede Date: Wed Oct 1 23:23:10 2025 +0200 i2c: usbio: Add ACPI device-id for MTL-CVF devices Add "INTC10D2" ACPI device-id for MTL-CVF devices, like the Dell Latitude 7450. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2368506 Signed-off-by: Hans de Goede Acked-by: Sakari Ailus Acked-by: Israel Cepeda Signed-off-by: Wolfram Sang commit ae11e08c3d0c78d08dac4cea30bf39ede2130b03 Author: Sakari Ailus Date: Fri Jul 4 10:54:15 2025 +0300 i2c: Remove redundant pm_runtime_mark_last_busy() calls pm_runtime_put_autosuspend(), pm_runtime_put_sync_autosuspend(), pm_runtime_autosuspend() and pm_request_autosuspend() now include a call to pm_runtime_mark_last_busy(). Remove the now-reduntant explicit call to pm_runtime_mark_last_busy(). Signed-off-by: Sakari Ailus Acked-by: Andi Shyti Signed-off-by: Wolfram Sang commit 17e3e88ed0b6318fde0d1c14df1a804711cab1b5 Author: Vincent Guittot Date: Wed Oct 8 15:12:14 2025 +0200 sched/fair: Fix pelt lost idle time detection The check for some lost idle pelt time should be always done when pick_next_task_fair() fails to pick a task and not only when we call it from the fair fast-path. The case happens when the last running task on rq is a RT or DL task. When the latter goes to sleep and the /Sum of util_sum of the rq is at the max value, we don't account the lost of idle time whereas we should. Fixes: 67692435c411 ("sched: Rework pick_next_task() slow-path") Signed-off-by: Vincent Guittot Signed-off-by: Peter Zijlstra (Intel) commit ee6e44dfe6e50b4a5df853d933a96bdff5309e6e Author: Peter Zijlstra (Intel) Date: Fri Oct 10 00:17:27 2025 +0530 sched/deadline: Stop dl_server before CPU goes offline IBM CI tool reported kernel warning[1] when running a CPU removal operation through drmgr[2]. i.e "drmgr -c cpu -r -q 1" WARNING: CPU: 0 PID: 0 at kernel/sched/cpudeadline.c:219 cpudl_set+0x58/0x170 NIP [c0000000002b6ed8] cpudl_set+0x58/0x170 LR [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 Call Trace: [c000000002c2f8c0] init_stack+0x78c0/0x8000 (unreliable) [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 [c00000000034df84] __hrtimer_run_queues+0x1a4/0x390 [c00000000034f624] hrtimer_interrupt+0x124/0x300 [c00000000002a230] timer_interrupt+0x140/0x320 Git bisects to: commit 4ae8d9aa9f9d ("sched/deadline: Fix dl_server getting stuck") This happens since: - dl_server hrtimer gets enqueued close to cpu offline, when kthread_park enqueues a fair task. - CPU goes offline and drmgr removes it from cpu_present_mask. - hrtimer fires and warning is hit. Fix it by stopping the dl_server before CPU is marked dead. [1]: https://lore.kernel.org/all/8218e149-7718-4432-9312-f97297c352b9@linux.ibm.com/ [2]: https://github.com/ibm-power-utilities/powerpc-utils/tree/next/src/drmgr [sshegde: wrote the changelog and tested it] Fixes: 4ae8d9aa9f9d ("sched/deadline: Fix dl_server getting stuck") Closes: https://lore.kernel.org/all/8218e149-7718-4432-9312-f97297c352b9@linux.ibm.com Signed-off-by: Peter Zijlstra (Intel) Reported-by: Venkat Rao Bagalkote Signed-off-by: Shrikanth Hegde Signed-off-by: Peter Zijlstra (Intel) Tested-by: Marek Szyprowski Tested-by: Shrikanth Hegde commit a7cdc2086c19e435d4cec3f9393b5f46899c0468 Author: Colin Ian King Date: Sun Sep 28 22:01:18 2025 +0100 HID: hid-debug: Fix spelling mistake "Rechargable" -> "Rechargeable" There is a spelling mistake in HID description. Fix it. Signed-off-by: Colin Ian King Signed-off-by: Jiri Kosina commit bd5afca115f181c85f992d42a57cd497bc823ccb Author: Lorenzo Bianconi Date: Sun Oct 12 11:19:44 2025 +0200 net: airoha: Take into account out-of-order tx completions in airoha_dev_xmit() Completion napi can free out-of-order tx descriptors if hw QoS is enabled and packets with different priority are queued to same DMA ring. Take into account possible out-of-order reports checking if the tx queue is full using circular buffer head/tail pointer instead of the number of queued packets. Fixes: 23020f0493270 ("net: airoha: Introduce ethernet support for EN7581 SoC") Suggested-by: Simon Horman Signed-off-by: Lorenzo Bianconi Reviewed-by: Simon Horman Link: https://patch.msgid.link/20251012-airoha-tx-busy-queue-v2-1-a600b08bab2d@kernel.org Signed-off-by: Paolo Abeni commit 295ce1eb36ae47dc862d6c8a1012618a25516208 Author: Eric Dumazet Date: Sat Oct 11 11:57:42 2025 +0000 tcp: fix tcp_tso_should_defer() vs large RTT Neal reported that using neper tcp_stream with TCP_TX_DELAY set to 50ms would often lead to flows stuck in a small cwnd mode, regardless of the congestion control. While tcp_stream sets TCP_TX_DELAY too late after the connect(), it highlighted two kernel bugs. The following heuristic in tcp_tso_should_defer() seems wrong for large RTT: delta = tp->tcp_clock_cache - head->tstamp; /* If next ACK is likely to come too late (half srtt), do not defer */ if ((s64)(delta - (u64)NSEC_PER_USEC * (tp->srtt_us >> 4)) < 0) goto send_now; If next ACK is expected to come in more than 1 ms, we should not defer because we prefer a smooth ACK clocking. While blamed commit was a step in the good direction, it was not generic enough. Another patch fixing TCP_TX_DELAY for established flows will be proposed when net-next reopens. Fixes: 50c8339e9299 ("tcp: tso: restore IW10 after TSO autosizing") Reported-by: Neal Cardwell Signed-off-by: Eric Dumazet Reviewed-by: Neal Cardwell Tested-by: Neal Cardwell Link: https://patch.msgid.link/20251011115742.1245771-1-edumazet@google.com [pabeni@redhat.com: fixed whitespace issue] Signed-off-by: Paolo Abeni commit 083a4f3f3cc7d107728c8f297e4f6276f0876b2d Author: Jonathan Denose Date: Mon Oct 13 20:54:57 2025 +0000 HID: Kconfig: Fix build error from CONFIG_HID_HAPTIC Temporarily change CONFIG_HID_HAPTIC to be bool instead of tristate, until we implement a permanent solution. Recently the CONFIG_HID_HAPTIC Kconfig option was reported as causing the following build errors: MODPOST Module.symvers ERROR: modpost: "hid_haptic_init" [drivers/hid/hid-multitouch.ko] undefined! ERROR: modpost: "hid_haptic_pressure_increase" [drivers/hid/hid-multitouch.ko] undefined! ERROR: modpost: "hid_haptic_check_pressure_unit" [drivers/hid/hid-multitouch.ko] undefined! ERROR: modpost: "hid_haptic_input_configured" [drivers/hid/hid-multitouch.ko] undefined! ERROR: modpost: "hid_haptic_input_mapping" [drivers/hid/hid-multitouch.ko] undefined! ERROR: modpost: "hid_haptic_feature_mapping" [drivers/hid/hid-multitouch.ko] undefined! ERROR: modpost: "hid_haptic_pressure_reset" [drivers/hid/hid-multitouch.ko] undefined! make[3]: *** [/home/thl/var/linux.dev/scripts/Makefile.modpost:147: Module.symvers] Error 1 when the kernel is compiled with the following configuration: CONFIG_HID=y CONFIG_HID_MULTITOUCH=m CONFIG_HID_HAPTIC=m To resolve this, temporarily change the CONFIG_HID_HAPTIC option to be bool, until we arrive at a permanent solution to enable CONFIG_HID_HAPTIC to be tristate. For a more detailed discussion, see [1]. [1]: https://lore.kernel.org/linux-input/auypydfkhx2eg7vp764way4batdilzc35inqda3exwzs3tk3ff@oagat6g46zto/ Signed-off-by: Jonathan Denose Signed-off-by: Jiri Kosina commit 75527d61d60d493d1eb064f335071a20ca581f54 Author: Yi Cong Date: Sat Oct 11 16:24:15 2025 +0800 r8152: add error handling in rtl8152_driver_init rtl8152_driver_init() is missing the error handling. When rtl8152_driver registration fails, rtl8152_cfgselector_driver should be deregistered. Fixes: ec51fbd1b8a2 ("r8152: add USB device driver for config selection") Cc: stable@vger.kernel.org Signed-off-by: Yi Cong Reviewed-by: Simon Horman Link: https://patch.msgid.link/20251011082415.580740-1-yicongsrfy@163.com [pabeni@redhat.com: clarified the commit message] Signed-off-by: Paolo Abeni commit b8874720b2f33a06ff1d4cf3827e7ec1195cb360 Author: Vicki Pfau Date: Mon Oct 6 18:05:33 2025 -0700 HID: nintendo: Rate limit IMU compensation message Some controllers are very bad at updating the IMU, leading to these messages spamming the syslog. Rate-limiting them helps with this a bit. Signed-off-by: Vicki Pfau Signed-off-by: Jiri Kosina commit b73bc6a51f0c0066912c7e181acee41091c70fe6 Author: Vicki Pfau Date: Mon Oct 6 18:05:32 2025 -0700 HID: nintendo: Wait longer for initial probe Some third-party controllers, such as the PB Tails CHOC, won't always respond quickly on startup. Since this packet is needed for probe, and only once during probe, let's just wait an extra second, which makes connecting consistent. Signed-off-by: Vicki Pfau Signed-off-by: Jiri Kosina commit 1d64624243af8329b4b219d8c39e28ea448f9929 Author: Vicki Pfau Date: Mon Oct 6 18:05:31 2025 -0700 HID: core: Add printk_ratelimited variants to hid_warn() etc hid_warn_ratelimited() is needed. Add the others as part of the block. Signed-off-by: Vicki Pfau Signed-off-by: Jiri Kosina commit 327cd4b68b4398b6c24f10eb2b2533ffbfc10185 Author: Zqiang Date: Sat Oct 11 15:05:18 2025 +0800 usbnet: Fix using smp_processor_id() in preemptible code warnings Syzbot reported the following warning: BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879 caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331 CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary) Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49 usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331 usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708 usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417 __dev_set_mtu net/core/dev.c:9443 [inline] netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496 netif_set_mtu+0xb0/0x160 net/core/dev.c:9520 dev_set_mtu+0xae/0x170 net/core/dev_api.c:247 dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572 dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821 sock_do_ioctl+0x19d/0x280 net/socket.c:1204 sock_ioctl+0x42f/0x6a0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f For historical and portability reasons, the netif_rx() is usually run in the softirq or interrupt context, this commit therefore add local_bh_disable/enable() protection in the usbnet_resume_rx(). Fixes: 43daa96b166c ("usbnet: Stop RX Q on MTU change") Link: https://syzkaller.appspot.com/bug?id=81f55dfa587ee544baaaa5a359a060512228c1e1 Suggested-by: Jakub Kicinski Signed-off-by: Zqiang Link: https://patch.msgid.link/20251011070518.7095-1-qiang.zhang@linux.dev Signed-off-by: Paolo Abeni commit 1141ed52348d3df82d3fd2316128b3fc6203a68c Author: Oleg Makarenko Date: Mon Sep 29 18:46:11 2025 +0300 HID: quirks: Add ALWAYS_POLL quirk for VRS R295 steering wheel This patch adds ALWAYS_POLL quirk for the VRS R295 steering wheel joystick. This device reboots itself every 8-10 seconds if it is not polled. Signed-off-by: Oleg Makarenko Signed-off-by: Jiri Kosina commit 0be4253bf878d9aaa2b96031ac8683fceeb81480 Author: Tristan Lobb Date: Sun Sep 28 18:25:43 2025 +0200 HID: quirks: avoid Cooler Master MM712 dongle wakeup bug The Cooler Master Mice Dongle includes a vendor defined HID interface alongside its mouse interface. Not polling it will cause the mouse to stop responding to polls on any interface once woken up again after going into power saving mode. Add the HID_QUIRK_ALWAYS_POLL quirk alongside the Cooler Master VID and the Dongle's PID. Signed-off-by: Tristan Lobb Signed-off-by: Jiri Kosina commit c5705a2a4aa35350e504b72a94b5c71c3754833c Author: Harshit Mogalapalli Date: Fri Oct 10 13:42:39 2025 -0700 Octeontx2-af: Fix missing error code in cgx_probe() When CGX fails mapping to NIX, set the error code to -ENODEV, currently err is zero and that is treated as success path. Reported-by: Dan Carpenter Closes: https://lore.kernel.org/all/aLAdlCg2_Yv7Y-3h@stanley.mountain/ Fixes: d280233fc866 ("Octeontx2-af: Fix NIX X2P calibration failures") Signed-off-by: Harshit Mogalapalli Reviewed-by: Simon Horman Link: https://patch.msgid.link/20251010204239.94237-1-harshit.m.mogalapalli@oracle.com Signed-off-by: Paolo Abeni commit 362f21536966d7039da1de762f28f4ad44565acc Author: Deepak Sharma Date: Fri Sep 26 20:28:11 2025 +0530 HID: cp2112: Add parameter validation to data length Syzkaller reported a stack OOB access in cp2112_write_req caused by lack of parameter validation for the user input in I2C SMBUS ioctl in cp2112 driver Add the parameter validation for the data->block[0] to be bounded by I2C_SMBUS_BLOCK_MAX + the additional compatibility padding [jkosina@suse.com: fix whitespace damage] Reported-by: syzbot+7617e19c8a59edfbd879@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=7617e19c8a59edfbd879 Tested-by: syzbot+7617e19c8a59edfbd879@syzkaller.appspotmail.com Signed-off-by: Deepak Sharma Signed-off-by: Jiri Kosina commit 50f1f782f8d621a90108340c632bcb6ab4307d2e Author: Abhishek Tamboli Date: Wed Sep 24 10:07:20 2025 +0530 HID: intel-thc-hid: intel-quickspi: Add ARL PCI Device Id's Add the missing PCI ID for the quickspi device used on the Lenovo Yoga Pro 9i 16IAH10. Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=220567 Signed-off-by: Abhishek Tamboli Reviewed-by: Even Xu Signed-off-by: Jiri Kosina commit 8fe2cd8ec84b3592b57f40b080f9d5aeebd553af Author: Even Xu Date: Fri Sep 19 15:09:39 2025 +0800 HID: intel-thc-hid: Intel-quickspi: switch first interrupt from level to edge detection The original implementation used level detection for the first interrupt after device reset to avoid potential interrupt line noise and missed interrupts during the initialization phase. However, this approach introduced unintended side effects when tested with certain touch panels, including: - Delayed hardware interrupt response - Multiple spurious interrupt triggers Switching back to edge detection for the first interrupt resolves these issues while maintaining reliable interrupt handling. Extensive testing across multiple platforms with touch panels from various vendors confirms this change introduces no regressions. [jkosina@suse.com: properly capitalize shortlog] Fixes: 9d8d51735a3a ("HID: intel-thc-hid: intel-quickspi: Add HIDSPI protocol implementation") Tested-by: Rui Zhang Signed-off-by: Even Xu Signed-off-by: Jiri Kosina commit 6c26c055523d915afb8d18e7277848eff66a3085 Author: Xinpeng Sun Date: Thu Oct 9 11:31:08 2025 +0800 HID: intel-thc-hid: intel-quicki2c: Fix wrong type casting The type definition of qcdev->i2c_max_frame_size is already u32, so remove the unnecessary type casting le16_to_cpu. Signed-off-by: Xinpeng Sun Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202509280841.pxmgBzKW-lkp@intel.com/ Signed-off-by: Jiri Kosina commit fa4f4bae893fbce8a3edfff1ab7ece0c01dc1328 Author: Adrian Hunter Date: Mon Oct 13 10:22:44 2025 +0300 perf/core: Fix MMAP2 event device with backing files Some file systems like FUSE-based ones or overlayfs may record the backing file in struct vm_area_struct vm_file, instead of the user file that the user mmapped. That causes perf to misreport the device major/minor numbers of the file system of the file, and the generation of the file, and potentially other inode details. There is an existing helper file_user_inode() for that situation. Use file_user_inode() instead of file_inode() to get the inode for MMAP2 events. Example: Setup: # cd /root # mkdir test ; cd test ; mkdir lower upper work merged # cp `which cat` lower # mount -t overlay overlay -olowerdir=lower,upperdir=upper,workdir=work merged # perf record -e cycles:u -- /root/test/merged/cat /proc/self/maps ... 55b2c91d0000-55b2c926b000 r-xp 00018000 00:1a 3419 /root/test/merged/cat ... [ perf record: Woken up 1 times to write data ] [ perf record: Captured and wrote 0.004 MB perf.data (5 samples) ] # # stat /root/test/merged/cat File: /root/test/merged/cat Size: 1127792 Blocks: 2208 IO Block: 4096 regular file Device: 0,26 Inode: 3419 Links: 1 Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2025-09-08 12:23:59.453309624 +0000 Modify: 2025-09-08 12:23:59.454309624 +0000 Change: 2025-09-08 12:23:59.454309624 +0000 Birth: 2025-09-08 12:23:59.453309624 +0000 Before: Device reported 00:02 differs from stat output and /proc/self/maps # perf script --show-mmap-events | grep /root/test/merged/cat cat 377 [-01] 243.078558: PERF_RECORD_MMAP2 377/377: [0x55b2c91d0000(0x9b000) @ 0x18000 00:02 3419 2068525940]: r-xp /root/test/merged/cat After: Device reported 00:1a is the same as stat output and /proc/self/maps # perf script --show-mmap-events | grep /root/test/merged/cat cat 362 [-01] 127.755167: PERF_RECORD_MMAP2 362/362: [0x55ba6e781000(0x9b000) @ 0x18000 00:1a 3419 0]: r-xp /root/test/merged/cat With respect to stable kernels, overlayfs mmap function ovl_mmap() was added in v4.19 but file_user_inode() was not added until v6.8 and never back-ported to stable kernels. FMODE_BACKING that it depends on was added in v6.5. This issue has gone largely unnoticed, so back-porting before v6.8 is probably not worth it, so put 6.8 as the stable kernel prerequisite version, although in practice the next long term kernel is 6.12. Signed-off-by: Adrian Hunter Signed-off-by: Peter Zijlstra (Intel) Acked-by: Amir Goldstein Cc: stable@vger.kernel.org # 6.8 commit 8818f507a9391019a3ec7c57b1a32e4b386e48a5 Author: Adrian Hunter Date: Mon Oct 13 10:22:43 2025 +0300 perf/core: Fix MMAP event path names with backing files Some file systems like FUSE-based ones or overlayfs may record the backing file in struct vm_area_struct vm_file, instead of the user file that the user mmapped. Since commit def3ae83da02f ("fs: store real path instead of fake path in backing file f_path"), file_path() no longer returns the user file path when applied to a backing file. There is an existing helper file_user_path() for that situation. Use file_user_path() instead of file_path() to get the path for MMAP and MMAP2 events. Example: Setup: # cd /root # mkdir test ; cd test ; mkdir lower upper work merged # cp `which cat` lower # mount -t overlay overlay -olowerdir=lower,upperdir=upper,workdir=work merged # perf record -e intel_pt//u -- /root/test/merged/cat /proc/self/maps ... 55b0ba399000-55b0ba434000 r-xp 00018000 00:1a 3419 /root/test/merged/cat ... [ perf record: Woken up 1 times to write data ] [ perf record: Captured and wrote 0.060 MB perf.data ] # Before: File name is wrong (/cat), so decoding fails: # perf script --no-itrace --show-mmap-events cat 367 [016] 100.491492: PERF_RECORD_MMAP2 367/367: [0x55b0ba399000(0x9b000) @ 0x18000 00:02 3419 489959280]: r-xp /cat ... # perf script --itrace=e | wc -l Warning: 19 instruction trace errors 19 # After: File name is correct (/root/test/merged/cat), so decoding is ok: # perf script --no-itrace --show-mmap-events cat 364 [016] 72.153006: PERF_RECORD_MMAP2 364/364: [0x55ce4003d000(0x9b000) @ 0x18000 00:02 3419 3132534314]: r-xp /root/test/merged/cat # perf script --itrace=e # perf script --itrace=e | wc -l 0 # Fixes: def3ae83da02f ("fs: store real path instead of fake path in backing file f_path") Signed-off-by: Adrian Hunter Signed-off-by: Peter Zijlstra (Intel) Acked-by: Amir Goldstein Cc: stable@vger.kernel.org commit ebfc8542ad62d066771e46c8aa30f5624b89cad8 Author: Adrian Hunter Date: Mon Oct 13 10:22:42 2025 +0300 perf/core: Fix address filter match with backing files It was reported that Intel PT address filters do not work in Docker containers. That relates to the use of overlayfs. overlayfs records the backing file in struct vm_area_struct vm_file, instead of the user file that the user mmapped. In order for an address filter to match, it must compare to the user file inode. There is an existing helper file_user_inode() for that situation. Use file_user_inode() instead of file_inode() to get the inode for address filter matching. Example: Setup: # cd /root # mkdir test ; cd test ; mkdir lower upper work merged # cp `which cat` lower # mount -t overlay overlay -olowerdir=lower,upperdir=upper,workdir=work merged # perf record --buildid-mmap -e intel_pt//u --filter 'filter * @ /root/test/merged/cat' -- /root/test/merged/cat /proc/self/maps ... 55d61d246000-55d61d2e1000 r-xp 00018000 00:1a 3418 /root/test/merged/cat ... [ perf record: Woken up 1 times to write data ] [ perf record: Captured and wrote 0.015 MB perf.data ] # perf buildid-cache --add /root/test/merged/cat Before: Address filter does not match so there are no control flow packets # perf script --itrace=e # perf script --itrace=b | wc -l 0 # perf script -D | grep 'TIP.PGE' | wc -l 0 # After: Address filter does match so there are control flow packets # perf script --itrace=e # perf script --itrace=b | wc -l 235 # perf script -D | grep 'TIP.PGE' | wc -l 57 # With respect to stable kernels, overlayfs mmap function ovl_mmap() was added in v4.19 but file_user_inode() was not added until v6.8 and never back-ported to stable kernels. FMODE_BACKING that it depends on was added in v6.5. This issue has gone largely unnoticed, so back-porting before v6.8 is probably not worth it, so put 6.8 as the stable kernel prerequisite version, although in practice the next long term kernel is 6.12. Closes: https://lore.kernel.org/linux-perf-users/aBCwoq7w8ohBRQCh@fremen.lan Reported-by: Edd Barrett Signed-off-by: Adrian Hunter Signed-off-by: Peter Zijlstra (Intel) Acked-by: Amir Goldstein Cc: stable@vger.kernel.org # 6.8 commit 62685ab071de7c39499212bff19f1b5bc0148bc7 Author: Jiri Olsa Date: Wed Oct 1 15:24:49 2025 +0200 uprobe: Move arch_uprobe_optimize right after handlers execution It's less confusing to optimize uprobe right after handlers execution and before we do the check for changed ip register to avoid situations where changed ip register would skip uprobe optimization. Suggested-by: Linus Torvalds Signed-off-by: Jiri Olsa Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Masami Hiramatsu (Google) Acked-by: Andrii Nakryiko Acked-by: Oleg Nesterov commit 7f38a1487555604bc4e210fa7cc9b1bce981c40e Author: Alok Tiwari Date: Sun Oct 12 07:20:01 2025 -0700 drm/rockchip: vop2: use correct destination rectangle height check The vop2_plane_atomic_check() function incorrectly checks drm_rect_width(dest) twice instead of verifying both width and height. Fix the second condition to use drm_rect_height(dest) so that invalid destination rectangles with height < 4 are correctly rejected. Fixes: 604be85547ce ("drm/rockchip: Add VOP2 driver") Signed-off-by: Alok Tiwari Reviewed-by: Andy Yan Signed-off-by: Heiko Stuebner Link: https://lore.kernel.org/r/20251012142005.660727-1-alok.a.tiwari@oracle.com commit 2616222e423398bb374ffcb5d23dea4ba2c3e524 Author: Raju Rangoju Date: Fri Oct 10 12:21:42 2025 +0530 amd-xgbe: Avoid spurious link down messages during interface toggle During interface toggle operations (ifdown/ifup), the driver currently resets the local helper variable 'phy_link' to -1. This causes the link state machine to incorrectly interpret the state as a link change event, resulting in spurious "Link is down" messages being logged when the interface is brought back up. Preserve the phy_link state across interface toggles to avoid treating the -1 sentinel value as a legitimate link state transition. Fixes: 88131a812b16 ("amd-xgbe: Perform phy connect/disconnect at dev open/stop") Signed-off-by: Raju Rangoju Reviewed-by: Dawid Osuchowski Link: https://patch.msgid.link/20251010065142.1189310-1-Raju.Rangoju@amd.com Signed-off-by: Paolo Abeni commit 095232711f23179053ca26bcf046ca121a91a465 Author: Francesco Valla Date: Fri Oct 3 12:33:03 2025 +0200 drm/draw: fix color truncation in drm_draw_fill24 The color parameter passed to drm_draw_fill24() was truncated to 16 bits, leading to an incorrect color drawn to the target iosys_map. Fix this behavior, widening the parameter to 32 bits. Fixes: 31fa2c1ca0b2 ("drm/panic: Move drawing functions to drm_draw") Signed-off-by: Francesco Valla Reviewed-by: Jocelyn Falempe Link: https://lore.kernel.org/r/20251003-drm_draw_fill24_fix-v1-1-8fb7c1c2a893@valla.it Signed-off-by: Jocelyn Falempe commit ca88ecdce5f51874a7c151809bd2c936ee0d3805 Author: Marc Zyngier Date: Wed Oct 8 22:35:15 2025 +0100 arm64: Revamp HCR_EL2.E2H RES1 detection We currently have two ways to identify CPUs that only implement FEAT_VHE and not FEAT_E2H0: - either they advertise it via ID_AA64MMFR4_EL1.E2H0, - or the HCR_EL2.E2H bit is RAO/WI However, there is a third category of "cpus" that fall between these two cases: on CPUs that do not implement FEAT_FGT, it is IMPDEF whether an access to ID_AA64MMFR4_EL1 can trap to EL2 when the register value is zero. A consequence of this is that on systems such as Neoverse V2, a NV guest cannot reliably detect that it is in a VHE-only configuration (E2H is writable, and ID_AA64MMFR0_EL1 is 0), despite the hypervisor's best effort to repaint the id register. Replace the RAO/WI test by a sequence that makes use of the VHE register remnapping between EL1 and EL2 to detect this situation, and work out whether we get the VHE behaviour even after having set HCR_EL2.E2H to 0. This solves the NV problem, and provides a more reliable acid test for CPUs that do not completely follow the letter of the architecture while providing a RES1 behaviour for HCR_EL2.E2H. Suggested-by: Mark Rutland Acked-by: Mark Rutland Acked-by: Catalin Marinas Reviewed-by: Oliver Upton Tested-by: Jan Kotas Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/15A85F2B-1A0C-4FA7-9FE4-EEC2203CC09E@global.cadence.com commit c065b6046b3493a878c2ceb810aed845431badb4 Author: Theodore Ts'o Date: Mon Oct 13 21:50:40 2025 -0400 Use CONFIG_EXT4_FS instead of CONFIG_EXT3_FS in all of the defconfigs Commit d6ace46c82fd ("ext4: remove obsolete EXT3 config options") removed the obsolete EXT3_CONFIG options, since it had been over a decade since fs/ext3 had been removed. Unfortunately, there were a number of defconfigs that still used CONFIG_EXT3_FS which the cleanup commit didn't fix up. This led to a large number of defconfig test builds to fail. Oops. Fixes: d6ace46c82fd ("ext4: remove obsolete EXT3 config options") Signed-off-by: Theodore Ts'o commit 2c67301584f2671e320236df6bbe75ae09feb4d0 Author: Marek Vasut Date: Sat Oct 11 13:02:49 2025 +0200 net: phy: realtek: Avoid PHYCR2 access if PHYCR2 not present The driver is currently checking for PHYCR2 register presence in rtl8211f_config_init(), but it does so after accessing PHYCR2 to disable EEE. This was introduced in commit bfc17c165835 ("net: phy: realtek: disable PHY-mode EEE"). Move the PHYCR2 presence test before the EEE disablement and simplify the code. Fixes: bfc17c165835 ("net: phy: realtek: disable PHY-mode EEE") Signed-off-by: Marek Vasut Reviewed-by: Maxime Chevallier Reviewed-by: Russell King (Oracle) Link: https://patch.msgid.link/20251011110309.12664-1-marek.vasut@mailbox.org Signed-off-by: Jakub Kicinski commit 5feef67b646d8f5064bac288e22204ffba2b9a4a Author: Koichiro Den Date: Thu Oct 9 17:03:51 2025 -0700 ixgbe: fix too early devlink_free() in ixgbe_remove() Since ixgbe_adapter is embedded in devlink, calling devlink_free() prematurely in the ixgbe_remove() path can lead to UAF. Move devlink_free() to the end. KASAN report: BUG: KASAN: use-after-free in ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe] Read of size 8 at addr ffff0000adf813e0 by task bash/2095 CPU: 1 UID: 0 PID: 2095 Comm: bash Tainted: G S 6.17.0-rc2-tnguy.net-queue+ #1 PREEMPT(full) [...] Call trace: show_stack+0x30/0x90 (C) dump_stack_lvl+0x9c/0xd0 print_address_description.constprop.0+0x90/0x310 print_report+0x104/0x1f0 kasan_report+0x88/0x180 __asan_report_load8_noabort+0x20/0x30 ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe] ixgbe_clear_interrupt_scheme+0xf8/0x130 [ixgbe] ixgbe_remove+0x2d0/0x8c0 [ixgbe] pci_device_remove+0xa0/0x220 device_remove+0xb8/0x170 device_release_driver_internal+0x318/0x490 device_driver_detach+0x40/0x68 unbind_store+0xec/0x118 drv_attr_store+0x64/0xb8 sysfs_kf_write+0xcc/0x138 kernfs_fop_write_iter+0x294/0x440 new_sync_write+0x1fc/0x588 vfs_write+0x480/0x6a0 ksys_write+0xf0/0x1e0 __arm64_sys_write+0x70/0xc0 invoke_syscall.constprop.0+0xcc/0x280 el0_svc_common.constprop.0+0xa8/0x248 do_el0_svc+0x44/0x68 el0_svc+0x54/0x160 el0t_64_sync_handler+0xa0/0xe8 el0t_64_sync+0x1b0/0x1b8 Fixes: a0285236ab93 ("ixgbe: add initial devlink support") Signed-off-by: Koichiro Den Tested-by: Rinitha S Reviewed-by: Jedrzej Jagielski Reviewed-by: Aleksandr Loktionov Reviewed-by: Paul Menzel Signed-off-by: Jacob Keller Link: https://patch.msgid.link/20251009-jk-iwl-net-2025-10-01-v3-6-ef32a425b92a@intel.com Signed-off-by: Jakub Kicinski commit 823be089f9c8ab136ba382b516aedd3f7ac854bd Author: Jedrzej Jagielski Date: Thu Oct 9 17:03:50 2025 -0700 ixgbe: handle IXGBE_VF_FEATURES_NEGOTIATE mbox cmd Send to VF information about features supported by the PF driver. Increase API version to 1.7. Reviewed-by: Przemek Kitszel Reviewed-by: Aleksandr Loktionov Signed-off-by: Jedrzej Jagielski Tested-by: Rafal Romanowski Signed-off-by: Jacob Keller Link: https://patch.msgid.link/20251009-jk-iwl-net-2025-10-01-v3-5-ef32a425b92a@intel.com Signed-off-by: Jakub Kicinski commit a7075f501bd33c93570af759b6f4302ef0175168 Author: Jedrzej Jagielski Date: Thu Oct 9 17:03:49 2025 -0700 ixgbevf: fix mailbox API compatibility by negotiating supported features There was backward compatibility in the terms of mailbox API. Various drivers from various OSes supporting 10G adapters from Intel portfolio could easily negotiate mailbox API. This convention has been broken since introducing API 1.4. Commit 0062e7cc955e ("ixgbevf: add VF IPsec offload code") added support for IPSec which is specific only for the kernel ixgbe driver. None of the rest of the Intel 10G PF/VF drivers supports it. And actually lack of support was not included in the IPSec implementation - there were no such code paths. No possibility to negotiate support for the feature was introduced along with introduction of the feature itself. Commit 339f28964147 ("ixgbevf: Add support for new mailbox communication between PF and VF") increasing API version to 1.5 did the same - it introduced code supported specifically by the PF ESX driver. It altered API version for the VF driver in the same time not touching the version defined for the PF ixgbe driver. It led to additional discrepancies, as the code provided within API 1.6 cannot be supported for Linux ixgbe driver as it causes crashes. The issue was noticed some time ago and mitigated by Jake within the commit d0725312adf5 ("ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5"). As a result we have regression for IPsec support and after increasing API to version 1.6 ixgbevf driver stopped to support ESX MBX. To fix this mess add new mailbox op asking PF driver about supported features. Basing on a response determine whether to set support for IPSec and ESX-specific enhanced mailbox. New mailbox op, for compatibility purposes, must be added within new API revision, as API version of OOT PF & VF drivers is already increased to 1.6 and doesn't incorporate features negotiate op. Features negotiation mechanism gives possibility to be extended with new features when needed in the future. Reported-by: Jacob Keller Closes: https://lore.kernel.org/intel-wired-lan/20241101-jk-ixgbevf-mailbox-v1-5-fixes-v1-0-f556dc9a66ed@intel.com/ Fixes: 0062e7cc955e ("ixgbevf: add VF IPsec offload code") Fixes: 339f28964147 ("ixgbevf: Add support for new mailbox communication between PF and VF") Reviewed-by: Jacob Keller Reviewed-by: Przemek Kitszel Reviewed-by: Aleksandr Loktionov Cc: stable@vger.kernel.org Signed-off-by: Jedrzej Jagielski Tested-by: Rafal Romanowski Signed-off-by: Jacob Keller Link: https://patch.msgid.link/20251009-jk-iwl-net-2025-10-01-v3-4-ef32a425b92a@intel.com Signed-off-by: Jakub Kicinski commit f7f97cbc03a470ce405d48dedb7f135713caa0fa Author: Jedrzej Jagielski Date: Thu Oct 9 17:03:48 2025 -0700 ixgbe: handle IXGBE_VF_GET_PF_LINK_STATE mailbox operation Update supported API version and provide handler for IXGBE_VF_GET_PF_LINK_STATE cmd. Simply put stored values of link speed and link_up from adapter context. Reviewed-by: Przemek Kitszel Reviewed-by: Aleksandr Loktionov Signed-off-by: Jedrzej Jagielski Link: https://lore.kernel.org/stable/20250828095227.1857066-3-jedrzej.jagielski%40intel.com Tested-by: Rafal Romanowski Signed-off-by: Jacob Keller Link: https://patch.msgid.link/20251009-jk-iwl-net-2025-10-01-v3-3-ef32a425b92a@intel.com Signed-off-by: Jakub Kicinski commit 53f0eb62b4d23d40686f2dd51776b8220f2887bb Author: Jedrzej Jagielski Date: Thu Oct 9 17:03:47 2025 -0700 ixgbevf: fix getting link speed data for E610 devices E610 adapters no longer use the VFLINKS register to read PF's link speed and linkup state. As a result VF driver cannot get actual link state and it incorrectly reports 10G which is the default option. It leads to a situation where even 1G adapters print 10G as actual link speed. The same happens when PF driver set speed different than 10G. Add new mailbox operation to let the VF driver request a PF driver to provide actual link data. Update the mailbox api to v1.6. Incorporate both ways of getting link status within the legacy ixgbe_check_mac_link_vf() function. Fixes: 4c44b450c69b ("ixgbevf: Add support for Intel(R) E610 device") Co-developed-by: Andrzej Wilczynski Signed-off-by: Andrzej Wilczynski Reviewed-by: Przemek Kitszel Reviewed-by: Aleksandr Loktionov Cc: stable@vger.kernel.org Signed-off-by: Jedrzej Jagielski Tested-by: Rafal Romanowski Signed-off-by: Jacob Keller Link: https://patch.msgid.link/20251009-jk-iwl-net-2025-10-01-v3-2-ef32a425b92a@intel.com Signed-off-by: Jakub Kicinski commit a3f8c0a273120fd2638f03403e786c3de2382e72 Author: Milena Olech Date: Thu Oct 9 17:03:46 2025 -0700 idpf: cleanup remaining SKBs in PTP flows When the driver requests Tx timestamp value, one of the first steps is to clone SKB using skb_get. It increases the reference counter for that SKB to prevent unexpected freeing by another component. However, there may be a case where the index is requested, SKB is assigned and never consumed by PTP flows - for example due to reset during running PTP apps. Add a check in release timestamping function to verify if the SKB assigned to Tx timestamp latch was freed, and release remaining SKBs. Fixes: 4901e83a94ef ("idpf: add Tx timestamp capabilities negotiation") Signed-off-by: Milena Olech Signed-off-by: Anton Nadezhdin Reviewed-by: Aleksandr Loktionov Tested-by: Samuel Salin Signed-off-by: Jacob Keller Link: https://patch.msgid.link/20251009-jk-iwl-net-2025-10-01-v3-1-ef32a425b92a@intel.com Signed-off-by: Jakub Kicinski commit 21f4d45eba0b2dcae5dbc9e5e0ad08735c993f16 Author: Dmitry Safonov <0x7f454c46@gmail.com> Date: Thu Oct 9 16:02:19 2025 +0100 net/ip6_tunnel: Prevent perpetual tunnel growth Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too. While ipv4 tunnel headroom adjustment growth was limited in commit 5ae1e9922bbd ("net: ip_tunnel: prevent perpetual headroom growth"), ipv6 tunnel yet increases the headroom without any ceiling. Reflect ipv4 tunnel headroom adjustment limit on ipv6 version. Credits to Francesco Ruggeri, who was originally debugging this issue and wrote local Arista-specific patch and a reproducer. Fixes: 8eb30be0352d ("ipv6: Create ip6_tnl_xmit") Cc: Florian Westphal Cc: Francesco Ruggeri Signed-off-by: Dmitry Safonov Link: https://patch.msgid.link/20251009-ip6_tunnel-headroom-v2-1-8e4dbd8f7e35@arista.com Signed-off-by: Jakub Kicinski commit e4d0c909bf8328d986bf3aadba0c33a72b5ae30d Author: Kamil Horák - 2N Date: Thu Oct 9 15:06:56 2025 +0200 net: phy: bcm54811: Fix GMII/MII/MII-Lite selection The Broadcom bcm54811 is hardware-strapped to select among RGMII and GMII/MII/MII-Lite modes. However, the corresponding bit, RGMII Enable in Miscellaneous Control Register must be also set to select desired RGMII or MII(-lite)/GMII mode. Fixes: 3117a11fff5af9e7 ("net: phy: bcm54811: PHY initialization") Signed-off-by: Kamil Horák - 2N Reviewed-by: Florian Fainelli Link: https://patch.msgid.link/20251009130656.1308237-2-kamilh@axis.com Signed-off-by: Jakub Kicinski commit 70f92ab97042f243e1c8da1c457ff56b9b3e49f1 Author: Linmao Li Date: Thu Oct 9 20:25:49 2025 +0800 r8169: fix packet truncation after S4 resume on RTL8168H/RTL8111H After resume from S4 (hibernate), RTL8168H/RTL8111H truncates incoming packets. Packet captures show messages like "IP truncated-ip - 146 bytes missing!". The issue is caused by RxConfig not being properly re-initialized after resume. Re-initializing the RxConfig register before the chip re-initialization sequence avoids the truncation and restores correct packet reception. This follows the same pattern as commit ef9da46ddef0 ("r8169: fix data corruption issue on RTL8402"). Fixes: 6e1d0b898818 ("r8169:add support for RTL8168H and RTL8107E") Signed-off-by: Linmao Li Reviewed-by: Jacob Keller Reviewed-by: Heiner Kallweit Link: https://patch.msgid.link/20251009122549.3955845-1-lilinmao@kylinos.cn Signed-off-by: Jakub Kicinski commit 25718fdcbdd2dadd15fc8b684df59b43970b91ed Author: Sebastian Andrzej Siewior Date: Thu Oct 9 11:43:38 2025 +0200 net: gro_cells: Use nested-BH locking for gro_cell The gro_cell data structure is per-CPU variable and relies on disabled BH for its locking. Without per-CPU locking in local_bh_disable() on PREEMPT_RT this data structure requires explicit locking. Add a local_lock_t to the data structure and use local_lock_nested_bh() for locking. This change adds only lockdep coverage and does not alter the functional behaviour for !PREEMPT_RT. Reported-by: syzbot+8715dd783e9b0bef43b1@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/68c6c3b1.050a0220.2ff435.0382.GAE@google.com/ Fixes: 3253cb49cbad ("softirq: Allow to drop the softirq-BKL lock on PREEMPT_RT") Signed-off-by: Sebastian Andrzej Siewior Link: https://patch.msgid.link/20251009094338.j1jyKfjR@linutronix.de Signed-off-by: Jakub Kicinski commit fcb8b32a68fd40b0440cb9468cf6f6ab9de9f3c5 Author: Ivan Vecera Date: Wed Oct 8 16:14:45 2025 +0200 dpll: zl3073x: Handle missing or corrupted flash configuration If the internal flash contains missing or corrupted configuration, basic communication over the bus still functions, but the device is not capable of normal operation (for example, using mailboxes). This condition is indicated in the info register by the ready bit. If this bit is cleared, the probe procedure times out while fetching the device state. Handle this case by checking the ready bit value in zl3073x_dev_start() and skipping DPLL device and pin registration if it is cleared. Do not report this condition as an error, allowing the devlink device to be registered and enabling the user to flash the correct configuration. Prior this patch: [ 31.112299] zl3073x-i2c 1-0070: Failed to fetch input state: -ETIMEDOUT [ 31.116332] zl3073x-i2c 1-0070: error -ETIMEDOUT: Failed to start device [ 31.136881] zl3073x-i2c 1-0070: probe with driver zl3073x-i2c failed with error -110 After this patch: [ 41.011438] zl3073x-i2c 1-0070: FW not fully ready - missing or corrupted config Fixes: 75a71ecc24125 ("dpll: zl3073x: Register DPLL devices and pins") Signed-off-by: Ivan Vecera Reviewed-by: Simon Horman Link: https://patch.msgid.link/20251008141445.841113-1-ivecera@redhat.com Signed-off-by: Jakub Kicinski commit 9d5c4f5c7a2c7677e1b3942772122b032c265aae Author: Jaegeuk Kim Date: Tue Oct 7 03:32:30 2025 +0000 f2fs: fix wrong block mapping for multi-devices Assuming the disk layout as below, disk0: 0 --- 0x00035abfff disk1: 0x00035ac000 --- 0x00037abfff disk2: 0x00037ac000 --- 0x00037ebfff and we want to read data from offset=13568 having len=128 across the block devices, we can illustrate the block addresses like below. 0 .. 0x00037ac000 ------------------- 0x00037ebfff, 0x00037ec000 ------- | ^ ^ ^ | fofs 0 13568 13568+128 | ------------------------------------------------------ | LBA 0x37e8aa9 0x37ebfa9 0x37ec029 --- map 0x3caa9 0x3ffa9 In this example, we should give the relative map of the target block device ranging from 0x3caa9 to 0x3ffa9 where the length should be calculated by 0x37ebfff + 1 - 0x37ebfa9. In the below equation, however, map->m_pblk was supposed to be the original address instead of the one from the target block address. - map->m_len = min(map->m_len, dev->end_blk + 1 - map->m_pblk); Cc: stable@vger.kernel.org Fixes: 71f2c8206202 ("f2fs: multidevice: support direct IO") Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim commit 1ee889fdf409ce68c1e3b62912333a5cc69acaa0 Author: Mateusz Guzik Date: Wed Oct 1 01:29:57 2025 +0200 f2fs: don't call iput() from f2fs_drop_inode() iput() calls the problematic routine, which does a ->i_count inc/dec cycle. Undoing it with iput() recurses into the problem. Note f2fs should not be playing games with the refcount to begin with, but that will be handled later. Right now solve the immediate regression. Fixes: bc986b1d756482a ("fs: stop accessing ->i_count directly in f2fs and gfs2") Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-lkp/202509301450.138b448f-lkp@intel.com Signed-off-by: Mateusz Guzik Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim commit d6fc45100aa8c02be3ddd16fae569b84086c15a9 Author: Hans Zhang <18255117159@163.com> Date: Fri Oct 10 22:43:07 2025 +0800 PCI: cadence: Search for MSI Capability with correct ID 907912c1daa7 ("PCI: cadence: Use cdns_pcie_find_*capability() to avoid hardcoding offsets") incorrectly searched for the MSI-X Capability ID instead of the MSI Capability ID in cdns_pcie_ep_get_msi(). Search for PCI_CAP_ID_MSI, not PCI_CAP_ID_MSIX, to fix this problem. Fixes: 907912c1daa7 ("PCI: cadence: Use cdns_pcie_find_*capability() to avoid hardcoding offsets") Reported-by: Sasha Levin Closes: https://lore.kernel.org/r/aOfMk9BW8BH2P30V@laps/ Signed-off-by: Hans Zhang <18255117159@163.com> Signed-off-by: Bjorn Helgaas Link: https://patch.msgid.link/20251010144307.12979-1-18255117159@163.com commit 83b0177a6c4889b3a6e865da5e21b2c9d97d0551 Author: Ingo Molnar Date: Fri May 16 15:43:04 2025 +0200 x86/mm: Fix SMP ordering in switch_mm_irqs_off() Stephen noted that it is possible to not have an smp_mb() between the loaded_mm store and the tlb_gen load in switch_mm(), meaning the ordering against flush_tlb_mm_range() goes out the window, and it becomes possible for switch_mm() to not observe a recent tlb_gen update and fail to flush the TLBs. [ dhansen: merge conflict fixed by Ingo ] Fixes: 209954cbc7d0 ("x86/mm/tlb: Update mm_cpumask lazily") Reported-by: Stephen Dolan Closes: https://lore.kernel.org/all/CAHDw0oGd0B4=uuv8NGqbUQ_ZVmSheU2bN70e4QhFXWvuAZdt2w@mail.gmail.com/ Signed-off-by: Peter Zijlstra (Intel) Signed-off-by: Ingo Molnar Signed-off-by: Dave Hansen commit f25785f9b088ed65089dd0d0034da52858417839 Author: Rik van Riel Date: Sun Oct 5 23:48:05 2025 -0400 x86/mm: Fix overflow in __cpa_addr() The change to have cpa_flush() call flush_kernel_pages() introduced a bug where __cpa_addr() can access an address one larger than the largest one in the cpa->pages array. KASAN reports the issue like this: BUG: KASAN: slab-out-of-bounds in __cpa_addr arch/x86/mm/pat/set_memory.c:309 [inline] BUG: KASAN: slab-out-of-bounds in __cpa_addr+0x1d3/0x220 arch/x86/mm/pat/set_memory.c:306 Read of size 8 at addr ffff88801f75e8f8 by task syz.0.17/5978 This bug could cause cpa_flush() to not properly flush memory, which somehow never showed any symptoms in my tests, possibly because cpa_flush() is called so rarely, but could potentially cause issues for other people. Fix the issue by directly calculating the flush end address from the start address. Fixes: 86e6815b316e ("x86/mm: Change cpa_flush() to call flush_kernel_range() directly") Reported-by: syzbot+afec6555eef563c66c97@syzkaller.appspotmail.com Signed-off-by: Rik van Riel Signed-off-by: Dave Hansen Reviewed-by: Kiryl Shutsemau Link: https://lore.kernel.org/all/68e2ff90.050a0220.2c17c1.0038.GAE@google.com/ commit a375246fcf2bbdaeb1df7fa7ee5a8b884a89085e Author: Dave Jiang Date: Thu Oct 9 08:40:01 2025 -0700 cxl/features: Add check for no entries in cxl_feature_info cxl EDAC calls cxl_feature_info() to get the feature information and if the hardware has no Features support, cxlfs may be passed in as NULL. [ 51.957498] BUG: kernel NULL pointer dereference, address: 0000000000000008 [ 51.965571] #PF: supervisor read access in kernel mode [ 51.971559] #PF: error_code(0x0000) - not-present page [ 51.977542] PGD 17e4f6067 P4D 0 [ 51.981384] Oops: Oops: 0000 [#1] SMP NOPTI [ 51.986300] CPU: 49 UID: 0 PID: 3782 Comm: systemd-udevd Not tainted 6.17.0dj test+ #64 PREEMPT(voluntary) [ 51.997355] Hardware name: [ 52.009790] RIP: 0010:cxl_feature_info+0xa/0x80 [cxl_core] Add a check for cxlfs before dereferencing it and return -EOPNOTSUPP if there is no cxlfs created due to no hardware support. Fixes: eb5dfcb9e36d ("cxl: Add support to handle user feature commands for set feature") Reviewed-by: Davidlohr Bueso Reviewed-by: Alison Schofield Signed-off-by: Dave Jiang commit 8aec9dbf2db2e958de5bd20e23b8fbb8f2aa1fa6 Author: Gustavo A. R. Silva Date: Fri Oct 3 15:11:06 2025 +0100 btrfs: send: fix -Wflex-array-member-not-at-end warning in struct send_ctx The warning -Wflex-array-member-not-at-end was introduced in GCC-14, and we are getting ready to enable it, globally. Fix the following warning: fs/btrfs/send.c:181:24: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end] and move the declaration of send_ctx::cur_inode_path to the end. Notice that struct fs_path contains a flexible array member inline_buf, but also a padding array and a limit calculated for the usable space of inline_buf (FS_PATH_INLINE_SIZE). It is not the pattern where flexible array is in the middle of a structure and could potentially overwrite other members. Signed-off-by: Gustavo A. R. Silva Reviewed-by: David Sterba Signed-off-by: David Sterba commit e92c2941204de7b62e9c2deecfeb9eaefe54a22a Author: Dan Carpenter Date: Wed Oct 8 18:08:58 2025 +0300 btrfs: tree-checker: fix bounds check in check_inode_extref() The parentheses for the unlikely() annotation were put in the wrong place so it means that the condition is basically never true and the bounds checking is skipped. Fixes: aab9458b9f00 ("btrfs: tree-checker: add inode extref checks") Signed-off-by: Dan Carpenter Reviewed-by: Qu Wenruo Signed-off-by: David Sterba commit fec9b9d3ced39f16be8d7afdf81f4dd2653da319 Author: Miquel Sabaté Solà Date: Wed Oct 8 14:18:59 2025 +0200 btrfs: fix memory leaks when rejecting a non SINGLE data profile without an RST At the end of btrfs_load_block_group_zone_info() the first thing we do is to ensure that if the mapping type is not a SINGLE one and there is no RAID stripe tree, then we return early with an error. Doing that, though, prevents the code from running the last calls from this function which are about freeing memory allocated during its run. Hence, in this case, instead of returning early, we set the ret value and fall through the rest of the cleanup code. Fixes: 5906333cc4af ("btrfs: zoned: don't skip block group profile checks on conventional zones") CC: stable@vger.kernel.org # 6.8+ Reviewed-by: Johannes Thumshirn Signed-off-by: Miquel Sabaté Solà Signed-off-by: David Sterba commit 8ab2fa69691b2913a67f3c54fbb991247b3755be Author: Boris Burkov Date: Tue Sep 30 21:05:17 2025 -0700 btrfs: fix incorrect readahead expansion length The intent of btrfs_readahead_expand() was to expand to the length of the current compressed extent being read. However, "ram_bytes" is *not* that, in the case where a single physical compressed extent is used for multiple file extents. Consider this case with a large compressed extent C and then later two non-compressed extents N1 and N2 written over C, leaving C1 and C2 pointing to offset/len pairs of C: [ C ] [ N1 ][ C1 ][ N2 ][ C2 ] In such a case, ram_bytes for both C1 and C2 is the full uncompressed length of C. So starting readahead in C1 will expand the readahead past the end of C1, past N2, and into C2. This will then expand readahead again, to C2_start + ram_bytes, way past EOF. First of all, this is totally undesirable, we don't want to read the whole file in arbitrary chunks of the large underlying extent if it happens to exist. Secondly, it results in zeroing the range past the end of C2 up to ram_bytes. This is particularly unpleasant with fs-verity as it can zero and set uptodate pages in the verity virtual space past EOF. This incorrect readahead behavior can lead to verity verification errors, if we iterate in a way that happens to do the wrong readahead. Fix this by using em->len for readahead expansion, not em->ram_bytes, resulting in the expected behavior of stopping readahead at the extent boundary. Reported-by: Max Chernoff Link: https://bugzilla.redhat.com/show_bug.cgi?id=2399898 Fixes: 9e9ff875e417 ("btrfs: use readahead_expand() on compressed extents") CC: stable@vger.kernel.org # 6.17 Reviewed-by: Filipe Manana Signed-off-by: Boris Burkov Signed-off-by: David Sterba commit a5a51bf4e9b7354ce7cd697e610d72c1b33fd949 Author: Filipe Manana Date: Wed Oct 1 11:08:13 2025 +0100 btrfs: do not assert we found block group item when creating free space tree Currently, when building a free space tree at populate_free_space_tree(), if we are not using the block group tree feature, we always expect to find block group items (either extent items or a block group item with key type BTRFS_BLOCK_GROUP_ITEM_KEY) when we search the extent tree with btrfs_search_slot_for_read(), so we assert that we found an item. However this expectation is wrong since we can have a new block group created in the current transaction which is still empty and for which we still have not added the block group's item to the extent tree, in which case we do not have any items in the extent tree associated to the block group. The insertion of a new block group's block group item in the extent tree happens at btrfs_create_pending_block_groups() when it calls the helper insert_block_group_item(). This typically is done when a transaction handle is released, committed or when running delayed refs (either as part of a transaction commit or when serving tickets for space reservation if we are low on free space). So remove the assertion at populate_free_space_tree() even when the block group tree feature is not enabled and update the comment to mention this case. Syzbot reported this with the following stack trace: BTRFS info (device loop3 state M): rebuilding free space tree assertion failed: ret == 0 :: 0, in fs/btrfs/free-space-tree.c:1115 ------------[ cut here ]------------ kernel BUG at fs/btrfs/free-space-tree.c:1115! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 1 UID: 0 PID: 6352 Comm: syz.3.25 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 RIP: 0010:populate_free_space_tree+0x700/0x710 fs/btrfs/free-space-tree.c:1115 Code: ff ff e8 d3 (...) RSP: 0018:ffffc9000430f780 EFLAGS: 00010246 RAX: 0000000000000043 RBX: ffff88805b709630 RCX: fea61d0e2e79d000 RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 RBP: ffffc9000430f8b0 R08: ffffc9000430f4a7 R09: 1ffff92000861e94 R10: dffffc0000000000 R11: fffff52000861e95 R12: 0000000000000001 R13: 1ffff92000861f00 R14: dffffc0000000000 R15: 0000000000000000 FS: 00007f424d9fe6c0(0000) GS:ffff888125afc000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fd78ad212c0 CR3: 0000000076d68000 CR4: 00000000003526f0 Call Trace: btrfs_rebuild_free_space_tree+0x1ba/0x6d0 fs/btrfs/free-space-tree.c:1364 btrfs_start_pre_rw_mount+0x128f/0x1bf0 fs/btrfs/disk-io.c:3062 btrfs_remount_rw fs/btrfs/super.c:1334 [inline] btrfs_reconfigure+0xaed/0x2160 fs/btrfs/super.c:1559 reconfigure_super+0x227/0x890 fs/super.c:1076 do_remount fs/namespace.c:3279 [inline] path_mount+0xd1a/0xfe0 fs/namespace.c:4027 do_mount fs/namespace.c:4048 [inline] __do_sys_mount fs/namespace.c:4236 [inline] __se_sys_mount+0x313/0x410 fs/namespace.c:4213 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f424e39066a Code: d8 64 89 02 (...) RSP: 002b:00007f424d9fde68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007f424d9fdef0 RCX: 00007f424e39066a RDX: 0000200000000180 RSI: 0000200000000380 RDI: 0000000000000000 RBP: 0000200000000180 R08: 00007f424d9fdef0 R09: 0000000000000020 R10: 0000000000000020 R11: 0000000000000246 R12: 0000200000000380 R13: 00007f424d9fdeb0 R14: 0000000000000000 R15: 00002000000002c0 Modules linked in: ---[ end trace 0000000000000000 ]--- Reported-by: syzbot+884dc4621377ba579a6f@syzkaller.appspotmail.com Link: https://lore.kernel.org/linux-btrfs/68dc3dab.a00a0220.102ee.004e.GAE@google.com/ Fixes: a5ed91828518 ("Btrfs: implement the free space B-tree") CC: # 6.1.x: 1961d20f6fa8: btrfs: fix assertion when building free space tree CC: # 6.1.x Reviewed-by: Qu Wenruo Signed-off-by: Filipe Manana Signed-off-by: David Sterba commit 42d3a055d946878a327ee030f0e0c7df0f0f15c8 Author: Qu Wenruo Date: Tue Sep 30 07:54:30 2025 +0930 btrfs: do not use folio_test_partial_kmap() in ASSERT()s [BUG] Syzbot reported an ASSERT() triggered inside scrub: BTRFS info (device loop0): scrub: started on devid 1 assertion failed: !folio_test_partial_kmap(folio) :: 0, in fs/btrfs/scrub.c:697 ------------[ cut here ]------------ kernel BUG at fs/btrfs/scrub.c:697! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 6077 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 RIP: 0010:scrub_stripe_get_kaddr+0x1bb/0x1c0 fs/btrfs/scrub.c:697 Call Trace: scrub_bio_add_sector fs/btrfs/scrub.c:932 [inline] scrub_submit_initial_read+0xf21/0x1120 fs/btrfs/scrub.c:1897 submit_initial_group_read+0x423/0x5b0 fs/btrfs/scrub.c:1952 flush_scrub_stripes+0x18f/0x1150 fs/btrfs/scrub.c:1973 scrub_stripe+0xbea/0x2a30 fs/btrfs/scrub.c:2516 scrub_chunk+0x2a3/0x430 fs/btrfs/scrub.c:2575 scrub_enumerate_chunks+0xa70/0x1350 fs/btrfs/scrub.c:2839 btrfs_scrub_dev+0x6e7/0x10e0 fs/btrfs/scrub.c:3153 btrfs_ioctl_scrub+0x249/0x4b0 fs/btrfs/ioctl.c:3163 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f ---[ end trace 0000000000000000 ]--- Which doesn't make much sense, as all the folios we allocated for scrub should not be highmem. [CAUSE] Thankfully syzbot has a detailed kernel config file, showing that CONFIG_DEBUG_KMAP_LOCAL_FORCE_MAP is set to y. And that debug option will force all folio_test_partial_kmap() to return true, to improve coverage on highmem tests. But in our case we really just want to make sure the folios we allocated are not highmem (and they are indeed not). Such incorrect result from folio_test_partial_kmap() is just screwing up everything. [FIX] Replace folio_test_partial_kmap() to folio_test_highmem() so that we won't bother those highmem specific debuging options. Fixes: 5fbaae4b8567 ("btrfs: prepare scrub to support bs > ps cases") Reported-by: syzbot+bde59221318c592e6346@syzkaller.appspotmail.com Signed-off-by: Qu Wenruo Reviewed-by: David Sterba Signed-off-by: David Sterba commit b7fdfd29a136a17c5c8ad9e9bbf89c48919c3d19 Author: Qu Wenruo Date: Fri Sep 26 14:20:11 2025 +0930 btrfs: only set the device specific options after devices are opened [BUG] With v6.17-rc kernels, btrfs will always set 'ssd' mount option even if the block device is not a rotating one: # cat /sys/block/sdd/queue/rotational 1 # cat /etc/fstab: LABEL=DATA2 /data2 btrfs rw,relatime,space_cache=v2,subvolid=5,subvol=/,nofail,nosuid,nodev 0 0 # mount [...] /dev/sdd on /data2 type btrfs (rw,nosuid,nodev,relatime,ssd,space_cache=v2,subvolid=5,subvol=/) [CAUSE] The 'ssd' mount option is set by set_device_specific_options(), and it expects that if there is any rotating device in the btrfs, it will set fs_devices::rotating. However after commit bddf57a70781 ("btrfs: delay btrfs_open_devices() until super block is created"), the device opening is delayed until the super block is created. But the timing of set_device_specific_options() is still left as is, this makes the function be called without any device opened. Since no device is opened, thus fs_devices::rotating will never be set, making btrfs incorrectly set 'ssd' mount option. [FIX] Only call set_device_specific_options() after btrfs_open_devices(). Also only call set_device_specific_options() after a new mount, if we're mounting a mounted btrfs, there is no need to set the device specific mount options again. Reported-by: HAN Yuwei Link: https://lore.kernel.org/linux-btrfs/C8FF75669DFFC3C5+5f93bf8a-80a0-48a6-81bf-4ec890abc99a@bupt.moe/ Fixes: bddf57a70781 ("btrfs: delay btrfs_open_devices() until super block is created") CC: stable@vger.kernel.org # 6.17 Signed-off-by: Qu Wenruo Reviewed-by: David Sterba Signed-off-by: David Sterba commit 53a4acbfc1de85fa637521ffab4f4e2ee03cbeeb Author: Miquel Sabaté Solà Date: Thu Sep 25 20:41:39 2025 +0200 btrfs: fix memory leak on duplicated memory in the qgroup assign ioctl On 'btrfs_ioctl_qgroup_assign' we first duplicate the argument as provided by the user, which is kfree'd in the end. But this was not the case when allocating memory for 'prealloc'. In this case, if it somehow failed, then the previous code would go directly into calling 'mnt_drop_write_file', without freeing the string duplicated from the user space. Fixes: 4addc1ffd67a ("btrfs: qgroup: preallocate memory before adding a relation") CC: stable@vger.kernel.org # 6.12+ Reviewed-by: Boris Burkov Reviewed-by: Filipe Manana Signed-off-by: Miquel Sabaté Solà Signed-off-by: Filipe Manana Reviewed-by: David Sterba Signed-off-by: David Sterba commit 7e5a5983edda664e8e4bb20af17b80f5135c655c Author: Filipe Manana Date: Wed Sep 24 16:10:38 2025 +0100 btrfs: fix clearing of BTRFS_FS_RELOC_RUNNING if relocation already running When starting relocation, at reloc_chunk_start(), if we happen to find the flag BTRFS_FS_RELOC_RUNNING is already set we return an error (-EINPROGRESS) to the callers, however the callers call reloc_chunk_end() which will clear the flag BTRFS_FS_RELOC_RUNNING, which is wrong since relocation was started by another task and still running. Finding the BTRFS_FS_RELOC_RUNNING flag already set is an unexpected scenario, but still our current behaviour is not correct. Fix this by never calling reloc_chunk_end() if reloc_chunk_start() has returned an error, which is what logically makes sense, since the general widespread pattern is to have end functions called only if the counterpart start functions succeeded. This requires changing reloc_chunk_start() to clear BTRFS_FS_RELOC_RUNNING if there's a pending cancel request. Fixes: 907d2710d727 ("btrfs: add cancellable chunk relocation support") CC: stable@vger.kernel.org # 5.15+ Reviewed-by: Boris Burkov Reviewed-by: Johannes Thumshirn Reviewed-by: Qu Wenruo Signed-off-by: Filipe Manana Reviewed-by: David Sterba Signed-off-by: David Sterba commit 9f64b3cd051b825de0a2a9f145c8e003200cedd5 Author: Shuicheng Lin Date: Fri Oct 10 17:25:29 2025 +0000 drm/xe/guc: Check GuC running state before deregistering exec queue In normal operation, a registered exec queue is disabled and deregistered through the GuC, and freed only after the GuC confirms completion. However, if the driver is forced to unbind while the exec queue is still running, the user may call exec_destroy() after the GuC has already been stopped and CT communication disabled. In this case, the driver cannot receive a response from the GuC, preventing proper cleanup of exec queue resources. Fix this by directly releasing the resources when GuC is not running. Here is the failure dmesg log: " [ 468.089581] ---[ end trace 0000000000000000 ]--- [ 468.089608] pci 0000:03:00.0: [drm] *ERROR* GT0: GUC ID manager unclean (1/65535) [ 468.090558] pci 0000:03:00.0: [drm] GT0: total 65535 [ 468.090562] pci 0000:03:00.0: [drm] GT0: used 1 [ 468.090564] pci 0000:03:00.0: [drm] GT0: range 1..1 (1) [ 468.092716] ------------[ cut here ]------------ [ 468.092719] WARNING: CPU: 14 PID: 4775 at drivers/gpu/drm/xe/xe_ttm_vram_mgr.c:298 ttm_vram_mgr_fini+0xf8/0x130 [xe] " v2: use xe_uc_fw_is_running() instead of xe_guc_ct_enabled(). As CT may go down and come back during VF migration. Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Cc: stable@vger.kernel.org Cc: Matthew Brost Signed-off-by: Shuicheng Lin Reviewed-by: Matthew Brost Signed-off-by: Matthew Brost Link: https://lore.kernel.org/r/20251010172529.2967639-2-shuicheng.lin@intel.com (cherry picked from commit 9b42321a02c50a12b2beb6ae9469606257fbecea) Signed-off-by: Lucas De Marchi commit 1852d27aa998272696680607b65a2ceac966104e Author: Vinay Belgaumkar Date: Thu Oct 9 18:10:47 2025 -0700 drm/xe: Enable media sampler power gating Where applicable, enable media sampler power gating. Also, add it to the powergate_info debugfs. v2: Remove the sampler powergate status since it is cleared quickly anyway. v3: Use vcs mask (Rodrigo) and fix the version check for media v4: Remove extra spaces v5: Media samplers are independent of vcs mask, use Media version 1255 (Matt Roper) Fixes: 38e8c4184ea0 ("drm/xe: Enable Coarse Power Gating") Cc: Rodrigo Vivi Cc: Matt Roper Reviewed-by: Rodrigo Vivi Signed-off-by: Vinay Belgaumkar Link: https://lore.kernel.org/r/20251010011047.2047584-1-vinay.belgaumkar@intel.com Signed-off-by: Rodrigo Vivi (cherry picked from commit 4cbc08649a54c3d533df9832342d52d409dfbbf0) Signed-off-by: Lucas De Marchi commit 7413e9f2be6b2b0caff9c517efa123d988914bba Author: Matthew Brost Date: Thu Oct 9 06:06:29 2025 -0700 drm/xe: Handle mixed mappings and existing VRAM on atomic faults Moving to VRAM will fail if mixed mappings are present or if the page is already located in VRAM. Atomic faults that require a move to VRAM currently retry without attempting to evict mixed mappings or locate existing VRAM mappings. This patch fixes the issue by attempting to evict mixed mappings or find existing VRAM pages when a move to VRAM fails during atomic fault handling. Fixes: a9ac0fa455b0 ("drm/xe: Strict migration policy for atomic SVM faults") Signed-off-by: Matthew Brost Reviewed-by: Himal Prasad Ghimiray Link: https://lore.kernel.org/r/20251009130629.3531962-1-matthew.brost@intel.com (cherry picked from commit 75188605c56d10c1bd3b1cd94f4872f349c3a9c8) Signed-off-by: Lucas De Marchi commit 1117e7d1e8e66bf7e40291178b829a8513f83a7a Author: Thomas Hellström Date: Wed Sep 10 18:09:39 2025 +0200 drm/xe/migrate: Fix an error path The exhaustive eviction accidently changed an error path goto to a return. Fix this. Fixes: 59eabff2a352 ("drm/xe: Convert xe_bo_create_pin_map() for exhaustive eviction") Cc: Matthew Brost Signed-off-by: Thomas Hellström Reviewed-by: Francois Dugast Link: https://lore.kernel.org/r/20250910160939.103473-1-thomas.hellstrom@linux.intel.com (cherry picked from commit 381f1ed15159c4b3f00dd37cc70924dedebeb111) Signed-off-by: Lucas De Marchi commit d30203739be798d3de5c84db3060e96f00c54e82 Author: Lucas De Marchi Date: Thu Sep 18 13:58:57 2025 -0700 drm/xe: Move rebar to be done earlier There may be cases in which the BAR0 also needs to move to accommodate the bigger BAR2. However if it's not released, the BAR2 resize fails. During the vram probe it can't be released as it's already in use by xe_mmio for early register access. Add a new function in xe_vram and let xe_pci call it directly before even early device probe. This allows the BAR2 to resize in cases BAR0 also needs to move, assuming there aren't other reasons to hold that move: [] xe 0000:03:00.0: vgaarb: deactivate vga console [] xe 0000:03:00.0: [drm] Attempting to resize bar from 8192MiB -> 16384MiB [] xe 0000:03:00.0: BAR 0 [mem 0x83000000-0x83ffffff 64bit]: releasing [] xe 0000:03:00.0: BAR 2 [mem 0x4000000000-0x41ffffffff 64bit pref]: releasing [] pcieport 0000:02:01.0: bridge window [mem 0x4000000000-0x41ffffffff 64bit pref]: releasing [] pcieport 0000:01:00.0: bridge window [mem 0x4000000000-0x41ffffffff 64bit pref]: releasing [] pcieport 0000:01:00.0: bridge window [mem 0x4000000000-0x43ffffffff 64bit pref]: assigned [] pcieport 0000:02:01.0: bridge window [mem 0x4000000000-0x43ffffffff 64bit pref]: assigned [] xe 0000:03:00.0: BAR 2 [mem 0x4000000000-0x43ffffffff 64bit pref]: assigned [] xe 0000:03:00.0: BAR 0 [mem 0x83000000-0x83ffffff 64bit]: assigned [] pcieport 0000:00:01.0: PCI bridge to [bus 01-04] [] pcieport 0000:00:01.0: bridge window [mem 0x83000000-0x840fffff] [] pcieport 0000:00:01.0: bridge window [mem 0x4000000000-0x44007fffff 64bit pref] [] pcieport 0000:01:00.0: PCI bridge to [bus 02-04] [] pcieport 0000:01:00.0: bridge window [mem 0x83000000-0x840fffff] [] pcieport 0000:01:00.0: bridge window [mem 0x4000000000-0x43ffffffff 64bit pref] [] pcieport 0000:02:01.0: PCI bridge to [bus 03] [] pcieport 0000:02:01.0: bridge window [mem 0x83000000-0x83ffffff] [] pcieport 0000:02:01.0: bridge window [mem 0x4000000000-0x43ffffffff 64bit pref] [] xe 0000:03:00.0: [drm] BAR2 resized to 16384M [] xe 0000:03:00.0: [drm:xe_pci_probe [xe]] BATTLEMAGE e221:0000 dgfx:1 gfx:Xe2_HPG (20.02) ... For BMG there are additional fix needed in the PCI side, but this helps getting it to a working resize. All the rebar logic is more pci-specific than xe-specific and can be done very early in the probe sequence. In future it would be good to move it out of xe_vram.c, but this refactor is left for later. Cc: Ilpo Järvinen Cc: stable@vger.kernel.org # 6.12+ Link: https://lore.kernel.org/intel-xe/fafda2a3-fc63-ce97-d22b-803f771a4d19@linux.intel.com Reviewed-by: Ilpo Järvinen Link: https://lore.kernel.org/r/20250918-xe-pci-rebar-2-v1-2-6c094702a074@intel.com Signed-off-by: Lucas De Marchi (cherry picked from commit 45e33f220fd625492c11e15733d8e9b4f9db82a4) Signed-off-by: Lucas De Marchi commit 7ac74613e5f2ef3450f44fd2127198662c2563a9 Author: Matthew Brost Date: Thu Oct 9 04:06:18 2025 -0700 drm/xe: Don't allow evicting of BOs in same VM in array of VM binds An array of VM binds can potentially evict other buffer objects (BOs) within the same VM under certain conditions, which may lead to NULL pointer dereferences later in the bind pipeline. To prevent this, clear the allow_res_evict flag in the xe_bo_validate call. v2: - Invert polarity of no_res_evict (Thomas) - Add comment in code explaining issue (Thomas) Cc: stable@vger.kernel.org Reported-by: Paulo Zanoni Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6268 Fixes: 774b5fa509a9 ("drm/xe: Avoid evicting object of the same vm in none fault mode") Fixes: 77f2ef3f16f5 ("drm/xe: Lock all gpuva ops during VM bind IOCTL") Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Signed-off-by: Matthew Brost Tested-by: Paulo Zanoni Reviewed-by: Thomas Hellström Link: https://lore.kernel.org/r/20251009110618.3481870-1-matthew.brost@intel.com (cherry picked from commit 8b9ba8d6d95fe75fed6b0480bb03da4b321bea08) Signed-off-by: Lucas De Marchi commit e5ae8d1eb08a3e27fff4ae264af4c8056d908639 Author: Kenneth Graunke Date: Fri Sep 12 15:31:45 2025 -0700 drm/xe: Increase global invalidation timeout to 1000us The previous timeout of 500us seems to be too small; panning the map in the Roll20 VTT in Firefox on a KDE/Wayland desktop reliably triggered timeouts within a few seconds of usage, causing the monitor to freeze and the following to be printed to dmesg: [Jul30 13:44] xe 0000:03:00.0: [drm] *ERROR* GT0: Global invalidation timeout [Jul30 13:48] xe 0000:03:00.0: [drm] *ERROR* [CRTC:82:pipe A] flip_done timed out I haven't hit a single timeout since increasing it to 1000us even after several multi-hour testing sessions. Fixes: 0dd2dd0182bc ("drm/xe: Move DSB l2 flush to a more sensible place") Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/5710 Signed-off-by: Kenneth Graunke Cc: stable@vger.kernel.org Cc: Maarten Lankhorst Reviewed-by: Shuicheng Lin Link: https://lore.kernel.org/r/20250912223254.147940-1-kenneth@whitecape.org Signed-off-by: Lucas De Marchi (cherry picked from commit 146046907b56578263434107f5a7d5051847c459) Signed-off-by: Lucas De Marchi commit 93a27b5891b8194a8c083c9a80d2141d4bf47ba8 Author: Tetsuo Handa Date: Sat Sep 27 21:11:16 2025 +0900 can: j1939: add missing calls in NETDEV_UNREGISTER notification handler Currently NETDEV_UNREGISTER event handler is not calling j1939_cancel_active_session() and j1939_sk_queue_drop_all(). This will result in these calls being skipped when j1939_sk_release() is called. And I guess that the reason syzbot is still reporting unregister_netdevice: waiting for vcan0 to become free. Usage count = 2 is caused by lack of these calls. Calling j1939_cancel_active_session(priv, sk) from j1939_sk_release() can be covered by calling j1939_cancel_active_session(priv, NULL) from j1939_netdev_notify(). Calling j1939_sk_queue_drop_all() from j1939_sk_release() can be covered by calling j1939_sk_netdev_event_netdown() from j1939_netdev_notify(). Therefore, we can reuse j1939_cancel_active_session(priv, NULL) and j1939_sk_netdev_event_netdown(priv) for NETDEV_UNREGISTER event handler. Fixes: 7fcbe5b2c6a4 ("can: j1939: implement NETDEV_UNREGISTER notification handler") Signed-off-by: Tetsuo Handa Tested-by: Oleksij Rempel Acked-by: Oleksij Rempel Link: https://patch.msgid.link/3ad3c7f8-5a74-4b07-a193-cb0725823558@I-love.SAKURA.ne.jp Signed-off-by: Marc Kleine-Budde commit b5746b3e8ea4a8a4df776e0864322028d4f5e4b1 Author: Vincent Mailhol Date: Mon Oct 13 19:10:23 2025 +0900 can: add Transmitter Delay Compensation (TDC) documentation Back in 2021, support for CAN TDC was added to the kernel in series [1] and in iproute2 in series [2]. However, the documentation was never updated. Add a new sub-section under CAN-FD driver support to document how to configure the TDC using the "ip tool". [1] add the netlink interface for CAN-FD Transmitter Delay Compensation (TDC) Link: https://lore.kernel.org/all/20210918095637.20108-1-mailhol.vincent@wanadoo.fr/ [2] iplink_can: cleaning, fixes and adding TDC support Link: https://lore.kernel.org/all/20211103164428.692722-1-mailhol.vincent@wanadoo.fr/ Signed-off-by: Vincent Mailhol Link: https://patch.msgid.link/20251013-can-fd-doc-v2-2-5d53bdc8f2ad@kernel.org Signed-off-by: Marc Kleine-Budde commit c282993ccd97ad627d213645dc485086de034647 Author: Vincent Mailhol Date: Mon Oct 13 19:10:22 2025 +0900 can: remove false statement about 1:1 mapping between DLC and length The CAN-FD section of can.rst still states that there is a 1:1 mapping between the Classical CAN DLC and its length. This is only true for the DLC values up to 8. Beyond that point, the length remains at 8. For reference, the mapping between the CAN DLC and the length is given in below table [1]: DLC value CBFF and CEFF FBFF and FEFF [decimal] [byte] [byte] ---------------------------------------------- 0 0 0 1 1 1 2 2 2 3 3 3 4 4 4 5 5 5 6 6 6 7 7 7 8 8 8 9 8 12 10 8 16 11 8 20 12 8 24 13 8 32 14 8 48 15 8 64 Remove the erroneous statement. Instead just state that the length of a Classical CAN frame ranges from 0 to 8. [1] ISO 11898-1:2024, Table 5 -- DLC: coding of the four LSB Signed-off-by: Vincent Mailhol Link: https://patch.msgid.link/20251013-can-fd-doc-v2-1-5d53bdc8f2ad@kernel.org Signed-off-by: Marc Kleine-Budde commit 15292f1b4c55a3a7c940dbcb6cb8793871ed3d92 Author: Babu Moger Date: Fri Oct 10 12:08:35 2025 -0500 x86/resctrl: Fix miscount of bandwidth event when reactivating previously unavailable RMID Users can create as many monitoring groups as the number of RMIDs supported by the hardware. However, on AMD systems, only a limited number of RMIDs are guaranteed to be actively tracked by the hardware. RMIDs that exceed this limit are placed in an "Unavailable" state. When a bandwidth counter is read for such an RMID, the hardware sets MSR_IA32_QM_CTR.Unavailable (bit 62). When such an RMID starts being tracked again the hardware counter is reset to zero. MSR_IA32_QM_CTR.Unavailable remains set on first read after tracking re-starts and is clear on all subsequent reads as long as the RMID is tracked. resctrl miscounts the bandwidth events after an RMID transitions from the "Unavailable" state back to being tracked. This happens because when the hardware starts counting again after resetting the counter to zero, resctrl in turn compares the new count against the counter value stored from the previous time the RMID was tracked. This results in resctrl computing an event value that is either undercounting (when new counter is more than stored counter) or a mistaken overflow (when new counter is less than stored counter). Reset the stored value (arch_mbm_state::prev_msr) of MSR_IA32_QM_CTR to zero whenever the RMID is in the "Unavailable" state to ensure accurate counting after the RMID resets to zero when it starts to be tracked again. Example scenario that results in mistaken overflow ================================================== 1. The resctrl filesystem is mounted, and a task is assigned to a monitoring group. $mount -t resctrl resctrl /sys/fs/resctrl $mkdir /sys/fs/resctrl/mon_groups/test1/ $echo 1234 > /sys/fs/resctrl/mon_groups/test1/tasks $cat /sys/fs/resctrl/mon_groups/test1/mon_data/mon_L3_*/mbm_total_bytes 21323 <- Total bytes on domain 0 "Unavailable" <- Total bytes on domain 1 Task is running on domain 0. Counter on domain 1 is "Unavailable". 2. The task runs on domain 0 for a while and then moves to domain 1. The counter starts incrementing on domain 1. $cat /sys/fs/resctrl/mon_groups/test1/mon_data/mon_L3_*/mbm_total_bytes 7345357 <- Total bytes on domain 0 4545 <- Total bytes on domain 1 3. At some point, the RMID in domain 0 transitions to the "Unavailable" state because the task is no longer executing in that domain. $cat /sys/fs/resctrl/mon_groups/test1/mon_data/mon_L3_*/mbm_total_bytes "Unavailable" <- Total bytes on domain 0 434341 <- Total bytes on domain 1 4. Since the task continues to migrate between domains, it may eventually return to domain 0. $cat /sys/fs/resctrl/mon_groups/test1/mon_data/mon_L3_*/mbm_total_bytes 17592178699059 <- Overflow on domain 0 3232332 <- Total bytes on domain 1 In this case, the RMID on domain 0 transitions from "Unavailable" state to active state. The hardware sets MSR_IA32_QM_CTR.Unavailable (bit 62) when the counter is read and begins tracking the RMID counting from 0. Subsequent reads succeed but return a value smaller than the previously saved MSR value (7345357). Consequently, the resctrl's overflow logic is triggered, it compares the previous value (7345357) with the new, smaller value and incorrectly interprets this as a counter overflow, adding a large delta. In reality, this is a false positive: the counter did not overflow but was simply reset when the RMID transitioned from "Unavailable" back to active state. Here is the text from APM [1] available from [2]. "In PQOS Version 2.0 or higher, the MBM hardware will set the U bit on the first QM_CTR read when it begins tracking an RMID that it was not previously tracking. The U bit will be zero for all subsequent reads from that RMID while it is still tracked by the hardware. Therefore, a QM_CTR read with the U bit set when that RMID is in use by a processor can be considered 0 when calculating the difference with a subsequent read." [1] AMD64 Architecture Programmer's Manual Volume 2: System Programming Publication # 24593 Revision 3.41 section 19.3.3 Monitoring L3 Memory Bandwidth (MBM). [ bp: Split commit message into smaller paragraph chunks for better consumption. ] Fixes: 4d05bf71f157d ("x86/resctrl: Introduce AMD QOS feature") Signed-off-by: Babu Moger Signed-off-by: Borislav Petkov (AMD) Reviewed-by: Reinette Chatre Tested-by: Reinette Chatre Cc: stable@vger.kernel.org # needs adjustments for <= v6.17 Link: https://bugzilla.kernel.org/show_bug.cgi?id=206537 # [2] commit 2b929b6eec0c7c45eb554256d349c16c0ba1df3c Author: Pauli Virtanen Date: Mon Oct 13 20:33:06 2025 +0300 ALSA: usb-audio: add mixer_playback_min_mute quirk for Logitech H390 ID 046d:0a8f Logitech, Inc. H390 headset with microphone is reported to have muted min playback volume. Apply quirk for that. Link: https://gitlab.freedesktop.org/pipewire/pipewire/-/issues/4929 Signed-off-by: Pauli Virtanen Signed-off-by: Takashi Iwai commit 02e7567f5da023524476053a38c54f4f19130959 Author: Li Ming Date: Wed Oct 1 14:03:37 2025 +0800 cxl/port: Avoid missing port component registers setup port->nr_dports is used to represent how many dports added to the cxl port, it will increase in add_dport() when a new dport is being added to the cxl port, but it will not be reduced when a dport is removed from the cxl port. Currently, when the first dport is added to a cxl port, it will trigger component registers setup on the cxl port, the implementation is using port->nr_dports to confirm if the dport is the first dport. A corner case here is that adding dport could fail after port->nr_dports updating and before checking port->nr_dports for component registers setup. If the failure happens during the first dport attaching, it will cause that CXL subsystem has not chance to execute component registers setup for the cxl port. the failure flow like below: port->nr_dports = 0 dport 1 adding to the port: add_dport() # port->nr_dports: 1 failed on devm_add_action_or_reset() or sysfs_create_link() return error # port->nr_dports: 1 dport 2 adding to the port: add_dport() # port->nr_dports: 2 no failure skip component registers setup because of port->nr_dports is 2 The solution here is that moving component registers setup closer to add_dport(), so if add_dport() is executed correctly for the first dport, component registers setup on the port will be executed immediately after that. Fixes: f6ee24913de2 ("cxl: Move port register setup to when first dport appear") Signed-off-by: Li Ming Reviewed-by: Dave Jiang Reviewed-by: Davidlohr Bueso Reviewed-by: Jonathan Cameron Signed-off-by: Dave Jiang commit 9bb3baa9d1604cd20f49ae7dac9306b4037a0e7a Author: Joshua Watt Date: Thu Oct 9 15:48:04 2025 -0600 NFS4: Fix state renewals missing after boot Since the last renewal time was initialized to 0 and jiffies start counting at -5 minutes, any clients connected in the first 5 minutes after a reboot would have their renewal timer set to a very long interval. If the connection was idle, this would result in the client state timing out on the server and the next call to the server would return NFS4ERR_BADSESSION. Fix this by initializing the last renewal time to the current jiffies instead of 0. Signed-off-by: Joshua Watt Signed-off-by: Anna Schumaker commit 9ff022f3820a31507cb93be6661bf5f3ca0609a4 Author: Scott Mayhew Date: Thu Oct 9 16:42:12 2025 -0400 NFS: check if suid/sgid was cleared after a write as needed I noticed xfstests generic/193 and generic/355 started failing against knfsd after commit e7a8ebc305f2 ("NFSD: Offer write delegation for OPEN with OPEN4_SHARE_ACCESS_WRITE"). I ran those same tests against ONTAP (which has had write delegation support for a lot longer than knfsd) and they fail there too... so while it's a new failure against knfsd, it isn't an entirely new failure. Add the NFS_INO_REVAL_FORCED flag so that the presence of a delegation doesn't keep the inode from being revalidated to fetch the updated mode. Signed-off-by: Scott Mayhew Signed-off-by: Anna Schumaker commit 7a84394f02ab1985ebbe0a8d6f6d69bd040de4b3 Author: Joshua Watt Date: Tue Oct 7 15:22:58 2025 -0600 NFS4: Apply delay_retrans to async operations The setting of delay_retrans is applied to synchronous RPC operations because the retransmit count is stored in same struct nfs4_exception that is passed each time an error is checked. However, for asynchronous operations (READ, WRITE, LOCKU, CLOSE, DELEGRETURN), a new struct nfs4_exception is made on the stack each time the task callback is invoked. This means that the retransmit count is always zero and thus delay_retrans never takes effect. Apply delay_retrans to these operations by tracking and updating their retransmit count. Change-Id: Ieb33e046c2b277cb979caa3faca7f52faf0568c9 Signed-off-by: Joshua Watt Reviewed-by: Benjamin Coddington Signed-off-by: Anna Schumaker commit 8db4a1d146f83c6bdb0f5b98c50c509ae8549827 Author: Mike Snitzer Date: Tue Oct 7 13:39:05 2025 -0400 NFSv4/flexfiles: fix to allocate mirror->dss before use Move mirror_array's dss_count initialization and dss allocation to ff_layout_alloc_mirror(), just before the loop that initializes each nfs4_ff_layout_ds_stripe's nfs_file_localio. Also handle NULL return from kcalloc() and remove one level of indent in ff_layout_alloc_mirror(). This commit fixes dangling nfsd_serv refcount issues seen when using NFS LOCALIO and then attempting to stop the NFSD service. Fixes: 20b1d75fb840 ("NFSv4/flexfiles: Add support for striped layouts") Signed-off-by: Mike Snitzer Signed-off-by: Anna Schumaker commit 927069c4ac2cd1a37efa468596fb5b8f86db9df0 Author: Jens Axboe Date: Mon Oct 13 12:05:31 2025 -0600 Revert "io_uring/rw: drop -EOPNOTSUPP check in __io_complete_rw_common()" This reverts commit 90bfb28d5fa8127a113a140c9791ea0b40ab156a. Kevin reports that this commit causes an issue for him with LVM snapshots, most likely because of turning off NOWAIT support while a snapshot is being created. This makes -EOPNOTSUPP bubble back through the completion handler, where io_uring read/write handling should just retry it. Reinstate the previous check removed by the referenced commit. Cc: stable@vger.kernel.org Fixes: 90bfb28d5fa8 ("io_uring/rw: drop -EOPNOTSUPP check in __io_complete_rw_common()") Reported-by: Salvatore Bonaccorso Reported-by: Kevin Lumik Link: https://lore.kernel.org/io-uring/cceb723c-051b-4de2-9a4c-4aa82e1619ee@kernel.dk/ Signed-off-by: Jens Axboe commit 079ae5118e1f0dcf5b1ab68ffdb5760b06ed79a2 Author: Jonathan Kim Date: Wed Jun 18 10:31:15 2025 -0400 drm/amdkfd: fix suspend/resume all calls in mes based eviction path Suspend/resume all gangs should be done with the device lock is held. Signed-off-by: Jonathan Kim Acked-by: Alex Deucher Reviewed-by: Harish Kasiviswanathan Signed-off-by: Alex Deucher commit 277bb0f83e98261018ddd82b7ab8154bb9b93237 Author: Jonathan Kim Date: Thu Jun 5 10:18:37 2025 -0400 drm/amdgpu: enable suspend/resume all for gfx 12 Suspend/resume all gangs has been available for GFX12 for a while now so enable it. Signed-off-by: Jonathan Kim Acked-by: Alex Deucher Signed-off-by: Alex Deucher commit 0ef930e1faca6418316e5b9a3b4d1f6ae9e5b240 Author: Jonathan Kim Date: Thu Oct 9 11:28:19 2025 -0400 drm/amdgpu: fix hung reset queue array memory allocation By design the MES will return an array result that is twice the number of hung doorbells it can report. i.e. if up k reported doorbells are supported, then the second half of the array, also of length k, holds the HQD information (type/queue/pipe) where queue 1 corresponds to index 0 and k, queue 2 corresponds to index 1 and k + 1 etc ... The driver will use the HDQ info to target queue/pipe reset for hardware scheduled user compute queues. Signed-off-by: Jonathan Kim Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher commit 8745ca5efb2aad0b6591d9b8cd48573ea49c929d Author: Jonathan Kim Date: Thu Oct 9 10:48:09 2025 -0400 drm/amdgpu: fix initialization of doorbell array for detect and hang Initialized doorbells should be set to invalid rather than 0 to prevent driver from over counting hung doorbells since it checks against the invalid value to begin with. Signed-off-by: Jonathan Kim Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher commit d0de79f66a80eeb849033fae34bd07a69ce72235 Author: Jonathan Kim Date: Thu Oct 9 10:45:42 2025 -0400 drm/amdgpu: fix gfx12 mes packet status return check GFX12 MES uses low 32 bits of status return for success (1 or 0) and high bits for debug information if low bits are 0. GFX11 MES doesn't do this so checking full 64-bit status return for 1 or 0 is still valid. Signed-off-by: Jonathan Kim Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit 883f309add55060233bf11c1ea6947140372920f Author: Jesse.Zhang Date: Mon Oct 13 13:46:12 2025 +0800 drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices Previously, APU platforms (and other scenarios with uninitialized VRAM managers) triggered a NULL pointer dereference in `ttm_resource_manager_usage()`. The root cause is not that the `struct ttm_resource_manager *man` pointer itself is NULL, but that `man->bdev` (the backing device pointer within the manager) remains uninitialized (NULL) on APUs—since APUs lack dedicated VRAM and do not fully set up VRAM manager structures. When `ttm_resource_manager_usage()` attempts to acquire `man->bdev->lru_lock`, it dereferences the NULL `man->bdev`, leading to a kernel OOPS. 1. **amdgpu_cs.c**: Extend the existing bandwidth control check in `amdgpu_cs_get_threshold_for_moves()` to include a check for `ttm_resource_manager_used()`. If the manager is not used (uninitialized `bdev`), return 0 for migration thresholds immediately—skipping VRAM-specific logic that would trigger the NULL dereference. 2. **amdgpu_kms.c**: Update the `AMDGPU_INFO_VRAM_USAGE` ioctl and memory info reporting to use a conditional: if the manager is used, return the real VRAM usage; otherwise, return 0. This avoids accessing `man->bdev` when it is NULL. 3. **amdgpu_virt.c**: Modify the vf2pf (virtual function to physical function) data write path. Use `ttm_resource_manager_used()` to check validity: if the manager is usable, calculate `fb_usage` from VRAM usage; otherwise, set `fb_usage` to 0 (APUs have no discrete framebuffer to report). This approach is more robust than APU-specific checks because it: - Works for all scenarios where the VRAM manager is uninitialized (not just APUs), - Aligns with TTM's design by using its native helper function, - Preserves correct behavior for discrete GPUs (which have fully initialized `man->bdev` and pass the `ttm_resource_manager_used()` check). v4: use ttm_resource_manager_used(&adev->mman.vram_mgr.manager) instead of checking the adev->gmc.is_app_apu flag (Christian) Reviewed-by: Christian König Suggested-by: Lijo Lazar Signed-off-by: Jesse Zhang Signed-off-by: Alex Deucher commit 33cc891b56b93cad1a83263eaf2e417436f70c82 Author: Christian König Date: Tue Oct 7 10:10:52 2025 +0200 drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM Otherwise accessing them can cause a crash. Signed-off-by: Christian König Tested-by: Mangesh Gadre Acked-by: Alex Deucher Reviewed-by: Arunpravin Paneer Selvam Signed-off-by: Alex Deucher commit 74de0eaa00eac2e0cbad1dda6dcf8f44ab27629e Author: Sathishkumar S Date: Fri Oct 10 23:32:40 2025 +0530 drm/amdgpu: fix bit shift logic BIT_ULL(n) sets nth bit, remove explicit shift and set the position Fixes: a7a411e24626 ("drm/amdgpu: fix shift-out-of-bounds in amdgpu_debugfs_jpeg_sched_mask_set") Signed-off-by: Sathishkumar S Reviewed-by: Leo Liu Signed-off-by: Alex Deucher commit 6917112af2ba36c5f19075eb9f2933ffd07e55bf Author: Timur Kristóf Date: Mon Oct 13 08:06:42 2025 +0200 drm/amd/powerplay: Fix CIK shutdown temperature Remove extra multiplication. CIK GPUs such as Hawaii appear to use PP_TABLE_V0 in which case the shutdown temperature is hardcoded in smu7_init_dpm_defaults and is already multiplied by 1000. The value was mistakenly multiplied another time by smu7_get_thermal_temperature_range. Fixes: 4ba082572a42 ("drm/amd/powerplay: export the thermal ranges of VI asics (V2)") Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/1676 Reviewed-by: Alex Deucher Signed-off-by: Timur Kristóf Signed-off-by: Alex Deucher commit ef38b4eab146715bc68d45029257f5e69ea3f2cd Author: Alex Deucher Date: Fri Oct 10 16:40:57 2025 -0400 drm/amdgpu: drop unused structures in amdgpu_drm.h These were never used and are duplicated with the interface that is used. Maybe leftovers from a previous revision of the patch that added them. Fixes: 90c448fef312 ("drm/amdgpu: add new AMDGPU_INFO subquery for userq objects") Reviewed-by: Prike Liang Signed-off-by: Alex Deucher commit 6df8e84aa6b5b1812cc2cacd6b3f5ccbb18cda2b Author: Gui-Dong Han Date: Wed Oct 8 03:43:27 2025 +0000 drm/amdgpu: use atomic functions with memory barriers for vm fault info The atomic variable vm_fault_info_updated is used to synchronize access to adev->gmc.vm_fault_info between the interrupt handler and get_vm_fault_info(). The default atomic functions like atomic_set() and atomic_read() do not provide memory barriers. This allows for CPU instruction reordering, meaning the memory accesses to vm_fault_info and the vm_fault_info_updated flag are not guaranteed to occur in the intended order. This creates a race condition that can lead to inconsistent or stale data being used. The previous implementation, which used an explicit mb(), was incomplete and inefficient. It failed to account for all potential CPU reorderings, such as the access of vm_fault_info being reordered before the atomic_read of the flag. This approach is also more verbose and less performant than using the proper atomic functions with acquire/release semantics. Fix this by switching to atomic_set_release() and atomic_read_acquire(). These functions provide the necessary acquire and release semantics, which act as memory barriers to ensure the correct order of operations. It is also more efficient and idiomatic than using explicit full memory barriers. Fixes: b97dfa27ef3a ("drm/amdgpu: save vm fault information for amdkfd") Cc: stable@vger.kernel.org Signed-off-by: Gui-Dong Han Signed-off-by: Felix Kuehling Reviewed-by: Felix Kuehling Signed-off-by: Alex Deucher commit ff780f4f80323148d43198f2052c14160c8428d3 Author: Alex Deucher Date: Wed Sep 3 13:48:23 2025 -0400 drm/amdgpu: set an error on all fences from a bad context When we backup ring contents to reemit after a queue reset, we don't backup ring contents from the bad context. When we signal the fences, we should set an error on those fences as well. v2: misc cleanups v3: add locking for fence error, fix comment (Christian) v4: fix wrap around, locking (Christian) Fixes: 77cc0da39c7c ("drm/amdgpu: track ring state associated with a fence") Reviewed-by: Christian König Signed-off-by: Alex Deucher commit 1f22fcb88bfef26a966e9eb242c692c6bf253d47 Author: Alex Deucher Date: Mon Sep 15 12:37:32 2025 -0400 drm/amdgpu: handle wrap around in reemit handling Compare the sequence numbers directly. Fixes: 77cc0da39c7c ("drm/amdgpu: track ring state associated with a fence") Reviewed-by: Christian König Signed-off-by: Alex Deucher commit 357d90be2c7aaa526a840cddffd2b8d676fe75a6 Author: Alex Deucher Date: Fri Sep 26 17:31:32 2025 -0400 drm/amdgpu: fix handling of harvesting for ip_discovery firmware Chips which use the IP discovery firmware loaded by the driver reported incorrect harvesting information in the ip discovery table in sysfs because the driver only uses the ip discovery firmware for populating sysfs and not for direct parsing for the driver itself as such, the fields that are used to print the harvesting info in sysfs report incorrect data for some IPs. Populate the relevant fields for this case as well. Fixes: 514678da56da ("drm/amdgpu/discovery: fix fw based ip discovery") Acked-by: Tom St Denis Reviewed-by: Lijo Lazar Signed-off-by: Alex Deucher commit 8f74c70be57527d7b79e2ecf6de1a154d148254d Author: Christian König Date: Mon Sep 22 14:18:16 2025 +0200 drm/amdgpu: block CE CS if not explicitely allowed by module option The Constant Engine found on gfx6-gfx10 HW has been a notorious source of problems. RADV never used it in the first place, radeonsi only used it for a few releases around 2017 for gfx6-gfx9 before dropping support for it as well. While investigating another problem I just recently found that submitting to the CE seems to be completely broken on gfx9 for quite a while. Since nobody complained about that problem it most likely means that nobody is using any of the affected radeonsi versions on current Linux kernels any more. So to potentially phase out the support for the CE and eliminate another source of problems block submitting CE IBs unless it is enabled again using a debug flag. Signed-off-by: Christian König Reviewed-by: Alex Deucher Acked-by: Timur Kristóf Signed-off-by: Alex Deucher commit 5d55ed19d4190d2c210ac05ac7a53f800a8c6fe5 Author: Christian König Date: Wed Aug 27 14:47:23 2025 +0200 drm/amdgpu: remove two invalid BUG_ON()s Those can be triggered trivially by userspace. Signed-off-by: Christian König Reviewed-by: Alex Deucher Acked-by: Timur Kristóf Signed-off-by: Alex Deucher commit 7bdd91abf0cb3ea78160e2e78fb58b12f6a38d55 Author: Timur Kristóf Date: Fri Sep 26 20:26:13 2025 +0200 drm/amd: Disable ASPM on SI Enabling ASPM causes randoms hangs on Tahiti and Oland on Zen4. It's unclear if this is a platform-specific or GPU-specific issue. Disable ASPM on SI for the time being. Reviewed-by: Alex Deucher Signed-off-by: Timur Kristóf Signed-off-by: Alex Deucher commit 5c05bcf6ae7732da1bd4dc1958d527b5f07f216a Author: Timur Kristóf Date: Fri Sep 26 20:26:12 2025 +0200 drm/amd/pm: Disable MCLK switching on SI at high pixel clocks On various SI GPUs, a flickering can be observed near the bottom edge of the screen when using a single 4K 60Hz monitor over DP. Disabling MCLK switching works around this problem. Reviewed-by: Alex Deucher Signed-off-by: Timur Kristóf Signed-off-by: Alex Deucher commit 9858ea4c29c283f0a8a3cdbb42108d464ece90a8 Author: Matthew Schwartz Date: Thu Oct 9 14:19:00 2025 +0200 Revert "drm/amd/display: Only restore backlight after amdgpu_dm_init or dm_resume" This fix regressed the original issue that commit 7875afafba84 ("drm/amd/display: Fix brightness level not retained over reboot") solved, so revert it until a different approach to solve the regression that it caused with AMD_PRIVATE_COLOR is found. Fixes: a490c8d77d50 ("drm/amd/display: Only restore backlight after amdgpu_dm_init or dm_resume") Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4620 Cc: stable@vger.kernel.org Signed-off-by: Matthew Schwartz Signed-off-by: Alex Deucher commit 86af6b90e0556fcefbc6e98eb78bdce90327ee76 Author: Ville Syrjälä Date: Fri Oct 3 17:57:31 2025 +0300 drm/i915/fb: Fix the set_tiling vs. addfb race, again intel_frontbuffer_get() is what locks out subsequent set_tiling changes to the bo. Thus the fence vs. modifier check must be done after intel_frontbuffer_get(), or else a concurrent set_tiling ioctl might sneak in and change the fence after the check has been done. Close the race again. See commit dd689287b977 ("drm/i915: Prevent concurrent tiling/framebuffer modifications") for the previous instance. v2: Reorder intel_user_framebuffer_destroy() to match the unwind (Jani) Cc: Jouni Högander Reviewed-by: Jani Nikula Fixes: 10690b8a49bc ("drm/i915/display: Add intel_fb_bo_framebuffer_fini") Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20251003145734.7634-3-ville.syrjala@linux.intel.com (cherry picked from commit 1d1e4ded216017f8febd91332ee337f0e0e79285) Signed-off-by: Rodrigo Vivi commit 760039c95c78490c5c66ef584fcd536797ed6a2f Author: Ville Syrjälä Date: Fri Oct 3 17:57:30 2025 +0300 drm/i915/frontbuffer: Move bo refcounting intel_frontbuffer_{get,release}() Currently xe's intel_frontbuffer implementation forgets to hold a reference on the bo. This makes the entire thing extremely fragile as the cleanup order now depends on bo references held by other things (namely intel_fb_bo_framebuffer_fini()). Move the bo refcounting to intel_frontbuffer_{get,release}() so that both i915 and xe do this the same way. I first tried to fix this by having xe do the refcounting from its intel_bo_set_frontbuffer() implementation (which is what i915 does currently), but turns out xe's drm_gem_object_free() can sleep and thus drm_gem_object_put() isn't safe to call while we hold fb_tracking.lock. Fixes: 10690b8a49bc ("drm/i915/display: Add intel_fb_bo_framebuffer_fini") Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20251003145734.7634-2-ville.syrjala@linux.intel.com Reviewed-by: Jani Nikula (cherry picked from commit eb4d490729a5fd8dc5a76d334f8d01fec7c14bbe) Signed-off-by: Rodrigo Vivi commit 1696b0cfcf004a3af34ffe4c57a14e837ef18144 Author: Zhanjun Dong Date: Mon Sep 29 11:29:04 2025 -0400 drm/i915/guc: Skip communication warning on reset in progress GuC IRQ and tasklet handler receive just single G2H message, and let other messages to be received from next tasklet. During this chained tasklet process, if reset process started, communication will be disabled. Skip warning for this condition. Fixes: 65dd4ed0f4e1 ("drm/i915/guc: Don't receive all G2H messages in irq handler") Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15018 Signed-off-by: Zhanjun Dong Reviewed-by: Vinay Belgaumkar Signed-off-by: Daniele Ceraolo Spurio Link: https://lore.kernel.org/r/20250929152904.269776-1-zhanjun.dong@intel.com (cherry picked from commit 604b5ee4a653a70979ce689dbd6a5d942eb016bf) Signed-off-by: Rodrigo Vivi commit e0b5a7967dec05144bc98125f98c47f74fd1152b Author: Oliver Upton Date: Wed Sep 24 16:51:50 2025 -0700 KVM: arm64: nv: Use FGT write trap of MDSCR_EL1 when available Marc reports that the performance of running an L3 guest has regressed by 60% as a result of setting MDCR_EL2.TDA to hide bad architecture. That's of course terrible for the single user of recursive NV ;-) While there's nothing to be done on non-FGT systems, take advantage of the precise write trap of MDSCR_EL1 and leave the rest of the debug registers untrapped. Reported-by: Marc Zyngier Signed-off-by: Oliver Upton Reviewed-by: Joey Gouly Signed-off-by: Marc Zyngier commit fb10ddf35c1cc3b2888a944c0a3b1aa3baea585e Author: Oliver Upton Date: Wed Sep 24 16:51:49 2025 -0700 KVM: arm64: Compute per-vCPU FGTs at vcpu_load() To date KVM has used the fine-grained traps for the sake of UNDEF enforcement (so-called FGUs), meaning the constituent parts could be computed on a per-VM basis and folded into the effective value when programmed. Prepare for traps changing based on the vCPU context by computing the whole mess of them at vcpu_load(). Aggressively inline all the helpers to preserve the build-time checks that were there before. Signed-off-by: Oliver Upton Reviewed-by: Joey Gouly Signed-off-by: Marc Zyngier commit 5c7cf1e44e94a5408b1b5277810502b0f82b77fe Author: Marc Zyngier Date: Mon Sep 29 17:04:57 2025 +0100 KVM: arm64: selftests: Fix misleading comment about virtual timer encoding The userspace-visible encoding for CNTV_CVAL_EL0 and CNTVCNT_EL0 have been swapped for as long as usersapce has had access to the registers. This is documented in arch/arm64/include/uapi/asm/kvm.h. Despite that, the get_reg_list test has unhelpful comments indicating the wrong register for the encoding. Replace this with definitions exposed in the include file, and a comment explaining again the brokenness. Signed-off-by: Marc Zyngier commit 4da5a9af78b74fb771a4d25dc794296d10e170b1 Author: Marc Zyngier Date: Mon Sep 29 17:04:56 2025 +0100 KVM: arm64: selftests: Add an E2H=0-specific configuration to get_reg_list Add yet another configuration, this time dealing E2H=0. Signed-off-by: Marc Zyngier commit 6418330c8478735f625398bc4e96d3ac6ce1e055 Author: Marc Zyngier Date: Mon Sep 29 17:04:55 2025 +0100 KVM: arm64: selftests: Make dependencies on VHE-specific registers explicit The hyp virtual timer registers only exist when VHE is present, Similarly, VNCR_EL2 only exists when NV2 is present. Make these dependencies explicit. Signed-off-by: Marc Zyngier commit 386aac77da112651a5cdadc4a6b29181592f5aa0 Author: Marc Zyngier Date: Mon Sep 29 17:04:54 2025 +0100 KVM: arm64: Kill leftovers of ad-hoc timer userspace access Now that the whole timer infrastructure is handled as system register accesses, get rid of the now unused ad-hoc infrastructure. Signed-off-by: Marc Zyngier commit 892f7c38ba3b7de19b3dffb8e148d5fbf1228f20 Author: Marc Zyngier Date: Mon Sep 29 17:04:53 2025 +0100 KVM: arm64: Fix WFxT handling of nested virt The spec for WFxT indicates that the parameter to the WFxT instruction is relative to the reading of CNTVCT_EL0. This means that the implementation needs to take the execution context into account, as CNTVOFF_EL2 does not always affect readings of CNTVCT_EL0 (such as when HCR_EL2.E2H is 1 and that we're in host context). This also rids us of the last instance of KVM_REG_ARM_TIMER_CNT outside of the userspace interaction code. Signed-off-by: Marc Zyngier commit c3be3a48fb18f9d243fac452e0be41469bb246b4 Author: Marc Zyngier Date: Mon Sep 29 17:04:52 2025 +0100 KVM: arm64: Move CNT*CT_EL0 userspace accessors to generic infrastructure Moving the counter registers is a bit more involved than for the control and comparator (there is no shadow data for the counter), but still pretty manageable. Reviewed-by: Joey Gouly Signed-off-by: Marc Zyngier commit 8af198980eff2ed2a5df3d2ee39f8c9d61f40559 Author: Marc Zyngier Date: Mon Sep 29 17:04:51 2025 +0100 KVM: arm64: Move CNT*_CVAL_EL0 userspace accessors to generic infrastructure As for the control registers, move the comparator registers to the common infrastructure. Signed-off-by: Marc Zyngier commit 09424d5d7d4e8b427ee4a737fb7765103789e08a Author: Marc Zyngier Date: Mon Sep 29 17:04:50 2025 +0100 KVM: arm64: Move CNT*_CTL_EL0 userspace accessors to generic infrastructure Remove the handling of CNT*_CTL_EL0 from guest.c, and move it to sys_regs.c, using a new TIMER_REG() definition to encapsulate it. Signed-off-by: Marc Zyngier commit 77a0c42eaf03c66936429d190bb2ea1a214bd528 Author: Marc Zyngier Date: Mon Sep 29 17:04:49 2025 +0100 KVM: arm64: Add timer UAPI workaround to sysreg infrastructure Amongst the numerous bugs that plague the KVM/arm64 UAPI, one of the most annoying thing is that the userspace view of the virtual timer has its CVAL and CNT encodings swapped. In order to reduce the amount of code that has to know about this, start by adding handling for this bug in the sys_reg code. Nothing is making use of it yet, as the code responsible for userspace interaction is catching the accesses early. Signed-off-by: Marc Zyngier commit a92d552266890f83126fdef4f777a985cc1302bd Author: Marc Zyngier Date: Mon Sep 29 17:04:48 2025 +0100 KVM: arm64: Make timer_set_offset() generally accessible Move the timer_set_offset() helper to arm_arch_timer.h, so that it is next to timer_get_offset(), and accessible by the rest of KVM. Signed-off-by: Marc Zyngier commit 8625a670afb05f1e1d69d50a74dbcc9d1b855efe Author: Marc Zyngier Date: Mon Sep 29 17:04:47 2025 +0100 KVM: arm64: Replace timer context vcpu pointer with timer_id Having to follow a pointer to a vcpu is pretty dumb, when the timers are are a fixed offset in the vcpu structure itself. Trade the vcpu pointer for a timer_id, which can then be used to compute the vcpu address as needed. Reviewed-by: Joey Gouly Signed-off-by: Marc Zyngier commit aa68975c973ed3b0bd4ff513113495588afb855c Author: Marc Zyngier Date: Mon Sep 29 17:04:46 2025 +0100 KVM: arm64: Introduce timer_context_to_vcpu() helper We currently have a vcpu pointer nested into each timer context. As we are about to remove this pointer, introduce a helper (aptly named timer_context_to_vcpu()) that returns this pointer, at least until we repaint the data structure. Signed-off-by: Marc Zyngier commit 4cab5c857d1f92b4b322e30349fdc5e2e38e7a2f Author: Marc Zyngier Date: Mon Sep 29 17:04:45 2025 +0100 KVM: arm64: Hide CNTHV_*_EL2 from userspace for nVHE guests Although we correctly UNDEF any CNTHV_*_EL2 access from the guest when E2H==0, we still expose these registers to userspace, which is a bad idea. Drop the ad-hoc UNDEF injection and switch to a .visibility() callback which will also hide the register from userspace. Fixes: 0e45981028550 ("KVM: arm64: timer: Don't adjust the EL2 virtual timer offset") Signed-off-by: Marc Zyngier commit 164ecbf73c3ea61455e07eefdad8050a7b569558 Author: Sascha Bischoff Date: Tue Oct 7 15:48:54 2025 +0000 Documentation: KVM: Update GICv3 docs for GICv5 hosts GICv5 hosts optionally include FEAT_GCIE_LEGACY, which allows them to execute GICv3-based VMs on GICv5 hardware. Update the GICv3 documentation to reflect this now that GICv3 guests are supports on compatible GICv5 hosts. Signed-off-by: Sascha Bischoff Signed-off-by: Marc Zyngier commit 3193287ddffbce29fd1a79d812f543c0fe4861d1 Author: Sascha Bischoff Date: Tue Oct 7 16:07:13 2025 +0000 KVM: arm64: gic-v3: Only set ICH_HCR traps for v2-on-v3 or v3 guests The ICH_HCR_EL2 traps are used when running on GICv3 hardware, or when running a GICv3-based guest using FEAT_GCIE_LEGACY on GICv5 hardware. When running a GICv2 guest on GICv3 hardware the traps are used to ensure that the guest never sees any part of GICv3 (only GICv2 is visible to the guest), and when running a GICv3 guest they are used to trap in specific scenarios. They are not applicable for a GICv2-native guest, and won't be applicable for a(n upcoming) GICv5 guest. The traps themselves are configured in the vGIC CPU IF state, which is stored as a union. Updating the wrong aperture of the union risks corrupting state, and therefore needs to be avoided at all costs. Bail early if we're not running a compatible guest (GICv2 on GICv3 hardware, GICv3 native, GICv3 on GICv5 hardware). Trap everything unconditionally if we're running a GICv2 guest on GICv3 hardware. Otherwise, conditionally set up GICv3-native trapping. Signed-off-by: Sascha Bischoff Signed-off-by: Marc Zyngier commit d5e6310a0d996493b1af9f3eeec418350523388b Author: Oliver Upton Date: Tue Oct 7 12:52:55 2025 -0700 KVM: arm64: selftests: Actually enable IRQs in vgic_lpi_stress vgic_lpi_stress rather hilariously leaves IRQs disabled for the duration of the test. While the ITS translation of MSIs happens regardless of this, for completeness the guest should actually handle the LPIs. Signed-off-by: Oliver Upton Reviewed-by: Zenghui Yu Signed-off-by: Marc Zyngier commit 2192d348c0aa0cc2e7249dc3709f21bfe0a0170c Author: Zenghui Yu Date: Wed Oct 8 23:45:20 2025 +0800 KVM: arm64: selftests: Allocate vcpus with correct size vcpus array contains pointers to struct kvm_vcpu {}. It is way overkill to allocate the array with (nr_cpus * sizeof(struct kvm_vcpu)). Fix the allocation by using the correct size. Signed-off-by: Zenghui Yu Signed-off-by: Marc Zyngier commit c35dd838666d47de2848639234ec32e3ba22b49f Author: Mukesh Ojha Date: Fri Oct 10 23:17:07 2025 +0530 KVM: arm64: Guard PMSCR_EL1 initialization with SPE presence check Commit efad60e46057 ("KVM: arm64: Initialize PMSCR_EL1 when in VHE") does not perform sufficient check before initializing PMSCR_EL1 to 0 when running in VHE mode. On some platforms, this causes the system to hang during boot, as EL3 has not delegated access to the Profiling Buffer to the Non-secure world, nor does it reinject an UNDEF on sysreg trap. To avoid this issue, restrict the PMSCR_EL1 initialization to CPUs that support Statistical Profiling Extension (FEAT_SPE) and have the Profiling Buffer accessible in Non-secure EL1. This is determined via a new helper `cpu_has_spe()` which checks both PMSVer and PMBIDR_EL1.P. This ensures the initialization only affects CPUs where SPE is implemented and usable, preventing boot failures on platforms where SPE is not properly configured. Fixes: efad60e46057 ("KVM: arm64: Initialize PMSCR_EL1 when in VHE") Signed-off-by: Mukesh Ojha Signed-off-by: Marc Zyngier commit 1ef0e16c3d7ca07432987840d8eef1a9ffb67dec Author: Stefan Metzmacher Date: Sun Oct 12 21:10:29 2025 +0200 smb: client: let destroy_mr_list() call ib_dereg_mr() before ib_dma_unmap_sg() This is more consistent as we call ib_dma_unmap_sg() only when the memory is no longer registered. This is the same pattern as calling ib_dma_unmap_sg() after IB_WR_LOCAL_INV. Fixes: c7398583340a ("CIFS: SMBD: Implement RDMA memory registration") Cc: Steve French Cc: Tom Talpey Cc: Long Li Cc: Namjae Jeon Cc: linux-cifs@vger.kernel.org Cc: samba-technical@lists.samba.org Signed-off-by: Stefan Metzmacher Signed-off-by: Steve French commit b9c0becc2fceb53e4a958575344e92c0e4f812bb Author: Stefan Metzmacher Date: Sun Oct 12 21:10:28 2025 +0200 smb: client: call ib_dma_unmap_sg if mr->sgt.nents is not 0 This seems to be the more reliable way to check if we need to call ib_dma_unmap_sg(). Fixes: c7398583340a ("CIFS: SMBD: Implement RDMA memory registration") Cc: Steve French Cc: Tom Talpey Cc: Long Li Cc: Namjae Jeon Cc: linux-cifs@vger.kernel.org Cc: samba-technical@lists.samba.org Signed-off-by: Stefan Metzmacher Signed-off-by: Steve French commit 56c817e31acedc8a9041b181a15755e5a7b55f2b Author: Stefan Metzmacher Date: Sun Oct 12 21:10:27 2025 +0200 smb: client: improve logic in smbd_deregister_mr() - use 'mr' as variable name - style fixes This will make further changes easier. Cc: Steve French Cc: Tom Talpey Cc: Long Li Cc: Namjae Jeon Cc: linux-cifs@vger.kernel.org Cc: samba-technical@lists.samba.org Signed-off-by: Stefan Metzmacher Signed-off-by: Steve French commit c8478502960eb8fb9847b36a66380adf421cdc62 Author: Stefan Metzmacher Date: Sun Oct 12 21:10:26 2025 +0200 smb: client: improve logic in smbd_register_mr() - use 'mr' as variable name - style fixes This will make further changes easier. Cc: Steve French Cc: Tom Talpey Cc: Long Li Cc: Namjae Jeon Cc: linux-cifs@vger.kernel.org Cc: samba-technical@lists.samba.org Signed-off-by: Stefan Metzmacher Signed-off-by: Steve French commit 9bebb8924b27f06e7072f0b18a5f78cef561c810 Author: Stefan Metzmacher Date: Sun Oct 12 21:10:25 2025 +0200 smb: client: improve logic in allocate_mr_list() - use 'mr' as variable name - use goto lables for easier cleanup - use destroy_mr_list() - style fixes - INIT_WORK(&sc->mr_io.recovery_work, smbd_mr_recovery_work) on success This will make further changes easier. Cc: Steve French Cc: Tom Talpey Cc: Long Li Cc: Namjae Jeon Cc: linux-cifs@vger.kernel.org Cc: samba-technical@lists.samba.org Signed-off-by: Stefan Metzmacher Signed-off-by: Steve French commit a8e128b293e2b08d4ecca7c63ed1cb5b97f30af9 Author: Stefan Metzmacher Date: Sun Oct 12 21:10:24 2025 +0200 smb: client: let destroy_mr_list() remove locked from the list This should make sure get_mr() can't see the removed entries. Cc: Steve French Cc: Tom Talpey Cc: Long Li Cc: Namjae Jeon Cc: linux-cifs@vger.kernel.org Cc: samba-technical@lists.samba.org Signed-off-by: Stefan Metzmacher Signed-off-by: Steve French commit 19421ec198981f60373080af67e67b6a6fcf191e Author: Stefan Metzmacher Date: Sun Oct 12 21:10:23 2025 +0200 smb: client: let destroy_mr_list() call list_del(&mr->list) This makes the code clearer and will make further changes easier. Cc: Steve French Cc: Tom Talpey Cc: Long Li Cc: Namjae Jeon Cc: linux-cifs@vger.kernel.org Cc: samba-technical@lists.samba.org Signed-off-by: Stefan Metzmacher Signed-off-by: Steve French commit abe5b71c391352127925bf951f3169d205c5caa7 Author: Stefan Metzmacher Date: Sun Oct 12 21:10:22 2025 +0200 smb: client: change smbd_deregister_mr() to return void No callers checks the return value and this makes further changes easier. Cc: Steve French Cc: Tom Talpey Cc: Long Li Cc: Namjae Jeon Cc: linux-cifs@vger.kernel.org Cc: samba-technical@lists.samba.org Signed-off-by: Stefan Metzmacher Signed-off-by: Steve French commit e487f13cc94fa80c71f217d7b176e48fbb5d6c46 Author: Stefan Metzmacher Date: Sun Oct 12 21:10:21 2025 +0200 smb: smbdirect: introduce smbdirect_mr_io.{kref,mutex} and SMBDIRECT_MR_DISABLED This will be used in the next commits in order to improve the client code. A broken connection can just disable the smbdirect_mr_io while keeping the memory arround for the caller. Cc: Steve French Cc: Tom Talpey Cc: Long Li Cc: Namjae Jeon Cc: linux-cifs@vger.kernel.org Cc: samba-technical@lists.samba.org Signed-off-by: Stefan Metzmacher Signed-off-by: Steve French commit 911063b590ce77d473e92716f05f34712f97ef95 Author: Markus Elfring Date: Fri Oct 10 14:48:13 2025 +0200 smb: client: Omit one redundant variable assignment in cifs_xattr_set() The local variable “rc” is assigned a value in an if branch without using it before it is reassigned there. Thus delete this assignment statement. Signed-off-by: Markus Elfring Signed-off-by: Steve French commit b9ce79887e270ed64ed499aa69f903cdca401c2f Author: Markus Elfring Date: Fri Oct 10 21:04:16 2025 +0200 smb: client: Return a status code only as a constant in sid_to_id() Return a status code without storing it in an intermediate variable. This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring Signed-off-by: Steve French commit 9a7f87eb587da49993f47f44c4c5535d8de76750 Author: Zenghui Yu Date: Sun Oct 12 23:43:52 2025 +0800 KVM: arm64: selftests: Sync ID_AA64PFR1, MPIDR, CLIDR in guest We forgot to sync several registers (ID_AA64PFR1, MPIDR, CLIDR) in guest to make sure that the guest had seen the written value. Add them to the list. Signed-off-by: Zenghui Yu Reviewed-By: Ben Horgan Signed-off-by: Marc Zyngier commit 05a02490faeb952f1c8d2f5c38346fa0a717a483 Author: Osama Abdelkader Date: Tue Sep 30 16:56:21 2025 +0300 KVM: arm64: Remove unreachable break after return Remove an unnecessary 'break' statement that follows a 'return' in arch/arm64/kvm/at.c. The break is unreachable. Signed-off-by: Osama Abdelkader Reviewed-by: Zenghui Yu Signed-off-by: Marc Zyngier commit a133052666bed0dc0b169952e9d3f9e6b2125f9a Author: Oliver Upton Date: Tue Sep 30 12:33:02 2025 -0700 KVM: selftests: Fix irqfd_test for non-x86 architectures The KVM_IRQFD ioctl fails if no irqchip is present in-kernel, which isn't too surprising as there's not much KVM can do for an IRQ if it cannot resolve a destination. As written the irqfd_test assumes that a 'default' VM created in selftests has an in-kernel irqchip created implicitly. That may be the case on x86 but it isn't necessarily true on other architectures. Add an arch predicate indicating if 'default' VMs get an irqchip and make the irqfd_test depend on it. Work around arm64 VGIC initialization requirements by using vm_create_with_one_vcpu(), ignoring the created vCPU as it isn't used for the test. Reported-by: Sebastian Ott Reported-by: Naresh Kamboju Acked-by: Sean Christopherson Fixes: 7e9b231c402a ("KVM: selftests: Add a KVM_IRQFD test to verify uniqueness requirements") Signed-off-by: Oliver Upton Signed-off-by: Marc Zyngier commit cc4309324dc695f62d25d56c0b29805e9724170c Author: Oliver Upton Date: Tue Sep 30 16:36:20 2025 -0700 KVM: arm64: Document vCPU event ioctls as requiring init'ed vCPU KVM rejects calls to KVM_{GET,SET}_VCPU_EVENTS for an uninitialized vCPU as of commit cc96679f3c03 ("KVM: arm64: Prevent access to vCPU events before init"). Update the corresponding API documentation. Signed-off-by: Oliver Upton Signed-off-by: Marc Zyngier commit 0aa1b76fe1429629215a7c79820e4b96233ac4a3 Author: Oliver Upton Date: Tue Sep 30 01:52:37 2025 -0700 KVM: arm64: Prevent access to vCPU events before init Another day, another syzkaller bug. KVM erroneously allows userspace to pend vCPU events for a vCPU that hasn't been initialized yet, leading to KVM interpreting a bunch of uninitialized garbage for routing / injecting the exception. In one case the injection code and the hyp disagree on whether the vCPU has a 32bit EL1 and put the vCPU into an illegal mode for AArch64, tripping the BUG() in exception_target_el() during the next injection: kernel BUG at arch/arm64/kvm/inject_fault.c:40! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP CPU: 3 UID: 0 PID: 318 Comm: repro Not tainted 6.17.0-rc4-00104-g10fd0285305d #6 PREEMPT Hardware name: linux,dummy-virt (DT) pstate: 21402009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : exception_target_el+0x88/0x8c lr : pend_serror_exception+0x18/0x13c sp : ffff800082f03a10 x29: ffff800082f03a10 x28: ffff0000cb132280 x27: 0000000000000000 x26: 0000000000000000 x25: ffff0000c2a99c20 x24: 0000000000000000 x23: 0000000000008000 x22: 0000000000000002 x21: 0000000000000004 x20: 0000000000008000 x19: ffff0000c2a99c20 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 00000000200000c0 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 x8 : ffff800082f03af8 x7 : 0000000000000000 x6 : 0000000000000000 x5 : ffff800080f621f0 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 000000000040009b x1 : 0000000000000003 x0 : ffff0000c2a99c20 Call trace: exception_target_el+0x88/0x8c (P) kvm_inject_serror_esr+0x40/0x3b4 __kvm_arm_vcpu_set_events+0xf0/0x100 kvm_arch_vcpu_ioctl+0x180/0x9d4 kvm_vcpu_ioctl+0x60c/0x9f4 __arm64_sys_ioctl+0xac/0x104 invoke_syscall+0x48/0x110 el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xf0 el0t_64_sync_handler+0xa0/0xe4 el0t_64_sync+0x198/0x19c Code: f946bc01 b4fffe61 9101e020 17fffff2 (d4210000) Reject the ioctls outright as no sane VMM would call these before KVM_ARM_VCPU_INIT anyway. Even if it did the exception would've been thrown away by the eventual reset of the vCPU's state. Cc: stable@vger.kernel.org # 6.17 Fixes: b7b27facc7b5 ("arm/arm64: KVM: Add KVM_GET/SET_VCPU_EVENTS") Signed-off-by: Oliver Upton Signed-off-by: Marc Zyngier commit cb49b7b8622e914171e9eb7197c006320889e0fc Author: Sean Christopherson Date: Fri Sep 26 08:58:38 2025 -0700 KVM: arm64: selftests: Track width of timer counter as "int", not "uint64_t" Store the width of arm64's timer counter as an "int", not a "uint64_t". ilog2() returns an "int", and more importantly using what is an "unsigned long" under the hood makes clang unhappy due to a type mismatch when clamping the width to a sane value. arm64/arch_timer_edge_cases.c:1032:10: error: comparison of distinct pointer types ('typeof (width) *' (aka 'unsigned long *') and 'typeof (56) *' (aka 'int *')) [-Werror,-Wcompare-distinct-pointer-types] 1032 | width = clamp(width, 56, 64); | ^~~~~~~~~~~~~~~~~~~~ tools/include/linux/kernel.h:47:45: note: expanded from macro 'clamp' 47 | #define clamp(val, lo, hi) min((typeof(val))max(val, lo), hi) | ^~~~~~~~~~~~ tools/include/linux/kernel.h:33:17: note: expanded from macro 'max' 33 | (void) (&_max1 == &_max2); \ | ~~~~~~ ^ ~~~~~~ tools/include/linux/kernel.h:39:9: note: expanded from macro 'min' 39 | typeof(x) _min1 = (x); \ | ^ Fixes: fad4cf944839 ("KVM: arm64: selftests: Determine effective counter width in arch_timer_edge_cases") Cc: Sebastian Ott Signed-off-by: Sean Christopherson Reviewed-by: Oliver Upton Signed-off-by: Marc Zyngier commit 890c608b4d5e6a616693da92a2d4e7de4ab9e6c5 Author: Oliver Upton Date: Fri Sep 26 15:44:54 2025 -0700 KVM: arm64: selftests: Test effective value of HCR_EL2.AMO A defect against the architecture now allows an implementation to treat AMO as 1 when HCR_EL2.{E2H, TGE} = {1, 0}. KVM now takes advantage of this interpretation to address a quality of emulation issue w.r.t. SError injection. Add a corresponding test case and expect a pending SError to be taken. Signed-off-by: Oliver Upton Signed-off-by: Marc Zyngier commit a46c09b382eea3f9e3d16576096b987a2171fcca Author: Oliver Upton Date: Fri Sep 26 15:42:46 2025 -0700 KVM: arm64: Use the in-context stage-1 in __kvm_find_s1_desc_level() Running the external_aborts selftest at EL2 leads to an ugly splat due to the stage-1 MMU being disabled for the walked context, owing to the fact that __kvm_find_s1_desc_level() is hardcoded to the EL1&0 regime. Select the appropriate translation regime for the stage-1 walk based on the current vCPU context. Fixes: b8e625167a32 ("KVM: arm64: Add S1 IPA to page table level walker") Signed-off-by: Oliver Upton Signed-off-by: Marc Zyngier commit 9a1950f97741a23fc68a7b2cfd487e059d389be5 Author: Marc Zyngier Date: Fri Sep 26 12:41:08 2025 -0700 KVM: arm64: nv: Don't advance PC when pending an SVE exception Jan reports that running a nested guest on Neoverse-V2 leads to a WARN in the host due to simultaneously pending an exception and PC increment after an access to ZCR_EL2. Returning true from a sysreg accessor is an indication that the sysreg instruction has been retired. Of course this isn't the case when we've pended a synchronous SVE exception for the guest. Fix the return value and let the exception propagate to the guest as usual. Reported-by: Jan Kotas Closes: https://lore.kernel.org/kvmarm/865xd61tt5.wl-maz@kernel.org/ Signed-off-by: Oliver Upton Signed-off-by: Marc Zyngier commit ed25dcfbc4327570b28f0328a8e17d121434c0ea Author: Oliver Upton Date: Fri Sep 26 12:41:07 2025 -0700 KVM: arm64: nv: Don't treat ZCR_EL2 as a 'mapped' register Unlike the other mapped EL2 sysregs ZCR_EL2 isn't guaranteed to be resident when a vCPU is loaded as it actually follows the SVE context. As such, the contents of ZCR_EL1 may belong to another guest if the vCPU has been preempted before reaching sysreg emulation. Unconditionally use the in-memory value of ZCR_EL2 and switch to the memory-only accessors. The in-memory value is guaranteed to be valid as fpsimd_lazy_switch_to_{guest,host}() will restore/save the register appropriately. Signed-off-by: Oliver Upton Signed-off-by: Marc Zyngier commit ee70bacef1c6050e4836409927294d744dbcfa72 Author: Cristian Ciocaltea Date: Fri Oct 3 21:03:27 2025 +0300 ASoC: nau8821: Avoid unnecessary blocking in IRQ handler The interrupt handler offloads the microphone detection logic to nau8821_jdet_work(), which implies a sleep operation. However, before being able to process any subsequent hotplug event, the interrupt handler needs to wait for any prior scheduled work to complete. Move the sleep out of jdet_work by converting it to a delayed work. This eliminates the undesired blocking in the interrupt handler when attempting to cancel a recently scheduled work item and should help reducing transient input reports that might confuse user-space. Signed-off-by: Cristian Ciocaltea Link: https://patch.msgid.link/20251003-nau8821-jdet-fixes-v1-5-f7b0e2543f09@collabora.com Signed-off-by: Mark Brown commit 2b4eda7bf7d8a4e2f7575a98f55d8336dec0f302 Author: Cristian Ciocaltea Date: Fri Oct 3 21:03:26 2025 +0300 ASoC: nau8821: Add DMI quirk to bypass jack debounce circuit Stress testing the audio jack hotplug handling on a few Steam Deck units revealed that the debounce circuit is responsible for having a negative impact on the detection reliability, e.g. in some cases the ejection interrupt is not fired, while in other instances it goes into a kind of invalid state and generates a flood of misleading interrupts. Add new entries to the DMI table introduced via commit 1bc40efdaf4a ("ASoC: nau8821: Add DMI quirk mechanism for active-high jack-detect") and extend the quirk logic to allow bypassing the debounce circuit used for jack detection on Valve Steam Deck LCD and OLED models. While at it, rename existing NAU8821_JD_ACTIVE_HIGH quirk bitfield to NAU8821_QUIRK_JD_ACTIVE_HIGH. This should help improve code readability by differentiating from similarly named register bits. Fixes: aab1ad11d69f ("ASoC: nau8821: new driver") Signed-off-by: Cristian Ciocaltea Link: https://patch.msgid.link/20251003-nau8821-jdet-fixes-v1-4-f7b0e2543f09@collabora.com Signed-off-by: Mark Brown commit a698679fe8b0fec41d1fb9547a53127a85c1be92 Author: Cristian Ciocaltea Date: Fri Oct 3 21:03:25 2025 +0300 ASoC: nau8821: Consistently clear interrupts before unmasking The interrupt handler attempts to perform some IRQ status clear operations *after* rather than *before* unmasking and enabling interrupts. This is a rather fragile approach since it may generally lead to missing IRQ requests or causing spurious interrupts. Make use of the nau8821_irq_status_clear() helper instead of manipulating the related register directly and ensure any interrupt clearing is performed *after* the target interrupts are disabled/masked and *before* proceeding with additional interrupt unmasking/enablement operations. This also implicitly drops the redundant clear operation of the ejection IRQ in the interrupt handler, since nau8821_eject_jack() has been already responsible for clearing all active interrupts. Fixes: aab1ad11d69f ("ASoC: nau8821: new driver") Fixes: 2551b6e89936 ("ASoC: nau8821: Add headset button detection") Signed-off-by: Cristian Ciocaltea Link: https://patch.msgid.link/20251003-nau8821-jdet-fixes-v1-3-f7b0e2543f09@collabora.com Signed-off-by: Mark Brown commit 9273aa85b35cc02d0953a1ba3b7bd694e5a2c10e Author: Cristian Ciocaltea Date: Fri Oct 3 21:03:24 2025 +0300 ASoC: nau8821: Generalize helper to clear IRQ status Instead of adding yet another utility function for dealing with the interrupt clearing register, generalize nau8821_int_status_clear_all() by renaming it to nau8821_irq_status_clear(), whilst introducing a second parameter to allow restricting the operation scope to a single interrupt instead of the whole range of active IRQs. While at it, also fix a spelling typo in the comment block. Note this is mainly a prerequisite for subsequent patches aiming to address some deficiencies in the implementation of the interrupt handler. Thus the presence of the Fixes tag below is intentional, to facilitate backporting. Fixes: aab1ad11d69f ("ASoC: nau8821: new driver") Signed-off-by: Cristian Ciocaltea Link: https://patch.msgid.link/20251003-nau8821-jdet-fixes-v1-2-f7b0e2543f09@collabora.com Signed-off-by: Mark Brown commit 6e54919cb541fdf1063b16f3254c28d01bc9e5ff Author: Cristian Ciocaltea Date: Fri Oct 3 21:03:23 2025 +0300 ASoC: nau8821: Cancel jdet_work before handling jack ejection The microphone detection work scheduled by a prior jack insertion interrupt may still be in a pending state or under execution when a jack ejection interrupt has been fired. This might lead to a racing condition or nau8821_jdet_work() completing after nau8821_eject_jack(), which will override the currently disconnected state of the jack and incorrectly report the headphone or the headset as being connected. Cancel any pending jdet_work or wait for its execution to finish before attempting to handle the ejection interrupt. Proceed similarly before launching the eject handler as a consequence of detecting an invalid insert interrupt. Fixes: aab1ad11d69f ("ASoC: nau8821: new driver") Signed-off-by: Cristian Ciocaltea Link: https://patch.msgid.link/20251003-nau8821-jdet-fixes-v1-1-f7b0e2543f09@collabora.com Signed-off-by: Mark Brown commit 7e8242405b94ceac6db820de7d4fd9318cbc1219 Author: Bean Huo Date: Wed Oct 1 08:08:03 2025 +0200 rpmb: move rpmb_frame struct and constants to common header Move struct rpmb_frame and RPMB operation constants from MMC block driver to include/linux/rpmb.h for reuse across different RPMB implementations (UFS, NVMe, etc.). Signed-off-by: Bean Huo Reviewed-by: Avri Altman Acked-by: Jens Wiklander Reviewed-by: Bart Van Assche Signed-off-by: Ulf Hansson commit 6370a996f308ea3276030769b7482b346e7cc7c1 Author: Christophe Leroy Date: Thu Oct 9 19:03:13 2025 +0200 ASoC: codecs: Fix gain setting ranges for Renesas IDT821034 codec The gain ranges specified in Renesas IDT821034 codec documentation are [-3dB;+13dB] in the transmit path (ADC) and [-13dB;+3dB] in the receive path (DAC). Allthough the registers allow programming values outside those ranges, the signal S/N and distorsion are only guaranteed in the specified ranges. Set ranges to the specified ones. Fixes: e51166990e81 ("ASoC: codecs: Add support for the Renesas IDT821034 codec") Signed-off-by: Christophe Leroy Link: https://patch.msgid.link/2bd547194f3398e6182f770d7d6be711c702b4b2.1760029099.git.christophe.leroy@csgroup.eu Signed-off-by: Mark Brown commit 7e6cfa3e94cf8278ee3170dc0b81fc6db1287e28 Author: Baojun Xu Date: Thu Oct 2 15:29:25 2025 +0800 ASoC: tas2781: Update ti,tas2781.yaml for adding tas58xx Update ti,tas2781.yaml for adding TAS5802/TAS5815/TAS5828. Signed-off-by: Baojun Xu Link: https://patch.msgid.link/20251002072925.26242-2-baojun.xu@ti.com Signed-off-by: Mark Brown commit 53a3c6e222836a23e8e0693395584aefc456dca6 Author: Baojun Xu Date: Thu Oct 2 15:29:24 2025 +0800 ASoC: tas2781: Support more newly-released amplifiers tas58xx in the driver TAS5802/TAS5815/TAS5828 has on-chip DSP without current/voltage feedback. Signed-off-by: Baojun Xu Link: https://patch.msgid.link/20251002072925.26242-1-baojun.xu@ti.com Signed-off-by: Mark Brown commit dee4ef0ebe4dee655657ead30892aeca16462823 Author: Le Qi Date: Thu Oct 9 17:06:19 2025 +0800 ASoC: qcom: sc8280xp: Add support for QCS615 Add compatible for sound card on QCS615 boards. Signed-off-by: Le Qi Reviewed-by: Krzysztof Kozlowski Link: https://patch.msgid.link/20251009090619.1097388-3-le.qi@oss.qualcomm.com Signed-off-by: Mark Brown commit 6079165e6e027c03e06556ff3df0ed03a34d68f0 Author: Le Qi Date: Thu Oct 9 17:06:18 2025 +0800 ASoC: dt-bindings: qcom,sm8250: Add QCS615 sound card Add bindings for QCS615 sound card, which looks fully compatible with existing SM8250. Signed-off-by: Le Qi Acked-by: Krzysztof Kozlowski Link: https://patch.msgid.link/20251009090619.1097388-2-le.qi@oss.qualcomm.com Signed-off-by: Mark Brown commit 66233e583d1e00b1742d1ba36ae31568109ba6bd Author: Shenghao Ding Date: Mon Oct 13 12:35:55 2025 +0800 ALSA: hda/tas2781: Set tas2781_hda::tasdevice_priv::chip_id as TAS5825 in case of tas5825 The software reset for TAS5825 is different form other chips, as it will set as 0x11 instead of 0x1 during reset in the tasdevice_reset(). So set tas2781_hda::tasdevice_priv::chip_id as TAS5825, tasdevice_reset() can work correctly. Fixes: 7ceb69ca82b1 ("ASoC: tas2781: Add tas2118, tas2x20, tas5825 support") Signed-off-by: Shenghao Ding Signed-off-by: Takashi Iwai commit 5ec6f9434225e18496a393f920b03eb46d67d71d Author: Takashi Iwai Date: Mon Oct 13 09:26:49 2025 +0200 ALSA: hda/realtek: Add quirk entry for HP ZBook 17 G6 HP ZBook 17 G6 with SSID 103c:860c requires a similar workaround as its 15-inch model in order to make the speaker and mute LED working. Add the corresponding quirk entry to address it. Link: https://bugzilla.kernel.org/show_bug.cgi?id=220372 Cc: Signed-off-by: Takashi Iwai commit 12d724f2852d094d68dccaf5101e0ef89a971cde Author: Damien Le Moal Date: Thu Oct 9 19:46:00 2025 +0900 ata: libata-core: relax checks in ata_read_log_directory() Commit 6d4405b16d37 ("ata: libata-core: Cache the general purpose log directory") introduced caching of a device general purpose log directory to avoid repeated access to this log page during device scan. This change also added a check on this log page to verify that the log page version is 0x0001 as mandated by the ACS specifications. And it turns out that some devices do not bother reporting this version, instead reporting a version 0, resulting in error messages such as: ata6.00: Invalid log directory version 0x0000 and to the device being marked as not supporting the general purpose log directory log page. Since before commit 6d4405b16d37 the log page version check did not exist and things were still working correctly for these devices, relax ata_read_log_directory() version check and only warn about the invalid log page version number without disabling access to the log directory page. Fixes: 6d4405b16d37 ("ata: libata-core: Cache the general purpose log directory") Cc: stable@vger.kernel.org Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220635 Signed-off-by: Damien Le Moal Signed-off-by: Niklas Cassel commit 0843ba458439f38efdc14aa359c14ad0127edb01 Author: Sourabh Jain Date: Wed Oct 8 08:59:34 2025 +0530 powerpc/fadump: skip parameter area allocation when fadump is disabled Fadump allocates memory to pass additional kernel command-line argument to the fadump kernel. However, this allocation is not needed when fadump is disabled. So avoid allocating memory for the additional parameter area in such cases. Fixes: f4892c68ecc1 ("powerpc/fadump: allocate memory for additional parameters early") Reviewed-by: Hari Bathini Signed-off-by: Sourabh Jain Fixes: f4892c68ecc1 ("powerpc/fadump: allocate memory for additional parameters early") Signed-off-by: Madhavan Srinivasan Link: https://patch.msgid.link/20251008032934.262683-1-sourabhjain@linux.ibm.com commit 2743cf75f7c92d2a0a4acabd7aef1c17d98fe123 Author: Nam Cao Date: Wed Oct 8 08:13:59 2025 +0000 powerpc, ocxl: Fix extraction of struct xive_irq_data Commit cc0cc23babc9 ("powerpc/xive: Untangle xive from child interrupt controller drivers") changed xive_irq_data to be stashed to chip_data instead of handler_data. However, multiple places are still attempting to read xive_irq_data from handler_data and get a NULL pointer deference bug. Update them to read xive_irq_data from chip_data. Non-XIVE files which touch xive_irq_data seem quite strange to me, especially the ocxl driver. I think there ought to be an alternative platform-independent solution, instead of touching XIVE's data directly. Therefore, I think this whole thing should be cleaned up. But perhaps I just misunderstand something. In any case, this cleanup would not be trivial; for now, just get things working again. Fixes: cc0cc23babc9 ("powerpc/xive: Untangle xive from child interrupt controller drivers") Reported-by: Ritesh Harjani (IBM) Closes: https://lore.kernel.org/linuxppc-dev/68e48df8.170a0220.4b4b0.217d@mx.google.com/ Signed-off-by: Nam Cao Reviewed-by: Ganesh Goudar Acked-by: Andrew Donnellan # ocxl Signed-off-by: Madhavan Srinivasan Link: https://patch.msgid.link/20251008081359.1382699-1-namcao@linutronix.de commit ef3e73a917ec7d080e0fb0e4015098a4fb0f1cff Author: Nam Cao Date: Fri Oct 10 12:03:07 2025 +0000 powerpc/pseries/msi: Fix NULL pointer dereference at irq domain teardown pseries_msi_ops_teardown() reads pci_dev* from msi_alloc_info_t. However, pseries_msi_ops_prepare() does not populate this structure, thus it is all zeros. Consequently, pseries_msi_ops_teardown() triggers a NULL pointer dereference crash. struct pci_dev is available in struct irq_domain. Read it there instead. Reported-by: Venkat Rao Bagalkote Closes: https://lore.kernel.org/linuxppc-dev/878d7651-433a-46fe-a28b-1b7e893fcbe0@linux.ibm.com/ Tested-by: Venkat Rao Bagalkote Signed-off-by: Nam Cao Signed-off-by: Madhavan Srinivasan Link: https://patch.msgid.link/20251010120307.3281720-1-namcao@linutronix.de commit 39dec6cd888bde4171bd4b8fcf45f73ab684404d Author: Markus Elfring Date: Wed Oct 1 21:09:00 2025 +0200 smb: server: Use common error handling code in smb_direct_rdma_xmit() Add two jump targets so that a bit of exception handling can be better reused at the end of this function implementation. Signed-off-by: Markus Elfring Reviewed-by: Stefan Metzmacher Acked-by: Namjae Jeon Signed-off-by: Steve French commit 0b4b77eff5f8cd9be062783a1c1e198d46d0a753 Author: Nicolas Dichtel Date: Fri Oct 10 16:18:59 2025 +0200 doc: fix seg6_flowlabel path This sysctl is not per interface; it's global per netns. Fixes: 292ecd9f5a94 ("doc: move seg6_flowlabel to seg6-sysctl.rst") Reported-by: Philippe Guibert Signed-off-by: Nicolas Dichtel Reviewed-by: Simon Horman Signed-off-by: David S. Miller commit 68a052239fc4b351e961f698b824f7654a346091 Author: Jakub Kicinski Date: Thu Oct 9 13:56:29 2025 -0700 selftests: drv-net: update remaining Python init files Convert remaining __init__ files similar to what we did in commit b615879dbfea ("selftests: drv-net: make linters happy with our imports") Signed-off-by: Jakub Kicinski Signed-off-by: Stanislav Fomichev Reviewed-by: Simon Horman Signed-off-by: David S. Miller commit 65946eac6d888d50ae527c4e5c237dbe5cc3a2f2 Author: Yeounsu Moon Date: Fri Oct 10 00:57:16 2025 +0900 net: dlink: handle dma_map_single() failure properly There is no error handling for `dma_map_single()` failures. Add error handling by checking `dma_mapping_error()` and freeing the `skb` using `dev_kfree_skb()` (process context) when it fails. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Yeounsu Moon Tested-on: D-Link DGE-550T Rev-A3 Suggested-by: Simon Horman Reviewed-by: Simon Horman Signed-off-by: David S. Miller commit 3abc0e55ea1fa2250e52bc860e8f24b2b9a2093a Author: Rex Lu Date: Thu Oct 9 08:29:34 2025 +0200 net: mtk: wed: add dma mask limitation and GFP_DMA32 for device with more than 4GB DRAM Limit tx/rx buffer address to 32-bit address space for board with more than 4GB DRAM. Fixes: 804775dfc2885 ("net: ethernet: mtk_eth_soc: add support for Wireless Ethernet Dispatch (WED)") Fixes: 6757d345dd7db ("net: ethernet: mtk_wed: introduce hw_rro support for MT7988") Tested-by: Daniel Pawlik Tested-by: Matteo Croce Signed-off-by: Rex Lu Co-developed-by: Lorenzo Bianconi Signed-off-by: Lorenzo Bianconi Reviewed-by: Simon Horman Signed-off-by: David S. Miller commit d5d790ba1558dbb8d179054f514476e2ee970b8e Author: Bhanu Seshu Kumar Valluri Date: Thu Oct 9 11:00:09 2025 +0530 net: usb: lan78xx: Fix lost EEPROM write timeout error(-ETIMEDOUT) in lan78xx_write_raw_eeprom The function lan78xx_write_raw_eeprom failed to properly propagate EEPROM write timeout errors (-ETIMEDOUT). In the timeout fallthrough path, it first attempted to restore the pin configuration for LED outputs and then returned only the status of that restore operation, discarding the original timeout error saved in ret. As a result, callers could mistakenly treat EEPROM write operation as successful even though the EEPROM write had actually timed out with no or partial data write. To fix this, handle errors in restoring the LED pin configuration separately. If the restore succeeds, return any prior EEPROM write timeout error saved in ret to the caller. Suggested-by: Oleksij Rempel Fixes: 8b1b2ca83b20 ("net: usb: lan78xx: Improve error handling in EEPROM and OTP operations") cc: stable@vger.kernel.org Signed-off-by: Bhanu Seshu Kumar Valluri Reviewed-by: Simon Horman Signed-off-by: David S. Miller commit db74b04edce1bc86b9a5acc724c7ca06f427ab60 Author: Marek Vasut Date: Sat Oct 11 12:59:53 2025 +0200 drm/bridge: lt9211: Drop check for last nibble of version register There is now a new LT9211 rev. U5, which reports chip ID 0x18 0x01 0xe4 . The previous LT9211 reported chip ID 0x18 0x01 0xe3 , which is what the driver checks for right now. Since there is a possibility there will be yet another revision of the LT9211 in the future, drop the last version nibble check to allow all future revisions of the chip to work with this driver. This fix makes LT9211 rev. U5 work with this driver. Fixes: 8ce4129e3de4 ("drm/bridge: lt9211: Add Lontium LT9211 bridge driver") Signed-off-by: Marek Vasut Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20251011110017.12521-1-marek.vasut@mailbox.org Signed-off-by: Dmitry Baryshkov commit 77908b81766781dfcd086878aefc29f5db8dae6a Author: Cryolitia PukNgae Date: Sat Oct 11 17:51:18 2025 +0800 ALSA: usb-audio: apply quirk for Huawei Technologies Co., Ltd. CM-Q3 There're several different actual hardwares sold by Huawei, using the same USB ID 12d1:3a07. The first one we found, having a volume control named "Headset Playback Volume", reports a min value -15360, and will mute iff setting it to -15360. It can be simply fixed by quirk flag MIXER_PLAYBACK_MIN_MUTE, which we have already submitted previously.[1] The second one we found today, having a volume control named "PCM Playback Volume", reports its min -11520 and res 256, and will mute when less than -11008. Because of the already existing quirk flag, we can just set its min to -11264, and the new minimum value will still not be available to userspace, so that userspace's minimum will be the correct -11008. 1. https://lore.kernel.org/all/20250903-sound-v1-3-d4ca777b8512@uniontech.com/ Tested-by: Guoli An Signed-off-by: Cryolitia PukNgae Signed-off-by: Takashi Iwai commit 30b3211aa24161856134b2c2ea2ab1c6eb534b36 Author: Stuart Hayhurst Date: Sat Oct 11 00:28:29 2025 +0100 ALSA: hda/intel: Add MSI X870E Tomahawk to denylist This motherboard uses USB audio instead, causing this driver to complain about "no codecs found!". Add it to the denylist to silence the warning. Signed-off-by: Stuart Hayhurst Cc: Signed-off-by: Takashi Iwai commit 1cf11d80db5df805b538c942269e05a65bcaf5bc Author: Denis Arefev Date: Thu Oct 9 13:50:47 2025 +0300 ALSA: hda: Fix missing pointer check in hda_component_manager_init function The __component_match_add function may assign the 'matchptr' pointer the value ERR_PTR(-ENOMEM), which will subsequently be dereferenced. The call stack leading to the error looks like this: hda_component_manager_init |-> component_match_add |-> component_match_add_release |-> __component_match_add ( ... ,**matchptr, ... ) |-> *matchptr = ERR_PTR(-ENOMEM); // assign |-> component_master_add_with_match( ... match) |-> component_match_realloc(match, match->num); // dereference Add IS_ERR() check to prevent the crash. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: ae7abe36e352 ("ALSA: hda/realtek: Add CS35L41 support for Thinkpad laptops") Cc: stable@vger.kernel.org Signed-off-by: Denis Arefev Signed-off-by: Takashi Iwai commit 8527bbb33936340525a3504a00932b2f8fd75754 Author: Denis Arefev Date: Tue Oct 7 10:38:31 2025 +0300 ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state() Return value of a function acpi_evaluate_dsm() is dereferenced without checking for NULL, but it is usually checked for this function. acpi_evaluate_dsm() may return NULL, when acpi_evaluate_object() returns acpi_status other than ACPI_SUCCESS, so add a check to prevent the crach. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 447106e92a0c ("ALSA: hda: cs35l41: Support mute notifications for CS35L41 HDA") Cc: stable@vger.kernel.org Signed-off-by: Denis Arefev Signed-off-by: Takashi Iwai commit 852947be66b826c3d0ba328e19a3559fdf7ac726 Author: Paul Walmsley Date: Fri Oct 10 15:50:24 2025 -0600 riscv: kprobes: convert one final __ASSEMBLY__ to __ASSEMBLER__ Per the reasoning in commit f811f58597ac ("riscv: Replace __ASSEMBLY__ with __ASSEMBLER__ in non-uapi headers"), convert one last remaining instance of __ASSEMBLY__ in the arch/riscv kprobes code. This entered the tree from patches that were sent before Thomas' changes; and when I reviewed the kprobes patches before queuing them, I missed this instance. Cc: Nam Cao Cc: Thomas Huth Link: https://lore.kernel.org/linux-riscv/16b74b63-f223-4f0b-b6e5-31cea5e620b4@redhat.com/ Link: https://lore.kernel.org/linux-riscv/20250606070952.498274-1-thuth@redhat.com/ Signed-off-by: Paul Walmsley commit 505f5224b197b77169c977e747cbc18b222f85f9 Author: Sean Christopherson Date: Fri Oct 3 16:26:06 2025 -0700 KVM: selftests: Verify that reads to inaccessible guest_memfd VMAs SIGBUS Expand the guest_memfd negative testcases for overflow and MAP_PRIVATE to verify that reads to inaccessible memory also get a SIGBUS. Reviewed-by: Ackerley Tng Tested-by: Ackerley Tng Reviewed-by: Lisa Wang Tested-by: Lisa Wang Link: https://lore.kernel.org/r/20251003232606.4070510-14-seanjc@google.com Signed-off-by: Sean Christopherson commit 19942d4fd9cf022b28a9afb432a6338dcf96fc2f Author: Sean Christopherson Date: Fri Oct 3 16:26:05 2025 -0700 KVM: selftests: Verify that faulting in private guest_memfd memory fails Add a guest_memfd testcase to verify that faulting in private memory gets a SIGBUS. For now, test only the case where memory is private by default since KVM doesn't yet support in-place conversion. Deliberately run the CoW test with and without INIT_SHARED set as KVM should disallow MAP_PRIVATE regardless of whether the memory itself is private from a CoCo perspective. Cc: Ackerley Tng Reviewed-by: Fuad Tabba Tested-by: Fuad Tabba Reviewed-by: David Hildenbrand Reviewed-by: Ackerley Tng Tested-by: Ackerley Tng Link: https://lore.kernel.org/r/20251003232606.4070510-13-seanjc@google.com Signed-off-by: Sean Christopherson commit f91187c0ecc6358ccecf533c5fcc6b7dbb4735cb Author: Sean Christopherson Date: Fri Oct 3 16:26:04 2025 -0700 KVM: selftests: Add wrapper macro to handle and assert on expected SIGBUS Extract the guest_memfd test's SIGBUS handling functionality into a common TEST_EXPECT_SIGBUS() macro in anticipation of adding more SIGBUS testcases. Eating a SIGBUS isn't terrible difficult, but it requires a non-trivial amount of boilerplate code, and using a macro allows selftests to print out the exact action that failed to generate a SIGBUS without the developer needing to remember to add a useful error message. Explicitly mark the SIGBUS handler as "used", as gcc-14 at least likes to discard the function before linking. Opportunistically use TEST_FAIL(...) instead of TEST_ASSERT(false, ...), and fix the write path of the guest_memfd test to use the local "val" instead of hardcoding the literal value a second time. Suggested-by: Ackerley Tng Reviewed-by: Ackerley Tng Tested-by: Ackerley Tng Reviewed-by: Lisa Wang Tested-by: Lisa Wang Link: https://lore.kernel.org/r/20251003232606.4070510-12-seanjc@google.com Signed-off-by: Sean Christopherson commit 505c953009ec8260870d41ef8109bb4c7e208e6f Author: Sean Christopherson Date: Fri Oct 3 16:26:03 2025 -0700 KVM: selftests: Isolate the guest_memfd Copy-on-Write negative testcase Move the guest_memfd Copy-on-Write (CoW) testcase to its own function to better separate positive testcases from negative testcases. No functional change intended. Suggested-by: Ackerley Tng Reviewed-by: Ackerley Tng Tested-by: Ackerley Tng Link: https://lore.kernel.org/r/20251003232606.4070510-11-seanjc@google.com Signed-off-by: Sean Christopherson commit 61cee97f40180312dcca9580a5be0b0aa2217f6e Author: Sean Christopherson Date: Fri Oct 3 16:26:02 2025 -0700 KVM: selftests: Add wrappers for mmap() and munmap() to assert success Add and use wrappers for mmap() and munmap() that assert success to reduce a significant amount of boilerplate code, to ensure all tests assert on failure, and to provide consistent error messages on failure. No functional change intended. Reviewed-by: Fuad Tabba Tested-by: Fuad Tabba Reviewed-by: David Hildenbrand Reviewed-by: Ackerley Tng Link: https://lore.kernel.org/r/20251003232606.4070510-10-seanjc@google.com Signed-off-by: Sean Christopherson commit df0d9923f7055169cb01b050236e5a9a2b36db02 Author: Ackerley Tng Date: Fri Oct 3 16:26:01 2025 -0700 KVM: selftests: Add test coverage for guest_memfd without GUEST_MEMFD_FLAG_MMAP If a VM type supports KVM_CAP_GUEST_MEMFD_MMAP, the guest_memfd test will run all test cases with GUEST_MEMFD_FLAG_MMAP set. This leaves the code path for creating a non-mmap()-able guest_memfd on a VM that supports mappable guest memfds untested. Refactor the test to run the main test suite with a given set of flags. Then, for VM types that support the mappable capability, invoke the test suite twice: once with no flags, and once with GUEST_MEMFD_FLAG_MMAP set. This ensures both creation paths are properly exercised on capable VMs. Run test_guest_memfd_flags() only once per VM type since it depends only on the set of valid/supported flags, i.e. iterating over an arbitrary set of flags is both unnecessary and wrong. Signed-off-by: Ackerley Tng [sean: use double-underscores for the inner helper] Reviewed-by: Fuad Tabba Tested-by: Fuad Tabba Reviewed-by: David Hildenbrand Link: https://lore.kernel.org/r/20251003232606.4070510-9-seanjc@google.com Signed-off-by: Sean Christopherson commit 21d602ed616aebae4de568be55db65a1f5a3be10 Author: Sean Christopherson Date: Fri Oct 3 16:26:00 2025 -0700 KVM: selftests: Create a new guest_memfd for each testcase Refactor the guest_memfd selftest to improve test isolation by creating a a new guest_memfd for each testcase. Currently, the test reuses a single guest_memfd instance for all testcases, and thus creates dependencies between tests, e.g. not truncating folios from the guest_memfd instance at the end of a test could lead to unexpected results (see the PUNCH_HOLE purging that needs to done by in-flight the NUMA testcases[1]). Invoke each test via a macro wrapper to create and close a guest_memfd to cut down on the boilerplate copy+paste needed to create a test. Link: https://lore.kernel.org/all/20250827175247.83322-10-shivankg@amd.com Reported-by: Ackerley Tng Reviewed-by: Fuad Tabba Tested-by: Fuad Tabba Reviewed-by: David Hildenbrand Reviewed-by: Ackerley Tng Tested-by: Ackerley Tng Link: https://lore.kernel.org/r/20251003232606.4070510-8-seanjc@google.com Signed-off-by: Sean Christopherson commit 3a6c08538c742624c60cb6a53dd61eb025e0d1e1 Author: Sean Christopherson Date: Fri Oct 3 16:25:59 2025 -0700 KVM: selftests: Stash the host page size in a global in the guest_memfd test Use a global variable to track the host page size in the guest_memfd test so that the information doesn't need to be constantly passed around. The state is purely a reflection of the underlying system, i.e. can't be set by the test and is constant for a given invocation of the test, and thus explicitly passing the host page size to individual testcases adds no value, e.g. doesn't allow testing different combinations. Making page_size a global will simplify an upcoming change to create a new guest_memfd instance per testcase. No functional change intended. Reviewed-by: Fuad Tabba Tested-by: Fuad Tabba Reviewed-by: David Hildenbrand Reviewed-by: Ackerley Tng Tested-by: Ackerley Tng Link: https://lore.kernel.org/r/20251003232606.4070510-7-seanjc@google.com Signed-off-by: Sean Christopherson commit 44c6cb9fe9888b371e31165b2854bd0f4e2787d4 Author: Sean Christopherson Date: Fri Oct 3 16:25:58 2025 -0700 KVM: guest_memfd: Allow mmap() on guest_memfd for x86 VMs with private memory Allow mmap() on guest_memfd instances for x86 VMs with private memory as the need to track private vs. shared state in the guest_memfd instance is only pertinent to INIT_SHARED. Doing mmap() on private memory isn't terrible useful (yet!), but it's now possible, and will be desirable when guest_memfd gains support for other VMA-based syscalls, e.g. mbind() to set NUMA policy. Lift the restriction now, before MMAP support is officially released, so that KVM doesn't need to add another capability to enumerate support for mmap() on private memory. Fixes: 3d3a04fad25a ("KVM: Allow and advertise support for host mmap() on guest_memfd files") Reviewed-by: Ackerley Tng Tested-by: Ackerley Tng Reviewed-by: David Hildenbrand Link: https://lore.kernel.org/r/20251003232606.4070510-6-seanjc@google.com Signed-off-by: Sean Christopherson commit 9aef71c892a55e004419923ba7129abe3e58d9f1 Author: Sean Christopherson Date: Fri Oct 3 16:25:57 2025 -0700 KVM: Explicitly mark KVM_GUEST_MEMFD as depending on KVM_GENERIC_MMU_NOTIFIER Add KVM_GENERIC_MMU_NOTIFIER as a dependency for selecting KVM_GUEST_MEMFD, as guest_memfd relies on kvm_mmu_invalidate_{begin,end}(), which are defined if and only if the generic mmu_notifier implementation is enabled. The missing dependency is currently benign as s390 is the only KVM arch that doesn't utilize the generic mmu_notifier infrastructure, and s390 doesn't currently support guest_memfd. Fixes: a7800aa80ea4 ("KVM: Add KVM_CREATE_GUEST_MEMFD ioctl() for guest-specific backing memory") Reviewed-by: David Hildenbrand Link: https://lore.kernel.org/r/20251003232606.4070510-5-seanjc@google.com Signed-off-by: Sean Christopherson commit 5d3341d684be80892d8f6f9812f90f9274b81177 Author: Sean Christopherson Date: Fri Oct 3 16:25:56 2025 -0700 KVM: guest_memfd: Invalidate SHARED GPAs if gmem supports INIT_SHARED When invalidating gmem ranges, e.g. in response to PUNCH_HOLE, process all possible range types (PRIVATE vs. SHARED) for the gmem instance. Since since guest_memfd doesn't yet support in-place conversions, simply pivot on INIT_SHARED as a gmem instance can currently only have private or shared memory, not both. Failure to mark shared GPAs for invalidation is benign in the current code base, as only x86's TDX consumes KVM_FILTER_{PRIVATE,SHARED}, and TDX doesn't yet support INIT_SHARED with guest_memfd. However, invalidating only private GPAs is conceptually wrong and a lurking bug, e.g. could result in missed invalidations if ARM starts filtering invalidations based on attributes. Fixes: 3d3a04fad25a ("KVM: Allow and advertise support for host mmap() on guest_memfd files") Reviewed-by: Ackerley Tng Reviewed-by: David Hildenbrand Link: https://lore.kernel.org/r/20251003232606.4070510-4-seanjc@google.com Signed-off-by: Sean Christopherson commit fe2bf6234e947bf5544db6d386af1df2a8db80f3 Author: Sean Christopherson Date: Fri Oct 3 16:25:55 2025 -0700 KVM: guest_memfd: Add INIT_SHARED flag, reject user page faults if not set Add a guest_memfd flag to allow userspace to state that the underlying memory should be configured to be initialized as shared, and reject user page faults if the guest_memfd instance's memory isn't shared. Because KVM doesn't yet support in-place private<=>shared conversions, all guest_memfd memory effectively follows the initial state. Alternatively, KVM could deduce the initial state based on MMAP, which for all intents and purposes is what KVM currently does. However, implicitly deriving the default state based on MMAP will result in a messy ABI when support for in-place conversions is added. For x86 CoCo VMs, which don't yet support MMAP, memory is currently private by default (otherwise the memory would be unusable). If MMAP implies memory is shared by default, then the default state for CoCo VMs will vary based on MMAP, and from userspace's perspective, will change when in-place conversion support is added. I.e. to maintain guest<=>host ABI, userspace would need to immediately convert all memory from shared=>private, which is both ugly and inefficient. The inefficiency could be avoided by adding a flag to state that memory is _private_ by default, irrespective of MMAP, but that would lead to an equally messy and hard to document ABI. Bite the bullet and immediately add a flag to control the default state so that the effective behavior is explicit and straightforward. Fixes: 3d3a04fad25a ("KVM: Allow and advertise support for host mmap() on guest_memfd files") Cc: David Hildenbrand Reviewed-by: Fuad Tabba Tested-by: Fuad Tabba Reviewed-by: Ackerley Tng Tested-by: Ackerley Tng Reviewed-by: David Hildenbrand Link: https://lore.kernel.org/r/20251003232606.4070510-3-seanjc@google.com Signed-off-by: Sean Christopherson commit d2042d8f96ddefdeee823737f813efe3ab4b4e8d Author: Sean Christopherson Date: Fri Oct 3 16:25:54 2025 -0700 KVM: Rework KVM_CAP_GUEST_MEMFD_MMAP into KVM_CAP_GUEST_MEMFD_FLAGS Rework the not-yet-released KVM_CAP_GUEST_MEMFD_MMAP into a more generic KVM_CAP_GUEST_MEMFD_FLAGS capability so that adding new flags doesn't require a new capability, and so that developers aren't tempted to bundle multiple flags into a single capability. Note, kvm_vm_ioctl_check_extension_generic() can only return a 32-bit value, but that limitation can be easily circumvented by adding e.g. KVM_CAP_GUEST_MEMFD_FLAGS2 in the unlikely event guest_memfd supports more than 32 flags. Reviewed-by: Ackerley Tng Tested-by: Ackerley Tng Reviewed-by: David Hildenbrand Link: https://lore.kernel.org/r/20251003232606.4070510-2-seanjc@google.com Signed-off-by: Sean Christopherson commit 034417c1439a533a315562a57bd340d963eaac6b Author: Dapeng Mi Date: Fri Oct 10 08:52:39 2025 +0800 KVM: x86/pmu: Don't try to get perf capabilities for hybrid CPUs Explicitly zero kvm_host_pmu instead of attempting to get the perf PMU capabilities when running on a hybrid CPU to avoid running afoul of perf's sanity check. ------------[ cut here ]------------ WARNING: arch/x86/events/core.c:3089 at perf_get_x86_pmu_capability+0xd/0xc0, Call Trace: kvm_x86_vendor_init+0x1b0/0x1a40 [kvm] vmx_init+0xdb/0x260 [kvm_intel] vt_init+0x12/0x9d0 [kvm_intel] do_one_initcall+0x60/0x3f0 do_init_module+0x97/0x2b0 load_module+0x2d08/0x2e30 init_module_from_file+0x96/0xe0 idempotent_init_module+0x117/0x330 __x64_sys_finit_module+0x73/0xe0 Always read the capabilities for non-hybrid CPUs, i.e. don't entirely revert to reading capabilities if and only if KVM wants to use a PMU, as it may be useful to have the host PMU capabilities available, e.g. if only or debug. Reported-by: Chaitanya Kumar Borah Closes: https://lore.kernel.org/all/70b64347-2aca-4511-af78-a767d5fa8226@intel.com/ Fixes: 51f34b1e650f ("KVM: x86/pmu: Snapshot host (i.e. perf's) reported PMU capabilities") Suggested-by: Sean Christopherson Signed-off-by: Dapeng Mi Link: https://lore.kernel.org/r/20251010005239.146953-1-dapeng1.mi@linux.intel.com [sean: rework changelog, call out hybrid CPUs in shortlog] Signed-off-by: Sean Christopherson commit 971843c511c3c2f6eda96c6b03442913bfee6148 Author: Jan Kara Date: Tue Oct 7 15:49:37 2025 +0200 ext4: free orphan info with kvfree Orphan info is now getting allocated with kvmalloc_array(). Free it with kvfree() instead of kfree() to avoid complaints from mm. Reported-by: Chris Mason Fixes: 0a6ce20c1564 ("ext4: verify orphan file size is not too big") Cc: stable@vger.kernel.org Signed-off-by: Jan Kara Message-ID: <20251007134936.7291-2-jack@suse.cz> Signed-off-by: Theodore Ts'o commit 1d3ad183943b38eec2acf72a0ae98e635dc8456b Author: Deepanshu Kartikey Date: Tue Sep 30 16:58:10 2025 +0530 ext4: detect invalid INLINE_DATA + EXTENTS flag combination syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal. The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set: EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15: comm syz.0.17: corrupted extent tree: lblk 0 < prev 66 Investigation revealed that the inode has both flags set: DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1 This is an invalid combination since an inode should have either: - INLINE_DATA: data stored directly in the inode - EXTENTS: data stored in extent-mapped blocks Having both flags causes ext4_has_inline_data() to return true, skipping extent tree validation in __ext4_iget(). The unvalidated out-of-order extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer underflow when calculating hole sizes. Fix this by detecting this invalid flag combination early in ext4_iget() and rejecting the corrupted inode. Cc: stable@kernel.org Reported-and-tested-by: syzbot+038b7bf43423e132b308@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=038b7bf43423e132b308 Suggested-by: Zhang Yi Signed-off-by: Deepanshu Kartikey Reviewed-by: Zhang Yi Message-ID: <20250930112810.315095-1-kartikey406@gmail.com> Signed-off-by: Theodore Ts'o commit 4b471b736ea1ce08113a12bd7dcdaea621b0f65f Author: Zeno Endemann Date: Thu Sep 25 17:24:33 2025 +0200 ext4, doc: fix and improve directory hash tree description Some of the details about how directory hash trees work were confusing or outright wrong, this patch should fix those. A note on dx_tail's dt_reserved member, as far as I can tell the kernel never sets this explicitly, so its content is apparently left-overs from what was there before (for the dx_root I've seen remnants of a ext4_dir_entry_tail struct from when the dir was not yet a hash dir). Signed-off-by: Zeno Endemann Message-ID: <20250925152435.22749-1-zeno.endemann@mailbox.org> Signed-off-by: Theodore Ts'o commit 328a782cb138029182e521c08f50eb1587db955d Author: Zhang Yi Date: Tue Sep 16 17:33:37 2025 +0800 ext4: wait for ongoing I/O to complete before freeing blocks When freeing metadata blocks in nojournal mode, ext4_forget() calls bforget() to clear the dirty flag on the buffer_head and remvoe associated mappings. This is acceptable if the metadata has not yet begun to be written back. However, if the write-back has already started but is not yet completed, ext4_forget() will have no effect. Subsequently, ext4_mb_clear_bb() will immediately return the block to the mb allocator. This block can then be reallocated immediately, potentially causing an data corruption issue. Fix this by clearing the buffer's dirty flag and waiting for the ongoing I/O to complete, ensuring that no further writes to stale data will occur. Fixes: 16e08b14a455 ("ext4: cleanup clean_bdev_aliases() calls") Cc: stable@kernel.org Reported-by: Gao Xiang Closes: https://lore.kernel.org/linux-ext4/a9417096-9549-4441-9878-b1955b899b4e@huaweicloud.com/ Signed-off-by: Zhang Yi Reviewed-by: Jan Kara Message-ID: <20250916093337.3161016-3-yi.zhang@huaweicloud.com> Signed-off-by: Theodore Ts'o commit 3c652c3a71de1d30d72dc82c3bead8deb48eb749 Author: Zhang Yi Date: Tue Sep 16 17:33:36 2025 +0800 jbd2: ensure that all ongoing I/O complete before freeing blocks When releasing file system metadata blocks in jbd2_journal_forget(), if this buffer has not yet been checkpointed, it may have already been written back, currently be in the process of being written back, or has not yet written back. jbd2_journal_forget() calls jbd2_journal_try_remove_checkpoint() to check the buffer's status and add it to the current transaction if it has not been written back. This buffer can only be reallocated after the transaction is committed. jbd2_journal_try_remove_checkpoint() attempts to lock the buffer and check its dirty status while holding the buffer lock. If the buffer has already been written back, everything proceeds normally. However, there are two issues. First, the function returns immediately if the buffer is locked by the write-back process. It does not wait for the write-back to complete. Consequently, until the current transaction is committed and the block is reallocated, there is no guarantee that the I/O will complete. This means that ongoing I/O could write stale metadata to the newly allocated block, potentially corrupting data. Second, the function unlocks the buffer as soon as it detects that the buffer is still dirty. If a concurrent write-back occurs immediately after this unlocking and before clear_buffer_dirty() is called in jbd2_journal_forget(), data corruption can theoretically still occur. Although these two issues are unlikely to occur in practice since the undergoing metadata writeback I/O does not take this long to complete, it's better to explicitly ensure that all ongoing I/O operations are completed. Fixes: 597599268e3b ("jbd2: discard dirty data when forgetting an un-journalled buffer") Cc: stable@kernel.org Suggested-by: Jan Kara Signed-off-by: Zhang Yi Reviewed-by: Jan Kara Message-ID: <20250916093337.3161016-2-yi.zhang@huaweicloud.com> Signed-off-by: Theodore Ts'o commit 4b47a8601b71ad98833b447d465592d847b4dc77 Author: Chuck Lever Date: Thu Sep 11 11:12:06 2025 -0400 NFSD: Define a proc_layoutcommit for the FlexFiles layout type Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT operation on a FlexFiles layout. Reported-by: Robert Morris Closes: https://lore.kernel.org/linux-nfs/152f99b2-ba35-4dec-93a9-4690e625dccd@oracle.com/T/#t Cc: Thomas Haynes Cc: stable@vger.kernel.org Fixes: 9b9960a0ca47 ("nfsd: Add a super simple flex file server") Signed-off-by: Chuck Lever commit 7933a585d70ee496fa341b50b8b0a95b131867ff Author: Seong-Gwang Heo Date: Thu Oct 9 13:41:48 2025 +0800 ovl: remove redundant IOCB_DIO_CALLER_COMP clearing The backing_file_write_iter() function, which is called immediately after this code, already contains identical logic to clear the IOCB_DIO_CALLER_COMP flag along with the same explanatory comment. There is no need to duplicate this operation in the overlayfs code. Signed-off-by: Seong-Gwang Heo Fixes: a6293b3e285c ("fs: factor out backing_file_{read,write}_iter() helpers") Acked-by: Miklos Szeredi Reviewed-by: Amir Goldstein Signed-off-by: Christian Brauner commit d90ad28e8aa482e397150e22f3762173d918a724 Author: Andrey Albershteyn Date: Wed Oct 8 14:44:18 2025 +0200 fs: return EOPNOTSUPP from file_setattr/file_getattr syscalls These syscalls call to vfs_fileattr_get/set functions which return ENOIOCTLCMD if filesystem doesn't support setting file attribute on an inode. For syscalls EOPNOTSUPP would be more appropriate return error. Signed-off-by: Andrey Albershteyn Reviewed-by: Jan Kara Reviewed-by: Arnd Bergmann Signed-off-by: Christian Brauner commit 4dd5b5ac089bb6ea719b7ffb748707ac9cbce4e4 Author: Andrey Albershteyn Date: Wed Oct 8 14:44:17 2025 +0200 Revert "fs: make vfs_fileattr_[get|set] return -EOPNOTSUPP" This reverts commit 474b155adf3927d2c944423045757b54aa1ca4de. This patch caused regression in ioctl_setflags(). Underlying filesystems use EOPNOTSUPP to indicate that flag is not supported. This error is also gets converted in ioctl_setflags(). Therefore, for unsupported flags error changed from EOPNOSUPP to ENOIOCTLCMD. Link: https://lore.kernel.org/linux-xfs/a622643f-1585-40b0-9441-cf7ece176e83@kernel.org/ Signed-off-by: Andrey Albershteyn Signed-off-by: Christian Brauner commit f3426ac54c42c3260096ddc50b5470eb179fb06a Author: Ivan Vecera Date: Wed Oct 8 16:14:18 2025 +0200 dpll: zl3073x: Increase maximum size of flash utility Newer firmware bundles contain a flash utility whose size exceeds the currently allowed limit. Increase the maximum allowed size to accommodate the newer utility version. Without this patch: # devlink dev flash i2c/1-0070 file fw_nosplit_v3.hex Failed to load firmware Flashing failed Error: zl3073x: FW load failed: [utility] component is too big (11000 bytes) Fixes: ca017409da694 ("dpll: zl3073x: Add firmware loading functionality") Suggested-by: Prathosh Satish Signed-off-by: Ivan Vecera Reviewed-by: Vadim Fedorenko Link: https://patch.msgid.link/20251008141418.841053-1-ivecera@redhat.com Signed-off-by: Paolo Abeni commit 7882d2c45ccba538cddb0615a893a008dd2efcde Author: Thomas Weißschuh Date: Thu Oct 9 11:18:48 2025 +0200 riscv: Respect dependencies of ARCH_HAS_ELF_CORE_EFLAGS This kconfig symbol has dependencies and is only selectable if those dependencies are also enabled. Respect the dependencies. Fixes the following warning when configuring an 'allnoconfig': WARNING: unmet direct dependencies detected for ARCH_HAS_ELF_CORE_EFLAGS Depends on [n]: BINFMT_ELF [=n] && ELF_CORE [=y] Selected by [y]: - RISCV [=y] Fixes: 8c94db0ae97c ("binfmt_elf: preserve original ELF e_flags for core dumps") Signed-off-by: Thomas Weißschuh Link: https://lore.kernel.org/r/20251009-riscv-elf-core-eflags-v1-1-e9b45ab6b36d@linutronix.de Signed-off-by: Paul Walmsley commit 69a8b62a7aa1e54ff7623064f6507fa29c1d0d4e Author: Han Gao Date: Wed Sep 10 19:24:01 2025 +0800 riscv: acpi: avoid errors caused by probing DT devices when ACPI is used Similar to the ARM64 commit 3505f30fb6a9s ("ARM64 / ACPI: If we chose to boot from acpi then disable FDT"), let's not do DT hardware probing if ACPI is enabled in early boot. This avoids errors caused by repeated driver probing. Signed-off-by: Han Gao Link: https://lore.kernel.org/r/20250910112401.552987-1-rabenda.cn@gmail.com [pjw@kernel.org: cleaned up patch description and subject] Signed-off-by: Paul Walmsley commit 9e68bd803fac49274fde914466fd3b07c4d602c8 Author: Fabian Vogt Date: Wed Sep 10 17:25:13 2025 +0200 riscv: kprobes: Fix probe address validation When adding a kprobe such as "p:probe/tcp_sendmsg _text+15392192", arch_check_kprobe would start iterating all instructions starting from _text until the probed address. Not only is this very inefficient, but literal values in there (e.g. left by function patching) are misinterpreted in a way that causes a desync. Fix this by doing it like x86: start the iteration at the closest preceding symbol instead of the given starting point. Fixes: 87f48c7ccc73 ("riscv: kprobe: Fixup kernel panic when probing an illegal position") Signed-off-by: Fabian Vogt Signed-off-by: Marvin Friedrich Acked-by: Guo Ren Link: https://lore.kernel.org/r/6191817.lOV4Wx5bFT@fvogt-thinkpad Signed-off-by: Paul Walmsley commit c199745d3ac3f836515a5734a6ca5c6f55a8809b Author: Florian Schmaus Date: Mon Oct 6 11:37:42 2025 +0200 riscv: entry: fix typo in comment 'instruciton' -> 'instruction' Fix a typo in a comment in the RISC-V entry.S. Signed-off-by: Florian Schmaus Link: https://lore.kernel.org/r/20251006093742.53925-1-flo@geekplace.eu [pjw@kernel.org: wrote a basic patch description] Signed-off-by: Paul Walmsley commit ae9e9f3d67dcef7582a4524047b01e33c5185ddb Author: Danil Skrebenkov Date: Fri Sep 19 16:28:46 2025 +0300 RISC-V: clear hot-unplugged cores from all task mm_cpumasks to avoid rfence errors openSBI v1.7 adds harts checks for ipi operations. Especially it adds comparison between hmask passed as an argument from linux and mask of online harts (from openSBI side). If they don't fit each other the error occurs. When cpu is offline, cpu_online_mask is explicitly cleared in __cpu_disable. However, there is no explicit clearing of mm_cpumask. mm_cpumask is used for rfence operations that call openSBI RFENCE extension which uses ipi to remote harts. If hart is offline there may be error if mask of linux is not as mask of online harts in openSBI. this patch adds explicit clearing of mm_cpumask for offline hart. Signed-off-by: Danil Skrebenkov Reviewed-by: Andrew Jones Link: https://lore.kernel.org/r/20250919132849.31676-1-danil.skrebenkov@cloudbear.ru [pjw@kernel.org: rewrote subject line for clarity] Signed-off-by: Paul Walmsley commit 781380d2cdef34559a0125ca6464b90bfc01594f Author: Miquel Sabaté Solà Date: Mon Sep 15 16:32:52 2025 +0200 riscv: kgdb: Ensure that BUFMAX > NUMREGBYTES The current value of BUFMAX is similar as in other architectures, but as per documentation on KGDB (see 'Documentation/process/debugging/kgdb.rst'), BUFMAX has to be larger than NUMREGBYTES. Some NUMREGBYTES architectures (e.g. powerpc or hexagon) actually define BUFMAX in relation to NUMREGBYTES, and thus this condition is always guaranteed. Since 2048 is a value that is generally accepted on all architectures, and that is larger than the current value of NUMREGBYTES, we can keep this value in arch/riscv, but we can at least add an 'static_assert' as an extra measure just in case NUMREGBYTES changes in the future for some unforseen reason. Signed-off-by: Miquel Sabaté Solà Link: https://lore.kernel.org/r/20250915143252.154955-1-mikisabate@gmail.com Signed-off-by: Paul Walmsley commit 812258ff4166bcd41c7d44707e0591f9ae32ac8c Author: Conor Dooley Date: Mon Sep 8 14:12:35 2025 +0100 rust: cfi: only 64-bit arm and x86 support CFI_CLANG The kernel uses the standard rustc targets for non-x86 targets, and out of those only 64-bit arm's target has kcfi support enabled. For x86, the custom 64-bit target enables kcfi. The HAVE_CFI_ICALL_NORMALIZE_INTEGERS_RUSTC config option that allows CFI_CLANG to be used in combination with RUST does not check whether the rustc target supports kcfi. This breaks the build on riscv (and presumably 32-bit arm) when CFI_CLANG and RUST are enabled at the same time. Ordinarily, a rustc-option check would be used to detect target support but unfortunately rustc-option filters out the target for reasons given in commit 46e24a545cdb4 ("rust: kasan/kbuild: fix missing flags on first build"). As a result, if the host supports kcfi but the target does not, e.g. when building for riscv on x86_64, the build would remain broken. Instead, make HAVE_CFI_ICALL_NORMALIZE_INTEGERS_RUSTC depend on the only two architectures where the target used supports it to fix the build. CC: stable@vger.kernel.org Fixes: ca627e636551e ("rust: cfi: add support for CFI_CLANG with Rust") Signed-off-by: Conor Dooley Acked-by: Miguel Ojeda Reviewed-by: Alice Ryhl Link: https://lore.kernel.org/r/20250908-distill-lint-1ae78bcf777c@spud Signed-off-by: Paul Walmsley commit bb642e2d300ee27dcede65cda7ffc47a7047bd69 Author: Amit Chaudhary Date: Fri Sep 26 12:08:22 2025 -0700 nvme-multipath: Skip nr_active increments in RETRY disposition For queue-depth I/O policy, this patch fixes unbalanced I/Os across nvme multipaths. Issue Description: The RETRY disposition incorrectly increments ns->ctrl->nr_active counter and reinitializes iostat start-time. In such cases nr_active counter never goes back to zero until that path disconnects and reconnects. Such a path is not chosen for new I/Os if multiple RETRY cases on a given a path cause its queue-depth counter to be artificially higher compared to other paths. This leads to unbalanced I/Os across paths. The patch skips incrementing nr_active if NVME_MPATH_CNT_ACTIVE is already set. And it skips restarting io stats if NVME_MPATH_IO_STATS is already set. base-commit: e989a3da2d371a4b6597ee8dee5c72e407b4db7a Fixes: d4d957b53d91eeb ("nvme-multipath: support io stats on the mpath device") Signed-off-by: Amit Chaudhary Reviewed-by: Randy Jennings Signed-off-by: Keith Busch commit e07e10ae83bdf429f59c8c149173a8c4f29c481e Author: Ketil Johnsen Date: Wed Oct 8 12:51:11 2025 +0200 drm/panthor: Ensure MCU is disabled on suspend Currently the Panthor driver needs the GPU to be powered down between suspend and resume. If this is not done, then the MCU_CONTROL register will be preserved as AUTO, which again will cause a premature FW boot on resume. The FW will go directly into fatal state in this case. This case needs to be handled as there is no guarantee that the GPU will be powered down after the suspend callback on all platforms. The fix is to call panthor_fw_stop() in "pre-reset" path to ensure the MCU_CONTROL register is cleared (set DISABLE). This matches well with the already existing call to panthor_fw_start() from the "post-reset" path. Signed-off-by: Ketil Johnsen Acked-by: Boris Brezillon Reviewed-by: Steven Price Fixes: 2718d91816ee ("drm/panthor: Add the FW logical block") Signed-off-by: Steven Price Link: https://lore.kernel.org/r/20251008105112.4077015-1-ketil.johnsen@arm.com commit 49836ff2f37dd6d52bfe3153c0bcbd96025a6100 Author: Marc Kleine-Budde Date: Thu Oct 9 08:25:36 2025 +0200 can: m_can: replace Dong Aisheng's old email address Dong Aisheng's old Freescale email is not valid anymore and bounces, replace it by the new NXP one. Reviewed-by: Dong Aisheng Link: https://patch.msgid.link/20251009-m_can-update-email-address-v1-1-30a268587f69@pengutronix.de Signed-off-by: Marc Kleine-Budde commit a9e30a22d6f23a2684c248871cad4c3061181639 Author: Marc Kleine-Budde Date: Tue Aug 12 16:58:31 2025 +0200 can: m_can: fix CAN state in system PM A suspend/resume cycle on a down interface results in the interface coming up in Error Active state. A suspend/resume cycle on an Up interface will always result in Error Active state, regardless of the actual CAN state. During suspend, only set running interfaces to CAN_STATE_SLEEPING. During resume only touch the CAN state of running interfaces. For wakeup sources, set the CAN state depending on the Protocol Status Regitser (PSR), for non wakeup source interfaces m_can_start() will do the same. Fixes: e0d1f4816f2a ("can: m_can: add Bosch M_CAN controller support") Reviewed-by: Markus Schneider-Pargmann Link: https://patch.msgid.link/20250929-m_can-fix-state-handling-v4-4-682b49b49d9a@pengutronix.de Signed-off-by: Marc Kleine-Budde commit 4942c42fe1849e6d68dfb5b36ccba344a9fac016 Author: Marc Kleine-Budde Date: Wed Aug 6 18:24:12 2025 +0200 can: m_can: m_can_chip_config(): bring up interface in correct state In some SoCs (observed on the STM32MP15) the M_CAN IP core keeps the CAN state and CAN error counters over an internal reset cycle. An external reset is not always possible, due to the shared reset with the other CAN core. This caused the core not always be in Error Active state when bringing up the controller. Instead of always setting the CAN state to Error Active in m_can_chip_config(), fix this by reading and decoding the Protocol Status Regitser (PSR) and set the CAN state accordingly. Fixes: e0d1f4816f2a ("can: m_can: add Bosch M_CAN controller support") Reviewed-by: Markus Schneider-Pargmann Link: https://patch.msgid.link/20250929-m_can-fix-state-handling-v4-3-682b49b49d9a@pengutronix.de Signed-off-by: Marc Kleine-Budde commit 3d9db29b45f970d81acf61cf91a65442efbeb997 Author: Marc Kleine-Budde Date: Wed Aug 6 16:56:15 2025 +0200 can: m_can: m_can_handle_state_errors(): fix CAN state transition to Error Active The CAN Error State is determined by the receive and transmit error counters. The CAN error counters decrease when reception/transmission is successful, so that a status transition back to the Error Active status is possible. This transition is not handled by m_can_handle_state_errors(). Add the missing detection of the Error Active state to m_can_handle_state_errors() and extend the handling of this state in m_can_handle_state_change(). Fixes: e0d1f4816f2a ("can: m_can: add Bosch M_CAN controller support") Fixes: cd0d83eab2e0 ("can: m_can: m_can_handle_state_change(): fix state change") Reviewed-by: Markus Schneider-Pargmann Link: https://patch.msgid.link/20250929-m_can-fix-state-handling-v4-2-682b49b49d9a@pengutronix.de Signed-off-by: Marc Kleine-Budde commit ba569fb07a7e9e9b71e9282e27e993ba859295c2 Author: Marc Kleine-Budde Date: Wed Aug 6 17:46:32 2025 +0200 can: m_can: m_can_plat_remove(): add missing pm_runtime_disable() Commit 227619c3ff7c ("can: m_can: move runtime PM enable/disable to m_can_platform") moved the PM runtime enable from the m_can core driver into the m_can_platform. That patch forgot to move the pm_runtime_disable() to m_can_plat_remove(), so that unloading the m_can_platform driver causes an "Unbalanced pm_runtime_enable!" error message. Add the missing pm_runtime_disable() to m_can_plat_remove() to fix the problem. Cc: Patrik Flykt Fixes: 227619c3ff7c ("can: m_can: move runtime PM enable/disable to m_can_platform") Reviewed-by: Markus Schneider-Pargmann Link: https://patch.msgid.link/20250929-m_can-fix-state-handling-v4-1-682b49b49d9a@pengutronix.de Signed-off-by: Marc Kleine-Budde commit a12f0bc764da3781da2019c60826f47a6d7ed64f Author: Celeste Liu Date: Tue Sep 30 14:53:39 2025 +0800 can: gs_usb: gs_make_candev(): populate net_device->dev_port The gs_usb driver supports USB devices with more than 1 CAN channel. In old kernel before 3.15, it uses net_device->dev_id to distinguish different channel in userspace, which was done in commit acff76fa45b4 ("can: gs_usb: gs_make_candev(): set netdev->dev_id"). But since 3.15, the correct way is populating net_device->dev_port. And according to documentation, if network device support multiple interface, lack of net_device->dev_port SHALL be treated as a bug. Fixes: acff76fa45b4 ("can: gs_usb: gs_make_candev(): set netdev->dev_id") Cc: stable@vger.kernel.org Signed-off-by: Celeste Liu Link: https://patch.msgid.link/20250930-gs-usb-populate-net_device-dev_port-v1-1-68a065de6937@coelacanthus.name Signed-off-by: Marc Kleine-Budde commit 2a27f6a8fb5722223d526843040f747e9b0e8060 Author: Celeste Liu Date: Tue Sep 30 19:34:28 2025 +0800 can: gs_usb: increase max interface to U8_MAX This issue was found by Runcheng Lu when develop HSCanT USB to CAN FD converter[1]. The original developers may have only 3 interfaces device to test so they write 3 here and wait for future change. During the HSCanT development, we actually used 4 interfaces, so the limitation of 3 is not enough now. But just increase one is not future-proofed. Since the channel index type in gs_host_frame is u8, just make canch[] become a flexible array with a u8 index, so it naturally constraint by U8_MAX and avoid statically allocate 256 pointer for every gs_usb device. [1]: https://github.com/cherry-embedded/HSCanT-hardware Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices") Reported-by: Runcheng Lu Cc: stable@vger.kernel.org Reviewed-by: Vincent Mailhol Signed-off-by: Celeste Liu Link: https://patch.msgid.link/20250930-gs-usb-max-if-v5-1-863330bf6666@coelacanthus.name Signed-off-by: Marc Kleine-Budde commit 1bcc3f87912779f66cdf1789a066046536ca6ccc Author: Yan Zhao Date: Wed Sep 24 10:42:55 2025 -0700 KVM: selftests: Test prefault memory during concurrent memslot removal Expand the prefault memory selftest to add a regression test for a KVM bug where KVM's retry logic would result in (breakable) deadlock due to the memslot deletion waiting on prefaulting to release SRCU, and prefaulting waiting on the memslot to fully disappear (KVM uses a two-step process to delete memslots, and KVM x86 retries page faults if a to-be-deleted, a.k.a. INVALID, memslot is encountered). To exercise concurrent memslot remove, spawn a second thread to initiate memslot removal at roughly the same time as prefaulting. Test memslot removal for all testcases, i.e. don't limit concurrent removal to only the success case. There are essentially three prefault scenarios (so far) that are of interest: 1. Success 2. ENOENT due to no memslot 3. EAGAIN due to INVALID memslot For all intents and purposes, #1 and #2 are mutually exclusive, or rather, easier to test via separate testcases since writing to non-existent memory is trivial. But for #3, making it mutually exclusive with #1 _or_ #2 is actually more complex than testing memslot removal for all scenarios. The only requirement to let memslot removal coexist with other scenarios is a way to guarantee a stable result, e.g. that the "no memslot" test observes ENOENT, not EAGAIN, for the final checks. So, rather than make memslot removal mutually exclusive with the ENOENT scenario, simply restore the memslot and retry prefaulting. For the "no memslot" case, KVM_PRE_FAULT_MEMORY should be idempotent, i.e. should always fail with ENOENT regardless of how many times userspace attempts prefaulting. Pass in both the base GPA and the offset (instead of the "full" GPA) so that the worker can recreate the memslot. Signed-off-by: Yan Zhao Co-developed-by: Sean Christopherson Link: https://lore.kernel.org/r/20250924174255.2141847-1-seanjc@google.com Signed-off-by: Sean Christopherson commit e2c69490dda5d4c9f1bfbb2898989c8f3530e354 Author: Guenter Roeck Date: Mon Oct 6 13:18:57 2025 -0700 ipmi: Fix handling of messages with provided receive message pointer Prior to commit b52da4054ee0 ("ipmi: Rework user message limit handling"), i_ipmi_request() used to increase the user reference counter if the receive message is provided by the caller of IPMI API functions. This is no longer the case. However, ipmi_free_recv_msg() is still called and decreases the reference counter. This results in the reference counter reaching zero, the user data pointer is released, and all kinds of interesting crashes are seen. Fix the problem by increasing user reference counter if the receive message has been provided by the caller. Fixes: b52da4054ee0 ("ipmi: Rework user message limit handling") Reported-by: Eric Dumazet Cc: Eric Dumazet Cc: Greg Thelen Signed-off-by: Guenter Roeck Message-ID: <20251006201857.3433837-1-linux@roeck-us.net> Signed-off-by: Corey Minyard commit a779e27f24aeb679969ddd1fdd7f636e22ddbc1e Author: Christian Brauner Date: Tue Oct 7 11:32:42 2025 +0200 coredump: fix core_pattern input validation In be1e0283021e ("coredump: don't pointlessly check and spew warnings") we tried to fix input validation so it only happens during a write to core_pattern. This would avoid needlessly logging a lot of warnings during a read operation. However the logic accidently got inverted in this commit. Fix it so the input validation only happens on write and is skipped on read. Fixes: be1e0283021e ("coredump: don't pointlessly check and spew warnings") Fixes: 16195d2c7dd2 ("coredump: validate socket name as it is written") Reviewed-by: Jan Kara Reported-by: Yu Watanabe Signed-off-by: Christian Brauner commit 56094ad3eaa21e6621396cc33811d8f72847a834 Author: Jan Kara Date: Thu Oct 2 17:55:07 2025 +0200 vfs: Don't leak disconnected dentries on umount When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail to find the dentry we are trying to reconnect and instead create a new dentry under the parent. Now this dentry will not be marked as disconnected although the parent still may well be disconnected (at least in case this inconsistency happened because the fs is corrupted and .. doesn't point to the real parent directory). This creates inconsistency in disconnected flags but AFAICS it was mostly harmless. At least until commit f1ee616214cb ("VFS: don't keep disconnected dentries on d_anon") which removed adding of most disconnected dentries to sb->s_anon list. Thus after this commit cleanup of disconnected dentries implicitely relies on the fact that dput() will immediately reclaim such dentries. However when some leaf dentry isn't marked as disconnected, as in the scenario described above, the reclaim doesn't happen and the dentries are "leaked". Memory reclaim can eventually reclaim them but otherwise they stay in memory and if umount comes first, we hit infamous "Busy inodes after unmount" bug. Make sure all dentries created under a disconnected parent are marked as disconnected as well. Reported-by: syzbot+1d79ebe5383fc016cf07@syzkaller.appspotmail.com Fixes: f1ee616214cb ("VFS: don't keep disconnected dentries on d_anon") CC: stable@vger.kernel.org Signed-off-by: Jan Kara Signed-off-by: Christian Brauner commit 154d1e7ad9e5ce4b2aaefd3862b3dba545ad978d Author: Yuezhang Mo Date: Tue Sep 30 13:42:57 2025 +0800 dax: skip read lock assertion for read-only filesystems The commit 168316db3583("dax: assert that i_rwsem is held exclusive for writes") added lock assertions to ensure proper locking in DAX operations. However, these assertions trigger false-positive lockdep warnings since read lock is unnecessary on read-only filesystems(e.g., erofs). This patch skips the read lock assertion for read-only filesystems, eliminating the spurious warnings while maintaining the integrity checks for writable filesystems. Fixes: 168316db3583 ("dax: assert that i_rwsem is held exclusive for writes") Signed-off-by: Yuezhang Mo Reviewed-by: Friendy Su Reviewed-by: Daniel Palmer Reviewed-by: Gao Xiang Signed-off-by: Christian Brauner commit d68a29a6a229f8b4f3b19dbcd0bb02881316d642 Author: Tong Li Date: Tue Sep 30 19:02:58 2025 +0800 rust: file: add intra-doc link for 'EBADF' The `BadFdError` doc comment mentions the `EBADF` constant but does not currently provide a navigation target for readers of the generated docs. Turning the references into intra-doc links matches the rest of the module and makes the documentation easier to explore. Suggested-by: Onur Özkan Link: https://github.com/Rust-for-Linux/linux/issues/1186 Signed-off-by: Tong Li Reviewed-by: Onur Özkan Signed-off-by: Christian Brauner commit deafd21efdd106f9744e2339e0c70c0f4ba565c3 Author: Zhou Yuhang Date: Wed Sep 24 20:21:39 2025 +0800 fs: update comment in init_file() The f_count member in struct file has been replaced by f_ref, so update f_count to f_ref in the comment. Signed-off-by: Zhou Yuhang Signed-off-by: Christian Brauner commit 15623c860c93aac71d22e7bedb7661ff2d3418de Author: Deepanshu Kartikey Date: Mon Sep 29 11:02:05 2025 +0200 nsfs: handle inode number mismatches gracefully in file handles Replace VFS_WARN_ON_ONCE() with graceful error handling when file handles contain inode numbers that don't match the actual namespace inode. This prevents userspace from triggering kernel warnings by providing malformed file handles to open_by_handle_at(). The issue occurs when userspace provides a file handle with valid namespace type and ID that successfully locates a namespace, but specifies an incorrect inode number. Previously, this would trigger VFS_WARN_ON_ONCE() when comparing the real inode number against the provided value. Since file handle data is user-controllable, inode number mismatches should be treated as invalid input rather than kernel consistency errors. Handle this case by returning NULL to indicate the file handle is invalid, rather than warning about what is essentially user input validation. Reported-by: syzbot+9eefe09bedd093f156c2@syzkaller.appspotmail.com Suggested-by: Jan Kara Reviewed-by: Jan Kara Signed-off-by: Deepanshu Kartikey Signed-off-by: Christian Brauner commit 7c3321f3d279eda7f7d622312ffdbb889f3bec97 Author: Jingyi Wang Date: Wed Sep 24 16:29:01 2025 -0700 scsi: ufs: phy: dt-bindings: Add QMP UFS PHY compatible for Kaanapali Document the QMP UFS PHY compatible for Qualcomm Kaanapali to support physical layer functionality for UFS found on the SoC. Use fallback to indicate the compatibility of the QMP UFS PHY on the Kaanapali with that on the SM8750. Signed-off-by: Jingyi Wang Acked-by: Konrad Dybcio Signed-off-by: Martin K. Petersen commit 6dfc353af575e33c94f5d740f7b0569fa9b784d9 Author: Nitin Rawat Date: Wed Sep 24 16:29:00 2025 -0700 scsi: ufs: qcom: dt-bindings: Document the Kaanapali UFS controller Document the UFS Controller on the Kaanapali Platform. Signed-off-by: Nitin Rawat Signed-off-by: Jingyi Wang Message-Id: <20250924-knp-ufs-v1-1-42e0955a1f7c@oss.qualcomm.com> Signed-off-by: Martin K. Petersen commit 120642726ecb1b7a266f5c21bec90821e1154509 Author: Dan Carpenter Date: Tue Sep 30 15:38:09 2025 +0300 scsi: libfc: Prevent integer overflow in fc_fcp_recv_data() The "offset" comes from the skb->data that we received. Here the code is verifying that "offset + len" is within bounds however it does not take integer overflows into account. Use size_add() to be safe. This would only be an issue on 32bit systems which are probably a very small percent of the users. Still, it's worth fixing just for correctness sake. Fixes: 42e9a92fe6a9 ("[SCSI] libfc: A modular Fibre Channel library") Signed-off-by: Dan Carpenter Message-Id: Signed-off-by: Martin K. Petersen commit 987da233b2982c686a8ea5cd4c76f0bd5e957ee3 Author: Alok Tiwari Date: Mon Sep 29 02:25:54 2025 -0700 scsi: qla4xxx: Fix typos in comments Fix several spelling mistakes in qla4xxx driver comments: "Unfortunely" -> "Unfortunately" "becase" -> "because" "funcions" -> "functions" "targer_id" -> "target_id" Signed-off-by: Alok Tiwari Signed-off-by: Martin K. Petersen commit b69ffeaa0ae43892683113b3f4ddf156398738b9 Author: Long Li Date: Wed Oct 1 22:05:30 2025 -0700 scsi: storvsc: Prefer returning channel with the same CPU as on the I/O issuing CPU When selecting an outgoing channel for I/O, storvsc tries to select a channel with a returning CPU that is not the same as issuing CPU. This worked well in the past, however it doesn't work well when the Hyper-V exposes a large number of channels (up to the number of all CPUs). Use a different CPU for returning channel is not efficient on Hyper-V. Change this behavior by preferring to the channel with the same CPU as the current I/O issuing CPU whenever possible. Tests have shown improvements in newer Hyper-V/Azure environment, and no regression with older Hyper-V/Azure environments. Tested-by: Raheel Abdul Faizy Signed-off-by: Long Li Message-Id: <1759381530-7414-1-git-send-email-longli@linux.microsoft.com> Signed-off-by: Martin K. Petersen commit 4af66c2bcab06e6e515b23139122e745d7619680 Author: Dan Carpenter Date: Fri Oct 3 12:29:18 2025 +0300 mfd: ls2kbmc: check for devm_mfd_add_devices() failure Call pci_disable_device() if devm_mfd_add_devices() fails. Fixes: 0d64f6d1ffe9 ("mfd: ls2kbmc: Introduce Loongson-2K BMC core driver") Signed-off-by: Dan Carpenter Message-ID: Signed-off-by: Corey Minyard commit 0892507f4a0b76eb897afc2bacca85e172512379 Author: Dan Carpenter Date: Fri Oct 3 12:29:09 2025 +0300 mfd: ls2kbmc: Fix an IS_ERR() vs NULL check in probe() The devm_kzalloc() function returns NULL on error so check for that instead of error pointers. Fixes: d952bba3fbb5 ("mfd: ls2kbmc: Add Loongson-2K BMC reset function support") Signed-off-by: Dan Carpenter Message-ID: Signed-off-by: Corey Minyard