summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
4 hoursMerge tag 'for-6.19-rc4-tag' of ↵HEADmasterLinus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux Pull btrfs fixes from David Sterba: - fix potential NULL pointer dereference when replaying tree log after an error - release path before initializing extent tree to avoid potential deadlock when allocating new inode - on filesystems with block size > page size - fix potential read out of bounds during encoded read of an inline extent - only enforce free space tree if v1 cache is required - print correct tree id in error message * tag 'for-6.19-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: btrfs: show correct warning if can't read data reloc tree btrfs: fix NULL pointer dereference in do_abort_log_replay() btrfs: force free space tree for bs > ps cases btrfs: only enforce free space tree if v1 cache is required for bs < ps cases btrfs: release path before initializing extent tree in btrfs_read_locked_inode() btrfs: avoid access-beyond-folio for bs > ps encoded writes
4 hoursMerge tag 'pci-v6.19-fixes-2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci Pull PCI fixes from Bjorn Helgaas: - Remove ASPM L0s support for MSM8996 SoC since we now enable L0s when advertised, and it caused random hangs on this device (Manivannan Sadhasivam) - Fix meson-pcie to report that the link is up while in ASPM L0s or L1, since those are active states from the software point of view, and treating the link as down caused config access failures (Bjorn Helgaas) - Fix up sparc DTS BAR descriptions that are above 4GB but not marked as prefetchable, which caused resource assignment and driver probe failures after we converted from the SPARC pcibios_enable_device() to the generic version (Ilpo Järvinen) * tag 'pci-v6.19-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci: sparc/PCI: Correct 64-bit non-pref -> pref BAR resources PCI: meson: Report that link is up while in ASPM L0s and L1 states PCI: qcom: Remove ASPM L0s support for MSM8996 SoC
4 hoursMerge tag 'acpi-6.19-rc5' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull ACPI support fix from Rafael Wysocki: "This fixes the ACPI/PCI legacy interrupts (INTx) parsing in the case when the ACPI Global System Interrupt (GSI) value is a 32-bit one with the MSB set. That was interpreted as a negative integer and caused acpi_pci_link_allocate_irq() to fail and acpi_irq_get_penalty() to trigger an out-of-bounds array dereference (Lorenzo Pieralisi)" * tag 'acpi-6.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPI: PCI: IRQ: Fix INTx GSIs signedness
4 hoursMerge tag 'pm-6.19-rc5' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fix from Rafael Wysocki: "This fixes a crash in the hibernation image saving code that can be triggered when the given compression algorithm is unavailable (Malaya Kumar Rout)" * tag 'pm-6.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: PM: hibernate: Fix crash when freeing invalid crypto compressor
4 hoursMerge tag 'gpio-fixes-for-v6.19-rc5' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux Pull gpio fixes from Bartosz Golaszewski: "There are several ordinary driver fixes and a fix to a race between the registration of two chips that causes a crash in GPIO core. The bulk of the changed lines however, concerns the management of shared GPIOs that landed in v6.19-rc1. Enabling it for ARCH_QCOM enabled it in defconfig which effectively enabled it for all arm64 platforms and exposed the code to quite a lot of testing (which is good, right? :)). As a resukt, I received a number of bug reports, which I progressively fixed over the course of last weeks. This explains the number of lines higher than what I normally aim for at this stage. - balance superio enter/exit calls in error path in gpio-it87 - fix a race where we try to take the SRCU read lock of the GPIO device before it's been initialized causing a NULL-pointer dereference - fix handling of short-pulse interrupts in gpio-pca053x - fix a reference leak in error path in gpio-mpsse - mark the GPIO controller as sleeping (it calls sleeping functions) in gpio-rockchip - fix several issues in management of shared GPIOs" * tag 'gpio-fixes-for-v6.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux: gpio: shared: fix a false-positive sharing detection with reset-gpios gpiolib: fix lookup table matching gpio: shared: don't allocate the lookup table until we really need it gpio: shared: fix a race condition gpio: shared: assign the correct firmware node for reset-gpio use-case gpio: rockchip: mark the GPIO controller as sleeping gpio: mpsse: fix reference leak in gpio_mpsse_probe() error paths gpio: pca953x: handle short interrupt pulses on PCAL devices gpiolib: fix race condition for gdev->srcu gpio: shared: allow sharing a reset-gpios pin between reset-gpio and gpiolib gpio: shared: verify con_id when adding proxy lookup gpiolib: allow multiple lookup tables per consumer gpio: it87: balance superio enter/exit calls in error path
5 hoursMerge tag 'drm-fixes-2026-01-09' of https://gitlab.freedesktop.org/drm/kernelLinus Torvalds
Pull drm fixes from Dave Airlie: "I missed the drm-rust fixes tree for last week, so this catches up on that, along with amdgpu, and then some misc fixes across a few drivers. I hadn't got an xe pull by the time I sent this, I suspect one will arrive 10 mins after, but I don't think there is anything that can't wait for next week. Things seem to have picked up a little with people coming back from holidays, MAINTAINERS: - Fix Nova GPU driver git links - Fix typo in TYR driver entry preventing correct behavior of scripts/get_maintainer.pl - Exclude TYR driver from DRM MISC nova-core: - Correctly select RUST_FW_LOADER_ABSTRACTIONS to prevent build errors - Regenerate nova-core bindgen bindings with '--explicit-padding' to avoid uninitialized bytes - Fix length of received GSP messages, due to miscalculated message payload size - Regenerate bindings to derive MaybeZeroable - Use a bindings alias to derive the firmware version exynos: - hdmi: replace system_wq with system_percpu_wq pl111: - Fix error handling in probe mediatek/atomic/tidss: - Fix tidss in another way and revert reordering of pre-enable and post-disable operations, as it breaks other bridge drivers nouveau: - Fix regression from fwsec s/r fix pci/vga: - Fix multiple gpu's being reported a 'boot_display' fb-helper: - Fix vblank timeout during suspend/reset amdgpu: - Clang fixes - Navi1x PCIe DPM fixes - Ring reset fixes - ISP suspend fix - Analog DC fixes - VPE fixes - Mode1 reset fix radeon: - Variable sized array fix" * tag 'drm-fixes-2026-01-09' of https://gitlab.freedesktop.org/drm/kernel: (32 commits) Reapply "Revert "drm/amd: Skip power ungate during suspend for VPE"" drm/amd/display: Check NULL before calling dac_load_detection drm/amd/pm: Disable MMIO access during SMU Mode 1 reset drm/exynos: hdmi: replace use of system_wq with system_percpu_wq drm/fb-helper: Fix vblank timeout during suspend/reset PCI/VGA: Don't assume the only VGA device on a system is `boot_vga` drm/amdgpu: Fix query for VPE block_type and ip_count drm/amd/display: Add missing encoder setup to DACnEncoderControl drm/amd/display: Correct color depth for SelectCRTC_Source drm/amd/amdgpu: Fix SMU warning during isp suspend-resume drm/amdgpu: always backup and reemit fences drm/amdgpu: don't reemit ring contents more than once drm/amd/pm: force send pcie parmater on navi1x drm/amd/pm: fix wrong pcie parameter on navi1x drm/radeon: Remove __counted_by from ClockInfoArray.clockInfo[] drm/amd/display: Reduce number of arguments of dcn30's CalculateWatermarksAndDRAMSpeedChangeSupport() drm/amd/display: Reduce number of arguments of dcn30's CalculatePrefetchSchedule() drm/amd/display: Apply e4479aecf658 to dml nouveau: don't attempt fwsec on sb on newer platforms drm/tidss: Fix enable/disable order ...
5 hoursMerge tag 'vfs-6.19-rc5.fixes' of ↵Linus Torvalds
gitolite.kernel.org:pub/scm/linux/kernel/git/vfs/vfs Pull vfs fixes from Christian Brauner: - Remove incorrect __user annotation from struct xattr_args::value - Documentation fix: Add missing kernel-doc description for the @isnew parameter in ilookup5_nowait() to silence Sphinx warnings - Documentation fix: Fix kernel-doc comment for __start_dirop() - the function name in the comment was wrong and the @state parameter was undocumented - Replace dynamic folio_batch allocation with stack allocation in iomap_zero_range(). The dynamic allocation was problematic for ext4-on-iomap work (didn't handle allocation failure properly) and triggered lockdep complaints. Uses a flag instead to control batch usage - Re-add #ifdef guards around PIDFD_GET_<ns-type>_NAMESPACE ioctls. When a namespace type is disabled, ns->ops is NULL, causes crashes during inode eviction when closing the fd. The ifdefs were removed in a recent simplification but are still needed - Fixe a race where a folio could be unlocked before the trailing zeros (for EOF within the page) were written - Split out a dedicated lease_dispose_list() helper since lease code paths always know they're disposing of leases. Removes unnecessary runtime flag checks and prepares for upcoming lease_manager enhancements - Fix userland delegation requests succeeding despite conflicting opens. Previously, FL_LAYOUT and FL_DELEG leases bypassed conflict checks (a hack for nfsd). Adds new ->lm_open_conflict() lease_manager operation so userland delegations get proper conflict checking while nfsd can continue its own conflict handling - Fix LOOKUP_CACHED path lookups incorrectly falling through to the slow path. After legitimize_links() calls were conditionally elided, the routine would always fail with LOOKUP_CACHED regardless of whether there were any links. Now the flag is checked at the two callsites before calling legitimize_links() - Fix bug in media fd allocation in media_request_alloc() - Fix mismatched API calls in ecryptfs_mknod(): was calling end_removing() instead of end_creating() after ecryptfs_start_creating_dentry() - Fix dentry reference count leak in ecryptfs_mkdir(): a dget() of the lower parent dir was added but never dput()'d, causing BUG during lower filesystem unmount due to the still-in-use dentry * tag 'vfs-6.19-rc5.fixes' of gitolite.kernel.org:pub/scm/linux/kernel/git/vfs/vfs: pidfs: protect PIDFD_GET_* ioctls() via ifdef ecryptfs: Release lower parent dentry after creating dir ecryptfs: Fix improper mknod pairing of start_creating()/end_removing() get rid of bogus __user in struct xattr_args::value VFS: fix __start_dirop() kernel-doc warnings fs: Describe @isnew parameter in ilookup5_nowait() fs: make sure to fail try_to_unlazy() and try_to_unlazy() for LOOKUP_CACHED netfs: Fix early read unlock of page with EOF in middle filelock: allow lease_managers to dictate what qualifies as a conflict filelock: add lease_dispose_list() helper iomap: replace folio_batch allocation with stack allocation media: mc: fix potential use-after-free in media_request_alloc()
5 hoursMerge tag 'v6.19-p3' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto fix from Herbert Xu: - Fix duplicate restart messages in qat * tag 'v6.19-p3' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: qat - fix duplicate restarting msg during AER error
12 hoursgpio: shared: fix a false-positive sharing detection with reset-gpiosBartosz Golaszewski
After scanning the devicetree, we remove all entries that have only one reference, while creating GPIO shared proxies for the remaining, shared entries. However: for the reset-gpio corner-case, we will have two references for a "reset-gpios" pin that's not really shared. In this case one will come from the actual consumer fwnode and the other from the potential auxiliary reset-gpio device. This causes the GPIO core to create unnecessary GPIO shared proxy devices for pins that are not really shared. Add a function that can detect this situation and remove entries that have exactly two references but one of them is a reset-gpio. Fixes: 7b78b26757e0 ("gpio: shared: handle the reset-gpios corner case") Link: https://lore.kernel.org/r/20260108-gpio-shared-false-positive-v1-1-5dbf8d1b2f7d@oss.qualcomm.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
18 hoursMerge tag 'pinctrl-v6.19-2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl Pull pin control fixes from Linus Walleij: - Fix the mt8189 register base name order back from being fixed broken - Add REGMAP_MMIO to the pic64gx-gpio2 to avoid build breakages - Mark the Qualcomm lpass-lpi pin controller GPIO chip instance as sleeping to fix lock splats - Update .mailmap with my new kernel.org address for all old mails after maintainers ran into issues with this * tag 'pinctrl-v6.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl: pinctrl: qcom: lpass-lpi: mark the GPIO controller as sleeping pinctrl: pic64gx-gpio2: Add REGMAP_MMIO dependency Update .mailmap for Linus Walleij pinctrl: mediatek: mt8189: restore previous register base name array order
26 hoursMerge tag 'trace-v6.19-rc4' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull tracing fixes from Steven Rostedt: - Remove useless assignment of soft_mode variable The function __ftrace_event_enable_disable() sets "soft_mode" in one of the branch paths but doesn't use it after that. Remove the setting of that variable. - Add a cond_resched() in ring_buffer_resize() The resize function that allocates all the pages for the ring buffer was causing a soft lockup on PREEMPT_NONE configs when allocating large buffers on machines with many CPUs. Hopefully this is the last cond_resched() needed to be added as PREEMPT_LAZY becomes the norm in the future. - Make ftrace_graph_ent depth field signed The "depth" field of struct ftrace_graph_ent was converted from "int" to "unsigned long" for alignment reasons to work with being embedded in other structures. The conversion from a signed to unsigned caused integrity checks to always pass as they were comparing "depth" to less than zero. Make the field signed long. - Add recursion protection to stack trace events A infinite recursion was triggered by a stack trace event calling RCU which internally called rcu_read_unlock_special(), which triggered an event that was also doing stacktraces which cause it to trigger the same RCU lock that called rcu_read_unlock_special() again. Update the trace_test_and_set_recursion() to add a set of context checks for events to use, and have the stack trace event use that for recursion protection. - Make the variable ftrace_dump_on_oops static The cleanup of sysctl that moved all the updates to the files that use them moved the reference of ftrace_dump_on_oops to where it is used. It is no longer used outside of the trace.c file. Make it static. * tag 'trace-v6.19-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: trace: ftrace_dump_on_oops[] is not exported, make it static tracing: Add recursion protection in kernel stack trace recording ftrace: Make ftrace_graph_ent depth field signed ring-buffer: Avoid softlockup in ring_buffer_resize() during memory free tracing: Drop unneeded assignment to soft_mode
26 hoursMerge tag 'net-6.19-rc5' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Jakub Kicinski: "Including fixes from netfilter and wireless. Current release - fix to a fix: - net: do not write to msg_get_inq in callee - arp: do not assume dev_hard_header() does not change skb->head Current release - regressions: - wifi: mac80211: don't iterate not running interfaces - eth: mlx5: fix NULL pointer dereference in ioctl module EEPROM Current release - new code bugs: - eth: bnge: add AUXILIARY_BUS to Kconfig dependencies Previous releases - regressions: - eth: mlx5: dealloc forgotten PSP RX modify header Previous releases - always broken: - ping: fix ICMP out SNMP stats double-counting with ICMP sockets - bonding: preserve NETIF_F_ALL_FOR_ALL across TSO updates - bridge: fix C-VLAN preservation in 802.1ad vlan_tunnel egress - eth: bnxt: fix potential data corruption with HW GRO/LRO" * tag 'net-6.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (70 commits) arp: do not assume dev_hard_header() does not change skb->head net: enetc: fix build warning when PAGE_SIZE is greater than 128K atm: Fix dma_free_coherent() size tools: ynl: don't install tests net: do not write to msg_get_inq in callee bnxt_en: Fix NULL pointer crash in bnxt_ptp_enable during error cleanup net: usb: pegasus: fix memory leak in update_eth_regs_async() net: 3com: 3c59x: fix possible null dereference in vortex_probe1() net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset wifi: mac80211: collect station statistics earlier when disconnect wifi: mac80211: restore non-chanctx injection behaviour wifi: mac80211_hwsim: disable BHs for hwsim_radio_lock wifi: mac80211: don't iterate not running interfaces wifi: mac80211_hwsim: fix typo in frequency notification wifi: avoid kernel-infoleak from struct iw_point net: airoha: Fix schedule while atomic in airoha_ppe_deinit() selftests: netdevsim: add carrier state consistency test net: netdevsim: fix inconsistent carrier state after link/unlink selftests: drv-net: Bring back tool() to driver __init__s net/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy ...
28 hoursarp: do not assume dev_hard_header() does not change skb->headEric Dumazet
arp_create() is the only dev_hard_header() caller making assumption about skb->head being unchanged. A recent commit broke this assumption. Initialize @arp pointer after dev_hard_header() call. Fixes: db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust") Reported-by: syzbot+58b44a770a1585795351@syzkaller.appspotmail.com Signed-off-by: Eric Dumazet <edumazet@google.com> Link: https://patch.msgid.link/20260107212250.384552-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
28 hoursMerge branch '200GbE' of ↵Jakub Kicinski
git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue Tony Nguyen says: ==================== Intel Wired LAN Driver Updates 2026-01-06 (idpf) This series contains updates to idpf driver only. Emil fixes issues related to resets; among them timeouts, NULL pointer dereferences, and memory leaks. Sreedevi resolves issues around RSS; mainly involving operations when the interface is down and resets. She also addresses some incomplete cleanups for ntuple filters and interrupts. Erik fixes incomplete output of ntuple filters. Josh sets restriction of Rx buffer size to follow hardware restrictions. Larysa adds check to prevent NULL pointer dereference when RDMA is not enabled. * '200GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue: idpf: fix aux device unplugging when rdma is not supported by vport idpf: cap maximum Rx buffer size idpf: Fix error handling in idpf_vport_open() idpf: Fix RSS LUT NULL ptr issue after soft reset idpf: Fix RSS LUT configuration on down interfaces idpf: Fix RSS LUT NULL pointer crash on early ethtool operations idpf: fix issue with ethtool -n command display idpf: fix memory leak of flow steer list on rmmod idpf: fix error handling in the init_task on load idpf: fix memory leak in idpf_vc_core_deinit() idpf: fix memory leak in idpf_vport_rel() idpf: detach and close netdevs while handling a reset idpf: keep the netdev when a reset fails ==================== Link: https://patch.msgid.link/20260107000648.1861994-1-anthony.l.nguyen@intel.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
28 hoursnet: enetc: fix build warning when PAGE_SIZE is greater than 128KWei Fang
The max buffer size of ENETC RX BD is 0xFFFF bytes, so if the PAGE_SIZE is greater than 128K, ENETC_RXB_DMA_SIZE and ENETC_RXB_DMA_SIZE_XDP will be greater than 0xFFFF, thus causing a build warning. This will not cause any practical issues because ENETC is currently only used on the ARM64 platform, and the max PAGE_SIZE is 64K. So this patch is only for fixing the build warning that occurs when compiling ENETC drivers for other platforms. Reported-by: kernel test robot <lkp@intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202601050637.kHEKKOG7-lkp@intel.com/ Fixes: e59bc32df2e9 ("net: enetc: correct the value of ENETC_RXB_TRUESIZE") Signed-off-by: Wei Fang <wei.fang@nxp.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260107091204.1980222-1-wei.fang@nxp.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
28 hoursMerge tag 'wireless-2026-01-08' of ↵Jakub Kicinski
https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless Johannes Berg says: ==================== Couple of fixes: - mac80211: - long-standing injection bug due to chanctx rework - more recent interface iteration issue - collect statistics before removing stations - hwsim: - fix NAN frequency typo (potential NULL ptr deref) - fix locking of radio lock (needs softirqs disabled) - wext: - ancient issue with compat and events copying some uninitialized stack data to userspace * tag 'wireless-2026-01-08' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless: wifi: mac80211: collect station statistics earlier when disconnect wifi: mac80211: restore non-chanctx injection behaviour wifi: mac80211_hwsim: disable BHs for hwsim_radio_lock wifi: mac80211: don't iterate not running interfaces wifi: mac80211_hwsim: fix typo in frequency notification wifi: avoid kernel-infoleak from struct iw_point ==================== Link: https://patch.msgid.link/20260108140141.139687-3-johannes@sipsolutions.net Signed-off-by: Jakub Kicinski <kuba@kernel.org>
28 hoursatm: Fix dma_free_coherent() sizeThomas Fourier
The size of the buffer is not the same when alloc'd with dma_alloc_coherent() in he_init_tpdrq() and freed. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: <stable@vger.kernel.org> Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com> Link: https://patch.msgid.link/20260107090141.80900-2-fourier.thomas@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
28 hourstools: ynl: don't install testsJakub Kicinski
make's install target is meant for installing the production artifacts, AFAIU. Don't install test_ynl_cli and test_ynl_ethtool from under the main YNL install target. The install target under tests/ is retained in case someone wants the tests to be installed. Fixes: 308b7dee3e5c ("tools: ynl: add YNL test framework") Reviewed-by: Hangbin Liu <liuhangbin@gmail.com> Reviewed-by: Donald Hunter <donald.hunter@gmail.com> Link: https://patch.msgid.link/20260106163426.1468943-1-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
28 hoursnet: do not write to msg_get_inq in calleeWillem de Bruijn
NULL pointer dereference fix. msg_get_inq is an input field from caller to callee. Don't set it in the callee, as the caller may not clear it on struct reuse. This is a kernel-internal variant of msghdr only, and the only user does reinitialize the field. So this is not critical for that reason. But it is more robust to avoid the write, and slightly simpler code. And it fixes a bug, see below. Callers set msg_get_inq to request the input queue length to be returned in msg_inq. This is equivalent to but independent from the SO_INQ request to return that same info as a cmsg (tp->recvmsg_inq). To reduce branching in the hot path the second also sets the msg_inq. That is WAI. This is a fix to commit 4d1442979e4a ("af_unix: don't post cmsg for SO_INQ unless explicitly asked for"), which fixed the inverse. Also avoid NULL pointer dereference in unix_stream_read_generic if state->msg is NULL and msg->msg_get_inq is written. A NULL state->msg can happen when splicing as of commit 2b514574f7e8 ("net: af_unix: implement splice for stream af_unix sockets"). Also collapse two branches using a bitwise or. Cc: stable@vger.kernel.org Fixes: 4d1442979e4a ("af_unix: don't post cmsg for SO_INQ unless explicitly asked for") Link: https://lore.kernel.org/netdev/willemdebruijn.kernel.24d8030f7a3de@gmail.com/ Signed-off-by: Willem de Bruijn <willemb@google.com> Reviewed-by: Jens Axboe <axboe@kernel.dk> Reviewed-by: Eric Dumazet <edumazet@google.com> Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com> Link: https://patch.msgid.link/20260106150626.3944363-1-willemdebruijn.kernel@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
28 hoursbnxt_en: Fix NULL pointer crash in bnxt_ptp_enable during error cleanupBreno Leitao
When bnxt_init_one() fails during initialization (e.g., bnxt_init_int_mode returns -ENODEV), the error path calls bnxt_free_hwrm_resources() which destroys the DMA pool and sets bp->hwrm_dma_pool to NULL. Subsequently, bnxt_ptp_clear() is called, which invokes ptp_clock_unregister(). Since commit a60fc3294a37 ("ptp: rework ptp_clock_unregister() to disable events"), ptp_clock_unregister() now calls ptp_disable_all_events(), which in turn invokes the driver's .enable() callback (bnxt_ptp_enable()) to disable PTP events before completing the unregistration. bnxt_ptp_enable() attempts to send HWRM commands via bnxt_ptp_cfg_pin() and bnxt_ptp_cfg_event(), both of which call hwrm_req_init(). This function tries to allocate from bp->hwrm_dma_pool, causing a NULL pointer dereference: bnxt_en 0000:01:00.0 (unnamed net_device) (uninitialized): bnxt_init_int_mode err: ffffffed KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] Call Trace: __hwrm_req_init (drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c:72) bnxt_ptp_enable (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:323 drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:517) ptp_disable_all_events (drivers/ptp/ptp_chardev.c:66) ptp_clock_unregister (drivers/ptp/ptp_clock.c:518) bnxt_ptp_clear (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:1134) bnxt_init_one (drivers/net/ethernet/broadcom/bnxt/bnxt.c:16889) Lines are against commit f8f9c1f4d0c7 ("Linux 6.19-rc3") Fix this by clearing and unregistering ptp (bnxt_ptp_clear()) before freeing HWRM resources. Suggested-by: Pavan Chebbi <pavan.chebbi@broadcom.com> Signed-off-by: Breno Leitao <leitao@debian.org> Fixes: a60fc3294a37 ("ptp: rework ptp_clock_unregister() to disable events") Cc: stable@vger.kernel.org Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com> Link: https://patch.msgid.link/20260106-bnxt-v3-1-71f37e11446a@debian.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
28 hoursnet: usb: pegasus: fix memory leak in update_eth_regs_async()Petko Manolov
When asynchronously writing to the device registers and if usb_submit_urb() fail, the code fail to release allocated to this point resources. Fixes: 323b34963d11 ("drivers: net: usb: pegasus: fix control urb submission") Signed-off-by: Petko Manolov <petkan@nucleusys.com> Link: https://patch.msgid.link/20260106084821.3746677-1-petko.manolov@konsulko.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
28 hoursnet: 3com: 3c59x: fix possible null dereference in vortex_probe1()Thomas Fourier
pdev can be null and free_ring: can be called in 1297 with a null pdev. Fixes: 55c82617c3e8 ("3c59x: convert to generic DMA API") Cc: <stable@vger.kernel.org> Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com> Link: https://patch.msgid.link/20260106094731.25819-2-fourier.thomas@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
28 hoursnet/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in ↵Xiang Mei
qfq_reset `qfq_class->leaf_qdisc->q.qlen > 0` does not imply that the class itself is active. Two qfq_class objects may point to the same leaf_qdisc. This happens when: 1. one QFQ qdisc is attached to the dev as the root qdisc, and 2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get() / qdisc_put()) and is pending to be destroyed, as in function tc_new_tfilter. When packets are enqueued through the root QFQ qdisc, the shared leaf_qdisc->q.qlen increases. At the same time, the second QFQ qdisc triggers qdisc_put and qdisc_destroy: the qdisc enters qfq_reset() with its own q->q.qlen == 0, but its class's leaf qdisc->q.qlen > 0. Therefore, the qfq_reset would wrongly deactivate an inactive aggregate and trigger a null-deref in qfq_deactivate_agg: [ 0.903172] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 0.903571] #PF: supervisor write access in kernel mode [ 0.903860] #PF: error_code(0x0002) - not-present page [ 0.904177] PGD 10299b067 P4D 10299b067 PUD 10299c067 PMD 0 [ 0.904502] Oops: Oops: 0002 [#1] SMP NOPTI [ 0.904737] CPU: 0 UID: 0 PID: 135 Comm: exploit Not tainted 6.19.0-rc3+ #2 NONE [ 0.905157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 [ 0.905754] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2)) [ 0.906046] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0 Code starting with the faulting instruction =========================================== 0: 0f 84 4d 01 00 00 je 0x153 6: 48 89 70 18 mov %rsi,0x18(%rax) a: 8b 4b 10 mov 0x10(%rbx),%ecx d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx 14: 48 8b 78 08 mov 0x8(%rax),%rdi 18: 48 d3 e2 shl %cl,%rdx 1b: 48 21 f2 and %rsi,%rdx 1e: 48 2b 13 sub (%rbx),%rdx 21: 48 8b 30 mov (%rax),%rsi 24: 48 d3 ea shr %cl,%rdx 27: 8b 4b 18 mov 0x18(%rbx),%ecx ... [ 0.907095] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246 [ 0.907368] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000 [ 0.907723] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 0.908100] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000 [ 0.908451] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000 [ 0.908804] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880 [ 0.909179] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000 [ 0.909572] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 0.909857] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0 [ 0.910247] PKRU: 55555554 [ 0.910391] Call Trace: [ 0.910527] <TASK> [ 0.910638] qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1485) [ 0.910826] qdisc_reset (include/linux/skbuff.h:2195 include/linux/skbuff.h:2501 include/linux/skbuff.h:3424 include/linux/skbuff.h:3430 net/sched/sch_generic.c:1036) [ 0.911040] __qdisc_destroy (net/sched/sch_generic.c:1076) [ 0.911236] tc_new_tfilter (net/sched/cls_api.c:2447) [ 0.911447] rtnetlink_rcv_msg (net/core/rtnetlink.c:6958) [ 0.911663] ? __pfx_rtnetlink_rcv_msg (net/core/rtnetlink.c:6861) [ 0.911894] netlink_rcv_skb (net/netlink/af_netlink.c:2550) [ 0.912100] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) [ 0.912296] ? __alloc_skb (net/core/skbuff.c:706) [ 0.912484] netlink_sendmsg (net/netlink/af_netlink.c:1894) [ 0.912682] sock_write_iter (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1) net/socket.c:1195 (discriminator 1)) [ 0.912880] vfs_write (fs/read_write.c:593 fs/read_write.c:686) [ 0.913077] ksys_write (fs/read_write.c:738) [ 0.913252] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) [ 0.913438] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131) [ 0.913687] RIP: 0033:0x424c34 [ 0.913844] Code: 89 02 48 c7 c0 ff ff ff ff eb bd 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d 2d 44 09 00 00 74 13 b8 01 00 00 00 0f 05 9 Code starting with the faulting instruction =========================================== 0: 89 02 mov %eax,(%rdx) 2: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax 9: eb bd jmp 0xffffffffffffffc8 b: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1) 12: 00 00 00 15: 90 nop 16: f3 0f 1e fa endbr64 1a: 80 3d 2d 44 09 00 00 cmpb $0x0,0x9442d(%rip) # 0x9444e 21: 74 13 je 0x36 23: b8 01 00 00 00 mov $0x1,%eax 28: 0f 05 syscall 2a: 09 .byte 0x9 [ 0.914807] RSP: 002b:00007ffea1938b78 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 [ 0.915197] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000424c34 [ 0.915556] RDX: 000000000000003c RSI: 000000002af378c0 RDI: 0000000000000003 [ 0.915912] RBP: 00007ffea1938bc0 R08: 00000000004b8820 R09: 0000000000000000 [ 0.916297] R10: 0000000000000001 R11: 0000000000000202 R12: 00007ffea1938d28 [ 0.916652] R13: 00007ffea1938d38 R14: 00000000004b3828 R15: 0000000000000001 [ 0.917039] </TASK> [ 0.917158] Modules linked in: [ 0.917316] CR2: 0000000000000000 [ 0.917484] ---[ end trace 0000000000000000 ]--- [ 0.917717] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2)) [ 0.917978] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0 Code starting with the faulting instruction =========================================== 0: 0f 84 4d 01 00 00 je 0x153 6: 48 89 70 18 mov %rsi,0x18(%rax) a: 8b 4b 10 mov 0x10(%rbx),%ecx d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx 14: 48 8b 78 08 mov 0x8(%rax),%rdi 18: 48 d3 e2 shl %cl,%rdx 1b: 48 21 f2 and %rsi,%rdx 1e: 48 2b 13 sub (%rbx),%rdx 21: 48 8b 30 mov (%rax),%rsi 24: 48 d3 ea shr %cl,%rdx 27: 8b 4b 18 mov 0x18(%rbx),%ecx ... [ 0.918902] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246 [ 0.919198] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000 [ 0.919559] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 0.919908] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000 [ 0.920289] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000 [ 0.920648] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880 [ 0.921014] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000 [ 0.921424] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 0.921710] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0 [ 0.922097] PKRU: 55555554 [ 0.922240] Kernel panic - not syncing: Fatal exception [ 0.922590] Kernel Offset: disabled Fixes: 0545a3037773 ("pkt_sched: QFQ - quick fair queue scheduler") Signed-off-by: Xiang Mei <xmei5@asu.edu> Link: https://patch.msgid.link/20260106034100.1780779-1-xmei5@asu.edu Signed-off-by: Jakub Kicinski <kuba@kernel.org>
29 hoursMerge tag 'hid-for-linus-2026010801' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid Pull HID fixes from Jiri Kosina: - build fix for HID-BPF (Benjamin Tissoires) - fix for potential buffer overflow in i2c-hid (Kwok Kin Ming) - a couple of selftests/hid fixes (Peter Hutterer) - fix for handling pressure pads in hid-multitouch (Peter Hutterer) - fix for potential NULL pointer dereference in intel-thc-hid (Even Xu) - fix for interrupt delay control in intel-thc-hid (Even Xu) - fix finger release detection on some VTL-class touchpads (DaytonCL) - fix for correct enumeration on intel-ish-hid systems with no sensors (Zhang Lixu) - assorted device ID additions and device-specific quirks * tag 'hid-for-linus-2026010801' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid: (21 commits) HID: logitech: add HID++ support for Logitech MX Anywhere 3S HID: Elecom: Add support for ELECOM M-XT3DRBK (018C) HID: quirks: work around VID/PID conflict for appledisplay HID: Apply quirk HID_QUIRK_ALWAYS_POLL to Edifier QR30 (2d99:a101) HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report() selftests/hid: add a test for the Digitizer/Button Type pressurepad selftests/hid: use a enum class for the different button types selftests/hid: require hidtools 0.12 HID: multitouch: set INPUT_PROP_PRESSUREPAD based on Digitizer/Button Type HID: quirks: Add another Chicony HP 5MP Cameras to hid_ignore_list HID: Intel-thc-hid: Intel-thc: Add safety check for reading DMA buffer hid: intel-thc-hid: Select SGL_ALLOC selftests/hid: fix bpf compilations due to -fms-extensions HID: bpf: fix bpf compilation with -fms-extensions HID: Intel-thc-hid: Intel-thc: Fix wrong register reading HID: multitouch: add MT_QUIRK_STICKY_FINGERS to MT_CLS_VTL HID: intel-ish-hid: Reset enum_devices_done before enumeration HID: intel-ish-hid: Update ishtp bus match to support device ID table HID: Intel-thc-hid: Intel-thc: fix dma_unmap_sg() nents value HID: playstation: Center initial joystick axes to prevent spurious events ...
29 hoursMerge tag 'sound-6.19-rc5' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "A collection of small device-specific fixes: - ASoC Intel topology fixes for conflicting Bluetooth bits - Cleanups of ASoC drivers for superfluous NULL checks - Fix for error handling in the AC97 bus - A regression fix for TAS2781 speaker ID handling - HD-audio quirks" * tag 'sound-6.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ALSA: hda/realtek: add HP Laptop 15s-eq1xxx mute LED quirk ALSA: hda/realtek: Add quirk for Acer Nitro AN517-55 ALSA: hda/tas2781: properly initialize speaker_id for TAS2563 ALSA: ac97: fix a double free in snd_ac97_controller_register() ASoC: sun4i-spdif: Add missing kerneldoc fields for sun4i_spdif_quirks ASoC: codecs: pm4125: clean up bind() device reference handling ASoC: soc_sdw_utils: drop bogus container_of() error handling ASoC: codecs: wcd937x: drop bogus container_of() error handling ASoC: codecs: pm4125: drop bogus container_of() error handling ASoC: SOF: Intel: add -bt tplg suffix if BT is present ASoC: Intel: sof_sdw: shift SSP BT mask bits.
30 hoursgpiolib: fix lookup table matchingBartosz Golaszewski
If on any iteration in gpiod_find(), gpio_desc_table_match() returns NULL (which is normal and expected), we never reinitialize desc back to ERR_PTR(-ENOENT) and if we don't find a match later on, we will return NULL causing a NULL-pointer dereference in users not expecting it. Don't initialize desc, but return ERR_PTR(-ENOENT) explicitly at the end of the function. Fixes: 9700b0fccf38 ("gpiolib: allow multiple lookup tables per consumer") Reported-by: Marek Szyprowski <m.szyprowski@samsung.com> Closes: https://lore.kernel.org/all/00107523-7737-4b92-a785-14ce4e93b8cb@samsung.com/ Tested-by: Marek Szyprowski <m.szyprowski@samsung.com> Link: https://lore.kernel.org/r/20260108102314.18816-1-bartosz.golaszewski@oss.qualcomm.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
32 hourswifi: mac80211: collect station statistics earlier when disconnectBaochen Qiang
In __sta_info_destroy_part2(), station statistics are requested after the IEEE80211_STA_NONE -> IEEE80211_STA_NOTEXIST transition. This is problematic because the driver may be unable to handle the request due to the STA being in the NOTEXIST state (i.e. if the driver destroys the underlying data when transitioning to NOTEXIST). Move the statistics collection to before the state transition to avoid this issue. Signed-off-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com> Link: https://patch.msgid.link/20251222-mac80211-move-station-stats-collection-earlier-v1-1-12cd4e42c633@oss.qualcomm.com Signed-off-by: Johannes Berg <johannes.berg@intel.com>
32 hourswifi: mac80211: restore non-chanctx injection behaviourJohannes Berg
During the transition to use channel contexts throughout, the ability to do injection while in monitor mode concurrent with another interface was lost, since the (virtual) monitor won't have a chanctx assigned in this scenario. It's harder to fix drivers that actually transitioned to using channel contexts themselves, such as mt76, but it's easy to do those that are (still) just using the emulation. Do that. Cc: stable@vger.kernel.org Link: https://bugzilla.kernel.org/show_bug.cgi?id=218763 Reported-and-tested-by: Oscar Alfonso Diaz <oscar.alfonso.diaz@gmail.com> Fixes: 0a44dfc07074 ("wifi: mac80211: simplify non-chanctx drivers") Link: https://patch.msgid.link/20251216105242.18366-2-johannes@sipsolutions.net Signed-off-by: Johannes Berg <johannes.berg@intel.com>
32 hourswifi: mac80211_hwsim: disable BHs for hwsim_radio_lockBenjamin Berg
The hwsim_radio_lock spinlock expects bottom-half to be disabled, fix the call in mac80211_hwsim_nan_stop to ensure BHs are disabled. Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Link: https://patch.msgid.link/20260107143805.ce7406511608.I688f8b19346e94c1f8de0cdadde072054d4b861c@changeid Signed-off-by: Johannes Berg <johannes.berg@intel.com>
32 hourswifi: mac80211: don't iterate not running interfacesMiri Korenblit
for_each_chanctx_user_* was introdcued as a replacement for for_each_sdata_link, which visits also other chanctx users that are not link. for_each_sdata_link skips not running interfaces, do the same for for_each_chanctx_user_* Fixes: 1ce954c98b89 ("wifi: mac80211: add and use chanctx usage iteration") Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com> Link: https://patch.msgid.link/20260107143736.55c084e2a976.I38b7b904a135dadca339321923b501b2c2c5c8c0@changeid Signed-off-by: Johannes Berg <johannes.berg@intel.com>
32 hourswifi: mac80211_hwsim: fix typo in frequency notificationBenjamin Berg
The NAN notification is for 5745 MHz which corresponds to channel 149 and not 5475 which is not actually a valid channel. This could result in a NULL pointer dereference in cfg80211_next_nan_dw_notif. Fixes: a37a6f54439b ("wifi: mac80211_hwsim: Add simulation support for NAN device") Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Ilan Peer <ilan.peer@intel.com> Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com> Link: https://patch.msgid.link/20260107143652.7dab2035836f.Iacbaf7bb94ed5c14a0928a625827e4137d8bfede@changeid Signed-off-by: Johannes Berg <johannes.berg@intel.com>
32 hourswifi: avoid kernel-infoleak from struct iw_pointEric Dumazet
struct iw_point has a 32bit hole on 64bit arches. struct iw_point { void __user *pointer; /* Pointer to the data (in user space) */ __u16 length; /* number of fields or size in bytes */ __u16 flags; /* Optional params */ }; Make sure to zero the structure to avoid disclosing 32bits of kernel data to user space. Fixes: 87de87d5e47f ("wext: Dispatch and handle compat ioctls entirely in net/wireless/wext.c") Reported-by: syzbot+bfc7323743ca6dbcc3d3@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/695f83f3.050a0220.1c677c.0392.GAE@google.com/T/#u Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20260108101927.857582-1-edumazet@google.com Signed-off-by: Johannes Berg <johannes.berg@intel.com>
33 hoursHID: logitech: add HID++ support for Logitech MX Anywhere 3SDennis Marttinen
I've acquired a Logitech MX Anywhere 3S mouse, which supports HID++ over Bluetooth. Adding its PID 0xb037 to the allowlist enables the additional features, such as high-resolution scrolling. Tested working across multiple machines, with a mix of Intel and Mediatek Bluetooth chips. [jkosina@suse.com: standardize shortlog] Signed-off-by: Dennis Marttinen <twelho@welho.tech> Signed-off-by: Jiri Kosina <jkosina@suse.com>
34 hoursnet: airoha: Fix schedule while atomic in airoha_ppe_deinit()Lorenzo Bianconi
airoha_ppe_deinit() runs airoha_npu_ppe_deinit() in atomic context. airoha_npu_ppe_deinit routine allocates ppe_data buffer with GFP_KERNEL flag. Rely on rcu_replace_pointer in airoha_ppe_deinit routine in order to fix schedule while atomic issue in airoha_npu_ppe_deinit() since we do not need atomic context there. Fixes: 00a7678310fe3 ("net: airoha: Introduce flowtable offload support") Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Link: https://patch.msgid.link/20260105-airoha-fw-ethtool-v2-1-3b32b158cc31@kernel.org Signed-off-by: Paolo Abeni <pabeni@redhat.com>
44 hoursMerge tag 'amd-drm-fixes-6.19-2026-01-06' of ↵Dave Airlie
https://gitlab.freedesktop.org/agd5f/linux into drm-fixes amd-drm-fixes-6.19-2026-01-06: amdgpu: - Clang fixes - Navi1x PCIe DPM fixes - Ring reset fixes - ISP suspend fix - Analog DC fixes - VPE fixes - Mode1 reset fix radeon: - Variable sized array fix Signed-off-by: Dave Airlie <airlied@redhat.com> From: Alex Deucher <alexander.deucher@amd.com> Link: https://patch.msgid.link/20260107223315.16095-1-alexander.deucher@amd.com
46 hoursHID: Elecom: Add support for ELECOM M-XT3DRBK (018C)Arnoud Willemsen
Wireless/new version of the Elecom trackball mouse M-XT3DRBK has a product id that differs from the existing M-XT3DRBK. The report descriptor format also seems to have changed and matches other (newer?) models instead (except for six buttons instead of eight). This patch follows the same format as the patch for the M-XT3URBK (018F) by Naoki Ueki (Nov 3rd 2025) to enable the sixth mouse button. dmesg output: [ 292.074664] usb 1-2: new full-speed USB device number 7 using xhci_hcd [ 292.218667] usb 1-2: New USB device found, idVendor=056e, idProduct=018c, bcdDevice= 1.00 [ 292.218676] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0 [ 292.218679] usb 1-2: Product: ELECOM TrackBall Mouse [ 292.218681] usb 1-2: Manufacturer: ELECOM usbhid-dump output: 001:006:000:DESCRIPTOR 1765072638.050578 05 01 09 02 A1 01 09 01 A1 00 85 01 05 09 19 01 29 05 15 00 25 01 95 08 75 01 81 02 95 01 75 00 81 01 05 01 09 30 09 31 16 00 80 26 FF 7F 75 10 95 02 81 06 C0 A1 00 05 01 09 38 15 81 25 7F 75 08 95 01 81 06 C0 A1 00 05 0C 0A 38 02 95 01 75 08 15 81 25 7F 81 06 C0 C0 06 01 FF 09 00 A1 01 85 02 09 00 15 00 26 FF 00 75 08 95 07 81 02 C0 05 0C 09 01 A1 01 85 05 15 00 26 3C 02 19 00 2A 3C 02 75 10 95 01 81 00 C0 05 01 09 80 A1 01 85 03 19 81 29 83 15 00 25 01 95 03 75 01 81 02 95 01 75 05 81 01 C0 06 BC FF 09 88 A1 01 85 04 95 01 75 08 15 00 26 FF 00 19 00 2A FF 00 81 00 C0 06 02 FF 09 02 A1 01 85 06 09 02 15 00 26 FF 00 75 08 95 07 B1 02 C0 Signed-off-by: Arnoud Willemsen <mail@lynthium.com> Signed-off-by: Jiri Kosina <jkosina@suse.com>
46 hoursHID: quirks: work around VID/PID conflict for appledisplayRené Rebe
For years I wondered why the Apple Cinema Display driver would not just work for me. Turns out the hidraw driver instantly takes it over. Fix by adding appledisplay VID/PIDs to hid_have_special_driver. Fixes: 069e8a65cd79 ("Driver for Apple Cinema Display") Signed-off-by: René Rebe <rene@exactco.de> Signed-off-by: Jiri Kosina <jkosina@suse.com>
46 hoursHID: Apply quirk HID_QUIRK_ALWAYS_POLL to Edifier QR30 (2d99:a101)Rodrigo Lugathe da Conceição Alves
The USB speaker has a bug that causes it to reboot when changing the brightness using the physical knob. Add a new vendor and product ID entry in hid-ids.h, and register the corresponding device in hid-quirks.c with the required quirk. Signed-off-by: Rodrigo Lugathe da Conceição Alves <lugathe2@gmail.com> Reviewed-by: Terry Junge <linuxhid@cosmicgizmosystems.com> Signed-off-by: Jiri Kosina <jkosina@suse.com>
46 hoursReapply "Revert "drm/amd: Skip power ungate during suspend for VPE""Mario Limonciello (AMD)
Skipping power ungate exposed some scenarios that will fail like below: ``` amdgpu: Register(0) [regVPEC_QUEUE_RESET_REQ] failed to reach value 0x00000000 != 0x00000001n amdgpu 0000:c1:00.0: amdgpu: VPE queue reset failed ... amdgpu: [drm] *ERROR* wait_for_completion_timeout timeout! ``` The underlying s2idle issue that prompted this commit is going to be fixed in BIOS. This reverts commit 2a6c826cfeedd7714611ac115371a959ead55bda. This was lost in the 6.19 merge so reapply it. Fixes: 2a6c826cfeed ("drm/amd: Skip power ungate during suspend for VPE") Signed-off-by: Mario Limonciello (AMD) <superm1@kernel.org> Acked-by: Alex Deucher <alexander.deucher@amd.com> Reported-by: Konstantin <answer2019@yandex.ru> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220812 Reported-by: Matthew Schwartz <matthew.schwartz@linux.dev> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> (cherry picked from commit 3925683515e93844be204381d2d5a1df5de34f31)
46 hoursdrm/amd/display: Check NULL before calling dac_load_detectionAlex Hung
dac_load_detection can be NULL in some scenario, so checking it before calling. Reviewed-by: Harry Wentland <harry.wentland@amd.com> Signed-off-by: Alex Hung <alex.hung@amd.com> Signed-off-by: Chenyu Chen <chen-yu.chen@amd.com> Tested-by: Daniel Wheeler <daniel.wheeler@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> (cherry picked from commit 179176134b535246f0b368b30e8ecad50066f896)
46 hoursdrm/amd/pm: Disable MMIO access during SMU Mode 1 resetPerry Yuan
During Mode 1 reset, the ASIC undergoes a reset cycle and becomes temporarily inaccessible via PCIe. Any attempt to access MMIO registers during this window (e.g., from interrupt handlers or other driver threads) can result in uncompleted PCIe transactions, leading to NMI panics or system hangs. To prevent this, set the `no_hw_access` flag to true immediately after triggering the reset. This signals other driver components to skip register accesses while the device is offline. A memory barrier `smp_mb()` is added to ensure the flag update is globally visible to all cores before the driver enters the sleep/wait state. Signed-off-by: Perry Yuan <perry.yuan@amd.com> Reviewed-by: Yifan Zhang <yifan1.zhang@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> (cherry picked from commit 7edb503fe4b6d67f47d8bb0dfafb8e699bb0f8a4)
47 hoursMerge tag 'drm-misc-fixes-2026-01-07' of ↵Dave Airlie
https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes drm-misc-fixes for v6.19-rc5: pl111: - Fix error handling in probe mediatek/atomic/tidss: - Fix tidss in another way and revert reordering of pre-enable and post-disable operations, as it breaks other bridge drivers. nouveau: - Fix regression from fwsec s/r fix. pci/vga: - Fix multiple gpu's being reported a 'boot_display' fb-helper: - Fix vblank timeout during suspend/reset Signed-off-by: Dave Airlie <airlied@redhat.com> From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com> Link: https://patch.msgid.link/f50067e6-243a-4ed8-9781-1e4e4fdebc8e@linux.intel.com
47 hoursMerge tag 'exynos-drm-fixes-v6.19-rc5' of ↵Dave Airlie
git://git.kernel.org/pub/scm/linux/kernel/git/daeinki/drm-exynos into drm-fixes One code cleanup . Replace system_wq with system_percpu_wq in the Exynos HDMI driver. system_wq is effectively a per-cpu workqueue, but its name does not make this explicit. Recent workqueue changes introduced system_percpu_wq to clarify semantics and support ongoing workqueue API refactoring. Signed-off-by: Dave Airlie <airlied@redhat.com> From: Inki Dae <inki.dae@samsung.com> Link: https://patch.msgid.link/20260107091154.27436-1-inki.dae@samsung.com
2 dayssparc/PCI: Correct 64-bit non-pref -> pref BAR resourcesIlpo Järvinen
SPARC T5-2 dts describes some PCI BARs as 64-bit resources without the pref(etchable) bit (0x83... vs 0xc3... in assigned-addresses) for address ranges above the 4G threshold. Such resources cannot be placed into a non-prefetchable PCI bridge window that is capable only of 32-bit addressing. As such, it looks like the platform is improperly described by the dts. The kernel detects this problem (see the IORESOURCE_PREFETCH check in pci_find_parent_resource()) and fails to assign these BAR resources to the resource tree due to lack of a compatible bridge window. Prior to 754babaaf333 ("sparc/PCI: Remove pcibios_enable_device() as they do nothing extra") SPARC arch code did not test whether device resources were successfully in the resource tree when enabling a device, effectively hiding the problem. After removing the arch-specific enable code, pci_enable_resources() refuses to enable the device when it finds not all mem resources are assigned, and therefore mpt3sas can't be enabled: pci 0001:04:00.0: reg 0x14: [mem 0x801110000000-0x80111000ffff 64bit] pci 0001:04:00.0: reg 0x1c: [mem 0x801110040000-0x80111007ffff 64bit] pci 0001:04:00.0: BAR 1 [mem 0x801110000000-0x80111000ffff 64bit]: can't claim; no compatible bridge window pci 0001:04:00.0: BAR 3 [mem 0x801110040000-0x80111007ffff 64bit]: can't claim; no compatible bridge window mpt3sas 0001:04:00.0: BAR 1 [mem size 0x00010000 64bit]: not assigned; can't enable device For clarity, this filtered log only shows failures for one mpt3sas device but other devices fail similarly. In the reported case, the end result with all the failures is an unbootable system. Things appeared to "work" before 754babaaf333 ("sparc/PCI: Remove pcibios_enable_device() as they do nothing extra") because the resource tree is agnostic to whether PCI BAR resources are properly in the tree or not. So as long as there was a parent resource (e.g. a root bus resource) that contains the address range, the resource tree code just places resource request underneath it without any consideration to the intermediate BAR resource. While it worked, it's incorrect setup still. Add an OF fixup to set the IORESOURCE_PREFETCH flag for a 64-bit PCI resource that has the end address above 4G requiring placement into the prefetchable window. Also log the issue. Fixes: 754babaaf333 ("sparc/PCI: Remove pcibios_enable_device() as they do nothing extra") Reported-by: Nathaniel Roach <nroach44@gmail.com> Closes: https://github.com/sparclinux/issues/issues/22 Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Tested-by: Nathaniel Roach <nroach44@gmail.com> Link: https://patch.msgid.link/20251124170411.3709-1-ilpo.jarvinen@linux.intel.com
2 daystrace: ftrace_dump_on_oops[] is not exported, make it staticBen Dooks
The ftrace_dump_on_oops string is not used outside of trace.c so make it static to avoid the export warning from sparse: kernel/trace/trace.c:141:6: warning: symbol 'ftrace_dump_on_oops' was not declared. Should it be static? Fixes: dd293df6395a2 ("tracing: Move trace sysctls into trace.c") Link: https://patch.msgid.link/20260106231054.84270-1-ben.dooks@codethink.co.uk Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk> Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
2 daystracing: Add recursion protection in kernel stack trace recordingSteven Rostedt
A bug was reported about an infinite recursion caused by tracing the rcu events with the kernel stack trace trigger enabled. The stack trace code called back into RCU which then called the stack trace again. Expand the ftrace recursion protection to add a set of bits to protect events from recursion. Each bit represents the context that the event is in (normal, softirq, interrupt and NMI). Have the stack trace code use the interrupt context to protect against recursion. Note, the bug showed an issue in both the RCU code as well as the tracing stacktrace code. This only handles the tracing stack trace side of the bug. The RCU fix will be handled separately. Link: https://lore.kernel.org/all/20260102122807.7025fc87@gandalf.local.home/ Cc: stable@vger.kernel.org Cc: Masami Hiramatsu <mhiramat@kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Cc: Joel Fernandes <joel@joelfernandes.org> Cc: "Paul E. McKenney" <paulmck@kernel.org> Cc: Boqun Feng <boqun.feng@gmail.com> Link: https://patch.msgid.link/20260105203141.515cd49f@gandalf.local.home Reported-by: Yao Kai <yaokai34@huawei.com> Tested-by: Yao Kai <yaokai34@huawei.com> Fixes: 5f5fa7ea89dc ("rcu: Don't use negative nesting depth in __rcu_read_unlock()") Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
2 daysftrace: Make ftrace_graph_ent depth field signedSteven Rostedt
The code has integrity checks to make sure that depth never goes below zero. But the depth field has recently been converted to unsigned long from "int" (for alignment reasons). As unsigned long can never be less than zero, the integrity checks no longer work. Convert depth to long from unsigned long to allow the integrity checks to work again. Cc: stable@vger.kernel.org Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Cc: pengdonglin <pengdonglin@xiaomi.com> Link: https://patch.msgid.link/20260102143148.251c2e16@gandalf.local.home Reported-by: Dan Carpenter <dan.carpenter@linaro.org> Closes: https://lore.kernel.org/all/aS6kGi0maWBl-MjZ@stanley.mountain/ Fixes: f83ac7544fbf7 ("function_graph: Enable funcgraph-args and funcgraph-retaddr to work simultaneously") Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org> Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
2 daysring-buffer: Avoid softlockup in ring_buffer_resize() during memory freeWupeng Ma
When user resize all trace ring buffer through file 'buffer_size_kb', then in ring_buffer_resize(), kernel allocates buffer pages for each cpu in a loop. If the kernel preemption model is PREEMPT_NONE and there are many cpus and there are many buffer pages to be freed, it may not give up cpu for a long time and finally cause a softlockup. To avoid it, call cond_resched() after each cpu buffer free as Commit f6bd2c92488c ("ring-buffer: Avoid softlockup in ring_buffer_resize()") does. Detailed call trace as follow: rcu: INFO: rcu_sched self-detected stall on CPU rcu: 24-....: (14837 ticks this GP) idle=521c/1/0x4000000000000000 softirq=230597/230597 fqs=5329 rcu: (t=15004 jiffies g=26003221 q=211022 ncpus=96) CPU: 24 UID: 0 PID: 11253 Comm: bash Kdump: loaded Tainted: G EL 6.18.2+ #278 NONE pc : arch_local_irq_restore+0x8/0x20 arch_local_irq_restore+0x8/0x20 (P) free_frozen_page_commit+0x28c/0x3b0 __free_frozen_pages+0x1c0/0x678 ___free_pages+0xc0/0xe0 free_pages+0x3c/0x50 ring_buffer_resize.part.0+0x6a8/0x880 ring_buffer_resize+0x3c/0x58 __tracing_resize_ring_buffer.part.0+0x34/0xd8 tracing_resize_ring_buffer+0x8c/0xd0 tracing_entries_write+0x74/0xd8 vfs_write+0xcc/0x288 ksys_write+0x74/0x118 __arm64_sys_write+0x24/0x38 Cc: <mathieu.desnoyers@efficios.com> Link: https://patch.msgid.link/20251228065008.2396573-1-mawupeng1@huawei.com Signed-off-by: Wupeng Ma <mawupeng1@huawei.com> Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org> Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
2 daystracing: Drop unneeded assignment to soft_modeJulia Lawall
soft_mode is not read in the enable case, so drop the assignment. Drop also the comment text that refers to the assignment and realign the comment. Cc: "Paul E . McKenney" <paulmck@kernel.org> Cc: Gabriele Paoloni <gpaoloni@redhat.com> Cc: Masami Hiramatsu <mhiramat@kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Link: https://patch.msgid.link/20251226110531.4129794-1-Julia.Lawall@inria.fr Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr> Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
2 daysHID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()Kwok Kin Ming
`i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data into `ihid->rawbuf`. The former can come from the userspace in the hidraw driver and is only bounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set `max_buffer_size` field of `struct hid_ll_driver` which we do not). The latter has size determined at runtime by the maximum size of different report types you could receive on any particular device and can be a much smaller value. Fix this by truncating `recv_len` to `ihid->bufsize - sizeof(__le16)`. The impact is low since access to hidraw devices requires root. Signed-off-by: Kwok Kin Ming <kenkinming2002@gmail.com> Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>