Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=master 2026-03-24T14:32:31Z 2026-03-24T14:32:31Z Pengpeng Hou pengpeng@iscas.ac.cn 2026-03-23T08:08:45Z urn:sha1:0fd56fad9c56356e7fa7a7c52e7ecbf807a44eb0 wl1251_tx_packet_cb() uses the firmware completion ID directly to index the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the completion block, and the callback does not currently verify that it fits the array before dereferencing it. Reject completion IDs that fall outside wl->tx_frames[] and keep the existing NULL check in the same guard. This keeps the fix local to the trust boundary and avoids touching the rest of the completion flow. Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn> Link: https://patch.msgid.link/20260323080845.40033-1-pengpeng@iscas.ac.cn Signed-off-by: Johannes Berg <johannes.berg@intel.com> 2026-03-18T08:05:06Z Guenter Roeck linux@roeck-us.net 2026-03-18T06:46:36Z urn:sha1:deb353d9bb009638b7762cae2d0b6e8fdbb41a69 Since upstream commit e75665dd0968 ("wifi: wlcore: ensure skb headroom before skb_push"), wl1271_tx_allocate() and with it wl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails. However, in wlcore_tx_work_locked(), a return value of -EAGAIN from wl1271_prepare_tx_frame() is interpreted as the aggregation buffer being full. This causes the code to flush the buffer, put the skb back at the head of the queue, and immediately retry the same skb in a tight while loop. Because wlcore_tx_work_locked() holds wl->mutex, and the retry happens immediately with GFP_ATOMIC, this will result in an infinite loop and a CPU soft lockup. Return -ENOMEM instead so the packet is dropped and the loop terminates. The problem was found by an experimental code review agent based on gemini-3.1-pro while reviewing backports into v6.18.y. Assisted-by: Gemini:gemini-3.1-pro Fixes: e75665dd0968 ("wifi: wlcore: ensure skb headroom before skb_push") Cc: Peter Astrand <astrand@lysator.liu.se> Signed-off-by: Guenter Roeck <linux@roeck-us.net> Link: https://patch.msgid.link/20260318064636.3065925-1-linux@roeck-us.net Signed-off-by: Johannes Berg <johannes.berg@intel.com> 2026-03-03T11:02:05Z Bart Van Assche bvanassche@acm.org 2026-02-23T22:00:25Z urn:sha1:72c6df8f284b3a49812ce2ac136727ace70acc7c Make sure that wl->mutex is locked before it is unlocked. This has been detected by the Clang thread-safety analyzer. Fixes: 45aa7f071b06 ("wlcore: Use generic runtime pm calls for wowlan elp configuration") Signed-off-by: Bart Van Assche <bvanassche@acm.org> Link: https://patch.msgid.link/20260223220102.2158611-26-bart.vanassche@linux.dev Signed-off-by: Johannes Berg <johannes.berg@intel.com> 2026-02-22T04:03:00Z Linus Torvalds torvalds@linux-foundation.org 2026-02-22T04:03:00Z urn:sha1:32a92f8c89326985e05dce8b22d3f0aa07a3e1bd This converts some of the visually simpler cases that have been split over multiple lines. I only did the ones that are easy to verify the resulting diff by having just that final GFP_KERNEL argument on the next line. Somebody should probably do a proper coccinelle script for this, but for me the trivial script actually resulted in an assertion failure in the middle of the script. I probably had made it a bit _too_ trivial. So after fighting that far a while I decided to just do some of the syntactically simpler cases with variations of the previous 'sed' scripts. The more syntactically complex multi-line cases would mostly really want whitespace cleanup anyway. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2026-02-22T01:09:51Z Linus Torvalds torvalds@linux-foundation.org 2026-02-22T00:37:42Z urn:sha1:bf4afc53b77aeaa48b5409da5c8da6bb4eff7f43 This was done entirely with mindless brute force, using git grep -l '\<k[vmz]*alloc_objs*(.*, GFP_KERNEL)' | xargs sed -i 's/\(alloc_objs*(.*\), GFP_KERNEL)/\1)/' to convert the new alloc_obj() users that had a simple GFP_KERNEL argument to just drop that argument. Note that due to the extreme simplicity of the scripting, any slightly more complex cases spread over multiple lines would not be triggered: they definitely exist, but this covers the vast bulk of the cases, and the resulting diff is also then easier to check automatically. For the same reason the 'flex' versions will be done as a separate conversion. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2026-02-21T09:02:28Z Kees Cook kees@kernel.org 2026-02-21T07:49:23Z urn:sha1:69050f8d6d075dc01af7a5f2f550a8067510366f This is the result of running the Coccinelle script from scripts/coccinelle/api/kmalloc_objs.cocci. The script is designed to avoid scalar types (which need careful case-by-case checking), and instead replace kmalloc-family calls that allocate struct or union object instances: Single allocations: kmalloc(sizeof(TYPE), ...) are replaced with: kmalloc_obj(TYPE, ...) Array allocations: kmalloc_array(COUNT, sizeof(TYPE), ...) are replaced with: kmalloc_objs(TYPE, COUNT, ...) Flex array allocations: kmalloc(struct_size(PTR, FAM, COUNT), ...) are replaced with: kmalloc_flex(*PTR, FAM, COUNT, ...) (where TYPE may also be *VAR) The resulting allocations no longer return "void *", instead returning "TYPE *". Signed-off-by: Kees Cook <kees@kernel.org> 2026-01-19T09:17:03Z Peter Åstrand astrand@lysator.liu.se 2026-01-16T17:58:58Z urn:sha1:c34dbc5900b0158edaab51c481510d66679d8f72 This change re-applies commit 2b7aadd3b9e1 ("wlcore: Adding suppoprt for IGTK key in wlcore driver") (sic), but only enables WLAN_CIPHER_SUITE_AES_CMAC with modern firmware. This patch is required to support WPA3 connections. Signed-off-by: Peter Åstrand <astrand@lysator.liu.se> Link: https://patch.msgid.link/0d3df7ab-6c41-c3cc-83cc-5ba55fe4e4bd@lysator.liu.se Signed-off-by: Johannes Berg <johannes.berg@intel.com> 2026-01-12T18:43:15Z Thorsten Blum thorsten.blum@linux.dev 2026-01-11T13:42:57Z urn:sha1:c2510a165056b67cded071ca76297620d022259f strncpy() is deprecated [1] for NUL-terminated destination buffers since it does not guarantee NUL termination. Remove the manual NUL termination and replace strncpy() with strscpy() to ensure NUL termination of the destination buffer. Using strscpy_pad() to retain the NUL-padding behavior of strncpy() is not needed because ->fw_ver is only used as a C-string. Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1] Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Link: https://patch.msgid.link/20260111134301.598839-1-thorsten.blum@linux.dev Signed-off-by: Johannes Berg <johannes.berg@intel.com> 2026-01-08T12:29:38Z Uwe Kleine-König u.kleine-koenig@baylibre.com 2025-12-17T11:20:34Z urn:sha1:c874f5fef053652586d2ffa9b4796d021f5c619a This increases build coverage and removes two ugly #ifdefs. Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com> Link: https://patch.msgid.link/20251217112033.3309281-4-u.kleine-koenig@baylibre.com Signed-off-by: Johannes Berg <johannes.berg@intel.com> 2025-12-16T09:23:06Z Peter Åstrand astrand@lysator.liu.se 2025-12-03T07:57:08Z urn:sha1:e75665dd096819b1184087ba5718bd93beafff51 This avoids occasional skb_under_panic Oops from wl1271_tx_work. In this case, headroom is less than needed (typically 110 - 94 = 16 bytes). Signed-off-by: Peter Astrand <astrand@lysator.liu.se> Link: https://patch.msgid.link/097bd417-e1d7-acd4-be05-47b199075013@lysator.liu.se Signed-off-by: Johannes Berg <johannes.berg@intel.com>