* Re: [PATCH v2 0/4] media: add and use fwnode_graph_for_each_endpoint_scoped()
From: Frank Li @ 2026-06-24 19:35 UTC (permalink / raw)
To: Laurent Pinchart
Cc: Andy Shevchenko, Daniel Scally, Heikki Krogerus, Sakari Ailus,
Greg Kroah-Hartman, Rafael J. Wysocki, Danilo Krummrich,
Mauro Carvalho Chehab, Dafna Hirschfeld, Heiko Stuebner,
Bryan O'Donoghue, Vladimir Zapolskiy, Loic Poulain,
driver-core, linux-acpi, linux-kernel, linux-media,
linux-rockchip, linux-arm-kernel, linux-arm-msm, imx, Guoniu Zhou,
Frank Li, Guoniu Zhou
In-Reply-To: <20260624191935.GG851255@killaraus.ideasonboard.com>
On Wed, Jun 24, 2026 at 10:19:35PM +0300, Laurent Pinchart wrote:
> Hi Frank,
>
> On Wed, Jun 24, 2026 at 01:00:08PM -0400, Frank.Li@oss.nxp.com wrote:
> > Add new helper macro fwnode_graph_for_each_endpoint_scoped() and use it
> > simplify media code.
> >
> > Typical example should qualcomm's driver (camss.c), the v4l2_mc.c and
> > rkisp1-dev.c only silience improvement.
> >
> > Anyways, *_for_each_*_scoped() already use widely and make code clean.
> >
> > Build test only.
> >
> > Sakari Ailus:
> > when I try to improve the patch
> > "Add common helper library for 1-to-1 subdev registration", I found need
> > camss.c pattern, so I create this small improvement firstly.
>
> Those are nice cleanups, thank you.
>
> After applying this series, the only left users of the
> fwnode_graph_for_each_endpoint() macro are in drivers/base/property.c.
I already checked previously, two place use it.
fwnode_graph_get_endpoint_count(), it will go though all endpoints, last
ep is NULL, which totally equial to scoped() version.
another one fwnode_graph_get_endpoint_by_id(), which return ep, expect
caller to call put().
if use scoped() version, need use no_free_ptr() at return, which make think
a little bit complex.
It'd better leave these as it.
Frank
^ permalink raw reply
* [PATCH] staging: rtl8723bs: remove unnecessary braces in odm_HWConfig.c
From: Alonso Garrigues @ 2026-06-24 19:34 UTC (permalink / raw)
To: gregkh; +Cc: error27, linux-staging, linux-kernel, Alonso Garrigues
Single statement block does not need braces.
Signed-off-by: Alonso Garrigues <agarrigues@riseup.net>
---
drivers/staging/rtl8723bs/hal/odm_HWConfig.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/staging/rtl8723bs/hal/odm_HWConfig.c b/drivers/staging/rtl8723bs/hal/odm_HWConfig.c
index c88d669cb086..1716252641d3 100644
--- a/drivers/staging/rtl8723bs/hal/odm_HWConfig.c
+++ b/drivers/staging/rtl8723bs/hal/odm_HWConfig.c
@@ -236,9 +236,8 @@ static void odm_rx_phy_status_parsing(struct dm_odm_t *dm_odm,
if (is_cck_rate) {
phy_info->signal_strength = (u8)(odm_signal_scale_mapping(dm_odm, pwdb_all));
} else {
- if (rf_rx_num != 0) {
+ if (rf_rx_num != 0)
phy_info->signal_strength = (u8)(odm_signal_scale_mapping(dm_odm, total_rssi /= rf_rx_num));
- }
}
}
--
2.54.0
^ permalink raw reply related
* ANN: SELinux userspace 3.11-rc3 release
From: Petr Lautrbach @ 2026-06-24 19:34 UTC (permalink / raw)
To: SElinux list
Hello!
The 3.11-rc3 release for the SELinux userspace is now available at:
https://github.com/SELinuxProject/selinux/releases/tag/3.11-rc3
https://github.com/SELinuxProject/selinux/wiki/Releases
I signed all tarballs using my gpg key, see .asc files.
You can download the public key from
https://github.com/bachradsusi.gpg
Thanks to all the contributors, reviewers, testers and reporters!
If you miss something important not mentioned bellow, please let me
know.
Unless something unexpected happen, 3.11 will be released
next week. Also only important patches will be merged before the
release.
User-visible changes since 3.11-rc3
-----------------------------------
- Bug fixes
Development-relevant changes
----------------------------
- Improved CI
- Added EXTRA_LD_FLAGS for use by musl+llvm builds to pass --undefined-version.
Shortlog of the changes since 3.11-rc2 release
----------------------------------------------
Chris PeBenito (2):
CI: Fix variable use in build-userspace action.
CI: Add explicit output variable for build-userspace action.
Christian Göttsche (3):
secilc/docs: fix wrong CIL statements
secilc/docs: mention nlmsg extended permissions
Makefile: avoid 0 as NULL pointer constant
James Carter (2):
libsepol: Check for proper length of addr and mask buffers
secilc: Use fstat instead of stat to avoid TOCTOU issues
Kalevi Kolttonen (16):
libselinux: use null character with strings
policycoreutils: use stderr for error messages
policycoreutils: use null character in a string
policycoreutils: use null character in strings
policycoreutils: check strdup() failure
policycoreutils: use null character in a string
policycoreutils: use bool instead of int
policycoreutils: use null character in a string
policycoreutils: use bool instead of int
mcstrans: use null character in strings
mcstrans: use null character in strings
sandbox: use bool instead of int
audit2allow: make error message more helpful
policycoreutils: use bool instead of int
mcstrans: use sig_atomic_t and bool instead of int
libsepol: Add missing comment to context.h
Petr Lautrbach (1):
Update VERSIONs to 3.11-rc3 for release.
Stephen Smalley (2):
python/semanage: do not leak an audit fd per logger instance
libselinux: Add EXTRA_LD_FLAGS for musl+llvm builds
netliomax25-code (11):
libsepol: fix out-of-bounds typealias_lists access in module_to_cil
libsepol: cast to unsigned char in ctype calls
libsepol: null-terminate temporary buffer in mls_to_string
libsepol: bound category values in mls_semantic_level_expand
libsemanage: guard end of path in semanage_fc_find_meta
libsepol: bound type values in type_set_expand negset loop
libsepol: test type_set_expand bounds negset type values
libsepol/cil: fix double free of borrowed type datum on error path
mcstrans: fix out-of-bounds read in parse_raw sensitivity parsing
checkpolicy: fix xperm complement at range boundaries
checkpolicy: reject out-of-range extended permission values
^ permalink raw reply
* [PATCH] staging: rtl8723bs: clean up style issues in rtl8723b_cmd.c
From: Alonso Garrigues @ 2026-06-24 19:31 UTC (permalink / raw)
To: gregkh; +Cc: guojy.bj, linux-staging, linux-kernel, Alonso Garrigues
Split long do-while conditions across multiple lines and add spaces
around binary operators. Fix indentation of misaligned comments.
Signed-off-by: Alonso Garrigues <agarrigues@riseup.net>
---
drivers/staging/rtl8723bs/hal/rtl8723b_cmd.c | 39 +++++++++++++-------
1 file changed, 26 insertions(+), 13 deletions(-)
diff --git a/drivers/staging/rtl8723bs/hal/rtl8723b_cmd.c b/drivers/staging/rtl8723bs/hal/rtl8723b_cmd.c
index c35c7f1c38ef..d31d8e445dcc 100644
--- a/drivers/staging/rtl8723bs/hal/rtl8723b_cmd.c
+++ b/drivers/staging/rtl8723bs/hal/rtl8723b_cmd.c
@@ -74,7 +74,7 @@ s32 FillH2CCmd8723B(struct adapter *padapter, u8 ElementID, u32 CmdLen, u8 *pCmd
else {
memcpy((u8 *)(&h2c_cmd)+1, pCmdBuffer, 3);
memcpy((u8 *)(&h2c_cmd_ex), pCmdBuffer+3, CmdLen-3);
-/* *(u8 *)(&h2c_cmd) |= BIT(7); */
+ /* *(u8 *)(&h2c_cmd) |= BIT(7); */
}
*(u8 *)(&h2c_cmd) |= ElementID;
@@ -416,13 +416,14 @@ void rtl8723b_set_FwPwrMode_cmd(struct adapter *padapter, u8 psmode)
}
-/* offload to FW if fw version > v15.10
- pmlmeext->DrvBcnEarly = 0;
- pmlmeext->DrvBcnTimeOut =7;
+ /* offload to FW if fw version > v15.10 */
+ /* pmlmeext->DrvBcnEarly = 0; */
+ /* pmlmeext->DrvBcnTimeOut =7; */
- if ((pmlmeext->DrvBcnEarly!= 0Xff) && (pmlmeext->DrvBcnTimeOut!= 0xff))
- u1H2CPwrModeParm[H2C_PWRMODE_LEN-1] = BIT(0) | ((pmlmeext->DrvBcnEarly<<1)&0x0E) |((pmlmeext->DrvBcnTimeOut<<4)&0xf0) ;
-*/
+ /* if ((pmlmeext->DrvBcnEarly!= 0Xff) && (pmlmeext->DrvBcnTimeOut!= 0xff)) */
+ /* u1H2CPwrModeParm[H2C_PWRMODE_LEN-1] = */
+ /* BIT(0) | ((pmlmeext->DrvBcnEarly<<1)&0x0E) | */
+ /* ((pmlmeext->DrvBcnTimeOut<<4)&0xf0) ; */
}
@@ -657,9 +658,15 @@ void rtl8723b_download_rsvd_page(struct adapter *padapter, u8 mstatus)
/* check rsvd page download OK. */
rtw_hal_get_hwreg(padapter, HW_VAR_BCN_VALID, (u8 *)(&bcn_valid));
poll++;
- } while (!bcn_valid && (poll%10) != 0 && !padapter->bSurpriseRemoved && !padapter->bDriverStopped);
+ } while (!bcn_valid &&
+ (poll % 10) != 0 &&
+ !padapter->bSurpriseRemoved &&
+ !padapter->bDriverStopped);
- } while (!bcn_valid && DLBcnCount <= 100 && !padapter->bSurpriseRemoved && !padapter->bDriverStopped);
+ } while (!bcn_valid &&
+ DLBcnCount <= 100 &&
+ !padapter->bSurpriseRemoved &&
+ !padapter->bDriverStopped);
if (padapter->bSurpriseRemoved || padapter->bDriverStopped) {
} else {
@@ -919,12 +926,18 @@ void rtl8723b_download_BTCoex_AP_mode_rsvd_page(struct adapter *padapter)
DLBcnCount++;
do {
yield();
-/* mdelay(10); */
- /* check rsvd page download OK. */
+ /* mdelay(10); */
+ /* check rsvd page download OK. */
rtw_hal_get_hwreg(padapter, HW_VAR_BCN_VALID, &bcn_valid);
poll++;
- } while (!bcn_valid && (poll%10) != 0 && !padapter->bSurpriseRemoved && !padapter->bDriverStopped);
- } while (!bcn_valid && (DLBcnCount <= 100) && !padapter->bSurpriseRemoved && !padapter->bDriverStopped);
+ } while (!bcn_valid &&
+ (poll % 10) != 0 &&
+ !padapter->bSurpriseRemoved &&
+ !padapter->bDriverStopped);
+ } while (!bcn_valid &&
+ (DLBcnCount <= 100) &&
+ !padapter->bSurpriseRemoved &&
+ !padapter->bDriverStopped);
if (bcn_valid) {
struct pwrctrl_priv *pwrctl = adapter_to_pwrctl(padapter);
--
2.54.0
^ permalink raw reply related
* Re: [PATCH BlueZ] unit: test-bap: disable optimization to speed up compilation
From: patchwork-bot+bluetooth @ 2026-06-24 19:31 UTC (permalink / raw)
To: Pauli Virtanen; +Cc: linux-bluetooth
In-Reply-To: <e0650488e684f464f69cf013d1654f46bb862d46.1782046466.git.pav@iki.fi>
Hello:
This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Sun, 21 Jun 2026 15:54:34 +0300 you wrote:
> Compilation of this file with optimization takes 12 min with ASAN, 1 min
> without. This is too long, and the -O2 doesn't serve purpose for unit
> tests.
>
> Disable optimization to reduce to 30 sec with ASAN (5 sec without).
>
> autoconf puts global -O2 in CFLAGS that cannot be overridden eg. with
> unit_test_bap_CFLAGS. Use pragma instead.
>
> [...]
Here is the summary with links:
- [BlueZ] unit: test-bap: disable optimization to speed up compilation
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=eb9b35c8d13d
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply
* Re: [PATCH BlueZ v1] shared/rap: Fix step payload pointer in parse_step
From: patchwork-bot+bluetooth @ 2026-06-24 19:31 UTC (permalink / raw)
To: Prathibha Madugonde
Cc: linux-bluetooth, luiz.dentz, quic_mohamull, quic_hbandi,
quic_anubhavg
In-Reply-To: <20260623111112.1332742-1-prathm@qti.qualcomm.com>
Hello:
This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Tue, 23 Jun 2026 16:41:12 +0530 you wrote:
> From: Prathibha Madugonde <prathibha.madugonde@oss.qualcomm.com>
>
> util_iov_pull advances iov_base before returning the new pointer, so
> mode_iov.iov_base was set to the start of the *next* step's data.
> Every step was therefore parsed using its successor's bytes.
>
> Switch to util_iov_pull_mem which saves the original base, advances
> iov, and returns the pre-advance pointer — correctly pointing to the
> current step's payload.
>
> [...]
Here is the summary with links:
- [BlueZ,v1] shared/rap: Fix step payload pointer in parse_step
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=40a58272a58f
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply
* Re: [PATCH BlueZ v1] shared: rap: Defer CS Event registration until connection setup
From: patchwork-bot+bluetooth @ 2026-06-24 19:31 UTC (permalink / raw)
To: Naga Bhavani Akella
Cc: linux-bluetooth, luiz.dentz, quic_mohamull, quic_hbandi,
quic_anubhavg
In-Reply-To: <20260622062905.3525480-1-naga.akella@oss.qualcomm.com>
Hello:
This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Mon, 22 Jun 2026 11:59:05 +0530 you wrote:
> Move LE CS event registration from rap_probe()
> to rap_accept(). rap_probe() runs during service discovery
> while no ACL connection or connection handle exists,
> so connection-scoped CS events cannot be delivered or
> associated with a device. rap_accept() is called
> after the ACL link is established, when a valid
> connection handle is available and the HCI layer
> can route events correctly.
> Registering events at this point ensures
> proper handling of CS events.
>
> [...]
Here is the summary with links:
- [BlueZ,v1] shared: rap: Defer CS Event registration until connection setup
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=7efd9383f0a1
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply
* Re: [PATCH] bpf: Fix use-after-free in htab elem with bpf_task_work
From: sashiko-bot @ 2026-06-24 19:31 UTC (permalink / raw)
To: Shengzhuo Wei; +Cc: bpf
In-Reply-To: <20260625-bpf-htab-task-work-uaf-v1-1-31e711ccb159@cherr.cc>
Thank you for your contribution! Sashiko AI review found 5 potential issue(s) to consider:
New issues:
- [Critical] Unconditional call to `check_and_init_map_value` on inline element memory causes out-of-bounds writes for per-CPU maps.
- [High] Dynamic memory allocation (`kmalloc(GFP_ATOMIC)`) in the element free path breaks NMI safety and causes memory exhaustion.
- [High] Permanent bricking of `BPF_TASK_WORK` fields during in-place map updates.
Pre-existing issues:
- [Critical] LRU map eviction synchronously reuses elements containing `BPF_TASK_WORK`, causing UAF and data corruption.
- [High] Incomplete fix for UAF in preallocated HASH maps due to `extra_elems` cache bypass.
--
commit 3d208f380a67702d8970ff27139db174f1482e4a
Author: Shengzhuo Wei <me@cherr.cc>
bpf: Fix use-after-free in htab elem with bpf_task_work
This commit attempts to fix a use-after-free vulnerability when deleting
hash map elements that embed a bpf_task_work. It defers recycling through
call_rcu_tasks_trace() to wait for rcu_read_lock_trace() readers. It also
changes the sentinel value in cancel_and_free() to ERR_PTR(-EBUSY).
Fixes: 38aa7003e369 ("bpf: task work scheduling kfuncs")
Signed-off-by: Shengzhuo Wei <me@cherr.cc>
> diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
> index 9f394e1aa2e85..19fa61909e4fe 100644
> --- a/kernel/bpf/hashtab.c
> +++ b/kernel/bpf/hashtab.c
> @@ -310,6 +310,7 @@ static struct htab_elem *prealloc_lru_pop(struct bpf_htab *htab, void *key,
> bpf_map_inc_elem_count(&htab->map);
> l = container_of(node, struct htab_elem, lru_node);
> memcpy(l->key, key, htab->map.key_size);
[Severity: Critical]
This is a pre-existing issue, but does this synchronous eviction path in
kernel/bpf/hashtab.c:prealloc_lru_pop() leave LRU maps vulnerable to a
use-after-free?
When an LRU map is full, it triggers synchronous eviction. The victim node is
removed and immediately returned for reuse.
Since there is no RCU tasks trace grace period between eviction and reuse,
could a concurrent BPF program holding rcu_read_lock_trace() have its memory
overwritten while still in use?
> + check_and_init_map_value(&htab->map, htab_elem_value(l, htab->map.key_size));
[Severity: Critical]
Can this unconditional initialization cause out-of-bounds memory corruption
for per-CPU maps?
For per-CPU maps, the actual map values are allocated separately per CPU, and
the inline memory returned by htab_elem_value() is only large enough to hold
the 8-byte pointer to the per-CPU allocation.
If a per-CPU map contains a special field at an offset greater than 8, does
check_and_init_map_value() write zeroes out of bounds of the htab_elem
inline storage, corrupting adjacent slab memory?
> return l;
> }
>
[ ... ]
> @@ -950,12 +951,69 @@ static int htab_map_get_next_key(struct bpf_map *map, void *key, void *next_key)
> return -ENOENT;
> }
>
> +/* Deferred htab_elem free for bpf_task_work maps. cancel_and_free()
> + * returns while the task_work callback may still be accessing map_val;
> + * the callback holds guard(rcu_tasks_trace), so deferring the recycle
[ ... ]
> +static void htab_elem_defer_free(struct bpf_htab *htab, struct htab_elem *l)
> +{
> + struct htab_elem_free_rcu *fr;
> +
> + fr = kmalloc_obj(*fr, GFP_ATOMIC);
[Severity: High]
Does this dynamic memory allocation break the strict NMI safety guarantees of
preallocated BPF maps?
Preallocated maps are designed to avoid runtime dynamic allocations, ensuring
they are safe for NMI contexts like perf events. By unconditionally calling
htab_elem_defer_free() (which calls kmalloc) for elements with a task work
field, does this introduce a risk of deadlocks in SLUB?
Additionally, during map destruction of non-preallocated maps,
delete_all_elements() loops over all elements and frees them:
kernel/bpf/hashtab.c:delete_all_elements() {
for (i = 0; i < htab->n_buckets; i++) {
...
hlist_nulls_for_each_entry_safe(l, n, head, hash_node) {
htab_elem_free(htab, l);
}
}
}
For a map with millions of elements, could this tight loop exhaust atomic
memory reserves and risk an OOM panic?
> + if (WARN_ON_ONCE(!fr)) {
> + /* Fallback: immediate recycle, small UAF risk */
> + htab_elem_recycle(htab, l);
> + return;
> + }
> + fr->htab = htab;
> + fr->elem = l;
> + call_rcu_tasks_trace(&fr->rcu, htab_elem_free_rcu_cb);
> +}
[ ... ]
> @@ -1118,6 +1180,11 @@ static struct htab_elem *alloc_htab_elem(struct bpf_htab *htab, void *key,
> }
>
> memcpy(l_new->key, key, key_size);
> + /* Re-initialize special fields for recycled elements. copy_map_value()
> + * skips btf_record fields, so a stale ERR_PTR(-EBUSY) left by
> + * bpf_task_work_cancel_and_free would persist and block new scheduling.
> + */
> + check_and_init_map_value(&htab->map, htab_elem_value(l_new, key_size));
[Severity: Critical]
Are we at risk of out-of-bounds writes here as well for per-CPU maps?
As with the call in prealloc_lru_pop() above, if the map is a per-CPU
hash map, htab_elem_value() points to an 8-byte space.
If the map has special fields at a larger offset, check_and_init_map_value()
might corrupt slab memory. If the offset is zero, could it overwrite the
per-CPU pointer itself and cause a NULL pointer dereference in
pcpu_init_value()?
[Severity: High]
This is a pre-existing issue, but does this allocation path bypass the new
RCU tasks trace deferral for preallocated hash maps during element updates?
When updating an existing element in a preallocated map, alloc_htab_elem()
stashes the old element synchronously into the CPU local cache:
kernel/bpf/hashtab.c:alloc_htab_elem() {
if (prealloc) {
if (old_elem) {
pl_new = this_cpu_ptr(htab->extra_elems);
l_new = *pl_new;
*pl_new = old_elem;
}
...
}
Then, htab_map_update_elem() intentionally skips calling free_htab_elem()
for preallocated maps.
A subsequent update on the same CPU can immediately pop the old element from
extra_elems and overwrite it. Does this entirely bypass the RCU grace period
provided by htab_elem_defer_free(), leaving the original race condition
intact if a concurrent callback is executing?
> if (percpu) {
> if (prealloc) {
> pptr = htab_elem_get_ptr(l_new, key_size);
[ ... ]
> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> index c18f1e16edee4..07088ac1f0b2d 100644
> --- a/kernel/bpf/helpers.c
> +++ b/kernel/bpf/helpers.c
[ ... ]
> @@ -4784,8 +4787,8 @@ void bpf_task_work_cancel_and_free(void *val)
> struct bpf_task_work_ctx *ctx;
> enum bpf_task_work_state state;
>
> - ctx = xchg(&twk->ctx, NULL);
> - if (!ctx)
> + ctx = xchg(&twk->ctx, ERR_PTR(-EBUSY));
[Severity: High]
Could this change permanently brick task work fields for map types that
update elements in place?
The patch relies on the newly added check_and_init_map_value() calls in hash
map element allocators to clear this ERR_PTR(-EBUSY) sentinel when an element
is reused.
However, map types that update elements in place, such as array maps, never
allocate a new element. They use copy_map_value() followed by
bpf_obj_cancel_fields():
kernel/bpf/arraymap.c:array_map_update_elem() {
...
copy_map_value(map, val, value);
bpf_obj_cancel_fields(map, val);
...
}
Since check_and_init_map_value() is never called for these in-place updates,
twk->ctx appears permanently left in the ERR_PTR(-EBUSY) state. Would any
future bpf_task_work_schedule() calls on that element permanently fail?
> + if (IS_ERR_OR_NULL(ctx))
> return;
>
> state = xchg(&ctx->state, BPF_TW_FREED);
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260625-bpf-htab-task-work-uaf-v1-1-31e711ccb159@cherr.cc?part=1
^ permalink raw reply
* [PATCH] scsi: 3w-xxxx: validate AEN ioctl buffer length
From: Yousef Alhouseen @ 2026-06-24 19:31 UTC (permalink / raw)
To: Adam Radford, James E . J . Bottomley, Martin K . Petersen
Cc: linux-scsi, linux-kernel, Yousef Alhouseen
TW_OP_AEN_LISTEN copies a fixed AEN code into the ioctl data buffer, but
the coherent ioctl allocation is sized from the user supplied buffer
length. A zero-length or otherwise short buffer lets the handler write
past the allocated ioctl buffer.
Reject AEN listen requests whose data buffer is too small for the code
returned by the driver.
Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
---
drivers/scsi/3w-xxxx.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/3w-xxxx.c b/drivers/scsi/3w-xxxx.c
index c68678fa7..147a47e6b 100644
--- a/drivers/scsi/3w-xxxx.c
+++ b/drivers/scsi/3w-xxxx.c
@@ -908,6 +908,12 @@ static long tw_chrdev_ioctl(struct file *file, unsigned int cmd, unsigned long a
goto out;
}
+ if (cmd == TW_OP_AEN_LISTEN &&
+ data_buffer_length < sizeof(tw_aen_code)) {
+ retval = -EINVAL;
+ goto out;
+ }
+
/* Hardware can only do multiple of 512 byte transfers */
data_buffer_length_adjusted = (data_buffer_length + 511) & ~511;
@@ -2427,4 +2433,3 @@ static void __exit tw_exit(void)
module_init(tw_init);
module_exit(tw_exit);
-
--
2.54.0
^ permalink raw reply related
* [PATCH] scsi: 3w-9xxx: validate ioctl data buffer sizes
From: Yousef Alhouseen @ 2026-06-24 19:28 UTC (permalink / raw)
To: Adam Radford, James E . J . Bottomley, Martin K . Petersen
Cc: linux-scsi, linux-kernel, Yousef Alhouseen
Several 3w-9xxx character ioctls read or write fixed-size structures in
the ioctl data buffer, but allocation is based only on the user supplied
buffer_length. A short buffer can make event, compatibility, or lock
commands access beyond the allocated coherent ioctl buffer.
Require the data buffer to be large enough for the fixed payload used by
each local ioctl before allocating and copying the full request.
Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
---
drivers/scsi/3w-9xxx.c | 22 +++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/3w-9xxx.c b/drivers/scsi/3w-9xxx.c
index 9b93a2440..a125801e3 100644
--- a/drivers/scsi/3w-9xxx.c
+++ b/drivers/scsi/3w-9xxx.c
@@ -653,6 +653,7 @@ static long twa_chrdev_ioctl(struct file *file, unsigned int cmd, unsigned long
ktime_t current_time;
TW_Device_Extension *tw_dev = twa_device_extension_list[iminor(inode)];
int retval = TW_IOCTL_ERROR_OS_EFAULT;
+ unsigned int min_data_length = 0;
void __user *argp = (void __user *)arg;
mutex_lock(&twa_chrdev_mutex);
@@ -673,6 +674,26 @@ static long twa_chrdev_ioctl(struct file *file, unsigned int cmd, unsigned long
goto out2;
}
+ switch (cmd) {
+ case TW_IOCTL_GET_COMPATIBILITY_INFO:
+ min_data_length = sizeof(TW_Compatibility_Info);
+ break;
+ case TW_IOCTL_GET_LAST_EVENT:
+ case TW_IOCTL_GET_FIRST_EVENT:
+ case TW_IOCTL_GET_NEXT_EVENT:
+ case TW_IOCTL_GET_PREVIOUS_EVENT:
+ min_data_length = sizeof(TW_Event);
+ break;
+ case TW_IOCTL_GET_LOCK:
+ min_data_length = sizeof(TW_Lock);
+ break;
+ }
+
+ if (driver_command.buffer_length < min_data_length) {
+ retval = TW_IOCTL_ERROR_OS_EINVAL;
+ goto out2;
+ }
+
/* Hardware can only do multiple of 512 byte transfers */
data_buffer_length_adjusted = (driver_command.buffer_length + 511) & ~511;
@@ -2302,4 +2323,3 @@ static void __exit twa_exit(void)
module_init(twa_init);
module_exit(twa_exit);
-
--
2.54.0
^ permalink raw reply related
* Re: [PATCH 1/2] media: v4l2-common: add v4l2_fill_pixfmt_aligned() helper
From: Laurent Pinchart @ 2026-06-24 19:28 UTC (permalink / raw)
To: Tommaso Merciai
Cc: tomm.merciai, linux-renesas-soc, biju.das.jz, jacopo.mondi,
Lad Prabhakar, Mauro Carvalho Chehab, Hans Verkuil,
Nicolas Dufresne, Sakari Ailus, Sven Püschel, Mehdi Djait,
Paul Cercueil, Isaac Scott, Daniel Scally, linux-media,
linux-kernel
In-Reply-To: <20260624104153.798953-2-tommaso.merciai.xr@bp.renesas.com>
Hi Tommaso,
Thank you for the patch.
On Wed, Jun 24, 2026 at 12:41:30PM +0200, Tommaso Merciai wrote:
> Add v4l2_fill_pixfmt_aligned(), a variant of v4l2_fill_pixfmt()
> that accepts a stride_alignment parameter, mirroring the existing
> v4l2_fill_pixfmt_mp() / v4l2_fill_pixfmt_mp_aligned() pair.
>
> v4l2_fill_pixfmt() is refactored to call v4l2_fill_pixfmt_aligned()
> with stride_alignment=1, preserving its existing behaviour.
>
> The new helper is needed by drivers whose DMA engine requires the
> line stride to be a multiple of a specific value, such as the
> Renesas RZ/G3E CRU which requires 128-byte alignment.
>
> Signed-off-by: Tommaso Merciai <tommaso.merciai.xr@bp.renesas.com>
> ---
> drivers/media/v4l2-core/v4l2-common.c | 17 +++++++++++++----
> include/media/v4l2-common.h | 3 +++
> 2 files changed, 16 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/media/v4l2-core/v4l2-common.c b/drivers/media/v4l2-core/v4l2-common.c
> index 65db7340ad38..1de246acc7ab 100644
> --- a/drivers/media/v4l2-core/v4l2-common.c
> +++ b/drivers/media/v4l2-core/v4l2-common.c
> @@ -545,8 +545,8 @@ int v4l2_fill_pixfmt_mp(struct v4l2_pix_format_mplane *pixfmt,
> }
> EXPORT_SYMBOL_GPL(v4l2_fill_pixfmt_mp);
>
> -int v4l2_fill_pixfmt(struct v4l2_pix_format *pixfmt, u32 pixelformat,
> - u32 width, u32 height)
> +int v4l2_fill_pixfmt_aligned(struct v4l2_pix_format *pixfmt, u32 pixelformat,
> + u32 width, u32 height, u8 stride_alignment)
> {
> const struct v4l2_format_info *info;
> int i;
> @@ -562,14 +562,23 @@ int v4l2_fill_pixfmt(struct v4l2_pix_format *pixfmt, u32 pixelformat,
> pixfmt->width = width;
> pixfmt->height = height;
> pixfmt->pixelformat = pixelformat;
> - pixfmt->bytesperline = v4l2_format_plane_stride(info, 0, width, 1);
> + pixfmt->bytesperline = v4l2_format_plane_stride(info, 0, width,
> + stride_alignment);
> pixfmt->sizeimage = 0;
>
> for (i = 0; i < info->comp_planes; i++)
> pixfmt->sizeimage +=
> - v4l2_format_plane_size(info, i, width, height, 1);
> + v4l2_format_plane_size(info, i, width, height,
> + stride_alignment);
> return 0;
> }
> +EXPORT_SYMBOL_GPL(v4l2_fill_pixfmt_aligned);
> +
> +int v4l2_fill_pixfmt(struct v4l2_pix_format *pixfmt, u32 pixelformat,
> + u32 width, u32 height)
> +{
> + return v4l2_fill_pixfmt_aligned(pixfmt, pixelformat, width, height, 1);
> +}
This could be an inline wrapper in include/media/v4l2-common.h, it would
be more efficient.
> EXPORT_SYMBOL_GPL(v4l2_fill_pixfmt);
>
> #ifdef CONFIG_MEDIA_CONTROLLER
> diff --git a/include/media/v4l2-common.h b/include/media/v4l2-common.h
> index edd416178c33..718a0f47f36b 100644
> --- a/include/media/v4l2-common.h
> +++ b/include/media/v4l2-common.h
> @@ -556,6 +556,9 @@ void v4l2_apply_frmsize_constraints(u32 *width, u32 *height,
> const struct v4l2_frmsize_stepwise *frmsize);
> int v4l2_fill_pixfmt(struct v4l2_pix_format *pixfmt, u32 pixelformat,
> u32 width, u32 height);
> +/* @stride_alignment is a power of 2 value in bytes */
> +int v4l2_fill_pixfmt_aligned(struct v4l2_pix_format *pixfmt, u32 pixelformat,
> + u32 width, u32 height, u8 stride_alignment);
I know the existing functions lack documentation, but it's not a reason
to continue with that bad habit :-)
One point that needs to be clearly documented is how the stride
alignment is handled for different planes.
> int v4l2_fill_pixfmt_mp(struct v4l2_pix_format_mplane *pixfmt, u32 pixelformat,
> u32 width, u32 height);
> /* @stride_alignment is a power of 2 value in bytes */
--
Regards,
Laurent Pinchart
^ permalink raw reply
* [PATCH] misc: fastrpc: release pending invoke refs on rpmsg removal
From: Yousef Alhouseen @ 2026-06-24 19:27 UTC (permalink / raw)
To: Srinivas Kandagatla, Amol Maheshwari
Cc: Arnd Bergmann, Greg Kroah-Hartman, linux-arm-msm, dri-devel,
linux-kernel, Yousef Alhouseen
fastrpc_rpmsg_remove() wakes pending invoke waiters when the rpmsg device
is removed, but it does not release the send references taken before each
request was submitted. Those references normally disappear only when a DSP
reply arrives, which cannot be relied on after endpoint removal.
Walk the channel IDR during removal, mark in-flight contexts completed,
and schedule the send-reference put while waking waiters with -EPIPE. This
prevents disconnected channels from pinning invoke contexts indefinitely.
Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
---
drivers/misc/fastrpc.c | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index 90281859a..bfdf8ab6a 100644
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -2580,30 +2580,31 @@ static int fastrpc_rpmsg_probe(struct rpmsg_device *rpdev)
return err;
}
-static void fastrpc_notify_users(struct fastrpc_user *user)
+static int fastrpc_notify_context(int id, void *ptr, void *data)
{
- struct fastrpc_invoke_ctx *ctx;
+ struct fastrpc_invoke_ctx *ctx = ptr;
- spin_lock(&user->lock);
- list_for_each_entry(ctx, &user->pending, node) {
- ctx->retval = -EPIPE;
- complete(&ctx->work);
+ if (ctx->sent && !ctx->completed) {
+ ctx->completed = true;
+ schedule_work(&ctx->put_work);
}
- spin_unlock(&user->lock);
+
+ ctx->retval = -EPIPE;
+ complete(&ctx->work);
+
+ return 0;
}
static void fastrpc_rpmsg_remove(struct rpmsg_device *rpdev)
{
struct fastrpc_channel_ctx *cctx = dev_get_drvdata(&rpdev->dev);
struct fastrpc_buf *buf, *b;
- struct fastrpc_user *user;
unsigned long flags;
/* No invocations past this point */
spin_lock_irqsave(&cctx->lock, flags);
cctx->rpdev = NULL;
- list_for_each_entry(user, &cctx->users, user)
- fastrpc_notify_users(user);
+ idr_for_each(&cctx->ctx_idr, fastrpc_notify_context, NULL);
spin_unlock_irqrestore(&cctx->lock, flags);
if (cctx->fdevice)
--
2.54.0
^ permalink raw reply related
* [PATCH v2 1/2] dt-bindings: usb: Add Rockchip RK3568 compatible for EHCI and OHCI
From: Jonas Karlman @ 2026-06-24 19:27 UTC (permalink / raw)
To: Heiko Stuebner, Rob Herring, Krzysztof Kozlowski, Conor Dooley,
Greg Kroah-Hartman
Cc: Diederik de Haas, devicetree, linux-rockchip, linux-usb,
linux-arm-kernel, linux-kernel, Jonas Karlman
In-Reply-To: <20260624192726.781864-1-jonas@kwiboo.se>
The Rockchip RK3568 EHCI/OHCI controller depends on clk_usbphy1_480m
being enabled, or the system may freeze when registers are accessed.
Add Rockchip RK3568 EHCI and OHCI compatibles with a similar four-clock
constraint as RK3588, also extend the EHCI constraint to include RK3588
to match similar requirements of RK3588.
Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
---
Existing DTs for RK3568 use the plain generic-ehci/ohci compatible,
next patch make use of these new compatibles and adds the missing
clk_usbphy1_480m clock references.
Existing DTs for RK3588 have contained the required four clocks since
the initial addition of the EHCI/OHCI nodes.
Changes in v2:
- Include rockchip,rk3588-ehci in the EHCI constraint
- Make clocks prop required for EHCI and OHCI
---
.../devicetree/bindings/usb/generic-ehci.yaml | 14 ++++++++++++++
.../devicetree/bindings/usb/generic-ohci.yaml | 7 ++++++-
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/Documentation/devicetree/bindings/usb/generic-ehci.yaml b/Documentation/devicetree/bindings/usb/generic-ehci.yaml
index 55a5aa7d7a54..a39f01e740b1 100644
--- a/Documentation/devicetree/bindings/usb/generic-ehci.yaml
+++ b/Documentation/devicetree/bindings/usb/generic-ehci.yaml
@@ -52,6 +52,7 @@ properties:
- ibm,476gtr-ehci
- nxp,lpc1850-ehci
- qca,ar7100-ehci
+ - rockchip,rk3568-ehci
- rockchip,rk3588-ehci
- snps,hsdk-v1.0-ehci
- socionext,uniphier-ehci
@@ -186,6 +187,19 @@ allOf:
required:
- clocks
- clock-names
+ - if:
+ properties:
+ compatible:
+ contains:
+ enum:
+ - rockchip,rk3568-ehci
+ - rockchip,rk3588-ehci
+ then:
+ properties:
+ clocks:
+ minItems: 4
+ required:
+ - clocks
unevaluatedProperties: false
diff --git a/Documentation/devicetree/bindings/usb/generic-ohci.yaml b/Documentation/devicetree/bindings/usb/generic-ohci.yaml
index d42f448fa204..19449a6b3033 100644
--- a/Documentation/devicetree/bindings/usb/generic-ohci.yaml
+++ b/Documentation/devicetree/bindings/usb/generic-ohci.yaml
@@ -47,6 +47,7 @@ properties:
- hpe,gxp-ohci
- ibm,476gtr-ohci
- ingenic,jz4740-ohci
+ - rockchip,rk3568-ohci
- rockchip,rk3588-ohci
- snps,hsdk-v1.0-ohci
- const: generic-ohci
@@ -198,11 +199,15 @@ allOf:
properties:
compatible:
contains:
- const: rockchip,rk3588-ohci
+ enum:
+ - rockchip,rk3568-ohci
+ - rockchip,rk3588-ohci
then:
properties:
clocks:
minItems: 4
+ required:
+ - clocks
else:
properties:
clocks:
--
2.54.0
_______________________________________________
Linux-rockchip mailing list
Linux-rockchip@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-rockchip
^ permalink raw reply related
* [PATCH v2 0/2] rockchip: Fix devices suspend freeze on RK3568/RK3566
From: Jonas Karlman @ 2026-06-24 19:27 UTC (permalink / raw)
To: Heiko Stuebner, Rob Herring, Krzysztof Kozlowski, Conor Dooley
Cc: Diederik de Haas, Greg Kroah-Hartman, devicetree, linux-rockchip,
linux-usb, linux-arm-kernel, linux-kernel, Jonas Karlman
This series fixes a system freeze during suspend in ohci_suspend() due
to clk_usbphy1_480m not being enabled when EHCI/OHCI registers are
accessed on e.g. a Raxa ROCK 3C board.
Following pm_test modes work on my ROCK 3C with the missing usbphy clk
refs added:
echo N > /sys/module/printk/parameters/console_suspend
echo devices > /sys/power/pm_test
echo platform > /sys/power/pm_test
echo processors > /sys/power/pm_test
echo core > /sys/power/pm_test
echo mem > /sys/power/state
Changes in v2:
- Include rockchip,rk3588-ehci in the EHCI constraint
- Make clocks prop required for EHCI and OHCI
- Collect t-b tag
Jonas Karlman (2):
dt-bindings: usb: Add Rockchip RK3568 compatible for EHCI and OHCI
arm64: dts: rockchip: Fix devices suspend freeze on RK3568/RK3566
.../devicetree/bindings/usb/generic-ehci.yaml | 14 ++++++++++++++
.../devicetree/bindings/usb/generic-ohci.yaml | 7 ++++++-
arch/arm64/boot/dts/rockchip/rk356x-base.dtsi | 16 ++++++++--------
3 files changed, 28 insertions(+), 9 deletions(-)
--
2.54.0
^ permalink raw reply
* [PATCH v2 0/2] rockchip: Fix devices suspend freeze on RK3568/RK3566
From: Jonas Karlman @ 2026-06-24 19:27 UTC (permalink / raw)
To: Heiko Stuebner, Rob Herring, Krzysztof Kozlowski, Conor Dooley
Cc: Diederik de Haas, Greg Kroah-Hartman, devicetree, linux-rockchip,
linux-usb, linux-arm-kernel, linux-kernel, Jonas Karlman
This series fixes a system freeze during suspend in ohci_suspend() due
to clk_usbphy1_480m not being enabled when EHCI/OHCI registers are
accessed on e.g. a Raxa ROCK 3C board.
Following pm_test modes work on my ROCK 3C with the missing usbphy clk
refs added:
echo N > /sys/module/printk/parameters/console_suspend
echo devices > /sys/power/pm_test
echo platform > /sys/power/pm_test
echo processors > /sys/power/pm_test
echo core > /sys/power/pm_test
echo mem > /sys/power/state
Changes in v2:
- Include rockchip,rk3588-ehci in the EHCI constraint
- Make clocks prop required for EHCI and OHCI
- Collect t-b tag
Jonas Karlman (2):
dt-bindings: usb: Add Rockchip RK3568 compatible for EHCI and OHCI
arm64: dts: rockchip: Fix devices suspend freeze on RK3568/RK3566
.../devicetree/bindings/usb/generic-ehci.yaml | 14 ++++++++++++++
.../devicetree/bindings/usb/generic-ohci.yaml | 7 ++++++-
arch/arm64/boot/dts/rockchip/rk356x-base.dtsi | 16 ++++++++--------
3 files changed, 28 insertions(+), 9 deletions(-)
--
2.54.0
_______________________________________________
Linux-rockchip mailing list
Linux-rockchip@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-rockchip
^ permalink raw reply
* [PATCH v2 1/2] dt-bindings: usb: Add Rockchip RK3568 compatible for EHCI and OHCI
From: Jonas Karlman @ 2026-06-24 19:27 UTC (permalink / raw)
To: Heiko Stuebner, Rob Herring, Krzysztof Kozlowski, Conor Dooley,
Greg Kroah-Hartman
Cc: Diederik de Haas, devicetree, linux-rockchip, linux-usb,
linux-arm-kernel, linux-kernel, Jonas Karlman
In-Reply-To: <20260624192726.781864-1-jonas@kwiboo.se>
The Rockchip RK3568 EHCI/OHCI controller depends on clk_usbphy1_480m
being enabled, or the system may freeze when registers are accessed.
Add Rockchip RK3568 EHCI and OHCI compatibles with a similar four-clock
constraint as RK3588, also extend the EHCI constraint to include RK3588
to match similar requirements of RK3588.
Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
---
Existing DTs for RK3568 use the plain generic-ehci/ohci compatible,
next patch make use of these new compatibles and adds the missing
clk_usbphy1_480m clock references.
Existing DTs for RK3588 have contained the required four clocks since
the initial addition of the EHCI/OHCI nodes.
Changes in v2:
- Include rockchip,rk3588-ehci in the EHCI constraint
- Make clocks prop required for EHCI and OHCI
---
.../devicetree/bindings/usb/generic-ehci.yaml | 14 ++++++++++++++
.../devicetree/bindings/usb/generic-ohci.yaml | 7 ++++++-
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/Documentation/devicetree/bindings/usb/generic-ehci.yaml b/Documentation/devicetree/bindings/usb/generic-ehci.yaml
index 55a5aa7d7a54..a39f01e740b1 100644
--- a/Documentation/devicetree/bindings/usb/generic-ehci.yaml
+++ b/Documentation/devicetree/bindings/usb/generic-ehci.yaml
@@ -52,6 +52,7 @@ properties:
- ibm,476gtr-ehci
- nxp,lpc1850-ehci
- qca,ar7100-ehci
+ - rockchip,rk3568-ehci
- rockchip,rk3588-ehci
- snps,hsdk-v1.0-ehci
- socionext,uniphier-ehci
@@ -186,6 +187,19 @@ allOf:
required:
- clocks
- clock-names
+ - if:
+ properties:
+ compatible:
+ contains:
+ enum:
+ - rockchip,rk3568-ehci
+ - rockchip,rk3588-ehci
+ then:
+ properties:
+ clocks:
+ minItems: 4
+ required:
+ - clocks
unevaluatedProperties: false
diff --git a/Documentation/devicetree/bindings/usb/generic-ohci.yaml b/Documentation/devicetree/bindings/usb/generic-ohci.yaml
index d42f448fa204..19449a6b3033 100644
--- a/Documentation/devicetree/bindings/usb/generic-ohci.yaml
+++ b/Documentation/devicetree/bindings/usb/generic-ohci.yaml
@@ -47,6 +47,7 @@ properties:
- hpe,gxp-ohci
- ibm,476gtr-ohci
- ingenic,jz4740-ohci
+ - rockchip,rk3568-ohci
- rockchip,rk3588-ohci
- snps,hsdk-v1.0-ohci
- const: generic-ohci
@@ -198,11 +199,15 @@ allOf:
properties:
compatible:
contains:
- const: rockchip,rk3588-ohci
+ enum:
+ - rockchip,rk3568-ohci
+ - rockchip,rk3588-ohci
then:
properties:
clocks:
minItems: 4
+ required:
+ - clocks
else:
properties:
clocks:
--
2.54.0
^ permalink raw reply related
* [PATCH v2 2/2] arm64: dts: rockchip: Fix devices suspend freeze on RK3568/RK3566
From: Jonas Karlman @ 2026-06-24 19:27 UTC (permalink / raw)
To: Heiko Stuebner, Rob Herring, Krzysztof Kozlowski, Conor Dooley,
Peter Geis, Michael Riesch
Cc: Diederik de Haas, Greg Kroah-Hartman, devicetree, linux-rockchip,
linux-usb, linux-arm-kernel, linux-kernel, Jonas Karlman
In-Reply-To: <20260624192726.781864-1-jonas@kwiboo.se>
The EHCI/OHCI controller depends on clk_usbphy1_480m being enabled, or
the system may freeze when registers are accessed, i.e. during suspend
in ohci_suspend().
Add the missing clk_usbphy1_480m clocks reference to EHCI/OHCI
controllers to ensure the clock is enabled when ECHI/OHCI registers are
accessed to prevent a system freeze.
Fixes suspend pm_test issue with EHCI/OHCI devices due to the missing
clk_usbphy1_480m reference and makes following pm_test modes work:
echo N > /sys/module/printk/parameters/console_suspend
echo devices > /sys/power/pm_test
echo platform > /sys/power/pm_test
echo processors > /sys/power/pm_test
echo core > /sys/power/pm_test
echo mem > /sys/power/state
Fixes: 91c4c3e06a25 ("arm64: dts: rockchip: add usb2 nodes to rk3568 device tree")
Fixes: 78f7186095db ("arm64: dts: rockchip: rename and sort the rk356x usb2 phy handles")
Tested-by: Diederik de Haas <diederik@cknow-tech.com>
Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
---
v2: Collect t-b tag
---
arch/arm64/boot/dts/rockchip/rk356x-base.dtsi | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/arch/arm64/boot/dts/rockchip/rk356x-base.dtsi b/arch/arm64/boot/dts/rockchip/rk356x-base.dtsi
index a5832895bd39..c930a6fd6ea0 100644
--- a/arch/arm64/boot/dts/rockchip/rk356x-base.dtsi
+++ b/arch/arm64/boot/dts/rockchip/rk356x-base.dtsi
@@ -321,44 +321,44 @@ its: msi-controller@fd440000 {
};
usb_host0_ehci: usb@fd800000 {
- compatible = "generic-ehci";
+ compatible = "rockchip,rk3568-ehci", "generic-ehci";
reg = <0x0 0xfd800000 0x0 0x40000>;
interrupts = <GIC_SPI 130 IRQ_TYPE_LEVEL_HIGH>;
clocks = <&cru HCLK_USB2HOST0>, <&cru HCLK_USB2HOST0_ARB>,
- <&cru PCLK_USB>;
+ <&cru PCLK_USB>, <&usb2phy1>;
phys = <&usb2phy1_otg>;
phy-names = "usb";
status = "disabled";
};
usb_host0_ohci: usb@fd840000 {
- compatible = "generic-ohci";
+ compatible = "rockchip,rk3568-ohci", "generic-ohci";
reg = <0x0 0xfd840000 0x0 0x40000>;
interrupts = <GIC_SPI 131 IRQ_TYPE_LEVEL_HIGH>;
clocks = <&cru HCLK_USB2HOST0>, <&cru HCLK_USB2HOST0_ARB>,
- <&cru PCLK_USB>;
+ <&cru PCLK_USB>, <&usb2phy1>;
phys = <&usb2phy1_otg>;
phy-names = "usb";
status = "disabled";
};
usb_host1_ehci: usb@fd880000 {
- compatible = "generic-ehci";
+ compatible = "rockchip,rk3568-ehci", "generic-ehci";
reg = <0x0 0xfd880000 0x0 0x40000>;
interrupts = <GIC_SPI 133 IRQ_TYPE_LEVEL_HIGH>;
clocks = <&cru HCLK_USB2HOST1>, <&cru HCLK_USB2HOST1_ARB>,
- <&cru PCLK_USB>;
+ <&cru PCLK_USB>, <&usb2phy1>;
phys = <&usb2phy1_host>;
phy-names = "usb";
status = "disabled";
};
usb_host1_ohci: usb@fd8c0000 {
- compatible = "generic-ohci";
+ compatible = "rockchip,rk3568-ohci", "generic-ohci";
reg = <0x0 0xfd8c0000 0x0 0x40000>;
interrupts = <GIC_SPI 134 IRQ_TYPE_LEVEL_HIGH>;
clocks = <&cru HCLK_USB2HOST1>, <&cru HCLK_USB2HOST1_ARB>,
- <&cru PCLK_USB>;
+ <&cru PCLK_USB>, <&usb2phy1>;
phys = <&usb2phy1_host>;
phy-names = "usb";
status = "disabled";
--
2.54.0
_______________________________________________
Linux-rockchip mailing list
Linux-rockchip@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-rockchip
^ permalink raw reply related
* [PATCH v2 2/2] arm64: dts: rockchip: Fix devices suspend freeze on RK3568/RK3566
From: Jonas Karlman @ 2026-06-24 19:27 UTC (permalink / raw)
To: Heiko Stuebner, Rob Herring, Krzysztof Kozlowski, Conor Dooley,
Peter Geis, Michael Riesch
Cc: Diederik de Haas, Greg Kroah-Hartman, devicetree, linux-rockchip,
linux-usb, linux-arm-kernel, linux-kernel, Jonas Karlman
In-Reply-To: <20260624192726.781864-1-jonas@kwiboo.se>
The EHCI/OHCI controller depends on clk_usbphy1_480m being enabled, or
the system may freeze when registers are accessed, i.e. during suspend
in ohci_suspend().
Add the missing clk_usbphy1_480m clocks reference to EHCI/OHCI
controllers to ensure the clock is enabled when ECHI/OHCI registers are
accessed to prevent a system freeze.
Fixes suspend pm_test issue with EHCI/OHCI devices due to the missing
clk_usbphy1_480m reference and makes following pm_test modes work:
echo N > /sys/module/printk/parameters/console_suspend
echo devices > /sys/power/pm_test
echo platform > /sys/power/pm_test
echo processors > /sys/power/pm_test
echo core > /sys/power/pm_test
echo mem > /sys/power/state
Fixes: 91c4c3e06a25 ("arm64: dts: rockchip: add usb2 nodes to rk3568 device tree")
Fixes: 78f7186095db ("arm64: dts: rockchip: rename and sort the rk356x usb2 phy handles")
Tested-by: Diederik de Haas <diederik@cknow-tech.com>
Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
---
v2: Collect t-b tag
---
arch/arm64/boot/dts/rockchip/rk356x-base.dtsi | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/arch/arm64/boot/dts/rockchip/rk356x-base.dtsi b/arch/arm64/boot/dts/rockchip/rk356x-base.dtsi
index a5832895bd39..c930a6fd6ea0 100644
--- a/arch/arm64/boot/dts/rockchip/rk356x-base.dtsi
+++ b/arch/arm64/boot/dts/rockchip/rk356x-base.dtsi
@@ -321,44 +321,44 @@ its: msi-controller@fd440000 {
};
usb_host0_ehci: usb@fd800000 {
- compatible = "generic-ehci";
+ compatible = "rockchip,rk3568-ehci", "generic-ehci";
reg = <0x0 0xfd800000 0x0 0x40000>;
interrupts = <GIC_SPI 130 IRQ_TYPE_LEVEL_HIGH>;
clocks = <&cru HCLK_USB2HOST0>, <&cru HCLK_USB2HOST0_ARB>,
- <&cru PCLK_USB>;
+ <&cru PCLK_USB>, <&usb2phy1>;
phys = <&usb2phy1_otg>;
phy-names = "usb";
status = "disabled";
};
usb_host0_ohci: usb@fd840000 {
- compatible = "generic-ohci";
+ compatible = "rockchip,rk3568-ohci", "generic-ohci";
reg = <0x0 0xfd840000 0x0 0x40000>;
interrupts = <GIC_SPI 131 IRQ_TYPE_LEVEL_HIGH>;
clocks = <&cru HCLK_USB2HOST0>, <&cru HCLK_USB2HOST0_ARB>,
- <&cru PCLK_USB>;
+ <&cru PCLK_USB>, <&usb2phy1>;
phys = <&usb2phy1_otg>;
phy-names = "usb";
status = "disabled";
};
usb_host1_ehci: usb@fd880000 {
- compatible = "generic-ehci";
+ compatible = "rockchip,rk3568-ehci", "generic-ehci";
reg = <0x0 0xfd880000 0x0 0x40000>;
interrupts = <GIC_SPI 133 IRQ_TYPE_LEVEL_HIGH>;
clocks = <&cru HCLK_USB2HOST1>, <&cru HCLK_USB2HOST1_ARB>,
- <&cru PCLK_USB>;
+ <&cru PCLK_USB>, <&usb2phy1>;
phys = <&usb2phy1_host>;
phy-names = "usb";
status = "disabled";
};
usb_host1_ohci: usb@fd8c0000 {
- compatible = "generic-ohci";
+ compatible = "rockchip,rk3568-ohci", "generic-ohci";
reg = <0x0 0xfd8c0000 0x0 0x40000>;
interrupts = <GIC_SPI 134 IRQ_TYPE_LEVEL_HIGH>;
clocks = <&cru HCLK_USB2HOST1>, <&cru HCLK_USB2HOST1_ARB>,
- <&cru PCLK_USB>;
+ <&cru PCLK_USB>, <&usb2phy1>;
phys = <&usb2phy1_host>;
phy-names = "usb";
status = "disabled";
--
2.54.0
^ permalink raw reply related
* Re: [PATCH v2] bpf: allow BPF_LOG_KERNEL from kernel space
From: bot+bpf-ci @ 2026-06-24 19:27 UTC (permalink / raw)
To: sidnayyar, ast, daniel, andrii, eddyz87, memxor, martin.lau, song,
yonghong.song, jolsa, emil
Cc: linux-kernel, bpf, sidnayyar, john.fastabend, gprocida, maennich,
ynaffit, nkapron, ast, andrii, daniel, martin.lau, eddyz87,
yonghong.song, clm, ihor.solodrai
In-Reply-To: <20260624-bpf-lskel-fixes-v2-1-e8ac5974a72c@google.com>
[-- Attachment #1: Type: text/plain, Size: 1338 bytes --]
> diff --git a/kernel/bpf/log.c b/kernel/bpf/log.c
> index b740fa73ee26..25a9f8340980 100644
> --- a/kernel/bpf/log.c
> +++ b/kernel/bpf/log.c
> @@ -21,6 +21,15 @@ static bool bpf_verifier_log_attr_valid(u32 log_level, char __user *log_buf, u32
> /* log buf without log_level is meaningless */
> if (log_buf && log_level == 0)
> return false;
> +
> + /* BPF_LOG_KERNEL is an exclusive internal mode, not a bit flag.
> + * It must be checked via strict equality to prevent it from being
> + * combined with userspace flags, which would cause the verifier
> + * to fallback to userspace logging and copy_to_user() failures.
> + */
This isn't a bug, but would it read more in line with the BPF multi-line
comment style to put the opening /* on its own line here? The text
currently starts on the same line as the opening /*:
/* BPF_LOG_KERNEL is an exclusive internal mode, not a bit flag.
* It must be checked via strict equality ...
> + if (log_level == BPF_LOG_KERNEL)
> + return true;
> +
> if (log_level & ~BPF_LOG_MASK)
> return false;
> if (log_size > UINT_MAX >> 2)
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/28121265957
^ permalink raw reply
* Re: [PATCH v8 30/46] KVM: selftests: Add helpers for calling ioctls on guest_memfd
From: Fuad Tabba @ 2026-06-24 19:26 UTC (permalink / raw)
To: ackerleytng
Cc: aik, andrew.jones, binbin.wu, brauner, chao.p.peng, david,
jmattson, jthoughton, michael.roth, oupton, pankaj.gupta, qperret,
rick.p.edgecombe, rientjes, shivankg, steven.price, willy, wyihan,
yan.y.zhao, forkloop, pratyush, suzuki.poulose, aneesh.kumar,
liam, Paolo Bonzini, Sean Christopherson, Thomas Gleixner,
Ingo Molnar, Borislav Petkov, Dave Hansen, x86, H. Peter Anvin,
Steven Rostedt, Masami Hiramatsu, Mathieu Desnoyers,
Jonathan Corbet, Shuah Khan, Shuah Khan, Vishal Annapurve,
Andrew Morton, Chris Li, Kairui Song, Kemeng Shi, Nhat Pham,
Barry Song, Axel Rasmussen, Yuanchu Xie, Wei Xu, Youngjun Park,
Qi Zheng, Shakeel Butt, Kiryl Shutsemau, Baoquan He,
Jason Gunthorpe, Vlastimil Babka, kvm, linux-kernel,
linux-trace-kernel, linux-doc, linux-kselftest, linux-mm,
linux-coco
In-Reply-To: <20260618-gmem-inplace-conversion-v8-30-9d2959357853@google.com>
On Fri, 19 Jun 2026 at 01:32, Ackerley Tng via B4 Relay
<devnull+ackerleytng.google.com@kernel.org> wrote:
>
> From: Sean Christopherson <seanjc@google.com>
>
> Add helper functions to kvm_util.h to support calling ioctls, specifically
> KVM_SET_MEMORY_ATTRIBUTES2, on a guest_memfd file descriptor.
>
> Introduce gmem_ioctl() and __gmem_ioctl() macros, modeled after the
> existing vm_ioctl() helpers, to provide a standard way to call ioctls
> on a guest_memfd.
>
> Add gmem_set_memory_attributes() and its derivatives (gmem_set_private(),
> gmem_set_shared()) to set memory attributes on a guest_memfd region.
> Also provide "__" variants that return the ioctl error code instead of
> aborting the test. These helpers will be used by upcoming guest_memfd
> tests.
>
> To avoid code duplication, factor out the check for supported memory
> attributes into a new macro, TEST_ASSERT_SUPPORTED_ATTRIBUTES, and use
> it in both the existing vm_set_memory_attributes() and the new
> gmem_set_memory_attributes() helpers.
>
> Signed-off-by: Sean Christopherson <seanjc@google.com>
> Signed-off-by: Ackerley Tng <ackerleytng@google.com>
Reviewed-by: Fuad Tabba <tabba@google.com>
Cheers,
/fuad
> ---
> tools/testing/selftests/kvm/include/kvm_util.h | 94 +++++++++++++++++++++++---
> 1 file changed, 86 insertions(+), 8 deletions(-)
>
> diff --git a/tools/testing/selftests/kvm/include/kvm_util.h b/tools/testing/selftests/kvm/include/kvm_util.h
> index 0cacf3698b259..323d06b5699ec 100644
> --- a/tools/testing/selftests/kvm/include/kvm_util.h
> +++ b/tools/testing/selftests/kvm/include/kvm_util.h
> @@ -392,6 +392,16 @@ static __always_inline void static_assert_is_vcpu(struct kvm_vcpu *vcpu) { }
> __TEST_ASSERT_VM_VCPU_IOCTL(!ret, #cmd, ret, (vcpu)->vm); \
> })
>
> +#define __gmem_ioctl(gmem_fd, cmd, arg) \
> + kvm_do_ioctl(gmem_fd, cmd, arg)
> +
> +#define gmem_ioctl(gmem_fd, cmd, arg) \
> +({ \
> + int ret = __gmem_ioctl(gmem_fd, cmd, arg); \
> + \
> + TEST_ASSERT(!ret, __KVM_IOCTL_ERROR(#cmd, ret)); \
> +})
> +
> /*
> * Looks up and returns the value corresponding to the capability
> * (KVM_CAP_*) given by cap.
> @@ -418,8 +428,16 @@ static inline void vm_enable_cap(struct kvm_vm *vm, u32 cap, u64 arg0)
> vm_ioctl(vm, KVM_ENABLE_CAP, &enable_cap);
> }
>
> +/*
> + * KVM_SET_MEMORY_ATTRIBUTES{,2} overwrites _all_ attributes. These
> + * flows need significant enhancements to support multiple attributes.
> + */
> +#define TEST_ASSERT_SUPPORTED_ATTRIBUTES(attributes) \
> + TEST_ASSERT(!(attributes) || (attributes) == KVM_MEMORY_ATTRIBUTE_PRIVATE, \
> + "Update me to support multiple attributes!")
> +
> static inline void vm_set_memory_attributes(struct kvm_vm *vm, gpa_t gpa,
> - u64 size, u64 attributes)
> + size_t size, u64 attributes)
> {
> struct kvm_memory_attributes attr = {
> .attributes = attributes,
> @@ -428,17 +446,11 @@ static inline void vm_set_memory_attributes(struct kvm_vm *vm, gpa_t gpa,
> .flags = 0,
> };
>
> - /*
> - * KVM_SET_MEMORY_ATTRIBUTES overwrites _all_ attributes. These flows
> - * need significant enhancements to support multiple attributes.
> - */
> - TEST_ASSERT(!attributes || attributes == KVM_MEMORY_ATTRIBUTE_PRIVATE,
> - "Update me to support multiple attributes!");
> + TEST_ASSERT_SUPPORTED_ATTRIBUTES(attributes);
>
> vm_ioctl(vm, KVM_SET_MEMORY_ATTRIBUTES, &attr);
> }
>
> -
> static inline void vm_mem_set_private(struct kvm_vm *vm, gpa_t gpa,
> u64 size)
> {
> @@ -451,6 +463,72 @@ static inline void vm_mem_set_shared(struct kvm_vm *vm, gpa_t gpa,
> vm_set_memory_attributes(vm, gpa, size, 0);
> }
>
> +static inline int __gmem_set_memory_attributes(int fd, u64 offset,
> + size_t size, u64 attributes,
> + u64 *error_offset)
> +{
> + struct kvm_memory_attributes2 attr = {
> + .attributes = attributes,
> + .offset = offset,
> + .size = size,
> + .flags = 0,
> + .error_offset = 0,
> + };
> + int r;
> +
> + r = __gmem_ioctl(fd, KVM_SET_MEMORY_ATTRIBUTES2, &attr);
> +
> + /* Copy error_offset regardless of r so caller can check. */
> + if (error_offset)
> + *error_offset = attr.error_offset;
> +
> + return r;
> +}
> +
> +static inline int __gmem_set_private(int fd, u64 offset, size_t size,
> + u64 *error_offset)
> +{
> + return __gmem_set_memory_attributes(fd, offset, size,
> + KVM_MEMORY_ATTRIBUTE_PRIVATE,
> + error_offset);
> +}
> +
> +static inline int __gmem_set_shared(int fd, u64 offset, size_t size,
> + u64 *error_offset)
> +{
> + return __gmem_set_memory_attributes(fd, offset, size, 0,
> + error_offset);
> +}
> +
> +static inline void gmem_set_memory_attributes(int fd, u64 offset,
> + size_t size, u64 attributes)
> +{
> + struct kvm_memory_attributes2 attr = {
> + .attributes = attributes,
> + .offset = offset,
> + .size = size,
> + .flags = 0,
> + };
> +
> + TEST_ASSERT_SUPPORTED_ATTRIBUTES(attributes);
> +
> + __TEST_REQUIRE(kvm_check_cap(KVM_CAP_GUEST_MEMFD_MEMORY_ATTRIBUTES) > 0,
> + "No valid attributes for guest_memfd ioctl!");
> +
> + gmem_ioctl(fd, KVM_SET_MEMORY_ATTRIBUTES2, &attr);
> +}
> +
> +static inline void gmem_set_private(int fd, u64 offset, size_t size)
> +{
> + gmem_set_memory_attributes(fd, offset, size,
> + KVM_MEMORY_ATTRIBUTE_PRIVATE);
> +}
> +
> +static inline void gmem_set_shared(int fd, u64 offset, size_t size)
> +{
> + gmem_set_memory_attributes(fd, offset, size, 0);
> +}
> +
> void vm_guest_mem_fallocate(struct kvm_vm *vm, gpa_t gpa, u64 size,
> bool punch_hole);
>
>
> --
> 2.55.0.rc0.738.g0c8ab3ebcc-goog
>
>
^ permalink raw reply
* Re: [PATCH v8 29/46] KVM: selftests: Add selftests global for guest memory attributes capability
From: Fuad Tabba @ 2026-06-24 19:26 UTC (permalink / raw)
To: ackerleytng
Cc: aik, andrew.jones, binbin.wu, brauner, chao.p.peng, david,
jmattson, jthoughton, michael.roth, oupton, pankaj.gupta, qperret,
rick.p.edgecombe, rientjes, shivankg, steven.price, willy, wyihan,
yan.y.zhao, forkloop, pratyush, suzuki.poulose, aneesh.kumar,
liam, Paolo Bonzini, Sean Christopherson, Thomas Gleixner,
Ingo Molnar, Borislav Petkov, Dave Hansen, x86, H. Peter Anvin,
Steven Rostedt, Masami Hiramatsu, Mathieu Desnoyers,
Jonathan Corbet, Shuah Khan, Shuah Khan, Vishal Annapurve,
Andrew Morton, Chris Li, Kairui Song, Kemeng Shi, Nhat Pham,
Barry Song, Axel Rasmussen, Yuanchu Xie, Wei Xu, Youngjun Park,
Qi Zheng, Shakeel Butt, Kiryl Shutsemau, Baoquan He,
Jason Gunthorpe, Vlastimil Babka, kvm, linux-kernel,
linux-trace-kernel, linux-doc, linux-kselftest, linux-mm,
linux-coco
In-Reply-To: <20260618-gmem-inplace-conversion-v8-29-9d2959357853@google.com>
On Fri, 19 Jun 2026 at 01:32, Ackerley Tng via B4 Relay
<devnull+ackerleytng.google.com@kernel.org> wrote:
>
> From: Sean Christopherson <seanjc@google.com>
>
> Add a global variable, kvm_has_gmem_attributes, to make the result of
> checking for KVM_CAP_GUEST_MEMFD_MEMORY_ATTRIBUTES available to all tests.
>
> kvm_has_gmem_attributes is true if guest_memfd tracks memory attributes, as
> opposed to VM-level tracking.
>
> This global variable is synced to the guest for testing convenience, to
> avoid introducing subtle bugs when host/guest state is desynced.
>
> Signed-off-by: Sean Christopherson <seanjc@google.com>
> Signed-off-by: Ackerley Tng <ackerleytng@google.com>
Reviewed-by: Fuad Tabba <tabba@google.com>
Cheers,
/fuad
> ---
> tools/testing/selftests/kvm/include/test_util.h | 2 ++
> tools/testing/selftests/kvm/lib/kvm_util.c | 5 +++++
> 2 files changed, 7 insertions(+)
>
> diff --git a/tools/testing/selftests/kvm/include/test_util.h b/tools/testing/selftests/kvm/include/test_util.h
> index a56271c237ae9..51287fac8138a 100644
> --- a/tools/testing/selftests/kvm/include/test_util.h
> +++ b/tools/testing/selftests/kvm/include/test_util.h
> @@ -115,6 +115,8 @@ struct guest_random_state {
> extern u32 guest_random_seed;
> extern struct guest_random_state guest_rng;
>
> +extern bool kvm_has_gmem_attributes;
> +
> struct guest_random_state new_guest_random_state(u32 seed);
> u32 guest_random_u32(struct guest_random_state *state);
>
> diff --git a/tools/testing/selftests/kvm/lib/kvm_util.c b/tools/testing/selftests/kvm/lib/kvm_util.c
> index d5bbc80b2bf1c..b73817f7bc803 100644
> --- a/tools/testing/selftests/kvm/lib/kvm_util.c
> +++ b/tools/testing/selftests/kvm/lib/kvm_util.c
> @@ -24,6 +24,8 @@ u32 guest_random_seed;
> struct guest_random_state guest_rng;
> static u32 last_guest_seed;
>
> +bool kvm_has_gmem_attributes;
> +
> static size_t vcpu_mmap_sz(void);
>
> int __open_path_or_exit(const char *path, int flags, const char *enoent_help)
> @@ -521,6 +523,7 @@ struct kvm_vm *__vm_create(struct vm_shape shape, u32 nr_runnable_vcpus,
> }
> guest_rng = new_guest_random_state(guest_random_seed);
> sync_global_to_guest(vm, guest_rng);
> + sync_global_to_guest(vm, kvm_has_gmem_attributes);
>
> kvm_arch_vm_post_create(vm, nr_runnable_vcpus);
>
> @@ -2286,6 +2289,8 @@ void __attribute((constructor)) kvm_selftest_init(void)
> guest_random_seed = last_guest_seed = random();
> pr_info("Random seed: 0x%x\n", guest_random_seed);
>
> + kvm_has_gmem_attributes = kvm_has_cap(KVM_CAP_GUEST_MEMFD_MEMORY_ATTRIBUTES);
> +
> kvm_selftest_arch_init();
> }
>
>
> --
> 2.55.0.rc0.738.g0c8ab3ebcc-goog
>
>
^ permalink raw reply
* [PATCH] misc: fastrpc: drop invoke context on interrupted waits
From: Yousef Alhouseen @ 2026-06-24 19:25 UTC (permalink / raw)
To: Srinivas Kandagatla, Amol Maheshwari
Cc: Arnd Bergmann, Greg Kroah-Hartman, linux-arm-msm, dri-devel,
linux-kernel, Yousef Alhouseen
fastrpc_internal_invoke() skips removing and dropping the invoke context
when userspace wait is interrupted or a kernel invoke times out. The
context remains on the user's pending list even after a later DSP reply
consumes the send reference.
Remove the context from the pending list and drop the caller reference for
all exits. A late DSP reply still holds the send reference until the
callback releases it, but interrupted callers no longer pin completed
contexts for the lifetime of the file.
Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
---
drivers/misc/fastrpc.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index 4b258dbcd..90281859a 100644
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -1379,14 +1379,6 @@ static int fastrpc_internal_invoke(struct fastrpc_user *fl, u32 kernel,
goto bail;
bail:
- if (err != -ERESTARTSYS && err != -ETIMEDOUT) {
- /* We are done with this compute context */
- spin_lock(&fl->lock);
- list_del(&ctx->node);
- spin_unlock(&fl->lock);
- fastrpc_context_put(ctx);
- }
-
if (err == -ERESTARTSYS) {
list_for_each_entry_safe(buf, b, &fl->mmaps, node) {
list_del(&buf->node);
@@ -1394,6 +1386,13 @@ static int fastrpc_internal_invoke(struct fastrpc_user *fl, u32 kernel,
}
}
+ /* We are done with this compute context */
+ spin_lock(&fl->lock);
+ if (!list_empty(&ctx->node))
+ list_del_init(&ctx->node);
+ spin_unlock(&fl->lock);
+ fastrpc_context_put(ctx);
+
if (err)
dev_dbg(fl->sctx->dev, "Error: Invoke Failed %d\n", err);
--
2.54.0
^ permalink raw reply related
* Re: [PATCH] x86: Avoid divide by 0 in amd_smn_init()
From: Borislav Petkov @ 2026-06-24 19:25 UTC (permalink / raw)
To: Jason Andryuk
Cc: Andrew Cooper, Mario Limonciello, Yazen Ghannam, Thomas Gleixner,
Ingo Molnar, Dave Hansen, x86, H. Peter Anvin, Penny Zheng,
stable, linux-kernel
In-Reply-To: <4b551319-0a04-47d2-bc57-2f0d4d9923a9@amd.com>
On Wed, Jun 24, 2026 at 03:08:08PM -0400, Jason Andryuk wrote:
> I think Ingo's suggestion to re-add the check will at least get systems
> booting again. Then when Xen SMN accesses is sorted out, that can be
> changed as necessary.
You could do something like the totally untested thing (I'm hoping dom0 sets
X86_FEATURE_XENPV):
...
roots_per_node = num_roots / num_nodes;
if (!roots_per_node) {
if (!cpu_feature_enabled(X86_FEATURE_XENPV))
pr_err(FW_BUG "Error detecting roots per node.");
roots_per_node = 1;
}
until we sort it out and as a stable fix perhaps...
Thx.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
^ permalink raw reply
* Re: [PATCH] vfio/type1: validate dirty bitmap page size before use
From: sashiko-bot @ 2026-06-24 19:25 UTC (permalink / raw)
To: Yousef Alhouseen; +Cc: kvm
In-Reply-To: <20260624191204.3774-1-alhouseenyousef@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Calling `__ffs()` and `__fls()` with an argument of 0 results in undefined behavior when userspace passes `dirty.flags = 0`.
--
commit 38ca5c3a7cef062b9bd643fc4332459f28940553
Author: Yousef Alhouseen <alhouseenyousef@gmail.com>
vfio/type1: validate dirty bitmap page size before use
The dirty bitmap ioctl paths derive a shift with __ffs() from the userspace
supplied bitmap page size before comparing it with the IOMMU page size. A zero
page size has undefined behavior, and a non-power-of-2 value makes the bitmap
size check use a different granularity than the page size later accepted by
the ioctl.
> diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
> index c8151ba54de33..9499381d06a20 100644
> --- a/drivers/vfio/vfio_iommu_type1.c
> +++ b/drivers/vfio/vfio_iommu_type1.c
[ ... ]
> @@ -3039,6 +3043,9 @@ static int vfio_iommu_type1_dirty_pages(struct vfio_iommu *iommu,
[Severity: High]
This isn't a bug introduced by this patch, but does calling __ffs() and
__fls() with an argument of 0 result in undefined behavior when userspace
passes dirty.flags set to 0?
In vfio_iommu_type1_dirty_pages():
if (dirty.argsz < minsz || dirty.flags & ~mask)
return -EINVAL;
/* only one flag should be set at a time */
if (__ffs(dirty.flags) != __fls(dirty.flags))
return -EINVAL;
If dirty.flags is 0, the mask check evaluates to 0 and passes, allowing
__ffs(0) and __fls(0) to execute. Since these macros map to __builtin_ctzl
and __builtin_clzl, this results in undefined behavior.
Could this be triggered by userspace to cause a denial of service?
> range.bitmap.size))
> return -EINVAL;
>
> + if (!is_power_of_2(range.bitmap.pgsize))
> + return -EINVAL;
> +
> pgshift = __ffs(range.bitmap.pgsize);
> ret = verify_bitmap_size(size >> pgshift,
> range.bitmap.size);
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260624191204.3774-1-alhouseenyousef@gmail.com?part=1
^ permalink raw reply
* Re: mm: opaque hardware page-table entry handles
From: Pedro Falcato @ 2026-06-24 19:25 UTC (permalink / raw)
To: Usama Anjum
Cc: Andrew Morton, Lorenzo Stoakes, David Hildenbrand,
Liam R. Howlett, Mike Rapoport, Ryan Roberts, Anshuman Khandual,
Catalin Marinas, Will Deacon, Samuel Holland, linux-mm,
linux-arm-kernel, linux-kernel
In-Reply-To: <74182e50-b54f-4d2d-a27f-3a59a538d6bc@arm.com>
On Wed, Jun 24, 2026 at 03:09:08PM +0100, Usama Anjum wrote:
> Hi all,
>
> This is a direction-check with the wider community before spending time on the
> development. This picks up the idea that was raised and broadly agreed in the
> earlier thread (Ryan Roberts, Lorenzo Stoakes, David Hildenbrand) [1].
>
> The problem
> -----------
> Core MM code reaches page-table entries by raw pointer dereference (pte_t *,
> pmd_t *, *pud, ...) in places, implicitly assuming a single, uniform
> representation. Sprinkling getters wouldn't solve the problem entirely. The
> problem is one level up: the *pointer type* itself is overloaded. At each level
> there are really three distinct things:
>
> 1. a page-table entry value (pte_t, pmd_t, ...)
> 2. a pointer to an entry value, e.g. a pXX_t on the stack
> 3. a pointer to a live entry in the hardware page table
>
> Today (2) and (3) share the same type - pte_t *, pmd_t *, and so on. Nothing
> distinguishes a pointer into a live table from a pointer to a stack copy.
>
> A pointer to an on-stack entry value and a pointer to a live hardware entry have
> the same type, so the compiler cannot distinguish them. Passing the stack
> pointer to an arch helper that expects a hardware-entry pointer compiles fine,
> but is wrong - a bug class the type system makes invisible. It also blocks
> evolution: an arch helper may need to read beyond the addressed entry (e.g.
> adjacent or contiguous entries), which only makes sense for a real page-table
> pointer, not a stack copy.
>
> The idea
> --------
> Give (3) its own opaque type that cannot be dereferenced:
>
> /* opaque handle to a HW page-table entry; not dereferenceable */
> typedef struct {
> pte_t *ptr;
> } hw_ptep;
I don't love typedefs that hide pointers.
>
> With this:
>
> - a stack value can no longer masquerade as a hardware table entry,
> - a hardware handle can no longer be raw-dereferenced,
> - cases that genuinely operate on a value can be refactored to pass the value
> and let the caller, which knows whether it holds a handle or a stack copy,
> read it once.
Just a small passing comment: how about doing it differently? like
typedef struct {
pte_t *ptep;
} sw_ptep_t;
or something like that. Were I to guess, referring to a pte_t on the stack
is much rarer than all the pte_t references to actual page tables. But maybe
reality doesn't match up with my guess :)
>
> The overload becomes a compile-time type error instead of a silent runtime bug,
> and converting the tree forces every such site to be made explicit. This gives
> us a framework where the architecture can completely virtualize the pgtable if
> it likes; and the compiler can enforce that higher level code can't accidentally
> work around it.
>
> It is opt-in by architectures and incremental. The generic definition is
> just an alias, so arches that do not care build unchanged:
>
> typedef pte_t *hw_ptep;
>
> An arch flips to the strong struct type when it is ready, and only then does
> it get the stronger checking. This lets the conversion land gradually.
>
> Beyond fixing the latent bug class, this abstraction is an enabler for upcoming
> features that need tighter control over how page tables are accessed and
> manipulated.
>
> Getter flavours
> ---------------
> While converting, it is useful to have two accessor flavours at each level:
>
> - pXXp_get(hw_ptep) plain C dereference (compiler may optimize)
> - pXXp_get_once(hw_ptep) single-copy-atomic, not torn, elided or
> duplicated by the compiler
>
> Keeping them distinct simplifies the conversion and avoids re-introducing the
> class of lockless-read bugs seen on 32-bit.
>
> Example conversion
> ------------------
> Most of the conversion is mechanical.
>
> -static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
> - pte_t *ptep, pte_t pte, unsigned int nr)
> +static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
> + hw_ptep ptep, pte_t pte, unsigned int nr)
> {
> page_table_check_ptes_set(mm, addr, ptep, pte, nr);
> for (;;) {
> set_pte(ptep, pte);
> if (--nr == 0)
> break;
> - ptep++;
> + ptep = hw_pte_next(ptep);
> pte = pte_next_pfn(pte);
> }
> }
>
> The bulk of work is this kind of rote substitution. The genuine work is the
> handful of sites that turn out to be operating on a stack copy rather than a
> live entry - those are exactly the ones the new type forces us to surface and
> fix.
>
> Estimated churn:
> ----------------
> Half way through the prototyping converting only PTE and PMD levels:
> 77 files changed, +1801 / -1425
> ~57 files reference the new types
Right, the churn would be very unfortunate.
>
> So the line count will grow once PUD/P4D/PGD and the remaining call sites are
> converted; expect meaningfully more churn than the numbers above.
>
> Introduce the type as an alias, convert one helper family per patch, and flip
> an arch to the strong type last - with non-opted arches building unchanged at
> every step.
>
> Open questions
> --------------
> - Is the type-safety + future-feature enablement worth the churn?
> - Naming: hw_ptep/hw_pmdp vs something else?
> - Should all five levels be converted before merging anything, or is a staged
> PTE-and-PMD then landing others acceptable?
> - Do we want the two getter flavours (pXXp_get / pXXp_get_once) at every
> level?
>
> [1] https://lore.kernel.org/all/a063f6c5-2785-4a9f-8079-25edb3e54cef@arm.com
>
> Thanks,
> Usama
>
--
Pedro
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.