6.18-stable patches

added patches:
	drivers-hv-vmbus-use-kthread-for-vmbus-interrupts-on-preempt_rt.patch
	drm-amd-display-clear-hdmi-hpd-pending-work-only-if-it-is-enabled.patch
	drm-exynos-vidi-fix-to-avoid-directly-dereferencing-user-pointer.patch
	drm-exynos-vidi-use-priv-vidi_dev-for-ctx-lookup-in-vidi_connection_ioctl.patch
	io_uring-rsrc-clean-up-buffer-cloning-arg-validation.patch
	selftests-bpf-test-bpf_skb_check_mtu-bpf_mtu_chk_segs-when-transport_header-is-not-set.patch

diff --git a/queue-6.18/drivers-hv-vmbus-use-kthread-for-vmbus-interrupts-on-preempt_rt.patch b/queue-6.18/drivers-hv-vmbus-use-kthread-for-vmbus-interrupts-on-preempt_rt.patch
new file mode 100644 (file)
index 0000000..600233d
--- /dev/null
+++ b/queue-6.18/drivers-hv-vmbus-use-kthread-for-vmbus-interrupts-on-preempt_rt.patch
@@ -0,0 +1,175 @@
+From f8e6343b7a89c7c649db5a9e309ba7aa20401813 Mon Sep 17 00:00:00 2001
+From: Jan Kiszka <jan.kiszka@siemens.com>
+Date: Mon, 16 Feb 2026 17:24:56 +0100
+Subject: Drivers: hv: vmbus: Use kthread for vmbus interrupts on PREEMPT_RT
+
+From: Jan Kiszka <jan.kiszka@siemens.com>
+
+commit f8e6343b7a89c7c649db5a9e309ba7aa20401813 upstream.
+
+Resolves the following lockdep report when booting PREEMPT_RT on Hyper-V
+with related guest support enabled:
+
+[    1.127941] hv_vmbus: registering driver hyperv_drm
+
+[    1.132518] =============================
+[    1.132519] [ BUG: Invalid wait context ]
+[    1.132521] 6.19.0-rc8+ #9 Not tainted
+[    1.132524] -----------------------------
+[    1.132525] swapper/0/0 is trying to lock:
+[    1.132526] ffff8b9381bb3c90 (&channel->sched_lock){....}-{3:3}, at: vmbus_chan_sched+0xc4/0x2b0
+[    1.132543] other info that might help us debug this:
+[    1.132544] context-{2:2}
+[    1.132545] 1 lock held by swapper/0/0:
+[    1.132547]  #0: ffffffffa010c4c0 (rcu_read_lock){....}-{1:3}, at: vmbus_chan_sched+0x31/0x2b0
+[    1.132557] stack backtrace:
+[    1.132560] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.19.0-rc8+ #9 PREEMPT_{RT,(lazy)}
+[    1.132565] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/25/2025
+[    1.132567] Call Trace:
+[    1.132570]  <IRQ>
+[    1.132573]  dump_stack_lvl+0x6e/0xa0
+[    1.132581]  __lock_acquire+0xee0/0x21b0
+[    1.132592]  lock_acquire+0xd5/0x2d0
+[    1.132598]  ? vmbus_chan_sched+0xc4/0x2b0
+[    1.132606]  ? lock_acquire+0xd5/0x2d0
+[    1.132613]  ? vmbus_chan_sched+0x31/0x2b0
+[    1.132619]  rt_spin_lock+0x3f/0x1f0
+[    1.132623]  ? vmbus_chan_sched+0xc4/0x2b0
+[    1.132629]  ? vmbus_chan_sched+0x31/0x2b0
+[    1.132634]  vmbus_chan_sched+0xc4/0x2b0
+[    1.132641]  vmbus_isr+0x2c/0x150
+[    1.132648]  __sysvec_hyperv_callback+0x5f/0xa0
+[    1.132654]  sysvec_hyperv_callback+0x88/0xb0
+[    1.132658]  </IRQ>
+[    1.132659]  <TASK>
+[    1.132660]  asm_sysvec_hyperv_callback+0x1a/0x20
+
+As code paths that handle vmbus IRQs use sleepy locks under PREEMPT_RT,
+the vmbus_isr execution needs to be moved into thread context. Open-
+coding this allows to skip the IPI that irq_work would additionally
+bring and which we do not need, being an IRQ, never an NMI.
+
+This affects both x86 and arm64, therefore hook into the common driver
+logic.
+
+Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+Reviewed-by: Florian Bezdeka <florian.bezdeka@siemens.com>
+Tested-by: Florian Bezdeka <florian.bezdeka@siemens.com>
+Reviewed-by: Michael Kelley <mhklinux@outlook.com>
+Tested-by: Michael Kelley <mhklinux@outlook.com>
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hv/vmbus_drv.c |   66 ++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 65 insertions(+), 1 deletion(-)
+
+--- a/drivers/hv/vmbus_drv.c
++++ b/drivers/hv/vmbus_drv.c
+@@ -25,6 +25,7 @@
+ #include <linux/cpu.h>
+ #include <linux/sched/isolation.h>
+ #include <linux/sched/task_stack.h>
++#include <linux/smpboot.h>
+ 
+ #include <linux/delay.h>
+ #include <linux/panic_notifier.h>
+@@ -1306,7 +1307,7 @@ sched_unlock_rcu:
+       }
+ }
+ 
+-static void vmbus_isr(void)
++static void __vmbus_isr(void)
+ {
+       struct hv_per_cpu_context *hv_cpu
+               = this_cpu_ptr(hv_context.cpu_context);
+@@ -1330,6 +1331,53 @@ static void vmbus_isr(void)
+       add_interrupt_randomness(vmbus_interrupt);
+ }
+ 
++static DEFINE_PER_CPU(bool, vmbus_irq_pending);
++static DEFINE_PER_CPU(struct task_struct *, vmbus_irqd);
++
++static void vmbus_irqd_wake(void)
++{
++      struct task_struct *tsk = __this_cpu_read(vmbus_irqd);
++
++      __this_cpu_write(vmbus_irq_pending, true);
++      wake_up_process(tsk);
++}
++
++static void vmbus_irqd_setup(unsigned int cpu)
++{
++      sched_set_fifo(current);
++}
++
++static int vmbus_irqd_should_run(unsigned int cpu)
++{
++      return __this_cpu_read(vmbus_irq_pending);
++}
++
++static void run_vmbus_irqd(unsigned int cpu)
++{
++      __this_cpu_write(vmbus_irq_pending, false);
++      __vmbus_isr();
++}
++
++static bool vmbus_irq_initialized;
++
++static struct smp_hotplug_thread vmbus_irq_threads = {
++      .store                  = &vmbus_irqd,
++      .setup                  = vmbus_irqd_setup,
++      .thread_should_run      = vmbus_irqd_should_run,
++      .thread_fn              = run_vmbus_irqd,
++      .thread_comm            = "vmbus_irq/%u",
++};
++
++static void vmbus_isr(void)
++{
++      if (IS_ENABLED(CONFIG_PREEMPT_RT)) {
++              vmbus_irqd_wake();
++      } else {
++              lockdep_hardirq_threaded();
++              __vmbus_isr();
++      }
++}
++
+ static irqreturn_t vmbus_percpu_isr(int irq, void *dev_id)
+ {
+       vmbus_isr();
+@@ -1375,6 +1423,13 @@ static int vmbus_bus_init(void)
+        * the VMbus interrupt handler.
+        */
+ 
++      if (IS_ENABLED(CONFIG_PREEMPT_RT) && !vmbus_irq_initialized) {
++              ret = smpboot_register_percpu_thread(&vmbus_irq_threads);
++              if (ret)
++                      goto err_kthread;
++              vmbus_irq_initialized = true;
++      }
++
+       if (vmbus_irq == -1) {
+               hv_setup_vmbus_handler(vmbus_isr);
+       } else {
+@@ -1449,6 +1504,11 @@ err_alloc:
+               free_percpu(vmbus_evt);
+       }
+ err_setup:
++      if (IS_ENABLED(CONFIG_PREEMPT_RT) && vmbus_irq_initialized) {
++              smpboot_unregister_percpu_thread(&vmbus_irq_threads);
++              vmbus_irq_initialized = false;
++      }
++err_kthread:
+       bus_unregister(&hv_bus);
+       return ret;
+ }
+@@ -2914,6 +2974,10 @@ static void __exit vmbus_exit(void)
+               free_percpu_irq(vmbus_irq, vmbus_evt);
+               free_percpu(vmbus_evt);
+       }
++      if (IS_ENABLED(CONFIG_PREEMPT_RT) && vmbus_irq_initialized) {
++              smpboot_unregister_percpu_thread(&vmbus_irq_threads);
++              vmbus_irq_initialized = false;
++      }
+       for_each_online_cpu(cpu) {
+               struct hv_per_cpu_context *hv_cpu
+                       = per_cpu_ptr(hv_context.cpu_context, cpu);

diff --git a/queue-6.18/drm-amd-display-clear-hdmi-hpd-pending-work-only-if-it-is-enabled.patch b/queue-6.18/drm-amd-display-clear-hdmi-hpd-pending-work-only-if-it-is-enabled.patch
new file mode 100644 (file)
index 0000000..4c329f2
--- /dev/null
+++ b/queue-6.18/drm-amd-display-clear-hdmi-hpd-pending-work-only-if-it-is-enabled.patch
@@ -0,0 +1,43 @@
+From 17b2c526fd8026d8e0f4c0e7f94fc517e3901589 Mon Sep 17 00:00:00 2001
+From: Ivan Lipski <ivan.lipski@amd.com>
+Date: Fri, 16 Jan 2026 10:03:54 -0500
+Subject: drm/amd/display: Clear HDMI HPD pending work only if it is enabled
+
+From: Ivan Lipski <ivan.lipski@amd.com>
+
+commit 17b2c526fd8026d8e0f4c0e7f94fc517e3901589 upstream.
+
+[Why&How]
+On amdgpu_dm_connector_destroy(), the driver attempts to cancel pending
+HDMI HPD work without checking if the HDMI HPD is enabled.
+
+Added a check that it is enabled before clearing it.
+
+Fixes: 6a681cd90345 ("drm/amd/display: Add an hdmi_hpd_debounce_delay_ms module")
+Signed-off-by: Ivan Lipski <ivan.lipski@amd.com>
+Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -7548,10 +7548,12 @@ static void amdgpu_dm_connector_destroy(
+               drm_dp_mst_topology_mgr_destroy(&aconnector->mst_mgr);
+ 
+       /* Cancel and flush any pending HDMI HPD debounce work */
+-      cancel_delayed_work_sync(&aconnector->hdmi_hpd_debounce_work);
+-      if (aconnector->hdmi_prev_sink) {
+-              dc_sink_release(aconnector->hdmi_prev_sink);
+-              aconnector->hdmi_prev_sink = NULL;
++      if (aconnector->hdmi_hpd_debounce_delay_ms) {
++              cancel_delayed_work_sync(&aconnector->hdmi_hpd_debounce_work);
++              if (aconnector->hdmi_prev_sink) {
++                      dc_sink_release(aconnector->hdmi_prev_sink);
++                      aconnector->hdmi_prev_sink = NULL;
++              }
+       }
+ 
+       if (aconnector->bl_idx != -1) {

diff --git a/queue-6.18/drm-exynos-vidi-fix-to-avoid-directly-dereferencing-user-pointer.patch b/queue-6.18/drm-exynos-vidi-fix-to-avoid-directly-dereferencing-user-pointer.patch
new file mode 100644 (file)
index 0000000..9382ed7
--- /dev/null
+++ b/queue-6.18/drm-exynos-vidi-fix-to-avoid-directly-dereferencing-user-pointer.patch
@@ -0,0 +1,58 @@
+From d4c98c077c7fb2dfdece7d605e694b5ea2665085 Mon Sep 17 00:00:00 2001
+From: Jeongjun Park <aha310510@gmail.com>
+Date: Mon, 19 Jan 2026 17:25:52 +0900
+Subject: drm/exynos: vidi: fix to avoid directly dereferencing user pointer
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+commit d4c98c077c7fb2dfdece7d605e694b5ea2665085 upstream.
+
+In vidi_connection_ioctl(), vidi->edid(user pointer) is directly
+dereferenced in the kernel.
+
+This allows arbitrary kernel memory access from the user space, so instead
+of directly accessing the user pointer in the kernel, we should modify it
+to copy edid to kernel memory using copy_from_user() and use it.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/exynos/exynos_drm_vidi.c |   22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c
+@@ -262,13 +262,27 @@ int vidi_connection_ioctl(struct drm_dev
+ 
+       if (vidi->connection) {
+               const struct drm_edid *drm_edid;
+-              const struct edid *raw_edid;
++              const void __user *edid_userptr = u64_to_user_ptr(vidi->edid);
++              void *edid_buf;
++              struct edid hdr;
+               size_t size;
+ 
+-              raw_edid = (const struct edid *)(unsigned long)vidi->edid;
+-              size = (raw_edid->extensions + 1) * EDID_LENGTH;
++              if (copy_from_user(&hdr, edid_userptr, sizeof(hdr)))
++                      return -EFAULT;
+ 
+-              drm_edid = drm_edid_alloc(raw_edid, size);
++              size = (hdr.extensions + 1) * EDID_LENGTH;
++
++              edid_buf = kmalloc(size, GFP_KERNEL);
++              if (!edid_buf)
++                      return -ENOMEM;
++
++              if (copy_from_user(edid_buf, edid_userptr, size)) {
++                      kfree(edid_buf);
++                      return -EFAULT;
++              }
++
++              drm_edid = drm_edid_alloc(edid_buf, size);
++              kfree(edid_buf);
+               if (!drm_edid)
+                       return -ENOMEM;
+ 

diff --git a/queue-6.18/drm-exynos-vidi-use-priv-vidi_dev-for-ctx-lookup-in-vidi_connection_ioctl.patch b/queue-6.18/drm-exynos-vidi-use-priv-vidi_dev-for-ctx-lookup-in-vidi_connection_ioctl.patch
new file mode 100644 (file)
index 0000000..eb107d7
--- /dev/null
+++ b/queue-6.18/drm-exynos-vidi-use-priv-vidi_dev-for-ctx-lookup-in-vidi_connection_ioctl.patch
@@ -0,0 +1,90 @@
+From d3968a0d85b211e197f2f4f06268a7031079e0d0 Mon Sep 17 00:00:00 2001
+From: Jeongjun Park <aha310510@gmail.com>
+Date: Mon, 19 Jan 2026 17:25:51 +0900
+Subject: drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl()
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+commit d3968a0d85b211e197f2f4f06268a7031079e0d0 upstream.
+
+vidi_connection_ioctl() retrieves the driver_data from drm_dev->dev to
+obtain a struct vidi_context pointer. However, drm_dev->dev is the
+exynos-drm master device, and the driver_data contained therein is not
+the vidi component device, but a completely different device.
+
+This can lead to various bugs, ranging from null pointer dereferences and
+garbage value accesses to, in unlucky cases, out-of-bounds errors,
+use-after-free errors, and more.
+
+To resolve this issue, we need to store/delete the vidi device pointer in
+exynos_drm_private->vidi_dev during bind/unbind, and then read this
+exynos_drm_private->vidi_dev within ioctl() to obtain the correct
+struct vidi_context pointer.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/exynos/exynos_drm_drv.h  |    1 +
+ drivers/gpu/drm/exynos/exynos_drm_vidi.c |   14 +++++++++++++-
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/exynos/exynos_drm_drv.h
++++ b/drivers/gpu/drm/exynos/exynos_drm_drv.h
+@@ -199,6 +199,7 @@ struct drm_exynos_file_private {
+ struct exynos_drm_private {
+       struct device *g2d_dev;
+       struct device *dma_dev;
++      struct device *vidi_dev;
+       void *mapping;
+ 
+       /* for atomic commit */
+--- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c
+@@ -231,9 +231,14 @@ ATTRIBUTE_GROUPS(vidi);
+ int vidi_connection_ioctl(struct drm_device *drm_dev, void *data,
+                               struct drm_file *file_priv)
+ {
+-      struct vidi_context *ctx = dev_get_drvdata(drm_dev->dev);
++      struct exynos_drm_private *priv = drm_dev->dev_private;
++      struct device *dev = priv ? priv->vidi_dev : NULL;
++      struct vidi_context *ctx = dev ? dev_get_drvdata(dev) : NULL;
+       struct drm_exynos_vidi_connection *vidi = data;
+ 
++      if (!ctx)
++              return -ENODEV;
++
+       if (!vidi) {
+               DRM_DEV_DEBUG_KMS(ctx->dev,
+                                 "user data for vidi is null.\n");
+@@ -393,6 +398,7 @@ static int vidi_bind(struct device *dev,
+ {
+       struct vidi_context *ctx = dev_get_drvdata(dev);
+       struct drm_device *drm_dev = data;
++      struct exynos_drm_private *priv = drm_dev->dev_private;
+       struct drm_encoder *encoder = &ctx->encoder;
+       struct exynos_drm_plane *exynos_plane;
+       struct exynos_drm_plane_config plane_config = { 0 };
+@@ -400,6 +406,8 @@ static int vidi_bind(struct device *dev,
+       int ret;
+ 
+       ctx->drm_dev = drm_dev;
++      if (priv)
++              priv->vidi_dev = dev;
+ 
+       plane_config.pixel_formats = formats;
+       plane_config.num_pixel_formats = ARRAY_SIZE(formats);
+@@ -445,8 +453,12 @@ static int vidi_bind(struct device *dev,
+ static void vidi_unbind(struct device *dev, struct device *master, void *data)
+ {
+       struct vidi_context *ctx = dev_get_drvdata(dev);
++      struct drm_device *drm_dev = data;
++      struct exynos_drm_private *priv = drm_dev->dev_private;
+ 
+       timer_delete_sync(&ctx->timer);
++      if (priv)
++              priv->vidi_dev = NULL;
+ }
+ 
+ static const struct component_ops vidi_component_ops = {

diff --git a/queue-6.18/io_uring-rsrc-clean-up-buffer-cloning-arg-validation.patch b/queue-6.18/io_uring-rsrc-clean-up-buffer-cloning-arg-validation.patch
new file mode 100644 (file)
index 0000000..baff19d
--- /dev/null
+++ b/queue-6.18/io_uring-rsrc-clean-up-buffer-cloning-arg-validation.patch
@@ -0,0 +1,82 @@
+From b8201b50e403815f941d1c6581a27fdbfe7d0fd4 Mon Sep 17 00:00:00 2001
+From: Joanne Koong <joannelkoong@gmail.com>
+Date: Thu, 4 Dec 2025 13:51:14 -0800
+Subject: io_uring/rsrc: clean up buffer cloning arg validation
+
+From: Joanne Koong <joannelkoong@gmail.com>
+
+commit b8201b50e403815f941d1c6581a27fdbfe7d0fd4 upstream.
+
+Get rid of some redundant checks and move the src arg validation to
+before the buffer table allocation, which simplifies error handling.
+
+Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/rsrc.c |   27 ++++++---------------------
+ 1 file changed, 6 insertions(+), 21 deletions(-)
+
+--- a/io_uring/rsrc.c
++++ b/io_uring/rsrc.c
+@@ -1185,12 +1185,16 @@ static int io_clone_buffers(struct io_ri
+               return -EBUSY;
+ 
+       nbufs = src_ctx->buf_table.nr;
++      if (!nbufs)
++              return -ENXIO;
+       if (!arg->nr)
+               arg->nr = nbufs;
+       else if (arg->nr > nbufs)
+               return -EINVAL;
+       else if (arg->nr > IORING_MAX_REG_BUFFERS)
+               return -EINVAL;
++      if (check_add_overflow(arg->nr, arg->src_off, &off) || off > nbufs)
++              return -EOVERFLOW;
+       if (check_add_overflow(arg->nr, arg->dst_off, &nbufs))
+               return -EOVERFLOW;
+       if (nbufs > IORING_MAX_REG_BUFFERS)
+@@ -1210,21 +1214,6 @@ static int io_clone_buffers(struct io_ri
+               }
+       }
+ 
+-      ret = -ENXIO;
+-      nbufs = src_ctx->buf_table.nr;
+-      if (!nbufs)
+-              goto out_free;
+-      ret = -EINVAL;
+-      if (!arg->nr)
+-              arg->nr = nbufs;
+-      else if (arg->nr > nbufs)
+-              goto out_free;
+-      ret = -EOVERFLOW;
+-      if (check_add_overflow(arg->nr, arg->src_off, &off))
+-              goto out_free;
+-      if (off > nbufs)
+-              goto out_free;
+-
+       off = arg->dst_off;
+       i = arg->src_off;
+       nr = arg->nr;
+@@ -1237,8 +1226,8 @@ static int io_clone_buffers(struct io_ri
+               } else {
+                       dst_node = io_rsrc_node_alloc(ctx, IORING_RSRC_BUFFER);
+                       if (!dst_node) {
+-                              ret = -ENOMEM;
+-                              goto out_free;
++                              io_rsrc_data_free(ctx, &data);
++                              return -ENOMEM;
+                       }
+ 
+                       refcount_inc(&src_node->buf->refs);
+@@ -1274,10 +1263,6 @@ static int io_clone_buffers(struct io_ri
+       WARN_ON_ONCE(ctx->buf_table.nr);
+       ctx->buf_table = data;
+       return 0;
+-
+-out_free:
+-      io_rsrc_data_free(ctx, &data);
+-      return ret;
+ }
+ 
+ /*

diff --git a/queue-6.18/selftests-bpf-test-bpf_skb_check_mtu-bpf_mtu_chk_segs-when-transport_header-is-not-set.patch b/queue-6.18/selftests-bpf-test-bpf_skb_check_mtu-bpf_mtu_chk_segs-when-transport_header-is-not-set.patch
new file mode 100644 (file)
index 0000000..7e08737
--- /dev/null
+++ b/queue-6.18/selftests-bpf-test-bpf_skb_check_mtu-bpf_mtu_chk_segs-when-transport_header-is-not-set.patch
@@ -0,0 +1,94 @@
+From 6cc73f35406cae1f053e984e8de40e6dc9681446 Mon Sep 17 00:00:00 2001
+From: Martin KaFai Lau <martin.lau@kernel.org>
+Date: Wed, 12 Nov 2025 15:23:31 -0800
+Subject: selftests/bpf: Test bpf_skb_check_mtu(BPF_MTU_CHK_SEGS) when transport_header is not set
+
+From: Martin KaFai Lau <martin.lau@kernel.org>
+
+commit 6cc73f35406cae1f053e984e8de40e6dc9681446 upstream.
+
+Add a test to check that bpf_skb_check_mtu(BPF_MTU_CHK_SEGS) is
+rejected (-EINVAL) if skb->transport_header is not set. The test
+needs to lower the MTU of the loopback device. Thus, take this
+opportunity to run the test in a netns by adding "ns_" to the test
+name. The "serial_" prefix can then be removed.
+
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Link: https://lore.kernel.org/r/20251112232331.1566074-2-martin.lau@linux.dev
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+---
+ tools/testing/selftests/bpf/prog_tests/check_mtu.c |   23 ++++++++++++++++++++-
+ tools/testing/selftests/bpf/progs/test_check_mtu.c |   12 ++++++++++
+ 2 files changed, 34 insertions(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/bpf/prog_tests/check_mtu.c
++++ b/tools/testing/selftests/bpf/prog_tests/check_mtu.c
+@@ -153,6 +153,26 @@ static void test_check_mtu_run_tc(struct
+       ASSERT_EQ(mtu_result, mtu_expect, "MTU-compare-user");
+ }
+ 
++static void test_chk_segs_flag(struct test_check_mtu *skel, __u32 mtu)
++{
++      int err, prog_fd = bpf_program__fd(skel->progs.tc_chk_segs_flag);
++      struct __sk_buff skb = {
++              .gso_size = 10,
++      };
++      LIBBPF_OPTS(bpf_test_run_opts, topts,
++                  .data_in = &pkt_v4,
++                  .data_size_in = sizeof(pkt_v4),
++                  .ctx_in = &skb,
++                  .ctx_size_in = sizeof(skb),
++      );
++
++      /* Lower the mtu to test the BPF_MTU_CHK_SEGS */
++      SYS_NOFAIL("ip link set dev lo mtu 10");
++      err = bpf_prog_test_run_opts(prog_fd, &topts);
++      SYS_NOFAIL("ip link set dev lo mtu %u", mtu);
++      ASSERT_OK(err, "test_run");
++      ASSERT_EQ(topts.retval, BPF_OK, "retval");
++}
+ 
+ static void test_check_mtu_tc(__u32 mtu, __u32 ifindex)
+ {
+@@ -177,11 +197,12 @@ static void test_check_mtu_tc(__u32 mtu,
+       test_check_mtu_run_tc(skel, skel->progs.tc_minus_delta, mtu);
+       test_check_mtu_run_tc(skel, skel->progs.tc_input_len, mtu);
+       test_check_mtu_run_tc(skel, skel->progs.tc_input_len_exceed, mtu);
++      test_chk_segs_flag(skel, mtu);
+ cleanup:
+       test_check_mtu__destroy(skel);
+ }
+ 
+-void serial_test_check_mtu(void)
++void test_ns_check_mtu(void)
+ {
+       int mtu_lo;
+ 
+--- a/tools/testing/selftests/bpf/progs/test_check_mtu.c
++++ b/tools/testing/selftests/bpf/progs/test_check_mtu.c
+@@ -7,6 +7,7 @@
+ 
+ #include <stddef.h>
+ #include <stdint.h>
++#include <errno.h>
+ 
+ char _license[] SEC("license") = "GPL";
+ 
+@@ -288,3 +289,14 @@ int tc_input_len_exceed(struct __sk_buff
+       global_bpf_mtu_xdp = mtu_len;
+       return retval;
+ }
++
++SEC("tc")
++int tc_chk_segs_flag(struct __sk_buff *ctx)
++{
++      __u32 mtu_len = 0;
++      int err;
++
++      err = bpf_check_mtu(ctx, GLOBAL_USER_IFINDEX, &mtu_len, 0, BPF_MTU_CHK_SEGS);
++
++      return err == -EINVAL ? BPF_OK : BPF_DROP;
++}

diff --git a/queue-6.18/series b/queue-6.18/series
index 08fd618c919824c8538d08fcdd0ec15fb556526c..2e3d693fb2c7709e29fe5d5dfd317692a75bb92e 100644 (file)
--- a/queue-6.18/series
+++ b/queue-6.18/series
@@ -633,3 +633,9 @@ asoc-dt-bindings-asahi-kasei-ak5558-fix-the-supply-names.patch
 alsa-hda-realtek-add-quirk-for-gigabyte-g5-kf5-2023.patch
 alsa-hda-conexant-fix-headphone-jack-handling-on-acer-swift-sf314.patch
 alsa-hda-realtek-add-quirk-for-samsung-galaxy-book3-pro-360-np965qfg.patch
+drm-exynos-vidi-use-priv-vidi_dev-for-ctx-lookup-in-vidi_connection_ioctl.patch
+drm-exynos-vidi-fix-to-avoid-directly-dereferencing-user-pointer.patch
+drivers-hv-vmbus-use-kthread-for-vmbus-interrupts-on-preempt_rt.patch
+io_uring-rsrc-clean-up-buffer-cloning-arg-validation.patch
+selftests-bpf-test-bpf_skb_check_mtu-bpf_mtu_chk_segs-when-transport_header-is-not-set.patch
+drm-amd-display-clear-hdmi-hpd-pending-work-only-if-it-is-enabled.patch