* Re: [PATCH net-next] net: mana: Use at least SZ_4K in doorbell ID range check
From: Erni Sri Satya Vennela @ 2026-03-25 17:35 UTC (permalink / raw)
To: Paolo Abeni
Cc: Simon Horman, kys, haiyangz, wei.liu, decui, longli,
andrew+netdev, davem, edumazet, kuba, shradhagupta, dipayanroy,
shirazsaleem, kotaranov, yury.norov, kees, linux-hyperv, netdev,
linux-kernel
In-Reply-To: <c8fe221f-2e1c-47a0-970f-e7a1318a15bf@redhat.com>
On Tue, Mar 24, 2026 at 12:03:37PM +0100, Paolo Abeni wrote:
>
>
> On 3/21/26 11:04 AM, Simon Horman wrote:
> > On Fri, Mar 20, 2026 at 05:21:01AM -0700, Erni Sri Satya Vennela wrote:
> >> mana_gd_ring_doorbell() accesses doorbell offsets up to 0xFF8 + 8 = 4KB
> >> within a doorbell page. When db_page_size is zero, the validation check
> >> in mana_gd_register_device() reduces to:
> >> db_page_off + 0 > bar0_size
> >> which passes, even though mana_gd_ring_doorbell() will access
> >> [db_page_off, db_page_off + 4KB) and may go beyond BAR0.
> >>
> >> Use max(SZ_4K, db_page_size) in the range check so that a zero or
> >> unexpectedly small db_page_size still results in a rejection when the
> >> doorbell page would fall outside BAR0.
> >
> > Thanks Erni,
> >
> > I understand the maths here. And to that extent this change makes sense to me.
> > But I am curious to know how a db_page_size of zero works. I was expecting
> > some space is required there.
>
> To rephrase Simon's question, this feels like papering over a
> memory/state corruption. I think at best it deserves a cleaner explanation.
>
> /P
Thanks for pointing it out Simon and Paolo.
Now I understand the real issue, when db_page_sz is zero my patch rejects
it, but doesn't explicitly point it out. Such case means something is
wrong in hardware, which is silently escaped in this patch.
I will create another patch where I will reject db_page_size < SZ_4K at
the source.
^ permalink raw reply
* RE: [PATCH 04/12] hv: vmbus: use generic driver_override infrastructure
From: Michael Kelley @ 2026-03-25 17:28 UTC (permalink / raw)
To: Danilo Krummrich, Russell King, Greg Kroah-Hartman,
Rafael J. Wysocki, Ioana Ciornei, Nipun Gupta, Nikhil Agarwal,
K. Y. Srinivasan, Haiyang Zhang, Wei Liu, Dexuan Cui, Long Li,
Bjorn Helgaas, Armin Wolf, Bjorn Andersson, Mathieu Poirier,
Vineeth Vijayan, Peter Oberparleiter, Heiko Carstens,
Vasily Gorbik, Alexander Gordeev, Christian Borntraeger,
Sven Schnelle, Harald Freudenberger, Holger Dengler, Mark Brown,
Michael S. Tsirkin, Jason Wang, Xuan Zhuo, Eugenio Pérez,
Alex Williamson, Juergen Gross, Stefano Stabellini,
Oleksandr Tyshchenko, Christophe Leroy (CS GROUP)
Cc: linux-kernel@vger.kernel.org, driver-core@lists.linux.dev,
linuxppc-dev@lists.ozlabs.org, linux-hyperv@vger.kernel.org,
linux-pci@vger.kernel.org, platform-driver-x86@vger.kernel.org,
linux-arm-msm@vger.kernel.org, linux-remoteproc@vger.kernel.org,
linux-s390@vger.kernel.org, linux-spi@vger.kernel.org,
virtualization@lists.linux.dev, kvm@vger.kernel.org,
xen-devel@lists.xenproject.org,
linux-arm-kernel@lists.infradead.org, Gui-Dong Han
In-Reply-To: <20260324005919.2408620-5-dakr@kernel.org>
From: Danilo Krummrich <dakr@kernel.org> Sent: Monday, March 23, 2026 5:59 PM
>
In the patch "Subject" line, the prefix for changes for vmbus_drv.c has
historically been "Drivers: hv: vmbus:". It's a mouthful, but has been kept
fairly consistent over time.
> When a driver is probed through __driver_attach(), the bus' match()
> callback is called without the device lock held, thus accessing the
> driver_override field without a lock, which can cause a UAF.
>
> Fix this by using the driver-core driver_override infrastructure taking
> care of proper locking internally.
>
> Note that calling match() from __driver_attach() without the device lock
> held is intentional. [1]
I've tested this patch in a Hyper-V VM with VMBus devices. Did a simple
VMBus driver override, listed the overrides, and then removed the override.
All the right things happened with driver binding, unbind, etc.
Tested-by: Michael Kelley <mhklinux@outlook.com>
Modulo updates to the comments that I've noted below (and the patch
Subject line mentioned above):
Reviewed-by: Michael Kelley <mhklinux@outlook.com>
>
> Link: https://lore.kernel.org/driver-core/DGRGTIRHA62X.3RY09D9SOK77P@kernel.org/ [1]
> Reported-by: Gui-Dong Han <hanguidong02@gmail.com>
> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220789
> Fixes: d765edbb301c ("vmbus: add driver_override support")
> Signed-off-by: Danilo Krummrich <dakr@kernel.org>
> ---
> drivers/hv/vmbus_drv.c | 36 +++++-------------------------------
> include/linux/hyperv.h | 5 -----
> 2 files changed, 5 insertions(+), 36 deletions(-)
>
> diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
> index bc4fc1951ae1..bc8dfd136f3c 100644
> --- a/drivers/hv/vmbus_drv.c
> +++ b/drivers/hv/vmbus_drv.c
[snip]
>
> @@ -711,9 +682,11 @@ static const struct hv_vmbus_device_id
> *hv_vmbus_get_id(const struct hv_driver *
> {
> const guid_t *guid = &dev->dev_type;
> const struct hv_vmbus_device_id *id;
> + int ret;
>
> /* When driver_override is set, only bind to the matching driver */
This reference to "driver_override" in the comment was originally to the
"driver_override" field in struct hv_device, which has now gone away. Better
wording would be "If a driver override is set, only bind ...."
> - if (dev->driver_override && strcmp(dev->driver_override, drv->name))
> + ret = device_match_driver_override(&dev->device, &drv->driver);
> + if (ret == 0)
> return NULL;
>
> /* Look at the dynamic ids first, before the static ones */
> @@ -722,7 +695,7 @@ static const struct hv_vmbus_device_id *hv_vmbus_get_id(const struct hv_driver *
> id = hv_vmbus_dev_match(drv->id_table, guid);
>
> /* driver_override will always match, send a dummy id */
Again, the reference to "driver_override" no longer makes sense. The
original comment is a bit opaque in its own way. Let me suggest this new
wording:
If there's a matching driver override, this function should succeed. So
return a dummy device ID if no matching ID is found.
> - if (!id && dev->driver_override)
> + if (!id && ret > 0)
> id = &vmbus_device_null;
>
> return id;
> @@ -1024,6 +997,7 @@ static const struct dev_pm_ops vmbus_pm = {
> /* The one and only one */
> static const struct bus_type hv_bus = {
> .name = "vmbus",
> + .driver_override = true,
> .match = vmbus_match,
> .shutdown = vmbus_shutdown,
> .remove = vmbus_remove,
> diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h
> index dfc516c1c719..bf689d07d750 100644
> --- a/include/linux/hyperv.h
> +++ b/include/linux/hyperv.h
> @@ -1272,11 +1272,6 @@ struct hv_device {
> u16 device_id;
>
> struct device device;
> - /*
> - * Driver name to force a match. Do not set directly, because core
> - * frees it. Use driver_set_override() to set or clear it.
> - */
> - const char *driver_override;
>
> struct vmbus_channel *channel;
> struct kset *channels_kset;
> --
> 2.53.0
>
^ permalink raw reply
* Re: [PATCH net-next v5 0/6] net: mana: Per-vPort EQ and MSI-X interrupt management
From: Simon Horman @ 2026-03-25 16:56 UTC (permalink / raw)
To: Long Li
Cc: Konstantin Taranov, Jakub Kicinski, David S . Miller, Paolo Abeni,
Eric Dumazet, Andrew Lunn, Jason Gunthorpe, Leon Romanovsky,
Haiyang Zhang, K . Y . Srinivasan, Wei Liu, Dexuan Cui, netdev,
linux-rdma, linux-hyperv, linux-kernel
In-Reply-To: <20260323195952.1767304-1-longli@microsoft.com>
On Mon, Mar 23, 2026 at 12:59:46PM -0700, Long Li wrote:
> This series adds per-vPort Event Queue (EQ) allocation and MSI-X interrupt
> management for the MANA driver. Previously, all vPorts shared a single set
> of EQs. This change enables dedicated EQs per vPort with support for both
> dedicated and shared MSI-X vector allocation modes.
>
> Patch 1 moves EQ ownership from mana_context to per-vPort mana_port_context
> and exports create/destroy functions for the RDMA driver.
>
> Patch 2 adds device capability queries to determine whether MSI-X vectors
> should be dedicated per-vPort or shared. When the number of available MSI-X
> vectors is insufficient for dedicated allocation, the driver enables sharing
> mode with bitmap-based vector assignment.
>
> Patch 3 introduces the GIC (GDMA IRQ Context) abstraction with reference
> counting, allowing multiple EQs to safely share a single MSI-X vector.
>
> Patch 4 converts the global EQ allocation in probe/resume to use the new
> GIC functions.
>
> Patch 5 adds per-vPort GIC lifecycle management, calling get/put on each
> EQ creation and destruction during vPort open/close.
>
> Patch 6 extends the same GIC lifecycle management to the RDMA driver's EQ
> allocation path.
>
> Changes in v5:
> - Rebased on net-next/main
Hi Long Li,
Unfortunately v5 also doesn't apply cleanly to net-next.
--
pw-bot: changes-requested
^ permalink raw reply
* Re: [PATCH 07/12] rpmsg: use generic driver_override infrastructure
From: Mathieu Poirier @ 2026-03-25 15:49 UTC (permalink / raw)
To: Danilo Krummrich
Cc: Russell King, Greg Kroah-Hartman, Rafael J. Wysocki,
Ioana Ciornei, Nipun Gupta, Nikhil Agarwal, K. Y. Srinivasan,
Haiyang Zhang, Wei Liu, Dexuan Cui, Long Li, Bjorn Helgaas,
Armin Wolf, Bjorn Andersson, Vineeth Vijayan, Peter Oberparleiter,
Heiko Carstens, Vasily Gorbik, Alexander Gordeev,
Christian Borntraeger, Sven Schnelle, Harald Freudenberger,
Holger Dengler, Mark Brown, Michael S. Tsirkin, Jason Wang,
Xuan Zhuo, Eugenio Pérez, Alex Williamson, Juergen Gross,
Stefano Stabellini, Oleksandr Tyshchenko,
Christophe Leroy (CS GROUP), linux-kernel, driver-core,
linuxppc-dev, linux-hyperv, linux-pci, platform-driver-x86,
linux-arm-msm, linux-remoteproc, linux-s390, linux-spi,
virtualization, kvm, xen-devel, linux-arm-kernel, Gui-Dong Han
In-Reply-To: <20260324005919.2408620-8-dakr@kernel.org>
On Mon, 23 Mar 2026 at 19:00, Danilo Krummrich <dakr@kernel.org> wrote:
>
> When a driver is probed through __driver_attach(), the bus' match()
> callback is called without the device lock held, thus accessing the
> driver_override field without a lock, which can cause a UAF.
>
> Fix this by using the driver-core driver_override infrastructure taking
> care of proper locking internally.
>
> Note that calling match() from __driver_attach() without the device lock
> held is intentional. [1]
>
> Link: https://lore.kernel.org/driver-core/DGRGTIRHA62X.3RY09D9SOK77P@kernel.org/ [1]
> Reported-by: Gui-Dong Han <hanguidong02@gmail.com>
> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220789
> Fixes: e95060478244 ("rpmsg: Introduce a driver override mechanism")
> Signed-off-by: Danilo Krummrich <dakr@kernel.org>
> ---
> drivers/rpmsg/qcom_glink_native.c | 2 --
For the below files:
Reviewed-by: Mathieu Poirier <mathieu.poirier@linaro.org>
> drivers/rpmsg/rpmsg_core.c | 43 +++++--------------------------
> drivers/rpmsg/virtio_rpmsg_bus.c | 1 -
> include/linux/rpmsg.h | 4 ---
> 4 files changed, 7 insertions(+), 43 deletions(-)
>
> diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c
> index 9ef17c2e45b0..e9d1b2082477 100644
> --- a/drivers/rpmsg/qcom_glink_native.c
> +++ b/drivers/rpmsg/qcom_glink_native.c
> @@ -1623,7 +1623,6 @@ static void qcom_glink_rpdev_release(struct device *dev)
> {
> struct rpmsg_device *rpdev = to_rpmsg_device(dev);
>
> - kfree(rpdev->driver_override);
> kfree(rpdev);
> }
>
> @@ -1859,7 +1858,6 @@ static void qcom_glink_device_release(struct device *dev)
>
> /* Release qcom_glink_alloc_channel() reference */
> kref_put(&channel->refcount, qcom_glink_channel_release);
> - kfree(rpdev->driver_override);
> kfree(rpdev);
> }
>
> diff --git a/drivers/rpmsg/rpmsg_core.c b/drivers/rpmsg/rpmsg_core.c
> index 96964745065b..2b9f6d5a9a4f 100644
> --- a/drivers/rpmsg/rpmsg_core.c
> +++ b/drivers/rpmsg/rpmsg_core.c
> @@ -358,33 +358,6 @@ rpmsg_show_attr(src, src, "0x%x\n");
> rpmsg_show_attr(dst, dst, "0x%x\n");
> rpmsg_show_attr(announce, announce ? "true" : "false", "%s\n");
>
> -static ssize_t driver_override_store(struct device *dev,
> - struct device_attribute *attr,
> - const char *buf, size_t count)
> -{
> - struct rpmsg_device *rpdev = to_rpmsg_device(dev);
> - int ret;
> -
> - ret = driver_set_override(dev, &rpdev->driver_override, buf, count);
> - if (ret)
> - return ret;
> -
> - return count;
> -}
> -
> -static ssize_t driver_override_show(struct device *dev,
> - struct device_attribute *attr, char *buf)
> -{
> - struct rpmsg_device *rpdev = to_rpmsg_device(dev);
> - ssize_t len;
> -
> - device_lock(dev);
> - len = sysfs_emit(buf, "%s\n", rpdev->driver_override);
> - device_unlock(dev);
> - return len;
> -}
> -static DEVICE_ATTR_RW(driver_override);
> -
> static ssize_t modalias_show(struct device *dev,
> struct device_attribute *attr, char *buf)
> {
> @@ -405,7 +378,6 @@ static struct attribute *rpmsg_dev_attrs[] = {
> &dev_attr_dst.attr,
> &dev_attr_src.attr,
> &dev_attr_announce.attr,
> - &dev_attr_driver_override.attr,
> NULL,
> };
> ATTRIBUTE_GROUPS(rpmsg_dev);
> @@ -424,9 +396,11 @@ static int rpmsg_dev_match(struct device *dev, const struct device_driver *drv)
> const struct rpmsg_driver *rpdrv = to_rpmsg_driver(drv);
> const struct rpmsg_device_id *ids = rpdrv->id_table;
> unsigned int i;
> + int ret;
>
> - if (rpdev->driver_override)
> - return !strcmp(rpdev->driver_override, drv->name);
> + ret = device_match_driver_override(dev, drv);
> + if (ret >= 0)
> + return ret;
>
> if (ids)
> for (i = 0; ids[i].name[0]; i++)
> @@ -535,6 +509,7 @@ static const struct bus_type rpmsg_bus = {
> .name = "rpmsg",
> .match = rpmsg_dev_match,
> .dev_groups = rpmsg_dev_groups,
> + .driver_override = true,
> .uevent = rpmsg_uevent,
> .probe = rpmsg_dev_probe,
> .remove = rpmsg_dev_remove,
> @@ -560,11 +535,9 @@ int rpmsg_register_device_override(struct rpmsg_device *rpdev,
>
> device_initialize(dev);
> if (driver_override) {
> - ret = driver_set_override(dev, &rpdev->driver_override,
> - driver_override,
> - strlen(driver_override));
> + ret = device_set_driver_override(dev, driver_override);
> if (ret) {
> - dev_err(dev, "device_set_override failed: %d\n", ret);
> + dev_err(dev, "device_set_driver_override() failed: %d\n", ret);
> put_device(dev);
> return ret;
> }
> @@ -573,8 +546,6 @@ int rpmsg_register_device_override(struct rpmsg_device *rpdev,
> ret = device_add(dev);
> if (ret) {
> dev_err(dev, "device_add failed: %d\n", ret);
> - kfree(rpdev->driver_override);
> - rpdev->driver_override = NULL;
> put_device(dev);
> }
>
> diff --git a/drivers/rpmsg/virtio_rpmsg_bus.c b/drivers/rpmsg/virtio_rpmsg_bus.c
> index 8d9e2b4dc7c1..e0dacb736ef9 100644
> --- a/drivers/rpmsg/virtio_rpmsg_bus.c
> +++ b/drivers/rpmsg/virtio_rpmsg_bus.c
> @@ -373,7 +373,6 @@ static void virtio_rpmsg_release_device(struct device *dev)
> struct rpmsg_device *rpdev = to_rpmsg_device(dev);
> struct virtio_rpmsg_channel *vch = to_virtio_rpmsg_channel(rpdev);
>
> - kfree(rpdev->driver_override);
> kfree(vch);
> }
>
> diff --git a/include/linux/rpmsg.h b/include/linux/rpmsg.h
> index fb7ab9165645..c2e3ef8480d5 100644
> --- a/include/linux/rpmsg.h
> +++ b/include/linux/rpmsg.h
> @@ -41,9 +41,6 @@ struct rpmsg_channel_info {
> * rpmsg_device - device that belong to the rpmsg bus
> * @dev: the device struct
> * @id: device id (used to match between rpmsg drivers and devices)
> - * @driver_override: driver name to force a match; do not set directly,
> - * because core frees it; use driver_set_override() to
> - * set or clear it.
> * @src: local address
> * @dst: destination address
> * @ept: the rpmsg endpoint of this channel
> @@ -53,7 +50,6 @@ struct rpmsg_channel_info {
> struct rpmsg_device {
> struct device dev;
> struct rpmsg_device_id id;
> - const char *driver_override;
> u32 src;
> u32 dst;
> struct rpmsg_endpoint *ept;
> --
> 2.53.0
>
^ permalink raw reply
* Re: [PATCH v4 19/21] uio: replace deprecated mmap hook with mmap_prepare in uio_info
From: Vlastimil Babka (SUSE) @ 2026-03-25 14:13 UTC (permalink / raw)
To: Lorenzo Stoakes (Oracle), Andrew Morton
Cc: Jonathan Corbet, Clemens Ladisch, Arnd Bergmann,
Greg Kroah-Hartman, K . Y . Srinivasan, Haiyang Zhang, Wei Liu,
Dexuan Cui, Long Li, Alexander Shishkin, Maxime Coquelin,
Alexandre Torgue, Miquel Raynal, Richard Weinberger,
Vignesh Raghavendra, Bodo Stroesser, Martin K . Petersen,
David Howells, Marc Dionne, Alexander Viro, Christian Brauner,
Jan Kara, David Hildenbrand, Liam R . Howlett, Mike Rapoport,
Suren Baghdasaryan, Michal Hocko, Jann Horn, Pedro Falcato,
linux-kernel, linux-doc, linux-hyperv, linux-stm32,
linux-arm-kernel, linux-mtd, linux-staging, linux-scsi,
target-devel, linux-afs, linux-fsdevel, linux-mm, Ryan Roberts
In-Reply-To: <157583e4477705b496896c7acd4ac88a937b8fa6.1774045440.git.ljs@kernel.org>
On 3/20/26 23:39, Lorenzo Stoakes (Oracle) wrote:
> The f_op->mmap interface is deprecated, so update uio_info to use its
> successor, mmap_prepare.
>
> Therefore, replace the uio_info->mmap hook with a new
> uio_info->mmap_prepare hook, and update its one user, target_core_user,
> to both specify this new mmap_prepare hook and also to use the new
> vm_ops->mapped() hook to continue to maintain a correct udev->kref
> refcount.
>
> Then update uio_mmap() to utilise the mmap_prepare compatibility layer to
> invoke this callback from the uio mmap invocation.
>
> Signed-off-by: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
> ---
> drivers/target/target_core_user.c | 26 ++++++++++++++++++--------
> drivers/uio/uio.c | 10 ++++++++--
> include/linux/uio_driver.h | 4 ++--
> 3 files changed, 28 insertions(+), 12 deletions(-)
>
> diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
> index af95531ddd35..edc2afd5f4ee 100644
> --- a/drivers/target/target_core_user.c
> +++ b/drivers/target/target_core_user.c
> @@ -1860,6 +1860,17 @@ static struct page *tcmu_try_get_data_page(struct tcmu_dev *udev, uint32_t dpi)
> return NULL;
> }
>
> +static int tcmu_vma_mapped(unsigned long start, unsigned long end, pgoff_t pgoff,
> + const struct file *file, void **vm_private_data)
> +{
> + struct tcmu_dev *udev = *vm_private_data;
> +
> + pr_debug("vma_mapped\n");
This looked like testing leftover at first, but it matches
tcmu_vma_open()/close() (in case anyone else wonders).
> +
> + kref_get(&udev->kref);
> + return 0;
> +}
> +
^ permalink raw reply
* Re: [PATCH v4 18/21] drivers: hv: vmbus: replace deprecated mmap hook with mmap_prepare
From: Vlastimil Babka (SUSE) @ 2026-03-25 13:57 UTC (permalink / raw)
To: Lorenzo Stoakes (Oracle), Andrew Morton
Cc: Jonathan Corbet, Clemens Ladisch, Arnd Bergmann,
Greg Kroah-Hartman, K . Y . Srinivasan, Haiyang Zhang, Wei Liu,
Dexuan Cui, Long Li, Alexander Shishkin, Maxime Coquelin,
Alexandre Torgue, Miquel Raynal, Richard Weinberger,
Vignesh Raghavendra, Bodo Stroesser, Martin K . Petersen,
David Howells, Marc Dionne, Alexander Viro, Christian Brauner,
Jan Kara, David Hildenbrand, Liam R . Howlett, Mike Rapoport,
Suren Baghdasaryan, Michal Hocko, Jann Horn, Pedro Falcato,
linux-kernel, linux-doc, linux-hyperv, linux-stm32,
linux-arm-kernel, linux-mtd, linux-staging, linux-scsi,
target-devel, linux-afs, linux-fsdevel, linux-mm, Ryan Roberts
In-Reply-To: <05467cb62267d750e5c770147517d4df0246cda6.1774045440.git.ljs@kernel.org>
On 3/20/26 23:39, Lorenzo Stoakes (Oracle) wrote:
> The f_op->mmap interface is deprecated, so update the vmbus driver to use
> its successor, mmap_prepare.
>
> This updates all callbacks which referenced the function pointer
> hv_mmap_ring_buffer to instead reference hv_mmap_prepare_ring_buffer,
> utilising the newly introduced compat_set_desc_from_vma() and
> __compat_vma_mmap() to be able to implement this change.
>
> The UIO HV generic driver is the only user of hv_create_ring_sysfs(),
> which is the only function which references
> vmbus_channel->mmap_prepare_ring_buffer which, in turn, is the only
> external interface to hv_mmap_prepare_ring_buffer.
>
> This patch therefore updates this caller to use mmap_prepare instead,
> which also previously used vm_iomap_memory(), so this change replaces it
> with its mmap_prepare equivalent, mmap_action_simple_ioremap().
>
> Signed-off-by: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
^ permalink raw reply
* Re: [PATCH v4 17/21] mm: allow handling of stacked mmap_prepare hooks in more drivers
From: Vlastimil Babka (SUSE) @ 2026-03-25 13:43 UTC (permalink / raw)
To: Lorenzo Stoakes (Oracle), Andrew Morton
Cc: Jonathan Corbet, Clemens Ladisch, Arnd Bergmann,
Greg Kroah-Hartman, K . Y . Srinivasan, Haiyang Zhang, Wei Liu,
Dexuan Cui, Long Li, Alexander Shishkin, Maxime Coquelin,
Alexandre Torgue, Miquel Raynal, Richard Weinberger,
Vignesh Raghavendra, Bodo Stroesser, Martin K . Petersen,
David Howells, Marc Dionne, Alexander Viro, Christian Brauner,
Jan Kara, David Hildenbrand, Liam R . Howlett, Mike Rapoport,
Suren Baghdasaryan, Michal Hocko, Jann Horn, Pedro Falcato,
linux-kernel, linux-doc, linux-hyperv, linux-stm32,
linux-arm-kernel, linux-mtd, linux-staging, linux-scsi,
target-devel, linux-afs, linux-fsdevel, linux-mm, Ryan Roberts
In-Reply-To: <24aac3019dd34740e788d169fccbe3c62781e648.1774045440.git.ljs@kernel.org>
On 3/20/26 23:39, Lorenzo Stoakes (Oracle) wrote:
> While the conversion of mmap hooks to mmap_prepare is underway, we will
> encounter situations where mmap hooks need to invoke nested mmap_prepare
> hooks.
>
> The nesting of mmap hooks is termed 'stacking'. In order to flexibly
> facilitate the conversion of custom mmap hooks in drivers which stack, we
> must split up the existing __compat_vma_mmap() function into two separate
> functions:
>
> * compat_set_desc_from_vma() - This allows the setting of a vm_area_desc
> object's fields to the relevant fields of a VMA.
>
> * __compat_vma_mmap() - Once an mmap_prepare hook has been executed upon a
> vm_area_desc object, this function performs any mmap actions specified by
> the mmap_prepare hook and then invokes its vm_ops->mapped() hook if any
> were specified.
>
> In ordinary cases, where a file's f_op->mmap_prepare() hook simply needs
> to be invoked in a stacked mmap() hook, compat_vma_mmap() can be used.
>
> However some drivers define their own nested hooks, which are invoked in
> turn by another hook.
>
> A concrete example is vmbus_channel->mmap_ring_buffer(), which is invoked
> in turn by bin_attribute->mmap():
>
> vmbus_channel->mmap_ring_buffer() has a signature of:
>
> int (*mmap_ring_buffer)(struct vmbus_channel *channel,
> struct vm_area_struct *vma);
>
> And bin_attribute->mmap() has a signature of:
>
> int (*mmap)(struct file *, struct kobject *,
> const struct bin_attribute *attr,
> struct vm_area_struct *vma);
>
> And so compat_vma_mmap() cannot be used here for incremental conversion of
> hooks from mmap() to mmap_prepare().
>
> There are many such instances like this, where conversion to mmap_prepare
> would otherwise cascade to a huge change set due to nesting of this kind.
>
> The changes in this patch mean we could now instead convert
> vmbus_channel->mmap_ring_buffer() to
> vmbus_channel->mmap_prepare_ring_buffer(), and implement something like:
>
> struct vm_area_desc desc;
> int err;
>
> compat_set_desc_from_vma(&desc, file, vma);
> err = channel->mmap_prepare_ring_buffer(channel, &desc);
> if (err)
> return err;
>
> return __compat_vma_mmap(&desc, vma);
>
> Allowing us to incrementally update this logic, and other logic like it.
>
> Unfortunately, as part of this change, we need to be able to flexibly
> assign to the VMA descriptor, so have to remove some of the const
> declarations within the structure.
>
> Also update the VMA tests to reflect the changes.
>
> Signed-off-by: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
^ permalink raw reply
* Re: [PATCH 02/12] bus: fsl-mc: use generic driver_override infrastructure
From: Ioana Ciornei @ 2026-03-25 12:01 UTC (permalink / raw)
To: Danilo Krummrich
Cc: Russell King, Greg Kroah-Hartman, Rafael J. Wysocki, Nipun Gupta,
Nikhil Agarwal, K. Y. Srinivasan, Haiyang Zhang, Wei Liu,
Dexuan Cui, Long Li, Bjorn Helgaas, Armin Wolf, Bjorn Andersson,
Mathieu Poirier, Vineeth Vijayan, Peter Oberparleiter,
Heiko Carstens, Vasily Gorbik, Alexander Gordeev,
Christian Borntraeger, Sven Schnelle, Harald Freudenberger,
Holger Dengler, Mark Brown, Michael S. Tsirkin, Jason Wang,
Xuan Zhuo, Eugenio PĂ©rez, Alex Williamson,
Juergen Gross, Stefano Stabellini, Oleksandr Tyshchenko,
Christophe Leroy (CS GROUP), linux-kernel, driver-core,
linuxppc-dev, linux-hyperv, linux-pci, platform-driver-x86,
linux-arm-msm, linux-remoteproc, linux-s390, linux-spi,
virtualization, kvm, xen-devel, linux-arm-kernel, Gui-Dong Han
In-Reply-To: <20260324005919.2408620-3-dakr@kernel.org>
On Tue, Mar 24, 2026 at 01:59:06AM +0100, Danilo Krummrich wrote:
> When a driver is probed through __driver_attach(), the bus' match()
> callback is called without the device lock held, thus accessing the
> driver_override field without a lock, which can cause a UAF.
>
> Fix this by using the driver-core driver_override infrastructure taking
> care of proper locking internally.
>
> Note that calling match() from __driver_attach() without the device lock
> held is intentional. [1]
>
> Link: https://lore.kernel.org/driver-core/DGRGTIRHA62X.3RY09D9SOK77P@kernel.org/ [1]
> Reported-by: Gui-Dong Han <hanguidong02@gmail.com>
> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220789
> Fixes: 1f86a00c1159 ("bus/fsl-mc: add support for 'driver_override' in the mc-bus")
> Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Tested-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
^ permalink raw reply
* Re: [PATCH v4 16/21] staging: vme_user: replace deprecated mmap hook with mmap_prepare
From: Vlastimil Babka (SUSE) @ 2026-03-25 10:34 UTC (permalink / raw)
To: Lorenzo Stoakes (Oracle), Andrew Morton
Cc: Jonathan Corbet, Clemens Ladisch, Arnd Bergmann,
Greg Kroah-Hartman, K . Y . Srinivasan, Haiyang Zhang, Wei Liu,
Dexuan Cui, Long Li, Alexander Shishkin, Maxime Coquelin,
Alexandre Torgue, Miquel Raynal, Richard Weinberger,
Vignesh Raghavendra, Bodo Stroesser, Martin K . Petersen,
David Howells, Marc Dionne, Alexander Viro, Christian Brauner,
Jan Kara, David Hildenbrand, Liam R . Howlett, Mike Rapoport,
Suren Baghdasaryan, Michal Hocko, Jann Horn, Pedro Falcato,
linux-kernel, linux-doc, linux-hyperv, linux-stm32,
linux-arm-kernel, linux-mtd, linux-staging, linux-scsi,
target-devel, linux-afs, linux-fsdevel, linux-mm, Ryan Roberts
In-Reply-To: <08ecc1e1d319564fd49b9e9012f994edaff921db.1774045440.git.ljs@kernel.org>
On 3/20/26 23:39, Lorenzo Stoakes (Oracle) wrote:
> The f_op->mmap interface is deprecated, so update driver to use its
> successor, mmap_prepare.
>
> The driver previously used vm_iomap_memory(), so this change replaces it
> with its mmap_prepare equivalent, mmap_action_simple_ioremap().
>
> Functions that wrap mmap() are also converted to wrap mmap_prepare()
> instead.
>
> Also update the documentation accordingly.
>
> Reviewed-by: Suren Baghdasaryan <surenb@google.com>
> Signed-off-by: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
^ permalink raw reply
* Re: [PATCH v4 15/21] stm: replace deprecated mmap hook with mmap_prepare
From: Vlastimil Babka (SUSE) @ 2026-03-25 10:24 UTC (permalink / raw)
To: Lorenzo Stoakes (Oracle), Andrew Morton
Cc: Jonathan Corbet, Clemens Ladisch, Arnd Bergmann,
Greg Kroah-Hartman, K . Y . Srinivasan, Haiyang Zhang, Wei Liu,
Dexuan Cui, Long Li, Alexander Shishkin, Maxime Coquelin,
Alexandre Torgue, Miquel Raynal, Richard Weinberger,
Vignesh Raghavendra, Bodo Stroesser, Martin K . Petersen,
David Howells, Marc Dionne, Alexander Viro, Christian Brauner,
Jan Kara, David Hildenbrand, Liam R . Howlett, Mike Rapoport,
Suren Baghdasaryan, Michal Hocko, Jann Horn, Pedro Falcato,
linux-kernel, linux-doc, linux-hyperv, linux-stm32,
linux-arm-kernel, linux-mtd, linux-staging, linux-scsi,
target-devel, linux-afs, linux-fsdevel, linux-mm, Ryan Roberts
In-Reply-To: <9f3d559a264a83cf45518fcf35cc7ef1d7dfd500.1774045440.git.ljs@kernel.org>
On 3/20/26 23:39, Lorenzo Stoakes (Oracle) wrote:
> The f_op->mmap interface is deprecated, so update driver to use its
> successor, mmap_prepare.
>
> The driver previously used vm_iomap_memory(), so this change replaces it
> with its mmap_prepare equivalent, mmap_action_simple_ioremap().
>
> Also, in order to correctly maintain reference counting, add a
> vm_ops->mapped callback to increment the reference count when successfully
> mapped.
>
> Reviewed-by: Suren Baghdasaryan <surenb@google.com>
> Signed-off-by: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
> ---
> drivers/hwtracing/stm/core.c | 31 +++++++++++++++++++++----------
> 1 file changed, 21 insertions(+), 10 deletions(-)
>
> diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c
> index 37584e786bb5..f48c6a8a0654 100644
> --- a/drivers/hwtracing/stm/core.c
> +++ b/drivers/hwtracing/stm/core.c
> @@ -666,6 +666,16 @@ static ssize_t stm_char_write(struct file *file, const char __user *buf,
> return count;
> }
>
> +static int stm_mmap_mapped(unsigned long start, unsigned long end, pgoff_t pgoff,
> + const struct file *file, void **vm_private_data)
> +{
> + struct stm_file *stmf = file->private_data;
> + struct stm_device *stm = stmf->stm;
> +
> + pm_runtime_get_sync(&stm->dev);
> + return 0;
> +}
> +
> static void stm_mmap_open(struct vm_area_struct *vma)
> {
> struct stm_file *stmf = vma->vm_file->private_data;
> @@ -684,12 +694,14 @@ static void stm_mmap_close(struct vm_area_struct *vma)
> }
>
> static const struct vm_operations_struct stm_mmap_vmops = {
> + .mapped = stm_mmap_mapped,
> .open = stm_mmap_open,
> .close = stm_mmap_close,
> };
>
> -static int stm_char_mmap(struct file *file, struct vm_area_struct *vma)
> +static int stm_char_mmap_prepare(struct vm_area_desc *desc)
> {
> + struct file *file = desc->file;
> struct stm_file *stmf = file->private_data;
> struct stm_device *stm = stmf->stm;
> unsigned long size, phys;
> @@ -697,10 +709,10 @@ static int stm_char_mmap(struct file *file, struct vm_area_struct *vma)
> if (!stm->data->mmio_addr)
> return -EOPNOTSUPP;
>
> - if (vma->vm_pgoff)
> + if (desc->pgoff)
> return -EINVAL;
>
> - size = vma->vm_end - vma->vm_start;
> + size = vma_desc_size(desc);
>
> if (stmf->output.nr_chans * stm->data->sw_mmiosz != size)
> return -EINVAL;
> @@ -712,13 +724,12 @@ static int stm_char_mmap(struct file *file, struct vm_area_struct *vma)
> if (!phys)
> return -EINVAL;
>
> - pm_runtime_get_sync(&stm->dev);
> -
> - vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
> - vm_flags_set(vma, VM_IO | VM_DONTEXPAND | VM_DONTDUMP);
> - vma->vm_ops = &stm_mmap_vmops;
> - vm_iomap_memory(vma, phys, size);
> + desc->page_prot = pgprot_noncached(desc->page_prot);
> + vma_desc_set_flags(desc, VMA_IO_BIT, VMA_DONTEXPAND_BIT,
> + VMA_DONTDUMP_BIT);
> + desc->vm_ops = &stm_mmap_vmops;
>
> + mmap_action_simple_ioremap(desc, phys, size);
> return 0;
> }
>
> @@ -836,7 +847,7 @@ static const struct file_operations stm_fops = {
> .open = stm_char_open,
> .release = stm_char_release,
> .write = stm_char_write,
> - .mmap = stm_char_mmap,
> + .mmap_prepare = stm_char_mmap_prepare,
> .unlocked_ioctl = stm_char_ioctl,
> .compat_ioctl = compat_ptr_ioctl,
> };
^ permalink raw reply
* Re: [PATCH v4 14/21] mtdchar: replace deprecated mmap hook with mmap_prepare, clean up
From: Vlastimil Babka (SUSE) @ 2026-03-25 10:20 UTC (permalink / raw)
To: Lorenzo Stoakes (Oracle), Andrew Morton
Cc: Jonathan Corbet, Clemens Ladisch, Arnd Bergmann,
Greg Kroah-Hartman, K . Y . Srinivasan, Haiyang Zhang, Wei Liu,
Dexuan Cui, Long Li, Alexander Shishkin, Maxime Coquelin,
Alexandre Torgue, Miquel Raynal, Richard Weinberger,
Vignesh Raghavendra, Bodo Stroesser, Martin K . Petersen,
David Howells, Marc Dionne, Alexander Viro, Christian Brauner,
Jan Kara, David Hildenbrand, Liam R . Howlett, Mike Rapoport,
Suren Baghdasaryan, Michal Hocko, Jann Horn, Pedro Falcato,
linux-kernel, linux-doc, linux-hyperv, linux-stm32,
linux-arm-kernel, linux-mtd, linux-staging, linux-scsi,
target-devel, linux-afs, linux-fsdevel, linux-mm, Ryan Roberts
In-Reply-To: <d036855c21962c58ace0eb24ecd6d973d77424fe.1774045440.git.ljs@kernel.org>
On 3/20/26 23:39, Lorenzo Stoakes (Oracle) wrote:
> Replace the deprecated mmap callback with mmap_prepare.
>
> Commit f5cf8f07423b ("mtd: Disable mtdchar mmap on MMU systems") commented
> out the CONFIG_MMU part of this function back in 2012, so after ~14 years
> it's probably reasonable to remove this altogether rather than updating
> dead code.
>
> Acked-by: Richard Weinberger <richard@nod.at>
> Signed-off-by: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
> ---
> drivers/mtd/mtdchar.c | 21 +++------------------
> 1 file changed, 3 insertions(+), 18 deletions(-)
>
> diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c
> index 55a43682c567..bf01e6ac7293 100644
> --- a/drivers/mtd/mtdchar.c
> +++ b/drivers/mtd/mtdchar.c
> @@ -1376,27 +1376,12 @@ static unsigned mtdchar_mmap_capabilities(struct file *file)
> /*
> * set up a mapping for shared memory segments
> */
> -static int mtdchar_mmap(struct file *file, struct vm_area_struct *vma)
> +static int mtdchar_mmap_prepare(struct vm_area_desc *desc)
> {
> #ifdef CONFIG_MMU
> - struct mtd_file_info *mfi = file->private_data;
> - struct mtd_info *mtd = mfi->mtd;
> - struct map_info *map = mtd->priv;
> -
> - /* This is broken because it assumes the MTD device is map-based
> - and that mtd->priv is a valid struct map_info. It should be
> - replaced with something that uses the mtd_get_unmapped_area()
> - operation properly. */
> - if (0 /*mtd->type == MTD_RAM || mtd->type == MTD_ROM*/) {
> -#ifdef pgprot_noncached
> - if (file->f_flags & O_DSYNC || map->phys >= __pa(high_memory))
> - vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
> -#endif
> - return vm_iomap_memory(vma, map->phys, map->size);
> - }
> return -ENODEV;
> #else
> - return vma->vm_flags & VM_SHARED ? 0 : -EACCES;
> + return vma_desc_test(desc, VMA_SHARED_BIT) ? 0 : -EACCES;
> #endif
> }
>
> @@ -1411,7 +1396,7 @@ static const struct file_operations mtd_fops = {
> #endif
> .open = mtdchar_open,
> .release = mtdchar_close,
> - .mmap = mtdchar_mmap,
> + .mmap_prepare = mtdchar_mmap_prepare,
> #ifndef CONFIG_MMU
> .get_unmapped_area = mtdchar_get_unmapped_area,
> .mmap_capabilities = mtdchar_mmap_capabilities,
^ permalink raw reply
* Re: [PATCH 08/12] vdpa: use generic driver_override infrastructure
From: Eugenio Perez Martin @ 2026-03-25 10:17 UTC (permalink / raw)
To: Danilo Krummrich
Cc: Russell King, Greg Kroah-Hartman, Rafael J. Wysocki,
Ioana Ciornei, Nipun Gupta, Nikhil Agarwal, K. Y. Srinivasan,
Haiyang Zhang, Wei Liu, Dexuan Cui, Long Li, Bjorn Helgaas,
Armin Wolf, Bjorn Andersson, Mathieu Poirier, Vineeth Vijayan,
Peter Oberparleiter, Heiko Carstens, Vasily Gorbik,
Alexander Gordeev, Christian Borntraeger, Sven Schnelle,
Harald Freudenberger, Holger Dengler, Mark Brown,
Michael S. Tsirkin, Jason Wang, Xuan Zhuo, Alex Williamson,
Juergen Gross, Stefano Stabellini, Oleksandr Tyshchenko,
Christophe Leroy (CS GROUP), linux-kernel, driver-core,
linuxppc-dev, linux-hyperv, linux-pci, platform-driver-x86,
linux-arm-msm, linux-remoteproc, linux-s390, linux-spi,
virtualization, kvm, xen-devel, linux-arm-kernel, Gui-Dong Han
In-Reply-To: <20260324005919.2408620-9-dakr@kernel.org>
On Tue, Mar 24, 2026 at 2:00 AM Danilo Krummrich <dakr@kernel.org> wrote:
>
> When a driver is probed through __driver_attach(), the bus' match()
> callback is called without the device lock held, thus accessing the
> driver_override field without a lock, which can cause a UAF.
>
> Fix this by using the driver-core driver_override infrastructure taking
> care of proper locking internally.
>
> Note that calling match() from __driver_attach() without the device lock
> held is intentional. [1]
>
> Link: https://lore.kernel.org/driver-core/DGRGTIRHA62X.3RY09D9SOK77P@kernel.org/ [1]
> Reported-by: Gui-Dong Han <hanguidong02@gmail.com>
> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220789
> Fixes: 539fec78edb4 ("vdpa: add driver_override support")
> Signed-off-by: Danilo Krummrich <dakr@kernel.org>
> ---
> drivers/vdpa/vdpa.c | 48 +++++---------------------------------------
> include/linux/vdpa.h | 4 ----
> 2 files changed, 5 insertions(+), 47 deletions(-)
>
Consolidate this logic is great, thanks!
> diff --git a/drivers/vdpa/vdpa.c b/drivers/vdpa/vdpa.c
> index 34874beb0152..caf0ee5d6856 100644
> --- a/drivers/vdpa/vdpa.c
> +++ b/drivers/vdpa/vdpa.c
> @@ -67,57 +67,20 @@ static void vdpa_dev_remove(struct device *d)
>
> static int vdpa_dev_match(struct device *dev, const struct device_driver *drv)
> {
> - struct vdpa_device *vdev = dev_to_vdpa(dev);
> + int ret;
>
> /* Check override first, and if set, only use the named driver */
> - if (vdev->driver_override)
> - return strcmp(vdev->driver_override, drv->name) == 0;
> + ret = device_match_driver_override(dev, drv);
> + if (ret >= 0)
> + return ret;
>
> /* Currently devices must be supported by all vDPA bus drivers */
> return 1;
Nit: Maybe all of this can be replaced by
abs(device_match_driver_override(dev,drv))? Or maybe we're putting too
much in the same line.
Either way,
Acked-by: Eugenio Pérez <eperezma@redhat.com>
Thanks!
> }
>
> -static ssize_t driver_override_store(struct device *dev,
> - struct device_attribute *attr,
> - const char *buf, size_t count)
> -{
> - struct vdpa_device *vdev = dev_to_vdpa(dev);
> - int ret;
> -
> - ret = driver_set_override(dev, &vdev->driver_override, buf, count);
> - if (ret)
> - return ret;
> -
> - return count;
> -}
> -
> -static ssize_t driver_override_show(struct device *dev,
> - struct device_attribute *attr, char *buf)
> -{
> - struct vdpa_device *vdev = dev_to_vdpa(dev);
> - ssize_t len;
> -
> - device_lock(dev);
> - len = sysfs_emit(buf, "%s\n", vdev->driver_override);
> - device_unlock(dev);
> -
> - return len;
> -}
> -static DEVICE_ATTR_RW(driver_override);
> -
> -static struct attribute *vdpa_dev_attrs[] = {
> - &dev_attr_driver_override.attr,
> - NULL,
> -};
> -
> -static const struct attribute_group vdpa_dev_group = {
> - .attrs = vdpa_dev_attrs,
> -};
> -__ATTRIBUTE_GROUPS(vdpa_dev);
> -
> static const struct bus_type vdpa_bus = {
> .name = "vdpa",
> - .dev_groups = vdpa_dev_groups,
> + .driver_override = true,
> .match = vdpa_dev_match,
> .probe = vdpa_dev_probe,
> .remove = vdpa_dev_remove,
> @@ -132,7 +95,6 @@ static void vdpa_release_dev(struct device *d)
> ops->free(vdev);
>
> ida_free(&vdpa_index_ida, vdev->index);
> - kfree(vdev->driver_override);
> kfree(vdev);
> }
>
> diff --git a/include/linux/vdpa.h b/include/linux/vdpa.h
> index 2bfe3baa63f4..782c42d25db1 100644
> --- a/include/linux/vdpa.h
> +++ b/include/linux/vdpa.h
> @@ -72,9 +72,6 @@ struct vdpa_mgmt_dev;
> * struct vdpa_device - representation of a vDPA device
> * @dev: underlying device
> * @vmap: the metadata passed to upper layer to be used for mapping
> - * @driver_override: driver name to force a match; do not set directly,
> - * because core frees it; use driver_set_override() to
> - * set or clear it.
> * @config: the configuration ops for this device.
> * @map: the map ops for this device
> * @cf_lock: Protects get and set access to configuration layout.
> @@ -90,7 +87,6 @@ struct vdpa_mgmt_dev;
> struct vdpa_device {
> struct device dev;
> union virtio_map vmap;
> - const char *driver_override;
> const struct vdpa_config_ops *config;
> const struct virtio_map_ops *map;
> struct rw_semaphore cf_lock; /* Protects get/set config */
> --
> 2.53.0
>
^ permalink raw reply
* Re: [PATCH v4 13/21] hpet: replace deprecated mmap hook with mmap_prepare
From: Vlastimil Babka (SUSE) @ 2026-03-25 10:17 UTC (permalink / raw)
To: Lorenzo Stoakes (Oracle), Andrew Morton
Cc: Jonathan Corbet, Clemens Ladisch, Arnd Bergmann,
Greg Kroah-Hartman, K . Y . Srinivasan, Haiyang Zhang, Wei Liu,
Dexuan Cui, Long Li, Alexander Shishkin, Maxime Coquelin,
Alexandre Torgue, Miquel Raynal, Richard Weinberger,
Vignesh Raghavendra, Bodo Stroesser, Martin K . Petersen,
David Howells, Marc Dionne, Alexander Viro, Christian Brauner,
Jan Kara, David Hildenbrand, Liam R . Howlett, Mike Rapoport,
Suren Baghdasaryan, Michal Hocko, Jann Horn, Pedro Falcato,
linux-kernel, linux-doc, linux-hyperv, linux-stm32,
linux-arm-kernel, linux-mtd, linux-staging, linux-scsi,
target-devel, linux-afs, linux-fsdevel, linux-mm, Ryan Roberts
In-Reply-To: <094c5fcfb2459a4f6d791b1fb852b01e252a44d4.1774045440.git.ljs@kernel.org>
On 3/20/26 23:39, Lorenzo Stoakes (Oracle) wrote:
> The f_op->mmap interface is deprecated, so update driver to use its
> successor, mmap_prepare.
>
> The driver previously used vm_iomap_memory(), so this change replaces it
> with its mmap_prepare equivalent, mmap_action_simple_ioremap().
>
> Reviewed-by: Suren Baghdasaryan <surenb@google.com>
> Signed-off-by: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
> ---
> drivers/char/hpet.c | 12 +++++++-----
> 1 file changed, 7 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/char/hpet.c b/drivers/char/hpet.c
> index 60dd09a56f50..8f128cc40147 100644
> --- a/drivers/char/hpet.c
> +++ b/drivers/char/hpet.c
> @@ -354,8 +354,9 @@ static __init int hpet_mmap_enable(char *str)
> }
> __setup("hpet_mmap=", hpet_mmap_enable);
>
> -static int hpet_mmap(struct file *file, struct vm_area_struct *vma)
> +static int hpet_mmap_prepare(struct vm_area_desc *desc)
> {
> + struct file *file = desc->file;
> struct hpet_dev *devp;
> unsigned long addr;
>
> @@ -368,11 +369,12 @@ static int hpet_mmap(struct file *file, struct vm_area_struct *vma)
> if (addr & (PAGE_SIZE - 1))
> return -ENOSYS;
>
> - vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
> - return vm_iomap_memory(vma, addr, PAGE_SIZE);
> + desc->page_prot = pgprot_noncached(desc->page_prot);
> + mmap_action_simple_ioremap(desc, addr, PAGE_SIZE);
> + return 0;
> }
> #else
> -static int hpet_mmap(struct file *file, struct vm_area_struct *vma)
> +static int hpet_mmap_prepare(struct vm_area_desc *desc)
> {
> return -ENOSYS;
> }
> @@ -710,7 +712,7 @@ static const struct file_operations hpet_fops = {
> .open = hpet_open,
> .release = hpet_release,
> .fasync = hpet_fasync,
> - .mmap = hpet_mmap,
> + .mmap_prepare = hpet_mmap_prepare,
> };
>
> static int hpet_is_known(struct hpet_data *hdp)
^ permalink raw reply
* Re: [PATCH v4 12/21] misc: open-dice: replace deprecated mmap hook with mmap_prepare
From: Vlastimil Babka (SUSE) @ 2026-03-25 10:14 UTC (permalink / raw)
To: Lorenzo Stoakes (Oracle), Andrew Morton
Cc: Jonathan Corbet, Clemens Ladisch, Arnd Bergmann,
Greg Kroah-Hartman, K . Y . Srinivasan, Haiyang Zhang, Wei Liu,
Dexuan Cui, Long Li, Alexander Shishkin, Maxime Coquelin,
Alexandre Torgue, Miquel Raynal, Richard Weinberger,
Vignesh Raghavendra, Bodo Stroesser, Martin K . Petersen,
David Howells, Marc Dionne, Alexander Viro, Christian Brauner,
Jan Kara, David Hildenbrand, Liam R . Howlett, Mike Rapoport,
Suren Baghdasaryan, Michal Hocko, Jann Horn, Pedro Falcato,
linux-kernel, linux-doc, linux-hyperv, linux-stm32,
linux-arm-kernel, linux-mtd, linux-staging, linux-scsi,
target-devel, linux-afs, linux-fsdevel, linux-mm, Ryan Roberts
In-Reply-To: <5a83ab00195dc8d0609fa6cc525493010ac4ead1.1774045440.git.ljs@kernel.org>
On 3/20/26 23:39, Lorenzo Stoakes (Oracle) wrote:
> The f_op->mmap interface is deprecated, so update driver to use its
> successor, mmap_prepare.
>
> The driver previously used vm_iomap_memory(), so this change replaces it
> with its mmap_prepare equivalent, mmap_action_simple_ioremap().
>
> Reviewed-by: Suren Baghdasaryan <surenb@google.com>
> Signed-off-by: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
> ---
> drivers/misc/open-dice.c | 19 +++++++++++--------
> 1 file changed, 11 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/misc/open-dice.c b/drivers/misc/open-dice.c
> index 24c29e0f00ef..45060fb4ea27 100644
> --- a/drivers/misc/open-dice.c
> +++ b/drivers/misc/open-dice.c
> @@ -86,29 +86,32 @@ static ssize_t open_dice_write(struct file *filp, const char __user *ptr,
> /*
> * Creates a mapping of the reserved memory region in user address space.
> */
> -static int open_dice_mmap(struct file *filp, struct vm_area_struct *vma)
> +static int open_dice_mmap_prepare(struct vm_area_desc *desc)
> {
> + struct file *filp = desc->file;
> struct open_dice_drvdata *drvdata = to_open_dice_drvdata(filp);
>
> - if (vma->vm_flags & VM_MAYSHARE) {
> + if (vma_desc_test(desc, VMA_MAYSHARE_BIT)) {
> /* Do not allow userspace to modify the underlying data. */
> - if (vma->vm_flags & VM_WRITE)
> + if (vma_desc_test(desc, VMA_WRITE_BIT))
> return -EPERM;
> /* Ensure userspace cannot acquire VM_WRITE later. */
> - vm_flags_clear(vma, VM_MAYWRITE);
> + vma_desc_clear_flags(desc, VMA_MAYWRITE_BIT);
> }
>
> /* Create write-combine mapping so all clients observe a wipe. */
> - vma->vm_page_prot = pgprot_writecombine(vma->vm_page_prot);
> - vm_flags_set(vma, VM_DONTCOPY | VM_DONTDUMP);
> - return vm_iomap_memory(vma, drvdata->rmem->base, drvdata->rmem->size);
> + desc->page_prot = pgprot_writecombine(desc->page_prot);
> + vma_desc_set_flags(desc, VMA_DONTCOPY_BIT, VMA_DONTDUMP_BIT);
> + mmap_action_simple_ioremap(desc, drvdata->rmem->base,
> + drvdata->rmem->size);
> + return 0;
> }
>
> static const struct file_operations open_dice_fops = {
> .owner = THIS_MODULE,
> .read = open_dice_read,
> .write = open_dice_write,
> - .mmap = open_dice_mmap,
> + .mmap_prepare = open_dice_mmap_prepare,
> };
>
> static int __init open_dice_probe(struct platform_device *pdev)
^ permalink raw reply
* Re: [PATCH v4 12/21] misc: open-dice: replace deprecated mmap hook with mmap_prepare
From: Vlastimil Babka (SUSE) @ 2026-03-25 10:04 UTC (permalink / raw)
To: Lorenzo Stoakes (Oracle), Andrew Morton
Cc: Jonathan Corbet, Clemens Ladisch, Arnd Bergmann,
Greg Kroah-Hartman, K . Y . Srinivasan, Haiyang Zhang, Wei Liu,
Dexuan Cui, Long Li, Alexander Shishkin, Maxime Coquelin,
Alexandre Torgue, Miquel Raynal, Richard Weinberger,
Vignesh Raghavendra, Bodo Stroesser, Martin K . Petersen,
David Howells, Marc Dionne, Alexander Viro, Christian Brauner,
Jan Kara, David Hildenbrand, Liam R . Howlett, Mike Rapoport,
Suren Baghdasaryan, Michal Hocko, Jann Horn, Pedro Falcato,
linux-kernel, linux-doc, linux-hyperv, linux-stm32,
linux-arm-kernel, linux-mtd, linux-staging, linux-scsi,
target-devel, linux-afs, linux-fsdevel, linux-mm, Ryan Roberts
In-Reply-To: <5a83ab00195dc8d0609fa6cc525493010ac4ead1.1774045440.git.ljs@kernel.org>
On 3/20/26 23:39, Lorenzo Stoakes (Oracle) wrote:
> The f_op->mmap interface is deprecated, so update driver to use its
> successor, mmap_prepare.
>
> The driver previously used vm_iomap_memory(), so this change replaces it
> with its mmap_prepare equivalent, mmap_action_simple_ioremap().
>
> Reviewed-by: Suren Baghdasaryan <surenb@google.com>
> Signed-off-by: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
> ---
> drivers/misc/open-dice.c | 19 +++++++++++--------
> 1 file changed, 11 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/misc/open-dice.c b/drivers/misc/open-dice.c
> index 24c29e0f00ef..45060fb4ea27 100644
> --- a/drivers/misc/open-dice.c
> +++ b/drivers/misc/open-dice.c
> @@ -86,29 +86,32 @@ static ssize_t open_dice_write(struct file *filp, const char __user *ptr,
> /*
> * Creates a mapping of the reserved memory region in user address space.
> */
> -static int open_dice_mmap(struct file *filp, struct vm_area_struct *vma)
> +static int open_dice_mmap_prepare(struct vm_area_desc *desc)
> {
> + struct file *filp = desc->file;
> struct open_dice_drvdata *drvdata = to_open_dice_drvdata(filp);
>
> - if (vma->vm_flags & VM_MAYSHARE) {
> + if (vma_desc_test(desc, VMA_MAYSHARE_BIT)) {
> /* Do not allow userspace to modify the underlying data. */
> - if (vma->vm_flags & VM_WRITE)
> + if (vma_desc_test(desc, VMA_WRITE_BIT))
> return -EPERM;
> /* Ensure userspace cannot acquire VM_WRITE later. */
> - vm_flags_clear(vma, VM_MAYWRITE);
> + vma_desc_clear_flags(desc, VMA_MAYWRITE_BIT);
> }
>
> /* Create write-combine mapping so all clients observe a wipe. */
> - vma->vm_page_prot = pgprot_writecombine(vma->vm_page_prot);
> - vm_flags_set(vma, VM_DONTCOPY | VM_DONTDUMP);
> - return vm_iomap_memory(vma, drvdata->rmem->base, drvdata->rmem->size);
> + desc->page_prot = pgprot_writecombine(desc->page_prot);
> + vma_desc_set_flags(desc, VMA_DONTCOPY_BIT, VMA_DONTDUMP_BIT);
> + mmap_action_simple_ioremap(desc, drvdata->rmem->base,
> + drvdata->rmem->size);
> + return 0;
> }
>
> static const struct file_operations open_dice_fops = {
> .owner = THIS_MODULE,
> .read = open_dice_read,
> .write = open_dice_write,
> - .mmap = open_dice_mmap,
> + .mmap_prepare = open_dice_mmap_prepare,
> };
>
> static int __init open_dice_probe(struct platform_device *pdev)
^ permalink raw reply
* Re: [PATCH v4 11/21] mm: add mmap_action_simple_ioremap()
From: Vlastimil Babka (SUSE) @ 2026-03-25 9:58 UTC (permalink / raw)
To: Lorenzo Stoakes (Oracle), Andrew Morton
Cc: Jonathan Corbet, Clemens Ladisch, Arnd Bergmann,
Greg Kroah-Hartman, K . Y . Srinivasan, Haiyang Zhang, Wei Liu,
Dexuan Cui, Long Li, Alexander Shishkin, Maxime Coquelin,
Alexandre Torgue, Miquel Raynal, Richard Weinberger,
Vignesh Raghavendra, Bodo Stroesser, Martin K . Petersen,
David Howells, Marc Dionne, Alexander Viro, Christian Brauner,
Jan Kara, David Hildenbrand, Liam R . Howlett, Mike Rapoport,
Suren Baghdasaryan, Michal Hocko, Jann Horn, Pedro Falcato,
linux-kernel, linux-doc, linux-hyperv, linux-stm32,
linux-arm-kernel, linux-mtd, linux-staging, linux-scsi,
target-devel, linux-afs, linux-fsdevel, linux-mm, Ryan Roberts
In-Reply-To: <a08ef1c4542202684da63bb37f459d5dbbeddd91.1774045440.git.ljs@kernel.org>
On 3/20/26 23:39, Lorenzo Stoakes (Oracle) wrote:
> Currently drivers use vm_iomap_memory() as a simple helper function for
> I/O remapping memory over a range starting at a specified physical address
> over a specified length.
>
> In order to utilise this from mmap_prepare, separate out the core logic
> into __simple_ioremap_prep(), update vm_iomap_memory() to use it, and add
> simple_ioremap_prepare() to do the same with a VMA descriptor object.
>
> We also add MMAP_SIMPLE_IO_REMAP and relevant fields to the struct
> mmap_action type to permit this operation also.
>
> We use mmap_action_ioremap() to set up the actual I/O remap operation once
> we have checked and figured out the parameters, which makes
> simple_ioremap_prepare() easy to implement.
>
> We then add mmap_action_simple_ioremap() to allow drivers to make use of
> this mode.
>
> We update the mmap_prepare documentation to describe this mode. Finally,
> we update the VMA tests to reflect this change.
>
> Reviewed-by: Suren Baghdasaryan <surenb@google.com>
> Signed-off-by: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
^ permalink raw reply
* Re: [PATCH net] netvsc: transfer lower device max tso size during VF transition
From: Vitaly Kuznetsov @ 2026-03-25 9:47 UTC (permalink / raw)
To: Li Tian, netdev, linux-hyperv
Cc: linux-kernel, Haiyang Zhang, Wei Liu, Dexuan Cui, Long Li,
Andrew Lunn, Eric Dumazet, Paolo Abeni, Jakub Kicinski,
Jason Wang, Li Tian
In-Reply-To: <20260325045006.18607-1-litian@redhat.com>
Li Tian <litian@redhat.com> writes:
> When netvsc is accelerated by the lower device, we can advertise the
> lower device max tso size in order to get better performance.
> While a long-term migration to user-space bonding is planned, current
> users on RHEL 10 / Azure are experiencing significant performance
> regressions in 802.3ad environments. This patch provides a localized,
> safe fix within netvsc without introducing new core networking helpers.
>
> Signed-off-by: Li Tian <litian@redhat.com>
> ---
> drivers/net/hyperv/netvsc_drv.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
> index ee5ab5ceb2be..971607c7406f 100644
> --- a/drivers/net/hyperv/netvsc_drv.c
> +++ b/drivers/net/hyperv/netvsc_drv.c
> @@ -2428,10 +2428,14 @@ static int netvsc_vf_changed(struct net_device *vf_netdev, unsigned long event)
> * This value is only increased for netvsc NIC when datapath is
> * switched over to the VF
> */
> - if (vf_is_up)
> + if (vf_is_up) {
> netif_set_tso_max_size(ndev, vf_netdev->tso_max_size);
> - else
> + WRITE_ONCE(ndev->gso_max_size, READ_ONCE(vf_netdev->gso_max_size));
> + WRITE_ONCE(ndev->gso_ipv4_max_size,
> + READ_ONCE(vf_netdev->gso_ipv4_max_size));
It seems netif_set_gso_max_size() helper does exactly that, i.e. sets both
gso_max_size and gso_ipv4_max_size.
> + } else {
> netif_set_tso_max_size(ndev, netvsc_dev->netvsc_gso_max_size);
> + }
> }
>
> return NOTIFY_OK;
--
Vitaly
^ permalink raw reply
* Re: [PATCH v4 10/21] fs: afs: restore mmap_prepare implementation
From: Vlastimil Babka (SUSE) @ 2026-03-25 9:47 UTC (permalink / raw)
To: Lorenzo Stoakes (Oracle), Andrew Morton
Cc: Jonathan Corbet, Clemens Ladisch, Arnd Bergmann,
Greg Kroah-Hartman, K . Y . Srinivasan, Haiyang Zhang, Wei Liu,
Dexuan Cui, Long Li, Alexander Shishkin, Maxime Coquelin,
Alexandre Torgue, Miquel Raynal, Richard Weinberger,
Vignesh Raghavendra, Bodo Stroesser, Martin K . Petersen,
David Howells, Marc Dionne, Alexander Viro, Christian Brauner,
Jan Kara, David Hildenbrand, Liam R . Howlett, Mike Rapoport,
Suren Baghdasaryan, Michal Hocko, Jann Horn, Pedro Falcato,
linux-kernel, linux-doc, linux-hyperv, linux-stm32,
linux-arm-kernel, linux-mtd, linux-staging, linux-scsi,
target-devel, linux-afs, linux-fsdevel, linux-mm, Ryan Roberts
In-Reply-To: <ad9a94350a9c7d2bdab79fc397ef0f64d3412d71.1774045440.git.ljs@kernel.org>
On 3/20/26 23:39, Lorenzo Stoakes (Oracle) wrote:
> Commit 9d5403b1036c ("fs: convert most other generic_file_*mmap() users to
> .mmap_prepare()") updated AFS to use the mmap_prepare callback in favour
> of the deprecated mmap callback.
>
> However, it did not account for the fact that mmap_prepare is called
> pre-merge, and may then be merged, nor that mmap_prepare can fail to map
> due to an out of memory error.
>
> This change was therefore since reverted.
>
> Both of those are cases in which we should not be incrementing a reference
> count.
>
> With the newly added vm_ops->mapped callback available, we can simply
> defer this operation to that callback which is only invoked once the
> mapping is successfully in place (but not yet visible to userspace as the
> mmap and VMA write locks are held).
>
> This allows us to once again reimplement the .mmap_prepare implementation
> for this file system.
>
> Therefore add afs_mapped() to implement this callback for AFS, and remove
> the code doing so in afs_mmap_prepare().
>
> Also update afs_vm_open(), afs_vm_close() and afs_vm_map_pages() to be
> consistent in how the vnode is accessed.
>
> Signed-off-by: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
Yep that should take care of that reference count problem.
Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
> ---
> fs/afs/file.c | 42 +++++++++++++++++++++++++++++-------------
> 1 file changed, 29 insertions(+), 13 deletions(-)
>
> diff --git a/fs/afs/file.c b/fs/afs/file.c
> index 74d04af51ff4..85696ac984cc 100644
> --- a/fs/afs/file.c
> +++ b/fs/afs/file.c
> @@ -19,7 +19,7 @@
> #include <trace/events/netfs.h>
> #include "internal.h"
>
> -static int afs_file_mmap(struct file *file, struct vm_area_struct *vma);
> +static int afs_file_mmap_prepare(struct vm_area_desc *desc);
>
> static ssize_t afs_file_read_iter(struct kiocb *iocb, struct iov_iter *iter);
> static ssize_t afs_file_splice_read(struct file *in, loff_t *ppos,
> @@ -28,6 +28,8 @@ static ssize_t afs_file_splice_read(struct file *in, loff_t *ppos,
> static void afs_vm_open(struct vm_area_struct *area);
> static void afs_vm_close(struct vm_area_struct *area);
> static vm_fault_t afs_vm_map_pages(struct vm_fault *vmf, pgoff_t start_pgoff, pgoff_t end_pgoff);
> +static int afs_mapped(unsigned long start, unsigned long end, pgoff_t pgoff,
> + const struct file *file, void **vm_private_data);
>
> const struct file_operations afs_file_operations = {
> .open = afs_open,
> @@ -35,7 +37,7 @@ const struct file_operations afs_file_operations = {
> .llseek = generic_file_llseek,
> .read_iter = afs_file_read_iter,
> .write_iter = netfs_file_write_iter,
> - .mmap = afs_file_mmap,
> + .mmap_prepare = afs_file_mmap_prepare,
> .splice_read = afs_file_splice_read,
> .splice_write = iter_file_splice_write,
> .fsync = afs_fsync,
> @@ -61,6 +63,7 @@ const struct address_space_operations afs_file_aops = {
> };
>
> static const struct vm_operations_struct afs_vm_ops = {
> + .mapped = afs_mapped,
> .open = afs_vm_open,
> .close = afs_vm_close,
> .fault = filemap_fault,
> @@ -492,34 +495,47 @@ static void afs_drop_open_mmap(struct afs_vnode *vnode)
> /*
> * Handle setting up a memory mapping on an AFS file.
> */
> -static int afs_file_mmap(struct file *file, struct vm_area_struct *vma)
> +static int afs_file_mmap_prepare(struct vm_area_desc *desc)
> {
> - struct afs_vnode *vnode = AFS_FS_I(file_inode(file));
> int ret;
>
> - afs_add_open_mmap(vnode);
> + ret = generic_file_mmap_prepare(desc);
> + if (ret)
> + return ret;
>
> - ret = generic_file_mmap(file, vma);
> - if (ret == 0)
> - vma->vm_ops = &afs_vm_ops;
> - else
> - afs_drop_open_mmap(vnode);
> + desc->vm_ops = &afs_vm_ops;
> return ret;
> }
>
> +static int afs_mapped(unsigned long start, unsigned long end, pgoff_t pgoff,
> + const struct file *file, void **vm_private_data)
> +{
> + struct afs_vnode *vnode = AFS_FS_I(file_inode(file));
> +
> + afs_add_open_mmap(vnode);
> + return 0;
> +}
> +
> static void afs_vm_open(struct vm_area_struct *vma)
> {
> - afs_add_open_mmap(AFS_FS_I(file_inode(vma->vm_file)));
> + struct file *file = vma->vm_file;
> + struct afs_vnode *vnode = AFS_FS_I(file_inode(file));
> +
> + afs_add_open_mmap(vnode);
> }
>
> static void afs_vm_close(struct vm_area_struct *vma)
> {
> - afs_drop_open_mmap(AFS_FS_I(file_inode(vma->vm_file)));
> + struct file *file = vma->vm_file;
> + struct afs_vnode *vnode = AFS_FS_I(file_inode(file));
> +
> + afs_drop_open_mmap(vnode);
> }
>
> static vm_fault_t afs_vm_map_pages(struct vm_fault *vmf, pgoff_t start_pgoff, pgoff_t end_pgoff)
> {
> - struct afs_vnode *vnode = AFS_FS_I(file_inode(vmf->vma->vm_file));
> + struct file *file = vmf->vma->vm_file;
> + struct afs_vnode *vnode = AFS_FS_I(file_inode(file));
>
> if (afs_check_validity(vnode))
> return filemap_map_pages(vmf, start_pgoff, end_pgoff);
> --
> 2.53.0
^ permalink raw reply
* Re: [PATCH 00/12] treewide: Convert buses to use generic driver_override
From: Michael S. Tsirkin @ 2026-03-25 9:29 UTC (permalink / raw)
To: Danilo Krummrich
Cc: Russell King, Greg Kroah-Hartman, Rafael J. Wysocki,
Ioana Ciornei, Nipun Gupta, Nikhil Agarwal, K. Y. Srinivasan,
Haiyang Zhang, Wei Liu, Dexuan Cui, Long Li, Bjorn Helgaas,
Armin Wolf, Bjorn Andersson, Mathieu Poirier, Vineeth Vijayan,
Peter Oberparleiter, Heiko Carstens, Vasily Gorbik,
Alexander Gordeev, Christian Borntraeger, Sven Schnelle,
Harald Freudenberger, Holger Dengler, Mark Brown, Jason Wang,
Xuan Zhuo, Eugenio Pérez, Alex Williamson, Juergen Gross,
Stefano Stabellini, Oleksandr Tyshchenko,
Christophe Leroy (CS GROUP), linux-kernel, driver-core,
linuxppc-dev, linux-hyperv, linux-pci, platform-driver-x86,
linux-arm-msm, linux-remoteproc, linux-s390, linux-spi,
virtualization, kvm, xen-devel, linux-arm-kernel
In-Reply-To: <20260324005919.2408620-1-dakr@kernel.org>
On Tue, Mar 24, 2026 at 01:59:04AM +0100, Danilo Krummrich wrote:
> This is the follow-up of the driver_override generalization in [1], converting
> the remaining 11 busses and removing the now-unused driver_set_override()
> helper.
>
> All of them (except AP, which has a different race condition) are prone to the
> potential UAF described in [2], caused by accessing the driver_override field
> from their corresponding match() callback.
>
> In order to address this, the generalized driver_override field in struct device
> is protected with a spinlock. The driver-core provides accessors, such as
> device_match_driver_override(), device_has_driver_override() and
> device_set_driver_override(), which all ensure proper locking internally.
>
> Additionally, the driver-core provides a driver_override flag in struct
> bus_type, which, once enabled, automatically registers generic sysfs callbacks,
> allowing userspace to modify the driver_override field.
>
> SPI and AP are a bit special; both print "\n" when driver_override is not set,
> whereas all other buses (and thus the driver-core) produce "(null)\n" in this
> case.
>
> Hence, SPI and AP do not take advantage of the driver_override flag in struct
> bus_type; AP additionally maintains a counter in its custom sysfs store().
>
> Technically, we could support a custom fallback string when driver_override is
> unset in struct bus_type, but only SPI would benefit from this, since AP has
> additional custom logic in store() anyways.
>
> (I'm not sure if there are userspace programs that strictly rely on this;
> driverctl seems to check for both, but I rather not break some userspace tool
> I'm not aware of. :)
>
> This series is based on v7.0-rc5 with no additional dependencies, hence those
> patches can be picked up by subsystems individually.
>
> [1] https://lore.kernel.org/driver-core/20260303115720.48783-1-dakr@kernel.org/
> [2] https://bugzilla.kernel.org/show_bug.cgi?id=220789
> [3] https://gitlab.com/driverctl/driverctl/-/blob/0.121/driverctl?ref_type=tags#L99
vdpa bits:
Acked-by: Michael S. Tsirkin <mst@redhat.com>
I assume it'll all be merged together?
> Danilo Krummrich (12):
> amba: use generic driver_override infrastructure
> bus: fsl-mc: use generic driver_override infrastructure
> cdx: use generic driver_override infrastructure
> hv: vmbus: use generic driver_override infrastructure
> PCI: use generic driver_override infrastructure
> platform/wmi: use generic driver_override infrastructure
> rpmsg: use generic driver_override infrastructure
> vdpa: use generic driver_override infrastructure
> s390/cio: use generic driver_override infrastructure
> s390/ap: use generic driver_override infrastructure
> spi: use generic driver_override infrastructure
> driver core: remove driver_set_override()
>
> drivers/amba/bus.c | 37 +++------------
> drivers/base/driver.c | 75 ------------------------------
> drivers/bus/fsl-mc/fsl-mc-bus.c | 43 +++--------------
> drivers/cdx/cdx.c | 40 ++--------------
> drivers/hv/vmbus_drv.c | 36 ++------------
> drivers/pci/pci-driver.c | 11 +++--
> drivers/pci/pci-sysfs.c | 28 -----------
> drivers/pci/probe.c | 1 -
> drivers/platform/wmi/core.c | 36 ++------------
> drivers/rpmsg/qcom_glink_native.c | 2 -
> drivers/rpmsg/rpmsg_core.c | 43 +++--------------
> drivers/rpmsg/virtio_rpmsg_bus.c | 1 -
> drivers/s390/cio/cio.h | 5 --
> drivers/s390/cio/css.c | 34 ++------------
> drivers/s390/crypto/ap_bus.c | 34 +++++++-------
> drivers/s390/crypto/ap_bus.h | 1 -
> drivers/s390/crypto/ap_queue.c | 24 +++-------
> drivers/spi/spi.c | 19 +++-----
> drivers/vdpa/vdpa.c | 48 ++-----------------
> drivers/vfio/fsl-mc/vfio_fsl_mc.c | 4 +-
> drivers/vfio/pci/vfio_pci_core.c | 5 +-
> drivers/xen/xen-pciback/pci_stub.c | 6 ++-
> include/linux/amba/bus.h | 5 --
> include/linux/cdx/cdx_bus.h | 4 --
> include/linux/device/driver.h | 2 -
> include/linux/fsl/mc.h | 4 --
> include/linux/hyperv.h | 5 --
> include/linux/pci.h | 6 ---
> include/linux/rpmsg.h | 4 --
> include/linux/spi/spi.h | 5 --
> include/linux/vdpa.h | 4 --
> include/linux/wmi.h | 4 --
> 32 files changed, 88 insertions(+), 488 deletions(-)
>
>
> base-commit: c369299895a591d96745d6492d4888259b004a9e
> --
> 2.53.0
^ permalink raw reply
* Re: [RFC PATCH V3] x86/VMBus: Confidential VMBus for dynamic DMA transfers
From: Leon Romanovsky @ 2026-03-25 9:22 UTC (permalink / raw)
To: Tianyu Lan
Cc: kys, haiyangz, wei.liu, decui, longli, m.szyprowski, robin.murphy,
Tianyu Lan, iommu, linux-hyperv, linux-kernel, hch, vdso,
Michael Kelley
In-Reply-To: <20260325075649.248241-1-tiala@microsoft.com>
On Wed, Mar 25, 2026 at 03:56:49AM -0400, Tianyu Lan wrote:
> Hyper-V provides Confidential VMBus to communicate between
> device model and device guest driver via encrypted/private
> memory in Confidential VM. The device model is in OpenHCL
> (https://openvmm.dev/guide/user_guide/openhcl.html) that
> plays the paravisor role.
>
> For a VMBus device, there are two communication methods to
> talk with Host/Hypervisor. 1) VMBUS Ring buffer 2) Dynamic
> DMA transfer.
>
> The Confidential VMBus Ring buffer has been upstreamed by
> Roman Kisel(commit 6802d8af47d1).
>
> The dynamic DMA transition of VMBus device normally goes
> through DMA core and it uses SWIOTLB as bounce buffer in
> a CoCo VM.
>
> The Confidential VMBus device can do DMA directly to
> private/encrypted memory. Because the swiotlb is decrypted
> memory, the DMA transfer must not be bounced through the
> swiotlb, so as to preserve confidentiality. This is different
> from the default for Linux CoCo VMs, so disable the VMBus
> device's use of swiotlb.
>
> Expose swiotlb_dev_disable() from DMA Core to disable
> bounce buffer for device.
It feels awkward and like a layering violation to let arbitrary kernel
drivers manipulate SWIOTLB, which sits beneath the DMA core.
Thanks
>
> Suggested-by: Michael Kelley <mhklinux@outlook.com>
> Signed-off-by: Tianyu Lan <tiala@microsoft.com>
> ---
> drivers/hv/vmbus_drv.c | 6 +++++-
> include/linux/swiotlb.h | 5 +++++
> 2 files changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
> index 3d1a58b667db..84e6971fc90f 100644
> --- a/drivers/hv/vmbus_drv.c
> +++ b/drivers/hv/vmbus_drv.c
> @@ -2184,11 +2184,15 @@ int vmbus_device_register(struct hv_device *child_device_obj)
> child_device_obj->device.dma_mask = &child_device_obj->dma_mask;
> dma_set_mask(&child_device_obj->device, DMA_BIT_MASK(64));
>
> + device_initialize(&child_device_obj->device);
> + if (child_device_obj->channel->co_external_memory)
> + swiotlb_dev_disable(&child_device_obj->device);
> +
> /*
> * Register with the LDM. This will kick off the driver/device
> * binding...which will eventually call vmbus_match() and vmbus_probe()
> */
> - ret = device_register(&child_device_obj->device);
> + ret = device_add(&child_device_obj->device);
> if (ret) {
> pr_err("Unable to register child device\n");
> put_device(&child_device_obj->device);
> diff --git a/include/linux/swiotlb.h b/include/linux/swiotlb.h
> index 3dae0f592063..7c572570d5d9 100644
> --- a/include/linux/swiotlb.h
> +++ b/include/linux/swiotlb.h
> @@ -169,6 +169,11 @@ static inline struct io_tlb_pool *swiotlb_find_pool(struct device *dev,
> return NULL;
> }
>
> +static inline bool swiotlb_dev_disable(struct device *dev)
> +{
> + return dev->dma_io_tlb_mem == NULL;
> +}
> +
> static inline bool is_swiotlb_force_bounce(struct device *dev)
> {
> struct io_tlb_mem *mem = dev->dma_io_tlb_mem;
> --
> 2.50.1
>
>
^ permalink raw reply
* Re: [PATCH rdma v2] RDMA/mana_ib: Disable RX steering on RSS QP destroy
From: Leon Romanovsky @ 2026-03-25 9:13 UTC (permalink / raw)
To: Long Li
Cc: Konstantin Taranov, Jakub Kicinski, David S . Miller, Paolo Abeni,
Eric Dumazet, Andrew Lunn, Jason Gunthorpe, Haiyang Zhang,
K . Y . Srinivasan, Wei Liu, Dexuan Cui, Simon Horman, netdev,
linux-rdma, linux-hyperv, linux-kernel, stable
In-Reply-To: <20260323201106.1768705-1-longli@microsoft.com>
On Mon, Mar 23, 2026 at 01:10:56PM -0700, Long Li wrote:
> When an RSS QP is destroyed (e.g. DPDK exit), mana_ib_destroy_qp_rss()
> destroys the RX WQ objects but does not disable vPort RX steering in
> firmware. This leaves stale steering configuration that still points to
> the destroyed RX objects.
>
> If traffic continues to arrive (e.g. peer VM is still transmitting) and
> the VF interface is subsequently brought up (mana_open), the firmware
> may deliver completions using stale CQ IDs from the old RX objects.
> These CQ IDs can be reused by the ethernet driver for new TX CQs,
> causing RX completions to land on TX CQs:
>
> WARNING: mana_poll_tx_cq+0x1b8/0x220 [mana] (is_sq == false)
> WARNING: mana_gd_process_eq_events+0x209/0x290 (cq_table lookup fails)
>
> Fix this by disabling vPort RX steering before destroying RX WQ objects.
> Note that mana_fence_rqs() cannot be used here because the fence
> completion is delivered on the CQ, which is polled by user-mode (e.g.
> DPDK) and not visible to the kernel driver.
>
> Refactor the disable logic into a shared mana_disable_vport_rx() in
> mana_en, exported for use by mana_ib, replacing the duplicate code.
> The ethernet driver's mana_dealloc_queues() is also updated to call
> this common function.
>
> Fixes: 0266a177631d ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter")
> Cc: stable@vger.kernel.org
> Signed-off-by: Long Li <longli@microsoft.com>
> ---
> v2:
> - Removed redundant ibdev_err on mana_disable_vport_rx() failure as
> mana_cfg_vport_steering() already logs all failure scenarios.
> - Added comment clarifying this is best effort.
> drivers/infiniband/hw/mana/qp.c | 15 +++++++++++++++
> drivers/net/ethernet/microsoft/mana/mana_en.c | 11 ++++++++++-
> include/net/mana/mana.h | 1 +
> 3 files changed, 26 insertions(+), 1 deletion(-)
It doesn't apply to rdma-rc.
Looking up https://lore.kernel.org/all/20260323201106.1768705-1-longli@microsoft.com/
Grabbing thread from lore.kernel.org/all/20260323201106.1768705-1-longli@microsoft.com/t.mbox.gz
Checking for newer revisions
Grabbing search results from lore.kernel.org
Analyzing 3 messages in the thread
Looking for additional code-review trailers on lore.kernel.org
Analyzing 0 code-review messages
Checking attestation on all messages, may take a moment...
---
[PATCH v2] RDMA/mana_ib: Disable RX steering on RSS QP destroy
+ Link: https://patch.msgid.link/20260323201106.1768705-1-longli@microsoft.com
+ Signed-off-by: Leon Romanovsky <leon@kernel.org>
---
NOTE: install dkimpy for DKIM signature verification
---
Total patches: 1
---
Applying: RDMA/mana_ib: Disable RX steering on RSS QP destroy
Patch failed at 0001 RDMA/mana_ib: Disable RX steering on RSS QP destroy
error: patch failed: drivers/net/ethernet/microsoft/mana/mana_en.c:3339
error: drivers/net/ethernet/microsoft/mana/mana_en.c: patch does not apply
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Press any key to continue...
Thanks
^ permalink raw reply
* Re: [PATCH v4 09/21] fs: afs: revert mmap_prepare() change
From: Vlastimil Babka (SUSE) @ 2026-03-25 9:06 UTC (permalink / raw)
To: Lorenzo Stoakes (Oracle), Andrew Morton
Cc: Jonathan Corbet, Clemens Ladisch, Arnd Bergmann,
Greg Kroah-Hartman, K . Y . Srinivasan, Haiyang Zhang, Wei Liu,
Dexuan Cui, Long Li, Alexander Shishkin, Maxime Coquelin,
Alexandre Torgue, Miquel Raynal, Richard Weinberger,
Vignesh Raghavendra, Bodo Stroesser, Martin K . Petersen,
David Howells, Marc Dionne, Alexander Viro, Christian Brauner,
Jan Kara, David Hildenbrand, Liam R . Howlett, Mike Rapoport,
Suren Baghdasaryan, Michal Hocko, Jann Horn, Pedro Falcato,
linux-kernel, linux-doc, linux-hyperv, linux-stm32,
linux-arm-kernel, linux-mtd, linux-staging, linux-scsi,
target-devel, linux-afs, linux-fsdevel, linux-mm, Ryan Roberts
In-Reply-To: <08804c94e39d9102a3a8fbd12385e8aa079ba1d3.1774045440.git.ljs@kernel.org>
On 3/20/26 23:39, Lorenzo Stoakes (Oracle) wrote:
> Partially reverts commit 9d5403b1036c ("fs: convert most other
> generic_file_*mmap() users to .mmap_prepare()").
>
> This is because the .mmap invocation establishes a refcount, but
> .mmap_prepare is called at a point where a merge or an allocation failure
> might happen after the call, which would leak the refcount increment.
>
> Functionality is being added to permit the use of .mmap_prepare in this
> case, but in the interim, we need to fix this.
>
> Fixes: 9d5403b1036c ("fs: convert most other generic_file_*mmap() users to .mmap_prepare()")
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
> ---
> fs/afs/file.c | 12 ++++++------
> 1 file changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/fs/afs/file.c b/fs/afs/file.c
> index f609366fd2ac..74d04af51ff4 100644
> --- a/fs/afs/file.c
> +++ b/fs/afs/file.c
> @@ -19,7 +19,7 @@
> #include <trace/events/netfs.h>
> #include "internal.h"
>
> -static int afs_file_mmap_prepare(struct vm_area_desc *desc);
> +static int afs_file_mmap(struct file *file, struct vm_area_struct *vma);
>
> static ssize_t afs_file_read_iter(struct kiocb *iocb, struct iov_iter *iter);
> static ssize_t afs_file_splice_read(struct file *in, loff_t *ppos,
> @@ -35,7 +35,7 @@ const struct file_operations afs_file_operations = {
> .llseek = generic_file_llseek,
> .read_iter = afs_file_read_iter,
> .write_iter = netfs_file_write_iter,
> - .mmap_prepare = afs_file_mmap_prepare,
> + .mmap = afs_file_mmap,
> .splice_read = afs_file_splice_read,
> .splice_write = iter_file_splice_write,
> .fsync = afs_fsync,
> @@ -492,16 +492,16 @@ static void afs_drop_open_mmap(struct afs_vnode *vnode)
> /*
> * Handle setting up a memory mapping on an AFS file.
> */
> -static int afs_file_mmap_prepare(struct vm_area_desc *desc)
> +static int afs_file_mmap(struct file *file, struct vm_area_struct *vma)
> {
> - struct afs_vnode *vnode = AFS_FS_I(file_inode(desc->file));
> + struct afs_vnode *vnode = AFS_FS_I(file_inode(file));
> int ret;
>
> afs_add_open_mmap(vnode);
>
> - ret = generic_file_mmap_prepare(desc);
> + ret = generic_file_mmap(file, vma);
> if (ret == 0)
> - desc->vm_ops = &afs_vm_ops;
> + vma->vm_ops = &afs_vm_ops;
> else
> afs_drop_open_mmap(vnode);
> return ret;
^ permalink raw reply
* [RFC PATCH V3] x86/VMBus: Confidential VMBus for dynamic DMA transfers
From: Tianyu Lan @ 2026-03-25 7:56 UTC (permalink / raw)
To: kys, haiyangz, wei.liu, decui, longli, m.szyprowski, robin.murphy
Cc: Tianyu Lan, iommu, linux-hyperv, linux-kernel, hch, vdso,
Michael Kelley
Hyper-V provides Confidential VMBus to communicate between
device model and device guest driver via encrypted/private
memory in Confidential VM. The device model is in OpenHCL
(https://openvmm.dev/guide/user_guide/openhcl.html) that
plays the paravisor role.
For a VMBus device, there are two communication methods to
talk with Host/Hypervisor. 1) VMBUS Ring buffer 2) Dynamic
DMA transfer.
The Confidential VMBus Ring buffer has been upstreamed by
Roman Kisel(commit 6802d8af47d1).
The dynamic DMA transition of VMBus device normally goes
through DMA core and it uses SWIOTLB as bounce buffer in
a CoCo VM.
The Confidential VMBus device can do DMA directly to
private/encrypted memory. Because the swiotlb is decrypted
memory, the DMA transfer must not be bounced through the
swiotlb, so as to preserve confidentiality. This is different
from the default for Linux CoCo VMs, so disable the VMBus
device's use of swiotlb.
Expose swiotlb_dev_disable() from DMA Core to disable
bounce buffer for device.
Suggested-by: Michael Kelley <mhklinux@outlook.com>
Signed-off-by: Tianyu Lan <tiala@microsoft.com>
---
drivers/hv/vmbus_drv.c | 6 +++++-
include/linux/swiotlb.h | 5 +++++
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
index 3d1a58b667db..84e6971fc90f 100644
--- a/drivers/hv/vmbus_drv.c
+++ b/drivers/hv/vmbus_drv.c
@@ -2184,11 +2184,15 @@ int vmbus_device_register(struct hv_device *child_device_obj)
child_device_obj->device.dma_mask = &child_device_obj->dma_mask;
dma_set_mask(&child_device_obj->device, DMA_BIT_MASK(64));
+ device_initialize(&child_device_obj->device);
+ if (child_device_obj->channel->co_external_memory)
+ swiotlb_dev_disable(&child_device_obj->device);
+
/*
* Register with the LDM. This will kick off the driver/device
* binding...which will eventually call vmbus_match() and vmbus_probe()
*/
- ret = device_register(&child_device_obj->device);
+ ret = device_add(&child_device_obj->device);
if (ret) {
pr_err("Unable to register child device\n");
put_device(&child_device_obj->device);
diff --git a/include/linux/swiotlb.h b/include/linux/swiotlb.h
index 3dae0f592063..7c572570d5d9 100644
--- a/include/linux/swiotlb.h
+++ b/include/linux/swiotlb.h
@@ -169,6 +169,11 @@ static inline struct io_tlb_pool *swiotlb_find_pool(struct device *dev,
return NULL;
}
+static inline bool swiotlb_dev_disable(struct device *dev)
+{
+ return dev->dma_io_tlb_mem == NULL;
+}
+
static inline bool is_swiotlb_force_bounce(struct device *dev)
{
struct io_tlb_mem *mem = dev->dma_io_tlb_mem;
--
2.50.1
^ permalink raw reply related
* [PATCH net] netvsc: transfer lower device max tso size during VF transition
From: Li Tian @ 2026-03-25 4:50 UTC (permalink / raw)
To: netdev, linux-hyperv
Cc: linux-kernel, Haiyang Zhang, Wei Liu, Dexuan Cui, Long Li,
Andrew Lunn, Eric Dumazet, Vitaly Kuznetsov, Paolo Abeni,
Jakub Kicinski, Jason Wang, Li Tian
When netvsc is accelerated by the lower device, we can advertise the
lower device max tso size in order to get better performance.
While a long-term migration to user-space bonding is planned, current
users on RHEL 10 / Azure are experiencing significant performance
regressions in 802.3ad environments. This patch provides a localized,
safe fix within netvsc without introducing new core networking helpers.
Signed-off-by: Li Tian <litian@redhat.com>
---
drivers/net/hyperv/netvsc_drv.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
index ee5ab5ceb2be..971607c7406f 100644
--- a/drivers/net/hyperv/netvsc_drv.c
+++ b/drivers/net/hyperv/netvsc_drv.c
@@ -2428,10 +2428,14 @@ static int netvsc_vf_changed(struct net_device *vf_netdev, unsigned long event)
* This value is only increased for netvsc NIC when datapath is
* switched over to the VF
*/
- if (vf_is_up)
+ if (vf_is_up) {
netif_set_tso_max_size(ndev, vf_netdev->tso_max_size);
- else
+ WRITE_ONCE(ndev->gso_max_size, READ_ONCE(vf_netdev->gso_max_size));
+ WRITE_ONCE(ndev->gso_ipv4_max_size,
+ READ_ONCE(vf_netdev->gso_ipv4_max_size));
+ } else {
netif_set_tso_max_size(ndev, netvsc_dev->netvsc_gso_max_size);
+ }
}
return NOTIFY_OK;
--
2.53.0
^ permalink raw reply related
* Re: [PPATCH net v3] net: mana: fix use-after-free in add_adev() error path
From: patchwork-bot+netdevbpf @ 2026-03-25 4:10 UTC (permalink / raw)
To: Guangshuo Li
Cc: kys, haiyangz, wei.liu, decui, longli, andrew+netdev, davem,
edumazet, kuba, pabeni, ernis, dipayanroy, gargaditya,
shirazsaleem, kees, leon, linux-hyperv, netdev, linux-kernel,
stable
In-Reply-To: <20260323165730.945365-1-lgs201920130244@gmail.com>
Hello:
This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:
On Tue, 24 Mar 2026 00:57:30 +0800 you wrote:
> If auxiliary_device_add() fails, add_adev() jumps to add_fail and calls
> auxiliary_device_uninit(adev).
>
> The auxiliary device has its release callback set to adev_release(),
> which frees the containing struct mana_adev. Since adev is embedded in
> struct mana_adev, the subsequent fall-through to init_fail and access
> to adev->id may result in a use-after-free.
>
> [...]
Here is the summary with links:
- [PPATCH,net,v3] net: mana: fix use-after-free in add_adev() error path
https://git.kernel.org/netdev/net/c/c4ea7d8907cf
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox