--- /dev/null
+From 92cac9cff4f9e43f481d03ace673524ab9ae0670 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Sep 2025 12:46:42 +0000
+Subject: ax25: properly unshare skbs in ax25_kiss_rcv()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 8156210d36a43e76372312c87eb5ea3dbb405a85 ]
+
+Bernard Pidoux reported a regression apparently caused by commit
+c353e8983e0d ("net: introduce per netns packet chains").
+
+skb->dev becomes NULL and we crash in __netif_receive_skb_core().
+
+Before above commit, different kind of bugs or corruptions could happen
+without a major crash.
+
+But the root cause is that ax25_kiss_rcv() can queue/mangle input skb
+without checking if this skb is shared or not.
+
+Many thanks to Bernard Pidoux for his help, diagnosis and tests.
+
+We had a similar issue years ago fixed with commit 7aaed57c5c28
+("phonet: properly unshare skbs in phonet_rcv()").
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Bernard Pidoux <f6bvp@free.fr>
+Closes: https://lore.kernel.org/netdev/1713f383-c538-4918-bc64-13b3288cd542@free.fr/
+Tested-by: Bernard Pidoux <f6bvp@free.fr>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Joerg Reuter <jreuter@yaina.de>
+Cc: David Ranch <dranch@trinnet.net>
+Cc: Folkert van Heusden <folkert@vanheusden.com>
+Reviewed-by: Dan Cross <crossd@gmail.com>
+Link: https://patch.msgid.link/20250902124642.212705-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ax25/ax25_in.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/ax25/ax25_in.c b/net/ax25/ax25_in.c
+index cd6afe895db99..e43f92372cba5 100644
+--- a/net/ax25/ax25_in.c
++++ b/net/ax25/ax25_in.c
+@@ -433,6 +433,10 @@ static int ax25_rcv(struct sk_buff *skb, struct net_device *dev,
+ int ax25_kiss_rcv(struct sk_buff *skb, struct net_device *dev,
+ struct packet_type *ptype, struct net_device *orig_dev)
+ {
++ skb = skb_share_check(skb, GFP_ATOMIC);
++ if (!skb)
++ return NET_RX_DROP;
++
+ skb_orphan(skb);
+
+ if (!net_eq(dev_net(dev), &init_net)) {
+--
+2.50.1
+
--- /dev/null
+From a82a2f4afd7cbed56263430dc47a80ffce805d39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 20:40:14 +0000
+Subject: Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 862c628108562d8c7a516a900034823b381d3cba ]
+
+syzbot reported the splat below without a repro.
+
+In the splat, a single thread calling bt_accept_dequeue() freed sk
+and touched it after that.
+
+The root cause would be the racy l2cap_sock_cleanup_listen() call
+added by the cited commit.
+
+bt_accept_dequeue() is called under lock_sock() except for
+l2cap_sock_release().
+
+Two threads could see the same socket during the list iteration
+in bt_accept_dequeue():
+
+ CPU1 CPU2 (close())
+ ---- ----
+ sock_hold(sk) sock_hold(sk);
+ lock_sock(sk) <-- block close()
+ sock_put(sk)
+ bt_accept_unlink(sk)
+ sock_put(sk) <-- refcnt by bt_accept_enqueue()
+ release_sock(sk)
+ lock_sock(sk)
+ sock_put(sk)
+ bt_accept_unlink(sk)
+ sock_put(sk) <-- last refcnt
+ bt_accept_unlink(sk) <-- UAF
+
+Depending on the timing, the other thread could show up in the
+"Freed by task" part.
+
+Let's call l2cap_sock_cleanup_listen() under lock_sock() in
+l2cap_sock_release().
+
+[0]:
+BUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
+BUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115
+Read of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995
+CPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xcd/0x630 mm/kasan/report.c:482
+ kasan_report+0xe0/0x110 mm/kasan/report.c:595
+ debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
+ do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115
+ spin_lock_bh include/linux/spinlock.h:356 [inline]
+ release_sock+0x21/0x220 net/core/sock.c:3746
+ bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312
+ l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451
+ l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425
+ __sock_release+0xb3/0x270 net/socket.c:649
+ sock_close+0x1c/0x30 net/socket.c:1439
+ __fput+0x3ff/0xb70 fs/file_table.c:468
+ task_work_run+0x14d/0x240 kernel/task_work.c:227
+ resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+ exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
+ exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
+ syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
+ syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
+ do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f2accf8ebe9
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
+RAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9
+RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
+RBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f
+R10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c
+R13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490
+ </TASK>
+
+Allocated by task 5326:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:68
+ poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
+ __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
+ kasan_kmalloc include/linux/kasan.h:260 [inline]
+ __do_kmalloc_node mm/slub.c:4365 [inline]
+ __kmalloc_noprof+0x223/0x510 mm/slub.c:4377
+ kmalloc_noprof include/linux/slab.h:909 [inline]
+ sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2239
+ sk_alloc+0x36/0xc20 net/core/sock.c:2295
+ bt_sock_alloc+0x3b/0x3a0 net/bluetooth/af_bluetooth.c:151
+ l2cap_sock_alloc.constprop.0+0x33/0x1d0 net/bluetooth/l2cap_sock.c:1894
+ l2cap_sock_new_connection_cb+0x101/0x240 net/bluetooth/l2cap_sock.c:1482
+ l2cap_connect_cfm+0x4c4/0xf80 net/bluetooth/l2cap_core.c:7287
+ hci_connect_cfm include/net/bluetooth/hci_core.h:2050 [inline]
+ hci_remote_features_evt+0x4dd/0x970 net/bluetooth/hci_event.c:3712
+ hci_event_func net/bluetooth/hci_event.c:7519 [inline]
+ hci_event_packet+0xa0d/0x11c0 net/bluetooth/hci_event.c:7573
+ hci_rx_work+0x2c5/0x16b0 net/bluetooth/hci_core.c:4071
+ process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
+ process_scheduled_works kernel/workqueue.c:3319 [inline]
+ worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
+ kthread+0x3c2/0x780 kernel/kthread.c:463
+ ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
+
+Freed by task 16995:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:68
+ kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
+ poison_slab_object mm/kasan/common.c:243 [inline]
+ __kasan_slab_free+0x60/0x70 mm/kasan/common.c:275
+ kasan_slab_free include/linux/kasan.h:233 [inline]
+ slab_free_hook mm/slub.c:2417 [inline]
+ slab_free mm/slub.c:4680 [inline]
+ kfree+0x2b4/0x4d0 mm/slub.c:4879
+ sk_prot_free net/core/sock.c:2278 [inline]
+ __sk_destruct+0x75f/0x9a0 net/core/sock.c:2373
+ sk_destruct+0xc2/0xf0 net/core/sock.c:2401
+ __sk_free+0xf4/0x3e0 net/core/sock.c:2412
+ sk_free+0x6a/0x90 net/core/sock.c:2423
+ sock_put include/net/sock.h:1960 [inline]
+ bt_accept_unlink+0x245/0x2e0 net/bluetooth/af_bluetooth.c:262
+ bt_accept_dequeue+0x517/0x600 net/bluetooth/af_bluetooth.c:308
+ l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451
+ l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425
+ __sock_release+0xb3/0x270 net/socket.c:649
+ sock_close+0x1c/0x30 net/socket.c:1439
+ __fput+0x3ff/0xb70 fs/file_table.c:468
+ task_work_run+0x14d/0x240 kernel/task_work.c:227
+ resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+ exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
+ exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
+ syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
+ syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
+ do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 1728137b33c0 ("Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb")
+Reported-by: syzbot+e5e64cdf8e92046dd3e1@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-bluetooth/68af6b9d.a70a0220.3cafd4.0032.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
+index 7d7f4ba60a208..5465b537f0e72 100644
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1404,7 +1404,10 @@ static int l2cap_sock_release(struct socket *sock)
+ if (!sk)
+ return 0;
+
++ lock_sock_nested(sk, L2CAP_NESTING_PARENT);
+ l2cap_sock_cleanup_listen(sk);
++ release_sock(sk);
++
+ bt_sock_unlink(&l2cap_sk_list, sk);
+
+ err = l2cap_sock_shutdown(sock, SHUT_RDWR);
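Review bot: The new `lock_sock_nested(sk, L2CAP_NESTING_PARENT)` / `release_sock(sk)` pair around `l2cap_sock_cleanup_listen(sk)` has no comment, so the locking rule it enforces can only be recovered from the commit message. Per that message, every other caller of bt_accept_dequeue() already runs under the listening socket's lock, and this path was the exception that let two threads unlink and drop the same child socket. I would add above the lock call `/* bt_accept_dequeue() must run under the listening socket's lock, as in its other callers */`, so a later refactor does not move the cleanup back outside the locked region. l2cap_sock_release() starts and ends outside this hunk, so how the later calls in the function lock the socket could not be checked here.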
+--
+2.50.1
+
--- /dev/null
+From a768a6b0c98f698524ab04d3f9a394e035dba9d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 19:56:31 +0800
+Subject: i40e: Fix potential invalid access when MAC list is empty
+
+From: Zhen Ni <zhen.ni@easystack.cn>
+
+[ Upstream commit a556f06338e1d5a85af0e32ecb46e365547f92b9 ]
+
+list_first_entry() never returns NULL - if the list is empty, it still
+returns a pointer to an invalid object, leading to potential invalid
+memory access when dereferenced.
+
+Fix this by using list_first_entry_or_null instead of list_first_entry.
+
+Fixes: e3219ce6a775 ("i40e: Add support for client interface for IWARP driver")
+Signed-off-by: Zhen Ni <zhen.ni@easystack.cn>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_client.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_client.c b/drivers/net/ethernet/intel/i40e/i40e_client.c
+index b3cb5d1033260..af65321a68886 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_client.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_client.c
+@@ -318,8 +318,8 @@ static void i40e_client_add_instance(struct i40e_pf *pf)
+ return;
+ }
+
+- mac = list_first_entry(&cdev->lan_info.netdev->dev_addrs.list,
+- struct netdev_hw_addr, list);
++ mac = list_first_entry_or_null(&cdev->lan_info.netdev->dev_addrs.list,
++ struct netdev_hw_addr, list);
+ if (mac)
+ ether_addr_copy(cdev->lan_info.lanmac, mac->addr);
+ else
+--
+2.50.1
+
--- /dev/null
+From 23d966897a24bce4466654a9b6ecd07b02fa7ae8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Aug 2025 11:14:35 +0200
+Subject: icmp: fix icmp_ndo_send address translation for reply direction
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fabian Bläse <fabian@blaese.de>
+
+[ Upstream commit c6dd1aa2cbb72b33e0569f3e71d95792beab5042 ]
+
+The icmp_ndo_send function was originally introduced to ensure proper
+rate limiting when icmp_send is called by a network device driver,
+where the packet's source address may have already been transformed
+by SNAT.
+
+However, the original implementation only considers the
+IP_CT_DIR_ORIGINAL direction for SNAT and always replaced the packet's
+source address with that of the original-direction tuple. This causes
+two problems:
+
+1. For SNAT:
+ Reply-direction packets were incorrectly translated using the source
+ address of the CT original direction, even though no translation is
+ required.
+
+2. For DNAT:
+ Reply-direction packets were not handled at all. In DNAT, the original
+ direction's destination is translated. Therefore, in the reply
+ direction the source address must be set to the reply-direction
+ source, so rate limiting works as intended.
+
+Fix this by using the connection direction to select the correct tuple
+for source address translation, and adjust the pre-checks to handle
+reply-direction packets in case of DNAT.
+
+Additionally, wrap the `ct->status` access in READ_ONCE(). This avoids
+possible KCSAN reports about concurrent updates to `ct->status`.
+
+Fixes: 0b41713b6066 ("icmp: introduce helper for nat'd source address in network device context")
+Signed-off-by: Fabian Bläse <fabian@blaese.de>
+Cc: Jason A. Donenfeld <Jason@zx2c4.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/icmp.c | 6 ++++--
+ net/ipv6/ip6_icmp.c | 6 ++++--
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index 0bbc047e8f6e1..efeeed4f0517e 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -791,11 +791,12 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info)
+ struct sk_buff *cloned_skb = NULL;
+ struct ip_options opts = { 0 };
+ enum ip_conntrack_info ctinfo;
++ enum ip_conntrack_dir dir;
+ struct nf_conn *ct;
+ __be32 orig_ip;
+
+ ct = nf_ct_get(skb_in, &ctinfo);
+- if (!ct || !(ct->status & IPS_SRC_NAT)) {
++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) {
+ __icmp_send(skb_in, type, code, info, &opts);
+ return;
+ }
+@@ -810,7 +811,8 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info)
+ goto out;
+
+ orig_ip = ip_hdr(skb_in)->saddr;
+- ip_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.ip;
++ dir = CTINFO2DIR(ctinfo);
++ ip_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.ip;
+ __icmp_send(skb_in, type, code, info, &opts);
+ ip_hdr(skb_in)->saddr = orig_ip;
+ out:
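Review bot: The index in `ct->tuplehash[dir].tuple.src.u3.ip` now depends on the packet's direction, but neither this assignment nor the widened `IPS_NAT_MASK` pre-check in the previous hunk says why. The same applies to the two hunks in net/ipv6/ip6_icmp.c. A short comment above `dir = CTINFO2DIR(ctinfo);` would help, for example `/* use the untranslated source for this packet's direction: original src for SNAT, reply src for DNAT replies */`. Without it the indexed lookup reads like an arbitrary choice and is easy to simplify back to `[0]`, which is the behaviour this patch removes. icmp_ndo_send() begins and ends outside the hunk.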
+diff --git a/net/ipv6/ip6_icmp.c b/net/ipv6/ip6_icmp.c
+index 9e3574880cb03..233914b63bdb8 100644
+--- a/net/ipv6/ip6_icmp.c
++++ b/net/ipv6/ip6_icmp.c
+@@ -54,11 +54,12 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info)
+ struct inet6_skb_parm parm = { 0 };
+ struct sk_buff *cloned_skb = NULL;
+ enum ip_conntrack_info ctinfo;
++ enum ip_conntrack_dir dir;
+ struct in6_addr orig_ip;
+ struct nf_conn *ct;
+
+ ct = nf_ct_get(skb_in, &ctinfo);
+- if (!ct || !(ct->status & IPS_SRC_NAT)) {
++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) {
+ __icmpv6_send(skb_in, type, code, info, &parm);
+ return;
+ }
+@@ -73,7 +74,8 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info)
+ goto out;
+
+ orig_ip = ipv6_hdr(skb_in)->saddr;
+- ipv6_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.in6;
++ dir = CTINFO2DIR(ctinfo);
++ ipv6_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.in6;
+ __icmpv6_send(skb_in, type, code, info, &parm);
+ ipv6_hdr(skb_in)->saddr = orig_ip;
+ out:
+--
+2.50.1
+
--- /dev/null
+From c3f56c54369b995cd5eff946a5261e5d22c10506 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Sep 2025 09:36:08 +0300
+Subject: ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit a51160f8da850a65afbf165f5bbac7ffb388bf74 ]
+
+The inetdev_init() function never returns NULL. Check for error
+pointers instead.
+
+Fixes: 22600596b675 ("ipv4: give an IPv4 dev to blackhole_netdev")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/aLaQWL9NguWmeM1i@stanley.mountain
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/devinet.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
+index 2dc94109fc0ea..bf85978145197 100644
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -332,14 +332,13 @@ static void inetdev_destroy(struct in_device *in_dev)
+
+ static int __init inet_blackhole_dev_init(void)
+ {
+- int err = 0;
++ struct in_device *in_dev;
+
+ rtnl_lock();
+- if (!inetdev_init(blackhole_netdev))
+- err = -ENOMEM;
++ in_dev = inetdev_init(blackhole_netdev);
+ rtnl_unlock();
+
+- return err;
++ return PTR_ERR_OR_ZERO(in_dev);
+ }
+ late_initcall(inet_blackhole_dev_init);
+
+--
+2.50.1
+
--- /dev/null
+From 41c92c8cd2db71fd24f2b4fea3022ec3cf3cc839 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Aug 2025 16:14:57 +0800
+Subject: mISDN: Fix memory leak in dsp_hwec_enable()
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 0704a3da7ce50f972e898bbda88d2692a22922d9 ]
+
+dsp_hwec_enable() allocates dup pointer by kstrdup(arg),
+but then it updates dup variable by strsep(&dup, ",").
+As a result when it calls kfree(dup), the dup variable may be
+a modified pointer that no longer points to the original allocated
+memory, causing a memory leak.
+
+The issue is the same pattern as fixed in commit c6a502c22999
+("mISDN: Fix memory leak in dsp_pipeline_build()").
+
+Fixes: 9a4381618262 ("mISDN: Remove VLAs")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250828081457.36061-1-linmq006@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/mISDN/dsp_hwec.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/isdn/mISDN/dsp_hwec.c b/drivers/isdn/mISDN/dsp_hwec.c
+index 0b3f29195330a..0cd216e28f009 100644
+--- a/drivers/isdn/mISDN/dsp_hwec.c
++++ b/drivers/isdn/mISDN/dsp_hwec.c
+@@ -51,14 +51,14 @@ void dsp_hwec_enable(struct dsp *dsp, const char *arg)
+ goto _do;
+
+ {
+- char *dup, *tok, *name, *val;
++ char *dup, *next, *tok, *name, *val;
+ int tmp;
+
+- dup = kstrdup(arg, GFP_ATOMIC);
++ dup = next = kstrdup(arg, GFP_ATOMIC);
+ if (!dup)
+ return;
+
+- while ((tok = strsep(&dup, ","))) {
++ while ((tok = strsep(&next, ","))) {
+ if (!strlen(tok))
+ continue;
+ name = strsep(&tok, "=");
+--
+2.50.1
+
--- /dev/null
+From bfe1dac2cbed3104c6471c61aaf2d88d8dd0d051 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Sep 2025 14:35:37 +0800
+Subject: net: atm: fix memory leak in atm_register_sysfs when device_register
+ fail
+
+From: Wang Liang <wangliang74@huawei.com>
+
+[ Upstream commit 0a228624bcc00af41f281a2a84c928595a74c17d ]
+
+When device_register() return error in atm_register_sysfs(), which can be
+triggered by kzalloc fail in device_private_init() or other reasons,
+kmemleak reports the following memory leaks:
+
+unreferenced object 0xffff88810182fb80 (size 8):
+ comm "insmod", pid 504, jiffies 4294852464
+ hex dump (first 8 bytes):
+ 61 64 75 6d 6d 79 30 00 adummy0.
+ backtrace (crc 14dfadaf):
+ __kmalloc_node_track_caller_noprof+0x335/0x450
+ kvasprintf+0xb3/0x130
+ kobject_set_name_vargs+0x45/0x120
+ dev_set_name+0xa9/0xe0
+ atm_register_sysfs+0xf3/0x220
+ atm_dev_register+0x40b/0x780
+ 0xffffffffa000b089
+ do_one_initcall+0x89/0x300
+ do_init_module+0x27b/0x7d0
+ load_module+0x54cd/0x5ff0
+ init_module_from_file+0xe4/0x150
+ idempotent_init_module+0x32c/0x610
+ __x64_sys_finit_module+0xbd/0x120
+ do_syscall_64+0xa8/0x270
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+When device_create_file() return error in atm_register_sysfs(), the same
+issue also can be triggered.
+
+Function put_device() should be called to release kobj->name memory and
+other device resource, instead of kfree().
+
+Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
+Signed-off-by: Wang Liang <wangliang74@huawei.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250901063537.1472221-1-wangliang74@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/atm/resources.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/atm/resources.c b/net/atm/resources.c
+index fb8cf4cd6c1d7..932f7b383dba7 100644
+--- a/net/atm/resources.c
++++ b/net/atm/resources.c
+@@ -114,7 +114,9 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent,
+
+ if (atm_proc_dev_register(dev) < 0) {
+ pr_err("atm_proc_dev_register failed for dev %s\n", type);
+- goto out_fail;
++ mutex_unlock(&atm_dev_mutex);
++ kfree(dev);
++ return NULL;
+ }
+
+ if (atm_register_sysfs(dev, parent) < 0) {
+@@ -130,7 +132,7 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent,
+ return dev;
+
+ out_fail:
+- kfree(dev);
++ put_device(&dev->class_dev);
+ dev = NULL;
+ goto out;
+ }
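Review bot: The `out_fail` label now calls `put_device(&dev->class_dev)`, which is only valid once class_dev has been initialised, yet nothing at the label states that precondition. The earlier hunk shows the consequence: the atm_proc_dev_register() failure path had to stop using `out_fail` and now frees with `kfree(dev)` inline. I would add above the label `/* only for failures after atm_register_sysfs() has called device_register(); earlier errors must kfree(dev) */`, because a future error path that jumps here before that point would drop a reference on an uninitialised kobject. The device_register() call and the class release callback are outside this page, so that put_device() ends up freeing dev is presumed from the commit message rather than verified.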
+--
+2.50.1
+
--- /dev/null
+From 2aa676bc11a39a1374890d99cda7e0d296e8ce30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Aug 2025 20:20:07 +0200
+Subject: net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit d4736737110ffa83d29f1c5d17b26113864205f6 ]
+
+When sending llc packets with vlan tx offload, the hardware fails to
+actually add the tag. Deal with this by fixing it up in software.
+
+Fixes: 656e705243fd ("net-next: mediatek: add support for MT7623 ethernet")
+Reported-by: Thibaut VARENE <hacks@slashdirt.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250831182007.51619-1-nbd@nbd.name
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index 011210e6842de..dc29403e4b733 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -1178,6 +1178,13 @@ static netdev_tx_t mtk_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ bool gso = false;
+ int tx_num;
+
++ if (skb_vlan_tag_present(skb) &&
++ !eth_proto_is_802_3(eth_hdr(skb)->h_proto)) {
++ skb = __vlan_hwaccel_push_inside(skb);
++ if (!skb)
++ goto dropped;
++ }
++
+ /* normally we can rely on the stack not calling this more than once,
+ * however we have 2 queues running on the same ring so we need to lock
+ * the ring access
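Review bot: The early `goto dropped` taken when `__vlan_hwaccel_push_inside()` returns NULL skips `dev_kfree_skb_any(skb)`, which is correct only because that helper frees the skb itself on failure; the code does not say so. A one-line comment at the `goto`, such as `/* skb was already freed by __vlan_hwaccel_push_inside() */`, would stop a reader from "fixing" the apparent leak into a double free. The same exit also bypasses the `spin_unlock()` under `drop:` in the later hunk, which appears intentional since the locking comment, and presumably the lock itself, follows the new block. The jump relies on `stats` being initialised in the declarations above the hunk, which are not visible here.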
+@@ -1223,8 +1230,9 @@ static netdev_tx_t mtk_start_xmit(struct sk_buff *skb, struct net_device *dev)
+
+ drop:
+ spin_unlock(ð->page_lock);
+- stats->tx_dropped++;
+ dev_kfree_skb_any(skb);
++dropped:
++ stats->tx_dropped++;
+ return NETDEV_TX_OK;
+ }
+
+--
+2.50.1
+
--- /dev/null
+From 946adeac1656a740fdf27f291be08fb152f76dd1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Sep 2025 14:30:18 -0700
+Subject: net: thunder_bgx: add a missing of_node_put
+
+From: Rosen Penev <rosenp@gmail.com>
+
+[ Upstream commit 9d28f94912589f04ab51fbccaef287d4f40e0d1f ]
+
+phy_np needs to get freed, just like the other child nodes.
+
+Fixes: 5fc7cf179449 ("net: thunderx: Cleanup PHY probing code.")
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250901213018.47392-1-rosenp@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/cavium/thunder/thunder_bgx.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+index 0a71909bb2ee5..f5dbe2f5af659 100644
+--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+@@ -1497,13 +1497,17 @@ static int bgx_init_of_phy(struct bgx *bgx)
+ * this cortina phy, for which there is no driver
+ * support, ignore it.
+ */
+- if (phy_np &&
+- !of_device_is_compatible(phy_np, "cortina,cs4223-slice")) {
+- /* Wait until the phy drivers are available */
+- pd = of_phy_find_device(phy_np);
+- if (!pd)
+- goto defer;
+- bgx->lmac[lmac].phydev = pd;
++ if (phy_np) {
++ if (!of_device_is_compatible(phy_np, "cortina,cs4223-slice")) {
++ /* Wait until the phy drivers are available */
++ pd = of_phy_find_device(phy_np);
++ if (!pd) {
++ of_node_put(phy_np);
++ goto defer;
++ }
++ bgx->lmac[lmac].phydev = pd;
++ }
++ of_node_put(phy_np);
+ }
+
+ lmac++;
+--
+2.50.1
+
--- /dev/null
+From b36fd26a00a58b0d81cb7d74bf2076dc4284d18f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Sep 2025 14:33:14 -0700
+Subject: net: thunder_bgx: decrement cleanup index before use
+
+From: Rosen Penev <rosenp@gmail.com>
+
+[ Upstream commit 9e3d71a92e561ccc77025689dab25d201fee7a3e ]
+
+All paths in probe that call goto defer do so before assigning phydev
+and thus it makes sense to cleanup the prior index. It also fixes a bug
+where index 0 does not get cleaned up.
+
+Fixes: b7d3e3d3d21a ("net: thunderx: Don't leak phy device references on -EPROBE_DEFER condition.")
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250901213314.48599-1-rosenp@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+index f5dbe2f5af659..daabd851dae87 100644
+--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+@@ -1523,11 +1523,11 @@ static int bgx_init_of_phy(struct bgx *bgx)
+ * for phy devices we may have already found.
+ */
+ while (lmac) {
++ lmac--;
+ if (bgx->lmac[lmac].phydev) {
+ put_device(&bgx->lmac[lmac].phydev->mdio.dev);
+ bgx->lmac[lmac].phydev = NULL;
+ }
+- lmac--;
+ }
+ of_node_put(node);
+ return -EPROBE_DEFER;
+--
+2.50.1
+
--- /dev/null
+From f682507ec8d4ac9b36fd73b2e521899adda5ed54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 13:22:20 +0200
+Subject: netfilter: conntrack: helper: Replace -EEXIST by -EBUSY
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit 54416fd76770bd04fc3c501810e8d673550bab26 ]
+
+The helper registration return value is passed-through by module_init
+callbacks which modprobe confuses with the harmless -EEXIST returned
+when trying to load an already loaded module.
+
+Make sure modprobe fails so users notice their helper has not been
+registered and won't work.
+
+Suggested-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_helper.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
+index 32cc91f5ba99f..89174c91053ed 100644
+--- a/net/netfilter/nf_conntrack_helper.c
++++ b/net/netfilter/nf_conntrack_helper.c
+@@ -417,7 +417,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
+ (cur->tuple.src.l3num == NFPROTO_UNSPEC ||
+ cur->tuple.src.l3num == me->tuple.src.l3num) &&
+ cur->tuple.dst.protonum == me->tuple.dst.protonum) {
+- ret = -EEXIST;
++ ret = -EBUSY;
+ goto out;
+ }
+ }
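Review bot: Both `ret = -EBUSY;` assignments (here and in the second hunk of this function) look like an arbitrary errno choice to anyone who has not read the commit message, and -EEXIST is the natural value to "correct" them back to. A comment at the first site would pin the reason, for example `/* not -EEXIST: modprobe treats it as "already loaded" and reports success */`. Any caller that compares the return value of nf_conntrack_helper_register() against -EEXIST, or passes it on to user space, would now see the new value. No such caller is visible on this page, so that should be checked separately.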
+@@ -428,7 +428,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
+ hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) {
+ if (nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple,
+ &mask)) {
+- ret = -EEXIST;
++ ret = -EBUSY;
+ goto out;
+ }
+ }
+--
+2.50.1
+
--- /dev/null
+From 4a144f1e0c5e06eae086f5559dccfa402292ef4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Sep 2025 18:07:26 +0800
+Subject: ppp: fix memory leak in pad_compress_skb
+
+From: Qingfang Deng <dqfext@gmail.com>
+
+[ Upstream commit 4844123fe0b853a4982c02666cb3fd863d701d50 ]
+
+If alloc_skb() fails in pad_compress_skb(), it returns NULL without
+releasing the old skb. The caller does:
+
+ skb = pad_compress_skb(ppp, skb);
+ if (!skb)
+ goto drop;
+
+drop:
+ kfree_skb(skb);
+
+When pad_compress_skb() returns NULL, the reference to the old skb is
+lost and kfree_skb(skb) ends up doing nothing, leading to a memory leak.
+
+Align pad_compress_skb() semantics with realloc(): only free the old
+skb if allocation and compression succeed. At the call site, use the
+new_skb variable so the original skb is not lost when pad_compress_skb()
+fails.
+
+Fixes: b3f9b92a6ec1 ("[PPP]: add PPP MPPE encryption module")
+Signed-off-by: Qingfang Deng <dqfext@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
+Link: https://patch.msgid.link/20250903100726.269839-1-dqfext@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ppp/ppp_generic.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
+index d9d1f3519f0a7..b2b5a994dd0ee 100644
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -1616,7 +1616,6 @@ pad_compress_skb(struct ppp *ppp, struct sk_buff *skb)
+ */
+ if (net_ratelimit())
+ netdev_err(ppp->dev, "ppp: compressor dropped pkt\n");
+- kfree_skb(skb);
+ consume_skb(new_skb);
+ new_skb = NULL;
+ }
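Review bot: Removing `kfree_skb(skb)` from this failure branch changes the ownership contract of pad_compress_skb(): on a NULL return the caller still owns the input skb. That contract is stated only in the commit message; the function's header comment, which lies outside this hunk, should say it, e.g. `/* Like realloc(): on failure returns NULL and leaves skb for the caller to free. */`. The ppp_send_frame() hunk below depends on exactly this by keeping `skb` alive until `new_skb` is known to be non-NULL. Other callers of pad_compress_skb(), if any exist outside this page, would need the same treatment.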
+@@ -1718,9 +1717,10 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb)
+ "down - pkt dropped.\n");
+ goto drop;
+ }
+- skb = pad_compress_skb(ppp, skb);
+- if (!skb)
++ new_skb = pad_compress_skb(ppp, skb);
++ if (!new_skb)
+ goto drop;
++ skb = new_skb;
+ }
+
+ /*
+--
+2.50.1
+
drm-amd-display-don-t-warn-when-missing-dce-encoder-.patch
tee-fix-null-pointer-dereference-in-tee_shm_put.patch
arm64-dts-rockchip-add-vcc-supply-to-spi-flash-on-rk.patch
+wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch
+netfilter-conntrack-helper-replace-eexist-by-ebusy.patch
+bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch
+xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch
+misdn-fix-memory-leak-in-dsp_hwec_enable.patch
+icmp-fix-icmp_ndo_send-address-translation-for-reply.patch
+i40e-fix-potential-invalid-access-when-mac-list-is-e.patch
+net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch
+wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch
+wifi-libertas-cap-ssid-len-in-lbs_associate.patch
+net-thunder_bgx-add-a-missing-of_node_put.patch
+net-thunder_bgx-decrement-cleanup-index-before-use.patch
+ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch
+ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch
+net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch
+ppp-fix-memory-leak-in-pad_compress_skb.patch
--- /dev/null
+From 93fdf736a1a378bd57a202348b1a9f2019287f4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Aug 2025 16:52:36 +0300
+Subject: wifi: cfg80211: fix use-after-free in cmp_bss()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 26e84445f02ce6b2fe5f3e0e28ff7add77f35e08 ]
+
+Following bss_free() quirk introduced in commit 776b3580178f
+("cfg80211: track hidden SSID networks properly"), adjust
+cfg80211_update_known_bss() to free the last beacon frame
+elements only if they're not shared via the corresponding
+'hidden_beacon_bss' pointer.
+
+Reported-by: syzbot+30754ca335e6fb7e3092@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=30754ca335e6fb7e3092
+Fixes: 3ab8227d3e7d ("cfg80211: refactor cfg80211_bss_update")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Link: https://patch.msgid.link/20250813135236.799384-1-dmantipov@yandex.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/scan.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index 670fcdbef95be..a09fb52910082 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -1761,7 +1761,8 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev,
+ */
+
+ f = rcu_access_pointer(new->pub.beacon_ies);
+- kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head);
++ if (!new->pub.hidden_beacon_bss)
++ kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head);
+ return false;
+ }
+
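Review bot: The new `if (!new->pub.hidden_beacon_bss)` guard in front of `kfree_rcu()` encodes an ownership rule that is not written down in the code. The commit message says the beacon elements can be shared through the `hidden_beacon_bss` pointer, and freeing them here is what led to the use-after-free in cmp_bss(). I would put a comment above the check, for example `/* beacon_ies may be shared via hidden_beacon_bss (see bss_free()); free only when not shared */`. cfg80211_update_known_bss() starts outside the hunk, so the other places that release `beacon_ies` cannot be checked from here.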
+--
+2.50.1
+
--- /dev/null
+From 966f00f823b2b507bb05f2a8a9da9d83129aa32e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 15:48:28 +0300
+Subject: wifi: cw1200: cap SSID length in cw1200_do_join()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit f8f15f6742b8874e59c9c715d0af3474608310ad ]
+
+If the ssidie[1] length is more that 32 it leads to memory corruption.
+
+Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/e91fb43fcedc4893b604dfb973131661510901a7.1756456951.git.dan.carpenter@linaro.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/st/cw1200/sta.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/st/cw1200/sta.c b/drivers/net/wireless/st/cw1200/sta.c
+index 236022d4ae2a3..0f2d1ec34cd82 100644
+--- a/drivers/net/wireless/st/cw1200/sta.c
++++ b/drivers/net/wireless/st/cw1200/sta.c
+@@ -1289,7 +1289,7 @@ static void cw1200_do_join(struct cw1200_common *priv)
+ rcu_read_lock();
+ ssidie = ieee80211_bss_get_ie(bss, WLAN_EID_SSID);
+ if (ssidie) {
+- join.ssid_len = ssidie[1];
++ join.ssid_len = min(ssidie[1], IEEE80211_MAX_SSID_LEN);
+ memcpy(join.ssid, &ssidie[2], join.ssid_len);
+ }
+ rcu_read_unlock();
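Review bot: `min(ssidie[1], IEEE80211_MAX_SSID_LEN)` mixes a `u8` element with an `int` constant, which the strictly type-checked `min()` of older trees rejects with a "comparison of distinct pointer types" warning. If this queue targets such a tree, `join.ssid_len = min_t(u8, ssidie[1], IEEE80211_MAX_SSID_LEN);` states the type explicitly and builds cleanly either way. The same expression appears in the libertas patch as `u32 ssid_len = min(ssid_eid[1], IEEE80211_MAX_SSID_LEN);` and would need the same treatment. The length byte comes out of the BSS information element, so the clamp is the only thing bounding the `memcpy()` on the next line and should not depend on a macro variant that may warn or be patched around.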
+--
+2.50.1
+
--- /dev/null
+From 2bfc9633a793a79d036c4a76f3c35a08c13ade52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 15:48:35 +0300
+Subject: wifi: libertas: cap SSID len in lbs_associate()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit c786794bd27b0d7a5fd9063695df83206009be59 ]
+
+If the ssid_eid[1] length is more that 32 it leads to memory corruption.
+
+Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/2a40f5ec7617144aef412034c12919a4927d90ad.1756456951.git.dan.carpenter@linaro.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/libertas/cfg.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c
+index 4e3de684928bf..a659054c1bcd9 100644
+--- a/drivers/net/wireless/marvell/libertas/cfg.c
++++ b/drivers/net/wireless/marvell/libertas/cfg.c
+@@ -1102,10 +1102,13 @@ static int lbs_associate(struct lbs_private *priv,
+ /* add SSID TLV */
+ rcu_read_lock();
+ ssid_eid = ieee80211_bss_get_ie(bss, WLAN_EID_SSID);
+- if (ssid_eid)
+- pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_eid[1]);
+- else
++ if (ssid_eid) {
++ u32 ssid_len = min(ssid_eid[1], IEEE80211_MAX_SSID_LEN);
++
++ pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_len);
++ } else {
+ lbs_deb_assoc("no SSID\n");
++ }
+ rcu_read_unlock();
+
+ /* add DS param TLV */
+--
+2.50.1
+
--- /dev/null
+From e4c76166434395824eb4aba0dc7718dfb0e73855 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 12:26:43 -0700
+Subject: xirc2ps_cs: fix register access when enabling FullDuplex
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit b79e498080b170fd94fc83bca2471f450811549b ]
+
+The current code incorrectly passes (XIRCREG1_ECR | FullDuplex) as
+the register address to GetByte(), instead of fetching the register
+value and OR-ing it with FullDuplex. This results in an invalid
+register access.
+
+Fix it by reading XIRCREG1_ECR first, then or-ing with FullDuplex
+before writing it back.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://patch.msgid.link/20250827192645.658496-1-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/xircom/xirc2ps_cs.c b/drivers/net/ethernet/xircom/xirc2ps_cs.c
+index 56cef59c1c872..1dd297143ee08 100644
+--- a/drivers/net/ethernet/xircom/xirc2ps_cs.c
++++ b/drivers/net/ethernet/xircom/xirc2ps_cs.c
+@@ -1584,7 +1584,7 @@ do_reset(struct net_device *dev, int full)
+ msleep(40); /* wait 40 msec to let it complete */
+ }
+ if (full_duplex)
+- PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR | FullDuplex));
++ PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR) | FullDuplex);
+ } else { /* No MII */
+ SelectPage(0);
+ value = GetByte(XIRCREG_ESR); /* read the ESR */
+--
+2.50.1
+
--- /dev/null
+From 9f6ccc2b8d4e50d472c7a4bb4b50651b77935185 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Sep 2025 12:46:42 +0000
+Subject: ax25: properly unshare skbs in ax25_kiss_rcv()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 8156210d36a43e76372312c87eb5ea3dbb405a85 ]
+
+Bernard Pidoux reported a regression apparently caused by commit
+c353e8983e0d ("net: introduce per netns packet chains").
+
+skb->dev becomes NULL and we crash in __netif_receive_skb_core().
+
+Before above commit, different kind of bugs or corruptions could happen
+without a major crash.
+
+But the root cause is that ax25_kiss_rcv() can queue/mangle input skb
+without checking if this skb is shared or not.
+
+Many thanks to Bernard Pidoux for his help, diagnosis and tests.
+
+We had a similar issue years ago fixed with commit 7aaed57c5c28
+("phonet: properly unshare skbs in phonet_rcv()").
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Bernard Pidoux <f6bvp@free.fr>
+Closes: https://lore.kernel.org/netdev/1713f383-c538-4918-bc64-13b3288cd542@free.fr/
+Tested-by: Bernard Pidoux <f6bvp@free.fr>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Joerg Reuter <jreuter@yaina.de>
+Cc: David Ranch <dranch@trinnet.net>
+Cc: Folkert van Heusden <folkert@vanheusden.com>
+Reviewed-by: Dan Cross <crossd@gmail.com>
+Link: https://patch.msgid.link/20250902124642.212705-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ax25/ax25_in.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/ax25/ax25_in.c b/net/ax25/ax25_in.c
+index cd6afe895db99..e43f92372cba5 100644
+--- a/net/ax25/ax25_in.c
++++ b/net/ax25/ax25_in.c
+@@ -433,6 +433,10 @@ static int ax25_rcv(struct sk_buff *skb, struct net_device *dev,
+ int ax25_kiss_rcv(struct sk_buff *skb, struct net_device *dev,
+ struct packet_type *ptype, struct net_device *orig_dev)
+ {
++ skb = skb_share_check(skb, GFP_ATOMIC);
++ if (!skb)
++ return NET_RX_DROP;
++
+ skb_orphan(skb);
+
+ if (!net_eq(dev_net(dev), &init_net)) {
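Review bot: Nothing at the new `skb_share_check()` call says why the private copy is needed or why the `!skb` branch returns without freeing. A short comment would keep a later cleanup from removing the call or adding a second free, for example `/* ax25_rcv() may queue or modify the skb; skb_share_check() has already freed the original on failure */`. The rest of ax25_kiss_rcv() lies outside the hunk.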
+--
+2.50.1
+
--- /dev/null
+From 5948471309cc466590ca2bb074276d86491bf8d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 20:40:14 +0000
+Subject: Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 862c628108562d8c7a516a900034823b381d3cba ]
+
+syzbot reported the splat below without a repro.
+
+In the splat, a single thread calling bt_accept_dequeue() freed sk
+and touched it after that.
+
+The root cause would be the racy l2cap_sock_cleanup_listen() call
+added by the cited commit.
+
+bt_accept_dequeue() is called under lock_sock() except for
+l2cap_sock_release().
+
+Two threads could see the same socket during the list iteration
+in bt_accept_dequeue():
+
+ CPU1 CPU2 (close())
+ ---- ----
+ sock_hold(sk) sock_hold(sk);
+ lock_sock(sk) <-- block close()
+ sock_put(sk)
+ bt_accept_unlink(sk)
+ sock_put(sk) <-- refcnt by bt_accept_enqueue()
+ release_sock(sk)
+ lock_sock(sk)
+ sock_put(sk)
+ bt_accept_unlink(sk)
+ sock_put(sk) <-- last refcnt
+ bt_accept_unlink(sk) <-- UAF
+
+Depending on the timing, the other thread could show up in the
+"Freed by task" part.
+
+Let's call l2cap_sock_cleanup_listen() under lock_sock() in
+l2cap_sock_release().
+
+[0]:
+BUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
+BUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115
+Read of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995
+CPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xcd/0x630 mm/kasan/report.c:482
+ kasan_report+0xe0/0x110 mm/kasan/report.c:595
+ debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
+ do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115
+ spin_lock_bh include/linux/spinlock.h:356 [inline]
+ release_sock+0x21/0x220 net/core/sock.c:3746
+ bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312
+ l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451
+ l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425
+ __sock_release+0xb3/0x270 net/socket.c:649
+ sock_close+0x1c/0x30 net/socket.c:1439
+ __fput+0x3ff/0xb70 fs/file_table.c:468
+ task_work_run+0x14d/0x240 kernel/task_work.c:227
+ resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+ exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
+ exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
+ syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
+ syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
+ do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f2accf8ebe9
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
+RAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9
+RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
+RBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f
+R10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c
+R13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490
+ </TASK>
+
+Allocated by task 5326:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:68
+ poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
+ __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
+ kasan_kmalloc include/linux/kasan.h:260 [inline]
+ __do_kmalloc_node mm/slub.c:4365 [inline]
+ __kmalloc_noprof+0x223/0x510 mm/slub.c:4377
+ kmalloc_noprof include/linux/slab.h:909 [inline]
+ sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2239
+ sk_alloc+0x36/0xc20 net/core/sock.c:2295
+ bt_sock_alloc+0x3b/0x3a0 net/bluetooth/af_bluetooth.c:151
+ l2cap_sock_alloc.constprop.0+0x33/0x1d0 net/bluetooth/l2cap_sock.c:1894
+ l2cap_sock_new_connection_cb+0x101/0x240 net/bluetooth/l2cap_sock.c:1482
+ l2cap_connect_cfm+0x4c4/0xf80 net/bluetooth/l2cap_core.c:7287
+ hci_connect_cfm include/net/bluetooth/hci_core.h:2050 [inline]
+ hci_remote_features_evt+0x4dd/0x970 net/bluetooth/hci_event.c:3712
+ hci_event_func net/bluetooth/hci_event.c:7519 [inline]
+ hci_event_packet+0xa0d/0x11c0 net/bluetooth/hci_event.c:7573
+ hci_rx_work+0x2c5/0x16b0 net/bluetooth/hci_core.c:4071
+ process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
+ process_scheduled_works kernel/workqueue.c:3319 [inline]
+ worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
+ kthread+0x3c2/0x780 kernel/kthread.c:463
+ ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
+
+Freed by task 16995:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:68
+ kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
+ poison_slab_object mm/kasan/common.c:243 [inline]
+ __kasan_slab_free+0x60/0x70 mm/kasan/common.c:275
+ kasan_slab_free include/linux/kasan.h:233 [inline]
+ slab_free_hook mm/slub.c:2417 [inline]
+ slab_free mm/slub.c:4680 [inline]
+ kfree+0x2b4/0x4d0 mm/slub.c:4879
+ sk_prot_free net/core/sock.c:2278 [inline]
+ __sk_destruct+0x75f/0x9a0 net/core/sock.c:2373
+ sk_destruct+0xc2/0xf0 net/core/sock.c:2401
+ __sk_free+0xf4/0x3e0 net/core/sock.c:2412
+ sk_free+0x6a/0x90 net/core/sock.c:2423
+ sock_put include/net/sock.h:1960 [inline]
+ bt_accept_unlink+0x245/0x2e0 net/bluetooth/af_bluetooth.c:262
+ bt_accept_dequeue+0x517/0x600 net/bluetooth/af_bluetooth.c:308
+ l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451
+ l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425
+ __sock_release+0xb3/0x270 net/socket.c:649
+ sock_close+0x1c/0x30 net/socket.c:1439
+ __fput+0x3ff/0xb70 fs/file_table.c:468
+ task_work_run+0x14d/0x240 kernel/task_work.c:227
+ resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+ exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
+ exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
+ syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
+ syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
+ do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 1728137b33c0 ("Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb")
+Reported-by: syzbot+e5e64cdf8e92046dd3e1@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-bluetooth/68af6b9d.a70a0220.3cafd4.0032.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
+index b2719f1b8adff..8e2e6d1a6dd15 100644
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1416,7 +1416,10 @@ static int l2cap_sock_release(struct socket *sock)
+ if (!sk)
+ return 0;
+
++ lock_sock_nested(sk, L2CAP_NESTING_PARENT);
+ l2cap_sock_cleanup_listen(sk);
++ release_sock(sk);
++
+ bt_sock_unlink(&l2cap_sk_list, sk);
+
+ err = l2cap_sock_shutdown(sock, SHUT_RDWR);
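Review bot: The lock now taken around `l2cap_sock_cleanup_listen(sk)` is a calling convention that the code itself never states. The commit message describes this path as the one caller that reached `bt_accept_dequeue()` without `lock_sock()`. I would document it at the call, for example `/* bt_accept_dequeue() walks the accept queue and must run under the parent's socket lock */`. The hunk also does not show why `L2CAP_NESTING_PARENT` is used rather than plain `lock_sock()`; presumably child sockets are locked inside the cleanup, and the comment should say so once confirmed. l2cap_sock_release() starts and ends outside the hunk.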
+--
+2.50.1
+
--- /dev/null
+From 5294b575f52b363cf0a8c25f08ec8e65e27ce9ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 19:56:31 +0800
+Subject: i40e: Fix potential invalid access when MAC list is empty
+
+From: Zhen Ni <zhen.ni@easystack.cn>
+
+[ Upstream commit a556f06338e1d5a85af0e32ecb46e365547f92b9 ]
+
+list_first_entry() never returns NULL - if the list is empty, it still
+returns a pointer to an invalid object, leading to potential invalid
+memory access when dereferenced.
+
+Fix this by using list_first_entry_or_null instead of list_first_entry.
+
+Fixes: e3219ce6a775 ("i40e: Add support for client interface for IWARP driver")
+Signed-off-by: Zhen Ni <zhen.ni@easystack.cn>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_client.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_client.c b/drivers/net/ethernet/intel/i40e/i40e_client.c
+index 8bcb98b85e3d9..4af2a4c591067 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_client.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_client.c
+@@ -362,8 +362,8 @@ static void i40e_client_add_instance(struct i40e_pf *pf)
+ if (i40e_client_get_params(vsi, &cdev->lan_info.params))
+ goto free_cdev;
+
+- mac = list_first_entry(&cdev->lan_info.netdev->dev_addrs.list,
+- struct netdev_hw_addr, list);
++ mac = list_first_entry_or_null(&cdev->lan_info.netdev->dev_addrs.list,
++ struct netdev_hw_addr, list);
+ if (mac)
+ ether_addr_copy(cdev->lan_info.lanmac, mac->addr);
+ else
+--
+2.50.1
+
--- /dev/null
+From feb596fa252010e015d631e6fdf19de4857dc529 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Aug 2025 11:14:35 +0200
+Subject: icmp: fix icmp_ndo_send address translation for reply direction
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fabian Bläse <fabian@blaese.de>
+
+[ Upstream commit c6dd1aa2cbb72b33e0569f3e71d95792beab5042 ]
+
+The icmp_ndo_send function was originally introduced to ensure proper
+rate limiting when icmp_send is called by a network device driver,
+where the packet's source address may have already been transformed
+by SNAT.
+
+However, the original implementation only considers the
+IP_CT_DIR_ORIGINAL direction for SNAT and always replaced the packet's
+source address with that of the original-direction tuple. This causes
+two problems:
+
+1. For SNAT:
+ Reply-direction packets were incorrectly translated using the source
+ address of the CT original direction, even though no translation is
+ required.
+
+2. For DNAT:
+ Reply-direction packets were not handled at all. In DNAT, the original
+ direction's destination is translated. Therefore, in the reply
+ direction the source address must be set to the reply-direction
+ source, so rate limiting works as intended.
+
+Fix this by using the connection direction to select the correct tuple
+for source address translation, and adjust the pre-checks to handle
+reply-direction packets in case of DNAT.
+
+Additionally, wrap the `ct->status` access in READ_ONCE(). This avoids
+possible KCSAN reports about concurrent updates to `ct->status`.
+
+Fixes: 0b41713b6066 ("icmp: introduce helper for nat'd source address in network device context")
+Signed-off-by: Fabian Bläse <fabian@blaese.de>
+Cc: Jason A. Donenfeld <Jason@zx2c4.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/icmp.c | 6 ++++--
+ net/ipv6/ip6_icmp.c | 6 ++++--
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index 38b30f6790294..8a70e51654264 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -792,11 +792,12 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info)
+ struct sk_buff *cloned_skb = NULL;
+ struct ip_options opts = { 0 };
+ enum ip_conntrack_info ctinfo;
++ enum ip_conntrack_dir dir;
+ struct nf_conn *ct;
+ __be32 orig_ip;
+
+ ct = nf_ct_get(skb_in, &ctinfo);
+- if (!ct || !(ct->status & IPS_SRC_NAT)) {
++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) {
+ __icmp_send(skb_in, type, code, info, &opts);
+ return;
+ }
+@@ -811,7 +812,8 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info)
+ goto out;
+
+ orig_ip = ip_hdr(skb_in)->saddr;
+- ip_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.ip;
++ dir = CTINFO2DIR(ctinfo);
++ ip_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.ip;
+ __icmp_send(skb_in, type, code, info, &opts);
+ ip_hdr(skb_in)->saddr = orig_ip;
+ out:
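Review bot: The change from `tuplehash[0]` to `tuplehash[dir]` is the core of the fix, but in the code it reads as an arbitrary index change because the reasoning is only in the commit message. A one-line comment before `dir = CTINFO2DIR(ctinfo);` would keep it from being simplified back, for example `/* use the tuple for this packet's direction so reply-direction packets are rate limited on their own source */`. The same applies to the matching hunk in net/ipv6/ip6_icmp.c. The widened pre-check on `IPS_NAT_MASK` now sends every NATed flow through the clone-and-rewrite path, which sits between the two hunks and is not visible, so its behaviour for DNAT-only entries could not be confirmed from here.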
+diff --git a/net/ipv6/ip6_icmp.c b/net/ipv6/ip6_icmp.c
+index 9e3574880cb03..233914b63bdb8 100644
+--- a/net/ipv6/ip6_icmp.c
++++ b/net/ipv6/ip6_icmp.c
+@@ -54,11 +54,12 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info)
+ struct inet6_skb_parm parm = { 0 };
+ struct sk_buff *cloned_skb = NULL;
+ enum ip_conntrack_info ctinfo;
++ enum ip_conntrack_dir dir;
+ struct in6_addr orig_ip;
+ struct nf_conn *ct;
+
+ ct = nf_ct_get(skb_in, &ctinfo);
+- if (!ct || !(ct->status & IPS_SRC_NAT)) {
++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) {
+ __icmpv6_send(skb_in, type, code, info, &parm);
+ return;
+ }
+@@ -73,7 +74,8 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info)
+ goto out;
+
+ orig_ip = ipv6_hdr(skb_in)->saddr;
+- ipv6_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.in6;
++ dir = CTINFO2DIR(ctinfo);
++ ipv6_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.in6;
+ __icmpv6_send(skb_in, type, code, info, &parm);
+ ipv6_hdr(skb_in)->saddr = orig_ip;
+ out:
+--
+2.50.1
+
--- /dev/null
+From 56872d1abdbc201186e4e87baa63d83682044f29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Sep 2025 09:36:08 +0300
+Subject: ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit a51160f8da850a65afbf165f5bbac7ffb388bf74 ]
+
+The inetdev_init() function never returns NULL. Check for error
+pointers instead.
+
+Fixes: 22600596b675 ("ipv4: give an IPv4 dev to blackhole_netdev")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/aLaQWL9NguWmeM1i@stanley.mountain
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/devinet.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
+index 33e87b442b475..6b0dc07f273a2 100644
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -332,14 +332,13 @@ static void inetdev_destroy(struct in_device *in_dev)
+
+ static int __init inet_blackhole_dev_init(void)
+ {
+- int err = 0;
++ struct in_device *in_dev;
+
+ rtnl_lock();
+- if (!inetdev_init(blackhole_netdev))
+- err = -ENOMEM;
++ in_dev = inetdev_init(blackhole_netdev);
+ rtnl_unlock();
+
+- return err;
++ return PTR_ERR_OR_ZERO(in_dev);
+ }
+ late_initcall(inet_blackhole_dev_init);
+
+--
+2.50.1
+
--- /dev/null
+From 0242749f48795d5adbe29eb18f65b36d10aa1512 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Aug 2025 16:14:57 +0800
+Subject: mISDN: Fix memory leak in dsp_hwec_enable()
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 0704a3da7ce50f972e898bbda88d2692a22922d9 ]
+
+dsp_hwec_enable() allocates dup pointer by kstrdup(arg),
+but then it updates dup variable by strsep(&dup, ",").
+As a result when it calls kfree(dup), the dup variable may be
+a modified pointer that no longer points to the original allocated
+memory, causing a memory leak.
+
+The issue is the same pattern as fixed in commit c6a502c22999
+("mISDN: Fix memory leak in dsp_pipeline_build()").
+
+Fixes: 9a4381618262 ("mISDN: Remove VLAs")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250828081457.36061-1-linmq006@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/mISDN/dsp_hwec.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/isdn/mISDN/dsp_hwec.c b/drivers/isdn/mISDN/dsp_hwec.c
+index 0b3f29195330a..0cd216e28f009 100644
+--- a/drivers/isdn/mISDN/dsp_hwec.c
++++ b/drivers/isdn/mISDN/dsp_hwec.c
+@@ -51,14 +51,14 @@ void dsp_hwec_enable(struct dsp *dsp, const char *arg)
+ goto _do;
+
+ {
+- char *dup, *tok, *name, *val;
++ char *dup, *next, *tok, *name, *val;
+ int tmp;
+
+- dup = kstrdup(arg, GFP_ATOMIC);
++ dup = next = kstrdup(arg, GFP_ATOMIC);
+ if (!dup)
+ return;
+
+- while ((tok = strsep(&dup, ","))) {
++ while ((tok = strsep(&next, ","))) {
+ if (!strlen(tok))
+ continue;
+ name = strsep(&tok, "=");
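Review bot: `dup = next = kstrdup(arg, GFP_ATOMIC);` does not show which of the two pointers owns the allocation, and that ownership was exactly the bug being fixed. I would assign them separately and add a comment, for example `next = dup; /* strsep() advances next; dup stays the base pointer for kfree() */`. The `kfree(dup)` that relies on this is below the hunk, so the pairing cannot be confirmed from the visible lines.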
+--
+2.50.1
+
--- /dev/null
+From 702d3740e1f452419bdee97db25a245b8fc926ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Sep 2025 14:35:37 +0800
+Subject: net: atm: fix memory leak in atm_register_sysfs when device_register
+ fail
+
+From: Wang Liang <wangliang74@huawei.com>
+
+[ Upstream commit 0a228624bcc00af41f281a2a84c928595a74c17d ]
+
+When device_register() return error in atm_register_sysfs(), which can be
+triggered by kzalloc fail in device_private_init() or other reasons,
+kmemleak reports the following memory leaks:
+
+unreferenced object 0xffff88810182fb80 (size 8):
+ comm "insmod", pid 504, jiffies 4294852464
+ hex dump (first 8 bytes):
+ 61 64 75 6d 6d 79 30 00 adummy0.
+ backtrace (crc 14dfadaf):
+ __kmalloc_node_track_caller_noprof+0x335/0x450
+ kvasprintf+0xb3/0x130
+ kobject_set_name_vargs+0x45/0x120
+ dev_set_name+0xa9/0xe0
+ atm_register_sysfs+0xf3/0x220
+ atm_dev_register+0x40b/0x780
+ 0xffffffffa000b089
+ do_one_initcall+0x89/0x300
+ do_init_module+0x27b/0x7d0
+ load_module+0x54cd/0x5ff0
+ init_module_from_file+0xe4/0x150
+ idempotent_init_module+0x32c/0x610
+ __x64_sys_finit_module+0xbd/0x120
+ do_syscall_64+0xa8/0x270
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+When device_create_file() return error in atm_register_sysfs(), the same
+issue also can be triggered.
+
+Function put_device() should be called to release kobj->name memory and
+other device resource, instead of kfree().
+
+Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
+Signed-off-by: Wang Liang <wangliang74@huawei.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250901063537.1472221-1-wangliang74@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/atm/resources.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/atm/resources.c b/net/atm/resources.c
+index b19d851e1f443..7c6fdedbcf4e5 100644
+--- a/net/atm/resources.c
++++ b/net/atm/resources.c
+@@ -112,7 +112,9 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent,
+
+ if (atm_proc_dev_register(dev) < 0) {
+ pr_err("atm_proc_dev_register failed for dev %s\n", type);
+- goto out_fail;
++ mutex_unlock(&atm_dev_mutex);
++ kfree(dev);
++ return NULL;
+ }
+
+ if (atm_register_sysfs(dev, parent) < 0) {
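Review bot: The `atm_proc_dev_register()` failure branch now open-codes `mutex_unlock()`, `kfree(dev)` and `return NULL`, while `out_fail` in the second hunk switches to `put_device(&dev->class_dev)`. Nothing records why the two paths must differ. Presumably `class_dev` is only initialised inside `atm_register_sysfs()`, so routing the early failure back to `out_fail` later would call `put_device()` on an uninitialised device. A comment in the early branch would guard against that, for example `/* class_dev is not initialised yet, so plain kfree() is correct here; out_fail uses put_device() */`. atm_dev_register() begins before the hunk and the body of the `atm_register_sysfs()` failure branch is cut off, so it is not visible whether the proc entry is removed before `goto out_fail`.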
+@@ -128,7 +130,7 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent,
+ return dev;
+
+ out_fail:
+- kfree(dev);
++ put_device(&dev->class_dev);
+ dev = NULL;
+ goto out;
+ }
+--
+2.50.1
+
--- /dev/null
+From 16a9d4618f4af2d3845ce6eb90505cc28e44a632 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Aug 2025 20:20:07 +0200
+Subject: net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit d4736737110ffa83d29f1c5d17b26113864205f6 ]
+
+When sending llc packets with vlan tx offload, the hardware fails to
+actually add the tag. Deal with this by fixing it up in software.
+
+Fixes: 656e705243fd ("net-next: mediatek: add support for MT7623 ethernet")
+Reported-by: Thibaut VARENE <hacks@slashdirt.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250831182007.51619-1-nbd@nbd.name
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index 711acc6059a4f..4d7a72bcee614 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -1196,6 +1196,13 @@ static netdev_tx_t mtk_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ bool gso = false;
+ int tx_num;
+
++ if (skb_vlan_tag_present(skb) &&
++ !eth_proto_is_802_3(eth_hdr(skb)->h_proto)) {
++ skb = __vlan_hwaccel_push_inside(skb);
++ if (!skb)
++ goto dropped;
++ }
++
+ /* normally we can rely on the stack not calling this more than once,
+ * however we have 2 queues running on the same ring so we need to lock
+ * the ring access
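Review bot: The new block at the top of mtk_start_xmit() has no comment saying it works around a hardware limitation, so the `!eth_proto_is_802_3()` test looks like an odd special case. Something like `/* HW VLAN insertion does not tag LLC frames; insert the tag in software */` above the `if` would carry the commit message's reasoning into the code. It is also worth a note at the `dropped:` label in the second hunk that `__vlan_hwaccel_push_inside()` has already freed the skb when it returns NULL. That is why the new label sits after `dev_kfree_skb_any(skb)` and skips the unlock.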
+@@ -1241,8 +1248,9 @@ static netdev_tx_t mtk_start_xmit(struct sk_buff *skb, struct net_device *dev)
+
+ drop:
+ spin_unlock(ð->page_lock);
+- stats->tx_dropped++;
+ dev_kfree_skb_any(skb);
++dropped:
++ stats->tx_dropped++;
+ return NETDEV_TX_OK;
+ }
+
+--
+2.50.1
+
--- /dev/null
+From d5900d832747d3449328855be8d11b44248a1b97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 13:57:22 +0200
+Subject: net: phy: mscc: Fix memory leak when using one step timestamping
+
+From: Horatiu Vultur <horatiu.vultur@microchip.com>
+
+[ Upstream commit 846992645b25ec4253167e3f931e4597eb84af56 ]
+
+Fix memory leak when running one-step timestamping. When running
+one-step sync timestamping, the HW is configured to insert the TX time
+into the frame, so there is no reason to keep the skb anymore. As in
+this case the HW will never generate an interrupt to say that the frame
+was timestamped, then the frame will never released.
+Fix this by freeing the frame in case of one-step timestamping.
+
+Fixes: 7d272e63e0979d ("net: phy: mscc: timestamping and PHC support")
+Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
+Link: https://patch.msgid.link/20250522115722.2827199-1-horatiu.vultur@microchip.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 9b2bfdbf43ad ("phy: mscc: Stop taking ts_lock for tx_queue and use its own lock")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/mscc/mscc_ptp.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c
+index e30e6ba9da2f4..717435562f1c5 100644
+--- a/drivers/net/phy/mscc/mscc_ptp.c
++++ b/drivers/net/phy/mscc/mscc_ptp.c
+@@ -1171,18 +1171,24 @@ static void vsc85xx_txtstamp(struct mii_timestamper *mii_ts,
+ container_of(mii_ts, struct vsc8531_private, mii_ts);
+
+ if (!vsc8531->ptp->configured)
+- return;
++ goto out;
+
+- if (vsc8531->ptp->tx_type == HWTSTAMP_TX_OFF) {
+- kfree_skb(skb);
+- return;
+- }
++ if (vsc8531->ptp->tx_type == HWTSTAMP_TX_OFF)
++ goto out;
++
++ if (vsc8531->ptp->tx_type == HWTSTAMP_TX_ONESTEP_SYNC)
++ if (ptp_msg_is_sync(skb, type))
++ goto out;
+
+ skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS;
+
+ mutex_lock(&vsc8531->ts_lock);
+ __skb_queue_tail(&vsc8531->ptp->tx_queue, skb);
+ mutex_unlock(&vsc8531->ts_lock);
++ return;
++
++out:
++ kfree_skb(skb);
+ }
+
+ static bool vsc85xx_rxtstamp(struct mii_timestamper *mii_ts,
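Review bot: The one-step check is written as two nested unbraced `if` statements, which is easy to misread and fragile if an `else` is ever added. A single condition is clearer: `if (vsc8531->ptp->tx_type == HWTSTAMP_TX_ONESTEP_SYNC && ptp_msg_is_sync(skb, type))` followed by `goto out;`. The shared `out:` label also frees with `kfree_skb()` for the one-step sync case, where the frame is not dropped but simply needs no timestamp. `consume_skb()` on that path would keep drop monitoring from counting those frames as losses, if the maintainers want that distinction.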
+--
+2.50.1
+
--- /dev/null
+From 10566a50b23b12f9828b68d816220ab2ba86ad0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Sep 2025 14:30:18 -0700
+Subject: net: thunder_bgx: add a missing of_node_put
+
+From: Rosen Penev <rosenp@gmail.com>
+
+[ Upstream commit 9d28f94912589f04ab51fbccaef287d4f40e0d1f ]
+
+phy_np needs to get freed, just like the other child nodes.
+
+Fixes: 5fc7cf179449 ("net: thunderx: Cleanup PHY probing code.")
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250901213018.47392-1-rosenp@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/cavium/thunder/thunder_bgx.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+index 1831066c76475..d749431803e2e 100644
+--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+@@ -1491,13 +1491,17 @@ static int bgx_init_of_phy(struct bgx *bgx)
+ * this cortina phy, for which there is no driver
+ * support, ignore it.
+ */
+- if (phy_np &&
+- !of_device_is_compatible(phy_np, "cortina,cs4223-slice")) {
+- /* Wait until the phy drivers are available */
+- pd = of_phy_find_device(phy_np);
+- if (!pd)
+- goto defer;
+- bgx->lmac[lmac].phydev = pd;
++ if (phy_np) {
++ if (!of_device_is_compatible(phy_np, "cortina,cs4223-slice")) {
++ /* Wait until the phy drivers are available */
++ pd = of_phy_find_device(phy_np);
++ if (!pd) {
++ of_node_put(phy_np);
++ goto defer;
++ }
++ bgx->lmac[lmac].phydev = pd;
++ }
++ of_node_put(phy_np);
+ }
+
+ lmac++;
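Review bot: `of_node_put(phy_np)` now appears twice in this block, once before `goto defer` and once at the end, so any exit path added later has to remember a third copy. As far as the hunk shows, phy_np is not needed once `of_phy_find_device()` has returned, so the node can be released in a single place before the result is acted on. This assumes the returned phy device does not rely on the caller's node reference, which should be confirmed. The enclosing loop and the call that takes the phy_np reference are outside the hunk.
```c
if (phy_np) {
	bool ignore = of_device_is_compatible(phy_np, "cortina,cs4223-slice");

	/* Wait until the phy drivers are available */
	pd = ignore ? NULL : of_phy_find_device(phy_np);
	of_node_put(phy_np);
	if (!ignore) {
		if (!pd)
			goto defer;
		bgx->lmac[lmac].phydev = pd;
	}
}
```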
+--
+2.50.1
+
--- /dev/null
+From e98a08ece9a0b30838b8d6c8dc6b91f5c0c4d650 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Sep 2025 14:33:14 -0700
+Subject: net: thunder_bgx: decrement cleanup index before use
+
+From: Rosen Penev <rosenp@gmail.com>
+
+[ Upstream commit 9e3d71a92e561ccc77025689dab25d201fee7a3e ]
+
+All paths in probe that call goto defer do so before assigning phydev
+and thus it makes sense to cleanup the prior index. It also fixes a bug
+where index 0 does not get cleaned up.
+
+Fixes: b7d3e3d3d21a ("net: thunderx: Don't leak phy device references on -EPROBE_DEFER condition.")
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250901213314.48599-1-rosenp@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+index d749431803e2e..460f8c0989947 100644
+--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+@@ -1517,11 +1517,11 @@ static int bgx_init_of_phy(struct bgx *bgx)
+ * for phy devices we may have already found.
+ */
+ while (lmac) {
++ lmac--;
+ if (bgx->lmac[lmac].phydev) {
+ put_device(&bgx->lmac[lmac].phydev->mdio.dev);
+ bgx->lmac[lmac].phydev = NULL;
+ }
+- lmac--;
+ }
+ of_node_put(node);
+ return -EPROBE_DEFER;
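Review bot: Moving `lmac--` to the top of the loop relies on an invariant that is stated only in the commit message, namely that every `goto defer` happens before `phydev` is assigned for the current index. The existing comment above the loop should say so, for example `/* lmac is the entry that failed and never got a phydev; release the ones before it */`. Without it, a later `goto defer` placed after the assignment would leak that entry's device reference without any visible sign. The jumps to `defer` are outside this hunk, so the invariant cannot be checked from here.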
+--
+2.50.1
+
--- /dev/null
+From 0bcf72fabb303a8b73601eabfc558f526b0387da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 11:52:19 +0800
+Subject: netfilter: br_netfilter: do not check confirmed bit in
+ br_nf_local_in() after confirm
+
+From: Wang Liang <wangliang74@huawei.com>
+
+[ Upstream commit 479a54ab92087318514c82428a87af2d7af1a576 ]
+
+When send a broadcast packet to a tap device, which was added to a bridge,
+br_nf_local_in() is called to confirm the conntrack. If another conntrack
+with the same hash value is added to the hash table, which can be
+triggered by a normal packet to a non-bridge device, the below warning
+may happen.
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200
+ CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary)
+ RIP: 0010:br_nf_local_in+0x168/0x200
+ Call Trace:
+ <TASK>
+ nf_hook_slow+0x3e/0xf0
+ br_pass_frame_up+0x103/0x180
+ br_handle_frame_finish+0x2de/0x5b0
+ br_nf_hook_thresh+0xc0/0x120
+ br_nf_pre_routing_finish+0x168/0x3a0
+ br_nf_pre_routing+0x237/0x5e0
+ br_handle_frame+0x1ec/0x3c0
+ __netif_receive_skb_core+0x225/0x1210
+ __netif_receive_skb_one_core+0x37/0xa0
+ netif_receive_skb+0x36/0x160
+ tun_get_user+0xa54/0x10c0
+ tun_chr_write_iter+0x65/0xb0
+ vfs_write+0x305/0x410
+ ksys_write+0x60/0xd0
+ do_syscall_64+0xa4/0x260
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+ ---[ end trace 0000000000000000 ]---
+
+To solve the hash conflict, nf_ct_resolve_clash() try to merge the
+conntracks, and update skb->_nfct. However, br_nf_local_in() still use the
+old ct from local variable 'nfct' after confirm(), which leads to this
+warning.
+
+If confirm() does not insert the conntrack entry and return NF_DROP, the
+warning may also occur. There is no need to reserve the WARN_ON_ONCE, just
+remove it.
+
+Link: https://lore.kernel.org/netdev/20250820043329.2902014-1-wangliang74@huawei.com/
+Fixes: 62e7151ae3eb ("netfilter: bridge: confirm multicast packets before passing them up the stack")
+Suggested-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Wang Liang <wangliang74@huawei.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_netfilter_hooks.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
+index 7cd2bef583312..9ad0feb248b5d 100644
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -630,9 +630,6 @@ static unsigned int br_nf_local_in(void *priv,
+ break;
+ }
+
+- ct = container_of(nfct, struct nf_conn, ct_general);
+- WARN_ON_ONCE(!nf_ct_is_confirmed(ct));
+-
+ return ret;
+ }
+ #endif
+--
+2.50.1
+
--- /dev/null
+From d739e1061c0a230a693737607136f4a559d33378 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 13:22:20 +0200
+Subject: netfilter: conntrack: helper: Replace -EEXIST by -EBUSY
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit 54416fd76770bd04fc3c501810e8d673550bab26 ]
+
+The helper registration return value is passed-through by module_init
+callbacks which modprobe confuses with the harmless -EEXIST returned
+when trying to load an already loaded module.
+
+Make sure modprobe fails so users notice their helper has not been
+registered and won't work.
+
+Suggested-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_helper.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
+index 41c9708b50575..de5ac9f431031 100644
+--- a/net/netfilter/nf_conntrack_helper.c
++++ b/net/netfilter/nf_conntrack_helper.c
+@@ -418,7 +418,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
+ (cur->tuple.src.l3num == NFPROTO_UNSPEC ||
+ cur->tuple.src.l3num == me->tuple.src.l3num) &&
+ cur->tuple.dst.protonum == me->tuple.dst.protonum) {
+- ret = -EEXIST;
++ ret = -EBUSY;
+ goto out;
+ }
+ }
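Review bot: Nothing in the code says why a duplicate registration returns `-EBUSY`, so a later cleanup could restore the more natural-looking `-EEXIST`. This applies to both `ret = -EBUSY;` assignments, here and in the second hunk. A comment at the first one would keep the reason next to the code, for example `/* not -EEXIST: module_init passes this on and modprobe treats -EEXIST as "already loaded" */`. If nf_conntrack_helper_register() has a header comment outside these hunks that lists return values, it should be updated too.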
+@@ -429,7 +429,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
+ hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) {
+ if (nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple,
+ &mask)) {
+- ret = -EEXIST;
++ ret = -EBUSY;
+ goto out;
+ }
+ }
+--
+2.50.1
+
--- /dev/null
+From 9eaeacc3514420ebff10690707cdd8dcbc15e381 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Sep 2025 14:12:59 +0200
+Subject: phy: mscc: Stop taking ts_lock for tx_queue and use its own lock
+
+From: Horatiu Vultur <horatiu.vultur@microchip.com>
+
+[ Upstream commit 9b2bfdbf43adb9929c5ddcdd96efedbf1c88cf53 ]
+
+When transmitting a PTP frame which is timestamp using 2 step, the
+following warning appears if CONFIG_PROVE_LOCKING is enabled:
+=============================
+[ BUG: Invalid wait context ]
+6.17.0-rc1-00326-ge6160462704e #427 Not tainted
+-----------------------------
+ptp4l/119 is trying to lock:
+c2a44ed4 (&vsc8531->ts_lock){+.+.}-{3:3}, at: vsc85xx_txtstamp+0x50/0xac
+other info that might help us debug this:
+context-{4:4}
+4 locks held by ptp4l/119:
+ #0: c145f068 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x58/0x1440
+ #1: c29df974 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_queue_xmit+0x5c4/0x1440
+ #2: c2aaaad0 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0x108/0x350
+ #3: c2aac170 (&lan966x->tx_lock){+.-.}-{2:2}, at: lan966x_port_xmit+0xd0/0x350
+stack backtrace:
+CPU: 0 UID: 0 PID: 119 Comm: ptp4l Not tainted 6.17.0-rc1-00326-ge6160462704e #427 NONE
+Hardware name: Generic DT based system
+Call trace:
+ unwind_backtrace from show_stack+0x10/0x14
+ show_stack from dump_stack_lvl+0x7c/0xac
+ dump_stack_lvl from __lock_acquire+0x8e8/0x29dc
+ __lock_acquire from lock_acquire+0x108/0x38c
+ lock_acquire from __mutex_lock+0xb0/0xe78
+ __mutex_lock from mutex_lock_nested+0x1c/0x24
+ mutex_lock_nested from vsc85xx_txtstamp+0x50/0xac
+ vsc85xx_txtstamp from lan966x_fdma_xmit+0xd8/0x3a8
+ lan966x_fdma_xmit from lan966x_port_xmit+0x1bc/0x350
+ lan966x_port_xmit from dev_hard_start_xmit+0xc8/0x2c0
+ dev_hard_start_xmit from sch_direct_xmit+0x8c/0x350
+ sch_direct_xmit from __dev_queue_xmit+0x680/0x1440
+ __dev_queue_xmit from packet_sendmsg+0xfa4/0x1568
+ packet_sendmsg from __sys_sendto+0x110/0x19c
+ __sys_sendto from sys_send+0x18/0x20
+ sys_send from ret_fast_syscall+0x0/0x1c
+Exception stack(0xf0b05fa8 to 0xf0b05ff0)
+5fa0: 00000001 0000000e 0000000e 0004b47a 0000003a 00000000
+5fc0: 00000001 0000000e 00000000 00000121 0004af58 00044874 00000000 00000000
+5fe0: 00000001 bee9d420 00025a10 b6e75c7c
+
+So, instead of using the ts_lock for tx_queue, use the spinlock that
+skb_buff_head has.
+
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Fixes: 7d272e63e0979d ("net: phy: mscc: timestamping and PHC support")
+Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
+Link: https://patch.msgid.link/20250902121259.3257536-1-horatiu.vultur@microchip.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/mscc/mscc_ptp.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c
+index 717435562f1c5..7b73b78ac9b35 100644
+--- a/drivers/net/phy/mscc/mscc_ptp.c
++++ b/drivers/net/phy/mscc/mscc_ptp.c
+@@ -455,12 +455,12 @@ static void vsc85xx_dequeue_skb(struct vsc85xx_ptp *ptp)
+ *p++ = (reg >> 24) & 0xff;
+ }
+
+- len = skb_queue_len(&ptp->tx_queue);
++ len = skb_queue_len_lockless(&ptp->tx_queue);
+ if (len < 1)
+ return;
+
+ while (len--) {
+- skb = __skb_dequeue(&ptp->tx_queue);
++ skb = skb_dequeue(&ptp->tx_queue);
+ if (!skb)
+ return;
+
+@@ -485,7 +485,7 @@ static void vsc85xx_dequeue_skb(struct vsc85xx_ptp *ptp)
+ * packet in the FIFO right now, reschedule it for later
+ * packets.
+ */
+- __skb_queue_tail(&ptp->tx_queue, skb);
++ skb_queue_tail(&ptp->tx_queue, skb);
+ }
+ }
+
+@@ -1070,6 +1070,7 @@ static int vsc85xx_hwtstamp(struct mii_timestamper *mii_ts, struct ifreq *ifr)
+ case HWTSTAMP_TX_ON:
+ break;
+ case HWTSTAMP_TX_OFF:
++ skb_queue_purge(&vsc8531->ptp->tx_queue);
+ break;
+ default:
+ return -ERANGE;
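Review bot: The `skb_queue_purge()` added under `case HWTSTAMP_TX_OFF` may run while `ptp->tx_type` still holds the previous value; the store of the new type is not visible in this hunk, so this is inferred. Because vsc85xx_txtstamp() no longer takes `ts_lock`, a frame could be queued right after the purge and stay on `tx_queue` until a FIFO overflow or vsc8584_ptp_deinit() purges it. If the type is indeed stored after the switch, purging after that store would close the window. The old code also emptied the queue on every reconfiguration, while the new code does so only for TX_OFF. A comment saying that frames queued under the previous mode are deliberately left for the interrupt path would make that intent clear. vsc85xx_hwtstamp() begins and ends outside the hunk.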
+@@ -1094,9 +1095,6 @@ static int vsc85xx_hwtstamp(struct mii_timestamper *mii_ts, struct ifreq *ifr)
+
+ mutex_lock(&vsc8531->ts_lock);
+
+- __skb_queue_purge(&vsc8531->ptp->tx_queue);
+- __skb_queue_head_init(&vsc8531->ptp->tx_queue);
+-
+ /* Disable predictor while configuring the 1588 block */
+ val = vsc85xx_ts_read_csr(phydev, PROCESSOR,
+ MSCC_PHY_PTP_INGR_PREDICTOR);
+@@ -1182,9 +1180,7 @@ static void vsc85xx_txtstamp(struct mii_timestamper *mii_ts,
+
+ skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS;
+
+- mutex_lock(&vsc8531->ts_lock);
+- __skb_queue_tail(&vsc8531->ptp->tx_queue, skb);
+- mutex_unlock(&vsc8531->ts_lock);
++ skb_queue_tail(&vsc8531->ptp->tx_queue, skb);
+ return;
+
+ out:
+@@ -1550,6 +1546,7 @@ void vsc8584_ptp_deinit(struct phy_device *phydev)
+ if (vsc8531->ptp->ptp_clock) {
+ ptp_clock_unregister(vsc8531->ptp->ptp_clock);
+ skb_queue_purge(&vsc8531->rx_skbs_list);
++ skb_queue_purge(&vsc8531->ptp->tx_queue);
+ }
+ }
+
+@@ -1573,7 +1570,7 @@ irqreturn_t vsc8584_handle_ts_interrupt(struct phy_device *phydev)
+ if (rc & VSC85XX_1588_INT_FIFO_ADD) {
+ vsc85xx_get_tx_ts(priv->ptp);
+ } else if (rc & VSC85XX_1588_INT_FIFO_OVERFLOW) {
+- __skb_queue_purge(&priv->ptp->tx_queue);
++ skb_queue_purge(&priv->ptp->tx_queue);
+ vsc85xx_ts_reset_fifo(phydev);
+ }
+
+@@ -1593,6 +1590,7 @@ int vsc8584_ptp_probe(struct phy_device *phydev)
+ mutex_init(&vsc8531->phc_lock);
+ mutex_init(&vsc8531->ts_lock);
+ skb_queue_head_init(&vsc8531->rx_skbs_list);
++ skb_queue_head_init(&vsc8531->ptp->tx_queue);
+
+ /* Retrieve the shared load/save GPIO. Request it as non exclusive as
+ * the same GPIO can be requested by all the PHYs of the same package.
+--
+2.50.1
+
--- /dev/null
+From e5ba38bf81cfc5c0005b4cccfa308e1f448e531f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Sep 2025 18:07:26 +0800
+Subject: ppp: fix memory leak in pad_compress_skb
+
+From: Qingfang Deng <dqfext@gmail.com>
+
+[ Upstream commit 4844123fe0b853a4982c02666cb3fd863d701d50 ]
+
+If alloc_skb() fails in pad_compress_skb(), it returns NULL without
+releasing the old skb. The caller does:
+
+ skb = pad_compress_skb(ppp, skb);
+ if (!skb)
+ goto drop;
+
+drop:
+ kfree_skb(skb);
+
+When pad_compress_skb() returns NULL, the reference to the old skb is
+lost and kfree_skb(skb) ends up doing nothing, leading to a memory leak.
+
+Align pad_compress_skb() semantics with realloc(): only free the old
+skb if allocation and compression succeed. At the call site, use the
+new_skb variable so the original skb is not lost when pad_compress_skb()
+fails.
+
+Fixes: b3f9b92a6ec1 ("[PPP]: add PPP MPPE encryption module")
+Signed-off-by: Qingfang Deng <dqfext@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
+Link: https://patch.msgid.link/20250903100726.269839-1-dqfext@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ppp/ppp_generic.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
+index 5cb06e04293e3..91a19ed03bc7d 100644
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -1752,7 +1752,6 @@ pad_compress_skb(struct ppp *ppp, struct sk_buff *skb)
+ */
+ if (net_ratelimit())
+ netdev_err(ppp->dev, "ppp: compressor dropped pkt\n");
+- kfree_skb(skb);
+ consume_skb(new_skb);
+ new_skb = NULL;
+ }
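Review bot: pad_compress_skb() now has realloc()-like ownership, but that contract is stated only in the commit message. With `kfree_skb(skb)` removed, this error branch reads like a leak when seen on its own. A comment above the function or next to `new_skb = NULL;` would document it, for example `/* on failure return NULL and leave skb owned by the caller */`. The allocation-failure return described in the commit message and the start of the function are outside this hunk.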
+@@ -1854,9 +1853,10 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb)
+ "down - pkt dropped.\n");
+ goto drop;
+ }
+- skb = pad_compress_skb(ppp, skb);
+- if (!skb)
++ new_skb = pad_compress_skb(ppp, skb);
++ if (!new_skb)
+ goto drop;
++ skb = new_skb;
+ }
+
+ /*
+--
+2.50.1
+
--- /dev/null
+From c5f7a20bfc50392ff2b17e87d27341b4e11ecb06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Mar 2022 12:21:25 +0100
+Subject: ptp: Add generic PTP is_sync() function
+
+From: Kurt Kanzenbach <kurt@linutronix.de>
+
+[ Upstream commit f72de02ebece2e962462bc0c1e9efd29eaa029b2 ]
+
+PHY drivers such as micrel or dp83640 need to analyze whether a given
+skb is a PTP sync message for one step functionality.
+
+In order to avoid code duplication introduce a generic function and
+move it to ptp classify.
+
+Signed-off-by: Kurt Kanzenbach <kurt@linutronix.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 9b2bfdbf43ad ("phy: mscc: Stop taking ts_lock for tx_queue and use its own lock")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/ptp_classify.h | 15 +++++++++++++++
+ net/core/ptp_classifier.c | 12 ++++++++++++
+ 2 files changed, 27 insertions(+)
+
+diff --git a/include/linux/ptp_classify.h b/include/linux/ptp_classify.h
+index 7a526b52bd748..c91ede9654f92 100644
+--- a/include/linux/ptp_classify.h
++++ b/include/linux/ptp_classify.h
+@@ -128,6 +128,17 @@ static inline u8 ptp_get_msgtype(const struct ptp_header *hdr,
+ return msgtype;
+ }
+
++/**
++ * ptp_msg_is_sync - Evaluates whether the given skb is a PTP Sync message
++ * @skb: packet buffer
++ * @type: type of the packet (see ptp_classify_raw())
++ *
++ * This function evaluates whether the given skb is a PTP Sync message.
++ *
++ * Return: true if sync message, false otherwise
++ */
++bool ptp_msg_is_sync(struct sk_buff *skb, unsigned int type);
++
+ void __init ptp_classifier_init(void);
+ #else
+ static inline void ptp_classifier_init(void)
+@@ -150,5 +161,9 @@ static inline u8 ptp_get_msgtype(const struct ptp_header *hdr,
+ */
+ return PTP_MSGTYPE_SYNC;
+ }
++static inline bool ptp_msg_is_sync(struct sk_buff *skb, unsigned int type)
++{
++ return false;
++}
+ #endif
+ #endif /* _PTP_CLASSIFY_H_ */
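Review bot: The stub `ptp_msg_is_sync()` for the classifier-disabled build returns `false` with no comment, while the stub directly above it has a comment before its return. A driver that uses the result to decide whether to keep or free a transmit skb will treat every frame as non-Sync in that configuration. A line inside the stub would state this, for example `/* no PTP header can be parsed here, so nothing is reported as Sync */`. The kernel-doc on the real declaration could also mention that the function parses the header itself and returns false when parsing fails, as the implementation in ptp_classifier.c does.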
+diff --git a/net/core/ptp_classifier.c b/net/core/ptp_classifier.c
+index dd4cf01d1e0a2..598041b0499e3 100644
+--- a/net/core/ptp_classifier.c
++++ b/net/core/ptp_classifier.c
+@@ -137,6 +137,18 @@ struct ptp_header *ptp_parse_header(struct sk_buff *skb, unsigned int type)
+ }
+ EXPORT_SYMBOL_GPL(ptp_parse_header);
+
++bool ptp_msg_is_sync(struct sk_buff *skb, unsigned int type)
++{
++ struct ptp_header *hdr;
++
++ hdr = ptp_parse_header(skb, type);
++ if (!hdr)
++ return false;
++
++ return ptp_get_msgtype(hdr, type) == PTP_MSGTYPE_SYNC;
++}
++EXPORT_SYMBOL_GPL(ptp_msg_is_sync);
++
+ void __init ptp_classifier_init(void)
+ {
+ static struct sock_filter ptp_filter[] __initdata = {
+--
+2.50.1
+
fs-writeback-fix-use-after-free-in-__mark_inode_dirt.patch
tee-fix-null-pointer-dereference-in-tee_shm_put.patch
arm64-dts-rockchip-add-vcc-supply-to-spi-flash-on-rk.patch
+wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch
+netfilter-br_netfilter-do-not-check-confirmed-bit-in.patch
+netfilter-conntrack-helper-replace-eexist-by-ebusy.patch
+bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch
+xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch
+misdn-fix-memory-leak-in-dsp_hwec_enable.patch
+icmp-fix-icmp_ndo_send-address-translation-for-reply.patch
+i40e-fix-potential-invalid-access-when-mac-list-is-e.patch
+net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch
+wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch
+wifi-libertas-cap-ssid-len-in-lbs_associate.patch
+net-thunder_bgx-add-a-missing-of_node_put.patch
+net-thunder_bgx-decrement-cleanup-index-before-use.patch
+ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch
+ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch
+net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch
+ppp-fix-memory-leak-in-pad_compress_skb.patch
+ptp-add-generic-ptp-is_sync-function.patch
+net-phy-mscc-fix-memory-leak-when-using-one-step-tim.patch
+phy-mscc-stop-taking-ts_lock-for-tx_queue-and-use-it.patch
--- /dev/null
+From 1cd04db178fd4d910213e5c43211878603e67329 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Aug 2025 16:52:36 +0300
+Subject: wifi: cfg80211: fix use-after-free in cmp_bss()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 26e84445f02ce6b2fe5f3e0e28ff7add77f35e08 ]
+
+Following bss_free() quirk introduced in commit 776b3580178f
+("cfg80211: track hidden SSID networks properly"), adjust
+cfg80211_update_known_bss() to free the last beacon frame
+elements only if they're not shared via the corresponding
+'hidden_beacon_bss' pointer.
+
+Reported-by: syzbot+30754ca335e6fb7e3092@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=30754ca335e6fb7e3092
+Fixes: 3ab8227d3e7d ("cfg80211: refactor cfg80211_bss_update")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Link: https://patch.msgid.link/20250813135236.799384-1-dmantipov@yandex.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/scan.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index d977d7a7675e1..e2b4149e5ff43 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -1768,7 +1768,8 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev,
+ */
+
+ f = rcu_access_pointer(new->pub.beacon_ies);
+- kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head);
++ if (!new->pub.hidden_beacon_bss)
++ kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head);
+ return false;
+ }
+
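Review bot: The new `if (!new->pub.hidden_beacon_bss)` guard has no comment explaining who frees the beacon elements when the pointer is set. The commit message says they are then shared through `hidden_beacon_bss`; the existing comment above `f = rcu_access_pointer(...)` ends outside the hunk, so it may or may not cover this. A line directly above the guard would make it self-explanatory, for example `/* beacon_ies may be shared with hidden_beacon_bss; only free them when they are ours */`. Without it the check looks like an accidental leak on the hidden-SSID path. cfg80211_update_known_bss() begins outside the hunk.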
+--
+2.50.1
+
--- /dev/null
+From 43885afaea51527337489f550f7bf46b356c8cbd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 15:48:28 +0300
+Subject: wifi: cw1200: cap SSID length in cw1200_do_join()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit f8f15f6742b8874e59c9c715d0af3474608310ad ]
+
+If the ssidie[1] length is more that 32 it leads to memory corruption.
+
+Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/e91fb43fcedc4893b604dfb973131661510901a7.1756456951.git.dan.carpenter@linaro.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/st/cw1200/sta.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/st/cw1200/sta.c b/drivers/net/wireless/st/cw1200/sta.c
+index 236022d4ae2a3..0f2d1ec34cd82 100644
+--- a/drivers/net/wireless/st/cw1200/sta.c
++++ b/drivers/net/wireless/st/cw1200/sta.c
+@@ -1289,7 +1289,7 @@ static void cw1200_do_join(struct cw1200_common *priv)
+ rcu_read_lock();
+ ssidie = ieee80211_bss_get_ie(bss, WLAN_EID_SSID);
+ if (ssidie) {
+- join.ssid_len = ssidie[1];
++ join.ssid_len = min(ssidie[1], IEEE80211_MAX_SSID_LEN);
+ memcpy(join.ssid, &ssidie[2], join.ssid_len);
+ }
+ rcu_read_unlock();
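Review bot: `min(ssidie[1], IEEE80211_MAX_SSID_LEN)` mixes what is presumably a `u8` element with an `int` constant. On trees whose `min()` insists on identical operand types this produces a distinct-pointer-types warning. Since this patch is queued for a stable tree, `join.ssid_len = min_t(u8, ssidie[1], IEEE80211_MAX_SSID_LEN);` is the safer spelling. The same expression appears in lbs_associate() in the libertas patch further down. The length byte comes from a received information element, so a comment that the cap keeps the `memcpy()` into `join.ssid` in bounds would also help.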
+--
+2.50.1
+
--- /dev/null
+From 121cf6f53c428b9a974e19e5e86bb5567bb91b12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 15:48:35 +0300
+Subject: wifi: libertas: cap SSID len in lbs_associate()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit c786794bd27b0d7a5fd9063695df83206009be59 ]
+
+If the ssid_eid[1] length is more that 32 it leads to memory corruption.
+
+Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/2a40f5ec7617144aef412034c12919a4927d90ad.1756456951.git.dan.carpenter@linaro.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/libertas/cfg.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c
+index 4e3de684928bf..a659054c1bcd9 100644
+--- a/drivers/net/wireless/marvell/libertas/cfg.c
++++ b/drivers/net/wireless/marvell/libertas/cfg.c
+@@ -1102,10 +1102,13 @@ static int lbs_associate(struct lbs_private *priv,
+ /* add SSID TLV */
+ rcu_read_lock();
+ ssid_eid = ieee80211_bss_get_ie(bss, WLAN_EID_SSID);
+- if (ssid_eid)
+- pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_eid[1]);
+- else
++ if (ssid_eid) {
++ u32 ssid_len = min(ssid_eid[1], IEEE80211_MAX_SSID_LEN);
++
++ pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_len);
++ } else {
+ lbs_deb_assoc("no SSID\n");
++ }
+ rcu_read_unlock();
+
+ /* add DS param TLV */
+--
+2.50.1
+
--- /dev/null
+From 96015fdc2b6e98c45c12be0b3c2b990ece9f385c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 12:26:43 -0700
+Subject: xirc2ps_cs: fix register access when enabling FullDuplex
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit b79e498080b170fd94fc83bca2471f450811549b ]
+
+The current code incorrectly passes (XIRCREG1_ECR | FullDuplex) as
+the register address to GetByte(), instead of fetching the register
+value and OR-ing it with FullDuplex. This results in an invalid
+register access.
+
+Fix it by reading XIRCREG1_ECR first, then or-ing with FullDuplex
+before writing it back.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://patch.msgid.link/20250827192645.658496-1-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/xircom/xirc2ps_cs.c b/drivers/net/ethernet/xircom/xirc2ps_cs.c
+index 10f42b7df8b35..efbd337b8bb8e 100644
+--- a/drivers/net/ethernet/xircom/xirc2ps_cs.c
++++ b/drivers/net/ethernet/xircom/xirc2ps_cs.c
+@@ -1582,7 +1582,7 @@ do_reset(struct net_device *dev, int full)
+ msleep(40); /* wait 40 msec to let it complete */
+ }
+ if (full_duplex)
+- PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR | FullDuplex));
++ PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR) | FullDuplex);
+ } else { /* No MII */
+ SelectPage(0);
+ value = GetByte(XIRCREG_ESR); /* read the ESR */
+--
+2.50.1
+
--- /dev/null
+From 9f23391db0127f2e649b4b05da5d0e32f544ee73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Sep 2025 12:46:42 +0000
+Subject: ax25: properly unshare skbs in ax25_kiss_rcv()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 8156210d36a43e76372312c87eb5ea3dbb405a85 ]
+
+Bernard Pidoux reported a regression apparently caused by commit
+c353e8983e0d ("net: introduce per netns packet chains").
+
+skb->dev becomes NULL and we crash in __netif_receive_skb_core().
+
+Before above commit, different kind of bugs or corruptions could happen
+without a major crash.
+
+But the root cause is that ax25_kiss_rcv() can queue/mangle input skb
+without checking if this skb is shared or not.
+
+Many thanks to Bernard Pidoux for his help, diagnosis and tests.
+
+We had a similar issue years ago fixed with commit 7aaed57c5c28
+("phonet: properly unshare skbs in phonet_rcv()").
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Bernard Pidoux <f6bvp@free.fr>
+Closes: https://lore.kernel.org/netdev/1713f383-c538-4918-bc64-13b3288cd542@free.fr/
+Tested-by: Bernard Pidoux <f6bvp@free.fr>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Joerg Reuter <jreuter@yaina.de>
+Cc: David Ranch <dranch@trinnet.net>
+Cc: Folkert van Heusden <folkert@vanheusden.com>
+Reviewed-by: Dan Cross <crossd@gmail.com>
+Link: https://patch.msgid.link/20250902124642.212705-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ax25/ax25_in.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/ax25/ax25_in.c b/net/ax25/ax25_in.c
+index dcdbaeeb2358a..506a88b2357bf 100644
+--- a/net/ax25/ax25_in.c
++++ b/net/ax25/ax25_in.c
+@@ -433,6 +433,10 @@ static int ax25_rcv(struct sk_buff *skb, struct net_device *dev,
+ int ax25_kiss_rcv(struct sk_buff *skb, struct net_device *dev,
+ struct packet_type *ptype, struct net_device *orig_dev)
+ {
++ skb = skb_share_check(skb, GFP_ATOMIC);
++ if (!skb)
++ return NET_RX_DROP;
++
+ skb_orphan(skb);
+
+ if (!net_eq(dev_net(dev), &init_net)) {
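Review bot: The new `skb_share_check()` call has no comment saying why this receive handler must own the skb. The reason given in the commit message, that the function may queue or modify the buffer further down, lies outside the hunk. A short line above the call would keep the check from being dropped as redundant, for example `/* we queue or modify skb below, so it must not be shared */`. ax25_kiss_rcv() continues past the end of the hunk.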
+--
+2.50.1
+
--- /dev/null
+From 8b77bc5378d526a64cb4287c795944588b545f7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 20:40:14 +0000
+Subject: Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 862c628108562d8c7a516a900034823b381d3cba ]
+
+syzbot reported the splat below without a repro.
+
+In the splat, a single thread calling bt_accept_dequeue() freed sk
+and touched it after that.
+
+The root cause would be the racy l2cap_sock_cleanup_listen() call
+added by the cited commit.
+
+bt_accept_dequeue() is called under lock_sock() except for
+l2cap_sock_release().
+
+Two threads could see the same socket during the list iteration
+in bt_accept_dequeue():
+
+ CPU1 CPU2 (close())
+ ---- ----
+ sock_hold(sk) sock_hold(sk);
+ lock_sock(sk) <-- block close()
+ sock_put(sk)
+ bt_accept_unlink(sk)
+ sock_put(sk) <-- refcnt by bt_accept_enqueue()
+ release_sock(sk)
+ lock_sock(sk)
+ sock_put(sk)
+ bt_accept_unlink(sk)
+ sock_put(sk) <-- last refcnt
+ bt_accept_unlink(sk) <-- UAF
+
+Depending on the timing, the other thread could show up in the
+"Freed by task" part.
+
+Let's call l2cap_sock_cleanup_listen() under lock_sock() in
+l2cap_sock_release().
+
+[0]:
+BUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
+BUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115
+Read of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995
+CPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xcd/0x630 mm/kasan/report.c:482
+ kasan_report+0xe0/0x110 mm/kasan/report.c:595
+ debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
+ do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115
+ spin_lock_bh include/linux/spinlock.h:356 [inline]
+ release_sock+0x21/0x220 net/core/sock.c:3746
+ bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312
+ l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451
+ l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425
+ __sock_release+0xb3/0x270 net/socket.c:649
+ sock_close+0x1c/0x30 net/socket.c:1439
+ __fput+0x3ff/0xb70 fs/file_table.c:468
+ task_work_run+0x14d/0x240 kernel/task_work.c:227
+ resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+ exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
+ exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
+ syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
+ syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
+ do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f2accf8ebe9
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
+RAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9
+RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
+RBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f
+R10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c
+R13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490
+ </TASK>
+
+Allocated by task 5326:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:68
+ poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
+ __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
+ kasan_kmalloc include/linux/kasan.h:260 [inline]
+ __do_kmalloc_node mm/slub.c:4365 [inline]
+ __kmalloc_noprof+0x223/0x510 mm/slub.c:4377
+ kmalloc_noprof include/linux/slab.h:909 [inline]
+ sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2239
+ sk_alloc+0x36/0xc20 net/core/sock.c:2295
+ bt_sock_alloc+0x3b/0x3a0 net/bluetooth/af_bluetooth.c:151
+ l2cap_sock_alloc.constprop.0+0x33/0x1d0 net/bluetooth/l2cap_sock.c:1894
+ l2cap_sock_new_connection_cb+0x101/0x240 net/bluetooth/l2cap_sock.c:1482
+ l2cap_connect_cfm+0x4c4/0xf80 net/bluetooth/l2cap_core.c:7287
+ hci_connect_cfm include/net/bluetooth/hci_core.h:2050 [inline]
+ hci_remote_features_evt+0x4dd/0x970 net/bluetooth/hci_event.c:3712
+ hci_event_func net/bluetooth/hci_event.c:7519 [inline]
+ hci_event_packet+0xa0d/0x11c0 net/bluetooth/hci_event.c:7573
+ hci_rx_work+0x2c5/0x16b0 net/bluetooth/hci_core.c:4071
+ process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
+ process_scheduled_works kernel/workqueue.c:3319 [inline]
+ worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
+ kthread+0x3c2/0x780 kernel/kthread.c:463
+ ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
+
+Freed by task 16995:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:68
+ kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
+ poison_slab_object mm/kasan/common.c:243 [inline]
+ __kasan_slab_free+0x60/0x70 mm/kasan/common.c:275
+ kasan_slab_free include/linux/kasan.h:233 [inline]
+ slab_free_hook mm/slub.c:2417 [inline]
+ slab_free mm/slub.c:4680 [inline]
+ kfree+0x2b4/0x4d0 mm/slub.c:4879
+ sk_prot_free net/core/sock.c:2278 [inline]
+ __sk_destruct+0x75f/0x9a0 net/core/sock.c:2373
+ sk_destruct+0xc2/0xf0 net/core/sock.c:2401
+ __sk_free+0xf4/0x3e0 net/core/sock.c:2412
+ sk_free+0x6a/0x90 net/core/sock.c:2423
+ sock_put include/net/sock.h:1960 [inline]
+ bt_accept_unlink+0x245/0x2e0 net/bluetooth/af_bluetooth.c:262
+ bt_accept_dequeue+0x517/0x600 net/bluetooth/af_bluetooth.c:308
+ l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451
+ l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425
+ __sock_release+0xb3/0x270 net/socket.c:649
+ sock_close+0x1c/0x30 net/socket.c:1439
+ __fput+0x3ff/0xb70 fs/file_table.c:468
+ task_work_run+0x14d/0x240 kernel/task_work.c:227
+ resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+ exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
+ exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
+ syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
+ syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
+ do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 1728137b33c0 ("Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb")
+Reported-by: syzbot+e5e64cdf8e92046dd3e1@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-bluetooth/68af6b9d.a70a0220.3cafd4.0032.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
+index 93df53f2b76e3..dfffc5bb292dd 100644
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1226,7 +1226,10 @@ static int l2cap_sock_release(struct socket *sock)
+ if (!sk)
+ return 0;
+
++ lock_sock_nested(sk, L2CAP_NESTING_PARENT);
+ l2cap_sock_cleanup_listen(sk);
++ release_sock(sk);
++
+ bt_sock_unlink(&l2cap_sk_list, sk);
+
+ err = l2cap_sock_shutdown(sock, 2);
+--
+2.50.1
+
--- /dev/null
+From 562fa2e31fafb2513a3006238ea9dd05bb2d94d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 19:56:31 +0800
+Subject: i40e: Fix potential invalid access when MAC list is empty
+
+From: Zhen Ni <zhen.ni@easystack.cn>
+
+[ Upstream commit a556f06338e1d5a85af0e32ecb46e365547f92b9 ]
+
+list_first_entry() never returns NULL - if the list is empty, it still
+returns a pointer to an invalid object, leading to potential invalid
+memory access when dereferenced.
+
+Fix this by using list_first_entry_or_null instead of list_first_entry.
+
+Fixes: e3219ce6a775 ("i40e: Add support for client interface for IWARP driver")
+Signed-off-by: Zhen Ni <zhen.ni@easystack.cn>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_client.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_client.c b/drivers/net/ethernet/intel/i40e/i40e_client.c
+index 10125b02d1543..b7c3625aec154 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_client.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_client.c
+@@ -320,8 +320,8 @@ static void i40e_client_add_instance(struct i40e_pf *pf)
+ return;
+ }
+
+- mac = list_first_entry(&cdev->lan_info.netdev->dev_addrs.list,
+- struct netdev_hw_addr, list);
++ mac = list_first_entry_or_null(&cdev->lan_info.netdev->dev_addrs.list,
++ struct netdev_hw_addr, list);
+ if (mac)
+ ether_addr_copy(cdev->lan_info.lanmac, mac->addr);
+ else
+--
+2.50.1
+
--- /dev/null
+From 1d26751a90a549fa0059e1d8502de71abf012f64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Aug 2025 11:14:35 +0200
+Subject: icmp: fix icmp_ndo_send address translation for reply direction
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fabian Bläse <fabian@blaese.de>
+
+[ Upstream commit c6dd1aa2cbb72b33e0569f3e71d95792beab5042 ]
+
+The icmp_ndo_send function was originally introduced to ensure proper
+rate limiting when icmp_send is called by a network device driver,
+where the packet's source address may have already been transformed
+by SNAT.
+
+However, the original implementation only considers the
+IP_CT_DIR_ORIGINAL direction for SNAT and always replaced the packet's
+source address with that of the original-direction tuple. This causes
+two problems:
+
+1. For SNAT:
+ Reply-direction packets were incorrectly translated using the source
+ address of the CT original direction, even though no translation is
+ required.
+
+2. For DNAT:
+ Reply-direction packets were not handled at all. In DNAT, the original
+ direction's destination is translated. Therefore, in the reply
+ direction the source address must be set to the reply-direction
+ source, so rate limiting works as intended.
+
+Fix this by using the connection direction to select the correct tuple
+for source address translation, and adjust the pre-checks to handle
+reply-direction packets in case of DNAT.
+
+Additionally, wrap the `ct->status` access in READ_ONCE(). This avoids
+possible KCSAN reports about concurrent updates to `ct->status`.
+
+Fixes: 0b41713b6066 ("icmp: introduce helper for nat'd source address in network device context")
+Signed-off-by: Fabian Bläse <fabian@blaese.de>
+Cc: Jason A. Donenfeld <Jason@zx2c4.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/icmp.c | 6 ++++--
+ net/ipv6/ip6_icmp.c | 6 ++++--
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index ac82a4158b86b..875424c428e66 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -790,11 +790,12 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info)
+ struct sk_buff *cloned_skb = NULL;
+ struct ip_options opts = { 0 };
+ enum ip_conntrack_info ctinfo;
++ enum ip_conntrack_dir dir;
+ struct nf_conn *ct;
+ __be32 orig_ip;
+
+ ct = nf_ct_get(skb_in, &ctinfo);
+- if (!ct || !(ct->status & IPS_SRC_NAT)) {
++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) {
+ __icmp_send(skb_in, type, code, info, &opts);
+ return;
+ }
+@@ -809,7 +810,8 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info)
+ goto out;
+
+ orig_ip = ip_hdr(skb_in)->saddr;
+- ip_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.ip;
++ dir = CTINFO2DIR(ctinfo);
++ ip_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.ip;
+ __icmp_send(skb_in, type, code, info, &opts);
+ ip_hdr(skb_in)->saddr = orig_ip;
+ out:
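Review bot: The direction-dependent rewrite `ip_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.ip;` has no comment, so the reason it is right for both SNAT and DNAT lives only in the commit message. Per that message, this address is what ICMP rate limiting is based on, so an edit that reverts to index 0 would again charge reply-direction errors of a DNAT'd flow to the wrong source. I would add above `dir = CTINFO2DIR(ctinfo);` the comment `/* pick the tuple for the packet's own direction so reply packets get their pre-translation source too */`. The same applies to the matching hunk in `icmpv6_ndo_send()`; both function bodies continue outside the hunks.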
+diff --git a/net/ipv6/ip6_icmp.c b/net/ipv6/ip6_icmp.c
+index 9e3574880cb03..233914b63bdb8 100644
+--- a/net/ipv6/ip6_icmp.c
++++ b/net/ipv6/ip6_icmp.c
+@@ -54,11 +54,12 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info)
+ struct inet6_skb_parm parm = { 0 };
+ struct sk_buff *cloned_skb = NULL;
+ enum ip_conntrack_info ctinfo;
++ enum ip_conntrack_dir dir;
+ struct in6_addr orig_ip;
+ struct nf_conn *ct;
+
+ ct = nf_ct_get(skb_in, &ctinfo);
+- if (!ct || !(ct->status & IPS_SRC_NAT)) {
++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) {
+ __icmpv6_send(skb_in, type, code, info, &parm);
+ return;
+ }
+@@ -73,7 +74,8 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info)
+ goto out;
+
+ orig_ip = ipv6_hdr(skb_in)->saddr;
+- ipv6_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.in6;
++ dir = CTINFO2DIR(ctinfo);
++ ipv6_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.in6;
+ __icmpv6_send(skb_in, type, code, info, &parm);
+ ipv6_hdr(skb_in)->saddr = orig_ip;
+ out:
+--
+2.50.1
+
--- /dev/null
+From 9752d736d95b54eef609e8b0169b2e7758aa373f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Sep 2025 09:36:08 +0300
+Subject: ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit a51160f8da850a65afbf165f5bbac7ffb388bf74 ]
+
+The inetdev_init() function never returns NULL. Check for error
+pointers instead.
+
+Fixes: 22600596b675 ("ipv4: give an IPv4 dev to blackhole_netdev")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/aLaQWL9NguWmeM1i@stanley.mountain
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/devinet.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
+index 6855372d57a34..b4fb75be24d9c 100644
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -332,14 +332,13 @@ static void inetdev_destroy(struct in_device *in_dev)
+
+ static int __init inet_blackhole_dev_init(void)
+ {
+- int err = 0;
++ struct in_device *in_dev;
+
+ rtnl_lock();
+- if (!inetdev_init(blackhole_netdev))
+- err = -ENOMEM;
++ in_dev = inetdev_init(blackhole_netdev);
+ rtnl_unlock();
+
+- return err;
++ return PTR_ERR_OR_ZERO(in_dev);
+ }
+ late_initcall(inet_blackhole_dev_init);
+
+--
+2.50.1
+
--- /dev/null
+From f08221a3baf69001e42a9f32037a689c73f03e3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Aug 2025 16:14:57 +0800
+Subject: mISDN: Fix memory leak in dsp_hwec_enable()
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 0704a3da7ce50f972e898bbda88d2692a22922d9 ]
+
+dsp_hwec_enable() allocates dup pointer by kstrdup(arg),
+but then it updates dup variable by strsep(&dup, ",").
+As a result when it calls kfree(dup), the dup variable may be
+a modified pointer that no longer points to the original allocated
+memory, causing a memory leak.
+
+The issue is the same pattern as fixed in commit c6a502c22999
+("mISDN: Fix memory leak in dsp_pipeline_build()").
+
+Fixes: 9a4381618262 ("mISDN: Remove VLAs")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250828081457.36061-1-linmq006@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/mISDN/dsp_hwec.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/isdn/mISDN/dsp_hwec.c b/drivers/isdn/mISDN/dsp_hwec.c
+index 0b3f29195330a..0cd216e28f009 100644
+--- a/drivers/isdn/mISDN/dsp_hwec.c
++++ b/drivers/isdn/mISDN/dsp_hwec.c
+@@ -51,14 +51,14 @@ void dsp_hwec_enable(struct dsp *dsp, const char *arg)
+ goto _do;
+
+ {
+- char *dup, *tok, *name, *val;
++ char *dup, *next, *tok, *name, *val;
+ int tmp;
+
+- dup = kstrdup(arg, GFP_ATOMIC);
++ dup = next = kstrdup(arg, GFP_ATOMIC);
+ if (!dup)
+ return;
+
+- while ((tok = strsep(&dup, ","))) {
++ while ((tok = strsep(&next, ","))) {
+ if (!strlen(tok))
+ continue;
+ name = strsep(&tok, "=");
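Review bot: The chained assignment `dup = next = kstrdup(arg, GFP_ATOMIC);` is a form kernel coding style discourages, and it hides which of the two pointers owns the allocation. I would write `dup = kstrdup(arg, GFP_ATOMIC);`, then `next = dup;` after the NULL check, with the comment `/* strsep() advances next; dup stays at the allocation for kfree() */`. The `kfree(dup)` this relies on and the rest of the parsing loop are outside the hunk.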
+--
+2.50.1
+
--- /dev/null
+From 513e9bb448bbe38960f092674eea214c6100db47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Sep 2025 14:35:37 +0800
+Subject: net: atm: fix memory leak in atm_register_sysfs when device_register
+ fail
+
+From: Wang Liang <wangliang74@huawei.com>
+
+[ Upstream commit 0a228624bcc00af41f281a2a84c928595a74c17d ]
+
+When device_register() return error in atm_register_sysfs(), which can be
+triggered by kzalloc fail in device_private_init() or other reasons,
+kmemleak reports the following memory leaks:
+
+unreferenced object 0xffff88810182fb80 (size 8):
+ comm "insmod", pid 504, jiffies 4294852464
+ hex dump (first 8 bytes):
+ 61 64 75 6d 6d 79 30 00 adummy0.
+ backtrace (crc 14dfadaf):
+ __kmalloc_node_track_caller_noprof+0x335/0x450
+ kvasprintf+0xb3/0x130
+ kobject_set_name_vargs+0x45/0x120
+ dev_set_name+0xa9/0xe0
+ atm_register_sysfs+0xf3/0x220
+ atm_dev_register+0x40b/0x780
+ 0xffffffffa000b089
+ do_one_initcall+0x89/0x300
+ do_init_module+0x27b/0x7d0
+ load_module+0x54cd/0x5ff0
+ init_module_from_file+0xe4/0x150
+ idempotent_init_module+0x32c/0x610
+ __x64_sys_finit_module+0xbd/0x120
+ do_syscall_64+0xa8/0x270
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+When device_create_file() return error in atm_register_sysfs(), the same
+issue also can be triggered.
+
+Function put_device() should be called to release kobj->name memory and
+other device resource, instead of kfree().
+
+Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
+Signed-off-by: Wang Liang <wangliang74@huawei.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250901063537.1472221-1-wangliang74@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/atm/resources.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/atm/resources.c b/net/atm/resources.c
+index e244c2576d1e0..a00799254e2d6 100644
+--- a/net/atm/resources.c
++++ b/net/atm/resources.c
+@@ -114,7 +114,9 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent,
+
+ if (atm_proc_dev_register(dev) < 0) {
+ pr_err("atm_proc_dev_register failed for dev %s\n", type);
+- goto out_fail;
++ mutex_unlock(&atm_dev_mutex);
++ kfree(dev);
++ return NULL;
+ }
+
+ if (atm_register_sysfs(dev, parent) < 0) {
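Review bot: The new failure branch for `atm_proc_dev_register()` open-codes `mutex_unlock(&atm_dev_mutex); kfree(dev); return NULL;`, which gives the function a second unlock site beside the one presumably reached through `out`. A separate label ahead of `out_fail` (for example `out_free:` doing `kfree(dev); dev = NULL; goto out;`) would keep a single exit path. It would also make the rule visible: plain `kfree()` is only correct before `atm_register_sysfs()` has set up `class_dev`, and `put_device()` is required afterwards. At `out_fail` in the second hunk, a comment such as `/* class_dev is initialised here; put_device() also releases the kobject name */` would record why `kfree()` must not come back. The `out` label and the device release callback are outside the hunks.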
+@@ -130,7 +132,7 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent,
+ return dev;
+
+ out_fail:
+- kfree(dev);
++ put_device(&dev->class_dev);
+ dev = NULL;
+ goto out;
+ }
+--
+2.50.1
+
--- /dev/null
+From ae669bb27c600400bee9ff5f6c98549ad70d7366 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Aug 2025 20:20:07 +0200
+Subject: net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit d4736737110ffa83d29f1c5d17b26113864205f6 ]
+
+When sending llc packets with vlan tx offload, the hardware fails to
+actually add the tag. Deal with this by fixing it up in software.
+
+Fixes: 656e705243fd ("net-next: mediatek: add support for MT7623 ethernet")
+Reported-by: Thibaut VARENE <hacks@slashdirt.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250831182007.51619-1-nbd@nbd.name
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index 7b9f5eba78dcc..6ab4c84bc22ef 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -1173,6 +1173,13 @@ static int mtk_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ bool gso = false;
+ int tx_num;
+
++ if (skb_vlan_tag_present(skb) &&
++ !eth_proto_is_802_3(eth_hdr(skb)->h_proto)) {
++ skb = __vlan_hwaccel_push_inside(skb);
++ if (!skb)
++ goto dropped;
++ }
++
+ /* normally we can rely on the stack not calling this more than once,
+ * however we have 2 queues running on the same ring so we need to lock
+ * the ring access
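Review bot: The software VLAN fallback is added without a comment, and the `dropped:` label in the second hunk only makes sense if `__vlan_hwaccel_push_inside()` has already freed the skb when it returns NULL. I would put `/* HW VLAN insertion does not tag LLC frames; push the tag in software */` above the `if (skb_vlan_tag_present(skb) &&` test and `/* skb already freed by the failed tag push */` at `dropped:`, so the free and the label are not reordered later. `stats` must already be initialised when the early `goto dropped` runs; its declaration is outside the hunk, so that is worth confirming.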
+@@ -1218,8 +1225,9 @@ static int mtk_start_xmit(struct sk_buff *skb, struct net_device *dev)
+
+ drop:
+ spin_unlock(ð->page_lock);
+- stats->tx_dropped++;
+ dev_kfree_skb_any(skb);
++dropped:
++ stats->tx_dropped++;
+ return NETDEV_TX_OK;
+ }
+
+--
+2.50.1
+
--- /dev/null
+From 56b1cdac0364e30c03f927bbec0ebe96e0197d88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Sep 2025 14:30:18 -0700
+Subject: net: thunder_bgx: add a missing of_node_put
+
+From: Rosen Penev <rosenp@gmail.com>
+
+[ Upstream commit 9d28f94912589f04ab51fbccaef287d4f40e0d1f ]
+
+phy_np needs to get freed, just like the other child nodes.
+
+Fixes: 5fc7cf179449 ("net: thunderx: Cleanup PHY probing code.")
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250901213018.47392-1-rosenp@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/cavium/thunder/thunder_bgx.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+index 8854025610e64..e3acbdbc80993 100644
+--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+@@ -1497,13 +1497,17 @@ static int bgx_init_of_phy(struct bgx *bgx)
+ * this cortina phy, for which there is no driver
+ * support, ignore it.
+ */
+- if (phy_np &&
+- !of_device_is_compatible(phy_np, "cortina,cs4223-slice")) {
+- /* Wait until the phy drivers are available */
+- pd = of_phy_find_device(phy_np);
+- if (!pd)
+- goto defer;
+- bgx->lmac[lmac].phydev = pd;
++ if (phy_np) {
++ if (!of_device_is_compatible(phy_np, "cortina,cs4223-slice")) {
++ /* Wait until the phy drivers are available */
++ pd = of_phy_find_device(phy_np);
++ if (!pd) {
++ of_node_put(phy_np);
++ goto defer;
++ }
++ bgx->lmac[lmac].phydev = pd;
++ }
++ of_node_put(phy_np);
+ }
+
+ lmac++;
+--
+2.50.1
+
--- /dev/null
+From 9f58a02d8c8943a28107da393f9d5b31a31fd018 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Sep 2025 14:33:14 -0700
+Subject: net: thunder_bgx: decrement cleanup index before use
+
+From: Rosen Penev <rosenp@gmail.com>
+
+[ Upstream commit 9e3d71a92e561ccc77025689dab25d201fee7a3e ]
+
+All paths in probe that call goto defer do so before assigning phydev
+and thus it makes sense to cleanup the prior index. It also fixes a bug
+where index 0 does not get cleaned up.
+
+Fixes: b7d3e3d3d21a ("net: thunderx: Don't leak phy device references on -EPROBE_DEFER condition.")
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250901213314.48599-1-rosenp@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+index e3acbdbc80993..8f4f831237cd2 100644
+--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+@@ -1523,11 +1523,11 @@ static int bgx_init_of_phy(struct bgx *bgx)
+ * for phy devices we may have already found.
+ */
+ while (lmac) {
++ lmac--;
+ if (bgx->lmac[lmac].phydev) {
+ put_device(&bgx->lmac[lmac].phydev->mdio.dev);
+ bgx->lmac[lmac].phydev = NULL;
+ }
+- lmac--;
+ }
+ of_node_put(node);
+ return -EPROBE_DEFER;
+--
+2.50.1
+
--- /dev/null
+From ffb66390c04d7f2cf1ab36f7c22b1202099af629 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 13:22:20 +0200
+Subject: netfilter: conntrack: helper: Replace -EEXIST by -EBUSY
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit 54416fd76770bd04fc3c501810e8d673550bab26 ]
+
+The helper registration return value is passed-through by module_init
+callbacks which modprobe confuses with the harmless -EEXIST returned
+when trying to load an already loaded module.
+
+Make sure modprobe fails so users notice their helper has not been
+registered and won't work.
+
+Suggested-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_helper.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
+index 32cc91f5ba99f..89174c91053ed 100644
+--- a/net/netfilter/nf_conntrack_helper.c
++++ b/net/netfilter/nf_conntrack_helper.c
+@@ -417,7 +417,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
+ (cur->tuple.src.l3num == NFPROTO_UNSPEC ||
+ cur->tuple.src.l3num == me->tuple.src.l3num) &&
+ cur->tuple.dst.protonum == me->tuple.dst.protonum) {
+- ret = -EEXIST;
++ ret = -EBUSY;
+ goto out;
+ }
+ }
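Review bot: The switch to `-EBUSY` is unexplained in the code, and `-EEXIST` is the natural errno for a duplicate registration, so a later cleanup could easily change it back. I would add at this assignment, and at the second hunk's `ret = -EBUSY;`, the comment `/* not -EEXIST: modprobe treats that as "already loaded" and reports success */`. Any caller that compares the return value with `-EEXIST` would also need checking; none is visible in this patch, and `nf_conntrack_helper_register()` continues outside both hunks.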
+@@ -428,7 +428,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
+ hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) {
+ if (nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple,
+ &mask)) {
+- ret = -EEXIST;
++ ret = -EBUSY;
+ goto out;
+ }
+ }
+--
+2.50.1
+
--- /dev/null
+From cd803beaa7d3c89f55214acd4105ec09383aafbb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Sep 2025 18:07:26 +0800
+Subject: ppp: fix memory leak in pad_compress_skb
+
+From: Qingfang Deng <dqfext@gmail.com>
+
+[ Upstream commit 4844123fe0b853a4982c02666cb3fd863d701d50 ]
+
+If alloc_skb() fails in pad_compress_skb(), it returns NULL without
+releasing the old skb. The caller does:
+
+ skb = pad_compress_skb(ppp, skb);
+ if (!skb)
+ goto drop;
+
+drop:
+ kfree_skb(skb);
+
+When pad_compress_skb() returns NULL, the reference to the old skb is
+lost and kfree_skb(skb) ends up doing nothing, leading to a memory leak.
+
+Align pad_compress_skb() semantics with realloc(): only free the old
+skb if allocation and compression succeed. At the call site, use the
+new_skb variable so the original skb is not lost when pad_compress_skb()
+fails.
+
+Fixes: b3f9b92a6ec1 ("[PPP]: add PPP MPPE encryption module")
+Signed-off-by: Qingfang Deng <dqfext@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
+Link: https://patch.msgid.link/20250903100726.269839-1-dqfext@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ppp/ppp_generic.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
+index 7b9337e16d6e1..dd7c84e4b4986 100644
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -1528,7 +1528,6 @@ pad_compress_skb(struct ppp *ppp, struct sk_buff *skb)
+ */
+ if (net_ratelimit())
+ netdev_err(ppp->dev, "ppp: compressor dropped pkt\n");
+- kfree_skb(skb);
+ consume_skb(new_skb);
+ new_skb = NULL;
+ }
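Review bot: With `kfree_skb(skb)` removed, `pad_compress_skb()` no longer consumes its input on failure, but nothing in the visible code documents the new ownership rule. A short header comment should state that the caller keeps ownership of `skb` when NULL is returned, and that the old skb is released only when allocation and compression succeed. That protects the call site in `ppp_send_frame()` (second hunk) and any later caller from reintroducing the leak or a double free. The start of the function and its other return paths are outside this hunk, so confirm the allocation-failure path follows the same rule.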
+@@ -1630,9 +1629,10 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb)
+ "down - pkt dropped.\n");
+ goto drop;
+ }
+- skb = pad_compress_skb(ppp, skb);
+- if (!skb)
++ new_skb = pad_compress_skb(ppp, skb);
++ if (!new_skb)
+ goto drop;
++ skb = new_skb;
+ }
+
+ /*
+--
+2.50.1
+
powerpc-boot-remove-leading-zero-in-label-in-udelay.patch
+wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch
+netfilter-conntrack-helper-replace-eexist-by-ebusy.patch
+bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch
+xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch
+misdn-fix-memory-leak-in-dsp_hwec_enable.patch
+icmp-fix-icmp_ndo_send-address-translation-for-reply.patch
+i40e-fix-potential-invalid-access-when-mac-list-is-e.patch
+net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch
+wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch
+wifi-libertas-cap-ssid-len-in-lbs_associate.patch
+net-thunder_bgx-add-a-missing-of_node_put.patch
+net-thunder_bgx-decrement-cleanup-index-before-use.patch
+ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch
+ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch
+net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch
+ppp-fix-memory-leak-in-pad_compress_skb.patch
--- /dev/null
+From 878c4ec6a0ef6d1913198595c6d495160758a974 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Aug 2025 16:52:36 +0300
+Subject: wifi: cfg80211: fix use-after-free in cmp_bss()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 26e84445f02ce6b2fe5f3e0e28ff7add77f35e08 ]
+
+Following bss_free() quirk introduced in commit 776b3580178f
+("cfg80211: track hidden SSID networks properly"), adjust
+cfg80211_update_known_bss() to free the last beacon frame
+elements only if they're not shared via the corresponding
+'hidden_beacon_bss' pointer.
+
+Reported-by: syzbot+30754ca335e6fb7e3092@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=30754ca335e6fb7e3092
+Fixes: 3ab8227d3e7d ("cfg80211: refactor cfg80211_bss_update")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Link: https://patch.msgid.link/20250813135236.799384-1-dmantipov@yandex.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/scan.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index 18398968b3ed7..33e6f41035506 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -1219,7 +1219,8 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev,
+ */
+
+ f = rcu_access_pointer(new->pub.beacon_ies);
+- kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head);
++ if (!new->pub.hidden_beacon_bss)
++ kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head);
+ return false;
+ }
+
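Review bot: The new `if (!new->pub.hidden_beacon_bss)` guard has no comment at the point where it matters. Per the commit message, the beacon elements can be shared through `hidden_beacon_bss` and `bss_free()` follows the same rule. A line such as `/* beacon_ies may be shared via hidden_beacon_bss and is then not ours to free, see bss_free() */` above the test would keep the two sites in step. The block comment that ends at the top of this hunk and the rest of `cfg80211_update_known_bss()` are outside the hunk.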
+--
+2.50.1
+
--- /dev/null
+From 4fa62ab288955803897881d318fb911fd91f218b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 15:48:28 +0300
+Subject: wifi: cw1200: cap SSID length in cw1200_do_join()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit f8f15f6742b8874e59c9c715d0af3474608310ad ]
+
+If the ssidie[1] length is more that 32 it leads to memory corruption.
+
+Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/e91fb43fcedc4893b604dfb973131661510901a7.1756456951.git.dan.carpenter@linaro.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/st/cw1200/sta.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/st/cw1200/sta.c b/drivers/net/wireless/st/cw1200/sta.c
+index 236022d4ae2a3..0f2d1ec34cd82 100644
+--- a/drivers/net/wireless/st/cw1200/sta.c
++++ b/drivers/net/wireless/st/cw1200/sta.c
+@@ -1289,7 +1289,7 @@ static void cw1200_do_join(struct cw1200_common *priv)
+ rcu_read_lock();
+ ssidie = ieee80211_bss_get_ie(bss, WLAN_EID_SSID);
+ if (ssidie) {
+- join.ssid_len = ssidie[1];
++ join.ssid_len = min(ssidie[1], IEEE80211_MAX_SSID_LEN);
+ memcpy(join.ssid, &ssidie[2], join.ssid_len);
+ }
+ rcu_read_unlock();
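Review bot: The clamp bounds the `memcpy()` into `join.ssid`, but an SSID element longer than `IEEE80211_MAX_SSID_LEN` is malformed and the join still goes ahead with a truncated name. `ssidie[1]` comes from the BSS information elements, presumably taken from a received frame, so I would add `/* length byte is peer-supplied; never trust it beyond IEEE80211_MAX_SSID_LEN */`. If the rest of `cw1200_do_join()` (outside the hunk) has a bail-out path, the over-long case is better treated as an error. `min()` mixes a `u8` with an integer constant here; on trees with the stricter type check in `min()` this may need `min_t()`, so confirm it builds on each stable branch it is queued for.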
+--
+2.50.1
+
--- /dev/null
+From 51d401e5acdaabfb658d8099ec164b4b73a74d58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 15:48:35 +0300
+Subject: wifi: libertas: cap SSID len in lbs_associate()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit c786794bd27b0d7a5fd9063695df83206009be59 ]
+
+If the ssid_eid[1] length is more that 32 it leads to memory corruption.
+
+Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/2a40f5ec7617144aef412034c12919a4927d90ad.1756456951.git.dan.carpenter@linaro.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/libertas/cfg.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c
+index 4e3de684928bf..a659054c1bcd9 100644
+--- a/drivers/net/wireless/marvell/libertas/cfg.c
++++ b/drivers/net/wireless/marvell/libertas/cfg.c
+@@ -1102,10 +1102,13 @@ static int lbs_associate(struct lbs_private *priv,
+ /* add SSID TLV */
+ rcu_read_lock();
+ ssid_eid = ieee80211_bss_get_ie(bss, WLAN_EID_SSID);
+- if (ssid_eid)
+- pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_eid[1]);
+- else
++ if (ssid_eid) {
++ u32 ssid_len = min(ssid_eid[1], IEEE80211_MAX_SSID_LEN);
++
++ pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_len);
++ } else {
+ lbs_deb_assoc("no SSID\n");
++ }
+ rcu_read_unlock();
+
+ /* add DS param TLV */
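Review bot: The `Fixes:` tag of this patch names a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets"), the same tag as the cw1200 patch, and it looks copied. For a libertas change that tag influences which stable branches receive the bound check, so it should be checked against the commit that introduced the SSID TLV code in `lbs_associate()`. In the hunk itself `ssid_eid[1]` is clamped silently; a comment such as `/* length comes from the BSS IEs; clamp before building the TLV */` would record why. `lbs_add_ssid_tlv()` and the buffer `pos` points into are outside the hunk, so the size the clamp protects cannot be verified here.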
+--
+2.50.1
+
--- /dev/null
+From 65bb29d5c12b441c7025aec427892d61dea36eea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 12:26:43 -0700
+Subject: xirc2ps_cs: fix register access when enabling FullDuplex
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit b79e498080b170fd94fc83bca2471f450811549b ]
+
+The current code incorrectly passes (XIRCREG1_ECR | FullDuplex) as
+the register address to GetByte(), instead of fetching the register
+value and OR-ing it with FullDuplex. This results in an invalid
+register access.
+
+Fix it by reading XIRCREG1_ECR first, then or-ing with FullDuplex
+before writing it back.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://patch.msgid.link/20250827192645.658496-1-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/xircom/xirc2ps_cs.c b/drivers/net/ethernet/xircom/xirc2ps_cs.c
+index e3438cef5f9c6..4d8a1728e8ed6 100644
+--- a/drivers/net/ethernet/xircom/xirc2ps_cs.c
++++ b/drivers/net/ethernet/xircom/xirc2ps_cs.c
+@@ -1584,7 +1584,7 @@ do_reset(struct net_device *dev, int full)
+ msleep(40); /* wait 40 msec to let it complete */
+ }
+ if (full_duplex)
+- PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR | FullDuplex));
++ PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR) | FullDuplex);
+ } else { /* No MII */
+ SelectPage(0);
+ value = GetByte(XIRCREG_ESR); /* read the ESR */
+--
+2.50.1
+
--- /dev/null
+From 801f6e3aaab8dc49168a1035ca67426fb07e9283 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Sep 2025 12:46:42 +0000
+Subject: ax25: properly unshare skbs in ax25_kiss_rcv()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 8156210d36a43e76372312c87eb5ea3dbb405a85 ]
+
+Bernard Pidoux reported a regression apparently caused by commit
+c353e8983e0d ("net: introduce per netns packet chains").
+
+skb->dev becomes NULL and we crash in __netif_receive_skb_core().
+
+Before above commit, different kind of bugs or corruptions could happen
+without a major crash.
+
+But the root cause is that ax25_kiss_rcv() can queue/mangle input skb
+without checking if this skb is shared or not.
+
+Many thanks to Bernard Pidoux for his help, diagnosis and tests.
+
+We had a similar issue years ago fixed with commit 7aaed57c5c28
+("phonet: properly unshare skbs in phonet_rcv()").
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Bernard Pidoux <f6bvp@free.fr>
+Closes: https://lore.kernel.org/netdev/1713f383-c538-4918-bc64-13b3288cd542@free.fr/
+Tested-by: Bernard Pidoux <f6bvp@free.fr>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Joerg Reuter <jreuter@yaina.de>
+Cc: David Ranch <dranch@trinnet.net>
+Cc: Folkert van Heusden <folkert@vanheusden.com>
+Reviewed-by: Dan Cross <crossd@gmail.com>
+Link: https://patch.msgid.link/20250902124642.212705-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ax25/ax25_in.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/ax25/ax25_in.c b/net/ax25/ax25_in.c
+index 1cac25aca6378..f2d66af863595 100644
+--- a/net/ax25/ax25_in.c
++++ b/net/ax25/ax25_in.c
+@@ -433,6 +433,10 @@ static int ax25_rcv(struct sk_buff *skb, struct net_device *dev,
+ int ax25_kiss_rcv(struct sk_buff *skb, struct net_device *dev,
+ struct packet_type *ptype, struct net_device *orig_dev)
+ {
++ skb = skb_share_check(skb, GFP_ATOMIC);
++ if (!skb)
++ return NET_RX_DROP;
++
+ skb_orphan(skb);
+
+ if (!net_eq(dev_net(dev), &init_net)) {
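Review bot: The early `return NET_RX_DROP` after `skb_share_check()` reads like a leak to anyone who does not know that helper's contract, so the new lines deserve a comment. Something like `/* skb may be shared with other packet handlers; take a private copy before orphaning/queueing it (skb_share_check() frees the original on failure) */` above the call records both why the unshare is needed and why no kfree_skb() precedes the return. The rest of ax25_kiss_rcv() is outside the hunk.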
+--
+2.50.1
+
--- /dev/null
+From ec60ae32db29173fc2a53a6121124b4cd4816dfe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 20:40:14 +0000
+Subject: Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 862c628108562d8c7a516a900034823b381d3cba ]
+
+syzbot reported the splat below without a repro.
+
+In the splat, a single thread calling bt_accept_dequeue() freed sk
+and touched it after that.
+
+The root cause would be the racy l2cap_sock_cleanup_listen() call
+added by the cited commit.
+
+bt_accept_dequeue() is called under lock_sock() except for
+l2cap_sock_release().
+
+Two threads could see the same socket during the list iteration
+in bt_accept_dequeue():
+
+ CPU1 CPU2 (close())
+ ---- ----
+ sock_hold(sk) sock_hold(sk);
+ lock_sock(sk) <-- block close()
+ sock_put(sk)
+ bt_accept_unlink(sk)
+ sock_put(sk) <-- refcnt by bt_accept_enqueue()
+ release_sock(sk)
+ lock_sock(sk)
+ sock_put(sk)
+ bt_accept_unlink(sk)
+ sock_put(sk) <-- last refcnt
+ bt_accept_unlink(sk) <-- UAF
+
+Depending on the timing, the other thread could show up in the
+"Freed by task" part.
+
+Let's call l2cap_sock_cleanup_listen() under lock_sock() in
+l2cap_sock_release().
+
+[0]:
+BUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
+BUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115
+Read of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995
+CPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xcd/0x630 mm/kasan/report.c:482
+ kasan_report+0xe0/0x110 mm/kasan/report.c:595
+ debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
+ do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115
+ spin_lock_bh include/linux/spinlock.h:356 [inline]
+ release_sock+0x21/0x220 net/core/sock.c:3746
+ bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312
+ l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451
+ l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425
+ __sock_release+0xb3/0x270 net/socket.c:649
+ sock_close+0x1c/0x30 net/socket.c:1439
+ __fput+0x3ff/0xb70 fs/file_table.c:468
+ task_work_run+0x14d/0x240 kernel/task_work.c:227
+ resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+ exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
+ exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
+ syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
+ syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
+ do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f2accf8ebe9
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
+RAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9
+RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
+RBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f
+R10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c
+R13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490
+ </TASK>
+
+Allocated by task 5326:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:68
+ poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
+ __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
+ kasan_kmalloc include/linux/kasan.h:260 [inline]
+ __do_kmalloc_node mm/slub.c:4365 [inline]
+ __kmalloc_noprof+0x223/0x510 mm/slub.c:4377
+ kmalloc_noprof include/linux/slab.h:909 [inline]
+ sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2239
+ sk_alloc+0x36/0xc20 net/core/sock.c:2295
+ bt_sock_alloc+0x3b/0x3a0 net/bluetooth/af_bluetooth.c:151
+ l2cap_sock_alloc.constprop.0+0x33/0x1d0 net/bluetooth/l2cap_sock.c:1894
+ l2cap_sock_new_connection_cb+0x101/0x240 net/bluetooth/l2cap_sock.c:1482
+ l2cap_connect_cfm+0x4c4/0xf80 net/bluetooth/l2cap_core.c:7287
+ hci_connect_cfm include/net/bluetooth/hci_core.h:2050 [inline]
+ hci_remote_features_evt+0x4dd/0x970 net/bluetooth/hci_event.c:3712
+ hci_event_func net/bluetooth/hci_event.c:7519 [inline]
+ hci_event_packet+0xa0d/0x11c0 net/bluetooth/hci_event.c:7573
+ hci_rx_work+0x2c5/0x16b0 net/bluetooth/hci_core.c:4071
+ process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
+ process_scheduled_works kernel/workqueue.c:3319 [inline]
+ worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
+ kthread+0x3c2/0x780 kernel/kthread.c:463
+ ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
+
+Freed by task 16995:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:68
+ kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
+ poison_slab_object mm/kasan/common.c:243 [inline]
+ __kasan_slab_free+0x60/0x70 mm/kasan/common.c:275
+ kasan_slab_free include/linux/kasan.h:233 [inline]
+ slab_free_hook mm/slub.c:2417 [inline]
+ slab_free mm/slub.c:4680 [inline]
+ kfree+0x2b4/0x4d0 mm/slub.c:4879
+ sk_prot_free net/core/sock.c:2278 [inline]
+ __sk_destruct+0x75f/0x9a0 net/core/sock.c:2373
+ sk_destruct+0xc2/0xf0 net/core/sock.c:2401
+ __sk_free+0xf4/0x3e0 net/core/sock.c:2412
+ sk_free+0x6a/0x90 net/core/sock.c:2423
+ sock_put include/net/sock.h:1960 [inline]
+ bt_accept_unlink+0x245/0x2e0 net/bluetooth/af_bluetooth.c:262
+ bt_accept_dequeue+0x517/0x600 net/bluetooth/af_bluetooth.c:308
+ l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451
+ l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425
+ __sock_release+0xb3/0x270 net/socket.c:649
+ sock_close+0x1c/0x30 net/socket.c:1439
+ __fput+0x3ff/0xb70 fs/file_table.c:468
+ task_work_run+0x14d/0x240 kernel/task_work.c:227
+ resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+ exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
+ exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
+ syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
+ syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
+ do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 1728137b33c0 ("Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb")
+Reported-by: syzbot+e5e64cdf8e92046dd3e1@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-bluetooth/68af6b9d.a70a0220.3cafd4.0032.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
+index c89277848ca83..7b822445f8ce4 100644
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1442,7 +1442,10 @@ static int l2cap_sock_release(struct socket *sock)
+ if (!sk)
+ return 0;
+
++ lock_sock_nested(sk, L2CAP_NESTING_PARENT);
+ l2cap_sock_cleanup_listen(sk);
++ release_sock(sk);
++
+ bt_sock_unlink(&l2cap_sk_list, sk);
+
+ err = l2cap_sock_shutdown(sock, SHUT_RDWR);
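Review bot: The lock taken around `l2cap_sock_cleanup_listen(sk)` is released again before `bt_sock_unlink()` and `l2cap_sock_shutdown()`, so the fix depends on nothing being added to this socket's accept queue in that gap. Whether that holds is not visible in this hunk and is worth confirming against the enqueue path. The choice of `lock_sock_nested(sk, L2CAP_NESTING_PARENT)` over plain `lock_sock()` is also unexplained; a comment such as `/* parent lock: bt_accept_dequeue() locks each child underneath */` would record the lockdep reasoning, assuming that is the intent. l2cap_sock_release() begins and ends outside the hunk.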
+--
+2.50.1
+
--- /dev/null
+From a51c6e6ee075b0221fcb8e50e787dfc304373d95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 19:56:31 +0800
+Subject: i40e: Fix potential invalid access when MAC list is empty
+
+From: Zhen Ni <zhen.ni@easystack.cn>
+
+[ Upstream commit a556f06338e1d5a85af0e32ecb46e365547f92b9 ]
+
+list_first_entry() never returns NULL - if the list is empty, it still
+returns a pointer to an invalid object, leading to potential invalid
+memory access when dereferenced.
+
+Fix this by using list_first_entry_or_null instead of list_first_entry.
+
+Fixes: e3219ce6a775 ("i40e: Add support for client interface for IWARP driver")
+Signed-off-by: Zhen Ni <zhen.ni@easystack.cn>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_client.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_client.c b/drivers/net/ethernet/intel/i40e/i40e_client.c
+index a289f1bb3dbfc..86fd82412e9e4 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_client.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_client.c
+@@ -362,8 +362,8 @@ static void i40e_client_add_instance(struct i40e_pf *pf)
+ if (i40e_client_get_params(vsi, &cdev->lan_info.params))
+ goto free_cdev;
+
+- mac = list_first_entry(&cdev->lan_info.netdev->dev_addrs.list,
+- struct netdev_hw_addr, list);
++ mac = list_first_entry_or_null(&cdev->lan_info.netdev->dev_addrs.list,
++ struct netdev_hw_addr, list);
+ if (mac)
+ ether_addr_copy(cdev->lan_info.lanmac, mac->addr);
+ else
+--
+2.50.1
+
--- /dev/null
+From e00cfef79a666e4624e9e0cf9fb1a888be84729b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Aug 2025 11:14:35 +0200
+Subject: icmp: fix icmp_ndo_send address translation for reply direction
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fabian Bläse <fabian@blaese.de>
+
+[ Upstream commit c6dd1aa2cbb72b33e0569f3e71d95792beab5042 ]
+
+The icmp_ndo_send function was originally introduced to ensure proper
+rate limiting when icmp_send is called by a network device driver,
+where the packet's source address may have already been transformed
+by SNAT.
+
+However, the original implementation only considers the
+IP_CT_DIR_ORIGINAL direction for SNAT and always replaced the packet's
+source address with that of the original-direction tuple. This causes
+two problems:
+
+1. For SNAT:
+ Reply-direction packets were incorrectly translated using the source
+ address of the CT original direction, even though no translation is
+ required.
+
+2. For DNAT:
+ Reply-direction packets were not handled at all. In DNAT, the original
+ direction's destination is translated. Therefore, in the reply
+ direction the source address must be set to the reply-direction
+ source, so rate limiting works as intended.
+
+Fix this by using the connection direction to select the correct tuple
+for source address translation, and adjust the pre-checks to handle
+reply-direction packets in case of DNAT.
+
+Additionally, wrap the `ct->status` access in READ_ONCE(). This avoids
+possible KCSAN reports about concurrent updates to `ct->status`.
+
+Fixes: 0b41713b6066 ("icmp: introduce helper for nat'd source address in network device context")
+Signed-off-by: Fabian Bläse <fabian@blaese.de>
+Cc: Jason A. Donenfeld <Jason@zx2c4.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/icmp.c | 6 ++++--
+ net/ipv6/ip6_icmp.c | 6 ++++--
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index 94501bb30c431..b17549c4e5de8 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -801,11 +801,12 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info)
+ struct sk_buff *cloned_skb = NULL;
+ struct ip_options opts = { 0 };
+ enum ip_conntrack_info ctinfo;
++ enum ip_conntrack_dir dir;
+ struct nf_conn *ct;
+ __be32 orig_ip;
+
+ ct = nf_ct_get(skb_in, &ctinfo);
+- if (!ct || !(ct->status & IPS_SRC_NAT)) {
++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) {
+ __icmp_send(skb_in, type, code, info, &opts);
+ return;
+ }
+@@ -820,7 +821,8 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info)
+ goto out;
+
+ orig_ip = ip_hdr(skb_in)->saddr;
+- ip_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.ip;
++ dir = CTINFO2DIR(ctinfo);
++ ip_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.ip;
+ __icmp_send(skb_in, type, code, info, &opts);
+ ip_hdr(skb_in)->saddr = orig_ip;
+ out:
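Review bot: Indexing `ct->tuplehash[dir]` carries no explanation of why the source of the packet's own direction is the right address to substitute before calling `__icmp_send()`. A comment above the assignment, e.g. `/* use the source of this packet's direction tuple so rate limiting sees the address before NAT rewrote it */`, would capture what the commit message says. The same applies to the matching assignment in icmpv6_ndo_send() in net/ipv6/ip6_icmp.c. The widened `IPS_NAT_MASK` pre-check in the earlier hunk also appears to send DNAT-only original-direction packets through the rewrite path, where the substitution looks like a no-op; if that is intended, saying so near the check would help. Both functions extend beyond the hunks shown.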
+diff --git a/net/ipv6/ip6_icmp.c b/net/ipv6/ip6_icmp.c
+index 9e3574880cb03..233914b63bdb8 100644
+--- a/net/ipv6/ip6_icmp.c
++++ b/net/ipv6/ip6_icmp.c
+@@ -54,11 +54,12 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info)
+ struct inet6_skb_parm parm = { 0 };
+ struct sk_buff *cloned_skb = NULL;
+ enum ip_conntrack_info ctinfo;
++ enum ip_conntrack_dir dir;
+ struct in6_addr orig_ip;
+ struct nf_conn *ct;
+
+ ct = nf_ct_get(skb_in, &ctinfo);
+- if (!ct || !(ct->status & IPS_SRC_NAT)) {
++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) {
+ __icmpv6_send(skb_in, type, code, info, &parm);
+ return;
+ }
+@@ -73,7 +74,8 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info)
+ goto out;
+
+ orig_ip = ipv6_hdr(skb_in)->saddr;
+- ipv6_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.in6;
++ dir = CTINFO2DIR(ctinfo);
++ ipv6_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.in6;
+ __icmpv6_send(skb_in, type, code, info, &parm);
+ ipv6_hdr(skb_in)->saddr = orig_ip;
+ out:
+--
+2.50.1
+
--- /dev/null
+From f7f7a0cec8e5d4f533721fb6377b7a4c1bb3daa2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Sep 2025 09:36:08 +0300
+Subject: ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit a51160f8da850a65afbf165f5bbac7ffb388bf74 ]
+
+The inetdev_init() function never returns NULL. Check for error
+pointers instead.
+
+Fixes: 22600596b675 ("ipv4: give an IPv4 dev to blackhole_netdev")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/aLaQWL9NguWmeM1i@stanley.mountain
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/devinet.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
+index 1738cc2bfc7f0..fee0a0b83d27b 100644
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -335,14 +335,13 @@ static void inetdev_destroy(struct in_device *in_dev)
+
+ static int __init inet_blackhole_dev_init(void)
+ {
+- int err = 0;
++ struct in_device *in_dev;
+
+ rtnl_lock();
+- if (!inetdev_init(blackhole_netdev))
+- err = -ENOMEM;
++ in_dev = inetdev_init(blackhole_netdev);
+ rtnl_unlock();
+
+- return err;
++ return PTR_ERR_OR_ZERO(in_dev);
+ }
+ late_initcall(inet_blackhole_dev_init);
+
+--
+2.50.1
+
--- /dev/null
+From 5b9911483acac7fd87f23b41add36cfcf9355560 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Sep 2025 03:20:55 -0700
+Subject: mctp: return -ENOPROTOOPT for unknown getsockopt options
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit a125c8fb9ddbcb0602103a50727a476fd30dec01 ]
+
+In mctp_getsockopt(), unrecognized options currently return -EINVAL.
+In contrast, mctp_setsockopt() returns -ENOPROTOOPT for unknown
+options.
+
+Update mctp_getsockopt() to also return -ENOPROTOOPT for unknown
+options. This aligns the behavior of getsockopt() and setsockopt(),
+and matches the standard kernel socket API convention for handling
+unsupported options.
+
+Fixes: 99ce45d5e7db ("mctp: Implement extended addressing")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://patch.msgid.link/20250902102059.1370008-1-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mctp/af_mctp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mctp/af_mctp.c b/net/mctp/af_mctp.c
+index 0f49b41570f56..8f241c92e03d8 100644
+--- a/net/mctp/af_mctp.c
++++ b/net/mctp/af_mctp.c
+@@ -346,7 +346,7 @@ static int mctp_getsockopt(struct socket *sock, int level, int optname,
+ return 0;
+ }
+
+- return -EINVAL;
++ return -ENOPROTOOPT;
+ }
+
+ static int mctp_ioctl_alloctag(struct mctp_sock *msk, unsigned long arg)
+--
+2.50.1
+
--- /dev/null
+From ef1a6e4909338a25f3b28f536350d98e60ebe9b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Aug 2025 16:14:57 +0800
+Subject: mISDN: Fix memory leak in dsp_hwec_enable()
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 0704a3da7ce50f972e898bbda88d2692a22922d9 ]
+
+dsp_hwec_enable() allocates dup pointer by kstrdup(arg),
+but then it updates dup variable by strsep(&dup, ",").
+As a result when it calls kfree(dup), the dup variable may be
+a modified pointer that no longer points to the original allocated
+memory, causing a memory leak.
+
+The issue is the same pattern as fixed in commit c6a502c22999
+("mISDN: Fix memory leak in dsp_pipeline_build()").
+
+Fixes: 9a4381618262 ("mISDN: Remove VLAs")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250828081457.36061-1-linmq006@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/mISDN/dsp_hwec.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/isdn/mISDN/dsp_hwec.c b/drivers/isdn/mISDN/dsp_hwec.c
+index 0b3f29195330a..0cd216e28f009 100644
+--- a/drivers/isdn/mISDN/dsp_hwec.c
++++ b/drivers/isdn/mISDN/dsp_hwec.c
+@@ -51,14 +51,14 @@ void dsp_hwec_enable(struct dsp *dsp, const char *arg)
+ goto _do;
+
+ {
+- char *dup, *tok, *name, *val;
++ char *dup, *next, *tok, *name, *val;
+ int tmp;
+
+- dup = kstrdup(arg, GFP_ATOMIC);
++ dup = next = kstrdup(arg, GFP_ATOMIC);
+ if (!dup)
+ return;
+
+- while ((tok = strsep(&dup, ","))) {
++ while ((tok = strsep(&next, ","))) {
+ if (!strlen(tok))
+ continue;
+ name = strsep(&tok, "=");
+--
+2.50.1
+
--- /dev/null
+From 3e2dec88667e6e099db5c9fdd3c9c3b7a0a7f09e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Sep 2025 14:35:37 +0800
+Subject: net: atm: fix memory leak in atm_register_sysfs when device_register
+ fail
+
+From: Wang Liang <wangliang74@huawei.com>
+
+[ Upstream commit 0a228624bcc00af41f281a2a84c928595a74c17d ]
+
+When device_register() return error in atm_register_sysfs(), which can be
+triggered by kzalloc fail in device_private_init() or other reasons,
+kmemleak reports the following memory leaks:
+
+unreferenced object 0xffff88810182fb80 (size 8):
+ comm "insmod", pid 504, jiffies 4294852464
+ hex dump (first 8 bytes):
+ 61 64 75 6d 6d 79 30 00 adummy0.
+ backtrace (crc 14dfadaf):
+ __kmalloc_node_track_caller_noprof+0x335/0x450
+ kvasprintf+0xb3/0x130
+ kobject_set_name_vargs+0x45/0x120
+ dev_set_name+0xa9/0xe0
+ atm_register_sysfs+0xf3/0x220
+ atm_dev_register+0x40b/0x780
+ 0xffffffffa000b089
+ do_one_initcall+0x89/0x300
+ do_init_module+0x27b/0x7d0
+ load_module+0x54cd/0x5ff0
+ init_module_from_file+0xe4/0x150
+ idempotent_init_module+0x32c/0x610
+ __x64_sys_finit_module+0xbd/0x120
+ do_syscall_64+0xa8/0x270
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+When device_create_file() return error in atm_register_sysfs(), the same
+issue also can be triggered.
+
+Function put_device() should be called to release kobj->name memory and
+other device resource, instead of kfree().
+
+Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
+Signed-off-by: Wang Liang <wangliang74@huawei.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250901063537.1472221-1-wangliang74@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/atm/resources.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/atm/resources.c b/net/atm/resources.c
+index b19d851e1f443..7c6fdedbcf4e5 100644
+--- a/net/atm/resources.c
++++ b/net/atm/resources.c
+@@ -112,7 +112,9 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent,
+
+ if (atm_proc_dev_register(dev) < 0) {
+ pr_err("atm_proc_dev_register failed for dev %s\n", type);
+- goto out_fail;
++ mutex_unlock(&atm_dev_mutex);
++ kfree(dev);
++ return NULL;
+ }
+
+ if (atm_register_sysfs(dev, parent) < 0) {
+@@ -128,7 +130,7 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent,
+ return dev;
+
+ out_fail:
+- kfree(dev);
++ put_device(&dev->class_dev);
+ dev = NULL;
+ goto out;
+ }
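Review bot: After this change `out_fail` calls `put_device(&dev->class_dev)`, which is only valid once the embedded device has been initialised, yet the label gives no hint of that precondition. The first hunk correctly stops using the label for the atm_proc_dev_register() failure, but a future error path added before atm_register_sysfs() could jump here and drop a reference on an uninitialised kobject. A comment on the label, e.g. `/* only reachable after atm_register_sysfs() initialised class_dev; the final put releases dev */`, would guard against that. The release behaviour is not visible here and should be confirmed. atm_dev_register() starts outside both hunks.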
+--
+2.50.1
+
--- /dev/null
+From a65235bd95101e7427c7024a8c8b263bfae58bbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Aug 2025 20:20:07 +0200
+Subject: net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit d4736737110ffa83d29f1c5d17b26113864205f6 ]
+
+When sending llc packets with vlan tx offload, the hardware fails to
+actually add the tag. Deal with this by fixing it up in software.
+
+Fixes: 656e705243fd ("net-next: mediatek: add support for MT7623 ethernet")
+Reported-by: Thibaut VARENE <hacks@slashdirt.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250831182007.51619-1-nbd@nbd.name
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index fecf3dd22dfaa..3f2f725ccceb3 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -1375,6 +1375,13 @@ static netdev_tx_t mtk_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ bool gso = false;
+ int tx_num;
+
++ if (skb_vlan_tag_present(skb) &&
++ !eth_proto_is_802_3(eth_hdr(skb)->h_proto)) {
++ skb = __vlan_hwaccel_push_inside(skb);
++ if (!skb)
++ goto dropped;
++ }
++
+ /* normally we can rely on the stack not calling this more than once,
+ * however we have 2 queues running on the same ring so we need to lock
+ * the ring access
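Review bot: The new software fallback has no comment, so the reason for special-casing frames whose `h_proto` is not an 802.3 EtherType lives only in the commit message. A line such as `/* hardware VLAN insertion does not tag LLC frames; insert the tag in software */` above the `if` would explain the quirk. It would also help to note at the `dropped:` label in the later hunk that the skb is already gone on that path (presumably freed by `__vlan_hwaccel_push_inside()` when it returns NULL), since that is why the label sits after `dev_kfree_skb_any()`. mtk_start_xmit() continues outside both hunks.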
+@@ -1420,8 +1427,9 @@ static netdev_tx_t mtk_start_xmit(struct sk_buff *skb, struct net_device *dev)
+
+ drop:
+ spin_unlock(ð->page_lock);
+- stats->tx_dropped++;
+ dev_kfree_skb_any(skb);
++dropped:
++ stats->tx_dropped++;
+ return NETDEV_TX_OK;
+ }
+
+--
+2.50.1
+
--- /dev/null
+From 38b3aa7ae24866fa7b98a99563e3882eb14f7696 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 10:35:21 -0400
+Subject: net: macb: Fix tx_ptr_lock locking
+
+From: Sean Anderson <sean.anderson@linux.dev>
+
+[ Upstream commit 6bc8a5098bf4a365c4086a4a4130bfab10a58260 ]
+
+macb_start_xmit and macb_tx_poll can be called with bottom-halves
+disabled (e.g. from softirq) as well as with interrupts disabled (with
+netpoll). Because of this, all other functions taking tx_ptr_lock must
+use spin_lock_irqsave.
+
+Fixes: 138badbc21a0 ("net: macb: use NAPI for TX completion path")
+Reported-by: Mike Galbraith <efault@gmx.de>
+Signed-off-by: Sean Anderson <sean.anderson@linux.dev>
+Link: https://patch.msgid.link/20250829143521.1686062-1-sean.anderson@linux.dev
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 28 ++++++++++++++----------
+ 1 file changed, 16 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index 495a1cb0bc183..1ea7c86f75013 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -1174,11 +1174,12 @@ static int macb_tx_complete(struct macb_queue *queue, int budget)
+ {
+ struct macb *bp = queue->bp;
+ u16 queue_index = queue - bp->queues;
++ unsigned long flags;
+ unsigned int tail;
+ unsigned int head;
+ int packets = 0;
+
+- spin_lock(&queue->tx_ptr_lock);
++ spin_lock_irqsave(&queue->tx_ptr_lock, flags);
+ head = queue->tx_head;
+ for (tail = queue->tx_tail; tail != head && packets < budget; tail++) {
+ struct macb_tx_skb *tx_skb;
+@@ -1241,7 +1242,7 @@ static int macb_tx_complete(struct macb_queue *queue, int budget)
+ CIRC_CNT(queue->tx_head, queue->tx_tail,
+ bp->tx_ring_size) <= MACB_TX_WAKEUP_THRESH(bp))
+ netif_wake_subqueue(bp->dev, queue_index);
+- spin_unlock(&queue->tx_ptr_lock);
++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags);
+
+ return packets;
+ }
+@@ -1657,8 +1658,9 @@ static void macb_tx_restart(struct macb_queue *queue)
+ {
+ struct macb *bp = queue->bp;
+ unsigned int head_idx, tbqp;
++ unsigned long flags;
+
+- spin_lock(&queue->tx_ptr_lock);
++ spin_lock_irqsave(&queue->tx_ptr_lock, flags);
+
+ if (queue->tx_head == queue->tx_tail)
+ goto out_tx_ptr_unlock;
+@@ -1670,19 +1672,20 @@ static void macb_tx_restart(struct macb_queue *queue)
+ if (tbqp == head_idx)
+ goto out_tx_ptr_unlock;
+
+- spin_lock_irq(&bp->lock);
++ spin_lock(&bp->lock);
+ macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(TSTART));
+- spin_unlock_irq(&bp->lock);
++ spin_unlock(&bp->lock);
+
+ out_tx_ptr_unlock:
+- spin_unlock(&queue->tx_ptr_lock);
++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags);
+ }
+
+ static bool macb_tx_complete_pending(struct macb_queue *queue)
+ {
+ bool retval = false;
++ unsigned long flags;
+
+- spin_lock(&queue->tx_ptr_lock);
++ spin_lock_irqsave(&queue->tx_ptr_lock, flags);
+ if (queue->tx_head != queue->tx_tail) {
+ /* Make hw descriptor updates visible to CPU */
+ rmb();
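Review bot: The inner `spin_lock(&bp->lock)` in macb_tx_restart() is now correct only because the enclosing `spin_lock_irqsave(&queue->tx_ptr_lock, flags)` has already disabled interrupts, and nothing at the call site says so. A comment such as `/* IRQs already off under tx_ptr_lock; lock order is tx_ptr_lock -> bp->lock */` would stop a later change from relaxing the outer lock and leaving bp->lock exposed to interrupt context. The same pairing appears in the macb_start_xmit() hunk at `@@ -2334,15 +2338,15 @@`. Whether any other path takes these two locks in the opposite order cannot be judged from the hunks shown.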
+@@ -1690,7 +1693,7 @@ static bool macb_tx_complete_pending(struct macb_queue *queue)
+ if (macb_tx_desc(queue, queue->tx_tail)->ctrl & MACB_BIT(TX_USED))
+ retval = true;
+ }
+- spin_unlock(&queue->tx_ptr_lock);
++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags);
+ return retval;
+ }
+
+@@ -2258,6 +2261,7 @@ static netdev_tx_t macb_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ struct macb_queue *queue = &bp->queues[queue_index];
+ unsigned int desc_cnt, nr_frags, frag_size, f;
+ unsigned int hdrlen;
++ unsigned long flags;
+ bool is_lso;
+ netdev_tx_t ret = NETDEV_TX_OK;
+
+@@ -2312,7 +2316,7 @@ static netdev_tx_t macb_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ desc_cnt += DIV_ROUND_UP(frag_size, bp->max_tx_length);
+ }
+
+- spin_lock_bh(&queue->tx_ptr_lock);
++ spin_lock_irqsave(&queue->tx_ptr_lock, flags);
+
+ /* This is a hard error, log it. */
+ if (CIRC_SPACE(queue->tx_head, queue->tx_tail,
+@@ -2334,15 +2338,15 @@ static netdev_tx_t macb_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ wmb();
+ skb_tx_timestamp(skb);
+
+- spin_lock_irq(&bp->lock);
++ spin_lock(&bp->lock);
+ macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(TSTART));
+- spin_unlock_irq(&bp->lock);
++ spin_unlock(&bp->lock);
+
+ if (CIRC_SPACE(queue->tx_head, queue->tx_tail, bp->tx_ring_size) < 1)
+ netif_stop_subqueue(dev, queue_index);
+
+ unlock:
+- spin_unlock_bh(&queue->tx_ptr_lock);
++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags);
+
+ return ret;
+ }
+--
+2.50.1
+
--- /dev/null
+From 9ad4e9578198feb81fd2ffd7f700af7180af8ade Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Aug 2025 20:41:17 +0800
+Subject: net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync()
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit ba1e9421cf1a8369d25c3832439702a015d6b5f9 ]
+
+BUG: kernel NULL pointer dereference, address: 00000000000002ec
+PGD 0 P4D 0
+Oops: Oops: 0000 [#1] SMP PTI
+CPU: 28 UID: 0 PID: 343 Comm: kworker/28:1 Kdump: loaded Tainted: G OE 6.17.0-rc2+ #9 NONE
+Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
+Workqueue: smc_hs_wq smc_listen_work [smc]
+RIP: 0010:smc_ib_is_sg_need_sync+0x9e/0xd0 [smc]
+...
+Call Trace:
+ <TASK>
+ smcr_buf_map_link+0x211/0x2a0 [smc]
+ __smc_buf_create+0x522/0x970 [smc]
+ smc_buf_create+0x3a/0x110 [smc]
+ smc_find_rdma_v2_device_serv+0x18f/0x240 [smc]
+ ? smc_vlan_by_tcpsk+0x7e/0xe0 [smc]
+ smc_listen_find_device+0x1dd/0x2b0 [smc]
+ smc_listen_work+0x30f/0x580 [smc]
+ process_one_work+0x18c/0x340
+ worker_thread+0x242/0x360
+ kthread+0xe7/0x220
+ ret_from_fork+0x13a/0x160
+ ret_from_fork_asm+0x1a/0x30
+ </TASK>
+
+If the software RoCE device is used, ibdev->dma_device is a null pointer.
+As a result, the problem occurs. Null pointer detection is added to
+prevent problems.
+
+Fixes: 0ef69e788411c ("net/smc: optimize for smc_sndbuf_sync_sg_for_device and smc_rmb_sync_sg_for_cpu")
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Reviewed-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Reviewed-by: D. Wythe <alibuda@linux.alibaba.com>
+Link: https://patch.msgid.link/20250828124117.2622624-1-liujian56@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/smc_ib.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/smc/smc_ib.c b/net/smc/smc_ib.c
+index 6de53431629ca..8e41034d8d96f 100644
+--- a/net/smc/smc_ib.c
++++ b/net/smc/smc_ib.c
+@@ -743,6 +743,9 @@ bool smc_ib_is_sg_need_sync(struct smc_link *lnk,
+ unsigned int i;
+ bool ret = false;
+
++ if (!lnk->smcibdev->ibdev->dma_device)
++ return ret;
++
+ /* for now there is just one DMA address */
+ for_each_sg(buf_slot->sgt[lnk->link_idx].sgl, sg,
+ buf_slot->sgt[lnk->link_idx].nents, i) {
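Review bot: The new early return in smc_ib_is_sg_need_sync() carries no comment saying when `dma_device` is NULL or why returning `false` is correct in that case. The commit message attributes it to software RoCE devices, so a line above the check such as `/* soft RoCE: no dma_device, report that no sync is needed */` would keep that reasoning with the code. The check also dereferences `lnk->smcibdev` and `->ibdev` without testing them; that is presumably safe for a link that reached buffer mapping, but it cannot be confirmed from this hunk. The function body starts and ends outside the hunk.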
+--
+2.50.1
+
--- /dev/null
+From e1ac89889d2a4c4d586809a61746825c5d570b68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Sep 2025 10:20:41 +0200
+Subject: net/smc: Remove validation of reserved bits in CLC Decline message
+
+From: Mahanta Jambigi <mjambigi@linux.ibm.com>
+
+[ Upstream commit cc282f73bc0cbdf3ee7af2f2d3a2ef4e6b19242d ]
+
+Currently SMC code is validating the reserved bits while parsing the incoming
+CLC decline message & when this validation fails, its treated as a protocol
+error. As a result, the SMC connection is terminated instead of falling back to
+TCP. As per RFC7609[1] specs we shouldn't be validating the reserved bits that
+is part of CLC message. This patch fixes this issue.
+
+CLC Decline message format can be viewed here[2].
+
+[1] https://datatracker.ietf.org/doc/html/rfc7609#page-92
+[2] https://datatracker.ietf.org/doc/html/rfc7609#page-105
+
+Fixes: 8ade200c269f ("net/smc: add v2 format of CLC decline message")
+Signed-off-by: Mahanta Jambigi <mjambigi@linux.ibm.com>
+Reviewed-by: Sidraya Jayagond <sidraya@linux.ibm.com>
+Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
+Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
+Link: https://patch.msgid.link/20250902082041.98996-1-mjambigi@linux.ibm.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/smc_clc.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c
+index a48fdc83fe6b2..6ed77f02ceac0 100644
+--- a/net/smc/smc_clc.c
++++ b/net/smc/smc_clc.c
+@@ -422,8 +422,6 @@ smc_clc_msg_decl_valid(struct smc_clc_msg_decline *dclc)
+ {
+ struct smc_clc_msg_hdr *hdr = &dclc->hdr;
+
+- if (hdr->typev1 != SMC_TYPE_R && hdr->typev1 != SMC_TYPE_D)
+- return false;
+ if (hdr->version == SMC_V1) {
+ if (ntohs(hdr->length) != sizeof(struct smc_clc_msg_decline))
+ return false;
+--
+2.50.1
+
--- /dev/null
+From 9eb36004c62705d00a2fdd4887e317a127e6cade Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Sep 2025 14:30:18 -0700
+Subject: net: thunder_bgx: add a missing of_node_put
+
+From: Rosen Penev <rosenp@gmail.com>
+
+[ Upstream commit 9d28f94912589f04ab51fbccaef287d4f40e0d1f ]
+
+phy_np needs to get freed, just like the other child nodes.
+
+Fixes: 5fc7cf179449 ("net: thunderx: Cleanup PHY probing code.")
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250901213018.47392-1-rosenp@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/cavium/thunder/thunder_bgx.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+index 8c955eefc7e4f..d054c519cd617 100644
+--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+@@ -1492,13 +1492,17 @@ static int bgx_init_of_phy(struct bgx *bgx)
+ * this cortina phy, for which there is no driver
+ * support, ignore it.
+ */
+- if (phy_np &&
+- !of_device_is_compatible(phy_np, "cortina,cs4223-slice")) {
+- /* Wait until the phy drivers are available */
+- pd = of_phy_find_device(phy_np);
+- if (!pd)
+- goto defer;
+- bgx->lmac[lmac].phydev = pd;
++ if (phy_np) {
++ if (!of_device_is_compatible(phy_np, "cortina,cs4223-slice")) {
++ /* Wait until the phy drivers are available */
++ pd = of_phy_find_device(phy_np);
++ if (!pd) {
++ of_node_put(phy_np);
++ goto defer;
++ }
++ bgx->lmac[lmac].phydev = pd;
++ }
++ of_node_put(phy_np);
+ }
+
+ lmac++;
+--
+2.50.1
+
--- /dev/null
+From 561e16016f20486b840c15fbd3d263e4a9b6e359 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Sep 2025 14:33:14 -0700
+Subject: net: thunder_bgx: decrement cleanup index before use
+
+From: Rosen Penev <rosenp@gmail.com>
+
+[ Upstream commit 9e3d71a92e561ccc77025689dab25d201fee7a3e ]
+
+All paths in probe that call goto defer do so before assigning phydev
+and thus it makes sense to cleanup the prior index. It also fixes a bug
+where index 0 does not get cleaned up.
+
+Fixes: b7d3e3d3d21a ("net: thunderx: Don't leak phy device references on -EPROBE_DEFER condition.")
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250901213314.48599-1-rosenp@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+index d054c519cd617..bb70afae10c4c 100644
+--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+@@ -1518,11 +1518,11 @@ static int bgx_init_of_phy(struct bgx *bgx)
+ * for phy devices we may have already found.
+ */
+ while (lmac) {
++ lmac--;
+ if (bgx->lmac[lmac].phydev) {
+ put_device(&bgx->lmac[lmac].phydev->mdio.dev);
+ bgx->lmac[lmac].phydev = NULL;
+ }
+- lmac--;
+ }
+ of_node_put(node);
+ return -EPROBE_DEFER;
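Review bot: The cleanup loop now depends on an invariant that is stated only in the commit message: the entry at `lmac` when `goto defer` is taken has no phydev assigned yet, so only the indices below it need releasing. A comment above the loop, for example `/* lmac is the entry that deferred; drop phydev references for [0, lmac) */`, would record that for the next person who adds a `goto defer` after the phydev assignment. bgx_init_of_phy() starts outside the hunk, so the defer paths themselves are not visible here.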
+--
+2.50.1
+
--- /dev/null
+From 70d134e48ba6756854dfcc4148fc82b8cae90d0d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 11:52:19 +0800
+Subject: netfilter: br_netfilter: do not check confirmed bit in
+ br_nf_local_in() after confirm
+
+From: Wang Liang <wangliang74@huawei.com>
+
+[ Upstream commit 479a54ab92087318514c82428a87af2d7af1a576 ]
+
+When send a broadcast packet to a tap device, which was added to a bridge,
+br_nf_local_in() is called to confirm the conntrack. If another conntrack
+with the same hash value is added to the hash table, which can be
+triggered by a normal packet to a non-bridge device, the below warning
+may happen.
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200
+ CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary)
+ RIP: 0010:br_nf_local_in+0x168/0x200
+ Call Trace:
+ <TASK>
+ nf_hook_slow+0x3e/0xf0
+ br_pass_frame_up+0x103/0x180
+ br_handle_frame_finish+0x2de/0x5b0
+ br_nf_hook_thresh+0xc0/0x120
+ br_nf_pre_routing_finish+0x168/0x3a0
+ br_nf_pre_routing+0x237/0x5e0
+ br_handle_frame+0x1ec/0x3c0
+ __netif_receive_skb_core+0x225/0x1210
+ __netif_receive_skb_one_core+0x37/0xa0
+ netif_receive_skb+0x36/0x160
+ tun_get_user+0xa54/0x10c0
+ tun_chr_write_iter+0x65/0xb0
+ vfs_write+0x305/0x410
+ ksys_write+0x60/0xd0
+ do_syscall_64+0xa4/0x260
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+ ---[ end trace 0000000000000000 ]---
+
+To solve the hash conflict, nf_ct_resolve_clash() try to merge the
+conntracks, and update skb->_nfct. However, br_nf_local_in() still use the
+old ct from local variable 'nfct' after confirm(), which leads to this
+warning.
+
+If confirm() does not insert the conntrack entry and return NF_DROP, the
+warning may also occur. There is no need to reserve the WARN_ON_ONCE, just
+remove it.
+
+Link: https://lore.kernel.org/netdev/20250820043329.2902014-1-wangliang74@huawei.com/
+Fixes: 62e7151ae3eb ("netfilter: bridge: confirm multicast packets before passing them up the stack")
+Suggested-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Wang Liang <wangliang74@huawei.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_netfilter_hooks.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
+index b4d661fe7886d..c4765691e7815 100644
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -648,9 +648,6 @@ static unsigned int br_nf_local_in(void *priv,
+ break;
+ }
+
+- ct = container_of(nfct, struct nf_conn, ct_general);
+- WARN_ON_ONCE(!nf_ct_is_confirmed(ct));
+-
+ return ret;
+ }
+ #endif
+--
+2.50.1
+
--- /dev/null
+From da4ba42b65fe61e37f7dd2599ac3029b5ca958ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 13:22:20 +0200
+Subject: netfilter: conntrack: helper: Replace -EEXIST by -EBUSY
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit 54416fd76770bd04fc3c501810e8d673550bab26 ]
+
+The helper registration return value is passed-through by module_init
+callbacks which modprobe confuses with the harmless -EEXIST returned
+when trying to load an already loaded module.
+
+Make sure modprobe fails so users notice their helper has not been
+registered and won't work.
+
+Suggested-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_helper.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
+index bf09a1e062481..5545016c107db 100644
+--- a/net/netfilter/nf_conntrack_helper.c
++++ b/net/netfilter/nf_conntrack_helper.c
+@@ -371,7 +371,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
+ (cur->tuple.src.l3num == NFPROTO_UNSPEC ||
+ cur->tuple.src.l3num == me->tuple.src.l3num) &&
+ cur->tuple.dst.protonum == me->tuple.dst.protonum) {
+- ret = -EEXIST;
++ ret = -EBUSY;
+ goto out;
+ }
+ }
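Review bot: Neither `ret = -EBUSY;` site has a comment explaining why the more conventional -EEXIST is avoided, so a later cleanup could quietly switch it back. A line such as `/* not -EEXIST: modprobe treats that from module_init as "already loaded" */` at this assignment and at the one in the next hunk would preserve the reason. The return value presumably also reaches callers other than module_init (the Fixes tag refers to the user-space helper infrastructure), so any caller or tool that matches on -EEXIST should be checked; none is visible here. The function body extends beyond both hunks.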
+@@ -382,7 +382,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
+ hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) {
+ if (nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple,
+ &mask)) {
+- ret = -EEXIST;
++ ret = -EBUSY;
+ goto out;
+ }
+ }
+--
+2.50.1
+
--- /dev/null
+From 81caf4679237a0cb2e70dde9177a92b3126458d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Sep 2025 14:12:59 +0200
+Subject: phy: mscc: Stop taking ts_lock for tx_queue and use its own lock
+
+From: Horatiu Vultur <horatiu.vultur@microchip.com>
+
+[ Upstream commit 9b2bfdbf43adb9929c5ddcdd96efedbf1c88cf53 ]
+
+When transmitting a PTP frame which is timestamp using 2 step, the
+following warning appears if CONFIG_PROVE_LOCKING is enabled:
+=============================
+[ BUG: Invalid wait context ]
+6.17.0-rc1-00326-ge6160462704e #427 Not tainted
+-----------------------------
+ptp4l/119 is trying to lock:
+c2a44ed4 (&vsc8531->ts_lock){+.+.}-{3:3}, at: vsc85xx_txtstamp+0x50/0xac
+other info that might help us debug this:
+context-{4:4}
+4 locks held by ptp4l/119:
+ #0: c145f068 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x58/0x1440
+ #1: c29df974 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_queue_xmit+0x5c4/0x1440
+ #2: c2aaaad0 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0x108/0x350
+ #3: c2aac170 (&lan966x->tx_lock){+.-.}-{2:2}, at: lan966x_port_xmit+0xd0/0x350
+stack backtrace:
+CPU: 0 UID: 0 PID: 119 Comm: ptp4l Not tainted 6.17.0-rc1-00326-ge6160462704e #427 NONE
+Hardware name: Generic DT based system
+Call trace:
+ unwind_backtrace from show_stack+0x10/0x14
+ show_stack from dump_stack_lvl+0x7c/0xac
+ dump_stack_lvl from __lock_acquire+0x8e8/0x29dc
+ __lock_acquire from lock_acquire+0x108/0x38c
+ lock_acquire from __mutex_lock+0xb0/0xe78
+ __mutex_lock from mutex_lock_nested+0x1c/0x24
+ mutex_lock_nested from vsc85xx_txtstamp+0x50/0xac
+ vsc85xx_txtstamp from lan966x_fdma_xmit+0xd8/0x3a8
+ lan966x_fdma_xmit from lan966x_port_xmit+0x1bc/0x350
+ lan966x_port_xmit from dev_hard_start_xmit+0xc8/0x2c0
+ dev_hard_start_xmit from sch_direct_xmit+0x8c/0x350
+ sch_direct_xmit from __dev_queue_xmit+0x680/0x1440
+ __dev_queue_xmit from packet_sendmsg+0xfa4/0x1568
+ packet_sendmsg from __sys_sendto+0x110/0x19c
+ __sys_sendto from sys_send+0x18/0x20
+ sys_send from ret_fast_syscall+0x0/0x1c
+Exception stack(0xf0b05fa8 to 0xf0b05ff0)
+5fa0: 00000001 0000000e 0000000e 0004b47a 0000003a 00000000
+5fc0: 00000001 0000000e 00000000 00000121 0004af58 00044874 00000000 00000000
+5fe0: 00000001 bee9d420 00025a10 b6e75c7c
+
+So, instead of using the ts_lock for tx_queue, use the spinlock that
+skb_buff_head has.
+
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Fixes: 7d272e63e0979d ("net: phy: mscc: timestamping and PHC support")
+Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
+Link: https://patch.msgid.link/20250902121259.3257536-1-horatiu.vultur@microchip.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/mscc/mscc_ptp.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c
+index 1f6237705b44b..939a8a17595ef 100644
+--- a/drivers/net/phy/mscc/mscc_ptp.c
++++ b/drivers/net/phy/mscc/mscc_ptp.c
+@@ -455,12 +455,12 @@ static void vsc85xx_dequeue_skb(struct vsc85xx_ptp *ptp)
+ *p++ = (reg >> 24) & 0xff;
+ }
+
+- len = skb_queue_len(&ptp->tx_queue);
++ len = skb_queue_len_lockless(&ptp->tx_queue);
+ if (len < 1)
+ return;
+
+ while (len--) {
+- skb = __skb_dequeue(&ptp->tx_queue);
++ skb = skb_dequeue(&ptp->tx_queue);
+ if (!skb)
+ return;
+
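Review bot: The length snapshot from `skb_queue_len_lockless()` is what bounds this loop now that each dequeue and re-queue takes the queue lock on its own, and the code does not say so. A comment before the loop such as `/* bound the pass by the snapshot: unmatched skbs are re-queued at the tail and must not be revisited */` would make the termination argument explicit. The re-queue it refers to is the `skb_queue_tail()` call in the next hunk. vsc85xx_dequeue_skb() starts and ends outside this hunk.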
+@@ -485,7 +485,7 @@ static void vsc85xx_dequeue_skb(struct vsc85xx_ptp *ptp)
+ * packet in the FIFO right now, reschedule it for later
+ * packets.
+ */
+- __skb_queue_tail(&ptp->tx_queue, skb);
++ skb_queue_tail(&ptp->tx_queue, skb);
+ }
+ }
+
+@@ -1067,6 +1067,7 @@ static int vsc85xx_hwtstamp(struct mii_timestamper *mii_ts, struct ifreq *ifr)
+ case HWTSTAMP_TX_ON:
+ break;
+ case HWTSTAMP_TX_OFF:
++ skb_queue_purge(&vsc8531->ptp->tx_queue);
+ break;
+ default:
+ return -ERANGE;
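Review bot: The purge under `case HWTSTAMP_TX_OFF:` shares no lock with vsc85xx_txtstamp(), so an skb queued immediately after it stays on `tx_queue`; if the new tx_type is stored only after this switch (not visible in the hunk), that window is real. Such an skb would presumably stay queued until the FIFO-overflow purge or vsc8584_ptp_deinit(). Purging after the new configuration has been stored, or a comment stating that a late skb is tolerated, would settle it. The purge also used to run on every reconfiguration under `ts_lock` and now runs only for TX_OFF, which is worth noting next to the call.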
+@@ -1091,9 +1092,6 @@ static int vsc85xx_hwtstamp(struct mii_timestamper *mii_ts, struct ifreq *ifr)
+
+ mutex_lock(&vsc8531->ts_lock);
+
+- __skb_queue_purge(&vsc8531->ptp->tx_queue);
+- __skb_queue_head_init(&vsc8531->ptp->tx_queue);
+-
+ /* Disable predictor while configuring the 1588 block */
+ val = vsc85xx_ts_read_csr(phydev, PROCESSOR,
+ MSCC_PHY_PTP_INGR_PREDICTOR);
+@@ -1179,9 +1177,7 @@ static void vsc85xx_txtstamp(struct mii_timestamper *mii_ts,
+
+ skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS;
+
+- mutex_lock(&vsc8531->ts_lock);
+- __skb_queue_tail(&vsc8531->ptp->tx_queue, skb);
+- mutex_unlock(&vsc8531->ts_lock);
++ skb_queue_tail(&vsc8531->ptp->tx_queue, skb);
+ return;
+
+ out:
+@@ -1547,6 +1543,7 @@ void vsc8584_ptp_deinit(struct phy_device *phydev)
+ if (vsc8531->ptp->ptp_clock) {
+ ptp_clock_unregister(vsc8531->ptp->ptp_clock);
+ skb_queue_purge(&vsc8531->rx_skbs_list);
++ skb_queue_purge(&vsc8531->ptp->tx_queue);
+ }
+ }
+
+@@ -1570,7 +1567,7 @@ irqreturn_t vsc8584_handle_ts_interrupt(struct phy_device *phydev)
+ if (rc & VSC85XX_1588_INT_FIFO_ADD) {
+ vsc85xx_get_tx_ts(priv->ptp);
+ } else if (rc & VSC85XX_1588_INT_FIFO_OVERFLOW) {
+- __skb_queue_purge(&priv->ptp->tx_queue);
++ skb_queue_purge(&priv->ptp->tx_queue);
+ vsc85xx_ts_reset_fifo(phydev);
+ }
+
+@@ -1590,6 +1587,7 @@ int vsc8584_ptp_probe(struct phy_device *phydev)
+ mutex_init(&vsc8531->phc_lock);
+ mutex_init(&vsc8531->ts_lock);
+ skb_queue_head_init(&vsc8531->rx_skbs_list);
++ skb_queue_head_init(&vsc8531->ptp->tx_queue);
+
+ /* Retrieve the shared load/save GPIO. Request it as non exclusive as
+ * the same GPIO can be requested by all the PHYs of the same package.
+--
+2.50.1
+
--- /dev/null
+From aebf57274a90adf0d0569158cb6722daeeafbce2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Sep 2025 18:07:26 +0800
+Subject: ppp: fix memory leak in pad_compress_skb
+
+From: Qingfang Deng <dqfext@gmail.com>
+
+[ Upstream commit 4844123fe0b853a4982c02666cb3fd863d701d50 ]
+
+If alloc_skb() fails in pad_compress_skb(), it returns NULL without
+releasing the old skb. The caller does:
+
+ skb = pad_compress_skb(ppp, skb);
+ if (!skb)
+ goto drop;
+
+drop:
+ kfree_skb(skb);
+
+When pad_compress_skb() returns NULL, the reference to the old skb is
+lost and kfree_skb(skb) ends up doing nothing, leading to a memory leak.
+
+Align pad_compress_skb() semantics with realloc(): only free the old
+skb if allocation and compression succeed. At the call site, use the
+new_skb variable so the original skb is not lost when pad_compress_skb()
+fails.
+
+Fixes: b3f9b92a6ec1 ("[PPP]: add PPP MPPE encryption module")
+Signed-off-by: Qingfang Deng <dqfext@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
+Link: https://patch.msgid.link/20250903100726.269839-1-dqfext@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ppp/ppp_generic.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
+index cbf1c1f23281d..f184368d5c5e7 100644
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -1753,7 +1753,6 @@ pad_compress_skb(struct ppp *ppp, struct sk_buff *skb)
+ */
+ if (net_ratelimit())
+ netdev_err(ppp->dev, "ppp: compressor dropped pkt\n");
+- kfree_skb(skb);
+ consume_skb(new_skb);
+ new_skb = NULL;
+ }
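Review bot: pad_compress_skb() now has realloc()-like ownership, but that contract is written down only in the commit message. A comment on the function, for example `/* On NULL return the caller still owns @skb; otherwise use the returned skb */`, would keep future callers from reintroducing the leak or adding a double free. The ppp_send_frame() hunk below relies on exactly this when it jumps to `drop` with the original `skb`. The function body starts outside the hunk, so the success path is not visible here.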
+@@ -1855,9 +1854,10 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb)
+ "down - pkt dropped.\n");
+ goto drop;
+ }
+- skb = pad_compress_skb(ppp, skb);
+- if (!skb)
++ new_skb = pad_compress_skb(ppp, skb);
++ if (!new_skb)
+ goto drop;
++ skb = new_skb;
+ }
+
+ /*
+--
+2.50.1
+
--- /dev/null
+From 93d3ad2189f3eb3dfbb29631a86c00f27606656d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Sep 2025 22:28:51 +0000
+Subject: selftest: net: Fix weird setsockopt() in bind_bhash.c.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit fd2004d82d8d8faa94879e3de3096c8511728637 ]
+
+bind_bhash.c passes (SO_REUSEADDR | SO_REUSEPORT) to setsockopt().
+
+In the asm-generic definition, the value happens to match with the
+bare SO_REUSEPORT, (2 | 15) == 15, but not on some arch.
+
+arch/alpha/include/uapi/asm/socket.h:18:#define SO_REUSEADDR 0x0004
+arch/alpha/include/uapi/asm/socket.h:24:#define SO_REUSEPORT 0x0200
+arch/mips/include/uapi/asm/socket.h:24:#define SO_REUSEADDR 0x0004 /* Allow reuse of local addresses. */
+arch/mips/include/uapi/asm/socket.h:33:#define SO_REUSEPORT 0x0200 /* Allow local address and port reuse. */
+arch/parisc/include/uapi/asm/socket.h:12:#define SO_REUSEADDR 0x0004
+arch/parisc/include/uapi/asm/socket.h:18:#define SO_REUSEPORT 0x0200
+arch/sparc/include/uapi/asm/socket.h:13:#define SO_REUSEADDR 0x0004
+arch/sparc/include/uapi/asm/socket.h:20:#define SO_REUSEPORT 0x0200
+include/uapi/asm-generic/socket.h:12:#define SO_REUSEADDR 2
+include/uapi/asm-generic/socket.h:27:#define SO_REUSEPORT 15
+
+Let's pass SO_REUSEPORT only.
+
+Fixes: c35ecb95c448 ("selftests/net: Add test for timing a bind request to a port with a populated bhash entry")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250903222938.2601522-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/bind_bhash.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/net/bind_bhash.c b/tools/testing/selftests/net/bind_bhash.c
+index 57ff67a3751eb..da04b0b19b73c 100644
+--- a/tools/testing/selftests/net/bind_bhash.c
++++ b/tools/testing/selftests/net/bind_bhash.c
+@@ -75,7 +75,7 @@ static void *setup(void *arg)
+ int *array = (int *)arg;
+
+ for (i = 0; i < MAX_CONNECTIONS; i++) {
+- sock_fd = bind_socket(SO_REUSEADDR | SO_REUSEPORT, setup_addr);
++ sock_fd = bind_socket(SO_REUSEPORT, setup_addr);
+ if (sock_fd < 0) {
+ ret = sock_fd;
+ pthread_exit(&ret);
+@@ -103,7 +103,7 @@ int main(int argc, const char *argv[])
+
+ setup_addr = use_v6 ? setup_addr_v6 : setup_addr_v4;
+
+- listener_fd = bind_socket(SO_REUSEADDR | SO_REUSEPORT, setup_addr);
++ listener_fd = bind_socket(SO_REUSEPORT, setup_addr);
+ if (listen(listener_fd, 100) < 0) {
+ perror("listen failed");
+ return -1;
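Review bot: `listener_fd` goes straight into listen() without a check, while setup() in the previous hunk tests `sock_fd < 0` after the same bind_socket() call. If bind_socket() fails here, the test prints "listen failed" instead of pointing at the real cause. Adding `if (listener_fd < 0) return -1;` before the listen() call would make the two call sites consistent. main() continues outside the hunk.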
+--
+2.50.1
+
arm64-dts-rockchip-add-vcc-supply-to-spi-flash-on-rk.patch
tee-optee-ffa-fix-a-typo-of-optee_ffa_api_is_compati.patch
arm64-dts-imx8mp-fix-missing-microsd-slot-vqmmc-on-d.patch
+wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch
+netfilter-br_netfilter-do-not-check-confirmed-bit-in.patch
+netfilter-conntrack-helper-replace-eexist-by-ebusy.patch
+bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch
+xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch
+misdn-fix-memory-leak-in-dsp_hwec_enable.patch
+icmp-fix-icmp_ndo_send-address-translation-for-reply.patch
+net-macb-fix-tx_ptr_lock-locking.patch
+net-smc-fix-one-null-pointer-dereference-in-smc_ib_i.patch
+i40e-fix-potential-invalid-access-when-mac-list-is-e.patch
+net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch
+wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch
+wifi-libertas-cap-ssid-len-in-lbs_associate.patch
+wifi-cfg80211-sme-cap-ssid-length-in-__cfg80211_conn.patch
+net-thunder_bgx-add-a-missing-of_node_put.patch
+net-thunder_bgx-decrement-cleanup-index-before-use.patch
+ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch
+net-smc-remove-validation-of-reserved-bits-in-clc-de.patch
+mctp-return-enoprotoopt-for-unknown-getsockopt-optio.patch
+ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch
+net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch
+ppp-fix-memory-leak-in-pad_compress_skb.patch
+selftest-net-fix-weird-setsockopt-in-bind_bhash.c.patch
+phy-mscc-stop-taking-ts_lock-for-tx_queue-and-use-it.patch
--- /dev/null
+From cd2e358a8d181cd48d4ccc86aa2d4c00c830eac5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Aug 2025 16:52:36 +0300
+Subject: wifi: cfg80211: fix use-after-free in cmp_bss()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 26e84445f02ce6b2fe5f3e0e28ff7add77f35e08 ]
+
+Following bss_free() quirk introduced in commit 776b3580178f
+("cfg80211: track hidden SSID networks properly"), adjust
+cfg80211_update_known_bss() to free the last beacon frame
+elements only if they're not shared via the corresponding
+'hidden_beacon_bss' pointer.
+
+Reported-by: syzbot+30754ca335e6fb7e3092@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=30754ca335e6fb7e3092
+Fixes: 3ab8227d3e7d ("cfg80211: refactor cfg80211_bss_update")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Link: https://patch.msgid.link/20250813135236.799384-1-dmantipov@yandex.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/scan.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index 810293f160a8c..7369172819fdf 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -1785,7 +1785,8 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev,
+ */
+
+ f = rcu_access_pointer(new->pub.beacon_ies);
+- kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head);
++ if (!new->pub.hidden_beacon_bss)
++ kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head);
+ return false;
+ }
+
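Review bot: The new `if (!new->pub.hidden_beacon_bss)` guard encodes an ownership rule that the code itself does not state. Per the commit message the beacon elements may be shared through `hidden_beacon_bss`, so a line such as `/* beacon_ies may be shared via hidden_beacon_bss; only free them when they are not */` directly above the check would explain why the free is conditional. The block comment that ends just above these lines begins outside the hunk and may already cover part of this. cfg80211_update_known_bss() extends beyond the hunk.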
+--
+2.50.1
+
--- /dev/null
+From afcdb7e9b34bc2ef956d83aa38e3a7549b7066f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 15:48:45 +0300
+Subject: wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 62b635dcd69c4fde7ce1de4992d71420a37e51e3 ]
+
+If the ssid->datalen is more than IEEE80211_MAX_SSID_LEN (32) it would
+lead to memory corruption so add some bounds checking.
+
+Fixes: c38c70185101 ("wifi: cfg80211: Set SSID if it is not already set")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/0aaaae4a3ed37c6252363c34ae4904b1604e8e32.1756456951.git.dan.carpenter@linaro.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/sme.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/sme.c b/net/wireless/sme.c
+index e35c3c29cec7d..ed16e852133e7 100644
+--- a/net/wireless/sme.c
++++ b/net/wireless/sme.c
+@@ -886,13 +886,16 @@ void __cfg80211_connect_result(struct net_device *dev,
+ if (!wdev->u.client.ssid_len) {
+ rcu_read_lock();
+ for_each_valid_link(cr, link) {
++ u32 ssid_len;
++
+ ssid = ieee80211_bss_get_elem(cr->links[link].bss,
+ WLAN_EID_SSID);
+
+ if (!ssid || !ssid->datalen)
+ continue;
+
+- memcpy(wdev->u.client.ssid, ssid->data, ssid->datalen);
++ ssid_len = min(ssid->datalen, IEEE80211_MAX_SSID_LEN);
++ memcpy(wdev->u.client.ssid, ssid->data, ssid_len);
+ wdev->u.client.ssid_len = ssid->datalen;
+ break;
+ }
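Review bot: The copy is now capped, but the next line still stores the uncapped value: `wdev->u.client.ssid_len = ssid->datalen;`. If the element is longer than IEEE80211_MAX_SSID_LEN, the recorded length exceeds what was copied, and any later reader that trusts `ssid_len` when accessing `wdev->u.client.ssid` would presumably read past the buffer. Storing the clamped value, `wdev->u.client.ssid_len = ssid_len;`, keeps the length and the buffer in agreement. The function starts and ends outside the hunk, so the consumers of `ssid_len` are not visible here.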
+--
+2.50.1
+
--- /dev/null
+From 093fcee9dcb9666f1925a9f2312d914ea06829e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 15:48:28 +0300
+Subject: wifi: cw1200: cap SSID length in cw1200_do_join()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit f8f15f6742b8874e59c9c715d0af3474608310ad ]
+
+If the ssidie[1] length is more than 32 it leads to memory corruption.
+
+Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/e91fb43fcedc4893b604dfb973131661510901a7.1756456951.git.dan.carpenter@linaro.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/st/cw1200/sta.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/st/cw1200/sta.c b/drivers/net/wireless/st/cw1200/sta.c
+index 8ef1d06b9bbdd..121d810c8839e 100644
+--- a/drivers/net/wireless/st/cw1200/sta.c
++++ b/drivers/net/wireless/st/cw1200/sta.c
+@@ -1290,7 +1290,7 @@ static void cw1200_do_join(struct cw1200_common *priv)
+ rcu_read_lock();
+ ssidie = ieee80211_bss_get_ie(bss, WLAN_EID_SSID);
+ if (ssidie) {
+- join.ssid_len = ssidie[1];
++ join.ssid_len = min(ssidie[1], IEEE80211_MAX_SSID_LEN);
+ memcpy(join.ssid, &ssidie[2], join.ssid_len);
+ }
+ rcu_read_unlock();
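Review bot: Nothing at the clamp says that `ssidie[1]` is a length byte taken from the BSS's SSID element and is therefore not bounded by the size of `join.ssid`. A short comment, `/* IE length comes from the element itself; clamp to the size of join.ssid */`, would make the reason for `min()` clear. The same applies to `ssid_eid[1]` in the lbs_associate() patch further down. An over-long SSID element is silently truncated here rather than rejected, which may be intended but deserves a word in that comment. cw1200_do_join() extends beyond the hunk.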
+--
+2.50.1
+
--- /dev/null
+From 7b103fd6923b404cebe3b3cc7a88a3f6312ee82d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 15:48:35 +0300
+Subject: wifi: libertas: cap SSID len in lbs_associate()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit c786794bd27b0d7a5fd9063695df83206009be59 ]
+
+If the ssid_eid[1] length is more than 32 it leads to memory corruption.
+
+Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/2a40f5ec7617144aef412034c12919a4927d90ad.1756456951.git.dan.carpenter@linaro.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/libertas/cfg.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c
+index 3e065cbb0af91..5f0fef67fa841 100644
+--- a/drivers/net/wireless/marvell/libertas/cfg.c
++++ b/drivers/net/wireless/marvell/libertas/cfg.c
+@@ -1101,10 +1101,13 @@ static int lbs_associate(struct lbs_private *priv,
+ /* add SSID TLV */
+ rcu_read_lock();
+ ssid_eid = ieee80211_bss_get_ie(bss, WLAN_EID_SSID);
+- if (ssid_eid)
+- pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_eid[1]);
+- else
++ if (ssid_eid) {
++ u32 ssid_len = min(ssid_eid[1], IEEE80211_MAX_SSID_LEN);
++
++ pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_len);
++ } else {
+ lbs_deb_assoc("no SSID\n");
++ }
+ rcu_read_unlock();
+
+ /* add DS param TLV */
+--
+2.50.1
+
--- /dev/null
+From da5bc216d65d573c689ced0980d49041a6ef2ae5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 12:26:43 -0700
+Subject: xirc2ps_cs: fix register access when enabling FullDuplex
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit b79e498080b170fd94fc83bca2471f450811549b ]
+
+The current code incorrectly passes (XIRCREG1_ECR | FullDuplex) as
+the register address to GetByte(), instead of fetching the register
+value and OR-ing it with FullDuplex. This results in an invalid
+register access.
+
+Fix it by reading XIRCREG1_ECR first, then or-ing with FullDuplex
+before writing it back.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://patch.msgid.link/20250827192645.658496-1-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/xircom/xirc2ps_cs.c b/drivers/net/ethernet/xircom/xirc2ps_cs.c
+index 9f505cf02d965..2dc1cfcd7ce99 100644
+--- a/drivers/net/ethernet/xircom/xirc2ps_cs.c
++++ b/drivers/net/ethernet/xircom/xirc2ps_cs.c
+@@ -1578,7 +1578,7 @@ do_reset(struct net_device *dev, int full)
+ msleep(40); /* wait 40 msec to let it complete */
+ }
+ if (full_duplex)
+- PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR | FullDuplex));
++ PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR) | FullDuplex);
+ } else { /* No MII */
+ SelectPage(0);
+ value = GetByte(XIRCREG_ESR); /* read the ESR */
+--
+2.50.1
+
--- /dev/null
+From 0d8e55d405cf1b187b73951e817ac40b82d28a1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Sep 2025 12:46:42 +0000
+Subject: ax25: properly unshare skbs in ax25_kiss_rcv()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 8156210d36a43e76372312c87eb5ea3dbb405a85 ]
+
+Bernard Pidoux reported a regression apparently caused by commit
+c353e8983e0d ("net: introduce per netns packet chains").
+
+skb->dev becomes NULL and we crash in __netif_receive_skb_core().
+
+Before above commit, different kind of bugs or corruptions could happen
+without a major crash.
+
+But the root cause is that ax25_kiss_rcv() can queue/mangle input skb
+without checking if this skb is shared or not.
+
+Many thanks to Bernard Pidoux for his help, diagnosis and tests.
+
+We had a similar issue years ago fixed with commit 7aaed57c5c28
+("phonet: properly unshare skbs in phonet_rcv()").
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Bernard Pidoux <f6bvp@free.fr>
+Closes: https://lore.kernel.org/netdev/1713f383-c538-4918-bc64-13b3288cd542@free.fr/
+Tested-by: Bernard Pidoux <f6bvp@free.fr>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Joerg Reuter <jreuter@yaina.de>
+Cc: David Ranch <dranch@trinnet.net>
+Cc: Folkert van Heusden <folkert@vanheusden.com>
+Reviewed-by: Dan Cross <crossd@gmail.com>
+Link: https://patch.msgid.link/20250902124642.212705-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ax25/ax25_in.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/ax25/ax25_in.c b/net/ax25/ax25_in.c
+index 1cac25aca6378..f2d66af863595 100644
+--- a/net/ax25/ax25_in.c
++++ b/net/ax25/ax25_in.c
+@@ -433,6 +433,10 @@ static int ax25_rcv(struct sk_buff *skb, struct net_device *dev,
+ int ax25_kiss_rcv(struct sk_buff *skb, struct net_device *dev,
+ struct packet_type *ptype, struct net_device *orig_dev)
+ {
++ skb = skb_share_check(skb, GFP_ATOMIC);
++ if (!skb)
++ return NET_RX_DROP;
++
+ skb_orphan(skb);
+
+ if (!net_eq(dev_net(dev), &init_net)) {
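Review bot: The new `skb_share_check()` call at the top of `ax25_kiss_rcv()` has no comment saying why this handler needs a private skb; the reason is given only in the commit message. I would add `/* the code below may queue or modify the skb, so it must not be shared */` above the call. As far as I know, `skb_share_check()` frees the original skb itself when the clone fails, so returning `NET_RX_DROP` without a `kfree_skb()` looks right, and a short remark to that effect would save the next reader a lookup. The function body continues outside this hunk.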
+--
+2.50.1
+
--- /dev/null
+From d0f1d7d2a438ff4b740644c2dd0e9fb923b90bbd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 20:40:14 +0000
+Subject: Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 862c628108562d8c7a516a900034823b381d3cba ]
+
+syzbot reported the splat below without a repro.
+
+In the splat, a single thread calling bt_accept_dequeue() freed sk
+and touched it after that.
+
+The root cause would be the racy l2cap_sock_cleanup_listen() call
+added by the cited commit.
+
+bt_accept_dequeue() is called under lock_sock() except for
+l2cap_sock_release().
+
+Two threads could see the same socket during the list iteration
+in bt_accept_dequeue():
+
+ CPU1 CPU2 (close())
+ ---- ----
+ sock_hold(sk) sock_hold(sk);
+ lock_sock(sk) <-- block close()
+ sock_put(sk)
+ bt_accept_unlink(sk)
+ sock_put(sk) <-- refcnt by bt_accept_enqueue()
+ release_sock(sk)
+ lock_sock(sk)
+ sock_put(sk)
+ bt_accept_unlink(sk)
+ sock_put(sk) <-- last refcnt
+ bt_accept_unlink(sk) <-- UAF
+
+Depending on the timing, the other thread could show up in the
+"Freed by task" part.
+
+Let's call l2cap_sock_cleanup_listen() under lock_sock() in
+l2cap_sock_release().
+
+[0]:
+BUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
+BUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115
+Read of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995
+CPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xcd/0x630 mm/kasan/report.c:482
+ kasan_report+0xe0/0x110 mm/kasan/report.c:595
+ debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
+ do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115
+ spin_lock_bh include/linux/spinlock.h:356 [inline]
+ release_sock+0x21/0x220 net/core/sock.c:3746
+ bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312
+ l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451
+ l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425
+ __sock_release+0xb3/0x270 net/socket.c:649
+ sock_close+0x1c/0x30 net/socket.c:1439
+ __fput+0x3ff/0xb70 fs/file_table.c:468
+ task_work_run+0x14d/0x240 kernel/task_work.c:227
+ resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+ exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
+ exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
+ syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
+ syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
+ do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f2accf8ebe9
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
+RAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9
+RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
+RBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f
+R10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c
+R13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490
+ </TASK>
+
+Allocated by task 5326:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:68
+ poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
+ __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
+ kasan_kmalloc include/linux/kasan.h:260 [inline]
+ __do_kmalloc_node mm/slub.c:4365 [inline]
+ __kmalloc_noprof+0x223/0x510 mm/slub.c:4377
+ kmalloc_noprof include/linux/slab.h:909 [inline]
+ sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2239
+ sk_alloc+0x36/0xc20 net/core/sock.c:2295
+ bt_sock_alloc+0x3b/0x3a0 net/bluetooth/af_bluetooth.c:151
+ l2cap_sock_alloc.constprop.0+0x33/0x1d0 net/bluetooth/l2cap_sock.c:1894
+ l2cap_sock_new_connection_cb+0x101/0x240 net/bluetooth/l2cap_sock.c:1482
+ l2cap_connect_cfm+0x4c4/0xf80 net/bluetooth/l2cap_core.c:7287
+ hci_connect_cfm include/net/bluetooth/hci_core.h:2050 [inline]
+ hci_remote_features_evt+0x4dd/0x970 net/bluetooth/hci_event.c:3712
+ hci_event_func net/bluetooth/hci_event.c:7519 [inline]
+ hci_event_packet+0xa0d/0x11c0 net/bluetooth/hci_event.c:7573
+ hci_rx_work+0x2c5/0x16b0 net/bluetooth/hci_core.c:4071
+ process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
+ process_scheduled_works kernel/workqueue.c:3319 [inline]
+ worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
+ kthread+0x3c2/0x780 kernel/kthread.c:463
+ ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
+
+Freed by task 16995:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:68
+ kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
+ poison_slab_object mm/kasan/common.c:243 [inline]
+ __kasan_slab_free+0x60/0x70 mm/kasan/common.c:275
+ kasan_slab_free include/linux/kasan.h:233 [inline]
+ slab_free_hook mm/slub.c:2417 [inline]
+ slab_free mm/slub.c:4680 [inline]
+ kfree+0x2b4/0x4d0 mm/slub.c:4879
+ sk_prot_free net/core/sock.c:2278 [inline]
+ __sk_destruct+0x75f/0x9a0 net/core/sock.c:2373
+ sk_destruct+0xc2/0xf0 net/core/sock.c:2401
+ __sk_free+0xf4/0x3e0 net/core/sock.c:2412
+ sk_free+0x6a/0x90 net/core/sock.c:2423
+ sock_put include/net/sock.h:1960 [inline]
+ bt_accept_unlink+0x245/0x2e0 net/bluetooth/af_bluetooth.c:262
+ bt_accept_dequeue+0x517/0x600 net/bluetooth/af_bluetooth.c:308
+ l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451
+ l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425
+ __sock_release+0xb3/0x270 net/socket.c:649
+ sock_close+0x1c/0x30 net/socket.c:1439
+ __fput+0x3ff/0xb70 fs/file_table.c:468
+ task_work_run+0x14d/0x240 kernel/task_work.c:227
+ resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+ exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
+ exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
+ syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
+ syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
+ do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 1728137b33c0 ("Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb")
+Reported-by: syzbot+e5e64cdf8e92046dd3e1@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-bluetooth/68af6b9d.a70a0220.3cafd4.0032.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
+index 615c18e290ab9..b35f1551b9be7 100644
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1409,7 +1409,10 @@ static int l2cap_sock_release(struct socket *sock)
+ if (!sk)
+ return 0;
+
++ lock_sock_nested(sk, L2CAP_NESTING_PARENT);
+ l2cap_sock_cleanup_listen(sk);
++ release_sock(sk);
++
+ bt_sock_unlink(&l2cap_sk_list, sk);
+
+ err = l2cap_sock_shutdown(sock, SHUT_RDWR);
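Review bot: The `lock_sock_nested(sk, L2CAP_NESTING_PARENT)` / `release_sock(sk)` pair around `l2cap_sock_cleanup_listen(sk)` is not explained in the code, so a later cleanup could drop it and reopen the race described in the commit message. A one-line comment would help, for example `/* bt_accept_dequeue() must run under the parent's socket lock */`. The lock is released before `bt_sock_unlink()` and `l2cap_sock_shutdown()`; presumably those do their own locking, but that is not visible here. `l2cap_sock_release()` starts and ends outside this hunk.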
+--
+2.50.1
+
--- /dev/null
+From f58686cf85219dafd8736569932eeae1b7541f0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 10:53:25 -0400
+Subject: Bluetooth: vhci: Prevent use-after-free by removing debugfs files
+ early
+
+From: Ivan Pravdin <ipravdin.official@gmail.com>
+
+[ Upstream commit 28010791193a4503f054e8d69a950ef815deb539 ]
+
+Move the creation of debugfs files into a dedicated function, and ensure
+they are explicitly removed during vhci_release(), before associated
+data structures are freed.
+
+Previously, debugfs files such as "force_suspend", "force_wakeup", and
+others were created under hdev->debugfs but not removed in
+vhci_release(). Since vhci_release() frees the backing vhci_data
+structure, any access to these files after release would result in
+use-after-free errors.
+
+Although hdev->debugfs is later freed in hci_release_dev(), user can
+access files after vhci_data is freed but before hdev->debugfs is
+released.
+
+Fixes: ab4e4380d4e1 ("Bluetooth: Add vhci devcoredump support")
+Signed-off-by: Ivan Pravdin <ipravdin.official@gmail.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_vhci.c | 57 ++++++++++++++++++++++++++----------
+ 1 file changed, 41 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
+index 9ac22e4a070be..59872e73c1878 100644
+--- a/drivers/bluetooth/hci_vhci.c
++++ b/drivers/bluetooth/hci_vhci.c
+@@ -380,6 +380,28 @@ static const struct file_operations force_devcoredump_fops = {
+ .write = force_devcd_write,
+ };
+
++static void vhci_debugfs_init(struct vhci_data *data)
++{
++ struct hci_dev *hdev = data->hdev;
++
++ debugfs_create_file("force_suspend", 0644, hdev->debugfs, data,
++ &force_suspend_fops);
++
++ debugfs_create_file("force_wakeup", 0644, hdev->debugfs, data,
++ &force_wakeup_fops);
++
++ if (IS_ENABLED(CONFIG_BT_MSFTEXT))
++ debugfs_create_file("msft_opcode", 0644, hdev->debugfs, data,
++ &msft_opcode_fops);
++
++ if (IS_ENABLED(CONFIG_BT_AOSPEXT))
++ debugfs_create_file("aosp_capable", 0644, hdev->debugfs, data,
++ &aosp_capable_fops);
++
++ debugfs_create_file("force_devcoredump", 0644, hdev->debugfs, data,
++ &force_devcoredump_fops);
++}
++
+ static int __vhci_create_device(struct vhci_data *data, __u8 opcode)
+ {
+ struct hci_dev *hdev;
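Review bot: The five debugfs file names are now listed twice, in `vhci_debugfs_init()` here and in `vhci_debugfs_remove()` in the third hunk, and nothing ties the two lists together. A file added only to the first list would again outlive the `vhci_data` it points to, which is the use-after-free this patch closes. At minimum I would put `/* keep in sync with vhci_debugfs_remove() */` on this function and the mirror comment on the other. Driving both from one `static const` table of name/fops pairs would remove the duplication entirely.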
+@@ -433,22 +455,8 @@ static int __vhci_create_device(struct vhci_data *data, __u8 opcode)
+ return -EBUSY;
+ }
+
+- debugfs_create_file("force_suspend", 0644, hdev->debugfs, data,
+- &force_suspend_fops);
+-
+- debugfs_create_file("force_wakeup", 0644, hdev->debugfs, data,
+- &force_wakeup_fops);
+-
+- if (IS_ENABLED(CONFIG_BT_MSFTEXT))
+- debugfs_create_file("msft_opcode", 0644, hdev->debugfs, data,
+- &msft_opcode_fops);
+-
+- if (IS_ENABLED(CONFIG_BT_AOSPEXT))
+- debugfs_create_file("aosp_capable", 0644, hdev->debugfs, data,
+- &aosp_capable_fops);
+-
+- debugfs_create_file("force_devcoredump", 0644, hdev->debugfs, data,
+- &force_devcoredump_fops);
++ if (!IS_ERR_OR_NULL(hdev->debugfs))
++ vhci_debugfs_init(data);
+
+ hci_skb_pkt_type(skb) = HCI_VENDOR_PKT;
+
+@@ -650,6 +658,21 @@ static int vhci_open(struct inode *inode, struct file *file)
+ return 0;
+ }
+
++static void vhci_debugfs_remove(struct hci_dev *hdev)
++{
++ debugfs_lookup_and_remove("force_suspend", hdev->debugfs);
++
++ debugfs_lookup_and_remove("force_wakeup", hdev->debugfs);
++
++ if (IS_ENABLED(CONFIG_BT_MSFTEXT))
++ debugfs_lookup_and_remove("msft_opcode", hdev->debugfs);
++
++ if (IS_ENABLED(CONFIG_BT_AOSPEXT))
++ debugfs_lookup_and_remove("aosp_capable", hdev->debugfs);
++
++ debugfs_lookup_and_remove("force_devcoredump", hdev->debugfs);
++}
++
+ static int vhci_release(struct inode *inode, struct file *file)
+ {
+ struct vhci_data *data = file->private_data;
+@@ -661,6 +684,8 @@ static int vhci_release(struct inode *inode, struct file *file)
+ hdev = data->hdev;
+
+ if (hdev) {
++ if (!IS_ERR_OR_NULL(hdev->debugfs))
++ vhci_debugfs_remove(hdev);
+ hci_unregister_dev(hdev);
+ hci_free_dev(hdev);
+ }
+--
+2.50.1
+
--- /dev/null
+From 2de783008907375ef749a95e70d5671b1807ac6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 23:23:27 -0700
+Subject: bnxt_en: fix incorrect page count in RX aggr ring log
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit 7000f4fa9b24ae2511b07babd0d49e888db5d265 ]
+
+The warning in bnxt_alloc_one_rx_ring_netmem() reports the number
+of pages allocated for the RX aggregation ring. However, it
+mistakenly used bp->rx_ring_size instead of bp->rx_agg_ring_size,
+leading to confusing or misleading log output.
+
+Use the correct bp->rx_agg_ring_size value to fix this.
+
+Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Michael Chan <michael.chan@broadcom.com>
+Reviewed-by: Somnath Kotur <somnath.kotur@broadcom.com>
+Link: https://patch.msgid.link/20250830062331.783783-1-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index 08886c3a28c61..8a6f3e230fce6 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -4207,7 +4207,7 @@ static void bnxt_alloc_one_rx_ring_page(struct bnxt *bp,
+ for (i = 0; i < bp->rx_agg_ring_size; i++) {
+ if (bnxt_alloc_rx_page(bp, rxr, prod, GFP_KERNEL)) {
+ netdev_warn(bp->dev, "init'ed rx ring %d with %d/%d pages only\n",
+- ring_nr, i, bp->rx_ring_size);
++ ring_nr, i, bp->rx_agg_ring_size);
+ break;
+ }
+ prod = NEXT_RX_AGG(prod);
+--
+2.50.1
+
--- /dev/null
+From 1fe868e3d7def114b934dd09a4ecbc7fd524316b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 19:56:31 +0800
+Subject: i40e: Fix potential invalid access when MAC list is empty
+
+From: Zhen Ni <zhen.ni@easystack.cn>
+
+[ Upstream commit a556f06338e1d5a85af0e32ecb46e365547f92b9 ]
+
+list_first_entry() never returns NULL - if the list is empty, it still
+returns a pointer to an invalid object, leading to potential invalid
+memory access when dereferenced.
+
+Fix this by using list_first_entry_or_null instead of list_first_entry.
+
+Fixes: e3219ce6a775 ("i40e: Add support for client interface for IWARP driver")
+Signed-off-by: Zhen Ni <zhen.ni@easystack.cn>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_client.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_client.c b/drivers/net/ethernet/intel/i40e/i40e_client.c
+index 59263551c3838..0b099e5f48163 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_client.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_client.c
+@@ -359,8 +359,8 @@ static void i40e_client_add_instance(struct i40e_pf *pf)
+ if (i40e_client_get_params(vsi, &cdev->lan_info.params))
+ goto free_cdev;
+
+- mac = list_first_entry(&cdev->lan_info.netdev->dev_addrs.list,
+- struct netdev_hw_addr, list);
++ mac = list_first_entry_or_null(&cdev->lan_info.netdev->dev_addrs.list,
++ struct netdev_hw_addr, list);
+ if (mac)
+ ether_addr_copy(cdev->lan_info.lanmac, mac->addr);
+ else
+--
+2.50.1
+
--- /dev/null
+From 92c58f45763331b549d118c4e371cdb817a77460 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 17:14:37 -0700
+Subject: i40e: remove read access to debugfs files
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+[ Upstream commit 9fcdb1c3c4ba134434694c001dbff343f1ffa319 ]
+
+The 'command' and 'netdev_ops' debugfs files are a legacy debugging
+interface supported by the i40e driver since its early days by commit
+02e9c290814c ("i40e: debugfs interface").
+
+Both of these debugfs files provide a read handler which is mostly useless,
+and which is implemented with questionable logic. They both use a static
+256 byte buffer which is initialized to the empty string. In the case of
+the 'command' file this buffer is literally never used and simply wastes
+space. In the case of the 'netdev_ops' file, the last command written is
+saved here.
+
+On read, the files contents are presented as the name of the device
+followed by a colon and then the contents of their respective static
+buffer. For 'command' this will always be "<device>: ". For 'netdev_ops',
+this will be "<device>: <last command written>". But note the buffer is
+shared between all devices operated by this module. At best, it is mostly
+meaningless information, and at worse it could be accessed simultaneously
+as there doesn't appear to be any locking mechanism.
+
+We have also recently received multiple reports for both read functions
+about their use of snprintf and potential overflow that could result in
+reading arbitrary kernel memory. For the 'command' file, this is definitely
+impossible, since the static buffer is always zero and never written to.
+For the 'netdev_ops' file, it does appear to be possible, if the user
+carefully crafts the command input, it will be copied into the buffer,
+which could be large enough to cause snprintf to truncate, which then
+causes the copy_to_user to read beyond the length of the buffer allocated
+by kzalloc.
+
+A minimal fix would be to replace snprintf() with scnprintf() which would
+cap the return to the number of bytes written, preventing an overflow. A
+more involved fix would be to drop the mostly useless static buffers,
+saving 512 bytes and modifying the read functions to stop needing those as
+input.
+
+Instead, lets just completely drop the read access to these files. These
+are debug interfaces exposed as part of debugfs, and I don't believe that
+dropping read access will break any script, as the provided output is
+pretty useless. You can find the netdev name through other more standard
+interfaces, and the 'netdev_ops' interface can easily result in garbage if
+you issue simultaneous writes to multiple devices at once.
+
+In order to properly remove the i40e_dbg_netdev_ops_buf, we need to
+refactor its write function to avoid using the static buffer. Instead, use
+the same logic as the i40e_dbg_command_write, with an allocated buffer.
+Update the code to use this instead of the static buffer, and ensure we
+free the buffer on exit. This fixes simultaneous writes to 'netdev_ops' on
+multiple devices, and allows us to remove the now unused static buffer
+along with removing the read access.
+
+Fixes: 02e9c290814c ("i40e: debugfs interface")
+Reported-by: Kunwu Chan <chentao@kylinos.cn>
+Closes: https://lore.kernel.org/intel-wired-lan/20231208031950.47410-1-chentao@kylinos.cn/
+Reported-by: Wang Haoran <haoranwangsec@gmail.com>
+Closes: https://lore.kernel.org/all/CANZ3JQRRiOdtfQJoP9QM=6LS1Jto8PGBGw6y7-TL=BcnzHQn1Q@mail.gmail.com/
+Reported-by: Amir Mohammad Jahangirzad <a.jahangirzad@gmail.com>
+Closes: https://lore.kernel.org/all/20250722115017.206969-1-a.jahangirzad@gmail.com/
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Kunwu Chan <kunwu.chan@linux.dev>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/intel/i40e/i40e_debugfs.c | 123 +++---------------
+ 1 file changed, 19 insertions(+), 104 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_debugfs.c b/drivers/net/ethernet/intel/i40e/i40e_debugfs.c
+index 208c2f0857b61..ded8f43fdf068 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_debugfs.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_debugfs.c
+@@ -40,48 +40,6 @@ static struct i40e_vsi *i40e_dbg_find_vsi(struct i40e_pf *pf, int seid)
+ * setup, adding or removing filters, or other things. Many of
+ * these will be useful for some forms of unit testing.
+ **************************************************************/
+-static char i40e_dbg_command_buf[256] = "";
+-
+-/**
+- * i40e_dbg_command_read - read for command datum
+- * @filp: the opened file
+- * @buffer: where to write the data for the user to read
+- * @count: the size of the user's buffer
+- * @ppos: file position offset
+- **/
+-static ssize_t i40e_dbg_command_read(struct file *filp, char __user *buffer,
+- size_t count, loff_t *ppos)
+-{
+- struct i40e_pf *pf = filp->private_data;
+- struct i40e_vsi *main_vsi;
+- int bytes_not_copied;
+- int buf_size = 256;
+- char *buf;
+- int len;
+-
+- /* don't allow partial reads */
+- if (*ppos != 0)
+- return 0;
+- if (count < buf_size)
+- return -ENOSPC;
+-
+- buf = kzalloc(buf_size, GFP_KERNEL);
+- if (!buf)
+- return -ENOSPC;
+-
+- main_vsi = i40e_pf_get_main_vsi(pf);
+- len = snprintf(buf, buf_size, "%s: %s\n", main_vsi->netdev->name,
+- i40e_dbg_command_buf);
+-
+- bytes_not_copied = copy_to_user(buffer, buf, len);
+- kfree(buf);
+-
+- if (bytes_not_copied)
+- return -EFAULT;
+-
+- *ppos = len;
+- return len;
+-}
+
+ static char *i40e_filter_state_string[] = {
+ "INVALID",
+@@ -1621,7 +1579,6 @@ static ssize_t i40e_dbg_command_write(struct file *filp,
+ static const struct file_operations i40e_dbg_command_fops = {
+ .owner = THIS_MODULE,
+ .open = simple_open,
+- .read = i40e_dbg_command_read,
+ .write = i40e_dbg_command_write,
+ };
+
+@@ -1630,48 +1587,6 @@ static const struct file_operations i40e_dbg_command_fops = {
+ * The netdev_ops entry in debugfs is for giving the driver commands
+ * to be executed from the netdev operations.
+ **************************************************************/
+-static char i40e_dbg_netdev_ops_buf[256] = "";
+-
+-/**
+- * i40e_dbg_netdev_ops_read - read for netdev_ops datum
+- * @filp: the opened file
+- * @buffer: where to write the data for the user to read
+- * @count: the size of the user's buffer
+- * @ppos: file position offset
+- **/
+-static ssize_t i40e_dbg_netdev_ops_read(struct file *filp, char __user *buffer,
+- size_t count, loff_t *ppos)
+-{
+- struct i40e_pf *pf = filp->private_data;
+- struct i40e_vsi *main_vsi;
+- int bytes_not_copied;
+- int buf_size = 256;
+- char *buf;
+- int len;
+-
+- /* don't allow partal reads */
+- if (*ppos != 0)
+- return 0;
+- if (count < buf_size)
+- return -ENOSPC;
+-
+- buf = kzalloc(buf_size, GFP_KERNEL);
+- if (!buf)
+- return -ENOSPC;
+-
+- main_vsi = i40e_pf_get_main_vsi(pf);
+- len = snprintf(buf, buf_size, "%s: %s\n", main_vsi->netdev->name,
+- i40e_dbg_netdev_ops_buf);
+-
+- bytes_not_copied = copy_to_user(buffer, buf, len);
+- kfree(buf);
+-
+- if (bytes_not_copied)
+- return -EFAULT;
+-
+- *ppos = len;
+- return len;
+-}
+
+ /**
+ * i40e_dbg_netdev_ops_write - write into netdev_ops datum
+@@ -1685,35 +1600,36 @@ static ssize_t i40e_dbg_netdev_ops_write(struct file *filp,
+ size_t count, loff_t *ppos)
+ {
+ struct i40e_pf *pf = filp->private_data;
++ char *cmd_buf, *buf_tmp;
+ int bytes_not_copied;
+ struct i40e_vsi *vsi;
+- char *buf_tmp;
+ int vsi_seid;
+ int i, cnt;
+
+ /* don't allow partial writes */
+ if (*ppos != 0)
+ return 0;
+- if (count >= sizeof(i40e_dbg_netdev_ops_buf))
+- return -ENOSPC;
+
+- memset(i40e_dbg_netdev_ops_buf, 0, sizeof(i40e_dbg_netdev_ops_buf));
+- bytes_not_copied = copy_from_user(i40e_dbg_netdev_ops_buf,
+- buffer, count);
+- if (bytes_not_copied)
++ cmd_buf = kzalloc(count + 1, GFP_KERNEL);
++ if (!cmd_buf)
++ return count;
++ bytes_not_copied = copy_from_user(cmd_buf, buffer, count);
++ if (bytes_not_copied) {
++ kfree(cmd_buf);
+ return -EFAULT;
+- i40e_dbg_netdev_ops_buf[count] = '\0';
++ }
++ cmd_buf[count] = '\0';
+
+- buf_tmp = strchr(i40e_dbg_netdev_ops_buf, '\n');
++ buf_tmp = strchr(cmd_buf, '\n');
+ if (buf_tmp) {
+ *buf_tmp = '\0';
+- count = buf_tmp - i40e_dbg_netdev_ops_buf + 1;
++ count = buf_tmp - cmd_buf + 1;
+ }
+
+- if (strncmp(i40e_dbg_netdev_ops_buf, "change_mtu", 10) == 0) {
++ if (strncmp(cmd_buf, "change_mtu", 10) == 0) {
+ int mtu;
+
+- cnt = sscanf(&i40e_dbg_netdev_ops_buf[11], "%i %i",
++ cnt = sscanf(&cmd_buf[11], "%i %i",
+ &vsi_seid, &mtu);
+ if (cnt != 2) {
+ dev_info(&pf->pdev->dev, "change_mtu <vsi_seid> <mtu>\n");
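Review bot: With the buffer now sized `count + 1`, `sscanf(&cmd_buf[11], "%i %i", ...)` in the `change_mtu` branch can start reading one byte past the allocation. A write of exactly the 10 bytes `change_mtu` passes the `strncmp()` test, the terminator sits at index 10, and index 11 was never allocated; the old zeroed 256-byte static buffer hid this. Parsing from `&cmd_buf[10]` stays inside the buffer and gives the same result for well-formed input, since `%i` skips leading whitespace. Separately, the `!cmd_buf` path returns `count`, which reports a successful write when nothing was processed; `return -ENOMEM;` would be more accurate. The function continues outside this hunk.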
+@@ -1735,8 +1651,8 @@ static ssize_t i40e_dbg_netdev_ops_write(struct file *filp,
+ dev_info(&pf->pdev->dev, "Could not acquire RTNL - please try again\n");
+ }
+
+- } else if (strncmp(i40e_dbg_netdev_ops_buf, "set_rx_mode", 11) == 0) {
+- cnt = sscanf(&i40e_dbg_netdev_ops_buf[11], "%i", &vsi_seid);
++ } else if (strncmp(cmd_buf, "set_rx_mode", 11) == 0) {
++ cnt = sscanf(&cmd_buf[11], "%i", &vsi_seid);
+ if (cnt != 1) {
+ dev_info(&pf->pdev->dev, "set_rx_mode <vsi_seid>\n");
+ goto netdev_ops_write_done;
+@@ -1756,8 +1672,8 @@ static ssize_t i40e_dbg_netdev_ops_write(struct file *filp,
+ dev_info(&pf->pdev->dev, "Could not acquire RTNL - please try again\n");
+ }
+
+- } else if (strncmp(i40e_dbg_netdev_ops_buf, "napi", 4) == 0) {
+- cnt = sscanf(&i40e_dbg_netdev_ops_buf[4], "%i", &vsi_seid);
++ } else if (strncmp(cmd_buf, "napi", 4) == 0) {
++ cnt = sscanf(&cmd_buf[4], "%i", &vsi_seid);
+ if (cnt != 1) {
+ dev_info(&pf->pdev->dev, "napi <vsi_seid>\n");
+ goto netdev_ops_write_done;
+@@ -1775,21 +1691,20 @@ static ssize_t i40e_dbg_netdev_ops_write(struct file *filp,
+ dev_info(&pf->pdev->dev, "napi called\n");
+ }
+ } else {
+- dev_info(&pf->pdev->dev, "unknown command '%s'\n",
+- i40e_dbg_netdev_ops_buf);
++ dev_info(&pf->pdev->dev, "unknown command '%s'\n", cmd_buf);
+ dev_info(&pf->pdev->dev, "available commands\n");
+ dev_info(&pf->pdev->dev, " change_mtu <vsi_seid> <mtu>\n");
+ dev_info(&pf->pdev->dev, " set_rx_mode <vsi_seid>\n");
+ dev_info(&pf->pdev->dev, " napi <vsi_seid>\n");
+ }
+ netdev_ops_write_done:
++ kfree(cmd_buf);
+ return count;
+ }
+
+ static const struct file_operations i40e_dbg_netdev_ops_fops = {
+ .owner = THIS_MODULE,
+ .open = simple_open,
+- .read = i40e_dbg_netdev_ops_read,
+ .write = i40e_dbg_netdev_ops_write,
+ };
+
+--
+2.50.1
+
--- /dev/null
+From 364d96e1e619067e0dceedafb24b89bfb670cc10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Aug 2025 10:35:27 -0700
+Subject: ice: fix NULL access of tx->in_use in ice_ll_ts_intr
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+[ Upstream commit f6486338fde3f04ed0ec59fe67a69a208c32734f ]
+
+Recent versions of the E810 firmware have support for an extra interrupt to
+handle report of the "low latency" Tx timestamps coming from the
+specialized low latency firmware interface. Instead of polling the
+registers, software can wait until the low latency interrupt is fired.
+
+This logic makes use of the Tx timestamp tracking structure, ice_ptp_tx, as
+it uses the same "ready" bitmap to track which Tx timestamps complete.
+
+Unfortunately, the ice_ll_ts_intr() function does not check if the
+tracker is initialized before its first access. This results in NULL
+dereference or use-after-free bugs similar to the issues fixed in the
+ice_ptp_ts_irq() function.
+
+Fix this by only checking the in_use bitmap (and other fields) if the
+tracker is marked as initialized. The reset flow will clear the init field
+under lock before it tears the tracker down, thus preventing any
+use-after-free or NULL access.
+
+Fixes: 82e71b226e0e ("ice: Enable SW interrupt from FW for LL TS")
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index 74d4f2fde3e0f..bd5db525f1939 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -3193,12 +3193,14 @@ static irqreturn_t ice_ll_ts_intr(int __always_unused irq, void *data)
+ hw = &pf->hw;
+ tx = &pf->ptp.port.tx;
+ spin_lock_irqsave(&tx->lock, flags);
+- ice_ptp_complete_tx_single_tstamp(tx);
++ if (tx->init) {
++ ice_ptp_complete_tx_single_tstamp(tx);
+
+- idx = find_next_bit_wrap(tx->in_use, tx->len,
+- tx->last_ll_ts_idx_read + 1);
+- if (idx != tx->len)
+- ice_ptp_req_tx_single_tstamp(tx, idx);
++ idx = find_next_bit_wrap(tx->in_use, tx->len,
++ tx->last_ll_ts_idx_read + 1);
++ if (idx != tx->len)
++ ice_ptp_req_tx_single_tstamp(tx, idx);
++ }
+ spin_unlock_irqrestore(&tx->lock, flags);
+
+ val = GLINT_DYN_CTL_INTENA_M | GLINT_DYN_CTL_CLEARPBA_M |
+--
+2.50.1
+
--- /dev/null
+From 9da88934276fb787f13b64f4048ec4ece37b1f4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Aug 2025 11:14:35 +0200
+Subject: icmp: fix icmp_ndo_send address translation for reply direction
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fabian Bläse <fabian@blaese.de>
+
+[ Upstream commit c6dd1aa2cbb72b33e0569f3e71d95792beab5042 ]
+
+The icmp_ndo_send function was originally introduced to ensure proper
+rate limiting when icmp_send is called by a network device driver,
+where the packet's source address may have already been transformed
+by SNAT.
+
+However, the original implementation only considers the
+IP_CT_DIR_ORIGINAL direction for SNAT and always replaced the packet's
+source address with that of the original-direction tuple. This causes
+two problems:
+
+1. For SNAT:
+ Reply-direction packets were incorrectly translated using the source
+ address of the CT original direction, even though no translation is
+ required.
+
+2. For DNAT:
+ Reply-direction packets were not handled at all. In DNAT, the original
+ direction's destination is translated. Therefore, in the reply
+ direction the source address must be set to the reply-direction
+ source, so rate limiting works as intended.
+
+Fix this by using the connection direction to select the correct tuple
+for source address translation, and adjust the pre-checks to handle
+reply-direction packets in case of DNAT.
+
+Additionally, wrap the `ct->status` access in READ_ONCE(). This avoids
+possible KCSAN reports about concurrent updates to `ct->status`.
+
+Fixes: 0b41713b6066 ("icmp: introduce helper for nat'd source address in network device context")
+Signed-off-by: Fabian Bläse <fabian@blaese.de>
+Cc: Jason A. Donenfeld <Jason@zx2c4.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/icmp.c | 6 ++++--
+ net/ipv6/ip6_icmp.c | 6 ++++--
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index b8111ec651b54..8f11870b77377 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -799,11 +799,12 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info)
+ struct sk_buff *cloned_skb = NULL;
+ struct ip_options opts = { 0 };
+ enum ip_conntrack_info ctinfo;
++ enum ip_conntrack_dir dir;
+ struct nf_conn *ct;
+ __be32 orig_ip;
+
+ ct = nf_ct_get(skb_in, &ctinfo);
+- if (!ct || !(ct->status & IPS_SRC_NAT)) {
++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) {
+ __icmp_send(skb_in, type, code, info, &opts);
+ return;
+ }
+@@ -818,7 +819,8 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info)
+ goto out;
+
+ orig_ip = ip_hdr(skb_in)->saddr;
+- ip_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.ip;
++ dir = CTINFO2DIR(ctinfo);
++ ip_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.ip;
+ __icmp_send(skb_in, type, code, info, &opts);
+ ip_hdr(skb_in)->saddr = orig_ip;
+ out:
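Review bot: Nothing at the new `dir = CTINFO2DIR(ctinfo)` assignment says why `tuplehash[dir].tuple.src` is the right address in both directions, although that index is the whole fix. A short comment above it, e.g. `/* tuplehash[dir].tuple.src is the un-NATed source of a packet travelling in dir */`, would keep a later reader from going back to index 0. Because the pre-check in the first hunk now tests `IPS_NAT_MASK`, original-direction packets of a DNAT-only connection also appear to reach this point and rewrite the source with an identical address; that looks harmless, but it is worth confirming that the extra work in the lines between the two hunks is intended. The same applies to the matching hunks in net/ipv6/ip6_icmp.c, and icmp_ndo_send() continues outside both hunks.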
+diff --git a/net/ipv6/ip6_icmp.c b/net/ipv6/ip6_icmp.c
+index 9e3574880cb03..233914b63bdb8 100644
+--- a/net/ipv6/ip6_icmp.c
++++ b/net/ipv6/ip6_icmp.c
+@@ -54,11 +54,12 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info)
+ struct inet6_skb_parm parm = { 0 };
+ struct sk_buff *cloned_skb = NULL;
+ enum ip_conntrack_info ctinfo;
++ enum ip_conntrack_dir dir;
+ struct in6_addr orig_ip;
+ struct nf_conn *ct;
+
+ ct = nf_ct_get(skb_in, &ctinfo);
+- if (!ct || !(ct->status & IPS_SRC_NAT)) {
++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) {
+ __icmpv6_send(skb_in, type, code, info, &parm);
+ return;
+ }
+@@ -73,7 +74,8 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info)
+ goto out;
+
+ orig_ip = ipv6_hdr(skb_in)->saddr;
+- ipv6_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.in6;
++ dir = CTINFO2DIR(ctinfo);
++ ipv6_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.in6;
+ __icmpv6_send(skb_in, type, code, info, &parm);
+ ipv6_hdr(skb_in)->saddr = orig_ip;
+ out:
+--
+2.50.1
+
--- /dev/null
+From f725322b67428a86a2bf96f52b954dd6e5628463 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 16:43:00 -0700
+Subject: idpf: set mac type when adding and removing MAC filters
+
+From: Emil Tantilov <emil.s.tantilov@intel.com>
+
+[ Upstream commit acf3a5c8be80fe238c1a7629db1c21c74a1f9dd4 ]
+
+On control planes that allow changing the MAC address of the interface,
+the driver must provide a MAC type to avoid errors such as:
+
+idpf 0000:0a:00.0: Transaction failed (op 535)
+idpf 0000:0a:00.0: Received invalid MAC filter payload (op 535) (len 0)
+idpf 0000:0a:00.0: Transaction failed (op 536)
+
+These errors occur during driver load or when changing the MAC via:
+ip link set <iface> address <mac>
+
+Add logic to set the MAC type when sending ADD/DEL (opcodes 535/536) to
+the control plane. Since only one primary MAC is supported per vport, the
+driver only needs to send an ADD opcode when setting it. Remove the old
+address by calling __idpf_del_mac_filter(), which skips the message and
+just clears the entry from the internal list. This avoids an error on DEL
+as it attempts to remove an address already cleared by the preceding ADD
+opcode.
+
+Fixes: ce1b75d0635c ("idpf: add ptypes and MAC filter support")
+Reported-by: Jian Liu <jianliu@redhat.com>
+Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Samuel Salin <Samuel.salin@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/idpf/idpf_lib.c | 9 ++++++---
+ drivers/net/ethernet/intel/idpf/idpf_virtchnl.c | 12 ++++++++++++
+ 2 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+index 1468a0f0df2ba..52d9caab2fcb2 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+@@ -2278,6 +2278,7 @@ static int idpf_set_mac(struct net_device *netdev, void *p)
+ struct idpf_netdev_priv *np = netdev_priv(netdev);
+ struct idpf_vport_config *vport_config;
+ struct sockaddr *addr = p;
++ u8 old_mac_addr[ETH_ALEN];
+ struct idpf_vport *vport;
+ int err = 0;
+
+@@ -2301,17 +2302,19 @@ static int idpf_set_mac(struct net_device *netdev, void *p)
+ if (ether_addr_equal(netdev->dev_addr, addr->sa_data))
+ goto unlock_mutex;
+
++ ether_addr_copy(old_mac_addr, vport->default_mac_addr);
++ ether_addr_copy(vport->default_mac_addr, addr->sa_data);
+ vport_config = vport->adapter->vport_config[vport->idx];
+ err = idpf_add_mac_filter(vport, np, addr->sa_data, false);
+ if (err) {
+ __idpf_del_mac_filter(vport_config, addr->sa_data);
++ ether_addr_copy(vport->default_mac_addr, netdev->dev_addr);
+ goto unlock_mutex;
+ }
+
+- if (is_valid_ether_addr(vport->default_mac_addr))
+- idpf_del_mac_filter(vport, np, vport->default_mac_addr, false);
++ if (is_valid_ether_addr(old_mac_addr))
++ __idpf_del_mac_filter(vport_config, old_mac_addr);
+
+- ether_addr_copy(vport->default_mac_addr, addr->sa_data);
+ eth_hw_addr_set(netdev, addr->sa_data);
+
+ unlock_mutex:
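Review bot: The error path restores `vport->default_mac_addr` from `netdev->dev_addr` rather than from the `old_mac_addr` copy saved a few lines earlier. If the two can differ (the later `is_valid_ether_addr(old_mac_addr)` test suggests the saved value may not always be a valid address), the rollback leaves a value that was not there before the call; `ether_addr_copy(vport->default_mac_addr, old_mac_addr);` restores exactly what was saved. A one-line comment that default_mac_addr has to be updated before idpf_add_mac_filter() so that idpf_set_mac_type() marks the new address as primary would also explain the reordering. idpf_set_mac() starts and ends outside this hunk.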
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
+index 151beea20d343..f27a8cf3816db 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
+@@ -3513,6 +3513,16 @@ u32 idpf_get_vport_id(struct idpf_vport *vport)
+ return le32_to_cpu(vport_msg->vport_id);
+ }
+
++static void idpf_set_mac_type(struct idpf_vport *vport,
++ struct virtchnl2_mac_addr *mac_addr)
++{
++ bool is_primary;
++
++ is_primary = ether_addr_equal(vport->default_mac_addr, mac_addr->addr);
++ mac_addr->type = is_primary ? VIRTCHNL2_MAC_ADDR_PRIMARY :
++ VIRTCHNL2_MAC_ADDR_EXTRA;
++}
++
+ /**
+ * idpf_mac_filter_async_handler - Async callback for mac filters
+ * @adapter: private data struct
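Review bot: The new helper `idpf_set_mac_type()` has no kernel-doc, while the function right after it in this hunk does. I would add one that names both parameters and states that the type is chosen by comparing the address with `vport->default_mac_addr` at the time the message is built. That dependency matters: a DEL for an address that used to be primary is typed `VIRTCHNL2_MAC_ADDR_EXTRA` once default_mac_addr has changed. The commit avoids that case by not sending the DEL from idpf_set_mac(), but the helper itself should say so.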
+@@ -3642,6 +3652,7 @@ int idpf_add_del_mac_filters(struct idpf_vport *vport,
+ list) {
+ if (add && f->add) {
+ ether_addr_copy(mac_addr[i].addr, f->macaddr);
++ idpf_set_mac_type(vport, &mac_addr[i]);
+ i++;
+ f->add = false;
+ if (i == total_filters)
+@@ -3649,6 +3660,7 @@ int idpf_add_del_mac_filters(struct idpf_vport *vport,
+ }
+ if (!add && f->remove) {
+ ether_addr_copy(mac_addr[i].addr, f->macaddr);
++ idpf_set_mac_type(vport, &mac_addr[i]);
+ i++;
+ f->remove = false;
+ if (i == total_filters)
+--
+2.50.1
+
--- /dev/null
+From a59f73d91a412d9be965d5370f37d5d1975843da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Sep 2025 09:36:08 +0300
+Subject: ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit a51160f8da850a65afbf165f5bbac7ffb388bf74 ]
+
+The inetdev_init() function never returns NULL. Check for error
+pointers instead.
+
+Fixes: 22600596b675 ("ipv4: give an IPv4 dev to blackhole_netdev")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/aLaQWL9NguWmeM1i@stanley.mountain
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/devinet.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
+index a55e95046984d..46fa50576f581 100644
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -351,14 +351,13 @@ static void inetdev_destroy(struct in_device *in_dev)
+
+ static int __init inet_blackhole_dev_init(void)
+ {
+- int err = 0;
++ struct in_device *in_dev;
+
+ rtnl_lock();
+- if (!inetdev_init(blackhole_netdev))
+- err = -ENOMEM;
++ in_dev = inetdev_init(blackhole_netdev);
+ rtnl_unlock();
+
+- return err;
++ return PTR_ERR_OR_ZERO(in_dev);
+ }
+ late_initcall(inet_blackhole_dev_init);
+
+--
+2.50.1
+
--- /dev/null
+From e5b4cedbe1ca3b31c3afdd29dfacaa09b4e95990 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 10 Aug 2025 10:01:14 -0700
+Subject: ixgbe: fix incorrect map used in eee linkmode
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit b7e5c3e3bfa9dc8af75ff6d8633ad7070e1985e4 ]
+
+incorrectly used ixgbe_lp_map in loops intended to populate the
+supported and advertised EEE linkmode bitmaps based on ixgbe_ls_map.
+This results in incorrect bit setting and potential out-of-bounds
+access, since ixgbe_lp_map and ixgbe_ls_map have different sizes
+and purposes.
+
+ixgbe_lp_map[i] -> ixgbe_ls_map[i]
+
+Use ixgbe_ls_map for supported and advertised linkmodes, and keep
+ixgbe_lp_map usage only for link partner (lp_advertised) mapping.
+
+Fixes: 9356b6db9d05 ("net: ethernet: ixgbe: Convert EEE to use linkmodes")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
+index 9482e0cca8b7d..0b9ecb10aa7cf 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
+@@ -3443,13 +3443,13 @@ ixgbe_get_eee_fw(struct ixgbe_adapter *adapter, struct ethtool_keee *edata)
+
+ for (i = 0; i < ARRAY_SIZE(ixgbe_ls_map); ++i) {
+ if (hw->phy.eee_speeds_supported & ixgbe_ls_map[i].mac_speed)
+- linkmode_set_bit(ixgbe_lp_map[i].link_mode,
++ linkmode_set_bit(ixgbe_ls_map[i].link_mode,
+ edata->supported);
+ }
+
+ for (i = 0; i < ARRAY_SIZE(ixgbe_ls_map); ++i) {
+ if (hw->phy.eee_speeds_advertised & ixgbe_ls_map[i].mac_speed)
+- linkmode_set_bit(ixgbe_lp_map[i].link_mode,
++ linkmode_set_bit(ixgbe_ls_map[i].link_mode,
+ edata->advertised);
+ }
+
+--
+2.50.1
+
--- /dev/null
+From 334ef68fc8fc512be79e4e021554a80ede63d819 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 20:55:40 +0200
+Subject: macsec: read MACSEC_SA_ATTR_PN with nla_get_uint
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 030e1c45666629f72d0fc1d040f9d2915680de8e ]
+
+The code currently reads both U32 attributes and U64 attributes as
+U64, so when a U32 attribute is provided by userspace (ie, when not
+using XPN), on big endian systems, we'll load that value into the
+upper 32bits of the next_pn field instead of the lower 32bits. This
+means that the value that userspace provided is ignored (we only care
+about the lower 32bits for non-XPN), and we'll start using PNs from 0.
+
+Switch to nla_get_uint, which will read the value correctly on all
+arches, whether it's 32b or 64b.
+
+Fixes: 48ef50fa866a ("macsec: Netlink support of XPN cipher suites (IEEE 802.1AEbw)")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/1c1df1661b89238caf5beefb84a10ebfd56c66ea.1756459839.git.sd@queasysnail.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macsec.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index 090a56a5e456a..8b10112c30dc1 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -1843,7 +1843,7 @@ static int macsec_add_rxsa(struct sk_buff *skb, struct genl_info *info)
+
+ if (tb_sa[MACSEC_SA_ATTR_PN]) {
+ spin_lock_bh(&rx_sa->lock);
+- rx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]);
++ rx_sa->next_pn = nla_get_uint(tb_sa[MACSEC_SA_ATTR_PN]);
+ spin_unlock_bh(&rx_sa->lock);
+ }
+
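Review bot: `nla_get_uint()` does a 32-bit read only when the attribute payload is exactly 4 bytes and a 64-bit read otherwise, so this assignment is safe only if MACSEC_SA_ATTR_PN has already been restricted to 4 or 8 bytes. That check is not visible in this hunk (presumably the netlink policy or a validate helper performs it), so a comment at the call, e.g. `/* PN length (4, or 8 for XPN) was validated earlier */`, would document the dependency. The same applies to the three other call sites changed in macsec_add_txsa(), macsec_upd_txsa() and macsec_upd_rxsa(). All four functions extend beyond their hunks.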
+@@ -2085,7 +2085,7 @@ static int macsec_add_txsa(struct sk_buff *skb, struct genl_info *info)
+ }
+
+ spin_lock_bh(&tx_sa->lock);
+- tx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]);
++ tx_sa->next_pn = nla_get_uint(tb_sa[MACSEC_SA_ATTR_PN]);
+ spin_unlock_bh(&tx_sa->lock);
+
+ if (tb_sa[MACSEC_SA_ATTR_ACTIVE])
+@@ -2397,7 +2397,7 @@ static int macsec_upd_txsa(struct sk_buff *skb, struct genl_info *info)
+
+ spin_lock_bh(&tx_sa->lock);
+ prev_pn = tx_sa->next_pn_halves;
+- tx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]);
++ tx_sa->next_pn = nla_get_uint(tb_sa[MACSEC_SA_ATTR_PN]);
+ spin_unlock_bh(&tx_sa->lock);
+ }
+
+@@ -2495,7 +2495,7 @@ static int macsec_upd_rxsa(struct sk_buff *skb, struct genl_info *info)
+
+ spin_lock_bh(&rx_sa->lock);
+ prev_pn = rx_sa->next_pn_halves;
+- rx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]);
++ rx_sa->next_pn = nla_get_uint(tb_sa[MACSEC_SA_ATTR_PN]);
+ spin_unlock_bh(&rx_sa->lock);
+ }
+
+--
+2.50.1
+
--- /dev/null
+From 01ebc574aade76dfe73daf82177ba9c003e5e646 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Sep 2025 03:20:55 -0700
+Subject: mctp: return -ENOPROTOOPT for unknown getsockopt options
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit a125c8fb9ddbcb0602103a50727a476fd30dec01 ]
+
+In mctp_getsockopt(), unrecognized options currently return -EINVAL.
+In contrast, mctp_setsockopt() returns -ENOPROTOOPT for unknown
+options.
+
+Update mctp_getsockopt() to also return -ENOPROTOOPT for unknown
+options. This aligns the behavior of getsockopt() and setsockopt(),
+and matches the standard kernel socket API convention for handling
+unsupported options.
+
+Fixes: 99ce45d5e7db ("mctp: Implement extended addressing")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://patch.msgid.link/20250902102059.1370008-1-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mctp/af_mctp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mctp/af_mctp.c b/net/mctp/af_mctp.c
+index 70aeebfc4182e..9a552569143bb 100644
+--- a/net/mctp/af_mctp.c
++++ b/net/mctp/af_mctp.c
+@@ -346,7 +346,7 @@ static int mctp_getsockopt(struct socket *sock, int level, int optname,
+ return 0;
+ }
+
+- return -EINVAL;
++ return -ENOPROTOOPT;
+ }
+
+ /* helpers for reading/writing the tag ioc, handling compatibility across the
+--
+2.50.1
+
--- /dev/null
+From 234fe42f5d1e99cd99ab945d0e0b407be263ea73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Aug 2025 16:14:57 +0800
+Subject: mISDN: Fix memory leak in dsp_hwec_enable()
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 0704a3da7ce50f972e898bbda88d2692a22922d9 ]
+
+dsp_hwec_enable() allocates dup pointer by kstrdup(arg),
+but then it updates dup variable by strsep(&dup, ",").
+As a result when it calls kfree(dup), the dup variable may be
+a modified pointer that no longer points to the original allocated
+memory, causing a memory leak.
+
+The issue is the same pattern as fixed in commit c6a502c22999
+("mISDN: Fix memory leak in dsp_pipeline_build()").
+
+Fixes: 9a4381618262 ("mISDN: Remove VLAs")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250828081457.36061-1-linmq006@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/mISDN/dsp_hwec.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/isdn/mISDN/dsp_hwec.c b/drivers/isdn/mISDN/dsp_hwec.c
+index 0b3f29195330a..0cd216e28f009 100644
+--- a/drivers/isdn/mISDN/dsp_hwec.c
++++ b/drivers/isdn/mISDN/dsp_hwec.c
+@@ -51,14 +51,14 @@ void dsp_hwec_enable(struct dsp *dsp, const char *arg)
+ goto _do;
+
+ {
+- char *dup, *tok, *name, *val;
++ char *dup, *next, *tok, *name, *val;
+ int tmp;
+
+- dup = kstrdup(arg, GFP_ATOMIC);
++ dup = next = kstrdup(arg, GFP_ATOMIC);
+ if (!dup)
+ return;
+
+- while ((tok = strsep(&dup, ","))) {
++ while ((tok = strsep(&next, ","))) {
+ if (!strlen(tok))
+ continue;
+ name = strsep(&tok, "=");
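Review bot: The chained assignment `dup = next = kstrdup(arg, GFP_ATOMIC);` is easy to misread and is the form checkpatch warns about. Splitting it into `dup = kstrdup(arg, GFP_ATOMIC);` and, after the NULL check, `next = dup;` reads more plainly. A comment on the declaration such as `/* dup keeps the allocation for kfree(); next is the strsep() cursor */` would record why two pointers are needed, since the kfree() that motivated the fix lies outside this hunk.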
+--
+2.50.1
+
--- /dev/null
+From 99c1e9900b5c015c1b5110a4ace9cb2c1b1cd37f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Sep 2025 14:35:37 +0800
+Subject: net: atm: fix memory leak in atm_register_sysfs when device_register
+ fail
+
+From: Wang Liang <wangliang74@huawei.com>
+
+[ Upstream commit 0a228624bcc00af41f281a2a84c928595a74c17d ]
+
+When device_register() return error in atm_register_sysfs(), which can be
+triggered by kzalloc fail in device_private_init() or other reasons,
+kmemleak reports the following memory leaks:
+
+unreferenced object 0xffff88810182fb80 (size 8):
+ comm "insmod", pid 504, jiffies 4294852464
+ hex dump (first 8 bytes):
+ 61 64 75 6d 6d 79 30 00 adummy0.
+ backtrace (crc 14dfadaf):
+ __kmalloc_node_track_caller_noprof+0x335/0x450
+ kvasprintf+0xb3/0x130
+ kobject_set_name_vargs+0x45/0x120
+ dev_set_name+0xa9/0xe0
+ atm_register_sysfs+0xf3/0x220
+ atm_dev_register+0x40b/0x780
+ 0xffffffffa000b089
+ do_one_initcall+0x89/0x300
+ do_init_module+0x27b/0x7d0
+ load_module+0x54cd/0x5ff0
+ init_module_from_file+0xe4/0x150
+ idempotent_init_module+0x32c/0x610
+ __x64_sys_finit_module+0xbd/0x120
+ do_syscall_64+0xa8/0x270
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+When device_create_file() return error in atm_register_sysfs(), the same
+issue also can be triggered.
+
+Function put_device() should be called to release kobj->name memory and
+other device resource, instead of kfree().
+
+Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
+Signed-off-by: Wang Liang <wangliang74@huawei.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250901063537.1472221-1-wangliang74@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/atm/resources.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/atm/resources.c b/net/atm/resources.c
+index b19d851e1f443..7c6fdedbcf4e5 100644
+--- a/net/atm/resources.c
++++ b/net/atm/resources.c
+@@ -112,7 +112,9 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent,
+
+ if (atm_proc_dev_register(dev) < 0) {
+ pr_err("atm_proc_dev_register failed for dev %s\n", type);
+- goto out_fail;
++ mutex_unlock(&atm_dev_mutex);
++ kfree(dev);
++ return NULL;
+ }
+
+ if (atm_register_sysfs(dev, parent) < 0) {
+@@ -128,7 +130,7 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent,
+ return dev;
+
+ out_fail:
+- kfree(dev);
++ put_device(&dev->class_dev);
+ dev = NULL;
+ goto out;
+ }
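Review bot: `out_fail` now ends in `put_device(&dev->class_dev)`, which is only valid once class_dev has been initialised, and the code does not say so. That is presumably why the atm_proc_dev_register() failure in the first hunk no longer jumps there and frees with kfree() by hand. A comment on the label, e.g. `/* class_dev is initialised from here on; its release callback frees dev */`, would stop a future error path from picking the wrong cleanup. The hand-written unlock/kfree/return in the first hunk could also become a second label (`out_free`) so the function keeps a single unlock site. Whether the release callback really frees dev cannot be confirmed from these hunks, which cover only part of atm_dev_register().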
+--
+2.50.1
+
--- /dev/null
+From f5d8129c443fed2c6939309ec914b75cae288c6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Aug 2025 20:20:07 +0200
+Subject: net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit d4736737110ffa83d29f1c5d17b26113864205f6 ]
+
+When sending llc packets with vlan tx offload, the hardware fails to
+actually add the tag. Deal with this by fixing it up in software.
+
+Fixes: 656e705243fd ("net-next: mediatek: add support for MT7623 ethernet")
+Reported-by: Thibaut VARENE <hacks@slashdirt.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250831182007.51619-1-nbd@nbd.name
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index 272f178906d61..64d86068b51eb 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -1606,6 +1606,13 @@ static netdev_tx_t mtk_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ bool gso = false;
+ int tx_num;
+
++ if (skb_vlan_tag_present(skb) &&
++ !eth_proto_is_802_3(eth_hdr(skb)->h_proto)) {
++ skb = __vlan_hwaccel_push_inside(skb);
++ if (!skb)
++ goto dropped;
++ }
++
+ /* normally we can rely on the stack not calling this more than once,
+ * however we have 2 queues running on the same ring so we need to lock
+ * the ring access
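Review bot: The jump to the new `dropped:` label skips `dev_kfree_skb_any(skb)` without saying why; it is correct only because `__vlan_hwaccel_push_inside()` frees the skb itself when it returns NULL. I would add a comment above the new block, e.g. `/* hw VLAN insertion does not tag LLC (802.3 length) frames; push the tag in software */`, and one at the goto, `/* skb already freed by the helper */`. The goto is taken before the ring lock is acquired, so the label has to stay below the `spin_unlock()` call, as the second hunk places it. mtk_start_xmit() starts and ends outside both hunks, and `stats` is assumed to be assigned before the first goto.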
+@@ -1651,8 +1658,9 @@ static netdev_tx_t mtk_start_xmit(struct sk_buff *skb, struct net_device *dev)
+
+ drop:
+ spin_unlock(ð->page_lock);
+- stats->tx_dropped++;
+ dev_kfree_skb_any(skb);
++dropped:
++ stats->tx_dropped++;
+ return NETDEV_TX_OK;
+ }
+
+--
+2.50.1
+
--- /dev/null
+From de87e94bd40fcc792e7deed5c568062d46ec3ab5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 10:35:21 -0400
+Subject: net: macb: Fix tx_ptr_lock locking
+
+From: Sean Anderson <sean.anderson@linux.dev>
+
+[ Upstream commit 6bc8a5098bf4a365c4086a4a4130bfab10a58260 ]
+
+macb_start_xmit and macb_tx_poll can be called with bottom-halves
+disabled (e.g. from softirq) as well as with interrupts disabled (with
+netpoll). Because of this, all other functions taking tx_ptr_lock must
+use spin_lock_irqsave.
+
+Fixes: 138badbc21a0 ("net: macb: use NAPI for TX completion path")
+Reported-by: Mike Galbraith <efault@gmx.de>
+Signed-off-by: Sean Anderson <sean.anderson@linux.dev>
+Link: https://patch.msgid.link/20250829143521.1686062-1-sean.anderson@linux.dev
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 28 ++++++++++++++----------
+ 1 file changed, 16 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index 6c2d69ef1a8db..f7e8c08d84415 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -1234,11 +1234,12 @@ static int macb_tx_complete(struct macb_queue *queue, int budget)
+ {
+ struct macb *bp = queue->bp;
+ u16 queue_index = queue - bp->queues;
++ unsigned long flags;
+ unsigned int tail;
+ unsigned int head;
+ int packets = 0;
+
+- spin_lock(&queue->tx_ptr_lock);
++ spin_lock_irqsave(&queue->tx_ptr_lock, flags);
+ head = queue->tx_head;
+ for (tail = queue->tx_tail; tail != head && packets < budget; tail++) {
+ struct macb_tx_skb *tx_skb;
+@@ -1297,7 +1298,7 @@ static int macb_tx_complete(struct macb_queue *queue, int budget)
+ CIRC_CNT(queue->tx_head, queue->tx_tail,
+ bp->tx_ring_size) <= MACB_TX_WAKEUP_THRESH(bp))
+ netif_wake_subqueue(bp->dev, queue_index);
+- spin_unlock(&queue->tx_ptr_lock);
++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags);
+
+ return packets;
+ }
+@@ -1713,8 +1714,9 @@ static void macb_tx_restart(struct macb_queue *queue)
+ {
+ struct macb *bp = queue->bp;
+ unsigned int head_idx, tbqp;
++ unsigned long flags;
+
+- spin_lock(&queue->tx_ptr_lock);
++ spin_lock_irqsave(&queue->tx_ptr_lock, flags);
+
+ if (queue->tx_head == queue->tx_tail)
+ goto out_tx_ptr_unlock;
+@@ -1726,19 +1728,20 @@ static void macb_tx_restart(struct macb_queue *queue)
+ if (tbqp == head_idx)
+ goto out_tx_ptr_unlock;
+
+- spin_lock_irq(&bp->lock);
++ spin_lock(&bp->lock);
+ macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(TSTART));
+- spin_unlock_irq(&bp->lock);
++ spin_unlock(&bp->lock);
+
+ out_tx_ptr_unlock:
+- spin_unlock(&queue->tx_ptr_lock);
++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags);
+ }
+
+ static bool macb_tx_complete_pending(struct macb_queue *queue)
+ {
+ bool retval = false;
++ unsigned long flags;
+
+- spin_lock(&queue->tx_ptr_lock);
++ spin_lock_irqsave(&queue->tx_ptr_lock, flags);
+ if (queue->tx_head != queue->tx_tail) {
+ /* Make hw descriptor updates visible to CPU */
+ rmb();
+@@ -1746,7 +1749,7 @@ static bool macb_tx_complete_pending(struct macb_queue *queue)
+ if (macb_tx_desc(queue, queue->tx_tail)->ctrl & MACB_BIT(TX_USED))
+ retval = true;
+ }
+- spin_unlock(&queue->tx_ptr_lock);
++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags);
+ return retval;
+ }
+
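Review bot: The inner `spin_lock(&bp->lock)` in macb_tx_restart() is correct only because the enclosing `spin_lock_irqsave(&queue->tx_ptr_lock, flags)` has already disabled interrupts, and nothing at the call says so. A comment such as `/* IRQs are off: tx_ptr_lock is held with irqsave */` above it would stop someone from later taking bp->lock on this path without the outer lock. The same pair appears in the macb_start_xmit() hunks further down. With irqsave now held across macb_tx_complete(), interrupts stay off for up to `budget` completions; the loop body is outside the hunks, so whether that latency is acceptable has to be checked against the full function.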
+@@ -2314,6 +2317,7 @@ static netdev_tx_t macb_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ struct macb_queue *queue = &bp->queues[queue_index];
+ unsigned int desc_cnt, nr_frags, frag_size, f;
+ unsigned int hdrlen;
++ unsigned long flags;
+ bool is_lso;
+ netdev_tx_t ret = NETDEV_TX_OK;
+
+@@ -2374,7 +2378,7 @@ static netdev_tx_t macb_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ desc_cnt += DIV_ROUND_UP(frag_size, bp->max_tx_length);
+ }
+
+- spin_lock_bh(&queue->tx_ptr_lock);
++ spin_lock_irqsave(&queue->tx_ptr_lock, flags);
+
+ /* This is a hard error, log it. */
+ if (CIRC_SPACE(queue->tx_head, queue->tx_tail,
+@@ -2396,15 +2400,15 @@ static netdev_tx_t macb_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ wmb();
+ skb_tx_timestamp(skb);
+
+- spin_lock_irq(&bp->lock);
++ spin_lock(&bp->lock);
+ macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(TSTART));
+- spin_unlock_irq(&bp->lock);
++ spin_unlock(&bp->lock);
+
+ if (CIRC_SPACE(queue->tx_head, queue->tx_tail, bp->tx_ring_size) < 1)
+ netif_stop_subqueue(dev, queue_index);
+
+ unlock:
+- spin_unlock_bh(&queue->tx_ptr_lock);
++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags);
+
+ return ret;
+ }
+--
+2.50.1
+
--- /dev/null
+From 84e22279d0604e355a61d6839a683237f7797c8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 15:28:26 +0800
+Subject: net: mctp: mctp_fraq_queue should take ownership of passed skb
+
+From: Jeremy Kerr <jk@codeconstruct.com.au>
+
+[ Upstream commit 773b27a8a2f00ce3134e92e50ea4794a98ba2b76 ]
+
+As of commit f5d83cf0eeb9 ("net: mctp: unshare packets when
+reassembling"), we skb_unshare() in mctp_frag_queue(). The unshare may
+invalidate the original skb pointer, so we need to treat the skb as
+entirely owned by the fraq queue, even on failure.
+
+Fixes: f5d83cf0eeb9 ("net: mctp: unshare packets when reassembling")
+Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
+Link: https://patch.msgid.link/20250829-mctp-skb-unshare-v1-1-1c28fe10235a@codeconstruct.com.au
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mctp/route.c | 35 +++++++++++++++++++----------------
+ 1 file changed, 19 insertions(+), 16 deletions(-)
+
+diff --git a/net/mctp/route.c b/net/mctp/route.c
+index d9c8e5a5f9ce9..19ff259d7bc43 100644
+--- a/net/mctp/route.c
++++ b/net/mctp/route.c
+@@ -325,6 +325,7 @@ static void mctp_skb_set_flow(struct sk_buff *skb, struct mctp_sk_key *key) {}
+ static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev) {}
+ #endif
+
++/* takes ownership of skb, both in success and failure cases */
+ static int mctp_frag_queue(struct mctp_sk_key *key, struct sk_buff *skb)
+ {
+ struct mctp_hdr *hdr = mctp_hdr(skb);
+@@ -334,8 +335,10 @@ static int mctp_frag_queue(struct mctp_sk_key *key, struct sk_buff *skb)
+ & MCTP_HDR_SEQ_MASK;
+
+ if (!key->reasm_head) {
+- /* Since we're manipulating the shared frag_list, ensure it isn't
+- * shared with any other SKBs.
++ /* Since we're manipulating the shared frag_list, ensure it
++ * isn't shared with any other SKBs. In the cloned case,
++ * this will free the skb; callers can no longer access it
++ * safely.
+ */
+ key->reasm_head = skb_unshare(skb, GFP_ATOMIC);
+ if (!key->reasm_head)
+@@ -349,10 +352,10 @@ static int mctp_frag_queue(struct mctp_sk_key *key, struct sk_buff *skb)
+ exp_seq = (key->last_seq + 1) & MCTP_HDR_SEQ_MASK;
+
+ if (this_seq != exp_seq)
+- return -EINVAL;
++ goto err_free;
+
+ if (key->reasm_head->len + skb->len > mctp_message_maxlen)
+- return -EINVAL;
++ goto err_free;
+
+ skb->next = NULL;
+ skb->sk = NULL;
+@@ -366,6 +369,10 @@ static int mctp_frag_queue(struct mctp_sk_key *key, struct sk_buff *skb)
+ key->reasm_head->truesize += skb->truesize;
+
+ return 0;
++
++err_free:
++ kfree_skb(skb);
++ return -EINVAL;
+ }
+
+ static int mctp_route_input(struct mctp_route *route, struct sk_buff *skb)
+@@ -476,18 +483,16 @@ static int mctp_route_input(struct mctp_route *route, struct sk_buff *skb)
+ * key isn't observable yet
+ */
+ mctp_frag_queue(key, skb);
++ skb = NULL;
+
+ /* if the key_add fails, we've raced with another
+ * SOM packet with the same src, dest and tag. There's
+ * no way to distinguish future packets, so all we
+- * can do is drop; we'll free the skb on exit from
+- * this function.
++ * can do is drop.
+ */
+ rc = mctp_key_add(key, msk);
+- if (!rc) {
++ if (!rc)
+ trace_mctp_key_acquire(key);
+- skb = NULL;
+- }
+
+ /* we don't need to release key->lock on exit, so
+ * clean up here and suppress the unlock via
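Review bot: The return value of `mctp_frag_queue(key, skb)` is still discarded on this start-of-message path, while `skb` is now cleared unconditionally. If queueing fails (the skb_unshare() call in mctp_frag_queue() can return NULL), the key is still passed to mctp_key_add() with no reasm_head. Later fragments are then rejected by the `!key->reasm_head` test further down, so this looks safe, but the key remains for a message that can never complete. Capturing the result with `rc = mctp_frag_queue(key, skb);` and skipping mctp_key_add() when it is non-zero would drop the message at once. mctp_route_input() begins and ends outside this hunk, so the right cleanup for that case has to be checked against the full function.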
+@@ -505,8 +510,7 @@ static int mctp_route_input(struct mctp_route *route, struct sk_buff *skb)
+ key = NULL;
+ } else {
+ rc = mctp_frag_queue(key, skb);
+- if (!rc)
+- skb = NULL;
++ skb = NULL;
+ }
+ }
+
+@@ -516,17 +520,16 @@ static int mctp_route_input(struct mctp_route *route, struct sk_buff *skb)
+ */
+
+ /* we need to be continuing an existing reassembly... */
+- if (!key->reasm_head)
++ if (!key->reasm_head) {
+ rc = -EINVAL;
+- else
++ } else {
+ rc = mctp_frag_queue(key, skb);
++ skb = NULL;
++ }
+
+ if (rc)
+ goto out_unlock;
+
+- /* we've queued; the queue owns the skb now */
+- skb = NULL;
+-
+ /* end of message? deliver to socket, and we're done with
+ * the reassembly/response key
+ */
+--
+2.50.1
+
--- /dev/null
+From a28fdbc6b7c73c346079857586ee879001e1842a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2024 10:28:19 +0800
+Subject: net: skb: add pskb_network_may_pull_reason() helper
+
+From: Menglong Dong <menglong8.dong@gmail.com>
+
+[ Upstream commit 454bbde8f0d465e93e5a3a4003ac6c7e62fa4473 ]
+
+Introduce the function pskb_network_may_pull_reason() and make
+pskb_network_may_pull() a simple inline call to it. The drop reasons of
+it just come from pskb_may_pull_reason.
+
+Signed-off-by: Menglong Dong <dongml2@chinatelecom.cn>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 6ead38147ebb ("vxlan: Fix NPD when refreshing an FDB entry with a nexthop object")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/skbuff.h | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
+index b2827fce5a2de..314328ab0b843 100644
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -3153,9 +3153,15 @@ static inline int skb_inner_network_offset(const struct sk_buff *skb)
+ return skb_inner_network_header(skb) - skb->data;
+ }
+
++static inline enum skb_drop_reason
++pskb_network_may_pull_reason(struct sk_buff *skb, unsigned int len)
++{
++ return pskb_may_pull_reason(skb, skb_network_offset(skb) + len);
++}
++
+ static inline int pskb_network_may_pull(struct sk_buff *skb, unsigned int len)
+ {
+- return pskb_may_pull(skb, skb_network_offset(skb) + len);
++ return pskb_network_may_pull_reason(skb, len) == SKB_NOT_DROPPED_YET;
+ }
+
+ /*
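Review bot: `pskb_network_may_pull_reason()` is added to a widely included header with no comment on its return contract. A short kernel-doc would help callers that are used to the boolean `pskb_network_may_pull()`. It should say that the helper returns `SKB_NOT_DROPPED_YET` when `len` bytes past the network header can be pulled, and otherwise the drop reason reported by pskb_may_pull_reason().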
+--
+2.50.1
+
--- /dev/null
+From ec38630dce22ce0547461c80db4dac6f2ec8c862 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Aug 2025 20:41:17 +0800
+Subject: net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync()
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit ba1e9421cf1a8369d25c3832439702a015d6b5f9 ]
+
+BUG: kernel NULL pointer dereference, address: 00000000000002ec
+PGD 0 P4D 0
+Oops: Oops: 0000 [#1] SMP PTI
+CPU: 28 UID: 0 PID: 343 Comm: kworker/28:1 Kdump: loaded Tainted: G OE 6.17.0-rc2+ #9 NONE
+Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
+Workqueue: smc_hs_wq smc_listen_work [smc]
+RIP: 0010:smc_ib_is_sg_need_sync+0x9e/0xd0 [smc]
+...
+Call Trace:
+ <TASK>
+ smcr_buf_map_link+0x211/0x2a0 [smc]
+ __smc_buf_create+0x522/0x970 [smc]
+ smc_buf_create+0x3a/0x110 [smc]
+ smc_find_rdma_v2_device_serv+0x18f/0x240 [smc]
+ ? smc_vlan_by_tcpsk+0x7e/0xe0 [smc]
+ smc_listen_find_device+0x1dd/0x2b0 [smc]
+ smc_listen_work+0x30f/0x580 [smc]
+ process_one_work+0x18c/0x340
+ worker_thread+0x242/0x360
+ kthread+0xe7/0x220
+ ret_from_fork+0x13a/0x160
+ ret_from_fork_asm+0x1a/0x30
+ </TASK>
+
+If the software RoCE device is used, ibdev->dma_device is a null pointer.
+As a result, the problem occurs. Null pointer detection is added to
+prevent problems.
+
+Fixes: 0ef69e788411c ("net/smc: optimize for smc_sndbuf_sync_sg_for_device and smc_rmb_sync_sg_for_cpu")
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Reviewed-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Reviewed-by: D. Wythe <alibuda@linux.alibaba.com>
+Link: https://patch.msgid.link/20250828124117.2622624-1-liujian56@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/smc_ib.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/smc/smc_ib.c b/net/smc/smc_ib.c
+index 9c563cdbea908..fc07fc4ed9986 100644
+--- a/net/smc/smc_ib.c
++++ b/net/smc/smc_ib.c
+@@ -743,6 +743,9 @@ bool smc_ib_is_sg_need_sync(struct smc_link *lnk,
+ unsigned int i;
+ bool ret = false;
+
++ if (!lnk->smcibdev->ibdev->dma_device)
++ return ret;
++
+ /* for now there is just one DMA address */
+ for_each_sg(buf_slot->sgt[lnk->link_idx].sgl, sg,
+ buf_slot->sgt[lnk->link_idx].nents, i) {
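Review bot: The new early return carries no comment explaining why a NULL `dma_device` means "no sync needed", so the next reader has to find the commit message to learn that this is the software RoCE case. I would state it at the check: `/* software RoCE: no dma_device, nothing to sync */`. The guard also dereferences `lnk->smcibdev` and `->ibdev` unchecked; that is presumably safe for an established link, but the function starts and ends outside the hunk, so it cannot be confirmed from here. Whether other users of `ibdev->dma_device` in this file need the same guard is likewise not visible.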
+--
+2.50.1
+
--- /dev/null
+From 1922f6f4be3e3ccb1763b1cb710d0e24713cacdb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Sep 2025 10:20:41 +0200
+Subject: net/smc: Remove validation of reserved bits in CLC Decline message
+
+From: Mahanta Jambigi <mjambigi@linux.ibm.com>
+
+[ Upstream commit cc282f73bc0cbdf3ee7af2f2d3a2ef4e6b19242d ]
+
+Currently SMC code is validating the reserved bits while parsing the incoming
+CLC decline message & when this validation fails, its treated as a protocol
+error. As a result, the SMC connection is terminated instead of falling back to
+TCP. As per RFC7609[1] specs we shouldn't be validating the reserved bits that
+is part of CLC message. This patch fixes this issue.
+
+CLC Decline message format can be viewed here[2].
+
+[1] https://datatracker.ietf.org/doc/html/rfc7609#page-92
+[2] https://datatracker.ietf.org/doc/html/rfc7609#page-105
+
+Fixes: 8ade200c269f ("net/smc: add v2 format of CLC decline message")
+Signed-off-by: Mahanta Jambigi <mjambigi@linux.ibm.com>
+Reviewed-by: Sidraya Jayagond <sidraya@linux.ibm.com>
+Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
+Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
+Link: https://patch.msgid.link/20250902082041.98996-1-mjambigi@linux.ibm.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/smc_clc.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c
+index 521f5df80e10c..8a794333e9927 100644
+--- a/net/smc/smc_clc.c
++++ b/net/smc/smc_clc.c
+@@ -426,8 +426,6 @@ smc_clc_msg_decl_valid(struct smc_clc_msg_decline *dclc)
+ {
+ struct smc_clc_msg_hdr *hdr = &dclc->hdr;
+
+- if (hdr->typev1 != SMC_TYPE_R && hdr->typev1 != SMC_TYPE_D)
+- return false;
+ if (hdr->version == SMC_V1) {
+ if (ntohs(hdr->length) != sizeof(struct smc_clc_msg_decline))
+ return false;
+--
+2.50.1
+
--- /dev/null
+From bda5c6d94a78497b1d33fb812b268063eb57a53f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 Aug 2025 15:55:38 -0700
+Subject: net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6
+
+From: Christoph Paasch <cpaasch@openai.com>
+
+[ Upstream commit fa390321aba0a54d0f7ae95ee4ecde1358bb9234 ]
+
+When tcp_ao_copy_all_matching() fails in tcp_v6_syn_recv_sock() it just
+exits the function. This ends up causing a memory-leak:
+
+unreferenced object 0xffff0000281a8200 (size 2496):
+ comm "softirq", pid 0, jiffies 4295174684
+ hex dump (first 32 bytes):
+ 7f 00 00 06 7f 00 00 06 00 00 00 00 cb a8 88 13 ................
+ 0a 00 03 61 00 00 00 00 00 00 00 00 00 00 00 00 ...a............
+ backtrace (crc 5ebdbe15):
+ kmemleak_alloc+0x44/0xe0
+ kmem_cache_alloc_noprof+0x248/0x470
+ sk_prot_alloc+0x48/0x120
+ sk_clone_lock+0x38/0x3b0
+ inet_csk_clone_lock+0x34/0x150
+ tcp_create_openreq_child+0x3c/0x4a8
+ tcp_v6_syn_recv_sock+0x1c0/0x620
+ tcp_check_req+0x588/0x790
+ tcp_v6_rcv+0x5d0/0xc18
+ ip6_protocol_deliver_rcu+0x2d8/0x4c0
+ ip6_input_finish+0x74/0x148
+ ip6_input+0x50/0x118
+ ip6_sublist_rcv+0x2fc/0x3b0
+ ipv6_list_rcv+0x114/0x170
+ __netif_receive_skb_list_core+0x16c/0x200
+ netif_receive_skb_list_internal+0x1f0/0x2d0
+
+This is because in tcp_v6_syn_recv_sock (and the IPv4 counterpart), when
+exiting upon error, inet_csk_prepare_forced_close() and tcp_done() need
+to be called. They make sure the newsk will end up being correctly
+free'd.
+
+tcp_v4_syn_recv_sock() makes this very clear by having the put_and_exit
+label that takes care of things. So, this patch here makes sure
+tcp_v4_syn_recv_sock and tcp_v6_syn_recv_sock have similar
+error-handling and thus fixes the leak for TCP-AO.
+
+Fixes: 06b22ef29591 ("net/tcp: Wire TCP-AO to request sockets")
+Signed-off-by: Christoph Paasch <cpaasch@openai.com>
+Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com>
+Link: https://patch.msgid.link/20250830-tcpao_leak-v1-1-e5878c2c3173@openai.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/tcp_ipv6.c | 32 +++++++++++++++-----------------
+ 1 file changed, 15 insertions(+), 17 deletions(-)
+
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index 59173f58ce992..882ce5444572e 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1417,17 +1417,17 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
+ ireq = inet_rsk(req);
+
+ if (sk_acceptq_is_full(sk))
+- goto out_overflow;
++ goto exit_overflow;
+
+ if (!dst) {
+ dst = inet6_csk_route_req(sk, &fl6, req, IPPROTO_TCP);
+ if (!dst)
+- goto out;
++ goto exit;
+ }
+
+ newsk = tcp_create_openreq_child(sk, req, skb);
+ if (!newsk)
+- goto out_nonewsk;
++ goto exit_nonewsk;
+
+ /*
+ * No need to charge this sock to the relevant IPv6 refcnt debug socks
+@@ -1517,25 +1517,19 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
+ const union tcp_md5_addr *addr;
+
+ addr = (union tcp_md5_addr *)&newsk->sk_v6_daddr;
+- if (tcp_md5_key_copy(newsk, addr, AF_INET6, 128, l3index, key)) {
+- inet_csk_prepare_forced_close(newsk);
+- tcp_done(newsk);
+- goto out;
+- }
++ if (tcp_md5_key_copy(newsk, addr, AF_INET6, 128, l3index, key))
++ goto put_and_exit;
+ }
+ }
+ #endif
+ #ifdef CONFIG_TCP_AO
+ /* Copy over tcp_ao_info if any */
+ if (tcp_ao_copy_all_matching(sk, newsk, req, skb, AF_INET6))
+- goto out; /* OOM */
++ goto put_and_exit; /* OOM */
+ #endif
+
+- if (__inet_inherit_port(sk, newsk) < 0) {
+- inet_csk_prepare_forced_close(newsk);
+- tcp_done(newsk);
+- goto out;
+- }
++ if (__inet_inherit_port(sk, newsk) < 0)
++ goto put_and_exit;
+ *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash),
+ &found_dup_sk);
+ if (*own_req) {
+@@ -1562,13 +1556,17 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
+
+ return newsk;
+
+-out_overflow:
++exit_overflow:
+ __NET_INC_STATS(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS);
+-out_nonewsk:
++exit_nonewsk:
+ dst_release(dst);
+-out:
++exit:
+ tcp_listendrop(sk);
+ return NULL;
++put_and_exit:
++ inet_csk_prepare_forced_close(newsk);
++ tcp_done(newsk);
++ goto exit;
+ }
+
+ INDIRECT_CALLABLE_DECLARE(struct dst_entry *ipv4_dst_check(struct dst_entry *,
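Review bot: After this change every failure that happens once `newsk` exists must leave through `put_and_exit`, but nothing at the labels says so, and the plain `exit` label is still available to any error path added in that region. The leak being fixed came from exactly that mistake, so I would add a comment at the label: `/* newsk was created: force-close it before the listener drop accounting */`. `put_and_exit` does not call `dst_release(dst)`; that matches the paths it replaces, presumably because `newsk` holds the route by then, but the code that would show this lies outside the hunks. The same point covers the `goto put_and_exit` conversions in the previous hunk.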
+--
+2.50.1
+
--- /dev/null
+From 7e8e32a55bcaadfd75645f6396040e85adab3716 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Sep 2025 14:30:18 -0700
+Subject: net: thunder_bgx: add a missing of_node_put
+
+From: Rosen Penev <rosenp@gmail.com>
+
+[ Upstream commit 9d28f94912589f04ab51fbccaef287d4f40e0d1f ]
+
+phy_np needs to get freed, just like the other child nodes.
+
+Fixes: 5fc7cf179449 ("net: thunderx: Cleanup PHY probing code.")
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250901213018.47392-1-rosenp@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/cavium/thunder/thunder_bgx.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+index aa80c37022323..5afc0735b5827 100644
+--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+@@ -1493,13 +1493,17 @@ static int bgx_init_of_phy(struct bgx *bgx)
+ * this cortina phy, for which there is no driver
+ * support, ignore it.
+ */
+- if (phy_np &&
+- !of_device_is_compatible(phy_np, "cortina,cs4223-slice")) {
+- /* Wait until the phy drivers are available */
+- pd = of_phy_find_device(phy_np);
+- if (!pd)
+- goto defer;
+- bgx->lmac[lmac].phydev = pd;
++ if (phy_np) {
++ if (!of_device_is_compatible(phy_np, "cortina,cs4223-slice")) {
++ /* Wait until the phy drivers are available */
++ pd = of_phy_find_device(phy_np);
++ if (!pd) {
++ of_node_put(phy_np);
++ goto defer;
++ }
++ bgx->lmac[lmac].phydev = pd;
++ }
++ of_node_put(phy_np);
+ }
+
+ lmac++;
+--
+2.50.1
+
--- /dev/null
+From b084a1bb23095d389a0cc6f37f8a36f44aa28aa9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Sep 2025 14:33:14 -0700
+Subject: net: thunder_bgx: decrement cleanup index before use
+
+From: Rosen Penev <rosenp@gmail.com>
+
+[ Upstream commit 9e3d71a92e561ccc77025689dab25d201fee7a3e ]
+
+All paths in probe that call goto defer do so before assigning phydev
+and thus it makes sense to cleanup the prior index. It also fixes a bug
+where index 0 does not get cleaned up.
+
+Fixes: b7d3e3d3d21a ("net: thunderx: Don't leak phy device references on -EPROBE_DEFER condition.")
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250901213314.48599-1-rosenp@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+index 5afc0735b5827..a360d3dffccd4 100644
+--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+@@ -1519,11 +1519,11 @@ static int bgx_init_of_phy(struct bgx *bgx)
+ * for phy devices we may have already found.
+ */
+ while (lmac) {
++ lmac--;
+ if (bgx->lmac[lmac].phydev) {
+ put_device(&bgx->lmac[lmac].phydev->mdio.dev);
+ bgx->lmac[lmac].phydev = NULL;
+ }
+- lmac--;
+ }
+ of_node_put(node);
+ return -EPROBE_DEFER;
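Review bot: Decrementing before the check is only correct if `bgx->lmac[lmac].phydev` is never set for the index that was being probed when `goto defer` ran; the commit message states that invariant, but the loop itself does not. I would record it above the loop, e.g. `/* lmac is the entry that failed; only entries below it can hold a phydev reference */`, so that a later `goto defer` placed after the `phydev` assignment is recognised as a reference leak. The jumps that reach this loop are outside the hunk.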
+--
+2.50.1
+
--- /dev/null
+From 16335c441c6cafa04b5eb1e1a5105b36317ac3c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2024 10:28:20 +0800
+Subject: net: tunnel: add pskb_inet_may_pull_reason() helper
+
+From: Menglong Dong <menglong8.dong@gmail.com>
+
+[ Upstream commit 7f20dbd7de7b9b2804e6bf54b0c22f2bc447cd64 ]
+
+Introduce the function pskb_inet_may_pull_reason() and make
+pskb_inet_may_pull a simple inline call to it. The drop reasons of it just
+come from pskb_may_pull_reason().
+
+Signed-off-by: Menglong Dong <dongml2@chinatelecom.cn>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 6ead38147ebb ("vxlan: Fix NPD when refreshing an FDB entry with a nexthop object")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ip_tunnels.h | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h
+index 6a070478254d8..ae83a969ae64b 100644
+--- a/include/net/ip_tunnels.h
++++ b/include/net/ip_tunnels.h
+@@ -439,7 +439,8 @@ int ip_tunnel_encap_del_ops(const struct ip_tunnel_encap_ops *op,
+ int ip_tunnel_encap_setup(struct ip_tunnel *t,
+ struct ip_tunnel_encap *ipencap);
+
+-static inline bool pskb_inet_may_pull(struct sk_buff *skb)
++static inline enum skb_drop_reason
++pskb_inet_may_pull_reason(struct sk_buff *skb)
+ {
+ int nhlen;
+
+@@ -456,7 +457,12 @@ static inline bool pskb_inet_may_pull(struct sk_buff *skb)
+ nhlen = 0;
+ }
+
+- return pskb_network_may_pull(skb, nhlen);
++ return pskb_network_may_pull_reason(skb, nhlen);
++}
++
++static inline bool pskb_inet_may_pull(struct sk_buff *skb)
++{
++ return pskb_inet_may_pull_reason(skb) == SKB_NOT_DROPPED_YET;
+ }
+
+ /* Variant of pskb_inet_may_pull().
+--
+2.50.1
+
--- /dev/null
+From 05bad791ab132a59c880ca671de0412acb9cb5d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2024 10:28:22 +0800
+Subject: net: vxlan: add skb drop reasons to vxlan_rcv()
+
+From: Menglong Dong <menglong8.dong@gmail.com>
+
+[ Upstream commit 4c06d9daf8e6215447ca8a2ddd59fa09862c9bae ]
+
+Introduce skb drop reasons to the function vxlan_rcv(). Following new
+drop reasons are added:
+
+ SKB_DROP_REASON_VXLAN_INVALID_HDR
+ SKB_DROP_REASON_VXLAN_VNI_NOT_FOUND
+ SKB_DROP_REASON_IP_TUNNEL_ECN
+
+Signed-off-by: Menglong Dong <dongml2@chinatelecom.cn>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 6ead38147ebb ("vxlan: Fix NPD when refreshing an FDB entry with a nexthop object")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vxlan/vxlan_core.c | 26 ++++++++++++++++++++------
+ include/net/dropreason-core.h | 16 ++++++++++++++++
+ 2 files changed, 36 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
+index 1a70770938001..efd5e99808935 100644
+--- a/drivers/net/vxlan/vxlan_core.c
++++ b/drivers/net/vxlan/vxlan_core.c
+@@ -1671,13 +1671,15 @@ static int vxlan_rcv(struct sock *sk, struct sk_buff *skb)
+ struct vxlan_metadata _md;
+ struct vxlan_metadata *md = &_md;
+ __be16 protocol = htons(ETH_P_TEB);
++ enum skb_drop_reason reason;
+ bool raw_proto = false;
+ void *oiph;
+ __be32 vni = 0;
+ int nh;
+
+ /* Need UDP and VXLAN header to be present */
+- if (!pskb_may_pull(skb, VXLAN_HLEN))
++ reason = pskb_may_pull_reason(skb, VXLAN_HLEN);
++ if (reason)
+ goto drop;
+
+ unparsed = *vxlan_hdr(skb);
+@@ -1686,6 +1688,7 @@ static int vxlan_rcv(struct sock *sk, struct sk_buff *skb)
+ netdev_dbg(skb->dev, "invalid vxlan flags=%#x vni=%#x\n",
+ ntohl(vxlan_hdr(skb)->vx_flags),
+ ntohl(vxlan_hdr(skb)->vx_vni));
++ reason = SKB_DROP_REASON_VXLAN_INVALID_HDR;
+ /* Return non vxlan pkt */
+ goto drop;
+ }
+@@ -1699,8 +1702,10 @@ static int vxlan_rcv(struct sock *sk, struct sk_buff *skb)
+ vni = vxlan_vni(vxlan_hdr(skb)->vx_vni);
+
+ vxlan = vxlan_vs_find_vni(vs, skb->dev->ifindex, vni, &vninode);
+- if (!vxlan)
++ if (!vxlan) {
++ reason = SKB_DROP_REASON_VXLAN_VNI_NOT_FOUND;
+ goto drop;
++ }
+
+ /* For backwards compatibility, only allow reserved fields to be
+ * used by VXLAN extensions if explicitly requested.
+@@ -1713,8 +1718,10 @@ static int vxlan_rcv(struct sock *sk, struct sk_buff *skb)
+ }
+
+ if (__iptunnel_pull_header(skb, VXLAN_HLEN, protocol, raw_proto,
+- !net_eq(vxlan->net, dev_net(vxlan->dev))))
++ !net_eq(vxlan->net, dev_net(vxlan->dev)))) {
++ reason = SKB_DROP_REASON_NOMEM;
+ goto drop;
++ }
+
+ if (vs->flags & VXLAN_F_REMCSUM_RX)
+ if (unlikely(!vxlan_remcsum(&unparsed, skb, vs->flags)))
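Review bot: The `__iptunnel_pull_header()` failure is reported as `SKB_DROP_REASON_NOMEM`, which tells an operator the host ran out of memory even if the helper rejected the packet for another reason. Its body is not on this page, so this is hedged: if it can also fail on a truncated inner frame, remote traffic would show up as NOMEM drops and malformed-packet activity would be hidden from drop-reason monitoring. In that case a length reason such as `SKB_DROP_REASON_PKT_TOO_SMALL`, or a short comment explaining why NOMEM is accurate, would be preferable. Separately, the `vxlan_remcsum()` check at the end of this hunk sets no reason, so, assuming its `goto drop` follows outside the hunk, that drop is reported as `SKB_DROP_REASON_NOT_SPECIFIED` via the fallback at the `drop:` label.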
+@@ -1728,8 +1735,10 @@ static int vxlan_rcv(struct sock *sk, struct sk_buff *skb)
+ tun_dst = udp_tun_rx_dst(skb, vxlan_get_sk_family(vs), flags,
+ key32_to_tunnel_id(vni), sizeof(*md));
+
+- if (!tun_dst)
++ if (!tun_dst) {
++ reason = SKB_DROP_REASON_NOMEM;
+ goto drop;
++ }
+
+ md = ip_tunnel_info_opts(&tun_dst->u.tun_info);
+
+@@ -1753,6 +1762,7 @@ static int vxlan_rcv(struct sock *sk, struct sk_buff *skb)
+ * is more robust and provides a little more security in
+ * adding extensions to VXLAN.
+ */
++ reason = SKB_DROP_REASON_VXLAN_INVALID_HDR;
+ goto drop;
+ }
+
+@@ -1773,7 +1783,8 @@ static int vxlan_rcv(struct sock *sk, struct sk_buff *skb)
+
+ skb_reset_network_header(skb);
+
+- if (!pskb_inet_may_pull(skb)) {
++ reason = pskb_inet_may_pull_reason(skb);
++ if (reason) {
+ DEV_STATS_INC(vxlan->dev, rx_length_errors);
+ DEV_STATS_INC(vxlan->dev, rx_errors);
+ vxlan_vnifilter_count(vxlan, vni, vninode,
+@@ -1785,6 +1796,7 @@ static int vxlan_rcv(struct sock *sk, struct sk_buff *skb)
+ oiph = skb->head + nh;
+
+ if (!vxlan_ecn_decapsulate(vs, oiph, skb)) {
++ reason = SKB_DROP_REASON_IP_TUNNEL_ECN;
+ DEV_STATS_INC(vxlan->dev, rx_frame_errors);
+ DEV_STATS_INC(vxlan->dev, rx_errors);
+ vxlan_vnifilter_count(vxlan, vni, vninode,
+@@ -1799,6 +1811,7 @@ static int vxlan_rcv(struct sock *sk, struct sk_buff *skb)
+ dev_core_stats_rx_dropped_inc(vxlan->dev);
+ vxlan_vnifilter_count(vxlan, vni, vninode,
+ VXLAN_VNI_STATS_RX_DROPS, 0);
++ reason = SKB_DROP_REASON_DEV_READY;
+ goto drop;
+ }
+
+@@ -1811,8 +1824,9 @@ static int vxlan_rcv(struct sock *sk, struct sk_buff *skb)
+ return 0;
+
+ drop:
++ reason = reason ?: SKB_DROP_REASON_NOT_SPECIFIED;
+ /* Consume bad packet */
+- kfree_skb(skb);
++ kfree_skb_reason(skb, reason);
+ return 0;
+ }
+
+diff --git a/include/net/dropreason-core.h b/include/net/dropreason-core.h
+index 4748680e8c88e..98259d2b3e926 100644
+--- a/include/net/dropreason-core.h
++++ b/include/net/dropreason-core.h
+@@ -92,6 +92,9 @@
+ FN(PACKET_SOCK_ERROR) \
+ FN(TC_CHAIN_NOTFOUND) \
+ FN(TC_RECLASSIFY_LOOP) \
++ FN(VXLAN_INVALID_HDR) \
++ FN(VXLAN_VNI_NOT_FOUND) \
++ FN(IP_TUNNEL_ECN) \
+ FNe(MAX)
+
+ /**
+@@ -418,6 +421,19 @@ enum skb_drop_reason {
+ * iterations.
+ */
+ SKB_DROP_REASON_TC_RECLASSIFY_LOOP,
++ /**
++ * @SKB_DROP_REASON_VXLAN_INVALID_HDR: VXLAN header is invalid. E.g.:
++ * 1) reserved fields are not zero
++ * 2) "I" flag is not set
++ */
++ SKB_DROP_REASON_VXLAN_INVALID_HDR,
++ /** @SKB_DROP_REASON_VXLAN_VNI_NOT_FOUND: no VXLAN device found for VNI */
++ SKB_DROP_REASON_VXLAN_VNI_NOT_FOUND,
++ /**
++ * @SKB_DROP_REASON_IP_TUNNEL_ECN: skb is dropped according to
++ * RFC 6040 4.2, see __INET_ECN_decapsulate() for detail.
++ */
++ SKB_DROP_REASON_IP_TUNNEL_ECN,
+ /**
+ * @SKB_DROP_REASON_MAX: the maximum of core drop reasons, which
+ * shouldn't be used as a real 'reason' - only for tracing code gen
+--
+2.50.1
+
--- /dev/null
+From 4129353540f0134104269399ee01a6324a8577ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2024 10:28:25 +0800
+Subject: net: vxlan: make vxlan_set_mac() return drop reasons
+
+From: Menglong Dong <menglong8.dong@gmail.com>
+
+[ Upstream commit d209706f562ee4fa81bdf24cf6b679c3222aa06c ]
+
+Change the return type of vxlan_set_mac() from bool to enum
+skb_drop_reason. In this commit, the drop reason
+"SKB_DROP_REASON_LOCAL_MAC" is introduced for the case that the source
+mac of the packet is a local mac.
+
+Signed-off-by: Menglong Dong <dongml2@chinatelecom.cn>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 1f5d2fd1ca04 ("vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vxlan/vxlan_core.c | 19 ++++++++++---------
+ include/net/dropreason-core.h | 6 ++++++
+ 2 files changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
+index 58590ddbc6a15..d9077698c5a89 100644
+--- a/drivers/net/vxlan/vxlan_core.c
++++ b/drivers/net/vxlan/vxlan_core.c
+@@ -1605,9 +1605,9 @@ static void vxlan_parse_gbp_hdr(struct vxlanhdr *unparsed,
+ unparsed->vx_flags &= ~VXLAN_GBP_USED_BITS;
+ }
+
+-static bool vxlan_set_mac(struct vxlan_dev *vxlan,
+- struct vxlan_sock *vs,
+- struct sk_buff *skb, __be32 vni)
++static enum skb_drop_reason vxlan_set_mac(struct vxlan_dev *vxlan,
++ struct vxlan_sock *vs,
++ struct sk_buff *skb, __be32 vni)
+ {
+ union vxlan_addr saddr;
+ u32 ifindex = skb->dev->ifindex;
+@@ -1618,7 +1618,7 @@ static bool vxlan_set_mac(struct vxlan_dev *vxlan,
+
+ /* Ignore packet loops (and multicast echo) */
+ if (ether_addr_equal(eth_hdr(skb)->h_source, vxlan->dev->dev_addr))
+- return false;
++ return SKB_DROP_REASON_LOCAL_MAC;
+
+ /* Get address from the outer IP header */
+ if (vxlan_get_sk_family(vs) == AF_INET) {
+@@ -1631,11 +1631,11 @@ static bool vxlan_set_mac(struct vxlan_dev *vxlan,
+ #endif
+ }
+
+- if ((vxlan->cfg.flags & VXLAN_F_LEARN) &&
+- vxlan_snoop(skb->dev, &saddr, eth_hdr(skb)->h_source, ifindex, vni))
+- return false;
++ if (!(vxlan->cfg.flags & VXLAN_F_LEARN))
++ return SKB_NOT_DROPPED_YET;
+
+- return true;
++ return vxlan_snoop(skb->dev, &saddr, eth_hdr(skb)->h_source,
++ ifindex, vni);
+ }
+
+ static bool vxlan_ecn_decapsulate(struct vxlan_sock *vs, void *oiph,
+@@ -1768,7 +1768,8 @@ static int vxlan_rcv(struct sock *sk, struct sk_buff *skb)
+ }
+
+ if (!raw_proto) {
+- if (!vxlan_set_mac(vxlan, vs, skb, vni))
++ reason = vxlan_set_mac(vxlan, vs, skb, vni);
++ if (reason)
+ goto drop;
+ } else {
+ skb_reset_mac_header(skb);
+diff --git a/include/net/dropreason-core.h b/include/net/dropreason-core.h
+index 1cb8d7c953beb..fbf92d442c1b2 100644
+--- a/include/net/dropreason-core.h
++++ b/include/net/dropreason-core.h
+@@ -97,6 +97,7 @@
+ FN(MAC_INVALID_SOURCE) \
+ FN(VXLAN_ENTRY_EXISTS) \
+ FN(IP_TUNNEL_ECN) \
++ FN(LOCAL_MAC) \
+ FNe(MAX)
+
+ /**
+@@ -443,6 +444,11 @@ enum skb_drop_reason {
+ * RFC 6040 4.2, see __INET_ECN_decapsulate() for detail.
+ */
+ SKB_DROP_REASON_IP_TUNNEL_ECN,
++ /**
++ * @SKB_DROP_REASON_LOCAL_MAC: the source MAC address is equal to
++ * the MAC address of the local netdev.
++ */
++ SKB_DROP_REASON_LOCAL_MAC,
+ /**
+ * @SKB_DROP_REASON_MAX: the maximum of core drop reasons, which
+ * shouldn't be used as a real 'reason' - only for tracing code gen
+--
+2.50.1
+
--- /dev/null
+From 7ecbf2b72bfee5c1d0969f1b4c100c987605e18c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2024 10:28:24 +0800
+Subject: net: vxlan: make vxlan_snoop() return drop reasons
+
+From: Menglong Dong <menglong8.dong@gmail.com>
+
+[ Upstream commit 289fd4e75219a96f77c5d679166035cd5118d139 ]
+
+Change the return type of vxlan_snoop() from bool to enum
+skb_drop_reason. In this commit, two drop reasons are introduced:
+
+ SKB_DROP_REASON_MAC_INVALID_SOURCE
+ SKB_DROP_REASON_VXLAN_ENTRY_EXISTS
+
+Signed-off-by: Menglong Dong <dongml2@chinatelecom.cn>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 6ead38147ebb ("vxlan: Fix NPD when refreshing an FDB entry with a nexthop object")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vxlan/vxlan_core.c | 17 +++++++++--------
+ include/net/dropreason-core.h | 9 +++++++++
+ 2 files changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
+index efd5e99808935..c4ce577eb0908 100644
+--- a/drivers/net/vxlan/vxlan_core.c
++++ b/drivers/net/vxlan/vxlan_core.c
+@@ -1437,9 +1437,10 @@ static int vxlan_fdb_get(struct sk_buff *skb,
+ * and Tunnel endpoint.
+ * Return true if packet is bogus and should be dropped.
+ */
+-static bool vxlan_snoop(struct net_device *dev,
+- union vxlan_addr *src_ip, const u8 *src_mac,
+- u32 src_ifindex, __be32 vni)
++static enum skb_drop_reason vxlan_snoop(struct net_device *dev,
++ union vxlan_addr *src_ip,
++ const u8 *src_mac, u32 src_ifindex,
++ __be32 vni)
+ {
+ struct vxlan_dev *vxlan = netdev_priv(dev);
+ struct vxlan_fdb *f;
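Review bot: The comment kept above `vxlan_snoop()` still reads `Return true if packet is bogus and should be dropped`, but the function now returns `enum skb_drop_reason`. The text should follow the new contract, e.g. `* Return a drop reason if the packet is bogus and should be dropped, SKB_NOT_DROPPED_YET otherwise.` The polarity happens to survive (non-zero still means drop), which is why the stale wording is easy to miss.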
+@@ -1447,7 +1448,7 @@ static bool vxlan_snoop(struct net_device *dev,
+
+ /* Ignore packets from invalid src-address */
+ if (!is_valid_ether_addr(src_mac))
+- return true;
++ return SKB_DROP_REASON_MAC_INVALID_SOURCE;
+
+ #if IS_ENABLED(CONFIG_IPV6)
+ if (src_ip->sa.sa_family == AF_INET6 &&
+@@ -1461,15 +1462,15 @@ static bool vxlan_snoop(struct net_device *dev,
+
+ if (likely(vxlan_addr_equal(&rdst->remote_ip, src_ip) &&
+ rdst->remote_ifindex == ifindex))
+- return false;
++ return SKB_NOT_DROPPED_YET;
+
+ /* Don't migrate static entries, drop packets */
+ if (f->state & (NUD_PERMANENT | NUD_NOARP))
+- return true;
++ return SKB_DROP_REASON_VXLAN_ENTRY_EXISTS;
+
+ /* Don't override an fdb with nexthop with a learnt entry */
+ if (rcu_access_pointer(f->nh))
+- return true;
++ return SKB_DROP_REASON_VXLAN_ENTRY_EXISTS;
+
+ if (net_ratelimit())
+ netdev_info(dev,
+@@ -1497,7 +1498,7 @@ static bool vxlan_snoop(struct net_device *dev,
+ spin_unlock(&vxlan->hash_lock[hash_index]);
+ }
+
+- return false;
++ return SKB_NOT_DROPPED_YET;
+ }
+
+ static bool __vxlan_sock_release_prep(struct vxlan_sock *vs)
+diff --git a/include/net/dropreason-core.h b/include/net/dropreason-core.h
+index 98259d2b3e926..1cb8d7c953beb 100644
+--- a/include/net/dropreason-core.h
++++ b/include/net/dropreason-core.h
+@@ -94,6 +94,8 @@
+ FN(TC_RECLASSIFY_LOOP) \
+ FN(VXLAN_INVALID_HDR) \
+ FN(VXLAN_VNI_NOT_FOUND) \
++ FN(MAC_INVALID_SOURCE) \
++ FN(VXLAN_ENTRY_EXISTS) \
+ FN(IP_TUNNEL_ECN) \
+ FNe(MAX)
+
+@@ -429,6 +431,13 @@ enum skb_drop_reason {
+ SKB_DROP_REASON_VXLAN_INVALID_HDR,
+ /** @SKB_DROP_REASON_VXLAN_VNI_NOT_FOUND: no VXLAN device found for VNI */
+ SKB_DROP_REASON_VXLAN_VNI_NOT_FOUND,
++ /** @SKB_DROP_REASON_MAC_INVALID_SOURCE: source mac is invalid */
++ SKB_DROP_REASON_MAC_INVALID_SOURCE,
++ /**
++ * @SKB_DROP_REASON_VXLAN_ENTRY_EXISTS: trying to migrate a static
++ * entry or an entry pointing to a nexthop.
++ */
++ SKB_DROP_REASON_VXLAN_ENTRY_EXISTS,
+ /**
+ * @SKB_DROP_REASON_IP_TUNNEL_ECN: skb is dropped according to
+ * RFC 6040 4.2, see __INET_ECN_decapsulate() for detail.
+--
+2.50.1
+
--- /dev/null
+From 8762606b2ec57bf147d754e45e8642ef2c153e83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Dec 2024 11:36:05 -0500
+Subject: net: vxlan: rename SKB_DROP_REASON_VXLAN_NO_REMOTE
+
+From: Radu Rendec <rrendec@redhat.com>
+
+[ Upstream commit 46e0ccfb88f02ab2eb20a41d519d6e4c028652f2 ]
+
+The SKB_DROP_REASON_VXLAN_NO_REMOTE skb drop reason was introduced in
+the specific context of vxlan. As it turns out, there are similar cases
+when a packet needs to be dropped in other parts of the network stack,
+such as the bridge module.
+
+Rename SKB_DROP_REASON_VXLAN_NO_REMOTE and give it a more generic name,
+so that it can be used in other parts of the network stack. This is not
+a functional change, and the numeric value of the drop reason even
+remains unchanged.
+
+Signed-off-by: Radu Rendec <rrendec@redhat.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://patch.msgid.link/20241219163606.717758-2-rrendec@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 1f5d2fd1ca04 ("vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vxlan/vxlan_core.c | 4 ++--
+ drivers/net/vxlan/vxlan_mdb.c | 2 +-
+ include/net/dropreason-core.h | 6 +++---
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
+index 40f01a6aaed38..ce9dcd8e74a93 100644
+--- a/drivers/net/vxlan/vxlan_core.c
++++ b/drivers/net/vxlan/vxlan_core.c
+@@ -2787,7 +2787,7 @@ static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev)
+ dev_core_stats_tx_dropped_inc(dev);
+ vxlan_vnifilter_count(vxlan, vni, NULL,
+ VXLAN_VNI_STATS_TX_DROPS, 0);
+- kfree_skb_reason(skb, SKB_DROP_REASON_VXLAN_NO_REMOTE);
++ kfree_skb_reason(skb, SKB_DROP_REASON_NO_TX_TARGET);
+ return NETDEV_TX_OK;
+ }
+ }
+@@ -2810,7 +2810,7 @@ static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev)
+ if (fdst)
+ vxlan_xmit_one(skb, dev, vni, fdst, did_rsc);
+ else
+- kfree_skb_reason(skb, SKB_DROP_REASON_VXLAN_NO_REMOTE);
++ kfree_skb_reason(skb, SKB_DROP_REASON_NO_TX_TARGET);
+ }
+
+ return NETDEV_TX_OK;
+diff --git a/drivers/net/vxlan/vxlan_mdb.c b/drivers/net/vxlan/vxlan_mdb.c
+index e1173ae134284..ec86d1c024834 100644
+--- a/drivers/net/vxlan/vxlan_mdb.c
++++ b/drivers/net/vxlan/vxlan_mdb.c
+@@ -1712,7 +1712,7 @@ netdev_tx_t vxlan_mdb_xmit(struct vxlan_dev *vxlan,
+ vxlan_xmit_one(skb, vxlan->dev, src_vni,
+ rcu_dereference(fremote->rd), false);
+ else
+- kfree_skb_reason(skb, SKB_DROP_REASON_VXLAN_NO_REMOTE);
++ kfree_skb_reason(skb, SKB_DROP_REASON_NO_TX_TARGET);
+
+ return NETDEV_TX_OK;
+ }
+diff --git a/include/net/dropreason-core.h b/include/net/dropreason-core.h
+index d59bb96c5a02c..02e7be19b0428 100644
+--- a/include/net/dropreason-core.h
++++ b/include/net/dropreason-core.h
+@@ -96,7 +96,7 @@
+ FN(VXLAN_VNI_NOT_FOUND) \
+ FN(MAC_INVALID_SOURCE) \
+ FN(VXLAN_ENTRY_EXISTS) \
+- FN(VXLAN_NO_REMOTE) \
++ FN(NO_TX_TARGET) \
+ FN(IP_TUNNEL_ECN) \
+ FN(TUNNEL_TXINFO) \
+ FN(LOCAL_MAC) \
+@@ -441,8 +441,8 @@ enum skb_drop_reason {
+ * entry or an entry pointing to a nexthop.
+ */
+ SKB_DROP_REASON_VXLAN_ENTRY_EXISTS,
+- /** @SKB_DROP_REASON_VXLAN_NO_REMOTE: no remote found for xmit */
+- SKB_DROP_REASON_VXLAN_NO_REMOTE,
++ /** @SKB_DROP_REASON_NO_TX_TARGET: no target found for xmit */
++ SKB_DROP_REASON_NO_TX_TARGET,
+ /**
+ * @SKB_DROP_REASON_IP_TUNNEL_ECN: skb is dropped according to
+ * RFC 6040 4.2, see __INET_ECN_decapsulate() for detail.
+--
+2.50.1
+
--- /dev/null
+From 3f61f28d39e1e37304b5c5607c02455be8a3db83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2024 10:28:28 +0800
+Subject: net: vxlan: use kfree_skb_reason() in vxlan_mdb_xmit()
+
+From: Menglong Dong <menglong8.dong@gmail.com>
+
+[ Upstream commit 03483dbde80d102146a61ec09b9e90cfc4bb8be0 ]
+
+Replace kfree_skb() with kfree_skb_reason() in vxlan_mdb_xmit. No drop
+reasons are introduced in this commit.
+
+Signed-off-by: Menglong Dong <dongml2@chinatelecom.cn>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 1f5d2fd1ca04 ("vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vxlan/vxlan_mdb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/vxlan/vxlan_mdb.c b/drivers/net/vxlan/vxlan_mdb.c
+index 60eb95a06d551..e1173ae134284 100644
+--- a/drivers/net/vxlan/vxlan_mdb.c
++++ b/drivers/net/vxlan/vxlan_mdb.c
+@@ -1712,7 +1712,7 @@ netdev_tx_t vxlan_mdb_xmit(struct vxlan_dev *vxlan,
+ vxlan_xmit_one(skb, vxlan->dev, src_vni,
+ rcu_dereference(fremote->rd), false);
+ else
+- kfree_skb(skb);
++ kfree_skb_reason(skb, SKB_DROP_REASON_VXLAN_NO_REMOTE);
+
+ return NETDEV_TX_OK;
+ }
+--
+2.50.1
+
--- /dev/null
+From caa2ea2179057df8ad5656fe836d7917232464fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2024 10:28:26 +0800
+Subject: net: vxlan: use kfree_skb_reason() in vxlan_xmit()
+
+From: Menglong Dong <menglong8.dong@gmail.com>
+
+[ Upstream commit b71a576e452b800efeac49ecca116d954601d911 ]
+
+Replace kfree_skb() with kfree_skb_reason() in vxlan_xmit(). Following
+new skb drop reasons are introduced for vxlan:
+
+/* no remote found for xmit */
+SKB_DROP_REASON_VXLAN_NO_REMOTE
+/* packet without necessary metadata reached a device which is
+ * in "external" mode
+ */
+SKB_DROP_REASON_TUNNEL_TXINFO
+
+Signed-off-by: Menglong Dong <dongml2@chinatelecom.cn>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 1f5d2fd1ca04 ("vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vxlan/vxlan_core.c | 6 +++---
+ include/net/dropreason-core.h | 9 +++++++++
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
+index d9077698c5a89..40f01a6aaed38 100644
+--- a/drivers/net/vxlan/vxlan_core.c
++++ b/drivers/net/vxlan/vxlan_core.c
+@@ -2724,7 +2724,7 @@ static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev)
+ if (info && info->mode & IP_TUNNEL_INFO_TX)
+ vxlan_xmit_one(skb, dev, vni, NULL, false);
+ else
+- kfree_skb(skb);
++ kfree_skb_reason(skb, SKB_DROP_REASON_TUNNEL_TXINFO);
+ return NETDEV_TX_OK;
+ }
+ }
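Review bot: The drop in the `else` branch here, and the one in the last hunk of this file (`kfree_skb_reason(skb, SKB_DROP_REASON_VXLAN_NO_REMOTE)` under `if (fdst) … else`), free the skb without touching any counter in the lines shown, while the middle hunk calls `dev_core_stats_tx_dropped_inc(dev)` and `vxlan_vnifilter_count(...)` before freeing. If these two paths really are uncounted (the rest of vxlan_xmit() is outside the hunks), the drops show up only in drop-reason tracing and not in interface statistics. Consider adding `dev_core_stats_tx_dropped_inc(dev);` before the two frees so that all three drop paths are accounted the same way.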
+@@ -2787,7 +2787,7 @@ static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev)
+ dev_core_stats_tx_dropped_inc(dev);
+ vxlan_vnifilter_count(vxlan, vni, NULL,
+ VXLAN_VNI_STATS_TX_DROPS, 0);
+- kfree_skb(skb);
++ kfree_skb_reason(skb, SKB_DROP_REASON_VXLAN_NO_REMOTE);
+ return NETDEV_TX_OK;
+ }
+ }
+@@ -2810,7 +2810,7 @@ static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev)
+ if (fdst)
+ vxlan_xmit_one(skb, dev, vni, fdst, did_rsc);
+ else
+- kfree_skb(skb);
++ kfree_skb_reason(skb, SKB_DROP_REASON_VXLAN_NO_REMOTE);
+ }
+
+ return NETDEV_TX_OK;
+diff --git a/include/net/dropreason-core.h b/include/net/dropreason-core.h
+index fbf92d442c1b2..d59bb96c5a02c 100644
+--- a/include/net/dropreason-core.h
++++ b/include/net/dropreason-core.h
+@@ -96,7 +96,9 @@
+ FN(VXLAN_VNI_NOT_FOUND) \
+ FN(MAC_INVALID_SOURCE) \
+ FN(VXLAN_ENTRY_EXISTS) \
++ FN(VXLAN_NO_REMOTE) \
+ FN(IP_TUNNEL_ECN) \
++ FN(TUNNEL_TXINFO) \
+ FN(LOCAL_MAC) \
+ FNe(MAX)
+
+@@ -439,11 +441,18 @@ enum skb_drop_reason {
+ * entry or an entry pointing to a nexthop.
+ */
+ SKB_DROP_REASON_VXLAN_ENTRY_EXISTS,
++ /** @SKB_DROP_REASON_VXLAN_NO_REMOTE: no remote found for xmit */
++ SKB_DROP_REASON_VXLAN_NO_REMOTE,
+ /**
+ * @SKB_DROP_REASON_IP_TUNNEL_ECN: skb is dropped according to
+ * RFC 6040 4.2, see __INET_ECN_decapsulate() for detail.
+ */
+ SKB_DROP_REASON_IP_TUNNEL_ECN,
++ /**
++ * @SKB_DROP_REASON_TUNNEL_TXINFO: packet without necessary metadata
++ * reached a device which is in "external" mode.
++ */
++ SKB_DROP_REASON_TUNNEL_TXINFO,
+ /**
+ * @SKB_DROP_REASON_LOCAL_MAC: the source MAC address is equal to
+ * the MAC address of the local netdev.
+--
+2.50.1
+
--- /dev/null
+From 6a24744b60d37549544a78b92ec23561e85ca16a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Sep 2025 08:22:13 +0530
+Subject: net: xilinx: axienet: Add error handling for RX metadata pointer
+ retrieval
+
+From: Abin Joseph <abin.joseph@amd.com>
+
+[ Upstream commit 8bbceba7dc5090c00105e006ce28d1292cfda8dd ]
+
+Add proper error checking for dmaengine_desc_get_metadata_ptr() which
+can return an error pointer and lead to potential crashes or undefined
+behaviour if the pointer retrieval fails.
+
+Properly handle the error by unmapping DMA buffer, freeing the skb and
+returning early to prevent further processing with invalid data.
+
+Fixes: 6a91b846af85 ("net: axienet: Introduce dmaengine support")
+Signed-off-by: Abin Joseph <abin.joseph@amd.com>
+Reviewed-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
+Link: https://patch.msgid.link/20250903025213.3120181-1-abin.joseph@amd.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+index 1775e060d39d3..3339c5e1a57a9 100644
+--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+@@ -1127,6 +1127,15 @@ static void axienet_dma_rx_cb(void *data, const struct dmaengine_result *result)
+ &meta_max_len);
+ dma_unmap_single(lp->dev, skbuf_dma->dma_address, lp->max_frm_size,
+ DMA_FROM_DEVICE);
++
++ if (IS_ERR(app_metadata)) {
++ if (net_ratelimit())
++ netdev_err(lp->ndev, "Failed to get RX metadata pointer\n");
++ dev_kfree_skb_any(skb);
++ lp->ndev->stats.rx_dropped++;
++ goto rx_submit;
++ }
++
+ /* TODO: Derive app word index programmatically */
+ rx_len = (app_metadata[LEN_APP] & 0xFFFF);
+ skb_put(skb, rx_len);
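Review bot: The length taken from the descriptor metadata, `rx_len = (app_metadata[LEN_APP] & 0xFFFF)`, is still handed to `skb_put()` without being compared with the receive buffer size; the added `IS_ERR()` guard only covers a failed pointer lookup. The buffer was mapped with `lp->max_frm_size` (see the `dma_unmap_single()` call above) and the mask allows values up to 65535, so a larger length would trip the overrun check in `skb_put()` and panic the kernel, assuming the skb was allocated with that size (the allocation is outside the hunk). A check such as `if (unlikely(rx_len > lp->max_frm_size))` that takes the same drop path as the new `IS_ERR()` branch (free the skb, bump `rx_dropped`, `goto rx_submit`) would close that. axienet_dma_rx_cb() starts before and continues after this hunk.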
+@@ -1139,6 +1148,7 @@ static void axienet_dma_rx_cb(void *data, const struct dmaengine_result *result)
+ u64_stats_add(&lp->rx_bytes, rx_len);
+ u64_stats_update_end(&lp->rx_stat_sync);
+
++rx_submit:
+ for (i = 0; i < CIRC_SPACE(lp->rx_ring_head, lp->rx_ring_tail,
+ RX_BUF_NUM_DEFAULT); i++)
+ axienet_rx_submit_desc(lp->ndev);
+--
+2.50.1
+
--- /dev/null
+From 75c7377b305279bbe7772e0777fd4b6733e3f2e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 16:23:52 +0000
+Subject: net_sched: gen_estimator: fix est_timer() vs CONFIG_PREEMPT_RT=y
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 9f74c0ea9b26d1505d55b61e36b1623dd347e1d1 ]
+
+syzbot reported a WARNING in est_timer() [1]
+
+Problem here is that with CONFIG_PREEMPT_RT=y, timer callbacks
+can be preempted.
+
+Adopt preempt_disable_nested()/preempt_enable_nested() to fix this.
+
+[1]
+ WARNING: CPU: 0 PID: 16 at ./include/linux/seqlock.h:221 __seqprop_assert include/linux/seqlock.h:221 [inline]
+ WARNING: CPU: 0 PID: 16 at ./include/linux/seqlock.h:221 est_timer+0x6dc/0x9f0 net/core/gen_estimator.c:93
+Modules linked in:
+CPU: 0 UID: 0 PID: 16 Comm: ktimers/0 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
+ RIP: 0010:__seqprop_assert include/linux/seqlock.h:221 [inline]
+ RIP: 0010:est_timer+0x6dc/0x9f0 net/core/gen_estimator.c:93
+Call Trace:
+ <TASK>
+ call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747
+ expire_timers kernel/time/timer.c:1798 [inline]
+ __run_timers kernel/time/timer.c:2372 [inline]
+ __run_timer_base+0x648/0x970 kernel/time/timer.c:2384
+ run_timer_base kernel/time/timer.c:2393 [inline]
+ run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403
+ handle_softirqs+0x22c/0x710 kernel/softirq.c:579
+ __do_softirq kernel/softirq.c:613 [inline]
+ run_ktimerd+0xcf/0x190 kernel/softirq.c:1043
+ smpboot_thread_fn+0x53f/0xa60 kernel/smpboot.c:160
+ kthread+0x70e/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
+ </TASK>
+
+Fixes: d2d6422f8bd1 ("x86: Allow to enable PREEMPT_RT.")
+Reported-by: syzbot+72db9ee39db57c3fecc5@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/68adf6fa.a70a0220.3cafd4.0000.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Link: https://patch.msgid.link/20250827162352.3960779-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/gen_estimator.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/core/gen_estimator.c b/net/core/gen_estimator.c
+index 412816076b8bc..392f1cb5cc479 100644
+--- a/net/core/gen_estimator.c
++++ b/net/core/gen_estimator.c
+@@ -90,10 +90,12 @@ static void est_timer(struct timer_list *t)
+ rate = (b_packets - est->last_packets) << (10 - est->intvl_log);
+ rate = (rate >> est->ewma_log) - (est->avpps >> est->ewma_log);
+
++ preempt_disable_nested();
+ write_seqcount_begin(&est->seq);
+ est->avbps += brate;
+ est->avpps += rate;
+ write_seqcount_end(&est->seq);
++ preempt_enable_nested();
+
+ est->last_bytes = b_bytes;
+ est->last_packets = b_packets;
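Review bot: The new `preempt_disable_nested()`/`preempt_enable_nested()` pair carries no comment, and the reason for it cannot be seen from est_timer() itself. A reader thinking of a non-RT kernel sees a timer callback disabling preemption around a short seqcount write and may take the pair for redundant. I would add a line above it such as `/* With PREEMPT_RT timer callbacks are preemptible; the seqcount write section must not be preempted. */`. est_timer() starts before and continues after the hunk.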
+--
+2.50.1
+
--- /dev/null
+From 6c8012325874886890f70a29c135545fa3d56cf9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 11:52:19 +0800
+Subject: netfilter: br_netfilter: do not check confirmed bit in
+ br_nf_local_in() after confirm
+
+From: Wang Liang <wangliang74@huawei.com>
+
+[ Upstream commit 479a54ab92087318514c82428a87af2d7af1a576 ]
+
+When send a broadcast packet to a tap device, which was added to a bridge,
+br_nf_local_in() is called to confirm the conntrack. If another conntrack
+with the same hash value is added to the hash table, which can be
+triggered by a normal packet to a non-bridge device, the below warning
+may happen.
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200
+ CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary)
+ RIP: 0010:br_nf_local_in+0x168/0x200
+ Call Trace:
+ <TASK>
+ nf_hook_slow+0x3e/0xf0
+ br_pass_frame_up+0x103/0x180
+ br_handle_frame_finish+0x2de/0x5b0
+ br_nf_hook_thresh+0xc0/0x120
+ br_nf_pre_routing_finish+0x168/0x3a0
+ br_nf_pre_routing+0x237/0x5e0
+ br_handle_frame+0x1ec/0x3c0
+ __netif_receive_skb_core+0x225/0x1210
+ __netif_receive_skb_one_core+0x37/0xa0
+ netif_receive_skb+0x36/0x160
+ tun_get_user+0xa54/0x10c0
+ tun_chr_write_iter+0x65/0xb0
+ vfs_write+0x305/0x410
+ ksys_write+0x60/0xd0
+ do_syscall_64+0xa4/0x260
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+ ---[ end trace 0000000000000000 ]---
+
+To solve the hash conflict, nf_ct_resolve_clash() try to merge the
+conntracks, and update skb->_nfct. However, br_nf_local_in() still use the
+old ct from local variable 'nfct' after confirm(), which leads to this
+warning.
+
+If confirm() does not insert the conntrack entry and return NF_DROP, the
+warning may also occur. There is no need to reserve the WARN_ON_ONCE, just
+remove it.
+
+Link: https://lore.kernel.org/netdev/20250820043329.2902014-1-wangliang74@huawei.com/
+Fixes: 62e7151ae3eb ("netfilter: bridge: confirm multicast packets before passing them up the stack")
+Suggested-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Wang Liang <wangliang74@huawei.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_netfilter_hooks.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
+index 17a5f5923d615..5ad3f3ef4ca75 100644
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -653,9 +653,6 @@ static unsigned int br_nf_local_in(void *priv,
+ break;
+ }
+
+- ct = container_of(nfct, struct nf_conn, ct_general);
+- WARN_ON_ONCE(!nf_ct_is_confirmed(ct));
+-
+ return ret;
+ }
+ #endif
+--
+2.50.1
+
--- /dev/null
+From 5bbc3be0077e9017e74037e9e734bcb3d0290ca2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 13:22:20 +0200
+Subject: netfilter: conntrack: helper: Replace -EEXIST by -EBUSY
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit 54416fd76770bd04fc3c501810e8d673550bab26 ]
+
+The helper registration return value is passed-through by module_init
+callbacks which modprobe confuses with the harmless -EEXIST returned
+when trying to load an already loaded module.
+
+Make sure modprobe fails so users notice their helper has not been
+registered and won't work.
+
+Suggested-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_helper.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
+index 4ed5878cb25b1..ceb48c3ca0a43 100644
+--- a/net/netfilter/nf_conntrack_helper.c
++++ b/net/netfilter/nf_conntrack_helper.c
+@@ -368,7 +368,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
+ (cur->tuple.src.l3num == NFPROTO_UNSPEC ||
+ cur->tuple.src.l3num == me->tuple.src.l3num) &&
+ cur->tuple.dst.protonum == me->tuple.dst.protonum) {
+- ret = -EEXIST;
++ ret = -EBUSY;
+ goto out;
+ }
+ }
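Review bot: Nothing at the two `ret = -EBUSY;` assignments (here and in the next hunk) says why the more natural -EEXIST is avoided, so a later cleanup could easily change it back. The reason given in the commit message is that the value is passed through module_init callbacks, where modprobe confuses it with the harmless -EEXIST of an already loaded module. A short comment at the first assignment, e.g. `/* not -EEXIST: modprobe treats that as "already loaded" and hides the failure */`, would keep that knowledge next to the code. nf_conntrack_helper_register() begins before this hunk and continues past it.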
+@@ -379,7 +379,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
+ hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) {
+ if (nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple,
+ &mask)) {
+- ret = -EEXIST;
++ ret = -EBUSY;
+ goto out;
+ }
+ }
+--
+2.50.1
+
--- /dev/null
+From 5571c22a30a73ed8bea61c31d60b66cbd2b29ea0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Aug 2025 23:49:18 +0200
+Subject: netfilter: nft_flowtable.sh: re-run with random mtu sizes
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit d6a367ec6c96fc8e61b4d67e69df03565ec69fb7 ]
+
+Jakub says:
+ nft_flowtable.sh is one of the most flake-atious test for netdev CI currently :(
+
+The root cause is two-fold:
+1. the failing part of the test is supposed to make sure that ip
+ fragments are forwarded for offloaded flows.
+ (flowtable has to pass them to classic forward path).
+ path mtu discovery for these subtests is disabled.
+
+2. nft_flowtable.sh has two passes. One with fixed mtus/file size and
+ one where link mtus and file sizes are random.
+
+The CI failures all have same pattern:
+ re-run with random mtus and file size: -o 27663 -l 4117 -r 10089 -s 54384840
+ [..]
+ PASS: dscp_egress: dscp packet counters match
+ FAIL: file mismatch for ns1 -> ns2
+
+In some cases this error triggers a bit ealier, sometimes in a later
+subtest:
+ re-run with random mtus and file size: -o 20201 -l 4555 -r 12657 -s 9405856
+ [..]
+ PASS: dscp_egress: dscp packet counters match
+ PASS: dscp_fwd: dscp packet counters match
+ 2025/08/17 20:37:52 socat[18954] E write(7, 0x560716b96000, 8192): Broken pipe
+ FAIL: file mismatch for ns1 -> ns2
+ -rw------- 1 root root 9405856 Aug 17 20:36 /tmp/tmp.2n63vlTrQe
+
+But all logs I saw show same scenario:
+1. Failing tests have pmtu discovery off (i.e., ip fragmentation)
+2. The test file is much larger than first-pass default (2M Byte)
+3. peers have much larger MTUs compared to the 'network'.
+
+These errors are very reproducible when re-running the test with
+the same commandline arguments.
+
+The timeout became much more prominent with
+1d2fbaad7cd8 ("tcp: stronger sk_rcvbuf checks"): reassembled packets
+typically have a skb->truesize more than double the skb length.
+
+As that commit is intentional and pmtud-off with
+large-tcp-packets-as-fragments is not normal adjust the test to use a
+smaller file for the pmtu-off subtests.
+
+While at it, add more information to pass/fail messages and
+also run the dscp alteration subtest with pmtu discovery enabled.
+
+Link: https://netdev.bots.linux.dev/contest.html?test=nft-flowtable-sh
+Fixes: f84ab634904c ("selftests: netfilter: nft_flowtable.sh: re-run with random mtu sizes")
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Closes: https://lore.kernel.org/netdev/20250822071330.4168f0db@kernel.org/
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Link: https://patch.msgid.link/20250828214918.3385-1-fw@strlen.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/net/netfilter/nft_flowtable.sh | 113 ++++++++++++------
+ 1 file changed, 76 insertions(+), 37 deletions(-)
+
+diff --git a/tools/testing/selftests/net/netfilter/nft_flowtable.sh b/tools/testing/selftests/net/netfilter/nft_flowtable.sh
+index a4ee5496f2a17..45832df982950 100755
+--- a/tools/testing/selftests/net/netfilter/nft_flowtable.sh
++++ b/tools/testing/selftests/net/netfilter/nft_flowtable.sh
+@@ -20,6 +20,7 @@ ret=0
+ SOCAT_TIMEOUT=60
+
+ nsin=""
++nsin_small=""
+ ns1out=""
+ ns2out=""
+
+@@ -36,7 +37,7 @@ cleanup() {
+
+ cleanup_all_ns
+
+- rm -f "$nsin" "$ns1out" "$ns2out"
++ rm -f "$nsin" "$nsin_small" "$ns1out" "$ns2out"
+
+ [ "$log_netns" -eq 0 ] && sysctl -q net.netfilter.nf_log_all_netns="$log_netns"
+ }
+@@ -72,6 +73,7 @@ lmtu=1500
+ rmtu=2000
+
+ filesize=$((2 * 1024 * 1024))
++filesize_small=$((filesize / 16))
+
+ usage(){
+ echo "nft_flowtable.sh [OPTIONS]"
+@@ -89,7 +91,10 @@ do
+ o) omtu=$OPTARG;;
+ l) lmtu=$OPTARG;;
+ r) rmtu=$OPTARG;;
+- s) filesize=$OPTARG;;
++ s)
++ filesize=$OPTARG
++ filesize_small=$((OPTARG / 16))
++ ;;
+ *) usage;;
+ esac
+ done
+@@ -215,6 +220,7 @@ if ! ip netns exec "$ns2" ping -c 1 -q 10.0.1.99 > /dev/null; then
+ fi
+
+ nsin=$(mktemp)
++nsin_small=$(mktemp)
+ ns1out=$(mktemp)
+ ns2out=$(mktemp)
+
+@@ -265,6 +271,7 @@ check_counters()
+ check_dscp()
+ {
+ local what=$1
++ local pmtud="$2"
+ local ok=1
+
+ local counter
+@@ -277,37 +284,39 @@ check_dscp()
+ local pc4z=${counter%*bytes*}
+ local pc4z=${pc4z#*packets}
+
++ local failmsg="FAIL: pmtu $pmtu: $what counters do not match, expected"
++
+ case "$what" in
+ "dscp_none")
+ if [ "$pc4" -gt 0 ] || [ "$pc4z" -eq 0 ]; then
+- echo "FAIL: dscp counters do not match, expected dscp3 == 0, dscp0 > 0, but got $pc4,$pc4z" 1>&2
++ echo "$failmsg dscp3 == 0, dscp0 > 0, but got $pc4,$pc4z" 1>&2
+ ret=1
+ ok=0
+ fi
+ ;;
+ "dscp_fwd")
+ if [ "$pc4" -eq 0 ] || [ "$pc4z" -eq 0 ]; then
+- echo "FAIL: dscp counters do not match, expected dscp3 and dscp0 > 0 but got $pc4,$pc4z" 1>&2
++ echo "$failmsg dscp3 and dscp0 > 0 but got $pc4,$pc4z" 1>&2
+ ret=1
+ ok=0
+ fi
+ ;;
+ "dscp_ingress")
+ if [ "$pc4" -eq 0 ] || [ "$pc4z" -gt 0 ]; then
+- echo "FAIL: dscp counters do not match, expected dscp3 > 0, dscp0 == 0 but got $pc4,$pc4z" 1>&2
++ echo "$failmsg dscp3 > 0, dscp0 == 0 but got $pc4,$pc4z" 1>&2
+ ret=1
+ ok=0
+ fi
+ ;;
+ "dscp_egress")
+ if [ "$pc4" -eq 0 ] || [ "$pc4z" -gt 0 ]; then
+- echo "FAIL: dscp counters do not match, expected dscp3 > 0, dscp0 == 0 but got $pc4,$pc4z" 1>&2
++ echo "$failmsg dscp3 > 0, dscp0 == 0 but got $pc4,$pc4z" 1>&2
+ ret=1
+ ok=0
+ fi
+ ;;
+ *)
+- echo "FAIL: Unknown DSCP check" 1>&2
++ echo "$failmsg: Unknown DSCP check" 1>&2
+ ret=1
+ ok=0
+ esac
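Review bot: `failmsg` expands `$pmtu`, but the parameter added to check_dscp() in the previous hunk is named `pmtud` (`local pmtud="$2"`), so the message prints whatever `pmtu` happens to be in the caller's scope, and for the top-level call `check_dscp "dscp_none" "0"` possibly nothing. Either rename the local to `pmtu` or build the message as `local failmsg="FAIL: pmtu $pmtud: $what counters do not match, expected"`. In the `*)` branch the shared prefix also reads oddly (`… expected: Unknown DSCP check`); a plain `echo "FAIL: pmtu $pmtud: unknown DSCP check '$what'" 1>&2` would be clearer. check_dscp() starts before this hunk.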
+@@ -319,9 +328,9 @@ check_dscp()
+
+ check_transfer()
+ {
+- in=$1
+- out=$2
+- what=$3
++ local in=$1
++ local out=$2
++ local what=$3
+
+ if ! cmp "$in" "$out" > /dev/null 2>&1; then
+ echo "FAIL: file mismatch for $what" 1>&2
+@@ -342,25 +351,39 @@ test_tcp_forwarding_ip()
+ {
+ local nsa=$1
+ local nsb=$2
+- local dstip=$3
+- local dstport=$4
++ local pmtu=$3
++ local dstip=$4
++ local dstport=$5
+ local lret=0
++ local socatc
++ local socatl
++ local infile="$nsin"
++
++ if [ $pmtu -eq 0 ]; then
++ infile="$nsin_small"
++ fi
+
+- timeout "$SOCAT_TIMEOUT" ip netns exec "$nsb" socat -4 TCP-LISTEN:12345,reuseaddr STDIO < "$nsin" > "$ns2out" &
++ timeout "$SOCAT_TIMEOUT" ip netns exec "$nsb" socat -4 TCP-LISTEN:12345,reuseaddr STDIO < "$infile" > "$ns2out" &
+ lpid=$!
+
+ busywait 1000 listener_ready
+
+- timeout "$SOCAT_TIMEOUT" ip netns exec "$nsa" socat -4 TCP:"$dstip":"$dstport" STDIO < "$nsin" > "$ns1out"
++ timeout "$SOCAT_TIMEOUT" ip netns exec "$nsa" socat -4 TCP:"$dstip":"$dstport" STDIO < "$infile" > "$ns1out"
++ socatc=$?
+
+ wait $lpid
++ socatl=$?
+
+- if ! check_transfer "$nsin" "$ns2out" "ns1 -> ns2"; then
++ if [ $socatl -ne 0 ] || [ $socatc -ne 0 ];then
++ rc=1
++ fi
++
++ if ! check_transfer "$infile" "$ns2out" "ns1 -> ns2"; then
+ lret=1
+ ret=1
+ fi
+
+- if ! check_transfer "$nsin" "$ns1out" "ns1 <- ns2"; then
++ if ! check_transfer "$infile" "$ns1out" "ns1 <- ns2"; then
+ lret=1
+ ret=1
+ fi
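Review bot: The new socat exit-status check sets `rc=1`, but `rc` is neither declared in this function nor read in the lines shown; the function tracks failure in `lret` and `ret`. Unless `rc` is consumed somewhere outside the hunk, a non-zero status from either socat is ignored whenever the file comparison still passes. If the intent is to fail the subtest, use `lret=1` (and `ret=1`, as the `check_transfer` branches do). `[ $pmtu -eq 0 ]` above is also unquoted and errors out if the third argument is missing; `[ "$pmtu" -eq 0 ]` would match the quoting used in test_tcp_forwarding_nat(). The end of test_tcp_forwarding_ip() is outside this hunk.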
+@@ -370,14 +393,16 @@ test_tcp_forwarding_ip()
+
+ test_tcp_forwarding()
+ {
+- test_tcp_forwarding_ip "$1" "$2" 10.0.2.99 12345
++ local pmtu="$3"
++
++ test_tcp_forwarding_ip "$1" "$2" "$pmtu" 10.0.2.99 12345
+
+ return $?
+ }
+
+ test_tcp_forwarding_set_dscp()
+ {
+- check_dscp "dscp_none"
++ local pmtu="$3"
+
+ ip netns exec "$nsr1" nft -f - <<EOF
+ table netdev dscpmangle {
+@@ -388,8 +413,8 @@ table netdev dscpmangle {
+ }
+ EOF
+ if [ $? -eq 0 ]; then
+- test_tcp_forwarding_ip "$1" "$2" 10.0.2.99 12345
+- check_dscp "dscp_ingress"
++ test_tcp_forwarding_ip "$1" "$2" "$3" 10.0.2.99 12345
++ check_dscp "dscp_ingress" "$pmtu"
+
+ ip netns exec "$nsr1" nft delete table netdev dscpmangle
+ else
+@@ -405,10 +430,10 @@ table netdev dscpmangle {
+ }
+ EOF
+ if [ $? -eq 0 ]; then
+- test_tcp_forwarding_ip "$1" "$2" 10.0.2.99 12345
+- check_dscp "dscp_egress"
++ test_tcp_forwarding_ip "$1" "$2" "$pmtu" 10.0.2.99 12345
++ check_dscp "dscp_egress" "$pmtu"
+
+- ip netns exec "$nsr1" nft flush table netdev dscpmangle
++ ip netns exec "$nsr1" nft delete table netdev dscpmangle
+ else
+ echo "SKIP: Could not load netdev:egress for veth1"
+ fi
+@@ -416,48 +441,53 @@ fi
+ # partial. If flowtable really works, then both dscp-is-0 and dscp-is-cs3
+ # counters should have seen packets (before and after ft offload kicks in).
+ ip netns exec "$nsr1" nft -a insert rule inet filter forward ip dscp set cs3
+- test_tcp_forwarding_ip "$1" "$2" 10.0.2.99 12345
+- check_dscp "dscp_fwd"
++ test_tcp_forwarding_ip "$1" "$2" "$pmtu" 10.0.2.99 12345
++ check_dscp "dscp_fwd" "$pmtu"
+ }
+
+ test_tcp_forwarding_nat()
+ {
++ local nsa="$1"
++ local nsb="$2"
++ local pmtu="$3"
++ local what="$4"
+ local lret
+- local pmtu
+
+- test_tcp_forwarding_ip "$1" "$2" 10.0.2.99 12345
+- lret=$?
++ [ "$pmtu" -eq 0 ] && what="$what (pmtu disabled)"
+
+- pmtu=$3
+- what=$4
++ test_tcp_forwarding_ip "$nsa" "$nsb" "$pmtu" 10.0.2.99 12345
++ lret=$?
+
+ if [ "$lret" -eq 0 ] ; then
+ if [ "$pmtu" -eq 1 ] ;then
+- check_counters "flow offload for ns1/ns2 with masquerade and pmtu discovery $what"
++ check_counters "flow offload for ns1/ns2 with masquerade $what"
+ else
+ echo "PASS: flow offload for ns1/ns2 with masquerade $what"
+ fi
+
+- test_tcp_forwarding_ip "$1" "$2" 10.6.6.6 1666
++ test_tcp_forwarding_ip "$1" "$2" "$pmtu" 10.6.6.6 1666
+ lret=$?
+ if [ "$pmtu" -eq 1 ] ;then
+- check_counters "flow offload for ns1/ns2 with dnat and pmtu discovery $what"
++ check_counters "flow offload for ns1/ns2 with dnat $what"
+ elif [ "$lret" -eq 0 ] ; then
+ echo "PASS: flow offload for ns1/ns2 with dnat $what"
+ fi
++ else
++ echo "FAIL: flow offload for ns1/ns2 with dnat $what"
+ fi
+
+ return $lret
+ }
+
+ make_file "$nsin" "$filesize"
++make_file "$nsin_small" "$filesize_small"
+
+ # First test:
+ # No PMTU discovery, nsr1 is expected to fragment packets from ns1 to ns2 as needed.
+ # Due to MTU mismatch in both directions, all packets (except small packets like pure
+ # acks) have to be handled by normal forwarding path. Therefore, packet counters
+ # are not checked.
+-if test_tcp_forwarding "$ns1" "$ns2"; then
++if test_tcp_forwarding "$ns1" "$ns2" 0; then
+ echo "PASS: flow offloaded for ns1/ns2"
+ else
+ echo "FAIL: flow offload for ns1/ns2:" 1>&2
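Review bot: The `else` branch added to test_tcp_forwarding_nat() is reached when the first transfer (the masquerade case, destination 10.0.2.99) fails, yet it prints `FAIL: flow offload for ns1/ns2 with dnat $what`. The dnat transfer to 10.6.6.6 has not run at that point, so the log points at the wrong subtest. I would print `echo "FAIL: flow offload for ns1/ns2 with masquerade $what" 1>&2`, which also sends it to stderr like the other FAIL lines. The second `test_tcp_forwarding_ip "$1" "$2" …` call could use `"$nsa" "$nsb"` now that those locals exist.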
+@@ -489,8 +519,9 @@ table ip nat {
+ }
+ EOF
+
++check_dscp "dscp_none" "0"
+ if ! test_tcp_forwarding_set_dscp "$ns1" "$ns2" 0 ""; then
+- echo "FAIL: flow offload for ns1/ns2 with dscp update" 1>&2
++ echo "FAIL: flow offload for ns1/ns2 with dscp update and no pmtu discovery" 1>&2
+ exit 0
+ fi
+
+@@ -512,6 +543,14 @@ ip netns exec "$ns2" sysctl net.ipv4.ip_no_pmtu_disc=0 > /dev/null
+ # are lower than file size and packets were forwarded via flowtable layer.
+ # For earlier tests (large mtus), packets cannot be handled via flowtable
+ # (except pure acks and other small packets).
++ip netns exec "$nsr1" nft reset counters table inet filter >/dev/null
++ip netns exec "$ns2" nft reset counters table inet filter >/dev/null
++
++if ! test_tcp_forwarding_set_dscp "$ns1" "$ns2" 1 ""; then
++ echo "FAIL: flow offload for ns1/ns2 with dscp update and pmtu discovery" 1>&2
++ exit 0
++fi
++
+ ip netns exec "$nsr1" nft reset counters table inet filter >/dev/null
+
+ if ! test_tcp_forwarding_nat "$ns1" "$ns2" 1 ""; then
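Review bot: The new pmtu-discovery dscp block ends with `exit 0` after printing FAIL, so the harness may see a passing exit status when this subtest fails. The no-pmtu block in the previous hunk does the same, so this may be copied on purpose, but nothing in the visible lines sets `ret` first. Unless test_tcp_forwarding_set_dscp() is known to set `ret=1` on every failing path, use `exit 1` here (or `ret=1` and fall through to the final `exit $ret`).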
+@@ -644,7 +683,7 @@ ip -net "$ns2" route del 192.168.10.1 via 10.0.2.1
+ ip -net "$ns2" route add default via 10.0.2.1
+ ip -net "$ns2" route add default via dead:2::1
+
+-if test_tcp_forwarding "$ns1" "$ns2"; then
++if test_tcp_forwarding "$ns1" "$ns2" 1; then
+ check_counters "ipsec tunnel mode for ns1/ns2"
+ else
+ echo "FAIL: ipsec tunnel mode for ns1/ns2"
+@@ -668,7 +707,7 @@ if [ "$1" = "" ]; then
+ fi
+
+ echo "re-run with random mtus and file size: -o $o -l $l -r $r -s $filesize"
+- $0 -o "$o" -l "$l" -r "$r" -s "$filesize"
++ $0 -o "$o" -l "$l" -r "$r" -s "$filesize" || ret=1
+ fi
+
+ exit $ret
+--
+2.50.1
+
--- /dev/null
+From 0b9b7da5fd56279399c787320232eb93fd3d9f11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Sep 2025 14:12:59 +0200
+Subject: phy: mscc: Stop taking ts_lock for tx_queue and use its own lock
+
+From: Horatiu Vultur <horatiu.vultur@microchip.com>
+
+[ Upstream commit 9b2bfdbf43adb9929c5ddcdd96efedbf1c88cf53 ]
+
+When transmitting a PTP frame which is timestamp using 2 step, the
+following warning appears if CONFIG_PROVE_LOCKING is enabled:
+=============================
+[ BUG: Invalid wait context ]
+6.17.0-rc1-00326-ge6160462704e #427 Not tainted
+-----------------------------
+ptp4l/119 is trying to lock:
+c2a44ed4 (&vsc8531->ts_lock){+.+.}-{3:3}, at: vsc85xx_txtstamp+0x50/0xac
+other info that might help us debug this:
+context-{4:4}
+4 locks held by ptp4l/119:
+ #0: c145f068 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x58/0x1440
+ #1: c29df974 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_queue_xmit+0x5c4/0x1440
+ #2: c2aaaad0 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0x108/0x350
+ #3: c2aac170 (&lan966x->tx_lock){+.-.}-{2:2}, at: lan966x_port_xmit+0xd0/0x350
+stack backtrace:
+CPU: 0 UID: 0 PID: 119 Comm: ptp4l Not tainted 6.17.0-rc1-00326-ge6160462704e #427 NONE
+Hardware name: Generic DT based system
+Call trace:
+ unwind_backtrace from show_stack+0x10/0x14
+ show_stack from dump_stack_lvl+0x7c/0xac
+ dump_stack_lvl from __lock_acquire+0x8e8/0x29dc
+ __lock_acquire from lock_acquire+0x108/0x38c
+ lock_acquire from __mutex_lock+0xb0/0xe78
+ __mutex_lock from mutex_lock_nested+0x1c/0x24
+ mutex_lock_nested from vsc85xx_txtstamp+0x50/0xac
+ vsc85xx_txtstamp from lan966x_fdma_xmit+0xd8/0x3a8
+ lan966x_fdma_xmit from lan966x_port_xmit+0x1bc/0x350
+ lan966x_port_xmit from dev_hard_start_xmit+0xc8/0x2c0
+ dev_hard_start_xmit from sch_direct_xmit+0x8c/0x350
+ sch_direct_xmit from __dev_queue_xmit+0x680/0x1440
+ __dev_queue_xmit from packet_sendmsg+0xfa4/0x1568
+ packet_sendmsg from __sys_sendto+0x110/0x19c
+ __sys_sendto from sys_send+0x18/0x20
+ sys_send from ret_fast_syscall+0x0/0x1c
+Exception stack(0xf0b05fa8 to 0xf0b05ff0)
+5fa0: 00000001 0000000e 0000000e 0004b47a 0000003a 00000000
+5fc0: 00000001 0000000e 00000000 00000121 0004af58 00044874 00000000 00000000
+5fe0: 00000001 bee9d420 00025a10 b6e75c7c
+
+So, instead of using the ts_lock for tx_queue, use the spinlock that
+skb_buff_head has.
+
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Fixes: 7d272e63e0979d ("net: phy: mscc: timestamping and PHC support")
+Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
+Link: https://patch.msgid.link/20250902121259.3257536-1-horatiu.vultur@microchip.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/mscc/mscc_ptp.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c
+index 920f35f8f84e7..fa24ba8f6bff0 100644
+--- a/drivers/net/phy/mscc/mscc_ptp.c
++++ b/drivers/net/phy/mscc/mscc_ptp.c
+@@ -455,12 +455,12 @@ static void vsc85xx_dequeue_skb(struct vsc85xx_ptp *ptp)
+ *p++ = (reg >> 24) & 0xff;
+ }
+
+- len = skb_queue_len(&ptp->tx_queue);
++ len = skb_queue_len_lockless(&ptp->tx_queue);
+ if (len < 1)
+ return;
+
+ while (len--) {
+- skb = __skb_dequeue(&ptp->tx_queue);
++ skb = skb_dequeue(&ptp->tx_queue);
+ if (!skb)
+ return;
+
+@@ -485,7 +485,7 @@ static void vsc85xx_dequeue_skb(struct vsc85xx_ptp *ptp)
+ * packet in the FIFO right now, reschedule it for later
+ * packets.
+ */
+- __skb_queue_tail(&ptp->tx_queue, skb);
++ skb_queue_tail(&ptp->tx_queue, skb);
+ }
+ }
+
+@@ -1065,6 +1065,7 @@ static int vsc85xx_hwtstamp(struct mii_timestamper *mii_ts,
+ case HWTSTAMP_TX_ON:
+ break;
+ case HWTSTAMP_TX_OFF:
++ skb_queue_purge(&vsc8531->ptp->tx_queue);
+ break;
+ default:
+ return -ERANGE;
+@@ -1089,9 +1090,6 @@ static int vsc85xx_hwtstamp(struct mii_timestamper *mii_ts,
+
+ mutex_lock(&vsc8531->ts_lock);
+
+- __skb_queue_purge(&vsc8531->ptp->tx_queue);
+- __skb_queue_head_init(&vsc8531->ptp->tx_queue);
+-
+ /* Disable predictor while configuring the 1588 block */
+ val = vsc85xx_ts_read_csr(phydev, PROCESSOR,
+ MSCC_PHY_PTP_INGR_PREDICTOR);
+@@ -1177,9 +1175,7 @@ static void vsc85xx_txtstamp(struct mii_timestamper *mii_ts,
+
+ skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS;
+
+- mutex_lock(&vsc8531->ts_lock);
+- __skb_queue_tail(&vsc8531->ptp->tx_queue, skb);
+- mutex_unlock(&vsc8531->ts_lock);
++ skb_queue_tail(&vsc8531->ptp->tx_queue, skb);
+ return;
+
+ out:
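Review bot: After this change `tx_queue` is serialised only by the spinlock inside the `sk_buff_head`, and no comment records that `ts_lock` must not be taken on this path. The lockdep report in the commit message shows why: vsc85xx_txtstamp() is reached from the MAC driver's xmit path with spinlocks held, where acquiring a mutex is an invalid wait context. A comment at the `skb_queue_tail()` call, e.g. `/* xmit path, atomic context: tx_queue uses its own lock, never ts_lock */`, would help keep the mutex from being reintroduced. The function starts before the hunk and its `out:` path continues after it.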
+@@ -1545,6 +1541,7 @@ void vsc8584_ptp_deinit(struct phy_device *phydev)
+ if (vsc8531->ptp->ptp_clock) {
+ ptp_clock_unregister(vsc8531->ptp->ptp_clock);
+ skb_queue_purge(&vsc8531->rx_skbs_list);
++ skb_queue_purge(&vsc8531->ptp->tx_queue);
+ }
+ }
+
+@@ -1568,7 +1565,7 @@ irqreturn_t vsc8584_handle_ts_interrupt(struct phy_device *phydev)
+ if (rc & VSC85XX_1588_INT_FIFO_ADD) {
+ vsc85xx_get_tx_ts(priv->ptp);
+ } else if (rc & VSC85XX_1588_INT_FIFO_OVERFLOW) {
+- __skb_queue_purge(&priv->ptp->tx_queue);
++ skb_queue_purge(&priv->ptp->tx_queue);
+ vsc85xx_ts_reset_fifo(phydev);
+ }
+
+@@ -1588,6 +1585,7 @@ int vsc8584_ptp_probe(struct phy_device *phydev)
+ mutex_init(&vsc8531->phc_lock);
+ mutex_init(&vsc8531->ts_lock);
+ skb_queue_head_init(&vsc8531->rx_skbs_list);
++ skb_queue_head_init(&vsc8531->ptp->tx_queue);
+
+ /* Retrieve the shared load/save GPIO. Request it as non exclusive as
+ * the same GPIO can be requested by all the PHYs of the same package.
+--
+2.50.1
+
--- /dev/null
+From df94b39b2101a2b7ae180d64fba4333e721a3da0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Sep 2025 18:07:26 +0800
+Subject: ppp: fix memory leak in pad_compress_skb
+
+From: Qingfang Deng <dqfext@gmail.com>
+
+[ Upstream commit 4844123fe0b853a4982c02666cb3fd863d701d50 ]
+
+If alloc_skb() fails in pad_compress_skb(), it returns NULL without
+releasing the old skb. The caller does:
+
+ skb = pad_compress_skb(ppp, skb);
+ if (!skb)
+ goto drop;
+
+drop:
+ kfree_skb(skb);
+
+When pad_compress_skb() returns NULL, the reference to the old skb is
+lost and kfree_skb(skb) ends up doing nothing, leading to a memory leak.
+
+Align pad_compress_skb() semantics with realloc(): only free the old
+skb if allocation and compression succeed. At the call site, use the
+new_skb variable so the original skb is not lost when pad_compress_skb()
+fails.
+
+Fixes: b3f9b92a6ec1 ("[PPP]: add PPP MPPE encryption module")
+Signed-off-by: Qingfang Deng <dqfext@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
+Link: https://patch.msgid.link/20250903100726.269839-1-dqfext@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ppp/ppp_generic.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
+index 0553b0b356b30..afc1566488b32 100644
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -1753,7 +1753,6 @@ pad_compress_skb(struct ppp *ppp, struct sk_buff *skb)
+ */
+ if (net_ratelimit())
+ netdev_err(ppp->dev, "ppp: compressor dropped pkt\n");
+- kfree_skb(skb);
+ consume_skb(new_skb);
+ new_skb = NULL;
+ }
+@@ -1855,9 +1854,10 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb)
+ "down - pkt dropped.\n");
+ goto drop;
+ }
+- skb = pad_compress_skb(ppp, skb);
+- if (!skb)
++ new_skb = pad_compress_skb(ppp, skb);
++ if (!new_skb)
+ goto drop;
++ skb = new_skb;
+ }
+
+ /*
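Review bot: This call site now depends on pad_compress_skb() leaving `skb` untouched when it returns NULL, but that ownership rule is not documented in either hunk. The `drop:` path frees `skb`, so a future change that frees the old skb inside pad_compress_skb() again would turn this into a double free. I would state the contract in the comment above pad_compress_skb(), e.g. `/* Returns the skb to send, or NULL on failure; on NULL the caller still owns @skb. */`. Both functions begin and end outside the hunks shown.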
+--
+2.50.1
+
--- /dev/null
+From 02521d5b99d973a63fa5a63424943839847ad50e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Sep 2025 22:28:51 +0000
+Subject: selftest: net: Fix weird setsockopt() in bind_bhash.c.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit fd2004d82d8d8faa94879e3de3096c8511728637 ]
+
+bind_bhash.c passes (SO_REUSEADDR | SO_REUSEPORT) to setsockopt().
+
+In the asm-generic definition, the value happens to match with the
+bare SO_REUSEPORT, (2 | 15) == 15, but not on some arch.
+
+arch/alpha/include/uapi/asm/socket.h:18:#define SO_REUSEADDR 0x0004
+arch/alpha/include/uapi/asm/socket.h:24:#define SO_REUSEPORT 0x0200
+arch/mips/include/uapi/asm/socket.h:24:#define SO_REUSEADDR 0x0004 /* Allow reuse of local addresses. */
+arch/mips/include/uapi/asm/socket.h:33:#define SO_REUSEPORT 0x0200 /* Allow local address and port reuse. */
+arch/parisc/include/uapi/asm/socket.h:12:#define SO_REUSEADDR 0x0004
+arch/parisc/include/uapi/asm/socket.h:18:#define SO_REUSEPORT 0x0200
+arch/sparc/include/uapi/asm/socket.h:13:#define SO_REUSEADDR 0x0004
+arch/sparc/include/uapi/asm/socket.h:20:#define SO_REUSEPORT 0x0200
+include/uapi/asm-generic/socket.h:12:#define SO_REUSEADDR 2
+include/uapi/asm-generic/socket.h:27:#define SO_REUSEPORT 15
+
+Let's pass SO_REUSEPORT only.
+
+Fixes: c35ecb95c448 ("selftests/net: Add test for timing a bind request to a port with a populated bhash entry")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250903222938.2601522-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/bind_bhash.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/net/bind_bhash.c b/tools/testing/selftests/net/bind_bhash.c
+index 57ff67a3751eb..da04b0b19b73c 100644
+--- a/tools/testing/selftests/net/bind_bhash.c
++++ b/tools/testing/selftests/net/bind_bhash.c
+@@ -75,7 +75,7 @@ static void *setup(void *arg)
+ int *array = (int *)arg;
+
+ for (i = 0; i < MAX_CONNECTIONS; i++) {
+- sock_fd = bind_socket(SO_REUSEADDR | SO_REUSEPORT, setup_addr);
++ sock_fd = bind_socket(SO_REUSEPORT, setup_addr);
+ if (sock_fd < 0) {
+ ret = sock_fd;
+ pthread_exit(&ret);
+@@ -103,7 +103,7 @@ int main(int argc, const char *argv[])
+
+ setup_addr = use_v6 ? setup_addr_v6 : setup_addr_v4;
+
+- listener_fd = bind_socket(SO_REUSEADDR | SO_REUSEPORT, setup_addr);
++ listener_fd = bind_socket(SO_REUSEPORT, setup_addr);
+ if (listen(listener_fd, 100) < 0) {
+ perror("listen failed");
+ return -1;
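Review bot: In main(), `listener_fd` goes from bind_socket() straight into listen() without a check, while setup() in the previous hunk tests `sock_fd < 0` for the same helper. If bind_socket() fails, the run reports "listen failed" on an invalid descriptor instead of stopping at the real error. Adding `if (listener_fd < 0) return -1;` before the listen() call would make the two callers consistent. main() continues outside this hunk.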
+--
+2.50.1
+
--- /dev/null
+From 3de887d42798a89f1101f09387e4b4d8ca3aaec1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 Aug 2025 11:38:42 -0700
+Subject: selftests: drv-net: csum: fix interface name for remote host
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 49c2502b5946ebf454d7e16fd0189769a82b6117 ]
+
+Use cfg.remote_ifname for arguments of remote command.
+Without this UDP tests fail in NIPA where local interface
+is called enp1s0 and remote enp0s4.
+
+Fixes: 1d0dc857b5d8 ("selftests: drv-net: add checksum tests")
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Link: https://patch.msgid.link/20250830183842.688935-1-kuba@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/drivers/net/hw/csum.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/drivers/net/hw/csum.py b/tools/testing/selftests/drivers/net/hw/csum.py
+index cb40497faee44..b7e55be9bd9fd 100755
+--- a/tools/testing/selftests/drivers/net/hw/csum.py
++++ b/tools/testing/selftests/drivers/net/hw/csum.py
+@@ -20,7 +20,7 @@ def test_receive(cfg, ipv4=False, extra_args=None):
+ ip_args = f"-6 -S {cfg.remote_v6} -D {cfg.v6}"
+
+ rx_cmd = f"{cfg.bin_local} -i {cfg.ifname} -n 100 {ip_args} -r 1 -R {extra_args}"
+- tx_cmd = f"{cfg.bin_remote} -i {cfg.ifname} -n 100 {ip_args} -r 1 -T {extra_args}"
++ tx_cmd = f"{cfg.bin_remote} -i {cfg.remote_ifname} -n 100 {ip_args} -r 1 -T {extra_args}"
+
+ with bkg(rx_cmd, exit_wait=True):
+ wait_port_listen(34000, proto="udp")
+@@ -43,7 +43,7 @@ def test_transmit(cfg, ipv4=False, extra_args=None):
+ if extra_args != "-U -Z":
+ extra_args += " -r 1"
+
+- rx_cmd = f"{cfg.bin_remote} -i {cfg.ifname} -L 1 -n 100 {ip_args} -R {extra_args}"
++ rx_cmd = f"{cfg.bin_remote} -i {cfg.remote_ifname} -L 1 -n 100 {ip_args} -R {extra_args}"
+ tx_cmd = f"{cfg.bin_local} -i {cfg.ifname} -L 1 -n 100 {ip_args} -T {extra_args}"
+
+ with bkg(rx_cmd, host=cfg.remote, exit_wait=True):
+--
+2.50.1
+
loongarch-vdso-remove-nostdlib-complier-flag.patch
mmc-sdhci-of-arasan-support-for-emmc-hardware-reset.patch
mmc-sdhci-of-arasan-ensure-cd-logic-stabilization-be.patch
+wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch
+wifi-brcmfmac-fix-use-after-free-when-rescheduling-b.patch
+wifi-mt76-mt7925-fix-locking-in-mt7925_change_vif_li.patch
+wifi-mt76-prevent-non-offchannel-mgmt-tx-during-scan.patch
+wifi-mt76-free-pending-offchannel-tx-frames-on-wcid-.patch
+wifi-mt76-fix-linked-list-corruption.patch
+netfilter-br_netfilter-do-not-check-confirmed-bit-in.patch
+netfilter-conntrack-helper-replace-eexist-by-ebusy.patch
+wifi-iwlwifi-uefi-check-dsm-item-validity.patch
+bluetooth-vhci-prevent-use-after-free-by-removing-de.patch
+bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch
+netfilter-nft_flowtable.sh-re-run-with-random-mtu-si.patch
+net_sched-gen_estimator-fix-est_timer-vs-config_pree.patch
+xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch
+misdn-fix-memory-leak-in-dsp_hwec_enable.patch
+selftests-drv-net-csum-fix-interface-name-for-remote.patch
+bnxt_en-fix-incorrect-page-count-in-rx-aggr-ring-log.patch
+icmp-fix-icmp_ndo_send-address-translation-for-reply.patch
+net-macb-fix-tx_ptr_lock-locking.patch
+macsec-read-macsec_sa_attr_pn-with-nla_get_uint.patch
+net-smc-fix-one-null-pointer-dereference-in-smc_ib_i.patch
+net-mctp-mctp_fraq_queue-should-take-ownership-of-pa.patch
+ice-fix-null-access-of-tx-in_use-in-ice_ll_ts_intr.patch
+idpf-set-mac-type-when-adding-and-removing-mac-filte.patch
+i40e-remove-read-access-to-debugfs-files.patch
+i40e-fix-potential-invalid-access-when-mac-list-is-e.patch
+ixgbe-fix-incorrect-map-used-in-eee-linkmode.patch
+wifi-ath11k-fix-group-data-packet-drops-during-rekey.patch
+net-tcp-fix-socket-memory-leak-in-tcp-ao-failure-han.patch
+net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch
+net-skb-add-pskb_network_may_pull_reason-helper.patch
+net-tunnel-add-pskb_inet_may_pull_reason-helper.patch
+net-vxlan-add-skb-drop-reasons-to-vxlan_rcv.patch
+net-vxlan-make-vxlan_snoop-return-drop-reasons.patch
+vxlan-fix-npd-when-refreshing-an-fdb-entry-with-a-ne.patch
+net-vxlan-make-vxlan_set_mac-return-drop-reasons.patch
+net-vxlan-use-kfree_skb_reason-in-vxlan_xmit.patch
+net-vxlan-use-kfree_skb_reason-in-vxlan_mdb_xmit.patch
+net-vxlan-rename-skb_drop_reason_vxlan_no_remote.patch
+vxlan-refresh-fdb-updated-time-upon-ntf_use.patch
+vxlan-avoid-unnecessary-updates-to-fdb-used-time.patch
+vxlan-add-rcu-read-side-critical-sections-in-the-tx-.patch
+vxlan-rename-fdb-tx-lookup-function.patch
+vxlan-fix-npd-in-arp-neigh-_reduce-when-using-nextho.patch
+wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch
+wifi-libertas-cap-ssid-len-in-lbs_associate.patch
+wifi-cfg80211-sme-cap-ssid-length-in-__cfg80211_conn.patch
+net-thunder_bgx-add-a-missing-of_node_put.patch
+net-thunder_bgx-decrement-cleanup-index-before-use.patch
+ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch
+net-smc-remove-validation-of-reserved-bits-in-clc-de.patch
+mctp-return-enoprotoopt-for-unknown-getsockopt-optio.patch
+ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch
+net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch
+net-xilinx-axienet-add-error-handling-for-rx-metadat.patch
+ppp-fix-memory-leak-in-pad_compress_skb.patch
+selftest-net-fix-weird-setsockopt-in-bind_bhash.c.patch
+phy-mscc-stop-taking-ts_lock-for-tx_queue-and-use-it.patch
--- /dev/null
+From 3590e4e5253d1968a51abc26dcb9363245697669 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 15:11:29 +0300
+Subject: vxlan: Add RCU read-side critical sections in the Tx path
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit 804b09be09f8af4eda5346a72361459ba21fcf1b ]
+
+The Tx path does not run from an RCU read-side critical section which
+makes the current lockless accesses to FDB entries invalid. As far as I
+am aware, this has not been a problem in practice, but traces will be
+generated once we transition the FDB lookup to rhashtable_lookup().
+
+Add rcu_read_{lock,unlock}() around the handling of FDB entries in the
+Tx path. Remove the RCU read-side critical section from vxlan_xmit_nh()
+as now the function is always called from an RCU read-side critical
+section.
+
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20250415121143.345227-2-idosch@nvidia.com
+Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: 1f5d2fd1ca04 ("vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vxlan/vxlan_core.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
+index 8853fcb7eb7f2..1d431e3fc71ea 100644
+--- a/drivers/net/vxlan/vxlan_core.c
++++ b/drivers/net/vxlan/vxlan_core.c
+@@ -1909,12 +1909,15 @@ static int arp_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni)
+ goto out;
+ }
+
++ rcu_read_lock();
+ f = vxlan_find_mac(vxlan, n->ha, vni);
+ if (f && vxlan_addr_any(&(first_remote_rcu(f)->remote_ip))) {
+ /* bridge-local neighbor */
+ neigh_release(n);
++ rcu_read_unlock();
+ goto out;
+ }
++ rcu_read_unlock();
+
+ reply = arp_create(ARPOP_REPLY, ETH_P_ARP, sip, dev, tip, sha,
+ n->ha, sha);
+@@ -2632,14 +2635,10 @@ static void vxlan_xmit_nh(struct sk_buff *skb, struct net_device *dev,
+ memset(&nh_rdst, 0, sizeof(struct vxlan_rdst));
+ hash = skb_get_hash(skb);
+
+- rcu_read_lock();
+ nh = rcu_dereference(f->nh);
+- if (!nh) {
+- rcu_read_unlock();
++ if (!nh)
+ goto drop;
+- }
+ do_xmit = vxlan_fdb_nh_path_select(nh, hash, &nh_rdst);
+- rcu_read_unlock();
+
+ if (likely(do_xmit))
+ vxlan_xmit_one(skb, dev, vni, &nh_rdst, did_rsc);
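Review bot: With the lock/unlock pair removed, the `rcu_dereference(f->nh)` in vxlan_xmit_nh() is valid only because every caller is expected to hold rcu_read_lock(), and that precondition is stated only in the commit message. A comment above the function such as `/* Caller must hold rcu_read_lock(). */` would make the requirement visible to anyone adding a call site. On kernels built without CONFIG_PROVE_RCU, a caller that forgets the lock gets no warning. The function's signature and its `drop` label are outside this hunk.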
+@@ -2766,6 +2765,7 @@ static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev)
+ }
+
+ eth = eth_hdr(skb);
++ rcu_read_lock();
+ f = vxlan_find_mac(vxlan, eth->h_dest, vni);
+ did_rsc = false;
+
+@@ -2788,7 +2788,7 @@ static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev)
+ vxlan_vnifilter_count(vxlan, vni, NULL,
+ VXLAN_VNI_STATS_TX_DROPS, 0);
+ kfree_skb_reason(skb, SKB_DROP_REASON_NO_TX_TARGET);
+- return NETDEV_TX_OK;
++ goto out;
+ }
+ }
+
+@@ -2813,6 +2813,8 @@ static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev)
+ kfree_skb_reason(skb, SKB_DROP_REASON_NO_TX_TARGET);
+ }
+
++out:
++ rcu_read_unlock();
+ return NETDEV_TX_OK;
+ }
+
+--
+2.50.1
+
--- /dev/null
+From b0fddb6e5f22f2150bc07eee8fd3247ea3a4e41d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Feb 2025 16:55:48 +0200
+Subject: vxlan: Avoid unnecessary updates to FDB 'used' time
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit 9722f834fe9a7c583591defa2cab3f652f50a5f0 ]
+
+Now that the VXLAN driver ages out FDB entries based on their 'updated'
+time we can remove unnecessary updates of the 'used' time from the Rx
+path and the control path, so that the 'used' time is only updated by
+the Tx path.
+
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://patch.msgid.link/20250204145549.1216254-8-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 1f5d2fd1ca04 ("vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vxlan/vxlan_core.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
+index ce9c979080bb4..8853fcb7eb7f2 100644
+--- a/drivers/net/vxlan/vxlan_core.c
++++ b/drivers/net/vxlan/vxlan_core.c
+@@ -1047,10 +1047,8 @@ static int vxlan_fdb_update_existing(struct vxlan_dev *vxlan,
+ notify |= rc;
+ }
+
+- if (ndm_flags & NTF_USE) {
+- WRITE_ONCE(f->used, jiffies);
++ if (ndm_flags & NTF_USE)
+ WRITE_ONCE(f->updated, jiffies);
+- }
+
+ if (notify) {
+ if (rd == NULL)
+@@ -1294,7 +1292,7 @@ int __vxlan_fdb_delete(struct vxlan_dev *vxlan,
+ struct vxlan_fdb *f;
+ int err = -ENOENT;
+
+- f = vxlan_find_mac(vxlan, addr, src_vni);
++ f = __vxlan_find_mac(vxlan, addr, src_vni);
+ if (!f)
+ return err;
+
+@@ -1458,7 +1456,7 @@ static enum skb_drop_reason vxlan_snoop(struct net_device *dev,
+ ifindex = src_ifindex;
+ #endif
+
+- f = vxlan_find_mac(vxlan, src_mac, vni);
++ f = __vxlan_find_mac(vxlan, src_mac, vni);
+ if (likely(f)) {
+ struct vxlan_rdst *rdst = first_remote_rcu(f);
+
+@@ -4718,7 +4716,7 @@ vxlan_fdb_offloaded_set(struct net_device *dev,
+
+ spin_lock_bh(&vxlan->hash_lock[hash_index]);
+
+- f = vxlan_find_mac(vxlan, fdb_info->eth_addr, fdb_info->vni);
++ f = __vxlan_find_mac(vxlan, fdb_info->eth_addr, fdb_info->vni);
+ if (!f)
+ goto out;
+
+@@ -4774,7 +4772,7 @@ vxlan_fdb_external_learn_del(struct net_device *dev,
+ hash_index = fdb_head_index(vxlan, fdb_info->eth_addr, fdb_info->vni);
+ spin_lock_bh(&vxlan->hash_lock[hash_index]);
+
+- f = vxlan_find_mac(vxlan, fdb_info->eth_addr, fdb_info->vni);
++ f = __vxlan_find_mac(vxlan, fdb_info->eth_addr, fdb_info->vni);
+ if (!f)
+ err = -ENOENT;
+ else if (f->flags & NTF_EXT_LEARNED)
+--
+2.50.1
+
--- /dev/null
+From 5542642cb084acbc9b7ef97fc115cd6ba36c271f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Sep 2025 09:50:34 +0300
+Subject: vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit 1f5d2fd1ca04a23c18b1bde9a43ce2fa2ffa1bce ]
+
+When the "proxy" option is enabled on a VXLAN device, the device will
+suppress ARP requests and IPv6 Neighbor Solicitation messages if it is
+able to reply on behalf of the remote host. That is, if a matching and
+valid neighbor entry is configured on the VXLAN device whose MAC address
+is not behind the "any" remote (0.0.0.0 / ::).
+
+The code currently assumes that the FDB entry for the neighbor's MAC
+address points to a valid remote destination, but this is incorrect if
+the entry is associated with an FDB nexthop group. This can result in a
+NPD [1][3] which can be reproduced using [2][4].
+
+Fix by checking that the remote destination exists before dereferencing
+it.
+
+[1]
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+[...]
+CPU: 4 UID: 0 PID: 365 Comm: arping Not tainted 6.17.0-rc2-virtme-g2a89cb21162c #2 PREEMPT(voluntary)
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014
+RIP: 0010:vxlan_xmit+0xb58/0x15f0
+[...]
+Call Trace:
+ <TASK>
+ dev_hard_start_xmit+0x5d/0x1c0
+ __dev_queue_xmit+0x246/0xfd0
+ packet_sendmsg+0x113a/0x1850
+ __sock_sendmsg+0x38/0x70
+ __sys_sendto+0x126/0x180
+ __x64_sys_sendto+0x24/0x30
+ do_syscall_64+0xa4/0x260
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+[2]
+ #!/bin/bash
+
+ ip address add 192.0.2.1/32 dev lo
+
+ ip nexthop add id 1 via 192.0.2.2 fdb
+ ip nexthop add id 10 group 1 fdb
+
+ ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 4789 proxy
+
+ ip neigh add 192.0.2.3 lladdr 00:11:22:33:44:55 nud perm dev vx0
+
+ bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10
+
+ arping -b -c 1 -s 192.0.2.1 -I vx0 192.0.2.3
+
+[3]
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+[...]
+CPU: 13 UID: 0 PID: 372 Comm: ndisc6 Not tainted 6.17.0-rc2-virtmne-g6ee90cb26014 #3 PREEMPT(voluntary)
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1v996), BIOS 1.17.0-4.fc41 04/01/2x014
+RIP: 0010:vxlan_xmit+0x803/0x1600
+[...]
+Call Trace:
+ <TASK>
+ dev_hard_start_xmit+0x5d/0x1c0
+ __dev_queue_xmit+0x246/0xfd0
+ ip6_finish_output2+0x210/0x6c0
+ ip6_finish_output+0x1af/0x2b0
+ ip6_mr_output+0x92/0x3e0
+ ip6_send_skb+0x30/0x90
+ rawv6_sendmsg+0xe6e/0x12e0
+ __sock_sendmsg+0x38/0x70
+ __sys_sendto+0x126/0x180
+ __x64_sys_sendto+0x24/0x30
+ do_syscall_64+0xa4/0x260
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+RIP: 0033:0x7f383422ec77
+
+[4]
+ #!/bin/bash
+
+ ip address add 2001:db8:1::1/128 dev lo
+
+ ip nexthop add id 1 via 2001:db8:1::1 fdb
+ ip nexthop add id 10 group 1 fdb
+
+ ip link add name vx0 up type vxlan id 10010 local 2001:db8:1::1 dstport 4789 proxy
+
+ ip neigh add 2001:db8:1::3 lladdr 00:11:22:33:44:55 nud perm dev vx0
+
+ bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10
+
+ ndisc6 -r 1 -s 2001:db8:1::1 -w 1 2001:db8:1::3 vx0
+
+Fixes: 1274e1cc4226 ("vxlan: ecmp support for mac fdb entries")
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://patch.msgid.link/20250901065035.159644-3-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vxlan/vxlan_core.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
+index 6b4b4b0484d6e..bbfa4eed17559 100644
+--- a/drivers/net/vxlan/vxlan_core.c
++++ b/drivers/net/vxlan/vxlan_core.c
+@@ -1901,6 +1901,7 @@ static int arp_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni)
+ n = neigh_lookup(&arp_tbl, &tip, dev);
+
+ if (n) {
++ struct vxlan_rdst *rdst = NULL;
+ struct vxlan_fdb *f;
+ struct sk_buff *reply;
+
+@@ -1911,7 +1912,9 @@ static int arp_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni)
+
+ rcu_read_lock();
+ f = vxlan_find_mac_tx(vxlan, n->ha, vni);
+- if (f && vxlan_addr_any(&(first_remote_rcu(f)->remote_ip))) {
++ if (f)
++ rdst = first_remote_rcu(f);
++ if (rdst && vxlan_addr_any(&rdst->remote_ip)) {
+ /* bridge-local neighbor */
+ neigh_release(n);
+ rcu_read_unlock();
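Review bot: The NULL-safe lookup `if (f) rdst = first_remote_rcu(f);` followed by `if (rdst && vxlan_addr_any(&rdst->remote_ip))` is written out twice, here in arp_reduce() and again in the neigh_reduce() hunk below, and neither copy says why `rdst` can be NULL. A short comment on the check, `/* rdst is NULL when the entry points to an FDB nexthop group */`, would record the case this fix addresses. A small static helper taking `f` and reporting whether it sits behind the "any" remote would keep the two paths from drifting apart. Both functions extend beyond their hunks.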
+@@ -2068,6 +2071,7 @@ static int neigh_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni)
+ n = neigh_lookup(ipv6_stub->nd_tbl, &msg->target, dev);
+
+ if (n) {
++ struct vxlan_rdst *rdst = NULL;
+ struct vxlan_fdb *f;
+ struct sk_buff *reply;
+
+@@ -2077,7 +2081,9 @@ static int neigh_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni)
+ }
+
+ f = vxlan_find_mac_tx(vxlan, n->ha, vni);
+- if (f && vxlan_addr_any(&(first_remote_rcu(f)->remote_ip))) {
++ if (f)
++ rdst = first_remote_rcu(f);
++ if (rdst && vxlan_addr_any(&rdst->remote_ip)) {
+ /* bridge-local neighbor */
+ neigh_release(n);
+ goto out;
+--
+2.50.1
+
--- /dev/null
+From d1e9fa792bf0fad4e6ab391fd6f6a31640489dd2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Sep 2025 09:50:33 +0300
+Subject: vxlan: Fix NPD when refreshing an FDB entry with a nexthop object
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit 6ead38147ebb813f08be6ea8ef547a0e4c09559a ]
+
+VXLAN FDB entries can point to either a remote destination or an FDB
+nexthop group. The latter is usually used in EVPN deployments where
+learning is disabled.
+
+However, when learning is enabled, an incoming packet might try to
+refresh an FDB entry that points to an FDB nexthop group and therefore
+does not have a remote. Such packets should be dropped, but they are
+only dropped after dereferencing the non-existent remote, resulting in a
+NPD [1] which can be reproduced using [2].
+
+Fix by dropping such packets earlier. Remove the misleading comment from
+first_remote_rcu().
+
+[1]
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+[...]
+CPU: 13 UID: 0 PID: 361 Comm: mausezahn Not tainted 6.17.0-rc1-virtme-g9f6b606b6b37 #1 PREEMPT(voluntary)
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014
+RIP: 0010:vxlan_snoop+0x98/0x1e0
+[...]
+Call Trace:
+ <TASK>
+ vxlan_encap_bypass+0x209/0x240
+ encap_bypass_if_local+0xb1/0x100
+ vxlan_xmit_one+0x1375/0x17e0
+ vxlan_xmit+0x6b4/0x15f0
+ dev_hard_start_xmit+0x5d/0x1c0
+ __dev_queue_xmit+0x246/0xfd0
+ packet_sendmsg+0x113a/0x1850
+ __sock_sendmsg+0x38/0x70
+ __sys_sendto+0x126/0x180
+ __x64_sys_sendto+0x24/0x30
+ do_syscall_64+0xa4/0x260
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+[2]
+ #!/bin/bash
+
+ ip address add 192.0.2.1/32 dev lo
+ ip address add 192.0.2.2/32 dev lo
+
+ ip nexthop add id 1 via 192.0.2.3 fdb
+ ip nexthop add id 10 group 1 fdb
+
+ ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 12345 localbypass
+ ip link add name vx1 up type vxlan id 10020 local 192.0.2.2 dstport 54321 learning
+
+ bridge fdb add 00:11:22:33:44:55 dev vx0 self static dst 192.0.2.2 port 54321 vni 10020
+ bridge fdb add 00:aa:bb:cc:dd:ee dev vx1 self static nhid 10
+
+ mausezahn vx0 -a 00:aa:bb:cc:dd:ee -b 00:11:22:33:44:55 -c 1 -q
+
+Fixes: 1274e1cc4226 ("vxlan: ecmp support for mac fdb entries")
+Reported-by: Marlin Cremers <mcremers@cloudbear.nl>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://patch.msgid.link/20250901065035.159644-2-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vxlan/vxlan_core.c | 8 ++++----
+ drivers/net/vxlan/vxlan_private.h | 4 +---
+ 2 files changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
+index c4ce577eb0908..58590ddbc6a15 100644
+--- a/drivers/net/vxlan/vxlan_core.c
++++ b/drivers/net/vxlan/vxlan_core.c
+@@ -1460,6 +1460,10 @@ static enum skb_drop_reason vxlan_snoop(struct net_device *dev,
+ if (likely(f)) {
+ struct vxlan_rdst *rdst = first_remote_rcu(f);
+
++ /* Don't override an fdb with nexthop with a learnt entry */
++ if (rcu_access_pointer(f->nh))
++ return SKB_DROP_REASON_VXLAN_ENTRY_EXISTS;
++
+ if (likely(vxlan_addr_equal(&rdst->remote_ip, src_ip) &&
+ rdst->remote_ifindex == ifindex))
+ return SKB_NOT_DROPPED_YET;
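Review bot: `rdst` is still initialised from first_remote_rcu(f) in its declaration, before the new nexthop check. For a nexthop-backed entry it presumably holds NULL and is safe only because the early return comes first. Declaring `struct vxlan_rdst *rdst;` and assigning `rdst = first_remote_rcu(f);` after the `rcu_access_pointer(f->nh)` test would put that ordering dependency in the code, so a later reshuffle of the checks in this receive path cannot bring the dereference back. vxlan_snoop() begins and ends outside this hunk.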
+@@ -1468,10 +1472,6 @@ static enum skb_drop_reason vxlan_snoop(struct net_device *dev,
+ if (f->state & (NUD_PERMANENT | NUD_NOARP))
+ return SKB_DROP_REASON_VXLAN_ENTRY_EXISTS;
+
+- /* Don't override an fdb with nexthop with a learnt entry */
+- if (rcu_access_pointer(f->nh))
+- return SKB_DROP_REASON_VXLAN_ENTRY_EXISTS;
+-
+ if (net_ratelimit())
+ netdev_info(dev,
+ "%pM migrated from %pIS to %pIS\n",
+diff --git a/drivers/net/vxlan/vxlan_private.h b/drivers/net/vxlan/vxlan_private.h
+index 76a351a997d51..c6279ef98a5c2 100644
+--- a/drivers/net/vxlan/vxlan_private.h
++++ b/drivers/net/vxlan/vxlan_private.h
+@@ -56,9 +56,7 @@ static inline struct hlist_head *vs_head(struct net *net, __be16 port)
+ return &vn->sock_list[hash_32(ntohs(port), PORT_HASH_BITS)];
+ }
+
+-/* First remote destination for a forwarding entry.
+- * Guaranteed to be non-NULL because remotes are never deleted.
+- */
++/* First remote destination for a forwarding entry. */
+ static inline struct vxlan_rdst *first_remote_rcu(struct vxlan_fdb *fdb)
+ {
+ if (rcu_access_pointer(fdb->nh))
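Review bot: The shortened comment on first_remote_rcu() drops the incorrect non-NULL guarantee but does not say what the function returns for a nexthop-backed entry. The `rcu_access_pointer(fdb->nh)` branch at the end of the hunk is the case callers tripped over, so the comment could read `/* First remote destination for a forwarding entry, or NULL if the entry points to an FDB nexthop group. */`. That wording assumes the branch returns NULL, which the commit message implies but the hunk cuts off before showing. The function body continues outside this hunk.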
+--
+2.50.1
+
--- /dev/null
+From 863c144ae6ce9cc15a745b3b3be603a073f929b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Feb 2025 16:55:45 +0200
+Subject: vxlan: Refresh FDB 'updated' time upon 'NTF_USE'
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit 40a9994f2fbddf299655073be947e9cfc57dfdf1 ]
+
+The 'NTF_USE' flag can be used by user space to refresh FDB entries so
+that they will not age out. Currently, the VXLAN driver implements it by
+refreshing the 'used' field in the FDB entry as this is the field
+according to which FDB entries are aged out.
+
+Subsequent patches will switch the VXLAN driver to age out entries based
+on the 'updated' field. Prepare for this change by refreshing the
+'updated' field upon 'NTF_USE'. This is consistent with the bridge
+driver's FDB:
+
+ # ip link add name br1 up type bridge
+ # ip link add name swp1 master br1 up type dummy
+ # bridge fdb add 00:11:22:33:44:55 dev swp1 master dynamic vlan 1
+ # sleep 10
+ # bridge fdb replace 00:11:22:33:44:55 dev swp1 master dynamic vlan 1
+ # bridge -s -j fdb get 00:11:22:33:44:55 br br1 vlan 1 | jq '.[]["updated"]'
+ 10
+ # sleep 10
+ # bridge fdb replace 00:11:22:33:44:55 dev swp1 master use dynamic vlan 1
+ # bridge -s -j fdb get 00:11:22:33:44:55 br br1 vlan 1 | jq '.[]["updated"]'
+ 0
+
+Before:
+
+ # ip link add name vx1 up type vxlan id 10010 dstport 4789
+ # bridge fdb add 00:11:22:33:44:55 dev vx1 self dynamic dst 198.51.100.1
+ # sleep 10
+ # bridge fdb replace 00:11:22:33:44:55 dev vx1 self dynamic dst 198.51.100.1
+ # bridge -s -j -p fdb get 00:11:22:33:44:55 br vx1 self | jq '.[]["updated"]'
+ 10
+ # sleep 10
+ # bridge fdb replace 00:11:22:33:44:55 dev vx1 self use dynamic dst 198.51.100.1
+ # bridge -s -j -p fdb get 00:11:22:33:44:55 br vx1 self | jq '.[]["updated"]'
+ 20
+
+After:
+
+ # ip link add name vx1 up type vxlan id 10010 dstport 4789
+ # bridge fdb add 00:11:22:33:44:55 dev vx1 self dynamic dst 198.51.100.1
+ # sleep 10
+ # bridge fdb replace 00:11:22:33:44:55 dev vx1 self dynamic dst 198.51.100.1
+ # bridge -s -j -p fdb get 00:11:22:33:44:55 br vx1 self | jq '.[]["updated"]'
+ 10
+ # sleep 10
+ # bridge fdb replace 00:11:22:33:44:55 dev vx1 self use dynamic dst 198.51.100.1
+ # bridge -s -j -p fdb get 00:11:22:33:44:55 br vx1 self | jq '.[]["updated"]'
+ 0
+
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://patch.msgid.link/20250204145549.1216254-5-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 1f5d2fd1ca04 ("vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vxlan/vxlan_core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
+index ce9dcd8e74a93..ce9c979080bb4 100644
+--- a/drivers/net/vxlan/vxlan_core.c
++++ b/drivers/net/vxlan/vxlan_core.c
+@@ -1047,8 +1047,10 @@ static int vxlan_fdb_update_existing(struct vxlan_dev *vxlan,
+ notify |= rc;
+ }
+
+- if (ndm_flags & NTF_USE)
++ if (ndm_flags & NTF_USE) {
+ WRITE_ONCE(f->used, jiffies);
++ WRITE_ONCE(f->updated, jiffies);
++ }
+
+ if (notify) {
+ if (rd == NULL)
+--
+2.50.1
+
--- /dev/null
+From 9e02f79945cf32dfaf8b07e2b7b81ada04b4303a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 15:11:39 +0300
+Subject: vxlan: Rename FDB Tx lookup function
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit 5cde39ea38813ebb5bf07922a3ba60871edebf99 ]
+
+vxlan_find_mac() is only expected to be called from the Tx path as it
+updates the 'used' timestamp. Rename it to vxlan_find_mac_tx() to
+reflect that and to avoid incorrect updates of this timestamp like those
+addressed by commit 9722f834fe9a ("vxlan: Avoid unnecessary updates to
+FDB 'used' time").
+
+No functional changes intended.
+
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20250415121143.345227-12-idosch@nvidia.com
+Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: 1f5d2fd1ca04 ("vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vxlan/vxlan_core.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
+index 1d431e3fc71ea..6b4b4b0484d6e 100644
+--- a/drivers/net/vxlan/vxlan_core.c
++++ b/drivers/net/vxlan/vxlan_core.c
+@@ -428,8 +428,8 @@ static struct vxlan_fdb *__vxlan_find_mac(struct vxlan_dev *vxlan,
+ return NULL;
+ }
+
+-static struct vxlan_fdb *vxlan_find_mac(struct vxlan_dev *vxlan,
+- const u8 *mac, __be32 vni)
++static struct vxlan_fdb *vxlan_find_mac_tx(struct vxlan_dev *vxlan,
++ const u8 *mac, __be32 vni)
+ {
+ struct vxlan_fdb *f;
+
+@@ -1910,7 +1910,7 @@ static int arp_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni)
+ }
+
+ rcu_read_lock();
+- f = vxlan_find_mac(vxlan, n->ha, vni);
++ f = vxlan_find_mac_tx(vxlan, n->ha, vni);
+ if (f && vxlan_addr_any(&(first_remote_rcu(f)->remote_ip))) {
+ /* bridge-local neighbor */
+ neigh_release(n);
+@@ -2076,7 +2076,7 @@ static int neigh_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni)
+ goto out;
+ }
+
+- f = vxlan_find_mac(vxlan, n->ha, vni);
++ f = vxlan_find_mac_tx(vxlan, n->ha, vni);
+ if (f && vxlan_addr_any(&(first_remote_rcu(f)->remote_ip))) {
+ /* bridge-local neighbor */
+ neigh_release(n);
+@@ -2766,7 +2766,7 @@ static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev)
+
+ eth = eth_hdr(skb);
+ rcu_read_lock();
+- f = vxlan_find_mac(vxlan, eth->h_dest, vni);
++ f = vxlan_find_mac_tx(vxlan, eth->h_dest, vni);
+ did_rsc = false;
+
+ if (f && (f->flags & NTF_ROUTER) && (vxlan->cfg.flags & VXLAN_F_RSC) &&
+@@ -2774,11 +2774,11 @@ static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev)
+ ntohs(eth->h_proto) == ETH_P_IPV6)) {
+ did_rsc = route_shortcircuit(dev, skb);
+ if (did_rsc)
+- f = vxlan_find_mac(vxlan, eth->h_dest, vni);
++ f = vxlan_find_mac_tx(vxlan, eth->h_dest, vni);
+ }
+
+ if (f == NULL) {
+- f = vxlan_find_mac(vxlan, all_zeros_mac, vni);
++ f = vxlan_find_mac_tx(vxlan, all_zeros_mac, vni);
+ if (f == NULL) {
+ if ((vxlan->cfg.flags & VXLAN_F_L2MISS) &&
+ !is_multicast_ether_addr(eth->h_dest))
+--
+2.50.1
+
--- /dev/null
+From facb50079149384b5ceee02c370286472c785fbe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 10 Aug 2025 22:30:18 +0530
+Subject: wifi: ath11k: fix group data packet drops during rekey
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
+
+[ Upstream commit 97acb0259cc9cbfbd7ab689e25684f3d8ce10e26 ]
+
+During GTK rekey, mac80211 issues a clear key (if the old key exists)
+followed by an install key operation in the same context. This causes
+ath11k to send two WMI commands in quick succession: one to clear the
+old key and another to install the new key in the same slot.
+
+Under certain conditions—especially under high load or time sensitive
+scenarios, firmware may process these commands asynchronously in a way
+that firmware assumes the key is cleared whereas hardware has a valid key.
+This inconsistency between hardware and firmware leads to group addressed
+packet drops. Only setting the same key again can restore a valid key in
+firmware and allow packets to be transmitted.
+
+This issue remained latent because the host's clear key commands were
+not effective in firmware until commit 436a4e886598 ("ath11k: clear the
+keys properly via DISABLE_KEY"). That commit enabled the host to
+explicitly clear group keys, which inadvertently exposed the race.
+
+To mitigate this, restrict group key clearing across all modes (AP, STA,
+MESH). During rekey, the new key can simply be set on top of the previous
+one, avoiding the need for a clear followed by a set.
+
+However, in AP mode specifically, permit group key clearing when no
+stations are associated. This exception supports transitions from secure
+modes (e.g., WPA2/WPA3) to open mode, during which all associated peers
+are removed and the group key is cleared as part of the transition.
+
+Add a per-BSS station counter to track the presence of stations during
+set key operations. Also add a reset_group_keys flag to track the key
+re-installation state and avoid repeated installation of the same key
+when the number of connected stations transitions to non-zero within a
+rekey period.
+
+Additionally, for AP and Mesh modes, when the first station associates,
+reinstall the same group key that was last set. This ensures that the
+firmware recovers from any race that may have occurred during a previous
+key clear when no stations were associated.
+
+This change ensures that key clearing is permitted only when no clients
+are connected, avoiding packet loss while enabling dynamic security mode
+transitions.
+
+Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.9.0.1-02146-QCAHKSWPL_SILICONZ-1
+Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
+
+Reported-by: Steffen Moser <lists@steffen-moser.de>
+Closes: https://lore.kernel.org/linux-wireless/c6366409-9928-4dd7-bf7b-ba7fcf20eabf@steffen-moser.de
+Fixes: 436a4e886598 ("ath11k: clear the keys properly via DISABLE_KEY")
+Signed-off-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
+Tested-by: Nicolas Escande <nico.escande@gmail.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250810170018.1124014-1-rameshkumar.sundaram@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/core.h | 2 +
+ drivers/net/wireless/ath/ath11k/mac.c | 111 +++++++++++++++++++++++--
+ 2 files changed, 104 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h
+index 09fdb7be0e197..2fed2f58a0bd9 100644
+--- a/drivers/net/wireless/ath/ath11k/core.h
++++ b/drivers/net/wireless/ath/ath11k/core.h
+@@ -409,6 +409,8 @@ struct ath11k_vif {
+ bool do_not_send_tmpl;
+ struct ath11k_arp_ns_offload arp_ns_offload;
+ struct ath11k_rekey_data rekey_data;
++ u32 num_stations;
++ bool reinstall_group_keys;
+
+ struct ath11k_reg_tpc_power_info reg_tpc_info;
+
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index ddf4ec6b244b4..bd91d1deb26e1 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -4307,6 +4307,40 @@ static int ath11k_clear_peer_keys(struct ath11k_vif *arvif,
+ return first_errno;
+ }
+
++static int ath11k_set_group_keys(struct ath11k_vif *arvif)
++{
++ struct ath11k *ar = arvif->ar;
++ struct ath11k_base *ab = ar->ab;
++ const u8 *addr = arvif->bssid;
++ int i, ret, first_errno = 0;
++ struct ath11k_peer *peer;
++
++ spin_lock_bh(&ab->base_lock);
++ peer = ath11k_peer_find(ab, arvif->vdev_id, addr);
++ spin_unlock_bh(&ab->base_lock);
++
++ if (!peer)
++ return -ENOENT;
++
++ for (i = 0; i < ARRAY_SIZE(peer->keys); i++) {
++ struct ieee80211_key_conf *key = peer->keys[i];
++
++ if (!key || (key->flags & IEEE80211_KEY_FLAG_PAIRWISE))
++ continue;
++
++ ret = ath11k_install_key(arvif, key, SET_KEY, addr,
++ WMI_KEY_GROUP);
++ if (ret < 0 && first_errno == 0)
++ first_errno = ret;
++
++ if (ret < 0)
++ ath11k_warn(ab, "failed to set group key of idx %d for vdev %d: %d\n",
++ i, arvif->vdev_id, ret);
++ }
++
++ return first_errno;
++}
++
+ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
+ struct ieee80211_vif *vif, struct ieee80211_sta *sta,
+ struct ieee80211_key_conf *key)
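Review bot: ath11k_set_group_keys() drops `ab->base_lock` right after ath11k_peer_find() and then walks `peer->keys[]` and hands the entries to ath11k_install_key() with no lock held, so nothing visible in this hunk keeps the peer or its key pointers alive for the duration of the loop. If the caller is expected to serialise this against peer removal (presumably through the driver's conf_mutex, which the hunk does not show), state that at the top of the function with `lockdep_assert_held(&ar->conf_mutex);` and a one-line comment. The `-ENOENT` return is also silent, unlike the per-key failure path, which warns.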
+@@ -4316,6 +4350,7 @@ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
+ struct ath11k_vif *arvif = ath11k_vif_to_arvif(vif);
+ struct ath11k_peer *peer;
+ struct ath11k_sta *arsta;
++ bool is_ap_with_no_sta;
+ const u8 *peer_addr;
+ int ret = 0;
+ u32 flags = 0;
+@@ -4376,16 +4411,57 @@ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
+ else
+ flags |= WMI_KEY_GROUP;
+
+- ret = ath11k_install_key(arvif, key, cmd, peer_addr, flags);
+- if (ret) {
+- ath11k_warn(ab, "ath11k_install_key failed (%d)\n", ret);
+- goto exit;
+- }
++ ath11k_dbg(ar->ab, ATH11K_DBG_MAC,
++ "%s for peer %pM on vdev %d flags 0x%X, type = %d, num_sta %d\n",
++ cmd == SET_KEY ? "SET_KEY" : "DEL_KEY", peer_addr, arvif->vdev_id,
++ flags, arvif->vdev_type, arvif->num_stations);
++
++ /* Allow group key clearing only in AP mode when no stations are
++ * associated. There is a known race condition in firmware where
++ * group addressed packets may be dropped if the key is cleared
++ * and immediately set again during rekey.
++ *
++ * During GTK rekey, mac80211 issues a clear key (if the old key
++ * exists) followed by an install key operation for same key
++ * index. This causes ath11k to send two WMI commands in quick
++ * succession: one to clear the old key and another to install the
++ * new key in the same slot.
++ *
++ * Under certain conditions—especially under high load or time
++ * sensitive scenarios, firmware may process these commands
++ * asynchronously in a way that firmware assumes the key is
++ * cleared whereas hardware has a valid key. This inconsistency
++ * between hardware and firmware leads to group addressed packet
++ * drops after rekey.
++ * Only setting the same key again can restore a valid key in
++ * firmware and allow packets to be transmitted.
++ *
++ * There is a use case where an AP can transition from Secure mode
++ * to open mode without a vdev restart by just deleting all
++ * associated peers and clearing key, Hence allow clear key for
++ * that case alone. Mark arvif->reinstall_group_keys in such cases
++ * and reinstall the same key when the first peer is added,
++ * allowing firmware to recover from the race if it had occurred.
++ */
+
+- ret = ath11k_dp_peer_rx_pn_replay_config(arvif, peer_addr, cmd, key);
+- if (ret) {
+- ath11k_warn(ab, "failed to offload PN replay detection %d\n", ret);
+- goto exit;
++ is_ap_with_no_sta = (vif->type == NL80211_IFTYPE_AP &&
++ !arvif->num_stations);
++ if ((flags & WMI_KEY_PAIRWISE) || cmd == SET_KEY || is_ap_with_no_sta) {
++ ret = ath11k_install_key(arvif, key, cmd, peer_addr, flags);
++ if (ret) {
++ ath11k_warn(ab, "ath11k_install_key failed (%d)\n", ret);
++ goto exit;
++ }
++
++ ret = ath11k_dp_peer_rx_pn_replay_config(arvif, peer_addr, cmd, key);
++ if (ret) {
++ ath11k_warn(ab, "failed to offload PN replay detection %d\n",
++ ret);
++ goto exit;
++ }
++
++ if ((flags & WMI_KEY_GROUP) && cmd == SET_KEY && is_ap_with_no_sta)
++ arvif->reinstall_group_keys = true;
+ }
+
+ spin_lock_bh(&ab->base_lock);
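Review bot: `is_ap_with_no_sta` tests only `vif->type == NL80211_IFTYPE_AP`, so `arvif->reinstall_group_keys` is never set for a mesh interface, while the commit description says the reinstall on first station association covers AP and Mesh modes. Either extend the test to mesh or narrow the description and the block comment to AP. Separately, a group-key DEL_KEY that fails the condition is skipped while `ret` stays 0 and execution falls through to the code after `spin_lock_bh()`, which is outside this hunk. If that code drops the host's record of the key, the old group key stays programmed in hardware with no host reference, and the comment should say that this is intended. ath11k_mac_op_set_key() starts and ends outside the hunk.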
+@@ -4984,6 +5060,7 @@ static int ath11k_mac_inc_num_stations(struct ath11k_vif *arvif,
+ return -ENOBUFS;
+
+ ar->num_stations++;
++ arvif->num_stations++;
+
+ return 0;
+ }
+@@ -4999,6 +5076,7 @@ static void ath11k_mac_dec_num_stations(struct ath11k_vif *arvif,
+ return;
+
+ ar->num_stations--;
++ arvif->num_stations--;
+ }
+
+ static u32 ath11k_mac_ieee80211_sta_bw_to_wmi(struct ath11k *ar,
+@@ -9519,6 +9597,21 @@ static int ath11k_mac_station_add(struct ath11k *ar,
+ goto exit;
+ }
+
++ /* Driver allows the DEL KEY followed by SET KEY sequence for
++ * group keys for only when there is no clients associated, if at
++ * all firmware has entered the race during that window,
++ * reinstalling the same key when the first sta connects will allow
++ * firmware to recover from the race.
++ */
++ if (arvif->num_stations == 1 && arvif->reinstall_group_keys) {
++ ath11k_dbg(ab, ATH11K_DBG_MAC, "set group keys on 1st station add for vdev %d\n",
++ arvif->vdev_id);
++ ret = ath11k_set_group_keys(arvif);
++ if (ret)
++ goto dec_num_station;
++ arvif->reinstall_group_keys = false;
++ }
++
+ arsta->rx_stats = kzalloc(sizeof(*arsta->rx_stats), GFP_KERNEL);
+ if (!arsta->rx_stats) {
+ ret = -ENOMEM;
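Review bot: When ath11k_set_group_keys() fails here, the first station's association is rejected through `goto dec_num_station` without any message, and for the `-ENOENT` case the helper does not log either. Add `ath11k_warn(ab, "failed to reinstall group keys for vdev %d: %d\n", arvif->vdev_id, ret);` before the goto so the rejected association can be diagnosed from the log. The `dec_num_station` label and the rest of ath11k_mac_station_add() are outside the hunk.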
+--
+2.50.1
+
--- /dev/null
+From d2acd81dd549712e96699d5c7a3635a3866011cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 13:08:39 +0800
+Subject: wifi: brcmfmac: fix use-after-free when rescheduling
+ brcmf_btcoex_info work
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+[ Upstream commit 9cb83d4be0b9b697eae93d321e0da999f9cdfcfc ]
+
+The brcmf_btcoex_detach() only shuts down the btcoex timer, if the
+flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which
+runs as timer handler, sets timer_on to false. This creates critical
+race conditions:
+
+1.If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc()
+is executing, it may observe timer_on as false and skip the call to
+timer_shutdown_sync().
+
+2.The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info
+worker after the cancel_work_sync() has been executed, resulting in
+use-after-free bugs.
+
+The use-after-free bugs occur in two distinct scenarios, depending on
+the timing of when the brcmf_btcoex_info struct is freed relative to
+the execution of its worker thread.
+
+Scenario 1: Freed before the worker is scheduled
+
+The brcmf_btcoex_info is deallocated before the worker is scheduled.
+A race condition can occur when schedule_work(&bt_local->work) is
+called after the target memory has been freed. The sequence of events
+is detailed below:
+
+CPU0 | CPU1
+brcmf_btcoex_detach | brcmf_btcoex_timerfunc
+ | bt_local->timer_on = false;
+ if (cfg->btcoex->timer_on) |
+ ... |
+ cancel_work_sync(); |
+ ... |
+ kfree(cfg->btcoex); // FREE |
+ | schedule_work(&bt_local->work); // USE
+
+Scenario 2: Freed after the worker is scheduled
+
+The brcmf_btcoex_info is freed after the worker has been scheduled
+but before or during its execution. In this case, statements within
+the brcmf_btcoex_handler() — such as the container_of macro and
+subsequent dereferences of the brcmf_btcoex_info object will cause
+a use-after-free access. The following timeline illustrates this
+scenario:
+
+CPU0 | CPU1
+brcmf_btcoex_detach | brcmf_btcoex_timerfunc
+ | bt_local->timer_on = false;
+ if (cfg->btcoex->timer_on) |
+ ... |
+ cancel_work_sync(); |
+ ... | schedule_work(); // Reschedule
+ |
+ kfree(cfg->btcoex); // FREE | brcmf_btcoex_handler() // Worker
+ /* | btci = container_of(....); // USE
+ The kfree() above could | ...
+ also occur at any point | btci-> // USE
+ during the worker's execution|
+ */ |
+
+To resolve the race conditions, drop the conditional check and call
+timer_shutdown_sync() directly. It can deactivate the timer reliably,
+regardless of its current state. Once stopped, the timer_on state is
+then set to false.
+
+Fixes: 61730d4dfffc ("brcmfmac: support critical protocol API for DHCP")
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Link: https://patch.msgid.link/20250822050839.4413-1-duoming@zju.edu.cn
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c
+index 1e8495f50c16a..6531cff58ae9f 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c
+@@ -392,10 +392,8 @@ void brcmf_btcoex_detach(struct brcmf_cfg80211_info *cfg)
+ if (!cfg->btcoex)
+ return;
+
+- if (cfg->btcoex->timer_on) {
+- cfg->btcoex->timer_on = false;
+- timer_shutdown_sync(&cfg->btcoex->timer);
+- }
++ timer_shutdown_sync(&cfg->btcoex->timer);
++ cfg->btcoex->timer_on = false;
+
+ cancel_work_sync(&cfg->btcoex->work);
+
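Review bot: The order of the two calls now carries the whole fix, and nothing in the code says so. Per the commit description the timer handler clears `timer_on` itself and schedules the work, so the shutdown has to be unconditional and has to come before `cancel_work_sync()`. A comment above `timer_shutdown_sync()` such as `/* handler clears timer_on and schedules work: shut down unconditionally, before cancel_work_sync() */` would keep a later cleanup from restoring the flag check. brcmf_btcoex_detach() continues outside the hunk.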
+--
+2.50.1
+
--- /dev/null
+From 5d62cf12ef755fdd35eb8dd923db6e28e3f9e6f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Aug 2025 16:52:36 +0300
+Subject: wifi: cfg80211: fix use-after-free in cmp_bss()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 26e84445f02ce6b2fe5f3e0e28ff7add77f35e08 ]
+
+Following bss_free() quirk introduced in commit 776b3580178f
+("cfg80211: track hidden SSID networks properly"), adjust
+cfg80211_update_known_bss() to free the last beacon frame
+elements only if they're not shared via the corresponding
+'hidden_beacon_bss' pointer.
+
+Reported-by: syzbot+30754ca335e6fb7e3092@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=30754ca335e6fb7e3092
+Fixes: 3ab8227d3e7d ("cfg80211: refactor cfg80211_bss_update")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Link: https://patch.msgid.link/20250813135236.799384-1-dmantipov@yandex.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/scan.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index d80ab1725f28d..f00ccc6d803be 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -1868,7 +1868,8 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev,
+ */
+
+ f = rcu_access_pointer(new->pub.beacon_ies);
+- kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head);
++ if (!new->pub.hidden_beacon_bss)
++ kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head);
+ return false;
+ }
+
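Review bot: The new `if (!new->pub.hidden_beacon_bss)` guard encodes an ownership rule that is explained only in the commit description: when that pointer is set, the beacon IEs are shared with the hidden BSS entry and must not be freed here. Add a short comment above the guard, e.g. `/* beacon_ies is shared via hidden_beacon_bss and is not ours to free */`, so the skipped kfree_rcu() is not later read as a leak and "fixed". cfg80211_update_known_bss() starts and ends outside the hunk.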
+--
+2.50.1
+
--- /dev/null
+From 9af13662c05bb62e24bafd430c7ed47f074a1bcc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 15:48:45 +0300
+Subject: wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 62b635dcd69c4fde7ce1de4992d71420a37e51e3 ]
+
+If the ssid->datalen is more than IEEE80211_MAX_SSID_LEN (32) it would
+lead to memory corruption so add some bounds checking.
+
+Fixes: c38c70185101 ("wifi: cfg80211: Set SSID if it is not already set")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/0aaaae4a3ed37c6252363c34ae4904b1604e8e32.1756456951.git.dan.carpenter@linaro.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/sme.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/sme.c b/net/wireless/sme.c
+index 2681716000876..e0d3c713538b5 100644
+--- a/net/wireless/sme.c
++++ b/net/wireless/sme.c
+@@ -903,13 +903,16 @@ void __cfg80211_connect_result(struct net_device *dev,
+ if (!wdev->u.client.ssid_len) {
+ rcu_read_lock();
+ for_each_valid_link(cr, link) {
++ u32 ssid_len;
++
+ ssid = ieee80211_bss_get_elem(cr->links[link].bss,
+ WLAN_EID_SSID);
+
+ if (!ssid || !ssid->datalen)
+ continue;
+
+- memcpy(wdev->u.client.ssid, ssid->data, ssid->datalen);
++ ssid_len = min(ssid->datalen, IEEE80211_MAX_SSID_LEN);
++ memcpy(wdev->u.client.ssid, ssid->data, ssid_len);
+ wdev->u.client.ssid_len = ssid->datalen;
+ break;
+ }
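Review bot: The copy is capped but the stored length is not, because `wdev->u.client.ssid_len = ssid->datalen;` still records the element's full length. For an SSID element longer than IEEE80211_MAX_SSID_LEN the recorded length then exceeds the bytes held in `wdev->u.client.ssid`, and any later reader that trusts `ssid_len` as the size of that buffer would read past it. Store the capped value instead: `wdev->u.client.ssid_len = ssid_len;`. __cfg80211_connect_result() starts and ends outside the hunk.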
+--
+2.50.1
+
--- /dev/null
+From fdc05faeb2da7b384620748c2f74bc0c63a01fa4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 15:48:28 +0300
+Subject: wifi: cw1200: cap SSID length in cw1200_do_join()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit f8f15f6742b8874e59c9c715d0af3474608310ad ]
+
+If the ssidie[1] length is more that 32 it leads to memory corruption.
+
+Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/e91fb43fcedc4893b604dfb973131661510901a7.1756456951.git.dan.carpenter@linaro.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/st/cw1200/sta.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/st/cw1200/sta.c b/drivers/net/wireless/st/cw1200/sta.c
+index c259da8161e4d..2bce867dd4acf 100644
+--- a/drivers/net/wireless/st/cw1200/sta.c
++++ b/drivers/net/wireless/st/cw1200/sta.c
+@@ -1290,7 +1290,7 @@ static void cw1200_do_join(struct cw1200_common *priv)
+ rcu_read_lock();
+ ssidie = ieee80211_bss_get_ie(bss, WLAN_EID_SSID);
+ if (ssidie) {
+- join.ssid_len = ssidie[1];
++ join.ssid_len = min(ssidie[1], IEEE80211_MAX_SSID_LEN);
+ memcpy(join.ssid, &ssidie[2], join.ssid_len);
+ }
+ rcu_read_unlock();
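Review bot: An SSID element whose length byte exceeds IEEE80211_MAX_SSID_LEN is now truncated silently, and the join proceeds with the first 32 bytes, which is not the SSID the BSS advertised. Consider treating such an element as malformed, skipping the copy and logging it, rather than joining on a shortened name. The same applies to the `ssid_len` cap added in the lbs_associate() hunk of the libertas patch. cw1200_do_join() starts and ends outside the hunk.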
+--
+2.50.1
+
--- /dev/null
+From f2062e91037bddbde645f893e4cacad07b73dd8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Aug 2025 09:55:28 +0300
+Subject: wifi: iwlwifi: uefi: check DSM item validity
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 1d33694462fa7da451846c39d653585b61375992 ]
+
+The first array index is a bitmap indicating which of the
+other values are valid. Check that bitmap before returning
+a value.
+
+Fixes: fc7214c3c986 ("wifi: iwlwifi: read DSM functions from UEFI")
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220085
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20250828095500.59ec52ff865e.I9e11f497a029eb38f481b2c90c43c0935285216d@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/fw/uefi.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/fw/uefi.c b/drivers/net/wireless/intel/iwlwifi/fw/uefi.c
+index 86d6286a15378..e5fbb5fcc4abc 100644
+--- a/drivers/net/wireless/intel/iwlwifi/fw/uefi.c
++++ b/drivers/net/wireless/intel/iwlwifi/fw/uefi.c
+@@ -741,6 +741,12 @@ int iwl_uefi_get_dsm(struct iwl_fw_runtime *fwrt, enum iwl_dsm_funcs func,
+ goto out;
+ }
+
++ if (!(data->functions[DSM_FUNC_QUERY] & BIT(func))) {
++ IWL_DEBUG_RADIO(fwrt, "DSM func %d not in 0x%x\n",
++ func, data->functions[DSM_FUNC_QUERY]);
++ goto out;
++ }
++
+ *value = data->functions[func];
+ ret = 0;
+ out:
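Review bot: The new branch leaves through `goto out` without assigning `ret`, so the value returned for a function that is absent from the validity bitmap depends on an initialisation that is outside this hunk. Set it explicitly in the branch, for example `ret = -ENODATA;` or whichever code the callers already treat as "not provided", so the result does not change if the earlier code is reordered. iwl_uefi_get_dsm() starts and ends outside the hunk.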
+--
+2.50.1
+
--- /dev/null
+From d691b9b883c9f2b45af64cef528b23b5e12dc72d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 15:48:35 +0300
+Subject: wifi: libertas: cap SSID len in lbs_associate()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit c786794bd27b0d7a5fd9063695df83206009be59 ]
+
+If the ssid_eid[1] length is more that 32 it leads to memory corruption.
+
+Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/2a40f5ec7617144aef412034c12919a4927d90ad.1756456951.git.dan.carpenter@linaro.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/libertas/cfg.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c
+index afe9bcd3ad46d..37bb788f83e36 100644
+--- a/drivers/net/wireless/marvell/libertas/cfg.c
++++ b/drivers/net/wireless/marvell/libertas/cfg.c
+@@ -1150,10 +1150,13 @@ static int lbs_associate(struct lbs_private *priv,
+ /* add SSID TLV */
+ rcu_read_lock();
+ ssid_eid = ieee80211_bss_get_ie(bss, WLAN_EID_SSID);
+- if (ssid_eid)
+- pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_eid[1]);
+- else
++ if (ssid_eid) {
++ u32 ssid_len = min(ssid_eid[1], IEEE80211_MAX_SSID_LEN);
++
++ pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_len);
++ } else {
+ lbs_deb_assoc("no SSID\n");
++ }
+ rcu_read_unlock();
+
+ /* add DS param TLV */
+--
+2.50.1
+
--- /dev/null
+From d57ce062989234f925316bd7434cc431894ad525 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 10:53:52 +0200
+Subject: wifi: mt76: fix linked list corruption
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit 49fba87205bec14a0f6bd997635bf3968408161e ]
+
+Never leave scheduled wcid entries on the temporary on-stack list
+
+Fixes: 0b3be9d1d34e ("wifi: mt76: add separate tx scheduling queue for off-channel tx")
+Link: https://patch.msgid.link/20250827085352.51636-6-nbd@nbd.name
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/tx.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/tx.c b/drivers/net/wireless/mediatek/mt76/tx.c
+index 5e081972bf445..634b6dacd1e0d 100644
+--- a/drivers/net/wireless/mediatek/mt76/tx.c
++++ b/drivers/net/wireless/mediatek/mt76/tx.c
+@@ -645,6 +645,7 @@ mt76_txq_schedule_pending_wcid(struct mt76_phy *phy, struct mt76_wcid *wcid,
+ static void mt76_txq_schedule_pending(struct mt76_phy *phy)
+ {
+ LIST_HEAD(tx_list);
++ int ret = 0;
+
+ if (list_empty(&phy->tx_list))
+ return;
+@@ -656,13 +657,13 @@ static void mt76_txq_schedule_pending(struct mt76_phy *phy)
+ list_splice_init(&phy->tx_list, &tx_list);
+ while (!list_empty(&tx_list)) {
+ struct mt76_wcid *wcid;
+- int ret;
+
+ wcid = list_first_entry(&tx_list, struct mt76_wcid, tx_list);
+ list_del_init(&wcid->tx_list);
+
+ spin_unlock(&phy->tx_lock);
+- ret = mt76_txq_schedule_pending_wcid(phy, wcid, &wcid->tx_offchannel);
++ if (ret >= 0)
++ ret = mt76_txq_schedule_pending_wcid(phy, wcid, &wcid->tx_offchannel);
+ if (ret >= 0 && !phy->offchannel)
+ ret = mt76_txq_schedule_pending_wcid(phy, wcid, &wcid->tx_pending);
+ spin_lock(&phy->tx_lock);
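Review bot: `ret` is now sticky across iterations, and the only hint that this is deliberate is the commit subject. Once a call returns a negative value, every remaining wcid skips both schedule calls and is only taken off the on-stack `tx_list` and handed to the re-queue check in the next hunk. A comment above `if (ret >= 0)` such as `/* after an error keep draining: no wcid may stay on the on-stack list */` would stop the removed `break` from being reintroduced. In that drain-only state the `spin_unlock()`/`spin_lock()` pair surrounds no work and could be skipped too.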
+@@ -671,9 +672,6 @@ static void mt76_txq_schedule_pending(struct mt76_phy *phy)
+ !skb_queue_empty(&wcid->tx_offchannel) &&
+ list_empty(&wcid->tx_list))
+ list_add_tail(&wcid->tx_list, &phy->tx_list);
+-
+- if (ret < 0)
+- break;
+ }
+ spin_unlock(&phy->tx_lock);
+
+--
+2.50.1
+
--- /dev/null
+From 23c8d9bab63fdaf6bae8809696b93f4122428ce9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 10:53:51 +0200
+Subject: wifi: mt76: free pending offchannel tx frames on wcid cleanup
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit bdeac7815629c1a32b8784922368742e183747ea ]
+
+Avoid leaking them or keeping the wcid on the tx list
+
+Fixes: 0b3be9d1d34e ("wifi: mt76: add separate tx scheduling queue for off-channel tx")
+Link: https://patch.msgid.link/20250827085352.51636-5-nbd@nbd.name
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mac80211.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mac80211.c b/drivers/net/wireless/mediatek/mt76/mac80211.c
+index 0ca83f1a3e3ea..5373f8c419b04 100644
+--- a/drivers/net/wireless/mediatek/mt76/mac80211.c
++++ b/drivers/net/wireless/mediatek/mt76/mac80211.c
+@@ -1586,6 +1586,10 @@ void mt76_wcid_cleanup(struct mt76_dev *dev, struct mt76_wcid *wcid)
+ skb_queue_splice_tail_init(&wcid->tx_pending, &list);
+ spin_unlock(&wcid->tx_pending.lock);
+
++ spin_lock(&wcid->tx_offchannel.lock);
++ skb_queue_splice_tail_init(&wcid->tx_offchannel, &list);
++ spin_unlock(&wcid->tx_offchannel.lock);
++
+ spin_unlock_bh(&phy->tx_lock);
+
+ while ((skb = __skb_dequeue(&list)) != NULL) {
+--
+2.50.1
+
--- /dev/null
+From 92ab92579037cf7498349a36b3944ed28a45f7ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Jul 2025 07:04:13 -0700
+Subject: wifi: mt76: mt7925: fix locking in mt7925_change_vif_links()
+
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+
+[ Upstream commit 9f15701370ec15fbf1f6a1cbbf584b0018d036b5 ]
+
+&dev->mt76.mutex lock is taken using mt792x_mutex_acquire(dev) but not
+released in one of the error paths, add the unlock to fix it.
+
+Fixes: 5cd0bd815c8a ("wifi: mt76: mt7925: fix NULL deref check in mt7925_change_vif_links")
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/r/202503031055.3ZRqxhAl-lkp@intel.com/
+Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Link: https://patch.msgid.link/20250727140416.1153406-1-harshit.m.mogalapalli@oracle.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7925/main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
+index a635b223dab18..53831e1e00424 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
+@@ -2005,8 +2005,10 @@ mt7925_change_vif_links(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
+ GFP_KERNEL);
+ mlink = devm_kzalloc(dev->mt76.dev, sizeof(*mlink),
+ GFP_KERNEL);
+- if (!mconf || !mlink)
++ if (!mconf || !mlink) {
++ mt792x_mutex_release(dev);
+ return -ENOMEM;
++ }
+ }
+
+ mconfs[link_id] = mconf;
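Review bot: The added error path releases the mutex but still returns directly, so whichever of `mconf`/`mlink` was successfully allocated stays allocated until the devm resources are released. That covers this iteration and, if this sits in a loop as the `mconfs[link_id]` assignment suggests, earlier ones too. Routing the failure through a common unwind label that calls `devm_kfree()` on them and then `mt792x_mutex_release(dev)` would cover both problems. Other early returns in mt7925_change_vif_links(), which are outside this hunk, are worth checking for the same missing release.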
+--
+2.50.1
+
--- /dev/null
+From a292faa1cd56a2193bc8b5e813bb534a5cfb0b8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Aug 2025 14:11:06 +0200
+Subject: wifi: mt76: prevent non-offchannel mgmt tx during scan/roc
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit 4c2334587b0a13b8f4eda1336ae657297fcd743b ]
+
+Only put probe request packets in the offchannel queue if
+IEEE80211_TX_CTRL_DONT_USE_RATE_MASK is set and IEEE80211_TX_CTL_TX_OFFCHAN
+is unset.
+
+Fixes: 0b3be9d1d34e ("wifi: mt76: add separate tx scheduling queue for off-channel tx")
+Reported-by: Chad Monroe <chad.monroe@adtran.com>
+Link: https://patch.msgid.link/20250813121106.81559-2-nbd@nbd.name
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/tx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/tx.c b/drivers/net/wireless/mediatek/mt76/tx.c
+index 065a1e4537457..5e081972bf445 100644
+--- a/drivers/net/wireless/mediatek/mt76/tx.c
++++ b/drivers/net/wireless/mediatek/mt76/tx.c
+@@ -334,6 +334,7 @@ mt76_tx(struct mt76_phy *phy, struct ieee80211_sta *sta,
+ struct mt76_wcid *wcid, struct sk_buff *skb)
+ {
+ struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
++ struct ieee80211_hdr *hdr = (void *)skb->data;
+ struct sk_buff_head *head;
+
+ if (mt76_testmode_enabled(phy)) {
+@@ -351,7 +352,8 @@ mt76_tx(struct mt76_phy *phy, struct ieee80211_sta *sta,
+ info->hw_queue |= FIELD_PREP(MT_TX_HW_QUEUE_PHY, phy->band_idx);
+
+ if ((info->flags & IEEE80211_TX_CTL_TX_OFFCHAN) ||
+- (info->control.flags & IEEE80211_TX_CTRL_DONT_USE_RATE_MASK))
++ ((info->control.flags & IEEE80211_TX_CTRL_DONT_USE_RATE_MASK) &&
++ ieee80211_is_probe_req(hdr->frame_control)))
+ head = &wcid->tx_offchannel;
+ else
+ head = &wcid->tx_pending;
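Review bot: The queue selection is now a three-part condition whose rationale exists only in the commit description. A comment above the `if`, e.g. `/* without TX_OFFCHAN, DONT_USE_RATE_MASK selects the offchannel queue only for probe requests */`, would make the intent reviewable in place. `hdr` is taken from `skb->data` with a `(void *)` cast and no length check in the visible lines, so the comment should also state the assumption that every skb reaching mt76_tx() carries at least an 802.11 frame-control field. mt76_tx() continues outside the hunk.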
+--
+2.50.1
+
--- /dev/null
+From 98f1a7a60b979493e9b4feeb4a840ef324d90232 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 12:26:43 -0700
+Subject: xirc2ps_cs: fix register access when enabling FullDuplex
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit b79e498080b170fd94fc83bca2471f450811549b ]
+
+The current code incorrectly passes (XIRCREG1_ECR | FullDuplex) as
+the register address to GetByte(), instead of fetching the register
+value and OR-ing it with FullDuplex. This results in an invalid
+register access.
+
+Fix it by reading XIRCREG1_ECR first, then or-ing with FullDuplex
+before writing it back.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://patch.msgid.link/20250827192645.658496-1-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/xircom/xirc2ps_cs.c b/drivers/net/ethernet/xircom/xirc2ps_cs.c
+index a31d5d5e65936..97e88886253f5 100644
+--- a/drivers/net/ethernet/xircom/xirc2ps_cs.c
++++ b/drivers/net/ethernet/xircom/xirc2ps_cs.c
+@@ -1576,7 +1576,7 @@ do_reset(struct net_device *dev, int full)
+ msleep(40); /* wait 40 msec to let it complete */
+ }
+ if (full_duplex)
+- PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR | FullDuplex));
++ PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR) | FullDuplex);
+ } else { /* No MII */
+ SelectPage(0);
+ value = GetByte(XIRCREG_ESR); /* read the ESR */
+--
+2.50.1
+
--- /dev/null
+From aaa0899200bf3ec0abf75f1948da2463de72b5c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Sep 2025 12:46:42 +0000
+Subject: ax25: properly unshare skbs in ax25_kiss_rcv()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 8156210d36a43e76372312c87eb5ea3dbb405a85 ]
+
+Bernard Pidoux reported a regression apparently caused by commit
+c353e8983e0d ("net: introduce per netns packet chains").
+
+skb->dev becomes NULL and we crash in __netif_receive_skb_core().
+
+Before above commit, different kind of bugs or corruptions could happen
+without a major crash.
+
+But the root cause is that ax25_kiss_rcv() can queue/mangle input skb
+without checking if this skb is shared or not.
+
+Many thanks to Bernard Pidoux for his help, diagnosis and tests.
+
+We had a similar issue years ago fixed with commit 7aaed57c5c28
+("phonet: properly unshare skbs in phonet_rcv()").
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Bernard Pidoux <f6bvp@free.fr>
+Closes: https://lore.kernel.org/netdev/1713f383-c538-4918-bc64-13b3288cd542@free.fr/
+Tested-by: Bernard Pidoux <f6bvp@free.fr>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Joerg Reuter <jreuter@yaina.de>
+Cc: David Ranch <dranch@trinnet.net>
+Cc: Folkert van Heusden <folkert@vanheusden.com>
+Reviewed-by: Dan Cross <crossd@gmail.com>
+Link: https://patch.msgid.link/20250902124642.212705-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ax25/ax25_in.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/ax25/ax25_in.c b/net/ax25/ax25_in.c
+index 1cac25aca6378..f2d66af863595 100644
+--- a/net/ax25/ax25_in.c
++++ b/net/ax25/ax25_in.c
+@@ -433,6 +433,10 @@ static int ax25_rcv(struct sk_buff *skb, struct net_device *dev,
+ int ax25_kiss_rcv(struct sk_buff *skb, struct net_device *dev,
+ struct packet_type *ptype, struct net_device *orig_dev)
+ {
++ skb = skb_share_check(skb, GFP_ATOMIC);
++ if (!skb)
++ return NET_RX_DROP;
++
+ skb_orphan(skb);
+
+ if (!net_eq(dev_net(dev), &init_net)) {
+--
+2.50.1
+
--- /dev/null
+From c5e552646706ef4eb4476554c6fc8b639b32ae31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 20:40:14 +0000
+Subject: Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 862c628108562d8c7a516a900034823b381d3cba ]
+
+syzbot reported the splat below without a repro.
+
+In the splat, a single thread calling bt_accept_dequeue() freed sk
+and touched it after that.
+
+The root cause would be the racy l2cap_sock_cleanup_listen() call
+added by the cited commit.
+
+bt_accept_dequeue() is called under lock_sock() except for
+l2cap_sock_release().
+
+Two threads could see the same socket during the list iteration
+in bt_accept_dequeue():
+
+ CPU1 CPU2 (close())
+ ---- ----
+ sock_hold(sk) sock_hold(sk);
+ lock_sock(sk) <-- block close()
+ sock_put(sk)
+ bt_accept_unlink(sk)
+ sock_put(sk) <-- refcnt by bt_accept_enqueue()
+ release_sock(sk)
+ lock_sock(sk)
+ sock_put(sk)
+ bt_accept_unlink(sk)
+ sock_put(sk) <-- last refcnt
+ bt_accept_unlink(sk) <-- UAF
+
+Depending on the timing, the other thread could show up in the
+"Freed by task" part.
+
+Let's call l2cap_sock_cleanup_listen() under lock_sock() in
+l2cap_sock_release().
+
+[0]:
+BUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
+BUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115
+Read of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995
+CPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xcd/0x630 mm/kasan/report.c:482
+ kasan_report+0xe0/0x110 mm/kasan/report.c:595
+ debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
+ do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115
+ spin_lock_bh include/linux/spinlock.h:356 [inline]
+ release_sock+0x21/0x220 net/core/sock.c:3746
+ bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312
+ l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451
+ l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425
+ __sock_release+0xb3/0x270 net/socket.c:649
+ sock_close+0x1c/0x30 net/socket.c:1439
+ __fput+0x3ff/0xb70 fs/file_table.c:468
+ task_work_run+0x14d/0x240 kernel/task_work.c:227
+ resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+ exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
+ exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
+ syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
+ syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
+ do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f2accf8ebe9
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
+RAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9
+RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
+RBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f
+R10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c
+R13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490
+ </TASK>
+
+Allocated by task 5326:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:68
+ poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
+ __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
+ kasan_kmalloc include/linux/kasan.h:260 [inline]
+ __do_kmalloc_node mm/slub.c:4365 [inline]
+ __kmalloc_noprof+0x223/0x510 mm/slub.c:4377
+ kmalloc_noprof include/linux/slab.h:909 [inline]
+ sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2239
+ sk_alloc+0x36/0xc20 net/core/sock.c:2295
+ bt_sock_alloc+0x3b/0x3a0 net/bluetooth/af_bluetooth.c:151
+ l2cap_sock_alloc.constprop.0+0x33/0x1d0 net/bluetooth/l2cap_sock.c:1894
+ l2cap_sock_new_connection_cb+0x101/0x240 net/bluetooth/l2cap_sock.c:1482
+ l2cap_connect_cfm+0x4c4/0xf80 net/bluetooth/l2cap_core.c:7287
+ hci_connect_cfm include/net/bluetooth/hci_core.h:2050 [inline]
+ hci_remote_features_evt+0x4dd/0x970 net/bluetooth/hci_event.c:3712
+ hci_event_func net/bluetooth/hci_event.c:7519 [inline]
+ hci_event_packet+0xa0d/0x11c0 net/bluetooth/hci_event.c:7573
+ hci_rx_work+0x2c5/0x16b0 net/bluetooth/hci_core.c:4071
+ process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
+ process_scheduled_works kernel/workqueue.c:3319 [inline]
+ worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
+ kthread+0x3c2/0x780 kernel/kthread.c:463
+ ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
+
+Freed by task 16995:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:68
+ kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
+ poison_slab_object mm/kasan/common.c:243 [inline]
+ __kasan_slab_free+0x60/0x70 mm/kasan/common.c:275
+ kasan_slab_free include/linux/kasan.h:233 [inline]
+ slab_free_hook mm/slub.c:2417 [inline]
+ slab_free mm/slub.c:4680 [inline]
+ kfree+0x2b4/0x4d0 mm/slub.c:4879
+ sk_prot_free net/core/sock.c:2278 [inline]
+ __sk_destruct+0x75f/0x9a0 net/core/sock.c:2373
+ sk_destruct+0xc2/0xf0 net/core/sock.c:2401
+ __sk_free+0xf4/0x3e0 net/core/sock.c:2412
+ sk_free+0x6a/0x90 net/core/sock.c:2423
+ sock_put include/net/sock.h:1960 [inline]
+ bt_accept_unlink+0x245/0x2e0 net/bluetooth/af_bluetooth.c:262
+ bt_accept_dequeue+0x517/0x600 net/bluetooth/af_bluetooth.c:308
+ l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451
+ l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425
+ __sock_release+0xb3/0x270 net/socket.c:649
+ sock_close+0x1c/0x30 net/socket.c:1439
+ __fput+0x3ff/0xb70 fs/file_table.c:468
+ task_work_run+0x14d/0x240 kernel/task_work.c:227
+ resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+ exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
+ exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
+ syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
+ syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
+ do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 1728137b33c0 ("Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb")
+Reported-by: syzbot+e5e64cdf8e92046dd3e1@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-bluetooth/68af6b9d.a70a0220.3cafd4.0032.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
+index 82d943c4cb505..05b7480970f72 100644
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1422,7 +1422,10 @@ static int l2cap_sock_release(struct socket *sock)
+ if (!sk)
+ return 0;
+
++ lock_sock_nested(sk, L2CAP_NESTING_PARENT);
+ l2cap_sock_cleanup_listen(sk);
++ release_sock(sk);
++
+ bt_sock_unlink(&l2cap_sk_list, sk);
+
+ err = l2cap_sock_shutdown(sock, SHUT_RDWR);
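Review bot: The new `lock_sock_nested(sk, L2CAP_NESTING_PARENT)` / `release_sock(sk)` pair around `l2cap_sock_cleanup_listen(sk)` has no comment saying what it protects, so a later cleanup could drop it and bring the race back. A short comment above the lock would keep the reason next to the code, for example `/* bt_accept_dequeue() walks the accept queue and must run with the listening socket locked, as its other callers do */`. The lock is released again before `bt_sock_unlink()` and `l2cap_sock_shutdown()`; whether anything can re-populate the accept queue in that window is not visible here and is worth confirming. The body of l2cap_sock_release() starts and ends outside this hunk.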
+--
+2.50.1
+
--- /dev/null
+From b9c4d984bc2df5ed128d0915438375554b0fa201 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 10:53:25 -0400
+Subject: Bluetooth: vhci: Prevent use-after-free by removing debugfs files
+ early
+
+From: Ivan Pravdin <ipravdin.official@gmail.com>
+
+[ Upstream commit 28010791193a4503f054e8d69a950ef815deb539 ]
+
+Move the creation of debugfs files into a dedicated function, and ensure
+they are explicitly removed during vhci_release(), before associated
+data structures are freed.
+
+Previously, debugfs files such as "force_suspend", "force_wakeup", and
+others were created under hdev->debugfs but not removed in
+vhci_release(). Since vhci_release() frees the backing vhci_data
+structure, any access to these files after release would result in
+use-after-free errors.
+
+Although hdev->debugfs is later freed in hci_release_dev(), user can
+access files after vhci_data is freed but before hdev->debugfs is
+released.
+
+Fixes: ab4e4380d4e1 ("Bluetooth: Add vhci devcoredump support")
+Signed-off-by: Ivan Pravdin <ipravdin.official@gmail.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_vhci.c | 57 ++++++++++++++++++++++++++----------
+ 1 file changed, 41 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
+index f7d8c3c00655a..2fef08254d78d 100644
+--- a/drivers/bluetooth/hci_vhci.c
++++ b/drivers/bluetooth/hci_vhci.c
+@@ -380,6 +380,28 @@ static const struct file_operations force_devcoredump_fops = {
+ .write = force_devcd_write,
+ };
+
++static void vhci_debugfs_init(struct vhci_data *data)
++{
++ struct hci_dev *hdev = data->hdev;
++
++ debugfs_create_file("force_suspend", 0644, hdev->debugfs, data,
++ &force_suspend_fops);
++
++ debugfs_create_file("force_wakeup", 0644, hdev->debugfs, data,
++ &force_wakeup_fops);
++
++ if (IS_ENABLED(CONFIG_BT_MSFTEXT))
++ debugfs_create_file("msft_opcode", 0644, hdev->debugfs, data,
++ &msft_opcode_fops);
++
++ if (IS_ENABLED(CONFIG_BT_AOSPEXT))
++ debugfs_create_file("aosp_capable", 0644, hdev->debugfs, data,
++ &aosp_capable_fops);
++
++ debugfs_create_file("force_devcoredump", 0644, hdev->debugfs, data,
++ &force_devcoredump_fops);
++}
++
+ static int __vhci_create_device(struct vhci_data *data, __u8 opcode)
+ {
+ struct hci_dev *hdev;
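Review bot: The file names created in `vhci_debugfs_init()` are listed a second time in `vhci_debugfs_remove()` (added in the hunk after `vhci_open()`), and nothing ties the two lists together. A file added later to the init function but not to the remove function would again outlive the `vhci_data` it points at, which is the use-after-free this change closes. Either drive both functions from one `static const` table of name/fops pairs, or at least add a comment above `vhci_debugfs_init()` such as `/* Every file created here holds a pointer to data; keep the list in step with vhci_debugfs_remove(). */`. The call sites in `__vhci_create_device()` and `vhci_release()` are in later hunks whose functions are only partly shown.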
+@@ -434,22 +456,8 @@ static int __vhci_create_device(struct vhci_data *data, __u8 opcode)
+ return -EBUSY;
+ }
+
+- debugfs_create_file("force_suspend", 0644, hdev->debugfs, data,
+- &force_suspend_fops);
+-
+- debugfs_create_file("force_wakeup", 0644, hdev->debugfs, data,
+- &force_wakeup_fops);
+-
+- if (IS_ENABLED(CONFIG_BT_MSFTEXT))
+- debugfs_create_file("msft_opcode", 0644, hdev->debugfs, data,
+- &msft_opcode_fops);
+-
+- if (IS_ENABLED(CONFIG_BT_AOSPEXT))
+- debugfs_create_file("aosp_capable", 0644, hdev->debugfs, data,
+- &aosp_capable_fops);
+-
+- debugfs_create_file("force_devcoredump", 0644, hdev->debugfs, data,
+- &force_devcoredump_fops);
++ if (!IS_ERR_OR_NULL(hdev->debugfs))
++ vhci_debugfs_init(data);
+
+ hci_skb_pkt_type(skb) = HCI_VENDOR_PKT;
+
+@@ -651,6 +659,21 @@ static int vhci_open(struct inode *inode, struct file *file)
+ return 0;
+ }
+
++static void vhci_debugfs_remove(struct hci_dev *hdev)
++{
++ debugfs_lookup_and_remove("force_suspend", hdev->debugfs);
++
++ debugfs_lookup_and_remove("force_wakeup", hdev->debugfs);
++
++ if (IS_ENABLED(CONFIG_BT_MSFTEXT))
++ debugfs_lookup_and_remove("msft_opcode", hdev->debugfs);
++
++ if (IS_ENABLED(CONFIG_BT_AOSPEXT))
++ debugfs_lookup_and_remove("aosp_capable", hdev->debugfs);
++
++ debugfs_lookup_and_remove("force_devcoredump", hdev->debugfs);
++}
++
+ static int vhci_release(struct inode *inode, struct file *file)
+ {
+ struct vhci_data *data = file->private_data;
+@@ -662,6 +685,8 @@ static int vhci_release(struct inode *inode, struct file *file)
+ hdev = data->hdev;
+
+ if (hdev) {
++ if (!IS_ERR_OR_NULL(hdev->debugfs))
++ vhci_debugfs_remove(hdev);
+ hci_unregister_dev(hdev);
+ hci_free_dev(hdev);
+ }
+--
+2.50.1
+
--- /dev/null
+From 515da162e6c0a22d5898c33f1ad5a4f8b575b56d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 23:23:27 -0700
+Subject: bnxt_en: fix incorrect page count in RX aggr ring log
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit 7000f4fa9b24ae2511b07babd0d49e888db5d265 ]
+
+The warning in bnxt_alloc_one_rx_ring_netmem() reports the number
+of pages allocated for the RX aggregation ring. However, it
+mistakenly used bp->rx_ring_size instead of bp->rx_agg_ring_size,
+leading to confusing or misleading log output.
+
+Use the correct bp->rx_agg_ring_size value to fix this.
+
+Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Michael Chan <michael.chan@broadcom.com>
+Reviewed-by: Somnath Kotur <somnath.kotur@broadcom.com>
+Link: https://patch.msgid.link/20250830062331.783783-1-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index cb76ab78904fc..d47c1d81c49b8 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -4390,7 +4390,7 @@ static void bnxt_alloc_one_rx_ring_netmem(struct bnxt *bp,
+ for (i = 0; i < bp->rx_agg_ring_size; i++) {
+ if (bnxt_alloc_rx_netmem(bp, rxr, prod, GFP_KERNEL)) {
+ netdev_warn(bp->dev, "init'ed rx ring %d with %d/%d pages only\n",
+- ring_nr, i, bp->rx_ring_size);
++ ring_nr, i, bp->rx_agg_ring_size);
+ break;
+ }
+ prod = NEXT_RX_AGG(prod);
+--
+2.50.1
+
--- /dev/null
+From 963c1288aed98d312e262c534f4dc44b26c46cbe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Aug 2025 20:18:58 +0800
+Subject: eth: mlx4: Fix IS_ERR() vs NULL check bug in mlx4_en_create_rx_ring
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit e580beaf43d563aaf457f1c7f934002355ebfe7b ]
+
+Replace NULL check with IS_ERR() check after calling page_pool_create()
+since this function returns error pointers (ERR_PTR).
+Using NULL check could lead to invalid pointer dereference.
+
+Fixes: 8533b14b3d65 ("eth: mlx4: create a page pool for Rx")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Link: https://patch.msgid.link/20250828121858.67639-1-linmq006@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/en_rx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx4/en_rx.c b/drivers/net/ethernet/mellanox/mlx4/en_rx.c
+index b33285d755b90..a626fd0d20735 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/en_rx.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_rx.c
+@@ -267,8 +267,10 @@ int mlx4_en_create_rx_ring(struct mlx4_en_priv *priv,
+ pp.dma_dir = priv->dma_dir;
+
+ ring->pp = page_pool_create(&pp);
+- if (!ring->pp)
++ if (IS_ERR(ring->pp)) {
++ err = PTR_ERR(ring->pp);
+ goto err_ring;
++ }
+
+ if (xdp_rxq_info_reg(&ring->xdp_rxq, priv->dev, queue_index, 0) < 0)
+ goto err_pp;
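Review bot: The `xdp_rxq_info_reg()` check right after the new block still discards that call's return value, so the `err_pp` path returns whatever `err` held earlier, while the page-pool failure now reports its real error code. Handling both calls the same way makes the failure reason visible to the caller: `err = xdp_rxq_info_reg(&ring->xdp_rxq, priv->dev, queue_index, 0);` followed by `if (err < 0) goto err_pp;`. The initial value of `err` and the `err_ring` / `err_pp` labels are outside this hunk, so confirm that `err_ring` does not test `ring->pp` against NULL now that it can hold an error pointer.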
+--
+2.50.1
+
--- /dev/null
+From 16b99db6dcb7778ff60c04777ea93f83b4fc5291 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 19:56:31 +0800
+Subject: i40e: Fix potential invalid access when MAC list is empty
+
+From: Zhen Ni <zhen.ni@easystack.cn>
+
+[ Upstream commit a556f06338e1d5a85af0e32ecb46e365547f92b9 ]
+
+list_first_entry() never returns NULL - if the list is empty, it still
+returns a pointer to an invalid object, leading to potential invalid
+memory access when dereferenced.
+
+Fix this by using list_first_entry_or_null instead of list_first_entry.
+
+Fixes: e3219ce6a775 ("i40e: Add support for client interface for IWARP driver")
+Signed-off-by: Zhen Ni <zhen.ni@easystack.cn>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_client.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_client.c b/drivers/net/ethernet/intel/i40e/i40e_client.c
+index 59263551c3838..0b099e5f48163 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_client.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_client.c
+@@ -359,8 +359,8 @@ static void i40e_client_add_instance(struct i40e_pf *pf)
+ if (i40e_client_get_params(vsi, &cdev->lan_info.params))
+ goto free_cdev;
+
+- mac = list_first_entry(&cdev->lan_info.netdev->dev_addrs.list,
+- struct netdev_hw_addr, list);
++ mac = list_first_entry_or_null(&cdev->lan_info.netdev->dev_addrs.list,
++ struct netdev_hw_addr, list);
+ if (mac)
+ ether_addr_copy(cdev->lan_info.lanmac, mac->addr);
+ else
+--
+2.50.1
+
--- /dev/null
+From 7353c3b4b184c4310909e123bf6a7e9a057f4b51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 17:14:37 -0700
+Subject: i40e: remove read access to debugfs files
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+[ Upstream commit 9fcdb1c3c4ba134434694c001dbff343f1ffa319 ]
+
+The 'command' and 'netdev_ops' debugfs files are a legacy debugging
+interface supported by the i40e driver since its early days by commit
+02e9c290814c ("i40e: debugfs interface").
+
+Both of these debugfs files provide a read handler which is mostly useless,
+and which is implemented with questionable logic. They both use a static
+256 byte buffer which is initialized to the empty string. In the case of
+the 'command' file this buffer is literally never used and simply wastes
+space. In the case of the 'netdev_ops' file, the last command written is
+saved here.
+
+On read, the files contents are presented as the name of the device
+followed by a colon and then the contents of their respective static
+buffer. For 'command' this will always be "<device>: ". For 'netdev_ops',
+this will be "<device>: <last command written>". But note the buffer is
+shared between all devices operated by this module. At best, it is mostly
+meaningless information, and at worse it could be accessed simultaneously
+as there doesn't appear to be any locking mechanism.
+
+We have also recently received multiple reports for both read functions
+about their use of snprintf and potential overflow that could result in
+reading arbitrary kernel memory. For the 'command' file, this is definitely
+impossible, since the static buffer is always zero and never written to.
+For the 'netdev_ops' file, it does appear to be possible, if the user
+carefully crafts the command input, it will be copied into the buffer,
+which could be large enough to cause snprintf to truncate, which then
+causes the copy_to_user to read beyond the length of the buffer allocated
+by kzalloc.
+
+A minimal fix would be to replace snprintf() with scnprintf() which would
+cap the return to the number of bytes written, preventing an overflow. A
+more involved fix would be to drop the mostly useless static buffers,
+saving 512 bytes and modifying the read functions to stop needing those as
+input.
+
+Instead, lets just completely drop the read access to these files. These
+are debug interfaces exposed as part of debugfs, and I don't believe that
+dropping read access will break any script, as the provided output is
+pretty useless. You can find the netdev name through other more standard
+interfaces, and the 'netdev_ops' interface can easily result in garbage if
+you issue simultaneous writes to multiple devices at once.
+
+In order to properly remove the i40e_dbg_netdev_ops_buf, we need to
+refactor its write function to avoid using the static buffer. Instead, use
+the same logic as the i40e_dbg_command_write, with an allocated buffer.
+Update the code to use this instead of the static buffer, and ensure we
+free the buffer on exit. This fixes simultaneous writes to 'netdev_ops' on
+multiple devices, and allows us to remove the now unused static buffer
+along with removing the read access.
+
+Fixes: 02e9c290814c ("i40e: debugfs interface")
+Reported-by: Kunwu Chan <chentao@kylinos.cn>
+Closes: https://lore.kernel.org/intel-wired-lan/20231208031950.47410-1-chentao@kylinos.cn/
+Reported-by: Wang Haoran <haoranwangsec@gmail.com>
+Closes: https://lore.kernel.org/all/CANZ3JQRRiOdtfQJoP9QM=6LS1Jto8PGBGw6y7-TL=BcnzHQn1Q@mail.gmail.com/
+Reported-by: Amir Mohammad Jahangirzad <a.jahangirzad@gmail.com>
+Closes: https://lore.kernel.org/all/20250722115017.206969-1-a.jahangirzad@gmail.com/
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Kunwu Chan <kunwu.chan@linux.dev>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/intel/i40e/i40e_debugfs.c | 123 +++---------------
+ 1 file changed, 19 insertions(+), 104 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_debugfs.c b/drivers/net/ethernet/intel/i40e/i40e_debugfs.c
+index 6cd9da662ae11..a5c794371dfe6 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_debugfs.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_debugfs.c
+@@ -40,48 +40,6 @@ static struct i40e_vsi *i40e_dbg_find_vsi(struct i40e_pf *pf, int seid)
+ * setup, adding or removing filters, or other things. Many of
+ * these will be useful for some forms of unit testing.
+ **************************************************************/
+-static char i40e_dbg_command_buf[256] = "";
+-
+-/**
+- * i40e_dbg_command_read - read for command datum
+- * @filp: the opened file
+- * @buffer: where to write the data for the user to read
+- * @count: the size of the user's buffer
+- * @ppos: file position offset
+- **/
+-static ssize_t i40e_dbg_command_read(struct file *filp, char __user *buffer,
+- size_t count, loff_t *ppos)
+-{
+- struct i40e_pf *pf = filp->private_data;
+- struct i40e_vsi *main_vsi;
+- int bytes_not_copied;
+- int buf_size = 256;
+- char *buf;
+- int len;
+-
+- /* don't allow partial reads */
+- if (*ppos != 0)
+- return 0;
+- if (count < buf_size)
+- return -ENOSPC;
+-
+- buf = kzalloc(buf_size, GFP_KERNEL);
+- if (!buf)
+- return -ENOSPC;
+-
+- main_vsi = i40e_pf_get_main_vsi(pf);
+- len = snprintf(buf, buf_size, "%s: %s\n", main_vsi->netdev->name,
+- i40e_dbg_command_buf);
+-
+- bytes_not_copied = copy_to_user(buffer, buf, len);
+- kfree(buf);
+-
+- if (bytes_not_copied)
+- return -EFAULT;
+-
+- *ppos = len;
+- return len;
+-}
+
+ static char *i40e_filter_state_string[] = {
+ "INVALID",
+@@ -1621,7 +1579,6 @@ static ssize_t i40e_dbg_command_write(struct file *filp,
+ static const struct file_operations i40e_dbg_command_fops = {
+ .owner = THIS_MODULE,
+ .open = simple_open,
+- .read = i40e_dbg_command_read,
+ .write = i40e_dbg_command_write,
+ };
+
+@@ -1630,48 +1587,6 @@ static const struct file_operations i40e_dbg_command_fops = {
+ * The netdev_ops entry in debugfs is for giving the driver commands
+ * to be executed from the netdev operations.
+ **************************************************************/
+-static char i40e_dbg_netdev_ops_buf[256] = "";
+-
+-/**
+- * i40e_dbg_netdev_ops_read - read for netdev_ops datum
+- * @filp: the opened file
+- * @buffer: where to write the data for the user to read
+- * @count: the size of the user's buffer
+- * @ppos: file position offset
+- **/
+-static ssize_t i40e_dbg_netdev_ops_read(struct file *filp, char __user *buffer,
+- size_t count, loff_t *ppos)
+-{
+- struct i40e_pf *pf = filp->private_data;
+- struct i40e_vsi *main_vsi;
+- int bytes_not_copied;
+- int buf_size = 256;
+- char *buf;
+- int len;
+-
+- /* don't allow partal reads */
+- if (*ppos != 0)
+- return 0;
+- if (count < buf_size)
+- return -ENOSPC;
+-
+- buf = kzalloc(buf_size, GFP_KERNEL);
+- if (!buf)
+- return -ENOSPC;
+-
+- main_vsi = i40e_pf_get_main_vsi(pf);
+- len = snprintf(buf, buf_size, "%s: %s\n", main_vsi->netdev->name,
+- i40e_dbg_netdev_ops_buf);
+-
+- bytes_not_copied = copy_to_user(buffer, buf, len);
+- kfree(buf);
+-
+- if (bytes_not_copied)
+- return -EFAULT;
+-
+- *ppos = len;
+- return len;
+-}
+
+ /**
+ * i40e_dbg_netdev_ops_write - write into netdev_ops datum
+@@ -1685,35 +1600,36 @@ static ssize_t i40e_dbg_netdev_ops_write(struct file *filp,
+ size_t count, loff_t *ppos)
+ {
+ struct i40e_pf *pf = filp->private_data;
++ char *cmd_buf, *buf_tmp;
+ int bytes_not_copied;
+ struct i40e_vsi *vsi;
+- char *buf_tmp;
+ int vsi_seid;
+ int i, cnt;
+
+ /* don't allow partial writes */
+ if (*ppos != 0)
+ return 0;
+- if (count >= sizeof(i40e_dbg_netdev_ops_buf))
+- return -ENOSPC;
+
+- memset(i40e_dbg_netdev_ops_buf, 0, sizeof(i40e_dbg_netdev_ops_buf));
+- bytes_not_copied = copy_from_user(i40e_dbg_netdev_ops_buf,
+- buffer, count);
+- if (bytes_not_copied)
++ cmd_buf = kzalloc(count + 1, GFP_KERNEL);
++ if (!cmd_buf)
++ return count;
++ bytes_not_copied = copy_from_user(cmd_buf, buffer, count);
++ if (bytes_not_copied) {
++ kfree(cmd_buf);
+ return -EFAULT;
+- i40e_dbg_netdev_ops_buf[count] = '\0';
++ }
++ cmd_buf[count] = '\0';
+
+- buf_tmp = strchr(i40e_dbg_netdev_ops_buf, '\n');
++ buf_tmp = strchr(cmd_buf, '\n');
+ if (buf_tmp) {
+ *buf_tmp = '\0';
+- count = buf_tmp - i40e_dbg_netdev_ops_buf + 1;
++ count = buf_tmp - cmd_buf + 1;
+ }
+
+- if (strncmp(i40e_dbg_netdev_ops_buf, "change_mtu", 10) == 0) {
++ if (strncmp(cmd_buf, "change_mtu", 10) == 0) {
+ int mtu;
+
+- cnt = sscanf(&i40e_dbg_netdev_ops_buf[11], "%i %i",
++ cnt = sscanf(&cmd_buf[11], "%i %i",
+ &vsi_seid, &mtu);
+ if (cnt != 2) {
+ dev_info(&pf->pdev->dev, "change_mtu <vsi_seid> <mtu>\n");
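Review bot: With the buffer now sized `count + 1`, the `change_mtu` branch still parses from `&cmd_buf[11]`, which is one byte past the allocation when the write is exactly the 10-byte keyword with no newline; the old zeroed 256-byte static buffer hid this. Parsing from the end of the keyword keeps the read inside the buffer, `cnt = sscanf(&cmd_buf[10], "%i %i", &vsi_seid, &mtu);`, since `%i` skips the separating blank. Separately, a failed `kzalloc()` returns `count`, which tells the writer the command was accepted; `return -ENOMEM;` reports the failure. The removed `-ENOSPC` check was also the only limit on `count`, so the allocation size is now chosen by the writer and an upper bound is worth keeping. The function body continues outside this hunk.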
+@@ -1735,8 +1651,8 @@ static ssize_t i40e_dbg_netdev_ops_write(struct file *filp,
+ dev_info(&pf->pdev->dev, "Could not acquire RTNL - please try again\n");
+ }
+
+- } else if (strncmp(i40e_dbg_netdev_ops_buf, "set_rx_mode", 11) == 0) {
+- cnt = sscanf(&i40e_dbg_netdev_ops_buf[11], "%i", &vsi_seid);
++ } else if (strncmp(cmd_buf, "set_rx_mode", 11) == 0) {
++ cnt = sscanf(&cmd_buf[11], "%i", &vsi_seid);
+ if (cnt != 1) {
+ dev_info(&pf->pdev->dev, "set_rx_mode <vsi_seid>\n");
+ goto netdev_ops_write_done;
+@@ -1756,8 +1672,8 @@ static ssize_t i40e_dbg_netdev_ops_write(struct file *filp,
+ dev_info(&pf->pdev->dev, "Could not acquire RTNL - please try again\n");
+ }
+
+- } else if (strncmp(i40e_dbg_netdev_ops_buf, "napi", 4) == 0) {
+- cnt = sscanf(&i40e_dbg_netdev_ops_buf[4], "%i", &vsi_seid);
++ } else if (strncmp(cmd_buf, "napi", 4) == 0) {
++ cnt = sscanf(&cmd_buf[4], "%i", &vsi_seid);
+ if (cnt != 1) {
+ dev_info(&pf->pdev->dev, "napi <vsi_seid>\n");
+ goto netdev_ops_write_done;
+@@ -1775,21 +1691,20 @@ static ssize_t i40e_dbg_netdev_ops_write(struct file *filp,
+ dev_info(&pf->pdev->dev, "napi called\n");
+ }
+ } else {
+- dev_info(&pf->pdev->dev, "unknown command '%s'\n",
+- i40e_dbg_netdev_ops_buf);
++ dev_info(&pf->pdev->dev, "unknown command '%s'\n", cmd_buf);
+ dev_info(&pf->pdev->dev, "available commands\n");
+ dev_info(&pf->pdev->dev, " change_mtu <vsi_seid> <mtu>\n");
+ dev_info(&pf->pdev->dev, " set_rx_mode <vsi_seid>\n");
+ dev_info(&pf->pdev->dev, " napi <vsi_seid>\n");
+ }
+ netdev_ops_write_done:
++ kfree(cmd_buf);
+ return count;
+ }
+
+ static const struct file_operations i40e_dbg_netdev_ops_fops = {
+ .owner = THIS_MODULE,
+ .open = simple_open,
+- .read = i40e_dbg_netdev_ops_read,
+ .write = i40e_dbg_netdev_ops_write,
+ };
+
+--
+2.50.1
+
--- /dev/null
+From 80f332fe3787a9f210136b73a691d1f1b4acb4b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Aug 2025 10:35:27 -0700
+Subject: ice: fix NULL access of tx->in_use in ice_ll_ts_intr
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+[ Upstream commit f6486338fde3f04ed0ec59fe67a69a208c32734f ]
+
+Recent versions of the E810 firmware have support for an extra interrupt to
+handle report of the "low latency" Tx timestamps coming from the
+specialized low latency firmware interface. Instead of polling the
+registers, software can wait until the low latency interrupt is fired.
+
+This logic makes use of the Tx timestamp tracking structure, ice_ptp_tx, as
+it uses the same "ready" bitmap to track which Tx timestamps complete.
+
+Unfortunately, the ice_ll_ts_intr() function does not check if the
+tracker is initialized before its first access. This results in NULL
+dereference or use-after-free bugs similar to the issues fixed in the
+ice_ptp_ts_irq() function.
+
+Fix this by only checking the in_use bitmap (and other fields) if the
+tracker is marked as initialized. The reset flow will clear the init field
+under lock before it tears the tracker down, thus preventing any
+use-after-free or NULL access.
+
+Fixes: 82e71b226e0e ("ice: Enable SW interrupt from FW for LL TS")
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index d42892c8c5a12..a34faa4894739 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -3172,12 +3172,14 @@ static irqreturn_t ice_ll_ts_intr(int __always_unused irq, void *data)
+ hw = &pf->hw;
+ tx = &pf->ptp.port.tx;
+ spin_lock_irqsave(&tx->lock, flags);
+- ice_ptp_complete_tx_single_tstamp(tx);
++ if (tx->init) {
++ ice_ptp_complete_tx_single_tstamp(tx);
+
+- idx = find_next_bit_wrap(tx->in_use, tx->len,
+- tx->last_ll_ts_idx_read + 1);
+- if (idx != tx->len)
+- ice_ptp_req_tx_single_tstamp(tx, idx);
++ idx = find_next_bit_wrap(tx->in_use, tx->len,
++ tx->last_ll_ts_idx_read + 1);
++ if (idx != tx->len)
++ ice_ptp_req_tx_single_tstamp(tx, idx);
++ }
+ spin_unlock_irqrestore(&tx->lock, flags);
+
+ val = GLINT_DYN_CTL_INTENA_M | GLINT_DYN_CTL_CLEARPBA_M |
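Review bot: The new `if (tx->init)` test carries no comment explaining why it has to sit inside the `tx->lock` section, and that ordering is the whole fix. A comment above it would record the contract the commit message describes, for example `/* init is cleared under tx->lock before the tracker is torn down; in_use and len are only valid while it is set */`. The same guarded `find_next_bit_wrap()` / `ice_ptp_req_tx_single_tstamp()` sequence is added to `ice_ptp_ts_irq()` in the following patch, so a small helper taking the locked tracker would keep the two interrupt paths from drifting apart. ice_ll_ts_intr() starts and ends outside this hunk.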
+--
+2.50.1
+
--- /dev/null
+From 0a3843c7568757dc80c3911da4af127a1a89125a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Aug 2025 10:35:26 -0700
+Subject: ice: fix NULL access of tx->in_use in ice_ptp_ts_irq
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+[ Upstream commit 403bf043d9340196e06769065169df7444b91f7a ]
+
+The E810 device has support for a "low latency" firmware interface to
+access and read the Tx timestamps. This interface does not use the standard
+Tx timestamp logic, due to the latency overhead of proxying sideband
+command requests over the firmware AdminQ.
+
+The logic still makes use of the Tx timestamp tracking structure,
+ice_ptp_tx, as it uses the same "ready" bitmap to track which Tx
+timestamps complete.
+
+Unfortunately, the ice_ptp_ts_irq() function does not check if the tracker
+is initialized before its first access. This results in NULL dereference or
+use-after-free bugs similar to the following:
+
+[245977.278756] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[245977.278774] RIP: 0010:_find_first_bit+0x19/0x40
+[245977.278796] Call Trace:
+[245977.278809] ? ice_misc_intr+0x364/0x380 [ice]
+
+This can occur if a Tx timestamp interrupt races with the driver reset
+logic.
+
+Fix this by only checking the in_use bitmap (and other fields) if the
+tracker is marked as initialized. The reset flow will clear the init field
+under lock before it tears the tracker down, thus preventing any
+use-after-free or NULL access.
+
+Fixes: f9472aaabd1f ("ice: Process TSYN IRQ in a separate function")
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_ptp.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_ptp.c b/drivers/net/ethernet/intel/ice/ice_ptp.c
+index 55cad824c5b9f..69e05bafb1e37 100644
+--- a/drivers/net/ethernet/intel/ice/ice_ptp.c
++++ b/drivers/net/ethernet/intel/ice/ice_ptp.c
+@@ -2877,16 +2877,19 @@ irqreturn_t ice_ptp_ts_irq(struct ice_pf *pf)
+ */
+ if (hw->dev_caps.ts_dev_info.ts_ll_int_read) {
+ struct ice_ptp_tx *tx = &pf->ptp.port.tx;
+- u8 idx;
++ u8 idx, last;
+
+ if (!ice_pf_state_is_nominal(pf))
+ return IRQ_HANDLED;
+
+ spin_lock(&tx->lock);
+- idx = find_next_bit_wrap(tx->in_use, tx->len,
+- tx->last_ll_ts_idx_read + 1);
+- if (idx != tx->len)
+- ice_ptp_req_tx_single_tstamp(tx, idx);
++ if (tx->init) {
++ last = tx->last_ll_ts_idx_read + 1;
++ idx = find_next_bit_wrap(tx->in_use, tx->len,
++ last);
++ if (idx != tx->len)
++ ice_ptp_req_tx_single_tstamp(tx, idx);
++ }
+ spin_unlock(&tx->lock);
+
+ return IRQ_HANDLED;
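Review bot: The new local `last` holds `tx->last_ll_ts_idx_read + 1`, which is the index the search starts from, so the name says the opposite of what it stores. `start` would be clearer, or the expression could stay inline in the `find_next_bit_wrap()` call as it was before. The `if (tx->init)` guard also deserves a comment, because its correctness depends on the reset path clearing `init` under the same lock, and that is stated only in the commit message: `/* init is cleared under tx->lock before the tracker is torn down */`. The body of ice_ptp_ts_irq() continues outside this hunk.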
+--
+2.50.1
+
--- /dev/null
+From c09c239e737c29a04537f72b8a4535a405a8cf1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Aug 2025 11:14:35 +0200
+Subject: icmp: fix icmp_ndo_send address translation for reply direction
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fabian Bläse <fabian@blaese.de>
+
+[ Upstream commit c6dd1aa2cbb72b33e0569f3e71d95792beab5042 ]
+
+The icmp_ndo_send function was originally introduced to ensure proper
+rate limiting when icmp_send is called by a network device driver,
+where the packet's source address may have already been transformed
+by SNAT.
+
+However, the original implementation only considers the
+IP_CT_DIR_ORIGINAL direction for SNAT and always replaced the packet's
+source address with that of the original-direction tuple. This causes
+two problems:
+
+1. For SNAT:
+ Reply-direction packets were incorrectly translated using the source
+ address of the CT original direction, even though no translation is
+ required.
+
+2. For DNAT:
+ Reply-direction packets were not handled at all. In DNAT, the original
+ direction's destination is translated. Therefore, in the reply
+ direction the source address must be set to the reply-direction
+ source, so rate limiting works as intended.
+
+Fix this by using the connection direction to select the correct tuple
+for source address translation, and adjust the pre-checks to handle
+reply-direction packets in case of DNAT.
+
+Additionally, wrap the `ct->status` access in READ_ONCE(). This avoids
+possible KCSAN reports about concurrent updates to `ct->status`.
+
+Fixes: 0b41713b6066 ("icmp: introduce helper for nat'd source address in network device context")
+Signed-off-by: Fabian Bläse <fabian@blaese.de>
+Cc: Jason A. Donenfeld <Jason@zx2c4.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/icmp.c | 6 ++++--
+ net/ipv6/ip6_icmp.c | 6 ++++--
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index 717cb7d3607a1..14beae97f81b3 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -797,11 +797,12 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info)
+ struct sk_buff *cloned_skb = NULL;
+ struct ip_options opts = { 0 };
+ enum ip_conntrack_info ctinfo;
++ enum ip_conntrack_dir dir;
+ struct nf_conn *ct;
+ __be32 orig_ip;
+
+ ct = nf_ct_get(skb_in, &ctinfo);
+- if (!ct || !(ct->status & IPS_SRC_NAT)) {
++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) {
+ __icmp_send(skb_in, type, code, info, &opts);
+ return;
+ }
+@@ -816,7 +817,8 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info)
+ goto out;
+
+ orig_ip = ip_hdr(skb_in)->saddr;
+- ip_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.ip;
++ dir = CTINFO2DIR(ctinfo);
++ ip_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.ip;
+ __icmp_send(skb_in, type, code, info, &opts);
+ ip_hdr(skb_in)->saddr = orig_ip;
+ out:
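Review bot: The reason for indexing `ct->tuplehash[]` by `dir` is not recorded next to `dir = CTINFO2DIR(ctinfo);`, so a later reader could mistake the old hard-coded `[0]` for the simpler and equally correct form. A comment such as `/* use the tuple of this packet's direction so rate limiting sees the untranslated source */` would keep the intent with the code. The same applies to the matching assignment in icmpv6_ndo_send() in net/ipv6/ip6_icmp.c. Both functions begin and end outside the hunks shown.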
+diff --git a/net/ipv6/ip6_icmp.c b/net/ipv6/ip6_icmp.c
+index 9e3574880cb03..233914b63bdb8 100644
+--- a/net/ipv6/ip6_icmp.c
++++ b/net/ipv6/ip6_icmp.c
+@@ -54,11 +54,12 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info)
+ struct inet6_skb_parm parm = { 0 };
+ struct sk_buff *cloned_skb = NULL;
+ enum ip_conntrack_info ctinfo;
++ enum ip_conntrack_dir dir;
+ struct in6_addr orig_ip;
+ struct nf_conn *ct;
+
+ ct = nf_ct_get(skb_in, &ctinfo);
+- if (!ct || !(ct->status & IPS_SRC_NAT)) {
++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) {
+ __icmpv6_send(skb_in, type, code, info, &parm);
+ return;
+ }
+@@ -73,7 +74,8 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info)
+ goto out;
+
+ orig_ip = ipv6_hdr(skb_in)->saddr;
+- ipv6_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.in6;
++ dir = CTINFO2DIR(ctinfo);
++ ipv6_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.in6;
+ __icmpv6_send(skb_in, type, code, info, &parm);
+ ipv6_hdr(skb_in)->saddr = orig_ip;
+ out:
+--
+2.50.1
+
--- /dev/null
+From 2756bbcc1f0ccc8be0d33f8e7778fffd711b3d2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 16:43:00 -0700
+Subject: idpf: set mac type when adding and removing MAC filters
+
+From: Emil Tantilov <emil.s.tantilov@intel.com>
+
+[ Upstream commit acf3a5c8be80fe238c1a7629db1c21c74a1f9dd4 ]
+
+On control planes that allow changing the MAC address of the interface,
+the driver must provide a MAC type to avoid errors such as:
+
+idpf 0000:0a:00.0: Transaction failed (op 535)
+idpf 0000:0a:00.0: Received invalid MAC filter payload (op 535) (len 0)
+idpf 0000:0a:00.0: Transaction failed (op 536)
+
+These errors occur during driver load or when changing the MAC via:
+ip link set <iface> address <mac>
+
+Add logic to set the MAC type when sending ADD/DEL (opcodes 535/536) to
+the control plane. Since only one primary MAC is supported per vport, the
+driver only needs to send an ADD opcode when setting it. Remove the old
+address by calling __idpf_del_mac_filter(), which skips the message and
+just clears the entry from the internal list. This avoids an error on DEL
+as it attempts to remove an address already cleared by the preceding ADD
+opcode.
+
+Fixes: ce1b75d0635c ("idpf: add ptypes and MAC filter support")
+Reported-by: Jian Liu <jianliu@redhat.com>
+Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Samuel Salin <Samuel.salin@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/idpf/idpf_lib.c | 9 ++++++---
+ drivers/net/ethernet/intel/idpf/idpf_virtchnl.c | 12 ++++++++++++
+ 2 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+index e9f8da9f7979b..5fc6147ecd93c 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+@@ -2277,6 +2277,7 @@ static int idpf_set_mac(struct net_device *netdev, void *p)
+ struct idpf_netdev_priv *np = netdev_priv(netdev);
+ struct idpf_vport_config *vport_config;
+ struct sockaddr *addr = p;
++ u8 old_mac_addr[ETH_ALEN];
+ struct idpf_vport *vport;
+ int err = 0;
+
+@@ -2300,17 +2301,19 @@ static int idpf_set_mac(struct net_device *netdev, void *p)
+ if (ether_addr_equal(netdev->dev_addr, addr->sa_data))
+ goto unlock_mutex;
+
++ ether_addr_copy(old_mac_addr, vport->default_mac_addr);
++ ether_addr_copy(vport->default_mac_addr, addr->sa_data);
+ vport_config = vport->adapter->vport_config[vport->idx];
+ err = idpf_add_mac_filter(vport, np, addr->sa_data, false);
+ if (err) {
+ __idpf_del_mac_filter(vport_config, addr->sa_data);
++ ether_addr_copy(vport->default_mac_addr, netdev->dev_addr);
+ goto unlock_mutex;
+ }
+
+- if (is_valid_ether_addr(vport->default_mac_addr))
+- idpf_del_mac_filter(vport, np, vport->default_mac_addr, false);
++ if (is_valid_ether_addr(old_mac_addr))
++ __idpf_del_mac_filter(vport_config, old_mac_addr);
+
+- ether_addr_copy(vport->default_mac_addr, addr->sa_data);
+ eth_hw_addr_set(netdev, addr->sa_data);
+
+ unlock_mutex:
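Review bot: The error path after `idpf_add_mac_filter()` restores `vport->default_mac_addr` from `netdev->dev_addr`, although the previous value was saved in `old_mac_addr` a few lines earlier. If the two can ever differ (not visible in this hunk), the rollback leaves a different address from the one that was there before. idpf_set_mac_type() would then classify later filter messages against that address. Restoring from the saved copy avoids the question: `ether_addr_copy(vport->default_mac_addr, old_mac_addr);`. idpf_set_mac() starts before and ends after this hunk.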
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
+index 24febaaa8fbb8..cb9a27307670e 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
+@@ -3507,6 +3507,16 @@ u32 idpf_get_vport_id(struct idpf_vport *vport)
+ return le32_to_cpu(vport_msg->vport_id);
+ }
+
++static void idpf_set_mac_type(struct idpf_vport *vport,
++ struct virtchnl2_mac_addr *mac_addr)
++{
++ bool is_primary;
++
++ is_primary = ether_addr_equal(vport->default_mac_addr, mac_addr->addr);
++ mac_addr->type = is_primary ? VIRTCHNL2_MAC_ADDR_PRIMARY :
++ VIRTCHNL2_MAC_ADDR_EXTRA;
++}
++
+ /**
+ * idpf_mac_filter_async_handler - Async callback for mac filters
+ * @adapter: private data struct
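Review bot: idpf_set_mac_type() is added without a kernel-doc header, while the function directly below it in this hunk (idpf_mac_filter_async_handler) has one. The header should name `@vport` and `@mac_addr` and state that the type is VIRTCHNL2_MAC_ADDR_PRIMARY only when the address equals `vport->default_mac_addr`, and VIRTCHNL2_MAC_ADDR_EXTRA otherwise. It should also say that callers must update `default_mac_addr` before the ADD message is built, since idpf_set_mac() in idpf_lib.c now relies on that ordering.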
+@@ -3636,6 +3646,7 @@ int idpf_add_del_mac_filters(struct idpf_vport *vport,
+ list) {
+ if (add && f->add) {
+ ether_addr_copy(mac_addr[i].addr, f->macaddr);
++ idpf_set_mac_type(vport, &mac_addr[i]);
+ i++;
+ f->add = false;
+ if (i == total_filters)
+@@ -3643,6 +3654,7 @@ int idpf_add_del_mac_filters(struct idpf_vport *vport,
+ }
+ if (!add && f->remove) {
+ ether_addr_copy(mac_addr[i].addr, f->macaddr);
++ idpf_set_mac_type(vport, &mac_addr[i]);
+ i++;
+ f->remove = false;
+ if (i == total_filters)
+--
+2.50.1
+
--- /dev/null
+From fee0706be4bbb979013e394f8115faa8291d5697 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Sep 2025 09:36:08 +0300
+Subject: ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit a51160f8da850a65afbf165f5bbac7ffb388bf74 ]
+
+The inetdev_init() function never returns NULL. Check for error
+pointers instead.
+
+Fixes: 22600596b675 ("ipv4: give an IPv4 dev to blackhole_netdev")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/aLaQWL9NguWmeM1i@stanley.mountain
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/devinet.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
+index c47d3828d4f65..942a887bf0893 100644
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -340,14 +340,13 @@ static void inetdev_destroy(struct in_device *in_dev)
+
+ static int __init inet_blackhole_dev_init(void)
+ {
+- int err = 0;
++ struct in_device *in_dev;
+
+ rtnl_lock();
+- if (!inetdev_init(blackhole_netdev))
+- err = -ENOMEM;
++ in_dev = inetdev_init(blackhole_netdev);
+ rtnl_unlock();
+
+- return err;
++ return PTR_ERR_OR_ZERO(in_dev);
+ }
+ late_initcall(inet_blackhole_dev_init);
+
+--
+2.50.1
+
--- /dev/null
+From eea5372ed6b5500487b55d42889d53d72c3bfe9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 10 Aug 2025 10:01:14 -0700
+Subject: ixgbe: fix incorrect map used in eee linkmode
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit b7e5c3e3bfa9dc8af75ff6d8633ad7070e1985e4 ]
+
+incorrectly used ixgbe_lp_map in loops intended to populate the
+supported and advertised EEE linkmode bitmaps based on ixgbe_ls_map.
+This results in incorrect bit setting and potential out-of-bounds
+access, since ixgbe_lp_map and ixgbe_ls_map have different sizes
+and purposes.
+
+ixgbe_lp_map[i] -> ixgbe_ls_map[i]
+
+Use ixgbe_ls_map for supported and advertised linkmodes, and keep
+ixgbe_lp_map usage only for link partner (lp_advertised) mapping.
+
+Fixes: 9356b6db9d05 ("net: ethernet: ixgbe: Convert EEE to use linkmodes")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
+index d8a919ab7027a..05a1f9f5914fd 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
+@@ -3565,13 +3565,13 @@ ixgbe_get_eee_fw(struct ixgbe_adapter *adapter, struct ethtool_keee *edata)
+
+ for (i = 0; i < ARRAY_SIZE(ixgbe_ls_map); ++i) {
+ if (hw->phy.eee_speeds_supported & ixgbe_ls_map[i].mac_speed)
+- linkmode_set_bit(ixgbe_lp_map[i].link_mode,
++ linkmode_set_bit(ixgbe_ls_map[i].link_mode,
+ edata->supported);
+ }
+
+ for (i = 0; i < ARRAY_SIZE(ixgbe_ls_map); ++i) {
+ if (hw->phy.eee_speeds_advertised & ixgbe_ls_map[i].mac_speed)
+- linkmode_set_bit(ixgbe_lp_map[i].link_mode,
++ linkmode_set_bit(ixgbe_ls_map[i].link_mode,
+ edata->advertised);
+ }
+
+--
+2.50.1
+
--- /dev/null
+From e1badcd606cd5d3c9ec721e98bf449740311a775 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 20:55:40 +0200
+Subject: macsec: read MACSEC_SA_ATTR_PN with nla_get_uint
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 030e1c45666629f72d0fc1d040f9d2915680de8e ]
+
+The code currently reads both U32 attributes and U64 attributes as
+U64, so when a U32 attribute is provided by userspace (ie, when not
+using XPN), on big endian systems, we'll load that value into the
+upper 32bits of the next_pn field instead of the lower 32bits. This
+means that the value that userspace provided is ignored (we only care
+about the lower 32bits for non-XPN), and we'll start using PNs from 0.
+
+Switch to nla_get_uint, which will read the value correctly on all
+arches, whether it's 32b or 64b.
+
+Fixes: 48ef50fa866a ("macsec: Netlink support of XPN cipher suites (IEEE 802.1AEbw)")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/1c1df1661b89238caf5beefb84a10ebfd56c66ea.1756459839.git.sd@queasysnail.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macsec.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index 4c75d1fea5527..01329fe7451a1 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -1844,7 +1844,7 @@ static int macsec_add_rxsa(struct sk_buff *skb, struct genl_info *info)
+
+ if (tb_sa[MACSEC_SA_ATTR_PN]) {
+ spin_lock_bh(&rx_sa->lock);
+- rx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]);
++ rx_sa->next_pn = nla_get_uint(tb_sa[MACSEC_SA_ATTR_PN]);
+ spin_unlock_bh(&rx_sa->lock);
+ }
+
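Review bot: `nla_get_uint()` chooses between a 32-bit and a 64-bit read from the attribute's length, so the assignment to `rx_sa->next_pn` is correct only if the length of `MACSEC_SA_ATTR_PN` has already been checked to be one of those two sizes. That check is not visible in this hunk. Assuming it sits earlier in the function, a short comment at the call, e.g. `/* PN length validated above: 4 bytes, or 8 with XPN */`, would tie the read to the validation it depends on. The same applies to the three other call sites changed in macsec_add_txsa(), macsec_upd_txsa() and macsec_upd_rxsa(). All four functions extend beyond their hunks.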
+@@ -2086,7 +2086,7 @@ static int macsec_add_txsa(struct sk_buff *skb, struct genl_info *info)
+ }
+
+ spin_lock_bh(&tx_sa->lock);
+- tx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]);
++ tx_sa->next_pn = nla_get_uint(tb_sa[MACSEC_SA_ATTR_PN]);
+ spin_unlock_bh(&tx_sa->lock);
+
+ if (tb_sa[MACSEC_SA_ATTR_ACTIVE])
+@@ -2398,7 +2398,7 @@ static int macsec_upd_txsa(struct sk_buff *skb, struct genl_info *info)
+
+ spin_lock_bh(&tx_sa->lock);
+ prev_pn = tx_sa->next_pn_halves;
+- tx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]);
++ tx_sa->next_pn = nla_get_uint(tb_sa[MACSEC_SA_ATTR_PN]);
+ spin_unlock_bh(&tx_sa->lock);
+ }
+
+@@ -2496,7 +2496,7 @@ static int macsec_upd_rxsa(struct sk_buff *skb, struct genl_info *info)
+
+ spin_lock_bh(&rx_sa->lock);
+ prev_pn = rx_sa->next_pn_halves;
+- rx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]);
++ rx_sa->next_pn = nla_get_uint(tb_sa[MACSEC_SA_ATTR_PN]);
+ spin_unlock_bh(&rx_sa->lock);
+ }
+
+--
+2.50.1
+
--- /dev/null
+From 4ab93f8ef85d52b62d9aaf8120154238acd2b9ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Sep 2025 03:20:55 -0700
+Subject: mctp: return -ENOPROTOOPT for unknown getsockopt options
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit a125c8fb9ddbcb0602103a50727a476fd30dec01 ]
+
+In mctp_getsockopt(), unrecognized options currently return -EINVAL.
+In contrast, mctp_setsockopt() returns -ENOPROTOOPT for unknown
+options.
+
+Update mctp_getsockopt() to also return -ENOPROTOOPT for unknown
+options. This aligns the behavior of getsockopt() and setsockopt(),
+and matches the standard kernel socket API convention for handling
+unsupported options.
+
+Fixes: 99ce45d5e7db ("mctp: Implement extended addressing")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://patch.msgid.link/20250902102059.1370008-1-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mctp/af_mctp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mctp/af_mctp.c b/net/mctp/af_mctp.c
+index 9d5db3feedec5..4dee06171361e 100644
+--- a/net/mctp/af_mctp.c
++++ b/net/mctp/af_mctp.c
+@@ -346,7 +346,7 @@ static int mctp_getsockopt(struct socket *sock, int level, int optname,
+ return 0;
+ }
+
+- return -EINVAL;
++ return -ENOPROTOOPT;
+ }
+
+ /* helpers for reading/writing the tag ioc, handling compatibility across the
+--
+2.50.1
+
--- /dev/null
+From eee74822a54e5285963d825d574bd9bec5ff1a73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Aug 2025 16:14:57 +0800
+Subject: mISDN: Fix memory leak in dsp_hwec_enable()
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 0704a3da7ce50f972e898bbda88d2692a22922d9 ]
+
+dsp_hwec_enable() allocates dup pointer by kstrdup(arg),
+but then it updates dup variable by strsep(&dup, ",").
+As a result when it calls kfree(dup), the dup variable may be
+a modified pointer that no longer points to the original allocated
+memory, causing a memory leak.
+
+The issue is the same pattern as fixed in commit c6a502c22999
+("mISDN: Fix memory leak in dsp_pipeline_build()").
+
+Fixes: 9a4381618262 ("mISDN: Remove VLAs")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250828081457.36061-1-linmq006@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/mISDN/dsp_hwec.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/isdn/mISDN/dsp_hwec.c b/drivers/isdn/mISDN/dsp_hwec.c
+index 0b3f29195330a..0cd216e28f009 100644
+--- a/drivers/isdn/mISDN/dsp_hwec.c
++++ b/drivers/isdn/mISDN/dsp_hwec.c
+@@ -51,14 +51,14 @@ void dsp_hwec_enable(struct dsp *dsp, const char *arg)
+ goto _do;
+
+ {
+- char *dup, *tok, *name, *val;
++ char *dup, *next, *tok, *name, *val;
+ int tmp;
+
+- dup = kstrdup(arg, GFP_ATOMIC);
++ dup = next = kstrdup(arg, GFP_ATOMIC);
+ if (!dup)
+ return;
+
+- while ((tok = strsep(&dup, ","))) {
++ while ((tok = strsep(&next, ","))) {
+ if (!strlen(tok))
+ continue;
+ name = strsep(&tok, "=");
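Review bot: `dup = next = kstrdup(arg, GFP_ATOMIC);` is a chained assignment, which kernel coding style (and checkpatch) discourages. Putting `next = dup;` on its own line after the `if (!dup) return;` check reads more plainly and shows that `dup` is kept only so the original pointer can be freed later. The block continues past the end of this hunk, so the `kfree()` itself is not visible here.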
+--
+2.50.1
+
--- /dev/null
+From 61c9a2d998c6da886a0f43e63f08ddd4e3dadfb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Sep 2025 14:35:37 +0800
+Subject: net: atm: fix memory leak in atm_register_sysfs when device_register
+ fail
+
+From: Wang Liang <wangliang74@huawei.com>
+
+[ Upstream commit 0a228624bcc00af41f281a2a84c928595a74c17d ]
+
+When device_register() return error in atm_register_sysfs(), which can be
+triggered by kzalloc fail in device_private_init() or other reasons,
+kmemleak reports the following memory leaks:
+
+unreferenced object 0xffff88810182fb80 (size 8):
+ comm "insmod", pid 504, jiffies 4294852464
+ hex dump (first 8 bytes):
+ 61 64 75 6d 6d 79 30 00 adummy0.
+ backtrace (crc 14dfadaf):
+ __kmalloc_node_track_caller_noprof+0x335/0x450
+ kvasprintf+0xb3/0x130
+ kobject_set_name_vargs+0x45/0x120
+ dev_set_name+0xa9/0xe0
+ atm_register_sysfs+0xf3/0x220
+ atm_dev_register+0x40b/0x780
+ 0xffffffffa000b089
+ do_one_initcall+0x89/0x300
+ do_init_module+0x27b/0x7d0
+ load_module+0x54cd/0x5ff0
+ init_module_from_file+0xe4/0x150
+ idempotent_init_module+0x32c/0x610
+ __x64_sys_finit_module+0xbd/0x120
+ do_syscall_64+0xa8/0x270
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+When device_create_file() return error in atm_register_sysfs(), the same
+issue also can be triggered.
+
+Function put_device() should be called to release kobj->name memory and
+other device resource, instead of kfree().
+
+Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
+Signed-off-by: Wang Liang <wangliang74@huawei.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250901063537.1472221-1-wangliang74@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/atm/resources.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/atm/resources.c b/net/atm/resources.c
+index b19d851e1f443..7c6fdedbcf4e5 100644
+--- a/net/atm/resources.c
++++ b/net/atm/resources.c
+@@ -112,7 +112,9 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent,
+
+ if (atm_proc_dev_register(dev) < 0) {
+ pr_err("atm_proc_dev_register failed for dev %s\n", type);
+- goto out_fail;
++ mutex_unlock(&atm_dev_mutex);
++ kfree(dev);
++ return NULL;
+ }
+
+ if (atm_register_sysfs(dev, parent) < 0) {
+@@ -128,7 +130,7 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent,
+ return dev;
+
+ out_fail:
+- kfree(dev);
++ put_device(&dev->class_dev);
+ dev = NULL;
+ goto out;
+ }
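Review bot: After this change `out_fail:` calls `put_device(&dev->class_dev)`, which is valid only once the embedded device has been initialised, and the label gives no hint of that precondition. The atm_proc_dev_register() failure path in the previous hunk was moved off the label for this reason. A comment would stop a future `goto out_fail` from being added before atm_register_sysfs(): `/* only valid after atm_register_sysfs() has run; earlier failures must kfree(dev) */`. That atm_register_sysfs() always initialises the device before it can fail is inferred from the commit message, not from these hunks. atm_dev_register() begins outside the hunk.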
+--
+2.50.1
+
--- /dev/null
+From ae84c62165609e55a10d5dfff72a78117b7c425c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Aug 2025 20:20:07 +0200
+Subject: net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit d4736737110ffa83d29f1c5d17b26113864205f6 ]
+
+When sending llc packets with vlan tx offload, the hardware fails to
+actually add the tag. Deal with this by fixing it up in software.
+
+Fixes: 656e705243fd ("net-next: mediatek: add support for MT7623 ethernet")
+Reported-by: Thibaut VARENE <hacks@slashdirt.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250831182007.51619-1-nbd@nbd.name
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index b38e4f2de6748..880f27ca84d42 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -1737,6 +1737,13 @@ static netdev_tx_t mtk_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ bool gso = false;
+ int tx_num;
+
++ if (skb_vlan_tag_present(skb) &&
++ !eth_proto_is_802_3(eth_hdr(skb)->h_proto)) {
++ skb = __vlan_hwaccel_push_inside(skb);
++ if (!skb)
++ goto dropped;
++ }
++
+ /* normally we can rely on the stack not calling this more than once,
+ * however we have 2 queues running on the same ring so we need to lock
+ * the ring access
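Review bot: The `goto dropped;` after `__vlan_hwaccel_push_inside()` skips `dev_kfree_skb_any()`, which is correct only because that helper frees the skb itself when it returns NULL. Nothing in the code says so. A comment on the branch, e.g. `/* skb was already freed by __vlan_hwaccel_push_inside() */`, would keep a later change from adding the "missing" free and creating a double free. The labels `drop` and `dropped` in the following hunk are also easy to confuse, and a name like `count_drop` for the new one would help. mtk_start_xmit() extends beyond both hunks.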
+@@ -1782,8 +1789,9 @@ static netdev_tx_t mtk_start_xmit(struct sk_buff *skb, struct net_device *dev)
+
+ drop:
+ spin_unlock(ð->page_lock);
+- stats->tx_dropped++;
+ dev_kfree_skb_any(skb);
++dropped:
++ stats->tx_dropped++;
+ return NETDEV_TX_OK;
+ }
+
+--
+2.50.1
+
--- /dev/null
+From 0cbe0bb3f924599f449c2d799aa71aa7ebc9ac8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 17:40:51 +0530
+Subject: net: ethernet: ti: am65-cpsw-nuss: Fix null pointer dereference for
+ ndev
+
+From: Nishanth Menon <nm@ti.com>
+
+[ Upstream commit a6099f263e1f408bcc7913c9df24b0677164fc5d ]
+
+In the TX completion packet stage of TI SoCs with CPSW2G instance, which
+has single external ethernet port, ndev is accessed without being
+initialized if no TX packets have been processed. It results into null
+pointer dereference, causing kernel to crash. Fix this by having a check
+on the number of TX packets which have been processed.
+
+Fixes: 9a369ae3d143 ("net: ethernet: ti: am65-cpsw: remove am65_cpsw_nuss_tx_compl_packets_2g()")
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Signed-off-by: Chintan Vankar <c-vankar@ti.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250829121051.2031832-1-c-vankar@ti.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ti/am65-cpsw-nuss.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/ethernet/ti/am65-cpsw-nuss.c
+index 231ca141331f5..dbdbc40109c51 100644
+--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c
++++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c
+@@ -1522,7 +1522,7 @@ static int am65_cpsw_nuss_tx_compl_packets(struct am65_cpsw_common *common,
+ }
+ }
+
+- if (single_port) {
++ if (single_port && num_tx) {
+ netif_txq = netdev_get_tx_queue(ndev, chn);
+ netdev_tx_completed_queue(netif_txq, num_tx, total_bytes);
+ am65_cpsw_nuss_tx_wake(tx_chn, ndev, netif_txq);
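Review bot: The added `num_tx` test protects `ndev` only indirectly. It relies on `ndev` having been assigned whenever at least one packet was processed, and that assignment is outside this hunk. A comment at the condition would record the link, e.g. `/* ndev is only set once a TX packet has been processed */`. The function starts and ends outside the hunk.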
+--
+2.50.1
+
--- /dev/null
+From 7e7e7f7bd5eb1701c44ea1febac0721d8f186f68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Sep 2025 18:36:03 +0000
+Subject: net: lockless sock_i_ino()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 5d6b58c932ec451a5c41482790eb5b1ecf165a94 ]
+
+Followup of commit c51da3f7a161 ("net: remove sock_i_uid()")
+
+A recent syzbot report was the trigger for this change.
+
+Over the years, we had many problems caused by the
+read_lock[_bh](&sk->sk_callback_lock) in sock_i_uid().
+
+We could fix smc_diag_dump_proto() or make a more radical move:
+
+Instead of waiting for new syzbot reports, cache the socket
+inode number in sk->sk_ino, so that we no longer
+need to acquire sk->sk_callback_lock in sock_i_ino().
+
+This makes socket dumps faster (one less cache line miss,
+and two atomic ops avoided).
+
+Prior art:
+
+commit 25a9c8a4431c ("netlink: Add __sock_i_ino() for __netlink_diag_dump().")
+commit 4f9bf2a2f5aa ("tcp: Don't acquire inet_listen_hashbucket::lock with disabled BH.")
+commit efc3dbc37412 ("rds: Make rds_sock_lock BH rather than IRQ safe.")
+
+Fixes: d2d6422f8bd1 ("x86: Allow to enable PREEMPT_RT.")
+Reported-by: syzbot+50603c05bbdf4dfdaffa@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/68b73804.050a0220.3db4df.01d8.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Link: https://patch.msgid.link/20250902183603.740428-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sock.h | 17 +++++++++++++----
+ net/core/sock.c | 22 ----------------------
+ net/mptcp/protocol.c | 1 -
+ net/netlink/diag.c | 2 +-
+ 4 files changed, 14 insertions(+), 28 deletions(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index da644ab5ae7f4..a348ae145eda4 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -285,6 +285,7 @@ struct sk_filter;
+ * @sk_ack_backlog: current listen backlog
+ * @sk_max_ack_backlog: listen backlog set in listen()
+ * @sk_uid: user id of owner
++ * @sk_ino: inode number (zero if orphaned)
+ * @sk_prefer_busy_poll: prefer busypolling over softirq processing
+ * @sk_busy_poll_budget: napi processing budget when busypolling
+ * @sk_priority: %SO_PRIORITY setting
+@@ -518,6 +519,7 @@ struct sock {
+ u32 sk_ack_backlog;
+ u32 sk_max_ack_backlog;
+ kuid_t sk_uid;
++ unsigned long sk_ino;
+ spinlock_t sk_peer_lock;
+ int sk_bind_phc;
+ struct pid *sk_peer_pid;
+@@ -2056,6 +2058,10 @@ static inline int sk_rx_queue_get(const struct sock *sk)
+ static inline void sk_set_socket(struct sock *sk, struct socket *sock)
+ {
+ sk->sk_socket = sock;
++ if (sock) {
++ WRITE_ONCE(sk->sk_uid, SOCK_INODE(sock)->i_uid);
++ WRITE_ONCE(sk->sk_ino, SOCK_INODE(sock)->i_ino);
++ }
+ }
+
+ static inline wait_queue_head_t *sk_sleep(struct sock *sk)
+@@ -2077,6 +2083,7 @@ static inline void sock_orphan(struct sock *sk)
+ sk_set_socket(sk, NULL);
+ sk->sk_wq = NULL;
+ /* Note: sk_uid is unchanged. */
++ WRITE_ONCE(sk->sk_ino, 0);
+ write_unlock_bh(&sk->sk_callback_lock);
+ }
+
+@@ -2087,20 +2094,22 @@ static inline void sock_graft(struct sock *sk, struct socket *parent)
+ rcu_assign_pointer(sk->sk_wq, &parent->wq);
+ parent->sk = sk;
+ sk_set_socket(sk, parent);
+- WRITE_ONCE(sk->sk_uid, SOCK_INODE(parent)->i_uid);
+ security_sock_graft(sk, parent);
+ write_unlock_bh(&sk->sk_callback_lock);
+ }
+
++static inline unsigned long sock_i_ino(const struct sock *sk)
++{
++ /* Paired with WRITE_ONCE() in sock_graft() and sock_orphan() */
++ return READ_ONCE(sk->sk_ino);
++}
++
+ static inline kuid_t sk_uid(const struct sock *sk)
+ {
+ /* Paired with WRITE_ONCE() in sockfs_setattr() */
+ return READ_ONCE(sk->sk_uid);
+ }
+
+-unsigned long __sock_i_ino(struct sock *sk);
+-unsigned long sock_i_ino(struct sock *sk);
+-
+ static inline kuid_t sock_net_uid(const struct net *net, const struct sock *sk)
+ {
+ return sk ? sk_uid(sk) : make_kuid(net->user_ns, 0);
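Review bot: The comment in the new sock_i_ino() says the READ_ONCE() pairs with WRITE_ONCE() in sock_graft() and sock_orphan(), but the write to `sk->sk_ino` is in sk_set_socket(). sock_graft() reaches it only through that call, as does any other caller passing a non-NULL socket. Suggested wording: `/* Paired with WRITE_ONCE() in sk_set_socket() and sock_orphan() */`. The existing sk_uid() comment names only sockfs_setattr(), although sk_set_socket() now writes `sk_uid` as well, so it could be extended in the same way.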
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 1689eaf42f25b..10c1df62338be 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2788,28 +2788,6 @@ void sock_pfree(struct sk_buff *skb)
+ EXPORT_SYMBOL(sock_pfree);
+ #endif /* CONFIG_INET */
+
+-unsigned long __sock_i_ino(struct sock *sk)
+-{
+- unsigned long ino;
+-
+- read_lock(&sk->sk_callback_lock);
+- ino = sk->sk_socket ? SOCK_INODE(sk->sk_socket)->i_ino : 0;
+- read_unlock(&sk->sk_callback_lock);
+- return ino;
+-}
+-EXPORT_SYMBOL(__sock_i_ino);
+-
+-unsigned long sock_i_ino(struct sock *sk)
+-{
+- unsigned long ino;
+-
+- local_bh_disable();
+- ino = __sock_i_ino(sk);
+- local_bh_enable();
+- return ino;
+-}
+-EXPORT_SYMBOL(sock_i_ino);
+-
+ /*
+ * Allocate a skb from the socket's send buffer.
+ */
+diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
+index 76cb699885b38..1063c53850c05 100644
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -3537,7 +3537,6 @@ void mptcp_sock_graft(struct sock *sk, struct socket *parent)
+ write_lock_bh(&sk->sk_callback_lock);
+ rcu_assign_pointer(sk->sk_wq, &parent->wq);
+ sk_set_socket(sk, parent);
+- WRITE_ONCE(sk->sk_uid, SOCK_INODE(parent)->i_uid);
+ write_unlock_bh(&sk->sk_callback_lock);
+ }
+
+diff --git a/net/netlink/diag.c b/net/netlink/diag.c
+index 61981e01fd6ff..b8e58132e8af1 100644
+--- a/net/netlink/diag.c
++++ b/net/netlink/diag.c
+@@ -168,7 +168,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb,
+ NETLINK_CB(cb->skb).portid,
+ cb->nlh->nlmsg_seq,
+ NLM_F_MULTI,
+- __sock_i_ino(sk)) < 0) {
++ sock_i_ino(sk)) < 0) {
+ ret = 1;
+ break;
+ }
+--
+2.50.1
+
--- /dev/null
+From 27022b2874b8f85ca2cdb3c437abf7d92089569f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 10:35:21 -0400
+Subject: net: macb: Fix tx_ptr_lock locking
+
+From: Sean Anderson <sean.anderson@linux.dev>
+
+[ Upstream commit 6bc8a5098bf4a365c4086a4a4130bfab10a58260 ]
+
+macb_start_xmit and macb_tx_poll can be called with bottom-halves
+disabled (e.g. from softirq) as well as with interrupts disabled (with
+netpoll). Because of this, all other functions taking tx_ptr_lock must
+use spin_lock_irqsave.
+
+Fixes: 138badbc21a0 ("net: macb: use NAPI for TX completion path")
+Reported-by: Mike Galbraith <efault@gmx.de>
+Signed-off-by: Sean Anderson <sean.anderson@linux.dev>
+Link: https://patch.msgid.link/20250829143521.1686062-1-sean.anderson@linux.dev
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 28 ++++++++++++++----------
+ 1 file changed, 16 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index d949d2ba6cb9f..f5d7556afb97e 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -1223,12 +1223,13 @@ static int macb_tx_complete(struct macb_queue *queue, int budget)
+ {
+ struct macb *bp = queue->bp;
+ u16 queue_index = queue - bp->queues;
++ unsigned long flags;
+ unsigned int tail;
+ unsigned int head;
+ int packets = 0;
+ u32 bytes = 0;
+
+- spin_lock(&queue->tx_ptr_lock);
++ spin_lock_irqsave(&queue->tx_ptr_lock, flags);
+ head = queue->tx_head;
+ for (tail = queue->tx_tail; tail != head && packets < budget; tail++) {
+ struct macb_tx_skb *tx_skb;
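Review bot: The completion loop that follows the new `spin_lock_irqsave(&queue->tx_ptr_lock, flags)` in macb_tx_complete() now runs with local interrupts disabled for up to `budget` descriptors, where before only the spinlock was held. The loop body is outside this hunk, so confirm that nothing in it (presumably the per-descriptor unmap and skb release) expects interrupts to be enabled, and that the worst-case hold time is acceptable. A short comment above the lock would record why the irqsave form is needed, e.g. `/* also taken from macb_start_xmit(), which netpoll may call with IRQs off */`. The matching unlock is in the next hunk.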
+@@ -1291,7 +1292,7 @@ static int macb_tx_complete(struct macb_queue *queue, int budget)
+ CIRC_CNT(queue->tx_head, queue->tx_tail,
+ bp->tx_ring_size) <= MACB_TX_WAKEUP_THRESH(bp))
+ netif_wake_subqueue(bp->dev, queue_index);
+- spin_unlock(&queue->tx_ptr_lock);
++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags);
+
+ return packets;
+ }
+@@ -1707,8 +1708,9 @@ static void macb_tx_restart(struct macb_queue *queue)
+ {
+ struct macb *bp = queue->bp;
+ unsigned int head_idx, tbqp;
++ unsigned long flags;
+
+- spin_lock(&queue->tx_ptr_lock);
++ spin_lock_irqsave(&queue->tx_ptr_lock, flags);
+
+ if (queue->tx_head == queue->tx_tail)
+ goto out_tx_ptr_unlock;
+@@ -1720,19 +1722,20 @@ static void macb_tx_restart(struct macb_queue *queue)
+ if (tbqp == head_idx)
+ goto out_tx_ptr_unlock;
+
+- spin_lock_irq(&bp->lock);
++ spin_lock(&bp->lock);
+ macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(TSTART));
+- spin_unlock_irq(&bp->lock);
++ spin_unlock(&bp->lock);
+
+ out_tx_ptr_unlock:
+- spin_unlock(&queue->tx_ptr_lock);
++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags);
+ }
+
+ static bool macb_tx_complete_pending(struct macb_queue *queue)
+ {
+ bool retval = false;
++ unsigned long flags;
+
+- spin_lock(&queue->tx_ptr_lock);
++ spin_lock_irqsave(&queue->tx_ptr_lock, flags);
+ if (queue->tx_head != queue->tx_tail) {
+ /* Make hw descriptor updates visible to CPU */
+ rmb();
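Review bot: The switch from `spin_lock_irq(&bp->lock)` to plain `spin_lock(&bp->lock)` in macb_tx_restart() is only correct because tx_ptr_lock is now held with interrupts saved and disabled, and nothing at the call site says so. A one-line comment such as `/* IRQs are already off under tx_ptr_lock */` would stop a later cleanup from restoring the `_irq` variant, which would re-enable interrupts while tx_ptr_lock is still held. The same applies to the `bp->lock` pair in macb_start_xmit() further down. Both places nest tx_ptr_lock outside bp->lock, so paths outside these hunks that take bp->lock should be checked for the opposite order. macb_tx_complete_pending() continues past the end of this hunk.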
+@@ -1740,7 +1743,7 @@ static bool macb_tx_complete_pending(struct macb_queue *queue)
+ if (macb_tx_desc(queue, queue->tx_tail)->ctrl & MACB_BIT(TX_USED))
+ retval = true;
+ }
+- spin_unlock(&queue->tx_ptr_lock);
++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags);
+ return retval;
+ }
+
+@@ -2308,6 +2311,7 @@ static netdev_tx_t macb_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ struct macb_queue *queue = &bp->queues[queue_index];
+ unsigned int desc_cnt, nr_frags, frag_size, f;
+ unsigned int hdrlen;
++ unsigned long flags;
+ bool is_lso;
+ netdev_tx_t ret = NETDEV_TX_OK;
+
+@@ -2368,7 +2372,7 @@ static netdev_tx_t macb_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ desc_cnt += DIV_ROUND_UP(frag_size, bp->max_tx_length);
+ }
+
+- spin_lock_bh(&queue->tx_ptr_lock);
++ spin_lock_irqsave(&queue->tx_ptr_lock, flags);
+
+ /* This is a hard error, log it. */
+ if (CIRC_SPACE(queue->tx_head, queue->tx_tail,
+@@ -2392,15 +2396,15 @@ static netdev_tx_t macb_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ netdev_tx_sent_queue(netdev_get_tx_queue(bp->dev, queue_index),
+ skb->len);
+
+- spin_lock_irq(&bp->lock);
++ spin_lock(&bp->lock);
+ macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(TSTART));
+- spin_unlock_irq(&bp->lock);
++ spin_unlock(&bp->lock);
+
+ if (CIRC_SPACE(queue->tx_head, queue->tx_tail, bp->tx_ring_size) < 1)
+ netif_stop_subqueue(dev, queue_index);
+
+ unlock:
+- spin_unlock_bh(&queue->tx_ptr_lock);
++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags);
+
+ return ret;
+ }
+--
+2.50.1
+
--- /dev/null
+From 4ed0c8900bed7a0f67f3b1b2019796ee281aa1c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 15:28:26 +0800
+Subject: net: mctp: mctp_fraq_queue should take ownership of passed skb
+
+From: Jeremy Kerr <jk@codeconstruct.com.au>
+
+[ Upstream commit 773b27a8a2f00ce3134e92e50ea4794a98ba2b76 ]
+
+As of commit f5d83cf0eeb9 ("net: mctp: unshare packets when
+reassembling"), we skb_unshare() in mctp_frag_queue(). The unshare may
+invalidate the original skb pointer, so we need to treat the skb as
+entirely owned by the fraq queue, even on failure.
+
+Fixes: f5d83cf0eeb9 ("net: mctp: unshare packets when reassembling")
+Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
+Link: https://patch.msgid.link/20250829-mctp-skb-unshare-v1-1-1c28fe10235a@codeconstruct.com.au
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mctp/route.c | 35 +++++++++++++++++++----------------
+ 1 file changed, 19 insertions(+), 16 deletions(-)
+
+diff --git a/net/mctp/route.c b/net/mctp/route.c
+index d9c8e5a5f9ce9..19ff259d7bc43 100644
+--- a/net/mctp/route.c
++++ b/net/mctp/route.c
+@@ -325,6 +325,7 @@ static void mctp_skb_set_flow(struct sk_buff *skb, struct mctp_sk_key *key) {}
+ static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev) {}
+ #endif
+
++/* takes ownership of skb, both in success and failure cases */
+ static int mctp_frag_queue(struct mctp_sk_key *key, struct sk_buff *skb)
+ {
+ struct mctp_hdr *hdr = mctp_hdr(skb);
+@@ -334,8 +335,10 @@ static int mctp_frag_queue(struct mctp_sk_key *key, struct sk_buff *skb)
+ & MCTP_HDR_SEQ_MASK;
+
+ if (!key->reasm_head) {
+- /* Since we're manipulating the shared frag_list, ensure it isn't
+- * shared with any other SKBs.
++ /* Since we're manipulating the shared frag_list, ensure it
++ * isn't shared with any other SKBs. In the cloned case,
++ * this will free the skb; callers can no longer access it
++ * safely.
+ */
+ key->reasm_head = skb_unshare(skb, GFP_ATOMIC);
+ if (!key->reasm_head)
+@@ -349,10 +352,10 @@ static int mctp_frag_queue(struct mctp_sk_key *key, struct sk_buff *skb)
+ exp_seq = (key->last_seq + 1) & MCTP_HDR_SEQ_MASK;
+
+ if (this_seq != exp_seq)
+- return -EINVAL;
++ goto err_free;
+
+ if (key->reasm_head->len + skb->len > mctp_message_maxlen)
+- return -EINVAL;
++ goto err_free;
+
+ skb->next = NULL;
+ skb->sk = NULL;
+@@ -366,6 +369,10 @@ static int mctp_frag_queue(struct mctp_sk_key *key, struct sk_buff *skb)
+ key->reasm_head->truesize += skb->truesize;
+
+ return 0;
++
++err_free:
++ kfree_skb(skb);
++ return -EINVAL;
+ }
+
+ static int mctp_route_input(struct mctp_route *route, struct sk_buff *skb)
+@@ -476,18 +483,16 @@ static int mctp_route_input(struct mctp_route *route, struct sk_buff *skb)
+ * key isn't observable yet
+ */
+ mctp_frag_queue(key, skb);
++ skb = NULL;
+
+ /* if the key_add fails, we've raced with another
+ * SOM packet with the same src, dest and tag. There's
+ * no way to distinguish future packets, so all we
+- * can do is drop; we'll free the skb on exit from
+- * this function.
++ * can do is drop.
+ */
+ rc = mctp_key_add(key, msk);
+- if (!rc) {
++ if (!rc)
+ trace_mctp_key_acquire(key);
+- skb = NULL;
+- }
+
+ /* we don't need to release key->lock on exit, so
+ * clean up here and suppress the unlock via
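Review bot: The return value of `mctp_frag_queue(key, skb)` is still discarded on this start-of-message path. Under the new ownership rule, a failure there means the skb may already have been released while the key still goes on to `mctp_key_add()`. From the visible code a failed `skb_unshare()` leaves `key->reasm_head` NULL, and the later `if (!key->reasm_head)` branch rejects continuation fragments with -EINVAL, so this looks safe, but the reasoning is not written down. Either state it in the comment, e.g. `/* on failure reasm_head stays NULL and later fragments are rejected */`, or capture the result and skip the key add. mctp_route_input() starts and ends outside this hunk.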
+@@ -505,8 +510,7 @@ static int mctp_route_input(struct mctp_route *route, struct sk_buff *skb)
+ key = NULL;
+ } else {
+ rc = mctp_frag_queue(key, skb);
+- if (!rc)
+- skb = NULL;
++ skb = NULL;
+ }
+ }
+
+@@ -516,17 +520,16 @@ static int mctp_route_input(struct mctp_route *route, struct sk_buff *skb)
+ */
+
+ /* we need to be continuing an existing reassembly... */
+- if (!key->reasm_head)
++ if (!key->reasm_head) {
+ rc = -EINVAL;
+- else
++ } else {
+ rc = mctp_frag_queue(key, skb);
++ skb = NULL;
++ }
+
+ if (rc)
+ goto out_unlock;
+
+- /* we've queued; the queue owns the skb now */
+- skb = NULL;
+-
+ /* end of message? deliver to socket, and we're done with
+ * the reassembly/response key
+ */
+--
+2.50.1
+
--- /dev/null
+From faeaa544a3e29d7a3248a1cb7b71a6bd229b287d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 15:40:23 +0800
+Subject: net: mctp: usb: initialise mac header in RX path
+
+From: Jeremy Kerr <jk@codeconstruct.com.au>
+
+[ Upstream commit e27e34bc99413a29cafae02ad572ea3c9beba2ce ]
+
+We're not currently setting skb->mac_header on ingress, and the netdev
+core rx path expects it. Without it, we'll hit a warning on DEBUG_NETDEV
+from commit 1e4033b53db4 ("net: skb_reset_mac_len() must check if
+mac_header was set")
+
+Initialise the mac_header to refer to the USB transport header.
+
+Fixes: 0791c0327a6e ("net: mctp: Add MCTP USB transport driver")
+Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
+Link: https://patch.msgid.link/20250829-mctp-usb-mac-header-v1-1-338ad725e183@codeconstruct.com.au
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/mctp/mctp-usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/mctp/mctp-usb.c b/drivers/net/mctp/mctp-usb.c
+index 775a386d0aca1..36ccc53b17975 100644
+--- a/drivers/net/mctp/mctp-usb.c
++++ b/drivers/net/mctp/mctp-usb.c
+@@ -183,6 +183,7 @@ static void mctp_usb_in_complete(struct urb *urb)
+ struct mctp_usb_hdr *hdr;
+ u8 pkt_len; /* length of MCTP packet, no USB header */
+
++ skb_reset_mac_header(skb);
+ hdr = skb_pull_data(skb, sizeof(*hdr));
+ if (!hdr)
+ break;
+--
+2.50.1
+
--- /dev/null
+From 7ecdb06fd0515d2ddc04f3e2c1d3191b755849b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 13:30:01 +0000
+Subject: net: remove sock_i_uid()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit c51da3f7a161c6822232be832abdffe47eb55b4c ]
+
+Difference between sock_i_uid() and sk_uid() is that
+after sock_orphan(), sock_i_uid() returns GLOBAL_ROOT_UID
+while sk_uid() returns the last cached sk->sk_uid value.
+
+None of sock_i_uid() callers care about this.
+
+Use sk_uid() which is much faster and inlined.
+
+Note that diag/dump users are calling sock_i_ino() and
+can not see the full benefit yet.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Lorenzo Colitti <lorenzo@google.com>
+Reviewed-by: Maciej Żenczykowski <maze@google.com>
+Link: https://patch.msgid.link/20250620133001.4090592-3-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 5d6b58c932ec ("net: lockless sock_i_ino()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sock.h | 2 --
+ net/appletalk/atalk_proc.c | 2 +-
+ net/bluetooth/af_bluetooth.c | 2 +-
+ net/core/sock.c | 11 -----------
+ net/ipv4/inet_connection_sock.c | 27 ++++++++++++---------------
+ net/ipv4/inet_diag.c | 2 +-
+ net/ipv4/inet_hashtables.c | 4 ++--
+ net/ipv4/ping.c | 2 +-
+ net/ipv4/raw.c | 2 +-
+ net/ipv4/tcp_ipv4.c | 8 ++++----
+ net/ipv4/udp.c | 16 ++++++++--------
+ net/ipv6/datagram.c | 2 +-
+ net/ipv6/tcp_ipv6.c | 4 ++--
+ net/key/af_key.c | 2 +-
+ net/llc/llc_proc.c | 2 +-
+ net/packet/af_packet.c | 2 +-
+ net/packet/diag.c | 2 +-
+ net/phonet/socket.c | 4 ++--
+ net/sctp/input.c | 2 +-
+ net/sctp/proc.c | 4 ++--
+ net/sctp/socket.c | 4 ++--
+ net/smc/smc_diag.c | 2 +-
+ net/tipc/socket.c | 2 +-
+ net/unix/af_unix.c | 2 +-
+ net/unix/diag.c | 2 +-
+ net/xdp/xsk_diag.c | 2 +-
+ 26 files changed, 50 insertions(+), 66 deletions(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index e3ab203456858..da644ab5ae7f4 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -2092,8 +2092,6 @@ static inline void sock_graft(struct sock *sk, struct socket *parent)
+ write_unlock_bh(&sk->sk_callback_lock);
+ }
+
+-kuid_t sock_i_uid(struct sock *sk);
+-
+ static inline kuid_t sk_uid(const struct sock *sk)
+ {
+ /* Paired with WRITE_ONCE() in sockfs_setattr() */
+diff --git a/net/appletalk/atalk_proc.c b/net/appletalk/atalk_proc.c
+index 9c1241292d1d2..01787fb6a7bce 100644
+--- a/net/appletalk/atalk_proc.c
++++ b/net/appletalk/atalk_proc.c
+@@ -181,7 +181,7 @@ static int atalk_seq_socket_show(struct seq_file *seq, void *v)
+ sk_wmem_alloc_get(s),
+ sk_rmem_alloc_get(s),
+ s->sk_state,
+- from_kuid_munged(seq_user_ns(seq), sock_i_uid(s)));
++ from_kuid_munged(seq_user_ns(seq), sk_uid(s)));
+ out:
+ return 0;
+ }
+diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
+index 6ad2f72f53f4e..ee9bf84c88a70 100644
+--- a/net/bluetooth/af_bluetooth.c
++++ b/net/bluetooth/af_bluetooth.c
+@@ -815,7 +815,7 @@ static int bt_seq_show(struct seq_file *seq, void *v)
+ refcount_read(&sk->sk_refcnt),
+ sk_rmem_alloc_get(sk),
+ sk_wmem_alloc_get(sk),
+- from_kuid(seq_user_ns(seq), sock_i_uid(sk)),
++ from_kuid(seq_user_ns(seq), sk_uid(sk)),
+ sock_i_ino(sk),
+ bt->parent ? sock_i_ino(bt->parent) : 0LU);
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 9fae9239f9393..1689eaf42f25b 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2788,17 +2788,6 @@ void sock_pfree(struct sk_buff *skb)
+ EXPORT_SYMBOL(sock_pfree);
+ #endif /* CONFIG_INET */
+
+-kuid_t sock_i_uid(struct sock *sk)
+-{
+- kuid_t uid;
+-
+- read_lock_bh(&sk->sk_callback_lock);
+- uid = sk->sk_socket ? SOCK_INODE(sk->sk_socket)->i_uid : GLOBAL_ROOT_UID;
+- read_unlock_bh(&sk->sk_callback_lock);
+- return uid;
+-}
+-EXPORT_SYMBOL(sock_i_uid);
+-
+ unsigned long __sock_i_ino(struct sock *sk)
+ {
+ unsigned long ino;
+diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
+index 46750c96d08ea..f4157d26ec9e4 100644
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -168,7 +168,7 @@ static bool inet_use_bhash2_on_bind(const struct sock *sk)
+ }
+
+ static bool inet_bind_conflict(const struct sock *sk, struct sock *sk2,
+- kuid_t sk_uid, bool relax,
++ kuid_t uid, bool relax,
+ bool reuseport_cb_ok, bool reuseport_ok)
+ {
+ int bound_dev_if2;
+@@ -185,12 +185,12 @@ static bool inet_bind_conflict(const struct sock *sk, struct sock *sk2,
+ if (!relax || (!reuseport_ok && sk->sk_reuseport &&
+ sk2->sk_reuseport && reuseport_cb_ok &&
+ (sk2->sk_state == TCP_TIME_WAIT ||
+- uid_eq(sk_uid, sock_i_uid(sk2)))))
++ uid_eq(uid, sk_uid(sk2)))))
+ return true;
+ } else if (!reuseport_ok || !sk->sk_reuseport ||
+ !sk2->sk_reuseport || !reuseport_cb_ok ||
+ (sk2->sk_state != TCP_TIME_WAIT &&
+- !uid_eq(sk_uid, sock_i_uid(sk2)))) {
++ !uid_eq(uid, sk_uid(sk2)))) {
+ return true;
+ }
+ }
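Review bot: Both `uid_eq(uid, sk_uid(sk2))` tests in inet_bind_conflict() sit behind a TIME_WAIT check on `sk2->sk_state`, and that ordering matters more now that the UID is read straight from the socket structure. If sk2 can be a time-wait minisock in this list (an assumption, since the iteration is outside the hunk), it should not reach `sk_uid()`, and the short-circuit is what prevents that. A comment such as `/* sk_uid() only for full sockets; TIME_WAIT is tested first */` would protect the reuseport same-owner check from a later reordering. The parameter rename from `sk_uid` to `uid`, needed so the argument does not shadow the helper, is repeated in the following hunks.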
+@@ -198,7 +198,7 @@ static bool inet_bind_conflict(const struct sock *sk, struct sock *sk2,
+ }
+
+ static bool __inet_bhash2_conflict(const struct sock *sk, struct sock *sk2,
+- kuid_t sk_uid, bool relax,
++ kuid_t uid, bool relax,
+ bool reuseport_cb_ok, bool reuseport_ok)
+ {
+ if (ipv6_only_sock(sk2)) {
+@@ -211,20 +211,20 @@ static bool __inet_bhash2_conflict(const struct sock *sk, struct sock *sk2,
+ #endif
+ }
+
+- return inet_bind_conflict(sk, sk2, sk_uid, relax,
++ return inet_bind_conflict(sk, sk2, uid, relax,
+ reuseport_cb_ok, reuseport_ok);
+ }
+
+ static bool inet_bhash2_conflict(const struct sock *sk,
+ const struct inet_bind2_bucket *tb2,
+- kuid_t sk_uid,
++ kuid_t uid,
+ bool relax, bool reuseport_cb_ok,
+ bool reuseport_ok)
+ {
+ struct sock *sk2;
+
+ sk_for_each_bound(sk2, &tb2->owners) {
+- if (__inet_bhash2_conflict(sk, sk2, sk_uid, relax,
++ if (__inet_bhash2_conflict(sk, sk2, uid, relax,
+ reuseport_cb_ok, reuseport_ok))
+ return true;
+ }
+@@ -242,8 +242,8 @@ static int inet_csk_bind_conflict(const struct sock *sk,
+ const struct inet_bind2_bucket *tb2, /* may be null */
+ bool relax, bool reuseport_ok)
+ {
+- kuid_t uid = sock_i_uid((struct sock *)sk);
+ struct sock_reuseport *reuseport_cb;
++ kuid_t uid = sk_uid(sk);
+ bool reuseport_cb_ok;
+ struct sock *sk2;
+
+@@ -287,11 +287,11 @@ static int inet_csk_bind_conflict(const struct sock *sk,
+ static bool inet_bhash2_addr_any_conflict(const struct sock *sk, int port, int l3mdev,
+ bool relax, bool reuseport_ok)
+ {
+- kuid_t uid = sock_i_uid((struct sock *)sk);
+ const struct net *net = sock_net(sk);
+ struct sock_reuseport *reuseport_cb;
+ struct inet_bind_hashbucket *head2;
+ struct inet_bind2_bucket *tb2;
++ kuid_t uid = sk_uid(sk);
+ bool conflict = false;
+ bool reuseport_cb_ok;
+
+@@ -425,15 +425,13 @@ inet_csk_find_open_port(const struct sock *sk, struct inet_bind_bucket **tb_ret,
+ static inline int sk_reuseport_match(struct inet_bind_bucket *tb,
+ struct sock *sk)
+ {
+- kuid_t uid = sock_i_uid(sk);
+-
+ if (tb->fastreuseport <= 0)
+ return 0;
+ if (!sk->sk_reuseport)
+ return 0;
+ if (rcu_access_pointer(sk->sk_reuseport_cb))
+ return 0;
+- if (!uid_eq(tb->fastuid, uid))
++ if (!uid_eq(tb->fastuid, sk_uid(sk)))
+ return 0;
+ /* We only need to check the rcv_saddr if this tb was once marked
+ * without fastreuseport and then was reset, as we can only know that
+@@ -458,14 +456,13 @@ static inline int sk_reuseport_match(struct inet_bind_bucket *tb,
+ void inet_csk_update_fastreuse(struct inet_bind_bucket *tb,
+ struct sock *sk)
+ {
+- kuid_t uid = sock_i_uid(sk);
+ bool reuse = sk->sk_reuse && sk->sk_state != TCP_LISTEN;
+
+ if (hlist_empty(&tb->bhash2)) {
+ tb->fastreuse = reuse;
+ if (sk->sk_reuseport) {
+ tb->fastreuseport = FASTREUSEPORT_ANY;
+- tb->fastuid = uid;
++ tb->fastuid = sk_uid(sk);
+ tb->fast_rcv_saddr = sk->sk_rcv_saddr;
+ tb->fast_ipv6_only = ipv6_only_sock(sk);
+ tb->fast_sk_family = sk->sk_family;
+@@ -492,7 +489,7 @@ void inet_csk_update_fastreuse(struct inet_bind_bucket *tb,
+ */
+ if (!sk_reuseport_match(tb, sk)) {
+ tb->fastreuseport = FASTREUSEPORT_STRICT;
+- tb->fastuid = uid;
++ tb->fastuid = sk_uid(sk);
+ tb->fast_rcv_saddr = sk->sk_rcv_saddr;
+ tb->fast_ipv6_only = ipv6_only_sock(sk);
+ tb->fast_sk_family = sk->sk_family;
+diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
+index 1d1d6ad53f4c9..2fa53b16fe778 100644
+--- a/net/ipv4/inet_diag.c
++++ b/net/ipv4/inet_diag.c
+@@ -181,7 +181,7 @@ int inet_diag_msg_attrs_fill(struct sock *sk, struct sk_buff *skb,
+ goto errout;
+ #endif
+
+- r->idiag_uid = from_kuid_munged(user_ns, sock_i_uid(sk));
++ r->idiag_uid = from_kuid_munged(user_ns, sk_uid(sk));
+ r->idiag_inode = sock_i_ino(sk);
+
+ memset(&inet_sockopt, 0, sizeof(inet_sockopt));
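Review bot: `r->idiag_uid` now comes from `sk_uid(sk)`, and the call site does not mention that this changes the value reported for orphaned sockets. Per the commit description, `sk_uid()` keeps the last cached owner after `sock_orphan()` instead of falling back to GLOBAL_ROOT_UID. Tools that attribute sockets to users from diag or /proc output will therefore see a different UID for orphaned sockets than before. A comment here, e.g. `/* cached owner; not reset to root after sock_orphan() */`, would document the reported value, and the same holds for the seq_file formatters changed in tcp_ipv4.c, udp.c, raw.c and ping.c. inet_diag_msg_attrs_fill() continues outside this hunk.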
+diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
+index 77a0b52b2eabf..ceeeec9b7290a 100644
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -721,8 +721,8 @@ static int inet_reuseport_add_sock(struct sock *sk,
+ {
+ struct inet_bind_bucket *tb = inet_csk(sk)->icsk_bind_hash;
+ const struct hlist_nulls_node *node;
++ kuid_t uid = sk_uid(sk);
+ struct sock *sk2;
+- kuid_t uid = sock_i_uid(sk);
+
+ sk_nulls_for_each_rcu(sk2, node, &ilb->nulls_head) {
+ if (sk2 != sk &&
+@@ -730,7 +730,7 @@ static int inet_reuseport_add_sock(struct sock *sk,
+ ipv6_only_sock(sk2) == ipv6_only_sock(sk) &&
+ sk2->sk_bound_dev_if == sk->sk_bound_dev_if &&
+ inet_csk(sk2)->icsk_bind_hash == tb &&
+- sk2->sk_reuseport && uid_eq(uid, sock_i_uid(sk2)) &&
++ sk2->sk_reuseport && uid_eq(uid, sk_uid(sk2)) &&
+ inet_rcv_saddr_equal(sk, sk2, false))
+ return reuseport_add_sock(sk, sk2,
+ inet_rcv_saddr_any(sk));
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index 4eacaf00e2e9b..031df4c19fcc5 100644
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -1116,7 +1116,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f,
+ sk_wmem_alloc_get(sp),
+ sk_rmem_alloc_get(sp),
+ 0, 0L, 0,
+- from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)),
++ from_kuid_munged(seq_user_ns(f), sk_uid(sp)),
+ 0, sock_i_ino(sp),
+ refcount_read(&sp->sk_refcnt), sp,
+ atomic_read(&sp->sk_drops));
+diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
+index 32f942d0f944c..1d2c89d63cc71 100644
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -1043,7 +1043,7 @@ static void raw_sock_seq_show(struct seq_file *seq, struct sock *sp, int i)
+ sk_wmem_alloc_get(sp),
+ sk_rmem_alloc_get(sp),
+ 0, 0L, 0,
+- from_kuid_munged(seq_user_ns(seq), sock_i_uid(sp)),
++ from_kuid_munged(seq_user_ns(seq), sk_uid(sp)),
+ 0, sock_i_ino(sp),
+ refcount_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
+ }
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 6a14f9e6fef64..429fb34b075e0 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -2896,7 +2896,7 @@ static void get_openreq4(const struct request_sock *req,
+ jiffies_delta_to_clock_t(delta),
+ req->num_timeout,
+ from_kuid_munged(seq_user_ns(f),
+- sock_i_uid(req->rsk_listener)),
++ sk_uid(req->rsk_listener)),
+ 0, /* non standard timer */
+ 0, /* open_requests have no inode */
+ 0,
+@@ -2954,7 +2954,7 @@ static void get_tcp4_sock(struct sock *sk, struct seq_file *f, int i)
+ timer_active,
+ jiffies_delta_to_clock_t(timer_expires - jiffies),
+ icsk->icsk_retransmits,
+- from_kuid_munged(seq_user_ns(f), sock_i_uid(sk)),
++ from_kuid_munged(seq_user_ns(f), sk_uid(sk)),
+ icsk->icsk_probes_out,
+ sock_i_ino(sk),
+ refcount_read(&sk->sk_refcnt), sk,
+@@ -3246,9 +3246,9 @@ static int bpf_iter_tcp_seq_show(struct seq_file *seq, void *v)
+ const struct request_sock *req = v;
+
+ uid = from_kuid_munged(seq_user_ns(seq),
+- sock_i_uid(req->rsk_listener));
++ sk_uid(req->rsk_listener));
+ } else {
+- uid = from_kuid_munged(seq_user_ns(seq), sock_i_uid(sk));
++ uid = from_kuid_munged(seq_user_ns(seq), sk_uid(sk));
+ }
+
+ meta.seq = seq;
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index f94bb222aa2d4..19573ee64a0f1 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -145,8 +145,8 @@ static int udp_lib_lport_inuse(struct net *net, __u16 num,
+ unsigned long *bitmap,
+ struct sock *sk, unsigned int log)
+ {
++ kuid_t uid = sk_uid(sk);
+ struct sock *sk2;
+- kuid_t uid = sock_i_uid(sk);
+
+ sk_for_each(sk2, &hslot->head) {
+ if (net_eq(sock_net(sk2), net) &&
+@@ -158,7 +158,7 @@ static int udp_lib_lport_inuse(struct net *net, __u16 num,
+ inet_rcv_saddr_equal(sk, sk2, true)) {
+ if (sk2->sk_reuseport && sk->sk_reuseport &&
+ !rcu_access_pointer(sk->sk_reuseport_cb) &&
+- uid_eq(uid, sock_i_uid(sk2))) {
++ uid_eq(uid, sk_uid(sk2))) {
+ if (!bitmap)
+ return 0;
+ } else {
+@@ -180,8 +180,8 @@ static int udp_lib_lport_inuse2(struct net *net, __u16 num,
+ struct udp_hslot *hslot2,
+ struct sock *sk)
+ {
++ kuid_t uid = sk_uid(sk);
+ struct sock *sk2;
+- kuid_t uid = sock_i_uid(sk);
+ int res = 0;
+
+ spin_lock(&hslot2->lock);
+@@ -195,7 +195,7 @@ static int udp_lib_lport_inuse2(struct net *net, __u16 num,
+ inet_rcv_saddr_equal(sk, sk2, true)) {
+ if (sk2->sk_reuseport && sk->sk_reuseport &&
+ !rcu_access_pointer(sk->sk_reuseport_cb) &&
+- uid_eq(uid, sock_i_uid(sk2))) {
++ uid_eq(uid, sk_uid(sk2))) {
+ res = 0;
+ } else {
+ res = 1;
+@@ -210,7 +210,7 @@ static int udp_lib_lport_inuse2(struct net *net, __u16 num,
+ static int udp_reuseport_add_sock(struct sock *sk, struct udp_hslot *hslot)
+ {
+ struct net *net = sock_net(sk);
+- kuid_t uid = sock_i_uid(sk);
++ kuid_t uid = sk_uid(sk);
+ struct sock *sk2;
+
+ sk_for_each(sk2, &hslot->head) {
+@@ -220,7 +220,7 @@ static int udp_reuseport_add_sock(struct sock *sk, struct udp_hslot *hslot)
+ ipv6_only_sock(sk2) == ipv6_only_sock(sk) &&
+ (udp_sk(sk2)->udp_port_hash == udp_sk(sk)->udp_port_hash) &&
+ (sk2->sk_bound_dev_if == sk->sk_bound_dev_if) &&
+- sk2->sk_reuseport && uid_eq(uid, sock_i_uid(sk2)) &&
++ sk2->sk_reuseport && uid_eq(uid, sk_uid(sk2)) &&
+ inet_rcv_saddr_equal(sk, sk2, false)) {
+ return reuseport_add_sock(sk, sk2,
+ inet_rcv_saddr_any(sk));
+@@ -3387,7 +3387,7 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f,
+ sk_wmem_alloc_get(sp),
+ udp_rqueue_get(sp),
+ 0, 0L, 0,
+- from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)),
++ from_kuid_munged(seq_user_ns(f), sk_uid(sp)),
+ 0, sock_i_ino(sp),
+ refcount_read(&sp->sk_refcnt), sp,
+ atomic_read(&sp->sk_drops));
+@@ -3630,7 +3630,7 @@ static int bpf_iter_udp_seq_show(struct seq_file *seq, void *v)
+ goto unlock;
+ }
+
+- uid = from_kuid_munged(seq_user_ns(seq), sock_i_uid(sk));
++ uid = from_kuid_munged(seq_user_ns(seq), sk_uid(sk));
+ meta.seq = seq;
+ prog = bpf_iter_get_info(&meta, false);
+ ret = udp_prog_seq_show(prog, &meta, v, uid, state->bucket);
+diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
+index 83f5aa5e133ab..281722817a65c 100644
+--- a/net/ipv6/datagram.c
++++ b/net/ipv6/datagram.c
+@@ -1064,7 +1064,7 @@ void __ip6_dgram_sock_seq_show(struct seq_file *seq, struct sock *sp,
+ sk_wmem_alloc_get(sp),
+ rqueue,
+ 0, 0L, 0,
+- from_kuid_munged(seq_user_ns(seq), sock_i_uid(sp)),
++ from_kuid_munged(seq_user_ns(seq), sk_uid(sp)),
+ 0,
+ sock_i_ino(sp),
+ refcount_read(&sp->sk_refcnt), sp,
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index 3e83c7b5c14a7..5604ae6163f45 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -2166,7 +2166,7 @@ static void get_openreq6(struct seq_file *seq,
+ jiffies_to_clock_t(ttd),
+ req->num_timeout,
+ from_kuid_munged(seq_user_ns(seq),
+- sock_i_uid(req->rsk_listener)),
++ sk_uid(req->rsk_listener)),
+ 0, /* non standard timer */
+ 0, /* open_requests have no inode */
+ 0, req);
+@@ -2232,7 +2232,7 @@ static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
+ timer_active,
+ jiffies_delta_to_clock_t(timer_expires - jiffies),
+ icsk->icsk_retransmits,
+- from_kuid_munged(seq_user_ns(seq), sock_i_uid(sp)),
++ from_kuid_munged(seq_user_ns(seq), sk_uid(sp)),
+ icsk->icsk_probes_out,
+ sock_i_ino(sp),
+ refcount_read(&sp->sk_refcnt), sp,
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index b5d761700776a..2ebde03522459 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -3788,7 +3788,7 @@ static int pfkey_seq_show(struct seq_file *f, void *v)
+ refcount_read(&s->sk_refcnt),
+ sk_rmem_alloc_get(s),
+ sk_wmem_alloc_get(s),
+- from_kuid_munged(seq_user_ns(f), sock_i_uid(s)),
++ from_kuid_munged(seq_user_ns(f), sk_uid(s)),
+ sock_i_ino(s)
+ );
+ return 0;
+diff --git a/net/llc/llc_proc.c b/net/llc/llc_proc.c
+index 07e9abb5978a7..aa81c67b24a15 100644
+--- a/net/llc/llc_proc.c
++++ b/net/llc/llc_proc.c
+@@ -151,7 +151,7 @@ static int llc_seq_socket_show(struct seq_file *seq, void *v)
+ sk_wmem_alloc_get(sk),
+ sk_rmem_alloc_get(sk) - llc->copied_seq,
+ sk->sk_state,
+- from_kuid_munged(seq_user_ns(seq), sock_i_uid(sk)),
++ from_kuid_munged(seq_user_ns(seq), sk_uid(sk)),
+ llc->link);
+ out:
+ return 0;
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index c7c7de3403f76..a7017d7f09272 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -4782,7 +4782,7 @@ static int packet_seq_show(struct seq_file *seq, void *v)
+ READ_ONCE(po->ifindex),
+ packet_sock_flag(po, PACKET_SOCK_RUNNING),
+ atomic_read(&s->sk_rmem_alloc),
+- from_kuid_munged(seq_user_ns(seq), sock_i_uid(s)),
++ from_kuid_munged(seq_user_ns(seq), sk_uid(s)),
+ sock_i_ino(s));
+ }
+
+diff --git a/net/packet/diag.c b/net/packet/diag.c
+index 47f69f3dbf73e..6ce1dcc284d92 100644
+--- a/net/packet/diag.c
++++ b/net/packet/diag.c
+@@ -153,7 +153,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
+
+ if ((req->pdiag_show & PACKET_SHOW_INFO) &&
+ nla_put_u32(skb, PACKET_DIAG_UID,
+- from_kuid_munged(user_ns, sock_i_uid(sk))))
++ from_kuid_munged(user_ns, sk_uid(sk))))
+ goto out_nlmsg_trim;
+
+ if ((req->pdiag_show & PACKET_SHOW_MCLIST) &&
+diff --git a/net/phonet/socket.c b/net/phonet/socket.c
+index 5ce0b3ee5def8..ea4d5e6533dba 100644
+--- a/net/phonet/socket.c
++++ b/net/phonet/socket.c
+@@ -584,7 +584,7 @@ static int pn_sock_seq_show(struct seq_file *seq, void *v)
+ sk->sk_protocol, pn->sobject, pn->dobject,
+ pn->resource, sk->sk_state,
+ sk_wmem_alloc_get(sk), sk_rmem_alloc_get(sk),
+- from_kuid_munged(seq_user_ns(seq), sock_i_uid(sk)),
++ from_kuid_munged(seq_user_ns(seq), sk_uid(sk)),
+ sock_i_ino(sk),
+ refcount_read(&sk->sk_refcnt), sk,
+ atomic_read(&sk->sk_drops));
+@@ -755,7 +755,7 @@ static int pn_res_seq_show(struct seq_file *seq, void *v)
+
+ seq_printf(seq, "%02X %5u %lu",
+ (int) (psk - pnres.sk),
+- from_kuid_munged(seq_user_ns(seq), sock_i_uid(sk)),
++ from_kuid_munged(seq_user_ns(seq), sk_uid(sk)),
+ sock_i_ino(sk));
+ }
+ seq_pad(seq, '\n');
+diff --git a/net/sctp/input.c b/net/sctp/input.c
+index 6fcdcaeed40e9..7e99894778d4f 100644
+--- a/net/sctp/input.c
++++ b/net/sctp/input.c
+@@ -756,7 +756,7 @@ static int __sctp_hash_endpoint(struct sctp_endpoint *ep)
+ struct sock *sk2 = ep2->base.sk;
+
+ if (!net_eq(sock_net(sk2), net) || sk2 == sk ||
+- !uid_eq(sock_i_uid(sk2), sock_i_uid(sk)) ||
++ !uid_eq(sk_uid(sk2), sk_uid(sk)) ||
+ !sk2->sk_reuseport)
+ continue;
+
+diff --git a/net/sctp/proc.c b/net/sctp/proc.c
+index ec00ee75d59a6..74bff317e205c 100644
+--- a/net/sctp/proc.c
++++ b/net/sctp/proc.c
+@@ -177,7 +177,7 @@ static int sctp_eps_seq_show(struct seq_file *seq, void *v)
+ seq_printf(seq, "%8pK %8pK %-3d %-3d %-4d %-5d %5u %5lu ", ep, sk,
+ sctp_sk(sk)->type, sk->sk_state, hash,
+ ep->base.bind_addr.port,
+- from_kuid_munged(seq_user_ns(seq), sock_i_uid(sk)),
++ from_kuid_munged(seq_user_ns(seq), sk_uid(sk)),
+ sock_i_ino(sk));
+
+ sctp_seq_dump_local_addrs(seq, &ep->base);
+@@ -267,7 +267,7 @@ static int sctp_assocs_seq_show(struct seq_file *seq, void *v)
+ assoc->assoc_id,
+ assoc->sndbuf_used,
+ atomic_read(&assoc->rmem_alloc),
+- from_kuid_munged(seq_user_ns(seq), sock_i_uid(sk)),
++ from_kuid_munged(seq_user_ns(seq), sk_uid(sk)),
+ sock_i_ino(sk),
+ epb->bind_addr.port,
+ assoc->peer.port);
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index 1e5739858c206..aa6400811018e 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -8345,8 +8345,8 @@ static int sctp_get_port_local(struct sock *sk, union sctp_addr *addr)
+ bool reuse = (sk->sk_reuse || sp->reuse);
+ struct sctp_bind_hashbucket *head; /* hash list */
+ struct net *net = sock_net(sk);
+- kuid_t uid = sock_i_uid(sk);
+ struct sctp_bind_bucket *pp;
++ kuid_t uid = sk_uid(sk);
+ unsigned short snum;
+ int ret;
+
+@@ -8444,7 +8444,7 @@ static int sctp_get_port_local(struct sock *sk, union sctp_addr *addr)
+ (reuse && (sk2->sk_reuse || sp2->reuse) &&
+ sk2->sk_state != SCTP_SS_LISTENING) ||
+ (sk->sk_reuseport && sk2->sk_reuseport &&
+- uid_eq(uid, sock_i_uid(sk2))))
++ uid_eq(uid, sk_uid(sk2))))
+ continue;
+
+ if ((!sk->sk_bound_dev_if || !bound_dev_if2 ||
+diff --git a/net/smc/smc_diag.c b/net/smc/smc_diag.c
+index 6fdb2d96777ad..8ed2f6689b017 100644
+--- a/net/smc/smc_diag.c
++++ b/net/smc/smc_diag.c
+@@ -64,7 +64,7 @@ static int smc_diag_msg_attrs_fill(struct sock *sk, struct sk_buff *skb,
+ if (nla_put_u8(skb, SMC_DIAG_SHUTDOWN, sk->sk_shutdown))
+ return 1;
+
+- r->diag_uid = from_kuid_munged(user_ns, sock_i_uid(sk));
++ r->diag_uid = from_kuid_munged(user_ns, sk_uid(sk));
+ r->diag_inode = sock_i_ino(sk);
+ return 0;
+ }
+diff --git a/net/tipc/socket.c b/net/tipc/socket.c
+index 7c61d47ea2086..e028bf6584992 100644
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -3642,7 +3642,7 @@ int tipc_sk_fill_sock_diag(struct sk_buff *skb, struct netlink_callback *cb,
+ nla_put_u32(skb, TIPC_NLA_SOCK_INO, sock_i_ino(sk)) ||
+ nla_put_u32(skb, TIPC_NLA_SOCK_UID,
+ from_kuid_munged(sk_user_ns(NETLINK_CB(cb->skb).sk),
+- sock_i_uid(sk))) ||
++ sk_uid(sk))) ||
+ nla_put_u64_64bit(skb, TIPC_NLA_SOCK_COOKIE,
+ tipc_diag_gen_cookie(sk),
+ TIPC_NLA_SOCK_PAD))
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 52b155123985a..564c970d97fff 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -3697,7 +3697,7 @@ static int bpf_iter_unix_seq_show(struct seq_file *seq, void *v)
+ goto unlock;
+ }
+
+- uid = from_kuid_munged(seq_user_ns(seq), sock_i_uid(sk));
++ uid = from_kuid_munged(seq_user_ns(seq), sk_uid(sk));
+ meta.seq = seq;
+ prog = bpf_iter_get_info(&meta, false);
+ ret = unix_prog_seq_show(prog, &meta, v, uid);
+diff --git a/net/unix/diag.c b/net/unix/diag.c
+index 79b182d0e62ae..ca34730261510 100644
+--- a/net/unix/diag.c
++++ b/net/unix/diag.c
+@@ -106,7 +106,7 @@ static int sk_diag_show_rqlen(struct sock *sk, struct sk_buff *nlskb)
+ static int sk_diag_dump_uid(struct sock *sk, struct sk_buff *nlskb,
+ struct user_namespace *user_ns)
+ {
+- uid_t uid = from_kuid_munged(user_ns, sock_i_uid(sk));
++ uid_t uid = from_kuid_munged(user_ns, sk_uid(sk));
+ return nla_put(nlskb, UNIX_DIAG_UID, sizeof(uid_t), &uid);
+ }
+
+diff --git a/net/xdp/xsk_diag.c b/net/xdp/xsk_diag.c
+index 09dcea0cbbed9..0e0bca031c039 100644
+--- a/net/xdp/xsk_diag.c
++++ b/net/xdp/xsk_diag.c
+@@ -119,7 +119,7 @@ static int xsk_diag_fill(struct sock *sk, struct sk_buff *nlskb,
+
+ if ((req->xdiag_show & XDP_SHOW_INFO) &&
+ nla_put_u32(nlskb, XDP_DIAG_UID,
+- from_kuid_munged(user_ns, sock_i_uid(sk))))
++ from_kuid_munged(user_ns, sk_uid(sk))))
+ goto out_nlmsg_trim;
+
+ if ((req->xdiag_show & XDP_SHOW_RING_CFG) &&
+--
+2.50.1
+
--- /dev/null
+From b4ec076f5d12b6bddca66516150211cf51e39ec3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Aug 2025 20:41:17 +0800
+Subject: net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync()
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit ba1e9421cf1a8369d25c3832439702a015d6b5f9 ]
+
+BUG: kernel NULL pointer dereference, address: 00000000000002ec
+PGD 0 P4D 0
+Oops: Oops: 0000 [#1] SMP PTI
+CPU: 28 UID: 0 PID: 343 Comm: kworker/28:1 Kdump: loaded Tainted: G OE 6.17.0-rc2+ #9 NONE
+Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
+Workqueue: smc_hs_wq smc_listen_work [smc]
+RIP: 0010:smc_ib_is_sg_need_sync+0x9e/0xd0 [smc]
+...
+Call Trace:
+ <TASK>
+ smcr_buf_map_link+0x211/0x2a0 [smc]
+ __smc_buf_create+0x522/0x970 [smc]
+ smc_buf_create+0x3a/0x110 [smc]
+ smc_find_rdma_v2_device_serv+0x18f/0x240 [smc]
+ ? smc_vlan_by_tcpsk+0x7e/0xe0 [smc]
+ smc_listen_find_device+0x1dd/0x2b0 [smc]
+ smc_listen_work+0x30f/0x580 [smc]
+ process_one_work+0x18c/0x340
+ worker_thread+0x242/0x360
+ kthread+0xe7/0x220
+ ret_from_fork+0x13a/0x160
+ ret_from_fork_asm+0x1a/0x30
+ </TASK>
+
+If the software RoCE device is used, ibdev->dma_device is a null pointer.
+As a result, the problem occurs. Null pointer detection is added to
+prevent problems.
+
+Fixes: 0ef69e788411c ("net/smc: optimize for smc_sndbuf_sync_sg_for_device and smc_rmb_sync_sg_for_cpu")
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Reviewed-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Reviewed-by: D. Wythe <alibuda@linux.alibaba.com>
+Link: https://patch.msgid.link/20250828124117.2622624-1-liujian56@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/smc_ib.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/smc/smc_ib.c b/net/smc/smc_ib.c
+index 53828833a3f7f..a42ef3f77b961 100644
+--- a/net/smc/smc_ib.c
++++ b/net/smc/smc_ib.c
+@@ -742,6 +742,9 @@ bool smc_ib_is_sg_need_sync(struct smc_link *lnk,
+ unsigned int i;
+ bool ret = false;
+
++ if (!lnk->smcibdev->ibdev->dma_device)
++ return ret;
++
+ /* for now there is just one DMA address */
+ for_each_sg(buf_slot->sgt[lnk->link_idx].sgl, sg,
+ buf_slot->sgt[lnk->link_idx].nents, i) {
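Review bot: The new `dma_device` guard at the top of smc_ib_is_sg_need_sync() carries no comment, so a reader cannot tell which devices have a NULL `dma_device` or why `false` is the right answer for them. Going by the commit message this is the software RoCE case; a one-line comment above the check such as `/* software RoCE has no dma_device; nothing to sync */` would record that (the "nothing to sync" part is my reading of returning `ret` while it is still false, please confirm). The guard also dereferences `lnk->smcibdev` and `->ibdev` without checks, which presumably relies on a guarantee from the callers; the function starts and ends outside the hunk.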
+--
+2.50.1
+
--- /dev/null
+From 391391fa17c210edb8fb020b93ca6de1b971a86c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Sep 2025 10:20:41 +0200
+Subject: net/smc: Remove validation of reserved bits in CLC Decline message
+
+From: Mahanta Jambigi <mjambigi@linux.ibm.com>
+
+[ Upstream commit cc282f73bc0cbdf3ee7af2f2d3a2ef4e6b19242d ]
+
+Currently SMC code is validating the reserved bits while parsing the incoming
+CLC decline message & when this validation fails, its treated as a protocol
+error. As a result, the SMC connection is terminated instead of falling back to
+TCP. As per RFC7609[1] specs we shouldn't be validating the reserved bits that
+is part of CLC message. This patch fixes this issue.
+
+CLC Decline message format can viewed here[2].
+
+[1] https://datatracker.ietf.org/doc/html/rfc7609#page-92
+[2] https://datatracker.ietf.org/doc/html/rfc7609#page-105
+
+Fixes: 8ade200c269f ("net/smc: add v2 format of CLC decline message")
+Signed-off-by: Mahanta Jambigi <mjambigi@linux.ibm.com>
+Reviewed-by: Sidraya Jayagond <sidraya@linux.ibm.com>
+Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
+Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
+Link: https://patch.msgid.link/20250902082041.98996-1-mjambigi@linux.ibm.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/smc_clc.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c
+index 521f5df80e10c..8a794333e9927 100644
+--- a/net/smc/smc_clc.c
++++ b/net/smc/smc_clc.c
+@@ -426,8 +426,6 @@ smc_clc_msg_decl_valid(struct smc_clc_msg_decline *dclc)
+ {
+ struct smc_clc_msg_hdr *hdr = &dclc->hdr;
+
+- if (hdr->typev1 != SMC_TYPE_R && hdr->typev1 != SMC_TYPE_D)
+- return false;
+ if (hdr->version == SMC_V1) {
+ if (ntohs(hdr->length) != sizeof(struct smc_clc_msg_decline))
+ return false;
+--
+2.50.1
+
--- /dev/null
+From 0746a3835a3f0fc7d17a109173b50fbc0d28dfe6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 Aug 2025 15:55:38 -0700
+Subject: net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6
+
+From: Christoph Paasch <cpaasch@openai.com>
+
+[ Upstream commit fa390321aba0a54d0f7ae95ee4ecde1358bb9234 ]
+
+When tcp_ao_copy_all_matching() fails in tcp_v6_syn_recv_sock() it just
+exits the function. This ends up causing a memory-leak:
+
+unreferenced object 0xffff0000281a8200 (size 2496):
+ comm "softirq", pid 0, jiffies 4295174684
+ hex dump (first 32 bytes):
+ 7f 00 00 06 7f 00 00 06 00 00 00 00 cb a8 88 13 ................
+ 0a 00 03 61 00 00 00 00 00 00 00 00 00 00 00 00 ...a............
+ backtrace (crc 5ebdbe15):
+ kmemleak_alloc+0x44/0xe0
+ kmem_cache_alloc_noprof+0x248/0x470
+ sk_prot_alloc+0x48/0x120
+ sk_clone_lock+0x38/0x3b0
+ inet_csk_clone_lock+0x34/0x150
+ tcp_create_openreq_child+0x3c/0x4a8
+ tcp_v6_syn_recv_sock+0x1c0/0x620
+ tcp_check_req+0x588/0x790
+ tcp_v6_rcv+0x5d0/0xc18
+ ip6_protocol_deliver_rcu+0x2d8/0x4c0
+ ip6_input_finish+0x74/0x148
+ ip6_input+0x50/0x118
+ ip6_sublist_rcv+0x2fc/0x3b0
+ ipv6_list_rcv+0x114/0x170
+ __netif_receive_skb_list_core+0x16c/0x200
+ netif_receive_skb_list_internal+0x1f0/0x2d0
+
+This is because in tcp_v6_syn_recv_sock (and the IPv4 counterpart), when
+exiting upon error, inet_csk_prepare_forced_close() and tcp_done() need
+to be called. They make sure the newsk will end up being correctly
+free'd.
+
+tcp_v4_syn_recv_sock() makes this very clear by having the put_and_exit
+label that takes care of things. So, this patch here makes sure
+tcp_v4_syn_recv_sock and tcp_v6_syn_recv_sock have similar
+error-handling and thus fixes the leak for TCP-AO.
+
+Fixes: 06b22ef29591 ("net/tcp: Wire TCP-AO to request sockets")
+Signed-off-by: Christoph Paasch <cpaasch@openai.com>
+Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com>
+Link: https://patch.msgid.link/20250830-tcpao_leak-v1-1-e5878c2c3173@openai.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/tcp_ipv6.c | 32 +++++++++++++++-----------------
+ 1 file changed, 15 insertions(+), 17 deletions(-)
+
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index f61b0396ef6b1..3e83c7b5c14a7 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1431,17 +1431,17 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
+ ireq = inet_rsk(req);
+
+ if (sk_acceptq_is_full(sk))
+- goto out_overflow;
++ goto exit_overflow;
+
+ if (!dst) {
+ dst = inet6_csk_route_req(sk, &fl6, req, IPPROTO_TCP);
+ if (!dst)
+- goto out;
++ goto exit;
+ }
+
+ newsk = tcp_create_openreq_child(sk, req, skb);
+ if (!newsk)
+- goto out_nonewsk;
++ goto exit_nonewsk;
+
+ /*
+ * No need to charge this sock to the relevant IPv6 refcnt debug socks
+@@ -1525,25 +1525,19 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
+ const union tcp_md5_addr *addr;
+
+ addr = (union tcp_md5_addr *)&newsk->sk_v6_daddr;
+- if (tcp_md5_key_copy(newsk, addr, AF_INET6, 128, l3index, key)) {
+- inet_csk_prepare_forced_close(newsk);
+- tcp_done(newsk);
+- goto out;
+- }
++ if (tcp_md5_key_copy(newsk, addr, AF_INET6, 128, l3index, key))
++ goto put_and_exit;
+ }
+ }
+ #endif
+ #ifdef CONFIG_TCP_AO
+ /* Copy over tcp_ao_info if any */
+ if (tcp_ao_copy_all_matching(sk, newsk, req, skb, AF_INET6))
+- goto out; /* OOM */
++ goto put_and_exit; /* OOM */
+ #endif
+
+- if (__inet_inherit_port(sk, newsk) < 0) {
+- inet_csk_prepare_forced_close(newsk);
+- tcp_done(newsk);
+- goto out;
+- }
++ if (__inet_inherit_port(sk, newsk) < 0)
++ goto put_and_exit;
+ *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash),
+ &found_dup_sk);
+ if (*own_req) {
+@@ -1570,13 +1564,17 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
+
+ return newsk;
+
+-out_overflow:
++exit_overflow:
+ __NET_INC_STATS(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS);
+-out_nonewsk:
++exit_nonewsk:
+ dst_release(dst);
+-out:
++exit:
+ tcp_listendrop(sk);
+ return NULL;
++put_and_exit:
++ inet_csk_prepare_forced_close(newsk);
++ tcp_done(newsk);
++ goto exit;
+ }
+
+ INDIRECT_CALLABLE_DECLARE(struct dst_entry *ipv4_dst_check(struct dst_entry *,
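Review bot: The new `put_and_exit` label jumps back to `exit`, so every path that uses it skips `dst_release(dst)`. That is only correct if the child socket already holds the route reference by the time tcp_md5_key_copy(), tcp_ao_copy_all_matching() or __inet_inherit_port() can fail, and the lines that would hand `dst` to `newsk` are outside these hunks. A short comment on the label would make the invariant explicit, for example `/* newsk owns dst here: close the child, then count the drop */`. It would also warn against adding a `goto put_and_exit` before the child socket exists, where `newsk` would be NULL.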
+--
+2.50.1
+
--- /dev/null
+From a8784fc1348050c072739b3589d766806fd5ece1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Sep 2025 14:30:18 -0700
+Subject: net: thunder_bgx: add a missing of_node_put
+
+From: Rosen Penev <rosenp@gmail.com>
+
+[ Upstream commit 9d28f94912589f04ab51fbccaef287d4f40e0d1f ]
+
+phy_np needs to get freed, just like the other child nodes.
+
+Fixes: 5fc7cf179449 ("net: thunderx: Cleanup PHY probing code.")
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250901213018.47392-1-rosenp@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/cavium/thunder/thunder_bgx.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+index 21495b5dce254..0f913db4814ea 100644
+--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+@@ -1493,13 +1493,17 @@ static int bgx_init_of_phy(struct bgx *bgx)
+ * this cortina phy, for which there is no driver
+ * support, ignore it.
+ */
+- if (phy_np &&
+- !of_device_is_compatible(phy_np, "cortina,cs4223-slice")) {
+- /* Wait until the phy drivers are available */
+- pd = of_phy_find_device(phy_np);
+- if (!pd)
+- goto defer;
+- bgx->lmac[lmac].phydev = pd;
++ if (phy_np) {
++ if (!of_device_is_compatible(phy_np, "cortina,cs4223-slice")) {
++ /* Wait until the phy drivers are available */
++ pd = of_phy_find_device(phy_np);
++ if (!pd) {
++ of_node_put(phy_np);
++ goto defer;
++ }
++ bgx->lmac[lmac].phydev = pd;
++ }
++ of_node_put(phy_np);
+ }
+
+ lmac++;
+--
+2.50.1
+
--- /dev/null
+From f0a2e5542c8180353ac6cd23d8bc3ee1244419a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Sep 2025 14:33:14 -0700
+Subject: net: thunder_bgx: decrement cleanup index before use
+
+From: Rosen Penev <rosenp@gmail.com>
+
+[ Upstream commit 9e3d71a92e561ccc77025689dab25d201fee7a3e ]
+
+All paths in probe that call goto defer do so before assigning phydev
+and thus it makes sense to cleanup the prior index. It also fixes a bug
+where index 0 does not get cleaned up.
+
+Fixes: b7d3e3d3d21a ("net: thunderx: Don't leak phy device references on -EPROBE_DEFER condition.")
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250901213314.48599-1-rosenp@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+index 0f913db4814ea..9efb60842ad1f 100644
+--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+@@ -1519,11 +1519,11 @@ static int bgx_init_of_phy(struct bgx *bgx)
+ * for phy devices we may have already found.
+ */
+ while (lmac) {
++ lmac--;
+ if (bgx->lmac[lmac].phydev) {
+ put_device(&bgx->lmac[lmac].phydev->mdio.dev);
+ bgx->lmac[lmac].phydev = NULL;
+ }
+- lmac--;
+ }
+ of_node_put(node);
+ return -EPROBE_DEFER;
+--
+2.50.1
+
--- /dev/null
+From c4404f0b03906d917ec22f125b30dce40b80e70d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Sep 2025 08:22:13 +0530
+Subject: net: xilinx: axienet: Add error handling for RX metadata pointer
+ retrieval
+
+From: Abin Joseph <abin.joseph@amd.com>
+
+[ Upstream commit 8bbceba7dc5090c00105e006ce28d1292cfda8dd ]
+
+Add proper error checking for dmaengine_desc_get_metadata_ptr() which
+can return an error pointer and lead to potential crashes or undefined
+behaviour if the pointer retrieval fails.
+
+Properly handle the error by unmapping DMA buffer, freeing the skb and
+returning early to prevent further processing with invalid data.
+
+Fixes: 6a91b846af85 ("net: axienet: Introduce dmaengine support")
+Signed-off-by: Abin Joseph <abin.joseph@amd.com>
+Reviewed-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
+Link: https://patch.msgid.link/20250903025213.3120181-1-abin.joseph@amd.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+index 0d8a05fe541af..ec6d47dc984aa 100644
+--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+@@ -1168,6 +1168,15 @@ static void axienet_dma_rx_cb(void *data, const struct dmaengine_result *result)
+ &meta_max_len);
+ dma_unmap_single(lp->dev, skbuf_dma->dma_address, lp->max_frm_size,
+ DMA_FROM_DEVICE);
++
++ if (IS_ERR(app_metadata)) {
++ if (net_ratelimit())
++ netdev_err(lp->ndev, "Failed to get RX metadata pointer\n");
++ dev_kfree_skb_any(skb);
++ lp->ndev->stats.rx_dropped++;
++ goto rx_submit;
++ }
++
+ /* TODO: Derive app word index programmatically */
+ rx_len = (app_metadata[LEN_APP] & 0xFFFF);
+ skb_put(skb, rx_len);
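Review bot: The added `IS_ERR(app_metadata)` check validates the pointer, but the length read through it two lines later is still trusted: `rx_len` is masked to 16 bits and handed to `skb_put()` without being compared with the receive buffer size. If the skb was allocated with `lp->max_frm_size` bytes (the allocation is outside the hunk), a descriptor reporting a larger length would run past the skb's tailroom. A bound such as `if (unlikely(rx_len > skb_tailroom(skb)))` that takes the same free-and-`goto rx_submit` drop path would close that gap. Separately, the error message could include the cause: `netdev_err(lp->ndev, "Failed to get RX metadata pointer: %ld\n", PTR_ERR(app_metadata));`. axienet_dma_rx_cb() starts and ends outside the hunk.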
+@@ -1180,6 +1189,7 @@ static void axienet_dma_rx_cb(void *data, const struct dmaengine_result *result)
+ u64_stats_add(&lp->rx_bytes, rx_len);
+ u64_stats_update_end(&lp->rx_stat_sync);
+
++rx_submit:
+ for (i = 0; i < CIRC_SPACE(lp->rx_ring_head, lp->rx_ring_tail,
+ RX_BUF_NUM_DEFAULT); i++)
+ axienet_rx_submit_desc(lp->ndev);
+--
+2.50.1
+
--- /dev/null
+From 01078420ce6e0e9aaf11d55686a33bd93eea23f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 16:23:52 +0000
+Subject: net_sched: gen_estimator: fix est_timer() vs CONFIG_PREEMPT_RT=y
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 9f74c0ea9b26d1505d55b61e36b1623dd347e1d1 ]
+
+syzbot reported a WARNING in est_timer() [1]
+
+Problem here is that with CONFIG_PREEMPT_RT=y, timer callbacks
+can be preempted.
+
+Adopt preempt_disable_nested()/preempt_enable_nested() to fix this.
+
+[1]
+ WARNING: CPU: 0 PID: 16 at ./include/linux/seqlock.h:221 __seqprop_assert include/linux/seqlock.h:221 [inline]
+ WARNING: CPU: 0 PID: 16 at ./include/linux/seqlock.h:221 est_timer+0x6dc/0x9f0 net/core/gen_estimator.c:93
+Modules linked in:
+CPU: 0 UID: 0 PID: 16 Comm: ktimers/0 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
+ RIP: 0010:__seqprop_assert include/linux/seqlock.h:221 [inline]
+ RIP: 0010:est_timer+0x6dc/0x9f0 net/core/gen_estimator.c:93
+Call Trace:
+ <TASK>
+ call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747
+ expire_timers kernel/time/timer.c:1798 [inline]
+ __run_timers kernel/time/timer.c:2372 [inline]
+ __run_timer_base+0x648/0x970 kernel/time/timer.c:2384
+ run_timer_base kernel/time/timer.c:2393 [inline]
+ run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403
+ handle_softirqs+0x22c/0x710 kernel/softirq.c:579
+ __do_softirq kernel/softirq.c:613 [inline]
+ run_ktimerd+0xcf/0x190 kernel/softirq.c:1043
+ smpboot_thread_fn+0x53f/0xa60 kernel/smpboot.c:160
+ kthread+0x70e/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
+ </TASK>
+
+Fixes: d2d6422f8bd1 ("x86: Allow to enable PREEMPT_RT.")
+Reported-by: syzbot+72db9ee39db57c3fecc5@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/68adf6fa.a70a0220.3cafd4.0000.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Link: https://patch.msgid.link/20250827162352.3960779-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/gen_estimator.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/core/gen_estimator.c b/net/core/gen_estimator.c
+index 7d426a8e29f30..f112156db587b 100644
+--- a/net/core/gen_estimator.c
++++ b/net/core/gen_estimator.c
+@@ -90,10 +90,12 @@ static void est_timer(struct timer_list *t)
+ rate = (b_packets - est->last_packets) << (10 - est->intvl_log);
+ rate = (rate >> est->ewma_log) - (est->avpps >> est->ewma_log);
+
++ preempt_disable_nested();
+ write_seqcount_begin(&est->seq);
+ est->avbps += brate;
+ est->avpps += rate;
+ write_seqcount_end(&est->seq);
++ preempt_enable_nested();
+
+ est->last_bytes = b_bytes;
+ est->last_packets = b_packets;
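Review bot: The `preempt_disable_nested()` / `preempt_enable_nested()` pair around the seqcount write in est_timer() has no comment, and without the commit message it looks redundant inside a timer callback. A comment above it, for example `/* timer callbacks are preemptible on PREEMPT_RT; seqcount writers must not be */`, would keep a later cleanup from removing it. est_timer() starts and ends outside the hunk.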
+--
+2.50.1
+
--- /dev/null
+From e5c1216662d1adb09a81d49eca1a90b125da138e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 11:52:19 +0800
+Subject: netfilter: br_netfilter: do not check confirmed bit in
+ br_nf_local_in() after confirm
+
+From: Wang Liang <wangliang74@huawei.com>
+
+[ Upstream commit 479a54ab92087318514c82428a87af2d7af1a576 ]
+
+When send a broadcast packet to a tap device, which was added to a bridge,
+br_nf_local_in() is called to confirm the conntrack. If another conntrack
+with the same hash value is added to the hash table, which can be
+triggered by a normal packet to a non-bridge device, the below warning
+may happen.
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200
+ CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary)
+ RIP: 0010:br_nf_local_in+0x168/0x200
+ Call Trace:
+ <TASK>
+ nf_hook_slow+0x3e/0xf0
+ br_pass_frame_up+0x103/0x180
+ br_handle_frame_finish+0x2de/0x5b0
+ br_nf_hook_thresh+0xc0/0x120
+ br_nf_pre_routing_finish+0x168/0x3a0
+ br_nf_pre_routing+0x237/0x5e0
+ br_handle_frame+0x1ec/0x3c0
+ __netif_receive_skb_core+0x225/0x1210
+ __netif_receive_skb_one_core+0x37/0xa0
+ netif_receive_skb+0x36/0x160
+ tun_get_user+0xa54/0x10c0
+ tun_chr_write_iter+0x65/0xb0
+ vfs_write+0x305/0x410
+ ksys_write+0x60/0xd0
+ do_syscall_64+0xa4/0x260
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+ ---[ end trace 0000000000000000 ]---
+
+To solve the hash conflict, nf_ct_resolve_clash() try to merge the
+conntracks, and update skb->_nfct. However, br_nf_local_in() still use the
+old ct from local variable 'nfct' after confirm(), which leads to this
+warning.
+
+If confirm() does not insert the conntrack entry and return NF_DROP, the
+warning may also occur. There is no need to reserve the WARN_ON_ONCE, just
+remove it.
+
+Link: https://lore.kernel.org/netdev/20250820043329.2902014-1-wangliang74@huawei.com/
+Fixes: 62e7151ae3eb ("netfilter: bridge: confirm multicast packets before passing them up the stack")
+Suggested-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Wang Liang <wangliang74@huawei.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_netfilter_hooks.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
+index 94cbe967d1c16..083e2fe96441d 100644
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -626,9 +626,6 @@ static unsigned int br_nf_local_in(void *priv,
+ break;
+ }
+
+- ct = container_of(nfct, struct nf_conn, ct_general);
+- WARN_ON_ONCE(!nf_ct_is_confirmed(ct));
+-
+ return ret;
+ }
+ #endif
+--
+2.50.1
+
--- /dev/null
+From d5d35dc9ac72f55cd420ae829a3f9bc5760ac1b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 13:22:20 +0200
+Subject: netfilter: conntrack: helper: Replace -EEXIST by -EBUSY
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit 54416fd76770bd04fc3c501810e8d673550bab26 ]
+
+The helper registration return value is passed-through by module_init
+callbacks which modprobe confuses with the harmless -EEXIST returned
+when trying to load an already loaded module.
+
+Make sure modprobe fails so users notice their helper has not been
+registered and won't work.
+
+Suggested-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_helper.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
+index 4ed5878cb25b1..ceb48c3ca0a43 100644
+--- a/net/netfilter/nf_conntrack_helper.c
++++ b/net/netfilter/nf_conntrack_helper.c
+@@ -368,7 +368,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
+ (cur->tuple.src.l3num == NFPROTO_UNSPEC ||
+ cur->tuple.src.l3num == me->tuple.src.l3num) &&
+ cur->tuple.dst.protonum == me->tuple.dst.protonum) {
+- ret = -EEXIST;
++ ret = -EBUSY;
+ goto out;
+ }
+ }
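Review bot: Nothing at the two `ret = -EBUSY;` sites (this hunk and the one at -379) says why the more natural -EEXIST is avoided, so the value is likely to be "corrected" back later. A comment at the first site, for example `/* not -EEXIST: modprobe treats that as "module already loaded" */`, would record the reason given in the commit message. Any caller that compares the return value against -EEXIST would also need updating; none is visible in these hunks. nf_conntrack_helper_register() starts and ends outside both hunks.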
+@@ -379,7 +379,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
+ hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) {
+ if (nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple,
+ &mask)) {
+- ret = -EEXIST;
++ ret = -EBUSY;
+ goto out;
+ }
+ }
+--
+2.50.1
+
--- /dev/null
+From f320b159b348e9eff634d70557b4caad36155010 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Aug 2025 15:49:59 +0200
+Subject: netfilter: nf_tables: Introduce NFTA_DEVICE_PREFIX
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit 4039ce7ef40474d5ba46f414c50cc7020b9cf8ae ]
+
+This new attribute is supposed to be used instead of NFTA_DEVICE_NAME
+for simple wildcard interface specs. It holds a NUL-terminated string
+representing an interface name prefix to match on.
+
+While kernel code to distinguish full names from prefixes in
+NFTA_DEVICE_NAME is simpler than this solution, reusing the existing
+attribute with different semantics leads to confusion between different
+versions of kernel and user space though:
+
+* With old kernels, wildcards submitted by user space are accepted yet
+ silently treated as regular names.
+* With old user space, wildcards submitted by kernel may cause crashes
+ since libnftnl expects NUL-termination when there is none.
+
+Using a distinct attribute type sanitizes these situations as the
+receiving part detects and rejects the unexpected attribute nested in
+*_HOOK_DEVS attributes.
+
+Fixes: 6d07a289504a ("netfilter: nf_tables: Support wildcard netdev hook specs")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/netfilter/nf_tables.h | 2 ++
+ net/netfilter/nf_tables_api.c | 42 +++++++++++++++++-------
+ 2 files changed, 33 insertions(+), 11 deletions(-)
+
+diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
+index 2beb30be2c5f8..8e0eb832bc01e 100644
+--- a/include/uapi/linux/netfilter/nf_tables.h
++++ b/include/uapi/linux/netfilter/nf_tables.h
+@@ -1784,10 +1784,12 @@ enum nft_synproxy_attributes {
+ * enum nft_device_attributes - nf_tables device netlink attributes
+ *
+ * @NFTA_DEVICE_NAME: name of this device (NLA_STRING)
++ * @NFTA_DEVICE_PREFIX: device name prefix, a simple wildcard (NLA_STRING)
+ */
+ enum nft_devices_attributes {
+ NFTA_DEVICE_UNSPEC,
+ NFTA_DEVICE_NAME,
++ NFTA_DEVICE_PREFIX,
+ __NFTA_DEVICE_MAX
+ };
+ #define NFTA_DEVICE_MAX (__NFTA_DEVICE_MAX - 1)
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 46ca725d65381..0e86434ca13b0 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1953,6 +1953,18 @@ static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
+ return -ENOSPC;
+ }
+
++static bool hook_is_prefix(struct nft_hook *hook)
++{
++ return strlen(hook->ifname) >= hook->ifnamelen;
++}
++
++static int nft_nla_put_hook_dev(struct sk_buff *skb, struct nft_hook *hook)
++{
++ int attr = hook_is_prefix(hook) ? NFTA_DEVICE_PREFIX : NFTA_DEVICE_NAME;
++
++ return nla_put_string(skb, attr, hook->ifname);
++}
++
+ static int nft_dump_basechain_hook(struct sk_buff *skb,
+ const struct net *net, int family,
+ const struct nft_base_chain *basechain,
+@@ -1984,16 +1996,15 @@ static int nft_dump_basechain_hook(struct sk_buff *skb,
+ if (!first)
+ first = hook;
+
+- if (nla_put(skb, NFTA_DEVICE_NAME,
+- hook->ifnamelen, hook->ifname))
++ if (nft_nla_put_hook_dev(skb, hook))
+ goto nla_put_failure;
+ n++;
+ }
+ nla_nest_end(skb, nest_devs);
+
+ if (n == 1 &&
+- nla_put(skb, NFTA_HOOK_DEV,
+- first->ifnamelen, first->ifname))
++ !hook_is_prefix(first) &&
++ nla_put_string(skb, NFTA_HOOK_DEV, first->ifname))
+ goto nla_put_failure;
+ }
+ nla_nest_end(skb, nest);
+@@ -2297,7 +2308,8 @@ void nf_tables_chain_destroy(struct nft_chain *chain)
+ }
+
+ static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
+- const struct nlattr *attr)
++ const struct nlattr *attr,
++ bool prefix)
+ {
+ struct nf_hook_ops *ops;
+ struct net_device *dev;
+@@ -2314,7 +2326,8 @@ static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
+ if (err < 0)
+ goto err_hook_free;
+
+- hook->ifnamelen = nla_len(attr);
++ /* include the terminating NUL-char when comparing non-prefixes */
++ hook->ifnamelen = strlen(hook->ifname) + !prefix;
+
+ /* nf_tables_netdev_event() is called under rtnl_mutex, this is
+ * indirectly serializing all the other holders of the commit_mutex with
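Review bot: `hook->ifnamelen = strlen(hook->ifname) + !prefix;` yields a length of 0 for an empty NFTA_DEVICE_PREFIX string, and nothing in the visible hunks rejects that input. If device matching is a length-bounded compare against `ifnamelen` (the matching code is outside the hunks), such a hook would match every interface name. If that is not intended, reject it here with `if (prefix && !hook->ifname[0]) { err = -EINVAL; goto err_hook_free; }`. Also, `ifnamelen` now doubles as the name/prefix flag that hook_is_prefix() in the first hunk decodes. A comment on that helper such as `/* full names store strlen + 1, prefixes store strlen */` would document the encoding, and its parameter could be `const struct nft_hook *`.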
+@@ -2361,14 +2374,22 @@ static int nf_tables_parse_netdev_hooks(struct net *net,
+ struct nft_hook *hook, *next;
+ const struct nlattr *tmp;
+ int rem, n = 0, err;
++ bool prefix;
+
+ nla_for_each_nested(tmp, attr, rem) {
+- if (nla_type(tmp) != NFTA_DEVICE_NAME) {
++ switch (nla_type(tmp)) {
++ case NFTA_DEVICE_NAME:
++ prefix = false;
++ break;
++ case NFTA_DEVICE_PREFIX:
++ prefix = true;
++ break;
++ default:
+ err = -EINVAL;
+ goto err_hook;
+ }
+
+- hook = nft_netdev_hook_alloc(net, tmp);
++ hook = nft_netdev_hook_alloc(net, tmp, prefix);
+ if (IS_ERR(hook)) {
+ NL_SET_BAD_ATTR(extack, tmp);
+ err = PTR_ERR(hook);
+@@ -2414,7 +2435,7 @@ static int nft_chain_parse_netdev(struct net *net, struct nlattr *tb[],
+ int err;
+
+ if (tb[NFTA_HOOK_DEV]) {
+- hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
++ hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV], false);
+ if (IS_ERR(hook)) {
+ NL_SET_BAD_ATTR(extack, tb[NFTA_HOOK_DEV]);
+ return PTR_ERR(hook);
+@@ -9424,8 +9445,7 @@ static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
+
+ list_for_each_entry_rcu(hook, hook_list, list,
+ lockdep_commit_lock_is_held(net)) {
+- if (nla_put(skb, NFTA_DEVICE_NAME,
+- hook->ifnamelen, hook->ifname))
++ if (nft_nla_put_hook_dev(skb, hook))
+ goto nla_put_failure;
+ }
+ nla_nest_end(skb, nest_devs);
+--
+2.50.1
+
--- /dev/null
+From c5fd80d1dcbc1551b34c7190164b17aa09bb79d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Aug 2025 23:49:18 +0200
+Subject: netfilter: nft_flowtable.sh: re-run with random mtu sizes
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit d6a367ec6c96fc8e61b4d67e69df03565ec69fb7 ]
+
+Jakub says:
+ nft_flowtable.sh is one of the most flake-atious test for netdev CI currently :(
+
+The root cause is two-fold:
+1. the failing part of the test is supposed to make sure that ip
+ fragments are forwarded for offloaded flows.
+ (flowtable has to pass them to classic forward path).
+ path mtu discovery for these subtests is disabled.
+
+2. nft_flowtable.sh has two passes. One with fixed mtus/file size and
+ one where link mtus and file sizes are random.
+
+The CI failures all have same pattern:
+ re-run with random mtus and file size: -o 27663 -l 4117 -r 10089 -s 54384840
+ [..]
+ PASS: dscp_egress: dscp packet counters match
+ FAIL: file mismatch for ns1 -> ns2
+
+In some cases this error triggers a bit ealier, sometimes in a later
+subtest:
+ re-run with random mtus and file size: -o 20201 -l 4555 -r 12657 -s 9405856
+ [..]
+ PASS: dscp_egress: dscp packet counters match
+ PASS: dscp_fwd: dscp packet counters match
+ 2025/08/17 20:37:52 socat[18954] E write(7, 0x560716b96000, 8192): Broken pipe
+ FAIL: file mismatch for ns1 -> ns2
+ -rw------- 1 root root 9405856 Aug 17 20:36 /tmp/tmp.2n63vlTrQe
+
+But all logs I saw show same scenario:
+1. Failing tests have pmtu discovery off (i.e., ip fragmentation)
+2. The test file is much larger than first-pass default (2M Byte)
+3. peers have much larger MTUs compared to the 'network'.
+
+These errors are very reproducible when re-running the test with
+the same commandline arguments.
+
+The timeout became much more prominent with
+1d2fbaad7cd8 ("tcp: stronger sk_rcvbuf checks"): reassembled packets
+typically have a skb->truesize more than double the skb length.
+
+As that commit is intentional and pmtud-off with
+large-tcp-packets-as-fragments is not normal adjust the test to use a
+smaller file for the pmtu-off subtests.
+
+While at it, add more information to pass/fail messages and
+also run the dscp alteration subtest with pmtu discovery enabled.
+
+Link: https://netdev.bots.linux.dev/contest.html?test=nft-flowtable-sh
+Fixes: f84ab634904c ("selftests: netfilter: nft_flowtable.sh: re-run with random mtu sizes")
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Closes: https://lore.kernel.org/netdev/20250822071330.4168f0db@kernel.org/
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Link: https://patch.msgid.link/20250828214918.3385-1-fw@strlen.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/net/netfilter/nft_flowtable.sh | 113 ++++++++++++------
+ 1 file changed, 76 insertions(+), 37 deletions(-)
+
+diff --git a/tools/testing/selftests/net/netfilter/nft_flowtable.sh b/tools/testing/selftests/net/netfilter/nft_flowtable.sh
+index a4ee5496f2a17..45832df982950 100755
+--- a/tools/testing/selftests/net/netfilter/nft_flowtable.sh
++++ b/tools/testing/selftests/net/netfilter/nft_flowtable.sh
+@@ -20,6 +20,7 @@ ret=0
+ SOCAT_TIMEOUT=60
+
+ nsin=""
++nsin_small=""
+ ns1out=""
+ ns2out=""
+
+@@ -36,7 +37,7 @@ cleanup() {
+
+ cleanup_all_ns
+
+- rm -f "$nsin" "$ns1out" "$ns2out"
++ rm -f "$nsin" "$nsin_small" "$ns1out" "$ns2out"
+
+ [ "$log_netns" -eq 0 ] && sysctl -q net.netfilter.nf_log_all_netns="$log_netns"
+ }
+@@ -72,6 +73,7 @@ lmtu=1500
+ rmtu=2000
+
+ filesize=$((2 * 1024 * 1024))
++filesize_small=$((filesize / 16))
+
+ usage(){
+ echo "nft_flowtable.sh [OPTIONS]"
+@@ -89,7 +91,10 @@ do
+ o) omtu=$OPTARG;;
+ l) lmtu=$OPTARG;;
+ r) rmtu=$OPTARG;;
+- s) filesize=$OPTARG;;
++ s)
++ filesize=$OPTARG
++ filesize_small=$((OPTARG / 16))
++ ;;
+ *) usage;;
+ esac
+ done
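Review bot: The `s)` branch derives `filesize_small=$((OPTARG / 16))` without checking `-s`, so any value below 16 gives a small-file size of 0, and the pmtu-off subtests would then presumably compare files that carry no payload. Arithmetic expansion also evaluates the option text as an expression rather than a literal number, so reject non-numeric input before the assignment, e.g. `case "$OPTARG" in ''|*[!0-9]*) usage;; esac`, and clamp the result with `[ "$filesize_small" -gt 0 ] || filesize_small=1`.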
+@@ -215,6 +220,7 @@ if ! ip netns exec "$ns2" ping -c 1 -q 10.0.1.99 > /dev/null; then
+ fi
+
+ nsin=$(mktemp)
++nsin_small=$(mktemp)
+ ns1out=$(mktemp)
+ ns2out=$(mktemp)
+
+@@ -265,6 +271,7 @@ check_counters()
+ check_dscp()
+ {
+ local what=$1
++ local pmtud="$2"
+ local ok=1
+
+ local counter
+@@ -277,37 +284,39 @@ check_dscp()
+ local pc4z=${counter%*bytes*}
+ local pc4z=${pc4z#*packets}
+
++ local failmsg="FAIL: pmtu $pmtu: $what counters do not match, expected"
++
+ case "$what" in
+ "dscp_none")
+ if [ "$pc4" -gt 0 ] || [ "$pc4z" -eq 0 ]; then
+- echo "FAIL: dscp counters do not match, expected dscp3 == 0, dscp0 > 0, but got $pc4,$pc4z" 1>&2
++ echo "$failmsg dscp3 == 0, dscp0 > 0, but got $pc4,$pc4z" 1>&2
+ ret=1
+ ok=0
+ fi
+ ;;
+ "dscp_fwd")
+ if [ "$pc4" -eq 0 ] || [ "$pc4z" -eq 0 ]; then
+- echo "FAIL: dscp counters do not match, expected dscp3 and dscp0 > 0 but got $pc4,$pc4z" 1>&2
++ echo "$failmsg dscp3 and dscp0 > 0 but got $pc4,$pc4z" 1>&2
+ ret=1
+ ok=0
+ fi
+ ;;
+ "dscp_ingress")
+ if [ "$pc4" -eq 0 ] || [ "$pc4z" -gt 0 ]; then
+- echo "FAIL: dscp counters do not match, expected dscp3 > 0, dscp0 == 0 but got $pc4,$pc4z" 1>&2
++ echo "$failmsg dscp3 > 0, dscp0 == 0 but got $pc4,$pc4z" 1>&2
+ ret=1
+ ok=0
+ fi
+ ;;
+ "dscp_egress")
+ if [ "$pc4" -eq 0 ] || [ "$pc4z" -gt 0 ]; then
+- echo "FAIL: dscp counters do not match, expected dscp3 > 0, dscp0 == 0 but got $pc4,$pc4z" 1>&2
++ echo "$failmsg dscp3 > 0, dscp0 == 0 but got $pc4,$pc4z" 1>&2
+ ret=1
+ ok=0
+ fi
+ ;;
+ *)
+- echo "FAIL: Unknown DSCP check" 1>&2
++ echo "$failmsg: Unknown DSCP check" 1>&2
+ ret=1
+ ok=0
+ esac
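Review bot: `failmsg` interpolates `$pmtu`, but the parameter added to check_dscp in the previous hunk is stored as `pmtud`, so the message shows whatever `pmtu` the caller has in scope and is empty for the top-level call `check_dscp "dscp_none" "0"`. Use the local instead: `local failmsg="FAIL: pmtu $pmtud: $what counters do not match, expected"`. In the default branch the shared prefix reads oddly ("... expected: Unknown DSCP check"); a separate `echo "FAIL: pmtu $pmtud: unknown DSCP check '$what'" 1>&2` would be clearer. check_dscp starts and ends outside this hunk.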
+@@ -319,9 +328,9 @@ check_dscp()
+
+ check_transfer()
+ {
+- in=$1
+- out=$2
+- what=$3
++ local in=$1
++ local out=$2
++ local what=$3
+
+ if ! cmp "$in" "$out" > /dev/null 2>&1; then
+ echo "FAIL: file mismatch for $what" 1>&2
+@@ -342,25 +351,39 @@ test_tcp_forwarding_ip()
+ {
+ local nsa=$1
+ local nsb=$2
+- local dstip=$3
+- local dstport=$4
++ local pmtu=$3
++ local dstip=$4
++ local dstport=$5
+ local lret=0
++ local socatc
++ local socatl
++ local infile="$nsin"
++
++ if [ $pmtu -eq 0 ]; then
++ infile="$nsin_small"
++ fi
+
+- timeout "$SOCAT_TIMEOUT" ip netns exec "$nsb" socat -4 TCP-LISTEN:12345,reuseaddr STDIO < "$nsin" > "$ns2out" &
++ timeout "$SOCAT_TIMEOUT" ip netns exec "$nsb" socat -4 TCP-LISTEN:12345,reuseaddr STDIO < "$infile" > "$ns2out" &
+ lpid=$!
+
+ busywait 1000 listener_ready
+
+- timeout "$SOCAT_TIMEOUT" ip netns exec "$nsa" socat -4 TCP:"$dstip":"$dstport" STDIO < "$nsin" > "$ns1out"
++ timeout "$SOCAT_TIMEOUT" ip netns exec "$nsa" socat -4 TCP:"$dstip":"$dstport" STDIO < "$infile" > "$ns1out"
++ socatc=$?
+
+ wait $lpid
++ socatl=$?
+
+- if ! check_transfer "$nsin" "$ns2out" "ns1 -> ns2"; then
++ if [ $socatl -ne 0 ] || [ $socatc -ne 0 ];then
++ rc=1
++ fi
++
++ if ! check_transfer "$infile" "$ns2out" "ns1 -> ns2"; then
+ lret=1
+ ret=1
+ fi
+
+- if ! check_transfer "$nsin" "$ns1out" "ns1 <- ns2"; then
++ if ! check_transfer "$infile" "$ns1out" "ns1 <- ns2"; then
+ lret=1
+ ret=1
+ fi
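Review bot: The socat exit codes collected in `socatc` and `socatl` only set `rc=1`, a name that is not declared `local` here and is not read in any visible hunk, so a socat error or timeout does not by itself fail the subtest. If the intent is to fail on it, set the status this function already uses: `lret=1` and `ret=1` inside that `if`. The new `[ $pmtu -eq 0 ]` should quote its operand, `[ "$pmtu" -eq 0 ]`, as the other numeric tests in the script do. The function continues past the end of the hunk.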
+@@ -370,14 +393,16 @@ test_tcp_forwarding_ip()
+
+ test_tcp_forwarding()
+ {
+- test_tcp_forwarding_ip "$1" "$2" 10.0.2.99 12345
++ local pmtu="$3"
++
++ test_tcp_forwarding_ip "$1" "$2" "$pmtu" 10.0.2.99 12345
+
+ return $?
+ }
+
+ test_tcp_forwarding_set_dscp()
+ {
+- check_dscp "dscp_none"
++ local pmtu="$3"
+
+ ip netns exec "$nsr1" nft -f - <<EOF
+ table netdev dscpmangle {
+@@ -388,8 +413,8 @@ table netdev dscpmangle {
+ }
+ EOF
+ if [ $? -eq 0 ]; then
+- test_tcp_forwarding_ip "$1" "$2" 10.0.2.99 12345
+- check_dscp "dscp_ingress"
++ test_tcp_forwarding_ip "$1" "$2" "$3" 10.0.2.99 12345
++ check_dscp "dscp_ingress" "$pmtu"
+
+ ip netns exec "$nsr1" nft delete table netdev dscpmangle
+ else
+@@ -405,10 +430,10 @@ table netdev dscpmangle {
+ }
+ EOF
+ if [ $? -eq 0 ]; then
+- test_tcp_forwarding_ip "$1" "$2" 10.0.2.99 12345
+- check_dscp "dscp_egress"
++ test_tcp_forwarding_ip "$1" "$2" "$pmtu" 10.0.2.99 12345
++ check_dscp "dscp_egress" "$pmtu"
+
+- ip netns exec "$nsr1" nft flush table netdev dscpmangle
++ ip netns exec "$nsr1" nft delete table netdev dscpmangle
+ else
+ echo "SKIP: Could not load netdev:egress for veth1"
+ fi
+@@ -416,48 +441,53 @@ fi
+ # partial. If flowtable really works, then both dscp-is-0 and dscp-is-cs3
+ # counters should have seen packets (before and after ft offload kicks in).
+ ip netns exec "$nsr1" nft -a insert rule inet filter forward ip dscp set cs3
+- test_tcp_forwarding_ip "$1" "$2" 10.0.2.99 12345
+- check_dscp "dscp_fwd"
++ test_tcp_forwarding_ip "$1" "$2" "$pmtu" 10.0.2.99 12345
++ check_dscp "dscp_fwd" "$pmtu"
+ }
+
+ test_tcp_forwarding_nat()
+ {
++ local nsa="$1"
++ local nsb="$2"
++ local pmtu="$3"
++ local what="$4"
+ local lret
+- local pmtu
+
+- test_tcp_forwarding_ip "$1" "$2" 10.0.2.99 12345
+- lret=$?
++ [ "$pmtu" -eq 0 ] && what="$what (pmtu disabled)"
+
+- pmtu=$3
+- what=$4
++ test_tcp_forwarding_ip "$nsa" "$nsb" "$pmtu" 10.0.2.99 12345
++ lret=$?
+
+ if [ "$lret" -eq 0 ] ; then
+ if [ "$pmtu" -eq 1 ] ;then
+- check_counters "flow offload for ns1/ns2 with masquerade and pmtu discovery $what"
++ check_counters "flow offload for ns1/ns2 with masquerade $what"
+ else
+ echo "PASS: flow offload for ns1/ns2 with masquerade $what"
+ fi
+
+- test_tcp_forwarding_ip "$1" "$2" 10.6.6.6 1666
++ test_tcp_forwarding_ip "$1" "$2" "$pmtu" 10.6.6.6 1666
+ lret=$?
+ if [ "$pmtu" -eq 1 ] ;then
+- check_counters "flow offload for ns1/ns2 with dnat and pmtu discovery $what"
++ check_counters "flow offload for ns1/ns2 with dnat $what"
+ elif [ "$lret" -eq 0 ] ; then
+ echo "PASS: flow offload for ns1/ns2 with dnat $what"
+ fi
++ else
++ echo "FAIL: flow offload for ns1/ns2 with dnat $what"
+ fi
+
+ return $lret
+ }
+
+ make_file "$nsin" "$filesize"
++make_file "$nsin_small" "$filesize_small"
+
+ # First test:
+ # No PMTU discovery, nsr1 is expected to fragment packets from ns1 to ns2 as needed.
+ # Due to MTU mismatch in both directions, all packets (except small packets like pure
+ # acks) have to be handled by normal forwarding path. Therefore, packet counters
+ # are not checked.
+-if test_tcp_forwarding "$ns1" "$ns2"; then
++if test_tcp_forwarding "$ns1" "$ns2" 0; then
+ echo "PASS: flow offloaded for ns1/ns2"
+ else
+ echo "FAIL: flow offload for ns1/ns2:" 1>&2
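Review bot: The new `else` branch in test_tcp_forwarding_nat reports `FAIL: flow offload for ns1/ns2 with dnat $what`, but it is reached when the first transfer to 10.0.2.99 fails, which is the masquerade case; the dnat transfer to 10.6.6.6 has not run at that point. `echo "FAIL: flow offload for ns1/ns2 with masquerade $what" 1>&2` would name the right subtest and send the message to stderr like the other FAIL lines. The second call still passes `"$1" "$2"` although the `nsa`/`nsb` locals were added for them.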
+@@ -489,8 +519,9 @@ table ip nat {
+ }
+ EOF
+
++check_dscp "dscp_none" "0"
+ if ! test_tcp_forwarding_set_dscp "$ns1" "$ns2" 0 ""; then
+- echo "FAIL: flow offload for ns1/ns2 with dscp update" 1>&2
++ echo "FAIL: flow offload for ns1/ns2 with dscp update and no pmtu discovery" 1>&2
+ exit 0
+ fi
+
+@@ -512,6 +543,14 @@ ip netns exec "$ns2" sysctl net.ipv4.ip_no_pmtu_disc=0 > /dev/null
+ # are lower than file size and packets were forwarded via flowtable layer.
+ # For earlier tests (large mtus), packets cannot be handled via flowtable
+ # (except pure acks and other small packets).
++ip netns exec "$nsr1" nft reset counters table inet filter >/dev/null
++ip netns exec "$ns2" nft reset counters table inet filter >/dev/null
++
++if ! test_tcp_forwarding_set_dscp "$ns1" "$ns2" 1 ""; then
++ echo "FAIL: flow offload for ns1/ns2 with dscp update and pmtu discovery" 1>&2
++ exit 0
++fi
++
+ ip netns exec "$nsr1" nft reset counters table inet filter >/dev/null
+
+ if ! test_tcp_forwarding_nat "$ns1" "$ns2" 1 ""; then
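Review bot: The added pmtu-discovery dscp block prints `FAIL:` and then runs `exit 0`, so a harness that looks at the exit status records the run as passed. It copies the pattern of the earlier dscp check, but the script otherwise tracks failure in `ret` and ends with `exit $ret`. `exit 1` (or `ret=1` and carry on) would make the failure visible.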
+@@ -644,7 +683,7 @@ ip -net "$ns2" route del 192.168.10.1 via 10.0.2.1
+ ip -net "$ns2" route add default via 10.0.2.1
+ ip -net "$ns2" route add default via dead:2::1
+
+-if test_tcp_forwarding "$ns1" "$ns2"; then
++if test_tcp_forwarding "$ns1" "$ns2" 1; then
+ check_counters "ipsec tunnel mode for ns1/ns2"
+ else
+ echo "FAIL: ipsec tunnel mode for ns1/ns2"
+@@ -668,7 +707,7 @@ if [ "$1" = "" ]; then
+ fi
+
+ echo "re-run with random mtus and file size: -o $o -l $l -r $r -s $filesize"
+- $0 -o "$o" -l "$l" -r "$r" -s "$filesize"
++ $0 -o "$o" -l "$l" -r "$r" -s "$filesize" || ret=1
+ fi
+
+ exit $ret
+--
+2.50.1
+
--- /dev/null
+From 2daf76d2fbd7e6ad171a69c87dd51f576f199139 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Sep 2025 14:12:59 +0200
+Subject: phy: mscc: Stop taking ts_lock for tx_queue and use its own lock
+
+From: Horatiu Vultur <horatiu.vultur@microchip.com>
+
+[ Upstream commit 9b2bfdbf43adb9929c5ddcdd96efedbf1c88cf53 ]
+
+When transmitting a PTP frame which is timestamp using 2 step, the
+following warning appears if CONFIG_PROVE_LOCKING is enabled:
+=============================
+[ BUG: Invalid wait context ]
+6.17.0-rc1-00326-ge6160462704e #427 Not tainted
+-----------------------------
+ptp4l/119 is trying to lock:
+c2a44ed4 (&vsc8531->ts_lock){+.+.}-{3:3}, at: vsc85xx_txtstamp+0x50/0xac
+other info that might help us debug this:
+context-{4:4}
+4 locks held by ptp4l/119:
+ #0: c145f068 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x58/0x1440
+ #1: c29df974 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_queue_xmit+0x5c4/0x1440
+ #2: c2aaaad0 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0x108/0x350
+ #3: c2aac170 (&lan966x->tx_lock){+.-.}-{2:2}, at: lan966x_port_xmit+0xd0/0x350
+stack backtrace:
+CPU: 0 UID: 0 PID: 119 Comm: ptp4l Not tainted 6.17.0-rc1-00326-ge6160462704e #427 NONE
+Hardware name: Generic DT based system
+Call trace:
+ unwind_backtrace from show_stack+0x10/0x14
+ show_stack from dump_stack_lvl+0x7c/0xac
+ dump_stack_lvl from __lock_acquire+0x8e8/0x29dc
+ __lock_acquire from lock_acquire+0x108/0x38c
+ lock_acquire from __mutex_lock+0xb0/0xe78
+ __mutex_lock from mutex_lock_nested+0x1c/0x24
+ mutex_lock_nested from vsc85xx_txtstamp+0x50/0xac
+ vsc85xx_txtstamp from lan966x_fdma_xmit+0xd8/0x3a8
+ lan966x_fdma_xmit from lan966x_port_xmit+0x1bc/0x350
+ lan966x_port_xmit from dev_hard_start_xmit+0xc8/0x2c0
+ dev_hard_start_xmit from sch_direct_xmit+0x8c/0x350
+ sch_direct_xmit from __dev_queue_xmit+0x680/0x1440
+ __dev_queue_xmit from packet_sendmsg+0xfa4/0x1568
+ packet_sendmsg from __sys_sendto+0x110/0x19c
+ __sys_sendto from sys_send+0x18/0x20
+ sys_send from ret_fast_syscall+0x0/0x1c
+Exception stack(0xf0b05fa8 to 0xf0b05ff0)
+5fa0: 00000001 0000000e 0000000e 0004b47a 0000003a 00000000
+5fc0: 00000001 0000000e 00000000 00000121 0004af58 00044874 00000000 00000000
+5fe0: 00000001 bee9d420 00025a10 b6e75c7c
+
+So, instead of using the ts_lock for tx_queue, use the spinlock that
+skb_buff_head has.
+
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Fixes: 7d272e63e0979d ("net: phy: mscc: timestamping and PHC support")
+Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
+Link: https://patch.msgid.link/20250902121259.3257536-1-horatiu.vultur@microchip.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/mscc/mscc_ptp.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c
+index 72847320cb652..d692df7d975c7 100644
+--- a/drivers/net/phy/mscc/mscc_ptp.c
++++ b/drivers/net/phy/mscc/mscc_ptp.c
+@@ -456,12 +456,12 @@ static void vsc85xx_dequeue_skb(struct vsc85xx_ptp *ptp)
+ *p++ = (reg >> 24) & 0xff;
+ }
+
+- len = skb_queue_len(&ptp->tx_queue);
++ len = skb_queue_len_lockless(&ptp->tx_queue);
+ if (len < 1)
+ return;
+
+ while (len--) {
+- skb = __skb_dequeue(&ptp->tx_queue);
++ skb = skb_dequeue(&ptp->tx_queue);
+ if (!skb)
+ return;
+
+@@ -486,7 +486,7 @@ static void vsc85xx_dequeue_skb(struct vsc85xx_ptp *ptp)
+ * packet in the FIFO right now, reschedule it for later
+ * packets.
+ */
+- __skb_queue_tail(&ptp->tx_queue, skb);
++ skb_queue_tail(&ptp->tx_queue, skb);
+ }
+ }
+
+@@ -1068,6 +1068,7 @@ static int vsc85xx_hwtstamp(struct mii_timestamper *mii_ts,
+ case HWTSTAMP_TX_ON:
+ break;
+ case HWTSTAMP_TX_OFF:
++ skb_queue_purge(&vsc8531->ptp->tx_queue);
+ break;
+ default:
+ return -ERANGE;
+@@ -1092,9 +1093,6 @@ static int vsc85xx_hwtstamp(struct mii_timestamper *mii_ts,
+
+ mutex_lock(&vsc8531->ts_lock);
+
+- __skb_queue_purge(&vsc8531->ptp->tx_queue);
+- __skb_queue_head_init(&vsc8531->ptp->tx_queue);
+-
+ /* Disable predictor while configuring the 1588 block */
+ val = vsc85xx_ts_read_csr(phydev, PROCESSOR,
+ MSCC_PHY_PTP_INGR_PREDICTOR);
+@@ -1180,9 +1178,7 @@ static void vsc85xx_txtstamp(struct mii_timestamper *mii_ts,
+
+ skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS;
+
+- mutex_lock(&vsc8531->ts_lock);
+- __skb_queue_tail(&vsc8531->ptp->tx_queue, skb);
+- mutex_unlock(&vsc8531->ts_lock);
++ skb_queue_tail(&vsc8531->ptp->tx_queue, skb);
+ return;
+
+ out:
+@@ -1548,6 +1544,7 @@ void vsc8584_ptp_deinit(struct phy_device *phydev)
+ if (vsc8531->ptp->ptp_clock) {
+ ptp_clock_unregister(vsc8531->ptp->ptp_clock);
+ skb_queue_purge(&vsc8531->rx_skbs_list);
++ skb_queue_purge(&vsc8531->ptp->tx_queue);
+ }
+ }
+
+@@ -1571,7 +1568,7 @@ irqreturn_t vsc8584_handle_ts_interrupt(struct phy_device *phydev)
+ if (rc & VSC85XX_1588_INT_FIFO_ADD) {
+ vsc85xx_get_tx_ts(priv->ptp);
+ } else if (rc & VSC85XX_1588_INT_FIFO_OVERFLOW) {
+- __skb_queue_purge(&priv->ptp->tx_queue);
++ skb_queue_purge(&priv->ptp->tx_queue);
+ vsc85xx_ts_reset_fifo(phydev);
+ }
+
+@@ -1591,6 +1588,7 @@ int vsc8584_ptp_probe(struct phy_device *phydev)
+ mutex_init(&vsc8531->phc_lock);
+ mutex_init(&vsc8531->ts_lock);
+ skb_queue_head_init(&vsc8531->rx_skbs_list);
++ skb_queue_head_init(&vsc8531->ptp->tx_queue);
+
+ /* Retrieve the shared load/save GPIO. Request it as non exclusive as
+ * the same GPIO can be requested by all the PHYs of the same package.
+--
+2.50.1
+
--- /dev/null
+From 66015393b88e42fae54b15cdc5c673212569556b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Sep 2025 18:07:26 +0800
+Subject: ppp: fix memory leak in pad_compress_skb
+
+From: Qingfang Deng <dqfext@gmail.com>
+
+[ Upstream commit 4844123fe0b853a4982c02666cb3fd863d701d50 ]
+
+If alloc_skb() fails in pad_compress_skb(), it returns NULL without
+releasing the old skb. The caller does:
+
+ skb = pad_compress_skb(ppp, skb);
+ if (!skb)
+ goto drop;
+
+drop:
+ kfree_skb(skb);
+
+When pad_compress_skb() returns NULL, the reference to the old skb is
+lost and kfree_skb(skb) ends up doing nothing, leading to a memory leak.
+
+Align pad_compress_skb() semantics with realloc(): only free the old
+skb if allocation and compression succeed. At the call site, use the
+new_skb variable so the original skb is not lost when pad_compress_skb()
+fails.
+
+Fixes: b3f9b92a6ec1 ("[PPP]: add PPP MPPE encryption module")
+Signed-off-by: Qingfang Deng <dqfext@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
+Link: https://patch.msgid.link/20250903100726.269839-1-dqfext@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ppp/ppp_generic.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
+index 5e7672d2022c9..bb5343c039259 100644
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -1752,7 +1752,6 @@ pad_compress_skb(struct ppp *ppp, struct sk_buff *skb)
+ */
+ if (net_ratelimit())
+ netdev_err(ppp->dev, "ppp: compressor dropped pkt\n");
+- kfree_skb(skb);
+ consume_skb(new_skb);
+ new_skb = NULL;
+ }
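Review bot: pad_compress_skb() now leaves the input skb untouched when it returns NULL, which is the opposite of what the removed `kfree_skb(skb)` did, and nothing visible in this hunk documents the new ownership rule. Add a line to the function's header comment, e.g. `/* On failure returns NULL and the caller still owns @skb. */`, so that a future caller neither leaks nor double-frees the buffer. The function starts outside the hunk, so an existing comment there may need the same update.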
+@@ -1854,9 +1853,10 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb)
+ "down - pkt dropped.\n");
+ goto drop;
+ }
+- skb = pad_compress_skb(ppp, skb);
+- if (!skb)
++ new_skb = pad_compress_skb(ppp, skb);
++ if (!new_skb)
+ goto drop;
++ skb = new_skb;
+ }
+
+ /*
+--
+2.50.1
+
--- /dev/null
+From 676b8b73b070554100542f40dde56f2215e7a300 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Aug 2025 16:29:49 +0800
+Subject: ptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdog
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+[ Upstream commit 8bf935cf789872350b04c1a6468b0a509f67afb2 ]
+
+The ptp_ocp_detach() only shuts down the watchdog timer if it is
+pending. However, if the timer handler is already running, the
+timer_delete_sync() is not called. This leads to race conditions
+where the devlink that contains the ptp_ocp is deallocated while
+the timer handler is still accessing it, resulting in use-after-free
+bugs. The following details one of the race scenarios.
+
+(thread 1) | (thread 2)
+ptp_ocp_remove() |
+ ptp_ocp_detach() | ptp_ocp_watchdog()
+ if (timer_pending(&bp->watchdog))| bp = timer_container_of()
+ timer_delete_sync() |
+ |
+ devlink_free(devlink) //free |
+ | bp-> //use
+
+Resolve this by unconditionally calling timer_delete_sync() to ensure
+the timer is reliably deactivated, preventing any access after free.
+
+Fixes: 773bda964921 ("ptp: ocp: Expose various resources on the timecard.")
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Link: https://patch.msgid.link/20250828082949.28189-1-duoming@zju.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ptp/ptp_ocp.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/ptp/ptp_ocp.c b/drivers/ptp/ptp_ocp.c
+index 1e7f72e575576..5388285475952 100644
+--- a/drivers/ptp/ptp_ocp.c
++++ b/drivers/ptp/ptp_ocp.c
+@@ -4557,8 +4557,7 @@ ptp_ocp_detach(struct ptp_ocp *bp)
+ ptp_ocp_debugfs_remove_device(bp);
+ ptp_ocp_detach_sysfs(bp);
+ ptp_ocp_attr_group_del(bp);
+- if (timer_pending(&bp->watchdog))
+- timer_delete_sync(&bp->watchdog);
++ timer_delete_sync(&bp->watchdog);
+ if (bp->ts0)
+ ptp_ocp_unregister_ext(bp->ts0);
+ if (bp->ts1)
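Review bot: `timer_delete_sync(&bp->watchdog)` waits for a running handler but leaves the timer usable, so a later `mod_timer()` on it before the structure is freed would arm it again. Since ptp_ocp_detach() is a teardown path, `timer_shutdown_sync(&bp->watchdog);` states the intent more strongly by also refusing any re-arming afterwards. The unconditional call additionally assumes the timer has been set up on every path that reaches ptp_ocp_detach(); that setup is outside this hunk and is worth confirming for probe error paths.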
+--
+2.50.1
+
--- /dev/null
+From 163b4e4dc7e5a0e5b8f583846426c7263143a682 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Sep 2025 22:28:51 +0000
+Subject: selftest: net: Fix weird setsockopt() in bind_bhash.c.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit fd2004d82d8d8faa94879e3de3096c8511728637 ]
+
+bind_bhash.c passes (SO_REUSEADDR | SO_REUSEPORT) to setsockopt().
+
+In the asm-generic definition, the value happens to match with the
+bare SO_REUSEPORT, (2 | 15) == 15, but not on some arch.
+
+arch/alpha/include/uapi/asm/socket.h:18:#define SO_REUSEADDR 0x0004
+arch/alpha/include/uapi/asm/socket.h:24:#define SO_REUSEPORT 0x0200
+arch/mips/include/uapi/asm/socket.h:24:#define SO_REUSEADDR 0x0004 /* Allow reuse of local addresses. */
+arch/mips/include/uapi/asm/socket.h:33:#define SO_REUSEPORT 0x0200 /* Allow local address and port reuse. */
+arch/parisc/include/uapi/asm/socket.h:12:#define SO_REUSEADDR 0x0004
+arch/parisc/include/uapi/asm/socket.h:18:#define SO_REUSEPORT 0x0200
+arch/sparc/include/uapi/asm/socket.h:13:#define SO_REUSEADDR 0x0004
+arch/sparc/include/uapi/asm/socket.h:20:#define SO_REUSEPORT 0x0200
+include/uapi/asm-generic/socket.h:12:#define SO_REUSEADDR 2
+include/uapi/asm-generic/socket.h:27:#define SO_REUSEPORT 15
+
+Let's pass SO_REUSEPORT only.
+
+Fixes: c35ecb95c448 ("selftests/net: Add test for timing a bind request to a port with a populated bhash entry")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250903222938.2601522-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/bind_bhash.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/net/bind_bhash.c b/tools/testing/selftests/net/bind_bhash.c
+index 57ff67a3751eb..da04b0b19b73c 100644
+--- a/tools/testing/selftests/net/bind_bhash.c
++++ b/tools/testing/selftests/net/bind_bhash.c
+@@ -75,7 +75,7 @@ static void *setup(void *arg)
+ int *array = (int *)arg;
+
+ for (i = 0; i < MAX_CONNECTIONS; i++) {
+- sock_fd = bind_socket(SO_REUSEADDR | SO_REUSEPORT, setup_addr);
++ sock_fd = bind_socket(SO_REUSEPORT, setup_addr);
+ if (sock_fd < 0) {
+ ret = sock_fd;
+ pthread_exit(&ret);
+@@ -103,7 +103,7 @@ int main(int argc, const char *argv[])
+
+ setup_addr = use_v6 ? setup_addr_v6 : setup_addr_v4;
+
+- listener_fd = bind_socket(SO_REUSEADDR | SO_REUSEPORT, setup_addr);
++ listener_fd = bind_socket(SO_REUSEPORT, setup_addr);
+ if (listen(listener_fd, 100) < 0) {
+ perror("listen failed");
+ return -1;
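Review bot: In main() the result of `bind_socket(SO_REUSEPORT, setup_addr)` goes straight into `listen()` without a check, unlike setup() in the previous hunk, which tests `sock_fd < 0`. A failed bind is then reported as "listen failed" on an invalid descriptor. Adding `if (listener_fd < 0) return -1;` before the `listen()` call keeps the error attributable to the right step. main() continues outside the hunk.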
+--
+2.50.1
+
--- /dev/null
+From b82529f412d33bd4a5e15dc1ea87e52ede9edae2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 Aug 2025 11:38:42 -0700
+Subject: selftests: drv-net: csum: fix interface name for remote host
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 49c2502b5946ebf454d7e16fd0189769a82b6117 ]
+
+Use cfg.remote_ifname for arguments of remote command.
+Without this UDP tests fail in NIPA where local interface
+is called enp1s0 and remote enp0s4.
+
+Fixes: 1d0dc857b5d8 ("selftests: drv-net: add checksum tests")
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Link: https://patch.msgid.link/20250830183842.688935-1-kuba@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/drivers/net/hw/csum.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/drivers/net/hw/csum.py b/tools/testing/selftests/drivers/net/hw/csum.py
+index cd23af8753170..3e3a89a34afe7 100755
+--- a/tools/testing/selftests/drivers/net/hw/csum.py
++++ b/tools/testing/selftests/drivers/net/hw/csum.py
+@@ -17,7 +17,7 @@ def test_receive(cfg, ipver="6", extra_args=None):
+ ip_args = f"-{ipver} -S {cfg.remote_addr_v[ipver]} -D {cfg.addr_v[ipver]}"
+
+ rx_cmd = f"{cfg.bin_local} -i {cfg.ifname} -n 100 {ip_args} -r 1 -R {extra_args}"
+- tx_cmd = f"{cfg.bin_remote} -i {cfg.ifname} -n 100 {ip_args} -r 1 -T {extra_args}"
++ tx_cmd = f"{cfg.bin_remote} -i {cfg.remote_ifname} -n 100 {ip_args} -r 1 -T {extra_args}"
+
+ with bkg(rx_cmd, exit_wait=True):
+ wait_port_listen(34000, proto="udp")
+@@ -37,7 +37,7 @@ def test_transmit(cfg, ipver="6", extra_args=None):
+ if extra_args != "-U -Z":
+ extra_args += " -r 1"
+
+- rx_cmd = f"{cfg.bin_remote} -i {cfg.ifname} -L 1 -n 100 {ip_args} -R {extra_args}"
++ rx_cmd = f"{cfg.bin_remote} -i {cfg.remote_ifname} -L 1 -n 100 {ip_args} -R {extra_args}"
+ tx_cmd = f"{cfg.bin_local} -i {cfg.ifname} -L 1 -n 100 {ip_args} -T {extra_args}"
+
+ with bkg(rx_cmd, host=cfg.remote, exit_wait=True):
+--
+2.50.1
+
--- /dev/null
+From 6c8fe9e52f73c32f4b022984c9f21fbd6e138d8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 19:17:32 +0200
+Subject: selftests: netfilter: fix udpclash tool hang
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 661a4f307fe0f80c1d544e09476ccba9037e8e65 ]
+
+Yi Chen reports that 'udpclash' loops forever depending on compiler
+(and optimization level used); while (x == 1) gets optimized into
+for (;;). Add volatile qualifier to avoid that.
+
+While at it, also run it under timeout(1) and fix the resize script
+to not ignore the timeout passed as second parameter to insert_flood.
+
+Reported-by: Yi Chen <yiche@redhat.com>
+Suggested-by: Yi Chen <yiche@redhat.com>
+Fixes: 78a588363587 ("selftests: netfilter: add conntrack clash resolution test case")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/netfilter/conntrack_clash.sh | 2 +-
+ tools/testing/selftests/net/netfilter/conntrack_resize.sh | 5 +++--
+ tools/testing/selftests/net/netfilter/udpclash.c | 2 +-
+ 3 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/tools/testing/selftests/net/netfilter/conntrack_clash.sh b/tools/testing/selftests/net/netfilter/conntrack_clash.sh
+index 606a43a60f736..7fc6c5dbd5516 100755
+--- a/tools/testing/selftests/net/netfilter/conntrack_clash.sh
++++ b/tools/testing/selftests/net/netfilter/conntrack_clash.sh
+@@ -99,7 +99,7 @@ run_one_clash_test()
+ local entries
+ local cre
+
+- if ! ip netns exec "$ns" ./udpclash $daddr $dport;then
++ if ! ip netns exec "$ns" timeout 30 ./udpclash $daddr $dport;then
+ echo "INFO: did not receive expected number of replies for $daddr:$dport"
+ ip netns exec "$ctns" conntrack -S
+ # don't fail: check if clash resolution triggered after all.
+diff --git a/tools/testing/selftests/net/netfilter/conntrack_resize.sh b/tools/testing/selftests/net/netfilter/conntrack_resize.sh
+index 788cd56ea4a0d..615fe3c6f405d 100755
+--- a/tools/testing/selftests/net/netfilter/conntrack_resize.sh
++++ b/tools/testing/selftests/net/netfilter/conntrack_resize.sh
+@@ -187,7 +187,7 @@ ct_udpclash()
+ [ -x udpclash ] || return
+
+ while [ $now -lt $end ]; do
+- ip netns exec "$ns" ./udpclash 127.0.0.1 $((RANDOM%65536)) > /dev/null 2>&1
++ ip netns exec "$ns" timeout 30 ./udpclash 127.0.0.1 $((RANDOM%65536)) > /dev/null 2>&1
+
+ now=$(date +%s)
+ done
+@@ -277,6 +277,7 @@ check_taint()
+ insert_flood()
+ {
+ local n="$1"
++ local timeout="$2"
+ local r=0
+
+ r=$((RANDOM%$insert_count))
+@@ -302,7 +303,7 @@ test_floodresize_all()
+ read tainted_then < /proc/sys/kernel/tainted
+
+ for n in "$nsclient1" "$nsclient2";do
+- insert_flood "$n" &
++ insert_flood "$n" "$timeout" &
+ done
+
+ # resize table constantly while flood/insert/dump/flushs
+diff --git a/tools/testing/selftests/net/netfilter/udpclash.c b/tools/testing/selftests/net/netfilter/udpclash.c
+index 85c7b906ad08f..79de163d61ab7 100644
+--- a/tools/testing/selftests/net/netfilter/udpclash.c
++++ b/tools/testing/selftests/net/netfilter/udpclash.c
+@@ -29,7 +29,7 @@ struct thread_args {
+ int sockfd;
+ };
+
+-static int wait = 1;
++static volatile int wait = 1;
+
+ static void *thread_main(void *varg)
+ {
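Review bot: `volatile` on `wait` stops the compiler from hoisting the load out of the polling loop, but it does not make the cross-thread access a synchronised one; a plain `volatile int` that one thread writes while others poll it is still a data race in C11 terms. `static atomic_int wait = 1;` with `#include <stdatomic.h>` expresses the intended flag and keeps the existing reads and writes valid as written. The code that reads and clears `wait` is outside this hunk, so the threads involved are assumed from the commit message.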
+--
+2.50.1
+
arm64-dts-rockchip-fix-the-headphone-detection-on-th.patch
arm64-dts-rockchip-add-supplies-for-emmc-on-rk3588-o.patch
arm-dts-microchip-sama7d65-force-sdmmc-legacy-mode.patch
+wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch
+wifi-brcmfmac-fix-use-after-free-when-rescheduling-b.patch
+wifi-mt76-mt7921-don-t-disconnect-when-csa-to-dfs-ch.patch
+wifi-mt76-mt7925-fix-locking-in-mt7925_change_vif_li.patch
+wifi-mt76-prevent-non-offchannel-mgmt-tx-during-scan.patch
+wifi-mt76-mt7996-disable-beacons-when-going-offchann.patch
+wifi-mt76-mt7996-use-the-correct-vif-link-for-scanni.patch
+wifi-mt76-mt7996-add-missing-check-for-rx-wcid-entri.patch
+wifi-mt76-mt7915-fix-list-corruption-after-hardware-.patch
+wifi-mt76-free-pending-offchannel-tx-frames-on-wcid-.patch
+wifi-mt76-fix-linked-list-corruption.patch
+netfilter-br_netfilter-do-not-check-confirmed-bit-in.patch
+netfilter-conntrack-helper-replace-eexist-by-ebusy.patch
+wifi-iwlwifi-if-scratch-is-0u-consider-it-a-failure.patch
+wifi-iwlwifi-acpi-check-dsm-func-validity.patch
+wifi-iwlwifi-uefi-check-dsm-item-validity.patch
+wifi-iwlwifi-cfg-restore-some-1000-series-configs.patch
+wifi-iwlwifi-cfg-add-back-more-lost-pci-ids.patch
+bluetooth-vhci-prevent-use-after-free-by-removing-de.patch
+bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch
+netfilter-nft_flowtable.sh-re-run-with-random-mtu-si.patch
+net_sched-gen_estimator-fix-est_timer-vs-config_pree.patch
+xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch
+ptp-ocp-fix-use-after-free-bugs-causing-by-ptp_ocp_w.patch
+misdn-fix-memory-leak-in-dsp_hwec_enable.patch
+selftests-drv-net-csum-fix-interface-name-for-remote.patch
+bnxt_en-fix-incorrect-page-count-in-rx-aggr-ring-log.patch
+icmp-fix-icmp_ndo_send-address-translation-for-reply.patch
+eth-mlx4-fix-is_err-vs-null-check-bug-in-mlx4_en_cre.patch
+net-macb-fix-tx_ptr_lock-locking.patch
+macsec-read-macsec_sa_attr_pn-with-nla_get_uint.patch
+net-smc-fix-one-null-pointer-dereference-in-smc_ib_i.patch
+net-mctp-mctp_fraq_queue-should-take-ownership-of-pa.patch
+net-mctp-usb-initialise-mac-header-in-rx-path.patch
+net-ethernet-ti-am65-cpsw-nuss-fix-null-pointer-dere.patch
+ice-fix-null-access-of-tx-in_use-in-ice_ptp_ts_irq.patch
+ice-fix-null-access-of-tx-in_use-in-ice_ll_ts_intr.patch
+idpf-set-mac-type-when-adding-and-removing-mac-filte.patch
+i40e-remove-read-access-to-debugfs-files.patch
+i40e-fix-potential-invalid-access-when-mac-list-is-e.patch
+ixgbe-fix-incorrect-map-used-in-eee-linkmode.patch
+wifi-ath12k-set-emlsr-support-flag-in-mlo-flags-for-.patch
+wifi-ath11k-fix-group-data-packet-drops-during-rekey.patch
+net-tcp-fix-socket-memory-leak-in-tcp-ao-failure-han.patch
+net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch
+vxlan-fix-npd-when-refreshing-an-fdb-entry-with-a-ne.patch
+vxlan-fix-npd-in-arp-neigh-_reduce-when-using-nextho.patch
+wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch
+wifi-libertas-cap-ssid-len-in-lbs_associate.patch
+wifi-cfg80211-sme-cap-ssid-length-in-__cfg80211_conn.patch
+tools-ynl-gen-fix-nested-array-counting.patch
+net-remove-sock_i_uid.patch
+net-lockless-sock_i_ino.patch
+net-thunder_bgx-add-a-missing-of_node_put.patch
+net-thunder_bgx-decrement-cleanup-index-before-use.patch
+ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch
+net-smc-remove-validation-of-reserved-bits-in-clc-de.patch
+mctp-return-enoprotoopt-for-unknown-getsockopt-optio.patch
+ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch
+selftests-netfilter-fix-udpclash-tool-hang.patch
+netfilter-nf_tables-introduce-nfta_device_prefix.patch
+net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch
+net-xilinx-axienet-add-error-handling-for-rx-metadat.patch
+ppp-fix-memory-leak-in-pad_compress_skb.patch
+selftest-net-fix-weird-setsockopt-in-bind_bhash.c.patch
+phy-mscc-stop-taking-ts_lock-for-tx_queue-and-use-it.patch
--- /dev/null
+From 1f44729cd35b178a0c8c55592f5ae63b8cdc1c1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Sep 2025 15:59:59 +0000
+Subject: tools: ynl-gen: fix nested array counting
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Asbjørn Sloth Tønnesen <ast@fiberby.net>
+
+[ Upstream commit b4ada0618eed0fbd1b1630f73deb048c592b06a1 ]
+
+The blamed commit introduced the concept of split attribute
+counting, and later allocating an array to hold them, however
+TypeArrayNest wasn't updated to use the new counting variable.
+
+Abbreviated example from tools/net/ynl/generated/nl80211-user.c:
+nl80211_if_combination_attributes_parse(...):
+ unsigned int n_limits = 0;
+ [...]
+ ynl_attr_for_each(attr, nlh, yarg->ys->family->hdr_len)
+ if (type == NL80211_IFACE_COMB_LIMITS)
+ ynl_attr_for_each_nested(attr2, attr)
+ dst->_count.limits++;
+ if (n_limits) {
+ dst->_count.limits = n_limits;
+ /* allocate and parse attributes */
+ }
+
+In the above example n_limits is guaranteed to always be 0,
+hence the conditional is unsatisfiable and is optimized out.
+
+This patch changes the attribute counting to use n_limits++ in the
+attribute counting loop in the above example.
+
+Fixes: 58da455b31ba ("tools: ynl-gen: improve unwind on parsing errors")
+Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.net>
+Link: https://patch.msgid.link/20250902160001.760953-1-ast@fiberby.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/net/ynl/pyynl/ynl_gen_c.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/net/ynl/pyynl/ynl_gen_c.py b/tools/net/ynl/pyynl/ynl_gen_c.py
+index 76032e01c2e75..0725a52b6ad7b 100755
+--- a/tools/net/ynl/pyynl/ynl_gen_c.py
++++ b/tools/net/ynl/pyynl/ynl_gen_c.py
+@@ -830,7 +830,7 @@ class TypeArrayNest(Type):
+ 'ynl_attr_for_each_nested(attr2, attr) {',
+ '\tif (ynl_attr_validate(yarg, attr2))',
+ '\t\treturn YNL_PARSE_CB_ERROR;',
+- f'\t{var}->_count.{self.c_name}++;',
++ f'\tn_{self.c_name}++;',
+ '}']
+ return get_lines, None, local_vars
+
+--
+2.50.1
+
--- /dev/null
+From 1209b6f2c5d046fd870b950373045fbdee34bc00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Sep 2025 09:50:34 +0300
+Subject: vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit 1f5d2fd1ca04a23c18b1bde9a43ce2fa2ffa1bce ]
+
+When the "proxy" option is enabled on a VXLAN device, the device will
+suppress ARP requests and IPv6 Neighbor Solicitation messages if it is
+able to reply on behalf of the remote host. That is, if a matching and
+valid neighbor entry is configured on the VXLAN device whose MAC address
+is not behind the "any" remote (0.0.0.0 / ::).
+
+The code currently assumes that the FDB entry for the neighbor's MAC
+address points to a valid remote destination, but this is incorrect if
+the entry is associated with an FDB nexthop group. This can result in a
+NPD [1][3] which can be reproduced using [2][4].
+
+Fix by checking that the remote destination exists before dereferencing
+it.
+
+[1]
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+[...]
+CPU: 4 UID: 0 PID: 365 Comm: arping Not tainted 6.17.0-rc2-virtme-g2a89cb21162c #2 PREEMPT(voluntary)
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014
+RIP: 0010:vxlan_xmit+0xb58/0x15f0
+[...]
+Call Trace:
+ <TASK>
+ dev_hard_start_xmit+0x5d/0x1c0
+ __dev_queue_xmit+0x246/0xfd0
+ packet_sendmsg+0x113a/0x1850
+ __sock_sendmsg+0x38/0x70
+ __sys_sendto+0x126/0x180
+ __x64_sys_sendto+0x24/0x30
+ do_syscall_64+0xa4/0x260
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+[2]
+ #!/bin/bash
+
+ ip address add 192.0.2.1/32 dev lo
+
+ ip nexthop add id 1 via 192.0.2.2 fdb
+ ip nexthop add id 10 group 1 fdb
+
+ ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 4789 proxy
+
+ ip neigh add 192.0.2.3 lladdr 00:11:22:33:44:55 nud perm dev vx0
+
+ bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10
+
+ arping -b -c 1 -s 192.0.2.1 -I vx0 192.0.2.3
+
+[3]
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+[...]
+CPU: 13 UID: 0 PID: 372 Comm: ndisc6 Not tainted 6.17.0-rc2-virtmne-g6ee90cb26014 #3 PREEMPT(voluntary)
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1v996), BIOS 1.17.0-4.fc41 04/01/2x014
+RIP: 0010:vxlan_xmit+0x803/0x1600
+[...]
+Call Trace:
+ <TASK>
+ dev_hard_start_xmit+0x5d/0x1c0
+ __dev_queue_xmit+0x246/0xfd0
+ ip6_finish_output2+0x210/0x6c0
+ ip6_finish_output+0x1af/0x2b0
+ ip6_mr_output+0x92/0x3e0
+ ip6_send_skb+0x30/0x90
+ rawv6_sendmsg+0xe6e/0x12e0
+ __sock_sendmsg+0x38/0x70
+ __sys_sendto+0x126/0x180
+ __x64_sys_sendto+0x24/0x30
+ do_syscall_64+0xa4/0x260
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+RIP: 0033:0x7f383422ec77
+
+[4]
+ #!/bin/bash
+
+ ip address add 2001:db8:1::1/128 dev lo
+
+ ip nexthop add id 1 via 2001:db8:1::1 fdb
+ ip nexthop add id 10 group 1 fdb
+
+ ip link add name vx0 up type vxlan id 10010 local 2001:db8:1::1 dstport 4789 proxy
+
+ ip neigh add 2001:db8:1::3 lladdr 00:11:22:33:44:55 nud perm dev vx0
+
+ bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10
+
+ ndisc6 -r 1 -s 2001:db8:1::1 -w 1 2001:db8:1::3 vx0
+
+Fixes: 1274e1cc4226 ("vxlan: ecmp support for mac fdb entries")
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://patch.msgid.link/20250901065035.159644-3-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vxlan/vxlan_core.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
+index cea9dd067b68a..45cec14d76f62 100644
+--- a/drivers/net/vxlan/vxlan_core.c
++++ b/drivers/net/vxlan/vxlan_core.c
+@@ -1880,6 +1880,7 @@ static int arp_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni)
+ n = neigh_lookup(&arp_tbl, &tip, dev);
+
+ if (n) {
++ struct vxlan_rdst *rdst = NULL;
+ struct vxlan_fdb *f;
+ struct sk_buff *reply;
+
+@@ -1890,7 +1891,9 @@ static int arp_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni)
+
+ rcu_read_lock();
+ f = vxlan_find_mac_tx(vxlan, n->ha, vni);
+- if (f && vxlan_addr_any(&(first_remote_rcu(f)->remote_ip))) {
++ if (f)
++ rdst = first_remote_rcu(f);
++ if (rdst && vxlan_addr_any(&rdst->remote_ip)) {
+ /* bridge-local neighbor */
+ neigh_release(n);
+ rcu_read_unlock();
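Review bot: The new `rdst` NULL test in arp_reduce() has no comment saying when first_remote_rcu() can return NULL, so a later reader sees only an unexplained defensive check. Per the commit message this is the case of an FDB entry associated with a nexthop group. I would add a comment above `if (f)` such as `/* rdst stays NULL for an FDB entry that points to a nexthop group */`, and the same for the identical change in neigh_reduce() further down. With `rdst == NULL` the neighbour is no longer treated as bridge-local and execution continues to the reply path, which lies outside the hunk; that looks intended but is worth confirming for the nexthop case.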
+@@ -2047,6 +2050,7 @@ static int neigh_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni)
+ n = neigh_lookup(ipv6_stub->nd_tbl, &msg->target, dev);
+
+ if (n) {
++ struct vxlan_rdst *rdst = NULL;
+ struct vxlan_fdb *f;
+ struct sk_buff *reply;
+
+@@ -2056,7 +2060,9 @@ static int neigh_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni)
+ }
+
+ f = vxlan_find_mac_tx(vxlan, n->ha, vni);
+- if (f && vxlan_addr_any(&(first_remote_rcu(f)->remote_ip))) {
++ if (f)
++ rdst = first_remote_rcu(f);
++ if (rdst && vxlan_addr_any(&rdst->remote_ip)) {
+ /* bridge-local neighbor */
+ neigh_release(n);
+ goto out;
+--
+2.50.1
+
--- /dev/null
+From 717b7b7ee3df1c0e9331d607a416e9a275699328 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Sep 2025 09:50:33 +0300
+Subject: vxlan: Fix NPD when refreshing an FDB entry with a nexthop object
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit 6ead38147ebb813f08be6ea8ef547a0e4c09559a ]
+
+VXLAN FDB entries can point to either a remote destination or an FDB
+nexthop group. The latter is usually used in EVPN deployments where
+learning is disabled.
+
+However, when learning is enabled, an incoming packet might try to
+refresh an FDB entry that points to an FDB nexthop group and therefore
+does not have a remote. Such packets should be dropped, but they are
+only dropped after dereferencing the non-existent remote, resulting in a
+NPD [1] which can be reproduced using [2].
+
+Fix by dropping such packets earlier. Remove the misleading comment from
+first_remote_rcu().
+
+[1]
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+[...]
+CPU: 13 UID: 0 PID: 361 Comm: mausezahn Not tainted 6.17.0-rc1-virtme-g9f6b606b6b37 #1 PREEMPT(voluntary)
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014
+RIP: 0010:vxlan_snoop+0x98/0x1e0
+[...]
+Call Trace:
+ <TASK>
+ vxlan_encap_bypass+0x209/0x240
+ encap_bypass_if_local+0xb1/0x100
+ vxlan_xmit_one+0x1375/0x17e0
+ vxlan_xmit+0x6b4/0x15f0
+ dev_hard_start_xmit+0x5d/0x1c0
+ __dev_queue_xmit+0x246/0xfd0
+ packet_sendmsg+0x113a/0x1850
+ __sock_sendmsg+0x38/0x70
+ __sys_sendto+0x126/0x180
+ __x64_sys_sendto+0x24/0x30
+ do_syscall_64+0xa4/0x260
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+[2]
+ #!/bin/bash
+
+ ip address add 192.0.2.1/32 dev lo
+ ip address add 192.0.2.2/32 dev lo
+
+ ip nexthop add id 1 via 192.0.2.3 fdb
+ ip nexthop add id 10 group 1 fdb
+
+ ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 12345 localbypass
+ ip link add name vx1 up type vxlan id 10020 local 192.0.2.2 dstport 54321 learning
+
+ bridge fdb add 00:11:22:33:44:55 dev vx0 self static dst 192.0.2.2 port 54321 vni 10020
+ bridge fdb add 00:aa:bb:cc:dd:ee dev vx1 self static nhid 10
+
+ mausezahn vx0 -a 00:aa:bb:cc:dd:ee -b 00:11:22:33:44:55 -c 1 -q
+
+Fixes: 1274e1cc4226 ("vxlan: ecmp support for mac fdb entries")
+Reported-by: Marlin Cremers <mcremers@cloudbear.nl>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://patch.msgid.link/20250901065035.159644-2-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vxlan/vxlan_core.c | 8 ++++----
+ drivers/net/vxlan/vxlan_private.h | 4 +---
+ 2 files changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
+index 97792de896b72..cea9dd067b68a 100644
+--- a/drivers/net/vxlan/vxlan_core.c
++++ b/drivers/net/vxlan/vxlan_core.c
+@@ -1445,6 +1445,10 @@ static enum skb_drop_reason vxlan_snoop(struct net_device *dev,
+ if (READ_ONCE(f->updated) != now)
+ WRITE_ONCE(f->updated, now);
+
++ /* Don't override an fdb with nexthop with a learnt entry */
++ if (rcu_access_pointer(f->nh))
++ return SKB_DROP_REASON_VXLAN_ENTRY_EXISTS;
++
+ if (likely(vxlan_addr_equal(&rdst->remote_ip, src_ip) &&
+ rdst->remote_ifindex == ifindex))
+ return SKB_NOT_DROPPED_YET;
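Review bot: The early return added before the `rdst->remote_ip` comparison in vxlan_snoop() tests `f->nh`, not the pointer that is dereferenced. `rdst` is assigned above the hunk, presumably from first_remote_rcu(f), so the guard holds only as long as that helper's read of `f->nh` and this one agree. Testing the pointer itself alongside the nexthop check, `if (!rdst || rcu_access_pointer(f->nh))`, would keep the dereference safe without depending on that.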
+@@ -1453,10 +1457,6 @@ static enum skb_drop_reason vxlan_snoop(struct net_device *dev,
+ if (f->state & (NUD_PERMANENT | NUD_NOARP))
+ return SKB_DROP_REASON_VXLAN_ENTRY_EXISTS;
+
+- /* Don't override an fdb with nexthop with a learnt entry */
+- if (rcu_access_pointer(f->nh))
+- return SKB_DROP_REASON_VXLAN_ENTRY_EXISTS;
+-
+ if (net_ratelimit())
+ netdev_info(dev,
+ "%pM migrated from %pIS to %pIS\n",
+diff --git a/drivers/net/vxlan/vxlan_private.h b/drivers/net/vxlan/vxlan_private.h
+index d328aed9feefd..55b84c0cbd65e 100644
+--- a/drivers/net/vxlan/vxlan_private.h
++++ b/drivers/net/vxlan/vxlan_private.h
+@@ -61,9 +61,7 @@ static inline struct hlist_head *vs_head(struct net *net, __be16 port)
+ return &vn->sock_list[hash_32(ntohs(port), PORT_HASH_BITS)];
+ }
+
+-/* First remote destination for a forwarding entry.
+- * Guaranteed to be non-NULL because remotes are never deleted.
+- */
++/* First remote destination for a forwarding entry. */
+ static inline struct vxlan_rdst *first_remote_rcu(struct vxlan_fdb *fdb)
+ {
+ if (rcu_access_pointer(fdb->nh))
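Review bot: The shortened comment on first_remote_rcu() drops the false non-NULL guarantee but does not state the actual contract, which is what both NULL-dereference fixes for vxlan on this page hinge on. The visible `if (rcu_access_pointer(fdb->nh))` branch suggests a NULL return for nexthop-backed entries, though the rest of the body is outside the hunk. I would write `/* First remote destination for a forwarding entry, or NULL if the entry uses an FDB nexthop group; callers must check. */`.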
+--
+2.50.1
+
--- /dev/null
+From 7fde069f02b1b7a575f21e427a4d27ae137e8979 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 10 Aug 2025 22:30:18 +0530
+Subject: wifi: ath11k: fix group data packet drops during rekey
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
+
+[ Upstream commit 97acb0259cc9cbfbd7ab689e25684f3d8ce10e26 ]
+
+During GTK rekey, mac80211 issues a clear key (if the old key exists)
+followed by an install key operation in the same context. This causes
+ath11k to send two WMI commands in quick succession: one to clear the
+old key and another to install the new key in the same slot.
+
+Under certain conditions—especially under high load or time sensitive
+scenarios, firmware may process these commands asynchronously in a way
+that firmware assumes the key is cleared whereas hardware has a valid key.
+This inconsistency between hardware and firmware leads to group addressed
+packet drops. Only setting the same key again can restore a valid key in
+firmware and allow packets to be transmitted.
+
+This issue remained latent because the host's clear key commands were
+not effective in firmware until commit 436a4e886598 ("ath11k: clear the
+keys properly via DISABLE_KEY"). That commit enabled the host to
+explicitly clear group keys, which inadvertently exposed the race.
+
+To mitigate this, restrict group key clearing across all modes (AP, STA,
+MESH). During rekey, the new key can simply be set on top of the previous
+one, avoiding the need for a clear followed by a set.
+
+However, in AP mode specifically, permit group key clearing when no
+stations are associated. This exception supports transitions from secure
+modes (e.g., WPA2/WPA3) to open mode, during which all associated peers
+are removed and the group key is cleared as part of the transition.
+
+Add a per-BSS station counter to track the presence of stations during
+set key operations. Also add a reset_group_keys flag to track the key
+re-installation state and avoid repeated installation of the same key
+when the number of connected stations transitions to non-zero within a
+rekey period.
+
+Additionally, for AP and Mesh modes, when the first station associates,
+reinstall the same group key that was last set. This ensures that the
+firmware recovers from any race that may have occurred during a previous
+key clear when no stations were associated.
+
+This change ensures that key clearing is permitted only when no clients
+are connected, avoiding packet loss while enabling dynamic security mode
+transitions.
+
+Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.9.0.1-02146-QCAHKSWPL_SILICONZ-1
+Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
+
+Reported-by: Steffen Moser <lists@steffen-moser.de>
+Closes: https://lore.kernel.org/linux-wireless/c6366409-9928-4dd7-bf7b-ba7fcf20eabf@steffen-moser.de
+Fixes: 436a4e886598 ("ath11k: clear the keys properly via DISABLE_KEY")
+Signed-off-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
+Tested-by: Nicolas Escande <nico.escande@gmail.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250810170018.1124014-1-rameshkumar.sundaram@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/core.h | 2 +
+ drivers/net/wireless/ath/ath11k/mac.c | 111 +++++++++++++++++++++++--
+ 2 files changed, 104 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h
+index 6b2f207975e33..5d0210953fa30 100644
+--- a/drivers/net/wireless/ath/ath11k/core.h
++++ b/drivers/net/wireless/ath/ath11k/core.h
+@@ -410,6 +410,8 @@ struct ath11k_vif {
+ bool do_not_send_tmpl;
+ struct ath11k_arp_ns_offload arp_ns_offload;
+ struct ath11k_rekey_data rekey_data;
++ u32 num_stations;
++ bool reinstall_group_keys;
+
+ struct ath11k_reg_tpc_power_info reg_tpc_info;
+
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index 977f370fd6de4..5f6cc763c86ac 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -4317,6 +4317,40 @@ static int ath11k_clear_peer_keys(struct ath11k_vif *arvif,
+ return first_errno;
+ }
+
++static int ath11k_set_group_keys(struct ath11k_vif *arvif)
++{
++ struct ath11k *ar = arvif->ar;
++ struct ath11k_base *ab = ar->ab;
++ const u8 *addr = arvif->bssid;
++ int i, ret, first_errno = 0;
++ struct ath11k_peer *peer;
++
++ spin_lock_bh(&ab->base_lock);
++ peer = ath11k_peer_find(ab, arvif->vdev_id, addr);
++ spin_unlock_bh(&ab->base_lock);
++
++ if (!peer)
++ return -ENOENT;
++
++ for (i = 0; i < ARRAY_SIZE(peer->keys); i++) {
++ struct ieee80211_key_conf *key = peer->keys[i];
++
++ if (!key || (key->flags & IEEE80211_KEY_FLAG_PAIRWISE))
++ continue;
++
++ ret = ath11k_install_key(arvif, key, SET_KEY, addr,
++ WMI_KEY_GROUP);
++ if (ret < 0 && first_errno == 0)
++ first_errno = ret;
++
++ if (ret < 0)
++ ath11k_warn(ab, "failed to set group key of idx %d for vdev %d: %d\n",
++ i, arvif->vdev_id, ret);
++ }
++
++ return first_errno;
++}
++
+ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
+ struct ieee80211_vif *vif, struct ieee80211_sta *sta,
+ struct ieee80211_key_conf *key)
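Review bot: ath11k_set_group_keys() releases `ab->base_lock` right after ath11k_peer_find() and then walks `peer->keys[]` and hands the key pointers to ath11k_install_key() with the lock dropped. If the peer can be removed or its key slots updated concurrently, which the hunk does not rule out, that is a use-after-free or a stale key pointer. The function should state which lock held by the caller keeps the peer and its keys alive, for example with `lockdep_assert_held(&ar->conf_mutex);` if that is the one, plus a one-line comment explaining why reading `peer->keys[]` outside `base_lock` is safe.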
+@@ -4326,6 +4360,7 @@ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
+ struct ath11k_vif *arvif = ath11k_vif_to_arvif(vif);
+ struct ath11k_peer *peer;
+ struct ath11k_sta *arsta;
++ bool is_ap_with_no_sta;
+ const u8 *peer_addr;
+ int ret = 0;
+ u32 flags = 0;
+@@ -4386,16 +4421,57 @@ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
+ else
+ flags |= WMI_KEY_GROUP;
+
+- ret = ath11k_install_key(arvif, key, cmd, peer_addr, flags);
+- if (ret) {
+- ath11k_warn(ab, "ath11k_install_key failed (%d)\n", ret);
+- goto exit;
+- }
++ ath11k_dbg(ar->ab, ATH11K_DBG_MAC,
++ "%s for peer %pM on vdev %d flags 0x%X, type = %d, num_sta %d\n",
++ cmd == SET_KEY ? "SET_KEY" : "DEL_KEY", peer_addr, arvif->vdev_id,
++ flags, arvif->vdev_type, arvif->num_stations);
++
++ /* Allow group key clearing only in AP mode when no stations are
++ * associated. There is a known race condition in firmware where
++ * group addressed packets may be dropped if the key is cleared
++ * and immediately set again during rekey.
++ *
++ * During GTK rekey, mac80211 issues a clear key (if the old key
++ * exists) followed by an install key operation for same key
++ * index. This causes ath11k to send two WMI commands in quick
++ * succession: one to clear the old key and another to install the
++ * new key in the same slot.
++ *
++ * Under certain conditions—especially under high load or time
++ * sensitive scenarios, firmware may process these commands
++ * asynchronously in a way that firmware assumes the key is
++ * cleared whereas hardware has a valid key. This inconsistency
++ * between hardware and firmware leads to group addressed packet
++ * drops after rekey.
++ * Only setting the same key again can restore a valid key in
++ * firmware and allow packets to be transmitted.
++ *
++ * There is a use case where an AP can transition from Secure mode
++ * to open mode without a vdev restart by just deleting all
++ * associated peers and clearing key, Hence allow clear key for
++ * that case alone. Mark arvif->reinstall_group_keys in such cases
++ * and reinstall the same key when the first peer is added,
++ * allowing firmware to recover from the race if it had occurred.
++ */
+
+- ret = ath11k_dp_peer_rx_pn_replay_config(arvif, peer_addr, cmd, key);
+- if (ret) {
+- ath11k_warn(ab, "failed to offload PN replay detection %d\n", ret);
+- goto exit;
++ is_ap_with_no_sta = (vif->type == NL80211_IFTYPE_AP &&
++ !arvif->num_stations);
++ if ((flags & WMI_KEY_PAIRWISE) || cmd == SET_KEY || is_ap_with_no_sta) {
++ ret = ath11k_install_key(arvif, key, cmd, peer_addr, flags);
++ if (ret) {
++ ath11k_warn(ab, "ath11k_install_key failed (%d)\n", ret);
++ goto exit;
++ }
++
++ ret = ath11k_dp_peer_rx_pn_replay_config(arvif, peer_addr, cmd, key);
++ if (ret) {
++ ath11k_warn(ab, "failed to offload PN replay detection %d\n",
++ ret);
++ goto exit;
++ }
++
++ if ((flags & WMI_KEY_GROUP) && cmd == SET_KEY && is_ap_with_no_sta)
++ arvif->reinstall_group_keys = true;
+ }
+
+ spin_lock_bh(&ab->base_lock);
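Review bot: `is_ap_with_no_sta` tests only `NL80211_IFTYPE_AP`, so `arvif->reinstall_group_keys` is never set on a mesh vif, while the commit message says the first-station reinstall covers AP and Mesh modes. If mesh is meant to be covered, the condition also needs `NL80211_IFTYPE_MESH_POINT`; if not, the description and the block comment should say AP only. Separately, when a group DEL_KEY is skipped, `ret` stays 0 and execution continues into the `base_lock` section after the hunk. mac80211 is then told the key is gone while the old GTK presumably stays programmed in hardware. A debug message on the skipped path would make that state visible when diagnosing key problems.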
+@@ -4994,6 +5070,7 @@ static int ath11k_mac_inc_num_stations(struct ath11k_vif *arvif,
+ return -ENOBUFS;
+
+ ar->num_stations++;
++ arvif->num_stations++;
+
+ return 0;
+ }
+@@ -5009,6 +5086,7 @@ static void ath11k_mac_dec_num_stations(struct ath11k_vif *arvif,
+ return;
+
+ ar->num_stations--;
++ arvif->num_stations--;
+ }
+
+ static u32 ath11k_mac_ieee80211_sta_bw_to_wmi(struct ath11k *ar,
+@@ -9536,6 +9614,21 @@ static int ath11k_mac_station_add(struct ath11k *ar,
+ goto exit;
+ }
+
++ /* Driver allows the DEL KEY followed by SET KEY sequence for
++ * group keys for only when there is no clients associated, if at
++ * all firmware has entered the race during that window,
++ * reinstalling the same key when the first sta connects will allow
++ * firmware to recover from the race.
++ */
++ if (arvif->num_stations == 1 && arvif->reinstall_group_keys) {
++ ath11k_dbg(ab, ATH11K_DBG_MAC, "set group keys on 1st station add for vdev %d\n",
++ arvif->vdev_id);
++ ret = ath11k_set_group_keys(arvif);
++ if (ret)
++ goto dec_num_station;
++ arvif->reinstall_group_keys = false;
++ }
++
+ arsta->rx_stats = kzalloc(sizeof(*arsta->rx_stats), GFP_KERNEL);
+ if (!arsta->rx_stats) {
+ ret = -ENOMEM;
+--
+2.50.1
+
--- /dev/null
+From fb52db37efeba431a0742e58d063a7833a0db390 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Aug 2025 16:19:20 +0530
+Subject: wifi: ath12k: Set EMLSR support flag in MLO flags for EML-capable
+ stations
+
+From: Ramya Gnanasekar <ramya.gnanasekar@oss.qualcomm.com>
+
+[ Upstream commit 22c55fb9eb92395d999b8404d73e58540d11bdd8 ]
+
+Currently, when updating EMLSR capabilities of a multi-link (ML) station,
+only the EMLSR parameters (e.g., padding delay, transition delay, and
+timeout) are sent to firmware. However, firmware also requires the
+EMLSR support flag to be set in the MLO flags of the peer assoc WMI
+command to properly handle EML operating mode notification frames.
+
+Set the ATH12K_WMI_FLAG_MLO_EMLSR_SUPPORT flag in the peer assoc WMI
+command when the ML station is EMLSR-capable, so that the firmware can
+respond to EHT EML action frames from associated stations.
+
+Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
+
+Fixes: 4bcf9525bc49 ("wifi: ath12k: update EMLSR capabilities of ML Station")
+Signed-off-by: Ramya Gnanasekar <ramya.gnanasekar@oss.qualcomm.com>
+Signed-off-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250801104920.3326352-1-rameshkumar.sundaram@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/wmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
+index 1d0d4a6689464..eac5d48cade66 100644
+--- a/drivers/net/wireless/ath/ath12k/wmi.c
++++ b/drivers/net/wireless/ath/ath12k/wmi.c
+@@ -2370,6 +2370,7 @@ int ath12k_wmi_send_peer_assoc_cmd(struct ath12k *ar,
+
+ eml_cap = arg->ml.eml_cap;
+ if (u16_get_bits(eml_cap, IEEE80211_EML_CAP_EMLSR_SUPP)) {
++ ml_params->flags |= cpu_to_le32(ATH12K_WMI_FLAG_MLO_EMLSR_SUPPORT);
+ /* Padding delay */
+ eml_pad_delay = ieee80211_emlsr_pad_delay_in_us(eml_cap);
+ ml_params->emlsr_padding_delay_us = cpu_to_le32(eml_pad_delay);
+--
+2.50.1
+
--- /dev/null
+From 4c0d72920e4bd0f74981669dfa2309d757b7aacf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 13:08:39 +0800
+Subject: wifi: brcmfmac: fix use-after-free when rescheduling
+ brcmf_btcoex_info work
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+[ Upstream commit 9cb83d4be0b9b697eae93d321e0da999f9cdfcfc ]
+
+The brcmf_btcoex_detach() only shuts down the btcoex timer, if the
+flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which
+runs as timer handler, sets timer_on to false. This creates critical
+race conditions:
+
+1.If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc()
+is executing, it may observe timer_on as false and skip the call to
+timer_shutdown_sync().
+
+2.The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info
+worker after the cancel_work_sync() has been executed, resulting in
+use-after-free bugs.
+
+The use-after-free bugs occur in two distinct scenarios, depending on
+the timing of when the brcmf_btcoex_info struct is freed relative to
+the execution of its worker thread.
+
+Scenario 1: Freed before the worker is scheduled
+
+The brcmf_btcoex_info is deallocated before the worker is scheduled.
+A race condition can occur when schedule_work(&bt_local->work) is
+called after the target memory has been freed. The sequence of events
+is detailed below:
+
+CPU0 | CPU1
+brcmf_btcoex_detach | brcmf_btcoex_timerfunc
+ | bt_local->timer_on = false;
+ if (cfg->btcoex->timer_on) |
+ ... |
+ cancel_work_sync(); |
+ ... |
+ kfree(cfg->btcoex); // FREE |
+ | schedule_work(&bt_local->work); // USE
+
+Scenario 2: Freed after the worker is scheduled
+
+The brcmf_btcoex_info is freed after the worker has been scheduled
+but before or during its execution. In this case, statements within
+the brcmf_btcoex_handler() — such as the container_of macro and
+subsequent dereferences of the brcmf_btcoex_info object will cause
+a use-after-free access. The following timeline illustrates this
+scenario:
+
+CPU0 | CPU1
+brcmf_btcoex_detach | brcmf_btcoex_timerfunc
+ | bt_local->timer_on = false;
+ if (cfg->btcoex->timer_on) |
+ ... |
+ cancel_work_sync(); |
+ ... | schedule_work(); // Reschedule
+ |
+ kfree(cfg->btcoex); // FREE | brcmf_btcoex_handler() // Worker
+ /* | btci = container_of(....); // USE
+ The kfree() above could | ...
+ also occur at any point | btci-> // USE
+ during the worker's execution|
+ */ |
+
+To resolve the race conditions, drop the conditional check and call
+timer_shutdown_sync() directly. It can deactivate the timer reliably,
+regardless of its current state. Once stopped, the timer_on state is
+then set to false.
+
+Fixes: 61730d4dfffc ("brcmfmac: support critical protocol API for DHCP")
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Link: https://patch.msgid.link/20250822050839.4413-1-duoming@zju.edu.cn
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c
+index 69ef8cf203d24..67c0c5a92f998 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c
+@@ -393,10 +393,8 @@ void brcmf_btcoex_detach(struct brcmf_cfg80211_info *cfg)
+ if (!cfg->btcoex)
+ return;
+
+- if (cfg->btcoex->timer_on) {
+- cfg->btcoex->timer_on = false;
+- timer_shutdown_sync(&cfg->btcoex->timer);
+- }
++ timer_shutdown_sync(&cfg->btcoex->timer);
++ cfg->btcoex->timer_on = false;
+
+ cancel_work_sync(&cfg->btcoex->work);
+
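Review bot: The now unconditional `timer_shutdown_sync()` in brcmf_btcoex_detach() carries no comment, and its ordering before `cancel_work_sync()` is what the fix depends on. Without an explanation, a later cleanup could reinstate the `timer_on` test and reopen the use-after-free described in the commit message. I would add above the call `/* timer_on is cleared by the timer callback itself, so it cannot gate the shutdown; stop the timer first so it cannot requeue the work */`.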
+--
+2.50.1
+
--- /dev/null
+From 61291c9ee150abfd26df874e12e7ed9eb894dabf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Aug 2025 16:52:36 +0300
+Subject: wifi: cfg80211: fix use-after-free in cmp_bss()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 26e84445f02ce6b2fe5f3e0e28ff7add77f35e08 ]
+
+Following bss_free() quirk introduced in commit 776b3580178f
+("cfg80211: track hidden SSID networks properly"), adjust
+cfg80211_update_known_bss() to free the last beacon frame
+elements only if they're not shared via the corresponding
+'hidden_beacon_bss' pointer.
+
+Reported-by: syzbot+30754ca335e6fb7e3092@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=30754ca335e6fb7e3092
+Fixes: 3ab8227d3e7d ("cfg80211: refactor cfg80211_bss_update")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Link: https://patch.msgid.link/20250813135236.799384-1-dmantipov@yandex.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/scan.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index e8a4fe44ec2d8..f2a66af385dcb 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -1905,7 +1905,8 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev,
+ */
+
+ f = rcu_access_pointer(new->pub.beacon_ies);
+- kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head);
++ if (!new->pub.hidden_beacon_bss)
++ kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head);
+ return false;
+ }
+
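Review bot: The new `if (!new->pub.hidden_beacon_bss)` guard in cfg80211_update_known_bss() skips the free without saying who owns `beacon_ies` in that case. The commit message points to the bss_free() handling of hidden-SSID entries, so a one-line comment such as `/* beacon_ies is shared via hidden_beacon_bss and must not be freed here */` would record the ownership rule next to the code. The function starts and ends outside the hunk, so whether `f` is released elsewhere on this path cannot be checked from here.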
+--
+2.50.1
+
--- /dev/null
+From 5966205ad61462636ac53733848ebc525c5324e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 15:48:45 +0300
+Subject: wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 62b635dcd69c4fde7ce1de4992d71420a37e51e3 ]
+
+If the ssid->datalen is more than IEEE80211_MAX_SSID_LEN (32) it would
+lead to memory corruption so add some bounds checking.
+
+Fixes: c38c70185101 ("wifi: cfg80211: Set SSID if it is not already set")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/0aaaae4a3ed37c6252363c34ae4904b1604e8e32.1756456951.git.dan.carpenter@linaro.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/sme.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/sme.c b/net/wireless/sme.c
+index cf998500a9654..05d06512983c2 100644
+--- a/net/wireless/sme.c
++++ b/net/wireless/sme.c
+@@ -901,13 +901,16 @@ void __cfg80211_connect_result(struct net_device *dev,
+ if (!wdev->u.client.ssid_len) {
+ rcu_read_lock();
+ for_each_valid_link(cr, link) {
++ u32 ssid_len;
++
+ ssid = ieee80211_bss_get_elem(cr->links[link].bss,
+ WLAN_EID_SSID);
+
+ if (!ssid || !ssid->datalen)
+ continue;
+
+- memcpy(wdev->u.client.ssid, ssid->data, ssid->datalen);
++ ssid_len = min(ssid->datalen, IEEE80211_MAX_SSID_LEN);
++ memcpy(wdev->u.client.ssid, ssid->data, ssid_len);
+ wdev->u.client.ssid_len = ssid->datalen;
+ break;
+ }
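Review bot: The copy is capped but the stored length is not: after `memcpy(wdev->u.client.ssid, ssid->data, ssid_len)` the hunk still assigns `wdev->u.client.ssid_len = ssid->datalen;`. For an SSID element longer than IEEE80211_MAX_SSID_LEN, any later reader that trusts `ssid_len` would read past the end of `wdev->u.client.ssid`. The assignment should use the capped value, `wdev->u.client.ssid_len = ssid_len;`. The surrounding function continues outside the hunk.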
+--
+2.50.1
+
--- /dev/null
+From 215fa59de8498a8230348c340591714a278e1d54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 15:48:28 +0300
+Subject: wifi: cw1200: cap SSID length in cw1200_do_join()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit f8f15f6742b8874e59c9c715d0af3474608310ad ]
+
+If the ssidie[1] length is more than 32 it leads to memory corruption.
+
+Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/e91fb43fcedc4893b604dfb973131661510901a7.1756456951.git.dan.carpenter@linaro.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/st/cw1200/sta.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/st/cw1200/sta.c b/drivers/net/wireless/st/cw1200/sta.c
+index 5dd7f6a389006..cc56018b2e327 100644
+--- a/drivers/net/wireless/st/cw1200/sta.c
++++ b/drivers/net/wireless/st/cw1200/sta.c
+@@ -1290,7 +1290,7 @@ static void cw1200_do_join(struct cw1200_common *priv)
+ rcu_read_lock();
+ ssidie = ieee80211_bss_get_ie(bss, WLAN_EID_SSID);
+ if (ssidie) {
+- join.ssid_len = ssidie[1];
++ join.ssid_len = min(ssidie[1], IEEE80211_MAX_SSID_LEN);
+ memcpy(join.ssid, &ssidie[2], join.ssid_len);
+ }
+ rcu_read_unlock();
+--
+2.50.1
+
--- /dev/null
+From 5ce37ccb625c560ec6b79cec480d7d16f620c805 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Aug 2025 09:55:27 +0300
+Subject: wifi: iwlwifi: acpi: check DSM func validity
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 7bf2dfccc2dd70821104d15cbab7b6fca21872be ]
+
+The DSM func 0 (DSM_FUNC_QUERY) returns a bitmap of which
+other functions contain valid data, query and check it
+before returning other functions data.
+
+Fixes: 9db93491f29e ("iwlwifi: acpi: support device specific method (DSM)")
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220085
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20250828095500.881e17ff8f6a.Ic6d92997d9d5fad127919d6e1b830cd3fe944468@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/fw/acpi.c | 25 ++++++++++++++++++-
+ .../net/wireless/intel/iwlwifi/fw/runtime.h | 8 ++++++
+ 2 files changed, 32 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
+index bee7d92293b8d..7ec22738b5d65 100644
+--- a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
++++ b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
+@@ -169,7 +169,7 @@ int iwl_acpi_get_dsm(struct iwl_fw_runtime *fwrt,
+
+ BUILD_BUG_ON(ARRAY_SIZE(acpi_dsm_size) != DSM_FUNC_NUM_FUNCS);
+
+- if (WARN_ON(func >= ARRAY_SIZE(acpi_dsm_size)))
++ if (WARN_ON(func >= ARRAY_SIZE(acpi_dsm_size) || !func))
+ return -EINVAL;
+
+ expected_size = acpi_dsm_size[func];
+@@ -178,6 +178,29 @@ int iwl_acpi_get_dsm(struct iwl_fw_runtime *fwrt,
+ if (expected_size != sizeof(u8) && expected_size != sizeof(u32))
+ return -EOPNOTSUPP;
+
++ if (!fwrt->acpi_dsm_funcs_valid) {
++ ret = iwl_acpi_get_dsm_integer(fwrt->dev, ACPI_DSM_REV,
++ DSM_FUNC_QUERY,
++ &iwl_guid, &tmp,
++ acpi_dsm_size[DSM_FUNC_QUERY]);
++ if (ret) {
++ /* always indicate BIT(0) to avoid re-reading */
++ fwrt->acpi_dsm_funcs_valid = BIT(0);
++ return ret;
++ }
++
++ IWL_DEBUG_RADIO(fwrt, "ACPI DSM validity bitmap 0x%x\n",
++ (u32)tmp);
++ /* always indicate BIT(0) to avoid re-reading */
++ fwrt->acpi_dsm_funcs_valid = tmp | BIT(0);
++ }
++
++ if (!(fwrt->acpi_dsm_funcs_valid & BIT(func))) {
++ IWL_DEBUG_RADIO(fwrt, "ACPI DSM %d not indicated as valid\n",
++ func);
++ return -ENODATA;
++ }
++
+ ret = iwl_acpi_get_dsm_integer(fwrt->dev, ACPI_DSM_REV, func,
+ &iwl_guid, &tmp, expected_size);
+ if (ret)
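Review bot: A failed DSM_FUNC_QUERY read is cached as `BIT(0)` in `fwrt->acpi_dsm_funcs_valid`, so the original error is returned once and every later call for any function takes the `-ENODATA` branch; the query is never retried for this runtime. If that is intended, the comment in the error branch should say so, for example `/* query failed: cache BIT(0) so no function is treated as valid and the query is not repeated */`, instead of repeating the success-path comment. The assignment `tmp | BIT(0)` also narrows `tmp` into a `u32` field; the declaration of `tmp` is outside the hunk, so it is worth confirming that no validity bit above 31 is expected. iwl_acpi_get_dsm() continues past the end of the hunk.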
+diff --git a/drivers/net/wireless/intel/iwlwifi/fw/runtime.h b/drivers/net/wireless/intel/iwlwifi/fw/runtime.h
+index 0444a736c2b20..bd3bc2846cfa4 100644
+--- a/drivers/net/wireless/intel/iwlwifi/fw/runtime.h
++++ b/drivers/net/wireless/intel/iwlwifi/fw/runtime.h
+@@ -113,6 +113,10 @@ struct iwl_txf_iter_data {
+ * @phy_filters: specific phy filters as read from WPFC BIOS table
+ * @ppag_bios_rev: PPAG BIOS revision
+ * @ppag_bios_source: see &enum bios_source
++ * @acpi_dsm_funcs_valid: bitmap indicating which DSM values are valid,
++ * zero (default initialization) means it hasn't been read yet,
++ * and BIT(0) is set when it has since function 0 also has this
++ * bitmap and is always supported
+ */
+ struct iwl_fw_runtime {
+ struct iwl_trans *trans;
+@@ -189,6 +193,10 @@ struct iwl_fw_runtime {
+ bool uats_valid;
+ u8 uefi_tables_lock_status;
+ struct iwl_phy_specific_cfg phy_filters;
++
++#ifdef CONFIG_ACPI
++ u32 acpi_dsm_funcs_valid;
++#endif
+ };
+
+ void iwl_fw_runtime_init(struct iwl_fw_runtime *fwrt, struct iwl_trans *trans,
+--
+2.50.1
+
--- /dev/null
+From b5c8a1693a96153332c6fa6c6f010f7ea96e6ffc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Aug 2025 09:55:31 +0300
+Subject: wifi: iwlwifi: cfg: add back more lost PCI IDs
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 019f71a6760a6f89d388c3cd45622d1aae7d3641 ]
+
+Add back a few more PCI IDs to the config match table that
+evidently I lost during the cleanups.
+
+Fixes: 1fb053d9876f ("wifi: iwlwifi: cfg: remove unnecessary configs")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20250828095500.46fee422651e.I8f6c3e9eea9523bb1658f5690b715eb443740e07@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+index b66a581c2e564..4e47ccb43bd86 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+@@ -670,6 +670,8 @@ VISIBLE_IF_IWLWIFI_KUNIT const struct iwl_dev_info iwl_dev_info_table[] = {
+
+ IWL_DEV_INFO(iwl6005_n_cfg, iwl6005_2agn_sff_name,
+ DEVICE(0x0082), SUBDEV_MASKED(0xC000, 0xF000)),
++ IWL_DEV_INFO(iwl6005_n_cfg, iwl6005_2agn_sff_name,
++ DEVICE(0x0085), SUBDEV_MASKED(0xC000, 0xF000)),
+ IWL_DEV_INFO(iwl6005_n_cfg, iwl6005_2agn_d_name,
+ DEVICE(0x0082), SUBDEV(0x4820)),
+ IWL_DEV_INFO(iwl6005_n_cfg, iwl6005_2agn_mow1_name,
+@@ -961,6 +963,12 @@ VISIBLE_IF_IWLWIFI_KUNIT const struct iwl_dev_info iwl_dev_info_table[] = {
+ DEVICE(0x24F3), SUBDEV(0x0004)),
+ IWL_DEV_INFO(iwl8260_cfg, iwl8260_2n_name,
+ DEVICE(0x24F3), SUBDEV(0x0044)),
++ IWL_DEV_INFO(iwl8260_cfg, iwl8260_2ac_name,
++ DEVICE(0x24F4)),
++ IWL_DEV_INFO(iwl8260_cfg, iwl4165_2ac_name,
++ DEVICE(0x24F5)),
++ IWL_DEV_INFO(iwl8260_cfg, iwl4165_2ac_name,
++ DEVICE(0x24F6)),
+ IWL_DEV_INFO(iwl8265_cfg, iwl8265_2ac_name,
+ DEVICE(0x24FD)),
+ IWL_DEV_INFO(iwl8265_cfg, iwl8275_2ac_name,
+--
+2.50.1
+
--- /dev/null
+From c95561b7c4bc36bdaab9226c21b126d6259d0cf4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Aug 2025 09:55:29 +0300
+Subject: wifi: iwlwifi: cfg: restore some 1000 series configs
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 22e6bdb129ec64e640f5cccef9686f7c1a7d559b ]
+
+In the fixed commit, I inadvertently removed two configurations
+while combining the 0x0083/0x0084 device IDs. Replace the fixed
+matches for the BG versions by a masked match and add the BGN
+version back with a similar masked match.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=220477
+Fixes: 1fb053d9876f ("wifi: iwlwifi: cfg: remove unnecessary configs")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Link: https://patch.msgid.link/20250828095500.fabb99c2df9e.If0ad87bf9ab360da5f613e879fd416c17c544733@changeid
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+index e4e06bf9161c3..b66a581c2e564 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+@@ -726,10 +726,10 @@ VISIBLE_IF_IWLWIFI_KUNIT const struct iwl_dev_info iwl_dev_info_table[] = {
+ DEVICE(0x0083), SUBDEV_MASKED(0x5, 0xF)),
+ IWL_DEV_INFO(iwl1000_bg_cfg, iwl1000_bg_name,
+ DEVICE(0x0083), SUBDEV_MASKED(0x6, 0xF)),
++ IWL_DEV_INFO(iwl1000_bgn_cfg, iwl1000_bgn_name,
++ DEVICE(0x0084), SUBDEV_MASKED(0x5, 0xF)),
+ IWL_DEV_INFO(iwl1000_bg_cfg, iwl1000_bg_name,
+- DEVICE(0x0084), SUBDEV(0x1216)),
+- IWL_DEV_INFO(iwl1000_bg_cfg, iwl1000_bg_name,
+- DEVICE(0x0084), SUBDEV(0x1316)),
++ DEVICE(0x0084), SUBDEV_MASKED(0x6, 0xF)),
+
+ /* 100 Series WiFi */
+ IWL_DEV_INFO(iwl100_bgn_cfg, iwl100_bgn_name,
+--
+2.50.1
+
--- /dev/null
+From c46330e01f8c0661ecddcaa5987cda7b9d0aa453 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Aug 2025 09:55:26 +0300
+Subject: wifi: iwlwifi: if scratch is ~0U, consider it a failure
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+[ Upstream commit 224476613c8499f00ce4de975dd65749c5ca498c ]
+
+We want to see bits being set in the scratch register upon resume, but
+if all the bits are set, it means that we were kicked out of the PCI bus
+and that clearly doesn't mean we can assume the firmware is still alive
+after the suspend / resume cycle.
+
+Fixes: cb347bd29d0d ("wifi: iwlwifi: mvm: fix hibernation")
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20250828095500.0f203e559242.I59eff718cb5fda575db41081a1a389f7af488717@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+index 0a9e0dbb58fbf..e4e06bf9161c3 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+@@ -1503,11 +1503,15 @@ static int _iwl_pci_resume(struct device *device, bool restore)
+ * Note: MAC (bits 0:7) will be cleared upon suspend even with wowlan,
+ * but not bits [15:8]. So if we have bits set in lower word, assume
+ * the device is alive.
++ * Alternatively, if the scratch value is 0xFFFFFFFF, then we no longer
++ * have access to the device and consider it powered off.
+ * For older devices, just try silently to grab the NIC.
+ */
+ if (trans->mac_cfg->device_family >= IWL_DEVICE_FAMILY_BZ) {
+- if (!(iwl_read32(trans, CSR_FUNC_SCRATCH) &
+- CSR_FUNC_SCRATCH_POWER_OFF_MASK))
++ u32 scratch = iwl_read32(trans, CSR_FUNC_SCRATCH);
++
++ if (!(scratch & CSR_FUNC_SCRATCH_POWER_OFF_MASK) ||
++ scratch == ~0U)
+ device_was_powered_off = true;
+ } else {
+ /*
+--
+2.50.1
+
--- /dev/null
+From 3223353a1582eb202909a04ac7cd6aa9300d017b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Aug 2025 09:55:28 +0300
+Subject: wifi: iwlwifi: uefi: check DSM item validity
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 1d33694462fa7da451846c39d653585b61375992 ]
+
+The first array index is a bitmap indicating which of the
+other values are valid. Check that bitmap before returning
+a value.
+
+Fixes: fc7214c3c986 ("wifi: iwlwifi: read DSM functions from UEFI")
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220085
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20250828095500.59ec52ff865e.I9e11f497a029eb38f481b2c90c43c0935285216d@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/fw/uefi.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/fw/uefi.c b/drivers/net/wireless/intel/iwlwifi/fw/uefi.c
+index 48126ec6b94bf..99a17b9323e9b 100644
+--- a/drivers/net/wireless/intel/iwlwifi/fw/uefi.c
++++ b/drivers/net/wireless/intel/iwlwifi/fw/uefi.c
+@@ -747,6 +747,12 @@ int iwl_uefi_get_dsm(struct iwl_fw_runtime *fwrt, enum iwl_dsm_funcs func,
+ goto out;
+ }
+
++ if (!(data->functions[DSM_FUNC_QUERY] & BIT(func))) {
++ IWL_DEBUG_RADIO(fwrt, "DSM func %d not in 0x%x\n",
++ func, data->functions[DSM_FUNC_QUERY]);
++ goto out;
++ }
++
+ *value = data->functions[func];
+
+ IWL_DEBUG_RADIO(fwrt,
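Review bot: The new validity branch jumps to `out` without assigning `ret`, so the error returned for a function the bitmap does not list is whatever `ret` held before, and that is set outside the hunk. The matching ACPI check in iwl_acpi_get_dsm() returns `-ENODATA` for the same condition. Adding `ret = -ENODATA;` before the `goto out;` would give callers one error code for "the firmware table does not provide this value" on both paths. The bound on `func` that keeps `BIT(func)` and `data->functions[func]` in range is also outside the hunk.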
+--
+2.50.1
+
--- /dev/null
+From 4a2f25ee481c9c5e897194f7fbcbf3ae44f59733 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 15:48:35 +0300
+Subject: wifi: libertas: cap SSID len in lbs_associate()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit c786794bd27b0d7a5fd9063695df83206009be59 ]
+
+If the ssid_eid[1] length is more that 32 it leads to memory corruption.
+
+Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/2a40f5ec7617144aef412034c12919a4927d90ad.1756456951.git.dan.carpenter@linaro.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/libertas/cfg.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c
+index 2e2c193716d96..309556541a83e 100644
+--- a/drivers/net/wireless/marvell/libertas/cfg.c
++++ b/drivers/net/wireless/marvell/libertas/cfg.c
+@@ -1151,10 +1151,13 @@ static int lbs_associate(struct lbs_private *priv,
+ /* add SSID TLV */
+ rcu_read_lock();
+ ssid_eid = ieee80211_bss_get_ie(bss, WLAN_EID_SSID);
+- if (ssid_eid)
+- pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_eid[1]);
+- else
++ if (ssid_eid) {
++ u32 ssid_len = min(ssid_eid[1], IEEE80211_MAX_SSID_LEN);
++
++ pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_len);
++ } else {
+ lbs_deb_assoc("no SSID\n");
++ }
+ rcu_read_unlock();
+
+ /* add DS param TLV */
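Review bot: An SSID element whose length byte exceeds `IEEE80211_MAX_SSID_LEN` is clamped silently, so the association request goes out with a truncated SSID and nothing records that the scan entry was malformed. A debug line in the new block would make that visible, e.g. `if (ssid_eid[1] > IEEE80211_MAX_SSID_LEN) lbs_deb_assoc("SSID IE too long, truncating\n");`. lbs_associate() starts and ends outside the hunk, so whether a later step depends on the full SSID cannot be checked here.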
+--
+2.50.1
+
--- /dev/null
+From d37521e02cfefe4e152d9a070fad6725d90ae8b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 10:53:52 +0200
+Subject: wifi: mt76: fix linked list corruption
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit 49fba87205bec14a0f6bd997635bf3968408161e ]
+
+Never leave scheduled wcid entries on the temporary on-stack list
+
+Fixes: 0b3be9d1d34e ("wifi: mt76: add separate tx scheduling queue for off-channel tx")
+Link: https://patch.msgid.link/20250827085352.51636-6-nbd@nbd.name
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/tx.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/tx.c b/drivers/net/wireless/mediatek/mt76/tx.c
+index 03b042fdf997f..8ab5840fee57f 100644
+--- a/drivers/net/wireless/mediatek/mt76/tx.c
++++ b/drivers/net/wireless/mediatek/mt76/tx.c
+@@ -646,6 +646,7 @@ mt76_txq_schedule_pending_wcid(struct mt76_phy *phy, struct mt76_wcid *wcid,
+ static void mt76_txq_schedule_pending(struct mt76_phy *phy)
+ {
+ LIST_HEAD(tx_list);
++ int ret = 0;
+
+ if (list_empty(&phy->tx_list))
+ return;
+@@ -657,13 +658,13 @@ static void mt76_txq_schedule_pending(struct mt76_phy *phy)
+ list_splice_init(&phy->tx_list, &tx_list);
+ while (!list_empty(&tx_list)) {
+ struct mt76_wcid *wcid;
+- int ret;
+
+ wcid = list_first_entry(&tx_list, struct mt76_wcid, tx_list);
+ list_del_init(&wcid->tx_list);
+
+ spin_unlock(&phy->tx_lock);
+- ret = mt76_txq_schedule_pending_wcid(phy, wcid, &wcid->tx_offchannel);
++ if (ret >= 0)
++ ret = mt76_txq_schedule_pending_wcid(phy, wcid, &wcid->tx_offchannel);
+ if (ret >= 0 && !phy->offchannel)
+ ret = mt76_txq_schedule_pending_wcid(phy, wcid, &wcid->tx_pending);
+ spin_lock(&phy->tx_lock);
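Review bot: The `if (ret >= 0)` guard in front of the first mt76_txq_schedule_pending_wcid() call is easy to misread as dead code, because `ret` now lives outside the loop and carries a failure over from an earlier entry. A comment should state the intent, e.g. `/* after an error, stop scheduling but keep draining the on-stack list so each wcid can be re-queued on phy->tx_list */`. That wording follows the commit description and the re-queue block in the next hunk. The first line of the re-queue condition is outside the hunks, so it is worth confirming that it re-adds entries that were skipped.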
+@@ -672,9 +673,6 @@ static void mt76_txq_schedule_pending(struct mt76_phy *phy)
+ !skb_queue_empty(&wcid->tx_offchannel) &&
+ list_empty(&wcid->tx_list))
+ list_add_tail(&wcid->tx_list, &phy->tx_list);
+-
+- if (ret < 0)
+- break;
+ }
+ spin_unlock(&phy->tx_lock);
+
+--
+2.50.1
+
--- /dev/null
+From 9dd88c583347750e2841e36afd1cb3909800f402 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 10:53:51 +0200
+Subject: wifi: mt76: free pending offchannel tx frames on wcid cleanup
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit bdeac7815629c1a32b8784922368742e183747ea ]
+
+Avoid leaking them or keeping the wcid on the tx list
+
+Fixes: 0b3be9d1d34e ("wifi: mt76: add separate tx scheduling queue for off-channel tx")
+Link: https://patch.msgid.link/20250827085352.51636-5-nbd@nbd.name
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mac80211.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mac80211.c b/drivers/net/wireless/mediatek/mt76/mac80211.c
+index 4e435bec828b5..8e6ce16ab5b88 100644
+--- a/drivers/net/wireless/mediatek/mt76/mac80211.c
++++ b/drivers/net/wireless/mediatek/mt76/mac80211.c
+@@ -1716,6 +1716,10 @@ void mt76_wcid_cleanup(struct mt76_dev *dev, struct mt76_wcid *wcid)
+ skb_queue_splice_tail_init(&wcid->tx_pending, &list);
+ spin_unlock(&wcid->tx_pending.lock);
+
++ spin_lock(&wcid->tx_offchannel.lock);
++ skb_queue_splice_tail_init(&wcid->tx_offchannel, &list);
++ spin_unlock(&wcid->tx_offchannel.lock);
++
+ spin_unlock_bh(&phy->tx_lock);
+
+ while ((skb = __skb_dequeue(&list)) != NULL) {
+--
+2.50.1
+
--- /dev/null
+From f689238875caeda807da31492679c0d8009f7ad6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 10:53:50 +0200
+Subject: wifi: mt76: mt7915: fix list corruption after hardware restart
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit 065c79df595af21d6d1b27d642860faa1d938774 ]
+
+Since stations are recreated from scratch, all lists that wcids are added
+to must be cleared before calling ieee80211_restart_hw.
+Set wcid->sta = 0 for each wcid entry in order to ensure that they are
+not added again before they are ready.
+
+Fixes: 8a55712d124f ("wifi: mt76: mt7915: enable full system reset support")
+Link: https://patch.msgid.link/20250827085352.51636-4-nbd@nbd.name
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mac80211.c | 37 +++++++++++++++++++
+ drivers/net/wireless/mediatek/mt76/mt76.h | 1 +
+ .../net/wireless/mediatek/mt76/mt7915/mac.c | 12 +++---
+ 3 files changed, 43 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mac80211.c b/drivers/net/wireless/mediatek/mt76/mac80211.c
+index 45c8db939d554..4e435bec828b5 100644
+--- a/drivers/net/wireless/mediatek/mt76/mac80211.c
++++ b/drivers/net/wireless/mediatek/mt76/mac80211.c
+@@ -818,6 +818,43 @@ void mt76_free_device(struct mt76_dev *dev)
+ }
+ EXPORT_SYMBOL_GPL(mt76_free_device);
+
++static void mt76_reset_phy(struct mt76_phy *phy)
++{
++ if (!phy)
++ return;
++
++ INIT_LIST_HEAD(&phy->tx_list);
++}
++
++void mt76_reset_device(struct mt76_dev *dev)
++{
++ int i;
++
++ rcu_read_lock();
++ for (i = 0; i < ARRAY_SIZE(dev->wcid); i++) {
++ struct mt76_wcid *wcid;
++
++ wcid = rcu_dereference(dev->wcid[i]);
++ if (!wcid)
++ continue;
++
++ wcid->sta = 0;
++ mt76_wcid_cleanup(dev, wcid);
++ rcu_assign_pointer(dev->wcid[i], NULL);
++ }
++ rcu_read_unlock();
++
++ INIT_LIST_HEAD(&dev->wcid_list);
++ INIT_LIST_HEAD(&dev->sta_poll_list);
++ dev->vif_mask = 0;
++ memset(dev->wcid_mask, 0, sizeof(dev->wcid_mask));
++
++ mt76_reset_phy(&dev->phy);
++ for (i = 0; i < ARRAY_SIZE(dev->phys); i++)
++ mt76_reset_phy(dev->phys[i]);
++}
++EXPORT_SYMBOL_GPL(mt76_reset_device);
++
+ struct mt76_phy *mt76_vif_phy(struct ieee80211_hw *hw,
+ struct ieee80211_vif *vif)
+ {
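Review bot: mt76_reset_device() reinitialises `dev->sta_poll_list` with a bare `INIT_LIST_HEAD()`, while the mt7915 code it replaces (removed in the mt7915/mac.c hunk of this patch) emptied that list under `spin_lock_bh(&dev->mt76.sta_poll_lock)`. `dev->wcid_list` and each `phy->tx_list` are reset without a lock as well, although mt76_txq_schedule_pending() manipulates `tx_list` under `phy->tx_lock`. Presumably the reset path has already stopped tx and the workers; if that is the contract, a kernel-doc comment on this exported function should state it. Otherwise keep the earlier protection: `spin_lock_bh(&dev->sta_poll_lock);`, `INIT_LIST_HEAD(&dev->sta_poll_list);`, `spin_unlock_bh(&dev->sta_poll_lock);`.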
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76.h b/drivers/net/wireless/mediatek/mt76/mt76.h
+index 0ecf77fcbe3d0..0290ddbb2424e 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76.h
++++ b/drivers/net/wireless/mediatek/mt76/mt76.h
+@@ -1241,6 +1241,7 @@ int mt76_register_device(struct mt76_dev *dev, bool vht,
+ struct ieee80211_rate *rates, int n_rates);
+ void mt76_unregister_device(struct mt76_dev *dev);
+ void mt76_free_device(struct mt76_dev *dev);
++void mt76_reset_device(struct mt76_dev *dev);
+ void mt76_unregister_phy(struct mt76_phy *phy);
+
+ struct mt76_phy *mt76_alloc_radio_phy(struct mt76_dev *dev, unsigned int size,
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
+index 6639976afcee6..1c0d310146d63 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
+@@ -1460,17 +1460,15 @@ mt7915_mac_full_reset(struct mt7915_dev *dev)
+ if (i == 10)
+ dev_err(dev->mt76.dev, "chip full reset failed\n");
+
+- spin_lock_bh(&dev->mt76.sta_poll_lock);
+- while (!list_empty(&dev->mt76.sta_poll_list))
+- list_del_init(dev->mt76.sta_poll_list.next);
+- spin_unlock_bh(&dev->mt76.sta_poll_lock);
+-
+- memset(dev->mt76.wcid_mask, 0, sizeof(dev->mt76.wcid_mask));
+- dev->mt76.vif_mask = 0;
+ dev->phy.omac_mask = 0;
+ if (phy2)
+ phy2->omac_mask = 0;
+
++ mt76_reset_device(&dev->mt76);
++
++ INIT_LIST_HEAD(&dev->sta_rc_list);
++ INIT_LIST_HEAD(&dev->twt_list);
++
+ i = mt76_wcid_alloc(dev->mt76.wcid_mask, MT7915_WTBL_STA);
+ dev->mt76.global_wcid.idx = i;
+ dev->recovery.hw_full_reset = false;
+--
+2.50.1
+
--- /dev/null
+From d5caa65b4281dc16189d07992809a55a2a5e196b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jul 2025 18:54:01 +0200
+Subject: wifi: mt76: mt7921: don't disconnect when CSA to DFS chan
+
+From: Janusz Dziedzic <janusz.dziedzic@gmail.com>
+
+[ Upstream commit 87f38519d27a514c9909f84b8f1334125df9778e ]
+
+When station mode, don't disconnect when we get
+channel switch from AP to DFS channel. Most APs
+send CSA request after pass background CAC. In other
+case we should disconnect after detect beacon miss.
+
+Without patch when we get CSA to DFS channel get:
+"kernel: wlo1: preparing for channel switch failed, disconnecting"
+
+Fixes: 8aa2f59260eb ("wifi: mt76: mt7921: introduce CSA support")
+Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
+Link: https://patch.msgid.link/20250716165443.28354-1-janusz.dziedzic@gmail.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7921/main.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+index 77f73ae1d7ecc..f6b431c422ebc 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+@@ -1457,11 +1457,8 @@ static int mt7921_pre_channel_switch(struct ieee80211_hw *hw,
+ if (vif->type != NL80211_IFTYPE_STATION || !vif->cfg.assoc)
+ return -EOPNOTSUPP;
+
+- /* Avoid beacon loss due to the CAC(Channel Availability Check) time
+- * of the AP.
+- */
+ if (!cfg80211_chandef_usable(hw->wiphy, &chsw->chandef,
+- IEEE80211_CHAN_RADAR))
++ IEEE80211_CHAN_DISABLED))
+ return -EOPNOTSUPP;
+
+ return 0;
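Review bot: The hunk deletes the comment that explained this check and leaves the new `IEEE80211_CHAN_DISABLED` test undocumented, so a reader cannot tell why a switch to a radar channel is now accepted. Replace it with something like `/* DFS targets are allowed: the AP is expected to have finished CAC; if it has not, beacon loss ends the connection */`, which is the reasoning given in the commit description. mt7921_pre_channel_switch() starts outside the hunk.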
+--
+2.50.1
+
--- /dev/null
+From 4c76c8215dab279991085b614663d9a213fd7e7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Jul 2025 07:04:13 -0700
+Subject: wifi: mt76: mt7925: fix locking in mt7925_change_vif_links()
+
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+
+[ Upstream commit 9f15701370ec15fbf1f6a1cbbf584b0018d036b5 ]
+
+&dev->mt76.mutex lock is taken using mt792x_mutex_acquire(dev) but not
+released in one of the error paths, add the unlock to fix it.
+
+Fixes: 5cd0bd815c8a ("wifi: mt76: mt7925: fix NULL deref check in mt7925_change_vif_links")
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/r/202503031055.3ZRqxhAl-lkp@intel.com/
+Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Link: https://patch.msgid.link/20250727140416.1153406-1-harshit.m.mogalapalli@oracle.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7925/main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
+index 5b001548dffce..328a06998c7b7 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
+@@ -2067,8 +2067,10 @@ mt7925_change_vif_links(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
+ GFP_KERNEL);
+ mlink = devm_kzalloc(dev->mt76.dev, sizeof(*mlink),
+ GFP_KERNEL);
+- if (!mconf || !mlink)
++ if (!mconf || !mlink) {
++ mt792x_mutex_release(dev);
+ return -ENOMEM;
++ }
+ }
+
+ mconfs[link_id] = mconf;
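Review bot: When only one of the two `devm_kzalloc()` calls fails, the other allocation stays attached to the device until it is unbound, because the new error branch releases the mutex but not the memory. Releasing whichever of `mconf` and `mlink` succeeded with `devm_kfree(dev->mt76.dev, ...)` before `mt792x_mutex_release(dev);` would keep repeated failures from accumulating. The enclosing loop and any shared unlock label are outside the hunk; if such a label exists, a `goto` to it is preferable to a second open-coded release.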
+--
+2.50.1
+
--- /dev/null
+From b5779a2f5c5f323d80f8c4e288035d5561e7753f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 10:53:49 +0200
+Subject: wifi: mt76: mt7996: add missing check for rx wcid entries
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit 4a522b01e368eec58d182ecc47d24f49a39e440d ]
+
+Non-station wcid entries must not be passed to the rx functions.
+In case of the global wcid entry, it could even lead to corruption in the wcid
+array due to pointer being casted to struct mt7996_sta_link using container_of.
+
+Fixes: 7464b12b7d92 ("wifi: mt76: mt7996: rework mt7996_rx_get_wcid to support MLO")
+Link: https://patch.msgid.link/20250827085352.51636-3-nbd@nbd.name
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+index b0fa051fc3094..a7a5ac8b7d265 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+@@ -62,7 +62,7 @@ static struct mt76_wcid *mt7996_rx_get_wcid(struct mt7996_dev *dev,
+ int i;
+
+ wcid = mt76_wcid_ptr(dev, idx);
+- if (!wcid)
++ if (!wcid || !wcid->sta)
+ return NULL;
+
+ if (!mt7996_band_valid(dev, band_idx))
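Review bot: The added `!wcid->sta` test carries a memory-safety requirement that the code does not state. Per the commit description, a non-station entry such as the global wcid must not reach the `container_of()` conversion to `struct mt7996_sta_link`. A one-line comment above the check, e.g. `/* only station entries are embedded in struct mt7996_sta_link */`, would keep a later cleanup from dropping it. The conversion itself is outside the hunk.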
+--
+2.50.1
+
--- /dev/null
+From 3bc1a65a6a8b5dbeede04705ae0530e945a98a5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Aug 2025 14:11:05 +0200
+Subject: wifi: mt76: mt7996: disable beacons when going offchannel
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit f30906c55a400a9b7fc677e3f4c614b9069bd4a8 ]
+
+Avoid leaking beacons on unrelated channels during scanning/roc
+
+Fixes: c56d6edebc1f ("wifi: mt76: mt7996: use emulated hardware scan support")
+Reported-by: Chad Monroe <chad.monroe@adtran.com>
+Link: https://patch.msgid.link/20250813121106.81559-1-nbd@nbd.name
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/mediatek/mt76/mt7996/mac.c | 46 +++++++++++--------
+ .../net/wireless/mediatek/mt76/mt7996/main.c | 5 ++
+ .../net/wireless/mediatek/mt76/mt7996/mcu.c | 11 +++--
+ .../wireless/mediatek/mt76/mt7996/mt7996.h | 1 +
+ 4 files changed, 42 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+index 37b21ad828b96..f675cf537898a 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+@@ -1696,43 +1696,53 @@ mt7996_wait_reset_state(struct mt7996_dev *dev, u32 state)
+ static void
+ mt7996_update_vif_beacon(void *priv, u8 *mac, struct ieee80211_vif *vif)
+ {
+- struct ieee80211_hw *hw = priv;
++ struct ieee80211_bss_conf *link_conf;
++ struct mt7996_phy *phy = priv;
++ struct mt7996_dev *dev = phy->dev;
++ unsigned int link_id;
++
+
+ switch (vif->type) {
+ case NL80211_IFTYPE_MESH_POINT:
+ case NL80211_IFTYPE_ADHOC:
+ case NL80211_IFTYPE_AP:
+- mt7996_mcu_add_beacon(hw, vif, &vif->bss_conf);
+ break;
+ default:
+- break;
++ return;
++ }
++
++ for_each_vif_active_link(vif, link_conf, link_id) {
++ struct mt7996_vif_link *link;
++
++ link = mt7996_vif_link(dev, vif, link_id);
++ if (!link || link->phy != phy)
++ continue;
++
++ mt7996_mcu_add_beacon(dev->mt76.hw, vif, link_conf);
+ }
+ }
+
++void mt7996_mac_update_beacons(struct mt7996_phy *phy)
++{
++ ieee80211_iterate_active_interfaces(phy->mt76->hw,
++ IEEE80211_IFACE_ITER_RESUME_ALL,
++ mt7996_update_vif_beacon, phy);
++}
++
+ static void
+ mt7996_update_beacons(struct mt7996_dev *dev)
+ {
+ struct mt76_phy *phy2, *phy3;
+
+- ieee80211_iterate_active_interfaces(dev->mt76.hw,
+- IEEE80211_IFACE_ITER_RESUME_ALL,
+- mt7996_update_vif_beacon, dev->mt76.hw);
++ mt7996_mac_update_beacons(&dev->phy);
+
+ phy2 = dev->mt76.phys[MT_BAND1];
+- if (!phy2)
+- return;
+-
+- ieee80211_iterate_active_interfaces(phy2->hw,
+- IEEE80211_IFACE_ITER_RESUME_ALL,
+- mt7996_update_vif_beacon, phy2->hw);
++ if (phy2)
++ mt7996_mac_update_beacons(phy2->priv);
+
+ phy3 = dev->mt76.phys[MT_BAND2];
+- if (!phy3)
+- return;
+-
+- ieee80211_iterate_active_interfaces(phy3->hw,
+- IEEE80211_IFACE_ITER_RESUME_ALL,
+- mt7996_update_vif_beacon, phy3->hw);
++ if (phy3)
++ mt7996_mac_update_beacons(phy3->priv);
+ }
+
+ void mt7996_tx_token_put(struct mt7996_dev *dev)
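Review bot: The return value of `mt7996_mcu_add_beacon()` is discarded in mt7996_update_vif_beacon(), and mt7996_mac_update_beacons() returns void. As a result mt7996_set_channel() (main.c hunk) cannot tell whether beacons were actually disabled before it moves to the off-channel frequency. If the MCU command fails, the beacon presumably keeps going out on the scan channel, which is the leak this patch is meant to close. At least log the failure in the link loop, e.g. `if (mt7996_mcu_add_beacon(dev->mt76.hw, vif, link_conf)) dev_err(dev->mt76.dev, "beacon update failed\n");`.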
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/main.c b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+index f41b2c98bc451..f6590ef85c0d0 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+@@ -516,6 +516,9 @@ int mt7996_set_channel(struct mt76_phy *mphy)
+ struct mt7996_phy *phy = mphy->priv;
+ int ret;
+
++ if (mphy->offchannel)
++ mt7996_mac_update_beacons(phy);
++
+ ret = mt7996_mcu_set_chan_info(phy, UNI_CHANNEL_SWITCH);
+ if (ret)
+ goto out;
+@@ -533,6 +536,8 @@ int mt7996_set_channel(struct mt76_phy *mphy)
+
+ mt7996_mac_reset_counters(phy);
+ phy->noise = 0;
++ if (!mphy->offchannel)
++ mt7996_mac_update_beacons(phy);
+
+ out:
+ ieee80211_queue_delayed_work(mphy->hw, &mphy->mac_work,
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+index dd4b7b8c34ea1..655950276840d 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+@@ -2755,13 +2755,15 @@ int mt7996_mcu_add_beacon(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
+ struct ieee80211_bss_conf *link_conf)
+ {
+ struct mt7996_dev *dev = mt7996_hw_dev(hw);
+- struct mt76_vif_link *mlink = mt76_vif_conf_link(&dev->mt76, vif, link_conf);
++ struct mt7996_vif_link *link = mt7996_vif_conf_link(dev, vif, link_conf);
++ struct mt76_vif_link *mlink = link ? &link->mt76 : NULL;
+ struct ieee80211_mutable_offsets offs;
+ struct ieee80211_tx_info *info;
+ struct sk_buff *skb, *rskb;
+ struct tlv *tlv;
+ struct bss_bcn_content_tlv *bcn;
+ int len, extra_len = 0;
++ bool enabled = link_conf->enable_beacon;
+
+ if (link_conf->nontransmitted)
+ return 0;
+@@ -2769,13 +2771,16 @@ int mt7996_mcu_add_beacon(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
+ if (!mlink)
+ return -EINVAL;
+
++ if (link->phy && link->phy->mt76->offchannel)
++ enabled = false;
++
+ rskb = __mt7996_mcu_alloc_bss_req(&dev->mt76, mlink,
+ MT7996_MAX_BSS_OFFLOAD_SIZE);
+ if (IS_ERR(rskb))
+ return PTR_ERR(rskb);
+
+ skb = ieee80211_beacon_get_template(hw, vif, &offs, link_conf->link_id);
+- if (link_conf->enable_beacon && !skb) {
++ if (enabled && !skb) {
+ dev_kfree_skb(rskb);
+ return -EINVAL;
+ }
+@@ -2794,7 +2799,7 @@ int mt7996_mcu_add_beacon(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
+ len = ALIGN(sizeof(*bcn) + MT_TXD_SIZE + extra_len, 4);
+ tlv = mt7996_mcu_add_uni_tlv(rskb, UNI_BSS_INFO_BCN_CONTENT, len);
+ bcn = (struct bss_bcn_content_tlv *)tlv;
+- bcn->enable = link_conf->enable_beacon;
++ bcn->enable = enabled;
+ if (!bcn->enable)
+ goto out;
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
+index 33ac16b64ef11..8509d508e1e19 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
+@@ -732,6 +732,7 @@ void mt7996_mac_write_txwi(struct mt7996_dev *dev, __le32 *txwi,
+ struct sk_buff *skb, struct mt76_wcid *wcid,
+ struct ieee80211_key_conf *key, int pid,
+ enum mt76_txq_id qid, u32 changed);
++void mt7996_mac_update_beacons(struct mt7996_phy *phy);
+ void mt7996_mac_set_coverage_class(struct mt7996_phy *phy);
+ void mt7996_mac_work(struct work_struct *work);
+ void mt7996_mac_reset_work(struct work_struct *work);
+--
+2.50.1
+
--- /dev/null
+From 89166a65dae1cea4db8a984842ae57e8ccd6f543 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Aug 2025 13:29:48 +0000
+Subject: wifi: mt76: mt7996: use the correct vif link for scanning/roc
+
+From: Chad Monroe <chad@monroe.io>
+
+[ Upstream commit 4be3b46ec5190dc79cd38e3750480b2c66a791ad ]
+
+restore fix which was dropped during MLO rework
+
+Fixes: f0b0b239b8f3 ("wifi: mt76: mt7996: rework mt7996_mac_write_txwi() for MLO support")
+Signed-off-by: Chad Monroe <chad@monroe.io>
+Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Link: https://patch.msgid.link/180fffd409aa57f535a3d2c1951e41ae398ce09e.1754659732.git.chad@monroe.io
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+index f675cf537898a..b0fa051fc3094 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+@@ -903,8 +903,12 @@ void mt7996_mac_write_txwi(struct mt7996_dev *dev, __le32 *txwi,
+ IEEE80211_TX_CTRL_MLO_LINK);
+
+ mvif = vif ? (struct mt7996_vif *)vif->drv_priv : NULL;
+- if (mvif)
+- mlink = rcu_dereference(mvif->mt76.link[link_id]);
++ if (mvif) {
++ if (wcid->offchannel)
++ mlink = rcu_dereference(mvif->mt76.offchannel_link);
++ if (!mlink)
++ mlink = rcu_dereference(mvif->mt76.link[link_id]);
++ }
+
+ if (mlink) {
+ omac_idx = mlink->omac_idx;
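Review bot: The new `if (!mlink)` fallback reads `mlink` even when `wcid->offchannel` is false, so it is only correct if `mlink` is initialised to NULL at its declaration, which is outside the hunk. Making the dependency local removes that risk: `mlink = wcid->offchannel ? rcu_dereference(mvif->mt76.offchannel_link) : NULL;`, followed by the existing `if (!mlink)` fallback. The block also dereferences `wcid` unconditionally; whether it can be NULL at this point is not visible here.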
+--
+2.50.1
+
--- /dev/null
+From 48c061febb044464bda5ea8a0fb055ffa56584b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Aug 2025 14:11:06 +0200
+Subject: wifi: mt76: prevent non-offchannel mgmt tx during scan/roc
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit 4c2334587b0a13b8f4eda1336ae657297fcd743b ]
+
+Only put probe request packets in the offchannel queue if
+IEEE80211_TX_CTRL_DONT_USE_RATE_MASK is set and IEEE80211_TX_CTL_TX_OFFCHAN
+is unset.
+
+Fixes: 0b3be9d1d34e ("wifi: mt76: add separate tx scheduling queue for off-channel tx")
+Reported-by: Chad Monroe <chad.monroe@adtran.com>
+Link: https://patch.msgid.link/20250813121106.81559-2-nbd@nbd.name
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/tx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/tx.c b/drivers/net/wireless/mediatek/mt76/tx.c
+index e6cf16706667e..03b042fdf997f 100644
+--- a/drivers/net/wireless/mediatek/mt76/tx.c
++++ b/drivers/net/wireless/mediatek/mt76/tx.c
+@@ -332,6 +332,7 @@ mt76_tx(struct mt76_phy *phy, struct ieee80211_sta *sta,
+ struct mt76_wcid *wcid, struct sk_buff *skb)
+ {
+ struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
++ struct ieee80211_hdr *hdr = (void *)skb->data;
+ struct sk_buff_head *head;
+
+ if (mt76_testmode_enabled(phy)) {
+@@ -349,7 +350,8 @@ mt76_tx(struct mt76_phy *phy, struct ieee80211_sta *sta,
+ info->hw_queue |= FIELD_PREP(MT_TX_HW_QUEUE_PHY, phy->band_idx);
+
+ if ((info->flags & IEEE80211_TX_CTL_TX_OFFCHAN) ||
+- (info->control.flags & IEEE80211_TX_CTRL_DONT_USE_RATE_MASK))
++ ((info->control.flags & IEEE80211_TX_CTRL_DONT_USE_RATE_MASK) &&
++ ieee80211_is_probe_req(hdr->frame_control)))
+ head = &wcid->tx_offchannel;
+ else
+ head = &wcid->tx_pending;
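Review bot: `hdr->frame_control` in the new condition is read straight from `skb->data`, and neither hunk shows a check that the skb is long enough to hold an 802.11 header. mt76_tx() begins and ends outside these hunks, so any such guarantee has to come from the caller. The pointer itself is set up in the previous hunk at `struct ieee80211_hdr *hdr = (void *)skb->data;`. The condition would also benefit from a comment such as `/* DONT_USE_RATE_MASK alone selects the offchannel queue only for probe requests */`.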
+--
+2.50.1
+
--- /dev/null
+From 1a55229ba6b41922671c9e55ee10700e11bcce34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 12:26:43 -0700
+Subject: xirc2ps_cs: fix register access when enabling FullDuplex
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit b79e498080b170fd94fc83bca2471f450811549b ]
+
+The current code incorrectly passes (XIRCREG1_ECR | FullDuplex) as
+the register address to GetByte(), instead of fetching the register
+value and OR-ing it with FullDuplex. This results in an invalid
+register access.
+
+Fix it by reading XIRCREG1_ECR first, then or-ing with FullDuplex
+before writing it back.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://patch.msgid.link/20250827192645.658496-1-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/xircom/xirc2ps_cs.c b/drivers/net/ethernet/xircom/xirc2ps_cs.c
+index a31d5d5e65936..97e88886253f5 100644
+--- a/drivers/net/ethernet/xircom/xirc2ps_cs.c
++++ b/drivers/net/ethernet/xircom/xirc2ps_cs.c
+@@ -1576,7 +1576,7 @@ do_reset(struct net_device *dev, int full)
+ msleep(40); /* wait 40 msec to let it complete */
+ }
+ if (full_duplex)
+- PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR | FullDuplex));
++ PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR) | FullDuplex);
+ } else { /* No MII */
+ SelectPage(0);
+ value = GetByte(XIRCREG_ESR); /* read the ESR */
+--
+2.50.1
+
--- /dev/null
+From 360ccf629d7c254209590a5713a47c3dc0cf6b16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Sep 2025 12:46:42 +0000
+Subject: ax25: properly unshare skbs in ax25_kiss_rcv()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 8156210d36a43e76372312c87eb5ea3dbb405a85 ]
+
+Bernard Pidoux reported a regression apparently caused by commit
+c353e8983e0d ("net: introduce per netns packet chains").
+
+skb->dev becomes NULL and we crash in __netif_receive_skb_core().
+
+Before above commit, different kind of bugs or corruptions could happen
+without a major crash.
+
+But the root cause is that ax25_kiss_rcv() can queue/mangle input skb
+without checking if this skb is shared or not.
+
+Many thanks to Bernard Pidoux for his help, diagnosis and tests.
+
+We had a similar issue years ago fixed with commit 7aaed57c5c28
+("phonet: properly unshare skbs in phonet_rcv()").
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Bernard Pidoux <f6bvp@free.fr>
+Closes: https://lore.kernel.org/netdev/1713f383-c538-4918-bc64-13b3288cd542@free.fr/
+Tested-by: Bernard Pidoux <f6bvp@free.fr>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Joerg Reuter <jreuter@yaina.de>
+Cc: David Ranch <dranch@trinnet.net>
+Cc: Folkert van Heusden <folkert@vanheusden.com>
+Reviewed-by: Dan Cross <crossd@gmail.com>
+Link: https://patch.msgid.link/20250902124642.212705-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ax25/ax25_in.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/ax25/ax25_in.c b/net/ax25/ax25_in.c
+index 1cac25aca6378..f2d66af863595 100644
+--- a/net/ax25/ax25_in.c
++++ b/net/ax25/ax25_in.c
+@@ -433,6 +433,10 @@ static int ax25_rcv(struct sk_buff *skb, struct net_device *dev,
+ int ax25_kiss_rcv(struct sk_buff *skb, struct net_device *dev,
+ struct packet_type *ptype, struct net_device *orig_dev)
+ {
++ skb = skb_share_check(skb, GFP_ATOMIC);
++ if (!skb)
++ return NET_RX_DROP;
++
+ skb_orphan(skb);
+
+ if (!net_eq(dev_net(dev), &init_net)) {
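Review bot: The early `return NET_RX_DROP;` frees nothing, which is correct only because skb_share_check() drops the caller's reference itself when the clone fails. A comment saying so would stop a later reader from adding a kfree_skb() there and creating a double free. Suggested wording above the call: `/* the receive path queues and modifies the skb, so take a private copy; on failure skb_share_check() has already released ours */`. ax25_kiss_rcv() continues past the end of the hunk.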
+--
+2.50.1
+
--- /dev/null
+From dd171d6d9578573e55b655a38adf443bba854b9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 20:40:14 +0000
+Subject: Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 862c628108562d8c7a516a900034823b381d3cba ]
+
+syzbot reported the splat below without a repro.
+
+In the splat, a single thread calling bt_accept_dequeue() freed sk
+and touched it after that.
+
+The root cause would be the racy l2cap_sock_cleanup_listen() call
+added by the cited commit.
+
+bt_accept_dequeue() is called under lock_sock() except for
+l2cap_sock_release().
+
+Two threads could see the same socket during the list iteration
+in bt_accept_dequeue():
+
+ CPU1 CPU2 (close())
+ ---- ----
+ sock_hold(sk) sock_hold(sk);
+ lock_sock(sk) <-- block close()
+ sock_put(sk)
+ bt_accept_unlink(sk)
+ sock_put(sk) <-- refcnt by bt_accept_enqueue()
+ release_sock(sk)
+ lock_sock(sk)
+ sock_put(sk)
+ bt_accept_unlink(sk)
+ sock_put(sk) <-- last refcnt
+ bt_accept_unlink(sk) <-- UAF
+
+Depending on the timing, the other thread could show up in the
+"Freed by task" part.
+
+Let's call l2cap_sock_cleanup_listen() under lock_sock() in
+l2cap_sock_release().
+
+[0]:
+BUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
+BUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115
+Read of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995
+CPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xcd/0x630 mm/kasan/report.c:482
+ kasan_report+0xe0/0x110 mm/kasan/report.c:595
+ debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
+ do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115
+ spin_lock_bh include/linux/spinlock.h:356 [inline]
+ release_sock+0x21/0x220 net/core/sock.c:3746
+ bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312
+ l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451
+ l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425
+ __sock_release+0xb3/0x270 net/socket.c:649
+ sock_close+0x1c/0x30 net/socket.c:1439
+ __fput+0x3ff/0xb70 fs/file_table.c:468
+ task_work_run+0x14d/0x240 kernel/task_work.c:227
+ resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+ exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
+ exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
+ syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
+ syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
+ do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f2accf8ebe9
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
+RAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9
+RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
+RBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f
+R10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c
+R13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490
+ </TASK>
+
+Allocated by task 5326:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:68
+ poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
+ __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
+ kasan_kmalloc include/linux/kasan.h:260 [inline]
+ __do_kmalloc_node mm/slub.c:4365 [inline]
+ __kmalloc_noprof+0x223/0x510 mm/slub.c:4377
+ kmalloc_noprof include/linux/slab.h:909 [inline]
+ sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2239
+ sk_alloc+0x36/0xc20 net/core/sock.c:2295
+ bt_sock_alloc+0x3b/0x3a0 net/bluetooth/af_bluetooth.c:151
+ l2cap_sock_alloc.constprop.0+0x33/0x1d0 net/bluetooth/l2cap_sock.c:1894
+ l2cap_sock_new_connection_cb+0x101/0x240 net/bluetooth/l2cap_sock.c:1482
+ l2cap_connect_cfm+0x4c4/0xf80 net/bluetooth/l2cap_core.c:7287
+ hci_connect_cfm include/net/bluetooth/hci_core.h:2050 [inline]
+ hci_remote_features_evt+0x4dd/0x970 net/bluetooth/hci_event.c:3712
+ hci_event_func net/bluetooth/hci_event.c:7519 [inline]
+ hci_event_packet+0xa0d/0x11c0 net/bluetooth/hci_event.c:7573
+ hci_rx_work+0x2c5/0x16b0 net/bluetooth/hci_core.c:4071
+ process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
+ process_scheduled_works kernel/workqueue.c:3319 [inline]
+ worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
+ kthread+0x3c2/0x780 kernel/kthread.c:463
+ ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
+
+Freed by task 16995:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:68
+ kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
+ poison_slab_object mm/kasan/common.c:243 [inline]
+ __kasan_slab_free+0x60/0x70 mm/kasan/common.c:275
+ kasan_slab_free include/linux/kasan.h:233 [inline]
+ slab_free_hook mm/slub.c:2417 [inline]
+ slab_free mm/slub.c:4680 [inline]
+ kfree+0x2b4/0x4d0 mm/slub.c:4879
+ sk_prot_free net/core/sock.c:2278 [inline]
+ __sk_destruct+0x75f/0x9a0 net/core/sock.c:2373
+ sk_destruct+0xc2/0xf0 net/core/sock.c:2401
+ __sk_free+0xf4/0x3e0 net/core/sock.c:2412
+ sk_free+0x6a/0x90 net/core/sock.c:2423
+ sock_put include/net/sock.h:1960 [inline]
+ bt_accept_unlink+0x245/0x2e0 net/bluetooth/af_bluetooth.c:262
+ bt_accept_dequeue+0x517/0x600 net/bluetooth/af_bluetooth.c:308
+ l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451
+ l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425
+ __sock_release+0xb3/0x270 net/socket.c:649
+ sock_close+0x1c/0x30 net/socket.c:1439
+ __fput+0x3ff/0xb70 fs/file_table.c:468
+ task_work_run+0x14d/0x240 kernel/task_work.c:227
+ resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+ exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
+ exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
+ syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
+ syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
+ do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 1728137b33c0 ("Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb")
+Reported-by: syzbot+e5e64cdf8e92046dd3e1@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-bluetooth/68af6b9d.a70a0220.3cafd4.0032.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
+index 9a906977c8723..59630dbeda20d 100644
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1406,7 +1406,10 @@ static int l2cap_sock_release(struct socket *sock)
+ if (!sk)
+ return 0;
+
++ lock_sock_nested(sk, L2CAP_NESTING_PARENT);
+ l2cap_sock_cleanup_listen(sk);
++ release_sock(sk);
++
+ bt_sock_unlink(&l2cap_sk_list, sk);
+
+ err = l2cap_sock_shutdown(sock, SHUT_RDWR);
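Review bot: The lock taken at `lock_sock_nested(sk, L2CAP_NESTING_PARENT)` is dropped again before `bt_sock_unlink()` and `l2cap_sock_shutdown()`, so the listen cleanup and the shutdown run as two separate critical sections. Whether a child can still be queued on `sk` in between is not visible from this hunk and is worth confirming. The subclass choice also deserves a comment, since the trace in the commit message shows bt_accept_dequeue() handling socket locks of its own: `/* parent lock; bt_accept_dequeue() locks each child inside */`. l2cap_sock_release() starts before and continues after the hunk.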
+--
+2.50.1
+
--- /dev/null
+From 848a4154c345d39c2a5073fb78b4acf8cc9f566e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 10:53:25 -0400
+Subject: Bluetooth: vhci: Prevent use-after-free by removing debugfs files
+ early
+
+From: Ivan Pravdin <ipravdin.official@gmail.com>
+
+[ Upstream commit 28010791193a4503f054e8d69a950ef815deb539 ]
+
+Move the creation of debugfs files into a dedicated function, and ensure
+they are explicitly removed during vhci_release(), before associated
+data structures are freed.
+
+Previously, debugfs files such as "force_suspend", "force_wakeup", and
+others were created under hdev->debugfs but not removed in
+vhci_release(). Since vhci_release() frees the backing vhci_data
+structure, any access to these files after release would result in
+use-after-free errors.
+
+Although hdev->debugfs is later freed in hci_release_dev(), user can
+access files after vhci_data is freed but before hdev->debugfs is
+released.
+
+Fixes: ab4e4380d4e1 ("Bluetooth: Add vhci devcoredump support")
+Signed-off-by: Ivan Pravdin <ipravdin.official@gmail.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_vhci.c | 57 ++++++++++++++++++++++++++----------
+ 1 file changed, 41 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
+index 4bfc78f9781ed..0935045051699 100644
+--- a/drivers/bluetooth/hci_vhci.c
++++ b/drivers/bluetooth/hci_vhci.c
+@@ -380,6 +380,28 @@ static const struct file_operations force_devcoredump_fops = {
+ .write = force_devcd_write,
+ };
+
++static void vhci_debugfs_init(struct vhci_data *data)
++{
++ struct hci_dev *hdev = data->hdev;
++
++ debugfs_create_file("force_suspend", 0644, hdev->debugfs, data,
++ &force_suspend_fops);
++
++ debugfs_create_file("force_wakeup", 0644, hdev->debugfs, data,
++ &force_wakeup_fops);
++
++ if (IS_ENABLED(CONFIG_BT_MSFTEXT))
++ debugfs_create_file("msft_opcode", 0644, hdev->debugfs, data,
++ &msft_opcode_fops);
++
++ if (IS_ENABLED(CONFIG_BT_AOSPEXT))
++ debugfs_create_file("aosp_capable", 0644, hdev->debugfs, data,
++ &aosp_capable_fops);
++
++ debugfs_create_file("force_devcoredump", 0644, hdev->debugfs, data,
++ &force_devcoredump_fops);
++}
++
+ static int __vhci_create_device(struct vhci_data *data, __u8 opcode)
+ {
+ struct hci_dev *hdev;
+@@ -435,22 +457,8 @@ static int __vhci_create_device(struct vhci_data *data, __u8 opcode)
+ return -EBUSY;
+ }
+
+- debugfs_create_file("force_suspend", 0644, hdev->debugfs, data,
+- &force_suspend_fops);
+-
+- debugfs_create_file("force_wakeup", 0644, hdev->debugfs, data,
+- &force_wakeup_fops);
+-
+- if (IS_ENABLED(CONFIG_BT_MSFTEXT))
+- debugfs_create_file("msft_opcode", 0644, hdev->debugfs, data,
+- &msft_opcode_fops);
+-
+- if (IS_ENABLED(CONFIG_BT_AOSPEXT))
+- debugfs_create_file("aosp_capable", 0644, hdev->debugfs, data,
+- &aosp_capable_fops);
+-
+- debugfs_create_file("force_devcoredump", 0644, hdev->debugfs, data,
+- &force_devcoredump_fops);
++ if (!IS_ERR_OR_NULL(hdev->debugfs))
++ vhci_debugfs_init(data);
+
+ hci_skb_pkt_type(skb) = HCI_VENDOR_PKT;
+
+@@ -652,6 +660,21 @@ static int vhci_open(struct inode *inode, struct file *file)
+ return 0;
+ }
+
++static void vhci_debugfs_remove(struct hci_dev *hdev)
++{
++ debugfs_lookup_and_remove("force_suspend", hdev->debugfs);
++
++ debugfs_lookup_and_remove("force_wakeup", hdev->debugfs);
++
++ if (IS_ENABLED(CONFIG_BT_MSFTEXT))
++ debugfs_lookup_and_remove("msft_opcode", hdev->debugfs);
++
++ if (IS_ENABLED(CONFIG_BT_AOSPEXT))
++ debugfs_lookup_and_remove("aosp_capable", hdev->debugfs);
++
++ debugfs_lookup_and_remove("force_devcoredump", hdev->debugfs);
++}
++
+ static int vhci_release(struct inode *inode, struct file *file)
+ {
+ struct vhci_data *data = file->private_data;
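Review bot: vhci_debugfs_remove() repeats the five file names and the two IS_ENABLED() conditions of vhci_debugfs_init() by hand, so a file added to one list and not the other would again outlive the vhci_data it points at. Nothing in the code ties the two functions together. A comment on both, such as `/* keep in sync with vhci_debugfs_init(): every file created there holds a vhci_data pointer */`, would make the invariant explicit.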
+@@ -663,6 +686,8 @@ static int vhci_release(struct inode *inode, struct file *file)
+ hdev = data->hdev;
+
+ if (hdev) {
++ if (!IS_ERR_OR_NULL(hdev->debugfs))
++ vhci_debugfs_remove(hdev);
+ hci_unregister_dev(hdev);
+ hci_free_dev(hdev);
+ }
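Review bot: The placement of `vhci_debugfs_remove(hdev)` ahead of `hci_unregister_dev(hdev)` is the substance of the fix, yet the code does not say why the order matters. The free of `data` that the debugfs files would otherwise dangle on is outside this hunk. Suggested comment above the call: `/* drop debugfs files that reference vhci_data before it is freed */`.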
+--
+2.50.1
+
--- /dev/null
+From 9652c4c0c6d8a6e9fdbb0377d1545aeca7728a7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 19:56:31 +0800
+Subject: i40e: Fix potential invalid access when MAC list is empty
+
+From: Zhen Ni <zhen.ni@easystack.cn>
+
+[ Upstream commit a556f06338e1d5a85af0e32ecb46e365547f92b9 ]
+
+list_first_entry() never returns NULL - if the list is empty, it still
+returns a pointer to an invalid object, leading to potential invalid
+memory access when dereferenced.
+
+Fix this by using list_first_entry_or_null instead of list_first_entry.
+
+Fixes: e3219ce6a775 ("i40e: Add support for client interface for IWARP driver")
+Signed-off-by: Zhen Ni <zhen.ni@easystack.cn>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_client.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_client.c b/drivers/net/ethernet/intel/i40e/i40e_client.c
+index 306758428aefd..a569d2fcc90af 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_client.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_client.c
+@@ -361,8 +361,8 @@ static void i40e_client_add_instance(struct i40e_pf *pf)
+ if (i40e_client_get_params(vsi, &cdev->lan_info.params))
+ goto free_cdev;
+
+- mac = list_first_entry(&cdev->lan_info.netdev->dev_addrs.list,
+- struct netdev_hw_addr, list);
++ mac = list_first_entry_or_null(&cdev->lan_info.netdev->dev_addrs.list,
++ struct netdev_hw_addr, list);
+ if (mac)
+ ether_addr_copy(cdev->lan_info.lanmac, mac->addr);
+ else
+--
+2.50.1
+
--- /dev/null
+From 904f68af634a9d837339a218c74dab784a99f858 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Aug 2025 11:14:35 +0200
+Subject: icmp: fix icmp_ndo_send address translation for reply direction
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fabian Bläse <fabian@blaese.de>
+
+[ Upstream commit c6dd1aa2cbb72b33e0569f3e71d95792beab5042 ]
+
+The icmp_ndo_send function was originally introduced to ensure proper
+rate limiting when icmp_send is called by a network device driver,
+where the packet's source address may have already been transformed
+by SNAT.
+
+However, the original implementation only considers the
+IP_CT_DIR_ORIGINAL direction for SNAT and always replaced the packet's
+source address with that of the original-direction tuple. This causes
+two problems:
+
+1. For SNAT:
+ Reply-direction packets were incorrectly translated using the source
+ address of the CT original direction, even though no translation is
+ required.
+
+2. For DNAT:
+ Reply-direction packets were not handled at all. In DNAT, the original
+ direction's destination is translated. Therefore, in the reply
+ direction the source address must be set to the reply-direction
+ source, so rate limiting works as intended.
+
+Fix this by using the connection direction to select the correct tuple
+for source address translation, and adjust the pre-checks to handle
+reply-direction packets in case of DNAT.
+
+Additionally, wrap the `ct->status` access in READ_ONCE(). This avoids
+possible KCSAN reports about concurrent updates to `ct->status`.
+
+Fixes: 0b41713b6066 ("icmp: introduce helper for nat'd source address in network device context")
+Signed-off-by: Fabian Bläse <fabian@blaese.de>
+Cc: Jason A. Donenfeld <Jason@zx2c4.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/icmp.c | 6 ++++--
+ net/ipv6/ip6_icmp.c | 6 ++++--
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index 94501bb30c431..b17549c4e5de8 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -801,11 +801,12 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info)
+ struct sk_buff *cloned_skb = NULL;
+ struct ip_options opts = { 0 };
+ enum ip_conntrack_info ctinfo;
++ enum ip_conntrack_dir dir;
+ struct nf_conn *ct;
+ __be32 orig_ip;
+
+ ct = nf_ct_get(skb_in, &ctinfo);
+- if (!ct || !(ct->status & IPS_SRC_NAT)) {
++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) {
+ __icmp_send(skb_in, type, code, info, &opts);
+ return;
+ }
+@@ -820,7 +821,8 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info)
+ goto out;
+
+ orig_ip = ip_hdr(skb_in)->saddr;
+- ip_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.ip;
++ dir = CTINFO2DIR(ctinfo);
++ ip_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.ip;
+ __icmp_send(skb_in, type, code, info, &opts);
+ ip_hdr(skb_in)->saddr = orig_ip;
+ out:
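Review bot: The rewrite at `ip_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.ip` now serves both the SNAT and the DNAT case, which is not obvious from the line itself now that the pre-check tests IPS_NAT_MASK. A comment would help, e.g. `/* source address of this packet's direction as it was before NAT, so rate limiting sees the untranslated sender */`. The same applies to the matching assignment in the icmpv6_ndo_send() hunk of net/ipv6/ip6_icmp.c. Both functions start before and end after their hunks.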
+diff --git a/net/ipv6/ip6_icmp.c b/net/ipv6/ip6_icmp.c
+index 9e3574880cb03..233914b63bdb8 100644
+--- a/net/ipv6/ip6_icmp.c
++++ b/net/ipv6/ip6_icmp.c
+@@ -54,11 +54,12 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info)
+ struct inet6_skb_parm parm = { 0 };
+ struct sk_buff *cloned_skb = NULL;
+ enum ip_conntrack_info ctinfo;
++ enum ip_conntrack_dir dir;
+ struct in6_addr orig_ip;
+ struct nf_conn *ct;
+
+ ct = nf_ct_get(skb_in, &ctinfo);
+- if (!ct || !(ct->status & IPS_SRC_NAT)) {
++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) {
+ __icmpv6_send(skb_in, type, code, info, &parm);
+ return;
+ }
+@@ -73,7 +74,8 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info)
+ goto out;
+
+ orig_ip = ipv6_hdr(skb_in)->saddr;
+- ipv6_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.in6;
++ dir = CTINFO2DIR(ctinfo);
++ ipv6_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.in6;
+ __icmpv6_send(skb_in, type, code, info, &parm);
+ ipv6_hdr(skb_in)->saddr = orig_ip;
+ out:
+--
+2.50.1
+
--- /dev/null
+From 634e182306260bd0c3d379c1a7ec6189cb4a5aea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Sep 2025 09:36:08 +0300
+Subject: ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit a51160f8da850a65afbf165f5bbac7ffb388bf74 ]
+
+The inetdev_init() function never returns NULL. Check for error
+pointers instead.
+
+Fixes: 22600596b675 ("ipv4: give an IPv4 dev to blackhole_netdev")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/aLaQWL9NguWmeM1i@stanley.mountain
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/devinet.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
+index c33b1ecc591e4..798497c8b1923 100644
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -336,14 +336,13 @@ static void inetdev_destroy(struct in_device *in_dev)
+
+ static int __init inet_blackhole_dev_init(void)
+ {
+- int err = 0;
++ struct in_device *in_dev;
+
+ rtnl_lock();
+- if (!inetdev_init(blackhole_netdev))
+- err = -ENOMEM;
++ in_dev = inetdev_init(blackhole_netdev);
+ rtnl_unlock();
+
+- return err;
++ return PTR_ERR_OR_ZERO(in_dev);
+ }
+ late_initcall(inet_blackhole_dev_init);
+
+--
+2.50.1
+
--- /dev/null
+From 22f0a3a98764de9c25a3da16081f2504d60f0709 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 20:55:40 +0200
+Subject: macsec: read MACSEC_SA_ATTR_PN with nla_get_uint
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 030e1c45666629f72d0fc1d040f9d2915680de8e ]
+
+The code currently reads both U32 attributes and U64 attributes as
+U64, so when a U32 attribute is provided by userspace (ie, when not
+using XPN), on big endian systems, we'll load that value into the
+upper 32bits of the next_pn field instead of the lower 32bits. This
+means that the value that userspace provided is ignored (we only care
+about the lower 32bits for non-XPN), and we'll start using PNs from 0.
+
+Switch to nla_get_uint, which will read the value correctly on all
+arches, whether it's 32b or 64b.
+
+Fixes: 48ef50fa866a ("macsec: Netlink support of XPN cipher suites (IEEE 802.1AEbw)")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/1c1df1661b89238caf5beefb84a10ebfd56c66ea.1756459839.git.sd@queasysnail.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macsec.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index 767053d6c6b6f..af6cc3e90ef7c 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -1840,7 +1840,7 @@ static int macsec_add_rxsa(struct sk_buff *skb, struct genl_info *info)
+
+ if (tb_sa[MACSEC_SA_ATTR_PN]) {
+ spin_lock_bh(&rx_sa->lock);
+- rx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]);
++ rx_sa->next_pn = nla_get_uint(tb_sa[MACSEC_SA_ATTR_PN]);
+ spin_unlock_bh(&rx_sa->lock);
+ }
+
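Review bot: nla_get_uint() chooses between a 32-bit and a 64-bit read from the attribute's length, so `nla_get_uint(tb_sa[MACSEC_SA_ATTR_PN])` is only safe when that length has already been limited to 4 or 8 bytes. No such check is visible in this hunk or in the macsec_add_txsa(), macsec_upd_txsa() and macsec_upd_rxsa() hunks below. If the netlink policy or a validate helper enforces it, a short comment at one call site would record the dependency, e.g. `/* PN length (4, or 8 for XPN) was validated earlier */`. The value is the SA's packet number, so a wrong-width read changes which PNs are used.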
+@@ -2082,7 +2082,7 @@ static int macsec_add_txsa(struct sk_buff *skb, struct genl_info *info)
+ }
+
+ spin_lock_bh(&tx_sa->lock);
+- tx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]);
++ tx_sa->next_pn = nla_get_uint(tb_sa[MACSEC_SA_ATTR_PN]);
+ spin_unlock_bh(&tx_sa->lock);
+
+ if (tb_sa[MACSEC_SA_ATTR_ACTIVE])
+@@ -2394,7 +2394,7 @@ static int macsec_upd_txsa(struct sk_buff *skb, struct genl_info *info)
+
+ spin_lock_bh(&tx_sa->lock);
+ prev_pn = tx_sa->next_pn_halves;
+- tx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]);
++ tx_sa->next_pn = nla_get_uint(tb_sa[MACSEC_SA_ATTR_PN]);
+ spin_unlock_bh(&tx_sa->lock);
+ }
+
+@@ -2492,7 +2492,7 @@ static int macsec_upd_rxsa(struct sk_buff *skb, struct genl_info *info)
+
+ spin_lock_bh(&rx_sa->lock);
+ prev_pn = rx_sa->next_pn_halves;
+- rx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]);
++ rx_sa->next_pn = nla_get_uint(tb_sa[MACSEC_SA_ATTR_PN]);
+ spin_unlock_bh(&rx_sa->lock);
+ }
+
+--
+2.50.1
+
--- /dev/null
+From 36d729f7a48b504a73cdc08d1232c40e783743b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Sep 2025 03:20:55 -0700
+Subject: mctp: return -ENOPROTOOPT for unknown getsockopt options
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit a125c8fb9ddbcb0602103a50727a476fd30dec01 ]
+
+In mctp_getsockopt(), unrecognized options currently return -EINVAL.
+In contrast, mctp_setsockopt() returns -ENOPROTOOPT for unknown
+options.
+
+Update mctp_getsockopt() to also return -ENOPROTOOPT for unknown
+options. This aligns the behavior of getsockopt() and setsockopt(),
+and matches the standard kernel socket API convention for handling
+unsupported options.
+
+Fixes: 99ce45d5e7db ("mctp: Implement extended addressing")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://patch.msgid.link/20250902102059.1370008-1-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mctp/af_mctp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mctp/af_mctp.c b/net/mctp/af_mctp.c
+index 5f9592fb57add..805f7376cebe3 100644
+--- a/net/mctp/af_mctp.c
++++ b/net/mctp/af_mctp.c
+@@ -346,7 +346,7 @@ static int mctp_getsockopt(struct socket *sock, int level, int optname,
+ return 0;
+ }
+
+- return -EINVAL;
++ return -ENOPROTOOPT;
+ }
+
+ static int mctp_ioctl_alloctag(struct mctp_sock *msk, unsigned long arg)
+--
+2.50.1
+
--- /dev/null
+From b8a05fd7e5affe543feeebda20def620ece1b078 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Aug 2025 16:14:57 +0800
+Subject: mISDN: Fix memory leak in dsp_hwec_enable()
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 0704a3da7ce50f972e898bbda88d2692a22922d9 ]
+
+dsp_hwec_enable() allocates dup pointer by kstrdup(arg),
+but then it updates dup variable by strsep(&dup, ",").
+As a result when it calls kfree(dup), the dup variable may be
+a modified pointer that no longer points to the original allocated
+memory, causing a memory leak.
+
+The issue is the same pattern as fixed in commit c6a502c22999
+("mISDN: Fix memory leak in dsp_pipeline_build()").
+
+Fixes: 9a4381618262 ("mISDN: Remove VLAs")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250828081457.36061-1-linmq006@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/mISDN/dsp_hwec.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/isdn/mISDN/dsp_hwec.c b/drivers/isdn/mISDN/dsp_hwec.c
+index 0b3f29195330a..0cd216e28f009 100644
+--- a/drivers/isdn/mISDN/dsp_hwec.c
++++ b/drivers/isdn/mISDN/dsp_hwec.c
+@@ -51,14 +51,14 @@ void dsp_hwec_enable(struct dsp *dsp, const char *arg)
+ goto _do;
+
+ {
+- char *dup, *tok, *name, *val;
++ char *dup, *next, *tok, *name, *val;
+ int tmp;
+
+- dup = kstrdup(arg, GFP_ATOMIC);
++ dup = next = kstrdup(arg, GFP_ATOMIC);
+ if (!dup)
+ return;
+
+- while ((tok = strsep(&dup, ","))) {
++ while ((tok = strsep(&next, ","))) {
+ if (!strlen(tok))
+ continue;
+ name = strsep(&tok, "=");
+--
+2.50.1
+
--- /dev/null
+From 88295c606db5424591125afeee4c6bdf2646343d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Sep 2025 14:35:37 +0800
+Subject: net: atm: fix memory leak in atm_register_sysfs when device_register
+ fail
+
+From: Wang Liang <wangliang74@huawei.com>
+
+[ Upstream commit 0a228624bcc00af41f281a2a84c928595a74c17d ]
+
+When device_register() return error in atm_register_sysfs(), which can be
+triggered by kzalloc fail in device_private_init() or other reasons,
+kmemleak reports the following memory leaks:
+
+unreferenced object 0xffff88810182fb80 (size 8):
+ comm "insmod", pid 504, jiffies 4294852464
+ hex dump (first 8 bytes):
+ 61 64 75 6d 6d 79 30 00 adummy0.
+ backtrace (crc 14dfadaf):
+ __kmalloc_node_track_caller_noprof+0x335/0x450
+ kvasprintf+0xb3/0x130
+ kobject_set_name_vargs+0x45/0x120
+ dev_set_name+0xa9/0xe0
+ atm_register_sysfs+0xf3/0x220
+ atm_dev_register+0x40b/0x780
+ 0xffffffffa000b089
+ do_one_initcall+0x89/0x300
+ do_init_module+0x27b/0x7d0
+ load_module+0x54cd/0x5ff0
+ init_module_from_file+0xe4/0x150
+ idempotent_init_module+0x32c/0x610
+ __x64_sys_finit_module+0xbd/0x120
+ do_syscall_64+0xa8/0x270
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+When device_create_file() return error in atm_register_sysfs(), the same
+issue also can be triggered.
+
+Function put_device() should be called to release kobj->name memory and
+other device resource, instead of kfree().
+
+Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
+Signed-off-by: Wang Liang <wangliang74@huawei.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250901063537.1472221-1-wangliang74@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/atm/resources.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/atm/resources.c b/net/atm/resources.c
+index b19d851e1f443..7c6fdedbcf4e5 100644
+--- a/net/atm/resources.c
++++ b/net/atm/resources.c
+@@ -112,7 +112,9 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent,
+
+ if (atm_proc_dev_register(dev) < 0) {
+ pr_err("atm_proc_dev_register failed for dev %s\n", type);
+- goto out_fail;
++ mutex_unlock(&atm_dev_mutex);
++ kfree(dev);
++ return NULL;
+ }
+
+ if (atm_register_sysfs(dev, parent) < 0) {
+@@ -128,7 +130,7 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent,
+ return dev;
+
+ out_fail:
+- kfree(dev);
++ put_device(&dev->class_dev);
+ dev = NULL;
+ goto out;
+ }
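Review bot: At `out_fail`, `put_device(&dev->class_dev)` is only correct if `class_dev` has already been initialised by the driver core and if its release callback is what frees `dev`; neither is visible in these hunks. The first hunk now handles the atm_proc_dev_register() failure inline with kfree(), so the label appears to be reached only after atm_register_sysfs() has failed, and the change relies on that function having called device_register() on every error return. A comment on the label would stop a later `goto out_fail` from being added ahead of that point: `/* only after atm_register_sysfs(): class_dev is initialised and its release frees dev */`. atm_dev_register() begins and ends outside the hunks.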
+--
+2.50.1
+
--- /dev/null
+From 614be817df275cc03dfc344cb2ee9e9b021b9451 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Aug 2025 20:20:07 +0200
+Subject: net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit d4736737110ffa83d29f1c5d17b26113864205f6 ]
+
+When sending llc packets with vlan tx offload, the hardware fails to
+actually add the tag. Deal with this by fixing it up in software.
+
+Fixes: 656e705243fd ("net-next: mediatek: add support for MT7623 ethernet")
+Reported-by: Thibaut VARENE <hacks@slashdirt.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250831182007.51619-1-nbd@nbd.name
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index cb8efc952dfda..aefe2af6f01d4 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -1586,6 +1586,13 @@ static netdev_tx_t mtk_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ bool gso = false;
+ int tx_num;
+
++ if (skb_vlan_tag_present(skb) &&
++ !eth_proto_is_802_3(eth_hdr(skb)->h_proto)) {
++ skb = __vlan_hwaccel_push_inside(skb);
++ if (!skb)
++ goto dropped;
++ }
++
+ /* normally we can rely on the stack not calling this more than once,
+ * however we have 2 queues running on the same ring so we need to lock
+ * the ring access
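Review bot: The block added at the top of mtk_start_xmit() has no comment explaining why the tag is pushed in software, and the `dropped:` label in the second hunk skips dev_kfree_skb_any() without saying why that is safe. I would add `/* HW does not insert the VLAN tag into LLC frames, push it into the payload here */` above the `if`, and `/* skb was already freed by __vlan_hwaccel_push_inside() */` at the label. The jump happens before the ring lock is taken, so bypassing spin_unlock() is consistent. It does assume `stats` is already initialised at its declaration above the hunk.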
+@@ -1631,8 +1638,9 @@ static netdev_tx_t mtk_start_xmit(struct sk_buff *skb, struct net_device *dev)
+
+ drop:
+ spin_unlock(ð->page_lock);
+- stats->tx_dropped++;
+ dev_kfree_skb_any(skb);
++dropped:
++ stats->tx_dropped++;
+ return NETDEV_TX_OK;
+ }
+
+--
+2.50.1
+
--- /dev/null
+From 71380180bcd166a2746056783278b13fcce604d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 10:35:21 -0400
+Subject: net: macb: Fix tx_ptr_lock locking
+
+From: Sean Anderson <sean.anderson@linux.dev>
+
+[ Upstream commit 6bc8a5098bf4a365c4086a4a4130bfab10a58260 ]
+
+macb_start_xmit and macb_tx_poll can be called with bottom-halves
+disabled (e.g. from softirq) as well as with interrupts disabled (with
+netpoll). Because of this, all other functions taking tx_ptr_lock must
+use spin_lock_irqsave.
+
+Fixes: 138badbc21a0 ("net: macb: use NAPI for TX completion path")
+Reported-by: Mike Galbraith <efault@gmx.de>
+Signed-off-by: Sean Anderson <sean.anderson@linux.dev>
+Link: https://patch.msgid.link/20250829143521.1686062-1-sean.anderson@linux.dev
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 28 ++++++++++++++----------
+ 1 file changed, 16 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index 534e7f7bca4c2..b836ab2a649a2 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -1234,11 +1234,12 @@ static int macb_tx_complete(struct macb_queue *queue, int budget)
+ {
+ struct macb *bp = queue->bp;
+ u16 queue_index = queue - bp->queues;
++ unsigned long flags;
+ unsigned int tail;
+ unsigned int head;
+ int packets = 0;
+
+- spin_lock(&queue->tx_ptr_lock);
++ spin_lock_irqsave(&queue->tx_ptr_lock, flags);
+ head = queue->tx_head;
+ for (tail = queue->tx_tail; tail != head && packets < budget; tail++) {
+ struct macb_tx_skb *tx_skb;
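Review bot: None of the converted lock sites records why `tx_ptr_lock` needs the irqsave variant, so a later cleanup could turn one back into spin_lock() or spin_lock_bh() without noticing the netpoll case. A one-line comment at this first site in macb_tx_complete(), for example `/* also taken with IRQs disabled via netpoll, so all users must use irqsave */`, would carry the reasoning from the commit message into the code. The same applies to macb_tx_restart(), macb_tx_complete_pending() and macb_start_xmit() in the later hunks. macb_tx_complete() now also runs its completion loop, up to `budget` packets, with local interrupts off, which may be worth measuring for latency.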
+@@ -1297,7 +1298,7 @@ static int macb_tx_complete(struct macb_queue *queue, int budget)
+ CIRC_CNT(queue->tx_head, queue->tx_tail,
+ bp->tx_ring_size) <= MACB_TX_WAKEUP_THRESH(bp))
+ netif_wake_subqueue(bp->dev, queue_index);
+- spin_unlock(&queue->tx_ptr_lock);
++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags);
+
+ return packets;
+ }
+@@ -1713,8 +1714,9 @@ static void macb_tx_restart(struct macb_queue *queue)
+ {
+ struct macb *bp = queue->bp;
+ unsigned int head_idx, tbqp;
++ unsigned long flags;
+
+- spin_lock(&queue->tx_ptr_lock);
++ spin_lock_irqsave(&queue->tx_ptr_lock, flags);
+
+ if (queue->tx_head == queue->tx_tail)
+ goto out_tx_ptr_unlock;
+@@ -1726,19 +1728,20 @@ static void macb_tx_restart(struct macb_queue *queue)
+ if (tbqp == head_idx)
+ goto out_tx_ptr_unlock;
+
+- spin_lock_irq(&bp->lock);
++ spin_lock(&bp->lock);
+ macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(TSTART));
+- spin_unlock_irq(&bp->lock);
++ spin_unlock(&bp->lock);
+
+ out_tx_ptr_unlock:
+- spin_unlock(&queue->tx_ptr_lock);
++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags);
+ }
+
+ static bool macb_tx_complete_pending(struct macb_queue *queue)
+ {
+ bool retval = false;
++ unsigned long flags;
+
+- spin_lock(&queue->tx_ptr_lock);
++ spin_lock_irqsave(&queue->tx_ptr_lock, flags);
+ if (queue->tx_head != queue->tx_tail) {
+ /* Make hw descriptor updates visible to CPU */
+ rmb();
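Review bot: In macb_tx_restart(), `spin_lock(&bp->lock)` is now only interrupt-safe because the enclosing `spin_lock_irqsave(&queue->tx_ptr_lock, flags)` has already disabled interrupts; that dependency is implicit. If `bp->lock` is also taken from interrupt context (not visible in this hunk), moving the NCR write out of the tx_ptr_lock section later would reintroduce a deadlock window. A short comment such as `/* IRQs are already off under tx_ptr_lock */` above the inner lock would document it. macb_start_xmit() in the last hunk has the same nesting.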
+@@ -1746,7 +1749,7 @@ static bool macb_tx_complete_pending(struct macb_queue *queue)
+ if (macb_tx_desc(queue, queue->tx_tail)->ctrl & MACB_BIT(TX_USED))
+ retval = true;
+ }
+- spin_unlock(&queue->tx_ptr_lock);
++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags);
+ return retval;
+ }
+
+@@ -2314,6 +2317,7 @@ static netdev_tx_t macb_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ struct macb_queue *queue = &bp->queues[queue_index];
+ unsigned int desc_cnt, nr_frags, frag_size, f;
+ unsigned int hdrlen;
++ unsigned long flags;
+ bool is_lso;
+ netdev_tx_t ret = NETDEV_TX_OK;
+
+@@ -2374,7 +2378,7 @@ static netdev_tx_t macb_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ desc_cnt += DIV_ROUND_UP(frag_size, bp->max_tx_length);
+ }
+
+- spin_lock_bh(&queue->tx_ptr_lock);
++ spin_lock_irqsave(&queue->tx_ptr_lock, flags);
+
+ /* This is a hard error, log it. */
+ if (CIRC_SPACE(queue->tx_head, queue->tx_tail,
+@@ -2396,15 +2400,15 @@ static netdev_tx_t macb_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ wmb();
+ skb_tx_timestamp(skb);
+
+- spin_lock_irq(&bp->lock);
++ spin_lock(&bp->lock);
+ macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(TSTART));
+- spin_unlock_irq(&bp->lock);
++ spin_unlock(&bp->lock);
+
+ if (CIRC_SPACE(queue->tx_head, queue->tx_tail, bp->tx_ring_size) < 1)
+ netif_stop_subqueue(dev, queue_index);
+
+ unlock:
+- spin_unlock_bh(&queue->tx_ptr_lock);
++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags);
+
+ return ret;
+ }
+--
+2.50.1
+
--- /dev/null
+From 9568db6540253a5990c8e2e2e374b6c30d3cb730 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Aug 2025 20:41:17 +0800
+Subject: net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync()
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit ba1e9421cf1a8369d25c3832439702a015d6b5f9 ]
+
+BUG: kernel NULL pointer dereference, address: 00000000000002ec
+PGD 0 P4D 0
+Oops: Oops: 0000 [#1] SMP PTI
+CPU: 28 UID: 0 PID: 343 Comm: kworker/28:1 Kdump: loaded Tainted: G OE 6.17.0-rc2+ #9 NONE
+Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
+Workqueue: smc_hs_wq smc_listen_work [smc]
+RIP: 0010:smc_ib_is_sg_need_sync+0x9e/0xd0 [smc]
+...
+Call Trace:
+ <TASK>
+ smcr_buf_map_link+0x211/0x2a0 [smc]
+ __smc_buf_create+0x522/0x970 [smc]
+ smc_buf_create+0x3a/0x110 [smc]
+ smc_find_rdma_v2_device_serv+0x18f/0x240 [smc]
+ ? smc_vlan_by_tcpsk+0x7e/0xe0 [smc]
+ smc_listen_find_device+0x1dd/0x2b0 [smc]
+ smc_listen_work+0x30f/0x580 [smc]
+ process_one_work+0x18c/0x340
+ worker_thread+0x242/0x360
+ kthread+0xe7/0x220
+ ret_from_fork+0x13a/0x160
+ ret_from_fork_asm+0x1a/0x30
+ </TASK>
+
+If the software RoCE device is used, ibdev->dma_device is a null pointer.
+As a result, the problem occurs. Null pointer detection is added to
+prevent problems.
+
+Fixes: 0ef69e788411c ("net/smc: optimize for smc_sndbuf_sync_sg_for_device and smc_rmb_sync_sg_for_cpu")
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Reviewed-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Reviewed-by: D. Wythe <alibuda@linux.alibaba.com>
+Link: https://patch.msgid.link/20250828124117.2622624-1-liujian56@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/smc_ib.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/smc/smc_ib.c b/net/smc/smc_ib.c
+index 598ac9ead64b7..6df543e083fb3 100644
+--- a/net/smc/smc_ib.c
++++ b/net/smc/smc_ib.c
+@@ -743,6 +743,9 @@ bool smc_ib_is_sg_need_sync(struct smc_link *lnk,
+ unsigned int i;
+ bool ret = false;
+
++ if (!lnk->smcibdev->ibdev->dma_device)
++ return ret;
++
+ /* for now there is just one DMA address */
+ for_each_sg(buf_slot->sgt[lnk->link_idx].sgl, sg,
+ buf_slot->sgt[lnk->link_idx].nents, i) {
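Review bot: The early return added to smc_ib_is_sg_need_sync() has no comment, and `return ret;` hides that the answer being given is "no sync needed". I would write it as `return false;` with `/* no dma_device (e.g. software RoCE): nothing to sync */` above the check, so the reasoning from the commit message stays with the code. The test dereferences `lnk->smcibdev->ibdev` unconditionally; that is presumably guaranteed for a link that reached buffer mapping, but it is not shown here. The function continues past the end of the hunk.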
+--
+2.50.1
+
--- /dev/null
+From dbd78e1c1af3f3837fc2ffda1b0257f4fd1e9e5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Sep 2025 10:20:41 +0200
+Subject: net/smc: Remove validation of reserved bits in CLC Decline message
+
+From: Mahanta Jambigi <mjambigi@linux.ibm.com>
+
+[ Upstream commit cc282f73bc0cbdf3ee7af2f2d3a2ef4e6b19242d ]
+
+Currently SMC code is validating the reserved bits while parsing the incoming
+CLC decline message & when this validation fails, its treated as a protocol
+error. As a result, the SMC connection is terminated instead of falling back to
+TCP. As per RFC7609[1] specs we shouldn't be validating the reserved bits that
+is part of CLC message. This patch fixes this issue.
+
+CLC Decline message format can viewed here[2].
+
+[1] https://datatracker.ietf.org/doc/html/rfc7609#page-92
+[2] https://datatracker.ietf.org/doc/html/rfc7609#page-105
+
+Fixes: 8ade200c269f ("net/smc: add v2 format of CLC decline message")
+Signed-off-by: Mahanta Jambigi <mjambigi@linux.ibm.com>
+Reviewed-by: Sidraya Jayagond <sidraya@linux.ibm.com>
+Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
+Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
+Link: https://patch.msgid.link/20250902082041.98996-1-mjambigi@linux.ibm.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/smc_clc.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c
+index dbce904c03cf7..4f485b9b31b28 100644
+--- a/net/smc/smc_clc.c
++++ b/net/smc/smc_clc.c
+@@ -426,8 +426,6 @@ smc_clc_msg_decl_valid(struct smc_clc_msg_decline *dclc)
+ {
+ struct smc_clc_msg_hdr *hdr = &dclc->hdr;
+
+- if (hdr->typev1 != SMC_TYPE_R && hdr->typev1 != SMC_TYPE_D)
+- return false;
+ if (hdr->version == SMC_V1) {
+ if (ntohs(hdr->length) != sizeof(struct smc_clc_msg_decline))
+ return false;
+--
+2.50.1
+
--- /dev/null
+From 9b035f22694a34025698303085334c4b2d6b9706 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Sep 2025 14:30:18 -0700
+Subject: net: thunder_bgx: add a missing of_node_put
+
+From: Rosen Penev <rosenp@gmail.com>
+
+[ Upstream commit 9d28f94912589f04ab51fbccaef287d4f40e0d1f ]
+
+phy_np needs to get freed, just like the other child nodes.
+
+Fixes: 5fc7cf179449 ("net: thunderx: Cleanup PHY probing code.")
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250901213018.47392-1-rosenp@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/cavium/thunder/thunder_bgx.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+index 087d4c2b3efd1..7ef1b88c8c535 100644
+--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+@@ -1491,13 +1491,17 @@ static int bgx_init_of_phy(struct bgx *bgx)
+ * this cortina phy, for which there is no driver
+ * support, ignore it.
+ */
+- if (phy_np &&
+- !of_device_is_compatible(phy_np, "cortina,cs4223-slice")) {
+- /* Wait until the phy drivers are available */
+- pd = of_phy_find_device(phy_np);
+- if (!pd)
+- goto defer;
+- bgx->lmac[lmac].phydev = pd;
++ if (phy_np) {
++ if (!of_device_is_compatible(phy_np, "cortina,cs4223-slice")) {
++ /* Wait until the phy drivers are available */
++ pd = of_phy_find_device(phy_np);
++ if (!pd) {
++ of_node_put(phy_np);
++ goto defer;
++ }
++ bgx->lmac[lmac].phydev = pd;
++ }
++ of_node_put(phy_np);
+ }
+
+ lmac++;
+--
+2.50.1
+
--- /dev/null
+From 0ea7ffc3f07747db6bbad828adff2059b6432508 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Sep 2025 14:33:14 -0700
+Subject: net: thunder_bgx: decrement cleanup index before use
+
+From: Rosen Penev <rosenp@gmail.com>
+
+[ Upstream commit 9e3d71a92e561ccc77025689dab25d201fee7a3e ]
+
+All paths in probe that call goto defer do so before assigning phydev
+and thus it makes sense to cleanup the prior index. It also fixes a bug
+where index 0 does not get cleaned up.
+
+Fixes: b7d3e3d3d21a ("net: thunderx: Don't leak phy device references on -EPROBE_DEFER condition.")
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250901213314.48599-1-rosenp@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+index 7ef1b88c8c535..a423a93882115 100644
+--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+@@ -1517,11 +1517,11 @@ static int bgx_init_of_phy(struct bgx *bgx)
+ * for phy devices we may have already found.
+ */
+ while (lmac) {
++ lmac--;
+ if (bgx->lmac[lmac].phydev) {
+ put_device(&bgx->lmac[lmac].phydev->mdio.dev);
+ bgx->lmac[lmac].phydev = NULL;
+ }
+- lmac--;
+ }
+ of_node_put(node);
+ return -EPROBE_DEFER;
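Review bot: With `lmac--` moved to the top of the loop, the cleanup no longer inspects the slot that was being probed when `goto defer` was taken. It is therefore correct only while every jump to `defer` happens before `bgx->lmac[lmac].phydev` is assigned. That holds for the of_phy_find_device() failure path in bgx_init_of_phy(), but any other jumps are outside this hunk. A comment above the loop would record the invariant for whoever adds the next `goto defer`: `/* slot 'lmac' has no phydev yet; drop the references taken for earlier slots */`.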
+--
+2.50.1
+
--- /dev/null
+From ed965805fe91869b5be5cf3caf2d1a057f1d2812 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 11:52:19 +0800
+Subject: netfilter: br_netfilter: do not check confirmed bit in
+ br_nf_local_in() after confirm
+
+From: Wang Liang <wangliang74@huawei.com>
+
+[ Upstream commit 479a54ab92087318514c82428a87af2d7af1a576 ]
+
+When send a broadcast packet to a tap device, which was added to a bridge,
+br_nf_local_in() is called to confirm the conntrack. If another conntrack
+with the same hash value is added to the hash table, which can be
+triggered by a normal packet to a non-bridge device, the below warning
+may happen.
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200
+ CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary)
+ RIP: 0010:br_nf_local_in+0x168/0x200
+ Call Trace:
+ <TASK>
+ nf_hook_slow+0x3e/0xf0
+ br_pass_frame_up+0x103/0x180
+ br_handle_frame_finish+0x2de/0x5b0
+ br_nf_hook_thresh+0xc0/0x120
+ br_nf_pre_routing_finish+0x168/0x3a0
+ br_nf_pre_routing+0x237/0x5e0
+ br_handle_frame+0x1ec/0x3c0
+ __netif_receive_skb_core+0x225/0x1210
+ __netif_receive_skb_one_core+0x37/0xa0
+ netif_receive_skb+0x36/0x160
+ tun_get_user+0xa54/0x10c0
+ tun_chr_write_iter+0x65/0xb0
+ vfs_write+0x305/0x410
+ ksys_write+0x60/0xd0
+ do_syscall_64+0xa4/0x260
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+ ---[ end trace 0000000000000000 ]---
+
+To solve the hash conflict, nf_ct_resolve_clash() try to merge the
+conntracks, and update skb->_nfct. However, br_nf_local_in() still use the
+old ct from local variable 'nfct' after confirm(), which leads to this
+warning.
+
+If confirm() does not insert the conntrack entry and return NF_DROP, the
+warning may also occur. There is no need to reserve the WARN_ON_ONCE, just
+remove it.
+
+Link: https://lore.kernel.org/netdev/20250820043329.2902014-1-wangliang74@huawei.com/
+Fixes: 62e7151ae3eb ("netfilter: bridge: confirm multicast packets before passing them up the stack")
+Suggested-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Wang Liang <wangliang74@huawei.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_netfilter_hooks.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
+index 2a4958e995f2d..e6962d693359b 100644
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -648,9 +648,6 @@ static unsigned int br_nf_local_in(void *priv,
+ break;
+ }
+
+- ct = container_of(nfct, struct nf_conn, ct_general);
+- WARN_ON_ONCE(!nf_ct_is_confirmed(ct));
+-
+ return ret;
+ }
+ #endif
+--
+2.50.1
+
--- /dev/null
+From eebaeffbdbb047ecb35b1930510263a993b59cfc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 13:22:20 +0200
+Subject: netfilter: conntrack: helper: Replace -EEXIST by -EBUSY
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit 54416fd76770bd04fc3c501810e8d673550bab26 ]
+
+The helper registration return value is passed-through by module_init
+callbacks which modprobe confuses with the harmless -EEXIST returned
+when trying to load an already loaded module.
+
+Make sure modprobe fails so users notice their helper has not been
+registered and won't work.
+
+Suggested-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_helper.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
+index f22691f838536..10f72b5b4e1ad 100644
+--- a/net/netfilter/nf_conntrack_helper.c
++++ b/net/netfilter/nf_conntrack_helper.c
+@@ -373,7 +373,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
+ (cur->tuple.src.l3num == NFPROTO_UNSPEC ||
+ cur->tuple.src.l3num == me->tuple.src.l3num) &&
+ cur->tuple.dst.protonum == me->tuple.dst.protonum) {
+- ret = -EEXIST;
++ ret = -EBUSY;
+ goto out;
+ }
+ }
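Review bot: The new `ret = -EBUSY;` assignments in nf_conntrack_helper_register() carry no comment, so the reason for avoiding the more natural `-EEXIST` exists only in the commit message and a later cleanup could revert it. Suggested comment at this site, and the same in the second hunk: `/* not -EEXIST: modprobe takes that to mean the module is already loaded */`. Any caller outside a module_init path that compares the result with -EEXIST would see a changed value; none is visible here, so that is worth a quick grep before merging.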
+@@ -384,7 +384,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
+ hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) {
+ if (nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple,
+ &mask)) {
+- ret = -EEXIST;
++ ret = -EBUSY;
+ goto out;
+ }
+ }
+--
+2.50.1
+
--- /dev/null
+From e3430bf9d21a25ae13c20332fe46aab5ec9e4bfe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Oct 2023 14:39:20 -0700
+Subject: netlink: add variable-length / auto integers
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 374d345d9b5e13380c66d7042f9533a6ac6d1195 ]
+
+We currently push everyone to use padding to align 64b values
+in netlink. Un-padded nla_put_u64() doesn't even exist any more.
+
+The story behind this possibly start with this thread:
+https://lore.kernel.org/netdev/20121204.130914.1457976839967676240.davem@davemloft.net/
+where DaveM was concerned about the alignment of a structure
+containing 64b stats. If user space tries to access such struct
+directly:
+
+ struct some_stats *stats = nla_data(attr);
+ printf("A: %llu", stats->a);
+
+lack of alignment may become problematic for some architectures.
+These days we most often put every single member in a separate
+attribute, meaning that the code above would use a helper like
+nla_get_u64(), which can deal with alignment internally.
+Even for arches which don't have good unaligned access - access
+aligned to 4B should be pretty efficient.
+Kernel and well known libraries deal with unaligned input already.
+
+Padded 64b is quite space-inefficient (64b + pad means at worst 16B
+per attr vs 32b which takes 8B). It is also more typing:
+
+ if (nla_put_u64_pad(rsp, NETDEV_A_SOMETHING_SOMETHING,
+ value, NETDEV_A_SOMETHING_PAD))
+
+Create a new attribute type which will use 32 bits at netlink
+level if value is small enough (probably most of the time?),
+and (4B-aligned) 64 bits otherwise. Kernel API is just:
+
+ if (nla_put_uint(rsp, NETDEV_A_SOMETHING_SOMETHING, value))
+
+Calling this new type "just" sint / uint with no specific size
+will hopefully also make people more comfortable with using it.
+Currently telling people "don't use u8, you may need the bits,
+and netlink will round up to 4B, anyway" is the #1 comment
+we give to newcomers.
+
+In terms of netlink layout it looks like this:
+
+ 0 4 8 12 16
+32b: [nlattr][ u32 ]
+64b: [ pad ][nlattr][ u64 ]
+uint(32) [nlattr][ u32 ]
+uint(64) [nlattr][ u64 ]
+
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 030e1c456666 ("macsec: read MACSEC_SA_ATTR_PN with nla_get_uint")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/userspace-api/netlink/specs.rst | 18 ++++-
+ include/net/netlink.h | 69 ++++++++++++++++++-
+ include/uapi/linux/netlink.h | 5 ++
+ lib/nlattr.c | 22 ++++++
+ net/netlink/policy.c | 14 +++-
+ 5 files changed, 121 insertions(+), 7 deletions(-)
+
+diff --git a/Documentation/userspace-api/netlink/specs.rst b/Documentation/userspace-api/netlink/specs.rst
+index cc4e2430997ef..a8218284e67a4 100644
+--- a/Documentation/userspace-api/netlink/specs.rst
++++ b/Documentation/userspace-api/netlink/specs.rst
+@@ -408,10 +408,21 @@ This section describes the attribute types supported by the ``genetlink``
+ compatibility level. Refer to documentation of different levels for additional
+ attribute types.
+
+-Scalar integer types
++Common integer types
+ --------------------
+
+-Fixed-width integer types:
++``sint`` and ``uint`` represent signed and unsigned 64 bit integers.
++If the value can fit on 32 bits only 32 bits are carried in netlink
++messages, otherwise full 64 bits are carried. Note that the payload
++is only aligned to 4B, so the full 64 bit value may be unaligned!
++
++Common integer types should be preferred over fix-width types in majority
++of cases.
++
++Fix-width integer types
++-----------------------
++
++Fixed-width integer types include:
+ ``u8``, ``u16``, ``u32``, ``u64``, ``s8``, ``s16``, ``s32``, ``s64``.
+
+ Note that types smaller than 32 bit should be avoided as using them
+@@ -421,6 +432,9 @@ See :ref:`pad_type` for padding of 64 bit attributes.
+ The payload of the attribute is the integer in host order unless ``byte-order``
+ specifies otherwise.
+
++64 bit values are usually aligned by the kernel but it is recommended
++that the user space is able to deal with unaligned values.
++
+ .. _pad_type:
+
+ pad
+diff --git a/include/net/netlink.h b/include/net/netlink.h
+index 8a7cd1170e1f7..aba2b162a2260 100644
+--- a/include/net/netlink.h
++++ b/include/net/netlink.h
+@@ -128,6 +128,8 @@
+ * nla_len(nla) length of attribute payload
+ *
+ * Attribute Payload Access for Basic Types:
++ * nla_get_uint(nla) get payload for a uint attribute
++ * nla_get_sint(nla) get payload for a sint attribute
+ * nla_get_u8(nla) get payload for a u8 attribute
+ * nla_get_u16(nla) get payload for a u16 attribute
+ * nla_get_u32(nla) get payload for a u32 attribute
+@@ -183,6 +185,8 @@ enum {
+ NLA_REJECT,
+ NLA_BE16,
+ NLA_BE32,
++ NLA_SINT,
++ NLA_UINT,
+ __NLA_TYPE_MAX,
+ };
+
+@@ -229,6 +233,7 @@ enum nla_policy_validation {
+ * nested header (or empty); len field is used if
+ * nested_policy is also used, for the max attr
+ * number in the nested policy.
++ * NLA_SINT, NLA_UINT,
+ * NLA_U8, NLA_U16,
+ * NLA_U32, NLA_U64,
+ * NLA_S8, NLA_S16,
+@@ -260,12 +265,14 @@ enum nla_policy_validation {
+ * while an array has the nested attributes at another
+ * level down and the attribute types directly in the
+ * nesting don't matter.
++ * NLA_UINT,
+ * NLA_U8,
+ * NLA_U16,
+ * NLA_U32,
+ * NLA_U64,
+ * NLA_BE16,
+ * NLA_BE32,
++ * NLA_SINT,
+ * NLA_S8,
+ * NLA_S16,
+ * NLA_S32,
+@@ -280,6 +287,7 @@ enum nla_policy_validation {
+ * or NLA_POLICY_FULL_RANGE_SIGNED() macros instead.
+ * Use the NLA_POLICY_MIN(), NLA_POLICY_MAX() and
+ * NLA_POLICY_RANGE() macros.
++ * NLA_UINT,
+ * NLA_U8,
+ * NLA_U16,
+ * NLA_U32,
+@@ -288,6 +296,7 @@ enum nla_policy_validation {
+ * to a struct netlink_range_validation that indicates
+ * the min/max values.
+ * Use NLA_POLICY_FULL_RANGE().
++ * NLA_SINT,
+ * NLA_S8,
+ * NLA_S16,
+ * NLA_S32,
+@@ -377,9 +386,11 @@ struct nla_policy {
+
+ #define __NLA_IS_UINT_TYPE(tp) \
+ (tp == NLA_U8 || tp == NLA_U16 || tp == NLA_U32 || \
+- tp == NLA_U64 || tp == NLA_BE16 || tp == NLA_BE32)
++ tp == NLA_U64 || tp == NLA_UINT || \
++ tp == NLA_BE16 || tp == NLA_BE32)
+ #define __NLA_IS_SINT_TYPE(tp) \
+- (tp == NLA_S8 || tp == NLA_S16 || tp == NLA_S32 || tp == NLA_S64)
++ (tp == NLA_S8 || tp == NLA_S16 || tp == NLA_S32 || tp == NLA_S64 || \
++ tp == NLA_SINT)
+
+ #define __NLA_ENSURE(condition) BUILD_BUG_ON_ZERO(!(condition))
+ #define NLA_ENSURE_UINT_TYPE(tp) \
+@@ -1357,6 +1368,22 @@ static inline int nla_put_u32(struct sk_buff *skb, int attrtype, u32 value)
+ return nla_put(skb, attrtype, sizeof(u32), &tmp);
+ }
+
++/**
++ * nla_put_uint - Add a variable-size unsigned int to a socket buffer
++ * @skb: socket buffer to add attribute to
++ * @attrtype: attribute type
++ * @value: numeric value
++ */
++static inline int nla_put_uint(struct sk_buff *skb, int attrtype, u64 value)
++{
++ u64 tmp64 = value;
++ u32 tmp32 = value;
++
++ if (tmp64 == tmp32)
++ return nla_put_u32(skb, attrtype, tmp32);
++ return nla_put(skb, attrtype, sizeof(u64), &tmp64);
++}
++
+ /**
+ * nla_put_be32 - Add a __be32 netlink attribute to a socket buffer
+ * @skb: socket buffer to add attribute to
+@@ -1511,6 +1538,22 @@ static inline int nla_put_s64(struct sk_buff *skb, int attrtype, s64 value,
+ return nla_put_64bit(skb, attrtype, sizeof(s64), &tmp, padattr);
+ }
+
++/**
++ * nla_put_sint - Add a variable-size signed int to a socket buffer
++ * @skb: socket buffer to add attribute to
++ * @attrtype: attribute type
++ * @value: numeric value
++ */
++static inline int nla_put_sint(struct sk_buff *skb, int attrtype, s64 value)
++{
++ s64 tmp64 = value;
++ s32 tmp32 = value;
++
++ if (tmp64 == tmp32)
++ return nla_put_s32(skb, attrtype, tmp32);
++ return nla_put(skb, attrtype, sizeof(s64), &tmp64);
++}
++
+ /**
+ * nla_put_string - Add a string netlink attribute to a socket buffer
+ * @skb: socket buffer to add attribute to
+@@ -1667,6 +1710,17 @@ static inline u64 nla_get_u64(const struct nlattr *nla)
+ return tmp;
+ }
+
++/**
++ * nla_get_uint - return payload of uint attribute
++ * @nla: uint netlink attribute
++ */
++static inline u64 nla_get_uint(const struct nlattr *nla)
++{
++ if (nla_len(nla) == sizeof(u32))
++ return nla_get_u32(nla);
++ return nla_get_u64(nla);
++}
++
+ /**
+ * nla_get_be64 - return payload of __be64 attribute
+ * @nla: __be64 netlink attribute
+@@ -1729,6 +1783,17 @@ static inline s64 nla_get_s64(const struct nlattr *nla)
+ return tmp;
+ }
+
++/**
++ * nla_get_sint - return payload of uint attribute
++ * @nla: uint netlink attribute
++ */
++static inline s64 nla_get_sint(const struct nlattr *nla)
++{
++ if (nla_len(nla) == sizeof(s32))
++ return nla_get_s32(nla);
++ return nla_get_s64(nla);
++}
++
+ /**
+ * nla_get_flag - return payload of flag attribute
+ * @nla: flag netlink attribute
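Review bot: The kernel-doc added for nla_get_sint() was copied from nla_get_uint() and still describes the wrong type. It reads `nla_get_sint - return payload of uint attribute` and `@nla: uint netlink attribute`, and both should say `sint`. Since this header is the API reference for the new helpers, the mismatch is likely to be copied into callers' comments.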
+diff --git a/include/uapi/linux/netlink.h b/include/uapi/linux/netlink.h
+index e2ae82e3f9f71..f87aaf28a6491 100644
+--- a/include/uapi/linux/netlink.h
++++ b/include/uapi/linux/netlink.h
+@@ -298,6 +298,8 @@ struct nla_bitfield32 {
+ * entry has attributes again, the policy for those inner ones
+ * and the corresponding maxtype may be specified.
+ * @NL_ATTR_TYPE_BITFIELD32: &struct nla_bitfield32 attribute
++ * @NL_ATTR_TYPE_SINT: 32-bit or 64-bit signed attribute, aligned to 4B
++ * @NL_ATTR_TYPE_UINT: 32-bit or 64-bit unsigned attribute, aligned to 4B
+ */
+ enum netlink_attribute_type {
+ NL_ATTR_TYPE_INVALID,
+@@ -322,6 +324,9 @@ enum netlink_attribute_type {
+ NL_ATTR_TYPE_NESTED_ARRAY,
+
+ NL_ATTR_TYPE_BITFIELD32,
++
++ NL_ATTR_TYPE_SINT,
++ NL_ATTR_TYPE_UINT,
+ };
+
+ /**
+diff --git a/lib/nlattr.c b/lib/nlattr.c
+index ba698a097fc81..0319e811bb10a 100644
+--- a/lib/nlattr.c
++++ b/lib/nlattr.c
+@@ -138,6 +138,7 @@ void nla_get_range_unsigned(const struct nla_policy *pt,
+ range->max = U32_MAX;
+ break;
+ case NLA_U64:
++ case NLA_UINT:
+ case NLA_MSECS:
+ range->max = U64_MAX;
+ break;
+@@ -187,6 +188,9 @@ static int nla_validate_range_unsigned(const struct nla_policy *pt,
+ case NLA_U64:
+ value = nla_get_u64(nla);
+ break;
++ case NLA_UINT:
++ value = nla_get_uint(nla);
++ break;
+ case NLA_MSECS:
+ value = nla_get_u64(nla);
+ break;
+@@ -252,6 +256,7 @@ void nla_get_range_signed(const struct nla_policy *pt,
+ range->max = S32_MAX;
+ break;
+ case NLA_S64:
++ case NLA_SINT:
+ range->min = S64_MIN;
+ range->max = S64_MAX;
+ break;
+@@ -299,6 +304,9 @@ static int nla_validate_int_range_signed(const struct nla_policy *pt,
+ case NLA_S64:
+ value = nla_get_s64(nla);
+ break;
++ case NLA_SINT:
++ value = nla_get_sint(nla);
++ break;
+ default:
+ return -EINVAL;
+ }
+@@ -324,6 +332,7 @@ static int nla_validate_int_range(const struct nla_policy *pt,
+ case NLA_U16:
+ case NLA_U32:
+ case NLA_U64:
++ case NLA_UINT:
+ case NLA_MSECS:
+ case NLA_BINARY:
+ case NLA_BE16:
+@@ -333,6 +342,7 @@ static int nla_validate_int_range(const struct nla_policy *pt,
+ case NLA_S16:
+ case NLA_S32:
+ case NLA_S64:
++ case NLA_SINT:
+ return nla_validate_int_range_signed(pt, nla, extack);
+ default:
+ WARN_ON(1);
+@@ -359,6 +369,9 @@ static int nla_validate_mask(const struct nla_policy *pt,
+ case NLA_U64:
+ value = nla_get_u64(nla);
+ break;
++ case NLA_UINT:
++ value = nla_get_uint(nla);
++ break;
+ case NLA_BE16:
+ value = ntohs(nla_get_be16(nla));
+ break;
+@@ -437,6 +450,15 @@ static int validate_nla(const struct nlattr *nla, int maxtype,
+ goto out_err;
+ break;
+
++ case NLA_SINT:
++ case NLA_UINT:
++ if (attrlen != sizeof(u32) && attrlen != sizeof(u64)) {
++ NL_SET_ERR_MSG_ATTR_POL(extack, nla, pt,
++ "invalid attribute length");
++ return -EINVAL;
++ }
++ break;
++
+ case NLA_BITFIELD32:
+ if (attrlen != sizeof(struct nla_bitfield32))
+ goto out_err;
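Review bot: The 4-or-8-byte length check added for NLA_SINT/NLA_UINT is what bounds the reads done by `nla_get_uint()`/`nla_get_sint()` in the range and mask validators touched earlier in this patch, but no comment says so. Those accessors are not shown here; if they pick the width from `nla_len()`, as this check implies, any path that reads such an attribute without policy validation has no length guarantee. I would add a comment above the case, e.g. `/* auto-ints are exactly 4 or 8 bytes; nla_get_uint()/nla_get_sint() rely on this */`. The branch also returns -EINVAL directly with its own message where the neighbouring cases use `goto out_err`, which deserves a word in the same comment. validate_nla() starts and ends outside the hunk.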
+diff --git a/net/netlink/policy.c b/net/netlink/policy.c
+index 87e3de0fde896..ef542a142b980 100644
+--- a/net/netlink/policy.c
++++ b/net/netlink/policy.c
+@@ -229,6 +229,8 @@ int netlink_policy_dump_attr_size_estimate(const struct nla_policy *pt)
+ case NLA_S16:
+ case NLA_S32:
+ case NLA_S64:
++ case NLA_SINT:
++ case NLA_UINT:
+ /* maximum is common, u64 min/max with padding */
+ return common +
+ 2 * (nla_attr_size(0) + nla_attr_size(sizeof(u64)));
+@@ -287,6 +289,7 @@ __netlink_policy_dump_write_attr(struct netlink_policy_dump_state *state,
+ case NLA_U16:
+ case NLA_U32:
+ case NLA_U64:
++ case NLA_UINT:
+ case NLA_MSECS: {
+ struct netlink_range_validation range;
+
+@@ -296,8 +299,10 @@ __netlink_policy_dump_write_attr(struct netlink_policy_dump_state *state,
+ type = NL_ATTR_TYPE_U16;
+ else if (pt->type == NLA_U32)
+ type = NL_ATTR_TYPE_U32;
+- else
++ else if (pt->type == NLA_U64)
+ type = NL_ATTR_TYPE_U64;
++ else
++ type = NL_ATTR_TYPE_UINT;
+
+ if (pt->validation_type == NLA_VALIDATE_MASK) {
+ if (nla_put_u64_64bit(skb, NL_POLICY_TYPE_ATTR_MASK,
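Review bot: NLA_MSECS shares this case block (see the label list in the preceding hunk) and used to land in the final `else`, so with the new chain it is dumped as NL_ATTR_TYPE_UINT instead of NL_ATTR_TYPE_U64. That changes what policy introspection reports to userspace for an attribute type that `nla_get_range_unsigned()` in this same patch still groups with NLA_U64. If NLA_MSECS is meant to stay a fixed 64-bit type, the branch should read `else if (pt->type == NLA_U64 || pt->type == NLA_MSECS)`. The enclosing function starts and ends outside the hunk.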
+@@ -319,7 +324,8 @@ __netlink_policy_dump_write_attr(struct netlink_policy_dump_state *state,
+ case NLA_S8:
+ case NLA_S16:
+ case NLA_S32:
+- case NLA_S64: {
++ case NLA_S64:
++ case NLA_SINT: {
+ struct netlink_range_validation_signed range;
+
+ if (pt->type == NLA_S8)
+@@ -328,8 +334,10 @@ __netlink_policy_dump_write_attr(struct netlink_policy_dump_state *state,
+ type = NL_ATTR_TYPE_S16;
+ else if (pt->type == NLA_S32)
+ type = NL_ATTR_TYPE_S32;
+- else
++ else if (pt->type == NLA_S64)
+ type = NL_ATTR_TYPE_S64;
++ else
++ type = NL_ATTR_TYPE_SINT;
+
+ nla_get_range_signed(pt, &range);
+
+--
+2.50.1
+
--- /dev/null
+From 2a2e1498d143975bfec6707d013cd478d4ecd781 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Sep 2025 14:12:59 +0200
+Subject: phy: mscc: Stop taking ts_lock for tx_queue and use its own lock
+
+From: Horatiu Vultur <horatiu.vultur@microchip.com>
+
+[ Upstream commit 9b2bfdbf43adb9929c5ddcdd96efedbf1c88cf53 ]
+
+When transmitting a PTP frame which is timestamp using 2 step, the
+following warning appears if CONFIG_PROVE_LOCKING is enabled:
+=============================
+[ BUG: Invalid wait context ]
+6.17.0-rc1-00326-ge6160462704e #427 Not tainted
+-----------------------------
+ptp4l/119 is trying to lock:
+c2a44ed4 (&vsc8531->ts_lock){+.+.}-{3:3}, at: vsc85xx_txtstamp+0x50/0xac
+other info that might help us debug this:
+context-{4:4}
+4 locks held by ptp4l/119:
+ #0: c145f068 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x58/0x1440
+ #1: c29df974 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_queue_xmit+0x5c4/0x1440
+ #2: c2aaaad0 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0x108/0x350
+ #3: c2aac170 (&lan966x->tx_lock){+.-.}-{2:2}, at: lan966x_port_xmit+0xd0/0x350
+stack backtrace:
+CPU: 0 UID: 0 PID: 119 Comm: ptp4l Not tainted 6.17.0-rc1-00326-ge6160462704e #427 NONE
+Hardware name: Generic DT based system
+Call trace:
+ unwind_backtrace from show_stack+0x10/0x14
+ show_stack from dump_stack_lvl+0x7c/0xac
+ dump_stack_lvl from __lock_acquire+0x8e8/0x29dc
+ __lock_acquire from lock_acquire+0x108/0x38c
+ lock_acquire from __mutex_lock+0xb0/0xe78
+ __mutex_lock from mutex_lock_nested+0x1c/0x24
+ mutex_lock_nested from vsc85xx_txtstamp+0x50/0xac
+ vsc85xx_txtstamp from lan966x_fdma_xmit+0xd8/0x3a8
+ lan966x_fdma_xmit from lan966x_port_xmit+0x1bc/0x350
+ lan966x_port_xmit from dev_hard_start_xmit+0xc8/0x2c0
+ dev_hard_start_xmit from sch_direct_xmit+0x8c/0x350
+ sch_direct_xmit from __dev_queue_xmit+0x680/0x1440
+ __dev_queue_xmit from packet_sendmsg+0xfa4/0x1568
+ packet_sendmsg from __sys_sendto+0x110/0x19c
+ __sys_sendto from sys_send+0x18/0x20
+ sys_send from ret_fast_syscall+0x0/0x1c
+Exception stack(0xf0b05fa8 to 0xf0b05ff0)
+5fa0: 00000001 0000000e 0000000e 0004b47a 0000003a 00000000
+5fc0: 00000001 0000000e 00000000 00000121 0004af58 00044874 00000000 00000000
+5fe0: 00000001 bee9d420 00025a10 b6e75c7c
+
+So, instead of using the ts_lock for tx_queue, use the spinlock that
+skb_buff_head has.
+
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Fixes: 7d272e63e0979d ("net: phy: mscc: timestamping and PHC support")
+Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
+Link: https://patch.msgid.link/20250902121259.3257536-1-horatiu.vultur@microchip.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/mscc/mscc_ptp.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c
+index 1f6237705b44b..939a8a17595ef 100644
+--- a/drivers/net/phy/mscc/mscc_ptp.c
++++ b/drivers/net/phy/mscc/mscc_ptp.c
+@@ -455,12 +455,12 @@ static void vsc85xx_dequeue_skb(struct vsc85xx_ptp *ptp)
+ *p++ = (reg >> 24) & 0xff;
+ }
+
+- len = skb_queue_len(&ptp->tx_queue);
++ len = skb_queue_len_lockless(&ptp->tx_queue);
+ if (len < 1)
+ return;
+
+ while (len--) {
+- skb = __skb_dequeue(&ptp->tx_queue);
++ skb = skb_dequeue(&ptp->tx_queue);
+ if (!skb)
+ return;
+
+@@ -485,7 +485,7 @@ static void vsc85xx_dequeue_skb(struct vsc85xx_ptp *ptp)
+ * packet in the FIFO right now, reschedule it for later
+ * packets.
+ */
+- __skb_queue_tail(&ptp->tx_queue, skb);
++ skb_queue_tail(&ptp->tx_queue, skb);
+ }
+ }
+
+@@ -1067,6 +1067,7 @@ static int vsc85xx_hwtstamp(struct mii_timestamper *mii_ts, struct ifreq *ifr)
+ case HWTSTAMP_TX_ON:
+ break;
+ case HWTSTAMP_TX_OFF:
++ skb_queue_purge(&vsc8531->ptp->tx_queue);
+ break;
+ default:
+ return -ERANGE;
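Review bot: The `skb_queue_purge()` added under HWTSTAMP_TX_OFF runs while the requested tx_type is still being validated, before anything visible in this hunk stores the new mode. vsc85xx_hwtstamp() continues past the hunk, so the rest is inferred: if the stored tx_type is only updated after this switch, vsc85xx_txtstamp() (which no longer takes ts_lock, see the later hunk) can append an skb between the purge and the mode change. That skb would then stay on tx_queue until a FIFO overflow or vsc8584_ptp_deinit() purges it. A validation failure later in the function would also leave the queue emptied for a request that was rejected. I would move the purge to after the new configuration is committed, or add a comment stating why a late enqueue is harmless.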
+@@ -1091,9 +1092,6 @@ static int vsc85xx_hwtstamp(struct mii_timestamper *mii_ts, struct ifreq *ifr)
+
+ mutex_lock(&vsc8531->ts_lock);
+
+- __skb_queue_purge(&vsc8531->ptp->tx_queue);
+- __skb_queue_head_init(&vsc8531->ptp->tx_queue);
+-
+ /* Disable predictor while configuring the 1588 block */
+ val = vsc85xx_ts_read_csr(phydev, PROCESSOR,
+ MSCC_PHY_PTP_INGR_PREDICTOR);
+@@ -1179,9 +1177,7 @@ static void vsc85xx_txtstamp(struct mii_timestamper *mii_ts,
+
+ skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS;
+
+- mutex_lock(&vsc8531->ts_lock);
+- __skb_queue_tail(&vsc8531->ptp->tx_queue, skb);
+- mutex_unlock(&vsc8531->ts_lock);
++ skb_queue_tail(&vsc8531->ptp->tx_queue, skb);
+ return;
+
+ out:
+@@ -1547,6 +1543,7 @@ void vsc8584_ptp_deinit(struct phy_device *phydev)
+ if (vsc8531->ptp->ptp_clock) {
+ ptp_clock_unregister(vsc8531->ptp->ptp_clock);
+ skb_queue_purge(&vsc8531->rx_skbs_list);
++ skb_queue_purge(&vsc8531->ptp->tx_queue);
+ }
+ }
+
+@@ -1570,7 +1567,7 @@ irqreturn_t vsc8584_handle_ts_interrupt(struct phy_device *phydev)
+ if (rc & VSC85XX_1588_INT_FIFO_ADD) {
+ vsc85xx_get_tx_ts(priv->ptp);
+ } else if (rc & VSC85XX_1588_INT_FIFO_OVERFLOW) {
+- __skb_queue_purge(&priv->ptp->tx_queue);
++ skb_queue_purge(&priv->ptp->tx_queue);
+ vsc85xx_ts_reset_fifo(phydev);
+ }
+
+@@ -1590,6 +1587,7 @@ int vsc8584_ptp_probe(struct phy_device *phydev)
+ mutex_init(&vsc8531->phc_lock);
+ mutex_init(&vsc8531->ts_lock);
+ skb_queue_head_init(&vsc8531->rx_skbs_list);
++ skb_queue_head_init(&vsc8531->ptp->tx_queue);
+
+ /* Retrieve the shared load/save GPIO. Request it as non exclusive as
+ * the same GPIO can be requested by all the PHYs of the same package.
+--
+2.50.1
+
--- /dev/null
+From 64f781419b1cc0dd1fa3c044098b65c9cc95a62e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Sep 2025 18:07:26 +0800
+Subject: ppp: fix memory leak in pad_compress_skb
+
+From: Qingfang Deng <dqfext@gmail.com>
+
+[ Upstream commit 4844123fe0b853a4982c02666cb3fd863d701d50 ]
+
+If alloc_skb() fails in pad_compress_skb(), it returns NULL without
+releasing the old skb. The caller does:
+
+ skb = pad_compress_skb(ppp, skb);
+ if (!skb)
+ goto drop;
+
+drop:
+ kfree_skb(skb);
+
+When pad_compress_skb() returns NULL, the reference to the old skb is
+lost and kfree_skb(skb) ends up doing nothing, leading to a memory leak.
+
+Align pad_compress_skb() semantics with realloc(): only free the old
+skb if allocation and compression succeed. At the call site, use the
+new_skb variable so the original skb is not lost when pad_compress_skb()
+fails.
+
+Fixes: b3f9b92a6ec1 ("[PPP]: add PPP MPPE encryption module")
+Signed-off-by: Qingfang Deng <dqfext@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
+Link: https://patch.msgid.link/20250903100726.269839-1-dqfext@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ppp/ppp_generic.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
+index 28b894bcd7a93..46ac51217114b 100644
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -1753,7 +1753,6 @@ pad_compress_skb(struct ppp *ppp, struct sk_buff *skb)
+ */
+ if (net_ratelimit())
+ netdev_err(ppp->dev, "ppp: compressor dropped pkt\n");
+- kfree_skb(skb);
+ consume_skb(new_skb);
+ new_skb = NULL;
+ }
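Review bot: pad_compress_skb() now has realloc-style ownership, but nothing visible at this error path records that, so a later cleanup could easily re-add the `kfree_skb(skb)` removed here and turn the leak fix into a double free. The function header is outside the hunk; I would extend its comment with something like `/* Returns NULL on failure; the caller then still owns @skb and must free it. */`. The call site in ppp_send_frame() (next hunk) depends on exactly this contract, since its `drop:` path frees `skb`.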
+@@ -1855,9 +1854,10 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb)
+ "down - pkt dropped.\n");
+ goto drop;
+ }
+- skb = pad_compress_skb(ppp, skb);
+- if (!skb)
++ new_skb = pad_compress_skb(ppp, skb);
++ if (!new_skb)
+ goto drop;
++ skb = new_skb;
+ }
+
+ /*
+--
+2.50.1
+
--- /dev/null
+From d432a96f2c5d2f954d98ec6ba93614d1ccc3d0c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Sep 2025 22:28:51 +0000
+Subject: selftest: net: Fix weird setsockopt() in bind_bhash.c.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit fd2004d82d8d8faa94879e3de3096c8511728637 ]
+
+bind_bhash.c passes (SO_REUSEADDR | SO_REUSEPORT) to setsockopt().
+
+In the asm-generic definition, the value happens to match with the
+bare SO_REUSEPORT, (2 | 15) == 15, but not on some arch.
+
+arch/alpha/include/uapi/asm/socket.h:18:#define SO_REUSEADDR 0x0004
+arch/alpha/include/uapi/asm/socket.h:24:#define SO_REUSEPORT 0x0200
+arch/mips/include/uapi/asm/socket.h:24:#define SO_REUSEADDR 0x0004 /* Allow reuse of local addresses. */
+arch/mips/include/uapi/asm/socket.h:33:#define SO_REUSEPORT 0x0200 /* Allow local address and port reuse. */
+arch/parisc/include/uapi/asm/socket.h:12:#define SO_REUSEADDR 0x0004
+arch/parisc/include/uapi/asm/socket.h:18:#define SO_REUSEPORT 0x0200
+arch/sparc/include/uapi/asm/socket.h:13:#define SO_REUSEADDR 0x0004
+arch/sparc/include/uapi/asm/socket.h:20:#define SO_REUSEPORT 0x0200
+include/uapi/asm-generic/socket.h:12:#define SO_REUSEADDR 2
+include/uapi/asm-generic/socket.h:27:#define SO_REUSEPORT 15
+
+Let's pass SO_REUSEPORT only.
+
+Fixes: c35ecb95c448 ("selftests/net: Add test for timing a bind request to a port with a populated bhash entry")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250903222938.2601522-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/bind_bhash.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/net/bind_bhash.c b/tools/testing/selftests/net/bind_bhash.c
+index 57ff67a3751eb..da04b0b19b73c 100644
+--- a/tools/testing/selftests/net/bind_bhash.c
++++ b/tools/testing/selftests/net/bind_bhash.c
+@@ -75,7 +75,7 @@ static void *setup(void *arg)
+ int *array = (int *)arg;
+
+ for (i = 0; i < MAX_CONNECTIONS; i++) {
+- sock_fd = bind_socket(SO_REUSEADDR | SO_REUSEPORT, setup_addr);
++ sock_fd = bind_socket(SO_REUSEPORT, setup_addr);
+ if (sock_fd < 0) {
+ ret = sock_fd;
+ pthread_exit(&ret);
+@@ -103,7 +103,7 @@ int main(int argc, const char *argv[])
+
+ setup_addr = use_v6 ? setup_addr_v6 : setup_addr_v4;
+
+- listener_fd = bind_socket(SO_REUSEADDR | SO_REUSEPORT, setup_addr);
++ listener_fd = bind_socket(SO_REUSEPORT, setup_addr);
+ if (listen(listener_fd, 100) < 0) {
+ perror("listen failed");
+ return -1;
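Review bot: `listener_fd` goes straight into `listen()` without the `< 0` check that setup() applies to the same `bind_socket()` call in the previous hunk. If the bind fails, the test reports "listen failed" with whatever errno `listen()` sets on a bad descriptor, which hides the real cause. Adding `if (listener_fd < 0) return -1;` before the `listen()` call keeps the two call sites consistent. main() continues outside the hunk.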
+--
+2.50.1
+
tee-optee-ffa-fix-a-typo-of-optee_ffa_api_is_compati.patch
arm64-dts-imx8mp-fix-missing-microsd-slot-vqmmc-on-d.patch
arm64-dts-imx8mp-fix-missing-microsd-slot-vqmmc-on-d.patch-12817
+wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch
+wifi-brcmfmac-fix-use-after-free-when-rescheduling-b.patch
+netfilter-br_netfilter-do-not-check-confirmed-bit-in.patch
+netfilter-conntrack-helper-replace-eexist-by-ebusy.patch
+bluetooth-vhci-prevent-use-after-free-by-removing-de.patch
+bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch
+xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch
+misdn-fix-memory-leak-in-dsp_hwec_enable.patch
+icmp-fix-icmp_ndo_send-address-translation-for-reply.patch
+net-macb-fix-tx_ptr_lock-locking.patch
+netlink-add-variable-length-auto-integers.patch
+macsec-read-macsec_sa_attr_pn-with-nla_get_uint.patch
+net-smc-fix-one-null-pointer-dereference-in-smc_ib_i.patch
+i40e-fix-potential-invalid-access-when-mac-list-is-e.patch
+wifi-ath11k-introduce-and-use-ath11k_sta_to_arsta.patch
+wifi-ath11k-rename-ath11k_start_vdev_delay.patch
+wifi-ath11k-avoid-forward-declaration-of-ath11k_mac_.patch
+wifi-ath11k-fix-group-data-packet-drops-during-rekey.patch
+net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch
+wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch
+wifi-libertas-cap-ssid-len-in-lbs_associate.patch
+wifi-cfg80211-sme-cap-ssid-length-in-__cfg80211_conn.patch
+net-thunder_bgx-add-a-missing-of_node_put.patch
+net-thunder_bgx-decrement-cleanup-index-before-use.patch
+ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch
+net-smc-remove-validation-of-reserved-bits-in-clc-de.patch
+mctp-return-enoprotoopt-for-unknown-getsockopt-optio.patch
+ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch
+net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch
+ppp-fix-memory-leak-in-pad_compress_skb.patch
+selftest-net-fix-weird-setsockopt-in-bind_bhash.c.patch
+phy-mscc-stop-taking-ts_lock-for-tx_queue-and-use-it.patch
--- /dev/null
+From d1cd23403c460d407d2fb4147ed282120da7e9e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jan 2024 10:56:59 +0800
+Subject: wifi: ath11k: avoid forward declaration of
+ ath11k_mac_start_vdev_delay()
+
+From: Baochen Qiang <quic_bqiang@quicinc.com>
+
+[ Upstream commit ce59902e56ea0477ad9bef0067d0e47b6c4d707d ]
+
+Currently ath11k_mac_start_vdev_delay() needs a forward declaration because
+it is defined after where it is called. Avoid this by re-arranging
+ath11k_mac_station_add() and ath11k_mac_op_sta_state().
+
+No functional changes. Compile tested only.
+
+Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com>
+Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://msgid.link/20240123025700.2929-4-quic_bqiang@quicinc.com
+Stable-dep-of: 97acb0259cc9 ("wifi: ath11k: fix group data packet drops during rekey")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/mac.c | 459 +++++++++++++-------------
+ 1 file changed, 228 insertions(+), 231 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index 58cc079f0df4a..eb295d092a33c 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -254,9 +254,6 @@ static const u32 ath11k_smps_map[] = {
+ [WLAN_HT_CAP_SM_PS_DISABLED] = WMI_PEER_SMPS_PS_NONE,
+ };
+
+-static int ath11k_mac_start_vdev_delay(struct ieee80211_hw *hw,
+- struct ieee80211_vif *vif);
+-
+ enum nl80211_he_ru_alloc ath11k_mac_phy_he_ru_to_nl80211_he_ru_alloc(u16 ru_phy)
+ {
+ enum nl80211_he_ru_alloc ret;
+@@ -4896,100 +4893,6 @@ static void ath11k_mac_dec_num_stations(struct ath11k_vif *arvif,
+ ar->num_stations--;
+ }
+
+-static int ath11k_mac_station_add(struct ath11k *ar,
+- struct ieee80211_vif *vif,
+- struct ieee80211_sta *sta)
+-{
+- struct ath11k_base *ab = ar->ab;
+- struct ath11k_vif *arvif = ath11k_vif_to_arvif(vif);
+- struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta);
+- struct peer_create_params peer_param;
+- int ret;
+-
+- lockdep_assert_held(&ar->conf_mutex);
+-
+- ret = ath11k_mac_inc_num_stations(arvif, sta);
+- if (ret) {
+- ath11k_warn(ab, "refusing to associate station: too many connected already (%d)\n",
+- ar->max_num_stations);
+- goto exit;
+- }
+-
+- arsta->rx_stats = kzalloc(sizeof(*arsta->rx_stats), GFP_KERNEL);
+- if (!arsta->rx_stats) {
+- ret = -ENOMEM;
+- goto dec_num_station;
+- }
+-
+- peer_param.vdev_id = arvif->vdev_id;
+- peer_param.peer_addr = sta->addr;
+- peer_param.peer_type = WMI_PEER_TYPE_DEFAULT;
+-
+- ret = ath11k_peer_create(ar, arvif, sta, &peer_param);
+- if (ret) {
+- ath11k_warn(ab, "Failed to add peer: %pM for VDEV: %d\n",
+- sta->addr, arvif->vdev_id);
+- goto free_rx_stats;
+- }
+-
+- ath11k_dbg(ab, ATH11K_DBG_MAC, "Added peer: %pM for VDEV: %d\n",
+- sta->addr, arvif->vdev_id);
+-
+- if (ath11k_debugfs_is_extd_tx_stats_enabled(ar)) {
+- arsta->tx_stats = kzalloc(sizeof(*arsta->tx_stats), GFP_KERNEL);
+- if (!arsta->tx_stats) {
+- ret = -ENOMEM;
+- goto free_peer;
+- }
+- }
+-
+- if (ieee80211_vif_is_mesh(vif)) {
+- ath11k_dbg(ab, ATH11K_DBG_MAC,
+- "setting USE_4ADDR for mesh STA %pM\n", sta->addr);
+- ret = ath11k_wmi_set_peer_param(ar, sta->addr,
+- arvif->vdev_id,
+- WMI_PEER_USE_4ADDR, 1);
+- if (ret) {
+- ath11k_warn(ab, "failed to set mesh STA %pM 4addr capability: %d\n",
+- sta->addr, ret);
+- goto free_tx_stats;
+- }
+- }
+-
+- ret = ath11k_dp_peer_setup(ar, arvif->vdev_id, sta->addr);
+- if (ret) {
+- ath11k_warn(ab, "failed to setup dp for peer %pM on vdev %i (%d)\n",
+- sta->addr, arvif->vdev_id, ret);
+- goto free_tx_stats;
+- }
+-
+- if (ab->hw_params.vdev_start_delay &&
+- !arvif->is_started &&
+- arvif->vdev_type != WMI_VDEV_TYPE_AP) {
+- ret = ath11k_mac_start_vdev_delay(ar->hw, vif);
+- if (ret) {
+- ath11k_warn(ab, "failed to delay vdev start: %d\n", ret);
+- goto free_tx_stats;
+- }
+- }
+-
+- ewma_avg_rssi_init(&arsta->avg_rssi);
+- return 0;
+-
+-free_tx_stats:
+- kfree(arsta->tx_stats);
+- arsta->tx_stats = NULL;
+-free_peer:
+- ath11k_peer_delete(ar, arvif->vdev_id, sta->addr);
+-free_rx_stats:
+- kfree(arsta->rx_stats);
+- arsta->rx_stats = NULL;
+-dec_num_station:
+- ath11k_mac_dec_num_stations(arvif, sta);
+-exit:
+- return ret;
+-}
+-
+ static u32 ath11k_mac_ieee80211_sta_bw_to_wmi(struct ath11k *ar,
+ struct ieee80211_sta *sta)
+ {
+@@ -5018,140 +4921,6 @@ static u32 ath11k_mac_ieee80211_sta_bw_to_wmi(struct ath11k *ar,
+ return bw;
+ }
+
+-static int ath11k_mac_op_sta_state(struct ieee80211_hw *hw,
+- struct ieee80211_vif *vif,
+- struct ieee80211_sta *sta,
+- enum ieee80211_sta_state old_state,
+- enum ieee80211_sta_state new_state)
+-{
+- struct ath11k *ar = hw->priv;
+- struct ath11k_vif *arvif = ath11k_vif_to_arvif(vif);
+- struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta);
+- struct ath11k_peer *peer;
+- int ret = 0;
+-
+- /* cancel must be done outside the mutex to avoid deadlock */
+- if ((old_state == IEEE80211_STA_NONE &&
+- new_state == IEEE80211_STA_NOTEXIST)) {
+- cancel_work_sync(&arsta->update_wk);
+- cancel_work_sync(&arsta->set_4addr_wk);
+- }
+-
+- mutex_lock(&ar->conf_mutex);
+-
+- if (old_state == IEEE80211_STA_NOTEXIST &&
+- new_state == IEEE80211_STA_NONE) {
+- memset(arsta, 0, sizeof(*arsta));
+- arsta->arvif = arvif;
+- arsta->peer_ps_state = WMI_PEER_PS_STATE_DISABLED;
+- INIT_WORK(&arsta->update_wk, ath11k_sta_rc_update_wk);
+- INIT_WORK(&arsta->set_4addr_wk, ath11k_sta_set_4addr_wk);
+-
+- ret = ath11k_mac_station_add(ar, vif, sta);
+- if (ret)
+- ath11k_warn(ar->ab, "Failed to add station: %pM for VDEV: %d\n",
+- sta->addr, arvif->vdev_id);
+- } else if ((old_state == IEEE80211_STA_NONE &&
+- new_state == IEEE80211_STA_NOTEXIST)) {
+- bool skip_peer_delete = ar->ab->hw_params.vdev_start_delay &&
+- vif->type == NL80211_IFTYPE_STATION;
+-
+- ath11k_dp_peer_cleanup(ar, arvif->vdev_id, sta->addr);
+-
+- if (!skip_peer_delete) {
+- ret = ath11k_peer_delete(ar, arvif->vdev_id, sta->addr);
+- if (ret)
+- ath11k_warn(ar->ab,
+- "Failed to delete peer: %pM for VDEV: %d\n",
+- sta->addr, arvif->vdev_id);
+- else
+- ath11k_dbg(ar->ab,
+- ATH11K_DBG_MAC,
+- "Removed peer: %pM for VDEV: %d\n",
+- sta->addr, arvif->vdev_id);
+- }
+-
+- ath11k_mac_dec_num_stations(arvif, sta);
+- mutex_lock(&ar->ab->tbl_mtx_lock);
+- spin_lock_bh(&ar->ab->base_lock);
+- peer = ath11k_peer_find(ar->ab, arvif->vdev_id, sta->addr);
+- if (skip_peer_delete && peer) {
+- peer->sta = NULL;
+- } else if (peer && peer->sta == sta) {
+- ath11k_warn(ar->ab, "Found peer entry %pM n vdev %i after it was supposedly removed\n",
+- vif->addr, arvif->vdev_id);
+- ath11k_peer_rhash_delete(ar->ab, peer);
+- peer->sta = NULL;
+- list_del(&peer->list);
+- kfree(peer);
+- ar->num_peers--;
+- }
+- spin_unlock_bh(&ar->ab->base_lock);
+- mutex_unlock(&ar->ab->tbl_mtx_lock);
+-
+- kfree(arsta->tx_stats);
+- arsta->tx_stats = NULL;
+-
+- kfree(arsta->rx_stats);
+- arsta->rx_stats = NULL;
+- } else if (old_state == IEEE80211_STA_AUTH &&
+- new_state == IEEE80211_STA_ASSOC &&
+- (vif->type == NL80211_IFTYPE_AP ||
+- vif->type == NL80211_IFTYPE_MESH_POINT ||
+- vif->type == NL80211_IFTYPE_ADHOC)) {
+- ret = ath11k_station_assoc(ar, vif, sta, false);
+- if (ret)
+- ath11k_warn(ar->ab, "Failed to associate station: %pM\n",
+- sta->addr);
+-
+- spin_lock_bh(&ar->data_lock);
+- /* Set arsta bw and prev bw */
+- arsta->bw = ath11k_mac_ieee80211_sta_bw_to_wmi(ar, sta);
+- arsta->bw_prev = arsta->bw;
+- spin_unlock_bh(&ar->data_lock);
+- } else if (old_state == IEEE80211_STA_ASSOC &&
+- new_state == IEEE80211_STA_AUTHORIZED) {
+- spin_lock_bh(&ar->ab->base_lock);
+-
+- peer = ath11k_peer_find(ar->ab, arvif->vdev_id, sta->addr);
+- if (peer)
+- peer->is_authorized = true;
+-
+- spin_unlock_bh(&ar->ab->base_lock);
+-
+- if (vif->type == NL80211_IFTYPE_STATION && arvif->is_up) {
+- ret = ath11k_wmi_set_peer_param(ar, sta->addr,
+- arvif->vdev_id,
+- WMI_PEER_AUTHORIZE,
+- 1);
+- if (ret)
+- ath11k_warn(ar->ab, "Unable to authorize peer %pM vdev %d: %d\n",
+- sta->addr, arvif->vdev_id, ret);
+- }
+- } else if (old_state == IEEE80211_STA_AUTHORIZED &&
+- new_state == IEEE80211_STA_ASSOC) {
+- spin_lock_bh(&ar->ab->base_lock);
+-
+- peer = ath11k_peer_find(ar->ab, arvif->vdev_id, sta->addr);
+- if (peer)
+- peer->is_authorized = false;
+-
+- spin_unlock_bh(&ar->ab->base_lock);
+- } else if (old_state == IEEE80211_STA_ASSOC &&
+- new_state == IEEE80211_STA_AUTH &&
+- (vif->type == NL80211_IFTYPE_AP ||
+- vif->type == NL80211_IFTYPE_MESH_POINT ||
+- vif->type == NL80211_IFTYPE_ADHOC)) {
+- ret = ath11k_station_disassoc(ar, vif, sta);
+- if (ret)
+- ath11k_warn(ar->ab, "Failed to disassociate station: %pM\n",
+- sta->addr);
+- }
+-
+- mutex_unlock(&ar->conf_mutex);
+- return ret;
+-}
+-
+ static int ath11k_mac_op_sta_set_txpwr(struct ieee80211_hw *hw,
+ struct ieee80211_vif *vif,
+ struct ieee80211_sta *sta)
+@@ -9099,6 +8868,234 @@ static int ath11k_mac_op_get_txpower(struct ieee80211_hw *hw,
+ return 0;
+ }
+
++static int ath11k_mac_station_add(struct ath11k *ar,
++ struct ieee80211_vif *vif,
++ struct ieee80211_sta *sta)
++{
++ struct ath11k_base *ab = ar->ab;
++ struct ath11k_vif *arvif = ath11k_vif_to_arvif(vif);
++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta);
++ struct peer_create_params peer_param;
++ int ret;
++
++ lockdep_assert_held(&ar->conf_mutex);
++
++ ret = ath11k_mac_inc_num_stations(arvif, sta);
++ if (ret) {
++ ath11k_warn(ab, "refusing to associate station: too many connected already (%d)\n",
++ ar->max_num_stations);
++ goto exit;
++ }
++
++ arsta->rx_stats = kzalloc(sizeof(*arsta->rx_stats), GFP_KERNEL);
++ if (!arsta->rx_stats) {
++ ret = -ENOMEM;
++ goto dec_num_station;
++ }
++
++ peer_param.vdev_id = arvif->vdev_id;
++ peer_param.peer_addr = sta->addr;
++ peer_param.peer_type = WMI_PEER_TYPE_DEFAULT;
++
++ ret = ath11k_peer_create(ar, arvif, sta, &peer_param);
++ if (ret) {
++ ath11k_warn(ab, "Failed to add peer: %pM for VDEV: %d\n",
++ sta->addr, arvif->vdev_id);
++ goto free_rx_stats;
++ }
++
++ ath11k_dbg(ab, ATH11K_DBG_MAC, "Added peer: %pM for VDEV: %d\n",
++ sta->addr, arvif->vdev_id);
++
++ if (ath11k_debugfs_is_extd_tx_stats_enabled(ar)) {
++ arsta->tx_stats = kzalloc(sizeof(*arsta->tx_stats), GFP_KERNEL);
++ if (!arsta->tx_stats) {
++ ret = -ENOMEM;
++ goto free_peer;
++ }
++ }
++
++ if (ieee80211_vif_is_mesh(vif)) {
++ ath11k_dbg(ab, ATH11K_DBG_MAC,
++ "setting USE_4ADDR for mesh STA %pM\n", sta->addr);
++ ret = ath11k_wmi_set_peer_param(ar, sta->addr,
++ arvif->vdev_id,
++ WMI_PEER_USE_4ADDR, 1);
++ if (ret) {
++ ath11k_warn(ab, "failed to set mesh STA %pM 4addr capability: %d\n",
++ sta->addr, ret);
++ goto free_tx_stats;
++ }
++ }
++
++ ret = ath11k_dp_peer_setup(ar, arvif->vdev_id, sta->addr);
++ if (ret) {
++ ath11k_warn(ab, "failed to setup dp for peer %pM on vdev %i (%d)\n",
++ sta->addr, arvif->vdev_id, ret);
++ goto free_tx_stats;
++ }
++
++ if (ab->hw_params.vdev_start_delay &&
++ !arvif->is_started &&
++ arvif->vdev_type != WMI_VDEV_TYPE_AP) {
++ ret = ath11k_mac_start_vdev_delay(ar->hw, vif);
++ if (ret) {
++ ath11k_warn(ab, "failed to delay vdev start: %d\n", ret);
++ goto free_tx_stats;
++ }
++ }
++
++ ewma_avg_rssi_init(&arsta->avg_rssi);
++ return 0;
++
++free_tx_stats:
++ kfree(arsta->tx_stats);
++ arsta->tx_stats = NULL;
++free_peer:
++ ath11k_peer_delete(ar, arvif->vdev_id, sta->addr);
++free_rx_stats:
++ kfree(arsta->rx_stats);
++ arsta->rx_stats = NULL;
++dec_num_station:
++ ath11k_mac_dec_num_stations(arvif, sta);
++exit:
++ return ret;
++}
++
++static int ath11k_mac_op_sta_state(struct ieee80211_hw *hw,
++ struct ieee80211_vif *vif,
++ struct ieee80211_sta *sta,
++ enum ieee80211_sta_state old_state,
++ enum ieee80211_sta_state new_state)
++{
++ struct ath11k *ar = hw->priv;
++ struct ath11k_vif *arvif = ath11k_vif_to_arvif(vif);
++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta);
++ struct ath11k_peer *peer;
++ int ret = 0;
++
++ /* cancel must be done outside the mutex to avoid deadlock */
++ if ((old_state == IEEE80211_STA_NONE &&
++ new_state == IEEE80211_STA_NOTEXIST)) {
++ cancel_work_sync(&arsta->update_wk);
++ cancel_work_sync(&arsta->set_4addr_wk);
++ }
++
++ mutex_lock(&ar->conf_mutex);
++
++ if (old_state == IEEE80211_STA_NOTEXIST &&
++ new_state == IEEE80211_STA_NONE) {
++ memset(arsta, 0, sizeof(*arsta));
++ arsta->arvif = arvif;
++ arsta->peer_ps_state = WMI_PEER_PS_STATE_DISABLED;
++ INIT_WORK(&arsta->update_wk, ath11k_sta_rc_update_wk);
++ INIT_WORK(&arsta->set_4addr_wk, ath11k_sta_set_4addr_wk);
++
++ ret = ath11k_mac_station_add(ar, vif, sta);
++ if (ret)
++ ath11k_warn(ar->ab, "Failed to add station: %pM for VDEV: %d\n",
++ sta->addr, arvif->vdev_id);
++ } else if ((old_state == IEEE80211_STA_NONE &&
++ new_state == IEEE80211_STA_NOTEXIST)) {
++ bool skip_peer_delete = ar->ab->hw_params.vdev_start_delay &&
++ vif->type == NL80211_IFTYPE_STATION;
++
++ ath11k_dp_peer_cleanup(ar, arvif->vdev_id, sta->addr);
++
++ if (!skip_peer_delete) {
++ ret = ath11k_peer_delete(ar, arvif->vdev_id, sta->addr);
++ if (ret)
++ ath11k_warn(ar->ab,
++ "Failed to delete peer: %pM for VDEV: %d\n",
++ sta->addr, arvif->vdev_id);
++ else
++ ath11k_dbg(ar->ab,
++ ATH11K_DBG_MAC,
++ "Removed peer: %pM for VDEV: %d\n",
++ sta->addr, arvif->vdev_id);
++ }
++
++ ath11k_mac_dec_num_stations(arvif, sta);
++ mutex_lock(&ar->ab->tbl_mtx_lock);
++ spin_lock_bh(&ar->ab->base_lock);
++ peer = ath11k_peer_find(ar->ab, arvif->vdev_id, sta->addr);
++ if (skip_peer_delete && peer) {
++ peer->sta = NULL;
++ } else if (peer && peer->sta == sta) {
++ ath11k_warn(ar->ab, "Found peer entry %pM n vdev %i after it was supposedly removed\n",
++ vif->addr, arvif->vdev_id);
++ ath11k_peer_rhash_delete(ar->ab, peer);
++ peer->sta = NULL;
++ list_del(&peer->list);
++ kfree(peer);
++ ar->num_peers--;
++ }
++ spin_unlock_bh(&ar->ab->base_lock);
++ mutex_unlock(&ar->ab->tbl_mtx_lock);
++
++ kfree(arsta->tx_stats);
++ arsta->tx_stats = NULL;
++
++ kfree(arsta->rx_stats);
++ arsta->rx_stats = NULL;
++ } else if (old_state == IEEE80211_STA_AUTH &&
++ new_state == IEEE80211_STA_ASSOC &&
++ (vif->type == NL80211_IFTYPE_AP ||
++ vif->type == NL80211_IFTYPE_MESH_POINT ||
++ vif->type == NL80211_IFTYPE_ADHOC)) {
++ ret = ath11k_station_assoc(ar, vif, sta, false);
++ if (ret)
++ ath11k_warn(ar->ab, "Failed to associate station: %pM\n",
++ sta->addr);
++
++ spin_lock_bh(&ar->data_lock);
++ /* Set arsta bw and prev bw */
++ arsta->bw = ath11k_mac_ieee80211_sta_bw_to_wmi(ar, sta);
++ arsta->bw_prev = arsta->bw;
++ spin_unlock_bh(&ar->data_lock);
++ } else if (old_state == IEEE80211_STA_ASSOC &&
++ new_state == IEEE80211_STA_AUTHORIZED) {
++ spin_lock_bh(&ar->ab->base_lock);
++
++ peer = ath11k_peer_find(ar->ab, arvif->vdev_id, sta->addr);
++ if (peer)
++ peer->is_authorized = true;
++
++ spin_unlock_bh(&ar->ab->base_lock);
++
++ if (vif->type == NL80211_IFTYPE_STATION && arvif->is_up) {
++ ret = ath11k_wmi_set_peer_param(ar, sta->addr,
++ arvif->vdev_id,
++ WMI_PEER_AUTHORIZE,
++ 1);
++ if (ret)
++ ath11k_warn(ar->ab, "Unable to authorize peer %pM vdev %d: %d\n",
++ sta->addr, arvif->vdev_id, ret);
++ }
++ } else if (old_state == IEEE80211_STA_AUTHORIZED &&
++ new_state == IEEE80211_STA_ASSOC) {
++ spin_lock_bh(&ar->ab->base_lock);
++
++ peer = ath11k_peer_find(ar->ab, arvif->vdev_id, sta->addr);
++ if (peer)
++ peer->is_authorized = false;
++
++ spin_unlock_bh(&ar->ab->base_lock);
++ } else if (old_state == IEEE80211_STA_ASSOC &&
++ new_state == IEEE80211_STA_AUTH &&
++ (vif->type == NL80211_IFTYPE_AP ||
++ vif->type == NL80211_IFTYPE_MESH_POINT ||
++ vif->type == NL80211_IFTYPE_ADHOC)) {
++ ret = ath11k_station_disassoc(ar, vif, sta);
++ if (ret)
++ ath11k_warn(ar->ab, "Failed to disassociate station: %pM\n",
++ sta->addr);
++ }
++
++ mutex_unlock(&ar->conf_mutex);
++ return ret;
++}
++
+ static const struct ieee80211_ops ath11k_ops = {
+ .tx = ath11k_mac_op_tx,
+ .wake_tx_queue = ieee80211_handle_wake_tx_queue,
+--
+2.50.1
+
--- /dev/null
+From 0f879aec07f622945cc260814614d07345b536e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 10 Aug 2025 22:30:18 +0530
+Subject: wifi: ath11k: fix group data packet drops during rekey
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
+
+[ Upstream commit 97acb0259cc9cbfbd7ab689e25684f3d8ce10e26 ]
+
+During GTK rekey, mac80211 issues a clear key (if the old key exists)
+followed by an install key operation in the same context. This causes
+ath11k to send two WMI commands in quick succession: one to clear the
+old key and another to install the new key in the same slot.
+
+Under certain conditions—especially under high load or time sensitive
+scenarios, firmware may process these commands asynchronously in a way
+that firmware assumes the key is cleared whereas hardware has a valid key.
+This inconsistency between hardware and firmware leads to group addressed
+packet drops. Only setting the same key again can restore a valid key in
+firmware and allow packets to be transmitted.
+
+This issue remained latent because the host's clear key commands were
+not effective in firmware until commit 436a4e886598 ("ath11k: clear the
+keys properly via DISABLE_KEY"). That commit enabled the host to
+explicitly clear group keys, which inadvertently exposed the race.
+
+To mitigate this, restrict group key clearing across all modes (AP, STA,
+MESH). During rekey, the new key can simply be set on top of the previous
+one, avoiding the need for a clear followed by a set.
+
+However, in AP mode specifically, permit group key clearing when no
+stations are associated. This exception supports transitions from secure
+modes (e.g., WPA2/WPA3) to open mode, during which all associated peers
+are removed and the group key is cleared as part of the transition.
+
+Add a per-BSS station counter to track the presence of stations during
+set key operations. Also add a reset_group_keys flag to track the key
+re-installation state and avoid repeated installation of the same key
+when the number of connected stations transitions to non-zero within a
+rekey period.
+
+Additionally, for AP and Mesh modes, when the first station associates,
+reinstall the same group key that was last set. This ensures that the
+firmware recovers from any race that may have occurred during a previous
+key clear when no stations were associated.
+
+This change ensures that key clearing is permitted only when no clients
+are connected, avoiding packet loss while enabling dynamic security mode
+transitions.
+
+Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.9.0.1-02146-QCAHKSWPL_SILICONZ-1
+Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
+
+Reported-by: Steffen Moser <lists@steffen-moser.de>
+Closes: https://lore.kernel.org/linux-wireless/c6366409-9928-4dd7-bf7b-ba7fcf20eabf@steffen-moser.de
+Fixes: 436a4e886598 ("ath11k: clear the keys properly via DISABLE_KEY")
+Signed-off-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
+Tested-by: Nicolas Escande <nico.escande@gmail.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250810170018.1124014-1-rameshkumar.sundaram@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/core.h | 2 +
+ drivers/net/wireless/ath/ath11k/mac.c | 111 +++++++++++++++++++++++--
+ 2 files changed, 104 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h
+index fea96620e0672..4bb36dc6ae08b 100644
+--- a/drivers/net/wireless/ath/ath11k/core.h
++++ b/drivers/net/wireless/ath/ath11k/core.h
+@@ -365,6 +365,8 @@ struct ath11k_vif {
+ struct ieee80211_chanctx_conf chanctx;
+ struct ath11k_arp_ns_offload arp_ns_offload;
+ struct ath11k_rekey_data rekey_data;
++ u32 num_stations;
++ bool reinstall_group_keys;
+
+ #ifdef CONFIG_ATH11K_DEBUGFS
+ struct dentry *debugfs_twt;
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index eb295d092a33c..2921be9bd530c 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -4205,6 +4205,40 @@ static int ath11k_clear_peer_keys(struct ath11k_vif *arvif,
+ return first_errno;
+ }
+
++static int ath11k_set_group_keys(struct ath11k_vif *arvif)
++{
++ struct ath11k *ar = arvif->ar;
++ struct ath11k_base *ab = ar->ab;
++ const u8 *addr = arvif->bssid;
++ int i, ret, first_errno = 0;
++ struct ath11k_peer *peer;
++
++ spin_lock_bh(&ab->base_lock);
++ peer = ath11k_peer_find(ab, arvif->vdev_id, addr);
++ spin_unlock_bh(&ab->base_lock);
++
++ if (!peer)
++ return -ENOENT;
++
++ for (i = 0; i < ARRAY_SIZE(peer->keys); i++) {
++ struct ieee80211_key_conf *key = peer->keys[i];
++
++ if (!key || (key->flags & IEEE80211_KEY_FLAG_PAIRWISE))
++ continue;
++
++ ret = ath11k_install_key(arvif, key, SET_KEY, addr,
++ WMI_KEY_GROUP);
++ if (ret < 0 && first_errno == 0)
++ first_errno = ret;
++
++ if (ret < 0)
++ ath11k_warn(ab, "failed to set group key of idx %d for vdev %d: %d\n",
++ i, arvif->vdev_id, ret);
++ }
++
++ return first_errno;
++}
++
+ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
+ struct ieee80211_vif *vif, struct ieee80211_sta *sta,
+ struct ieee80211_key_conf *key)
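Review bot: In ath11k_set_group_keys() the peer returned by ath11k_peer_find() is dereferenced in the `peer->keys[i]` loop after `spin_unlock_bh(&ab->base_lock)`, so nothing visible in this function keeps the peer alive while the keys are reinstalled. If the caller's conf_mutex is what guarantees that (the call site is in a different hunk and its locking is not shown), state it at the top of the function with `lockdep_assert_held(&ar->conf_mutex);` and a one-line comment saying the self peer for arvif->bssid cannot be removed while that mutex is held. If that guarantee does not hold, the lookup and the walk over `peer->keys` need to be restructured so the peer is not touched after the lock is dropped.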
+@@ -4214,6 +4248,7 @@ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
+ struct ath11k_vif *arvif = ath11k_vif_to_arvif(vif);
+ struct ath11k_peer *peer;
+ struct ath11k_sta *arsta;
++ bool is_ap_with_no_sta;
+ const u8 *peer_addr;
+ int ret = 0;
+ u32 flags = 0;
+@@ -4274,16 +4309,57 @@ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
+ else
+ flags |= WMI_KEY_GROUP;
+
+- ret = ath11k_install_key(arvif, key, cmd, peer_addr, flags);
+- if (ret) {
+- ath11k_warn(ab, "ath11k_install_key failed (%d)\n", ret);
+- goto exit;
+- }
++ ath11k_dbg(ar->ab, ATH11K_DBG_MAC,
++ "%s for peer %pM on vdev %d flags 0x%X, type = %d, num_sta %d\n",
++ cmd == SET_KEY ? "SET_KEY" : "DEL_KEY", peer_addr, arvif->vdev_id,
++ flags, arvif->vdev_type, arvif->num_stations);
++
++ /* Allow group key clearing only in AP mode when no stations are
++ * associated. There is a known race condition in firmware where
++ * group addressed packets may be dropped if the key is cleared
++ * and immediately set again during rekey.
++ *
++ * During GTK rekey, mac80211 issues a clear key (if the old key
++ * exists) followed by an install key operation for same key
++ * index. This causes ath11k to send two WMI commands in quick
++ * succession: one to clear the old key and another to install the
++ * new key in the same slot.
++ *
++ * Under certain conditions—especially under high load or time
++ * sensitive scenarios, firmware may process these commands
++ * asynchronously in a way that firmware assumes the key is
++ * cleared whereas hardware has a valid key. This inconsistency
++ * between hardware and firmware leads to group addressed packet
++ * drops after rekey.
++ * Only setting the same key again can restore a valid key in
++ * firmware and allow packets to be transmitted.
++ *
++ * There is a use case where an AP can transition from Secure mode
++ * to open mode without a vdev restart by just deleting all
++ * associated peers and clearing key, Hence allow clear key for
++ * that case alone. Mark arvif->reinstall_group_keys in such cases
++ * and reinstall the same key when the first peer is added,
++ * allowing firmware to recover from the race if it had occurred.
++ */
+
+- ret = ath11k_dp_peer_rx_pn_replay_config(arvif, peer_addr, cmd, key);
+- if (ret) {
+- ath11k_warn(ab, "failed to offload PN replay detection %d\n", ret);
+- goto exit;
++ is_ap_with_no_sta = (vif->type == NL80211_IFTYPE_AP &&
++ !arvif->num_stations);
++ if ((flags & WMI_KEY_PAIRWISE) || cmd == SET_KEY || is_ap_with_no_sta) {
++ ret = ath11k_install_key(arvif, key, cmd, peer_addr, flags);
++ if (ret) {
++ ath11k_warn(ab, "ath11k_install_key failed (%d)\n", ret);
++ goto exit;
++ }
++
++ ret = ath11k_dp_peer_rx_pn_replay_config(arvif, peer_addr, cmd, key);
++ if (ret) {
++ ath11k_warn(ab, "failed to offload PN replay detection %d\n",
++ ret);
++ goto exit;
++ }
++
++ if ((flags & WMI_KEY_GROUP) && cmd == SET_KEY && is_ap_with_no_sta)
++ arvif->reinstall_group_keys = true;
+ }
+
+ spin_lock_bh(&ab->base_lock);
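Review bot: When a group-key DEL_KEY arrives and the test `if ((flags & WMI_KEY_PAIRWISE) || cmd == SET_KEY || is_ap_with_no_sta)` is false, ath11k_install_key() is skipped and execution falls through with ret still 0, so mac80211 is told the key is gone while the old group key stays programmed in hardware. The long comment explains why the clear is skipped but not what later overwrites or removes that key; a closing sentence such as `The stale key is replaced by the next SET_KEY for the same index or goes away with the peer.` would pin the key's lifetime down, provided that is what actually happens (the code after the hunk is not visible). The debug print also formats the u32 `arvif->num_stations` with `%d`; `%u` matches the type. ath11k_mac_op_set_key() starts before and continues after this hunk.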
+@@ -4876,6 +4952,7 @@ static int ath11k_mac_inc_num_stations(struct ath11k_vif *arvif,
+ return -ENOBUFS;
+
+ ar->num_stations++;
++ arvif->num_stations++;
+
+ return 0;
+ }
+@@ -4891,6 +4968,7 @@ static void ath11k_mac_dec_num_stations(struct ath11k_vif *arvif,
+ return;
+
+ ar->num_stations--;
++ arvif->num_stations--;
+ }
+
+ static u32 ath11k_mac_ieee80211_sta_bw_to_wmi(struct ath11k *ar,
+@@ -8887,6 +8965,21 @@ static int ath11k_mac_station_add(struct ath11k *ar,
+ goto exit;
+ }
+
++ /* Driver allows the DEL KEY followed by SET KEY sequence for
++ * group keys for only when there is no clients associated, if at
++ * all firmware has entered the race during that window,
++ * reinstalling the same key when the first sta connects will allow
++ * firmware to recover from the race.
++ */
++ if (arvif->num_stations == 1 && arvif->reinstall_group_keys) {
++ ath11k_dbg(ab, ATH11K_DBG_MAC, "set group keys on 1st station add for vdev %d\n",
++ arvif->vdev_id);
++ ret = ath11k_set_group_keys(arvif);
++ if (ret)
++ goto dec_num_station;
++ arvif->reinstall_group_keys = false;
++ }
++
+ arsta->rx_stats = kzalloc(sizeof(*arsta->rx_stats), GFP_KERNEL);
+ if (!arsta->rx_stats) {
+ ret = -ENOMEM;
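Review bot: The `goto dec_num_station` taken when ath11k_set_group_keys() fails rejects the first station without any message at this site, and the helper itself warns only per failed key, so its -ENOENT return (self peer not found) is completely silent. Adding `ath11k_warn(ab, "failed to reinstall group keys for vdev %d: %d\n", arvif->vdev_id, ret);` before the goto would make a refused association traceable. The comment's first sentence would also read more clearly as `The driver allows a DEL_KEY followed by SET_KEY for group keys only when no clients are associated;`. ath11k_mac_station_add() begins and ends outside the hunk, so the cleanup done under dec_num_station is not visible here.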
+--
+2.50.1
+
--- /dev/null
+From 8f3bfdac964bafa920b94ec0fb7206814dbdff34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Oct 2023 09:39:42 -0700
+Subject: wifi: ath11k: Introduce and use ath11k_sta_to_arsta()
+
+From: Jeff Johnson <quic_jjohnson@quicinc.com>
+
+[ Upstream commit 10c65f97b424fcee439463f933140df2a0022f98 ]
+
+Currently, the logic to return an ath11k_sta pointer, given a
+ieee80211_sta pointer, uses typecasting throughout the driver. In
+general, conversion functions are preferable to typecasting since
+using a conversion function allows the compiler to validate the types
+of both the input and output parameters.
+
+ath11k already defines a conversion function ath11k_vif_to_arvif() for
+a similar conversion. So introduce ath11k_sta_to_arsta() for this use
+case, and convert all of the existing typecasting to use this
+function.
+
+No functional changes, compile tested only.
+
+Signed-off-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20231009-ath11k_sta_to_arsta-v1-1-1563e3a307e8@quicinc.com
+Stable-dep-of: 97acb0259cc9 ("wifi: ath11k: fix group data packet drops during rekey")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/core.h | 5 ++++
+ drivers/net/wireless/ath/ath11k/debugfs.c | 4 +--
+ drivers/net/wireless/ath/ath11k/debugfs_sta.c | 30 +++++++++----------
+ drivers/net/wireless/ath/ath11k/dp_rx.c | 8 ++---
+ drivers/net/wireless/ath/ath11k/dp_tx.c | 4 +--
+ drivers/net/wireless/ath/ath11k/mac.c | 18 +++++------
+ drivers/net/wireless/ath/ath11k/peer.c | 2 +-
+ drivers/net/wireless/ath/ath11k/wmi.c | 6 ++--
+ 8 files changed, 41 insertions(+), 36 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h
+index 812a174f74c0b..fea96620e0672 100644
+--- a/drivers/net/wireless/ath/ath11k/core.h
++++ b/drivers/net/wireless/ath/ath11k/core.h
+@@ -1234,6 +1234,11 @@ static inline struct ath11k_vif *ath11k_vif_to_arvif(struct ieee80211_vif *vif)
+ return (struct ath11k_vif *)vif->drv_priv;
+ }
+
++static inline struct ath11k_sta *ath11k_sta_to_arsta(struct ieee80211_sta *sta)
++{
++ return (struct ath11k_sta *)sta->drv_priv;
++}
++
+ static inline struct ath11k *ath11k_ab_to_ar(struct ath11k_base *ab,
+ int mac_id)
+ {
+diff --git a/drivers/net/wireless/ath/ath11k/debugfs.c b/drivers/net/wireless/ath/ath11k/debugfs.c
+index 50bc17127e68a..4304fed44d583 100644
+--- a/drivers/net/wireless/ath/ath11k/debugfs.c
++++ b/drivers/net/wireless/ath/ath11k/debugfs.c
+@@ -1452,7 +1452,7 @@ static void ath11k_reset_peer_ps_duration(void *data,
+ struct ieee80211_sta *sta)
+ {
+ struct ath11k *ar = data;
+- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv;
++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta);
+
+ spin_lock_bh(&ar->data_lock);
+ arsta->ps_total_duration = 0;
+@@ -1503,7 +1503,7 @@ static void ath11k_peer_ps_state_disable(void *data,
+ struct ieee80211_sta *sta)
+ {
+ struct ath11k *ar = data;
+- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv;
++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta);
+
+ spin_lock_bh(&ar->data_lock);
+ arsta->peer_ps_state = WMI_PEER_PS_STATE_DISABLED;
+diff --git a/drivers/net/wireless/ath/ath11k/debugfs_sta.c b/drivers/net/wireless/ath/ath11k/debugfs_sta.c
+index 168879a380cb2..f56a24b6c8da2 100644
+--- a/drivers/net/wireless/ath/ath11k/debugfs_sta.c
++++ b/drivers/net/wireless/ath/ath11k/debugfs_sta.c
+@@ -137,7 +137,7 @@ static ssize_t ath11k_dbg_sta_dump_tx_stats(struct file *file,
+ size_t count, loff_t *ppos)
+ {
+ struct ieee80211_sta *sta = file->private_data;
+- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv;
++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta);
+ struct ath11k *ar = arsta->arvif->ar;
+ struct ath11k_htt_data_stats *stats;
+ static const char *str_name[ATH11K_STATS_TYPE_MAX] = {"succ", "fail",
+@@ -244,7 +244,7 @@ static ssize_t ath11k_dbg_sta_dump_rx_stats(struct file *file,
+ size_t count, loff_t *ppos)
+ {
+ struct ieee80211_sta *sta = file->private_data;
+- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv;
++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta);
+ struct ath11k *ar = arsta->arvif->ar;
+ struct ath11k_rx_peer_stats *rx_stats = arsta->rx_stats;
+ int len = 0, i, retval = 0;
+@@ -341,7 +341,7 @@ static int
+ ath11k_dbg_sta_open_htt_peer_stats(struct inode *inode, struct file *file)
+ {
+ struct ieee80211_sta *sta = inode->i_private;
+- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv;
++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta);
+ struct ath11k *ar = arsta->arvif->ar;
+ struct debug_htt_stats_req *stats_req;
+ int type = ar->debug.htt_stats.type;
+@@ -377,7 +377,7 @@ static int
+ ath11k_dbg_sta_release_htt_peer_stats(struct inode *inode, struct file *file)
+ {
+ struct ieee80211_sta *sta = inode->i_private;
+- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv;
++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta);
+ struct ath11k *ar = arsta->arvif->ar;
+
+ mutex_lock(&ar->conf_mutex);
+@@ -414,7 +414,7 @@ static ssize_t ath11k_dbg_sta_write_peer_pktlog(struct file *file,
+ size_t count, loff_t *ppos)
+ {
+ struct ieee80211_sta *sta = file->private_data;
+- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv;
++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta);
+ struct ath11k *ar = arsta->arvif->ar;
+ int ret, enable;
+
+@@ -454,7 +454,7 @@ static ssize_t ath11k_dbg_sta_read_peer_pktlog(struct file *file,
+ size_t count, loff_t *ppos)
+ {
+ struct ieee80211_sta *sta = file->private_data;
+- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv;
++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta);
+ struct ath11k *ar = arsta->arvif->ar;
+ char buf[32] = {0};
+ int len;
+@@ -481,7 +481,7 @@ static ssize_t ath11k_dbg_sta_write_delba(struct file *file,
+ size_t count, loff_t *ppos)
+ {
+ struct ieee80211_sta *sta = file->private_data;
+- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv;
++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta);
+ struct ath11k *ar = arsta->arvif->ar;
+ u32 tid, initiator, reason;
+ int ret;
+@@ -532,7 +532,7 @@ static ssize_t ath11k_dbg_sta_write_addba_resp(struct file *file,
+ size_t count, loff_t *ppos)
+ {
+ struct ieee80211_sta *sta = file->private_data;
+- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv;
++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta);
+ struct ath11k *ar = arsta->arvif->ar;
+ u32 tid, status;
+ int ret;
+@@ -582,7 +582,7 @@ static ssize_t ath11k_dbg_sta_write_addba(struct file *file,
+ size_t count, loff_t *ppos)
+ {
+ struct ieee80211_sta *sta = file->private_data;
+- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv;
++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta);
+ struct ath11k *ar = arsta->arvif->ar;
+ u32 tid, buf_size;
+ int ret;
+@@ -633,7 +633,7 @@ static ssize_t ath11k_dbg_sta_read_aggr_mode(struct file *file,
+ size_t count, loff_t *ppos)
+ {
+ struct ieee80211_sta *sta = file->private_data;
+- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv;
++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta);
+ struct ath11k *ar = arsta->arvif->ar;
+ char buf[64];
+ int len = 0;
+@@ -653,7 +653,7 @@ static ssize_t ath11k_dbg_sta_write_aggr_mode(struct file *file,
+ size_t count, loff_t *ppos)
+ {
+ struct ieee80211_sta *sta = file->private_data;
+- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv;
++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta);
+ struct ath11k *ar = arsta->arvif->ar;
+ u32 aggr_mode;
+ int ret;
+@@ -698,7 +698,7 @@ ath11k_write_htt_peer_stats_reset(struct file *file,
+ size_t count, loff_t *ppos)
+ {
+ struct ieee80211_sta *sta = file->private_data;
+- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv;
++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta);
+ struct ath11k *ar = arsta->arvif->ar;
+ struct htt_ext_stats_cfg_params cfg_params = { 0 };
+ int ret;
+@@ -757,7 +757,7 @@ static ssize_t ath11k_dbg_sta_read_peer_ps_state(struct file *file,
+ size_t count, loff_t *ppos)
+ {
+ struct ieee80211_sta *sta = file->private_data;
+- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv;
++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta);
+ struct ath11k *ar = arsta->arvif->ar;
+ char buf[20];
+ int len;
+@@ -784,7 +784,7 @@ static ssize_t ath11k_dbg_sta_read_current_ps_duration(struct file *file,
+ loff_t *ppos)
+ {
+ struct ieee80211_sta *sta = file->private_data;
+- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv;
++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta);
+ struct ath11k *ar = arsta->arvif->ar;
+ u64 time_since_station_in_power_save;
+ char buf[20];
+@@ -818,7 +818,7 @@ static ssize_t ath11k_dbg_sta_read_total_ps_duration(struct file *file,
+ size_t count, loff_t *ppos)
+ {
+ struct ieee80211_sta *sta = file->private_data;
+- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv;
++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta);
+ struct ath11k *ar = arsta->arvif->ar;
+ char buf[20];
+ u64 power_save_duration;
+diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
+index 33b9764eaa916..8cc51ab699de7 100644
+--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
+@@ -1100,7 +1100,7 @@ int ath11k_dp_rx_ampdu_start(struct ath11k *ar,
+ struct ieee80211_ampdu_params *params)
+ {
+ struct ath11k_base *ab = ar->ab;
+- struct ath11k_sta *arsta = (void *)params->sta->drv_priv;
++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(params->sta);
+ int vdev_id = arsta->arvif->vdev_id;
+ int ret;
+
+@@ -1118,7 +1118,7 @@ int ath11k_dp_rx_ampdu_stop(struct ath11k *ar,
+ {
+ struct ath11k_base *ab = ar->ab;
+ struct ath11k_peer *peer;
+- struct ath11k_sta *arsta = (void *)params->sta->drv_priv;
++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(params->sta);
+ int vdev_id = arsta->arvif->vdev_id;
+ dma_addr_t paddr;
+ bool active;
+@@ -1460,7 +1460,7 @@ ath11k_update_per_peer_tx_stats(struct ath11k *ar,
+ }
+
+ sta = peer->sta;
+- arsta = (struct ath11k_sta *)sta->drv_priv;
++ arsta = ath11k_sta_to_arsta(sta);
+
+ memset(&arsta->txrate, 0, sizeof(arsta->txrate));
+
+@@ -5269,7 +5269,7 @@ int ath11k_dp_rx_process_mon_status(struct ath11k_base *ab, int mac_id,
+ goto next_skb;
+ }
+
+- arsta = (struct ath11k_sta *)peer->sta->drv_priv;
++ arsta = ath11k_sta_to_arsta(peer->sta);
+ ath11k_dp_rx_update_peer_stats(arsta, ppdu_info);
+
+ if (ath11k_debugfs_is_pktlog_peer_valid(ar, peer->addr))
+diff --git a/drivers/net/wireless/ath/ath11k/dp_tx.c b/drivers/net/wireless/ath/ath11k/dp_tx.c
+index 7dd1ee5898017..c1072e66e3e8f 100644
+--- a/drivers/net/wireless/ath/ath11k/dp_tx.c
++++ b/drivers/net/wireless/ath/ath11k/dp_tx.c
+@@ -467,7 +467,7 @@ void ath11k_dp_tx_update_txcompl(struct ath11k *ar, struct hal_tx_status *ts)
+ }
+
+ sta = peer->sta;
+- arsta = (struct ath11k_sta *)sta->drv_priv;
++ arsta = ath11k_sta_to_arsta(sta);
+
+ memset(&arsta->txrate, 0, sizeof(arsta->txrate));
+ pkt_type = FIELD_GET(HAL_TX_RATE_STATS_INFO0_PKT_TYPE,
+@@ -627,7 +627,7 @@ static void ath11k_dp_tx_complete_msdu(struct ath11k *ar,
+ ieee80211_free_txskb(ar->hw, msdu);
+ return;
+ }
+- arsta = (struct ath11k_sta *)peer->sta->drv_priv;
++ arsta = ath11k_sta_to_arsta(peer->sta);
+ status.sta = peer->sta;
+ status.skb = msdu;
+ status.info = info;
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index 9df3f6449f768..cc9c09d05f63f 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -2828,7 +2828,7 @@ static void ath11k_peer_assoc_prepare(struct ath11k *ar,
+
+ lockdep_assert_held(&ar->conf_mutex);
+
+- arsta = (struct ath11k_sta *)sta->drv_priv;
++ arsta = ath11k_sta_to_arsta(sta);
+
+ memset(arg, 0, sizeof(*arg));
+
+@@ -4311,7 +4311,7 @@ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
+ ath11k_warn(ab, "peer %pM disappeared!\n", peer_addr);
+
+ if (sta) {
+- arsta = (struct ath11k_sta *)sta->drv_priv;
++ arsta = ath11k_sta_to_arsta(sta);
+
+ switch (key->cipher) {
+ case WLAN_CIPHER_SUITE_TKIP:
+@@ -4902,7 +4902,7 @@ static int ath11k_mac_station_add(struct ath11k *ar,
+ {
+ struct ath11k_base *ab = ar->ab;
+ struct ath11k_vif *arvif = ath11k_vif_to_arvif(vif);
+- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv;
++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta);
+ struct peer_create_params peer_param;
+ int ret;
+
+@@ -5026,7 +5026,7 @@ static int ath11k_mac_op_sta_state(struct ieee80211_hw *hw,
+ {
+ struct ath11k *ar = hw->priv;
+ struct ath11k_vif *arvif = ath11k_vif_to_arvif(vif);
+- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv;
++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta);
+ struct ath11k_peer *peer;
+ int ret = 0;
+
+@@ -5192,7 +5192,7 @@ static void ath11k_mac_op_sta_set_4addr(struct ieee80211_hw *hw,
+ struct ieee80211_sta *sta, bool enabled)
+ {
+ struct ath11k *ar = hw->priv;
+- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv;
++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta);
+
+ if (enabled && !arsta->use_4addr_set) {
+ ieee80211_queue_work(ar->hw, &arsta->set_4addr_wk);
+@@ -5206,7 +5206,7 @@ static void ath11k_mac_op_sta_rc_update(struct ieee80211_hw *hw,
+ u32 changed)
+ {
+ struct ath11k *ar = hw->priv;
+- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv;
++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta);
+ struct ath11k_vif *arvif = ath11k_vif_to_arvif(vif);
+ struct ath11k_peer *peer;
+ u32 bw, smps;
+@@ -6204,7 +6204,7 @@ static void ath11k_mac_op_tx(struct ieee80211_hw *hw,
+ }
+
+ if (control->sta)
+- arsta = (struct ath11k_sta *)control->sta->drv_priv;
++ arsta = ath11k_sta_to_arsta(control->sta);
+
+ ret = ath11k_dp_tx(ar, arvif, arsta, skb);
+ if (unlikely(ret)) {
+@@ -8228,7 +8228,7 @@ static void ath11k_mac_set_bitrate_mask_iter(void *data,
+ struct ieee80211_sta *sta)
+ {
+ struct ath11k_vif *arvif = data;
+- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv;
++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta);
+ struct ath11k *ar = arvif->ar;
+
+ spin_lock_bh(&ar->data_lock);
+@@ -8632,7 +8632,7 @@ static void ath11k_mac_op_sta_statistics(struct ieee80211_hw *hw,
+ struct ieee80211_sta *sta,
+ struct station_info *sinfo)
+ {
+- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv;
++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta);
+ struct ath11k *ar = arsta->arvif->ar;
+ s8 signal;
+ bool db2dbm = test_bit(WMI_TLV_SERVICE_HW_DB2DBM_CONVERSION_SUPPORT,
+diff --git a/drivers/net/wireless/ath/ath11k/peer.c b/drivers/net/wireless/ath/ath11k/peer.c
+index ca719eb3f7f82..6d0126c393018 100644
+--- a/drivers/net/wireless/ath/ath11k/peer.c
++++ b/drivers/net/wireless/ath/ath11k/peer.c
+@@ -446,7 +446,7 @@ int ath11k_peer_create(struct ath11k *ar, struct ath11k_vif *arvif,
+ peer->sec_type_grp = HAL_ENCRYPT_TYPE_OPEN;
+
+ if (sta) {
+- arsta = (struct ath11k_sta *)sta->drv_priv;
++ arsta = ath11k_sta_to_arsta(sta);
+ arsta->tcl_metadata |= FIELD_PREP(HTT_TCL_META_DATA_TYPE, 0) |
+ FIELD_PREP(HTT_TCL_META_DATA_PEER_ID,
+ peer->peer_id);
+diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c
+index 9a829b8282420..31dbabc9eaf33 100644
+--- a/drivers/net/wireless/ath/ath11k/wmi.c
++++ b/drivers/net/wireless/ath/ath11k/wmi.c
+@@ -6452,7 +6452,7 @@ static int ath11k_wmi_tlv_rssi_chain_parse(struct ath11k_base *ab,
+ goto exit;
+ }
+
+- arsta = (struct ath11k_sta *)sta->drv_priv;
++ arsta = ath11k_sta_to_arsta(sta);
+
+ BUILD_BUG_ON(ARRAY_SIZE(arsta->chain_signal) >
+ ARRAY_SIZE(stats_rssi->rssi_avg_beacon));
+@@ -6540,7 +6540,7 @@ static int ath11k_wmi_tlv_fw_stats_data_parse(struct ath11k_base *ab,
+ arvif->bssid,
+ NULL);
+ if (sta) {
+- arsta = (struct ath11k_sta *)sta->drv_priv;
++ arsta = ath11k_sta_to_arsta(sta);
+ arsta->rssi_beacon = src->beacon_snr;
+ ath11k_dbg(ab, ATH11K_DBG_WMI,
+ "stats vdev id %d snr %d\n",
+@@ -7469,7 +7469,7 @@ static void ath11k_wmi_event_peer_sta_ps_state_chg(struct ath11k_base *ab,
+ goto exit;
+ }
+
+- arsta = (struct ath11k_sta *)sta->drv_priv;
++ arsta = ath11k_sta_to_arsta(sta);
+
+ spin_lock_bh(&ar->data_lock);
+
+--
+2.50.1
+
--- /dev/null
+From 9b9727e20927444f04d29238fcd2a7a1aea83c32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jan 2024 10:56:58 +0800
+Subject: wifi: ath11k: rename ath11k_start_vdev_delay()
+
+From: Baochen Qiang <quic_bqiang@quicinc.com>
+
+[ Upstream commit 629642fa8b25b8dfecefc9e2177a44c009858da7 ]
+
+Rename ath11k_start_vdev_delay() as ath11k_mac_start_vdev_delay()
+to follow naming convention.
+
+Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1
+Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.23
+Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
+Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
+
+Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com>
+Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://msgid.link/20240123025700.2929-3-quic_bqiang@quicinc.com
+Stable-dep-of: 97acb0259cc9 ("wifi: ath11k: fix group data packet drops during rekey")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/mac.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index cc9c09d05f63f..58cc079f0df4a 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -254,8 +254,8 @@ static const u32 ath11k_smps_map[] = {
+ [WLAN_HT_CAP_SM_PS_DISABLED] = WMI_PEER_SMPS_PS_NONE,
+ };
+
+-static int ath11k_start_vdev_delay(struct ieee80211_hw *hw,
+- struct ieee80211_vif *vif);
++static int ath11k_mac_start_vdev_delay(struct ieee80211_hw *hw,
++ struct ieee80211_vif *vif);
+
+ enum nl80211_he_ru_alloc ath11k_mac_phy_he_ru_to_nl80211_he_ru_alloc(u16 ru_phy)
+ {
+@@ -4966,7 +4966,7 @@ static int ath11k_mac_station_add(struct ath11k *ar,
+ if (ab->hw_params.vdev_start_delay &&
+ !arvif->is_started &&
+ arvif->vdev_type != WMI_VDEV_TYPE_AP) {
+- ret = ath11k_start_vdev_delay(ar->hw, vif);
++ ret = ath11k_mac_start_vdev_delay(ar->hw, vif);
+ if (ret) {
+ ath11k_warn(ab, "failed to delay vdev start: %d\n", ret);
+ goto free_tx_stats;
+@@ -7546,8 +7546,8 @@ static void ath11k_mac_op_change_chanctx(struct ieee80211_hw *hw,
+ mutex_unlock(&ar->conf_mutex);
+ }
+
+-static int ath11k_start_vdev_delay(struct ieee80211_hw *hw,
+- struct ieee80211_vif *vif)
++static int ath11k_mac_start_vdev_delay(struct ieee80211_hw *hw,
++ struct ieee80211_vif *vif)
+ {
+ struct ath11k *ar = hw->priv;
+ struct ath11k_base *ab = ar->ab;
+--
+2.50.1
+
--- /dev/null
+From fe3316f1303f1aa1a45f13e462cc9f6498b731a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 13:08:39 +0800
+Subject: wifi: brcmfmac: fix use-after-free when rescheduling
+ brcmf_btcoex_info work
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+[ Upstream commit 9cb83d4be0b9b697eae93d321e0da999f9cdfcfc ]
+
+The brcmf_btcoex_detach() only shuts down the btcoex timer, if the
+flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which
+runs as timer handler, sets timer_on to false. This creates critical
+race conditions:
+
+1.If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc()
+is executing, it may observe timer_on as false and skip the call to
+timer_shutdown_sync().
+
+2.The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info
+worker after the cancel_work_sync() has been executed, resulting in
+use-after-free bugs.
+
+The use-after-free bugs occur in two distinct scenarios, depending on
+the timing of when the brcmf_btcoex_info struct is freed relative to
+the execution of its worker thread.
+
+Scenario 1: Freed before the worker is scheduled
+
+The brcmf_btcoex_info is deallocated before the worker is scheduled.
+A race condition can occur when schedule_work(&bt_local->work) is
+called after the target memory has been freed. The sequence of events
+is detailed below:
+
+CPU0 | CPU1
+brcmf_btcoex_detach | brcmf_btcoex_timerfunc
+ | bt_local->timer_on = false;
+ if (cfg->btcoex->timer_on) |
+ ... |
+ cancel_work_sync(); |
+ ... |
+ kfree(cfg->btcoex); // FREE |
+ | schedule_work(&bt_local->work); // USE
+
+Scenario 2: Freed after the worker is scheduled
+
+The brcmf_btcoex_info is freed after the worker has been scheduled
+but before or during its execution. In this case, statements within
+the brcmf_btcoex_handler() — such as the container_of macro and
+subsequent dereferences of the brcmf_btcoex_info object will cause
+a use-after-free access. The following timeline illustrates this
+scenario:
+
+CPU0 | CPU1
+brcmf_btcoex_detach | brcmf_btcoex_timerfunc
+ | bt_local->timer_on = false;
+ if (cfg->btcoex->timer_on) |
+ ... |
+ cancel_work_sync(); |
+ ... | schedule_work(); // Reschedule
+ |
+ kfree(cfg->btcoex); // FREE | brcmf_btcoex_handler() // Worker
+ /* | btci = container_of(....); // USE
+ The kfree() above could | ...
+ also occur at any point | btci-> // USE
+ during the worker's execution|
+ */ |
+
+To resolve the race conditions, drop the conditional check and call
+timer_shutdown_sync() directly. It can deactivate the timer reliably,
+regardless of its current state. Once stopped, the timer_on state is
+then set to false.
+
+Fixes: 61730d4dfffc ("brcmfmac: support critical protocol API for DHCP")
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Link: https://patch.msgid.link/20250822050839.4413-1-duoming@zju.edu.cn
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c
+index 00794086cc7c9..bf80675667ba3 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c
+@@ -392,10 +392,8 @@ void brcmf_btcoex_detach(struct brcmf_cfg80211_info *cfg)
+ if (!cfg->btcoex)
+ return;
+
+- if (cfg->btcoex->timer_on) {
+- cfg->btcoex->timer_on = false;
+- timer_shutdown_sync(&cfg->btcoex->timer);
+- }
++ timer_shutdown_sync(&cfg->btcoex->timer);
++ cfg->btcoex->timer_on = false;
+
+ cancel_work_sync(&cfg->btcoex->work);
+
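Review bot: The new ordering in brcmf_btcoex_detach() is what closes the use-after-free window, but nothing in the code records that, so a later cleanup could reintroduce the `timer_on` guard or reorder the calls. A comment above the call would preserve the reasoning: `/* Shut down unconditionally: the timer handler clears timer_on itself and schedules the work, so this must run before cancel_work_sync(). */`. The function continues past the hunk, so the kfree() described in the commit message is not visible here.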
+--
+2.50.1
+
--- /dev/null
+From b24cc3c45050fc3ecf18c3c8d15ae269878e505b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Aug 2025 16:52:36 +0300
+Subject: wifi: cfg80211: fix use-after-free in cmp_bss()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 26e84445f02ce6b2fe5f3e0e28ff7add77f35e08 ]
+
+Following bss_free() quirk introduced in commit 776b3580178f
+("cfg80211: track hidden SSID networks properly"), adjust
+cfg80211_update_known_bss() to free the last beacon frame
+elements only if they're not shared via the corresponding
+'hidden_beacon_bss' pointer.
+
+Reported-by: syzbot+30754ca335e6fb7e3092@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=30754ca335e6fb7e3092
+Fixes: 3ab8227d3e7d ("cfg80211: refactor cfg80211_bss_update")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Link: https://patch.msgid.link/20250813135236.799384-1-dmantipov@yandex.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/scan.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index 6db8c9a2a7a2b..c1d64e2504548 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -1807,7 +1807,8 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev,
+ */
+
+ f = rcu_access_pointer(new->pub.beacon_ies);
+- kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head);
++ if (!new->pub.hidden_beacon_bss)
++ kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head);
+ return false;
+ }
+
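Review bot: The new `if (!new->pub.hidden_beacon_bss)` guard encodes an ownership rule that is only spelled out in the commit message. Per that message the beacon elements may be shared through `hidden_beacon_bss`, in which case this path must not free them. A comment such as `/* beacon_ies are shared via hidden_beacon_bss when it is set; do not free them here */` would stop a later reader from simplifying the condition back into a use-after-free. The block comment that ends just above `f = ...` and the rest of cfg80211_update_known_bss() lie outside this hunk.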
+--
+2.50.1
+
--- /dev/null
+From ac21dbbd4574988cf087ebb7466e2e1dcba18cf3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 15:48:45 +0300
+Subject: wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 62b635dcd69c4fde7ce1de4992d71420a37e51e3 ]
+
+If the ssid->datalen is more than IEEE80211_MAX_SSID_LEN (32) it would
+lead to memory corruption so add some bounds checking.
+
+Fixes: c38c70185101 ("wifi: cfg80211: Set SSID if it is not already set")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/0aaaae4a3ed37c6252363c34ae4904b1604e8e32.1756456951.git.dan.carpenter@linaro.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/sme.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/sme.c b/net/wireless/sme.c
+index 70881782c25c6..5904c869085c8 100644
+--- a/net/wireless/sme.c
++++ b/net/wireless/sme.c
+@@ -915,13 +915,16 @@ void __cfg80211_connect_result(struct net_device *dev,
+ if (!wdev->u.client.ssid_len) {
+ rcu_read_lock();
+ for_each_valid_link(cr, link) {
++ u32 ssid_len;
++
+ ssid = ieee80211_bss_get_elem(cr->links[link].bss,
+ WLAN_EID_SSID);
+
+ if (!ssid || !ssid->datalen)
+ continue;
+
+- memcpy(wdev->u.client.ssid, ssid->data, ssid->datalen);
++ ssid_len = min(ssid->datalen, IEEE80211_MAX_SSID_LEN);
++ memcpy(wdev->u.client.ssid, ssid->data, ssid_len);
+ wdev->u.client.ssid_len = ssid->datalen;
+ break;
+ }
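Review bot: The stored length is still taken from the element rather than from the clamp: after the bounded `memcpy()`, `wdev->u.client.ssid_len = ssid->datalen;` can record a value above IEEE80211_MAX_SSID_LEN although at most 32 bytes were copied. Any later code that trusts `ssid_len` as the size of `wdev->u.client.ssid` would then read or copy past the end of that buffer, so the assignment should use the clamped value, `wdev->u.client.ssid_len = ssid_len;`. Whether `ieee80211_bss_get_elem()` can in practice return an SSID element longer than 32 bytes is not visible here, and __cfg80211_connect_result() starts and ends outside the hunk.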
+--
+2.50.1
+
--- /dev/null
+From abf4b9f99f11f1e43bb5a4b2987274dcefe00e95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 15:48:28 +0300
+Subject: wifi: cw1200: cap SSID length in cw1200_do_join()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit f8f15f6742b8874e59c9c715d0af3474608310ad ]
+
+If the ssidie[1] length is more than 32 it leads to memory corruption.
+
+Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/e91fb43fcedc4893b604dfb973131661510901a7.1756456951.git.dan.carpenter@linaro.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/st/cw1200/sta.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/st/cw1200/sta.c b/drivers/net/wireless/st/cw1200/sta.c
+index 8ef1d06b9bbdd..121d810c8839e 100644
+--- a/drivers/net/wireless/st/cw1200/sta.c
++++ b/drivers/net/wireless/st/cw1200/sta.c
+@@ -1290,7 +1290,7 @@ static void cw1200_do_join(struct cw1200_common *priv)
+ rcu_read_lock();
+ ssidie = ieee80211_bss_get_ie(bss, WLAN_EID_SSID);
+ if (ssidie) {
+- join.ssid_len = ssidie[1];
++ join.ssid_len = min(ssidie[1], IEEE80211_MAX_SSID_LEN);
+ memcpy(join.ssid, &ssidie[2], join.ssid_len);
+ }
+ rcu_read_unlock();
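Review bot: An SSID element longer than IEEE80211_MAX_SSID_LEN is now truncated without any trace, and the join proceeds with a 32-byte prefix of what the BSS entry carried. The clamp removes the overflow, but an over-long element is malformed input and worth making observable, for example `if (ssidie[1] > IEEE80211_MAX_SSID_LEN) pr_debug_ratelimited("SSID element too long, truncating\n");` ahead of the `min()`. The same applies to the `min()` added in lbs_associate() in the libertas patch, where the `else` branch already logs through `lbs_deb_assoc()`. cw1200_do_join() starts and ends outside this hunk.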
+--
+2.50.1
+
--- /dev/null
+From 9354ed5c2c56a71759e90343f23bc27164d29e0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 15:48:35 +0300
+Subject: wifi: libertas: cap SSID len in lbs_associate()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit c786794bd27b0d7a5fd9063695df83206009be59 ]
+
+If the ssid_eid[1] length is more than 32 it leads to memory corruption.
+
+Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/2a40f5ec7617144aef412034c12919a4927d90ad.1756456951.git.dan.carpenter@linaro.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/libertas/cfg.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c
+index b700c213d10c4..38ad49033d0ba 100644
+--- a/drivers/net/wireless/marvell/libertas/cfg.c
++++ b/drivers/net/wireless/marvell/libertas/cfg.c
+@@ -1150,10 +1150,13 @@ static int lbs_associate(struct lbs_private *priv,
+ /* add SSID TLV */
+ rcu_read_lock();
+ ssid_eid = ieee80211_bss_get_ie(bss, WLAN_EID_SSID);
+- if (ssid_eid)
+- pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_eid[1]);
+- else
++ if (ssid_eid) {
++ u32 ssid_len = min(ssid_eid[1], IEEE80211_MAX_SSID_LEN);
++
++ pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_len);
++ } else {
+ lbs_deb_assoc("no SSID\n");
++ }
+ rcu_read_unlock();
+
+ /* add DS param TLV */
+--
+2.50.1
+
--- /dev/null
+From 0ca3d89b4d1d848854391aa129475f036b71a1c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Aug 2025 12:26:43 -0700
+Subject: xirc2ps_cs: fix register access when enabling FullDuplex
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit b79e498080b170fd94fc83bca2471f450811549b ]
+
+The current code incorrectly passes (XIRCREG1_ECR | FullDuplex) as
+the register address to GetByte(), instead of fetching the register
+value and OR-ing it with FullDuplex. This results in an invalid
+register access.
+
+Fix it by reading XIRCREG1_ECR first, then or-ing with FullDuplex
+before writing it back.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://patch.msgid.link/20250827192645.658496-1-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/xircom/xirc2ps_cs.c b/drivers/net/ethernet/xircom/xirc2ps_cs.c
+index 9f505cf02d965..2dc1cfcd7ce99 100644
+--- a/drivers/net/ethernet/xircom/xirc2ps_cs.c
++++ b/drivers/net/ethernet/xircom/xirc2ps_cs.c
+@@ -1578,7 +1578,7 @@ do_reset(struct net_device *dev, int full)
+ msleep(40); /* wait 40 msec to let it complete */
+ }
+ if (full_duplex)
+- PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR | FullDuplex));
++ PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR) | FullDuplex);
+ } else { /* No MII */
+ SelectPage(0);
+ value = GetByte(XIRCREG_ESR); /* read the ESR */
+--
+2.50.1
+