* [PATCH 6.18 19/60] rose: fix netdev double-hold in rose_rx_call_request()
From: Greg Kroah-Hartman @ 2026-06-25 13:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bernard Pidoux
In-Reply-To: <20260625125645.554579168@linuxfoundation.org>
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bernard Pidoux <bernard.f6bvp@gmail.com>
commit c675277c3ba0d2310e0825577d58308c39931e14 upstream.
rose_rx_call_request() used netdev_tracker_alloc() after assigning
make_rose->device, intending to take ownership of the reference passed
by the caller. But every caller -- rose_route_frame() and
rose_loopback_timer() -- already calls dev_put() for its own hold after
the function returns, so the socket ended up with a tracker entry
pointing at a reference that had already been released.
The result was spurious refcount_t warnings ("saturated", "decrement
hit 0") on every incoming CALL_REQUEST, leading to refcount corruption
and eventual silent freeze.
Replace netdev_tracker_alloc() with netdev_hold() so that
rose_rx_call_request() acquires its own independent reference. Each
caller retains its own hold from rose_dev_get() and releases it via
dev_put() as before; socket cleanup releases the socket's separate hold
via netdev_put().
Signed-off-by: Bernard Pidoux <bernard.f6bvp@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rose/af_rose.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -1078,9 +1078,11 @@ int rose_rx_call_request(struct sk_buff
make_rose->source_digis[n] = facilities.source_digis[n];
make_rose->neighbour = neigh;
make_rose->device = dev;
- /* Caller got a reference for us. */
- netdev_tracker_alloc(make_rose->device, &make_rose->dev_tracker,
- GFP_ATOMIC);
+ /* Take an independent reference for this socket; callers keep their
+ * own reference (from rose_dev_get / dev_hold) and will release it
+ * themselves via dev_put().
+ */
+ netdev_hold(make_rose->device, &make_rose->dev_tracker, GFP_ATOMIC);
make_rose->facilities = facilities;
rose_neigh_hold(make_rose->neighbour);
^ permalink raw reply
* [PATCH 6.18 18/60] rose: guard rose_neigh_put() against NULL in timer expiry
From: Greg Kroah-Hartman @ 2026-06-25 13:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bernard Pidoux
In-Reply-To: <20260625125645.554579168@linuxfoundation.org>
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bernard Pidoux <bernard.f6bvp@gmail.com>
commit 2b67342c6ff899a0b83359517146a5b7b243af97 upstream.
In rose_timer_expiry(), the ROSE_STATE_2 branch calls
rose_neigh_put(rose->neighbour) without first checking whether the
pointer is NULL. After commit 5de7665e0a07 ("net: rose: fix timer
races against user threads") the timer is re-armed when the socket is
owned by a user thread; between the re-arm and the next firing, a
device-down event or concurrent teardown via rose_kill_by_device() can
set rose->neighbour to NULL, leading to a NULL-pointer dereference
inside rose_neigh_put().
Add a NULL check before the put and clear the pointer afterwards.
Fixes: 5de7665e0a07 ("net: rose: fix timer races against user threads")
Signed-off-by: Bernard Pidoux <bernard.f6bvp@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rose/rose_timer.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/net/rose/rose_timer.c
+++ b/net/rose/rose_timer.c
@@ -180,7 +180,10 @@ static void rose_timer_expiry(struct tim
break;
case ROSE_STATE_2: /* T3 */
- rose_neigh_put(rose->neighbour);
+ if (rose->neighbour) {
+ rose_neigh_put(rose->neighbour);
+ rose->neighbour = NULL;
+ }
rose_disconnect(sk, ETIMEDOUT, -1, -1);
break;
^ permalink raw reply
* [PATCH 6.18 17/60] rose: clear neighbour pointer after rose_neigh_put() in state machines
From: Greg Kroah-Hartman @ 2026-06-25 13:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bernard Pidoux
In-Reply-To: <20260625125645.554579168@linuxfoundation.org>
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bernard Pidoux <bernard.f6bvp@gmail.com>
commit e8eb0c6faa8849ba7769516c1a8c84d9f612acf6 upstream.
After calling rose_neigh_put() in rose_state1_machine() through
rose_state5_machine(), rose->neighbour was left pointing at the
potentially freed neighbour structure. A subsequent timer expiry or
concurrent teardown path could dereference the stale pointer, causing
a use-after-free.
Set rose->neighbour to NULL immediately after each rose_neigh_put()
call in the state machine functions.
Fixes: d860d1faa6b2 ("net: rose: convert 'use' field to refcount_t")
Signed-off-by: Bernard Pidoux <bernard.f6bvp@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rose/rose_in.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/net/rose/rose_in.c
+++ b/net/rose/rose_in.c
@@ -57,6 +57,7 @@ static int rose_state1_machine(struct so
rose_write_internal(sk, ROSE_CLEAR_CONFIRMATION);
rose_disconnect(sk, ECONNREFUSED, skb->data[3], skb->data[4]);
rose_neigh_put(rose->neighbour);
+ rose->neighbour = NULL;
break;
default:
@@ -80,11 +81,13 @@ static int rose_state2_machine(struct so
rose_write_internal(sk, ROSE_CLEAR_CONFIRMATION);
rose_disconnect(sk, 0, skb->data[3], skb->data[4]);
rose_neigh_put(rose->neighbour);
+ rose->neighbour = NULL;
break;
case ROSE_CLEAR_CONFIRMATION:
rose_disconnect(sk, 0, -1, -1);
rose_neigh_put(rose->neighbour);
+ rose->neighbour = NULL;
break;
default:
@@ -122,6 +125,7 @@ static int rose_state3_machine(struct so
rose_write_internal(sk, ROSE_CLEAR_CONFIRMATION);
rose_disconnect(sk, 0, skb->data[3], skb->data[4]);
rose_neigh_put(rose->neighbour);
+ rose->neighbour = NULL;
break;
case ROSE_RR:
@@ -235,6 +239,7 @@ static int rose_state4_machine(struct so
rose_write_internal(sk, ROSE_CLEAR_CONFIRMATION);
rose_disconnect(sk, 0, skb->data[3], skb->data[4]);
rose_neigh_put(rose->neighbour);
+ rose->neighbour = NULL;
break;
default:
@@ -255,6 +260,7 @@ static int rose_state5_machine(struct so
rose_write_internal(sk, ROSE_CLEAR_CONFIRMATION);
rose_disconnect(sk, 0, skb->data[3], skb->data[4]);
rose_neigh_put(rose_sk(sk)->neighbour);
+ rose_sk(sk)->neighbour = NULL;
}
return 0;
^ permalink raw reply
* [PATCH 6.18 16/60] rose: fix race between loopback timer and module removal
From: Greg Kroah-Hartman @ 2026-06-25 13:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bernard Pidoux
In-Reply-To: <20260625125645.554579168@linuxfoundation.org>
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bernard Pidoux <bernard.f6bvp@gmail.com>
commit 47dd6ec1a77d77895afb00aa2e68373a48289108 upstream.
rose_loopback_clear() called timer_delete() which returns immediately
without waiting for any running callback to complete. If the timer
fired concurrently with module removal, rose_loopback_timer() could
re-arm the timer after timer_delete() returned and then access
rose_loopback_neigh after it was freed.
Two complementary changes close the race:
1. Add a loopback_stopping atomic flag. rose_loopback_timer() checks
it at entry (before acquiring a reference) and again inside the
loop; when set it drains the queue and exits without re-arming the
timer.
2. Switch rose_loopback_clear() to timer_delete_sync() so it blocks
until any in-flight callback has returned before freeing resources.
The smp_mb() between setting the flag and calling timer_delete_sync()
ensures the flag is visible to any callback that is about to run.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Bernard Pidoux <bernard.f6bvp@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rose/rose_loopback.c | 31 ++++++++++++++++++++++++-------
1 file changed, 24 insertions(+), 7 deletions(-)
--- a/net/rose/rose_loopback.c
+++ b/net/rose/rose_loopback.c
@@ -12,13 +12,15 @@
#include <net/rose.h>
#include <linux/init.h>
-static struct sk_buff_head loopback_queue;
#define ROSE_LOOPBACK_LIMIT 1000
-static struct timer_list loopback_timer;
+static struct timer_list loopback_timer;
+static struct sk_buff_head loopback_queue;
static void rose_set_loopback_timer(void);
static void rose_loopback_timer(struct timer_list *unused);
+static atomic_t loopback_stopping = ATOMIC_INIT(0);
+
void rose_loopback_init(void)
{
skb_queue_head_init(&loopback_queue);
@@ -66,6 +68,9 @@ static void rose_loopback_timer(struct t
unsigned int lci_i, lci_o;
int count;
+ if (atomic_read(&loopback_stopping))
+ return;
+
if (rose_loopback_neigh)
rose_neigh_hold(rose_loopback_neigh);
else
@@ -75,6 +80,13 @@ static void rose_loopback_timer(struct t
skb = skb_dequeue(&loopback_queue);
if (!skb)
goto out;
+
+ if (atomic_read(&loopback_stopping)) {
+ kfree_skb(skb);
+ skb_queue_purge(&loopback_queue);
+ goto out;
+ }
+
if (skb->len < ROSE_MIN_LEN) {
kfree_skb(skb);
continue;
@@ -118,7 +130,7 @@ static void rose_loopback_timer(struct t
out:
rose_neigh_put(rose_loopback_neigh);
- if (!skb_queue_empty(&loopback_queue))
+ if (!atomic_read(&loopback_stopping) && !skb_queue_empty(&loopback_queue))
mod_timer(&loopback_timer, jiffies + 1);
}
@@ -126,10 +138,15 @@ void __exit rose_loopback_clear(void)
{
struct sk_buff *skb;
- timer_delete(&loopback_timer);
+ atomic_set(&loopback_stopping, 1);
+ /* Pairs with atomic_read() in rose_loopback_timer(): ensure the
+ * stopping flag is visible before we cancel, so a concurrent
+ * callback aborts its loop early rather than re-arming the timer.
+ */
+ smp_mb();
+
+ timer_delete_sync(&loopback_timer);
- while ((skb = skb_dequeue(&loopback_queue)) != NULL) {
- skb->sk = NULL;
+ while ((skb = skb_dequeue(&loopback_queue)) != NULL)
kfree_skb(skb);
- }
}
^ permalink raw reply
* [PATCH 6.18 15/60] rose: hold loopback neighbour reference across timer callback
From: Greg Kroah-Hartman @ 2026-06-25 13:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bernard Pidoux
In-Reply-To: <20260625125645.554579168@linuxfoundation.org>
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bernard Pidoux <bernard.f6bvp@gmail.com>
commit d270a7a5793af84555c40dd1eb80f1d497fdf53c upstream.
rose_loopback_timer() dereferences rose_loopback_neigh throughout its
body but holds no reference on it. A concurrent rose_loopback_clear()
followed by rose_add_loopback_neigh() could free and reallocate the
neighbour while the timer body is running, causing a use-after-free.
Take a reference with rose_neigh_hold() at the start of the callback
(bailing out if the pointer is already NULL) and release it with
rose_neigh_put() at the single exit point. The neigh cannot be freed
while the callback holds a reference.
Fixes: d860d1faa6b2 ("net: rose: convert 'use' field to refcount_t")
Signed-off-by: Bernard Pidoux <bernard.f6bvp@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rose/rose_loopback.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
--- a/net/rose/rose_loopback.c
+++ b/net/rose/rose_loopback.c
@@ -66,10 +66,15 @@ static void rose_loopback_timer(struct t
unsigned int lci_i, lci_o;
int count;
+ if (rose_loopback_neigh)
+ rose_neigh_hold(rose_loopback_neigh);
+ else
+ return;
+
for (count = 0; count < ROSE_LOOPBACK_LIMIT; count++) {
skb = skb_dequeue(&loopback_queue);
if (!skb)
- return;
+ goto out;
if (skb->len < ROSE_MIN_LEN) {
kfree_skb(skb);
continue;
@@ -109,6 +114,10 @@ static void rose_loopback_timer(struct t
kfree_skb(skb);
}
}
+
+out:
+ rose_neigh_put(rose_loopback_neigh);
+
if (!skb_queue_empty(&loopback_queue))
mod_timer(&loopback_timer, jiffies + 1);
}
^ permalink raw reply
* [PATCH 6.18 14/60] rose: fix dev_put() leak in rose_loopback_timer()
From: Greg Kroah-Hartman @ 2026-06-25 13:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bernard Pidoux
In-Reply-To: <20260625125645.554579168@linuxfoundation.org>
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bernard Pidoux <bernard.f6bvp@gmail.com>
commit ff91adc54db2b62c7cdf063ff761eceb5adf2215 upstream.
rose_rx_call_request() always consumes or returns the skb but never
releases the device reference obtained from rose_dev_get(). When
rose_rx_call_request() succeeds (returns non-zero) dev_put() was never
called, leaking one reference per loopback CALL_REQUEST.
Move dev_put() outside the conditional so it is called unconditionally
after rose_rx_call_request() in all cases.
Also remove the dead check (!rose_loopback_neigh->dev &&
!rose_loopback_neigh->loopback) that immediately precedes it: the
loopback neighbour always has loopback=1 so this condition can never
be true.
Fixes: 0453c6824595 ("net/rose: fix unbound loop in rose_loopback_timer()")
Signed-off-by: Bernard Pidoux <bernard.f6bvp@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rose/rose_loopback.c | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)
--- a/net/rose/rose_loopback.c
+++ b/net/rose/rose_loopback.c
@@ -96,22 +96,15 @@ static void rose_loopback_timer(struct t
}
if (frametype == ROSE_CALL_REQUEST) {
- if (!rose_loopback_neigh->dev &&
- !rose_loopback_neigh->loopback) {
- kfree_skb(skb);
- continue;
- }
-
dev = rose_dev_get(dest);
if (!dev) {
kfree_skb(skb);
continue;
}
- if (rose_rx_call_request(skb, dev, rose_loopback_neigh, lci_o) == 0) {
- dev_put(dev);
+ if (rose_rx_call_request(skb, dev, rose_loopback_neigh, lci_o) == 0)
kfree_skb(skb);
- }
+ dev_put(dev);
} else {
kfree_skb(skb);
}
^ permalink raw reply
* [PATCH 6.18 05/60] debugobjects: Allow to refill the pool before SYSTEM_SCHEDULING
From: Greg Kroah-Hartman @ 2026-06-25 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Andrzej Siewior,
Thomas Gleixner, Sasha Levin
In-Reply-To: <20260625125645.554579168@linuxfoundation.org>
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
commit 06e0ae988f6e3499785c407429953ade19c1096b upstream.
The pool of free objects is refilled on several occasions such as object
initialisation. On PREEMPT_RT refilling is limited to preemptible
sections due to sleeping locks used by the memory allocator. The system
boots with disabled interrupts so the pool can not be refilled.
If too many objects are initialized and the pool gets empty then
debugobjects disables itself.
Refiling can also happen early in the boot with disabled interrupts as
long as the scheduler is not operational. If the scheduler can not
preempt a task then a sleeping lock can not be contended.
Allow to additionally refill the pool if the scheduler is not
operational.
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://patch.msgid.link/20251127153652.291697-2-bigeasy@linutronix.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/debugobjects.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/debugobjects.c b/lib/debugobjects.c
index e4b7f77ece3b4f..9d59b797d1b507 100644
--- a/lib/debugobjects.c
+++ b/lib/debugobjects.c
@@ -731,7 +731,7 @@ static void debug_objects_fill_pool(void)
* raw_spinlock_t are basically the same type and this lock-type
* inversion works just fine.
*/
- if (!IS_ENABLED(CONFIG_PREEMPT_RT) || preemptible()) {
+ if (!IS_ENABLED(CONFIG_PREEMPT_RT) || preemptible() || system_state < SYSTEM_SCHEDULING) {
/*
* Annotate away the spinlock_t inside raw_spinlock_t warning
* by temporarily raising the wait-type to WAIT_SLEEP, matching
--
2.53.0
^ permalink raw reply related
* [PATCH 6.18 00/60] 6.18.37-rc1 review
From: Greg Kroah-Hartman @ 2026-06-25 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
This is the start of the stable review cycle for the 6.18.37 release.
There are 60 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sat, 27 Jun 2026 12:54:50 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.18.37-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.18.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 6.18.37-rc1
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
mm: do not copy page tables unnecessarily for VM_UFFD_WP
Miklos Szeredi <mszeredi@redhat.com>
virtiofs: fix UAF on submount umount
Ruslan Valiyev <linuxoid@gmail.com>
media: vidtv: fix NULL pointer dereference in vidtv_mux_push_si
Gil Portnoy <dddhkts1@gmail.com>
ksmbd: reject non-VALID session in compound request branch
Georgi Djakov <georgi.djakov@oss.qualcomm.com>
drivers/base/memory: set mem->altmap after successful device registration
Viken Dadhaniya <viken.dadhaniya@oss.qualcomm.com>
serial: qcom_geni: Fix RX DMA stall when SE_DMA_RX_LEN_IN is zero
Yi Yang <yiyang13@huawei.com>
vc_screen: fix null-ptr-deref in vcs_notifier() during concurrent vcs_write
Giovanni Cabiddu <giovanni.cabiddu@intel.com>
crypto: qat - remove unused character device and IOCTLs
Dmitry Torokhov <dmitry.torokhov@gmail.com>
Input: rmi4 - fix bit count in bitmap_copy()
Dmitry Torokhov <dmitry.torokhov@gmail.com>
Input: rmi4 - iterative IRQ handler
Dmitry Torokhov <dmitry.torokhov@gmail.com>
Input: rmi4 - fix memory leak in rmi_set_attn_data()
Dmitry Torokhov <dmitry.torokhov@gmail.com>
Input: rmi4 - fix num_subpackets overflow in register descriptor
Dmitry Torokhov <dmitry.torokhov@gmail.com>
Input: rmi4 - fix type overflow in register counts
Dmitry Torokhov <dmitry.torokhov@gmail.com>
Input: rmi4 - refactor register descriptor parsing
Dmitry Torokhov <dmitry.torokhov@gmail.com>
Input: rmi4 - fix register descriptor address calculation
Sam Daly <sam@samdaly.ie>
iio: adc: ti-ads1298: add bounds check to pga_settings index
Sam Daly <sam@samdaly.ie>
iio: light: veml6075: add bounds check to veml6075_it_ms index
Faicker Mo <faicker.mo@gmail.com>
net: net_failover: Fix the deadlock in slave register
Mike Marciniszyn (Meta) <mike.marciniszyn@gmail.com>
net: export netif_open for self_test usage
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
testing/selftests/mm: add soft-dirty merge self-test
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
mm: propagate VM_SOFTDIRTY on merge
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
mm: set the VM_MAYBE_GUARD flag on guard region install
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
mm: introduce copy-on-fork VMAs and make VM_MAYBE_GUARD one
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
mm: implement sticky VMA flags
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
mm: update vma_modify_flags() to handle residual flags, document
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
mm: add atomic VMA flags and set VM_MAYBE_GUARD as such
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
mm: introduce VM_MAYBE_GUARD and make visible in /proc/$pid/smaps
Xin Long <lucien.xin@gmail.com>
sctp: disable BH before calling udp_tunnel_xmit_skb()
Tudor Ambarus <tudor.ambarus@linaro.org>
firmware: samsung: acpm: Fix cross-thread RX length corruption
Dexuan Cui <decui@microsoft.com>
Drivers: hv: vmbus: Improve the logic of reserving fb_mmio on Gen2 VMs
Thorsten Blum <thorsten.blum@linux.dev>
hv: utils: handle and propagate errors in kvp_register
André Draszik <andre.draszik@linaro.org>
regulator: core: fix locking in regulator_resolve_supply() error path
Bernard Pidoux <bernard.f6bvp@gmail.com>
rose: don't free fd-owned sockets when reaping in the heartbeat
Bernard Pidoux <bernard.f6bvp@gmail.com>
rose: clear neighbour pointer in rose_kill_by_device()
Bernard Pidoux <bernard.f6bvp@gmail.com>
rose: cancel neighbour timers in rose_neigh_put() before freeing
Bernard Pidoux <bernard.f6bvp@gmail.com>
rose: drop CALL_REQUEST in loopback timer when device is not running
Bernard Pidoux <bernard.f6bvp@gmail.com>
rose: release netdev ref and destroy orphaned incoming sockets
Bernard Pidoux <bernard.f6bvp@gmail.com>
rose: fix netdev double-hold in rose_make_new()
Bernard Pidoux <bernard.f6bvp@gmail.com>
rose: disconnect orphaned STATE_2 sockets when device is gone
Bernard Pidoux <bernard.f6bvp@gmail.com>
rose: set SOCK_DESTROY in rose_kill_by_device() for prompt cleanup
Bernard Pidoux <bernard.f6bvp@gmail.com>
rose: fix notifier unregistered too early in rose_exit()
Bernard Pidoux <bernard.f6bvp@gmail.com>
rose: fix netdev double-hold in rose_rx_call_request()
Bernard Pidoux <bernard.f6bvp@gmail.com>
rose: guard rose_neigh_put() against NULL in timer expiry
Bernard Pidoux <bernard.f6bvp@gmail.com>
rose: clear neighbour pointer after rose_neigh_put() in state machines
Bernard Pidoux <bernard.f6bvp@gmail.com>
rose: fix race between loopback timer and module removal
Bernard Pidoux <bernard.f6bvp@gmail.com>
rose: hold loopback neighbour reference across timer callback
Bernard Pidoux <bernard.f6bvp@gmail.com>
rose: fix dev_put() leak in rose_loopback_timer()
Yicong Yang <yang.yicong@picoheart.com>
ACPI: scan: Use async schedule function in acpi_scan_clear_dep_fn()
Mingyu Wang <25181214217@stu.xidian.edu.cn>
agp/amd64: Fix broken error propagation in agp_amd64_probe()
Weiming Shi <bestswngs@gmail.com>
net: qualcomm: rmnet: fix endpoint use-after-free in rmnet_dellink()
Weiming Shi <bestswngs@gmail.com>
i2c: stub: Reject I2C block transfers with invalid length
Lord Ulf Henrik Holmberg <henrik.holmberg@defensify.se>
RDMA/bnxt_re: zero shared page before exposing to userspace
Waiman Long <longman@redhat.com>
debugobjects: Dont call fill_pool() in early boot hardirq context
Helen Koike <koike@igalia.com>
debugobjects: Do not fill_pool() if pi_blocked_on
Sebastian Andrzej Siewior <bigeasy@linutronix.de>
debugobjects: Use LD_WAIT_CONFIG instead of LD_WAIT_SLEEP
Sebastian Andrzej Siewior <bigeasy@linutronix.de>
debugobjects: Allow to refill the pool before SYSTEM_SCHEDULING
Yang Erkun <yangerkun@huawei.com>
Revert "NFSD: Defer sub-object cleanup in export put callbacks"
Joanne Koong <joannelkoong@gmail.com>
fuse: re-lock request before replacing page cache folio
Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
net: stmmac: fix stm32 (and potentially others) resume regression
Gabriel Krisman Bertazi <krisman@suse.de>
io_uring/net: Avoid msghdr on op_connect/op_bind async data
-------------
Diffstat:
Documentation/filesystems/proc.rst | 5 +-
Documentation/userspace-api/ioctl/ioctl-number.rst | 1 -
Makefile | 4 +-
drivers/acpi/scan.c | 41 +--
drivers/base/memory.c | 3 +-
drivers/char/agp/amd64-agp.c | 2 +-
drivers/crypto/intel/qat/qat_common/adf_cfg.c | 10 -
drivers/crypto/intel/qat/qat_common/adf_cfg.h | 1 -
.../crypto/intel/qat/qat_common/adf_cfg_common.h | 32 --
drivers/crypto/intel/qat/qat_common/adf_cfg_user.h | 38 --
.../crypto/intel/qat/qat_common/adf_common_drv.h | 3 -
drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c | 404 +--------------------
drivers/crypto/intel/qat/qat_common/adf_dev_mgr.c | 70 ----
drivers/firmware/samsung/exynos-acpm.c | 14 +-
drivers/hv/hv_kvp.c | 25 +-
drivers/hv/vmbus_drv.c | 29 +-
drivers/i2c/i2c-stub.c | 5 +
drivers/iio/adc/ti-ads1298.c | 7 +-
drivers/iio/light/veml6075.c | 8 +-
drivers/infiniband/hw/bnxt_re/ib_verbs.c | 2 +-
drivers/input/rmi4/rmi_driver.c | 171 +++++----
drivers/input/rmi4/rmi_driver.h | 4 +-
drivers/input/rmi4/rmi_f12.c | 7 +
drivers/media/test-drivers/vidtv/vidtv_mux.c | 8 +-
drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c | 8 +-
drivers/net/ethernet/qualcomm/rmnet/rmnet_config.h | 1 +
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 3 +-
drivers/net/net_failover.c | 12 +-
drivers/regulator/core.c | 10 +-
drivers/tty/serial/qcom_geni_serial.c | 9 +-
drivers/tty/vt/vc_screen.c | 2 +-
fs/fuse/dev.c | 19 +-
fs/fuse/file.c | 8 +-
fs/nfsd/export.c | 67 +---
fs/nfsd/export.h | 7 +-
fs/nfsd/nfsctl.c | 8 +-
fs/proc/task_mmu.c | 1 +
fs/smb/server/smb2pdu.c | 5 +
include/linux/mm.h | 104 ++++++
include/net/rose.h | 12 +
include/trace/events/mmflags.h | 1 +
io_uring/net.c | 36 +-
io_uring/opdef.c | 4 +-
lib/debugobjects.c | 58 ++-
mm/khugepaged.c | 71 ++--
mm/madvise.c | 24 +-
mm/memory.c | 16 +-
mm/mlock.c | 2 +-
mm/mprotect.c | 2 +-
mm/mseal.c | 7 +-
mm/vma.c | 81 +++--
mm/vma.h | 130 +++++--
net/core/dev.c | 1 +
net/core/failover.c | 6 +-
net/rose/af_rose.c | 49 ++-
net/rose/rose_in.c | 6 +
net/rose/rose_loopback.c | 61 +++-
net/rose/rose_timer.c | 87 ++++-
net/sctp/ipv6.c | 2 +
net/sctp/protocol.c | 2 +
tools/testing/selftests/mm/soft-dirty.c | 127 ++++++-
tools/testing/vma/vma.c | 3 +-
tools/testing/vma/vma_internal.h | 49 +++
63 files changed, 1023 insertions(+), 972 deletions(-)
^ permalink raw reply
* [PATCH 6.18 03/60] fuse: re-lock request before replacing page cache folio
From: Greg Kroah-Hartman @ 2026-06-25 13:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lei Lu, Joanne Koong, Miklos Szeredi
In-Reply-To: <20260625125645.554579168@linuxfoundation.org>
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joanne Koong <joannelkoong@gmail.com>
commit a078484921052d0badd827fcc2770b5cfc1d4120 upstream.
fuse_try_move_folio() unlocks the request on entry but does not
re-lock it on the success path. This means fuse_chan_abort() can end the
request and free the fuse_io_args (eg fuse_readpages_end()) while the
subsequent copy chain logic after fuse_try_move_folio() accesses the
fuse_io_args, leading to use-after-free issues.
Fix this by calling lock_request() before replace_page_cache_folio().
This ensures the request is locked on the success path which will
prevent the fuse_io_args from being freed while the later copying logic
runs, and also ensures that the ap->folios[i]->mapping is never null
since ap->folios[i] will always point to the newfolio after
replace_page_cache_folio().
Fixes: ce534fb05292 ("fuse: allow splice to move pages")
Cc: stable@vger.kernel.org
Reported-by: Lei Lu <llfamsec@gmail.com>
Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/dev.c | 19 +++++--------------
1 file changed, 5 insertions(+), 14 deletions(-)
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1037,6 +1037,10 @@ static int fuse_try_move_folio(struct fu
if (WARN_ON(folio_test_mlocked(oldfolio)))
goto out_fallback_unlock;
+ err = lock_request(cs->req);
+ if (err)
+ goto out_fallback_unlock;
+
replace_page_cache_folio(oldfolio, newfolio);
folio_get(newfolio);
@@ -1050,20 +1054,7 @@ static int fuse_try_move_folio(struct fu
*/
pipe_buf_release(cs->pipe, buf);
- err = 0;
- spin_lock(&cs->req->waitq.lock);
- if (test_bit(FR_ABORTED, &cs->req->flags))
- err = -ENOENT;
- else
- *foliop = newfolio;
- spin_unlock(&cs->req->waitq.lock);
-
- if (err) {
- folio_unlock(newfolio);
- folio_put(newfolio);
- goto out_put_old;
- }
-
+ *foliop = newfolio;
folio_unlock(oldfolio);
/* Drop ref for ap->pages[] array */
folio_put(oldfolio);
^ permalink raw reply
* [PATCH 6.18 02/60] net: stmmac: fix stm32 (and potentially others) resume regression
From: Greg Kroah-Hartman @ 2026-06-25 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Vasut, Russell King (Oracle),
Jakub Kicinski, Sasha Levin
In-Reply-To: <20260625125645.554579168@linuxfoundation.org>
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
[ Upstream commit dbbec8c5a79f4c7aa8d07da8c0b5a34d76c50699 ]
Marek reported that suspending stm32 causes the following errors when
the interface is administratively down:
$ echo devices > /sys/power/pm_test
$ echo mem > /sys/power/state
...
ck_ker_eth2stp already disabled
...
ck_ker_eth2stp already unprepared
...
On suspend, stm32 starts the eth2stp clock in its suspend method, and
stops it in the resume method. This is because the blamed commit omits
the call to the platform glue ->suspend() method, but does make the
call to the platform glue ->resume() method.
This problem affects all other converted drivers as well - e.g. looking
at the PCIe drivers, pci_save_state() will not be called, but
pci_restore_state() will be. Similar issues affect all other drivers.
Fix this by always calling the ->suspend() method, even when the network
interface is down. This fixes all the conversions to the platform glue
->suspend() and ->resume() methods.
Link: https://lore.kernel.org/r/20260114081809.12758-1-marex@nabladev.com
Fixes: 07bbbfe7addf ("net: stmmac: add suspend()/resume() platform ops")
Reported-by: Marek Vasut <marex@nabladev.com>
Tested-by: Marek Vasut <marex@nabladev.com>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Link: https://patch.msgid.link/E1vlujh-00000007Hkw-2p6r@rmk-PC.armlinux.org.uk
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
index 41b270a486308a..1ceedd74e42908 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -7760,7 +7760,7 @@ int stmmac_suspend(struct device *dev)
u32 chan;
if (!ndev || !netif_running(ndev))
- return 0;
+ goto suspend_bsp;
mutex_lock(&priv->lock);
@@ -7803,6 +7803,7 @@ int stmmac_suspend(struct device *dev)
if (stmmac_fpe_supported(priv))
ethtool_mmsv_stop(&priv->fpe_cfg.mmsv);
+suspend_bsp:
if (priv->plat->suspend)
return priv->plat->suspend(dev, priv->plat->bsp_priv);
--
2.53.0
^ permalink raw reply related
* [PATCH 6.18 01/60] io_uring/net: Avoid msghdr on op_connect/op_bind async data
From: Greg Kroah-Hartman @ 2026-06-25 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gabriel Krisman Bertazi, Jens Axboe,
Sasha Levin
In-Reply-To: <20260625125645.554579168@linuxfoundation.org>
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabriel Krisman Bertazi <krisman@suse.de>
[ Upstream commit 3979840cd858f30f43ea9f4e7f7f1f56de82d698 ]
This fixes a memory leak due to the lack of the cleanup hook for the
iovec. The stable backport differs from upstream by dropping the
io_connect_bpf_populate hunk, which didn't exist at the time and by
fixing the merge conflict due to the introduction of
io_bind_file_create.
Both IORING_OP_CONNECT and IORING_OP_BIND reuse the msghdr object just
to store the sockaddr. Beyond allocating a much larger object than
needed, msghdr can also wrap an iovec, which will be recycled
unnecessarily. This uses the sockaddr directly.
Cc: stable@vger.kernel.org
Signed-off-by: Gabriel Krisman Bertazi <krisman@suse.de>
Link: https://patch.msgid.link/20260602215327.1885109-2-krisman@suse.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Gabriel Krisman Bertazi <krisman@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
io_uring/net.c | 36 ++++++++++++++++++------------------
io_uring/opdef.c | 4 ++--
2 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/io_uring/net.c b/io_uring/net.c
index a46c7e81704024..3ab2bfca1bd5dd 100644
--- a/io_uring/net.c
+++ b/io_uring/net.c
@@ -1771,7 +1771,7 @@ int io_socket(struct io_kiocb *req, unsigned int issue_flags)
int io_connect_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
{
struct io_connect *conn = io_kiocb_to_cmd(req, struct io_connect);
- struct io_async_msghdr *io;
+ struct sockaddr_storage *addr;
if (sqe->len || sqe->buf_index || sqe->rw_flags || sqe->splice_fd_in)
return -EINVAL;
@@ -1780,17 +1780,17 @@ int io_connect_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
conn->addr_len = READ_ONCE(sqe->addr2);
conn->in_progress = conn->seen_econnaborted = false;
- io = io_msg_alloc_async(req);
- if (unlikely(!io))
+ addr = io_uring_alloc_async_data(NULL, req);
+ if (unlikely(!addr))
return -ENOMEM;
- return move_addr_to_kernel(conn->addr, conn->addr_len, &io->addr);
+ return move_addr_to_kernel(conn->addr, conn->addr_len, addr);
}
int io_connect(struct io_kiocb *req, unsigned int issue_flags)
{
struct io_connect *connect = io_kiocb_to_cmd(req, struct io_connect);
- struct io_async_msghdr *io = req->async_data;
+ struct sockaddr_storage *addr = req->async_data;
unsigned file_flags;
int ret;
bool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;
@@ -1804,8 +1804,7 @@ int io_connect(struct io_kiocb *req, unsigned int issue_flags)
file_flags = force_nonblock ? O_NONBLOCK : 0;
- ret = __sys_connect_file(req->file, &io->addr, connect->addr_len,
- file_flags);
+ ret = __sys_connect_file(req->file, addr, connect->addr_len, file_flags);
if ((ret == -EAGAIN || ret == -EINPROGRESS || ret == -ECONNABORTED)
&& force_nonblock) {
if (ret == -EINPROGRESS) {
@@ -1834,7 +1833,6 @@ int io_connect(struct io_kiocb *req, unsigned int issue_flags)
out:
if (ret < 0)
req_set_fail(req);
- io_req_msg_cleanup(req, issue_flags);
io_req_set_res(req, ret, 0);
return IOU_COMPLETE;
}
@@ -1844,15 +1842,15 @@ int io_connect(struct io_kiocb *req, unsigned int issue_flags)
* which in turn end up in mnt_want_write() which will grab the fs
* percpu start write sem. This can trigger a lockdep warning.
*/
-static int io_bind_file_create(const struct io_async_msghdr *io, int addr_len)
+static int io_bind_file_create(const struct sockaddr_storage *addr, int addr_len)
{
const struct sockaddr_un *sun;
- if (io->addr.ss_family != AF_UNIX)
+ if (addr->ss_family != AF_UNIX)
return 0;
if (addr_len <= offsetof(struct sockaddr_un, sun_path))
return 0;
- sun = (const struct sockaddr_un *) &io->addr;
+ sun = (const struct sockaddr_un *) addr;
return sun->sun_path[0] != '\0';
}
@@ -1860,7 +1858,7 @@ int io_bind_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
{
struct io_bind *bind = io_kiocb_to_cmd(req, struct io_bind);
struct sockaddr __user *uaddr;
- struct io_async_msghdr *io;
+ struct sockaddr_storage *addr;
int ret;
if (sqe->len || sqe->buf_index || sqe->rw_flags || sqe->splice_fd_in)
@@ -1869,21 +1867,23 @@ int io_bind_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
uaddr = u64_to_user_ptr(READ_ONCE(sqe->addr));
bind->addr_len = READ_ONCE(sqe->addr2);
- io = io_msg_alloc_async(req);
- if (unlikely(!io))
+ addr = io_uring_alloc_async_data(NULL, req);
+ if (unlikely(!addr))
return -ENOMEM;
- ret = move_addr_to_kernel(uaddr, bind->addr_len, &io->addr);
+
+ ret = move_addr_to_kernel(uaddr, bind->addr_len, addr);
if (unlikely(ret))
return ret;
- if (io_bind_file_create(io, bind->addr_len))
+ if (io_bind_file_create(addr, bind->addr_len))
req->flags |= REQ_F_FORCE_ASYNC;
return 0;
}
+
int io_bind(struct io_kiocb *req, unsigned int issue_flags)
{
struct io_bind *bind = io_kiocb_to_cmd(req, struct io_bind);
- struct io_async_msghdr *io = req->async_data;
+ struct sockaddr_storage *addr = req->async_data;
struct socket *sock;
int ret;
@@ -1891,7 +1891,7 @@ int io_bind(struct io_kiocb *req, unsigned int issue_flags)
if (unlikely(!sock))
return -ENOTSOCK;
- ret = __sys_bind_socket(sock, &io->addr, bind->addr_len);
+ ret = __sys_bind_socket(sock, addr, bind->addr_len);
if (ret < 0)
req_set_fail(req);
io_req_set_res(req, ret, 0);
diff --git a/io_uring/opdef.c b/io_uring/opdef.c
index 932319633eac20..a57c820567f772 100644
--- a/io_uring/opdef.c
+++ b/io_uring/opdef.c
@@ -207,7 +207,7 @@ const struct io_issue_def io_issue_defs[] = {
.unbound_nonreg_file = 1,
.pollout = 1,
#if defined(CONFIG_NET)
- .async_size = sizeof(struct io_async_msghdr),
+ .async_size = sizeof(struct sockaddr_storage),
.prep = io_connect_prep,
.issue = io_connect,
#else
@@ -504,7 +504,7 @@ const struct io_issue_def io_issue_defs[] = {
.needs_file = 1,
.prep = io_bind_prep,
.issue = io_bind,
- .async_size = sizeof(struct io_async_msghdr),
+ .async_size = sizeof(struct sockaddr_storage),
#else
.prep = io_eopnotsupp_prep,
#endif
--
2.53.0
^ permalink raw reply related
* Re: [PATCH v7 1/3] xen/mm: Introduce per-node free page counter
From: Jan Beulich @ 2026-06-25 13:04 UTC (permalink / raw)
To: Bernhard Kaindl
Cc: Andrew Cooper, Anthony PERARD, Michal Orzel, Julien Grall,
Roger Pau Monné, Stefano Stabellini, Alejandro Vallejo,
xen-devel
In-Reply-To: <a0b83b0781319009c3862389469dc59db59e0b29.1778272036.git.bernhard.kaindl@citrix.com>
On 08.05.2026 22:27, Bernhard Kaindl wrote:
> From: Alejandro Vallejo <alejandro.vallejo@cloud.com>
>
> Add node_avail_pages[], updated under heap_lock in sync with
> avail[node][zone] to cache the per-node sum of free pages.
>
> Use it in avail_node_heap_pages() to avoid summing all zones on each
> call. Guard it with nodeid < MAX_NUMNODES and node_online(nodeid).
>
> Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
> Signed-off-by: Bernhard Kaindl <bernhard.kaindl@citrix.com>
> ---
> This patch was originally sent by Alejandro Vallejo:
> https://lists.xenproject.org/archives/html/xen-devel/2025-03/msg01130.html
>
> I use node_avail_pages[] in avail_node_heap_pages() as an optimisation.
>
> Verification of the changes:
>
> 1. node_avail_pages[node] is updated whenever avail[node][zone] changes,
> so the two remain in sync.
>
> 2. avail_node_heap_pages() previously summed all zones of a node and now
> returns node_avail_pages[node], so the same free buddy pages are
> counted.
>
> 3. avail_node_heap_pages() returns 0 for offline nodes and for nodes
> >= MAX_NUMNODES as before.
>
> 4. avail_node_heap_pages(-1) returned the sum from all nodes, equal
> to total_avail_pages, but this is not used by current callers.
> avail_heap_pages(z, z, -1) is used by other callers for that instead.
> To avoid dead code, a check for -1 to implement this is not added.
>
> Update locations:
>
> - free_heap_pages() increments node_avail_pages[node] alongside
> avail[node][zone] when pages are freed, including during heap
> initialisation.
>
> - alloc_heap_pages() decrements node_avail_pages[node] alongside
> avail[node][zone] when pages are allocated.
>
> - reserve_offlined_page() decrements node_avail_pages[node] alongside
> avail[node][zone] when pages are offlined.
>
> Colored pages do not go through the buddy allocator.
> Since they do not update avail[node][zone], they are
> not reflected in node_avail_pages[node] either.
>
> N.B. Current callers already iterate over online nodes only.
>
> Changes since v6:
> - Preserved the 0 return for offline nodes and nodes >= MAX_NUMNODES.
Hard to identify what v6 was (and who, if anyone, asked for the change) when,
afaict, the patch subject changed.
Reviewed-by: Jan Beulich <jbeulich@suse.com>
with ...
> @@ -2831,7 +2837,9 @@ unsigned long avail_domheap_pages_region(
>
> unsigned long avail_node_heap_pages(unsigned int nodeid)
> {
> - return avail_heap_pages(MEMZONE_XEN, NR_ZONES -1, nodeid);
> + if ( nodeid < MAX_NUMNODES && node_online(nodeid) )
> + return node_avail_pages[nodeid];
> + return 0;
> }
... a blank line inserted ahead of the "main" (not really here, just by its
indentation) return.
One other remark: With the function called from just a sysctl and a
keyhandler, the direct array access is likely fine. Generally it would
want to be array_access_nospec() though, when accessible from guests.
Jan
^ permalink raw reply
* Re: [RFC PATCH v1 0/3] iomap: convert to in-iter ->iomap_next() model
From: Christoph Hellwig @ 2026-06-25 13:03 UTC (permalink / raw)
To: Joanne Koong; +Cc: hch, willy, djwong, linux-fsdevel, linux-xfs
In-Reply-To: <20260625024723.1611000-1-joannelkoong@gmail.com>
On Wed, Jun 24, 2026 at 07:47:20PM -0700, Joanne Koong wrote:
> A few questions:
> * is this roughly the in-iter direction you had in mind?
I like it.
> * is removing the indirect call still worth it? My understanding is that
> indirect calls are cheap on modern eIBRS hardware and the conversion adds
> some per-filesystem boilerplate, so I'm unsure if it carries its weight. If
> not, do you think the in-iter model is still worth having on its own?
Indirect calls have always been relatively slow, even without spectre.
So if we can easily avoid them that's always a win. That doesn't mean we
should do stupid things just to avoid them, but I think we have a win/win
here.
^ permalink raw reply
* Re: [PATCH v10] Add device-specific reset for Qualcomm devices
From: Manivannan Sadhasivam @ 2026-06-25 13:03 UTC (permalink / raw)
To: Baochen Qiang
Cc: Jose Ignacio Tornos Martinez, bhelgaas, alex, jjohnson, linux-pci,
linux-wireless, ath11k, ath12k, mhi, linux-kernel
In-Reply-To: <4cdfb71b-2ef8-4985-8294-c4a29e37faa3@oss.qualcomm.com>
On Wed, Jun 24, 2026 at 03:47:12PM +0800, Baochen Qiang wrote:
>
>
> On 6/24/2026 2:31 AM, Jose Ignacio Tornos Martinez wrote:
> > Some Qualcomm PCIe devices (WCN6855/WCN7850 WiFi cards, SDX62/SDX65 modems)
> > lack working reset methods for VFIO passthrough scenarios. These devices
> > have no FLR capability, advertise NoSoftRst+ (blocking PM reset), and have
> > broken bus reset.
> >
> > The problem manifests in VFIO passthrough scenarios:
> >
> > - WCN6855 (17cb:1103) and WCN7850 (17cb:1107) WiFi devices:
> > Normal VM operation works fine, including clean shutdown/reboot.
> > However, when the VM terminates uncleanly (crash, force-off), VFIO
> > attempts to reset the device before it can be assigned to another VM.
> > Without a working reset method, the device remains in an undefined state,
> > preventing reuse.
> >
> > - SDX62/SDX65 (17cb:0308) 5G modems: Never successfully initialize even
> > on first VM assignment without proper reset capability.
> >
> > Add device-specific reset methods using BAR-space hardware reset registers
> > that exist in these devices:
> >
> > - WCN6855/WCN7850 WiFi devices use SoC global reset via BAR0 (sequence from
> > ath11k/ath12k driver: ath11k_pci_soc_global_reset(), ath11k_pci_sw_reset(),
> > ath11k_mhi_set_mhictrl_reset()):
> > - Write/clear reset bit at offset 0x3008
> > - Wait for PCIe link recovery (up to 5 seconds)
> > - Clear MHI controller SYSERR status at offset 0x38
> >
> > - SDX62/SDX65 modem devices use MHI SoC reset via BAR0 (sequence from MHI
> > driver: mhi_soc_reset(), mhi_pci_reset_prepare()):
> > - Write reset request to offset 0xb0
> > - Wait 2 seconds for reset completion
> >
> > These are true hardware reset mechanisms (not power management or firmware
> > error recovery), providing proper device reset for VFIO scenarios.
> >
> > Testing was performed on desktop platforms with M.2 WiFi and modem cards
> > using M.2-to-PCIe adapters, including extensive force-reset cycling to
> > verify stability.
> >
> > Signed-off-by: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
> > ---
> > v10:
> > - Complete redesign based on maintainer feedback (Manivannan Sadhasivam,
> > Alex Williamson): use actual hardware reset registers from
> > device drivers instead of D3hot power cycling
> > v9: https://lore.kernel.org/all/20260612142638.1243895-1-jtornosm@redhat.com/
> >
> > drivers/pci/quirks.c | 118 +++++++++++++++++++++++++++++++++++++++++++
> > 1 file changed, 118 insertions(+)
> >
> > diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
> > index 431c021d7414..8ad3f214e520 100644
> > --- a/drivers/pci/quirks.c
> > +++ b/drivers/pci/quirks.c
> > @@ -4240,6 +4240,121 @@ static int reset_hinic_vf_dev(struct pci_dev *pdev, bool probe)
> > return 0;
> > }
> >
> > +#define QUALCOMM_WIFI_PCIE_SOC_GLOBAL_RESET 0x3008
> > +#define QUALCOMM_WIFI_PCIE_SOC_GLOBAL_RESET_V BIT(0)
> > +#define QUALCOMM_WIFI_MHISTATUS 0x48
> > +#define QUALCOMM_WIFI_MHICTRL 0x38
> > +#define QUALCOMM_WIFI_MHICTRL_RESET_MASK 0x2
> > +
> > +/*
> > + * Qualcomm WiFi device-specific reset using SoC global reset via BAR0
> > + * registers.
> > + */
> > +static int reset_qualcomm_wifi(struct pci_dev *pdev, bool probe)
> > +{
> > + bool link_recovered = false;
> > + unsigned long timeout;
> > + void __iomem *bar;
> > + u32 val;
> > + u16 cmd;
> > +
> > + if (probe)
> > + return 0;
> > +
> > + if (pdev->current_state != PCI_D0)
> > + return -EINVAL;
> > +
> > + pci_read_config_word(pdev, PCI_COMMAND, &cmd);
> > + pci_write_config_word(pdev, PCI_COMMAND, cmd | PCI_COMMAND_MEMORY);
> > +
> > + bar = pci_iomap(pdev, 0, 0);
> > + if (!bar) {
> > + pci_write_config_word(pdev, PCI_COMMAND, cmd);
> > + return -ENODEV;
> > + }
> > +
> > + val = ioread32(bar + QUALCOMM_WIFI_PCIE_SOC_GLOBAL_RESET);
>
> QUALCOMM_WIFI_PCIE_SOC_GLOBAL_RESET is beyond the first 4K bar area hence requires MHI
> wakeup before accessing, see [1]. the wakeup callback for WCN6855 is
> ath11k_pci_bus_wake_up() which calls mhi_device_get_sync(). Not sure how this can be done
> here. Maybe Mani can provide some hints?
>
I don't think the device needs to be waken up before
QUALCOMM_WIFI_PCIE_SOC_GLOBAL_RESET. ath11k driver wakes up the device for
accessing the MHI interface I believe. Since this callback is not touching MHI,
there is no need to wakeup the device, AFAIK.
- Mani
--
மணிவண்ணன் சதாசிவம்
^ permalink raw reply
* Re: [PATCH v18 7/8] rust: Add `OwnableRefCounted`
From: Andreas Hindborg @ 2026-06-25 12:37 UTC (permalink / raw)
To: sashiko-reviews; +Cc: ojeda, dri-devel, linux-pci
In-Reply-To: <20260625102641.EDB9D1F000E9@smtp.kernel.org>
<sashiko-bot@kernel.org> writes:
> Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
> - [High] The `OwnableRefCounted` trait is a safe trait but its default `into_shared` method contains an `unsafe` block relying on unenforced invariants, violating Rust's soundness rules.
> - [Low] Incorrect documentation link for `ARef<Self>` in `aref.rs`.
> --
>
> commit b7dc8070575155be9312b255a20879f2e905b00f
> Author: Oliver Mangold <oliver.mangold@pm.me>
>
> rust: Add `OwnableRefCounted`
>
> Types implementing one of these traits can safely convert between an
> `ARef<T>` and an `Owned<T>`.
>
>> diff --git a/rust/kernel/owned.rs b/rust/kernel/owned.rs
>> index e79936c00002c..bb4223c0f725a 100644
>> --- a/rust/kernel/owned.rs
>> +++ b/rust/kernel/owned.rs
>
> [ ... ]
>
>> +pub trait OwnableRefCounted: RefCounted + Ownable + Sized {
>> + /// Checks if the [`ARef`] is unique and converts it to an [`Owned`] if that is the case.
>> + /// Otherwise it returns again an [`ARef`] to the same underlying object.
>> + fn try_from_shared(this: ARef<Self>) -> Result<Owned<Self>, ARef<Self>>;
>> +
>> + /// Converts the [`Owned`] into an [`ARef`].
>> + #[inline]
>> + fn into_shared(this: Owned<Self>) -> ARef<Self> {
>> + // SAFETY: `Owned::into_raw` returns a pointer to a valid `Self`, and the `Owned` owned the
>> + // reference count that we now transfer to the new `ARef`.
>> + unsafe { ARef::from_raw(Owned::into_raw(this)) }
>> + }
>> +}
>
> [Severity: High]
> Does this trait need to be marked unsafe?
>
> The OwnableRefCounted trait is currently safe to implement, but the default
> into_shared() method contains an unsafe block that assumes the Owned<Self>
> implicitly holds a reference count of 1.
>
> If a developer implements this safe trait for a type whose Owned<Self>
> does not account for one RefCounted increment, calling into_shared() will
> pass a pointer to ARef::from_raw() without a corresponding reference
> increment.
>
> When the resulting ARef is dropped, it will blindly call dec_ref(), which
> could lead to a reference count underflow, double-free, or use-after-free.
>
> Should OwnableRefCounted be an unsafe trait so that implementers are
> required to guarantee the reference count invariant?
I will remove the default implementation to solve this issue.
>
>> diff --git a/rust/kernel/sync/aref.rs b/rust/kernel/sync/aref.rs
>> index d0865aeb9371b..77eb390139079 100644
>> --- a/rust/kernel/sync/aref.rs
>> +++ b/rust/kernel/sync/aref.rs
>
> [ ... ]
>
>> @@ -35,7 +39,10 @@
>> /// Note: Implementing this trait allows types to be wrapped in an [`ARef<Self>`]. It requires an
>> /// internal reference count and provides only shared references. If unique references are required
>> /// [`Ownable`](crate::types::Ownable) should be implemented which allows types to be wrapped in an
>> -/// [`Owned<Self>`](crate::types::Owned).
>> +/// [`Owned<Self>`](crate::types::Owned). Implementing the trait
>> +/// [`OwnableRefCounted`] allows to convert between unique and
>> +/// shared references (i.e. [`Owned<Self>`](crate::types::Owned) and
>> +/// [`ARef<Self>`](crate::types::Owned)).
>
> [Severity: Low]
> This isn't a bug, but there appears to be a copy-paste typo in the rustdoc
> link.
>
> The documentation for ARef<Self> points to crate::types::Owned instead
> of ARef.
Will fix.
Best regards,
Andreas Hindborg
^ permalink raw reply
* Re: [PATCH v18 8/8] rust: page: add `from_raw()`
From: Andreas Hindborg @ 2026-06-25 13:02 UTC (permalink / raw)
To: sashiko-reviews; +Cc: linux-pci, ojeda, dri-devel
In-Reply-To: <20260625102549.B56171F00A3E@smtp.kernel.org>
<sashiko-bot@kernel.org> writes:
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> - [Medium] The `# Safety` documentation for `Page::from_raw` is missing the precondition that `ptr` must point to a valid `struct page`.
> --
>
> commit f6aeebdd661d4004190de07e9d991442f793517a
> Author: Andreas Hindborg <a.hindborg@kernel.org>
>
> rust: page: add `from_raw()`
>
> This commit adds a from_raw() method to the Page abstraction. It allows
> the construction of a shared reference to a Page instance directly from a
> raw struct page pointer.
>
>> diff --git a/rust/kernel/page.rs b/rust/kernel/page.rs
>> index 6dc1c2395acaf..c88fda09ead5a 100644
>> --- a/rust/kernel/page.rs
>> +++ b/rust/kernel/page.rs
>
> [ ... ]
>
>> @@ -143,6 +143,20 @@ pub fn nid(&self) -> i32 {
>> unsafe { bindings::page_to_nid(self.as_ptr()) }
>> }
>>
>> + /// Create a `&Page` from a raw `struct page` pointer.
>> + ///
>> + /// # Safety
>> + ///
>> + /// `ptr` must be convertible to a shared reference with a lifetime of `'a`.
>> + #[inline]
>> + pub unsafe fn from_raw<'a>(ptr: *const bindings::page) -> &'a Self {
>
> [Severity: Medium]
> Is the safety documentation missing a requirement here?
>
> The # Safety section only requires that ptr is convertible to a shared
> reference. Under Rust's rules, an uninitialized or dummy pointer could
> technically be converted to a shared reference if properly aligned.
This is not correct. A pointer is only convertible to a shared reference
if it is pointing to properly initialized data [1].
>
>> + // INVARIANT: By the function safety requirements, `ptr` refers to a valid `struct page`, so
>> + // the returned reference upholds the type invariant of `Page`.
>
> The invariant justification inside the function explicitly relies on the
> caller guaranteeing that ptr refers to a valid struct page. Could the
> # Safety documentation be updated to explicitly require that ptr points
> to a valid, initialized struct page so that callers do not inadvertently
> violate the Page type invariant?
For `ptr` to be convertible to a shared reference, it must point to
valid and initialized data.
Best regards,
Andreas Hindborg
[1] https://doc.rust-lang.org/stable/core/ptr/index.html#pointer-to-reference-conversion
^ permalink raw reply
* Re: [PATCH v18 5/8] rust: rename `AlwaysRefCounted` to `RefCounted`.
From: Andreas Hindborg @ 2026-06-25 12:26 UTC (permalink / raw)
To: sashiko-reviews; +Cc: linux-pci, ojeda, dri-devel
In-Reply-To: <20260625102800.B4C3B1F00A3A@smtp.kernel.org>
<sashiko-bot@kernel.org> writes:
> Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
> - [Medium] Incomplete Refactoring / Trait Bound Violation for workqueue items
> - [Medium] Stale and misleading documentation for `ARef` usage
> --
>
> commit 46d36a47415ab0722d334e8010242374e8bba94c
> Author: Oliver Mangold <oliver.mangold@pm.me>
>
> rust: rename AlwaysRefCounted to RefCounted.
>
> This commit splits the AlwaysRefCounted trait into RefCounted (for actual
> reference counting logic) and a new AlwaysRefCounted marker trait. This change
> allows types that can be both reference-counted and owned to safely use
> ARef<T> conversions without violating ownership constraints.
>
>> diff --git a/rust/kernel/sync/aref.rs b/rust/kernel/sync/aref.rs
>> index 3bd5eb8a1a526..fb7466a362741 100644
>> --- a/rust/kernel/sync/aref.rs
>> +++ b/rust/kernel/sync/aref.rs
>
> [Severity: Medium]
> In the module documentation which isn't included in this diff, it states:
>
> //! To make use of [`ARef<MyType>`], `MyType` needs to implement
> //! [`AlwaysRefCounted`].
>
> Should this documentation be updated to reference RefCounted instead?
>
> Leaving this as AlwaysRefCounted might mislead developers into implementing the
> marker trait for new types, which could violate the safety contract if their
> type is also Ownable.
I will fix this.
>
>> @@ -24,11 +24,9 @@
>> ptr::NonNull, //
>> };
>>
>> -/// Types that are _always_ reference counted.
>> +/// Types that are internally reference counted.
>> ///
>> /// It allows such types to define their own custom ref increment and decrement functions.
>> -/// Additionally, it allows users to convert from a shared reference `&T` to an owned reference
>> -/// [`ARef<T>`].
>
> [ ... ]
>
>> @@ -45,9 +43,8 @@
>> /// at least until matching decrements are performed.
>> ///
>> /// Implementers must also ensure that all instances are reference-counted. (Otherwise they
>> -/// won't be able to honour the requirement that [`AlwaysRefCounted::inc_ref`] keep the object
>> -/// alive.)
>> -pub unsafe trait AlwaysRefCounted {
>> +/// won't be able to honour the requirement that [`RefCounted::inc_ref`] keep the object alive.)
>> +pub unsafe trait RefCounted {
>> /// Increments the reference count on the object.
>> fn inc_ref(&self);
>
> [Severity: Medium]
> Since this patch renames AlwaysRefCounted to RefCounted and re-adds
> AlwaysRefCounted as a marker trait, does rust/kernel/workqueue.rs need to be
> updated to use the new bound?
>
> Currently, rust/kernel/workqueue.rs enforces T: AlwaysRefCounted for work
> items using ARef<T>:
>
> rust/kernel/workqueue.rs:
> unsafe impl<T, const ID: u64> WorkItemPointer<ID> for ARef<T>
> where
> T: AlwaysRefCounted,
>
> The same bound is used for RawWorkItem and RawDelayedWorkItem.
Yes, they should be changed to `RefCounted`. I will fix this.
Best regards,
Andreas Hindborg
^ permalink raw reply
* [RFC] fanotify for flock release
From: Jori Koolstra @ 2026-06-25 13:02 UTC (permalink / raw)
To: Jan Kara, Amir Goldstein, Matthew Bobrowski,
linux-fsdevel@vger.kernel.org, Christian Brauner
Hi Jan and Amir, (cc Christian)
There has been a wish from systemd to be able to be notified on flock(2) releases.[1]
I've been looking at the locks.c code (I really wish requests were decoupled
from locks... :) ) and the fanotify code, and this seems to be a rather
straightforward expansion of existing fanotify functionality. Before sending a
patch up, are there any objections to this? If we implement this should we
also do POSIX locks notifications? And what about lock taking?
Best,
Jori.
[1]: https://systemd.io/BLOCK_DEVICE_LOCKING/
^ permalink raw reply
* [PATCH 2/2] rtc: mv: remove mv_rtc_remove
From: alexandre.belloni @ 2026-06-25 13:02 UTC (permalink / raw)
To: Alexandre Belloni; +Cc: Grégory Clement, linux-rtc, linux-kernel
In-Reply-To: <20260625130202.1621692-1-alexandre.belloni@bootlin.com>
From: Alexandre Belloni <alexandre.belloni@bootlin.com>
Use devm_device_init_wakeup() so we can avoid having to explicitly teardown
of module removal.
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
---
drivers/rtc/rtc-mv.c | 19 ++-----------------
1 file changed, 2 insertions(+), 17 deletions(-)
diff --git a/drivers/rtc/rtc-mv.c b/drivers/rtc/rtc-mv.c
index c0f1bcd838e3..db64c459ee19 100644
--- a/drivers/rtc/rtc-mv.c
+++ b/drivers/rtc/rtc-mv.c
@@ -260,7 +260,7 @@ static int __init mv_rtc_probe(struct platform_device *pdev)
}
if (pdata->irq >= 0)
- device_init_wakeup(&pdev->dev, true);
+ devm_device_init_wakeup(&pdev->dev);
else
clear_bit(RTC_FEATURE_ALARM, pdata->rtc->features);
@@ -275,14 +275,6 @@ static int __init mv_rtc_probe(struct platform_device *pdev)
return ret;
}
-static void __exit mv_rtc_remove(struct platform_device *pdev)
-{
- struct rtc_plat_data *pdata = platform_get_drvdata(pdev);
-
- if (pdata->irq >= 0)
- device_init_wakeup(&pdev->dev, false);
-}
-
#ifdef CONFIG_OF
static const struct of_device_id rtc_mv_of_match_table[] = {
{ .compatible = "marvell,orion-rtc", },
@@ -313,14 +305,7 @@ static int mv_rtc_resume(struct device *dev)
static SIMPLE_DEV_PM_OPS(mv_rtc_pm_ops, mv_rtc_suspend, mv_rtc_resume);
-/*
- * mv_rtc_remove() lives in .exit.text. For drivers registered via
- * module_platform_driver_probe() this is ok because they cannot get unbound at
- * runtime. So mark the driver struct with __refdata to prevent modpost
- * triggering a section mismatch warning.
- */
-static struct platform_driver mv_rtc_driver __refdata = {
- .remove = __exit_p(mv_rtc_remove),
+static struct platform_driver mv_rtc_driver = {
.driver = {
.name = "rtc-mv",
.of_match_table = of_match_ptr(rtc_mv_of_match_table),
--
2.54.0
^ permalink raw reply related
* [PATCH 1/2] rtc: mv: fix potential race condition
From: alexandre.belloni @ 2026-06-25 13:02 UTC (permalink / raw)
To: Alexandre Belloni; +Cc: Grégory Clement, linux-rtc, linux-kernel
From: Alexandre Belloni <alexandre.belloni@bootlin.com>
Since the driver allocates the IRQ using devm_request_irq(), this means the
IRQ is going to be automatically unregistered by devres after
mv_rtc_remove() returns.
However, mv_rtc_remove() explicitly disables the hardware clock before
devres teardown happens so the interrupt handler may run while the clock is
disabled leading to a possible bus hang when accessing registers.
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
---
drivers/rtc/rtc-mv.c | 22 ++++++----------------
1 file changed, 6 insertions(+), 16 deletions(-)
diff --git a/drivers/rtc/rtc-mv.c b/drivers/rtc/rtc-mv.c
index f88976fd6d5d..c0f1bcd838e3 100644
--- a/drivers/rtc/rtc-mv.c
+++ b/drivers/rtc/rtc-mv.c
@@ -219,17 +219,15 @@ static int __init mv_rtc_probe(struct platform_device *pdev)
if (IS_ERR(pdata->ioaddr))
return PTR_ERR(pdata->ioaddr);
- pdata->clk = devm_clk_get(&pdev->dev, NULL);
- /* Not all SoCs require a clock.*/
- if (!IS_ERR(pdata->clk))
- clk_prepare_enable(pdata->clk);
+ pdata->clk = devm_clk_get_optional_prepared(&pdev->dev, NULL);
+ if (IS_ERR(pdata->clk))
+ return PTR_ERR(pdata->clk);
/* make sure the 24 hour mode is enabled */
rtc_time = readl(pdata->ioaddr + RTC_TIME_REG_OFFS);
if (rtc_time & RTC_HOURS_12H_MODE) {
dev_err(&pdev->dev, "12 Hour mode is enabled but not supported.\n");
- ret = -EINVAL;
- goto out;
+ return -EINVAL;
}
/* make sure it is actually functional */
@@ -238,8 +236,7 @@ static int __init mv_rtc_probe(struct platform_device *pdev)
rtc_time = readl(pdata->ioaddr + RTC_TIME_REG_OFFS);
if (rtc_time == 0x01000000) {
dev_err(&pdev->dev, "internal RTC not ticking\n");
- ret = -ENODEV;
- goto out;
+ return -ENODEV;
}
}
@@ -249,8 +246,7 @@ static int __init mv_rtc_probe(struct platform_device *pdev)
pdata->rtc = devm_rtc_allocate_device(&pdev->dev);
if (IS_ERR(pdata->rtc)) {
- ret = PTR_ERR(pdata->rtc);
- goto out;
+ return PTR_ERR(pdata->rtc);
}
if (pdata->irq >= 0) {
@@ -275,9 +271,6 @@ static int __init mv_rtc_probe(struct platform_device *pdev)
ret = devm_rtc_register_device(pdata->rtc);
if (!ret)
return 0;
-out:
- if (!IS_ERR(pdata->clk))
- clk_disable_unprepare(pdata->clk);
return ret;
}
@@ -288,9 +281,6 @@ static void __exit mv_rtc_remove(struct platform_device *pdev)
if (pdata->irq >= 0)
device_init_wakeup(&pdev->dev, false);
-
- if (!IS_ERR(pdata->clk))
- clk_disable_unprepare(pdata->clk);
}
#ifdef CONFIG_OF
--
2.54.0
^ permalink raw reply related
* Re: [RFC PATCH v1 0/3] iomap: convert to in-iter ->iomap_next() model
From: Christoph Hellwig @ 2026-06-25 13:02 UTC (permalink / raw)
To: Gao Xiang; +Cc: Joanne Koong, hch, willy, djwong, linux-fsdevel, linux-xfs
In-Reply-To: <6446cb94-a005-4e4c-8034-d7bf2a4b402b@linux.alibaba.com>
On Thu, Jun 25, 2026 at 11:25:54AM +0800, Gao Xiang wrote:
> As I mentioned a year ago, I really hope this way can be proceed
> to avoid iomap iter-callback models:
>
> https://lore.kernel.org/r/20250905152118.GE1587915@frogsfrogsfrogs
Oh, I guess this is where passing the iomap and srcmap separately
from the iter come from. But for this to make sense we'd have to
be able to pass a const iter.
^ permalink raw reply
* [PATCH v2 1/1] rockchip: rk3568: Add support for LinkEase EasePi R1
From: Liangbin Lian @ 2026-06-25 12:58 UTC (permalink / raw)
To: Simon Glass, Philipp Tomsich, Kever Yang, Liangbin Lian, Tom Rini,
Joseph Chen, Mattijs Korpershoek, Michal Simek, Peng Fan,
Jonas Karlman, Quentin Schulz, Johan Jonker, FUKAUMI Naoki
Cc: u-boot
In-Reply-To: <20260625125818.18914-1-jjm2473@gmail.com>
LinkEase EasePi R1 [1] is a high-performance mini router.
Specification:
- Rockchip RK3568
- 2GB/4GB LPDDR4 RAM
- 16GB on-board eMMC
- 1x M.2 key for 2280 NVMe (PCIe 3.0)
- 1x USB 3.0 Type-A
- 1x USB 2.0 Type-C (for USB flashing)
- 2x 1000 Base-T (native, RTL8211F)
- 2x 2500 Base-T (PCIe, RTL8125B)
- 1x HDMI 2.0 Output
- 12v DC Jack
- 1x Power key connected to PMIC
- 2x LEDs (one static power supplied, one GPIO controlled)
[1] https://doc.linkease.com/zh/guide/easepi-r1/hardware.html
Signed-off-by: Liangbin Lian <jjm2473@gmail.com>
---
board/rockchip/evb_rk3568/MAINTAINERS | 5 ++
configs/easepi-r1-rk3568_defconfig | 82 +++++++++++++++++++++++++++
doc/board/rockchip/rockchip.rst | 1 +
3 files changed, 88 insertions(+)
create mode 100644 configs/easepi-r1-rk3568_defconfig
diff --git a/board/rockchip/evb_rk3568/MAINTAINERS b/board/rockchip/evb_rk3568/MAINTAINERS
index 7e17a6a98..c3d4e5df2 100644
--- a/board/rockchip/evb_rk3568/MAINTAINERS
+++ b/board/rockchip/evb_rk3568/MAINTAINERS
@@ -4,6 +4,11 @@ S: Maintained
F: configs/bpi-r2-pro-rk3568_defconfig
F: arch/arm/dts/rk3568-bpi-r2-pro*
+EASEPI-R1
+M: Liangbin Lian <jjm2473@gmail.com>
+S: Maintained
+F: configs/easepi-r1-rk3568_defconfig
+
EVB-RK3568
M: Joseph Chen <chenjh@rock-chips.com>
S: Maintained
diff --git a/configs/easepi-r1-rk3568_defconfig b/configs/easepi-r1-rk3568_defconfig
new file mode 100644
index 000000000..fa400956b
--- /dev/null
+++ b/configs/easepi-r1-rk3568_defconfig
@@ -0,0 +1,82 @@
+CONFIG_ARM=y
+CONFIG_SKIP_LOWLEVEL_INIT=y
+CONFIG_SYS_HAS_NONCACHED_MEMORY=y
+CONFIG_COUNTER_FREQUENCY=24000000
+CONFIG_ARCH_ROCKCHIP=y
+CONFIG_DEFAULT_DEVICE_TREE="rockchip/rk3568-easepi-r1"
+CONFIG_ROCKCHIP_RK3568=y
+CONFIG_SPL_SERIAL=y
+CONFIG_SYS_LOAD_ADDR=0xc00800
+CONFIG_DEBUG_UART_BASE=0xFE660000
+CONFIG_DEBUG_UART_CLOCK=24000000
+CONFIG_PCI=y
+CONFIG_DEBUG_UART=y
+CONFIG_FIT=y
+CONFIG_FIT_VERBOSE=y
+CONFIG_SPL_FIT_SIGNATURE=y
+CONFIG_SPL_LOAD_FIT=y
+CONFIG_LEGACY_IMAGE_FORMAT=y
+CONFIG_DEFAULT_FDT_FILE="rockchip/rk3568-easepi-r1.dtb"
+# CONFIG_DISPLAY_CPUINFO is not set
+CONFIG_DISPLAY_BOARDINFO_LATE=y
+CONFIG_SPL_MAX_SIZE=0x40000
+# CONFIG_SPL_RAW_IMAGE_SUPPORT is not set
+CONFIG_SPL_ATF=y
+CONFIG_CMD_GPIO=y
+CONFIG_CMD_GPT=y
+CONFIG_CMD_I2C=y
+CONFIG_CMD_MMC=y
+CONFIG_CMD_PCI=y
+CONFIG_CMD_USB=y
+CONFIG_CMD_ROCKUSB=y
+CONFIG_CMD_USB_MASS_STORAGE=y
+CONFIG_CMD_PMIC=y
+CONFIG_CMD_REGULATOR=y
+# CONFIG_SPL_DOS_PARTITION is not set
+CONFIG_SPL_OF_CONTROL=y
+CONFIG_OF_LIVE=y
+CONFIG_OF_SPL_REMOVE_PROPS="interrupt-parent assigned-clocks assigned-clock-rates assigned-clock-parents"
+CONFIG_SPL_DM_SEQ_ALIAS=y
+CONFIG_SPL_SYSCON=y
+CONFIG_SPL_CLK=y
+# CONFIG_USB_FUNCTION_FASTBOOT is not set
+CONFIG_ROCKCHIP_GPIO=y
+CONFIG_SYS_I2C_ROCKCHIP=y
+CONFIG_MISC=y
+CONFIG_SUPPORT_EMMC_RPMB=y
+CONFIG_MMC_DW=y
+CONFIG_MMC_DW_ROCKCHIP=y
+CONFIG_MMC_SDHCI=y
+CONFIG_MMC_SDHCI_SDMA=y
+CONFIG_MMC_SDHCI_ROCKCHIP=y
+CONFIG_DWC_ETH_QOS=y
+CONFIG_DWC_ETH_QOS_ROCKCHIP=y
+CONFIG_RTL8169=y
+CONFIG_PHY_REALTEK=y
+CONFIG_NVME_PCI=y
+CONFIG_PCIE_DW_ROCKCHIP=y
+CONFIG_PHY_ROCKCHIP_INNO_USB2=y
+CONFIG_PHY_ROCKCHIP_NANENG_COMBOPHY=y
+CONFIG_SPL_PINCTRL=y
+CONFIG_DM_PMIC=y
+CONFIG_PMIC_RK8XX=y
+CONFIG_REGULATOR_RK8XX=y
+CONFIG_PWM_ROCKCHIP=y
+CONFIG_SPL_RAM=y
+CONFIG_BAUDRATE=1500000
+CONFIG_DEBUG_UART_SHIFT=2
+CONFIG_SYS_NS16550_MEM32=y
+CONFIG_SYSRESET=y
+CONFIG_USB=y
+CONFIG_USB_XHCI_HCD=y
+CONFIG_USB_EHCI_HCD=y
+CONFIG_USB_EHCI_GENERIC=y
+CONFIG_USB_OHCI_HCD=y
+CONFIG_USB_OHCI_GENERIC=y
+CONFIG_USB_DWC3=y
+CONFIG_USB_DWC3_GENERIC=y
+CONFIG_SPL_USB_DWC3_GENERIC=y
+CONFIG_USB_GADGET=y
+CONFIG_USB_GADGET_DOWNLOAD=y
+CONFIG_USB_FUNCTION_ROCKUSB=y
+CONFIG_ERRNO_STR=y
diff --git a/doc/board/rockchip/rockchip.rst b/doc/board/rockchip/rockchip.rst
index a31ee7100..54bd8b81a 100644
--- a/doc/board/rockchip/rockchip.rst
+++ b/doc/board/rockchip/rockchip.rst
@@ -133,6 +133,7 @@ List of mainline supported Rockchip boards:
- FriendlyElec NanoPi R5S (nanopi-r5s-rk3568)
- Generic RK3566/RK3568 (generic-rk3568)
- Hardkernel ODROID-M1 (odroid-m1-rk3568)
+ - LinkEase EasePi R1 (easepi-r1-rk3568)
- Lunzn FastRhino R66S (fastrhino-r66s-rk3568)
- QNAP TS-433 (qnap-ts433-rk3568)
- Radxa E25 Carrier Board (radxa-e25-rk3568)
--
2.54.0
^ permalink raw reply related
* [PATCH v2 0/1] rockchip: rk3568: Add support for LinkEase EasePi R1
From: Liangbin Lian @ 2026-06-25 12:58 UTC (permalink / raw)
To: Simon Glass, Philipp Tomsich, Kever Yang, Liangbin Lian, Tom Rini,
Joseph Chen, Mattijs Korpershoek, Michal Simek, Peng Fan,
Jonas Karlman, Quentin Schulz, Johan Jonker, FUKAUMI Naoki
Cc: u-boot
LinkEase EasePi R1 [1] is a high-performance mini router.
Specification:
- Rockchip RK3568
- 2GB/4GB LPDDR4 RAM
- 16GB on-board eMMC
- 1x M.2 key for 2280 NVMe (PCIe 3.0)
- 1x USB 3.0 Type-A
- 1x USB 2.0 Type-C (for USB flashing)
- 2x 1000 Base-T (native, RTL8211F)
- 2x 2500 Base-T (PCIe, RTL8125B)
- 1x HDMI 2.0 Output
- 12v DC Jack
- 1x Power key connected to PMIC
- 2x LEDs (one static power supplied, one GPIO controlled)
[1] https://doc.linkease.com/zh/guide/easepi-r1/hardware.html
Signed-off-by: Liangbin Lian <jjm2473@gmail.com>
---
Tested: eMMC boot, USB storage, Rockusb, NVMe, Ethernet
Changes since V1:
- Removed rk3568-easepi-r1-u-boot.dtsi and corresponding entry in MAINTAINERS, suggested by Quentin Schulz
- Removed clock-names from CONFIG_OF_SPL_REMOVE_PROPS in easepi-r1-rk3568_defconfig, suggested by Quentin Schulz
- Link to V1: https://patchwork.ozlabs.org/project/uboot/cover/20260512091532.97256-1-jjm2473@gmail.com/
---
Liangbin Lian (1):
rockchip: rk3568: Add support for LinkEase EasePi R1
board/rockchip/evb_rk3568/MAINTAINERS | 5 ++
configs/easepi-r1-rk3568_defconfig | 82 +++++++++++++++++++++++++++
doc/board/rockchip/rockchip.rst | 1 +
3 files changed, 88 insertions(+)
create mode 100644 configs/easepi-r1-rk3568_defconfig
base-commit: f072620dc9ffda00b010783da27c41231c3a439b
--
2.54.0
^ permalink raw reply
* [PATCH 8/8] boot: fdt: downgrade KASLR RNG failure to warning
From: Jamie Gibbons @ 2026-06-25 12:23 UTC (permalink / raw)
To: u-boot
Cc: Conor Dooley, Valentina Fernandez Alanis, Tom Rini, Marek Vasut,
Leo Yu-Chi Liang, Sughosh Ganu, Heinrich Schuchardt,
Martin Herren, Michal Simek, Adriana Nicolae, Sam Protsenko,
jamie.gibbons
In-Reply-To: <20260625122325.834568-1-jamie.gibbons@microchip.com>
During early boot, dm_rng_read() may fail if the underlying RNG
is temporarily unavailable. This causes KASLR seeding to fail,
but does not affect boot correctness.
Currently, fdt_kaslrseed() treats this condition as a hard error
and logs an error message, even though the system continues to
boot normally.
Downgrade the failure to a warning and continue booting without
KASLR, making the behaviour explicit without implying a fatal
error.
Signed-off-by: Jamie Gibbons <jamie.gibbons@microchip.com>
---
boot/fdt_support.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/boot/fdt_support.c b/boot/fdt_support.c
index 1c215e548db..aba1841a9f5 100644
--- a/boot/fdt_support.c
+++ b/boot/fdt_support.c
@@ -308,9 +308,16 @@ int fdt_kaslrseed(void *fdt, bool overwrite)
return err;
}
err = dm_rng_read(dev, &data, sizeof(data));
- if (err) {
- dev_err(dev, "dm_rng_read failed: %d\n", err);
- return err;
+ if (err < 0) {
+ /*
+ * RNG may be unavailable during early boot.
+ * KASLR is best-effort in this case; warn and continue.
+ */
+ dev_warn(dev, "KASLR seed unavailable (RNG error %d), continuing without KASLR\n", err);
+ return 0;
+ } else if (err != sizeof(data)) {
+ dev_warn(dev, "KASLR seed unavailable (no entropy), continuing without KASLR\n");
+ return 0;
}
err = fdt_setprop(fdt, nodeoffset, "kaslr-seed", &data, sizeof(data));
if (err < 0)
--
2.43.0
^ permalink raw reply related
* [PATCH 7/8] mailbox: mpfs: add bounded wait for BUSY to clear before sending request
From: Jamie Gibbons @ 2026-06-25 12:23 UTC (permalink / raw)
To: u-boot
Cc: Conor Dooley, Valentina Fernandez Alanis, Tom Rini, Marek Vasut,
Leo Yu-Chi Liang, Sughosh Ganu, Heinrich Schuchardt,
Martin Herren, Michal Simek, Adriana Nicolae, Sam Protsenko,
jamie.gibbons
In-Reply-To: <20260625122325.834568-1-jamie.gibbons@microchip.com>
The MPFS mailbox driver currently checks the BUSY bit at the start of
mpfs_mbox_send() and immediately returns -EBUSY if the controller is
busy.
On MPFS, BUSY may be transiently asserted during early boot even though
no other U-Boot service is actively executing. In Linux, returning
-EBUSY here is retryable via the mailbox framework and scheduler, but in
U-Boot this results in a hard failure.
Replace the immediate BUSY check with a bounded wait using
regmap_read_poll_timeout(), waiting for the controller to become idle
before issuing a new request. This preserves the intent of the BUSY
check while avoiding spurious early-boot failures in U-Boot’s
synchronous, polled execution model.
The timeout is conservative and based on observed MPFS behaviour, where
BUSY clears within a few milliseconds.
Signed-off-by: Jamie Gibbons <jamie.gibbons@microchip.com>
---
drivers/mailbox/mpfs-mbox.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/mailbox/mpfs-mbox.c b/drivers/mailbox/mpfs-mbox.c
index 165d9d89630..8b7a2719330 100644
--- a/drivers/mailbox/mpfs-mbox.c
+++ b/drivers/mailbox/mpfs-mbox.c
@@ -65,8 +65,11 @@ static int mpfs_mbox_send(struct mbox_chan *chan, const void *data)
u32 *word_buf = (u32 *)msg->cmd_data;
- if (mpfs_mbox_busy(chan))
- return -EBUSY;
+ ret = regmap_read_poll_timeout(mbox->control_scb, SERVICES_SR_OFFSET,
+ value, !(value & SERVICE_SR_BUSY_MASK),
+ 1, 20);
+ if (ret)
+ return ret;
for (idx = 0; idx < (msg->cmd_data_size / BYTES_4); idx++)
writel(word_buf[idx], mbox->mbox_base + msg->mbox_offset + idx * BYTES_4);
--
2.43.0
^ permalink raw reply related
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.