summaryrefslogtreecommitdiff
path: root/drivers/staging
AgeCommit message (Collapse)Author
9 daysstaging: rtl8723bs: fix OOB reads in rtw_get_sec_ie(), rtw_get_wapi_ie(), ↵Alexandru Hossu
and rtw_get_wps_attr() Three IE/attribute parsing functions have missing bounds checks. rtw_get_sec_ie() and rtw_get_wapi_ie() iterate over a raw IE buffer without verifying that the header bytes (tag + length) are within the remaining buffer before reading them. Additionally, rtw_get_sec_ie() compares the 4-byte WPA OUI at cnt+2 without checking that at least 6 bytes remain, and rtw_get_wapi_ie() compares a 4-byte WAPI OUI at cnt+6 without checking that at least 10 bytes remain. rtw_get_wps_attr() reads wps_ie[0] and wps_ie+2 unconditionally at entry, before verifying that wps_ielen is large enough to contain the 6-byte WPS IE header (element_id + length + 4-byte OUI). Inside the attribute loop, get_unaligned_be16() is called on attr_ptr and attr_ptr+2 without checking that 4 bytes remain in the buffer. Add a cnt+2 bounds check before each loop body in rtw_get_sec_ie() and rtw_get_wapi_ie(), guard each multi-byte comparison with a minimum IE length requirement, add a wps_ielen < 6 early return in rtw_get_wps_attr(), and add a 4-byte bounds check in its inner loop. Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable <stable@kernel.org> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com> Link: https://patch.msgid.link/20260522004531.1038924-8-hossu.alexandru@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9 daysstaging: rtl8723bs: fix OOB reads in is_ap_in_tkip() IE loopAlexandru Hossu
The loop in is_ap_in_tkip() iterates over IEs without verifying that enough bytes remain before dereferencing the IE header or its payload: - pIE->element_id and pIE->length are read without checking that i + sizeof(*pIE) <= ie_length, so a truncated IE at the end of the buffer causes an OOB read. - For WLAN_EID_VENDOR_SPECIFIC the code compares pIE->data + 12, which requires pIE->length >= 16. For WLAN_EID_RSN it compares pIE->data + 8, requiring pIE->length >= 12. Neither requirement is checked. Add the missing IE header and payload bounds checks and guard each data access with an explicit pIE->length minimum, matching the pattern established in update_beacon_info(). Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable <stable@kernel.org> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com> Link: https://patch.msgid.link/20260522004531.1038924-7-hossu.alexandru@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9 daysstaging: rtl8723bs: fix OOB read in OnAssocRsp() IE loopAlexandru Hossu
The IE parsing loop in OnAssocRsp() advances by (pIE->length + 2) each iteration but only guards on i < pkt_len. When a malicious AP sends an AssocResponse whose last IE has only one byte remaining in the frame (the element_id byte lands at pkt_len-1), the loop reads pIE->length from pframe[pkt_len], which is one byte past the allocated receive buffer. Additionally, even when the header bytes are in bounds, pIE->length itself can extend the data window beyond pkt_len, silently passing a truncated IE to the handler functions. Add two guards at the top of the loop body: 1. Break if fewer than sizeof(*pIE) bytes remain (can't read header). 2. Break if the IE's declared data extends past pkt_len. Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable <stable@kernel.org> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com> Reviewed-by: Luka Gejak <luka.gejak@linux.dev> Link: https://patch.msgid.link/20260522004531.1038924-6-hossu.alexandru@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9 daysstaging: rtl8723bs: fix OOB write in HT_caps_handler()Alexandru Hossu
HT_caps_handler() iterates pIE->length bytes and writes into HT_caps.u.HT_cap[], which is a fixed 26-byte array (sizeof struct HT_caps_element). Because pIE->length is a raw u8 from an over-the-air 802.11 AssocResponse frame and is never validated, a malicious AP can set it up to 255, causing up to 229 bytes of out-of-bounds writes into adjacent fields of struct mlme_ext_info. Truncate the iteration count to the size of HT_caps.u.HT_cap using umin() so that data from a longer-than-expected IE is silently ignored rather than written out of bounds, preserving interoperability with APs that pad the element. An early return on oversized IEs was considered but rejected: it would bypass the pmlmeinfo->HT_caps_enable = 1 assignment that precedes the loop, silently disabling HT mode for APs that append extra bytes to the HT Capabilities IE. Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable <stable@kernel.org> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com> Reviewed-by: Luka Gejak <luka.gejak@linux.dev> Link: https://patch.msgid.link/20260522004531.1038924-5-hossu.alexandru@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9 daysstaging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie()Alexandru Hossu
supplicant_ie is a 256-byte array in struct security_priv. The WPA and WPA2 IE copy paths use: memcpy(padapter->securitypriv.supplicant_ie, &pwpa[0], wpa_ielen + 2); where wpa_ielen is the raw IE length field (u8, 0-255). When a local user supplies a connect request via nl80211 with a crafted WPA IE of length 255, wpa_ielen + 2 equals 257, overflowing the 256-byte buffer by one byte into the adjacent last_mic_err_time field. rtw_parse_wpa_ie() does not prevent this: its length consistency check compares *(wpa_ie+1) against (u8)(wpa_ie_len-2), which is (u8)(255) == 255 when wpa_ie_len = 257, so the check passes silently. Add explicit bounds checks for both the WPA and WPA2 paths before the memcpy, rejecting any IE whose total size (wpa_ielen + 2) exceeds the supplicant_ie buffer. Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable <stable@kernel.org> Reviewed-by: Luka Gejak <luka.gejak@linux.dev> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com> Link: https://patch.msgid.link/20260522004531.1038924-4-hossu.alexandru@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9 daysstaging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and ↵Alexandru Hossu
join_cmd_hdl() Two IE parsing loops are missing the header bounds checks before they dereference pIE->length: - issue_assocreq() walks pmlmeinfo->network.ies to build the association request. If the stored IE data ends with only an element_id byte and no length byte, pIE->length is read one byte past the end of the buffer. - join_cmd_hdl() walks pnetwork->ies during station join and has the same problem under the same conditions. Both buffers are filled from AP beacon and probe-response frames, so a malicious AP that sends a truncated final IE can trigger the issue. Apply the two-guard pattern established in update_beacon_info(): 1. Break if fewer than sizeof(*pIE) bytes remain. 2. Break if the IE's declared data extends past the buffer end. Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable <stable@kernel.org> Reviewed-by: Luka Gejak <luka.gejak@linux.dev> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com> Link: https://patch.msgid.link/20260522004531.1038924-3-hossu.alexandru@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9 daysstaging: rtl8723bs: fix OOB read in update_beacon_info() IE loopAlexandru Hossu
The IE parsing loop in update_beacon_info() advances by (pIE->length + 2) each iteration but only guards on i < len. When a malicious AP sends a Beacon whose last IE has only one byte remaining in the frame (the element_id byte lands at len-1), the loop reads pIE->length from one byte past the allocated receive buffer. Additionally, even when the header bytes are in bounds, pIE->length itself can extend the data window beyond len, passing a truncated IE to the handler functions. Add two guards at the top of the loop body: 1. Break if fewer than sizeof(*pIE) bytes remain (can't read header). 2. Break if the IE's declared data extends past len. Also replace i += (pIE->length + 2) with i += sizeof(*pIE) + pIE->length for consistency with the sizeof(*pIE) guards added above. Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable <stable@kernel.org> Reviewed-by: Luka Gejak <luka.gejak@linux.dev> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com> Link: https://patch.msgid.link/20260522004531.1038924-2-hossu.alexandru@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9 daysstaging: rtl8723bs: fix WEP length underflow and OOB read in OnAuth()Alexandru Hossu
OnAuth() has two bugs in the shared-key authentication path. When the Privacy bit is set, rtw_wep_decrypt() is called without verifying that the frame is long enough to contain a valid WEP IV and ICV. Inside rtw_wep_decrypt(), length is computed as: length = len - WLAN_HDR_A3_LEN - iv_len and then passed as (length - 4) to crc32_le(). If len is less than WLAN_HDR_A3_LEN + iv_len + icv_len (32 bytes), length - 4 is negative and, after the implicit cast to size_t, causes crc32_le() to read far beyond the frame buffer. Add a minimum length check before accessing the IV field and calling the decryption path. When processing a seq=3 response, rtw_get_ie() stores the Challenge Text IE length in ie_len, but the subsequent memcmp() always reads 128 bytes regardless of ie_len. IEEE 802.11 mandates a challenge text of exactly 128 bytes; reject any IE whose length field differs, matching the check already applied to OnAuthClient(). Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable <stable@kernel.org> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com> Link: https://patch.msgid.link/20260522004605.1039209-1-hossu.alexandru@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9 daysstaging: vme_user: fix location monitor leak in tsi148 bridgeHao-Qun Huang
tsi148_probe() allocates a location monitor resource and links it into tsi148_bridge->lm_resources. The probe error path frees this list, but tsi148_remove() only frees the dma, slave and master resource lists, so the location monitor resource is leaked on device unbind or module unload. Free the lm_resources list in tsi148_remove() as well, before tsi148_bridge is freed. Fixes: d22b8ed9a3b0 ("Staging: vme: add Tundra TSI148 VME-PCI Bridge driver") Cc: stable <stable@kernel.org> Cc: Martyn Welch <martyn@welchs.me.uk> Assisted-by: Claude:claude-fable-5 Signed-off-by: Hao-Qun Huang <alvinhuang0603@gmail.com> Link: https://patch.msgid.link/20260704065817.403111-2-alvinhuang0603@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9 daysstaging: vme_user: fix location monitor leak in fake bridgeHao-Qun Huang
fake_init() allocates a location monitor resource and links it into fake_bridge->lm_resources. The init error path frees this list, but fake_exit() only frees the slave and master resource lists. Loading and unloading the module therefore triggers a kmemleak warning: unreferenced object 0xffff8b8b82aebe40 (size 64): comm "init", pid 1, jiffies 4294894572 backtrace (crc c1e013ef): kmemleak_alloc+0x4e/0x90 __kmalloc_cache_noprof+0x338/0x430 0xffffffffc0602246 do_one_initcall+0x4f/0x320 do_init_module+0x68/0x270 load_module+0x2a3b/0x2d90 Free the lm_resources list in fake_exit() as well, before fake_bridge is freed. Fixes: 658bcdae9c67 ("vme: Adding Fake VME driver") Cc: stable <stable@kernel.org> Cc: Martyn Welch <martyn@welchs.me.uk> Assisted-by: Claude:claude-fable-5 Signed-off-by: Hao-Qun Huang <alvinhuang0603@gmail.com> Link: https://patch.msgid.link/20260704065817.403111-1-alvinhuang0603@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9 daysstaging: vme_user: bound slave read/write to the kern_buf sizeMichael Tautschnig
The SLAVE-path helpers buffer_to_user() and buffer_from_user() copy 'count' bytes into/out of the fixed-size kern_buf (size_buf == PCI_BUF_SIZE == 0x20000, 128 KiB) using *ppos as the offset, without bounding *ppos + count against size_buf. vme_user_write()/vme_user_read() only clamp count to the VME window size (image_size = vme_get_size(resource)), which VME_SET_SLAVE sets from the user-supplied slave.size -- validated against the VME address space (up to VME_A32_MAX = 4 GiB), not against PCI_BUF_SIZE. When the window exceeds 128 KiB, a write()/read() copies past the kern_buf allocation. Clamp count against size_buf in both helpers, with an early return when *ppos is already at/after the buffer end. *ppos is >= 0 here (the caller rejects negative offsets), so size_buf - *ppos cannot wrap. This mirrors the existing clamp in the MASTER-path helpers resource_to_user() / resource_from_user(), and matches the read()/write() convention of a short transfer at end-of-buffer. Found by static analysis (CodeQL taint tracking + CBMC bounded model checking) and confirmed dynamically under KASAN with the vme_fake bridge: BUG: KASAN: slab-out-of-bounds in _copy_from_user+0x2d/0x80 Write of size 262144 at addr ffff888004100000 by task trigger/68 _copy_from_user+0x2d/0x80 vme_user_write+0x13e/0x240 [vme_user] vfs_write+0x1b8/0x7a0 ksys_write+0xb8/0x150 Fixes: f00a86d98a1e ("Staging: vme: add VME userspace driver") Cc: stable <stable@kernel.org> Signed-off-by: Michael Tautschnig <tautschn@amazon.com> Link: https://patch.msgid.link/20260618114709.72499-1-tautschn@amazon.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9 daysstaging: rtl8723bs: don't drop short TX frames in _rtw_pktfile_read()Christopher Mackle
Commit bc4df274dca6 ("staging: rtl8723bs: update _rtw_pktfile_read() to return error codes") changed _rtw_pktfile_read() to fail when the caller asks for more bytes than remain in the packet: if (rtw_remainder_len(pfile) < rlen) return -EINVAL; That breaks the assumption made by the data TX path. In rtw_xmitframe_coalesce() (core/rtw_xmit.c) the per-fragment copy is issued with the full fragment length, mpdu_len, which is derived from pxmitpriv->frag_len (~2300 bytes), and the code relies on the historical behaviour of copying only what is left and returning the number of bytes actually copied: mem_sz = _rtw_pktfile_read(&pktfile, pframe, mpdu_len); if (mem_sz < 0) return mem_sz; So for every outbound packet smaller than the fragmentation threshold - i.e. essentially all normal traffic, including the EAPOL frames of the WPA 4-way handshake and DHCP - rlen is larger than the bytes remaining, _rtw_pktfile_read() returns -EINVAL, rtw_xmitframe_coalesce() aborts, and the frame is dropped before it is queued to the hardware. The driver floods the log with: rtl8723bs ...: xmit_xmitframes: coalesce failed with error -22 Management frames (authentication/association) use a different path and still go out, so the interface scans and associates, but no data frame is ever transmitted. The 4-way handshake therefore never completes and wpa_supplicant misreports it as: WPA: 4-Way Handshake failed - pre-shared key may be incorrect AP mode is unaffected. The net effect is that the chip is unusable in station mode on any kernel carrying the offending commit. This was confirmed with a wpa_supplicant -dd trace on an RTL8723BS SDIO adapter (Bay Trail): message 1/4 is received and the PTK is derived, but each "Sending EAPOL-Key 2/4" coincides 1:1 with a "coalesce failed with error -22", so message 2/4 never reaches the AP, which keeps retrying message 1/4 until the handshake times out. Restore the original semantics: clamp the requested length to the bytes remaining in the packet and return that length. The skb_copy_bits() error path is kept, so genuine copy failures are still propagated. Fixes: bc4df274dca6 ("staging: rtl8723bs: update _rtw_pktfile_read() to return error codes") Cc: stable <stable@kernel.org> Tested-by: Christopher Mackle <christophermackle01@gmail.com> Signed-off-by: Christopher Mackle <christophermackle01@gmail.com> Link: https://patch.msgid.link/20260620013916.7148-1-christophermackle01@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
14 daysReplace <linux/mod_devicetable.h> by more specific <linux/device-id/*.h> (c ↵Uwe Kleine-König (The Capable Hub)
files) Replace the #include of <linux/mod_devicetable.h> by the more specific <linux/device-id/*.h> where applicable. For most cases the include can be dropped completely, only a few drivers need one or two headers added. Acked-by: Danilo Krummrich <dakr@kernel.org> Acked-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Acked-by: Bjorn Helgaas <bhelgaas@google.com> Link: https://patch.msgid.link/1a3f2007c5c5dcf555c09a4035ce3ae8ef1b6c49.1782808461.git.u.kleine-koenig@baylibre.com Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
2026-06-22Merge tag 'staging-7.2-rc1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging Pull staging driver updates from Greg KH: "Here is the big set of staging driver updates for 7.2-rc1. Nothing major in here, just constant grind of tiny cleanups and coding style fixes and wrapper removals. Overall more code was removed than added, always a nice sign that things are progressing forward. Changes outside of drivers/staging/ was due to the octeon driver changes, which for some reason also lives partially in the mips subsystem, someday that all will be untangled and cleaned up, or just removed entirely, it's hard to tell which is going to be its fate. Other than octeon driver cleanups, in here are the usual: - rtl8723bs driver reworking and cleanups, being the bulk of this merge window given all of the issues and wrappers involved in that beast of a driver - most driver cleanups - sm750fb driver cleanups (which might be done, as this really should be moved to the drm layer one of these days...) - other tiny staging driver cleanups and fixes All of these have been in linux-next for many weeks with no reported issues" * tag 'staging-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: (199 commits) staging: most: video: avoid double free on video register failure staging: sm750: rename CamelCase variable Bpp to bpp staging: rtl8723bs: delete superfluous switch statement staging: sm750fb: Mark g_noaccel, g_nomtrr and g_dualview as __ro_after_init staging: rtl8723bs: propagate errno through hal xmit path staging: rtl8723bs: propagate errno through xmit enqueue path staging: rtl8723bs: convert rtw_xmit_classifier to return errno staging: rtl8723bs: make rtw_xmit_classifier static staging: rtl8723bs: simplify rtw_xmit_classifier control flow staging: rtl8723bs: make _rtw_enqueue_cmd return 0 on success staging: rtl8723bs: simplify rtw_enqueue_cmd control flow staging: rtl8723bs: make _rtw_enqueue_cmd static staging: rtl8723bs: simplify _rtw_enqueue_cmd control flow staging: rtl8723bs: fix multiple blank lines in more hal/ files staging: rtl8723bs: remove unused TXDESC_64_BYTES code staging: rtl8723bs: remove unused DBG_XMIT_BUF and DBG_XMIT_BUF_EXT code staging: rtl8723bs: fix multiple blank lines in hal/Hal* files staging: rtl8723bs: fix multiple blank lines in hal/ files staging: rtl8723bs: rtw_mlme: add blank line for readability staging: rtl8723bs: rtw_mlme: wrap rtw_sitesurvey_cmd condition ...
2026-06-22Merge tag 'char-misc-7.2-rc1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc Pull misc driver updates from Greg KH: "Here is the big set of char, misc, iio, fpga, and other small driver subsystems changes for 7.2-rc1. Lots of little stuff in here, the majority being of course the IIO driver updates, as a list they are: - IIO driver updates and additions - GPIB driver bugfixes and cleanups - Android binder driver updates (rust and C version) - counter driver updates - MHI driver updates - mei driver updates - w1 driver updates - interconnect driver updates - Comedi driver fixes and updates - some obsolete char drivers removed (applicom and dtlk) - hwtracing driver updates - other tiny driver updates All of these have been in linux-next for a while with no reported issues" * tag 'char-misc-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (406 commits) w1: ds2482: Use named initializers for arrays of i2c_device_data firmware: stratix10-svc: Add support to query Arm Trusted Firmware (ATF) version firmware: stratix10-rsu: avoid blocking reboot_image sysfs when busy coresight: ultrasoc-smb: Fix OOB write in smb_sync_perf_buffer() iio: adc: nxp-sar-adc: harden buffer ISR against per-channel read failure iio: chemical: scd30: Replace manual locking with RAII locking iio: light: tsl2591: remove unneeded tsl2591_compatible_als_persist_cycle() iio: dac: ad5686: create bus ops struct iio: dac: ad5686: cleanup doc header of local structs iio: dac: ad5686: add control_sync() for single-channel devices iio: dac: ad5686: add helpers to handle powerdown masks iio: dac: ad5686: add of_match table to the spi driver iio: dac: ad5686: drop enum id iio: dac: ad5686: remove redundant register definition iio: dac: ad5686: refactor include headers iio: adc: ad4080: fix AD4880 chip ID iio: light: veml3328: add support for new device dt-bindings: iio: light: veml6030: add veml3328 fpga: microchip-spi: fix zero header_size OOB read in mpf_ops_parse_header() fpga: dfl-afu: validate DMA mapping length in afu_dma_map_region() ...
2026-06-18Merge tag 'media/v7.2-1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media Pull media updates from Mauro Carvalho Chehab: - v4l2: - core: fix subdev sensor ownership - subdev: Allow accessing routes with STREAMS client capability - ctrls: Add validation for HEVC active reference counts and background detection control - common: Add YUV24 format info and has_alpha helper - vb2: Change vb2_read() and vb2_write() return types to ssize_t - i2c: cvs: Add driver of Intel Computer Vision Sensing Controller(CVS) - atmel-isc: remove deprecated driver - cec: Add CEC Latency Indication Protocol (LIP) support - imon: Add iMON VFD HID OEM v1.2 key mappings - AVMatrix: new HWS capture driver - isp4: new AMD capture driver - qcom: - iris: Add hierarchical coding, B-frame, and Long-Term Reference support for encoder - camss: Add SM6350 platform support - venus: Add SM6115 platform support - chips-media: wave5: Add support for Packed YUV422, CBP profile, and background detection - csi2rx: Add multistream support and 32 dma chans - Several cleanups and fixes * tag 'media/v7.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (394 commits) media: v4l2-fwnode: Fix subdev owner overwritten in v4l2_async_register_subdev_sensor() media: qcom: iris: vdec: allow GEN2 decoding into 10bit format media: qcom: iris: vdec: update find_format to handle 8bit and 10bit formats media: qcom: iris: vdec: update size and stride calculations for 10bit formats media: qcom: iris: gen2: add support for 10bit decoding media: qcom: iris: add QC10C & P010 buffer size calculations media: qcom: iris: add helpers for 8bit and 10bit formats media: qcom: iris: Fix FPS calculation and VPP FW overhead media: qcom: camss: vfe-340: Support for PIX client media: qcom: camss: vfe-340: Proper client handling media: qcom: camss: csid-340: Enable PIX interface routing media: qcom: camss: csid-340: Add port-to-interface mapping media: qcom: camss: csid-340: Switch to generic CSID_CFG/CTRL registers media: iris: Initialize HFI ops after firmware load in core init media: iris: drop struct iris_fmt media: iris: Add platform data for X1P42100 media: iris: Add hardware power on/off ops for X1P42100 media: iris: optimize COMV buffer allocation for VPU3x and VPU4x media: iris: add FPS calculation and VPP FW overhead in frequency formula media: qcom: iris: Simplify COMV size calculation ...
2026-06-16Merge tag 'spi-v7.2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi Pull spi updates from Mark Brown: "This has been quite a busy release, mainly due to the subsystem wide work Johan Hovold has done to modernise resource allocation for the subsystem on probe, the subsystem did some very clever allocation management pre devm which didn't quite mesh comfortably with managed allocations and made it far too easy to introduce error handling and removal bugs. - Cleanup and simplification of controller struct allocation, moving everything over to devm and making the devm APIs more robust, from Johan Hovold - Support for spi-mem devices that don't assert chip select and support for a secondary read command for memory mapped flashes, some commits for this are shared with mtd. - Support for SpacemiT K1" * tag 'spi-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi: (118 commits) spi: Fix mismatched DT property access types spi: xilinx: use FIFO occupancy register to determine buffer size spi: spi-mem: Fix spi_controller_mem_ops kdoc spi: xilinx: let transfers timeout in case of no IRQ spi: dt-bindings: nuvoton,npcm750-fiu: Convert to DT schema spi: meson-spifc: fix runtime PM leak on remove spi: Use named initializers for platform_device_id arrays spi: rzv2h-rspi: Add suspend/resume support spi: dw-pci: remove redundant pci_free_irq_vectors() calls spi: ep93xx: fix double-free of zeropage on DMA setup failure spi: cadence-xspi: Revert COMPILE_TEST support spi: cadence-xspi: Support 32bit and 64bit slave dma interface spi: tegra210-quad: Allocate DMA memory for DMA engine spi: imx: replace dmaengine_terminate_all() with dmaengine_terminate_sync() spi: fsl-lpspi: terminate the RX channel on TX prepare failure path spi: fsl-lpspi: replace dmaengine_terminate_all() with dmaengine_terminate_sync() spi: atmel: fix DMA channel and bounce buffer leaks spi: omap2-mcspi: Use of_device_get_match_data() spi: Use named initializers for arrays of i2c_device_data spi: aspeed: Replace VLA parameter with flat pointer in calibration helper ...
2026-06-16Merge tag 'gpio-updates-for-v7.2-rc1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux Pull gpio updates from Bartosz Golaszewski: "There's one new driver, one legacy driver removed, a kunit test-suite for the GPIO core, support for new models in existing drivers and a slew of various changes in many places though I can't think of anything controversial that would stand out - it's been a relatively calm cycle. GPIO core: - Add an initial set of kunit test cases for the GPIO subsystem - Use the devres owner as the GPIO chip's parent in absence of any other parent - Fix const-correctness of GPIO chip SRCU guards - Provide new GPIO consumer interfaces: gpiod_is_single_ended() and fwnode_gpiod_get() - Quarantine all legacy GPIO APIs in linux/gpio/legacy.h - Use __ro_after_init where applicable New drivers: - Add driver for the GPIO controller on Waveshare DSI TOUCH panels Removed drivers: - Remove the obsolete ts5500 GPIO driver Driver updates: - Modernize gpio-timberdale: remove platform data support and use generic device property accessors - Extend test build coverage by enabling COMPILE_TEST for more GPIO drivers - Add some missing dependencies in Kconfig - Add support for sparse fixed direction to gpio-regmap - Remove dead code from gpio-nomadik - use BIT() in gpio-mxc - use bitmap_complement() in gpio-xilinx and gpio-pca953x - Use more appropriate printing functions where applicable - Use named initializers for platform_device_id and i2c_device_id arrays - Convert gpio-altera to using the generic GPIO chip helper library - Add support for new models to gpio-dwapb, gpio-zynq, gpio-usbio and gpio-tegra186 - Unify the naming convention for Qualcomm in GPIO drivers - Fix interrupt bank mapping to GPIO chips in gpio-mt7621 - Add support for the lines-initial-states property to gpio-74x164 - Switch to using dynamic GPIO base in gpio-ixp4xx - Move the handling of an OF quirk from ASoC to gpiolib-of.c where other such quirks live - Use handle_bad_irq() in gpio-ep93xx - Some other minor tweaks and refactorings Devicetree bindings: - Document the Waveshare GPIO controller for DSI TOUCH panels - Document new models: Tegra238 in gpio-tegra186 and EIO GPIO in gpio-zynq - Add new properties for gpio-dwapb and fairchild,74hc595 - Fix whitespace issues - Sort compatibles alphabetically in gpio-zynq Documentation: - Fix kerneldoc warnings in gpio-realtek-otto Misc: - Attach software nodes representing GPIO chips to the actual struct device objects associated with them in some legacy platforms enabling real firmware node lookup instead of string matching - Drop unneeded dependencies on OF_GPIO from bus and staging drivers" * tag 'gpio-updates-for-v7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux: (62 commits) gpio: nomadik: remove dead DB8540 code from <gpio/gpio-nomadik.h> gpio: mt7621: fix interrupt banks mapping on gpio chips bus: ts-nbus: drop unneeded dependency on OF_GPIO staging: media: max96712: drop unneeded dependency on OF_GPIO gpiolib: Replace strcpy() with memcpy() gpio: remove obsolete UAF FIXMEs from lookup paths gpio: core: fix const-correctness of gpio_chip_guard gpio: mxc: use BIT() macro gpio: realtek-otto: fix kernel-doc warnings gpio: max77620: Unify usage of space and comma in platform_device_id array gpio: Use named initializers for platform_device_id arrays gpio: cros-ec: Drop unused assignment of platform_device_id driver data ARM: omap1: enable real software node lookup of GPIOs on Nokia 770 ARM: omap1: use platform_device_register_full() for GPIO devices on OMAP 16xx ARM: omap1: drop unused variable from omap16xx_gpio_init() gpio: gpiolib: use seq_puts() for plain strings gpio: ts5500: remove obsolete driver gpio: add kunit test cases for the GPIO subsystem kunit: provide kunit_platform_device_unregister() kunit: provide kunit_platform_device_register_full() ...
2026-06-12Merge tag 'staging-7.1-final' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging Pull staging driver fixes from Greg KH: "Here are two small bugfixes for a staging driver to fix a much-reported issue. The fixes are for the rtl8723bs driver and it's something that many scanning tools keep tripping over in convoluted ways (and seems to be able to be triggered by network traffic) These fixes have been in linux-next for many weeks with no reported issues, sorry for the delay in getting them to you" * tag 'staging-7.1-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: staging: rtl8723bs: rtw_mlme: add bounds checks before ie_length subtraction staging: rtl8723bs: fix buffer over-read in rtw_update_protection
2026-06-08staging: media: max96712: drop unneeded dependency on OF_GPIOBartosz Golaszewski
OF_GPIO is selected automatically on all OF systems. Any symbols it controls also provide stubs and are private to GPIOLIB anyway so there's really no reason to select it explicitly. Link: https://patch.msgid.link/20260506082211.5624-1-bartosz.golaszewski@oss.qualcomm.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
2026-06-02Merge tag 'v7.1-rc6' into workJonathan Cameron
Linux 7.1-rc6
2026-05-31staging: iio: Use named initializers for struct i2c_device_idUwe Kleine-König (The Capable Hub)
While being less compact, using named initializers allows to more easily see which members of the structs are assigned which value without having to lookup the declaration of the struct. And it's also more robust against changes to the struct definition. This patch doesn't modify the compiled arrays, only their representation in source form benefits. The former was confirmed with x86 and arm64 builds. Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com> Reviewed-by: Stepan Ionichev <sozdayvek@gmail.com> Reviewed-by: Joshua Crofts <joshua.crofts1@gmail.com> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
2026-05-31staging: iio: addac: adt7316: document SPI interface switching sequenceHungyu Lin
The device powers up in I2C mode. Switching to SPI mode requires sending a sequence of SPI writes as described in the datasheet. During this sequence, the device may still be in I2C mode, so SPI transactions may not be recognized and can fail. Such errors are therefore ignored. Add a comment to clarify this behavior. Datasheet: https://www.analog.com/en/products/adt7316.html Reviewed-by: Maxwell Doose <m32285159@gmail.com> Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com> Signed-off-by: Hungyu Lin <dennylin0707@gmail.com> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
2026-05-31staging: iio: ad9834: fix chip name typo in commentsAngus Gardner
Two comments incorrectly refer to 'AD9843' instead of 'AD9834'. Fix the copy-paste typo. Signed-off-by: Angus Gardner <angusg778@gmail.com> Reviewed-by: Maxwell Doose <m32285159@gmail.com> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
2026-05-31staging: iio: ad9834: use dev_err_probe() in probe functionAngus Gardner
Replace open-coded dev_err() + return sequences with dev_err_probe(), which is the preferred pattern for probe error paths as it handles deferred probing correctly and reduces boilerplate. Convert all three remaining instances in ad9834_probe(): - master clock enable failure - device init SPI sync failure The avdd regulator path already used dev_err_probe(). Signed-off-by: Angus Gardner <angusg778@gmail.com> Reviewed-by: Maxwell Doose <m32285159@gmail.com> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
2026-05-31staging: iio: ad9834: simplify -ENOMEM return in probeAngus Gardner
devm_iio_device_alloc() failure returns -ENOMEM via a local variable unnecessarily. Return -ENOMEM directly instead. Signed-off-by: Angus Gardner <angusg778@gmail.com> Reviewed-by: Maxwell Doose <m32285159@gmail.com> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
2026-05-31iio: frequency: ad9832: simplify bitwise mathJoshua Crofts
Refactor the ad9832_calc_freqreg by removing the redundant u64 casts and 1L bitwise left shift and replacing the multiplication by a bit shift, as multiplying integers by a power of two is identical to a bitwise left shift. Signed-off-by: Joshua Crofts <joshua.crofts1@gmail.com> Reviewed-by: Nuno Sá <nuno.sa@analog.com> Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
2026-05-27media: staging: imx: remove unnecessary out-of-memory error messageShyam Sunder Reddy Padira
Remove dev_err() call after dma_alloc_coherent() failure. checkpatch.pl reports this as an unnecessary out-of-memory message because failure is already conveyed by returning -ENOMEM, and the current message does not provide additional useful debugging information. Signed-off-by: Shyam Sunder Reddy Padira <shyamsunderreddypadira@gmail.com> Signed-off-by: Frank Li <Frank.Li@nxp.com> Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
2026-05-27media: staging: imx-csi: use media_pad_is_streaming helperMichael Tretter
The media_pad_is_streaming() helper is explicitly intended to check whether a pad has been started with media_pipeline_start(). Use it instead of relying on the implicit assumption that a pad with a pipeline is streaming. Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Michael Tretter <m.tretter@pengutronix.de> Reviewed-by: Frank Li <Frank.Li@nxp.com> Signed-off-by: Frank Li <Frank.Li@nxp.com> Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
2026-05-27media: staging: imx-csi: explicitly start media pipeline on pad 0Michael Tretter
entity->pads is an array that contains all the pads of an entity. Calling __media_pipeline_start() or __media_pipeline_stop() on the pads, implicitly starts the pipeline with the first pad in this array as origin. Explicitly use the first pad to start the pipeline to make this more obvious to the reader. Reviewed-by: Frank Li <Frank.Li@nxp.com> Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Michael Tretter <m.tretter@pengutronix.de> Signed-off-by: Frank Li <Frank.Li@nxp.com> Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
2026-05-27media: staging: imx-csi: move media_pipeline to video deviceMichael Tretter
The imx-media driver has a single imx_media_device. Attaching the media_pipeline to the imx_media_device prevents the execution of multiple media pipelines on the device. This should be possible as long as the media_pipelines don't use the same pads or pads that be configured while the other media pipeline is streaming. Move the media_pipeline to the imx_media_video_dev to be able to construct media pipelines per imx capture device. If different media pipelines in the media device conflict, the validation will fail. Thus, the pipeline will fail to start and signal an error to user space. Reviewed-by: Frank Li <Frank.Li@nxp.com> Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Michael Tretter <m.tretter@pengutronix.de> Signed-off-by: Frank Li <Frank.Li@nxp.com> Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
2026-05-21spi: fix controller registration API inconsistencyJohan Hovold
The SPI controller API is asymmetric in that a controller is allocated and registered in two step, while it is freed as part of deregistration. [1] This is especially unfortunate as any driver data is freed along with the controller, something which has lead to use-after-free bugs during deregistration when drivers tear down resources after deregistering the controller (or tear down resources that may still be in use before deregistering the controller in an attempt to work around the API). To reduce the risk of such bugs being introduced a device managed allocation interface was added, but this arguably made things even less consistent as now whether the controller gets freed as part of deregistration depends on how it was allocated. [2][3] With most drivers converted to use managed allocation in preparation for fixing the API, the remaining 16 drivers can be converted in one tree-wide change. Ten of those drivers use the bitbang interface and can be converted by simply removing the extra reference already taken by spi_bitbang_start() (and updating the two bitbang drivers that use managed allocation). [4] Fix the API inconsistency by no longer dropping a reference when deregistering non-devres allocated controllers. [1] 68b892f1fdc4 ("spi: document odd controller reference handling") [2] 5e844cc37a5c ("spi: Introduce device-managed SPI controller allocation") [3] 3f174274d224 ("spi: fix misleading controller deregistration kernel-doc") [4] 702a4879ec33 ("spi: bitbang: Let spi_bitbang_start() take a reference to master") Signed-off-by: Johan Hovold <johan@kernel.org> Link: https://patch.msgid.link/20260521073816.766596-1-johan@kernel.org Signed-off-by: Mark Brown <broonie@kernel.org>
2026-05-21staging: rtl8723bs: rtw_mlme: add bounds checks before ie_length subtractionSalman Alghamdi
Add guards to ensure ie_length is large enough before subtracting fixed IE offsets to prevent unsigned integer underflow. Fixes: 2038fe84b8bd ("staging: rtl8723bs: fix spacing around operators") Fixes: d3fcee1b78a5 ("staging: rtl8723bs: fix camel case in struct wlan_bssid_ex") Closes: https://lore.kernel.org/linux-staging/DI2H39EAAFBZ.3KI5NWN02AQ2S@linux.dev/ Cc: stable <stable@kernel.org> Signed-off-by: Salman Alghamdi <me@cipherat.com> Reviewed-by: Luka Gejak <luka.gejak@linux.dev> Link: https://patch.msgid.link/20260513203455.31792-1-me@cipherat.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-05-21staging: most: video: avoid double free on video register failureGuangshuo Li
comp_register_videodev() allocates a video_device with video_device_alloc() and releases it if video_register_device() fails. This can double free the video_device when __video_register_device() reaches device_register() and that call fails: video_register_device() -> __video_register_device() -> device_register() fails -> put_device(&vdev->dev) -> v4l2_device_release() -> vdev->release(vdev) -> video_device_release(vdev) comp_register_videodev() -> video_device_release(mdev->vdev) Use video_device_release_empty() while registering the device so that registration failure paths do not free mdev->vdev through vdev->release(). comp_register_videodev() then releases mdev->vdev exactly once on failure. Restore video_device_release() after successful registration so the registered device keeps its normal lifetime handling. This issue was found by a static analysis tool I am developing. Fixes: eab231c0398a ("staging: most: v4l2-aim: remove unnecessary label err_vbi_dev") Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com> Link: https://patch.msgid.link/20260517111218.945796-1-lgs201920130244@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-05-21staging: sm750: rename CamelCase variable Bpp to bppRupesh Majhi
Rename the CamelCase variable 'Bpp' to 'bpp' in both the header and implementation files to comply with Linux kernel coding style. Issue found by checkpatch. Signed-off-by: Rupesh Majhi <zoone.rupert@gmail.com> Link: https://patch.msgid.link/20260517131918.197943-1-zoone.rupert@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-05-21staging: rtl8723bs: delete superfluous switch statementJennifer Guo
This switch statement doesn't do anything in all of its branches. As such we can clean it up, and only keep the assignment in the else block. Signed-off-by: Jennifer Guo <guojy.bj@gmail.com> Link: https://patch.msgid.link/20260517044330.8517-1-guojy.bj@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-05-21staging: sm750fb: Mark g_noaccel, g_nomtrr and g_dualview as __ro_after_initLen Bao
The 'g_noaccel', 'g_nomtrr' and 'g_dualview' variables are initialized only during the init phase in the 'lynxfb_setup' function and never changed. So, mark them as __ro_after_init. Signed-off-by: Len Bao <len.bao@gmx.us> Link: https://patch.msgid.link/20260516142326.36018-1-len.bao@gmx.us Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-05-21staging: rtl8723bs: propagate errno through hal xmit pathHungyu Lin
Propagate errno values from rtl8723bs_hal_xmitframe_enqueue() through rtw_hal_xmitframe_enqueue() by returning the error code directly. Update rtw_hal_xmit() to explicitly map the boolean return value of rtl8723bs_hal_xmit() to _SUCCESS/_FAIL, clarifying the return semantics at the HAL boundary. None of the callers of rtw_hal_xmitframe_enqueue() check the return value, so they do not need to be updated. This change does not affect runtime behavior. Signed-off-by: Hungyu Lin <dennylin0707@gmail.com> Link: https://patch.msgid.link/20260514100708.25031-6-dennylin0707@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-05-21staging: rtl8723bs: propagate errno through xmit enqueue pathHungyu Lin
Propagate errno values from rtw_xmit_classifier() through rtw_xmitframe_enqueue(), and update the local enqueue caller to check for non-zero return values. Signed-off-by: Hungyu Lin <dennylin0707@gmail.com> Link: https://patch.msgid.link/20260514100708.25031-5-dennylin0707@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-05-21staging: rtl8723bs: convert rtw_xmit_classifier to return errnoHungyu Lin
Convert rtw_xmit_classifier() to return 0 on success and negative error codes on failure. Update the caller to check for non-zero return values and preserve the existing _FAIL/_SUCCESS semantics. Signed-off-by: Hungyu Lin <dennylin0707@gmail.com> Link: https://patch.msgid.link/20260514100708.25031-4-dennylin0707@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-05-21staging: rtl8723bs: make rtw_xmit_classifier staticHungyu Lin
The rtw_xmit_classifier() function is only used within rtw_xmit.c. Move it above its caller and make it static to limit its scope. Signed-off-by: Hungyu Lin <dennylin0707@gmail.com> Link: https://patch.msgid.link/20260514100708.25031-3-dennylin0707@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-05-21staging: rtl8723bs: simplify rtw_xmit_classifier control flowHungyu Lin
Simplify rtw_xmit_classifier() by removing the exit label and using direct returns for error handling. No functional change. Signed-off-by: Hungyu Lin <dennylin0707@gmail.com> Link: https://patch.msgid.link/20260514100708.25031-2-dennylin0707@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-05-21staging: rtl8723bs: make _rtw_enqueue_cmd return 0 on successHungyu Lin
Convert the private helper _rtw_enqueue_cmd() to return 0 on success instead of the legacy _SUCCESS value. Keep rtw_enqueue_cmd() translating the result back to the existing return convention for now. No functional change intended. Signed-off-by: Hungyu Lin <dennylin0707@gmail.com> Link: https://patch.msgid.link/20260513213719.12246-5-dennylin0707@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-05-21staging: rtl8723bs: simplify rtw_enqueue_cmd control flowHungyu Lin
Replace the goto exit pattern with direct returns to simplify the control flow and improve readability. No functional change intended. Signed-off-by: Hungyu Lin <dennylin0707@gmail.com> Link: https://patch.msgid.link/20260513213719.12246-4-dennylin0707@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-05-21staging: rtl8723bs: make _rtw_enqueue_cmd staticHungyu Lin
The function _rtw_enqueue_cmd() is only used within rtw_cmd.c, so make it static and remove the unnecessary declaration from the header file. Signed-off-by: Hungyu Lin <dennylin0707@gmail.com> Link: https://patch.msgid.link/20260513213719.12246-3-dennylin0707@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-05-21staging: rtl8723bs: simplify _rtw_enqueue_cmd control flowHungyu Lin
Replace the goto exit pattern with a direct return to simplify the control flow and improve readability. No functional change intended. Signed-off-by: Hungyu Lin <dennylin0707@gmail.com> Link: https://patch.msgid.link/20260513213719.12246-2-dennylin0707@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-05-21staging: rtl8723bs: fix multiple blank lines in more hal/ filesJennifer Guo
Remove multiple consecutive blank lines in more hal/ files. This fixes the following checkpatch.pl check: CHECK: Please don't use multiple blank lines Signed-off-by: Jennifer Guo <guojy.bj@gmail.com> Link: https://patch.msgid.link/20260515175140.7439-1-guojy.bj@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-05-21staging: rtl8723bs: remove unused TXDESC_64_BYTES codeAndrei Khomenkov
Remove the TXDESC_64_BYTES code since it is not used as the macro is not defined anywhere. Signed-off-by: Andrei Khomenkov <khomenkov@mailbox.org> Link: https://patch.msgid.link/20260515151253.8106-3-khomenkov@mailbox.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-05-21staging: rtl8723bs: remove unused DBG_XMIT_BUF and DBG_XMIT_BUF_EXT codeAndrei Khomenkov
Remove the DBG_XMIT_BUF and DBG_XMIT_BUF_EXT code since it is not used as the macros are not defined anywhere. Signed-off-by: Andrei Khomenkov <khomenkov@mailbox.org> Link: https://patch.msgid.link/20260515151253.8106-2-khomenkov@mailbox.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-05-21staging: rtl8723bs: fix multiple blank lines in hal/Hal* filesJennifer Guo
Remove multiple consecutive blank lines in hal/Hal* source and header files. This fixes the following checkpatch.pl check: CHECK: Please don't use multiple blank lines Signed-off-by: Jennifer Guo <guojy.bj@gmail.com> Link: https://patch.msgid.link/20260514180642.4608-1-guojy.bj@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>