* Re: [PATCH v2 3/7] dt-bindings: soc: samsung: exynos-pmu: deprecate google,pmu-intr-gen-syscon
From: Krzysztof Kozlowski @ 2026-04-01 14:23 UTC (permalink / raw)
To: Alexey Klimov, Sam Protsenko, linux-samsung-soc, Peter Griffin,
André Draszik, Conor Dooley, Alim Akhtar
Cc: Tudor Ambarus, Rob Herring, Krzysztof Kozlowski, linux-arm-kernel,
devicetree, linux-kernel
In-Reply-To: <20260401-exynos850-cpuhotplug-v2-3-c5a760a3e259@linaro.org>
On 01/04/2026 06:51, Alexey Klimov wrote:
> The generic property samsung,pmu-intr-gen-syscon should be used
> by default for Samsung Exynos PMU hardware blocks. Update binding
> document to add deprecated flag for google,pmu-intr-gen-syscon
> property.
> While at this, also add dependency to not allow usage of both
> above mentioned properties in the same time.
>
> Signed-off-by: Alexey Klimov <alexey.klimov@linaro.org>
> ---
> Documentation/devicetree/bindings/soc/samsung/exynos-pmu.yaml | 6 ++++++
> 1 file changed, 6 insertions(+)
This should be squashed. Otherwise you add incorrect code - duplicated
property - which only later you adjust/correct.
Best regards,
Krzysztof
^ permalink raw reply
* Re: [PATCH 12/33] rust: macros: update `extract_if` MSRV TODO comment
From: Gary Guo @ 2026-04-01 14:18 UTC (permalink / raw)
To: Miguel Ojeda, Nathan Chancellor, Nicolas Schier, Danilo Krummrich,
Andreas Hindborg, Catalin Marinas, Will Deacon, Paul Walmsley,
Palmer Dabbelt, Albert Ou, Alexandre Courbot, David Airlie,
Simona Vetter, Brendan Higgins, David Gow, Greg Kroah-Hartman,
Arve Hjønnevåg, Todd Kjos, Christian Brauner,
Carlos Llamas, Alice Ryhl, Jonathan Corbet
Cc: Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin,
Trevor Gross, rust-for-linux, linux-kbuild, Lorenzo Stoakes,
Vlastimil Babka, Liam R . Howlett, Uladzislau Rezki, linux-block,
moderated for non-subscribers, Alexandre Ghiti, linux-riscv,
nouveau, dri-devel, Rae Moar, linux-kselftest, kunit-dev,
Nick Desaulniers, Bill Wendling, Justin Stitt, llvm, linux-kernel,
Shuah Khan, linux-doc
In-Reply-To: <20260401114540.30108-13-ojeda@kernel.org>
On Wed Apr 1, 2026 at 12:45 PM BST, Miguel Ojeda wrote:
> `feature(extract_if)` was stabilized in Rust 1.87.0 [1].
>
> Thus update the comment to reflect that.
>
> Alternatively, we could use it unstably already.
>
> Link: https://github.com/rust-lang/rust/pull/137109 [1]
> Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
> ---
> rust/macros/kunit.rs | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/rust/macros/kunit.rs b/rust/macros/kunit.rs
> index 6be880d634e2..6f6d746b8dbb 100644
> --- a/rust/macros/kunit.rs
> +++ b/rust/macros/kunit.rs
> @@ -87,7 +87,7 @@ pub(crate) fn kunit_tests(test_suite: Ident, mut module: ItemMod) -> Result<Toke
> continue;
> };
>
> - // TODO: Replace below with `extract_if` when MSRV is bumped above 1.85.
> + // TODO: Replace with `extract_if` when MSRV is >= 1.87.0.
> let before_len = f.attrs.len();
> f.attrs.retain(|attr| !attr.path().is_ident("test"));
> if f.attrs.len() == before_len {
When I write the comment the intention is to enable the unstable feature and
switch.
Best,
Gary
diff --git a/rust/macros/kunit.rs b/rust/macros/kunit.rs
index 6be880d634e2..ae20ed6768f1 100644
--- a/rust/macros/kunit.rs
+++ b/rust/macros/kunit.rs
@@ -87,10 +87,11 @@ pub(crate) fn kunit_tests(test_suite: Ident, mut module: ItemMod) -> Result<Toke
continue;
};
- // TODO: Replace below with `extract_if` when MSRV is bumped above 1.85.
- let before_len = f.attrs.len();
- f.attrs.retain(|attr| !attr.path().is_ident("test"));
- if f.attrs.len() == before_len {
+ if f.attrs
+ .extract_if(.., |attr| attr.path().is_ident("test"))
+ .count()
+ == 0
+ {
processed_items.push(Item::Fn(f));
continue;
}
diff --git a/rust/macros/lib.rs b/rust/macros/lib.rs
index 0c36194d9971..2cfd59e0f9e7 100644
--- a/rust/macros/lib.rs
+++ b/rust/macros/lib.rs
@@ -6,6 +6,9 @@
// and thus add a dependency on `include/config/RUSTC_VERSION_TEXT`, which is
// touched by Kconfig when the version string from the compiler changes.
+// Stable since Rust 1.87.0.
+#![feature(extract_if)]
+//
// Stable since Rust 1.88.0 under a different name, `proc_macro_span_file`,
// which was added in Rust 1.88.0. This is why `cfg_attr` is used here, i.e.
// to avoid depending on the full `proc_macro_span` on Rust >= 1.88.0.
^ permalink raw reply related
* Re: Question: interrupt randomness and handle_percpu_devid_irq()
From: Sebastian Andrzej Siewior @ 2026-04-01 14:14 UTC (permalink / raw)
To: Thomas Gleixner
Cc: Michael Kelley, Marc Zyngier, Lorenzo Pieralisi,
linux-arm-kernel@lists.infradead.org, LKML, Jan Kiszka
In-Reply-To: <87bjgik042.ffs@tglx>
On 2026-03-20 16:10:37 [+0100], Thomas Gleixner wrote:
> On Thu, Mar 19 2026 at 19:34, Michael Kelley wrote:
> > The function header comment for handle_percpu_devid_irq() says that it is the
> > same as handle_percpu_irq(), but with the addition of a pointer to a percpu
> > variable with the real device id. That makes sense. But there's another difference:
> > handle_percpu_irq() calls add_interrupt_randomness() [via handle_irq_event_percpu()],
> > while handle_percpu_devid_irq() does not.
> >
> > Question: Is there a reason for this difference in handling interrupt randomness?
> > Or is it just an oversight? handle_percpu_devid_irq() is used, for example, for the
> > SGIs and PPIs on the GICv3 chip, so I wondered if IPIs (as built on SGIs) & PPIs
> > specifically did not want the overhead of add_interrupt_randomness(). But then
> > GICv5 is doing IPIs using LPIs, which use handle_percpu_irq() and hence *do*
> > add interrupt randomness. That seemed inconsistent, which didn't help provide
> > an answer.
> >
> > The question arises in the context of Linux guests running on Hyper-V. Hyper-V
> > VMBus interrupts to the guest are per-CPU interrupts in Linux, using a PPI on
> > arm64. So these interrupts do not call add_interrupt_randomness(), which is a
> > problem because these guests don't have much other way to get entropy. To
> > fix this, the VMBus ISR has always had an explicit call to
> > add_interrupt_randomness(). But maybe that's not the best approach, and
> > handle_percpu_devid_irq() should be fixed to call add_interrupt_randomness().
>
> I don't think there is a real good reason unless any of those interrupts
> is NMI like.
So we could wire up the generic/ arch code here and feed the
"randomness" from there and it from the driver bits.
> Thanks,
>
> tglx
Sebastian
^ permalink raw reply
* Re: [PATCH 11/33] rust: alloc: simplify with `NonNull::add()` now that it is stable
From: Gary Guo @ 2026-04-01 14:12 UTC (permalink / raw)
To: Miguel Ojeda, Nathan Chancellor, Nicolas Schier, Danilo Krummrich,
Andreas Hindborg, Catalin Marinas, Will Deacon, Paul Walmsley,
Palmer Dabbelt, Albert Ou, Alexandre Courbot, David Airlie,
Simona Vetter, Brendan Higgins, David Gow, Greg Kroah-Hartman,
Arve Hjønnevåg, Todd Kjos, Christian Brauner,
Carlos Llamas, Alice Ryhl, Jonathan Corbet
Cc: Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin,
Trevor Gross, rust-for-linux, linux-kbuild, Lorenzo Stoakes,
Vlastimil Babka, Liam R . Howlett, Uladzislau Rezki, linux-block,
moderated for non-subscribers, Alexandre Ghiti, linux-riscv,
nouveau, dri-devel, Rae Moar, linux-kselftest, kunit-dev,
Nick Desaulniers, Bill Wendling, Justin Stitt, llvm, linux-kernel,
Shuah Khan, linux-doc
In-Reply-To: <20260401114540.30108-12-ojeda@kernel.org>
On Wed Apr 1, 2026 at 12:45 PM BST, Miguel Ojeda wrote:
> Currently we need to go through raw pointers and then re-create the
> `NonNull` from the result of offsetting the raw pointer.
>
> Thus, now that we bump the Rust minimum version, simplify using
> `NonNull::add()` and clean the TODO note.
>
> Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Reviewed-by: Gary Guo <gary@garyguo.net>
> ---
> rust/kernel/alloc/allocator/iter.rs | 8 +-------
> 1 file changed, 1 insertion(+), 7 deletions(-)
^ permalink raw reply
* Re: [PATCH 09/33] rust: kbuild: make `--remap-path-prefix` workaround conditional
From: Gary Guo @ 2026-04-01 14:08 UTC (permalink / raw)
To: Miguel Ojeda, Nathan Chancellor, Nicolas Schier, Danilo Krummrich,
Andreas Hindborg, Catalin Marinas, Will Deacon, Paul Walmsley,
Palmer Dabbelt, Albert Ou, Alexandre Courbot, David Airlie,
Simona Vetter, Brendan Higgins, David Gow, Greg Kroah-Hartman,
Arve Hjønnevåg, Todd Kjos, Christian Brauner,
Carlos Llamas, Alice Ryhl, Jonathan Corbet
Cc: Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin,
Trevor Gross, rust-for-linux, linux-kbuild, Lorenzo Stoakes,
Vlastimil Babka, Liam R . Howlett, Uladzislau Rezki, linux-block,
moderated for non-subscribers, Alexandre Ghiti, linux-riscv,
nouveau, dri-devel, Rae Moar, linux-kselftest, kunit-dev,
Nick Desaulniers, Bill Wendling, Justin Stitt, llvm, linux-kernel,
Shuah Khan, linux-doc
In-Reply-To: <20260401114540.30108-10-ojeda@kernel.org>
On Wed Apr 1, 2026 at 12:45 PM BST, Miguel Ojeda wrote:
> The Internal Compiler Error that the comment mentions [1] was fixed in
> Rust 1.87.0 [2]. And, for other workarounds, we plan on limiting where
> we apply them [3].
>
> Thus limit the ICE one too.
>
> This will help to make sure the workaround is not needed anymore on
> newer versions.
>
> Link: https://github.com/rust-lang/rust/issues/138520 [1]
> Link: https://github.com/rust-lang/rust/pull/138556 [2]
> Link: https://lore.kernel.org/rust-for-linux/20260205131815.2943152-2-mlksvender@gmail.com/ [3]
> Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
> ---
> rust/Makefile | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/rust/Makefile b/rust/Makefile
> index 708530ee3613..163d2258e93f 100644
> --- a/rust/Makefile
> +++ b/rust/Makefile
> @@ -145,10 +145,12 @@ doctests_modifiers_workaround := $(rustdoc_modifiers_workaround)$(if $(call rust
> # `rustdoc` ICEs on out-of-tree builds in Rust < 1.87.0
> # (https://github.com/rust-lang/rust/issues/138520). Thus workaround the
> # issue skipping the flag.
> +rustdoc_remap_workaround := $(if $(call rustc-min-version,108700),,--remap-path-prefix=%)
Okay, I see what the comments mean now. Perhaps squash this to the previous
commit?
Best,
Gary
> +
> quiet_cmd_rustdoc = RUSTDOC $(if $(rustdoc_host),H, ) $<
> cmd_rustdoc = \
> OBJTREE=$(abspath $(objtree)) \
> - $(RUSTDOC) $(filter-out $(skip_flags) --remap-path-prefix=%,$(if $(rustdoc_host),$(rust_common_flags),$(rust_flags))) \
> + $(RUSTDOC) $(filter-out $(skip_flags) $(rustdoc_remap_workaround),$(if $(rustdoc_host),$(rust_common_flags),$(rust_flags))) \
> $(rustc_target_flags) -L$(objtree)/$(obj) \
> -Zunstable-options --generate-link-to-definition \
> --output $(rustdoc_output) \
^ permalink raw reply
* Re: [PATCH 10/33] rust: transmute: simplify code with Rust 1.80.0 `split_at_*checked()`
From: Gary Guo @ 2026-04-01 14:10 UTC (permalink / raw)
To: Miguel Ojeda, Nathan Chancellor, Nicolas Schier, Danilo Krummrich,
Andreas Hindborg, Catalin Marinas, Will Deacon, Paul Walmsley,
Palmer Dabbelt, Albert Ou, Alexandre Courbot, David Airlie,
Simona Vetter, Brendan Higgins, David Gow, Greg Kroah-Hartman,
Arve Hjønnevåg, Todd Kjos, Christian Brauner,
Carlos Llamas, Alice Ryhl, Jonathan Corbet
Cc: Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin,
Trevor Gross, rust-for-linux, linux-kbuild, Lorenzo Stoakes,
Vlastimil Babka, Liam R . Howlett, Uladzislau Rezki, linux-block,
moderated for non-subscribers, Alexandre Ghiti, linux-riscv,
nouveau, dri-devel, Rae Moar, linux-kselftest, kunit-dev,
Nick Desaulniers, Bill Wendling, Justin Stitt, llvm, linux-kernel,
Shuah Khan, linux-doc
In-Reply-To: <20260401114540.30108-11-ojeda@kernel.org>
On Wed Apr 1, 2026 at 12:45 PM BST, Miguel Ojeda wrote:
> `feature(split_at_checked)` [1] has been stabilized in Rust 1.80.0 [2],
> which is beyond our new minimum Rust version (Rust 1.85.0).
>
> Thus simplify the code using `split_at_*checked()`.
>
> Link: https://github.com/rust-lang/rust/issues/119128 [1]
> Link: https://github.com/rust-lang/rust/pull/124678 [2]
> Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Reviewed-by: Gary Guo <gary@garyguo.net>
> ---
> rust/kernel/transmute.rs | 33 ++++++---------------------------
> 1 file changed, 6 insertions(+), 27 deletions(-)
^ permalink raw reply
* Re: [PATCH v5 2/3] arm64: dts: rockchip: refactor items from Orange Pi 5/b to prep for Pro
From: Jonas Karlman @ 2026-04-01 14:05 UTC (permalink / raw)
To: dennis@ausil.us
Cc: FUKAUMI Naoki, Hsun Lai, Chaoyi Chen, John Clark,
Michael Opdenacker, Quentin Schulz, Andrew Lunn, Chukun Pan,
Alexey Charkov, Peter Robinson, Michael Riesch, Mykola Kvach,
Jimmy Hon, devicetree@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-rockchip@lists.infradead.org, linux-kernel@vger.kernel.org,
Rob Herring, Krzysztof Kozlowski, Conor Dooley, Heiko Stuebner
In-Reply-To: <20260401010707.2584962-3-dennis@ausil.us>
Hi Dennis,
On 4/1/2026 3:07 AM, dennis@ausil.us wrote:
> From: Dennis Gilmore <dennis@ausil.us>
>
> The Orange Pi 5 Pro uses the same SoC and base as the Orange Pi 5 and
> Orange Pi 5B but has had sound, USB, and leds wired up differently. The
> boards also use gmac for ethernet where thre Pro has a PCIe attached NIC
>
> Signed-off-by: Dennis Gilmore <dennis@ausil.us>
> ---
> .../boot/dts/rockchip/rk3588s-orangepi-5.dts | 184 ++++++++++++++++
> .../boot/dts/rockchip/rk3588s-orangepi-5.dtsi | 202 ++----------------
> .../boot/dts/rockchip/rk3588s-orangepi-5b.dts | 181 ++++++++++++++++
> 3 files changed, 378 insertions(+), 189 deletions(-)
This patch seem to reintroduce a lot of duplication for the 5 and 5b
.dts-files. Please reduce the added duplication caused by this patch.
Maybe it is better to create a rk3588s-orangepi-5-base.dtsi or similar
where everything that is shared for all three boards is moved. Or the 5
an 5b specific parts are moved into a rk3588s-orangepi-5-5b.dtsi or
similar. Then the change in 5 and 5b board .dts-files are kept to a
minimum.
Regards,
Jonas
^ permalink raw reply
* Re: [PATCH 08/33] rust: kbuild: simplify `--remap-path-prefix` workaround
From: Gary Guo @ 2026-04-01 13:59 UTC (permalink / raw)
To: Miguel Ojeda, Nathan Chancellor, Nicolas Schier, Danilo Krummrich,
Andreas Hindborg, Catalin Marinas, Will Deacon, Paul Walmsley,
Palmer Dabbelt, Albert Ou, Alexandre Courbot, David Airlie,
Simona Vetter, Brendan Higgins, David Gow, Greg Kroah-Hartman,
Arve Hjønnevåg, Todd Kjos, Christian Brauner,
Carlos Llamas, Alice Ryhl, Jonathan Corbet
Cc: Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin,
Trevor Gross, rust-for-linux, linux-kbuild, Lorenzo Stoakes,
Vlastimil Babka, Liam R . Howlett, Uladzislau Rezki, linux-block,
moderated for non-subscribers, Alexandre Ghiti, linux-riscv,
nouveau, dri-devel, Rae Moar, linux-kselftest, kunit-dev,
Nick Desaulniers, Bill Wendling, Justin Stitt, llvm, linux-kernel,
Shuah Khan, linux-doc
In-Reply-To: <20260401114540.30108-9-ojeda@kernel.org>
On Wed Apr 1, 2026 at 12:45 PM BST, Miguel Ojeda wrote:
> With the minimum version bump in place, `rustdoc` now always recognizes
> the `--remap-path-prefix` flag.
>
> In addition, the Internal Compiler Error that the comment mentions [1]
> was fixed in Rust 1.87.0 [2], so we still need to skip the flag for
> the normal `rustdoc` case, but not for `--test` since the ICE does not
> reproduce there -- please see commit 2c8725c1dca3 ("rust: kbuild: skip
> `--remap-path-prefix` for `rustdoc`").
>
> Thus update the comment and remove the skipping of the flag for the
> `--test` case.
>
> Note that commit dda135077ecc ("rust: build: remap path to avoid
> absolute path") re-landed the `--remap-path-prefix` flag (together with
> `--remap-path-scope`), so we keep the workaround, i.e. an alternative
> could have been to simply delete the skip entirely, but since we still
> have it and it will be needed when this gets merged, let's keep it.
I'm not sure that I parse this. You do remove the filter-out completely below?
>
> Link: https://github.com/rust-lang/rust/issues/138520 [1]
> Link: https://github.com/rust-lang/rust/pull/138556 [2]
> Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
> ---
> rust/Makefile | 9 ++++-----
> 1 file changed, 4 insertions(+), 5 deletions(-)
>
> diff --git a/rust/Makefile b/rust/Makefile
> index 193cf06eea64..708530ee3613 100644
> --- a/rust/Makefile
> +++ b/rust/Makefile
> @@ -142,10 +142,9 @@ rustdoc_modifiers_workaround := $(if $(call rustc-min-version,108800),-Cunsafe-a
> # Similarly, for doctests (https://github.com/rust-lang/rust/issues/146465).
> doctests_modifiers_workaround := $(rustdoc_modifiers_workaround)$(if $(call rustc-min-version,109100),$(comma)sanitizer)
>
> -# `rustc` recognizes `--remap-path-prefix` since 1.26.0, but `rustdoc` only
> -# since Rust 1.81.0. Moreover, `rustdoc` ICEs on out-of-tree builds since Rust
> -# 1.82.0 (https://github.com/rust-lang/rust/issues/138520). Thus workaround both
> -# issues skipping the flag. The former also applies to `RUSTDOC TK`.
> +# `rustdoc` ICEs on out-of-tree builds in Rust < 1.87.0
> +# (https://github.com/rust-lang/rust/issues/138520). Thus workaround the
> +# issue skipping the flag.
> quiet_cmd_rustdoc = RUSTDOC $(if $(rustdoc_host),H, ) $<
> cmd_rustdoc = \
> OBJTREE=$(abspath $(objtree)) \
> @@ -333,7 +332,7 @@ quiet_cmd_rustdoc_test_kernel = RUSTDOC TK $<
> rm -rf $(objtree)/$(obj)/test/doctests/kernel; \
> mkdir -p $(objtree)/$(obj)/test/doctests/kernel; \
> OBJTREE=$(abspath $(objtree)) \
> - $(RUSTDOC) --test $(filter-out --remap-path-prefix=%,$(rust_flags)) \
Looks like this is going to conflict with rust-fixes (which adds the
--remap-path-scope). Perhaps worth doing a back merge?
Best,
Gary
> + $(RUSTDOC) --test $(rust_flags) \
> -L$(objtree)/$(obj) --extern ffi --extern pin_init \
> --extern kernel --extern build_error --extern macros \
> --extern bindings --extern uapi \
^ permalink raw reply
* RE: [PATCH v2] iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux
From: Erim, Salih @ 2026-04-01 13:57 UTC (permalink / raw)
To: Erim, Salih, Simek, Michal, Jonathan Cameron, Christofer Jonason,
O'Griofa, Conall
Cc: lars@metafoo.de, dlechner@baylibre.com, nuno.sa@analog.com,
andy@kernel.org, victor.jonsson@guidelinegeo.com,
linux-iio@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, stable@vger.kernel.org
In-Reply-To: <IA1PR12MB77361978ED21FF22F079034D9F50A@IA1PR12MB7736.namprd12.prod.outlook.com>
Hi,
> -----Original Message-----
> From: Erim, Salih <Salih.Erim@amd.com>
> Sent: Wednesday, April 1, 2026 2:13 PM
> To: Simek, Michal <michal.simek@amd.com>; Jonathan Cameron
> <jic23@kernel.org>; Christofer Jonason <christofer.jonason@guidelinegeo.com>;
> O'Griofa, Conall <conall.ogriofa@amd.com>
> Cc: lars@metafoo.de; dlechner@baylibre.com; nuno.sa@analog.com;
> andy@kernel.org; victor.jonsson@guidelinegeo.com; linux-iio@vger.kernel.org;
> linux-arm-kernel@lists.infradead.org; linux-kernel@vger.kernel.org;
> stable@vger.kernel.org
> Subject: RE: [PATCH v2] iio: adc: xilinx-xadc: Fix sequencer mode in postdisable
> for dual mux
>
> Caution: This message originated from an External Source. Use proper caution
> when opening attachments, clicking links, or responding.
>
>
> [AMD Official Use Only - AMD Internal Distribution Only]
I am deeply sorry about these markings. Please try to ignore them, and I will do my best to escape from them.
>
> Reviewed-by: Salih Erim <salih.erim@amd.com>
>
> > -----Original Message-----
> > From: Erim, Salih
> > Sent: Wednesday, April 1, 2026 2:12 PM
> > To: Simek, Michal <michal.simek@amd.com>; Jonathan Cameron
> > <jic23@kernel.org>; Christofer Jonason
> > <christofer.jonason@guidelinegeo.com>;
> > O'Griofa, Conall <conall.ogriofa@amd.com>
> > Cc: lars@metafoo.de; dlechner@baylibre.com; nuno.sa@analog.com;
> > andy@kernel.org; victor.jonsson@guidelinegeo.com;
> > linux-iio@vger.kernel.org; linux-arm-kernel@lists.infradead.org;
> > linux-kernel@vger.kernel.org; stable@vger.kernel.org
> > Subject: RE: [PATCH v2] iio: adc: xilinx-xadc: Fix sequencer mode in
> > postdisable for dual mux
> >
> > Hi Christofer,
> >
> > The code change looks correct to me - it aligns postdisable with
> > preenable by reusing xadc_get_seq_mode(), and the scope is limited to
> > dual external mux configurations.
> >
> > Since this is targeting stable, could you please share what
> > hardware/board this was tested on and how you verified that VAUX[8-15]
> > channels return correct data with the fix applied?
> >
> > Reviewed-by: Salih Emin <salih.emin@amd.com>
> >
> > Thanks,
> > Salih
> >
> >
> > > -----Original Message-----
> > > From: Simek, Michal <michal.simek@amd.com>
> > > Sent: Tuesday, March 10, 2026 7:43 AM
> > > To: Jonathan Cameron <jic23@kernel.org>; Christofer Jonason
> > > <christofer.jonason@guidelinegeo.com>; Erim, Salih
> > > <Salih.Erim@amd.com>; O'Griofa, Conall <conall.ogriofa@amd.com>
> > > Cc: lars@metafoo.de; dlechner@baylibre.com; nuno.sa@analog.com;
> > > andy@kernel.org; victor.jonsson@guidelinegeo.com;
> > > linux-iio@vger.kernel.org; linux-arm-kernel@lists.infradead.org;
> > > linux-kernel@vger.kernel.org; stable@vger.kernel.org
> > > Subject: Re: [PATCH v2] iio: adc: xilinx-xadc: Fix sequencer mode in
> > > postdisable for dual mux
> > >
> > > +Salih, Conall,
> > >
> > > On 3/7/26 13:41, Jonathan Cameron wrote:
> > > > On Wed, 4 Mar 2026 10:07:27 +0100 Christofer Jonason
> > > > <christofer.jonason@guidelinegeo.com> wrote:
> > > >
> > > >> xadc_postdisable() unconditionally sets the sequencer to
> > > >> continuous mode. For dual external multiplexer configurations this is
> incorrect:
> > > >> simultaneous sampling mode is required so that ADC-A samples
> > > >> through the mux on VAUX[0-7] while ADC-B simultaneously samples
> > > >> through the mux on VAUX[8-15]. In continuous mode only ADC-A is
> > > >> active, so VAUX[8-15] channels return incorrect data.
> > > >>
> > > >> Since postdisable is also called from xadc_probe() to set the
> > > >> initial idle state, the wrong sequencer mode is active from the
> > > >> moment the driver loads.
> > > >>
> > > >> The preenable path already uses xadc_get_seq_mode() which returns
> > > >> SIMULTANEOUS for dual mux. Fix postdisable to do the same.
> > > >>
> > > >> Fixes: bdc8cda1d010 ("iio:adc: Add Xilinx XADC driver")
> > > >> Cc: stable@vger.kernel.org
> > > >> Signed-off-by: Christofer Jonason
> > > >> <christofer.jonason@guidelinegeo.com>
> > > >
> > > > I'll leave this on list for a little longer as I'd really like a
> > > > confirmation of this one from the AMD Xilinx folk.
> > >
> > > Salih/Conall: Please look at this patch and provide your comment or tag.
> > >
> > > Thanks,
> > > Michal
As I mentioned earlier, I have reviewed and it looks correct to me.
It would be good if Christopher could share testing environment and results.
Reviewed-by: Salih Emin <salih.emin@amd.com>
Thanks,
Salih.
^ permalink raw reply
* Re: [PATCH 07/33] rust: kbuild: remove `feature(...)`s that are now stable
From: Gary Guo @ 2026-04-01 13:51 UTC (permalink / raw)
To: Miguel Ojeda, Nathan Chancellor, Nicolas Schier, Danilo Krummrich,
Andreas Hindborg, Catalin Marinas, Will Deacon, Paul Walmsley,
Palmer Dabbelt, Albert Ou, Alexandre Courbot, David Airlie,
Simona Vetter, Brendan Higgins, David Gow, Greg Kroah-Hartman,
Arve Hjønnevåg, Todd Kjos, Christian Brauner,
Carlos Llamas, Alice Ryhl, Jonathan Corbet
Cc: Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin,
Trevor Gross, rust-for-linux, linux-kbuild, Lorenzo Stoakes,
Vlastimil Babka, Liam R . Howlett, Uladzislau Rezki, linux-block,
moderated for non-subscribers, Alexandre Ghiti, linux-riscv,
nouveau, dri-devel, Rae Moar, linux-kselftest, kunit-dev,
Nick Desaulniers, Bill Wendling, Justin Stitt, llvm, linux-kernel,
Shuah Khan, linux-doc
In-Reply-To: <20260401114540.30108-8-ojeda@kernel.org>
On Wed Apr 1, 2026 at 12:45 PM BST, Miguel Ojeda wrote:
> Now that the Rust minimum version is 1.85.0, there is no need to enable
> certain features that are stable.
>
> Thus clean them up.
>
> Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Reviewed-by: Gary Guo <gary@garyguo.net>
> ---
> rust/Makefile | 2 --
> rust/kernel/lib.rs | 21 ---------------------
> scripts/Makefile.build | 6 +-----
> 3 files changed, 1 insertion(+), 28 deletions(-)
^ permalink raw reply
* [PATCH] usb: dwc3: imx8mp: fix memory leak on probe failure path
From: Xiaolei Wang @ 2026-04-01 13:49 UTC (permalink / raw)
To: Thinh.Nguyen, gregkh, Frank.Li, s.hauer, kernel, festevam,
Xiaolei.Wang
Cc: linux-usb, imx, linux-arm-kernel, linux-kernel
When platform_get_drvdata() returns NULL and probe defers, the error
path jumps to the 'depopulate' label, skipping put_device() for the
reference acquired by of_find_device_by_node(). This extra reference
prevents the child platform device from being freed when
of_platform_depopulate() is called, resulting in memory leaks reported
by kmemleak:
unreferenced object 0xffff0000c92c1480 (size 64):
comm "kworker/u16:2", pid 50, jiffies 4294895789
backtrace (crc 49d507d0):
kmemleak_alloc+0x34/0x40
__kmalloc_noprof+0x430/0x670
of_device_alloc+0xec/0x26c
of_platform_device_create_pdata+0x60/0x1f0
of_platform_bus_create+0x290/0x610
of_platform_populate+0x74/0x118
dwc3_imx8mp_probe+0x228/0x734
Fixes: 86767625f525 ("usb: dwc3: imx8mp: disable auto suspend for host role")
Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
---
drivers/usb/dwc3/dwc3-imx8mp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/dwc3/dwc3-imx8mp.c b/drivers/usb/dwc3/dwc3-imx8mp.c
index b3d7252bd910..1cf96540b66e 100644
--- a/drivers/usb/dwc3/dwc3-imx8mp.c
+++ b/drivers/usb/dwc3/dwc3-imx8mp.c
@@ -263,7 +263,7 @@ static int dwc3_imx8mp_probe(struct platform_device *pdev)
dwc3 = platform_get_drvdata(dwc3_imx->dwc3_pdev);
if (!dwc3) {
err = dev_err_probe(dev, -EPROBE_DEFER, "failed to get dwc3 platform data\n");
- goto depopulate;
+ goto put_dwc3;
}
dwc3->glue_ops = &dwc3_imx_glue_ops;
--
2.43.0
^ permalink raw reply related
* Re: [PATCH v4 3/5] mfd: aaeon: Add SRG-IMX8P MCU driver
From: Thomas Perrot @ 2026-04-01 13:48 UTC (permalink / raw)
To: Lee Jones
Cc: thomas.perrot, Rob Herring, Krzysztof Kozlowski, Conor Dooley,
Linus Walleij, Bartosz Golaszewski, Shawn Guo, Sascha Hauer,
Pengutronix Kernel Team, Fabio Estevam,
Jérémie Dautheribes, Wim Van Sebroeck, Guenter Roeck,
devicetree, linux-kernel, linux-gpio, imx, linux-arm-kernel,
linux-watchdog, Thomas Petazzoni, Miquel Raynal
In-Reply-To: <20260331130848.GG3795166@google.com>
[-- Attachment #1: Type: text/plain, Size: 11931 bytes --]
Hello Lee,
Thank you for the review. Please find answers to your questions inline,
and the remaining items will be addressed in v5.
On Tue, 2026-03-31 at 14:08 +0100, Lee Jones wrote:
> On Tue, 24 Mar 2026, Thomas Perrot (Schneider Electric) wrote:
>
> > Add Multi-Function Device (MFD) driver for the Aaeon SRG-IMX8P
> > embedded controller. This driver provides the core I2C
> > communication
> > interface and registers child devices (GPIO and watchdog
> > controllers).
> >
> > The driver implements a custom regmap bus over I2C to match the
> > MCU's
> > fixed 3-byte command format [opcode, arg, value]. Register
> > addresses
> > are encoded as 16-bit values (opcode << 8 | arg) using the
> > AAEON_MCU_REG() macro defined in the shared header. The regmap
> > instance is shared with child drivers via dev_get_regmap().
> > Concurrent
> > I2C accesses from child drivers are serialized by regmap's built-in
> > locking.
> >
> > Co-developed-by: Jérémie Dautheribes (Schneider Electric)
> > <jeremie.dautheribes@bootlin.com>
> > Signed-off-by: Jérémie Dautheribes (Schneider Electric)
> > <jeremie.dautheribes@bootlin.com>
> > Signed-off-by: Thomas Perrot (Schneider Electric)
> > <thomas.perrot@bootlin.com>
> > ---
> > MAINTAINERS | 2 +
> > drivers/mfd/Kconfig | 10 +++
> > drivers/mfd/Makefile | 1 +
> > drivers/mfd/aaeon-mcu.c | 155
> > ++++++++++++++++++++++++++++++++++++++++++
> > include/linux/mfd/aaeon-mcu.h | 20 ++++++
> > 5 files changed, 188 insertions(+)
> >
> > diff --git a/MAINTAINERS b/MAINTAINERS
> > index
> > ea9d55f76f3509c7f6ba6d1bc86ca2e2e71aa954..f91b6a1826d04bef8a0f88221
> > f6c8e8a3652cd77 100644
> > --- a/MAINTAINERS
> > +++ b/MAINTAINERS
> > @@ -191,6 +191,8 @@ M: Thomas Perrot <thomas.perrot@bootlin.com>
> > R: Jérémie Dautheribes <jeremie.dautheribes@bootlin.com>
> > S: Maintained
> > F: Documentation/devicetree/bindings/mfd/aaeon,srg-imx8p-
> > mcu.yaml
> > +F: drivers/mfd/aaeon-mcu.c
> > +F: include/linux/mfd/aaeon-mcu.h
> >
> > AAEON UPBOARD FPGA MFD DRIVER
> > M: Thomas Richard <thomas.richard@bootlin.com>
> > diff --git a/drivers/mfd/Kconfig b/drivers/mfd/Kconfig
> > index
> > aace5766b38aa5e46e32a8a7b42eea238159fbcf..7a1ceedece899faad7a03a1fe
> > 7b1c91b72253c05 100644
> > --- a/drivers/mfd/Kconfig
> > +++ b/drivers/mfd/Kconfig
> > @@ -1574,6 +1574,16 @@ config AB8500_CORE
> > the irq_chip parts for handling the Mixed Signal chip
> > events.
> > This chip embeds various other multimedia
> > functionalities as well.
> >
> > +config MFD_AAEON_MCU
> > + tristate "Aaeon SRG-IMX8P MCU Driver"
> > + depends on I2C || COMPILE_TEST
> > + select MFD_CORE
> > + help
> > + Select this option to enable support for the Aaeon SRG-
> > IMX8P
> > + onboard microcontroller (MCU). This driver provides the
> > core
> > + functionality to communicate with the MCU over I2C. The
> > MCU
> > + provides GPIO and watchdog functionality.
> > +
> > config MFD_DB8500_PRCMU
> > bool "ST-Ericsson DB8500 Power Reset Control Management
> > Unit"
> > depends on UX500_SOC_DB8500
> > diff --git a/drivers/mfd/Makefile b/drivers/mfd/Makefile
> > index
> > e75e8045c28afae975ac61d282b3b85af5440119..34db5b033584368b7a269b1ee
> > f12528a74baf8f5 100644
> > --- a/drivers/mfd/Makefile
> > +++ b/drivers/mfd/Makefile
> > @@ -8,6 +8,7 @@ obj-$(CONFIG_MFD_88PM860X) += 88pm860x.o
> > obj-$(CONFIG_MFD_88PM800) += 88pm800.o 88pm80x.o
> > obj-$(CONFIG_MFD_88PM805) += 88pm805.o 88pm80x.o
> > obj-$(CONFIG_MFD_88PM886_PMIC) += 88pm886.o
> > +obj-$(CONFIG_MFD_AAEON_MCU) += aaeon-mcu.o
> > obj-$(CONFIG_MFD_ACT8945A) += act8945a.o
> > obj-$(CONFIG_MFD_SM501) += sm501.o
> > obj-$(CONFIG_ARCH_BCM2835) += bcm2835-pm.o
> > diff --git a/drivers/mfd/aaeon-mcu.c b/drivers/mfd/aaeon-mcu.c
> > new file mode 100644
> > index
> > 0000000000000000000000000000000000000000..5a969890d201c027eb25c324b
> > 4d4d89b1f8c563e
> > --- /dev/null
> > +++ b/drivers/mfd/aaeon-mcu.c
> > @@ -0,0 +1,155 @@
> > +// SPDX-License-Identifier: GPL-2.0-or-later
> > +/*
> > + * Aaeon MCU driver
> > + *
> > + * Copyright (C) 2025 Bootlin
> > + * Author: Jérémie Dautheribes <jeremie.dautheribes@bootlin.com>
> > + * Author: Thomas Perrot <thomas.perrot@bootlin.com>
> > + */
>
> Consider updating the Copyright date - we're pretty deep into 2026 at
> this point.
>
> > +#include <linux/err.h>
> > +#include <linux/i2c.h>
> > +#include <linux/mfd/core.h>
> > +#include <linux/platform_device.h>
> > +#include <linux/regmap.h>
> > +
> > +static const struct mfd_cell aaeon_mcu_devs[] = {
> > + {
> > + .name = "aaeon-mcu-wdt",
> > + },
> > + {
> > + .name = "aaeon-mcu-gpio",
> > + },
> > +};
>
> MFD_CELL_BASIC()
>
> > +/*
> > + * Custom regmap bus for the Aaeon MCU I2C protocol.
> > + *
> > + * The MCU uses a fixed 3-byte command format [opcode, arg, value]
> > followed
> > + * by a 1-byte response. It requires a STOP condition between the
> > command
> > + * write and the response read, so two separate i2c_transfer()
> > calls are
> > + * issued. The regmap lock serialises concurrent accesses from
> > the GPIO
> > + * and watchdog child drivers.
> > + *
> > + * Register addresses are encoded as a 16-bit big-endian value
> > where the
> > + * high byte is the opcode and the low byte is the argument,
> > matching the
> > + * wire layout produced by regmap for reg_bits=16.
> > + */
> > +
> > +static int aaeon_mcu_regmap_write(void *context, const void *data,
> > size_t count)
> > +{
> > + struct i2c_client *client = context;
> > + /* data = [opcode, arg, value] as formatted by regmap */
> > + struct i2c_msg write_msg = {
> > + .addr = client->addr,
> > + .flags = 0,
> > + .buf = (u8 *)data,
> > + .len = count,
> > + };
> > + u8 rsp;
> > + /* The MCU always sends a response byte after each
> > command; discard it. */
> > + struct i2c_msg rsp_msg = {
>
> Assuming 'rsp' means response, let's just write that out in full.
>
> Readability wins over brevity every time.
>
> > + .addr = client->addr,
> > + .flags = I2C_M_RD,
> > + .buf = &rsp,
> > + .len = 1,
> > + };
> > + int ret;
>
> Since some I2C host controllers might use DMA, should we ensure that
> the
> 'rsp' buffer is allocated in DMA-safe memory rather than on the stack
> to
> prevent potential cache-line corruption?
>
> Also allocation of structs during in declaration statements is rough!
>
> And adding that u8 in the middle is just rubbing it in.
>
> > + ret = i2c_transfer(client->adapter, &write_msg, 1);
> > + if (ret < 0)
> > + return ret;
> > + if (ret != 1)
> > + return -EIO;
> > +
> > + ret = i2c_transfer(client->adapter, &rsp_msg, 1);
> > + if (ret < 0)
> > + return ret;
> > + if (ret != 1)
> > + return -EIO;
> > +
> > + return 0;
> > +}
> > +
> > +static int aaeon_mcu_regmap_read(void *context, const void
> > *reg_buf,
> > + size_t reg_size, void *val_buf,
> > size_t val_size)
> > +{
> > + struct i2c_client *client = context;
> > + /*
> > + * reg_buf holds the 2-byte big-endian register address
> > [opcode, arg].
> > + * Append a trailing 0x00 to form the full 3-byte MCU
> > command.
> > + */
> > + u8 cmd[3] = { ((u8 *)reg_buf)[0], ((u8 *)reg_buf)[1], 0x00
> > };
> > + struct i2c_msg write_msg = {
> > + .addr = client->addr,
> > + .flags = 0,
> > + .buf = cmd,
> > + .len = sizeof(cmd),
> > + };
> > + struct i2c_msg read_msg = {
> > + .addr = client->addr,
> > + .flags = I2C_M_RD,
> > + .buf = val_buf,
> > + .len = val_size,
> > + };
> > + int ret;
> > +
> > + ret = i2c_transfer(client->adapter, &write_msg, 1);
> > + if (ret < 0)
> > + return ret;
> > + if (ret != 1)
> > + return -EIO;
> > +
> > + ret = i2c_transfer(client->adapter, &read_msg, 1);
> > + if (ret < 0)
> > + return ret;
> > + if (ret != 1)
> > + return -EIO;
> > +
> > + return 0;
> > +}
> > +
> > +static const struct regmap_bus aaeon_mcu_regmap_bus = {
> > + .write = aaeon_mcu_regmap_write,
> > + .read = aaeon_mcu_regmap_read,
> > +};
> > +
> > +static const struct regmap_config aaeon_mcu_regmap_config = {
> > + .reg_bits = 16,
> > + .val_bits = 8,
> > + .reg_format_endian = REGMAP_ENDIAN_BIG,
> > + .cache_type = REGCACHE_NONE,
>
> Are you sure? Why none?
The GPIO and watchdog states are managed entirely by the MCU firmware,
which makes the design safer because every access goes directly to the
hardware. I will look into adding a cache; otherwise I will add a
comment in v5.
>
> > +};
> > +
> > +static int aaeon_mcu_probe(struct i2c_client *client)
> > +{
> > + struct regmap *regmap;
> > +
> > + regmap = devm_regmap_init(&client->dev,
> > &aaeon_mcu_regmap_bus,
> > + client,
> > &aaeon_mcu_regmap_config);
> > + if (IS_ERR(regmap))
> > + return PTR_ERR(regmap);
>
> dev_err_probe()
>
> > +
> > + return devm_mfd_add_devices(&client->dev,
> > PLATFORM_DEVID_NONE,
> > + aaeon_mcu_devs,
> > ARRAY_SIZE(aaeon_mcu_devs),
> > + NULL, 0, NULL);
>
> Why PLATFORM_DEVID_NONE over AUTO here?
No strong reason, it was an oversight. Since multiple instances of this
MCU could theoretically be present, AUTO is the safer choice and avoids
potential ID collisions.
Fixed in v5.
>
> > +}
> > +
> > +static const struct of_device_id aaeon_mcu_of_match[] = {
> > + { .compatible = "aaeon,srg-imx8p-mcu" },
> > + {},
> > +};
> > +MODULE_DEVICE_TABLE(of, aaeon_mcu_of_match);
> > +
> > +static struct i2c_driver aaeon_mcu_driver = {
> > + .driver = {
> > + .name = "aaeon_mcu",
> > + .of_match_table = aaeon_mcu_of_match,
> > + },
> > + .probe = aaeon_mcu_probe,
> > +};
> > +module_i2c_driver(aaeon_mcu_driver);
> > +
> > +MODULE_DESCRIPTION("Aaeon MCU Driver");
> > +MODULE_AUTHOR("Jérémie Dautheribes
> > <jeremie.dautheribes@bootlin.com>");
> > +MODULE_LICENSE("GPL");
> > diff --git a/include/linux/mfd/aaeon-mcu.h
> > b/include/linux/mfd/aaeon-mcu.h
> > new file mode 100644
> > index
> > 0000000000000000000000000000000000000000..861003f6dfd20424c3785008b
> > d2cf89aaa1715b9
> > --- /dev/null
> > +++ b/include/linux/mfd/aaeon-mcu.h
> > @@ -0,0 +1,20 @@
> > +/* SPDX-License-Identifier: GPL-2.0-or-later */
> > +/*
> > + * Aaeon MCU driver definitions
> > + *
> > + * Copyright (C) 2025 Bootlin
> > + * Author: Jérémie Dautheribes <jeremie.dautheribes@bootlin.com>
> > + * Author: Thomas Perrot <thomas.perrot@bootlin.com>
> > + */
>
> As above.
>
> > +
> > +#ifndef __LINUX_MFD_AAEON_MCU_H
> > +#define __LINUX_MFD_AAEON_MCU_H
> > +
> > +/*
> > + * MCU register address: the high byte is the command opcode, the
> > low
> > + * byte is the argument. This matches the 3-byte wire format
> > + * [opcode, arg, value] used by the MCU I2C protocol.
> > + */
> > +#define AAEON_MCU_REG(op, arg) (((op) << 8) | (arg))
>
> Where else is this used?
It is used by both child drivers:
- drivers/gpio/gpio-aaeon-mcu.c
- drivers/watchdog/aaeon_mcu_wdt.c
This macro encodes the regmap register address from the opcode and
argument that form the first two bytes of the MCU's 3-byte wire
command, so keeping it in the shared header avoids duplicating that
encoding in each child.
Kind regards,
Thomas Perrot
>
> > +#endif /* __LINUX_MFD_AAEON_MCU_H */
> >
> > --
> > 2.53.0
> >
--
Thomas Perrot, Bootlin
Embedded Linux and kernel engineering
https://bootlin.com
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply
* Re: [PATCH 06/33] rust: kbuild: remove skipping of `-Wrustdoc::unescaped_backticks`
From: Gary Guo @ 2026-04-01 13:44 UTC (permalink / raw)
To: Miguel Ojeda, Nathan Chancellor, Nicolas Schier, Danilo Krummrich,
Andreas Hindborg, Catalin Marinas, Will Deacon, Paul Walmsley,
Palmer Dabbelt, Albert Ou, Alexandre Courbot, David Airlie,
Simona Vetter, Brendan Higgins, David Gow, Greg Kroah-Hartman,
Arve Hjønnevåg, Todd Kjos, Christian Brauner,
Carlos Llamas, Alice Ryhl, Jonathan Corbet
Cc: Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin,
Trevor Gross, rust-for-linux, linux-kbuild, Lorenzo Stoakes,
Vlastimil Babka, Liam R . Howlett, Uladzislau Rezki, linux-block,
moderated for non-subscribers, Alexandre Ghiti, linux-riscv,
nouveau, dri-devel, Rae Moar, linux-kselftest, kunit-dev,
Nick Desaulniers, Bill Wendling, Justin Stitt, llvm, linux-kernel,
Shuah Khan, linux-doc
In-Reply-To: <20260401114540.30108-7-ojeda@kernel.org>
On Wed Apr 1, 2026 at 12:45 PM BST, Miguel Ojeda wrote:
> Back in Rust 1.82.0, I cleaned the `rustdoc::unescaped_backticks` lint in
> upstream Rust and added tests so that hopefully it would not regress [1].
>
> Thus we can remove it from our side given the Rust minimum version bump.
>
> Link: https://github.com/rust-lang/rust/pull/128307 [1]
> Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Reviewed-by: Gary Guo <gary@garyguo.net>
> ---
> rust/Makefile | 5 +----
> 1 file changed, 1 insertion(+), 4 deletions(-)
^ permalink raw reply
* Re: [PATCH 05/33] rust: remove `RUSTC_HAS_COERCE_POINTEE` and simplify code
From: Gary Guo @ 2026-04-01 13:44 UTC (permalink / raw)
To: Miguel Ojeda, Nathan Chancellor, Nicolas Schier, Danilo Krummrich,
Andreas Hindborg, Catalin Marinas, Will Deacon, Paul Walmsley,
Palmer Dabbelt, Albert Ou, Alexandre Courbot, David Airlie,
Simona Vetter, Brendan Higgins, David Gow, Greg Kroah-Hartman,
Arve Hjønnevåg, Todd Kjos, Christian Brauner,
Carlos Llamas, Alice Ryhl, Jonathan Corbet
Cc: Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin,
Trevor Gross, rust-for-linux, linux-kbuild, Lorenzo Stoakes,
Vlastimil Babka, Liam R . Howlett, Uladzislau Rezki, linux-block,
moderated for non-subscribers, Alexandre Ghiti, linux-riscv,
nouveau, dri-devel, Rae Moar, linux-kselftest, kunit-dev,
Nick Desaulniers, Bill Wendling, Justin Stitt, llvm, linux-kernel,
Shuah Khan, linux-doc
In-Reply-To: <20260401114540.30108-6-ojeda@kernel.org>
On Wed Apr 1, 2026 at 12:45 PM BST, Miguel Ojeda wrote:
> With the Rust version bump in place, the `RUSTC_HAS_COERCE_POINTEE`
> Kconfig (automatic) option is always true.
>
> Thus remove the option and simplify the code.
>
> In particular, this includes removing our use of the predecessor unstable
> features we used with Rust < 1.84.0 (`coerce_unsized`, `dispatch_from_dyn`
> and `unsize`).
>
> Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Reviewed-by: Gary Guo <gary@garyguo.net>
> ---
> init/Kconfig | 3 ---
> rust/kernel/alloc/kbox.rs | 29 ++---------------------------
> rust/kernel/lib.rs | 8 +-------
> rust/kernel/list/arc.rs | 22 +---------------------
> rust/kernel/sync/arc.rs | 21 ++-------------------
> 5 files changed, 6 insertions(+), 77 deletions(-)
^ permalink raw reply
* [PATCH 6.1.y 5/8] nvme-apple: remove an extra queue reference
From: Heyne, Maximilian @ 2026-04-01 13:37 UTC (permalink / raw)
To: stable@vger.kernel.org
Cc: Heyne, Maximilian, Christoph Hellwig, Sagi Grimberg, Sven Peter,
Chaitanya Kulkarni, Keith Busch, Jens Axboe, Hector Martin,
Alyssa Rosenzweig, James E.J. Bottomley, Martin K. Petersen,
Alim Akhtar, Avri Altman, Bart Van Assche, Sasha Levin,
Peter Wang, Greg Kroah-Hartman, Seunghui Lee, Sanjeev Yadav,
Wonkon Kim, Brian Kao, Hannes Reinecke, Ming Lei,
linux-block@vger.kernel.org, linux-kernel@vger.kernel.org,
asahi@lists.linux.dev, linux-arm-kernel@lists.infradead.org,
linux-nvme@lists.infradead.org, linux-scsi@vger.kernel.org
In-Reply-To: <20260401-defer-gleam-5226cb65@mheyne-amazon>
From: Christoph Hellwig <hch@lst.de>
[ Upstream commit 941f7298c70c7668416e7845fa76eb72c07d966b ]
Now that blk_mq_destroy_queue does not release the queue reference, there
is no need for a second admin queue reference to be held by the
apple_nvme structure.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Sven Peter <sven@svenpeter.dev>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Link: https://lore.kernel.org/r/20221018135720.670094-5-hch@lst.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
---
drivers/nvme/host/apple.c | 9 ---------
1 file changed, 9 deletions(-)
diff --git a/drivers/nvme/host/apple.c b/drivers/nvme/host/apple.c
index c5fc293c22123..c84ebfcfdeb88 100644
--- a/drivers/nvme/host/apple.c
+++ b/drivers/nvme/host/apple.c
@@ -1507,15 +1507,6 @@ static int apple_nvme_probe(struct platform_device *pdev)
goto put_dev;
}
- if (!blk_get_queue(anv->ctrl.admin_q)) {
- nvme_start_admin_queue(&anv->ctrl);
- blk_mq_destroy_queue(anv->ctrl.admin_q);
- blk_put_queue(anv->ctrl.admin_q);
- anv->ctrl.admin_q = NULL;
- ret = -ENODEV;
- goto put_dev;
- }
-
nvme_reset_ctrl(&anv->ctrl);
async_schedule(apple_nvme_async_probe, anv);
--
2.50.1
Amazon Web Services Development Center Germany GmbH
Tamara-Danz-Str. 13
10243 Berlin
Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger
Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B
Sitz: Berlin
Ust-ID: DE 365 538 597
^ permalink raw reply related
* [PATCH 6.1.y 8/8] nvme: fix admin queue leak on controller reset
From: Heyne, Maximilian @ 2026-04-01 13:37 UTC (permalink / raw)
To: stable@vger.kernel.org
Cc: Heyne, Maximilian, Ming Lei, Keith Busch, Yi Zhang, Jens Axboe,
Hector Martin, Sven Peter, Alyssa Rosenzweig, Christoph Hellwig,
Sagi Grimberg, James E.J. Bottomley, Martin K. Petersen,
Alim Akhtar, Avri Altman, Bart Van Assche, Sasha Levin,
Peter Wang, Greg Kroah-Hartman, Seunghui Lee, Adrian Hunter,
Bean Huo, Brian Kao, Sanjeev Yadav, Wonkon Kim,
Chaitanya Kulkarni, Hannes Reinecke, linux-block@vger.kernel.org,
linux-kernel@vger.kernel.org, asahi@lists.linux.dev,
linux-arm-kernel@lists.infradead.org,
linux-nvme@lists.infradead.org, linux-scsi@vger.kernel.org
In-Reply-To: <20260401-defer-gleam-5226cb65@mheyne-amazon>
From: Ming Lei <ming.lei@redhat.com>
[ Upstream commit b84bb7bd913d8ca2f976ee6faf4a174f91c02b8d ]
When nvme_alloc_admin_tag_set() is called during a controller reset,
a previous admin queue may still exist. Release it properly before
allocating a new one to avoid orphaning the old queue.
This fixes a regression introduced by commit 03b3bcd319b3 ("nvme: fix
admin request_queue lifetime").
Cc: Keith Busch <kbusch@kernel.org>
Fixes: 03b3bcd319b3 ("nvme: fix admin request_queue lifetime").
Reported-and-tested-by: Yi Zhang <yi.zhang@redhat.com>
Closes: https://lore.kernel.org/linux-block/CAHj4cs9wv3SdPo+N01Fw2SHBYDs9tj2M_e1-GdQOkRy=DsBB1w@mail.gmail.com/
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
[ Have to do analogous work in nvme_pci_alloc_admin_tag_set in pci.c due
to missing upstream commit 0da7feaa5913 ("nvme-pci: use the tagset
alloc/free helpers") ]
Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
---
drivers/nvme/host/core.c | 7 +++++++
drivers/nvme/host/pci.c | 7 +++++++
2 files changed, 14 insertions(+)
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index f17318f6c82b0..09439fa7d083a 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -5012,6 +5012,13 @@ int nvme_alloc_admin_tag_set(struct nvme_ctrl *ctrl, struct blk_mq_tag_set *set,
if (ret)
return ret;
+ /*
+ * If a previous admin queue exists (e.g., from before a reset),
+ * put it now before allocating a new one to avoid orphaning it.
+ */
+ if (ctrl->admin_q)
+ blk_put_queue(ctrl->admin_q);
+
ctrl->admin_q = blk_mq_init_queue(set);
if (IS_ERR(ctrl->admin_q)) {
ret = PTR_ERR(ctrl->admin_q);
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index e8b7b0004086c..07ca1e1d920b8 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1804,6 +1804,13 @@ static int nvme_pci_alloc_admin_tag_set(struct nvme_dev *dev)
return -ENOMEM;
dev->ctrl.admin_tagset = set;
+ /*
+ * If a previous admin queue exists (e.g., from before a reset),
+ * put it now before allocating a new one to avoid orphaning it.
+ */
+ if (dev->ctrl.admin_q)
+ blk_put_queue(dev->ctrl.admin_q);
+
dev->ctrl.admin_q = blk_mq_init_queue(set);
if (IS_ERR(dev->ctrl.admin_q)) {
blk_mq_free_tag_set(set);
--
2.50.1
Amazon Web Services Development Center Germany GmbH
Tamara-Danz-Str. 13
10243 Berlin
Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger
Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B
Sitz: Berlin
Ust-ID: DE 365 538 597
^ permalink raw reply related
* [PATCH 6.1.y 4/8] nvme-pci: remove an extra queue reference
From: Heyne, Maximilian @ 2026-04-01 13:37 UTC (permalink / raw)
To: stable@vger.kernel.org
Cc: Heyne, Maximilian, Christoph Hellwig, Sagi Grimberg,
Chaitanya Kulkarni, Keith Busch, Jens Axboe, Hector Martin,
Sven Peter, Alyssa Rosenzweig, James E.J. Bottomley,
Martin K. Petersen, Alim Akhtar, Avri Altman, Bart Van Assche,
Sasha Levin, Peter Wang, Greg Kroah-Hartman, Bean Huo, Brian Kao,
Wonkon Kim, Seunghui Lee, Sanjeev Yadav, Hannes Reinecke,
Ming Lei, linux-block@vger.kernel.org,
linux-kernel@vger.kernel.org, asahi@lists.linux.dev,
linux-arm-kernel@lists.infradead.org,
linux-nvme@lists.infradead.org, linux-scsi@vger.kernel.org
In-Reply-To: <20260401-defer-gleam-5226cb65@mheyne-amazon>
From: Christoph Hellwig <hch@lst.de>
[ Upstream commit 7dcebef90d35de13a326f765dd787538880566f9 ]
Now that blk_mq_destroy_queue does not release the queue reference, there
is no need for a second admin queue reference to be held by the nvme_dev.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Link: https://lore.kernel.org/r/20221018135720.670094-4-hch@lst.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Stable-dep-of: 03b3bcd319b3 ("nvme: fix admin request_queue lifetime")
Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
---
drivers/nvme/host/pci.c | 6 ------
1 file changed, 6 deletions(-)
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 727585f580362..13c0098939ec0 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1782,7 +1782,6 @@ static void nvme_dev_remove_admin(struct nvme_dev *dev)
*/
nvme_start_admin_queue(&dev->ctrl);
blk_mq_destroy_queue(dev->ctrl.admin_q);
- blk_put_queue(dev->ctrl.admin_q);
blk_mq_free_tag_set(&dev->admin_tagset);
}
}
@@ -1811,11 +1810,6 @@ static int nvme_pci_alloc_admin_tag_set(struct nvme_dev *dev)
dev->ctrl.admin_q = NULL;
return -ENOMEM;
}
- if (!blk_get_queue(dev->ctrl.admin_q)) {
- nvme_dev_remove_admin(dev);
- dev->ctrl.admin_q = NULL;
- return -ENODEV;
- }
return 0;
}
--
2.50.1
Amazon Web Services Development Center Germany GmbH
Tamara-Danz-Str. 13
10243 Berlin
Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger
Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B
Sitz: Berlin
Ust-ID: DE 365 538 597
^ permalink raw reply related
* [PATCH 6.1.y 6/8] nvme-pci: put the admin queue in nvme_dev_remove_admin
From: Heyne, Maximilian @ 2026-04-01 13:37 UTC (permalink / raw)
To: stable@vger.kernel.org
Cc: Heyne, Maximilian, Christoph Hellwig, Keith Busch, Sagi Grimberg,
Chaitanya Kulkarni, Jens Axboe, Hector Martin, Sven Peter,
Alyssa Rosenzweig, James E.J. Bottomley, Martin K. Petersen,
Alim Akhtar, Avri Altman, Bart Van Assche, Sasha Levin,
Peter Wang, Greg Kroah-Hartman, Seunghui Lee, Brian Kao,
Adrian Hunter, Sanjeev Yadav, Wonkon Kim, Hannes Reinecke,
Ming Lei, linux-block@vger.kernel.org,
linux-kernel@vger.kernel.org, asahi@lists.linux.dev,
linux-arm-kernel@lists.infradead.org,
linux-nvme@lists.infradead.org, linux-scsi@vger.kernel.org
In-Reply-To: <20260401-defer-gleam-5226cb65@mheyne-amazon>
From: Christoph Hellwig <hch@lst.de>
[ Upstream commit 96ef1be53663a9343dffcf106e2f1b59da4b8799 ]
Once the controller is shutdown no one can access the admin queue. Tear
it down in nvme_dev_remove_admin, which matches the flow in the other
drivers.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Tested-by Gerd Bayer <gbayer@linxu.ibm.com>
Stable-dep-of: 03b3bcd319b3 ("nvme: fix admin request_queue lifetime")
[ Context change due to missing commit 94cc781f69f4 ("nvme: move OPAL
setup from PCIe to core")]
Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
---
drivers/nvme/host/pci.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 13c0098939ec0..38732c0c28bbb 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1782,6 +1782,7 @@ static void nvme_dev_remove_admin(struct nvme_dev *dev)
*/
nvme_start_admin_queue(&dev->ctrl);
blk_mq_destroy_queue(dev->ctrl.admin_q);
+ blk_put_queue(dev->ctrl.admin_q);
blk_mq_free_tag_set(&dev->admin_tagset);
}
}
@@ -2831,8 +2832,6 @@ static void nvme_pci_free_ctrl(struct nvme_ctrl *ctrl)
nvme_dbbuf_dma_free(dev);
nvme_free_tagset(dev);
- if (dev->ctrl.admin_q)
- blk_put_queue(dev->ctrl.admin_q);
free_opal_dev(dev->ctrl.opal_dev);
mempool_destroy(dev->iod_mempool);
put_device(dev->dev);
--
2.50.1
Amazon Web Services Development Center Germany GmbH
Tamara-Danz-Str. 13
10243 Berlin
Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger
Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B
Sitz: Berlin
Ust-ID: DE 365 538 597
^ permalink raw reply related
* [PATCH 6.1.y 7/8] nvme: fix admin request_queue lifetime
From: Heyne, Maximilian @ 2026-04-01 13:37 UTC (permalink / raw)
To: stable@vger.kernel.org
Cc: Heyne, Maximilian, Keith Busch, Casey Chen, Christoph Hellwig,
Hannes Reinecke, Ming Lei, Chaitanya Kulkarni, Jens Axboe,
Hector Martin, Sven Peter, Alyssa Rosenzweig, Sagi Grimberg,
James E.J. Bottomley, Martin K. Petersen, Alim Akhtar,
Avri Altman, Bart Van Assche, Sasha Levin, Peter Wang,
Greg Kroah-Hartman, Wonkon Kim, Sanjeev Yadav, Brian Kao,
Seunghui Lee, linux-block@vger.kernel.org,
linux-kernel@vger.kernel.org, asahi@lists.linux.dev,
linux-arm-kernel@lists.infradead.org,
linux-nvme@lists.infradead.org, linux-scsi@vger.kernel.org
In-Reply-To: <20260401-defer-gleam-5226cb65@mheyne-amazon>
From: Keith Busch <kbusch@kernel.org>
[ Upstream commit 03b3bcd319b3ab5182bc9aaa0421351572c78ac0]
The namespaces can access the controller's admin request_queue, and
stale references on the namespaces may exist after tearing down the
controller. Ensure the admin request_queue is active by moving the
controller's 'put' to after all controller references have been released
to ensure no one is can access the request_queue. This fixes a reported
use-after-free bug:
BUG: KASAN: slab-use-after-free in blk_queue_enter+0x41c/0x4a0
Read of size 8 at addr ffff88c0a53819f8 by task nvme/3287
CPU: 67 UID: 0 PID: 3287 Comm: nvme Tainted: G E 6.13.2-ga1582f1a031e #15
Tainted: [E]=UNSIGNED_MODULE
Hardware name: Jabil /EGS 2S MB1, BIOS 1.00 06/18/2025
Call Trace:
<TASK>
dump_stack_lvl+0x4f/0x60
print_report+0xc4/0x620
? _raw_spin_lock_irqsave+0x70/0xb0
? _raw_read_unlock_irqrestore+0x30/0x30
? blk_queue_enter+0x41c/0x4a0
kasan_report+0xab/0xe0
? blk_queue_enter+0x41c/0x4a0
blk_queue_enter+0x41c/0x4a0
? __irq_work_queue_local+0x75/0x1d0
? blk_queue_start_drain+0x70/0x70
? irq_work_queue+0x18/0x20
? vprintk_emit.part.0+0x1cc/0x350
? wake_up_klogd_work_func+0x60/0x60
blk_mq_alloc_request+0x2b7/0x6b0
? __blk_mq_alloc_requests+0x1060/0x1060
? __switch_to+0x5b7/0x1060
nvme_submit_user_cmd+0xa9/0x330
nvme_user_cmd.isra.0+0x240/0x3f0
? force_sigsegv+0xe0/0xe0
? nvme_user_cmd64+0x400/0x400
? vfs_fileattr_set+0x9b0/0x9b0
? cgroup_update_frozen_flag+0x24/0x1c0
? cgroup_leave_frozen+0x204/0x330
? nvme_ioctl+0x7c/0x2c0
blkdev_ioctl+0x1a8/0x4d0
? blkdev_common_ioctl+0x1930/0x1930
? fdget+0x54/0x380
__x64_sys_ioctl+0x129/0x190
do_syscall_64+0x5b/0x160
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f765f703b0b
Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d dd 52 0f 00 f7 d8 64 89 01 48
RSP: 002b:00007ffe2cefe808 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffe2cefe860 RCX: 00007f765f703b0b
RDX: 00007ffe2cefe860 RSI: 00000000c0484e41 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000
R10: 00007f765f611d50 R11: 0000000000000202 R12: 0000000000000003
R13: 00000000c0484e41 R14: 0000000000000001 R15: 00007ffe2cefea60
</TASK>
Reported-by: Casey Chen <cachen@purestorage.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
[ Because we're missing commit 0da7feaa5913 ("nvme-pci: use the tagset
alloc/free helpers") we need to additionally remove the blk_put_queue
from nvme_dev_remove_admin in pci.c to properly fix the UAF ]
Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
---
drivers/nvme/host/core.c | 3 ++-
drivers/nvme/host/pci.c | 1 -
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 044e1a9c099b3..f17318f6c82b0 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -5043,7 +5043,6 @@ EXPORT_SYMBOL_GPL(nvme_alloc_admin_tag_set);
void nvme_remove_admin_tag_set(struct nvme_ctrl *ctrl)
{
blk_mq_destroy_queue(ctrl->admin_q);
- blk_put_queue(ctrl->admin_q);
if (ctrl->ops->flags & NVME_F_FABRICS) {
blk_mq_destroy_queue(ctrl->fabrics_q);
blk_put_queue(ctrl->fabrics_q);
@@ -5186,6 +5185,8 @@ static void nvme_free_ctrl(struct device *dev)
container_of(dev, struct nvme_ctrl, ctrl_device);
struct nvme_subsystem *subsys = ctrl->subsys;
+ if (ctrl->admin_q)
+ blk_put_queue(ctrl->admin_q);
if (!subsys || ctrl->instance != subsys->instance)
ida_free(&nvme_instance_ida, ctrl->instance);
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 38732c0c28bbb..e8b7b0004086c 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1782,7 +1782,6 @@ static void nvme_dev_remove_admin(struct nvme_dev *dev)
*/
nvme_start_admin_queue(&dev->ctrl);
blk_mq_destroy_queue(dev->ctrl.admin_q);
- blk_put_queue(dev->ctrl.admin_q);
blk_mq_free_tag_set(&dev->admin_tagset);
}
}
--
2.50.1
Amazon Web Services Development Center Germany GmbH
Tamara-Danz-Str. 13
10243 Berlin
Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger
Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B
Sitz: Berlin
Ust-ID: DE 365 538 597
^ permalink raw reply related
* [PATCH 6.1.y 3/8] scsi: remove an extra queue reference
From: Heyne, Maximilian @ 2026-04-01 13:37 UTC (permalink / raw)
To: stable@vger.kernel.org
Cc: Heyne, Maximilian, Christoph Hellwig, Sagi Grimberg,
Chaitanya Kulkarni, Keith Busch, Jens Axboe, Hector Martin,
Sven Peter, Alyssa Rosenzweig, James E.J. Bottomley,
Martin K. Petersen, Alim Akhtar, Avri Altman, Bart Van Assche,
Sasha Levin, Peter Wang, Greg Kroah-Hartman, Bean Huo, Brian Kao,
Seunghui Lee, Sanjeev Yadav, Wonkon Kim, Ming Lei,
Hannes Reinecke, linux-block@vger.kernel.org,
linux-kernel@vger.kernel.org, asahi@lists.linux.dev,
linux-arm-kernel@lists.infradead.org,
linux-nvme@lists.infradead.org, linux-scsi@vger.kernel.org
In-Reply-To: <20260401-defer-gleam-5226cb65@mheyne-amazon>
From: Christoph Hellwig <hch@lst.de>
[ Upstream commit dc917c361422388f0d39d3f0dc2bc5a188c01156 ]
Now that blk_mq_destroy_queue does not release the queue reference, there
is no need for a second queue reference to be held by the scsi_device.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Link: https://lore.kernel.org/r/20221018135720.670094-3-hch@lst.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
---
drivers/scsi/scsi_scan.c | 1 -
drivers/scsi/scsi_sysfs.c | 1 -
2 files changed, 2 deletions(-)
diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c
index 696f178fb57d8..0eaec372f7560 100644
--- a/drivers/scsi/scsi_scan.c
+++ b/drivers/scsi/scsi_scan.c
@@ -344,7 +344,6 @@ static struct scsi_device *scsi_alloc_sdev(struct scsi_target *starget,
sdev->request_queue = q;
q->queuedata = sdev;
__scsi_init_queue(sdev->host, q);
- WARN_ON_ONCE(!blk_get_queue(q));
depth = sdev->host->cmd_per_lun ?: 1;
diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
index af81b2ba0c9b3..456b92c3a7811 100644
--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@ -1486,7 +1486,6 @@ void __scsi_remove_device(struct scsi_device *sdev)
mutex_unlock(&sdev->state_mutex);
blk_mq_destroy_queue(sdev->request_queue);
- blk_put_queue(sdev->request_queue);
kref_put(&sdev->host->tagset_refcnt, scsi_mq_free_tags);
cancel_work_sync(&sdev->requeue_work);
--
2.50.1
Amazon Web Services Development Center Germany GmbH
Tamara-Danz-Str. 13
10243 Berlin
Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger
Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B
Sitz: Berlin
Ust-ID: DE 365 538 597
^ permalink raw reply related
* [PATCH 6.1.y 0/8] nvme: correctly fix admin request_queue lifetime
From: Heyne, Maximilian @ 2026-04-01 13:36 UTC (permalink / raw)
To: stable@vger.kernel.org
Cc: Heyne, Maximilian, Jens Axboe, Hector Martin, Sven Peter,
Alyssa Rosenzweig, Keith Busch, Christoph Hellwig, Sagi Grimberg,
James E.J. Bottomley, Martin K. Petersen, Alim Akhtar,
Avri Altman, Bart Van Assche, Sasha Levin, Peter Wang,
Greg Kroah-Hartman, Thomas Yen, Bean Huo, Brian Kao, Seunghui Lee,
Sanjeev Yadav, Wonkon Kim, Ming Lei, Hannes Reinecke,
Chaitanya Kulkarni, linux-block@vger.kernel.org,
linux-kernel@vger.kernel.org, asahi@lists.linux.dev,
linux-arm-kernel@lists.infradead.org,
linux-nvme@lists.infradead.org, linux-scsi@vger.kernel.org
The initial attempt to backport upstream commit 03b3bcd319b3 ("nvme: fix
admin request_queue lifetime") was not correct leading to refcount
underflows and not even fixing the problem.
I've tested the reproduction steps from [1] (adding a delay to
nvme_submit_user_cmd and 'echo 1 | sudo tee
/sys/class/nvme/nvme0/delete_controller') on the nvme-tcp driver which
printed the KASAN UAF blurb.
Fixing the issue in the 6.1 series requires a few dependent patches.
This is mainly the upstream commit 2b3f056f72e5 ("blk-mq: move the call
to blk_put_queue out of blk_mq_destroy_queue") which allows to move the
blk_put_queue to a different location. While at it, I'm backporting the
whole patch series for completeness. However, the scsi and apple patches
are not strictly required and could be dropped from this series.
The backport of commit 03b3bcd319b3 ("nvme: fix admin
request_queue lifetime") needed a tweak to the nvme pci driver.
Furthermore, in this patch series I've also included a follow-up fixup
from upstream commit b84bb7bd913d ("nvme: fix admin queue leak on
controller reset"), again with an adaption to the nvme pci driver. This
issue could easily be reproduced by resetting the controller (no need to
run full blktests):
echo 1 > /sys/class/nvme/nvme0/reset_controller
[1] https://lore.kernel.org/all/20251029210853.20768-1-cachen@purestorage.com/
Christoph Hellwig (5):
blk-mq: move the call to blk_put_queue out of blk_mq_destroy_queue
scsi: remove an extra queue reference
nvme-pci: remove an extra queue reference
nvme-apple: remove an extra queue reference
nvme-pci: put the admin queue in nvme_dev_remove_admin
Keith Busch (1):
nvme: fix admin request_queue lifetime
Maximilian Heyne (1):
Revert "nvme: fix admin request_queue lifetime"
Ming Lei (1):
nvme: fix admin queue leak on controller reset
block/blk-mq.c | 4 +---
block/bsg-lib.c | 2 ++
drivers/nvme/host/apple.c | 8 --------
drivers/nvme/host/core.c | 16 ++++++++++++++--
drivers/nvme/host/pci.c | 14 +++++++-------
drivers/scsi/scsi_scan.c | 1 -
drivers/ufs/core/ufshcd.c | 2 ++
7 files changed, 26 insertions(+), 21 deletions(-)
--
2.50.1
Amazon Web Services Development Center Germany GmbH
Tamara-Danz-Str. 13
10243 Berlin
Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger
Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B
Sitz: Berlin
Ust-ID: DE 365 538 597
^ permalink raw reply
* [PATCH 6.1.y 2/8] blk-mq: move the call to blk_put_queue out of blk_mq_destroy_queue
From: Heyne, Maximilian @ 2026-04-01 13:36 UTC (permalink / raw)
To: stable@vger.kernel.org
Cc: Heyne, Maximilian, Christoph Hellwig, Sagi Grimberg,
Chaitanya Kulkarni, Keith Busch, Jens Axboe, Hector Martin,
Sven Peter, Alyssa Rosenzweig, James E.J. Bottomley,
Martin K. Petersen, Alim Akhtar, Avri Altman, Bart Van Assche,
Sasha Levin, Peter Wang, Greg Kroah-Hartman, Seunghwan Baek,
Bean Huo, Thomas Yen, Brian Kao, Seunghui Lee, Sanjeev Yadav,
Wonkon Kim, Hannes Reinecke, Ming Lei,
linux-block@vger.kernel.org, linux-kernel@vger.kernel.org,
asahi@lists.linux.dev, linux-arm-kernel@lists.infradead.org,
linux-nvme@lists.infradead.org, linux-scsi@vger.kernel.org
In-Reply-To: <20260401-defer-gleam-5226cb65@mheyne-amazon>
From: Christoph Hellwig <hch@lst.de>
[ Upstream commit 2b3f056f72e56fa07df69b4705e0b46a6c08e77c ]
The fact that blk_mq_destroy_queue also drops a queue reference leads
to various places having to grab an extra reference. Move the call to
blk_put_queue into the callers to allow removing the extra references.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Link: https://lore.kernel.org/r/20221018135720.670094-2-hch@lst.de
[axboe: fix fabrics_q vs admin_q conflict in nvme core.c]
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Stable-dep-of: 03b3bcd319b3 ("nvme: fix admin request_queue lifetime")
Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
---
block/blk-mq.c | 4 +---
block/bsg-lib.c | 2 ++
drivers/nvme/host/apple.c | 1 +
drivers/nvme/host/core.c | 10 ++++++++--
drivers/nvme/host/pci.c | 1 +
drivers/scsi/scsi_sysfs.c | 1 +
drivers/ufs/core/ufshcd.c | 2 ++
7 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/block/blk-mq.c b/block/blk-mq.c
index a9697541d67f9..8b9e5ca398242 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -4194,9 +4194,6 @@ void blk_mq_destroy_queue(struct request_queue *q)
blk_sync_queue(q);
blk_mq_cancel_work_sync(q);
blk_mq_exit_queue(q);
-
- /* @q is and will stay empty, shutdown and put */
- blk_put_queue(q);
}
EXPORT_SYMBOL(blk_mq_destroy_queue);
@@ -4213,6 +4210,7 @@ struct gendisk *__blk_mq_alloc_disk(struct blk_mq_tag_set *set, void *queuedata,
disk = __alloc_disk_node(q, set->numa_node, lkclass);
if (!disk) {
blk_mq_destroy_queue(q);
+ blk_put_queue(q);
return ERR_PTR(-ENOMEM);
}
set_bit(GD_OWNS_QUEUE, &disk->state);
diff --git a/block/bsg-lib.c b/block/bsg-lib.c
index d6f5dcdce748c..435c32373cd68 100644
--- a/block/bsg-lib.c
+++ b/block/bsg-lib.c
@@ -325,6 +325,7 @@ void bsg_remove_queue(struct request_queue *q)
bsg_unregister_queue(bset->bd);
blk_mq_destroy_queue(q);
+ blk_put_queue(q);
blk_mq_free_tag_set(&bset->tag_set);
kfree(bset);
}
@@ -400,6 +401,7 @@ struct request_queue *bsg_setup_queue(struct device *dev, const char *name,
return q;
out_cleanup_queue:
blk_mq_destroy_queue(q);
+ blk_put_queue(q);
out_queue:
blk_mq_free_tag_set(set);
out_tag_set:
diff --git a/drivers/nvme/host/apple.c b/drivers/nvme/host/apple.c
index 262d2b60ac6dd..c5fc293c22123 100644
--- a/drivers/nvme/host/apple.c
+++ b/drivers/nvme/host/apple.c
@@ -1510,6 +1510,7 @@ static int apple_nvme_probe(struct platform_device *pdev)
if (!blk_get_queue(anv->ctrl.admin_q)) {
nvme_start_admin_queue(&anv->ctrl);
blk_mq_destroy_queue(anv->ctrl.admin_q);
+ blk_put_queue(anv->ctrl.admin_q);
anv->ctrl.admin_q = NULL;
ret = -ENODEV;
goto put_dev;
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 938af571dc13e..044e1a9c099b3 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -5031,6 +5031,7 @@ int nvme_alloc_admin_tag_set(struct nvme_ctrl *ctrl, struct blk_mq_tag_set *set,
out_cleanup_admin_q:
blk_mq_destroy_queue(ctrl->admin_q);
+ blk_put_queue(ctrl->admin_q);
out_free_tagset:
blk_mq_free_tag_set(set);
ctrl->admin_q = NULL;
@@ -5042,8 +5043,11 @@ EXPORT_SYMBOL_GPL(nvme_alloc_admin_tag_set);
void nvme_remove_admin_tag_set(struct nvme_ctrl *ctrl)
{
blk_mq_destroy_queue(ctrl->admin_q);
- if (ctrl->ops->flags & NVME_F_FABRICS)
+ blk_put_queue(ctrl->admin_q);
+ if (ctrl->ops->flags & NVME_F_FABRICS) {
blk_mq_destroy_queue(ctrl->fabrics_q);
+ blk_put_queue(ctrl->fabrics_q);
+ }
blk_mq_free_tag_set(ctrl->admin_tagset);
}
EXPORT_SYMBOL_GPL(nvme_remove_admin_tag_set);
@@ -5099,8 +5103,10 @@ EXPORT_SYMBOL_GPL(nvme_alloc_io_tag_set);
void nvme_remove_io_tag_set(struct nvme_ctrl *ctrl)
{
- if (ctrl->ops->flags & NVME_F_FABRICS)
+ if (ctrl->ops->flags & NVME_F_FABRICS) {
blk_mq_destroy_queue(ctrl->connect_q);
+ blk_put_queue(ctrl->connect_q);
+ }
blk_mq_free_tag_set(ctrl->tagset);
}
EXPORT_SYMBOL_GPL(nvme_remove_io_tag_set);
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 518f8c5012bdf..727585f580362 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1782,6 +1782,7 @@ static void nvme_dev_remove_admin(struct nvme_dev *dev)
*/
nvme_start_admin_queue(&dev->ctrl);
blk_mq_destroy_queue(dev->ctrl.admin_q);
+ blk_put_queue(dev->ctrl.admin_q);
blk_mq_free_tag_set(&dev->admin_tagset);
}
}
diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
index 456b92c3a7811..af81b2ba0c9b3 100644
--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@ -1486,6 +1486,7 @@ void __scsi_remove_device(struct scsi_device *sdev)
mutex_unlock(&sdev->state_mutex);
blk_mq_destroy_queue(sdev->request_queue);
+ blk_put_queue(sdev->request_queue);
kref_put(&sdev->host->tagset_refcnt, scsi_mq_free_tags);
cancel_work_sync(&sdev->requeue_work);
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index f72ba0b206437..a39ffc62d88a1 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -9651,6 +9651,7 @@ void ufshcd_remove(struct ufs_hba *hba)
ufshpb_remove(hba);
ufs_sysfs_remove_nodes(hba->dev);
blk_mq_destroy_queue(hba->tmf_queue);
+ blk_put_queue(hba->tmf_queue);
blk_mq_free_tag_set(&hba->tmf_tag_set);
scsi_remove_host(hba->host);
/* disable interrupts */
@@ -9953,6 +9954,7 @@ int ufshcd_init(struct ufs_hba *hba, void __iomem *mmio_base, unsigned int irq)
free_tmf_queue:
blk_mq_destroy_queue(hba->tmf_queue);
+ blk_put_queue(hba->tmf_queue);
free_tmf_tag_set:
blk_mq_free_tag_set(&hba->tmf_tag_set);
out_remove_scsi_host:
--
2.50.1
Amazon Web Services Development Center Germany GmbH
Tamara-Danz-Str. 13
10243 Berlin
Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger
Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B
Sitz: Berlin
Ust-ID: DE 365 538 597
^ permalink raw reply related
* [PATCH 6.1.y 1/8] Revert "nvme: fix admin request_queue lifetime"
From: Heyne, Maximilian @ 2026-04-01 13:36 UTC (permalink / raw)
To: stable@vger.kernel.org
Cc: Heyne, Maximilian, Jens Axboe, Hector Martin, Sven Peter,
Alyssa Rosenzweig, Keith Busch, Christoph Hellwig, Sagi Grimberg,
James E.J. Bottomley, Martin K. Petersen, Alim Akhtar,
Avri Altman, Bart Van Assche, Sasha Levin, Peter Wang,
Greg Kroah-Hartman, Wonkon Kim, Seunghwan Baek, Adrian Hunter,
Bean Huo, Brian Kao, Seunghui Lee, Sanjeev Yadav, Hannes Reinecke,
Ming Lei, Chaitanya Kulkarni, linux-block@vger.kernel.org,
linux-kernel@vger.kernel.org, asahi@lists.linux.dev,
linux-arm-kernel@lists.infradead.org,
linux-nvme@lists.infradead.org, linux-scsi@vger.kernel.org
In-Reply-To: <20260401-defer-gleam-5226cb65@mheyne-amazon>
This reverts commit ff037b5f47eeccc1636c03f84cd47db094eb73c9.
The backport of upstream commit 03b3bcd319b3 ("nvme: fix admin
request_queue lifetime") to 6.1 is broken in 2 ways. First of all it
doesn't actually fix the issue because blk_put_queue will still be
called as part of blk_mq_destroy_queue in nvme_remove_admin_tag_set
leading to the UAF.
Second, the backport leads to a refcount underflow when unbinding a pci
nvme device:
refcount_t: underflow; use-after-free.
WARNING: CPU: 2 PID: 1486 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x110
Modules linked in: bochs drm_vram_helper simpledrm skx_edac_common drm_shmem_helper drm_kms_helper kvm_intel cfbfillrect syscopyarea cfbimgblt sysfillrect sysimgblt fb_sys_fops cfbcopyarea drm_ttm_helper fb ttm kvm fbdev drm mousedev nls_ascii psmouse irqbypass nls_cp437 atkbd crc32_pclmul crc32c_intel libps2 vfat fat sunrpc virtio_net ata_piix vivaldi_fmap drm_panel_orientation_quirks libata backlight i2c_piix4 net_failover i8042 ghash_clmulni_intel failover serio i2c_core button sch_fq_codel
CPU: 2 PID: 1486 Comm: bash Not tainted 6.1.167 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS edk2-20240813-306.amzn2 08/13/2024
RIP: 0010:refcount_warn_saturate+0xba/0x110
Code: 01 01 e8 89 79 ad ff 0f 0b e9 82 f4 7e 00 80 3d 73 03 cc 01 00 75 85 48 c7 c7 e0 5d 3b 8e c6 05 63 03 cc 01 01 e8 66 79 ad ff <0f> 0b c3 cc cc cc cc 80 3d 4e 03 cc 01 00 0f 85 5e ff ff ff 48 c7
RSP: 0018:ffffd0cc011bfd18 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff8ada07b33210 RCX: 0000000000000027
RDX: ffff8adb37d1f728 RSI: 0000000000000001 RDI: ffff8adb37d1f720
RBP: ffff8ada07b33000 R08: 0000000000000000 R09: 00000000fffeffff
R10: ffffd0cc011bfba8 R11: ffffffff8f1781a8 R12: ffffd0cc011bfd38
R13: ffff8ada03080800 R14: ffff8ada07b33210 R15: ffff8ada07b33b10
FS: 00007f50f6964740(0000) GS:ffff8adb37d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055cdb54e6ae0 CR3: 000000010224e001 CR4: 0000000000770ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
nvme_pci_free_ctrl+0x45/0x80
nvme_free_ctrl+0x1aa/0x2b0
device_release+0x34/0x90
kobject_cleanup+0x3a/0x130
pci_device_remove+0x3e/0xb0
device_release_driver_internal+0x1aa/0x230
unbind_store+0x11f/0x130
kernfs_fop_write_iter+0x13a/0x1d0
vfs_write+0x2a6/0x3b0
ksys_write+0x5f/0xe0
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
RIP: 0033:0x7f50f66ff897
Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
RSP: 002b:00007fffaef903d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f50f67fd780 RCX: 00007f50f66ff897
RDX: 000000000000000d RSI: 0000557f72ef6b90 RDI: 0000000000000001
RBP: 000000000000000d R08: 0000000000000000 R09: 00007f50f67b2d20
R10: 00007f50f67b2c20 R11: 0000000000000246 R12: 000000000000000d
R13: 0000557f72ef6b90 R14: 000000000000000d R15: 00007f50f67f89c0
</TASK>
The reason for this is that nvme_free_ctrl calls ->free_ctrl which
resolves to nvme_pci_free_ctrl in aforementioned case which also has a
blk_put_queue, so the admin queue is put twice. This is because on 6.1
we're missing the commit 96ef1be53663 ("nvme-pci: put the admin queue in
nvme_dev_remove_admin").
Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
---
drivers/nvme/host/core.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 9df33b293ee3e..938af571dc13e 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -5180,8 +5180,6 @@ static void nvme_free_ctrl(struct device *dev)
container_of(dev, struct nvme_ctrl, ctrl_device);
struct nvme_subsystem *subsys = ctrl->subsys;
- if (ctrl->admin_q)
- blk_put_queue(ctrl->admin_q);
if (!subsys || ctrl->instance != subsys->instance)
ida_free(&nvme_instance_ida, ctrl->instance);
--
2.50.1
Amazon Web Services Development Center Germany GmbH
Tamara-Danz-Str. 13
10243 Berlin
Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger
Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B
Sitz: Berlin
Ust-ID: DE 365 538 597
^ permalink raw reply related
* Re: [PATCH v5 11/38] KVM: arm64: Split teardown hypercall into two phases
From: Mark Brown @ 2026-04-01 13:35 UTC (permalink / raw)
To: Will Deacon
Cc: kvmarm, linux-arm-kernel, Marc Zyngier, Oliver Upton, Joey Gouly,
Suzuki K Poulose, Zenghui Yu, Catalin Marinas, Quentin Perret,
Fuad Tabba, Vincent Donnefort, Mostafa Saleh, Alexandru Elisei,
Aishwarya.TCV
In-Reply-To: <acwfcFytYX7eHAUZ@willie-the-truck>
[-- Attachment #1: Type: text/plain, Size: 681 bytes --]
On Tue, Mar 31, 2026 at 08:24:32PM +0100, Will Deacon wrote:
> On Tue, Mar 31, 2026 at 08:15:40PM +0100, Mark Brown wrote:
> > We've started seeing WARN_ON()s generated in -next on N1DSP when running
> > kvm-unit-tests under pKVM:
> > 1821 23:03:59.721620 <4>[ 17.558270] ------------[ cut here ]------------
> > 1822 23:03:59.725053 <4>[ 17.558274] WARNING: arch/arm64/kvm/pkvm.c:373 at __pkvm_pgtable_stage2_unshare+0xbc/0xfc, CPU#3: qemu-system-aar/390
> Aha! That's probably the thing I tried to fix today. Please can you try
> these patches on top?
> https://lore.kernel.org/r/20260331155056.28220-1-will@kernel.org
Yes, those seem to stop the warnings showing up.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply
* Re: [PATCH 0/3] KVM: arm64: Fix teardown of non-protected VMs with pKVM
From: Mark Brown @ 2026-04-01 13:33 UTC (permalink / raw)
To: Will Deacon
Cc: kvmarm, linux-arm-kernel, Marc Zyngier, Oliver Upton, Joey Gouly,
Suzuki K Poulose, Zenghui Yu, Catalin Marinas, Quentin Perret,
Fuad Tabba, Vincent Donnefort, Mostafa Saleh, Alexandru Elisei
In-Reply-To: <20260331155056.28220-1-will@kernel.org>
[-- Attachment #1: Type: text/plain, Size: 867 bytes --]
On Tue, Mar 31, 2026 at 04:50:52PM +0100, Will Deacon wrote:
> This time, it spotted that my fix (introduced in v5 [1] of the pKVM
> series) to prevent taking a reference on a VM in the 'is_dying' state
> also prevents unsharing of pages shared with a non-protected VM if that
> VM is torn down by its VM fd being destroyed, rather than the usual path
> via the MMU notifiers.
> Rather than send a v6 of the whole series, here are three patches that
> apply on top of v5 and fix the issue by (a) preventing teardown of a
> referenced VM and (b) allowing some references to be taken on a dying
> VM. As an added bonus, this simplifies the locking on the reclaim path
> because now a VM reference is enough to stop the page-tables from going
> away.
This series fixes the warnings I reported with pKVM on N1DSP yesterday:
Tested-by: Mark Brown <broonie@kernel.org>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox