Linux-ARM-Kernel Archive on lore.kernel.org
* [PATCH v5 0/5] Add support for AAEON SRG-IMX8P MCU
From: Thomas Perrot (Schneider Electric) @ 2026-04-08 17:21 UTC
  To: Rob Herring, Krzysztof Kozlowski, Conor Dooley, Linus Walleij,
	Bartosz Golaszewski, Shawn Guo, Sascha Hauer,
	Pengutronix Kernel Team, Fabio Estevam,
	Jérémie Dautheribes, Wim Van Sebroeck, Guenter Roeck,
	Lee Jones
  Cc: devicetree, linux-kernel, linux-gpio, imx, linux-arm-kernel,
	linux-watchdog, Thomas Petazzoni, Miquel Raynal,
	Thomas Perrot (Schneider Electric), Krzysztof Kozlowski,
	Conor Dooley, Bartosz Golaszewski

This patch series introduces support for the AAEON SRG-IMX8P embedded
controller (MCU). The MCU is connected via I2C and provides GPIO and
watchdog functionality for the SRG-IMX8P board.

The series includes:
- Device tree binding for the MFD driver
- MFD driver that serves as the core driver for the MCU
- GPIO driver implementing the GPIO functionality
- Watchdog driver for system monitoring
- MAINTAINERS entry for the new drivers

The drivers follow the standard Linux kernel subsystem patterns, with
the MFD driver registering the sub-devices (GPIO and watchdog) which
are then handled by their respective subsystem drivers.

Signed-off-by: Thomas Perrot (Schneider Electric) <thomas.perrot@bootlin.com>
---
Changes in v5:
- mfd: use heap-allocated DMA-safe buffers for I2C transfers, replacing
  stack-allocated buffers in the regmap bus callbacks
- mfd: switch from REGCACHE_NONE to REGCACHE_MAPLE; add volatile_reg
  callback marking GPIO input read registers (opcode 0x72) as volatile;
  add max_register
- mfd: use PLATFORM_DEVID_AUTO instead of PLATFORM_DEVID_NONE
- mfd: use MFD_CELL_BASIC() macro for cell definitions
- mfd: use dev_err_probe() for regmap initialization error
- Link to v4: https://lore.kernel.org/r/20260324-dev-b4-aaeon-mcu-driver-v4-0-afb011df4794@bootlin.com

Changes in v4:
- mfd: switch to a custom regmap bus; remove aaeon_mcu_i2c_xfer() and the aaeon_mcu_dev struct
- mfd: locking delegated to regmap's built-in mutex; drop explicit mutex
- mfd: remove firmware version reading at probe time
- gpio, watchdog: use regmap_read()/regmap_write() via dev_get_regmap()
- include: replace aaeon_mcu_i2c_xfer() declaration with AAEON_MCU_REG() macro
- dt-bindings: remove unused label from example node
- Link to v3: https://lore.kernel.org/r/20260203-dev-b4-aaeon-mcu-driver-v3-0-0a19432076ac@bootlin.com

Changes in v3:
- Renamed SRG-IMX8PL to SRG-IMX8P
- dt-bindings: add gpio-controller properties as required
- mfd: move struct aaeon_mcu_dev from header to .c file (private)
- mfd: use guard(mutex) and devm_mutex_init() for cleanup
- mfd: firmware version log changed to dev_dbg()
- mfd: add select MFD_CORE to Kconfig
- Kconfig: add || COMPILE_TEST to all three drivers
- watchdog: add comments explaining hardware timeout and WDOG_HW_RUNNING
- watchdog: remove unused platform_set_drvdata()
- watchdog: add a function to query the status
- Link to v2: https://lore.kernel.org/r/20260123-dev-b4-aaeon-mcu-driver-v2-0-9f4c00bfb5cb@bootlin.com

Changes in v2:
- Fold GPIO and watchdog bindings into MFD binding
- Drop OF_GPIO dependency in GPIO Kconfig
- Use __set_bit/__clear_bit/__assign_bit instead of atomic variants
- Various driver cleanups and improvements
- Link to v1: https://lore.kernel.org/r/20251212-dev-b4-aaeon-mcu-driver-v1-0-6bd65bc8ef12@bootlin.com

---
Thomas Perrot (Schneider Electric) (5):
      dt-bindings: vendor-prefixes: Add AAEON vendor prefix
      dt-bindings: mfd: Add AAEON embedded controller
      mfd: aaeon: Add SRG-IMX8P MCU driver
      gpio: aaeon: Add GPIO driver for SRG-IMX8P MCU
      watchdog: aaeon: Add watchdog driver for SRG-IMX8P MCU

 .../bindings/mfd/aaeon,srg-imx8p-mcu.yaml          |  67 ++++++
 .../devicetree/bindings/vendor-prefixes.yaml       |   2 +
 MAINTAINERS                                        |  10 +
 drivers/gpio/Kconfig                               |   9 +
 drivers/gpio/Makefile                              |   1 +
 drivers/gpio/gpio-aaeon-mcu.c                      | 229 +++++++++++++++++++++
 drivers/mfd/Kconfig                                |  10 +
 drivers/mfd/Makefile                               |   1 +
 drivers/mfd/aaeon-mcu.c                            | 204 ++++++++++++++++++
 drivers/watchdog/Kconfig                           |  10 +
 drivers/watchdog/Makefile                          |   1 +
 drivers/watchdog/aaeon_mcu_wdt.c                   | 132 ++++++++++++
 include/linux/mfd/aaeon-mcu.h                      |  40 ++++
 13 files changed, 716 insertions(+)
---
base-commit: d358e5254674b70f34c847715ca509e46eb81e6f
change-id: 20251211-dev-b4-aaeon-mcu-driver-e0e89ebf4afb

Best regards,
-- 
Thomas Perrot (Schneider Electric) <thomas.perrot@bootlin.com>



* [PATCH v5 1/5] dt-bindings: vendor-prefixes: Add AAEON vendor prefix
From: Thomas Perrot (Schneider Electric) @ 2026-04-08 17:21 UTC
  To: Rob Herring, Krzysztof Kozlowski, Conor Dooley, Linus Walleij,
	Bartosz Golaszewski, Shawn Guo, Sascha Hauer,
	Pengutronix Kernel Team, Fabio Estevam,
	Jérémie Dautheribes, Wim Van Sebroeck, Guenter Roeck,
	Lee Jones
  Cc: devicetree, linux-kernel, linux-gpio, imx, linux-arm-kernel,
	linux-watchdog, Thomas Petazzoni, Miquel Raynal,
	Thomas Perrot (Schneider Electric), Krzysztof Kozlowski
In-Reply-To: <20260408-dev-b4-aaeon-mcu-driver-v5-0-ad98bd481668@bootlin.com>

Add the AAEON vendor prefix to support the AAEON SRG-IMX8P MCU driver
devicetree bindings.

Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Signed-off-by: Thomas Perrot (Schneider Electric) <thomas.perrot@bootlin.com>
---
 Documentation/devicetree/bindings/vendor-prefixes.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Documentation/devicetree/bindings/vendor-prefixes.yaml b/Documentation/devicetree/bindings/vendor-prefixes.yaml
index c7591b2aec2a..0f84ee93b3a8 100644
--- a/Documentation/devicetree/bindings/vendor-prefixes.yaml
+++ b/Documentation/devicetree/bindings/vendor-prefixes.yaml
@@ -32,6 +32,8 @@ patternProperties:
     description: 8devices, UAB
   "^9tripod,.*":
     description: Shenzhen 9Tripod Innovation and Development CO., LTD.
+  "^aaeon,.*":
+    description: AAEON
   "^abb,.*":
     description: ABB
   "^abilis,.*":

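Review bot: The description on the added "^aaeon,.*" entry only repeats
the prefix as "AAEON", while the neighbouring context entries spell out
the company name ("8devices, UAB", "Shenzhen 9Tripod Innovation and
Development CO., LTD."); consider giving the vendor's full registered
name there. The placement between "^9tripod" and "^abb" keeps the list
sorted.
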
-- 
2.53.0



* Re: [PATCH v2 1/4] dt-bindings: input: adc-keys: allow linux,input-type property
From: Nicolas Frattaroli @ 2026-04-08 17:11 UTC
  To: Rob Herring, Dmitry Torokhov
  Cc: Krzysztof Kozlowski, Krzysztof Kozlowski, Conor Dooley,
	Alexandre Belloni, Heiko Stuebner, kernel, linux-input,
	devicetree, linux-kernel, linux-arm-kernel, linux-rockchip
In-Reply-To: <adaJOEZHHmvZM_cB@google.com>

On Wednesday, 8 April 2026 18:59:08 Central European Summer Time Dmitry Torokhov wrote:
> On Wed, Dec 17, 2025 at 07:34:40AM -0600, Rob Herring wrote:
> > On Wed, Dec 17, 2025 at 01:57:46PM +0100, Nicolas Frattaroli wrote:
> > > On Wednesday, 17 December 2025 09:31:15 Central European Standard Time Krzysztof Kozlowski wrote:
> > > > On Mon, Dec 15, 2025 at 01:29:29PM +0100, Nicolas Frattaroli wrote:
> > > > > adc-keys, unlike gpio-keys, does not allow linux,input-type as a valid
> > > > > property. This makes it impossible to model devices that have ADC inputs
> > > > > that should generate switch events.
> > > > 
> > > > The solution is to use unevaluatedProps instead, which also allows
> > > > dropping other properties.
> > > > 
> > > > Best regards,
> > > > Krzysztof
> > > > 
> > > > 
> > > 
> > > Hi Krzysztof,
> > > 
> > > to understand the motivation behind this suggestion correctly:
> > > are the "linux," vendor prefixed properties, especially with regards
> > > to key codes, generally a bit of a thorn in the side of DT bindings
> > > maintainers?
> > 
> > Not really. Most have existed for decades. New ones get extra scrutiny 
> > and often end up dropping the linux prefix.
> > 
> > > I'd imagine so since they technically tie the DT to a specific OS
> > > kernel (though of course, others are free to translate those key
> > > codes). And the whole idea of configuring which code is emitted
> > > from something is basically abusing DT for configuring software
> > > rather than describing hardware.
> > > 
> > > I'm mainly interested because this is a thought that has been in
> > > the back of my mind for a while now, and I'm curious if the DT
> > > binding maintainers happen to have arrived at the same impasse,
> > > where linux,input-type et al abuse the DT model for something we
> > > would tell any other vendor not to abuse it for, but no better
> > > solution exists right now to achieve the same thing.
> > 
> > Not sure what the BSDs do here. It's never come up that I remember. Best 
> > I can tell is they just make it a userspace problem. So every possible 
> > keyboard needs a keymap file. Though I'm not sure how that would work 
> > with GPIO keys as you don't really have a scan code.
> 
> Is there an update for this binding or should I apply the current
> version? I am OK with the driver changes...
> 
> Thanks.
> 
> 

I will send a new version that doesn't add the property but allows
unevaluatedProps instead. Thanks for reminding me.

Kind regards,
Nicolas Frattaroli




* Re: [PATCH v2 1/4] dt-bindings: input: adc-keys: allow linux,input-type property
From: Dmitry Torokhov @ 2026-04-08 16:59 UTC
  To: Rob Herring
  Cc: Nicolas Frattaroli, Krzysztof Kozlowski, Krzysztof Kozlowski,
	Conor Dooley, Alexandre Belloni, Heiko Stuebner, kernel,
	linux-input, devicetree, linux-kernel, linux-arm-kernel,
	linux-rockchip
In-Reply-To: <20251217133440.GA724723-robh@kernel.org>

On Wed, Dec 17, 2025 at 07:34:40AM -0600, Rob Herring wrote:
> On Wed, Dec 17, 2025 at 01:57:46PM +0100, Nicolas Frattaroli wrote:
> > On Wednesday, 17 December 2025 09:31:15 Central European Standard Time Krzysztof Kozlowski wrote:
> > > On Mon, Dec 15, 2025 at 01:29:29PM +0100, Nicolas Frattaroli wrote:
> > > > adc-keys, unlike gpio-keys, does not allow linux,input-type as a valid
> > > > property. This makes it impossible to model devices that have ADC inputs
> > > > that should generate switch events.
> > > 
> > > The solution is to use unevaluatedProps instead, which also allows
> > > dropping other properties.
> > > 
> > > Best regards,
> > > Krzysztof
> > > 
> > > 
> > 
> > Hi Krzysztof,
> > 
> > to understand the motivation behind this suggestion correctly:
> > are the "linux," vendor prefixed properties, especially with regards
> > to key codes, generally a bit of a thorn in the side of DT bindings
> > maintainers?
> 
> Not really. Most have existed for decades. New ones get extra scrutiny 
> and often end up dropping the linux prefix.
> 
> > I'd imagine so since they technically tie the DT to a specific OS
> > kernel (though of course, others are free to translate those key
> > codes). And the whole idea of configuring which code is emitted
> > from something is basically abusing DT for configuring software
> > rather than describing hardware.
> > 
> > I'm mainly interested because this is a thought that has been in
> > the back of my mind for a while now, and I'm curious if the DT
> > binding maintainers happen to have arrived at the same impasse,
> > where linux,input-type et al abuse the DT model for something we
> > would tell any other vendor not to abuse it for, but no better
> > solution exists right now to achieve the same thing.
> 
> Not sure what the BSDs do here. It's never come up that I remember. Best 
> I can tell is they just make it a userspace problem. So every possible 
> keyboard needs a keymap file. Though I'm not sure how that would work 
> with GPIO keys as you don't really have a scan code.

Is there an update for this binding or should I apply the current
version? I am OK with the driver changes...

Thanks.

-- 
Dmitry


* Re: [PATCH 2/3] nvmem: Add the Raspberry Pi OTP driver
From: Stefan Wahren @ 2026-04-08 16:52 UTC
  To: Gregor Herburger, Rob Herring, Krzysztof Kozlowski, Conor Dooley,
	Florian Fainelli, Ray Jui, Scott Branden,
	Broadcom internal kernel review list, Srinivas Kandagatla
  Cc: devicetree, linux-rpi-kernel, linux-arm-kernel, linux-kernel
In-Reply-To: <20260408-rpi-otp-driver-v1-2-e02d1dbe6008@linutronix.de>

Hi Gregor,

[drop Emma's old address]

On 08.04.26 at 10:00, Gregor Herburger wrote:
> Raspberry Pis have OTP registers which can be accessed through the
> videocore firmware. Add a nvmem driver to support these OTP registers.
>
> Signed-off-by: Gregor Herburger <gregor.herburger@linutronix.de>
> ---
>   drivers/nvmem/Kconfig                      |  12 +++
>   drivers/nvmem/Makefile                     |   1 +
>   drivers/nvmem/raspberrypi-otp.c            | 159 +++++++++++++++++++++++++++++
>   include/soc/bcm2835/raspberrypi-firmware.h |   2 +
>   4 files changed, 174 insertions(+)
>
> diff --git a/drivers/nvmem/Kconfig b/drivers/nvmem/Kconfig
> index 74ddbd0f79b0..892d05fe67be 100644
> --- a/drivers/nvmem/Kconfig
> +++ b/drivers/nvmem/Kconfig
> @@ -483,4 +483,16 @@ config NVMEM_QORIQ_EFUSE
>   	  This driver can also be built as a module. If so, the module
>   	  will be called nvmem_qoriq_efuse.
>   
> +config NVMEM_RASPBERRYPI_OTP
> +	tristate "Raspberry Pi OTP support"
> +	# Make sure not 'y' when RASPBERRYPI_FIRMWARE is 'm'. This can only
> +	# happen when COMPILE_TEST=y, hence the added !RASPBERRYPI_FIRMWARE.
I don't think these comments are necessary, because this applies to 
other firmware drivers, too.
> +	depends on RASPBERRYPI_FIRMWARE || (COMPILE_TEST && !RASPBERRYPI_FIRMWARE)
> +	help
> +	  This driver provides access to the Raspberry Pi OTP memory via the
> +	  nvmem subsystem. The driver supports the customer otp as well as the
> +	  device specific private key OTP.
> +
> +	  This driver can also be built as a module. If so, the module
> +	  will be called raspberrypi-otp.
>   endif
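Review bot: The help text of NVMEM_RASPBERRYPI_OTP says the driver
exposes the "device specific private key OTP" but does not tell whoever
enables it which users will be able to read or write that region; a
sentence on the intended access restrictions belongs there. Also,
"customer otp" should be written "customer OTP" to match the rest of
the entry.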
> diff --git a/drivers/nvmem/Makefile b/drivers/nvmem/Makefile
> index 7252b8ec88d4..8ca2095e068f 100644
> --- a/drivers/nvmem/Makefile
> +++ b/drivers/nvmem/Makefile
> @@ -95,3 +95,4 @@ obj-$(CONFIG_NVMEM_ZYNQMP)		+= nvmem_zynqmp_nvmem.o
>   nvmem_zynqmp_nvmem-y			:= zynqmp_nvmem.o
>   obj-$(CONFIG_NVMEM_QORIQ_EFUSE)		+= nvmem-qoriq-efuse.o
>   nvmem-qoriq-efuse-y			:= qoriq-efuse.o
> +obj-$(CONFIG_NVMEM_RASPBERRYPI_OTP)	+= raspberrypi-otp.o
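Review bot: The added line builds raspberrypi-otp.o directly, whereas
the context lines above it follow the file's pattern of an
nvmem-prefixed module object plus a "-y :=" line (nvmem-qoriq-efuse.o
with nvmem-qoriq-efuse-y := qoriq-efuse.o). Following that pattern
would give nvmem-raspberrypi-otp.o, and the module name stated in the
Kconfig help would then need to match.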
> diff --git a/drivers/nvmem/raspberrypi-otp.c b/drivers/nvmem/raspberrypi-otp.c
> new file mode 100644
> index 000000000000..13ee3784b137
> --- /dev/null
> +++ b/drivers/nvmem/raspberrypi-otp.c
> @@ -0,0 +1,159 @@
> +// SPDX-License-Identifier: GPL-2.0-only
> +
> +#include <linux/module.h>
> +#include <linux/nvmem-provider.h>
> +#include <linux/of.h>
> +#include <linux/platform_device.h>
> +#include <soc/bcm2835/raspberrypi-firmware.h>
> +
> +struct rpi_otp_priv {
> +	struct rpi_firmware *fw;
> +	struct device *dev;
> +	u32 read_tag;
> +	u32 write_tag;
> +};
> +
> +struct rpi_otp_driver_data {
> +	const char *name;
> +	u32 read_tag;
> +	u32 write_tag;
> +};
> +
> +struct rpi_otp_header {
> +	u32 start;
> +	u32 count;
> +	u32 data[];
> +};
> +
> +static int rpi_otp_read(void *context, unsigned int offset, void *buf, size_t bytes)
> +{
> +	struct rpi_otp_priv *priv = context;
> +	struct rpi_otp_header *fwbuf;
> +	int ret;
> +
> +	fwbuf = kmalloc(sizeof(struct rpi_otp_header) + bytes, GFP_KERNEL);
> +	if (!fwbuf)
> +		return -ENOMEM;
> +
> +	fwbuf->start = offset / 4;
> +	fwbuf->count = bytes / 4;
> +
> +	ret = rpi_firmware_property(priv->fw, priv->read_tag, fwbuf,
> +				    sizeof(struct rpi_otp_header) + bytes);
> +	if (ret)
> +		goto out;
> +
> +	memcpy(buf, fwbuf->data, bytes);
> +
> +out:
> +	kfree(fwbuf);
> +	return ret;
> +}
> +
> +static int rpi_otp_write(void *context, unsigned int offset, void *val, size_t bytes)
> +{
> +	struct rpi_otp_priv *priv = context;
> +	struct rpi_otp_header *fwbuf;
> +	int ret;
> +
> +	fwbuf = kmalloc(sizeof(struct rpi_otp_header) + bytes, GFP_KERNEL);
> +	if (!fwbuf)
> +		return -ENOMEM;
> +
> +	fwbuf->start = offset / 4;
> +	fwbuf->count = bytes / 4;
> +	memcpy(fwbuf->data, val, bytes);
> +
> +	ret = rpi_firmware_property(priv->fw, priv->write_tag, fwbuf,
> +				    sizeof(struct rpi_otp_header) + bytes);
> +
> +	kfree(fwbuf);
> +	return ret;
> +}
> +
> +static const struct rpi_otp_driver_data rpi_otp_customer = {
> +	.name = "rpi-otp-customer",
> +	.read_tag = RPI_FIRMWARE_GET_CUSTOMER_OTP,
> +	.write_tag = RPI_FIRMWARE_SET_CUSTOMER_OTP,
> +};
> +
> +static const struct rpi_otp_driver_data rpi_otp_private = {
> +	.name = "rpi-otp-private",
> +	.read_tag = RPI_FIRMWARE_GET_PRIVATE_OTP,
> +	.write_tag = RPI_FIRMWARE_SET_PRIVATE_OTP,
> +};
> +
> +static int rpi_otp_probe(struct platform_device *pdev)
> +{
> +	struct device *dev = &pdev->dev;
> +	struct nvmem_device *nvmem;
> +	struct rpi_otp_priv *priv;
> +	struct device_node *np;
> +	const struct rpi_otp_driver_data *data;
> +	struct nvmem_config config = {
> +		.read_only = false,
> +		.word_size = 4,
> +		.stride = 4,
> +		.reg_read = rpi_otp_read,
> +		.reg_write = rpi_otp_write,
> +		.size = 32,
> +	};
> +
> +	priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL);
> +	if (!priv)
> +		return -ENOMEM;
> +
> +	data = device_get_match_data(dev);
> +	if (!data)
> +		return -ENODEV;
> +
> +	np = of_get_parent(dev->of_node);
> +	if (!np) {
> +		dev_err(dev, "Missing firmware node\n");
> +		return -ENOENT;
> +	}
> +
> +	priv->fw = devm_rpi_firmware_get(&pdev->dev, np);
> +	of_node_put(np);
> +	if (!priv->fw)
> +		return -EPROBE_DEFER;
> +
> +	priv->dev = dev;
> +	priv->read_tag = data->read_tag;
> +	priv->write_tag = data->write_tag;
> +	config.dev = dev;
> +	config.priv = priv;
> +	config.name = data->name;
> +
> +	nvmem = devm_nvmem_register(dev, &config);
> +	if (IS_ERR(nvmem))
> +		return dev_err_probe(dev, PTR_ERR(nvmem), "error registering nvmem config\n");
> +
> +	return 0;
> +}
Is there any reason why we cannot register this driver in
rpi_firmware_probe() like the hwmon and clk drivers?

I like to avoid the complete dt-binding from patch 1.
> +
> +static const struct of_device_id rpi_otp_of_match[] = {
> +	{
> +		.compatible = "raspberrypi,firmware-otp-customer",
> +		.data = &rpi_otp_customer
> +	},
> +	{
> +		.compatible = "raspberrypi,firmware-otp-private",
> +		.data = &rpi_otp_private,
> +	},
> +	{ /* sentinel */ }
> +};
> +MODULE_DEVICE_TABLE(of, rpi_otp_of_match);
> +
> +static struct platform_driver raspberry_otp_driver = {
> +	.probe	= rpi_otp_probe,
> +	.driver = {
> +		.name	= "rpi-otp",
> +		.of_match_table = rpi_otp_of_match,
> +	},
> +};
> +module_platform_driver(raspberry_otp_driver);
> +
> +MODULE_AUTHOR("Gregor Herburger <gregor.herburger@linutronix.de>");
> +MODULE_DESCRIPTION("Raspberry OTP driver");
Raspberry Pi OTP driver ?

Regards
> +MODULE_LICENSE("GPL");
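Review bot: In rpi_otp_probe() one nvmem_config serves both match
entries with .read_only = false and no .root_only, so the
"rpi-otp-private" region gets the same sysfs access as the customer
region, and the nvmem core makes a device without root_only readable by
every user. Carrying a root_only flag in struct rpi_otp_driver_data and
setting config.root_only for rpi_otp_private would restrict the private
key OTP to root; it is also worth deciding whether one-time-programmable
memory should be writable by default. Smaller points in the same hunk:
the allocations in rpi_otp_read() and rpi_otp_write() could use
struct_size(fwbuf, data, bytes / 4), kmalloc()/kfree() are used without
including <linux/slab.h>, and priv->dev is assigned but not used
anywhere in the file.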
> diff --git a/include/soc/bcm2835/raspberrypi-firmware.h b/include/soc/bcm2835/raspberrypi-firmware.h
> index e1f87fbfe554..6e94ccf34f47 100644
> --- a/include/soc/bcm2835/raspberrypi-firmware.h
> +++ b/include/soc/bcm2835/raspberrypi-firmware.h
> @@ -92,6 +92,8 @@ enum rpi_firmware_property_tag {
>   	RPI_FIRMWARE_SET_POE_HAT_VAL =                        0x00030050,
>   	RPI_FIRMWARE_NOTIFY_XHCI_RESET =                      0x00030058,
>   	RPI_FIRMWARE_NOTIFY_DISPLAY_DONE =                    0x00030066,
> +	RPI_FIRMWARE_GET_PRIVATE_OTP =                        0x00030081,
> +	RPI_FIRMWARE_SET_PRIVATE_OTP =                        0x00038081,
>   
>   	/* Dispmanx TAGS */
>   	RPI_FIRMWARE_FRAMEBUFFER_ALLOCATE =                   0x00040001,
>



* Re: BUG: net-next (7.0-rc6 based and later) fails to boot on Jetson Xavier NX
From: Robin Murphy @ 2026-04-08 16:40 UTC
  To: Russell King (Oracle), netdev, linux-arm-kernel, linux-kernel,
	iommu, linux-ext4, Linus Torvalds, dmaengine
  Cc: Marek Szyprowski, Theodore Ts'o, Andreas Dilger, Vinod Koul,
	Frank Li
In-Reply-To: <adZ_ZmjcE8S22vR1@shell.armlinux.org.uk>

On 2026-04-08 5:16 pm, Russell King (Oracle) wrote:
> On Wed, Apr 08, 2026 at 05:08:34PM +0100, Russell King (Oracle) wrote:
>> The rebase is still progressing, but it's landed on:
>>
>> c7d812e33f3e dmaengine: xilinx: xilinx_dma: Fix unmasked residue subtraction

FWIW I don't see a Tegra having the Xilinx IP in it anyway - judging by 
the DT it has their own tegra-gpcdma engine...

There's a fair chance this could be 90c5def10bea ("iommu: Do not call 
drivers for empty gathers"), which JonH also reported causing boot 
issues on Tegras - in short, SMMU TLB maintenance may not be completed 
properly which could lead to recycled DMA addresses causing exactly this 
kind of random memory corruption. I CC'd you on a patch:

https://lore.kernel.org/linux-iommu/20260408162846.GE3357077@nvidia.com/T/#t

Thanks,
Robin.

>>
>> and while this boots to a login prompt, it spat out a BUG():
>>
>> BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591
>> in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 56, name: kworker/u24:3
>> preempt_count: 0, expected: 0
>> RCU nest depth: 0, expected: 0
>> 3 locks held by kworker/u24:3/56:
>>   #0: ffff000080042148 ((wq_completion)events_unbound#2){+.+.}-{0:0}, at: process_one_work+0x184/0x780
>>   #1: ffff80008299bdf8 (deferred_probe_work){+.+.}-{0:0}, at: process_one_work+0x1ac/0x780
>>   #2: ffff0000808b48f8 (&dev->mutex){....}-{4:4}, at: __device_attach+0x2c/0x188
>> irq event stamp: 10872
>> hardirqs last  enabled at (10871): [<ffff80008013a410>] ktime_get+0x130/0x180
>> hardirqs last disabled at (10872): [<ffff800080d61ac8>] _raw_spin_lock_irqsave+0x84/0x88
>> softirqs last  enabled at (9216): [<ffff80008002807c>] fpsimd_save_and_flush_current_state+0x3c/0x80
>> softirqs last disabled at (9214): [<ffff800080028098>] fpsimd_save_and_flush_current_state+0x58/0x80
>> CPU: 5 UID: 0 PID: 56 Comm: kworker/u24:3 Not tainted 7.0.0-rc1-bisect+ #654 PREEMPT
>> Hardware name: NVIDIA NVIDIA Jetson Xavier NX Developer Kit/Jetson, BIOS 6.0-37391689 08/28/2024
>> Workqueue: events_unbound deferred_probe_work_func
>> Call trace:
>>   show_stack+0x18/0x30 (C)
>>   dump_stack_lvl+0x6c/0x94
>>   dump_stack+0x18/0x24
>>   __might_resched+0x154/0x220
>>   __might_sleep+0x48/0x80
>>   __mutex_lock+0x48/0x800
>>   mutex_lock_nested+0x24/0x30
>>   pinmux_disable_setting+0x9c/0x180
>>   pinctrl_commit_state+0x5c/0x260
>>   pinctrl_pm_select_idle_state+0x4c/0xa0
>>   tegra_i2c_runtime_suspend+0x2c/0x3c
>>   pm_generic_runtime_suspend+0x2c/0x44
>>   __rpm_callback+0x48/0x1ec
>>   rpm_callback+0x74/0x80
>>   rpm_suspend+0xec/0x630
>>   rpm_idle+0x2c0/0x420
>>   __pm_runtime_idle+0x44/0x160
>>   tegra_i2c_probe+0x2e4/0x640
>>   platform_probe+0x5c/0xa4
>>   really_probe+0xbc/0x2c0
>>   __driver_probe_device+0x78/0x120
>>   driver_probe_device+0x3c/0x160
>>   __device_attach_driver+0xbc/0x160
>>   bus_for_each_drv+0x70/0xb8
>>   __device_attach+0xa4/0x188
>>   device_initial_probe+0x50/0x54
>>   bus_probe_device+0x38/0xa4
>>   deferred_probe_work_func+0x90/0xcc
>>   process_one_work+0x204/0x780
>>   worker_thread+0x1c8/0x36c
>>   kthread+0x138/0x144
>>   ret_from_fork+0x10/0x20
>>
>> This is reproducible.
> 
> I've just realised that it's the Tegra I2C bug that is already known
> about, but took ages to be fixed in mainline - it's unrelated to the
> memory corruption, so can be ignored. Sorry for the noise.
> 



* [PATCH] drm: uapi: Add macro for chipset specific event ID region
From: Bence Csokas @ 2026-04-08 16:36 UTC
  To: dri-devel, linux-kernel, linux-arm-kernel, linux-samsung-soc
  Cc: Bence Csokas, Daniel Kiss, Maarten Lankhorst, Maxime Ripard,
	Thomas Zimmermann, David Airlie, Simona Vetter, Inki Dae,
	Seung-Woo Kim, Kyungmin Park, Krzysztof Kozlowski, Alim Akhtar,
	Zack Rusin, Broadcom internal kernel review list

uapi/drm/drm.h states:

    Event types 0 - 0x7fffffff are generic DRM events, 0x80000000 and
    up are chipset specific.

However, this distinction was not put in the code. To elevate the contract
between the generic DRM framework and the driver from the comment to code,
put this in a macro for clarity and convenience.

Cc: Daniel Kiss <Daniel.Kiss@arm.com>
Signed-off-by: Bence Csokas <bence.csokas@arm.com>
---
 include/uapi/drm/drm.h         | 8 ++++++++
 include/uapi/drm/exynos_drm.h  | 4 ++--
 include/uapi/drm/virtgpu_drm.h | 2 +-
 include/uapi/drm/vmwgfx_drm.h  | 2 +-
 4 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/include/uapi/drm/drm.h b/include/uapi/drm/drm.h
index 27cc159c1d27..aa745e643ef4 100644
--- a/include/uapi/drm/drm.h
+++ b/include/uapi/drm/drm.h
@@ -1419,6 +1419,14 @@ struct drm_event {
  * The event payload is a struct drm_event_crtc_sequence.
  */
 #define DRM_EVENT_CRTC_SEQUENCE	0x03
+/**
+ * DRM_EVENT_VENDOR_SPECIFIC - vendor/chipset specific event
+ *
+ * These event IDs are reserved for chipset and driver specific events.
+ *
+ * Refer to the chipset driver's header for details and payload struct.
+ */
+#define DRM_EVENT_VENDOR_SPECIFIC(_v) ((_v) | 0x80000000)
 
 struct drm_event_vblank {
 	struct drm_event base;
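Review bot: The kernel-doc block for DRM_EVENT_VENDOR_SPECIFIC documents
a function-like macro but has no "@_v:" line, and nothing states that
_v must stay below 0x80000000, so the valid range of the argument is
left to the reader. Adding the parameter description with that range,
writing the constant as 0x80000000U so it is explicitly unsigned, and
leaving a blank line between "#define DRM_EVENT_CRTC_SEQUENCE 0x03" and
the new comment would make the contract the commit message talks about
explicit.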
diff --git a/include/uapi/drm/exynos_drm.h b/include/uapi/drm/exynos_drm.h
index a51aa1c618c1..8d3156fb129c 100644
--- a/include/uapi/drm/exynos_drm.h
+++ b/include/uapi/drm/exynos_drm.h
@@ -395,8 +395,8 @@ struct drm_exynos_ioctl_ipp_commit {
 		DRM_EXYNOS_IPP_COMMIT, struct drm_exynos_ioctl_ipp_commit)
 
 /* Exynos specific events */
-#define DRM_EXYNOS_G2D_EVENT		0x80000000
-#define DRM_EXYNOS_IPP_EVENT		0x80000002
+#define DRM_EXYNOS_G2D_EVENT		DRM_EVENT_VENDOR_SPECIFIC(0x0)
+#define DRM_EXYNOS_IPP_EVENT		DRM_EVENT_VENDOR_SPECIFIC(0x2)
 
 struct drm_exynos_g2d_event {
 	struct drm_event	base;
diff --git a/include/uapi/drm/virtgpu_drm.h b/include/uapi/drm/virtgpu_drm.h
index 9debb320c34b..03e8a0c7f778 100644
--- a/include/uapi/drm/virtgpu_drm.h
+++ b/include/uapi/drm/virtgpu_drm.h
@@ -224,7 +224,7 @@ struct drm_virtgpu_context_init {
  * effect.  The event size is sizeof(drm_event), since there is no additional
  * payload.
  */
-#define VIRTGPU_EVENT_FENCE_SIGNALED 0x90000000
+#define VIRTGPU_EVENT_FENCE_SIGNALED DRM_EVENT_VENDOR_SPECIFIC(0x10000000)
 
 #define DRM_IOCTL_VIRTGPU_MAP \
 	DRM_IOWR(DRM_COMMAND_BASE + DRM_VIRTGPU_MAP, struct drm_virtgpu_map)
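Review bot: DRM_EVENT_VENDOR_SPECIFIC(0x10000000) hides the value
0x90000000 that userspace matches on, and the argument reads like an
arbitrary offset rather than a small event index as in the exynos and
vmwgfx conversions (0x0, 0x2). If the macro is used here, state the
resulting value 0x90000000 in the comment above the define so the ABI
value stays greppable.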
diff --git a/include/uapi/drm/vmwgfx_drm.h b/include/uapi/drm/vmwgfx_drm.h
index 7d786a0cc835..5e5878384e60 100644
--- a/include/uapi/drm/vmwgfx_drm.h
+++ b/include/uapi/drm/vmwgfx_drm.h
@@ -715,7 +715,7 @@ struct drm_vmw_fence_arg {
 /*
  * The event type
  */
-#define DRM_VMW_EVENT_FENCE_SIGNALED 0x80000000
+#define DRM_VMW_EVENT_FENCE_SIGNALED DRM_EVENT_VENDOR_SPECIFIC(0x0)
 
 struct drm_vmw_event_fence {
 	struct drm_event base;
-- 
2.53.0



* Re: BUG: net-next (7.0-rc6 based and later) fails to boot on Jetson Xavier NX
From: Linus Torvalds @ 2026-04-08 16:22 UTC
  To: Russell King (Oracle)
  Cc: netdev, linux-arm-kernel, linux-kernel, iommu, linux-ext4,
	dmaengine, Marek Szyprowski, Robin Murphy, Theodore Ts'o,
	Andreas Dilger, Vinod Koul, Frank Li
In-Reply-To: <adZ9grUg71f518Fg@shell.armlinux.org.uk>

On Wed, 8 Apr 2026 at 09:08, Russell King (Oracle)
<linux@armlinux.org.uk> wrote:
>
> The rebase is still progressing, but it's landed on:
>
> c7d812e33f3e dmaengine: xilinx: xilinx_dma: Fix unmasked residue subtraction

Well, that commit looks completely bogus.

The explanation is just garbage: when subtracting two values that may
have random crud in the top bits, it's actually likely *better* to do
the masking *after* the subtraction.

The subtract of bogus upper bits will only affect upper bits. The
carry-chain only works upwards, not downwards.

So the old code that did

                       residue += (cdma_hw->control - cdma_hw->status) &
                                  chan->xdev->max_buffer_len;

would correctly mask out the upper bits, and the result of the
subtraction would be done "modulo max_buffer_len". Which is rather
reasonable.

The code was changed to

                       residue += (cdma_hw->control & chan->xdev->max_buffer_len) -
                                  (cdma_hw->status & chan->xdev->max_buffer_len);

and now it does obviously still mask out the upper bits (on each of the
values), but then the subtraction is done "modulo the arithmetic C
type" (which is 'u32')

In particular, if the status bits are bigger than the control bits,
that residue addition will now add a *huge* 32-bit number. It used to
add a number that was limited by the max_buffer_len mask.

So the "interference from those top bits" stated in the commit message
is simply NOT TRUE. It's just complete rambling garbage.

Instead, the commit purely changes the final modulus of the
subtraction - which has nothing to do with any upper bits, and
everything to do with what kind of answer you want.

I think that commit is just very very wrong. At least the commit
message is wrong. And see above why I think the changed arithmetic is
likely wrong too.

It's very possible that the 'residue' is now a random 32-bit number
with the high bits set, and you get DMA corruption.

That would explain why this happens on Jetson but I haven't seen other reports.

                    Linus
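
The arithmetic argument in the message above, as an added C example that is not part of the original message or of the xilinx_dma driver. The function names, MAX_BUFFER_LEN and the register values are constructed for illustration, and the mask is assumed to be a contiguous low-bit mask of the form 2^k - 1.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed for illustration: a 26-bit length field, i.e. a mask of the form 2^k - 1. */
#define MAX_BUFFER_LEN UINT32_C(0x03ffffff)

/* Old form quoted in the message: subtract first, then mask the difference. */
static uint32_t residue_mask_after(uint32_t control, uint32_t status, uint32_t mask)
{
	return (control - status) & mask;
}

/* New form quoted in the message: mask each operand, then subtract as u32. */
static uint32_t residue_mask_before(uint32_t control, uint32_t status, uint32_t mask)
{
	return (control & mask) - (status & mask);
}

/* Deterministic pseudo-random register values (constructed test input). */
static uint32_t next_value(uint32_t *state)
{
	*state = *state * 1664525u + 1013904223u;
	return *state;
}

/*
 * Check three properties over n constructed register pairs and return the
 * number of violations found:
 *  1. the old form never exceeds the mask;
 *  2. both forms agree in the masked bits, so bits above the mask in either
 *     register never change the low bits of the difference (borrows only
 *     propagate upwards);
 *  3. the new form exceeds the mask exactly when the status field is larger
 *     than the control field, i.e. when the u32 subtraction wraps.
 */
static unsigned int count_violations(unsigned int n)
{
	uint32_t state = 0x12345678u;	/* fixed seed, so the run is repeatable */
	unsigned int violations = 0;

	for (unsigned int i = 0; i < n; i++) {
		uint32_t control = next_value(&state);
		uint32_t status = next_value(&state);
		uint32_t after = residue_mask_after(control, status, MAX_BUFFER_LEN);
		uint32_t before = residue_mask_before(control, status, MAX_BUFFER_LEN);
		int field_underflow = (status & MAX_BUFFER_LEN) > (control & MAX_BUFFER_LEN);

		if (after > MAX_BUFFER_LEN)
			violations++;
		if ((before & MAX_BUFFER_LEN) != after)
			violations++;
		if ((before > MAX_BUFFER_LEN) != field_underflow)
			violations++;
	}
	return violations;
}

int main(void)
{
	/* Constructed values: bits set above the length field in both registers. */
	uint32_t c1 = 0xA4001000u, s1 = 0x50000400u;
	/* Constructed values: status length field larger than control length field. */
	uint32_t c2 = 0x00000400u, s2 = 0x00001000u;

	printf("upper bits set:   mask-after=0x%08" PRIx32 " mask-before=0x%08" PRIx32 "\n",
	       residue_mask_after(c1, s1, MAX_BUFFER_LEN),
	       residue_mask_before(c1, s1, MAX_BUFFER_LEN));
	printf("status > control: mask-after=0x%08" PRIx32 " mask-before=0x%08" PRIx32 "\n",
	       residue_mask_after(c2, s2, MAX_BUFFER_LEN),
	       residue_mask_before(c2, s2, MAX_BUFFER_LEN));

	return count_violations(100000) ? 1 : 0;
}
```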


* Re: BUG: net-next (7.0-rc6 based and later) fails to boot on Jetson Xavier NX
From: Russell King (Oracle) @ 2026-04-08 16:16 UTC
  To: netdev, linux-arm-kernel, linux-kernel, iommu, linux-ext4,
	Linus Torvalds, dmaengine
  Cc: Marek Szyprowski, Robin Murphy, Theodore Ts'o, Andreas Dilger,
	Vinod Koul, Frank Li
In-Reply-To: <adZ9grUg71f518Fg@shell.armlinux.org.uk>

On Wed, Apr 08, 2026 at 05:08:34PM +0100, Russell King (Oracle) wrote:
> The rebase is still progressing, but it's landed on:
> 
> c7d812e33f3e dmaengine: xilinx: xilinx_dma: Fix unmasked residue subtraction
> 
> and while this boots to a login prompt, it spat out a BUG():
> 
> BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591
> in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 56, name: kworker/u24:3
> preempt_count: 0, expected: 0
> RCU nest depth: 0, expected: 0
> 3 locks held by kworker/u24:3/56:
>  #0: ffff000080042148 ((wq_completion)events_unbound#2){+.+.}-{0:0}, at: process_one_work+0x184/0x780
>  #1: ffff80008299bdf8 (deferred_probe_work){+.+.}-{0:0}, at: process_one_work+0x1ac/0x780
>  #2: ffff0000808b48f8 (&dev->mutex){....}-{4:4}, at: __device_attach+0x2c/0x188
> irq event stamp: 10872
> hardirqs last  enabled at (10871): [<ffff80008013a410>] ktime_get+0x130/0x180
> hardirqs last disabled at (10872): [<ffff800080d61ac8>] _raw_spin_lock_irqsave+0x84/0x88
> softirqs last  enabled at (9216): [<ffff80008002807c>] fpsimd_save_and_flush_current_state+0x3c/0x80
> softirqs last disabled at (9214): [<ffff800080028098>] fpsimd_save_and_flush_current_state+0x58/0x80
> CPU: 5 UID: 0 PID: 56 Comm: kworker/u24:3 Not tainted 7.0.0-rc1-bisect+ #654 PREEMPT
> Hardware name: NVIDIA NVIDIA Jetson Xavier NX Developer Kit/Jetson, BIOS 6.0-37391689 08/28/2024
> Workqueue: events_unbound deferred_probe_work_func
> Call trace:
>  show_stack+0x18/0x30 (C)
>  dump_stack_lvl+0x6c/0x94
>  dump_stack+0x18/0x24
>  __might_resched+0x154/0x220
>  __might_sleep+0x48/0x80
>  __mutex_lock+0x48/0x800
>  mutex_lock_nested+0x24/0x30
>  pinmux_disable_setting+0x9c/0x180
>  pinctrl_commit_state+0x5c/0x260
>  pinctrl_pm_select_idle_state+0x4c/0xa0
>  tegra_i2c_runtime_suspend+0x2c/0x3c
>  pm_generic_runtime_suspend+0x2c/0x44
>  __rpm_callback+0x48/0x1ec
>  rpm_callback+0x74/0x80
>  rpm_suspend+0xec/0x630
>  rpm_idle+0x2c0/0x420
>  __pm_runtime_idle+0x44/0x160
>  tegra_i2c_probe+0x2e4/0x640
>  platform_probe+0x5c/0xa4
>  really_probe+0xbc/0x2c0
>  __driver_probe_device+0x78/0x120
>  driver_probe_device+0x3c/0x160
>  __device_attach_driver+0xbc/0x160
>  bus_for_each_drv+0x70/0xb8
>  __device_attach+0xa4/0x188
>  device_initial_probe+0x50/0x54
>  bus_probe_device+0x38/0xa4
>  deferred_probe_work_func+0x90/0xcc
>  process_one_work+0x204/0x780
>  worker_thread+0x1c8/0x36c
>  kthread+0x138/0x144
>  ret_from_fork+0x10/0x20
> 
> This is reproducible.

I've just realised that it's the Tegra I2C bug that is already known
about, but took ages to be fixed in mainline - it's unrelated to the
memory corruption, so can be ignored. Sorry for the noise.

-- 
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!



* Re: BUG: net-next (7.0-rc6 based and later) fails to boot on Jetson Xavier NX
From: Russell King (Oracle) @ 2026-04-08 16:08 UTC (permalink / raw)
  To: netdev, linux-arm-kernel, linux-kernel, iommu, linux-ext4,
	Linus Torvalds, dmaengine
  Cc: Marek Szyprowski, Robin Murphy, Theodore Ts'o, Andreas Dilger,
	Vinod Koul, Frank Li
In-Reply-To: <adZfTi3R6jtsjXx-@shell.armlinux.org.uk>

On Wed, Apr 08, 2026 at 02:59:42PM +0100, Russell King (Oracle) wrote:
> On Wed, Apr 08, 2026 at 02:07:36PM +0100, Russell King (Oracle) wrote:
> > Hi,
> > 
> > Just a heads-up that current net-next (v7.0-rc6 based) fails to boot on
> > my nVidia Jetson Xavier platform. v7.0-rc5 and v6.14 based net-next both
> > boot fine. This is an arm64 platform.
> > 
> > The problem appears to be completely random in terms of its symptoms,
> > and looks like severe memory corruption - every boot seems to produce
> > a different problem. The common theme is, although the kernel gets to
> > userspace, it never gets anywhere close to a login prompt before
> > failing in some way.
> > 
> > The last net-next+ boot (which is currently v7.0-rc6 based) resulted
> > in:
> > 
> > tegra-mc 2c00000.memory-controller: xusb_hostw: secure write @0x00000003ffffff00: VPR violation ((null))
> > ...
> > irq 91: nobody cared (try booting with the "irqpoll" option)
> > ...
> > depmod: ERROR: could not open directory /lib/modules/7.0.0-rc6-net-next+: No such file or directory
> > ...
> > Unable to handle kernel paging request at virtual address 0003201fd50320cf
> > 
> > 
> > A previous boot of the exact same kernel didn't oops, but was unable
> > to find the block device to mount for /mnt via block UUID.
> > 
> > A previous boot to that resulted in an oops.
> > 
> > 
> > The interesting thing is - the depmod error above is incorrect:
> > 
> > root@tegra-ubuntu:~# ls -ld /lib/modules/7.0.0-rc6-net-next+
> > drwxrwxr-x 3 root root 4096 Apr  8 10:23 /lib/modules/7.0.0-rc6-net-next+
> > 
> > The directory is definitely there, and is readable - checked after
> > booting back into net-next based on 7.0-rc5. In some of these boots,
> > stmmac hasn't probed yet, which rules out my changes.
> > 
> > Rootfs is ext4, and it seems there were a lot of ext4 commits merged
> > between rc5 and rc6, but nothing for rc7.
> > 
> > My current net-next head is dfecb0c5af3b. Merging rc7 on top also
> > fails, I suspect also randomly, with that I just got:
> > 
> > EXT4-fs (mmcblk0p1): VFS: Can't find ext4 filesystem
> > mount: /mnt: wrong fs type, bad option, bad superblock on /dev/mmcblk0p1, missing codepage or helper program, or other error.
> > mount: /mnt/: can't find PARTUUID=741c0777-391a-4bce-a222-455e180ece2a.
> > Unable to handle kernel paging request at virtual address f9bf0011ac0fb893
> > Mem abort info:
> >   ESR = 0x0000000096000004
> >   EC = 0x25: DABT (current EL), IL = 32 bits
> >   SET = 0, FnV = 0
> >   EA = 0, S1PTW = 0
> >   FSC = 0x04: level 0 translation fault
> > Data abort info:
> >   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
> >   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
> >   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
> > [f9bf0011ac0fb893] address between user and kernel address ranges
> > Internal error: Oops: 0000000096000004 [#1]  SMP
> > Modules linked in:
> > CPU: 1 UID: 0 PID: 936 Comm: mount Not tainted 7.0.0-rc7-net-next+ #649 PREEMPT
> > Hardware name: NVIDIA NVIDIA Jetson Xavier NX Developer Kit/Jetson, BIOS 6.0-37391689 08/28/2024
> > pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> > pc : refill_objects+0x298/0x5ec
> > lr : refill_objects+0x1f0/0x5ec
> > 
> > ...
> > 
> > Call trace:
> >  refill_objects+0x298/0x5ec (P)
> >  __pcs_replace_empty_main+0x13c/0x3a8
> >  kmem_cache_alloc_noprof+0x324/0x3a0
> >  alloc_iova+0x3c/0x290
> >  alloc_iova_fast+0x168/0x2d4
> >  iommu_dma_alloc_iova+0x84/0x154
> >  iommu_dma_map_sg+0x2c4/0x538
> >  __dma_map_sg_attrs+0x124/0x2c0
> >  dma_map_sg_attrs+0x10/0x20
> >  sdhci_pre_dma_transfer+0xb8/0x164
> >  sdhci_pre_req+0x38/0x44
> >  mmc_blk_mq_issue_rq+0x3dc/0x920
> >  mmc_mq_queue_rq+0x104/0x2b0
> >  __blk_mq_issue_directly+0x38/0xb0
> >  blk_mq_request_issue_directly+0x54/0xb4
> >  blk_mq_issue_direct+0x84/0x180
> >  blk_mq_dispatch_queue_requests+0x1a8/0x2e0
> >  blk_mq_flush_plug_list+0x60/0x140
> >  __blk_flush_plug+0xe0/0x11c
> >  blk_finish_plug+0x38/0x4c
> >  read_pages+0x158/0x260
> >  page_cache_ra_unbounded+0x158/0x3e0
> >  force_page_cache_ra+0xb0/0xe4
> >  page_cache_sync_ra+0x88/0x480
> >  filemap_get_pages+0xd8/0x850
> >  filemap_read+0xdc/0x3d8
> >  blkdev_read_iter+0x84/0x198
> >  vfs_read+0x208/0x2d8
> >  ksys_read+0x58/0xf4
> >  __arm64_sys_read+0x1c/0x28
> >  invoke_syscall.constprop.0+0x50/0xe0
> >  do_el0_svc+0x40/0xc0
> >  el0_svc+0x48/0x2a0
> >  el0t_64_sync_handler+0xa0/0xe4
> >  el0t_64_sync+0x19c/0x1a0
> > Code: 54000189 f9000022 aa0203e4 b9402ae3 (f8634840)
> > ---[ end trace 0000000000000000 ]---
> > Kernel panic - not syncing: Oops: Fatal exception
> > 
> > Looking at the changes between rc5 and rc6, there's one drivers/block
> > change for zram (which is used on this platform), one change in
> > drivers/base for regmap, nothing for drivers/mmc, but plenty for
> > fs/ext4. There are five DMA API changes.
> > 
> > Now building straight -rc7. If that also fails, my plan is to start
> > bisecting rc5..rc6, which will likely take most of the rest of the
> > day. So, in the mean time I'm sending this as a heads-up that rc6
> > and onwards has a problem.
> 
> Plain -rc7 fails (another random oops):
> 
> Root device found: PARTUUID=741c0777-391a-4bce-a222-455e180ece2a
> depmod: ERROR: could not open directory /lib/modules/7.0.0-rc7-net-next+: No such file or directory
> depmod: FATAL: could not search modules: No such file or directory
> usb 2-3: new SuperSpeed Plus Gen 2x1 USB device number 2 using tegra-xusb
> hub 2-3:1.0: USB hub found
> hub 2-3:1.0: 4 ports detected
> usb 1-3: new full-speed USB device number 3 using tegra-xusb
> Unable to handle kernel paging request at virtual address 0003201fd50320cf
> Mem abort info:
>   ESR = 0x0000000096000004
>   EC = 0x25: DABT (current EL), IL = 32 bits
>   SET = 0, FnV = 0
>   EA = 0, S1PTW = 0
>   FSC = 0x04: level 0 translation fault
> Data abort info:
>   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
>   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
>   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
> [0003201fd50320cf] address between user and kernel address ranges
> Internal error: Oops: 0000000096000004 [#1]  SMP
> Modules linked in:
> CPU: 1 UID: 0 PID: 917 Comm: mount Not tainted 7.0.0-rc7-net-next+ #649 PREEMPT
> Hardware name: NVIDIA NVIDIA Jetson Xavier NX Developer Kit/Jetson, BIOS 6.0-37391689 08/28/2024
> pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : refill_objects+0x298/0x5ec
> lr : refill_objects+0x1f0/0x5ec
> sp : ffff80008606b500
> x29: ffff80008606b500 x28: 0000000000000001 x27: fffffdffc20e6200
> x26: 0000000000000006 x25: 0000000000000000 x24: 000000000000003c
> x23: ffff0000809e4840 x22: ffff0000809dba00 x21: ffff80008606b5a0
> x20: ffff000081133820 x19: fffffdffc20e6220 x18: 0000000000000000
> x17: 0000000000000000 x16: 0000000000000100 x15: 0000000000000000
> x14: 0000000000000000 x13: 0000000000000000 x12: ffff800081e5faa8
> x11: ffff800082192c70 x10: ffff8000814074dc x9 : 0000000000000050
> x8 : ffff80008606b490 x7 : ffff000083988b40 x6 : ffff80008606b4a0
> x5 : 000000080015000f x4 : d503201fd503201f x3 : 00000000000000b0
> x2 : d503201fd503201f x1 : ffff000081133828 x0 : d503201fd503201f
> Call trace:
>  refill_objects+0x298/0x5ec (P)
>  __pcs_replace_empty_main+0x13c/0x3a8
>  kmem_cache_alloc_noprof+0x324/0x3a0
>  mempool_alloc_slab+0x1c/0x28
>  mempool_alloc_noprof+0x98/0xe0
>  bio_alloc_bioset+0x160/0x3e0
>  do_mpage_readpage+0x3d0/0x618
>  mpage_readahead+0xb8/0x144
>  blkdev_readahead+0x18/0x24
>  read_pages+0x58/0x260
>  page_cache_ra_unbounded+0x158/0x3e0
>  force_page_cache_ra+0xb0/0xe4
>  page_cache_sync_ra+0x88/0x480
>  filemap_get_pages+0xd8/0x850
>  filemap_read+0xdc/0x3d8
>  blkdev_read_iter+0x84/0x198
>  vfs_read+0x208/0x2d8
>  ksys_read+0x58/0xf4
>  __arm64_sys_read+0x1c/0x28
>  invoke_syscall.constprop.0+0x50/0xe0
>  do_el0_svc+0x40/0xc0
>  el0_svc+0x48/0x2a0
>  el0t_64_sync_handler+0xa0/0xe4
>  el0t_64_sync+0x19c/0x1a0
> Code: 54000189 f9000022 aa0203e4 b9402ae3 (f8634840)
> ---[ end trace 0000000000000000 ]---
> 
> Now starting the bisect between 7.0-rc5 and 7.0-rc6.

The rebase is still progressing, but it's landed on:

c7d812e33f3e dmaengine: xilinx: xilinx_dma: Fix unmasked residue subtraction

and while this boots to a login prompt, it spat out a BUG():

BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591
in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 56, name: kworker/u24:3
preempt_count: 0, expected: 0
RCU nest depth: 0, expected: 0
3 locks held by kworker/u24:3/56:
 #0: ffff000080042148 ((wq_completion)events_unbound#2){+.+.}-{0:0}, at: process_one_work+0x184/0x780
 #1: ffff80008299bdf8 (deferred_probe_work){+.+.}-{0:0}, at: process_one_work+0x1ac/0x780
 #2: ffff0000808b48f8 (&dev->mutex){....}-{4:4}, at: __device_attach+0x2c/0x188
irq event stamp: 10872
hardirqs last  enabled at (10871): [<ffff80008013a410>] ktime_get+0x130/0x180
hardirqs last disabled at (10872): [<ffff800080d61ac8>] _raw_spin_lock_irqsave+0x84/0x88
softirqs last  enabled at (9216): [<ffff80008002807c>] fpsimd_save_and_flush_current_state+0x3c/0x80
softirqs last disabled at (9214): [<ffff800080028098>] fpsimd_save_and_flush_current_state+0x58/0x80
CPU: 5 UID: 0 PID: 56 Comm: kworker/u24:3 Not tainted 7.0.0-rc1-bisect+ #654 PREEMPT
Hardware name: NVIDIA NVIDIA Jetson Xavier NX Developer Kit/Jetson, BIOS 6.0-37391689 08/28/2024
Workqueue: events_unbound deferred_probe_work_func
Call trace:
 show_stack+0x18/0x30 (C)
 dump_stack_lvl+0x6c/0x94
 dump_stack+0x18/0x24
 __might_resched+0x154/0x220
 __might_sleep+0x48/0x80
 __mutex_lock+0x48/0x800
 mutex_lock_nested+0x24/0x30
 pinmux_disable_setting+0x9c/0x180
 pinctrl_commit_state+0x5c/0x260
 pinctrl_pm_select_idle_state+0x4c/0xa0
 tegra_i2c_runtime_suspend+0x2c/0x3c
 pm_generic_runtime_suspend+0x2c/0x44
 __rpm_callback+0x48/0x1ec
 rpm_callback+0x74/0x80
 rpm_suspend+0xec/0x630
 rpm_idle+0x2c0/0x420
 __pm_runtime_idle+0x44/0x160
 tegra_i2c_probe+0x2e4/0x640
 platform_probe+0x5c/0xa4
 really_probe+0xbc/0x2c0
 __driver_probe_device+0x78/0x120
 driver_probe_device+0x3c/0x160
 __device_attach_driver+0xbc/0x160
 bus_for_each_drv+0x70/0xb8
 __device_attach+0xa4/0x188
 device_initial_probe+0x50/0x54
 bus_probe_device+0x38/0xa4
 deferred_probe_work_func+0x90/0xcc
 process_one_work+0x204/0x780
 worker_thread+0x1c8/0x36c
 kthread+0x138/0x144
 ret_from_fork+0x10/0x20

This is reproducible.

Adding Vinod and Frank, and dmaengine mailing list.

Bisect continuing, assuming this is a "good" commit as it isn't
producing the boot failure with random memory corruption.

-- 
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!



* Re: [PATCH v2 2/3] remoteproc: imx_rproc: Pass bootaddr to SM CPU/LMM reset vector
From: Daniel Baluta @ 2026-04-08 16:00 UTC (permalink / raw)
  To: Peng Fan, Mathieu Poirier, Peng Fan (OSS)
  Cc: Bjorn Andersson, Rob Herring, Krzysztof Kozlowski, Conor Dooley,
	Frank Li, Sascha Hauer, Pengutronix Kernel Team, Fabio Estevam,
	Daniel Baluta, linux-remoteproc@vger.kernel.org,
	devicetree@vger.kernel.org, imx@lists.linux.dev,
	linux-arm-kernel@lists.infradead.org,
	linux-kernel@vger.kernel.org
In-Reply-To: <PAXPR04MB8459AA009C932EB9D6139A11885BA@PAXPR04MB8459.eurprd04.prod.outlook.com>

On 4/8/26 04:30, Peng Fan wrote:
>> Subject: Re: [PATCH v2 2/3] remoteproc: imx_rproc: Pass bootaddr to
>> SM CPU/LMM reset vector
>>
> [...]
>>> Aligning the ELF entry point with the hardware reset base on Cortex‑M
>>> systems is possible, but it comes with several risks.
>> I'm not asking to align the ELF entry point with the hardware reset base.
>> All I want is to have the correct start address embedded in the ELF file
>> to avoid having to use a mask.
> I see, per my understanding:
> FreeRTOS typically exposes __isr_vector, which corresponds to the hardware
> reset / vector table base.
> Zephyr (Cortex‑M) exposes _vector_table, which serves the same purpose.
> I am not certain about other RTOSes, but the pattern seems consistent:
> the vector table base is already available as a named ELF symbol.
>
> Given that, if the preferred approach is to parse the ELF and explicitly
> retrieve the hardware reset base, I can update the implementation accordingly.
> If you prefer to parse the elf file to get the hardware reset base,
> I could update to use them.
>
> Option 1: Something as below:
> 1. Include rproc_elf_find_symbol in remoteproc_elf_loader.c
> 2. Use below in imx_rproc.c
> ret = rproc_elf_find_symbol(rproc, fw, "__isr_vector", &vector_base);
> if (ret)
>     ret = rproc_elf_find_symbol(rproc, fw, "__vector_table", &vector_base);
>
> if (!ret)
>     rproc->bootaddr = vector_base;
> else
>     dev_info(dev, "no __isr_vector or __vector_table\n");
>
> This makes the hardware reset base explicit, avoids masking e_entry.
>
> Option 2: User‑provided reset symbol via sysfs 
> As an alternative, we could expose a sysfs attribute,
> e.g. reset_symbol, allowing users to specify the symbol name
> to be used as the reset base:
>
> echo __isr_vector > /sys/class/remoteproc/remoteprocX/reset_symbol
>
> The remoteproc core would then resolve that symbol from
> the ELF and set rproc->bootaddr accordingly.
> This provides maximum flexibility but does introduce a new user‑visible ABI,
> so I see it more as an opt‑in or fallback mechanism.
>
> Please let me know which approach you prefer, and I will update
> this series accordingly in v3.

I would go with option 1) as this and having something like this:

#define IMX_RPROC_DEFAULT_RST_VECTOR_NAME "..."

later we can expand that with a configurable name via sysfs.

This was along my initial proposal where you would determine
the reset vector address from the elf file.



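Option 1 in the message above takes the reset base from a named ELF symbol instead of masking e_entry. The following is an added sketch, not code from the thread or from the remoteproc core: a user-space C lookup over a constructed ELF32 image, with the bounds checks such a lookup needs because the firmware file is untrusted input. The names elf32_find_symbol, elf32_reset_base and build_sample, the return codes and the sample addresses are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { SYM_OK = 0, SYM_MALFORMED = -1, SYM_NOT_FOUND = -2 };

/* Little-endian accessors: no struct casts, so nothing is assumed about the
 * alignment or byte order of the untrusted firmware image. */
static uint32_t rd16(const uint8_t *p) { return p[0] | ((uint32_t)p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v); wr16(p + 2, v >> 16); }

/* True when [off, off + size) lies inside an image of len bytes. */
static int in_image(size_t len, uint32_t off, uint32_t size)
{
	return off <= len && size <= len - off;
}

/* Find `name` in the SHT_SYMTAB of a little-endian ELF32 image, validating
 * every offset, size and string index before it is dereferenced. */
static int elf32_find_symbol(const uint8_t *img, size_t len,
			     const char *name, uint32_t *value)
{
	if (len < 52 || memcmp(img, "\177ELF", 4) || img[4] != 1 || img[5] != 1)
		return SYM_MALFORMED;		/* not ELFCLASS32 + ELFDATA2LSB */
	uint32_t shoff = rd32(img + 32), shnum = rd16(img + 48);
	if (rd16(img + 46) != 40 || !in_image(len, shoff, shnum * 40))
		return SYM_MALFORMED;		/* section header table out of bounds */
	for (uint32_t i = 0; i < shnum; i++) {
		const uint8_t *sh = img + shoff + i * 40;
		if (rd32(sh + 4) != 2)		/* sh_type != SHT_SYMTAB */
			continue;
		uint32_t symoff = rd32(sh + 16), symsz = rd32(sh + 20);
		uint32_t link = rd32(sh + 24);	/* sh_link: index of the string table */
		if (link >= shnum || rd32(sh + 36) != 16 || !in_image(len, symoff, symsz))
			return SYM_MALFORMED;
		const uint8_t *st = img + shoff + link * 40;
		uint32_t stroff = rd32(st + 16), strsz = rd32(st + 20);
		/* The string table must be SHT_STRTAB, in bounds and NUL-terminated,
		 * so that strcmp() below can never run past its end. */
		if (rd32(st + 4) != 3 || !strsz || !in_image(len, stroff, strsz) ||
		    img[(size_t)stroff + strsz - 1] != 0)
			return SYM_MALFORMED;
		for (uint32_t s = 0; symsz - s >= 16; s += 16) {
			const uint8_t *sym = img + symoff + s;
			uint32_t st_name = rd32(sym);
			if (st_name >= strsz)
				return SYM_MALFORMED;
			if (!strcmp((const char *)img + stroff + st_name, name)) {
				*value = rd32(sym + 4);	/* st_value */
				return SYM_OK;
			}
		}
	}
	return SYM_NOT_FOUND;
}

/* Try the two symbol names from the proposal in order. A malformed image is
 * reported as such and does not fall through to the second name. */
static int elf32_reset_base(const uint8_t *img, size_t len, uint32_t *base)
{
	int ret = elf32_find_symbol(img, len, "__isr_vector", base);
	if (ret == SYM_NOT_FOUND)
		ret = elf32_find_symbol(img, len, "__vector_table", base);
	return ret;
}

/* Constructed 248-byte image: header, .strtab @52, .symtab @80, 3 shdrs @128. */
static size_t build_sample(uint8_t *b)
{
	static const char names[28] = "\0__isr_vector\0Reset_Handler";
	uint8_t *symtab = b + 168, *strtab = b + 208;	/* section headers 1 and 2 */
	memset(b, 0, 248);
	memcpy(b, "\177ELF\1\1\1", 7);			/* ELFCLASS32, little-endian */
	wr32(b + 24, 0x20480401);			/* e_entry: Reset_Handler, Thumb bit set */
	wr32(b + 32, 128);				/* e_shoff */
	wr16(b + 46, 40); wr16(b + 48, 3);		/* e_shentsize, e_shnum */
	memcpy(b + 52, names, sizeof(names));
	wr32(b + 96, 1);   wr32(b + 100, 0x20480000);	/* symbol 1: __isr_vector */
	wr32(b + 112, 14); wr32(b + 116, 0x20480401);	/* symbol 2: Reset_Handler */
	wr32(symtab + 4, 2); wr32(symtab + 16, 80); wr32(symtab + 20, 48);
	wr32(symtab + 24, 2); wr32(symtab + 36, 16);	/* sh_link, sh_entsize */
	wr32(strtab + 4, 3); wr32(strtab + 16, 52); wr32(strtab + 20, 28);
	return 248;
}

int main(void)
{
	uint8_t img[248];
	uint32_t base = 0;
	int ret = elf32_reset_base(img, build_sample(img), &base);
	printf("ret=%d reset base=0x%08x\n", ret, (unsigned)base);
	return ret != SYM_OK;
}
```

On the constructed image the lookup returns the vector table address rather than e_entry, which points at Reset_Handler with the Thumb bit set.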

* [GIT PULL] KVM/arm64 updates for 7.1
From: Marc Zyngier @ 2026-04-08 15:55 UTC (permalink / raw)
  To: Paolo Bonzini
  Cc: Alexandru Elisei, Arnd Bergmann, Catalin Marinas, Fuad Tabba,
	James Clark, Joey Gouly, John Stultz, Jonathan Cameron,
	Kalesh Singh, Leo Yan, Mark Brown, Mostafa Saleh,
	Nathan Chancellor, Oliver Upton, Quentin Perret, Sascha Bischoff,
	Sebastian Ene, Steven Rostedt, Suzuki K Poulose,
	Vincent Donnefort, Wei-Lin Chang, Will Deacon, Zenghui Yu, kvmarm,
	linux-arm-kernel, kvm

Paolo,

7.1 should be a pretty large milestone for KVM/arm64. Of note, we have:

- the hypervisor tracing infrastructure, which is pretty large on its
  own, but also comes with an equally large set of tracing specific
  patches (we share a branch with the tracing tree).

- the first set of patches for native GICv5 support, limited to PPIs
  for the time being. I expect this to take a few kernel revisions
  to reach the feature-complete state.

- some movement on the pKVM front, in the form of protected guest and
  protected memory support.

The rest is a large set of fixes, cleanups and rework in order to make
some of the most hairy code more maintainable (user_mem_abort() being
the most significant example).

Please pull,

        M.

The following changes since commit f338e77383789c0cae23ca3d48adcc5e9e137e3c:

  Linux 7.0-rc4 (2026-03-15 13:52:05 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm.git tags/kvmarm-7.1

for you to fetch changes up to 94b4ae79ebb42a8a6f2124b4d4b033b15a98e4f9:

  Merge branch kvm-arm64/misc-7.1 into kvmarm-master/next (2026-04-08 12:26:11 +0100)

----------------------------------------------------------------
KVM/arm64 updates for 7.1

* New features:

- Add support for tracing in the standalone EL2 hypervisor code,
  which should help both debugging and performance analysis.
  This comes with a full infrastructure for 'remote' trace buffers
  that can be exposed by non-kernel entities such as firmware.

- Add support for GICv5 Per Processor Interrupts (PPIs), as the
  starting point for supporting the new GIC architecture in KVM.

- Finally add support for pKVM protected guests, with anonymous
  memory being used as a backing store. About time!

* Improvements and bug fixes:

- Rework the dreaded user_mem_abort() function to make it more
  maintainable, reducing the amount of state being exposed to
  the various helpers and rendering a substantial amount of
  state immutable.

- Expand the Stage-2 page table dumper to support NV shadow
  page tables on a per-VM basis.

- Tidy up the pKVM PSCI proxy code to be slightly less hard
  to follow.

- Fix both SPE and TRBE in non-VHE configurations so that they
  do not generate spurious, out of context table walks that
  ultimately lead to very bad HW lockups.

- A small set of patches fixing the Stage-2 MMU freeing in error
  cases.

- Tighten-up accepted SMC immediate value to be only #0 for host
  SMCCC calls.

- The usual cleanups and other selftest churn.

----------------------------------------------------------------
Arnd Bergmann (3):
      tracing: add more symbols to whitelist
      KVM: arm64: tracing: add ftrace dependency
      KVM: arm64: avoid unused-variable warning

Fuad Tabba (14):
      KVM: arm64: Extract VMA size resolution in user_mem_abort()
      KVM: arm64: Introduce struct kvm_s2_fault to user_mem_abort()
      KVM: arm64: Extract PFN resolution in user_mem_abort()
      KVM: arm64: Isolate mmap_read_lock inside new kvm_s2_fault_get_vma_info() helper
      KVM: arm64: Extract stage-2 permission logic in user_mem_abort()
      KVM: arm64: Extract page table mapping in user_mem_abort()
      KVM: arm64: Simplify nested VMA shift calculation
      KVM: arm64: Remove redundant state variables from struct kvm_s2_fault
      KVM: arm64: Simplify return logic in user_mem_abort()
      KVM: arm64: Initialize struct kvm_s2_fault completely at declaration
      KVM: arm64: Optimize early exit checks in kvm_s2_fault_pin_pfn()
      KVM: arm64: Hoist MTE validation check out of MMU lock path
      KVM: arm64: Clean up control flow in kvm_s2_fault_map()
      KVM: arm64: Expose self-hosted debug regs as RAZ/WI for protected guests

Marc Zyngier (49):
      tracing: Restore accidentally removed SPDX tag
      KVM: arm64: pkvm: Move error handling to the end of kvm_hyp_cpu_entry
      KVM: arm64: pkvm: Simplify BTI handling on CPU boot
      KVM: arm64: pkvm: Turn __kvm_hyp_init_cpu into an inner label
      KVM: arm64: pkvm: Use direct function pointers for cpu_{on,resume}
      KVM: arm64: Remove extra ISBs when using msr_hcr_el2
      KVM: arm64: Kill fault->ipa
      KVM: arm64: Make fault_ipa immutable
      KVM: arm64: Move fault context to const structure
      KVM: arm64: Replace fault_is_perm with a helper
      KVM: arm64: Constrain fault_granule to kvm_s2_fault_map()
      KVM: arm64: Kill write_fault from kvm_s2_fault
      KVM: arm64: Kill exec_fault from kvm_s2_fault
      KVM: arm64: Kill topup_memcache from kvm_s2_fault
      KVM: arm64: Move VMA-related information to kvm_s2_fault_vma_info
      KVM: arm64: Kill logging_active from kvm_s2_fault
      KVM: arm64: Restrict the scope of the 'writable' attribute
      KVM: arm64: Move kvm_s2_fault.{pfn,page} to kvm_s2_vma_info
      KVM: arm64: Replace force_pte with a max_map_size attribute
      KVM: arm64: Move device mapping management into kvm_s2_fault_pin_pfn()
      KVM: arm64: Directly expose mapping prot and kill kvm_s2_fault
      KVM: arm64: Simplify integration of adjust_nested_*_perms()
      KVM: arm64: Convert gmem_abort() to struct kvm_s2_fault_desc
      KVM: arm64: vgic: Don't reset cpuif/redist addresses at finalize time
      KVM: arm64: Don't skip per-vcpu NV initialisation
      arm64: Fix field references for ICH_PPI_DVIR[01]_EL2
      KVM: arm64: Fix writeable mask for ID_AA64PFR2_EL1
      KVM: arm64: Account for RESx bits in __compute_fgt()
      KVM: arm64: vgic-v5: Hold config_lock while finalizing GICv5 PPIs
      KVM: arm64: vgic-v5: Transfer edge pending state to ICH_PPI_PENDRx_EL2
      KVM: arm64: vgic-v5: Cast vgic_apr to u32 to avoid undefined behaviours
      KVM: arm64: vgic-v5: Make the effective priority mask a strict limit
      KVM: arm64: vgic-v5: Correctly set dist->ready once initialised
      KVM: arm64: Kill arch_timer_context::direct field
      KVM: arm64: Remove evaluation of timer state in kvm_cpu_has_pending_timer()
      KVM: arm64: Move GICv5 timer PPI validation into timer_irqs_are_valid()
      KVM: arm64: Correctly plumb ID_AA64PFR2_EL1 into pkvm idreg handling
      KVM: arm64: Don't advertises GICv3 in ID_PFR1_EL1 if AArch32 isn't supported
      KVM: arm64: set_id_regs: Allow GICv3 support to be set at runtime
      KVM: arm64: Advertise ID_AA64PFR2_EL1.GCIE
      Merge branch kvm-arm64/hyp-tracing into kvmarm-master/next
      Merge branch kvm-arm64/vgic-v5-ppi into kvmarm-master/next
      Merge branch kvm-arm64/nv-s2-debugfs into kvmarm-master/next
      Merge branch kvm-arm64/pkvm-psci into kvmarm-master/next
      Merge branch kvm-arm64/user_mem_abort-rework into kvmarm-master/next
      Merge branch kvm-arm64/spe-trbe-nvhe into kvmarm-master/next
      Merge branch kvm-arm64/pkvm-protected-guest into kvmarm-master/next
      Merge branch kvm-arm64/vgic-fixes-7.1 into kvmarm-master/next
      Merge branch kvm-arm64/misc-7.1 into kvmarm-master/next

Nathan Chancellor (1):
      tracing: Adjust cmd_check_undefined to show unexpected undefined symbols

Quentin Perret (1):
      KVM: arm64: Inject SIGSEGV on illegal accesses

Sascha Bischoff (41):
      KVM: arm64: vgic-v3: Drop userspace write sanitization for ID_AA64PFR0.GIC on GICv5
      KVM: arm64: vgic: Rework vgic_is_v3() and add vgic_host_has_gicvX()
      KVM: arm64: Return early from kvm_finalize_sys_regs() if guest has run
      KVM: arm64: vgic: Split out mapping IRQs and setting irq_ops
      arm64/sysreg: Add remaining GICv5 ICC_ & ICH_ sysregs for KVM support
      arm64/sysreg: Add GICR CDNMIA encoding
      KVM: arm64: gic-v5: Add ARM_VGIC_V5 device to KVM headers
      KVM: arm64: gic: Introduce interrupt type helpers
      KVM: arm64: gic-v5: Add Arm copyright header
      KVM: arm64: gic-v5: Detect implemented PPIs on boot
      KVM: arm64: gic-v5: Sanitize ID_AA64PFR2_EL1.GCIE
      KVM: arm64: gic-v5: Support GICv5 FGTs & FGUs
      KVM: arm64: gic-v5: Add emulation for ICC_IAFFIDR_EL1 accesses
      KVM: arm64: gic-v5: Trap and emulate ICC_IDR0_EL1 accesses
      KVM: arm64: gic-v5: Add vgic-v5 save/restore hyp interface
      KVM: arm64: gic-v5: Implement GICv5 load/put and save/restore
      KVM: arm64: gic-v5: Finalize GICv5 PPIs and generate mask
      KVM: arm64: gic: Introduce queue_irq_unlock to irq_ops
      KVM: arm64: gic-v5: Implement PPI interrupt injection
      KVM: arm64: gic-v5: Init Private IRQs (PPIs) for GICv5
      KVM: arm64: gic-v5: Clear TWI if single task running
      KVM: arm64: gic-v5: Check for pending PPIs
      KVM: arm64: gic-v5: Trap and mask guest ICC_PPI_ENABLERx_EL1 writes
      KVM: arm64: Introduce set_direct_injection irq_op
      KVM: arm64: gic-v5: Implement direct injection of PPIs
      KVM: arm64: gic-v5: Support GICv5 interrupts with KVM_IRQ_LINE
      KVM: arm64: gic-v5: Create and initialise vgic_v5
      KVM: arm64: gic-v5: Initialise ID and priority bits when resetting vcpu
      irqchip/gic-v5: Introduce minimal irq_set_type() for PPIs
      KVM: arm64: gic-v5: Enlighten arch timer for GICv5
      KVM: arm64: gic-v5: Mandate architected PPI for PMU emulation on GICv5
      KVM: arm64: gic: Hide GICv5 for protected guests
      KVM: arm64: gic-v5: Hide FEAT_GCIE from NV GICv5 guests
      KVM: arm64: gic-v5: Introduce kvm_arm_vgic_v5_ops and register them
      KVM: arm64: gic-v5: Set ICH_VCTLR_EL2.En on boot
      KVM: arm64: gic-v5: Probe for GICv5 device
      Documentation: KVM: Introduce documentation for VGICv5
      KVM: arm64: gic-v5: Communicate userspace-driveable PPIs via a UAPI
      KVM: arm64: selftests: Introduce a minimal GICv5 PPI selftest
      KVM: arm64: selftests: Add no-vgic-v5 selftest
      KVM: arm64: vgic-v5: Fold PPI state for all exposed PPIs

Sebastian Ene (1):
      KVM: arm64: Prevent the host from using an smc with imm16 != 0

Vincent Donnefort (35):
      ring-buffer: Add page statistics to the meta-page
      ring-buffer: Store bpage pointers into subbuf_ids
      ring-buffer: Introduce ring-buffer remotes
      ring-buffer: Add non-consuming read for ring-buffer remotes
      tracing: Introduce trace remotes
      tracing: Add reset to trace remotes
      tracing: Add non-consuming read to trace remotes
      tracing: Add init callback to trace remotes
      tracing: Add events to trace remotes
      tracing: Add events/ root files to trace remotes
      tracing: Add helpers to create trace remote events
      ring-buffer: Export buffer_data_page and macros
      tracing: Introduce simple_ring_buffer
      tracing: Add a trace remote module for testing
      tracing: selftests: Add trace remote tests
      Documentation: tracing: Add tracing remotes
      tracing: load/unload page callbacks for simple_ring_buffer
      tracing: Check for undefined symbols in simple_ring_buffer
      KVM: arm64: Add PKVM_DISABLE_STAGE2_ON_PANIC
      KVM: arm64: Add clock support to nVHE/pKVM hyp
      KVM: arm64: Initialise hyp_nr_cpus for nVHE hyp
      KVM: arm64: Support unaligned fixmap in the pKVM hyp
      KVM: arm64: Add tracing capability for the nVHE/pKVM hyp
      KVM: arm64: Add trace remote for the nVHE/pKVM hyp
      KVM: arm64: Sync boot clock with the nVHE/pKVM hyp
      KVM: arm64: Add trace reset to the nVHE/pKVM hyp
      KVM: arm64: Add event support to the nVHE/pKVM hyp and trace remote
      KVM: arm64: Add hyp_enter/hyp_exit events to nVHE/pKVM hyp
      KVM: arm64: Add selftest event support to nVHE/pKVM hyp
      tracing: selftests: Add hypervisor trace remote tests
      KVM: arm64: Fix out-of-tree build for nVHE/pKVM tracing
      tracing: Update undefined symbols allow list for simple_ring_buffer
      tracing: Generate undef symbols allowlist for simple_ring_buffer
      tracing: Non-consuming read for trace remotes with an offline CPU
      tracing: selftests: Extend hotplug testing for trace remotes

Wei-Lin Chang (2):
      KVM: arm64: ptdump: Make KVM ptdump code s2 mmu aware
      KVM: arm64: nv: Expose shadow page tables in debugfs

Will Deacon (44):
      KVM: arm64: Disable TRBE Trace Buffer Unit when running in guest context
      KVM: arm64: Disable SPE Profiling Buffer when running in guest context
      KVM: arm64: Don't pass host_debug_state to BRBE world-switch routines
      KVM: arm64: Remove unused PKVM_ID_FFA definition
      KVM: arm64: Don't leak stage-2 page-table if VM fails to init under pKVM
      KVM: arm64: Move handle check into pkvm_pgtable_stage2_destroy_range()
      KVM: arm64: Rename __pkvm_pgtable_stage2_unmap()
      KVM: arm64: Don't advertise unsupported features for protected guests
      KVM: arm64: Remove is_protected_kvm_enabled() checks from hypercalls
      KVM: arm64: Ignore MMU notifier callbacks for protected VMs
      KVM: arm64: Prevent unsupported memslot operations on protected VMs
      KVM: arm64: Ignore -EAGAIN when mapping in pages for the pKVM host
      KVM: arm64: Split teardown hypercall into two phases
      KVM: arm64: Introduce __pkvm_host_donate_guest()
      KVM: arm64: Hook up donation hypercall to pkvm_pgtable_stage2_map()
      KVM: arm64: Handle aborts from protected VMs
      KVM: arm64: Introduce __pkvm_reclaim_dying_guest_page()
      KVM: arm64: Hook up reclaim hypercall to pkvm_pgtable_stage2_destroy()
      KVM: arm64: Factor out pKVM host exception injection logic
      KVM: arm64: Support translation faults in inject_host_exception()
      KVM: arm64: Avoid pointless annotation when mapping host-owned pages
      KVM: arm64: Generalise kvm_pgtable_stage2_set_owner()
      KVM: arm64: Introduce host_stage2_set_owner_metadata_locked()
      KVM: arm64: Change 'pkvm_handle_t' to u16
      KVM: arm64: Annotate guest donations with handle and gfn in host stage-2
      KVM: arm64: Introduce hypercall to force reclaim of a protected page
      KVM: arm64: Reclaim faulting page from pKVM in spurious fault handler
      KVM: arm64: Return -EFAULT from VCPU_RUN on access to a poisoned pte
      KVM: arm64: Add hvc handler at EL2 for hypercalls from protected VMs
      KVM: arm64: Implement the MEM_SHARE hypercall for protected VMs
      KVM: arm64: Implement the MEM_UNSHARE hypercall for protected VMs
      KVM: arm64: Allow userspace to create protected VMs when pKVM is enabled
      KVM: arm64: Add some initial documentation for pKVM
      KVM: arm64: Extend pKVM page ownership selftests to cover guest donation
      KVM: arm64: Register 'selftest_vm' in the VM table
      KVM: arm64: Extend pKVM page ownership selftests to cover forced reclaim
      KVM: arm64: Extend pKVM page ownership selftests to cover guest hvcs
      KVM: arm64: Rename PKVM_PAGE_STATE_MASK
      drivers/virt: pkvm: Add Kconfig dependency on DMA_RESTRICTED_POOL
      KVM: arm64: Prevent teardown finalisation of referenced 'hyp_vm'
      KVM: arm64: Allow get_pkvm_hyp_vm() to take a reference to a dying VM
      KVM: arm64: Don't hold 'vm_table_lock' across guest page reclaim
      KVM: arm64: Don't leave mmu->pgt dangling on kvm_init_stage2_mmu() error
      KVM: arm64: Destroy stage-2 page-table in kvm_arch_destroy_vm()

Zenghui Yu (Huawei) (2):
      KVM: arm64: ptdump: Initialize parser_state before pgtable walk
      KVM: arm64: selftests: Avoid testing the IMPDEF behavior

 Documentation/admin-guide/kernel-parameters.txt    |    4 +-
 Documentation/trace/index.rst                      |   11 +
 Documentation/trace/remotes.rst                    |   66 +
 Documentation/virt/kvm/api.rst                     |    6 +-
 Documentation/virt/kvm/arm/index.rst               |    1 +
 Documentation/virt/kvm/arm/pkvm.rst                |  106 ++
 Documentation/virt/kvm/devices/arm-vgic-v5.rst     |   50 +
 Documentation/virt/kvm/devices/index.rst           |    1 +
 Documentation/virt/kvm/devices/vcpu.rst            |    5 +-
 arch/arm64/include/asm/el2_setup.h                 |    4 +-
 arch/arm64/include/asm/kvm_asm.h                   |   44 +-
 arch/arm64/include/asm/kvm_define_hypevents.h      |   16 +
 arch/arm64/include/asm/kvm_host.h                  |   50 +-
 arch/arm64/include/asm/kvm_hyp.h                   |   14 +-
 arch/arm64/include/asm/kvm_hypevents.h             |   60 +
 arch/arm64/include/asm/kvm_hyptrace.h              |   26 +
 arch/arm64/include/asm/kvm_mmu.h                   |    4 +
 arch/arm64/include/asm/kvm_pgtable.h               |   45 +-
 arch/arm64/include/asm/kvm_pkvm.h                  |    4 +-
 arch/arm64/include/asm/sysreg.h                    |   13 +-
 arch/arm64/include/asm/virt.h                      |    9 +
 arch/arm64/include/asm/vncr_mapping.h              |    3 +
 arch/arm64/include/uapi/asm/kvm.h                  |    1 +
 arch/arm64/kernel/cpufeature.c                     |    1 +
 arch/arm64/kernel/hyp-stub.S                       |    1 -
 arch/arm64/kernel/image-vars.h                     |    4 +
 arch/arm64/kernel/vmlinux.lds.S                    |   18 +
 arch/arm64/kvm/Kconfig                             |   64 +-
 arch/arm64/kvm/Makefile                            |    2 +
 arch/arm64/kvm/arch_timer.c                        |  102 +-
 arch/arm64/kvm/arm.c                               |   69 +-
 arch/arm64/kvm/config.c                            |  127 +-
 arch/arm64/kvm/emulate-nested.c                    |   68 +
 arch/arm64/kvm/handle_exit.c                       |    2 +-
 arch/arm64/kvm/hyp/include/hyp/switch.h            |   27 +
 arch/arm64/kvm/hyp/include/nvhe/arm-smccc.h        |   23 +
 arch/arm64/kvm/hyp/include/nvhe/clock.h            |   16 +
 arch/arm64/kvm/hyp/include/nvhe/define_events.h    |   14 +
 arch/arm64/kvm/hyp/include/nvhe/mem_protect.h      |   12 +-
 arch/arm64/kvm/hyp/include/nvhe/memory.h           |   12 +-
 arch/arm64/kvm/hyp/include/nvhe/pkvm.h             |    7 +-
 arch/arm64/kvm/hyp/include/nvhe/trace.h            |   70 +
 arch/arm64/kvm/hyp/include/nvhe/trap_handler.h     |    2 +
 arch/arm64/kvm/hyp/nvhe/Makefile                   |    8 +-
 arch/arm64/kvm/hyp/nvhe/clock.c                    |   65 +
 arch/arm64/kvm/hyp/nvhe/debug-sr.c                 |  116 +-
 arch/arm64/kvm/hyp/nvhe/events.c                   |   25 +
 arch/arm64/kvm/hyp/nvhe/ffa.c                      |   28 +-
 arch/arm64/kvm/hyp/nvhe/host.S                     |   13 +-
 arch/arm64/kvm/hyp/nvhe/hyp-init.S                 |   41 +-
 arch/arm64/kvm/hyp/nvhe/hyp-main.c                 |  294 +++--
 arch/arm64/kvm/hyp/nvhe/hyp.lds.S                  |    6 +
 arch/arm64/kvm/hyp/nvhe/mem_protect.c              |  587 ++++++++-
 arch/arm64/kvm/hyp/nvhe/mm.c                       |    4 +-
 arch/arm64/kvm/hyp/nvhe/pkvm.c                     |  239 +++-
 arch/arm64/kvm/hyp/nvhe/psci-relay.c               |   45 +-
 arch/arm64/kvm/hyp/nvhe/setup.c                    |    4 +-
 arch/arm64/kvm/hyp/nvhe/stacktrace.c               |    6 +-
 arch/arm64/kvm/hyp/nvhe/switch.c                   |   23 +-
 arch/arm64/kvm/hyp/nvhe/sys_regs.c                 |   18 +-
 arch/arm64/kvm/hyp/nvhe/trace.c                    |  306 +++++
 arch/arm64/kvm/hyp/pgtable.c                       |   33 +-
 arch/arm64/kvm/hyp/vgic-v5-sr.c                    |  166 +++
 arch/arm64/kvm/hyp/vhe/Makefile                    |    2 +-
 arch/arm64/kvm/hyp_trace.c                         |  442 +++++++
 arch/arm64/kvm/hyp_trace.h                         |   11 +
 arch/arm64/kvm/mmu.c                               |  624 +++++----
 arch/arm64/kvm/nested.c                            |   11 +-
 arch/arm64/kvm/pkvm.c                              |  159 ++-
 arch/arm64/kvm/pmu-emul.c                          |   20 +-
 arch/arm64/kvm/ptdump.c                            |   79 +-
 arch/arm64/kvm/stacktrace.c                        |    8 +-
 arch/arm64/kvm/sys_regs.c                          |  188 ++-
 arch/arm64/kvm/vgic/vgic-init.c                    |  228 +++-
 arch/arm64/kvm/vgic/vgic-kvm-device.c              |  107 +-
 arch/arm64/kvm/vgic/vgic-mmio.c                    |   40 +-
 arch/arm64/kvm/vgic/vgic-v3.c                      |    2 +-
 arch/arm64/kvm/vgic/vgic-v5.c                      |  499 ++++++-
 arch/arm64/kvm/vgic/vgic.c                         |  173 ++-
 arch/arm64/kvm/vgic/vgic.h                         |   53 +-
 arch/arm64/mm/fault.c                              |   33 +-
 arch/arm64/tools/sysreg                            |  480 +++++++
 drivers/irqchip/irq-gic-v5.c                       |   18 +
 drivers/virt/coco/pkvm-guest/Kconfig               |    2 +-
 fs/tracefs/inode.c                                 |    1 +
 include/kvm/arm_arch_timer.h                       |    8 +-
 include/kvm/arm_pmu.h                              |    5 +-
 include/kvm/arm_vgic.h                             |  191 ++-
 include/linux/irqchip/arm-gic-v5.h                 |   27 +
 include/linux/kvm_host.h                           |    1 +
 include/linux/ring_buffer.h                        |   58 +
 include/linux/ring_buffer_types.h                  |   41 +
 include/linux/simple_ring_buffer.h                 |   65 +
 include/linux/trace_remote.h                       |   48 +
 include/linux/trace_remote_event.h                 |   33 +
 include/trace/define_remote_events.h               |   73 ++
 include/uapi/linux/kvm.h                           |    7 +
 include/uapi/linux/trace_mmap.h                    |    8 +-
 kernel/trace/Kconfig                               |   14 +
 kernel/trace/Makefile                              |   59 +
 kernel/trace/remote_test.c                         |  261 ++++
 kernel/trace/remote_test_events.h                  |   10 +
 kernel/trace/ring_buffer.c                         |  354 ++++-
 kernel/trace/simple_ring_buffer.c                  |  517 ++++++++
 kernel/trace/trace.c                               |    4 +-
 kernel/trace/trace.h                               |    7 +
 kernel/trace/trace_remote.c                        | 1384 ++++++++++++++++++++
 tools/arch/arm64/include/uapi/asm/kvm.h            |    1 +
 tools/include/uapi/linux/kvm.h                     |    2 +
 .../selftests/ftrace/test.d/remotes/buffer_size.tc |   25 +
 .../selftests/ftrace/test.d/remotes/functions      |   99 ++
 .../selftests/ftrace/test.d/remotes/hotplug.tc     |   88 ++
 .../test.d/remotes/hypervisor/buffer_size.tc       |   11 +
 .../ftrace/test.d/remotes/hypervisor/hotplug.tc    |   11 +
 .../ftrace/test.d/remotes/hypervisor/reset.tc      |   11 +
 .../ftrace/test.d/remotes/hypervisor/trace.tc      |   11 +
 .../ftrace/test.d/remotes/hypervisor/trace_pipe.tc |   11 +
 .../ftrace/test.d/remotes/hypervisor/unloading.tc  |   11 +
 .../selftests/ftrace/test.d/remotes/reset.tc       |   90 ++
 .../selftests/ftrace/test.d/remotes/trace.tc       |  102 ++
 .../selftests/ftrace/test.d/remotes/trace_pipe.tc  |  102 ++
 .../selftests/ftrace/test.d/remotes/unloading.tc   |   41 +
 tools/testing/selftests/kvm/Makefile.kvm           |    3 +-
 tools/testing/selftests/kvm/arm64/at.c             |   14 +-
 tools/testing/selftests/kvm/arm64/no-vgic-v3.c     |  177 ---
 tools/testing/selftests/kvm/arm64/no-vgic.c        |  297 +++++
 tools/testing/selftests/kvm/arm64/set_id_regs.c    |   52 +-
 tools/testing/selftests/kvm/arm64/vgic_v5.c        |  228 ++++
 tools/testing/selftests/kvm/include/arm64/gic_v5.h |  150 +++
 129 files changed, 10017 insertions(+), 1086 deletions(-)
 create mode 100644 Documentation/trace/remotes.rst
 create mode 100644 Documentation/virt/kvm/arm/pkvm.rst
 create mode 100644 Documentation/virt/kvm/devices/arm-vgic-v5.rst
 create mode 100644 arch/arm64/include/asm/kvm_define_hypevents.h
 create mode 100644 arch/arm64/include/asm/kvm_hypevents.h
 create mode 100644 arch/arm64/include/asm/kvm_hyptrace.h
 create mode 100644 arch/arm64/kvm/hyp/include/nvhe/arm-smccc.h
 create mode 100644 arch/arm64/kvm/hyp/include/nvhe/clock.h
 create mode 100644 arch/arm64/kvm/hyp/include/nvhe/define_events.h
 create mode 100644 arch/arm64/kvm/hyp/include/nvhe/trace.h
 create mode 100644 arch/arm64/kvm/hyp/nvhe/clock.c
 create mode 100644 arch/arm64/kvm/hyp/nvhe/events.c
 create mode 100644 arch/arm64/kvm/hyp/nvhe/trace.c
 create mode 100644 arch/arm64/kvm/hyp/vgic-v5-sr.c
 create mode 100644 arch/arm64/kvm/hyp_trace.c
 create mode 100644 arch/arm64/kvm/hyp_trace.h
 create mode 100644 include/linux/ring_buffer_types.h
 create mode 100644 include/linux/simple_ring_buffer.h
 create mode 100644 include/linux/trace_remote.h
 create mode 100644 include/linux/trace_remote_event.h
 create mode 100644 include/trace/define_remote_events.h
 create mode 100644 kernel/trace/remote_test.c
 create mode 100644 kernel/trace/remote_test_events.h
 create mode 100644 kernel/trace/simple_ring_buffer.c
 create mode 100644 kernel/trace/trace_remote.c
 create mode 100644 tools/testing/selftests/ftrace/test.d/remotes/buffer_size.tc
 create mode 100644 tools/testing/selftests/ftrace/test.d/remotes/functions
 create mode 100644 tools/testing/selftests/ftrace/test.d/remotes/hotplug.tc
 create mode 100644 tools/testing/selftests/ftrace/test.d/remotes/hypervisor/buffer_size.tc
 create mode 100644 tools/testing/selftests/ftrace/test.d/remotes/hypervisor/hotplug.tc
 create mode 100644 tools/testing/selftests/ftrace/test.d/remotes/hypervisor/reset.tc
 create mode 100644 tools/testing/selftests/ftrace/test.d/remotes/hypervisor/trace.tc
 create mode 100644 tools/testing/selftests/ftrace/test.d/remotes/hypervisor/trace_pipe.tc
 create mode 100644 tools/testing/selftests/ftrace/test.d/remotes/hypervisor/unloading.tc
 create mode 100644 tools/testing/selftests/ftrace/test.d/remotes/reset.tc
 create mode 100644 tools/testing/selftests/ftrace/test.d/remotes/trace.tc
 create mode 100644 tools/testing/selftests/ftrace/test.d/remotes/trace_pipe.tc
 create mode 100644 tools/testing/selftests/ftrace/test.d/remotes/unloading.tc
 delete mode 100644 tools/testing/selftests/kvm/arm64/no-vgic-v3.c
 create mode 100644 tools/testing/selftests/kvm/arm64/no-vgic.c
 create mode 100644 tools/testing/selftests/kvm/arm64/vgic_v5.c
 create mode 100644 tools/testing/selftests/kvm/include/arm64/gic_v5.h



* Re: [PATCH v3 07/13] arm64: mm: Use hierarchical XN mapping for the fixmap
From: Ard Biesheuvel @ 2026-04-08 15:48 UTC (permalink / raw)
  To: Catalin Marinas, Ard Biesheuvel
  Cc: linux-kernel, linux-arm-kernel, Will Deacon, Mark Rutland,
	Ryan Roberts, Anshuman Khandual, Liz Prucka, Seth Jenkins,
	Kees Cook, linux-hardening
In-Reply-To: <adZ4LpvJJz-3K20O@arm.com>



On Wed, 8 Apr 2026, at 17:45, Catalin Marinas wrote:
> On Fri, Mar 20, 2026 at 03:59:42PM +0100, Ard Biesheuvel wrote:
>> From: Ard Biesheuvel <ardb@kernel.org>
>> 
>> Nothing in the fixmap or in its vicinity requires executable
>> permissions, and given that it is placed at exactly 1 GiB from the end
>> of the virtual address space, we can safely set the hierarchical XN
>> attributes on the level 2 table entries covering the fixmap, without
>> running the risk of inadvertently taking away the executable permissions
>> on adjacent mappings.
>> 
>> This is a hardening measure that reduces the risk of the fixmap being
>> abused to create executable mappings in the kernel address space.
>> 
>> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
>> ---
>>  arch/arm64/mm/fixmap.c | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>> 
>> diff --git a/arch/arm64/mm/fixmap.c b/arch/arm64/mm/fixmap.c
>> index c5c5425791da..c3dd3c868cf5 100644
>> --- a/arch/arm64/mm/fixmap.c
>> +++ b/arch/arm64/mm/fixmap.c
>> @@ -48,7 +48,8 @@ static void __init early_fixmap_init_pte(pmd_t *pmdp, unsigned long addr)
>>  	if (pmd_none(pmd)) {
>>  		ptep = bm_pte[BM_PTE_TABLE_IDX(addr)];
>>  		__pmd_populate(pmdp, __pa_symbol(ptep),
>> -			       PMD_TYPE_TABLE | PMD_TABLE_AF);
>> +			       PMD_TYPE_TABLE | PMD_TABLE_AF |
>> +			       PMD_TABLE_PXN | PMD_TABLE_UXN);
>>  	}
>>  }
>
> Sashiko reckons this breaks kpti. I think that's valid but I couldn't
> reproduce it on qemu (maybe it doesn't implement hierarchical
> permissions).

Yeah, I think that observation is accurate, and it doesn't really affect the rest so I was just going to drop it.

> Then I tried FVP and the whole series panics (unrelated to
> kpti). With kvm-arm.mode=protected, I think kvm_ksym_ref() is lm_alias()
> and we have kvm_hyp_init_symbols() trying to flush the bss.
>

Interesting - I'll look into this for the next respin.



> Unable to handle kernel paging request at virtual address fff00000748f7000
> Mem abort info:
>   ESR = 0x0000000096000147
> ** replaying previous printk message **
>   EC = 0x25: DABT (current EL), IL = 32 bits
>   SET = 0, FnV = 0
>   EA = 0, S1PTW = 0
>   FSC = 0x07: level 3 translation fault
> Data abort info:
>   ISV = 0, ISS = 0x00000147, ISS2 = 0x00000000
>   CM = 1, WnR = 1, TnD = 0, TagAccess = 0
>   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
> swapper pgtable: 4k pages, 52-bit VAs, pgdp=00000000f40ad000
> [fff00000748f7000] pgd=18000008fffff403, p4d=18000008ffffe403, pud=18000008ffffd403, pmd=18000008fffe9403, pte=00e80000f48f7406
> Internal error: Oops: 0000000096000147 [#1]  SMP
> Modules linked in:
> CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 7.0.0-rc3-00013-g6bb20b972b8c #2 PREEMPT
> Hardware name: FVP Base RevC (DT)
> pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
> pc : dcache_clean_inval_poc+0x24/0x48
> lr : kvm_arm_init+0xb48/0x1338
> sp : ffff80008005bd20
> x29: ffff80008005bd60 x28: ffff95c63230b000 x27: 0000000000000004
> x26: 0000000000000001 x25: ffff95c631a160c0 x24: 0000000000000008
> x23: 0000000000000000 x22: 0000000000000000 x21: fff00000748f7000
> x20: 0000000000002000 x19: 0001101131111112 x18: 00000000ffffffff
> x17: ffff95c6321fdd88 x16: 0000000031427afd x15: 0000000000000100
> x14: 0000000000000000 x13: 0000000000077a9a x12: fff000087f805650
> x11: fff000087f805630 x10: ffffc1ffe005db08 x9 : 0000000000000000
> x8 : 0000000080000000 x7 : ffff80008005bc50 x6 : 000f63580145a000
> x5 : ffff95c6322f8000 x4 : 0000000000000000 x3 : 000000000000003f
> x2 : 0000000000000040 x1 : fff00000748f9000 x0 : fff00000748f7000
> Call trace:
>  dcache_clean_inval_poc+0x24/0x48 (P)
>  do_one_initcall+0x60/0x1d4
>  kernel_init_freeable+0x24c/0x2d4
>  kernel_init+0x24/0x140
>  ret_from_fork+0x10/0x20
> Code: 9ac32042 d1000443 8a230000 d503201f (d50b7e20)
> ---[ end trace 0000000000000000 ]---
>
> -- 
> Catalin



* Re: [PATCH v2 2/3] remoteproc: imx_rproc: Pass bootaddr to SM CPU/LMM reset vector
From: Mathieu Poirier @ 2026-04-08 15:46 UTC (permalink / raw)
  To: Peng Fan
  Cc: Peng Fan (OSS), Bjorn Andersson, Rob Herring, Krzysztof Kozlowski,
	Conor Dooley, Frank Li, Sascha Hauer, Pengutronix Kernel Team,
	Fabio Estevam, Daniel Baluta, linux-remoteproc@vger.kernel.org,
	devicetree@vger.kernel.org, imx@lists.linux.dev,
	linux-arm-kernel@lists.infradead.org,
	linux-kernel@vger.kernel.org
In-Reply-To: <PAXPR04MB8459AA009C932EB9D6139A11885BA@PAXPR04MB8459.eurprd04.prod.outlook.com>

On Wed, Apr 08, 2026 at 01:30:16AM +0000, Peng Fan wrote:
> > Subject: Re: [PATCH v2 2/3] remoteproc: imx_rproc: Pass bootaddr to
> > SM CPU/LMM reset vector
> > 
> [...]
> > 
> > >
> > > Aligning the ELF entry point with the hardware reset base on Cortex‑M
> > > systems is possible, but it comes with several risks.
> > 
> > I'm not asking to align the ELF entry point with the hardware reset base.
> > All I want is to have the correct start address embedded in the ELF file
> > to avoid having to use a mask.
> 
> I see, per my understanding:
> FreeRTOS typically exposes __isr_vector, which corresponds to the hardware
> reset / vector table base.
> Zephyr (Cortex‑M) exposes _vector_table, which serves the same purpose.
> I am not certain about other RTOSes, but the pattern seems consistent:
> the vector table base is already available as a named ELF symbol.
> 
> Given that, if the preferred approach is to parse the ELF and explicitly
> retrieve the hardware reset base, I can update the implementation accordingly.
> If you prefer to parse the elf file to get the hardware reset base,
> I could update to use them.
> 
> Option 1: Something as below:
> 1. Include rproc_elf_find_symbol in remoteproc_elf_loader.c
> 2. Use below in imx_rproc.c
> ret = rproc_elf_find_symbol(rproc, fw, "__isr_vector", &vector_base);
> if (ret)
>     ret = rproc_elf_find_symbol(rproc, fw, "__vector_table", &vector_base);
> 
> if (!ret)
>     rproc->bootaddr = vector_base
> else
>    dev_info(dev, "no __isr_vector or __vector_table\n")

No

> 
> This makes the hardware reset base explicit, avoids masking e_entry.
> 
> Option 2: User‑provided reset symbol via sysfs 
> As an alternative, we could expose a sysfs attribute,
> e.g. reset_symbol, allowing users to specify the symbol name
> to be used as the reset base:
> 
> echo __isr_vector > /sys/class/remoteproc/remoteprocX/reset_symbol
> 

Definitely not.

The definition of e_entry in the specification is clear, i.e. "the address of the
entry point from where the process starts executing".  If masking is required
because the tool that puts the image together gets the wrong address, then it
should be fixed.

> The remoteproc core would then resolve that symbol from
> the ELF and set rproc->bootaddr accordingly.
> This provides maximum flexibility but does introduce a new user‑visible ABI,
> so I see it more as an opt‑in or fallback mechanism.
> 
> Please let me know which approach you prefer, and I will update
> this series accordingly in v3.
> 
> Thanks,
> Peng.
> 
> 
> > 
> > > 1, Semantic mismatch (ELF vs. hardware behavior) 2, Debuggers may
> > > attempt to set breakpoints or start execution at the entry symbol
> > >



* Re: [PATCH v3 07/13] arm64: mm: Use hierarchical XN mapping for the fixmap
From: Catalin Marinas @ 2026-04-08 15:45 UTC (permalink / raw)
  To: Ard Biesheuvel
  Cc: linux-kernel, linux-arm-kernel, will, mark.rutland,
	Ard Biesheuvel, Ryan Roberts, Anshuman Khandual, Liz Prucka,
	Seth Jenkins, Kees Cook, linux-hardening
In-Reply-To: <20260320145934.2349881-22-ardb+git@google.com>

On Fri, Mar 20, 2026 at 03:59:42PM +0100, Ard Biesheuvel wrote:
> From: Ard Biesheuvel <ardb@kernel.org>
> 
> Nothing in the fixmap or in its vicinity requires executable
> permissions, and given that it is placed at exactly 1 GiB from the end
> of the virtual address space, we can safely set the hierarchical XN
> attributes on the level 2 table entries covering the fixmap, without
> running the risk of inadvertently taking away the executable permissions
> on adjacent mappings.
> 
> This is a hardening measure that reduces the risk of the fixmap being
> abused to create executable mappings in the kernel address space.
> 
> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
> ---
>  arch/arm64/mm/fixmap.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/arm64/mm/fixmap.c b/arch/arm64/mm/fixmap.c
> index c5c5425791da..c3dd3c868cf5 100644
> --- a/arch/arm64/mm/fixmap.c
> +++ b/arch/arm64/mm/fixmap.c
> @@ -48,7 +48,8 @@ static void __init early_fixmap_init_pte(pmd_t *pmdp, unsigned long addr)
>  	if (pmd_none(pmd)) {
>  		ptep = bm_pte[BM_PTE_TABLE_IDX(addr)];
>  		__pmd_populate(pmdp, __pa_symbol(ptep),
> -			       PMD_TYPE_TABLE | PMD_TABLE_AF);
> +			       PMD_TYPE_TABLE | PMD_TABLE_AF |
> +			       PMD_TABLE_PXN | PMD_TABLE_UXN);
>  	}
>  }
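
Review bot: The two flags added to the `__pmd_populate()` call carry no comment, so the reason they are safe (nothing executable lives under this level 2 entry, which the commit message ties to the fixmap sitting exactly 1 GiB from the end of the address space) is recorded only in the changelog. Please add a short comment above the call stating that assumption, and consider a build-time check on the fixmap placement so that a later layout change cannot silently strip execute permission from whatever ends up sharing the table.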

Sashiko reckons this breaks kpti. I think that's valid but I couldn't
reproduce it on qemu (maybe it doesn't implement hierarchical
permissions). Then I tried FVP and the whole series panics (unrelated to
kpti). With kvm-arm.mode=protected, I think kvm_ksym_ref() is lm_alias()
and we have kvm_hyp_init_symbols() trying to flush the bss.

I'll drop it for now.

Unable to handle kernel paging request at virtual address fff00000748f7000
Mem abort info:
  ESR = 0x0000000096000147
** replaying previous printk message **
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x07: level 3 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000147, ISS2 = 0x00000000
  CM = 1, WnR = 1, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
swapper pgtable: 4k pages, 52-bit VAs, pgdp=00000000f40ad000
[fff00000748f7000] pgd=18000008fffff403, p4d=18000008ffffe403, pud=18000008ffffd403, pmd=18000008fffe9403, pte=00e80000f48f7406
Internal error: Oops: 0000000096000147 [#1]  SMP
Modules linked in:
CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 7.0.0-rc3-00013-g6bb20b972b8c #2 PREEMPT
Hardware name: FVP Base RevC (DT)
pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : dcache_clean_inval_poc+0x24/0x48
lr : kvm_arm_init+0xb48/0x1338
sp : ffff80008005bd20
x29: ffff80008005bd60 x28: ffff95c63230b000 x27: 0000000000000004
x26: 0000000000000001 x25: ffff95c631a160c0 x24: 0000000000000008
x23: 0000000000000000 x22: 0000000000000000 x21: fff00000748f7000
x20: 0000000000002000 x19: 0001101131111112 x18: 00000000ffffffff
x17: ffff95c6321fdd88 x16: 0000000031427afd x15: 0000000000000100
x14: 0000000000000000 x13: 0000000000077a9a x12: fff000087f805650
x11: fff000087f805630 x10: ffffc1ffe005db08 x9 : 0000000000000000
x8 : 0000000080000000 x7 : ffff80008005bc50 x6 : 000f63580145a000
x5 : ffff95c6322f8000 x4 : 0000000000000000 x3 : 000000000000003f
x2 : 0000000000000040 x1 : fff00000748f9000 x0 : fff00000748f7000
Call trace:
 dcache_clean_inval_poc+0x24/0x48 (P)
 do_one_initcall+0x60/0x1d4
 kernel_init_freeable+0x24c/0x2d4
 kernel_init+0x24/0x140
 ret_from_fork+0x10/0x20
Code: 9ac32042 d1000443 8a230000 d503201f (d50b7e20)
---[ end trace 0000000000000000 ]---

-- 
Catalin
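
An added illustration, not part of the thread or of the kernel sources: a small C model of how the hierarchical table attributes set by the patch above combine with the leaf descriptor's own XN bits during a stage-1 walk. The bit positions are the architectural ones for AArch64 table and page descriptors; the function names, the four-level walk and the `hier_enabled` switch (standing in for an implementation or configuration that does not apply hierarchical permissions) are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* AArch64 stage-1 descriptor bits. */
#define DESC_VALID  (1ULL << 0)
#define DESC_TYPE   (1ULL << 1)   /* levels 0-2: table; level 3: page */
#define LEAF_PXN    (1ULL << 53)  /* privileged execute-never on the leaf */
#define LEAF_UXN    (1ULL << 54)  /* unprivileged execute-never on the leaf */
#define TABLE_PXN   (1ULL << 59)  /* PXNTable, PMD_TABLE_PXN in the patch */
#define TABLE_UXN   (1ULL << 60)  /* UXNTable, PMD_TABLE_UXN in the patch */

struct exec_perm {
	bool valid;  /* the walk reached a valid leaf */
	bool pxn;    /* kernel may not execute from the page */
	bool uxn;    /* user space may not execute from the page */
};

/*
 * walk[] holds the descriptors read during one translation: n - 1 table
 * descriptors followed by the leaf. Execute-never is sticky: once any table
 * on the path sets it, no lower level can grant execute permission back.
 */
struct exec_perm effective_exec(const uint64_t *walk, size_t n, bool hier_enabled)
{
	struct exec_perm p = { false, false, false };

	for (size_t i = 0; i < n; i++) {
		uint64_t d = walk[i];

		if (!(d & DESC_VALID))
			return p;               /* translation fault */
		if (i + 1 < n) {
			if (!(d & DESC_TYPE))
				return p;       /* block where a table was expected */
			if (hier_enabled) {
				p.pxn = p.pxn || (d & TABLE_PXN);
				p.uxn = p.uxn || (d & TABLE_UXN);
			}
		} else {
			p.pxn = p.pxn || (d & LEAF_PXN);
			p.uxn = p.uxn || (d & LEAF_UXN);
			p.valid = true;
		}
	}
	return p;
}

/* Constructed four-level walk; only the attribute bits matter here. */
struct exec_perm walk_with_l2(uint64_t l2_attrs, uint64_t leaf_attrs, bool hier_enabled)
{
	const uint64_t table = DESC_VALID | DESC_TYPE;
	uint64_t walk[4] = {
		table,              /* level 0 */
		table,              /* level 1 */
		table | l2_attrs,   /* level 2: the entry the patch changes */
		table | leaf_attrs, /* level 3 page descriptor */
	};

	return effective_exec(walk, 4, hier_enabled);
}

static void show(const char *what, struct exec_perm p)
{
	printf("%-46s kernel-exec=%s user-exec=%s\n", what,
	       p.pxn ? "no" : "yes", p.uxn ? "no" : "yes");
}

int main(void)
{
	/* The leaf is left executable in all three cases. */
	show("level 2 entry without table XN bits:",
	     walk_with_l2(0, 0, true));
	show("level 2 entry with PXNTable|UXNTable:",
	     walk_with_l2(TABLE_PXN | TABLE_UXN, 0, true));
	show("same, hierarchical permissions not applied:",
	     walk_with_l2(TABLE_PXN | TABLE_UXN, 0, false));
	return 0;
}
```

The second case is the one the commit message guards against for neighbouring mappings: every page reached through the marked level 2 entry loses execute permission, whatever its own descriptor says.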



* [PATCH v2] interconnect: imx: fix use-after-free in imx_icc_node_init_qos()
From: Wentao Liang @ 2026-04-08 15:30 UTC (permalink / raw)
  To: Georgi Djakov, Shawn Guo, Sascha Hauer
  Cc: Pengutronix Kernel Team, Fabio Estevam, Wentao Liang, linux-pm,
	imx, linux-arm-kernel, linux-kernel, stable

The function imx_icc_node_init_qos() manually manages the reference count
of struct device_node *dn using of_node_put(). However, some error paths
use dn after the put, leading to use-after-free. Convert to automatic
cleanup using __free(device_node) to ensure the reference is always
released when dn goes out of scope.

Fixes: f0d8048525d7 ("interconnect: Add imx core driver")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
---
Changes in v2:
- Use auto cleanup to fix the problem.
---
 drivers/interconnect/imx/imx.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/interconnect/imx/imx.c b/drivers/interconnect/imx/imx.c
index 9511f80cf041..e5fcdcb88cfb 100644
--- a/drivers/interconnect/imx/imx.c
+++ b/drivers/interconnect/imx/imx.c
@@ -120,7 +120,8 @@ static int imx_icc_node_init_qos(struct icc_provider *provider,
 	struct imx_icc_node *node_data = node->data;
 	const struct imx_icc_node_adj_desc *adj = node_data->desc->adj;
 	struct device *dev = provider->dev;
-	struct device_node *dn = NULL;
+	struct device_node *__free(device_nod) dn = of_parse_phandle(dev->of_node,
+			adj->phandle_name, 0);
 	struct platform_device *pdev;
 
 	if (adj->main_noc) {
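
Review bot: `__free(device_nod)` in the new declaration is misspelled; it has to be `__free(device_node)`, otherwise the cleanup helper does not resolve and the file will not build. While here, put the attribute after the variable name, as in `struct device_node *dn __free(device_node) = of_parse_phandle(...)`, which is how the cleanup helpers are normally written.
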
@@ -128,7 +129,6 @@ static int imx_icc_node_init_qos(struct icc_provider *provider,
 		dev_dbg(dev, "icc node %s[%d] is main noc itself\n",
 			node->name, node->id);
 	} else {
-		dn = of_parse_phandle(dev->of_node, adj->phandle_name, 0);
 		if (!dn) {
 			dev_warn(dev, "Failed to parse %s\n",
 				 adj->phandle_name);
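
Review bot: With the lookup removed from this `else` branch and done at the declaration instead, `of_parse_phandle()` now also runs when `adj->main_noc` is set, where `dn` used to stay NULL. If that path is not meant to look at `adj->phandle_name`, declare the `__free(device_node)` variable inside this `else` block at the point of the lookup so the main-noc branch behaves as before.
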
@@ -138,12 +138,10 @@ static int imx_icc_node_init_qos(struct icc_provider *provider,
 		if (!of_device_is_available(dn)) {
 			dev_warn(dev, "Missing property %s, skip scaling %s\n",
 				 adj->phandle_name, node->name);
-			of_node_put(dn);
 			return 0;
 		}
 
 		pdev = of_find_device_by_node(dn);
-		of_node_put(dn);
 		if (!pdev) {
 			dev_warn(dev, "node %s[%d] missing device for %pOF\n",
 				 node->name, node->id, dn);
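
Review bot: The changelog's "some error paths use dn after the put" should name the actual site, which in this hunk is the `dn` passed to `%pOF` in the `!pdev` warning, directly after the removed `of_node_put(dn)`. It is the only such use visible in the patch, and spelling it out lets stable reviewers check it against the Fixes: target.
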
-- 
2.34.1




* Status of thermal support for i.MX93
From: Stefan Wahren @ 2026-04-08 15:28 UTC (permalink / raw)
  To: Jacky Bai, Alice Guo, Frank Li
  Cc: Fabio Estevam, imx@lists.linux.dev, Linux ARM,
	open list:GENERIC PM DOMAINS, Daniel Lezcano, Sascha Hauer

Hi,

AFAIK the thermal support for i.MX93 hasn't been mainlined yet. The last 
version I can find is here [1].

Are there any plans to finish this work?

Thanks

[1] - 
https://lore.kernel.org/linux-arm-kernel/d9392dbc-806a-41df-8992-28c3d6132309@linaro.org/#t 




* Re: BUG: net-next (7.0-rc6 based and later) fails to boot on Jetson Xavier NX
From: Linus Torvalds @ 2026-04-08 15:22 UTC (permalink / raw)
  To: Russell King (Oracle)
  Cc: netdev, linux-arm-kernel, linux-kernel, iommu, linux-ext4,
	Marek Szyprowski, Robin Murphy, Theodore Ts'o, Andreas Dilger
In-Reply-To: <adZfTi3R6jtsjXx-@shell.armlinux.org.uk>

On Wed, 8 Apr 2026 at 06:59, Russell King (Oracle)
<linux@armlinux.org.uk> wrote:
>
> > Now building straight -rc7. If that also fails, my plan is to start
> > bisecting rc5..rc6, which will likely take most of the rest of the
> > day. So, in the mean time I'm sending this as a heads-up that rc6
> > and onwards has a problem.
>
> Plain -rc7 fails (another random oops):
>
> Now starting the bisect between 7.0-rc5 and 7.0-rc6.

Thanks. Not what I wanted to hear at this point, but a bisect should
get the culprit if this is at least sufficiently repeatable.

The exact symptoms and oops details may be random, but hopefully the
"something bad happens" is reliable enough to bisect.

              Linus



* [PATCH] arm64: dts: rockchip: fix rk809 interrupt pin on rk3566-roc-pc
From: guoweix @ 2026-04-08 15:09 UTC (permalink / raw)
  To: heiko
  Cc: robh, krzk+dt, conor+dt, f.kardame, pgwipeout, devicetree,
	linux-arm-kernel, linux-rockchip, linux-kernel, guoweix

The RK809 PMIC interrupt pin on the Firefly ROC-RK3566-PC (Station M2)
is physically connected to GPIO0_A3 (RK_PA3) according to the board's
schematic.

Currently, the PMIC node incorrectly specifies RK_PA7 for the interrupt,
which prevents the PMIC from correctly signaling interrupts. (Note that
the pinctrl node 'pmic_int' correctly configures RK_PA3).

Fix this by updating the interrupts property to use RK_PA3.

Fixes: 30ac9b4e25d8 ("arm64: dts: rockchip: add dts for Firefly Station M2 rk3566")

Signed-off-by: guoweix <2298701336@qq.com>
---
 arch/arm64/boot/dts/rockchip/rk3566-roc-pc.dts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm64/boot/dts/rockchip/rk3566-roc-pc.dts b/arch/arm64/boot/dts/rockchip/rk3566-roc-pc.dts
index 7e499064e035..985770e3a5e2 100644
--- a/arch/arm64/boot/dts/rockchip/rk3566-roc-pc.dts
+++ b/arch/arm64/boot/dts/rockchip/rk3566-roc-pc.dts
@@ -245,7 +245,7 @@ rk809: pmic@20 {
 		compatible = "rockchip,rk809";
 		reg = <0x20>;
 		interrupt-parent = <&gpio0>;
-		interrupts = <RK_PA7 IRQ_TYPE_LEVEL_LOW>;
+		interrupts = <RK_PA3 IRQ_TYPE_LEVEL_LOW>;
 		clock-output-names = "rk808-clkout1", "rk808-clkout2";
 		assigned-clocks = <&cru I2S1_MCLKOUT_TX>;
 		assigned-clock-parents = <&cru CLK_I2S1_8CH_TX>;
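
Review bot: Nothing in the context around the changed `interrupts` line shows the `pmic_int` pinctrl entry that the commit message cites as already using RK_PA3, so that claim cannot be checked from the patch itself; quoting the pinctrl line in the changelog would settle it. The blank line between the Fixes: tag and Signed-off-by: should also be dropped so the trailers form a single block.
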
-- 
2.43.0




* Re: [PATCH v3 01/13] arm64: Move the zero page to rodata
From: Ard Biesheuvel @ 2026-04-08 15:09 UTC (permalink / raw)
  To: Catalin Marinas, Ard Biesheuvel
  Cc: linux-kernel, linux-arm-kernel, Will Deacon, Mark Rutland,
	Ryan Roberts, Anshuman Khandual, Liz Prucka, Seth Jenkins,
	Kees Cook, linux-hardening
In-Reply-To: <adZbgYJqY6bisaoZ@arm.com>


On Wed, 8 Apr 2026, at 15:43, Catalin Marinas wrote:
> Hi Ard,
>
> On Fri, Mar 20, 2026 at 03:59:36PM +0100, Ard Biesheuvel wrote:
>> diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S
>> index 2964aad0362e..2d021a576e50 100644
>> --- a/arch/arm64/kernel/vmlinux.lds.S
>> +++ b/arch/arm64/kernel/vmlinux.lds.S
>> @@ -229,6 +229,7 @@ SECTIONS
>>  #endif
>>  
>>  	reserved_pg_dir = .;
>> +	empty_zero_page = .;
>>  	. += PAGE_SIZE;
>>  
>>  	swapper_pg_dir = .;
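
Review bot: In the linker-script hunk, `empty_zero_page = .;` sits directly after `reserved_pg_dir = .;` with a single `. += PAGE_SIZE;`, so both symbols name the same page, and nothing here says that is intentional. A one-line comment stating that the zero page deliberately aliases `reserved_pg_dir`, and that this relies on the page never being written, would keep someone from later populating one and corrupting the other.
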
>> diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
>> index a6a00accf4f9..795743913ce5 100644
>> --- a/arch/arm64/mm/mmu.c
>> +++ b/arch/arm64/mm/mmu.c
>> @@ -66,9 +66,8 @@ long __section(".mmuoff.data.write") __early_cpu_boot_status;
>>  
>>  /*
>>   * Empty_zero_page is a special page that is used for zero-initialized data
>> - * and COW.
>> + * and COW. Defined in the linker script.
>>   */
>> -unsigned long empty_zero_page[PAGE_SIZE / sizeof(unsigned long)] __page_aligned_bss;
>>  EXPORT_SYMBOL(empty_zero_page);
>
> I looked at Sashiko's reports
> (https://sashiko.dev/#/patchset/20260320145934.2349881-15-ardb+git@google.com)
> and it has a point here that with MTE, map_mem() doesn't map the
> empty_zero_page as Tagged in the for_each_mem_range() loop. The
> subsequent cpu_enable_mte() will fail to initialise the tags. I think
> this problem disappears with patch 11 where all the linear map is now
> Tagged.
>
> We either ignore it or we temporarily map the kernel as Tagged until the
> linear alias is removed later:
>
> diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
> index 795743913ce5..5290f7537074 100644
> --- a/arch/arm64/mm/mmu.c
> +++ b/arch/arm64/mm/mmu.c
> @@ -1175,7 +1175,7 @@ static void __init map_mem(pgd_t *pgdp)
>  	 * so we should avoid them here.
>  	 */
>  	__map_memblock(pgdp, kernel_start, kernel_end,
> -		       PAGE_KERNEL, NO_CONT_MAPPINGS);
> +		       pgprot_tagged(PAGE_KERNEL), NO_CONT_MAPPINGS);
>  	memblock_clear_nomap(kernel_start, kernel_end - kernel_start);
>  	arm64_kfence_map_pool(early_kfence_pool, pgdp);
>  }
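
Review bot: The `pgprot_tagged(PAGE_KERNEL)` argument to `__map_memblock()` is described in the mail as temporary, until the linear alias is removed, but the hunk leaves the existing comment above the call untouched. Extend that comment to say why the kernel range is mapped Tagged and when the attribute can go back to `PAGE_KERNEL`.
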
>

OK. There were some other very good comments too, I'll look into those and respin this for the next cycle.



* Re: [PATCH v3 0/7] arm64: dts: ti: k3-am62a7-sk: Split r5f memory region
From: Rob Herring @ 2026-04-08 15:03 UTC (permalink / raw)
  To: Markus Schneider-Pargmann (TI)
  Cc: Nishanth Menon, devicetree, Conor Dooley, Vignesh Raghavendra,
	Mathieu Poirier, Dhruva Gole, Akashdeep Kaur, Kevin Hilman,
	Bjorn Andersson, linux-remoteproc, linux-kernel, Kendall Willis,
	Vishal Mahaveer, Sebin Francis, Krzysztof Kozlowski, Tero Kristo,
	linux-arm-kernel
In-Reply-To: <20260318-topic-am62a-ioddr-dt-v6-19-v3-0-c41473cb23c3@baylibre.com>

On Wed, Mar 18, 2026 at 10:14 AM Markus Schneider-Pargmann (TI)
<msp@baylibre.com> wrote:
>
> Hi,
>
> Split the firmware memory region in more specific parts so it is better
> described where which information is stored. Specifically the LPM metadata
> region is important as bootloader software like U-Boot has to know where
> that data is to be able to read that data and resume from RAM.
>
> IO+DDR is a deep sleep state in which a few pins are set to be sensitive
> for wakeup while the DDR is kept in self refresh. Everything else is
> powered off.
>
> The changes in this series were suggested as part of the IO+DDR u-boot series:
>   https://lore.kernel.org/r/814c211f-a9eb-4311-bb84-165b1a69755f@ti.com
>
> There are currently no real users of the memory-region that is split in
> this series. The size of the memory-region in total stays the same.
> The new layout is derived from the software running on the r5f
> processor:
>   https://github.com/TexasInstruments/mcupsdk-core-k3/blob/k3_main/examples/drivers/ipc/ipc_rpmsg_echo_linux/am62ax-sk/r5fss0-0_freertos/ti-arm-clang/linker.cmd#L172
>   https://github.com/TexasInstruments/mcupsdk-core-k3/blob/k3_main/source/drivers/device_manager/sciclient.h#L459
>
> Additionally the two important devicetree nodes for resuming from IO+DDR
> have the bootph-pre-ram flag added as this data needs to be read before
> the RAM is in use.
>
> Best
> Markus
>
> Signed-off-by: Markus Schneider-Pargmann (TI) <msp@baylibre.com>
> ---
> Changes in v3:
> - Squash the enforcement of the memory-region-names requirement in the
>   patch adding the memory-region-names, as suggested.
> - Link to v2: https://lore.kernel.org/r/20260312-topic-am62a-ioddr-dt-v6-19-v2-0-37cb7ceec658@baylibre.com
>
> Changes in v2:
> - Make memory-region-names required if memory-region is present
> - Fixup memory-region and memory-region-names conditions. Require either
>   2 or 6 regions for memory-region and memory-region-names
> - Reword and restructure the binding documentation for memory-region and
>   memory-region-names
> - Add memory-region-names to all uses of memory-region
> - Link to v1: https://lore.kernel.org/r/20260303-topic-am62a-ioddr-dt-v6-19-v1-0-12fe72bb40d2@baylibre.com
>
> ---
> Markus Schneider-Pargmann (TI) (7):
>       dt-bindings: remoteproc: k3-r5f: Split up memory regions
>       dt-bindings: remoteproc: k3-r5f: Add memory-region-names
>       arm64: dts: ti: k3: Use memory-region-names for r5f
>       arm64: dts: ti: k3-am62a7-sk: Split r5f memory region
>       arm64: dts: ti: k3-am62p5-sk: Split r5f memory region
>       arm64: dts: ti: k3-am62a7-sk: Add r5f nodes to pre-ram bootphase
>       arm64: dts: ti: k3-am62p5-sk: Add r5f nodes to pre-ram bootphase

TI folks, Please make sure these dts patches are picked up for 7.1.
There's now a crap load of warnings in next with the binding change:

     58 (ti,am62-r5fss): r5f@78000000: 'memory-region-names' is a
required property
     30 (ti,am62-r5fss): r5f@79000000: 'memory-region-names' is a
required property
     22 (ti,j721s2-r5fss): r5f@5f00000: 'memory-region-names' is a
required property
     22 (ti,j721s2-r5fss): r5f@5e00000: 'memory-region-names' is a
required property
     22 (ti,j721s2-r5fss): r5f@5d00000: 'memory-region-names' is a
required property
     22 (ti,j721s2-r5fss): r5f@5c00000: 'memory-region-names' is a
required property
     22 (ti,j721s2-r5fss): r5f@41400000: 'memory-region-names' is a
required property
     22 (ti,j721s2-r5fss): r5f@41000000: 'memory-region-names' is a
required property
     21 (ti,am64-r5fss): r5f@78600000: 'memory-region-names' is a
required property
     21 (ti,am64-r5fss): r5f@78400000: 'memory-region-names' is a
required property
     21 (ti,am64-r5fss): r5f@78200000: 'memory-region-names' is a
required property
     21 (ti,am64-r5fss): r5f@78000000: 'memory-region-names' is a
required property
     12 (ti,j721s2-r5fss): r5f@5a00000: 'memory-region-names' is a
required property
     12 (ti,j721s2-r5fss): r5f@5900000: 'memory-region-names' is a
required property
     12 (ti,am654-r5fss): r5f@41400000: 'memory-region-names' is a
required property
     12 (ti,am654-r5fss): r5f@41000000: 'memory-region-names' is a
required property
      9 (ti,j721e-r5fss): r5f@5f00000: 'memory-region-names' is a
required property
      9 (ti,j721e-r5fss): r5f@5e00000: 'memory-region-names' is a
required property
      9 (ti,j721e-r5fss): r5f@5d00000: 'memory-region-names' is a
required property
      9 (ti,j721e-r5fss): r5f@5c00000: 'memory-region-names' is a
required property
      9 (ti,j721e-r5fss): r5f@41400000: 'memory-region-names' is a
required property
      9 (ti,j721e-r5fss): r5f@41000000: 'memory-region-names' is a
required property
      4 (ti,am62-r5fss): r5f@78400000: 'memory-region-names' is a
required property
      3 (ti,j7200-r5fss): r5f@5d00000: 'memory-region-names' is a
required property
      3 (ti,j7200-r5fss): r5f@5c00000: 'memory-region-names' is a
required property
      3 (ti,j7200-r5fss): r5f@41400000: 'memory-region-names' is a
required property
      3 (ti,j7200-r5fss): r5f@41000000: 'memory-region-names' is a
required property

If they aren't applied, making 'memory-region-names' required needs
to be dropped from the binding.

Rob



* Re: [PATCH v2 0/7] thermal: samsung: Add support for Google GS101 TMU
From: Alexey Klimov @ 2026-04-08 14:49 UTC (permalink / raw)
  To: Tudor Ambarus
  Cc: Rafael J. Wysocki, Daniel Lezcano, Zhang Rui, Lukasz Luba,
	Rob Herring, Krzysztof Kozlowski, Conor Dooley,
	Krzysztof Kozlowski, Alim Akhtar, Bartlomiej Zolnierkiewicz,
	Kees Cook, Gustavo A. R. Silva, Peter Griffin, André Draszik,
	willmcvicker, jyescas, shin.son, linux-samsung-soc, linux-kernel,
	linux-pm, devicetree, linux-arm-kernel, linux-hardening
In-Reply-To: <20260119-acpm-tmu-v2-0-e02a834f04c6@linaro.org>

On Mon Jan 19, 2026 at 12:08 PM GMT, Tudor Ambarus wrote:
> Add support for the Thermal Management Unit (TMU) on the Google GS101
> SoC.
>
> The GS101 TMU implementation utilizes a hybrid architecture where
> management is shared between the kernel and the Alive Clock and
> Power Manager (ACPM) firmware.

Do you plan to update or work on this series? If, for some reason,
this series is postponed, I can rebase it and re-send, for example.
IIRC it needs a clean rebase as a minimal change.

I am constructing some code on top of it, so it will be nice to have
a newer version that can be (re-)tested for Exynos850.

Thanks,
Alexey

[...]



* Re: [PATCH v2 2/7] dt-bindings: soc: samsung: exynos-pmu: add samsung,pmu-intr-gen phandle
From: Alexey Klimov @ 2026-04-08 14:30 UTC (permalink / raw)
  To: André Draszik, Sam Protsenko, linux-samsung-soc,
	Krzysztof Kozlowski, Peter Griffin, Conor Dooley, Alim Akhtar
  Cc: Tudor Ambarus, Rob Herring, Krzysztof Kozlowski, linux-arm-kernel,
	devicetree, linux-kernel
In-Reply-To: <01ffe5d3aca040edcedb084386ab6e195cb93013.camel@linaro.org>

Hi André,

On Fri Apr 3, 2026 at 11:17 AM BST, André Draszik wrote:
> Hi Alexey,
>
> On Wed, 2026-04-01 at 05:51 +0100, Alexey Klimov wrote:
>> Some Exynos-based SoCs, for instance Exynos850, require access
>> to the pmu interrupt generation register region which is exposed
>> as a syscon. Update the exynos-pmu bindings documentation to
>> reflect this.
>
> You could mention that this is similar to the existing google,...
> one due to same requirement, hence a new and more general property.

Ok. Thanks.

>> Signed-off-by: Alexey Klimov <alexey.klimov@linaro.org>
>> ---
>>  .../devicetree/bindings/soc/samsung/exynos-pmu.yaml    | 18 ++++++++++++++++++
>>  1 file changed, 18 insertions(+)
>> 
>> diff --git a/Documentation/devicetree/bindings/soc/samsung/exynos-pmu.yaml b/Documentation/devicetree/bindings/soc/samsung/exynos-
>> pmu.yaml
>> index 76ce7e98c10f..92acdfd5d44e 100644
>> --- a/Documentation/devicetree/bindings/soc/samsung/exynos-pmu.yaml
>> +++ b/Documentation/devicetree/bindings/soc/samsung/exynos-pmu.yaml
>> @@ -110,6 +110,11 @@ properties:
>>      description:
>>        Node for reboot method
>>  
>> +  samsung,pmu-intr-gen-syscon:
>> +    $ref: /schemas/types.yaml#/definitions/phandle
>> +    description:
>> +      Phandle to PMU interrupt generation interface.
>> +
>>    google,pmu-intr-gen-syscon:
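Review bot: the description added for samsung,pmu-intr-gen-syscon, "Phandle to PMU interrupt generation interface.", does not say how the property relates to the existing google,pmu-intr-gen-syscon directly below it. Both point at the same kind of syscon, so the description should state that the samsung-prefixed property is the more general form and that a node carries only one of the two. The diffstat lists 18 insertions and only this hunk is quoted, so if a later hunk already enforces that, a cross-reference in the description is enough.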
>
> Please keep alphabetical order of vendors.

Sure. Thanks for noticing this.

Best regards,
Alexey



* [PATCH v2] nvme-apple: drop invalid put of admin queue reference count
From: Fedor Pchelkin @ 2026-04-08 14:18 UTC (permalink / raw)
  To: Keith Busch, Christoph Hellwig, Jens Axboe
  Cc: Fedor Pchelkin, Sven Peter, Janne Grunau, Neal Gompa,
	Sagi Grimberg, Hannes Reinecke, Ming Lei, Chaitanya Kulkarni,
	Heyne, Maximilian, asahi, linux-arm-kernel, linux-nvme,
	linux-kernel, lvc-project, stable

Commit 03b3bcd319b3 ("nvme: fix admin request_queue lifetime") moved the
admin queue reference ->put call into nvme_free_ctrl() - a controller
device release callback performed for every nvme driver doing
nvme_init_ctrl().

nvme-apple sets refcount of the admin queue to 1 at allocation during the
probe function and then puts it twice now:

nvme_free_ctrl()
  blk_put_queue(ctrl->admin_q) // #1
  ->free_ctrl()
    apple_nvme_free_ctrl()
      blk_put_queue(anv->ctrl.admin_q) // #2

Note that there is a commit 941f7298c70c ("nvme-apple: remove an extra
queue reference") which intended to drop taking an extra admin queue
reference.  Looks like at that moment it accidentally fixed a refcount
leak, which existed since the driver's introduction.  There were two ->get
calls at driver's probe function and a single ->put inside
apple_nvme_free_ctrl().

However now after commit 03b3bcd319b3 ("nvme: fix admin request_queue
lifetime") the refcount is imbalanced again.  Fix it by removing extra
->put call from apple_nvme_free_ctrl().  anv->dev and ctrl->dev point to
the same device, so use ctrl->dev directly for simplification.  Compile
tested only.

Found by Linux Verification Center (linuxtesting.org).

Fixes: 03b3bcd319b3 ("nvme: fix admin request_queue lifetime")
Cc: stable@vger.kernel.org
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
---

v2: use ctrl->dev directly for simplification (Jens Axboe)
link to v1: https://lore.kernel.org/linux-nvme/20260403202701.991276-1-pchelkin@ispras.ru/

 drivers/nvme/host/apple.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/drivers/nvme/host/apple.c b/drivers/nvme/host/apple.c
index ed61b97fde59..423c9c628e7b 100644
--- a/drivers/nvme/host/apple.c
+++ b/drivers/nvme/host/apple.c
@@ -1267,11 +1267,7 @@ static int apple_nvme_get_address(struct nvme_ctrl *ctrl, char *buf, int size)
 
 static void apple_nvme_free_ctrl(struct nvme_ctrl *ctrl)
 {
-	struct apple_nvme *anv = ctrl_to_apple_nvme(ctrl);
-
-	if (anv->ctrl.admin_q)
-		blk_put_queue(anv->ctrl.admin_q);
-	put_device(anv->dev);
+	put_device(ctrl->dev);
 }
 
 static const struct nvme_ctrl_ops nvme_ctrl_ops = {
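Review bot: the block removed from apple_nvme_free_ctrl() guarded its put with `if (anv->ctrl.admin_q)`, and after this change no such guard remains in the driver. The commit message places the remaining blk_put_queue(ctrl->admin_q) in nvme_free_ctrl(); please confirm that the core call is safe when probe fails before admin_q is allocated, and state that in the commit message, since the change is compile tested only. A one-line comment above put_device(ctrl->dev) saying the admin queue reference is dropped by the core would help keep the extra put from being reintroduced.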
-- 
2.53.0




* [PATCH] pmdomain: mediatek: fix use-after-free in scpsys_get_bus_protection_legacy()
From: Wentao Liang @ 2026-04-08 14:11 UTC (permalink / raw)
  To: Ulf Hansson, Matthias Brugger, AngeloGioacchino Del Regno
  Cc: nfraprado, Macpaul Lin, Adam Ford, Chen-Yu Tsai, linux-pm,
	linux-kernel, linux-arm-kernel, linux-mediatek, Wentao Liang,
	stable

In scpsys_get_bus_protection_legacy(), of_find_node_with_property()
returns a device node with its reference count incremented. The function
then calls of_node_put(node) before checking whether
syscon_regmap_lookup_by_phandle() returns an error. If an error occurs,
dev_err_probe() dereferences the node pointer to print diagnostic
information, but the node memory may have already been freed due to the
earlier of_node_put(), leading to a use-after-free vulnerability.

Fix this by moving the of_node_put() call after the error check, ensuring
the node is still valid when accessed in the error path.

Fixes: c29345fa5f66 ("pmdomain: mediatek: Refactor bus protection regmaps retrieval")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
---
 drivers/pmdomain/mediatek/mtk-pm-domains.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/drivers/pmdomain/mediatek/mtk-pm-domains.c b/drivers/pmdomain/mediatek/mtk-pm-domains.c
index e2800aa1bc59..d3b36f32417c 100644
--- a/drivers/pmdomain/mediatek/mtk-pm-domains.c
+++ b/drivers/pmdomain/mediatek/mtk-pm-domains.c
@@ -993,6 +993,7 @@ static int scpsys_get_bus_protection_legacy(struct device *dev, struct scpsys *s
 	struct device_node *node, *smi_np;
 	int num_regmaps = 0, i, j;
 	struct regmap *regmap[3];
+	int ret = 0;
 
 	/*
 	 * Legacy code retrieves a maximum of three bus protection handles:
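Review bot: the `= 0` initialiser on `int ret = 0;` is never read in the lines shown, because ret is only written in the error branch immediately before it is returned. Either drop the initialiser, or restructure the error handling so the zero value is actually used (a single of_node_put(node) followed by `if (ret) return ret;`).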
@@ -1043,11 +1044,14 @@ static int scpsys_get_bus_protection_legacy(struct device *dev, struct scpsys *s
 	if (node) {
 		regmap[2] = syscon_regmap_lookup_by_phandle(node, "mediatek,infracfg-nao");
 		num_regmaps++;
-		of_node_put(node);
-		if (IS_ERR(regmap[2]))
-			return dev_err_probe(dev, PTR_ERR(regmap[2]),
+		if (IS_ERR(regmap[2])) {
+			ret = dev_err_probe(dev, PTR_ERR(regmap[2]),
 					     "%pOF: failed to get infracfg regmap\n",
 					     node);
+			of_node_put(node);
+			return ret;
+		}
+		of_node_put(node);
 	} else {
 		regmap[2] = NULL;
 	}
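Review bot: of_node_put(node) now appears twice in this block, once inside the IS_ERR() branch and once after it, so any exit path added later has to remember to repeat it. Putting the node once is simpler: assign ret from dev_err_probe() inside the IS_ERR() check, call of_node_put(node) unconditionally after the check, then `if (ret) return ret;`. Separately, num_regmaps++ still runs before the IS_ERR() check; that is harmless while the error path returns immediately, but moving the increment after the check would make it count only valid regmaps.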
-- 
2.34.1




