[Hexagon] Lower vselect instruction (#206675)
Selection fails with "Cannot select: vselect" when the condition and
both data operands of an HVX vselect are predicate vectors (e.g. v32i1,
v64i1, v128i1). This patch adds patterns for vselect on HVX predicate
vectors of all three element widths (VecQ8, VecQ16, VecQ32), expanding
them to V6_pred_or/V6_pred_and/V6_pred_and_n on Q registers.
Patch-By: @iajbar
Fixes #206353
py-octoprint: updated to 1.11.8
1.11.8
Security fixes
XSS in Suppressed Command Notifications, severity Moderate (4.6): OctoPrint versions up to and including 1.11.7 as well as 2.0.0rc1 and 2.0.0rc2 are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript into Suppressed Command notification popups generated by the printer.
An attacker who successfully convinces a victim to print a specially crafted file could exploit this issue to disrupt ongoing prints, extract information (including sensitive configuration settings, if the targeted user has the necessary permissions for that), or perform other actions on behalf of the targeted user within the OctoPrint instance.
See also the GitHub Security Advisory and CVE-2026-35163.
File exfiltration possible via further parameter injection on upload endpoints, severity High (7.0): OctoPrint versions up until and including 1.11.7 as well as 2.0.0rc1 and 2.0.0rc2 contain a vulnerability that allows an attacker with the FILE_UPLOAD permission to exfiltrate files from the host that OctoPrint has read access to, by moving them into the upload folder where they then can be downloaded from. This vulnerability was already reported as GHSA-m9jh-jf9h-x3h2/CVE-2025-48067 but the fix provided in OctoPrint 1.11.2 turned out to be incomplete.
The primary risk lies in the potential exfiltration of secrets stored inside OctoPrint's config, or further system files. By removing important runtime files, this could also be used to impact the availability of the host after an attempted server restart. Given that the attacker requires a user account with file upload permissions, the actual impact of this should however hopefully be minimal in most cases.
See also the GitHub Security Advisory and CVE-2026-54134.
Bug fixes
[2 lines not shown]
[clang] use decl itself in static assert failed boolean condition printer (#203736)
fixes #203701
`getName()` assumes the decl used in the static asserts has a simple
identifier name, but some cases like `operator int` don't, and they
fail the assertion `Name.isIdentifier() && "Name is not a simple
identifier"` when the `static_assert` failure diagnostic tries to print
the boolean expression.
Switching to getDeclName() handles these special names properly.
Reproducer:
```c++
struct S {
  constexpr S(auto) {}
  constexpr operator int() const { return 0; }
};
```
[13 lines not shown]
[AMDGPU] IGroupLP: Avoid DAG manipulation in greedyFind (#194827)
The greedy pipeline solver needs to determine the edges that are
implied by assigning an SUnit to a SchedGroup and the cost of this
assignment. The cost is the number of edges that cannot be added without
introducing cycles. The current implementation (addEdges) adds the
edges to the DAG and uses the DAG reachability function for cycle
checking. This happens for each candidate SchedGroup and needs to be
undone before other candidates are considered. The DAG manipulations
become a significant performance bottleneck on bigger pipelines.
This commit implements an alternative function for computing the edges
and cost of an assignment. This function performs the reachability
analysis that is necessary for the cyclicity checks without modifying
the DAG.
The new function returns the same cost as addEdges. The concrete edge
set may show insignificant differences, because, for instance,
the link function called from addEdges chooses not to add transitive
[7 lines not shown]
icinga2: updated to 2.16.3
2.16.3 (2026-07-01)
This is a hotfix release that fixes a regression with the `Json.decode()` DSL function that was introduced in v2.16.2:
The addition of a second argument to the internal `JsonDecode()` function unintentionally leaked into the DSL as a
required argument. This version restores the old and intended behavior of `Json.decode()`.
Changes
* Restore single-argument `Json.decode()` in the DSL
* Add the upgrading documentation for v2.15.1 again, which went missing with the v2.16.0 release
Merge tag 'device-id-rework' of git://git.kernel.org/pub/scm/linux/kernel/git/ukleinek/linux
Pull mod_devicetable.h header split from Uwe Kleine-König:
"Split <linux/mod_devicetable.h> in per subsystem headers
<linux/mod_devicetable.h> is included transitively in nearly every
driver in an x86_64 allmodconfig build of v7.1:
    $ find drivers -name \*.o -not -name \*.mod.o | wc -l
    21330
    $ find drivers -name \*.o.cmd -not -name \*.mod.o.cmd | xargs grep -l mod_devicetable.h | wc -l
    17038
The result of this mixture of different and unrelated subsystem
details is that even when touching an obscure device id struct most of
the kernel needs to be recompiled. Given that each driver typically
only needs one or two of these structures, splitting into per
subsystem headers and only including what is really needed reduces the
amount of needed recompilation.
[29 lines not shown]
SDL3: updated to 3.4.12
3.4.12
This is a stable bugfix release, with the following changes:
Fixed an assert on Windows in SDL_SetWindowOpacity()
Improved support for external surfaces under Wayland
Fixed visual artifacts when switching render targets with the Vulkan renderer
Fixed crash rendering YUV textures on NVIDIA drivers with the Vulkan renderer
Added SDL_HINT_ENABLE_STEAM_SCREEN_KEYBOARD to customize behavior on Steam Deck and Steam Machine
Improved support for gamepads under Emscripten
Added hotplug detection support when using libusb for HIDAPI controllers
Fixed flipped Xbox 360 controller axes on macOS
Fixed truncated long text input sequences when using sdl2-compat
[VPlan] Intersect all fast-math flags in VPIRFlags::intersectFlags (#204664)
intersectFlags only ANDed the nnan and ninf flags and left the others
(reassoc, arcp, contract, afn and nsz) unchanged. When CSE or
interleave-group narrowing combines two operations into one, the kept
operation's remaining flags then leak onto the merged value.
Intersect all fast-math flags instead, so the result keeps only the
flags present on both operations. A pure intersection is required
because the combined operations do not always compute the same value
(e.g. when narrowing interleave groups), so a flag may be kept only if
every combined operation had it.
Found via @jlebar's X86 LLVM bug hunt / FuzzX effort:
https://github.com/SemiAnalysisAI/FuzzX/blob/master/x86/bugs/090-vplan-cse-intersect-flags-fmf-wrong-direction
cc @jlebar
[X86] matchUnaryShuffle - only prefer VZEXT_MOVL to VPMOVZX if it will fold away (#207031)
Clean up the logic matching VZEXT_MOVL in preference over VPMOVZX - we
should only use this if the source vector is GPR->FPU or a single
element load (or target load), which fold away to an implicit zero
extension.
Pre-SSE41 targets will attempt to match VZEXT_MOVL again more generally
later on.
[CodeGen][NFC] Remove RegisterClasses pointer array (#207204)
All MCRegisterClasses are stored consecutively in memory. Therefore, we
can remove the RegisterClasses pointer array and save 17kiB in
.data.rel.ro.
security/vuxml: Fix invalid escape sequence in Python re
ports/security/vuxml/files/extra-validation.py:13:
SyntaxWarning: invalid escape sequence '\|'
re_invalid_package_name = re.compile('[@!#$%^&*()<>?/\|}{~:]')
This can be fixed by making the re.compile argument a raw R'...' string;
capital R avoids issues with some Microsoft IDEs.
(Alternative is doubling the backslash, but that's less readable.)
Pull Request: https://github.com/freebsd/freebsd-ports/pull/550