wifi: mt76: Remove blank line after mt792x firmware version dmesg
An extra blank line gets printed after printing firmware version
because the build date is null terminated. Remove the "\n" from
dev_info() calls to print firmware version and build date to fix
the problem.
Reported-by: Mario Limonciello <superm1 at gmail.com>
Signed-off-by: Shuah Khan <skhan at linuxfoundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Merge tag 'platform-drivers-x86-v6.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86
Pull x86 platform driver fixes from Ilpo Järvinen:
- alienware-wmi-wmax: Area-51, x16, and 16X Aurora laptops support
- asus-armoury:
- Fix FA507R PPT data
- Add TDP data for more laptop models
- asus-nb-wmi: Asus Zenbook 14 display toggle key support
- dell-lis3lv02d: Dell Latitude 5400 support
- hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing
- ibm_rtl: Fix EBDA signature search pointer arithmetic
- ideapad-laptop: Reassign KEY_CUT to KEY_SELECTIVE_SCREENSHOT
[39 lines not shown]
Merge tag 'vfio-v6.19-rc4' of https://github.com/awilliam/linux-vfio
Pull VFIO fixes from Alex Williamson:
- Restrict ROM access to dword to resolve a regression introduced with
qword access seen on some Intel NICs. Update VGA region access to the
same given lack of precedent for 64-bit users (Kevin Tian)
- Fix missing .get_region_info_caps callback in the xe-vfio-pci variant
driver due to integration through the DRM tree (Michal Wajdeczko)
- Add aligned 64-bit access macros to tools/include/linux/types.h,
allowing removal of uapi/linux/type.h includes from various vfio
selftest, resolving redefinition warnings for integration with KVM
selftests (David Matlack)
- Fix error path memory leak in pds-vfio-pci variant driver (Zilin Guan)
- Fix error path use-after-free in xe-vfio-pci variant driver (Alper Ak)
[9 lines not shown]
Merge tag 'nfsd-6.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux
Pull nfsd fixes from Chuck Lever:
"A set of NFSD fixes that arrived just a bit late for the 6.19 merge
window.
Regression fix:
- Avoid unnecessarily breaking a timestamp delegation
Stable fixes:
- Fix a crasher in nlm4svc_proc_test()
- Fix nfsd_file reference leak during write delegation
- Fix error flow in client_states_open()"
* tag 'nfsd-6.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux:
nfsd: Drop the client reference in client_states_open()
nfsd: use ATTR_DELEG in nfsd4_finalize_deleg_timestamps()
nfsd: fix nfsd_file reference leak in nfsd4_add_rdaccess_to_wrdeleg()
lockd: fix vfs_test_lock() calls
Merge tag 'net-6.19-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
Pull networking fixes from Paolo Abeni:
"Including fixes from Bluetooth and WiFi. Notably this includes the fix
for the iwlwifi issue you reported.
Current release - regressions:
- core: avoid prefetching NULL pointers
- wifi:
- iwlwifi: implement settime64 as stub for MVM/MLD PTP
- mac80211: fix list iteration in ieee80211_add_virtual_monitor()
- handshake: fix null-ptr-deref in handshake_complete()
- eth: mana: fix use-after-free in reset service rescan path
Previous releases - regressions:
[65 lines not shown]
ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT
On PREEMPT_RT kernels, after rt6_get_pcpu_route() returns NULL, the
current task can be preempted. Another task running on the same CPU
may then execute rt6_make_pcpu_route() and successfully install a
pcpu_rt entry. When the first task resumes execution, its cmpxchg()
in rt6_make_pcpu_route() will fail because rt6i_pcpu is no longer
NULL, triggering the BUG_ON(prev). It's easy to reproduce it by adding
mdelay() after rt6_get_pcpu_route().
Using preempt_disable/enable is not appropriate here because
ip6_rt_pcpu_alloc() may sleep.
Fix this by handling the cmpxchg() failure gracefully on PREEMPT_RT:
free our allocation and return the existing pcpu_rt installed by
another task. The BUG_ON is replaced by WARN_ON_ONCE for non-PREEMPT_RT
kernels where such races should not occur.
Link: https://syzkaller.appspot.com/bug?extid=9b35e9bc0951140d13e6
[7 lines not shown]
platform/x86: asus-armoury: add support for G835LW
Add TDP data for laptop model G835LW.
Signed-off-by: Denis Benato <denis.benato at linux.dev>
Link: https://patch.msgid.link/20251229204458.2658777-1-denis.benato@linux.dev
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen at linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen at linux.intel.com>
net: rose: fix invalid array index in rose_kill_by_device()
rose_kill_by_device() collects sockets into a local array[] and then
iterates over them to disconnect sockets bound to a device being brought
down.
The loop mistakenly indexes array[cnt] instead of array[i]. For cnt <
ARRAY_SIZE(array), this reads an uninitialized entry; for cnt ==
ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to
an invalid socket pointer dereference and also leaks references taken
via sock_hold().
Fix the index to use i.
Fixes: 64b8bc7d5f143 ("net/rose: fix races in rose_kill_by_device()")
Co-developed-by: Fatma Alwasmi <falwasmi at purdue.edu>
Signed-off-by: Fatma Alwasmi <falwasmi at purdue.edu>
Signed-off-by: Pwnverse <stanksal at purdue.edu>
Link: https://patch.msgid.link/20251222212227.4116041-1-ritviktanksalkar@gmail.com
[2 lines not shown]
net: enetc: do not print error log if addr is 0
A value of 0 for addr indicates that the IEB_LBCR register does not
need to be configured, as its default value is 0. However, the driver
will print an error log if addr is 0, so this issue needs to be fixed.
Fixes: 50bfd9c06f0f ("net: enetc: set external PHY address in IERB for i.MX94 ENETC")
Signed-off-by: Wei Fang <wei.fang at nxp.com>
Reviewed-by: Vladimir Oltean <vladimir.oltean at nxp.com>
Link: https://patch.msgid.link/20251222022628.4016403-1-wei.fang@nxp.com
Signed-off-by: Paolo Abeni <pabeni at redhat.com>
net: macb: Relocate mog_init_rings() callback from macb_mac_link_up() to macb_open()
In the non-RT kernel, local_bh_disable() merely disables preemption,
whereas it maps to an actual spin lock in the RT kernel. Consequently,
when attempting to refill RX buffers via netdev_alloc_skb() in
macb_mac_link_up(), a deadlock scenario arises as follows:
WARNING: possible circular locking dependency detected
6.18.0-08691-g2061f18ad76e #39 Not tainted
------------------------------------------------------
kworker/0:0/8 is trying to acquire lock:
ffff00080369bbe0 (&bp->lock){+.+.}-{3:3}, at: macb_start_xmit+0x808/0xb7c
but task is already holding lock:
ffff000803698e58 (&queue->tx_ptr_lock){+...}-{3:3}, at: macb_start_xmit
+0x148/0xb7c
which lock already depends on the new lock.
[121 lines not shown]
selftests: fib_test: Add test case for ipv4 multi nexthops
The test checks that with multi nexthops route the preferred route is the
one which matches source ip. In case when source ip is on dummy
interface, it checks that the routes are balanced.
Reviewed-by: Willem de Bruijn <willemb at google.com>
Signed-off-by: Vadim Fedorenko <vadim.fedorenko at linux.dev>
Link: https://patch.msgid.link/20251221192639.3911901-2-vadim.fedorenko@linux.dev
Signed-off-by: Paolo Abeni <pabeni at redhat.com>
net: fib: restore ECMP balance from loopback
Preference of nexthop with source address broke ECMP for packets with
source addresses which are not in the broadcast domain, but rather added
to loopback/dummy interfaces. Original behaviour was to balance over
nexthops while now it uses the latest nexthop from the group. To fix the
issue introduce next hop scoring system where next hops with source
address equal to requested will always have higher priority.
For the case with 198.51.100.1/32 assigned to dummy0 and routed using
192.0.2.0/24 and 203.0.113.0/24 networks:
2: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
link/ether d6:54:8a:ff:78:f5 brd ff:ff:ff:ff:ff:ff
inet 198.51.100.1/32 scope global dummy0
valid_lft forever preferred_lft forever
7: veth1 at if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 06:ed:98:87:6d:8a brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.0.2.2/24 scope global veth1
[33 lines not shown]
ipv4: Fix reference count leak when using error routes with nexthop objects
When a nexthop object is deleted, it is marked as dead and then
fib_table_flush() is called to flush all the routes that are using the
dead nexthop.
The current logic in fib_table_flush() is to only flush error routes
(e.g., blackhole) when it is called as part of network namespace
dismantle (i.e., with flush_all=true). Therefore, error routes are not
flushed when their nexthop object is deleted:
# ip link add name dummy1 up type dummy
# ip nexthop add id 1 dev dummy1
# ip route add 198.51.100.1/32 nhid 1
# ip route add blackhole 198.51.100.2/32 nhid 1
# ip nexthop del id 1
# ip route show
blackhole 198.51.100.2 nhid 1 dev dummy1
[20 lines not shown]
selftests: fib_nexthops: Add test cases for error routes deletion
Add test cases that check that error routes (e.g., blackhole) are
deleted when their nexthop is deleted.
Output without "ipv4: Fix reference count leak when using error routes
with nexthop objects":
# ./fib_nexthops.sh -t "ipv4_fcnal ipv6_fcnal"
IPv4 functional
----------------------
[...]
WARNING: Unexpected route entry
TEST: Error route removed on nexthop deletion [FAIL]
IPv6
----------------------
[...]
[30 lines not shown]
net: usb: sr9700: fix incorrect command used to write single register
This fixes the device failing to initialize with "error reading MAC
address" for me, probably because the incorrect write of NCR_RST to
SR_NCR is not actually resetting the device.
Fixes: c9b37458e95629b1d1171457afdcc1bf1eb7881d ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support")
Cc: stable at vger.kernel.org
Signed-off-by: Ethan Nelson-Moore <enelsonmoore at gmail.com>
Link: https://patch.msgid.link/20251221082400.50688-1-enelsonmoore@gmail.com
Signed-off-by: Paolo Abeni <pabeni at redhat.com>
Merge tag 'kbuild-fixes-6.19-1' of git://git.kernel.org/pub/scm/linux/kernel/git/kbuild/linux
Pull Kbuild fixes from Nicolas Schier:
- Revert commit "scripts/clang-tools: Handle included .c files in
gen_compile_commands" which is reported to cause false entries for
some files.
- Fix compilation of dtb specified on command-line without make rule
- mcb: Add missing modpost build support
* tag 'kbuild-fixes-6.19-1' of git://git.kernel.org/pub/scm/linux/kernel/git/kbuild/linux:
mcb: Add missing modpost build support
kbuild: fix compilation of dtb specified on command-line without make rule
Revert "scripts/clang-tools: Handle included .c files in gen_compile_commands"
Merge tag 'mm-hotfixes-stable-2025-12-28-21-50' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Pull misc fixes from Andrew Morton:
"27 hotfixes. 12 are cc:stable, 18 are MM.
There's a patch series from Jiayuan Chen which fixes some
issues with KASAN and vmalloc. Apart from that it's the usual
shower of singletons - please see the respective changelogs
for details"
* tag 'mm-hotfixes-stable-2025-12-28-21-50' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: (27 commits)
mm/ksm: fix pte_unmap_unlock of wrong address in break_ksm_pmd_entry
mm/page_owner: fix memory leak in page_owner_stack_fops->release()
mm/memremap: fix spurious large folio warning for FS-DAX
MAINTAINERS: notify the "Device Memory" community of memory hotplug changes
sparse: update MAINTAINERS info
mm/page_alloc: report 1 as zone_batchsize for !CONFIG_MMU
mm: consider non-anon swap cache folios in folio_expected_ref_count()
rust: maple_tree: rcu_read_lock() in destructor to silence lockdep
[13 lines not shown]
ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
There exists a kernel oops caused by a BUG_ON(nhead < 0) at
net/core/skbuff.c:2232 in pskb_expand_head().
This bug is triggered as part of the calipso_skbuff_setattr()
routine when skb_cow() is passed headroom > INT_MAX
(i.e. (int)(skb_headroom(skb) + len_delta) < 0).
The root cause of the bug is due to an implicit integer cast in
__skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure
that delta = headroom - skb_headroom(skb) is never negative, otherwise
we will trigger a BUG_ON in pskb_expand_head(). However, if
headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta
becomes negative, and pskb_expand_head() is passed a negative value for
nhead.
Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing
"negative" headroom sizes to skb_cow() within calipso_skbuff_setattr()
by only using skb_cow() to grow headroom.
[49 lines not shown]
usbnet: avoid a possible crash in dql_completed()
syzbot reported a crash [1] in dql_completed() after recent usbnet
BQL adoption.
The reason for the crash is that netdev_reset_queue() is called too soon.
It should be called after cancel_work_sync(&dev->bh_work) to make
sure no more TX completion can happen.
[1]
kernel BUG at lib/dynamic_queue_limits.c:99 !
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 5197 Comm: udevd Tainted: G L syzkaller #0 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:dql_completed+0xbe1/0xbf0 lib/dynamic_queue_limits.c:99
Call Trace:
<IRQ>
[21 lines not shown]
net: stmmac: fix the crash issue for zero copy XDP_TX action
There is a crash issue when running zero copy XDP_TX action, the crash
log is shown below.
[ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000
[ 216.187524] Internal error: Oops: 0000000096000144 [#1] SMP
[ 216.301694] Call trace:
[ 216.304130] dcache_clean_poc+0x20/0x38 (P)
[ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0
[ 216.313351] stmmac_xdp_xmit_xdpf+0x354/0x400
[ 216.317701] __stmmac_xdp_run_prog+0x164/0x368
[ 216.322139] stmmac_napi_poll_rxtx+0xba8/0xf00
[ 216.326576] __napi_poll+0x40/0x218
[ 216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt
For XDP_TX action, the xdp_buff is converted to xdp_frame by
xdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame
depends on the memory type of the xdp_buff. For page pool based xdp_buff
[13 lines not shown]
Merge tag 'wireless-2025-12-17' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless
Johannes Berg says:
====================
Various fixes all over, most are recent regressions but
also some long-standing issues:
- cfg80211:
- fix an issue with overly long SSIDs
- mac80211:
- long-standing beacon protection issue on some devices
- for for a multi-BSSID AP-side issue
- fix a syzbot warning on OCB (not really used in practice)
- remove WARN on connections using disabled channels,
as that can happen due to changes in the disable flag
- fix monitor mode list iteration
[31 lines not shown]
octeontx2-pf: fix "UBSAN: shift-out-of-bounds error"
This patch ensures that the RX ring size (rx_pending) is not
set below the permitted length. This avoids UBSAN
shift-out-of-bounds errors when users passes small or zero
ring sizes via ethtool -G.
Fixes: d45d8979840d ("octeontx2-pf: Add basic ethtool support")
Signed-off-by: Anshumali Gaur <agaur at marvell.com>
Link: https://patch.msgid.link/20251219062226.524844-1-agaur@marvell.com
Signed-off-by: Paolo Abeni <pabeni at redhat.com>
platform/x86: asus-armoury: fix ppt data for FA507R
PPT data for FA507R was reported to be wrong by a user:
change limits to make them equal to Armoury Crate limits.
Fixes: 39ae6c50e599 ("platform/x86: asus-armoury: add ppt_* and nv_* tuning knobs")
Signed-off-by: Denis Benato <denis.benato at linux.dev>
Link: https://patch.msgid.link/20251229150755.1351495-1-denis.benato@linux.dev
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen at linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen at linux.intel.com>
platform/x86/intel/pmt/discovery: use valid device pointer in dev_err_probe
The PMT feature probe creates a child device with device_create().
If device creation fail, the code pass priv->dev (which is an ERR_PTR)
to dev_err_probe(), which is not a valid device pointer.
This patch change the dev_err_probe() call to use the parent auxiliary
device (&auxdev->dev) and update the error message to reference the
parent device name. It ensure correct error reporting and avoid
passing an invalid device pointer.
Fixes: d9a078809356 ("platform/x86/intel/pmt: Add PMT Discovery driver")
Signed-off-by: Alok Tiwari <alok.a.tiwari at oracle.com>
Link: https://patch.msgid.link/20251224095133.115678-1-alok.a.tiwari@oracle.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen at linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen at linux.intel.com>
platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing
The hp_populate_*_elements_from_package() functions in the hp-bioscfg
driver contain out-of-bounds array access vulnerabilities.
These functions parse ACPI packages into internal data structures using
a for loop with index variable 'elem' that iterates through
enum_obj/integer_obj/order_obj/password_obj/string_obj arrays.
When processing multi-element fields like PREREQUISITES and
ENUM_POSSIBLE_VALUES, these functions read multiple consecutive array
elements using expressions like 'enum_obj[elem + reqs]' and
'enum_obj[elem + pos_values]' within nested loops.
The bug is that the bounds check only validated elem, but did not consider
the additional offset when accessing elem + reqs or elem + pos_values.
The fix changes the bounds check to validate the actual accessed index.
[7 lines not shown]
platform/x86: asus-armoury: add support for G615LR
Add TDP data for laptop model G615LR.
Signed-off-by: Denis Benato <denis.benato at linux.dev>
Link: https://patch.msgid.link/20251225031041.2321249-1-denis.benato@linux.dev
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen at linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen at linux.intel.com>
platform/x86: asus-armoury: add support for FA608UM
Add TDP data for laptop model FA608UM.
Signed-off-by: Denis Benato <denis.benato at linux.dev>
Link: https://patch.msgid.link/20251225030354.2315874-1-denis.benato@linux.dev
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen at linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen at linux.intel.com>
platform/x86: asus-armoury: add support for GA403WR
Add TDP data for laptop model GA403WR.
Signed-off-by: Denis Benato <denis.benato at linux.dev>
Link: https://patch.msgid.link/20251225025301.1980627-1-denis.benato@linux.dev
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen at linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen at linux.intel.com>
