Sean Wang [Fri, 6 Mar 2026 23:22:26 +0000 (17:22 -0600)]
wifi: mt76: mt7925: pass mlink to sta_hdr_trans_tlv()
Drop the mt792x_sta_to_link() lookup in mt7925_mcu_sta_hdr_trans_tlv()
and pass the resolved mlink from the caller instead. The link is
already known at the call site, making the lookup redundant.
This keeps the helper lookup-free and makes WCID selection explicit.
Sean Wang [Fri, 6 Mar 2026 23:22:25 +0000 (17:22 -0600)]
wifi: mt76: mt7925: pass mlink to mac_link_sta_remove()
Drop the mt792x_sta_to_link() lookup in mt7925_mac_link_sta_remove()
and pass mlink from mt7925_mac_sta_remove_links() instead. The link is
already resolved there, making the extra lookup redundant.
This keeps the remove helper lookup-free and avoids hidden dependence on
msta->link[link_id] during teardown.
Sean Wang [Fri, 6 Mar 2026 23:22:24 +0000 (17:22 -0600)]
wifi: mt76: mt7925: resolve primary mlink via def_wcid
Use mlink->wcid.def_wcid to obtain the primary mlink in
mt7925_mac_link_sta_add() instead of calling mt792x_sta_to_link().
The primary link context is already carried by the WCID, so the extra
lookup is redundant. This makes the add path follow the existing WCID
association directly.
Sean Wang [Fri, 6 Mar 2026 23:22:23 +0000 (17:22 -0600)]
wifi: mt76: mt7925: pass mlink to mcu_sta_update()
Drop the mt792x_sta_to_link() lookup in mt7925_mcu_sta_update() and
pass the resolved mlink from the caller instead. The link context is
already known at the call site, making the lookup redundant.
This keeps the helper lookup-free and makes WCID selection explicit.
Sean Wang [Fri, 6 Mar 2026 23:22:22 +0000 (17:22 -0600)]
wifi: mt76: mt7925: pass mlink and mconf to sta_mld_tlv()
Drop the mt792x_sta_to_link() lookup in mt7925_mcu_sta_mld_tlv() and
pass mlink and mconf from the caller instead. The link context is
already known at the call site, making the lookup redundant.
This keeps the helper lookup-free and makes MLD link selection
explicit.
Sean Wang [Fri, 6 Mar 2026 23:22:21 +0000 (17:22 -0600)]
wifi: mt76: mt7925: pass WCID indices to bss_basic_tlv()
Drop the mt792x_sta_to_link() lookup in mt7925_mcu_bss_basic_tlv() and
pass the resolved WCID indices from the caller instead. The link
context is already known, so the lookup is redundant.
This makes link ownership explicit and keeps the helper lookup-free.
Sean Wang [Fri, 6 Mar 2026 23:22:20 +0000 (17:22 -0600)]
wifi: mt76: mt7925: pass mlink to sta_amsdu_tlv()
Drop the mt792x_sta_to_link() lookup in mt7925_mcu_sta_amsdu_tlv() and
pass mlink from the caller instead. The link context is already known
so the lookup is redundant.
This makes link ownership explicit and keeps the helper lookup-free.
StanleyYP Wang [Thu, 12 Mar 2026 09:57:24 +0000 (17:57 +0800)]
wifi: mt76: mt7996: fix issues with manually triggered radar detection
Disallow triggering radar detection on non-DFS channels to prevent paused
TX queues from failing to resume, as a channel switch is not performed in
this case.
Rex Lu [Thu, 12 Mar 2026 09:57:22 +0000 (17:57 +0800)]
wifi: mt76: mt7996: adjust timeout value for boot-up calibration commands
Align the vendor driver by adjusting the timeout values for the
MCU_UNI_CMD_EFUSE_CTRL and MCU_UNI_CMD_EXT_EEPROM_CTRL commands.
Without this adjustment, false positive command timeout errors may occur,
especially on some iPA variants.
Peter Chiu [Thu, 12 Mar 2026 09:57:21 +0000 (17:57 +0800)]
wifi: mt76: mt7996: update WFSYS reset flow for MT7990 chipsets
Skip WFSYS reset during bootup for MT7990 chipsets; only reset if L0.5
recovery is triggered.
Without this fix, the following kernel error may occur:
Internal error: synchronous external abort.
Felix Fietkau [Mon, 9 Mar 2026 06:07:30 +0000 (06:07 +0000)]
wifi: mt76: add per-link beacon monitoring for MLO
With chanctx drivers using hardware scan or remain-on-channel,
mac80211 does not know when the radio goes off-channel, which breaks
its software beacon loss detection.
Implement per-link beacon monitoring in the driver. Track the last
beacon timestamp per link and check for beacon loss periodically from
the mac_work handler.
Beacon monitoring is initialized on association and on late link
activation, and cleared on disassociation. The beacon_mon_last
timestamp is reset when returning from offchannel and after channel
switches to prevent false beacon loss detection.
Felix Fietkau [Mon, 9 Mar 2026 06:07:29 +0000 (06:07 +0000)]
wifi: mt76: wait for firmware TX completion of mgmt frames before channel switch
After flushing software-pending frames to DMA, mt76_has_tx_pending()
only checks DMA ring q->queued. For token-based drivers, q->queued is
decremented at DMA consumption, but firmware may not have transmitted
the frame yet. Waiting for all tokens is not feasible because data
frames may be stuck in firmware powersave/aggregation queues.
Track PSD queue tokens (firmware ALTX) per phy using an atomic counter.
These frames are sent by firmware immediately without PS buffering, so
the counter reliably reaches zero after transmission.
Increment the counter in mt76_token_consume() and decrement it in
mt76_token_release(), only for PSD queue tokens. Include the counter
in mt76_has_tx_pending() so channel switch waits for firmware TX
completion of management and nullfunc frames.
mt7615 (uses mt76_token_get/put) and non-token drivers are unaffected
as they never call mt76_token_consume/release.
Felix Fietkau [Mon, 9 Mar 2026 06:07:28 +0000 (06:07 +0000)]
wifi: mt76: route nullfunc frames to PSD/ALTX queue
ieee80211_is_data() returns true for nullfunc/QoS-nullfunc frames, so
they bypass the PSD queue routing and go through the regular VO data
queue. This means firmware processes them through the normal TID queue
instead of the ALTX queue, which doesn't guarantee immediate
transmission.
Use ieee80211_is_data_present() instead, which returns false for both
management frames and nullfunc/QoS-nullfunc (no payload), routing them
to MT_TXQ_PSD. Firmware maps PSD to the ALTX queue, which transmits
immediately without PS buffering.
This only affects frames from the mt76_tx() pending path. Regular
mac80211 TXQ scheduling is unchanged.
Felix Fietkau [Mon, 9 Mar 2026 06:07:27 +0000 (06:07 +0000)]
wifi: mt76: flush pending TX before channel switch
mt76_tx() queues frames on wcid->tx_pending for async processing by
tx_worker. In __mt76_set_channel(), the worker gets disabled before it
may have run, and the subsequent wait only checks DMA ring queues, not
the software pending list. This means frames like nullfunc PS frames
from mt76_offchannel_notify() may never be transmitted on the correct
channel.
Fix this by running mt76_txq_schedule_pending() synchronously after
disabling the tx_worker but before setting MT76_RESET, which would
otherwise cause mt76_txq_schedule_pending_wcid() to bail out.
Felix Fietkau [Mon, 9 Mar 2026 06:07:26 +0000 (06:07 +0000)]
wifi: mt76: send nullfunc PS frames on offchannel transitions
Since mt76 uses chanctx, mac80211 does not send nullfunc power save
notifications when the driver goes offchannel for scan or ROC.
Add mt76_offchannel_notify() to send nullfunc PM=1 before going
offchannel and PM=0 after returning, so that the AP can buffer
frames during the absence.
For MLO, iterate all vif links on the phy and set
IEEE80211_TX_CTRL_MLO_LINK so that the driver's tx_prepare_skb
resolves the correct per-link wcid.
Felix Fietkau [Mon, 9 Mar 2026 06:07:25 +0000 (06:07 +0000)]
wifi: mt76: optimize ROC for same-channel case
mt76_remain_on_channel() always creates an HT20 chandef and goes
offchannel, even when the ROC channel matches the operating channel.
This unnecessarily narrows bandwidth and triggers beacon stop/restart.
When the ROC channel matches the current operating channel, preserve
the full chandef and skip the offchannel transition, matching the
optimization already present in the scan code.
Extract the shared same-channel detection into mt76_offchannel_chandef()
and use it in both ROC and scan paths.
Felix Fietkau [Mon, 9 Mar 2026 06:07:24 +0000 (06:07 +0000)]
wifi: mt76: abort ROC on chanctx changes
mt76_change_chanctx() calls mt76_phy_update_channel() which switches
the hardware channel. If ROC is active on the same phy, this switches
away from the ROC channel and clears offchannel, but leaves ROC state
intact. Mac80211 still thinks the phy is on the ROC channel.
Abort any active ROC before proceeding, matching the pattern already
used in add, remove, assign, unassign, and switch chanctx functions.
Felix Fietkau [Mon, 9 Mar 2026 06:07:23 +0000 (06:07 +0000)]
wifi: mt76: check chanctx before restoring channel after ROC
mt76_remove_chanctx() sets phy->chanctx to NULL but does not clear
phy->main_chandef. If ROC is later performed on that phy, completion
tries to restore the stale main_chandef channel, programming the
hardware to sit on a channel with no active context.
Add a chanctx check to avoid restoring a channel when no context is
active.
Felix Fietkau [Mon, 9 Mar 2026 06:07:22 +0000 (06:07 +0000)]
wifi: mt76: add offchannel check to mt76_roc_complete
mt76_roc_complete() unconditionally calls __mt76_set_channel() to
restore the operating channel. The scan equivalent mt76_scan_complete()
checks phy->offchannel first, skipping the restore if the phy is
already back on-channel.
Without this check, ROC completion performs a redundant full hardware
channel switch when something has already moved the phy back.
Chad Monroe [Mon, 9 Mar 2026 06:07:21 +0000 (06:07 +0000)]
wifi: mt76: support upgrading passive scans to active
On channels with NO_IR or RADAR flags, wait for beacon before sending
probe requests. Allows active scanning and WPS on restricted channels
if another AP is already present.
wifi: mt76: mt7996: Remove link pointer dependency in mt7996_mac_sta_remove_links()
Remove link pointer dependency in mt7996_mac_sta_remove_links routine to
get the mt7996_phy pointer since the link can be already offchannel
running mt7996_mac_sta_remove_links(). Rely on __mt7996_phy routine
instead.
Enable missing CHANCTX_STA_CSA property required for MLO.
Fixes: f5160304d57c ("wifi: mt76: mt7996: Enable MLO support for client interfaces") Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com> Link: https://patch.msgid.link/20250928-mt7996_chanctx_sta_csa-v1-1-82e455185990@kernel.org Signed-off-by: Felix Fietkau <nbd@nbd.name>
Quan Zhou [Wed, 25 Feb 2026 09:47:22 +0000 (17:47 +0800)]
wifi: mt76: mt7925: fix incorrect TLV length in CLC command
The previous implementation of __mt7925_mcu_set_clc() set the TLV length
field (.len) incorrectly during CLC command construction. The length was
initialized as sizeof(req) - 4, regardless of the actual segment length.
This could cause the WiFi firmware to misinterpret the command payload,
resulting in command execution errors.
This patch moves the TLV length assignment to after the segment is
selected, and sets .len to sizeof(req) + seg->len - 4, matching the
actual command content. This ensures the firmware receives the
correct TLV length and parses the command properly.
Ziyi Guo [Sat, 31 Jan 2026 03:52:10 +0000 (03:52 +0000)]
wifi: mt76: add missing lock protection in mt76_sta_state for sta_event callback
mt76_sta_state() calls the sta_event callback without holding dev->mutex.
However, mt7915_mac_sta_event() (MT7915 implementation of this callback)
calls mt7915_mac_twt_teardown_flow() which has
lockdep_assert_held(&dev->mt76.mutex) indicating that callers must
hold this lock.
The locking pattern in mt76_sta_state() is inconsistent:
- mt76_sta_add() acquires dev->mutex before calling dev->drv->sta_add
- mt76_sta_remove() acquires dev->mutex before calling __mt76_sta_remove
- But sta_event callback is called without acquiring the lock
Add mutex_lock()/mutex_unlock() around the mt7915_mac_twt_teardown_flow
invocation to fix the missing lock protection and maintain consistency
with the existing locking pattern.
Michael Lo [Wed, 11 Feb 2026 09:50:25 +0000 (17:50 +0800)]
wifi: mt76: mt7921: fix 6GHz regulatory update on connection
Call mt7921_regd_update() instead of mt7921_mcu_set_clc() when setting
the 6GHz power type after connection, so that regulatory limits and SAR
power are also applied.
Duoming Zhou [Sat, 31 Jan 2026 02:47:31 +0000 (10:47 +0800)]
wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work()
When the mt7996 pci chip is detaching, the mt7996_crash_data is
released in mt7996_coredump_unregister(). However, the work item
dump_work may still be running or pending, leading to UAF bugs
when the already freed crash_data is dereferenced again in
mt7996_mac_dump_work().
Fix this by ensuring dump_work is properly canceled before
the crash_data is deallocated. Add cancel_work_sync() in
mt7996_unregister_device() to synchronize with any pending
or executing dump work.
Duoming Zhou [Fri, 30 Jan 2026 14:57:59 +0000 (22:57 +0800)]
wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work()
When the mt7915 pci chip is detaching, the mt7915_crash_data is
released in mt7915_coredump_unregister(). However, the work item
dump_work may still be running or pending, leading to UAF bugs
when the already freed crash_data is dereferenced again in
mt7915_mac_dump_work().
Fix this by ensuring dump_work is properly canceled before
the crash_data is deallocated. Add cancel_work_sync() in
mt7915_unregister_device() to synchronize with any pending
or executing dump work.
David Bauer [Thu, 29 Jan 2026 23:23:20 +0000 (00:23 +0100)]
wifi: mt76: don't return TXQ when exceeding max non-AQL packets
mt76_txq_send_burst does check if the number of non-AQL frames exceeds
the maximum. In this case the queue is returned to ieee80211_return_txq
when iterating over the scheduled TXQs in mt76_txq_schedule_list.
This has the effect of inserting said TXQ at the head of the list. This
means the loop will get the same TXQ again, which will terminate the
scheduling round. TXQs following in the list thus never get scheduled
for transmission.
This can manifest in high latency low throughput or broken connections
for said STAs.
Check if the non-AQL packet count exceeds the limit and not return the
TXQ in this case.
Schedule all TXQs for the STA in case the non-AQL limit can be satisfied
again.
StanleyYP Wang [Tue, 3 Feb 2026 15:55:32 +0000 (23:55 +0800)]
wifi: mt76: mt7996: fix queue pause after scan due to wrong channel switch reason
Previously, we used the IEEE80211_CONF_IDLE flag to avoid setting the
parking channel with the CH_SWITCH_NORMAL reason, which could trigger TX
emission before bootup CAC.
However, we found that this flag can be set after triggering scanning on a
connected station interface, and the reason CH_SWITCH_SCAN_BYPASS_DPD will
be used when switching back to the operating channel, which makes the
firmware failed to resume paused AC queues.
Seems that we should avoid relying on this flag after switching to single
multi-radio architecture. Instead, use the existence of chanctx as the
condition.
StanleyYP Wang [Tue, 3 Feb 2026 15:55:31 +0000 (23:55 +0800)]
wifi: mt76: avoid to set ACK for MCU command if wait_resp is not set
When wait_resp is not set but the ACK option is enabled in the MCU TXD,
the ACK event is enqueued to the MCU event queue without being dequeued
by the original MCU command request.
Any orphaned ACK events will only be removed from the queue when another
MCU command requests a response. Due to sequence index mismatches, these
events are discarded one by one until a matching sequence index is found.
However, if several MCU commands that do not require a response continue
to fill up the event queue, there is a risk that when an MCU command with
wait_resp enabled is issued, it may dequeue the wrong event skb,
especially if the queue contains events with all possible sequence
indices.
Sean Wang [Thu, 19 Feb 2026 00:40:02 +0000 (18:40 -0600)]
wifi: mt76: mt792x: add PSE handling barrier for the large MCU cmd
Add a dummy register read in mt76_connac_mcu_rate_txpower_band() to act as
a PSE barrier. This would release PSE pages and prevents buffer underflow
issues when handling MCU commands with larger payloads without the response
in mt76_connac_mcu_set_rate_txpower().
This is a prerequisite patch before enabling MT7902 PCIe and SDIO support.
Co-developed-by: Xiong Huang <xiong.huang@mediatek.com> Signed-off-by: Xiong Huang <xiong.huang@mediatek.com> Signed-off-by: Sean Wang <sean.wang@mediatek.com> Link: https://patch.msgid.link/20260219004007.19733-6-sean.wang@kernel.org Signed-off-by: Felix Fietkau <nbd@nbd.name>
Sean Wang [Thu, 19 Feb 2026 00:39:59 +0000 (18:39 -0600)]
wifi: mt76: mt7921: handle MT7902 irq_map quirk with mutable copy
MT7902 PCIe requires a different wm2_complete_mask value, so introduce a
mutable per-device copy of the default irq_map and override the field
only for this chip. Other devices continue using the shared const
template.
This is a prerequisite patch before enabling MT7902 PCIe support.
Co-developed-by: Xiong Huang <xiong.huang@mediatek.com> Signed-off-by: Xiong Huang <xiong.huang@mediatek.com> Signed-off-by: Sean Wang <sean.wang@mediatek.com> Link: https://patch.msgid.link/20260219004007.19733-3-sean.wang@kernel.org Signed-off-by: Felix Fietkau <nbd@nbd.name>
Sean Wang [Thu, 19 Feb 2026 00:39:57 +0000 (18:39 -0600)]
wifi: mt76: connac: use is_connac2() to replace is_mt7921() checks
Unify all per-chip conditionals under the new is_connac2() helper. This
avoids confusion caused by the previous is_mt7921() check, which
implicitly covered multiple connac2 chipsets and no longer reflected its
actual scope. This is a clean-up only change with no functional impact.
StanleyYP Wang [Thu, 12 Feb 2026 09:03:10 +0000 (17:03 +0800)]
wifi: mt76: mt7996: apply calibration-free data from OTP
Before sending the current EEPROM data to the firmware, read the
calibration-free data (FT data) from the efuse and merge it with
the existing EEPROM data.
StanleyYP Wang [Thu, 12 Feb 2026 09:03:08 +0000 (17:03 +0800)]
wifi: mt76: add external EEPROM support for mt799x chipsets
For the MT7992 and MT7990 chipsets, efuse mode is not supported because
there is insufficient space in the efuse to store the calibration data.
Therefore, an additional on-chip EEPROM is added to address this
limitation.
Weixie Cui [Sat, 21 Mar 2026 06:08:00 +0000 (14:08 +0800)]
bpf: propagate kvmemdup_bpfptr errors from bpf_prog_verify_signature
kvmemdup_bpfptr() returns -EFAULT when the user pointer cannot be
copied, and -ENOMEM on allocation failure. The error path always
returned -ENOMEM, misreporting bad addresses as out-of-memory.
Return PTR_ERR(sig) so user space gets the correct errno.
Martin KaFai Lau [Mon, 23 Mar 2026 22:52:50 +0000 (15:52 -0700)]
bpf: Remove ipv6_bpf_stub usage in test_run
bpf_prog_test_run_skb() uses net->ipv6.ip6_null_entry for
BPF_PROG_TYPE_LWT_XMIT test runs.
It currently checks ipv6_bpf_stub before using ip6_null_entry.
ipv6_bpf_stub will be removed by the CONFIG_IPV6=m support removal
series posted at [1], so switch this check to ipv6_mod_enabled()
instead.
This change depends on that series [1]. Without it, CONFIG_IPV6=m is
still possible, and net->ipv6.ip6_null_entry remains NULL until
the IPv6 module is loaded.
Cc: Jakub Kicinski <kuba@kernel.org> Cc: Fernando Fernandez Mancera <fmancera@suse.de> Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org> Reviewed-by: Sun Jian <sun.jian.kdev@gmail.com> Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de> Link: https://lore.kernel.org/r/20260323225250.1623542-1-martin.lau@linux.dev Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Hao Sun [Fri, 20 Mar 2026 16:23:36 +0000 (17:23 +0100)]
bpf: Simplify tnum_step()
Simplify tnum_step() from a 10-variable algorithm into a straight
line sequence of bitwise operations.
Problem Reduction:
tnum_step(): Given a tnum `(tval, tmask)` where `tval & tmask == 0`,
and a value `z` with `tval ≤ z < (tval | tmask)`, find the smallest
`r > z`, a tnum-satisfying value, i.e., `r & ~tmask == tval`.
Every tnum-satisfying value has the form tval | s where s is a subset
of tmask bits (s & ~tmask == 0). Since tval and tmask are disjoint:
tval | s = tval + s
Similarly z = tval + d where d = z - tval, so r > z becomes:
tval + s > tval + d
s > d
The problem reduces to: find the smallest s, a subset of tmask, such
that s > d.
Notice that `s` must be a subset of tmask, the problem now is simplified.
Algorithm:
The mask bits of `d` form a "counter" that we want to increment by one,
but the counter has gaps at the fixed-bit positions. A normal +1 would
stop at the first 0-bit it meets; we need it to skip over fixed-bit
gaps and land on the next mask bit.
Step 1 -- plug the gaps:
d | carry_mask | ~tmask
- ~tmask fills all fixed-bit positions with 1.
- carry_mask = (1 << fls64(d & ~tmask)) - 1 fills all positions
(including mask positions) below the highest non-mask bit of d.
After this, the only remaining 0s are mask bits above the highest
non-mask bit of d where d is also 0 -- exactly the positions where
the carry can validly land.
Step 2 -- increment:
(d | carry_mask | ~tmask) + 1
Adding 1 flips all trailing 1s to 0 and sets the first 0 to 1. Since
every gap has been plugged, that first 0 is guaranteed to be a mask bit
above all non-mask bits of d.
Step 3 -- mask:
((d | carry_mask | ~tmask) + 1) & tmask
Strip the scaffolding, keeping only mask bits. Call the result inc.
The patch passes my local test: test_verifier, test_progs for
`-t verifier` and `-t reg_bounds`.
CBMC shows the new code is equiv to original one[1], and
a lean4 proof of correctness is available[2]:
theorem tnumStep_correct (tval tmask z : BitVec 64)
-- Precondition: valid tnum and input z
(h_consistent : (tval &&& tmask) = 0)
(h_lo : tval ≤ z)
(h_hi : z < (tval ||| tmask)) :
-- Postcondition: r must be:
-- (1) tnum member
-- (2) z < r
-- (3) for any other member w > z, r <= w
let r := tnumStep tval tmask z
satisfiesTnum64 r tval tmask ∧
tval ≤ r ∧ r ≤ (tval ||| tmask) ∧
z < r ∧
∀ w, satisfiesTnum64 w tval tmask → z < w → r ≤ w := by
-- unfold definition
unfold tnumStep satisfiesTnum64
simp only []
refine ⟨?_, ?_, ?_, ?_, ?_⟩
-- the solver proves each conjunct
· bv_decide
· bv_decide
· bv_decide
· bv_decide
· intro w hw1 hw2; bv_decide
Puranjay Mohan [Wed, 18 Mar 2026 17:22:57 +0000 (10:22 -0700)]
bpftool: Enable aarch64 ISA extensions for JIT disassembly
The LLVM disassembler needs ISA extension features enabled to correctly
decode instructions from those extensions. On aarch64, without these
features, instructions like LSE atomics (e.g. ldaddal) are silently
decoded as incorrect instructions and disassembly is truncated.
Use LLVMCreateDisasmCPUFeatures() with "+all" features for aarch64
targets so that the disassembler can handle any instruction the kernel
JIT might emit.
Carlos Llamas [Thu, 12 Mar 2026 18:38:17 +0000 (18:38 +0000)]
bpf: Switch CONFIG_CFI_CLANG to CONFIG_CFI
This was renamed in commit 23ef9d439769 ("kcfi: Rename CONFIG_CFI_CLANG
to CONFIG_CFI") as it is now a compiler-agnostic option. Using the wrong
name results in the code getting compiled out. Meaning the CFI failures
for btf_dtor_kfunc_t would still trigger.
Fixes: 99fde4d06261 ("bpf, btf: Enforce destructor kfunc type with CFI") Signed-off-by: Carlos Llamas <cmllamas@google.com> Reviewed-by: Sami Tolvanen <samitolvanen@google.com> Acked-by: Yonghong Song <yonghong.song@linux.dev> Link: https://lore.kernel.org/r/20260312183818.2721750-1-cmllamas@google.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Eric Biggers [Sat, 14 Mar 2026 21:45:55 +0000 (14:45 -0700)]
bpf: Remove inclusions of crypto/sha1.h
Since commit 603b44162325 ("bpf: Update the bpf_prog_calc_tag to use
SHA256") made BPF program tags use SHA-256 instead of SHA-1, the header
<crypto/sha1.h> no longer needs to be included. Remove the relevant
inclusions so that they no longer unnecessarily come up in searches for
which kernel code is still using the obsolete SHA-1 algorithm.
Since net/ipv6/addrconf.c was relying on the transitive inclusion of
<crypto/sha1.h> (for an unrelated purpose) via <linux/filter.h>, make it
include <crypto/sha1.h> explicitly in order to keep that file building.
Miri Korenblit [Fri, 20 Mar 2026 12:15:32 +0000 (14:15 +0200)]
wifi: mac80211: don't consider the sband when processing capabilities
In NAN, we have one set of (HT, VHT, HE) capabilities for all bands,
which means that we will need to process those capabilities without a
given sband.
To prepare for that, remove the sband argument from
ieee80211_ht_cap_ie_to_sta_ht_cap and ieee80211_he_cap_ie_to_sta_he_cap
and pass our own capabilities instead.
For ieee80211_vht_cap_ie_to_sta_vht_cap, make the sband argument
optional, since it is also used to check if there is at least one channel
that supports 80 MHz.
(Note that this check doesn't make much sense, but this can be handled in
a different patch.)
Miri Korenblit [Fri, 20 Mar 2026 12:13:46 +0000 (14:13 +0200)]
wifi: mac80211: properly handle error in ieee80211_add_virtual_monitor
In case of an error in ieee80211_add_virtual_monitor,
SDATA_STATE_RUNNING should be cleared as it was set in this function.
Do it there instead of in the error path of ieee80211_do_open.
wifi: cfg80211: support UNII-9 channels in ieee80211_channel_to_freq_khz
Devices that support UNII-9 will call ieee80211_channel_to_freq_khz
with a channel number that can go up to 253.
Allow the new channel numbers in ieee80211_channel_to_freq_khz.
Miri Korenblit [Fri, 20 Mar 2026 08:19:59 +0000 (10:19 +0200)]
wifi: mac80211: make ieee80211_find_chanctx link-unaware
Currently we have only one user for a channel context: the link.
With NAN, a new type of the channel context user will be added - the NAN
channel.
To prepare for this, we need to separate the channel context code from
the link code.
Removes the link argument from ieee80211_find_chanctx. Since the issue that led
to commit 5e0c422d12b5 ("wifi: mac80211: reserve chanctx during find") - that
added the link argument - is relevant for any user of the channel context, add
a boolean to the chanctx itself, indicating that the chanctx is in the process
of getting used.
When this indication is set, the reference count of the channel context
will be incremented by one, so even if it is getting released from a link
(or another user) it won't be freed.
Kees Cook [Mon, 23 Mar 2026 17:20:16 +0000 (10:20 -0700)]
wifi: mac80211: Replace strncpy() with strscpy_pad() in drv_switch_vif_chanctx tracepoint
Replace the deprecated[1] strncpy() with strscpy_pad() for copying the
interface name into a tracepoint entry.
The source "sdata->name" is a NUL-terminated char[IFNAMSIZ] buffer
populated via NUL-guaranteeing paths: strscpy() in ieee80211_if_add(),
snprintf() in ieee80211_add_virtual_monitor(), or memcpy() from
ndev->name in ieee80211_if_add() and netdev_notify()
(net/mac80211/iface.c). In the memcpy() cases, the source ndev->name
is itself always NUL-terminated (populated via snprintf() or strscpy()
in __dev_alloc_name() and dev_prep_valid_name() in net/core/dev.c).
The destination "local_vifs[i].vif.vif_name" is a char[IFNAMSIZ] field
in struct trace_vif_entry, stored in a __dynamic_array within the trace
ring buffer. Since ring buffer entries are not zeroed on allocation,
strscpy_pad() is used to zero-fill trailing bytes and prevent exposing
stale ring buffer contents to userspace readers of tracefs.
No behavioral change: since interface names are always at most 15
characters plus a NUL terminator, strscpy_pad() with size IFNAMSIZ (16)
produces identical output to the original strncpy().
Julian Braha [Mon, 23 Mar 2026 12:41:18 +0000 (12:41 +0000)]
drm: fix dead default for DRM_TTM_KUNIT_TEST
The DRM_TTM_KUNIT_TEST config option should default
to KUNIT_ALL_TESTS so that if all tests are enabled then
it is included, but currently the 'default KUNIT_ALL_TESTS'
statement is shadowed by an unconditional 'default n',
meaning that this second default statement is currently dead code.
This dead code was found by kconfirm, a static analysis
tool for Kconfig.
Amir Goldstein [Sun, 8 Mar 2026 11:02:21 +0000 (12:02 +0100)]
ovl: fix wrong detection of 32bit inode numbers
The implicit FILEID_INO32_GEN encoder was changed to be explicit,
so we need to fix the detection.
When mounting overlayfs with upperdir and lowerdir on different ext4
filesystems, the expected kmsg log is:
overlayfs: "xino" feature enabled using 32 upper inode bits.
But instead, since the regressing commit, the kmsg log was:
overlayfs: "xino" feature enabled using 2 upper inode bits.
Fixes: e21fc2038c1b9 ("exportfs: make ->encode_fh() a mandatory method for NFS export") Cc: stable@vger.kernel.org # v6.7+ Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Jacopo Mondi [Wed, 11 Mar 2026 13:41:56 +0000 (14:41 +0100)]
media: rzv2h-ivc: Replace workqueue with direct function call
Scheduling of work items with an async workqueue opens the door to
potential races between multiple instances of a work item.
While the frame transfer function is now protected against races, using
a workqueue doesn't provide much benefit considering the limited cost of
creating a job transfer.
Replace the usage of the work queue with direct function calls.
Reviewed-by: Daniel Scally <dan.scally@ideasonboard.com> Signed-off-by: Jacopo Mondi <jacopo.mondi+renesas@ideasonboard.com> Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Jacopo Mondi [Wed, 11 Feb 2026 14:30:00 +0000 (15:30 +0100)]
media: rzv2h-ivc: Avoid double job scheduling
The scheduling of a new buffer transfer in the IVC driver is triggered
by two occurrences of the "frame completed" interrupt.
The first interrupt occurrence identifies when all image data have been
transferred to the ISP, the second occurrence identifies when the
post-transfer VBLANK has completed and a new buffer can be transferred.
Under heavy system load conditions the actual execution of the workqueue
item might be delayed and two items might happen to run concurrently,
leading to a new frame transfer being triggered while the previous one
has not yet finished.
This error condition is only visible because the driver maintains a
status variable that counts the number of interrupts since the last
transfer, and warns in case an IRQ happens before the counter has been
reset.
To ensure sequential execution of the worqueue items and avoid a double
buffer transfer to run concurrently, protect the whole function body
with the spinlock that so far was solely used to reset the counter and
inspect the interrupt counter variable at the beginning of the buffer
transfer function.
As soon as the ongoing transfer completes, the workqueue item will be
re-scheduled and will consume the pending buffer.
Cc: stable@vger.kernel.org Fixes: f0b3984d821b ("media: platform: Add Renesas Input Video Control block driver") Reviewed-by: Daniel Scally <dan.scally@ideasonboard.com> Signed-off-by: Jacopo Mondi <jacopo.mondi+renesas@ideasonboard.com> Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Barnabás Pőcze [Fri, 6 Feb 2026 16:30:54 +0000 (17:30 +0100)]
media: rzv2h-ivc: Fix concurrent buffer list access
The list of buffers (`rzv2h_ivc::buffers.queue`) is protected by a
spinlock (`rzv2h_ivc::buffers.lock`). However, in
`rzv2h_ivc_transfer_buffer()`, which runs in a separate workqueue, the
`list_del()` call is executed without holding the spinlock, which makes
it possible for the list to be concurrently modified
Fix that by removing a buffer from the list in the lock protected section.
Cc: stable@vger.kernel.org Fixes: f0b3984d821b ("media: platform: Add Renesas Input Video Control block driver") Reviewed-by: Daniel Scally <dan.scally@ideasonboard.com> Signed-off-by: Barnabás Pőcze <barnabas.pocze+renesas@ideasonboard.com>
[assign ivc->buffers.curr in critical section as reported by Barnabas] Signed-off-by: Jacopo Mondi <jacopo.mondi+renesas@ideasonboard.com> Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Barnabás Pőcze [Thu, 12 Feb 2026 15:45:48 +0000 (16:45 +0100)]
media: rzv2h-ivc: Write AXIRX_PIXFMT once
The documentation prescribes that invalid formats should not be set,
so do a single write to ensure that both the CLFMT and DTYPE fields
are set to valid values.
Cc: stable@vger.kernel.org Fixes: f0b3984d821b ("media: platform: Add Renesas Input Video Control block driver") Reviewed-by: Daniel Scally <dan.scally@ideasonboard.com> Signed-off-by: Barnabás Pőcze <barnabas.pocze+renesas@ideasonboard.com> Signed-off-by: Jacopo Mondi <jacopo.mondi+renesas@ideasonboard.com> Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Barnabás Pőcze [Thu, 12 Feb 2026 15:41:56 +0000 (16:41 +0100)]
media: rzv2h-ivc: Fix AXIRX_VBLANK register write
According to the documentation there are writable reserved bits in the
register and those should not be set to 0. So use `rzv2h_ivc_update_bits()`
with a proper bitmask.
Cc: stable@vger.kernel.org Fixes: f0b3984d821b ("media: platform: Add Renesas Input Video Control block driver") Reviewed-by: Daniel Scally <dan.scally@ideasonboard.com> Signed-off-by: Barnabás Pőcze <barnabas.pocze+renesas@ideasonboard.com> Signed-off-by: Jacopo Mondi <jacopo.mondi+renesas@ideasonboard.com> Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Daniel Scally [Thu, 12 Feb 2026 10:08:11 +0000 (10:08 +0000)]
media: rzv2h-ivc: Revise default VBLANK formula
The vertical blanking settings for the IVC block are dependent on
settings in the ISP. This was originally set to calculate as the
worst-case possible value, but it seems that this can cause the IVC
block to hang. Instead calculate the vblank to match the default
settings (which are currently all the driver sets anyway).
Cc: stable@vger.kernel.org Fixes: f0b3984d821b ("media: platform: Add Renesas Input Video Control block driver") Signed-off-by: Daniel Scally <dan.scally+renesas@ideasonboard.com> Signed-off-by: Jacopo Mondi <jacopo.mondi+renesas@ideasonboard.com> Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Daniel Scally [Thu, 12 Feb 2026 11:03:09 +0000 (11:03 +0000)]
media: mali-c55: Fix Iridix bypass macros
The Mali C55 Iridix block has a digital gain function and tone mapping
function, whose enablement is controlled by two different bits
in the BYPASS_3 register.
Unfortunately, the "Gain" and "Tonemap" bypass bit definitions are the
wrong way around. Swap them.
Jacopo Mondi [Mon, 19 Jan 2026 11:50:26 +0000 (12:50 +0100)]
media: mali-c55: Fully reset the ISP configuration
The Mali C55 driver uses an auto-suspend delay of 2000 milli-seconds.
As the delay is quite large, it is certainly possible that two
consecutive calls to enable_streams() do not go through a suspend of the
peripheral, meaning we cannot rely on POW register values for the ISP
configuration.
To prevent a streaming session to be initialized with settings from the
previous one, reset the full ISP configuration to know state disabling or
bypassing all the ISP blocks the driver supports.
Jacopo Mondi [Mon, 19 Jan 2026 11:20:56 +0000 (12:20 +0100)]
media: mali-c55: Initialize the ISP in enable_streams()
The Mali C55 driver initializes the ISP in two points:
1) At probe time it disables ISP blocks by configuring them in bypass
mode
2) At enable_streams() it initializes the crop rectangles and the image
processing pipeline using the current image format
However, as ISP blocks are configured by userspace, if their
configuration is not reset, from the second enable_streams() call
onwards the ISP configuration will depend on the previous streaming
session configuration.
To re-initialize the ISP completely at enable_streams() time consolidate
the ISP block bypass configuration and the image processing path
configuration in a single function to be called at enabled_streams()
time.
The driver currently ignores the return values of several I2C operations
during register writes, which could lead to silent failures and
inconsistent device state.
Wenyuan Li [Tue, 24 Mar 2026 08:36:06 +0000 (16:36 +0800)]
ASoC: uda1380: use dev_err() and %pe for better error reporting
Convert existing debug and error prints to dev_err() to provide better
diagnostic information. Use the %pe format specifier to print
human-readable error strings for I2C failures.
Wenyuan Li [Tue, 24 Mar 2026 08:36:05 +0000 (16:36 +0800)]
ASoC: uda1380: fix missing return value checks for I2C operations
The driver currently ignores the return values of several I2C operations
during register writes, which could lead to silent failures and
inconsistent device state.
Fix this by:
- Moving variable declarations to the beginning of the function (C90).
- Checking the return value of every i2c_master_send() and recv() call.
- Returning the actual error code if it's negative, or -EIO if the
transfer was incomplete.
wifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler()
The memcpy function assumes the dynamic array notif->matches is at least
as large as the number of bytes to copy. Otherwise, results->matches may
contain unwanted data. To guarantee safety, extend the validation in one
of the checks to ensure sufficient packet length.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Cc: stable@vger.kernel.org Fixes: 5ac54afd4d97 ("wifi: iwlwifi: mvm: Add handling for scan offload match info notification") Signed-off-by: Alexey Velichayshiy <a.velichayshiy@ispras.ru> Link: https://patch.msgid.link/20260207150335.1013646-1-a.velichayshiy@ispras.ru Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Danilo Krummrich [Tue, 24 Mar 2026 00:59:15 +0000 (01:59 +0100)]
spi: use generic driver_override infrastructure
When a driver is probed through __driver_attach(), the bus' match()
callback is called without the device lock held, thus accessing the
driver_override field without a lock, which can cause a UAF.
Fix this by using the driver-core driver_override infrastructure taking
care of proper locking internally.
Note that calling match() from __driver_attach() without the device lock
held is intentional. [1]
Also note that we do not enable the driver_override feature of struct
bus_type, as SPI - in contrast to most other buses - passes "" to
sysfs_emit() when the driver_override pointer is NULL. Thus, printing
"\n" instead of "(null)\n".
Sanman Pradhan [Mon, 23 Mar 2026 00:24:37 +0000 (00:24 +0000)]
hwmon: (peci/cputemp) Fix off-by-one in cputemp_is_visible()
cputemp_is_visible() validates the channel index against
CPUTEMP_CHANNEL_NUMS, but currently uses '>' instead of '>='.
As a result, channel == CPUTEMP_CHANNEL_NUMS is not rejected even though
valid indices are 0 .. CPUTEMP_CHANNEL_NUMS - 1.
Fix the bounds check by using '>=' so invalid channel indices are
rejected before indexing the core bitmap.
Sanman Pradhan [Mon, 23 Mar 2026 00:24:25 +0000 (00:24 +0000)]
hwmon: (peci/cputemp) Fix crit_hyst returning delta instead of absolute temperature
The hwmon sysfs ABI expects tempN_crit_hyst to report the temperature at
which the critical condition clears, not the hysteresis delta from the
critical limit.
The peci cputemp driver currently returns tjmax - tcontrol for
crit_hyst_type, which is the hysteresis margin rather than the
corresponding absolute temperature.
Return tcontrol directly, and update the documentation accordingly.
Sanman Pradhan [Thu, 19 Mar 2026 17:31:29 +0000 (17:31 +0000)]
hwmon: (pmbus/isl68137) Add mutex protection for AVS enable sysfs attributes
The custom avs0_enable and avs1_enable sysfs attributes access PMBus
registers through the exported API helpers (pmbus_read_byte_data,
pmbus_read_word_data, pmbus_write_word_data, pmbus_update_byte_data)
without holding the PMBus update_lock mutex. These exported helpers do
not acquire the mutex internally, unlike the core's internal callers
which hold the lock before invoking them.
The store callback is especially vulnerable: it performs a multi-step
read-modify-write sequence (read VOUT_COMMAND, write VOUT_COMMAND, then
update OPERATION) where concurrent access from another thread could
interleave and corrupt the register state.
Add pmbus_lock_interruptible()/pmbus_unlock() around both the show and
store callbacks to serialize PMBus register access with the rest of the
driver.
Sanman Pradhan [Thu, 19 Mar 2026 17:31:19 +0000 (17:31 +0000)]
hwmon: (pmbus/ina233) Fix error handling and sign extension in shunt voltage read
ina233_read_word_data() reads MFR_READ_VSHUNT via pmbus_read_word_data()
but has two issues:
1. The return value is not checked for errors before being used in
arithmetic. A negative error code from a failed I2C transaction is
passed directly to DIV_ROUND_CLOSEST(), producing garbage data.
2. MFR_READ_VSHUNT is a 16-bit two's complement value. Negative shunt
voltages (values with bit 15 set) are treated as large positive
values since pmbus_read_word_data() returns them zero-extended in an
int. This leads to incorrect scaling in the VIN coefficient
conversion.
Fix both issues by adding an error check, casting to s16 for proper
sign extension, and clamping the result to a valid non-negative range.
The clamp is necessary because read_word_data callbacks must return
non-negative values on success (negative values indicate errors to the
pmbus core).
Fixes: b64b6cb163f16 ("hwmon: Add driver for TI INA233 Current and Power Monitor") Cc: stable@vger.kernel.org Signed-off-by: Sanman Pradhan <psanman@juniper.net> Link: https://lore.kernel.org/r/20260319173055.125271-2-sanman.pradhan@hpe.com
[groeck: Fixed clamp to avoid losing the sign bit] Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Felix Gu [Sun, 22 Mar 2026 16:04:08 +0000 (00:04 +0800)]
EDAC/versalnet: Fix device_node leak in mc_probe()
of_parse_phandle() returns a device_node reference that must be released with
of_node_put(). The original code never freed r5_core_node on any exit path,
causing a memory leak.
Fix this by using the automatic cleanup attribute __free(device_node) which
ensures of_node_put() is called when the variable goes out of scope.
Fixes: d5fe2fec6c40 ("EDAC: Add a driver for the AMD Versal NET DDR controller") Signed-off-by: Felix Gu <ustc.gu@gmail.com> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Reviewed-by: Shubhrajyoti Datta <shubhrajyoti.datta@amd.com> Cc: <stable@kernel.org> Link: https://patch.msgid.link/20260323-versalnet-v1-1-4ab3012635ef@gmail.com
projects / thirdparty / kernel / linux.git / log
