* Re: [PATCH] atm: fore200e: disable PCI device on DMA mask failure
From: Myeonghun Pak @ 2026-06-24 7:07 UTC (permalink / raw)
To: Andrew Lunn
Cc: Chas Williams, netdev, linux-atm-general, linux-kernel, Ijae Kim
In-Reply-To: <16ca6db2-6cf1-4f49-a77a-62bde8341b50@lunn.ch>
Hi Andrew,
Sorry for the noise.
This was against my local torvalds/linux v7.0 tree (028ef9c96e96), not the
current netdev/net-next tree. I missed 6deb53595092 ("net: remove unused ATM
protocols and legacy ATM device drivers"), which removes fore200e, so this
patch is obsolete.
Please drop/ignore it. I will subscribe to netdev and check the current
networking trees before sending future networking patches.
Thanks,
Myeonghun
On Tue, Jun 23, 2026 at 5:56 PM, Andrew Lunn <andrew@lunn.ch> wrote:
>
> On Tue, Jun 23, 2026 at 04:53:56PM +0900, Myeonghun Pak wrote:
> > fore200e_pca_detect() enables the PCI device before setting the DMA
> > mask. If dma_set_mask_and_coherent() fails, the current error path
> > returns without disabling the device.
> >
> > Reuse the existing out_disable unwind label for this failure path so
> > pci_disable_device() is called after a successful pci_enable_device().
>
> What tree is this against?
>
> commit 6deb53595092b1426885f6503d93eedc1e3ece77
> Author: Jakub Kicinski <kuba@kernel.org>
> Date: Mon Apr 20 13:42:28 2026 -0700
>
> net: remove unused ATM protocols and legacy ATM device drivers
>
> Remove the ATM protocol modules and PCI/SBUS ATM device drivers
> that are no longer in active use.
>
> The ATM core protocol stack, PPPoATM, BR2684, and USB DSL modem
> drivers (drivers/usb/atm/) are retained in-tree to maintain PPP
> over ATM (PPPoA) and PPPoE-over-BR2684 support for DSL connections.
> The Solos ADSL2+ PCI driver is also retained.
>
> Removed ATM protocol modules:
> - net/atm/clip.c - Classical IP over ATM (RFC 2225)
> - net/atm/lec.c - LAN Emulation Client (LANE)
> - net/atm/mpc.c, mpoa_caches.c, mpoa_proc.c - Multi-Protocol Over ATM
>
> Removed PCI/SBUS ATM device drivers (drivers/atm/):
> - adummy, atmtcp - software/testing ATM devices
> - eni - Efficient Networks ENI155P (OC-3, ~1995)
> - fore200e - FORE Systems 200E PCI/SBUS (OC-3, ~1999)
>
>
> Please subscribe to the netdev Mailing list, so you know what is going
> on.
>
>
> Andrew
>
> ---
> pw-bot: reject
>
* [PATCH] btrfs: uapi: fix stale BTRFS_SYSTEM_CHUNK_ARRAY_SIZE comment
From: Sun YangKai @ 2026-06-24 7:08 UTC (permalink / raw)
To: linux-btrfs; +Cc: Sun YangKai
The comment claims room for "14 chunks with 3 stripes each", which
was correct when the structs were smaller. Since then three additions
grew each entry:
commit e17cade25ff8 ("Btrfs: Add chunk uuids and update multi-device back references")
added btrfs_chunk.length (+8) and stripe.dev_uuid (+16)
commit 321aecc65671 ("Btrfs: Add RAID10 support")
added btrfs_chunk.sub_stripes (+2)
A 3-stripe entry now takes:
sizeof(btrfs_disk_key) + btrfs_chunk_item_size(3)
= 17 + 80 + 32 * (3 - 1)
= 161 bytes
2048 / 161 ≈ 12.7, so "14" is no longer achievable. Update to 12
and add the explicit calculation so it does not rot again.
Signed-off-by: Sun YangKai <sunk67188@gmail.com>
---
include/uapi/linux/btrfs_tree.h | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/include/uapi/linux/btrfs_tree.h b/include/uapi/linux/btrfs_tree.h
index cc3b9f7dccaf..78404abc4ba2 100644
--- a/include/uapi/linux/btrfs_tree.h
+++ b/include/uapi/linux/btrfs_tree.h
@@ -504,7 +504,11 @@ struct btrfs_header {
/*
* This is a very generous portion of the super block, giving us room to
- * translate 14 chunks with 3 stripes each.
+ * translate 12 chunks with 3 stripes each.
+ *
+ * Each entry takes sizeof(btrfs_disk_key) + btrfs_chunk_item_size(n),
+ * which for a 3-stripe chunk is 17 + 80 + 32 * (3 - 1) = 161 bytes.
+ * 2048 / 161 ≈ 12.7, so at most 12 entries fit.
*/
#define BTRFS_SYSTEM_CHUNK_ARRAY_SIZE 2048
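Review bot: the added line "2048 / 161 ≈ 12.7, so at most 12 entries fit." puts a non-ASCII character into a uapi header that gets copied into userspace projects; plain ASCII wording such as "2048 / 161 is about 12.7" avoids encoding surprises. In the line above it, 17 is evidently sizeof(btrfs_disk_key), but 80 and 32 are not attributed to any structure, so the next person who grows a struct cannot tell which term to update; naming the structure next to each number would make the calculation self-checking.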
--
2.54.0
* Re: [PATCH v3] virtio_net: disable cb when NAPI is busy-polled
From: Michael S. Tsirkin @ 2026-06-24 7:08 UTC (permalink / raw)
To: Longjun Tang
Cc: xuanzhuo, jasowang, edumazet, virtualization, netdev, tanglongjun
In-Reply-To: <20260624070206.85467-1-lange_tang@163.com>
On Wed, Jun 24, 2026 at 03:02:06PM +0800, Longjun Tang wrote:
> From: Longjun Tang <tanglongjun@kylinos.cn>
>
> When busy-poll is active, napi_schedule_prep() returns false in
> virtqueue_napi_schedule(), so virtqueue_disable_cb() is skipped.
> The device may keep firing irqs until reaches virtqueue_napi_complete().
> Under load (received == budget), it will lead to a large number
> of spurious interrupts.
>
> Fix it by disabling the callback at the virtnet_poll() entry. This keeps
> the callback off while we poll and re-enable
and it is re-enabled
> by virtqueue_napi_complete()
> when going idle.
>
> Fixes: ceef438d613f ("virtio_net: remove custom busy_poll")
> Acked-by: Michael S. Tsirkin <mst@redhat.com>
> Signed-off-by: Longjun Tang <tanglongjun@kylinos.cn>
>
> ---
> V1 -> V2: Remain agnostic to busy polling
> V2 -> V3: Add fixes tag
> ---
> drivers/net/virtio_net.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
> index f4adcfee7a80..0a11f2b32500 100644
> --- a/drivers/net/virtio_net.c
> +++ b/drivers/net/virtio_net.c
> @@ -3008,6 +3008,11 @@ static int virtnet_poll(struct napi_struct *napi, int budget)
> unsigned int xdp_xmit = 0;
> bool napi_complete;
>
> + /* Keep callbacks suppressed for the duration of this poll,
> + * busy-poll need.
I don't know what "busy-poll need" means. Just drop this part?
In fact, the whole comment can go, we know virtqueue_disable_cb
disables callbacks.
> + */
> + virtqueue_disable_cb(rq->vq);
> +
> virtnet_poll_cleantx(rq, budget);
>
> received = virtnet_receive(rq, budget, &xdp_xmit);
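Review bot: the added `virtqueue_disable_cb(rq->vq);` at the top of virtnet_poll() has no matching re-enable in this hunk; the commit message relies on virtqueue_napi_complete() to turn callbacks back on when the poll goes idle. Please confirm that every path on which virtnet_poll() stops polling goes through that re-enable, because a path that returns without it would leave the receive queue with callbacks off. If a comment is kept here, naming the function that re-enables would say more than "busy-poll need".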
> --
> 2.43.0
* Re: [PATCH v2 10/20] md/md-llbitmap: add reshape range mapping helpers
From: sashiko-bot @ 2026-06-24 7:08 UTC (permalink / raw)
To: Yu Kuai; +Cc: linux-raid, yukuai
In-Reply-To: <8a47becf3100a3998e003afcdabce6c17c149194.1782282042.git.yukuai@kernel.org>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] TOCTOU race on mddev->reshape_position causes bios to be mapped to the wrong geometry.
- [High] The resync threads use raw array sectors and blindly compute the bitmap bit index using the old geometry's chunkshift, completely ignoring reshape_chunksize for sectors residing in the new geometry.
--
commit a481d24ff8d12695efeabb7f320e930174126333
Author: Yu Kuai <yukuai@fygo.io>
md/md-llbitmap: add reshape range mapping helpers
Teach llbitmap to choose old versus new geometry during reshape and to
encode exact bitmap ranges for the active geometry.
This is the mapping groundwork for checkpoint remapping.
> diff --git a/drivers/md/md-llbitmap.c b/drivers/md/md-llbitmap.c
> index 11fede1fc79fd..d27993cfb13da 100644
> --- a/drivers/md/md-llbitmap.c
> +++ b/drivers/md/md-llbitmap.c
[ ... ]
> @@ -1376,11 +1433,32 @@ static void llbitmap_destroy(struct mddev *mddev)
> mutex_unlock(&mddev->bitmap_info.mutex);
> }
>
> +static bool llbitmap_map_previous(struct llbitmap *llbitmap, sector_t offset,
> + unsigned long sectors)
> +{
> + struct mddev *mddev = llbitmap->mddev;
> + sector_t boundary = mddev->reshape_position;
> +
> + if (!llbitmap_reshaping(llbitmap))
> + return false;
[Severity: High]
Can a concurrent reshape thread update mddev->reshape_position from MaxSector to
0 between reading it into boundary and the call to llbitmap_reshaping()?
If that happens, boundary holds MaxSector but llbitmap_reshaping() evaluates to
true. This would cause offset < MaxSector to evaluate to true, mapping the IO
to the new geometry before the array has actually reshaped the sector. Could
this race lead to data corruption?
> +
> + WARN_ON_ONCE(sectors && offset < boundary && offset + sectors > boundary);
> +
> + return mddev->reshape_backwards ? offset < boundary : offset >= boundary;
> +}
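Review bot: llbitmap_map_previous() is added without a comment on what a true return means, and its last line, `return mddev->reshape_backwards ? offset < boundary : offset >= boundary;`, flips the comparison by direction. A short comment above the function saying that true selects the previous geometry (judging by the name) and why the comparison depends on reshape_backwards would make callers easier to check. `boundary` is also taken with a plain read of mddev->reshape_position; if that field can change concurrently, READ_ONCE() would at least make the single-read intent explicit.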
[ ... ]
> @@ -1549,7 +1627,11 @@ static bool llbitmap_blocks_synced(struct mddev *mddev, sector_t offset)
> {
> struct llbitmap *llbitmap = mddev->bitmap;
> unsigned long p = offset >> llbitmap->chunkshift;
[Severity: High]
Does this unconditionally use the old chunkshift to compute the bit index from
the raw sync offset?
During an interrupted reshape recovery, active IO computes the correct bit index
using llbitmap_encode_range() for the new geometry. However, functions like
llbitmap_blocks_synced(), llbitmap_skip_sync_blocks(), and llbitmap_start_sync()
receive raw physical sectors from md_do_sync() and completely bypass
llbitmap_prepare_range().
If reshape_chunksize differs from chunksize, will the sync thread calculate the
wrong bit index, read a clean bit instead of the dirty bit marked by active IO,
and silently skip synchronizing the dirty sectors?
> - enum llbitmap_state c = llbitmap_read(llbitmap, p);
> + enum llbitmap_state c;
> +
> + if (p >= llbitmap->chunks)
> + return false;
> + c = llbitmap_read(llbitmap, p);
>
> return c == BitClean || c == BitDirty || c == BitCleanUnwritten;
> }
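Review bot: in llbitmap_blocks_synced() the new bound check `if (p >= llbitmap->chunks)` tests `p`, which is declared `unsigned long` and assigned from `offset >> llbitmap->chunkshift` with `offset` a sector_t. On a 32-bit build a large offset can be truncated before the comparison and pass the check with a wrapped index; doing the shift and the comparison in sector_t and only then narrowing would close that. The commit message should also say why an out-of-range offset silently reports "not synced" (false) rather than warning.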
--
Sashiko AI review · https://sashiko.dev/#/patchset/cover.1782282042.git.yukuai@kernel.org?part=10
* [PATCH V9 00/17] iothread: Support tracking and querying IOThread holders
From: Zhang Chen @ 2026-06-24 7:08 UTC (permalink / raw)
To: qemu-devel, Dr . David Alan Gilbert, Eric Blake,
Markus Armbruster, Michael S . Tsirkin, Stefan Hajnoczi,
Paolo Bonzini, Kevin Wolf, Jason Wang, Fam Zheng
Cc: Zhang Chen
### Motivation
Currently, the relationship between IOThreads and the resources using them is
opaque. From a management perspective, it is difficult to determine which
devices or block exports are currently associated with a specific IOThread
via QMP or HMP.
This series introduces a "holder" tracking mechanism based on QOM paths,
block nodes or monitor to significantly improve IOThread observability.
In high-performance virtualization environments, users often pre-allocate
a set of IOThreads to serve as a persistent thread pool. During device
hotplug/unplug cycles, while IOThread objects remain persistent,
their attachment state changes dynamically.
By tracking these "holders," administrators can use `query-iothreads` to
monitor the real-time load distribution of the thread pool and identify which
specific devices (e.g., virtio-blk, BlockExport) are attached to which thread.
### Technical Overview
* Atomic API Design: Merged iothread_get_aio_context and
iothread_ref_and_get_aio_context into a single unified function. The new
API enforces a 'holder' parameter, making "retrieval" and "tracking" an
atomic operation to prevent reference tracking leaks.
* Subsystem Integration: Fully migrated and adapted core modules including
Virtio (blk, vq-mapping, balloon, scsi), Block Layer (export, xen),
Network (COLO), VFIO, and the Monitor subsystem.
* Introspection: Expanded the IOThreadInfo QAPI structure to include a
'holders' array (list of QOM paths), accessible via both
query-iothreads (QMP) and info iothreads (HMP).
### V9 -> V8 Changelog
- Drop to assign unique default ID for monitor, and keep the NULL ID.
- Rewrite and split the monitor patch 7 and 8.
- Add the [PATCH 17/17]tests/unit/iothread: Update the iothread_get_aio_context
to keep the API same in the unit tests.
- Refactor code according to comments.
- Update the example.
- Fix other comments issues.
### V7 -> V8 Changelog
- Drop the assumption of the Monitor QOM, add the new type
IO_THREAD_HOLDER_KIND_MONITOR_NAME.
- Drop the assumption of the string '/' as QOM path.
- Introduce new patch for Monitor:
[PATCH 06/15] assign unique default ID to anonymous monitors
- Fixed Monitor ID for the IOThread.
- Refactor code according to comments.
- Update QMP example.
- Rebased patches on upstream code.
- Fixed comments issues.
- Removed redundant code.
### V6 -> V7 Changelog
- Fixed comments issues in patch 02/14 (Thanks Markus).
- Removed redundant code.
- Rebased patches on upstream code.
- Fixed code conflict with latest patches.
- Added detailed description in git log and code.
- Added comments for patch 06/14 assuming the monitor is a QOM object,
Depends on Daniel Berrange's RFC patch:
[PATCH RFC 00/17] monitor: turn QMP and HMP into QOM objects
### V5 -> V6 Changelog
* API Refactoring (Breaking Change):
- Implement the 'union': 'IoThreadHolder' for combine the QOM objects
and the block-node.
- Completely merged iothread_get_aio_context variants.
- The iothread_get_aio_context function now strictly requires a 'holder'
argument to ensure every context retrieval is accounted for.
* Expanded Module Coverage:
- Added holder tracking for the monitor subsystem (tracking threads used
by QMP/HMP).
- Added support for the virtio-scsi dataplane.
* Code Cleanup:
- Removed redundant and obsolete API declarations.
- Standardized the use of object_get_canonical_path() across all callers
to provide consistent and unique holder names.
* Bug Fixes:
- Updated qapi/misc.json documentation to fix missing descriptions in
query-iothreads items.
* Build System:
- Improved header inclusion logic to avoid redundant declaration errors
in unit tests.
* QAPI part:
- Sorry to drop the "Acked-by: Markus Armbruster <armbru@redhat.com>",
because this version have lots of changes in the:
[PATCH V6 13/14]qapi: examine IOThread attachment status via query-iothreads
Zhang Chen (17):
qapi/misc: Fix missed query-iothreads items
iothread: introduce iothread_ref/unref to track attached devices
iothread: tracking iothread users with holder name
iothread: introduce iothread_unsafe_get_aio_context()
block/export: track IOThread reference in BlockExport
monitor: refactor monitor_data_init() to pass ID
monitor: support iothread ref/unref for anonymous monitors
monitor: switch to iothread_unsafe_get_aio_context()
virtio-vq-mapping: track iothread-vq-mapping references using device
path
virtio: use iothread_get/put_aio_context for thread pinning
net/colo: track IOThread references using path-based holder
virtio-balloon: Update tracking iothread users with holder
vfio-user/proxy: Update tracking iothread users with holder name
xen-block: Update tracking iothread users with holder name
qapi: examine IOThread attachment status via query-iothreads
iothread: simplify API by merging iothread_get_aio_context variants
tests/unit/iothread: Update the iothread_get_aio_context
block/export/export.c | 62 +++++++++--
blockdev.c | 2 +-
chardev/char.c | 2 +-
gdbstub/system.c | 3 +-
hw/block/dataplane/xen-block.c | 19 +++-
hw/block/virtio-blk.c | 22 ++--
hw/scsi/virtio-scsi-dataplane.c | 22 ++--
hw/vfio-user/proxy.c | 15 ++-
hw/virtio/iothread-vq-mapping.c | 19 +++-
hw/virtio/virtio-balloon.c | 22 +++-
include/block/export.h | 6 ++
include/hw/virtio/iothread-vq-mapping.h | 6 +-
include/monitor/monitor.h | 5 +-
include/system/iothread.h | 17 ++-
iothread.c | 136 +++++++++++++++++++++++-
monitor/hmp-cmds.c | 26 +++++
monitor/hmp.c | 5 +-
monitor/monitor-internal.h | 4 +-
monitor/monitor.c | 37 +++++--
monitor/qmp-cmds.c | 2 +-
monitor/qmp.c | 7 +-
net/colo-compare.c | 29 +++--
qapi/misc.json | 82 +++++++++++++-
stubs/monitor-internal.c | 3 +-
tests/unit/iothread.c | 16 +--
tests/unit/iothread.h | 6 +-
tests/unit/test-aio-multithread.c | 5 +-
tests/unit/test-bdrv-drain.c | 18 +++-
tests/unit/test-block-iothread.c | 21 ++--
29 files changed, 526 insertions(+), 93 deletions(-)
--
2.49.0
* [PATCH V9 01/17] qapi/misc: Fix missed query-iothreads items
From: Zhang Chen @ 2026-06-24 7:08 UTC (permalink / raw)
To: qemu-devel, Dr . David Alan Gilbert, Eric Blake,
Markus Armbruster, Michael S . Tsirkin, Stefan Hajnoczi,
Paolo Bonzini, Kevin Wolf, Jason Wang, Fam Zheng
Cc: Zhang Chen, qemu-stable
In-Reply-To: <20260624070851.13342-1-zhangckid@gmail.com>
The example is incomplete: it misses members @poll-max-ns, @poll-grow,
@poll-shrink, @aio-max-batch. Messed up in commit 5fc00480ab1
(monitor: add poll-* properties into query-iothreads result) and
commit 1793ad0247c (iothread: add aio-max-batch parameter).
cc: qemu-stable@nongnu.org
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Zhang Chen <zhangckid@gmail.com>
---
qapi/misc.json | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/qapi/misc.json b/qapi/misc.json
index 22b7afed9f..c71a5fe657 100644
--- a/qapi/misc.json
+++ b/qapi/misc.json
@@ -123,11 +123,19 @@
# <- { "return": [
# {
# "id":"iothread0",
-# "thread-id":3134
+# "thread-id":3134,
+# "poll-max-ns":32768,
+# "poll-grow":0,
+# "poll-shrink":0,
+# "aio-max-batch":0
# },
# {
# "id":"iothread1",
-# "thread-id":3135
+# "thread-id":3135,
+# "poll-max-ns":32768,
+# "poll-grow":0,
+# "poll-shrink":0,
+# "aio-max-batch":0
# }
# ]
# }
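Review bot: the Cc: qemu-stable tag looks heavier than this hunk needs, since all ten added lines sit inside the `#`-prefixed query-iothreads example and no schema or code line changes. If the backport is wanted so that the generated documentation on stable branches is corrected, say so in the commit message; otherwise drop the tag.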
--
2.49.0
* RE: [PATCH V2 1/8] PCI: imx6: Add skip_pwrctrl_off flag support
From: Sherry Sun @ 2026-06-24 7:09 UTC (permalink / raw)
To: Frank Li (OSS), Sherry Sun (OSS)
Cc: robh@kernel.org, krzk+dt@kernel.org, conor+dt@kernel.org,
Frank Li, s.hauer@pengutronix.de, kernel@pengutronix.de,
festevam@gmail.com, Amitkumar Karwar, Neeraj Sanjay Kale,
marcel@holtmann.org, luiz.dentz@gmail.com, Hongxing Zhu,
l.stach@pengutronix.de, lpieralisi@kernel.org,
kwilczynski@kernel.org, mani@kernel.org, bhelgaas@google.com,
brgl@kernel.org, imx@lists.linux.dev, linux-pci@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, devicetree@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-bluetooth@vger.kernel.org,
linux-pm@vger.kernel.org
In-Reply-To: <ajqZBM6IkbDLiVu2@SMW015318>
> Subject: Re: [PATCH V2 1/8] PCI: imx6: Add skip_pwrctrl_off flag support
>
> On Tue, Jun 23, 2026 at 11:07:28AM +0800, Sherry Sun (OSS) wrote:
> > From: Sherry Sun <sherry.sun@nxp.com>
> >
> > Use dw_pcie_rp::skip_pwrctrl_off to avoid powering off devices during
> > suspend to preserve wakeup capability of the devices and also not to
> > power on the devices in the init path.
> > This allows controller power-off to be skipped when some devices(e.g.
> > M.2 cards key E without auxiliary power) required to support PCIe L2
> > link state and wake-up mechanisms.
> >
> > Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
> > ---
> > drivers/pci/controller/dwc/pci-imx6.c | 36
> > +++++++++++++++++----------
> > 1 file changed, 23 insertions(+), 13 deletions(-)
> >
> > diff --git a/drivers/pci/controller/dwc/pci-imx6.c
> > b/drivers/pci/controller/dwc/pci-imx6.c
> > index 0fa716d1ed75..ff5a9565dbbf 100644
> > --- a/drivers/pci/controller/dwc/pci-imx6.c
> > +++ b/drivers/pci/controller/dwc/pci-imx6.c
> > @@ -1382,16 +1382,20 @@ static int imx_pcie_host_init(struct dw_pcie_rp
> *pp)
> > }
> > }
> >
> > - ret = pci_pwrctrl_create_devices(dev);
> > - if (ret) {
> > - dev_err(dev, "failed to create pwrctrl devices\n");
> > - goto err_reg_disable;
> > + if (!pci->suspended) {
> > + ret = pci_pwrctrl_create_devices(dev);
>
> Is possible move pci_pwrctrl_create_devices() of pci_pwrctrl_create_devices
>
> and call it direct at probe() function, like other regulator_get function.
>
Hi Frank,
That makes sense. However, if we move pci_pwrctrl_create_devices() to
probe(), we may need to add the following goto err_pwrctrl_destroy path
in imx_pcie_probe() to properly handle errors from
pci_pwrctrl_power_on_devices(), is that acceptable?
@@ -1960,11 +1949,15 @@ static int imx_pcie_probe(struct platform_device *pdev)
if (ret)
return ret;
+ ret = pci_pwrctrl_create_devices(dev);
+ if (ret)
+ return dev_err_probe(dev, ret, "failed to create pwrctrl devices\n");
+
pci->use_parent_dt_ranges = true;
if (imx_pcie->drvdata->mode == DW_PCIE_EP_TYPE) {
ret = imx_add_pcie_ep(imx_pcie, pdev);
if (ret < 0)
- return ret;
+ goto err_pwrctrl_destroy;
/*
* FIXME: Only single Device (EPF) is supported due to the
@@ -1979,7 +1972,7 @@ static int imx_pcie_probe(struct platform_device *pdev)
pci->pp.use_atu_msg = true;
ret = dw_pcie_host_init(&pci->pp);
if (ret < 0)
- return ret;
+ goto err_pwrctrl_destroy;
if (pci_msi_enabled()) {
u8 offset = dw_pcie_find_capability(pci, PCI_CAP_ID_MSI);
@@ -1991,6 +1984,11 @@ static int imx_pcie_probe(struct platform_device *pdev)
}
return 0;
+
+err_pwrctrl_destroy:
+ if (ret != -EPROBE_DEFER)
+ pci_pwrctrl_destroy_devices(dev);
+ return ret;
}
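Review bot: the new err_pwrctrl_destroy label in imx_pcie_probe() skips pci_pwrctrl_destroy_devices() when `ret` is -EPROBE_DEFER, yet pci_pwrctrl_create_devices() now runs at the top of every probe attempt. Please confirm that calling it again on the deferred re-probe is safe when the devices from the first attempt were left in place, or document that assumption at the label.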
Best Regards
Sherry
>
> > + if (ret) {
> > + dev_err(dev, "failed to create pwrctrl devices\n");
> > + goto err_reg_disable;
> > + }
> > }
> >
> > - ret = pci_pwrctrl_power_on_devices(dev);
> > - if (ret) {
> > - dev_err(dev, "failed to power on pwrctrl devices\n");
> > - goto err_pwrctrl_destroy;
> > + if (!pp->skip_pwrctrl_off) {
> > + ret = pci_pwrctrl_power_on_devices(dev);
> > + if (ret) {
> > + dev_err(dev, "failed to power on pwrctrl devices\n");
> > + goto err_pwrctrl_destroy;
> > + }
> > }
> >
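Review bot: the `if (!pp->skip_pwrctrl_off)` guard around pci_pwrctrl_power_on_devices() in imx_pcie_host_init() applies on every call, including the first one made from probe, not only on resume. If the flag can already be set before the first host init, the devices are created but never powered on by this path; please state in the commit message where the flag is set and why the initial power-on is still guaranteed. Creation is gated on `!pci->suspended` while power-on is gated on a different flag, so a comment explaining why the two conditions differ would help.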
> > ret = imx_pcie_clk_enable(imx_pcie); @@ -1460,9 +1464,10 @@
> static
> > int imx_pcie_host_init(struct dw_pcie_rp *pp)
> > err_clk_disable:
> > imx_pcie_clk_disable(imx_pcie);
> > err_pwrctrl_power_off:
> > - pci_pwrctrl_power_off_devices(dev);
> > + if (!pp->skip_pwrctrl_off)
> > + pci_pwrctrl_power_off_devices(dev);
> > err_pwrctrl_destroy:
> > - if (ret != -EPROBE_DEFER)
> > + if (ret != -EPROBE_DEFER && !pci->suspended)
> > pci_pwrctrl_destroy_devices(dev);
> > err_reg_disable:
> > if (imx_pcie->vpcie)
> > @@ -1482,7 +1487,8 @@ static void imx_pcie_host_exit(struct dw_pcie_rp
> *pp)
> > }
> > imx_pcie_clk_disable(imx_pcie);
> >
> > - pci_pwrctrl_power_off_devices(pci->dev);
> > + if (!pci->pp.skip_pwrctrl_off)
> > + pci_pwrctrl_power_off_devices(pci->dev);
> > if (imx_pcie->vpcie)
> > regulator_disable(imx_pcie->vpcie);
> > }
> > @@ -1990,12 +1996,16 @@ static int imx_pcie_probe(struct
> > platform_device *pdev) static void imx_pcie_shutdown(struct
> > platform_device *pdev) {
> > struct imx_pcie *imx_pcie = platform_get_drvdata(pdev);
> > + struct dw_pcie *pci = imx_pcie->pci;
> > + struct dw_pcie_rp *pp = &pci->pp;
> >
> > /* bring down link, so bootloader gets clean state in case of reboot */
> > imx_pcie_assert_core_reset(imx_pcie);
> > imx_pcie_assert_perst(imx_pcie, true);
> > - pci_pwrctrl_power_off_devices(&pdev->dev);
> > - pci_pwrctrl_destroy_devices(&pdev->dev);
> > + if (!pp->skip_pwrctrl_off)
> > + pci_pwrctrl_power_off_devices(&pdev->dev);
> > + if (!pci->suspended)
> > + pci_pwrctrl_destroy_devices(&pdev->dev);
> > }
> >
> > static const struct imx_pcie_drvdata drvdata[] = {
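Review bot: in imx_pcie_shutdown() the comment above the changed lines says the link is brought down "so bootloader gets clean state in case of reboot", but with `if (!pp->skip_pwrctrl_off)` the devices now stay powered across a reboot whenever the flag is set. Keeping power during suspend is the stated goal and shutdown is a different case, so either power off unconditionally here or explain why wakeup capability must survive shutdown. The `if (!pci->suspended)` guard on pci_pwrctrl_destroy_devices() also needs a note on how shutdown can be reached while suspended.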
> > --
> > 2.50.1
> >
> >
* Re: [PATCH v7 6/6] remoteproc: qcom_q6v5_pas: Add SoCCP node on Kaanapali
From: Mukesh Ojha @ 2026-06-24 7:09 UTC (permalink / raw)
To: Jingyi Wang
Cc: Bjorn Andersson, Mathieu Poirier, Rob Herring,
Krzysztof Kozlowski, Conor Dooley, Manivannan Sadhasivam,
Luca Weiss, Bartosz Golaszewski, Kumar Patro, Komal Bajaj,
Konrad Dybcio, aiqun.yu, tingwei.zhang, trilok.soni, yijie.yang,
linux-arm-msm, linux-remoteproc, devicetree, linux-kernel,
Dmitry Baryshkov, Bartosz Golaszewski
In-Reply-To: <20260623-knp-soccp-v7-6-1ec7bb5c9fec@oss.qualcomm.com>
On Tue, Jun 23, 2026 at 03:05:22AM -0700, Jingyi Wang wrote:
> The SoC Control Processor (SoCCP) is small RISC-V MCU that controls
> USB Type-C, battery charging and various other functions on Qualcomm SoCs.
> It provides a solution for control-plane processing, reducing per-subsystem
> microcontroller reinvention. Add support for SoCCP PAS loader on Kaanapali
> platform.
>
> Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
> Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
> Signed-off-by: Jingyi Wang <jingyi.wang@oss.qualcomm.com>
> ---
> drivers/remoteproc/qcom_q6v5_pas.c | 18 ++++++++++++++++++
> 1 file changed, 18 insertions(+)
>
> diff --git a/drivers/remoteproc/qcom_q6v5_pas.c b/drivers/remoteproc/qcom_q6v5_pas.c
> index 8a0bb4b2e71c..60a4337d9e51 100644
> --- a/drivers/remoteproc/qcom_q6v5_pas.c
> +++ b/drivers/remoteproc/qcom_q6v5_pas.c
> @@ -1640,8 +1640,26 @@ static const struct qcom_pas_data sm8750_mpss_resource = {
> .region_assign_vmid = QCOM_SCM_VMID_MSS_MSA,
> };
>
> +static const struct qcom_pas_data kaanapali_soccp_resource = {
> + .crash_reason_smem = 656,
> + .firmware_name = "soccp.mbn",
> + .dtb_firmware_name = "soccp_dtb.mbn",
> + .pas_id = 51,
> + .dtb_pas_id = 0x41,
> + .proxy_pd_names = (char*[]){
> + "cx",
> + "mx",
> + NULL
> + },
> + .ssr_name = "soccp",
> + .sysmon_name = "soccp",
> + .auto_boot = true,
> + .early_boot = true,
> +};
> +
> static const struct of_device_id qcom_pas_of_match[] = {
> { .compatible = "qcom,eliza-adsp-pas", .data = &sm8550_adsp_resource },
> + { .compatible = "qcom,kaanapali-soccp-pas", .data = &kaanapali_soccp_resource },
> { .compatible = "qcom,milos-adsp-pas", .data = &sm8550_adsp_resource },
> { .compatible = "qcom,milos-cdsp-pas", .data = &milos_cdsp_resource },
> { .compatible = "qcom,milos-mpss-pas", .data = &sm8450_mpss_resource },
>
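Review bot: `.early_boot = true` in kaanapali_soccp_resource is not mentioned in the commit message, which describes what SoCCP is but not why this entry needs the flag alongside `.auto_boot = true`; one sentence on that would help reviewers of later SoCs that copy this block. The two IDs are also written in different radices (`.pas_id = 51`, `.dtb_pas_id = 0x41`); using one form for both makes them easier to compare.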
Since this is fully compatible with Hawi SoC, I tested it on Hawi SoC.
Tested-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com> # Hawi SoC
--
-Mukesh Ojha
* Re: [yocto-patches] [PATCH yocto-autobuilder2] config.py: Add meta-lts-mixin layer
From: Paul Barker @ 2026-06-24 7:09 UTC (permalink / raw)
To: yocto-patches; +Cc: Thomas Petazzoni, Mathieu Dubois-Briand
In-Reply-To: <20260623-mathieu-meta-lts-mixin-v1-1-0c552b4f6d28@bootlin.com>
On Tue, 2026-06-23 at 16:46 +0200, Mathieu Dubois-Briand via
lists.yoctoproject.org wrote:
> meta-qcom wrynose branch has a dependency on meta-lts-mixin: we will
> need to clone it during some builds.
>
> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
> ---
> config.py | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/config.py b/config.py
> index 63e8b5627ae2..438753395da1 100644
> --- a/config.py
> +++ b/config.py
> @@ -70,6 +70,7 @@ repos = {
> "meta-webosose": ["https://github.com/webosose/meta-webosose.git", "master"],
> "meta-qcom": ["https://github.com/qualcomm-linux/meta-qcom", "master"],
> "meta-riscv": ["https://github.com/riscv/meta-riscv.git", "master"],
> + "meta-lts-mixins": ["ssh://git@push.yoctoproject.org/meta-lts-mixins", "master"],
> }
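Review bot: the new "meta-lts-mixins" entry is the only one in the visible part of `repos` that uses an `ssh://git@push.yoctoproject.org/` URL, while its neighbours are fetched over `https://`. A push URL needs an SSH key on every worker that clones it, so a read-only fetch URL is preferable for a repo that is only cloned during builds. The subject and commit message also spell the layer "meta-lts-mixin" while the key and URL use "meta-lts-mixins"; please make them agree.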
Hi Mathieu,
The meta-lts-mixins repo is special, each mixin layer is stored as a
separate branch.
Perhaps we need to have an entry like this:
"mixin-wrynose-linux-firmware" : ["ssh://git@push.yoctoproject.org/meta-lts-mixins", "wrynose/linux-firmware"]
The question is whether our scripts can handle multiple clones of the
same repo, checking out different branches.
Thanks,
--
Paul Barker
* Re: [PATCH] media: meson: vdec: fix NULL pointer deref in vdec_try_fmt_common
From: sashiko-bot @ 2026-06-24 7:09 UTC (permalink / raw)
To: Christian Hewitt; +Cc: neil.armstrong, linux-amlogic
In-Reply-To: <20260624065809.2460720-1-christianshewitt@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Missing V4L2 queue busy check in vdec_s_fmt allows format changes during active streaming, leading to type confusion and memory corruption in the ISR.
--
commit 8aa33adb9b745ad7b1a26721ccafdbeb5f0768bb
Author: Christian Hewitt <christianshewitt@gmail.com>
media: meson: vdec: fix NULL pointer deref in vdec_try_fmt_common
This commit fixes a NULL pointer dereference in vdec_try_fmt_common() by
falling back to the first format in the platform's format array instead of
hardcoding MPEG2. This prevents crashes on systems where MPEG2 support has
been locally patched out.
> diff --git a/drivers/staging/media/meson/vdec/vdec.c b/drivers/staging/media/meson/vdec/vdec.c
> index a039d925c0fe5..c18bf352b1996 100644
> --- a/drivers/staging/media/meson/vdec/vdec.c
> +++ b/drivers/staging/media/meson/vdec/vdec.c
[ ... ]
[Severity: High]
This is a pre-existing issue, but while looking at the format handling in
this driver, I noticed a potential race condition.
Does vdec_s_fmt() allow format changes during active streaming?
drivers/staging/media/meson/vdec/vdec.c:vdec_s_fmt() {
...
if (f->type == V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE)
sess->fmt_out = fmt_out;
else if (f->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
sess->pixfmt_cap = format.fmt.pix_mp.pixelformat;
...
}
It appears there is no check to ensure the V4L2 queues are idle (e.g.,
via vb2_is_busy()) before overwriting the session format parameters.
If a userspace application is actively streaming and concurrently calls
VIDIOC_S_FMT with a different format, could this lead to type confusion
and memory corruption in the hardirq handler?
drivers/staging/media/meson/vdec/vdec.c:vdec_isr() {
...
return sess->fmt_out->codec_ops->isr(sess);
}
Because the hardirq handler dereferences sess->fmt_out without locks,
a mid-stream format change might cause the ISR of the newly selected codec
to execute on a session state (sess->priv) initialized for the previous
codec.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260624065809.2460720-1-christianshewitt@gmail.com?part=1
* [PATCH V9 04/17] iothread: introduce iothread_unsafe_get_aio_context()
From: Zhang Chen @ 2026-06-24 7:08 UTC (permalink / raw)
To: qemu-devel, Dr . David Alan Gilbert, Eric Blake,
Markus Armbruster, Michael S . Tsirkin, Stefan Hajnoczi,
Paolo Bonzini, Kevin Wolf, Jason Wang, Fam Zheng
Cc: Zhang Chen
In-Reply-To: <20260624070851.13342-1-zhangckid@gmail.com>
The iothread_unsafe_get_aio_context() is a low-level unsafe way of getting
the AioContext, recommend migrating to the new API with IOThreadHolder
as much as possible.
The blockdev is the first user:
Every BlockDriverState would need to get/put the IOThread AioContext in
bdrv_change_aio_context() or related functions.
However, the QEMU block layer has been moving away from having a
per-BlockDriverState AioContext. It is possible to use a
BlockDriverState from any AioContext (including multiple AioContexts at
the same time). I'm in favor of not associating BlockDriverStates with
IOThreads and instead relying on their device owners (e.g. emulated
storage controllers) to be the IOThread holders.
Signed-off-by: Zhang Chen <zhangckid@gmail.com>
---
blockdev.c | 2 +-
include/system/iothread.h | 6 ++++++
iothread.c | 6 ++++++
3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/blockdev.c b/blockdev.c
index 6e86c6262f..baeab3a3e1 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -3683,7 +3683,7 @@ void qmp_x_blockdev_set_iothread(const char *node_name, StrOrNull *iothread,
goto out;
}
- new_context = iothread_get_aio_context(obj);
+ new_context = iothread_unsafe_get_aio_context(obj);
} else {
new_context = qemu_get_aio_context();
}
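Review bot: in qmp_x_blockdev_set_iothread() the switch to `iothread_unsafe_get_aio_context(obj)` means this caller takes the context without registering a holder, so nothing in this hunk ties the lifetime of `new_context` to the IOThread it came from. The commit message gives the design reason; a short comment at the call site saying why the unsafe variant is acceptable here would keep later readers from copying it elsewhere.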
diff --git a/include/system/iothread.h b/include/system/iothread.h
index b483bbfab3..064c05e78d 100644
--- a/include/system/iothread.h
+++ b/include/system/iothread.h
@@ -71,6 +71,12 @@ DECLARE_INSTANCE_CHECKER(IOThread, IOTHREAD,
char *iothread_get_id(IOThread *iothread);
IOThread *iothread_by_id(const char *id);
AioContext *iothread_get_aio_context(IOThread *iothread);
+/*
+ * The iothread_unsafe_get_aio_context() is a low-level unsafe way of getting
+ * the AioContext, recommend migrating to the new API with IOThreadHolder
+ * as much as possible.
+ */
+AioContext *iothread_unsafe_get_aio_context(IOThread *iothread);
AioContext *iothread_ref_and_get_aio_context(IOThread *iothread,
const IOThreadHolder *holder);
void iothread_put_aio_context(IOThread *iothread, const IOThreadHolder *holder);
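Review bot: the header comment for iothread_unsafe_get_aio_context() calls it "unsafe" without saying what is unsafe about it. Since the declaration takes no `IOThreadHolder`, state that explicitly: no holder is recorded for the returned context, and the caller must guarantee whatever the tracked API would otherwise guarantee. With that in the header, the second copy of the recommendation above the definition in iothread.c is not needed.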
diff --git a/iothread.c b/iothread.c
index 528002c34a..a85e960e45 100644
--- a/iothread.c
+++ b/iothread.c
@@ -468,6 +468,12 @@ void iothread_put_aio_context(IOThread *iothread, const IOThreadHolder *holder)
iothread_unref(iothread, holder);
}
+/* Recommend migrating to the new API with IOThreadHolder as much as possible */
+AioContext *iothread_unsafe_get_aio_context(IOThread *iothread)
+{
+ return iothread->ctx;
+}
+
static int query_one_iothread(Object *object, void *opaque)
{
IOThreadInfoList ***tail = opaque;
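Review bot: iothread_unsafe_get_aio_context() just returns iothread->ctx, which is the same body iothread_get_aio_context() has after 03/17, so at this point in the series there are two accessors with identical behaviour. Say in the commit message which one is going away and when, or convert this caller in the final rename patch instead of adding a second name.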
--
2.49.0
* [PATCH V9 05/17] block/export: track IOThread reference in BlockExport
From: Zhang Chen @ 2026-06-24 7:08 UTC (permalink / raw)
To: qemu-devel, Dr . David Alan Gilbert, Eric Blake,
Markus Armbruster, Michael S . Tsirkin, Stefan Hajnoczi,
Paolo Bonzini, Kevin Wolf, Jason Wang, Fam Zheng
Cc: Zhang Chen
In-Reply-To: <20260624070851.13342-1-zhangckid@gmail.com>
Users currently lack visibility into which block exports
are utilizing specific IOThreads. This patch integrates IOThread
referencing into the BlockExport lifecycle.
- Add iothreads array and holder_name to BlockExport struct.
- Use iothread_ref_and_get_aio_context during export creation.
- Implement proper cleanup in blk_exp_add fail path and blk_exp_delete_bh.
- Support both single and multi-iothread export configurations.
This ensures IOThread 'holders' status correctly reflects active block
exports for better debugging and resource tracking.
Signed-off-by: Zhang Chen <zhangckid@gmail.com>
---
block/export/export.c | 63 ++++++++++++++++++++++++++++++++++++------
include/block/export.h | 6 ++++
2 files changed, 60 insertions(+), 9 deletions(-)
diff --git a/block/export/export.c b/block/export/export.c
index b733f269f3..b6c07f69b5 100644
--- a/block/export/export.c
+++ b/block/export/export.c
@@ -15,7 +15,6 @@
#include "block/block.h"
#include "system/block-backend.h"
-#include "system/iothread.h"
#include "block/export.h"
#include "block/fuse.h"
#include "block/nbd.h"
@@ -85,6 +84,8 @@ BlockExport *blk_exp_add(BlockExportOptions *export, Error **errp)
AioContext *ctx;
AioContext **multithread_ctxs = NULL;
size_t multithread_count = 0;
+ g_autofree IOThread **local_iothreads = NULL;
+ const char *holder_name = NULL;
uint64_t perm;
int ret;
@@ -139,7 +140,16 @@ BlockExport *blk_exp_add(BlockExportOptions *export, Error **errp)
goto fail;
}
- new_ctx = iothread_get_aio_context(iothread);
+ holder_name = bdrv_get_node_name(bs);
+ IOThreadHolder holder = {
+ .type = IO_THREAD_HOLDER_KIND_BLOCK_NODE,
+ .u.block_node.node_name = (char *)holder_name,
+ };
+
+ new_ctx = iothread_ref_and_get_aio_context(iothread, &holder);
+ multithread_count = 1;
+ local_iothreads = g_new0(IOThread *, 1);
+ local_iothreads[0] = iothread;
/* Ignore errors with fixed-iothread=false */
set_context_errp = fixed_iothread ? errp : NULL;
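Review bot: setting multithread_count = 1 in the single-iothread branch changes what drv->create() receives, because multithread_ctxs is not allocated in this hunk and is still NULL when "ret = drv->create(exp, export, multithread_ctxs, multithread_count, errp);" runs. A driver that indexes multithread_ctxs[0] when the count is non-zero would dereference NULL. Track the number of referenced IOThreads in a separate variable (for example iothread_count) and leave multithread_count describing multithread_ctxs only.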
@@ -163,8 +173,15 @@ BlockExport *blk_exp_add(BlockExportOptions *export, Error **errp)
return NULL;
}
+ local_iothreads = g_new0(IOThread *, multithread_count);
multithread_ctxs = g_new(AioContext *, multithread_count);
i = 0;
+ holder_name = bdrv_get_node_name(bs);
+ IOThreadHolder holder = {
+ .type = IO_THREAD_HOLDER_KIND_BLOCK_NODE,
+ .u.block_node.node_name = (char *)holder_name,
+ };
+
for (strList *e = iothread_list; e; e = e->next) {
IOThread *iothread = iothread_by_id(e->value);
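Review bot: the holder built before the loop is keyed on bdrv_get_node_name(bs) with IO_THREAD_HOLDER_KIND_BLOCK_NODE, so the IOThread's holder list will name the block node, not the export, although the commit message promises visibility into which block exports use an IOThread. Two exports on the same node also register indistinguishable holders. Consider identifying the holder by export->id. Separately, "IOThreadHolder holder = {" is declared after statements in the block; move it to the top of the scope.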
@@ -172,7 +189,9 @@ BlockExport *blk_exp_add(BlockExportOptions *export, Error **errp)
error_setg(errp, "iothread \"%s\" not found", e->value);
goto fail;
}
- multithread_ctxs[i++] = iothread_get_aio_context(iothread);
+ local_iothreads[i] = iothread;
+ multithread_ctxs[i++] = iothread_ref_and_get_aio_context(iothread,
+ &holder);
}
assert(i == multithread_count);
}
@@ -225,12 +244,15 @@ BlockExport *blk_exp_add(BlockExportOptions *export, Error **errp)
assert(drv->instance_size >= sizeof(BlockExport));
exp = g_malloc0(drv->instance_size);
*exp = (BlockExport) {
- .drv = drv,
- .refcount = 1,
- .user_owned = true,
- .id = g_strdup(export->id),
- .ctx = ctx,
- .blk = blk,
+ .drv = drv,
+ .refcount = 1,
+ .user_owned = true,
+ .id = g_strdup(export->id),
+ .ctx = ctx,
+ .blk = blk,
+ .iothreads = g_steal_pointer(&local_iothreads),
+ .iothread_count = multithread_count,
+ .iothread_holder_name = g_strdup(holder_name),
};
ret = drv->create(exp, export, multithread_ctxs, multithread_count, errp);
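Review bot: the six existing initializer lines (.drv through .blk) are rewritten only to re-align the "=" signs, which buries the three fields that are actually new and adds blame noise. Keep the original lines untouched and append .iothreads, .iothread_count and .iothread_holder_name in the existing style.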
@@ -253,6 +275,18 @@ fail:
g_free(exp->id);
g_free(exp);
}
+ if (local_iothreads) {
+ IOThreadHolder holder = {
+ .type = IO_THREAD_HOLDER_KIND_BLOCK_NODE,
+ .u.block_node.node_name = (char *)holder_name,
+ };
+
+ for (size_t j = 0; j < multithread_count; j++) {
+ if (local_iothreads[j]) {
+ iothread_put_aio_context(local_iothreads[j], &holder);
+ }
+ }
+ }
g_free(multithread_ctxs);
return NULL;
}
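Review bot: the new put loop in the fail path is guarded by "if (local_iothreads)", but local_iothreads is NULL once g_steal_pointer(&local_iothreads) has moved it into exp->iothreads, so a failure after the *exp initializer (drv->create() returning an error, for instance) skips the loop. The block above frees only exp->id and exp, so the IOThread references, the exp->iothreads array and exp->iothread_holder_name are all leaked on that path. Release them from exp inside the "if (exp)" block, or steal the pointer only after drv->create() has succeeded.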
@@ -269,6 +303,17 @@ static void blk_exp_delete_bh(void *opaque)
BlockExport *exp = opaque;
assert(exp->refcount == 0);
+ if (exp->iothreads) {
+ IOThreadHolder holder = {
+ .type = IO_THREAD_HOLDER_KIND_BLOCK_NODE,
+ .u.block_node.node_name = (char *)exp->iothread_holder_name,
+ };
+
+ for (size_t i = 0; i < exp->iothread_count; i++) {
+ iothread_put_aio_context(exp->iothreads[i], &holder);
+ }
+ g_free(exp->iothreads);
+ }
QLIST_REMOVE(exp, next);
exp->drv->delete(exp);
blk_set_dev_ops(exp->blk, NULL, NULL);
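Review bot: blk_exp_delete_bh() frees exp->iothreads but never frees exp->iothread_holder_name, which blk_exp_add() allocates with g_strdup(), and no other hunk in this patch frees it. Add g_free(exp->iothread_holder_name) next to g_free(exp->iothreads). Also note the references are dropped before exp->drv->delete(exp) runs; if the driver's delete callback can still touch the AioContext, the puts should move after it.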
diff --git a/include/block/export.h b/include/block/export.h
index ca45da928c..2bb98aae31 100644
--- a/include/block/export.h
+++ b/include/block/export.h
@@ -16,6 +16,7 @@
#include "qapi/qapi-types-block-export.h"
#include "qemu/queue.h"
+#include "system/iothread.h"
typedef struct BlockExport BlockExport;
@@ -89,6 +90,11 @@ struct BlockExport {
/* List entry for block_exports */
QLIST_ENTRY(BlockExport) next;
+
+ /* The iothreads list for block_exports */
+ IOThread **iothreads;
+ size_t iothread_count;
+ char *iothread_holder_name;
};
BlockExport *blk_exp_add(BlockExportOptions *export, Error **errp);
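Review bot: the one-line comment over the three new fields does not say who owns them. Document that each entry in iothreads holds a reference taken with iothread_ref_and_get_aio_context(), that iothread_count is the array length, and that iothread_holder_name is an owned copy that must match the name used when the references were taken.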
--
2.49.0
* [PATCH V9 03/17] iothread: tracking iothread users with holder name
From: Zhang Chen @ 2026-06-24 7:08 UTC (permalink / raw)
To: qemu-devel, Dr . David Alan Gilbert, Eric Blake,
Markus Armbruster, Michael S . Tsirkin, Stefan Hajnoczi,
Paolo Bonzini, Kevin Wolf, Jason Wang, Fam Zheng
Cc: Zhang Chen
In-Reply-To: <20260624070851.13342-1-zhangckid@gmail.com>
Introduce iothread_get_aio_context() (in this patch named
"iothread_ref_and_get_aio_context" for build, will change the name
in the last patch) with a 'holder' argument and its
counterpart iothread_put_aio_context().
Previously, users of an IOThread's AioContext did not explicitly
record their identity, making it difficult to debug which devices or
subsystems were pinning an IOThread.
This patch enhances the reference counting mechanism by:
1. Automatically incrementing the object reference count when a context
is retrieved.
2. Tracking holders using iothread_ref() and iothread_unref().
In iothread_instance_finalize(), we now retrieve the source name from
the GMainContext to correctly unref the initial internal holder.
Signed-off-by: Zhang Chen <zhangckid@gmail.com>
---
include/system/iothread.h | 4 ++++
iothread.c | 31 +++++++++++++++++++++++--------
2 files changed, 27 insertions(+), 8 deletions(-)
diff --git a/include/system/iothread.h b/include/system/iothread.h
index b9207ad829..b483bbfab3 100644
--- a/include/system/iothread.h
+++ b/include/system/iothread.h
@@ -18,6 +18,7 @@
#include "qemu/thread.h"
#include "qom/object.h"
#include "system/event-loop-base.h"
+#include "qapi/qapi-types-misc.h"
#define TYPE_IOTHREAD "iothread"
@@ -70,6 +71,9 @@ DECLARE_INSTANCE_CHECKER(IOThread, IOTHREAD,
char *iothread_get_id(IOThread *iothread);
IOThread *iothread_by_id(const char *id);
AioContext *iothread_get_aio_context(IOThread *iothread);
+AioContext *iothread_ref_and_get_aio_context(IOThread *iothread,
+ const IOThreadHolder *holder);
+void iothread_put_aio_context(IOThread *iothread, const IOThreadHolder *holder);
GMainContext *iothread_get_g_main_context(IOThread *iothread);
/*
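Review bot: iothread_ref_and_get_aio_context() and iothread_put_aio_context() are added to the public header with no documentation. Callers need to know that every get must be paired with a put using an equal holder, whether the holder struct is copied (every caller in this series passes a stack-allocated one), and that the call also takes an object reference on the IOThread.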
diff --git a/iothread.c b/iothread.c
index 3301b8d495..528002c34a 100644
--- a/iothread.c
+++ b/iothread.c
@@ -55,6 +55,12 @@ static void iothread_ref(IOThread *iothread, const IOThreadHolder *holder)
}
iothread->holders = g_list_prepend(iothread->holders, h);
+
+ /*
+ * This guarantees that the IOThread and its AioContext remain alive
+ * as long as there is a holder.
+ */
+ object_ref(OBJECT(iothread));
}
static int iothread_holder_compare(gconstpointer a, gconstpointer b)
@@ -109,6 +115,8 @@ static void iothread_unref(IOThread *iothread, const IOThreadHolder *holder)
IOThreadHolder *h = (IOThreadHolder *)link->data;
qapi_free_IOThreadHolder(h);
iothread->holders = g_list_delete_link(iothread->holders, link);
+
+ object_unref(OBJECT(iothread));
}
static void *iothread_run(void *opaque)
@@ -223,7 +231,7 @@ static void iothread_init_gcontext(IOThread *iothread, const char *thread_name)
g_autofree char *name = g_strdup_printf("%s aio-context", thread_name);
iothread->worker_context = g_main_context_new();
- source = aio_get_g_source(iothread_get_aio_context(iothread));
+ source = aio_get_g_source(iothread->ctx);
g_source_set_name(source, name);
g_source_attach(source, iothread->worker_context);
g_source_unref(source);
@@ -442,17 +450,24 @@ char *iothread_get_id(IOThread *iothread)
AioContext *iothread_get_aio_context(IOThread *iothread)
{
- /* Remove in next patch for build */
- IOThreadHolder holder = {
- .type = IO_THREAD_HOLDER_KIND_QOM_OBJECT,
- .u.qom_object.qom_path = (char *)"tmp_path",
- };
- iothread_ref(iothread, &holder);
- iothread_unref(iothread, &holder);
+ return iothread->ctx;
+}
+
+AioContext *iothread_ref_and_get_aio_context(IOThread *iothread,
+ const IOThreadHolder *holder)
+{
+ /* Add IOThreadHolder to the list */
+ iothread_ref(iothread, holder);
return iothread->ctx;
}
+void iothread_put_aio_context(IOThread *iothread, const IOThreadHolder *holder)
+{
+ /* Delete IOThreadHolder from the list */
+ iothread_unref(iothread, holder);
+}
+
static int query_one_iothread(Object *object, void *opaque)
{
IOThreadInfoList ***tail = opaque;
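Review bot: no hunk in this patch touches iothread_instance_finalize(), yet the commit message says finalize now retrieves the source name from the GMainContext to unref the initial internal holder. Either the hunk is missing or the message describes another patch; please make the two agree. In this hunk, the comments "Add IOThreadHolder to the list" and "Delete IOThreadHolder from the list" should also mention the object_ref()/object_unref() that iothread_ref() and iothread_unref() now perform.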
--
2.49.0
* [PATCH V9 07/17] monitor: support iothread ref/unref for anonymous monitors
From: Zhang Chen @ 2026-06-24 7:08 UTC (permalink / raw)
To: qemu-devel, Dr . David Alan Gilbert, Eric Blake,
Markus Armbruster, Michael S . Tsirkin, Stefan Hajnoczi,
Paolo Bonzini, Kevin Wolf, Jason Wang, Fam Zheng
Cc: Zhang Chen
In-Reply-To: <20260624070851.13342-1-zhangckid@gmail.com>
Implement iothread registration and unregistration within monitor data lifecycle
helpers using IOThreadHolder.
When an explicit monitor ID is missing, fall back to utilizing the chardev
label as a safe identifier for iothread_ref/put operations. This enables
accurate tracking for anonymous monitors while keeping 'mon->id' as NULL.
Signed-off-by: Zhang Chen <zhangckid@gmail.com>
---
monitor/monitor.c | 24 ++++++++++++++++++++++--
1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/monitor/monitor.c b/monitor/monitor.c
index 65749f931e..c3eec8c069 100644
--- a/monitor/monitor.c
+++ b/monitor/monitor.c
@@ -612,8 +612,18 @@ void monitor_data_init(Monitor *mon, bool is_qmp, bool skip_flush,
{
mon->id = id ? g_strdup(id) : NULL;
- if (use_io_thread && !mon_iothread) {
- monitor_iothread_init();
+ if (use_io_thread) {
+ if (!mon_iothread) {
+ monitor_iothread_init();
+ }
+
+ /* Setup the chr->label as the backup ID for iothread_ref/unref */
+ IOThreadHolder holder = {
+ .type = IO_THREAD_HOLDER_KIND_MONITOR_NAME,
+ .u.monitor_name.monitor_name = id ? (char *)mon->id :
+ (char *)mon->chr.chr->label,
+ };
+ iothread_ref_and_get_aio_context(mon_iothread, &holder);
}
qemu_mutex_init(&mon->mon_lock);
mon->is_qmp = is_qmp;
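Review bot: when id is NULL the holder initializer in monitor_data_init() dereferences mon->chr.chr->label with no check that mon->chr.chr is set or that the label is non-NULL, so an anonymous monitor on an unlabeled chardev either crashes here or registers a holder with a NULL name. Validate both and pick a defined fallback string. The return value of iothread_ref_and_get_aio_context() is also discarded, and "IOThreadHolder holder" is declared after statements in the block.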
@@ -624,6 +634,16 @@ void monitor_data_init(Monitor *mon, bool is_qmp, bool skip_flush,
void monitor_data_destroy(Monitor *mon)
{
+ if (mon->use_io_thread && mon_iothread) {
+ IOThreadHolder holder = {
+ .type = IO_THREAD_HOLDER_KIND_MONITOR_NAME,
+ .u.monitor_name.monitor_name = mon->id ? (char *)mon->id :
+ (char *)mon->chr.chr->label,
+ };
+
+ iothread_put_aio_context(mon_iothread, &holder);
+ }
+
g_free(mon->mon_cpu_path);
qemu_chr_fe_deinit(&mon->chr, false);
if (monitor_is_qmp(mon)) {
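Review bot: the holder in monitor_data_destroy() is rebuilt by hand and must stay byte-for-byte equal to the one in monitor_data_init(), which tests "id" where this one tests "mon->id". A small static helper that fills an IOThreadHolder from a Monitor, used by both functions, would remove the duplication and the risk of the two drifting apart and leaving a stale holder on mon_iothread.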
--
2.49.0
* [PATCH V9 09/17] virtio-vq-mapping: track iothread-vq-mapping references using device path
From: Zhang Chen @ 2026-06-24 7:08 UTC (permalink / raw)
To: qemu-devel, Dr . David Alan Gilbert, Eric Blake,
Markus Armbruster, Michael S . Tsirkin, Stefan Hajnoczi,
Paolo Bonzini, Kevin Wolf, Jason Wang, Fam Zheng
Cc: Zhang Chen
In-Reply-To: <20260624070851.13342-1-zhangckid@gmail.com>
Replace raw object_ref/unref calls with iothread_get/put_aio_context
in iothread-vq-mapping. This allows tracking IOThread users via
the device's canonical QOM path, improving lifecycle traceability
for virtio-blk and virtio-scsi devices.
Signed-off-by: Zhang Chen <zhangckid@gmail.com>
---
hw/block/virtio-blk.c | 8 +++++++-
hw/scsi/virtio-scsi-dataplane.c | 9 +++++++--
hw/virtio/iothread-vq-mapping.c | 20 +++++++++++++++-----
include/hw/virtio/iothread-vq-mapping.h | 6 +++++-
4 files changed, 34 insertions(+), 9 deletions(-)
diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index 9cb9f1fb2b..30e9fcf870 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -1487,9 +1487,12 @@ static bool virtio_blk_vq_aio_context_init(VirtIOBlock *s, Error **errp)
s->vq_aio_context = g_new(AioContext *, conf->num_queues);
if (conf->iothread_vq_mapping_list) {
+ g_autofree char *path = object_get_canonical_path(OBJECT(vdev));
+
if (!iothread_vq_mapping_apply(conf->iothread_vq_mapping_list,
s->vq_aio_context,
conf->num_queues,
+ path,
errp)) {
g_free(s->vq_aio_context);
s->vq_aio_context = NULL;
@@ -1521,7 +1524,10 @@ static void virtio_blk_vq_aio_context_cleanup(VirtIOBlock *s)
assert(!s->ioeventfd_started);
if (conf->iothread_vq_mapping_list) {
- iothread_vq_mapping_cleanup(conf->iothread_vq_mapping_list);
+ g_autofree char *path = object_get_canonical_path(
+ OBJECT(VIRTIO_DEVICE(s)));
+
+ iothread_vq_mapping_cleanup(conf->iothread_vq_mapping_list, path);
}
if (conf->iothread) {
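Review bot: virtio_blk_vq_aio_context_cleanup() recomputes the holder with object_get_canonical_path() instead of reusing the string passed to iothread_vq_mapping_apply(). The put only matches if the device's canonical path is unchanged between setup and cleanup; if cleanup runs after the device has left the QOM tree the paths differ and the holder stays on the IOThread. Storing the path (or the holder) in VirtIOBlock at init time makes the pairing independent of QOM state. The init hunk uses OBJECT(vdev) and this one OBJECT(VIRTIO_DEVICE(s)); pick one form.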
diff --git a/hw/scsi/virtio-scsi-dataplane.c b/hw/scsi/virtio-scsi-dataplane.c
index 95f13fb7c2..26ecefd547 100644
--- a/hw/scsi/virtio-scsi-dataplane.c
+++ b/hw/scsi/virtio-scsi-dataplane.c
@@ -65,9 +65,11 @@ void virtio_scsi_dataplane_setup(VirtIOSCSI *s, Error **errp)
s->vq_aio_context[1] = qemu_get_aio_context();
if (vs->conf.iothread_vq_mapping_list) {
+ g_autofree char *path = object_get_canonical_path(OBJECT(vdev));
+
if (!iothread_vq_mapping_apply(vs->conf.iothread_vq_mapping_list,
&s->vq_aio_context[VIRTIO_SCSI_VQ_NUM_FIXED],
- vs->conf.num_queues, errp)) {
+ vs->conf.num_queues, path, errp)) {
g_free(s->vq_aio_context);
s->vq_aio_context = NULL;
return;
@@ -94,7 +96,10 @@ void virtio_scsi_dataplane_cleanup(VirtIOSCSI *s)
VirtIOSCSICommon *vs = VIRTIO_SCSI_COMMON(s);
if (vs->conf.iothread_vq_mapping_list) {
- iothread_vq_mapping_cleanup(vs->conf.iothread_vq_mapping_list);
+ g_autofree char *path = object_get_canonical_path(
+ OBJECT(VIRTIO_DEVICE(s)));
+
+ iothread_vq_mapping_cleanup(vs->conf.iothread_vq_mapping_list, path);
}
if (vs->conf.iothread) {
diff --git a/hw/virtio/iothread-vq-mapping.c b/hw/virtio/iothread-vq-mapping.c
index 55ce62986c..2cb48dd387 100644
--- a/hw/virtio/iothread-vq-mapping.c
+++ b/hw/virtio/iothread-vq-mapping.c
@@ -77,6 +77,7 @@ bool iothread_vq_mapping_apply(
IOThreadVirtQueueMappingList *list,
AioContext **vq_aio_context,
uint16_t num_queues,
+ const char *holder,
Error **errp)
{
IOThreadVirtQueueMappingList *node;
@@ -93,10 +94,13 @@ bool iothread_vq_mapping_apply(
for (node = list; node; node = node->next) {
IOThread *iothread = iothread_by_id(node->value->iothread);
- AioContext *ctx = iothread_get_aio_context(iothread);
+ IOThreadHolder io_holder = {
+ .type = IO_THREAD_HOLDER_KIND_QOM_OBJECT,
+ .u.qom_object.qom_path = (char *)holder,
+ };
- /* Released in virtio_blk_vq_aio_context_cleanup() */
- object_ref(OBJECT(iothread));
+ AioContext *ctx = iothread_ref_and_get_aio_context(iothread,
+ &io_holder);
if (node->value->vqs) {
uint16List *vq;
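Review bot: the removed comment "Released in virtio_blk_vq_aio_context_cleanup()" was the only pointer to where the reference is dropped, and nothing replaces it. Add a one-line comment above iothread_ref_and_get_aio_context() saying the reference is released by iothread_vq_mapping_cleanup() with the same holder string.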
@@ -120,13 +124,19 @@ bool iothread_vq_mapping_apply(
return true;
}
-void iothread_vq_mapping_cleanup(IOThreadVirtQueueMappingList *list)
+void iothread_vq_mapping_cleanup(IOThreadVirtQueueMappingList *list,
+ const char *holder)
{
IOThreadVirtQueueMappingList *node;
for (node = list; node; node = node->next) {
IOThread *iothread = iothread_by_id(node->value->iothread);
- object_unref(OBJECT(iothread));
+ IOThreadHolder io_holder = {
+ .type = IO_THREAD_HOLDER_KIND_QOM_OBJECT,
+ .u.qom_object.qom_path = (char *)holder,
+ };
+
+ iothread_put_aio_context(iothread, &io_holder);
}
}
diff --git a/include/hw/virtio/iothread-vq-mapping.h b/include/hw/virtio/iothread-vq-mapping.h
index 57335c3703..0d39caddf3 100644
--- a/include/hw/virtio/iothread-vq-mapping.h
+++ b/include/hw/virtio/iothread-vq-mapping.h
@@ -17,6 +17,7 @@
* @list: The mapping of virtqueues to IOThreads.
* @vq_aio_context: The array of AioContext pointers to fill in.
* @num_queues: The length of @vq_aio_context.
+ * @holder: The QOM paths for attached device.
* @errp: If an error occurs, a pointer to the area to store the error.
*
* Fill in the AioContext for each virtqueue in the @vq_aio_context array given
@@ -31,15 +32,18 @@ bool iothread_vq_mapping_apply(
IOThreadVirtQueueMappingList *list,
AioContext **vq_aio_context,
uint16_t num_queues,
+ const char *holder,
Error **errp);
/**
* iothread_vq_mapping_cleanup:
* @list: The mapping of virtqueues to IOThreads.
+ * @holder: The QOM paths for attached device.
*
* Release IOThread object references that were acquired by
* iothread_vq_mapping_apply().
*/
-void iothread_vq_mapping_cleanup(IOThreadVirtQueueMappingList *list);
+void iothread_vq_mapping_cleanup(IOThreadVirtQueueMappingList *list,
+ const char *holder);
#endif /* HW_VIRTIO_IOTHREAD_VQ_MAPPING_H */
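Review bot: "@holder: The QOM paths for attached device." in both kernel-doc blocks should be singular ("The canonical QOM path of the attached device") and should state the contract that iothread_vq_mapping_cleanup() must be given the same string that was passed to iothread_vq_mapping_apply(), since that string is what identifies the reference being released.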
--
2.49.0
* [PATCH V9 06/17] monitor: refactor monitor_data_init() to pass ID
From: Zhang Chen @ 2026-06-24 7:08 UTC (permalink / raw)
To: qemu-devel, Dr . David Alan Gilbert, Eric Blake,
Markus Armbruster, Michael S . Tsirkin, Stefan Hajnoczi,
Paolo Bonzini, Kevin Wolf, Jason Wang, Fam Zheng
Cc: Zhang Chen
In-Reply-To: <20260624070851.13342-1-zhangckid@gmail.com>
Anonymous monitors (e.g., '-monitor stdio' or GDB stub) leave their 'id'
field as NULL. To allow downstream subsystems (like iothread tracking) to
identify these instances later, the initialization paths must propagate
the context.
Refactor monitor_data_init() to accept the 'id' parameter, and
update all internal QMP/HMP paths to pass these identifiers.
For anonymous monitors, 'mon->id' remains NULL at this stage to avoid
namespace pollution, setting up infrastructure for subsequent patches.
Signed-off-by: Zhang Chen <zhangckid@gmail.com>
---
chardev/char.c | 2 +-
gdbstub/system.c | 3 ++-
include/monitor/monitor.h | 5 +++--
monitor/hmp.c | 5 +++--
monitor/monitor-internal.h | 4 +++-
monitor/monitor.c | 9 ++++++---
monitor/qmp-cmds.c | 2 +-
monitor/qmp.c | 5 +++--
stubs/monitor-internal.c | 3 ++-
9 files changed, 24 insertions(+), 14 deletions(-)
diff --git a/chardev/char.c b/chardev/char.c
index ca8b37ed8d..f057247001 100644
--- a/chardev/char.c
+++ b/chardev/char.c
@@ -805,7 +805,7 @@ static Chardev *qemu_chr_new_from_name(const char *label, const char *filename,
if (qemu_opt_get_bool(opts, "mux", 0)) {
assert(permit_mux_mon);
- monitor_init_hmp(chr, true, &err);
+ monitor_init_hmp(chr, true, NULL, &err);
if (err) {
error_report_err(err);
object_unparent(OBJECT(chr));
diff --git a/gdbstub/system.c b/gdbstub/system.c
index e86c5870ab..50f934fde3 100644
--- a/gdbstub/system.c
+++ b/gdbstub/system.c
@@ -388,7 +388,8 @@ bool gdbserver_start(const char *device, Error **errp)
/* Initialize a monitor terminal for gdb */
mon_chr = qemu_chardev_new(NULL, TYPE_CHARDEV_GDB,
NULL, NULL, &error_abort);
- monitor_init_hmp(mon_chr, false, &error_abort);
+
+ monitor_init_hmp(mon_chr, false, NULL, &error_abort);
} else {
qemu_chr_fe_deinit(&gdbserver_system_state.chr, true);
mon_chr = gdbserver_system_state.mon_chr;
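Review bot: the hunk in gdbserver_start() adds an empty line before monitor_init_hmp() that is unrelated to the new argument. Drop it so the change is only the added NULL parameter.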
diff --git a/include/monitor/monitor.h b/include/monitor/monitor.h
index 55649a8664..4a5eb20bea 100644
--- a/include/monitor/monitor.h
+++ b/include/monitor/monitor.h
@@ -19,8 +19,9 @@ bool monitor_cur_is_qmp(void);
void monitor_init_globals(void);
void monitor_init_globals_core(void);
-void monitor_init_qmp(Chardev *chr, bool pretty, Error **errp);
-void monitor_init_hmp(Chardev *chr, bool use_readline, Error **errp);
+void monitor_init_qmp(Chardev *chr, bool pretty, const char *id, Error **errp);
+void monitor_init_hmp(Chardev *chr, bool use_readline, const char *id,
+ Error **errp);
int monitor_init(MonitorOptions *opts, bool allow_hmp, Error **errp);
int monitor_init_opts(QemuOpts *opts, Error **errp);
void monitor_cleanup(void);
diff --git a/monitor/hmp.c b/monitor/hmp.c
index cc4390486e..4ee8cb58d1 100644
--- a/monitor/hmp.c
+++ b/monitor/hmp.c
@@ -1522,7 +1522,8 @@ static void monitor_readline_flush(void *opaque)
monitor_flush(&mon->common);
}
-void monitor_init_hmp(Chardev *chr, bool use_readline, Error **errp)
+void monitor_init_hmp(Chardev *chr, bool use_readline, const char *id,
+ Error **errp)
{
MonitorHMP *mon = g_new0(MonitorHMP, 1);
@@ -1531,7 +1532,7 @@ void monitor_init_hmp(Chardev *chr, bool use_readline, Error **errp)
return;
}
- monitor_data_init(&mon->common, false, false, false);
+ monitor_data_init(&mon->common, false, false, false, id);
mon->use_readline = use_readline;
if (mon->use_readline) {
diff --git a/monitor/monitor-internal.h b/monitor/monitor-internal.h
index a5c4aba306..f651ba6a90 100644
--- a/monitor/monitor-internal.h
+++ b/monitor/monitor-internal.h
@@ -108,6 +108,8 @@ struct Monitor {
bool skip_flush;
bool use_io_thread;
+ char *id;
+
char *mon_cpu_path;
QTAILQ_ENTRY(Monitor) entry;
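Review bot: the new "char *id;" member of struct Monitor has no comment. Note that it is an owned copy of the monitor's ID and is NULL for anonymous monitors, since later patches in the series branch on exactly that.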
@@ -179,7 +181,7 @@ extern QemuMutex monitor_lock;
extern MonitorList mon_list;
void monitor_data_init(Monitor *mon, bool is_qmp, bool skip_flush,
- bool use_io_thread);
+ bool use_io_thread, const char *id);
void monitor_data_destroy(Monitor *mon);
int monitor_can_read(void *opaque);
void monitor_list_append(Monitor *mon);
diff --git a/monitor/monitor.c b/monitor/monitor.c
index 00b93ed612..65749f931e 100644
--- a/monitor/monitor.c
+++ b/monitor/monitor.c
@@ -608,8 +608,10 @@ static void monitor_iothread_init(void)
}
void monitor_data_init(Monitor *mon, bool is_qmp, bool skip_flush,
- bool use_io_thread)
+ bool use_io_thread, const char *id)
{
+ mon->id = id ? g_strdup(id) : NULL;
+
if (use_io_thread && !mon_iothread) {
monitor_iothread_init();
}
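Review bot: "mon->id = id ? g_strdup(id) : NULL;" in monitor_data_init() can be written as "mon->id = g_strdup(id);" because g_strdup() already returns NULL for a NULL argument.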
@@ -629,6 +631,7 @@ void monitor_data_destroy(Monitor *mon)
} else {
readline_free(container_of(mon, MonitorHMP, common)->rs);
}
+ g_free(mon->id);
g_string_free(mon->outbuf, true);
qemu_mutex_destroy(&mon->mon_lock);
}
@@ -732,7 +735,7 @@ int monitor_init(MonitorOptions *opts, bool allow_hmp, Error **errp)
switch (opts->mode) {
case MONITOR_MODE_CONTROL:
- monitor_init_qmp(chr, opts->pretty, errp);
+ monitor_init_qmp(chr, opts->pretty, opts->id, errp);
break;
case MONITOR_MODE_READLINE:
if (!allow_hmp) {
@@ -743,7 +746,7 @@ int monitor_init(MonitorOptions *opts, bool allow_hmp, Error **errp)
error_setg(errp, "'pretty' is not compatible with HMP monitors");
return -1;
}
- monitor_init_hmp(chr, true, errp);
+ monitor_init_hmp(chr, true, opts->id, errp);
break;
default:
g_assert_not_reached();
diff --git a/monitor/qmp-cmds.c b/monitor/qmp-cmds.c
index 0c409c27dc..e49b9cbf8b 100644
--- a/monitor/qmp-cmds.c
+++ b/monitor/qmp-cmds.c
@@ -168,7 +168,7 @@ char *qmp_human_monitor_command(const char *command_line, bool has_cpu_index,
char *output = NULL;
MonitorHMP hmp = {};
- monitor_data_init(&hmp.common, false, true, false);
+ monitor_data_init(&hmp.common, false, true, false, NULL);
if (has_cpu_index) {
int ret = monitor_set_cpu(&hmp.common, cpu_index);
diff --git a/monitor/qmp.c b/monitor/qmp.c
index 687019811f..8fd71386e8 100644
--- a/monitor/qmp.c
+++ b/monitor/qmp.c
@@ -513,7 +513,7 @@ static void monitor_qmp_setup_handlers_bh(void *opaque)
monitor_list_append(&mon->common);
}
-void monitor_init_qmp(Chardev *chr, bool pretty, Error **errp)
+void monitor_init_qmp(Chardev *chr, bool pretty, const char *id, Error **errp)
{
MonitorQMP *mon = g_new0(MonitorQMP, 1);
@@ -525,7 +525,8 @@ void monitor_init_qmp(Chardev *chr, bool pretty, Error **errp)
/* Note: we run QMP monitor in I/O thread when @chr supports that */
monitor_data_init(&mon->common, true, false,
- qemu_chr_has_feature(chr, QEMU_CHAR_FEATURE_GCONTEXT));
+ qemu_chr_has_feature(chr, QEMU_CHAR_FEATURE_GCONTEXT),
+ id);
mon->pretty = pretty;
diff --git a/stubs/monitor-internal.c b/stubs/monitor-internal.c
index 4fece49d53..325a559e62 100644
--- a/stubs/monitor-internal.c
+++ b/stubs/monitor-internal.c
@@ -8,6 +8,7 @@ int monitor_get_fd(Monitor *mon, const char *name, Error **errp)
return -1;
}
-void monitor_init_hmp(Chardev *chr, bool use_readline, Error **errp)
+void monitor_init_hmp(Chardev *chr, bool use_readline, const char *id,
+ Error **errp)
{
}
--
2.49.0
* [PATCH V9 11/17] net/colo: track IOThread references using path-based holder
From: Zhang Chen @ 2026-06-24 7:08 UTC (permalink / raw)
To: qemu-devel, Dr . David Alan Gilbert, Eric Blake,
Markus Armbruster, Michael S . Tsirkin, Stefan Hajnoczi,
Paolo Bonzini, Kevin Wolf, Jason Wang, Fam Zheng
Cc: Zhang Chen
In-Reply-To: <20260624070851.13342-1-zhangckid@gmail.com>
Convert colo-compare to use the iothread_ref_and_get_aio_context()
and iothread_put_aio_context() APIs. This ensures that IOThread
references are tracked using the COLO object's canonical QOM path
as the holder ID.
This refactoring improves IOThread lifecycle traceability and aligns
the code with modern QEMU iothread reference management patterns.
Signed-off-by: Zhang Chen <zhangckid@gmail.com>
---
net/colo-compare.c | 29 +++++++++++++++++++----------
1 file changed, 19 insertions(+), 10 deletions(-)
diff --git a/net/colo-compare.c b/net/colo-compare.c
index 823b8aa323..4f180936e3 100644
--- a/net/colo-compare.c
+++ b/net/colo-compare.c
@@ -130,6 +130,7 @@ struct CompareState {
GHashTable *connection_track_table;
IOThread *iothread;
+ AioContext *iothread_ctx;
GMainContext *worker_context;
QEMUTimer *packet_check_timer;
@@ -926,9 +927,7 @@ void colo_notify_compares_event(void *opaque, int event, Error **errp)
static void colo_compare_timer_init(CompareState *s)
{
- AioContext *ctx = iothread_get_aio_context(s->iothread);
-
- s->packet_check_timer = aio_timer_new(ctx, QEMU_CLOCK_HOST,
+ s->packet_check_timer = aio_timer_new(s->iothread_ctx, QEMU_CLOCK_HOST,
SCALE_MS, check_old_packet_regular,
s);
timer_mod(s->packet_check_timer, qemu_clock_get_ms(QEMU_CLOCK_HOST) +
@@ -968,8 +967,15 @@ static void colo_compare_handle_event(void *opaque)
static void colo_compare_iothread(CompareState *s)
{
- AioContext *ctx = iothread_get_aio_context(s->iothread);
- object_ref(OBJECT(s->iothread));
+ g_autofree char *path = object_get_canonical_path(OBJECT(s));
+ IOThreadHolder io_holder = {
+ .type = IO_THREAD_HOLDER_KIND_QOM_OBJECT,
+ .u.qom_object.qom_path = (char *)path,
+ };
+
+ AioContext *ctx = iothread_ref_and_get_aio_context(s->iothread, &io_holder);
+
+ s->iothread_ctx = ctx;
s->worker_context = iothread_get_g_main_context(s->iothread);
qemu_chr_fe_set_handlers(&s->chr_pri_in, compare_chr_can_read,
@@ -1408,6 +1414,7 @@ static void colo_compare_finalize(Object *obj)
{
CompareState *s = COLO_COMPARE(obj);
CompareState *tmp;
+ g_autofree char *path = object_get_canonical_path(OBJECT(s));
qemu_mutex_lock(&colo_compare_mutex);
QTAILQ_FOREACH(tmp, &net_compares, next) {
@@ -1434,18 +1441,20 @@ static void colo_compare_finalize(Object *obj)
g_clear_pointer(&s->event_bh, qemu_bh_delete);
if (s->iothread) {
- AioContext *ctx = iothread_get_aio_context(s->iothread);
-
- AIO_WAIT_WHILE(ctx, !s->out_sendco.done);
+ AIO_WAIT_WHILE(s->iothread_ctx, !s->out_sendco.done);
if (s->notify_dev) {
- AIO_WAIT_WHILE(ctx, !s->notify_sendco.done);
+ AIO_WAIT_WHILE(s->iothread_ctx, !s->notify_sendco.done);
}
/* Release all unhandled packets after compare thread exited */
g_queue_foreach(&s->conn_list, colo_flush_packets, s);
AIO_WAIT_WHILE(NULL, !s->out_sendco.done);
- object_unref(OBJECT(s->iothread));
+ IOThreadHolder io_holder = {
+ .type = IO_THREAD_HOLDER_KIND_QOM_OBJECT,
+ .u.qom_object.qom_path = (char *)path,
+ };
+ iothread_put_aio_context(s->iothread, &io_holder);
}
g_queue_clear(&s->conn_list);
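Review bot: colo_compare_finalize() rebuilds the holder from object_get_canonical_path(OBJECT(s)), but by the time finalize runs the object may already be detached from the QOM tree, in which case the path will not match the string registered in colo_compare_iothread() and iothread_put_aio_context() will not find the holder. Save the path in CompareState when the reference is taken and reuse it here. The "IOThreadHolder io_holder" declaration also sits after statements inside the "if (s->iothread)" block.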
--
2.49.0
* [PATCH V9 14/17] xen-block: Update tracking iothread users with holder name
From: Zhang Chen @ 2026-06-24 7:08 UTC (permalink / raw)
To: qemu-devel, Dr . David Alan Gilbert, Eric Blake,
Markus Armbruster, Michael S . Tsirkin, Stefan Hajnoczi,
Paolo Bonzini, Kevin Wolf, Jason Wang, Fam Zheng
Cc: Zhang Chen
In-Reply-To: <20260624070851.13342-1-zhangckid@gmail.com>
Replace raw object_ref/unref calls with iothread_get/put_aio_context.
Signed-off-by: Zhang Chen <zhangckid@gmail.com>
---
hw/block/dataplane/xen-block.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/hw/block/dataplane/xen-block.c b/hw/block/dataplane/xen-block.c
index 48c2e315f3..b5bf8d359f 100644
--- a/hw/block/dataplane/xen-block.c
+++ b/hw/block/dataplane/xen-block.c
@@ -621,9 +621,15 @@ XenBlockDataPlane *xen_block_dataplane_create(XenDevice *xendev,
QLIST_INIT(&dataplane->freelist);
if (iothread) {
+ g_autofree char *path = object_get_canonical_path(OBJECT(xendev));
+ IOThreadHolder io_holder = {
+ .type = IO_THREAD_HOLDER_KIND_QOM_OBJECT,
+ .u.qom_object.qom_path = (char *)path,
+ };
+
dataplane->iothread = iothread;
- object_ref(OBJECT(dataplane->iothread));
- dataplane->ctx = iothread_get_aio_context(dataplane->iothread);
+ dataplane->ctx = iothread_ref_and_get_aio_context(dataplane->iothread,
+ &io_holder);
} else {
dataplane->ctx = qemu_get_aio_context();
}
@@ -652,7 +658,14 @@ void xen_block_dataplane_destroy(XenBlockDataPlane *dataplane)
qemu_bh_delete(dataplane->bh);
if (dataplane->iothread) {
- object_unref(OBJECT(dataplane->iothread));
+ g_autofree char *path = object_get_canonical_path(
+ OBJECT(dataplane->xendev));
+ IOThreadHolder io_holder = {
+ .type = IO_THREAD_HOLDER_KIND_QOM_OBJECT,
+ .u.qom_object.qom_path = (char *)path,
+ };
+
+ iothread_put_aio_context(dataplane->iothread, &io_holder);
}
g_free(dataplane);
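Review bot: xen_block_dataplane_destroy() derives the holder from a fresh object_get_canonical_path(OBJECT(dataplane->xendev)) rather than from the string used in xen_block_dataplane_create(), so the put depends on the device's QOM path being unchanged at teardown. Keep the path in XenBlockDataPlane at create time and free it here after the put. The commit message should also say that the canonical QOM path of the XenDevice is the holder identity; it currently mentions only the API swap.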
--
2.49.0
* [PATCH] iommu/vt-d: use kstrtoint_from_user() in dmar_perf_latency_write()
From: Dmitry Antipov @ 2026-06-24 7:08 UTC (permalink / raw)
To: David Woodhouse, Lu Baolu, Joerg Roedel, Will Deacon
Cc: Robin Murphy, iommu, Dmitry Antipov
Simplify 'dmar_perf_latency_write()' by using the convenient
'kstrtoint_from_user()'.
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
---
drivers/iommu/intel/debugfs.c | 16 ++++------------
1 file changed, 4 insertions(+), 12 deletions(-)
diff --git a/drivers/iommu/intel/debugfs.c b/drivers/iommu/intel/debugfs.c
index 21e4e465ca58..d87408ebb830 100644
--- a/drivers/iommu/intel/debugfs.c
+++ b/drivers/iommu/intel/debugfs.c
@@ -690,19 +690,11 @@ static ssize_t dmar_perf_latency_write(struct file *filp,
{
struct dmar_drhd_unit *drhd;
struct intel_iommu *iommu;
- int counting;
- char buf[64];
+ int ret, counting;
- if (cnt > 63)
- cnt = 63;
-
- if (copy_from_user(&buf, ubuf, cnt))
- return -EFAULT;
-
- buf[cnt] = 0;
-
- if (kstrtoint(buf, 0, &counting))
- return -EINVAL;
+ ret = kstrtoint_from_user(ubuf, cnt, 0, &counting);
+ if (ret)
+ return ret;
switch (counting) {
case 0:
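Review bot: returning ret from kstrtoint_from_user() in dmar_perf_latency_write() changes the errno user space sees: the old code mapped every parse failure to -EINVAL, while the helper can also return -ERANGE for an out-of-range value. That is probably fine for a debugfs file, but the commit message presents this as a pure simplification; mention the changed error codes, or keep "return -EINVAL" for non-EFAULT failures if the old behaviour should be preserved.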
--
2.54.0
* Re: [RFC 6/8] hw/pci: Add PCIe Streamlined Virtual Channel (SVC) capability.
From: Shrihari E S @ 2026-06-24 15:00 UTC (permalink / raw)
To: Jonathan Cameron
Cc: linux-cxl, linux-pci, qemu-devel, cpgs, arun.george, vikash.k5,
s.neeraj, dongjoo.seo1, dave, gost.dev
In-Reply-To: <20260616194619.47336bac@jic23-huawei>
On 16/06/26 07:46PM, Jonathan Cameron wrote:
>On Tue, 9 Jun 2026 16:28:34 +0530
>Shrihari E S <shrihari.s@samsung.com> wrote:
>
>> From: Dongjoo Seo <dongjoo.seo1@samsung.com>
>>
>> Implement the PCIe Streamlined Virtual Channel (SVC) Extended
>> Capability by adding support of capability, control and status
>> registers per PCIe 6.4 section 7.9.29. This capability is one
>> of the main requisites for UIO support in both PCIe and CXL ports.
>>
>> Key changes include:
>> - New pcie_svc.c file for SVC capability management.
>> - Updated pcie_cap_fill_lnk() to handle flitmode signaling.
>> - Implement Lifecycle hooks (reset and config_write) to manage
>> SVC state.
>>
>> Signed-off-by: Dongjoo Seo <dongjoo.seo1@samsung.com>
>> Signed-off-by: Shrihari E S <shrihari.s@samsung.com>
>A very quick review on this one as I'm more or less out of time for today
>(and not listening to a call ;)
>
> pci_long_test_and_clear_mask(exp_cap + PCI_EXP_LNKCAP,
>> @@ -160,8 +161,14 @@ static void pcie_cap_fill_lnk(uint8_t *exp_cap, PCIExpLinkWidth width,
>> }
>>
>> if (flitmode) {
>> - pci_long_test_and_set_mask(exp_cap + PCI_EXP_LNKSTA2,
>> + uint32_t pos = dev->exp.exp_cap;
>> +
>> + pci_word_test_and_set_mask(exp_cap + PCI_EXP_FLAGS,
>> PCI_EXP_LNKSTA2_FLIT);
>
>Why is this writing a field from LNKSTA2 into FLAGS?
>
Hi Jonathan,
Sorry, it's a typo. It should be PCI_EXP_LNKSTA2 instead of PCI_EXP_FLAGS.
Will correct it in the next version of the patch.
>> static void pcie_cap_fill_slot_lnk(PCIDevice *dev)
>> {
>> PCIESlot *s = (PCIESlot *)object_dynamic_cast(OBJECT(dev), TYPE_PCIE_SLOT);
>> @@ -217,7 +259,8 @@ static void pcie_cap_fill_slot_lnk(PCIDevice *dev)
>> /* the PCI_EXP_LNKSTA_DLLLA will be set in the hotplug function */
>> }
>>
>> - pcie_cap_fill_lnk(exp_cap, s->width, s->speed, s->parent_obj.flitmode);
>> + pcie_cap_fill_lnk(dev, exp_cap, s->width, s->speed,
>> + s->parent_obj.flitmode);
>
>As previously I think that should be a PCIE_PORT(s)->flitmode
>
>> }
Yeah, will correct it.
>> +int pcie_config_uio_svc(PCIDevice *d, Error **errp)
>> +{
>> + PCIEPort *p = PCIE_PORT(d);
>> +
>> + if (!get_uio_mandatory_svc(p)
>> + || pcie_svc_cap_init(d, PCI_EXT_CAP_BASE_OFFSET, errp) < 0) {
>
>|| on the line above
>
Got it, thanks for pointing it out. Will correct this.
>> +int pcie_svc_cap_init(PCIDevice *dev, uint16_t offset, Error **errp)
>> +{
>> + uint32_t hdr;
>> +
>> + if (!pci_is_express(dev)) {
>> + error_setg(errp, "SVC ECAP requires PCIe");
>> + return -EINVAL;
>> + }
>> +
>> + /*
>> + * If no other ECAPs are present, make SVC the first at 0x100.
>> + * This avoids pcie_add_capability() asserting on a non-0x100 offset.
>> + */
>> + hdr = pci_get_long(dev->config + PCI_CONFIG_SPACE_SIZE);
>
>Is there precedence for this? Seems like most cases hand code
>an offset. I think letting this run has the risk that an ordering
>change might end up with this where something else wants to go.
>
Yeah, will check the precedence and change it accordingly.
>> + if (hdr == 0) {
>> + offset = PCI_CONFIG_SPACE_SIZE;
>> + }
>
>
>> void pcie_cap_slot_pre_plug_cb(HotplugHandler *hotplug_dev, DeviceState *dev,
>> Error **errp);
>> diff --git a/include/hw/pci/pcie_regs.h b/include/hw/pci/pcie_regs.h
>> index 33a22229fe..644da744b2 100644
>> --- a/include/hw/pci/pcie_regs.h
>> +++ b/include/hw/pci/pcie_regs.h
>> @@ -81,6 +81,7 @@ typedef enum PCIExpLinkWidth {
>> #define PCI_EXP_DEVCAP2_EETLPP 0x200000
>>
>> #define PCI_EXP_DEVCTL2_EETLPPB 0x8000
>> +#define PCI_EXP_LNKCTL_FLIT_DIS 0x2000
>
>This extra indent is supposed to associate the field with the register
>but the register isn't defined here so it makes little sense.
>
>
>>
>I see there is some precedence in here for registers that are also defined
>in the linux header that is included via hw/pci/pci_regs.h
>
>Maybe we should clean that up at some point.
>
>> /* ARI */
>> #define PCI_ARI_VER 1
>> diff --git a/include/hw/pci/pcie_svc.h b/include/hw/pci/pcie_svc.h
>> new file mode 100644
>> index 0000000000..4872905501
>> --- /dev/null
>> +++ b/include/hw/pci/pcie_svc.h
>> @@ -0,0 +1,91 @@
>> +/*
>> + * SPDX-License-Identifier: GPL-2.0-or-later
>> + *
>> + * PCIe Streamlined Virtual Channel (SVC) Extended Capability
>> + *
>> + * Copyright (c) 2026 Samsung Electronics Co., Ltd.
>> + */
>> +
>> +#ifndef HW_PCIE_SVC_H
>> +#define HW_PCIE_SVC_H
>
>Much of this feels like it will end up in pci_regs.h
>so maybe just do that from the start.
>
We thought that we should follow the same pattern that PCIe SRIOV did
with "pcie_sriov.h", so we added pcie_svc.h. I agree that all the register
declarations and definitions should go in pci_regs.h. Will do that.
>For this series you'd have to have a patch adding them with
>a note on when you expect them to be in the linux header.
>
Yeah sure.
>> +#define PCI_EXT_CAP_BASE_OFFSET 0x200
>> +#define PCI_EXT_CAP_ID_SVC 0x35
>> +#define PCI_EXT_CAP_SVC_SIZE 0x74
>> +
>> +/* PCIe 6.4 section 7.9.29 */
>> +#define PCIE_SVC_CAP_HEAD_OFFSET 0x00
>> +#define PCIE_SVC_CAP_OFFSET 0x04
>
>> +#define SVC_TC_VC_MAP(n) ((n & 0xff) << 0)
>> +
>> +/* 7.9.27.8 SVC Resource Status Register */
>> +#define SVC_RES_STATUS_BASE 0x1c
>> +#define SVC_RES_STATUS(n) (SVC_RES_STATUS_BASE + \
>> + (n) * 0x0c)
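Review bot: `SVC_TC_VC_MAP(n)` uses its argument unparenthesised (`n & 0xff`), so an expression argument such as `a | b` would bind incorrectly; write `((n) & 0xff)`, as `SVC_RES_STATUS(n)` already does with `(n)`. The section references also disagree: the block header cites PCIe 6.4 section 7.9.29 while the register comment cites 7.9.27.8, so one of them needs correcting.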
>
>That's not a nice line break for readability. If you have two, move the whole thing to next line.
>
Sure, will rectify it.
* Re: [PATCH RFC 1/2] image: fit: allow IH_OS_OPENSBI in fit_image_load()
From: Nikita Shubin @ 2026-06-24 7:11 UTC (permalink / raw)
To: Simon Glass
Cc: u-boot, Tom Rini, Quentin Schulz, James Hilliard, Julien Stephan,
David Lechner, Frank Wunderlich, Heinrich Schuchardt,
Mikhail Kshevetskiy, Rasmus Villemoes, Anshul Dalal,
Michael Walle, João Marcos Costa, Dhruva Gole,
Richard Genoud, Miquel Raynal
In-Reply-To: <CAFLszTiF4Jz7d=PdXvXsusQZ5436qUaFMBYsa76CS_G6uHDwpQ@mail.gmail.com>
Hi Simon,
On Tue, 2026-06-23 at 15:47 +0100, Simon Glass wrote:
> Hi Nikita,
>
> On 2026-06-19T12:52:56, Nikita Shubin <nikita.shubin@maquefel.me>
> wrote:
> > image: fit: allow IH_OS_OPENSBI in fit_image_load()
> >
> > Add IH_OS_OPENSBI to the list of supported OS types in the os_ok
> > check
> > so that FIT images containing an OpenSBI firmware can be loaded
> > without
> > error. Otherwise loading OpenSBI in full FIT Image is not possible.
> >
> > Signed-off-by: Nikita Shubin <nikita.shubin@maquefel.me>
> >
> > boot/image-fit.c | 1 +
> > 1 file changed, 1 insertion(+)
>
> > diff --git a/boot/image-fit.c b/boot/image-fit.c
> > @@ -2258,6 +2258,7 @@ int fit_image_load(struct bootm_headers
> > *images, ulong addr,
> > fit_image_check_os(fit, noffset, IH_OS_U_BOOT) ||
> > fit_image_check_os(fit, noffset, IH_OS_TEE) ||
> > fit_image_check_os(fit, noffset, IH_OS_OPENRTOS) ||
> > + fit_image_check_os(fit, noffset, IH_OS_OPENSBI) |
> > fit_image_check_os(fit, noffset, IH_OS_EFI) ||
>
> Should be || not |
Thanks!
>
> Regards,
> Simon
* Re: [PATCH v2] mm: mglru: fix stale batch updates after memcg reparenting
From: Qi Zheng @ 2026-06-24 7:11 UTC (permalink / raw)
To: Harry Yoo, akpm, david, kasong, shakeel.butt, baohua,
axelrasmussen, yuanchu, weixugc, hannes, muchun.song, peiyang_he,
mhocko, roman.gushchin, ljs
Cc: linux-mm, linux-kernel, Qi Zheng, stable
In-Reply-To: <dfe5d773-2992-448b-a6cb-ef633714a08f@kernel.org>
Hi Harry,
On 6/24/26 12:29 PM, Harry Yoo wrote:
>
>
> On 6/23/26 6:14 PM, Qi Zheng wrote:
>> Hi Harry,
>>
>> On 6/23/26 4:18 PM, Harry Yoo wrote:
>>> On 6/23/26 4:16 PM, Qi Zheng wrote:
>>>> Hi Harry,
>>>
>>> Hi Qi!
>>>
>>>> On 6/23/26 2:17 PM, Harry Yoo wrote:
>>>>> On 6/23/26 11:42 AM, Qi Zheng wrote:
>>>>>> From: Qi Zheng <zhengqi.arch@bytedance.com>
>>>>>>
>>>>>> The mglru page table walker batches per-generation size deltas in
>>>>>> walk->nr_pages while walking page tables without holding the lruvec
>>>>>> lock.
>>>>>> The reset_batch_size() later folds those deltas into walk->lruvec
>>>>>> under
>>>>>> the lruvec lock.
>>>>>
>>>>> Ouch.
>>>>>
>>>>> IIRC the user-visible impact of underestimated nr_pages in MGLRU
>>>>> was premature OOMs because MGLRU does not try to reclaim memory when
>>>>> nr_pages reaches zero, but there are still more pages.
>>>>>
>>>>> Perhaps worth mentioning in the changelog?
>>>>
>>>> Maybe this should be placed before "To fix it...".
>>>
>>> Thanks!
>>>
>>>>>> The page table walker can run concurrently with the memcg reparenting
>>>>>> path
>>>>>> as follows:
>>>>>>
>>>>>> CPU0                              CPU1
>>>>>> ====                              ====
>>>>>>
>>>>>> walk_mm
>>>>>> --> walk_page_range
>>>>>> --> update_batch_size
>>>>>> --> walk->nr_pages += delta
>>>>>>
>>>>>>                                   mem_cgroup_css_offline
>>>>>>                                   --> memcg_reparent_objcgs
>>>>>>                                   --> lock lruvec
>>>>>>                                   lru_gen_reparent_memcg
>>>>>>                                   --> reparent child folios to
>>>>>>                                       parent
>>>>>>                                   unlock lruvec
>>>>>>
>>>>>> lock lruvec
>>>>>> reset_batch_size
>>>>>> --> child lrugen->nr_pages += delta
>>>>>
>>>>> The problem here is that, while grabbing a reference to memcg
>>>>> (via mem_cgroup_iter(), for example) makes sure that the memcg is not
>>>>> freed, it does not prevent offlining happening, and reset_batch_size()
>>>>> doesn't check whether the lruvec has been reparented, or the lruvec
>>>>> is going to be reparented.
>>>>>
>>>>>> This will trigger the following warning in lru_gen_exit_memcg():
>>>>>>
>>>>>> VM_WARN_ON_ONCE(memchr_inv(lruvec->lrugen.nr_pages, 0,
>>>>>> sizeof(lruvec->lrugen.nr_pages)));
>>>>>>
>>>>>> To fix it, add lrugen->reparented to remember the new owner of a
>>>>>> reparented lruvec, and make reset_batch_size() charge pending
>>>>>> deltas to
>>>>>> that owner.
>>>>>
>>>>> Could you please explain why it is unavoidable to introduce the new
>>>>> field and why checking whether the cgroup is dying (and charging deltas
>>>>> to non-dying parent) doesn't work?
>>>>
>>>> Peiyang tried doing this [1], but it doesn't work because
>>>> ss->css_offline() is called before clearing the CSS_ONLINE flag.
>>>
>>> Right.
>>>
>>>> I also considered using mem_cgroup_tryget_online(), but that only
>>>> prevents
>>>> the memcg from being freed. It doesn't prevent the offlining.
>>>
>>> Right.
>>>
>>> I think checking CSS_DYING under RCU and grabbing the lruvec
>>> of the first non-dying memcg should work (this pattern is already
>>> used where we use RCU to guarantee memcgs are not freed).
>>>
>>> If we do not observe CSS_DYING flag, it is safe to charge deltas
>>> to the lruvec because RCU guarantees that reparenting cannot happen
>>> under us.
>>>
>>> If we do observe CSS_DYING, we can walk up the hierarchy and charge
>>> deltas to the first non-dying memcg.
>>
>> Checking CSS_DYING looks feasible, but the rcu lock alone cannot prevent
>> reparenting. We should recheck CSS_DYING after acquiring the lruvec
>> lock, otherwise we might run into the following race:
>
> Haha, actually, I was thinking of checking CSS_DYING under both RCU and
> lruvec lock. (because that's the pattern)
>
>> CPU0 reset_batch_size             CPU1 memcg teardown
>> =====================             ==================
>>
>> read !CSS_DYING
>>
>>                                   set CSS_DYING
>
> Oh, I thought the entire critical section is covered by RCU.
> (I see lock_batch_lruvec() you suggested below doesn't do that)
>
> Isn't RCU enough to prevent reparenting because RCU guarantees that
> all readers who read !CSS_DYING complete before reparenting?
Oh, I think you are right.
I forgot that offlining is executed in the rcu work context.
Let's walk through this again:
cgroup_destroy_locked
--> kill_css_sync
--> css->flags |= CSS_DYING; 1)
kill_css_finish
--> css_killed_ref_fn
--> css_killed_work_fn <-- RCU work !! 2)
--> offline_css
--> reparent memcg
So while holding the rcu lock, if CSS_DYING is not observed,
css_killed_work_fn() will not be called until rcu_read_unlock().
So lock_batch_lruvec() can be implemented like this:
#ifdef CONFIG_MEMCG
static struct lruvec *lock_batch_lruvec(struct lruvec *lruvec)
{
	struct pglist_data *pgdat = lruvec_pgdat(lruvec);
	struct mem_cgroup *memcg = lruvec_memcg(lruvec);
	rcu_read_lock();
	/*
	 * The memcg can be NULL when the memory controller is disabled.
	 * Otherwise, the caller keeps the memcg owning @lruvec alive.
	 */
	if (!memcg || !css_is_dying(&memcg->css))
		goto lock;
	do {
		memcg = parent_mem_cgroup(memcg);
	} while (memcg && css_is_dying(&memcg->css));
	lruvec = mem_cgroup_lruvec(memcg, pgdat);
lock:
	spin_lock_irq(&lruvec->lru_lock);
	return lruvec;
}
#else
static struct lruvec *lock_batch_lruvec(struct lruvec *lruvec)
{
	lruvec_lock_irq(lruvec);
	return lruvec;
}
#endif
Does this make sense?
Thanks,
Qi
>
> Now I'm confused. Is it strictly required to check CSS_DYING under
> lruvec lock? CSS_DYING is updated outside the lruvec lock anyway?
>
>>                                   memcg_reparent_objcgs()
>>                                   lock child lruvec
>>                                   move child to parent
>>                                   zero child nr_pages
>>                                   unlock child lruvec
>>
>> lock child lruvec
>> charge stale delta to child
>>
>> So it seems lock_batch_lruvec() should be implemented like this:
>>
>> static struct lruvec *lock_batch_lruvec(struct lruvec *lruvec)
>> {
>> struct mem_cgroup *memcg = lruvec_memcg(lruvec);
>>
>> rcu_read_lock();
>> retry:
>> while (memcg && css_is_dying(&memcg->css))
>> memcg = parent_mem_cgroup(memcg);
>
> Isn't this loop unnecessary as spin_lock_irq() -> check CSS_DYING ->
> goto retry does the same thing? (of course, we need to fetch the parent
> memcg before retry then...)
>
>> lruvec = mem_cgroup_lruvec(memcg, pgdat);
>> spin_lock_irq(&lruvec->lru_lock);
>> if (memcg && unlikely(css_is_dying(&memcg->css))) {
>> spin_unlock_irq(&lruvec->lru_lock);
>> goto retry;
>> }
>>
>> rcu_read_unlock();
>>
>> return lruvec;
>> }
>
> Thanks!
>
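The ordering argument in the message above can be checked with a small model. This is an added example, not code from the thread or from the kernel: it replays every interleaving of a two-step walker and a two-step memcg teardown and counts the schedules that leave pages on the offlined child lruvec. The struct, the function names and the page counts are constructed; each step is treated as atomic (standing in for the lruvec lock), and an RCU grace period is modelled as "the offline work waits until no reader is inside its read-side section".

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: one child memcg lruvec, its parent, one walker. */
struct model {
	long child, parent;	/* pages accounted to each lruvec */
	bool dying;		/* CSS_DYING set on the child */
	int readers;		/* walkers inside rcu_read_lock() */
	bool offline_pending;	/* offline work waiting for a grace period */
	long *target;		/* lruvec the walker chose to charge */
};
enum variant { UNFIXED, CHECK_NO_RCU, CHECK_UNDER_RCU };

/* Offline work: move the child's pages to the parent, leave child at 0. */
static void reparent(struct model *m)
{
	m->parent += m->child;
	m->child = 0;
	m->offline_pending = false;
}

/* Walker step 1: choose the lruvec that will receive the batched delta. */
static void walker_pick(struct model *m, enum variant v)
{
	if (v == CHECK_UNDER_RCU)
		m->readers++;
	m->target = (v != UNFIXED && m->dying) ? &m->parent : &m->child;
}

/* Walker step 2: fold the delta in, then leave the read-side section. */
static void walker_charge(struct model *m, enum variant v, long delta)
{
	*m->target += delta;
	if (v == CHECK_UNDER_RCU && --m->readers == 0 && m->offline_pending)
		reparent(m);	/* grace period over: deferred work runs */
}

/* Replay a schedule ('W' = walker step, 'T' = teardown step); return child pages. */
static long replay(enum variant v, const char *sched)
{
	struct model m = { .child = 10, .parent = 100 };
	int w = 0, t = 0;
	for (; *sched; sched++) {
		if (*sched == 'W' && w++ == 0)
			walker_pick(&m, v);
		else if (*sched == 'W')
			walker_charge(&m, v, 3);
		else if (t++ == 0)
			m.dying = true;		/* teardown step 1 */
		else if (m.readers > 0)
			m.offline_pending = true; /* step 2 waits for readers */
		else
			reparent(&m);		/* teardown step 2 */
	}
	return m.child;
}

/* Count the schedules that leave a stale delta on the child. */
static int stale_schedules(enum variant v)
{
	static const char *const all[] = { "WWTT", "WTWT", "WTTW",
					   "TWWT", "TWTW", "TTWW" };
	int bad = 0;
	for (unsigned i = 0; i < sizeof(all) / sizeof(all[0]); i++)
		bad += replay(v, all[i]) != 0;
	return bad;
}

int main(void)
{
	printf("stale: unfixed=%d no-rcu=%d rcu=%d\n", stale_schedules(UNFIXED),
	       stale_schedules(CHECK_NO_RCU), stale_schedules(CHECK_UNDER_RCU));
	return 0;
}
```

UNFIXED charges the child unconditionally, CHECK_NO_RCU tests the dying flag with nothing holding off the offline work, and CHECK_UNDER_RCU keeps the read-side section open from the flag test until the charge. The schedule "WTTW" is the race drawn in the quoted diagram.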
* Re: [PATCH 0/3] vmsplice: make vmsplice a trivial wrapper for preadv2/pwritev2
From: Askar Safin @ 2026-06-24 7:12 UTC (permalink / raw)
To: avagin
Cc: akpm, alexander, axboe, bernd, brauner, criu, david, dhowells,
fuse-devel, hch, jack, joannelkoong, linux-api, linux-fsdevel,
linux-kernel, linux-mm, miklos, netdev, patches, pfalcato,
rostedt, safinaskar, torvalds, val, viro, willy
In-Reply-To: <CANaxB-zK5q=Xw6UZTmeFtXsDZjUsPkFk=p485m-wtNTBnf4hgg@mail.gmail.com>
Andrei Vagin <avagin@gmail.com>:
> The CRIU fifo test fails with this change. The problem is that vmsplice
> with SPLICE_F_NONBLOCK to a fifo file descriptor fails with -EOPNOTSUPP.
>
> It seems we need a fix like this one:
>
> diff --git a/fs/pipe.c b/fs/pipe.c
> index 429b0714ec57..6fc49e933727 100644
> --- a/fs/pipe.c
> +++ b/fs/pipe.c
> @@ -1253,6 +1253,7 @@ static int fifo_open(struct inode *inode, struct
> file *filp)
>
> /* We can only do regular read/write on fifos */
> stream_open(inode, filp);
> + filp->f_mode |= FMODE_NOWAIT;
>
> switch (filp->f_mode & (FMODE_READ | FMODE_WRITE)) {
> case FMODE_READ:
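Review bot: the added `filp->f_mode |= FMODE_NOWAIT;` sits directly under the existing comment "We can only do regular read/write on fifos", which says nothing about non-blocking I/O, so the flag reads as part of the stream_open() explanation. Give the assignment its own short comment, or a changelog sentence, stating why a FIFO opened through fifo_open() can honour NOWAIT requests on both the read and the write side.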
Does CRIU actually rely on the ability to do SPLICE_F_NONBLOCK vmsplice into
named fifos? Or is this merely a test?
If this is just a test, I think we need not preserve this behavior.
I did a Debian code search with regex "vmsplice.*SPLICE_F_NONBLOCK" and I
found very few packages. And it seems all of them use pipes, not named fifos.
(On speed: I still think that my vmsplice patches are a good thing,
despite performance regressions in CRIU.)
--
Askar Safin
* [syzbot ci] Re: nfc: nci: fix uninit-value in nci_core_init_rsp_packet()
From: syzbot ci @ 2026-06-24 7:13 UTC (permalink / raw)
To: davem, david, edumazet, horms, kuba, linux-kernel, netdev,
oe-linux-nfc, pabeni, sam, stable
Cc: syzbot, syzkaller-bugs
In-Reply-To: <20260623222402.175798-1-sam@bynar.io>
syzbot ci has tested the following series
[v1] nfc: nci: fix uninit-value in nci_core_init_rsp_packet()
https://lore.kernel.org/all/20260623222402.175798-1-sam@bynar.io
* [PATCH net] nfc: nci: fix uninit-value in nci_core_init_rsp_packet()
and found the following issue:
UBSAN: array-index-out-of-bounds in nci_init_complete_req
Full report is available here:
https://ci.syzbot.org/series/2a9a8657-37a3-4dce-8cb5-2035027791dd
***
UBSAN: array-index-out-of-bounds in nci_init_complete_req
tree: linux-next
URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/next/linux-next
base: a986fde914d88af47eb78fd29c5d1af7952c3500
arch: amd64
compiler: Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
config: https://ci.syzbot.org/builds/80f835c3-e998-47ff-aaa5-24c578af3b4e/config
syz repro: https://ci.syzbot.org/findings/65008893-2498-4786-b913-f2c474a7b34a/syz_repro
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in net/nfc/nci/core.c:192:7
index 4 is out of range for type '__u8[4]' (aka 'unsigned char[4]')
CPU: 0 UID: 0 PID: 5905 Comm: syz.1.33 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
ubsan_epilogue+0xa/0x30 lib/ubsan.c:233
__ubsan_handle_out_of_bounds+0xe8/0xf0 lib/ubsan.c:455
nci_init_complete_req+0x255/0x460 net/nfc/nci/core.c:192
__nci_request+0x7d/0x300 net/nfc/nci/core.c:108
nci_open_device net/nfc/nci/core.c:529 [inline]
nci_dev_up+0x8c3/0xdc0 net/nfc/nci/core.c:643
nfc_dev_up+0x165/0x350 net/nfc/core.c:118
nfc_genl_dev_up+0x89/0xe0 net/nfc/netlink.c:775
genl_family_rcv_msg_doit+0x233/0x340 net/netlink/genetlink.c:1114
genl_family_rcv_msg net/netlink/genetlink.c:1194 [inline]
genl_rcv_msg+0x614/0x7a0 net/netlink/genetlink.c:1209
netlink_rcv_skb+0x226/0x4a0 net/netlink/af_netlink.c:2556
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1218
netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
netlink_unicast+0x7bb/0x940 net/netlink/af_netlink.c:1345
netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1900
sock_sendmsg_nosec net/socket.c:775 [inline]
__sock_sendmsg net/socket.c:790 [inline]
____sys_sendmsg+0x9b9/0xa20 net/socket.c:2684
___sys_sendmsg+0x2a5/0x360 net/socket.c:2738
__sys_sendmsg net/socket.c:2770 [inline]
__do_sys_sendmsg net/socket.c:2775 [inline]
__se_sys_sendmsg net/socket.c:2773 [inline]
__x64_sys_sendmsg+0x1b1/0x290 net/socket.c:2773
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
---[ end trace ]---
***
If these findings have caused you to resend the series or submit a
separate fix, please add the following tag to your commit message:
Tested-by: syzbot@syzkaller.appspotmail.com
---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzkaller@googlegroups.com.
To test a patch for this bug, please reply with `#syz test`
(should be on a separate line).
The patch should be attached to the email.
Note: arguments like custom git repos and branches are not supported.
* Re: [yocto-patches] [PATCH yocto-autobuilder-helper wrynose] config.json: Add meta-qcom dependency on meta-lts-mixin
From: Paul Barker @ 2026-06-24 7:13 UTC (permalink / raw)
To: yocto-patches; +Cc: Thomas Petazzoni, Mathieu Dubois-Briand
In-Reply-To: <20260623-contrib-mathieu-wrynose-qcom-lts-mixin-v1-1-78465e9bec56@bootlin.com>
On Tue, 2026-06-23 at 16:46 +0200, Mathieu Dubois-Briand via
lists.yoctoproject.org wrote:
> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
> ---
> config.json | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/config.json b/config.json
> index 6b37eb96254f..c18c7de80f91 100644
> --- a/config.json
> +++ b/config.json
> @@ -1313,7 +1313,7 @@
> }
> },
> "check-layer-nightly" : {
> - "NEEDREPOS" : ["bitbake", "meta-agl", "meta-arm", "meta-aws", "meta-intel", "meta-ti", "meta-openembedded", "meta-virtualization", "meta-clang", "meta-exein", "meta-qcom", "meta-riscv"],
> + "NEEDREPOS" : ["bitbake", "meta-agl", "meta-arm", "meta-aws", "meta-intel", "meta-ti", "meta-openembedded", "meta-virtualization", "meta-clang", "meta-exein", "meta-qcom", "meta-riscv", "meta-lts-mixin"],
> "step1" : {
> "shortname" : "Test meta-agl YP Compatibility",
> "EXTRACMDS" : ["yocto-check-layer-wrapper ../meta-agl/meta-agl-core ../meta-agl/meta-netboot --dependency ../meta-openembedded/meta-oe ../meta-openembedded/meta-networking ../meta-openembedded/meta-python --no-auto-dependency"]
> @@ -1356,7 +1356,7 @@
> },
> "step10" : {
> "shortname" : "Test meta-qcom YP Compatibility",
> - "EXTRACMDS" : ["yocto-check-layer-wrapper ../meta-qcom --no-auto-dependency"]
> + "EXTRACMDS" : ["yocto-check-layer-wrapper ../meta-qcom --dependency ../meta-lts-mixins --no-auto-dependency"]
We should run yocto-check-layer-wrapper on the wrynose/linux-firmware
mixin layer as well as on meta-qcom.
> },
> "step11" : {
> "shortname" : "Test meta-riscv YP Compatibility",
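Review bot: the step10 command passes `--dependency ../meta-lts-mixins` (plural), but the entry added to NEEDREPOS and the new repository key are both spelled `meta-lts-mixin` (singular). If the checkout directory follows the repository key, the path handed to yocto-check-layer-wrapper will not exist; use one spelling in all three places.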
> @@ -1996,6 +1996,12 @@
> "branch" : "master",
> "revision" : "HEAD",
> "no-layer-add" : true
> + },
> + "meta-lts-mixin" : {
> + "url" : "ssh://git@push.yoctoproject.org/meta-lts-mixins",
> + "branch" : "master",
> + "revision" : "HEAD",
> + "no-layer-add" : true
> }
Based on my reply to the yocto-autobuilder2 patch, perhaps this should
be:
"mixin-wrynose-linux-firmware" : {
"url" : "ssh://git@push.yoctoproject.org/meta-lts-mixins",
"branch" : "wrynose/linux-firmware",
"revision" : "HEAD",
"no-layer-add" : true
}
With the repository name changed in NEEDREPOS and EXTRACMDS above.
Best regards,
--
Paul Barker